6 Replies Latest reply on Feb 1, 2010 11:16 AM by mtareiq

    HIPS Event Log

    kink80

One of my machines is logging an event every 2-3 seconds as a Blocked Incoming UDP event. We are running HIPS 7.0.0.953 with Patch/Hotfix 3.0.5. The application listed is ntoskrnl.exe. We have run a full scan on this machine with McAfee VSE 8.7i DAT 5872 and it found nothing. Also ntoskrnl.exe is not running as a process on the machine. Has anyone run into this before?

        • 1. Re: HIPS Event Log
          bgable

          Depending on the port, it could be netbios-ns traffic on 137.  The system (ntoskrnl.exe) would show up as the associated application.

BTW, the latest patch release is patch 6 (7.0.0.1070) and patch 7 is expected to release in March. I would advise upgrading to the most current patch release if you can.

          • 2. Re: HIPS Event Log
            kink80

Looks like you may be right. Now that I looked at the HIPS event log, all of the blocked IPs are coming from a specific local subnet. We have not upgraded the HIPS client because we are in a healthcare setting and when the new HIPS client is deployed it drops the network connection for 20-30 seconds. We have been putting this off for that reason. From what I understand this is not going to change in the future either, and McAfee states that it changed its installation method to be compliant with Microsoft's standards.
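The triage described in the two replies above (is the noise NetBIOS name-service traffic on UDP 137 from the local subnet, or something else?) can be done against an exported event log. The following is an added example, not code from the thread or from McAfee; the comma-separated field layout, the sample lines and the 10.20.30.0/24 subnet are constructed assumptions, since HIPS 7's actual export format is not shown on the page.

```python
import ipaddress
from collections import Counter

# Constructed sample events. The field layout (timestamp, action, protocol,
# source IP, source port, destination IP, destination port, application) is
# an assumption for this example, not the real HIPS 7 event export format.
SAMPLE_EVENTS = """\
2010-01-27 08:40:01,Blocked Incoming,UDP,10.20.30.15,137,10.20.30.200,137,ntoskrnl.exe
2010-01-27 08:40:03,Blocked Incoming,UDP,10.20.30.16,137,10.20.30.200,137,ntoskrnl.exe
2010-01-27 08:40:06,Blocked Incoming,UDP,10.20.30.15,137,10.20.30.200,137,ntoskrnl.exe
2010-01-27 08:40:09,Blocked Incoming,UDP,203.0.113.9,53412,10.20.30.200,1434,ntoskrnl.exe
2010-01-27 08:40:12,Blocked Incoming,UDP,10.20.30.17,138,10.20.30.200,138,ntoskrnl.exe
"""

# Subnets treated as "local" for this host; 10.20.30.0/24 is a constructed value.
LOCAL_SUBNETS = [ipaddress.ip_network("10.20.30.0/24")]

# Destination ports whose kernel-attributed (ntoskrnl.exe) UDP traffic is
# normally NetBIOS name-service / datagram broadcast noise.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm"}


def parse_event(line):
    """Split one event line into a dict; return None for blank or malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 8:
        return None
    ts, action, proto, src, sport, dst, dport, app = parts
    try:
        return {
            "ts": ts, "action": action, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "app": app,
        }
    except ValueError:
        return None


def classify(event, local_subnets=LOCAL_SUBNETS):
    """Label an event as local NetBIOS noise, other local traffic, or external."""
    is_local = any(event["src"] in net for net in local_subnets)
    if not is_local:
        return "external"
    if event["proto"] == "UDP" and event["dport"] in NETBIOS_PORTS:
        return "local-netbios"
    return "local-other"


def summarize(text, local_subnets=LOCAL_SUBNETS):
    """Count blocked events per class and per (source IP, destination port) pair."""
    by_class = Counter()
    by_source = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or not ev["action"].startswith("Blocked"):
            continue
        by_class[classify(ev, local_subnets)] += 1
        by_source[(str(ev["src"]), ev["dport"])] += 1
    return {"by_class": by_class, "by_source": by_source}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for label, n in sorted(report["by_class"].items()):
        print(f"{label:14} {n}")
    for (src, port), n in report["by_source"].most_common(3):
        print(f"{src}:{port} -> {n} blocked")
```

Events that land in "local-netbios" are the expected name-service chatter bgable describes and are candidates for a firewall rule or a log-filtering tweak; anything in "external" or on an unexpected port deserves a closer look before the log is quieted.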

            • 3. Re: HIPS Event Log
              bgable

              The HIP 7.0 firewall NDIS intermediate miniport filter is based on NDIS 5.0 spec.  Basically when any 5.0 NDIS driver install or uninstall occurs, the operating system must tear down the network stack and restack it with the new NDIS driver.


              The HIP 8.0 product will be built on NDIS 6.0 spec which adds the functionality of 'state' awareness for NDIS drivers.

So, any 6.0 spec NDIS driver can be "paused" or "resumed" during another's install or uninstall.

              Hence, the network stack does not need to be torn down by the operating system and no loss of network connectivity will occur.  8.0 will ship in Q310.


              Message was edited by: bgable on 1/27/10 8:43:04 AM PST
              • 4. Re: HIPS Event Log
                kink80

                Thanks for the update on NDIS specs. That will be a great benefit for us in HIP 8.0.

                • 5. Re: HIPS Event Log
                  kink80

But does this still mean that when we upgrade from 7.0.953 to version 8 the stacks will still be torn down?

                  • 6. Re: HIPS Event Log
                    mtareiq

A HIPS upgrade comprises an uninstall of the existing install and then an install of the newer version. The uninstall of HIPS 7 would need to tear down the networking stack.