1 of 1 people found this helpful
I am in the same situation. I have ~15000 nodes that will need to get updated with the HIPS 7 patch and was told by McAfee the following:
The HIP 7.0 firewall NDIS intermediate miniport filter is based on NDIS 5.0 spec. Basically when any 5.0 NDIS driver install or uninstall occurs, the operating system must tear down the network stack and restack it with the new NDIS driver.
The HIP 8.0 product will be built on NDIS 6.0 spec which adds the functionality of 'state' awareness for NDIS drivers.
So, any 6.0 spec NDIS can be "paused" or "resumed" during anothers' install or uninstall.
Hence, the network stack does not need to be torn down by the operating system and now loss of network connectivity will occur. 8.0 will ship in Q310.
However to upgrade to HIPS 8.0 from 7.0 it will still drop the network connection. I have not found a work around for this yet so I would be interested in seeing if anyone has as well.
I'm afraid with the existing NDIS 5.x framework, we don't have much choice in the matter.
1 of 1 people found this helpful
You can reference KB59945.
Also, it's true that HIP 8.0 will be based on NDIS 6.0 which added 2 new filter states; Pause & Resume.
If you are installing/uninstalling NDIS 6.0 filters on a system that only has NDIS 6.0 on it, the network stack does not need to be torn down to relayer the network driver shims. They would simpley be paused and resumed.
However, when you go to upgrade an existing HIP 7 system, the uninstall of the HIP 7 NDIS will cause the stack to be torn down.
Thanks all, so bottom line is that with the current HIPs version 7 I'm pretty stuffed ?
Version 8, whenever that will be released will 'fix' this issue ?
HIP 8.0 will resolve the issue because it is based on NDIS 6.0.
However, the uninstall of HIP 7.0 NDIS driver will still drop the stack momentarily.
Going forward from HIP 8.0, this will not occur again.
This is news to me, I wasn't aware of KB59945 (https://kc.mcafee.com/corporate/index?page=content&id=KB59945 I put the reference here because I didn't find it earlier.
Does this mean that whenever one installs HIPS 7 (using Patch 6 presently) the system needs to reboot ?
We had a policy here that HIPS (and VSE) would be reinstalled on systems (through client tasks) several times a day. This is to compensate for cases where a user having admin rights "accidentally" removes HIPS or VSE . It's worked fine for the past 3-5 years (I've only been here for 2 years).
We use mostly Win XP SP 3 and some Vista for now but the trend is moving towards Windows 7 (test phase).
Up until recently (DFW through HIPS 7 through to HIPS 7 patch 6) we didn't have too much problems, but this month, we started getting calls from users complaining that on some system they'd lose the network as soon as HIPS gets installed.
Since all problems happened on newer Windows 7 systems I thought there might be a compatibility issue with Windows 7.
Could someone confirm that my problems have been due to the issue discussed here and related to KB59945?
 Note: I have been thinking of replacing this by a task that installs VSE resp. HIPS once a day at boot time. It wouldn't change a thing to the problem at hand, now.
No, not reboot.
There is only a momentary loss of network stack while Windows is re-shimming the NDIS 5.0 drivers to the network interfaces.