2 Replies Latest reply on Jan 6, 2010 1:22 PM by petersimmons

    HIPS

      On an Air Force network, McAfee Host Intrusion Prevention is installed by the Network Operations Support Center. It is running on XP and Vista systems. We also use ScriptLogic Desktop Authority. XP systems only are blowing up at user logon.

      In the "Activity" log when I run McAfeeFire.exe, it shows that "Windows Explorer" is blocked. Message is "Attack type:Protect Hips"

      When ScriptLogic is launched, the screen flashes on and off about 10 times with "Explorer.exe" errors. When you try to input any characters into any window, that window disappears. If I disable HIPS from running, this does not happen at login. It seems that uninstalling, rebooting, and reinstalling HIPS stops this. This is happening on 1800 systems. Looking for an easier fix than the current one. Anyone here had an experience with this?

        • 1. Re: HIPS
          Attila Polinger

          Hello,

           

          On first look I would say that the HIPS self-defense feature triggers when something from ScriptLogic is being executed by Explorer.exe. I would follow ScriptLogic's policies (I gathered this might be a Windows policy management-type software) to see whether such a policy enforcement or rights control might interfere with HIPS. On the other hand, I would also check if HIPS has an exclusion feature for this type of rule. Although it seems that HIPS is only seeing explorer.exe and nothing more, which suggests that the offending code is either in a program run by startup or in the registry under HKLM\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, which is also a frequent place for other code to load when explorer.exe loads.

           

          Maybe ScriptLogic has a module that you might not need (very often) which could be removed or disabled from loading from places like above.

           

          Hope I could give an idea.

           

          Attila
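
An added example, not part of any post in this thread: a read-only PowerShell inventory of the two load points the reply above names, so the entries can be compared between a failing XP client and one where HIPS was reinstalled. It assumes the full key path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks and the machine-wide Run key as the "program run by startup" location; the helper names are hypothetical, and no ScriptLogic module names are assumed since the thread gives none.

```powershell
# Added example (not from the thread). Read-only: lists what is registered to
# load with explorer.exe via ShellExecuteHooks and the machine-wide Run key.
# PowerShell 2.0 syntax so it also runs on XP clients. Run elevated.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RegistryValue {          # hypothetical helper: name/data pairs of a key
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{ Name = $name; Data = $key.GetValue($name) }
    }
}

function Get-FileVendor {             # hypothetical helper: CompanyName of a binary
    param([string]$File)
    if ($File -and (Test-Path $File)) { (Get-Item $File).VersionInfo.CompanyName }
    else { '<file not found>' }
}

$report = @()

# Each hook is a value whose name is a CLSID; its DLL is under InprocServer32.
foreach ($hook in Get-RegistryValue $hooksKey) {
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$($hook.Name)\InprocServer32"
    $dll = $null
    if (Test-Path $inproc) { $dll = (Get-Item $inproc).GetValue('') }
    $report += New-Object PSObject -Property @{
        Source = 'ShellExecuteHook'; Entry = $hook.Name
        Loads  = $dll;               Vendor = Get-FileVendor $dll
    }
}

# Run-key data is a command line; pull out the .exe path on a best-effort basis.
foreach ($item in Get-RegistryValue $runKey) {
    $exe = $null
    if ($item.Data -match '^\s*"?([^"]+?\.exe)') { $exe = $Matches[1] }
    $report += New-Object PSObject -Property @{
        Source = 'Run';              Entry = $item.Name
        Loads  = $item.Data;         Vendor = Get-FileVendor $exe
    }
}

$report | Select-Object Source, Entry, Vendor, Loads | Format-Table -AutoSize -Wrap
```

Entries that belong to the Desktop Authority install are the ones to line up against the time of the "Protect Hips" event in the Activity log.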

          • 2. Re: HIPS
            petersimmons

            Ordinarily I'd say that perhaps this was an example to create an exception. However, I'd really suggest not doing that since a) it involves self-protection of Host IPS itself and b) Windows Explorer is the (shill) trigger. If it wasn't self-protection I'd be more inclined to say "exception" or if you could explicitly identify the known ScriptLogic processes involved.

             

            I highly suspect there's a driver conflict here since remote tools like this oftentimes employ add-on video drivers or drivers that look at the video subsystems.

             

            This is a case where you definitely want to open a support ticket. Perhaps there's something on the Host IPS side that can be done.