14 Replies Latest reply on Nov 17, 2010 2:36 AM by mmialhe

    HIPS 7.0 install effectively killing connections

      Howdy,

       

      We have been rolling out HIPS 7.0.0.1102 (patch 7) and are getting some machines that will not reestablish a network connection.  I realize that the connections will drop while the stack is rebuilt with the NDIS filter inserted, but I have not been able to determine why some of the machines fail to re-establish the connection.  The problem machines do not re-establish connection after a reboot either.

       

      In order to fix these problem machines, we have to either remove HIPS (thus getting rid of the NDIS filter) or we have been able to run a couple of netsh commands and reboot.  This was not an issue that we encountered in our test environment.

       

      Is there something that can be done to alleviate this issue?  We have ~14k machines receiving the package (last count 10k have already installed it).  I'd really not like to go down the path of having any % of machines going down because of this roll-out.

       

      BTW, these are all XP machines.  We have SP2 and SP3 in the field and I can't make a case that it is only on one or the other (I have only seen the issue on SP3 thus far, but the desktop guys aren't bringing me the machines to fix).

       

      Thanks for any insight.

      - Kevin

        • 1. Re: HIPS 7.0 install effectively killing connections
          Kary Tankink

          Check that you are running the latest drivers for your network adapters.

          Disable any NIC teaming before installing Host IPS 7.0 (not too common on workstation systems).

          Check/update any 3rd party software (like VPN software) or drivers that may bind to the network adapter.

          • 2. Re: HIPS 7.0 install effectively killing connections

            I will monitor driver levels of the systems I see come in to see if there is a correlation.  I do not foresee this as a concern as it wipes out all network adapters on affected machines.  (i.e. wireless will not establish a connection, wired n/w adapters won't establish a connection, etc.)

             

            There hasn't been any NIC teaming on what I've seen thus far (and you're right, we don't have this on our workstations).

             

            We do have VPN software on some of the machines, but none that have been affected have been using the VPN.  All have been local on our network...

             

            If it provides more information, the NDIS filter shows up in the device manager with an exclamation point and attached to each network adapter.  I can provide a screenshot if necessary to clarify.

             

            Thanks.

            • 3. Re: HIPS 7.0 install effectively killing connections
              Kary Tankink

              If it continues to be an issue, I would open a support case.  Check the c:\windows\temp\mcafeehip7_ndisinstall.log file, and the c:\windows\setupapi.log for Host IPS NDIS install errors.

              1 of 1 people found this helpful
              • 4. Re: HIPS 7.0 install effectively killing connections

                Thanks for the information.  I will certainly check the logs in the future to see if anything pops out.

                 

                And I most certainly will open a support ticket if this becomes widespread.

                • 5. Re: HIPS 7.0 install effectively killing connections

                  Ok - had one of the HD guys bring me a machine exhibiting the issue.  Both logs show errors and the jpg is a screen of device manager.

                   

                  From the install log:

                  2010-10-18 01:51:30 INFO 405 Installing mfe_firehk...
                  2010-10-18 02:21:29 INFO 942 ============== START ==============
                  2010-10-18 02:21:29 INFO 943 Inf file C:\Program Files\McAfee\Host Intrusion Prevention\Inf\FireHk.inf
                  2010-10-18 02:21:29 INFO 21 Opening inf file C:\Program Files\McAfee\Host Intrusion Prevention\Inf\FireHk.inf
                  2010-10-18 02:21:29 INFO 52 Manufacturer is MCAFEE
                  2010-10-18 02:21:29 INFO 69 DDInstallSection is Firehk.ndi
                  2010-10-18 02:21:29 INFO 86 PnP ID is mfe_firehk
                  2010-10-18 02:21:29 INFO 177 Uninstalling network component
                  2010-10-18 02:21:34 ERRO 481 Failed to get INetCfg, hr=0x8004a024
                  2010-10-18 02:21:34 ERRO 191 Error occured: -2147180508 (0x8004a024)
                  2010-10-18 02:21:34 ERRO 221 Failed to format the message!
                  2010-10-18 02:21:34 INFO 954 =============== END ===============

                   

                  The setupapi.log has a ton of entries on HIPS...

                   

                  I'm going to dig into the errors and see what I can find, figured I'd post up here for now.  Any insight?

                  • 6. Re: HIPS 7.0 install effectively killing connections

                    And just to add, the netsh commands fix the connections (or allow them to establish).

                    netsh winsock reset

                    netsh int ip reset c:\resetlog.txt

                     

                    It doesn't change any of the issues in the device manager.

                    • 7. Re: HIPS 7.0 install effectively killing connections

                      I was able to spend more time with the machine in question above before having to give it back to the user.  After reboot #2, the network connections were trashed again.

                       

                      Uninstalled HIPS, everything worked fine.  Reinstalled HIPS and things were broken again, error logs looked the same as what is posted.  Finished up by uninstalling HIPS and tagging the machine in ePO to not receive it.

                      • 8. Re: HIPS 7.0 install effectively killing connections
                        Kary Tankink

                        Not any real solution, but here's what I see.

                         

                        NDIS installs and hits the 30min timeout, then proceeds to uninstall (which fails as well):

                        2010-10-18 01:51:30 INFO 688 Successfully modified reg value HKLM\System\CurrentControlSet\Control\Network\FilterClasses
                        2010-10-18 01:51:30 INFO 405 Installing mfe_firehk...
                        2010-10-18 02:21:29 INFO 942 ============== START ==============
                        2010-10-18 02:21:29 INFO 943 Inf file C:\Program Files\McAfee\Host Intrusion Prevention\Inf\FireHk.inf


                        Drivers couldn't be started for whatever reason.

                        [2010/10/18 01:51:49 7352.87 Driver Install]
                        #-019 Searching for hardware ID(s): mfe_firehkmp
                        #-199 Executing "C:\Program Files\McAfee\Host Intrusion Prevention\Inf\NdisInstall.exe" with command line: ndisinstall "C:\Program Files\McAfee\Host Intrusion Prevention\Inf\FireHk.inf" /i /v "C:\WINDOWS\Temp"
                        #I022 Found "mfe_firehkmp" in C:\WINDOWS\inf\oem74.inf; Device: "McAfee NDIS Intermediate Filter Miniport"; Driver: "McAfee NDIS Intermediate Filter Miniport"; Provider: "McAfee"; Mfg: "McAfee"; Section name: "FirehkMP.ndi".
                        #I023 Actual install section: [FirehkMP.ndi]. Rank: 0x00000000. Effective driver date: 10/16/2008.
                        #I063 Selected driver installs from section [FirehkMP.ndi] in "c:\windows\inf\oem74.inf".
                        #I320 Class GUID of device remains: {4D36E972-E325-11CE-BFC1-08002BE10318}.
                        #I060 Set selected driver.
                        #I058 Selected best compatible driver.
                        #-166 Device install function: DIF_INSTALLDEVICEFILES.
                        #I124 Doing copy-only install of "ROOT\MFE_FIREHKMP\0004".
                        #-166 Device install function: DIF_REGISTER_COINSTALLERS.
                        #I056 Coinstallers registered.
                        #-166 Device install function: DIF_INSTALLINTERFACES.
                        #-011 Installing section [FirehkMP.ndi.Interfaces] from "c:\windows\inf\oem74.inf".
                        #I054 Interfaces installed.
                        #-166 Device install function: DIF_INSTALLDEVICE.
                        #I123 Doing full install of "ROOT\MFE_FIREHKMP\0004".
                        #I121 Device install of "ROOT\MFE_FIREHKMP\0004" finished successfully.
                        #-166 Device install function: DIF_PROPERTYCHANGE.
                        #I292 Changing device properties of "ROOT\MFE_FIREHKMP\0004".
                        #I163 Device not started: Device has problem: 0x13: CM_PROB_REGISTRY.
                        #I307 DICS_START: Device could not be started.

                         

                        This 0x13: CM_PROB_REGISTRY error repeats further.  Not sure why the device start failures occur though.

                         

                         

                        Typos corrected by: Kary Tankink on 10/21/10 3:32:15 PM CDT
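The log reading in reply 8, as an added example that is not part of the original thread or any McAfee tooling: a small Python triage pass over mcafeehip7_ndisinstall.log that flags the long gap after "Installing mfe_firehk..." and folds the signed-decimal and hex spellings of the error into one code. The sample input is constructed from the lines quoted above; the function names and the 5-minute stall threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: entries copied from the install log excerpts quoted in this thread.
SAMPLE_LOG = r"""
2010-10-18 01:51:30 INFO 688 Successfully modified reg value HKLM\System\CurrentControlSet\Control\Network\FilterClasses
2010-10-18 01:51:30 INFO 405 Installing mfe_firehk...
2010-10-18 02:21:29 INFO 942 ============== START ==============
2010-10-18 02:21:29 INFO 177 Uninstalling network component
2010-10-18 02:21:34 ERRO 481 Failed to get INetCfg, hr=0x8004a024
2010-10-18 02:21:34 ERRO 191 Error occured: -2147180508 (0x8004a024)
2010-10-18 02:21:34 ERRO 221 Failed to format the message!
2010-10-18 02:21:34 INFO 954 =============== END ===============
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\d+) (.*)$")

def parse(text):
    """Yield (timestamp, level, numeric field after the level, message) per entry."""
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), m.group(4)

def triage(text, stall=timedelta(minutes=5)):
    """Return stalled steps, ERRO messages and the distinct error codes seen."""
    stalls, errors, codes = [], [], set()
    prev = None
    for ts, level, _, msg in parse(text):
        # A long silence after a step means that step blocked (here: the driver install).
        if prev and ts - prev[0] >= stall:
            stalls.append((prev[1], ts - prev[0]))
        if level == "ERRO":
            errors.append(msg)
            codes.update(h.lower() for h in re.findall(r"0x[0-9a-fA-F]{8}", msg))
            # The same HRESULT is also logged as a signed 32-bit decimal; fold it to
            # hex so both spellings count as one code when comparing machines.
            for dec in re.findall(r"(?<![\w.])-\d+\b", msg):
                codes.add("0x%08x" % (int(dec) & 0xFFFFFFFF))
        prev = (ts, msg)
    return {"stalls": stalls, "errors": errors, "codes": sorted(codes)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run over logs collected from several machines, the `stalls` and `codes` fields give a quick way to tell whether failing installs share the same timeout and error code.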
                        • 9. Re: HIPS 7.0 install effectively killing connections

                          Yup - I found the same.  I actually opened an SR for this.  I will post up the solution when we get to one.
