Normally when this happens, some backend process runs to delete the rules from the database after the rules are removed from the client. Then when running the report for client side rules, the rules disappear - as they should.
This is done via the Host IPS 8.0 Property Translator server task. Leave the task in a DISABLED state, but run it manually to force client rule management on the ePO server side.
Also, the Host IPS 8.0 Catalog Maintenance Task server task might help here as well. See https://kc.mcafee.com/corporate/index?page=content&id=KB80102 for what this task does.
From the attached script, this task does:
1. Deletes all dynamically learned IPS and Firewall rules or rules added manually on the client
2. Deletes all the Executables, Applications and NamedNetworks, Locations and their associations with "Dynamic Rules" which are not used in any policy or catalog item that are left due to:
   a. deletion of dynamic rules on End points
   b. step (1) above
Thanks for the response. I noticed the Catalog Maintenance task, but wasn't sure what it did. That sounds like something I would want to run periodically -- I have a TON of executables in the database that have been set up by out-of-control use of client side rules. We have that clamped down now, but I was not sure how to clean up the garbage.
I will kick those off next week -- Not something to try on a Friday afternoon before a three day weekend!
Thanks for your suggestions and the link to the description of that task.
Also, forgot to mention, the Host IPS 8.0 Property Translator server task already runs automatically every 15 min inside the ePO Tomcat service; however, you can run it manually to force client rule changes to be immediate (and sometimes if the automatic one doesn't seem to be working; try it once at least).