8 Replies Latest reply on Oct 26, 2010 12:09 AM by Madan Branched to a new discussion.

    What is Mcafee HIPS?

      What is Mcafee HIPS? And how is it different from other antivirus software?

        • 1. Re: What is Mcafee HIPS?

          HIPS is Host Intrusion Prevention.  AntiVirus software provides protection against malware whereas, HIPS provides protection against OS and application vulnerabilities.  McAfee HIPS includes behavioral and signature based protection.

          • 2. Re: What is Mcafee HIPS?

            Thanks for the reply.

             

            I have seen HIPS doesnt allow to install/run most of the applications. What are the best practices i need to follow while developing an application in order to make it complaint with HIPS?

            • 3. Re: What is Mcafee HIPS?

              Madan,

               

               

              McAfee HIP is a very comprehensive Host Intrusion Prevention software and can be managed quite effectively.

               

              There are two types of the Application Protection settings, One is Learn mode and the other one is Adaptive mode hwich is the more on the aggressive side. Talking about your application. If you know for sure that this application is safe to be run, you just have to add it to the trusted list or allow it. Thats all and HIPS will not stop it. But yes, Initially it will give you many popups even when the slightest actions from that program but as and how you keep allowing it, it will create rules for the same and would not stop the functioning of the program.

               

              Please revert for any more information/clarification.

               

              Thank you

               

              Sameer

              • 4. Re: What is Mcafee HIPS?

                Sameer,

                 

                Thanks for the clarification.

                 

                I have seen the HIPS is blocking most of the software when it is registering dlls/modules (during installation).

                 

                When i was debugging one of the software during installation, I clearly observered the HIPS dlls are hooking to the MSI installer (msiexec.exe) and not allowing to register modules.

                 

                How can we avoid this? Do I need to add msiexec.exe to trust list? Typically all the software now a days use MSI installer, how can we distinguish?

                 

                -Madan

                • 5. Re: What is Mcafee HIPS?

                  Madan,

                   

                   

                  Please unlock the user interface of HIPS.

                   

                  Under the Application Protection settings change the settings to learn mode and do not select the Adaptive mode or if you want, you may keep both of them on as well.

                   

                  The moment you do this, You will see a lot of popups and I mean a lot because a slightest activity is blocked and your permission is asked. You would have to allow all the items that you trust and once you are done adding your preferred program in the allowed list, you are good to get back to the adaptive settings.

                   

                  I would not suggest you to add msiexec.exe as even a malware may take that route. Instead you might want to just add the actual program as and when it prompts for permission. You can also create rules for such programs so that they are allowed without bothering you for permission.

                   

                   

                  Thank you

                   

                  Sameer

                  • 6. Re: What is Mcafee HIPS?
                    Kary Tankink

                    When i was debugging one of the software during installation, I clearly observered the HIPS dlls are hooking to the MSI installer (msiexec.exe) and not allowing to register modules.

                     

                    How can we avoid this? Do I need to add msiexec.exe to trust list? Typically all the software now a days use MSI installer, how can we distinguish?

                     

                    There is an issue with Host IPS 7.0 and MSIEXEC.EXE.  This issue doesn't occur with all MSI-based software installations, but if you encounter MSI-based software installation issues.

                     

                    KB60391 - Third-party software fails to install with Host Intrusion Prevention 7.0 Patch 2 (or later) IPS module enabled

                     

                    https://kc.mcafee.com/corporate/index?page=content&id=KB60391

                     

                    • 7. Re: What is Mcafee HIPS?

                      The workaround suggests to exclude Microsoft installer from protection list. Does it cause a security problem?

                      • 8. Re: What is Mcafee HIPS?

                        Eventhough I added the program to the allowed list. I can see the following dlls are hooking to the application and observed the application malfunction.

                         

                        C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\hipi.dll
                        C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPQA.dll