What is the HIPS extension version you are using ?
Now, my question is what would cause some information, like the group and assignment path, to disappear from the event info after the ma is reinstalled? And, is there a way to remediate it?
I could be wrong (but your comments seem to support this), but this could be due to reinstalling the McAfee Agent and assigning a new GUID value to that particular node in the ePO database. Events are tied to the node's GUID, and if that GUID is changing, it's technically a new node (even if the node's hostname is the same). Check the node's McAfee Agent GUID and see if it's changing. If you are completely uninstalling (or doing a /forceinstall) of the McAfee Agent, I do believe a new GUID will be assigned to the system.
McAfee Agent GUID = unique node identifier value in the ePO database
HIPS 188.8.131.520 Patch 6
I agree that the GUID may be the issue here. But, it would seem ePO would record a snapshot of data at the time of the event; here are the statistics for the host when this triggered. That would be the logical thing as far as forensics is concerned. Maybe McAfee opted for another solution because of database storage concerns.
And, what if a host is removed from the network? Would ePO say I don't have anything on this host because I can't find it? I've never seen that. My colleague and I are trying to remember if we've seen this happen before. But, it appears to be a new development.
I was able to do more extensive testing because we manage several ePO servers on multiple networks. The same thing happened across the board. So, it is definitely something inherent in software, and not a 'glitch' on a particular ePO server.
The bigger issue overall is the problem where existing exceptions suddenly fail to work on some hosts. It's something the McAfee engineers haven't been able to answer for us in the last six months. It's been a big concern for us especially for servers. If exceptions stop working on DCs or Exchange servers that becomes a major problem. You can try altering an exception slightly, or deleting it and creating a new one. Or reinstall HIPS (that poses another issue when some hosts fail to reinstall). The drastic step is to remove everything, drop the host, then add it again and start over.
But, this missing host data is a concern when we're doing trending or looking at possible attacks on a certain group of hosts. We get frequent requests to investigate newly discovered threats/vulnerabilities, so history beyond 24 hours is important for us.
I would try using the latest HIPS extension 7.0.5 (included in Patch 8).
Also the latest ePO 4.0 patch might help if not already installed.
Then recheck the behaviour ...
We're already on ePO 4.0 Build 1333 (Patch 6). I'm going to try HIPS patch 7. We're not currently authorized to move to Patch 8 until completion of testing. Although, the word I'm getting is that this is most likely on the ePO side.
We found a couple of file servers that we'd been forced to reinstall the ma on earlier this year. I did some queries on those to see if there was any system information missing from events prior to the install. That group information remained associated with events after the ma reinstall.
It looks like this is something recent, maybe a small update somewhere below the patch-level type. So far I'm unable to determine just when this started.
I don't see anything concerning ePO 4.5 that addresses this. We're moving to it in the near future.
Latest pacth for ePO 4.0 is patch 7.
And don´t forget that I not meant an actual HIPS client software patch.
I meant the extension used inside ePO which is e.g. responsible for creating tables, registering events etc. There is an updated one available within the HIPS clients patch 8 package.
I'd forgotten that they released a new patch in Sept. I'm going to run it on my test server this weekend to make sure nothings flaky then throw it on our production servers. I've added the latest extensions for HIPS, but so far we're still seeing the same thing. Our other problem of hosts not enforcing policies is actually helping me work on this issue. Who'd a thunk it.