18 Replies. Latest reply on Aug 1, 2012 1:47 PM by brentil

    HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch

    JeffGerard

      I am looking for some input here...

      My scenario:

      HIPS7 in production and testing HIPS8 in mixed environment.

      Per content update instructions, I have moved my HIPS 8 Content to eval branch and created a new McAfee Agent policy to pull hips content updates for HIPS8 clients from eval branch.

      I applied the 3740 content update manually to my eval branch and my results were as follows:

      6 test machines, 3 of which are Windows XPSP3 and Win7 x86 machines and the other 3 are Win7 x64. All 6 machines have identical ePO policies for all products installed.

      All 3 x86 machines updated fine from eval but the 3 x64 machines fail on update. If I move the content update to current branch and change the McAfee Agent policy back to pull from current, the update installs fine.

       

      Can anyone else confirm if they experience this as well?

       

      I have opened an SR with McAfee but thus far they are claiming they have heard of no issues with x64 pulling updates from eval.

        • 1. HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
          brentil

          I as well am experiencing this issue.  The W7 64bit machines are not installing the newest signature updates, they report failure on the actual install.

           

           

          This is the error I have in the HIPS8 Helper.log

          02/23/2011 09:08:52 Helper.cpp[850]    ERROR    (7560) Helper::doUpdateDriver() failed to copy C:\ProgramData\McAfee\Common Framework\Current\ENCPTCNT6000\DAT\0000\x64Release\FireNfcp.sys to C:\Windows\system32\drivers\FireNfcp.sys - error code: 0x3.

          02/23/2011 09:08:52 Helper.cpp[894]    ERROR    (6644) Helper::doBackupRestoreDriver() failed to restore FireNfcp.sys - error code: 0x2.

           

           

          This is the error from the McScript.log

          2011-02-23 09:08:50    I    #5520    ScrptMgr    Searching available updates for HIPS Content 8.0.0.3753.

          2011-02-23 09:08:50    I    #5520    ScrptMgr    Downloading PkgCatalog.z.

          2011-02-23 09:08:50    I    #5520    imsite        Download to: C:\ProgramData\McAfee\Common Framework\Evaluation\ENCPTCNT6000\DAT\0000\PkgCatalog.z

          2011-02-23 09:08:50    I    #5520    imsite        Download from: (ePO_NETAPP) Evaluation/ENCPTCNT6000/DAT/0000/PkgCatalog.z

          2011-02-23 09:08:50    I    #5520    naInet    Open URL: http://10.100.100.200/Software/Evaluation/ENCPTCNT6000/DAT/0000/PkgCatalog.z

          2011-02-23 09:08:50    I    #5520    ScrptMgr    Verifying PkgCatalog.z.

          2011-02-23 09:08:50    I    #5520    ScrptMgr    Extracting PkgCatalog.z.

          2011-02-23 09:08:50    I    #5520    ScrptMgr    Loading update configuration from: PkgCatalog.xml

          2011-02-23 09:08:51    I    #5520    ScrptMgr    Verifying EceptHelper.mcs.

          2011-02-23 09:08:51    I    #5520    ScrptMgr    Verifying EceptCntIns.mcs.

          2011-02-23 09:08:51    I    #5520    ScrptMgr    Starting DAT update.

          2011-02-23 09:08:51    I    #5520    ScrptMgr    Setting the working dir as C:\ProgramData\McAfee\Common Framework\Evaluation\ENCPTCNT6000\DAT\0000

          2011-02-23 09:08:51    I    #5520    ScrptMgr    Loading and parsing:  C:\ProgramData\McAfee\Common Framework\Evaluation\ENCPTCNT6000\DAT\0000\EceptCntIns.mcs

          2011-02-23 09:08:51    I    #5520    UpdatePlugin    Initializing update plugin: {B844890B-EEF4-4821-8EBC-0CC9C7EB09EA}

          2011-02-23 09:08:52    I    #5520    UpdatePlugin    QI:succeeded on McAfeePointProduct Update Plugin Interface.

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Verifying agent-windows.zip.

          2011-02-23 09:08:52    I    #5520    MueEep    Invoking events withEventId " 0" Severity " 0" Productid " " Locale " " UpdateType " " UpdateError " 0" New Version " " Date Time " " Script Id" 12368"

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Pre-notifying for DAT update.

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Setting the working dir as C:\Program Files\McAfee\Host Intrusion Prevention

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Setting the working dir as C:\ProgramData\McAfee\Common Framework\Evaluation\ENCPTCNT6000\DAT\0000

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Setting the working dir as C:\Program Files\McAfee\Host Intrusion Prevention

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Copying agent-windows.zip.

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Setting the working dir as C:\Program Files (x86)\McAfee\Host Intrusion Prevention

          2011-02-23 09:08:52    I    #5520    ScrptExe    Running "C:\Program Files\McAfee\Host Intrusion Prevention\Helper" /updateDriver

          2011-02-23 09:08:52    I    #5520    ScrptExe    Running "C:\Program Files\McAfee\Host Intrusion Prevention\Helper" /updateDriver

          2011-02-23 09:08:52    I    #5520    ScrptExe    Did not match searched path

          2011-02-23 09:08:52    I    #5520    ScrptExe    Executing "C:\Program Files\McAfee\Host Intrusion Prevention\Helper" /updateDriver

          2011-02-23 09:08:52    I    #5520    ScrptExe    Running "C:\Program Files\McAfee\Host Intrusion Prevention\Helper" /restoreDriver

          2011-02-23 09:08:52    I    #5520    ScrptExe    Running "C:\Program Files\McAfee\Host Intrusion Prevention\Helper" /restoreDriver

          2011-02-23 09:08:52    I    #5520    ScrptExe    Did not match searched path

          2011-02-23 09:08:52    I    #5520    ScrptExe    Executing "C:\Program Files\McAfee\Host Intrusion Prevention\Helper" /restoreDriver

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Post-notifying for DAT update.

          2011-02-23 09:08:52    I    #5520    MueEep    Invoking events withEventId " 0" Severity " 0" Productid " " Locale " " UpdateType " " UpdateError " 0" New Version " " Date Time " " Script Id" 12368"

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Setting the working dir as C:\ProgramData\McAfee\Common Framework\Evaluation\ENCPTCNT6000

          2011-02-23 09:08:52    I    #5520    ScrptMgr    Update failed to version DAT 8.0.0.3753.

          2011-02-23 09:08:52    I    #5520    MueEep    Invoking events withEventId " 0" Severity " 4" Productid " HOSTIPS_8000" Locale " 0409" UpdateType " DAT" UpdateError " -1" New Version " 8.0.0.3753" Date Time " " Script Id" 12368"

          2011-02-23 09:08:52    I    #5520    ScrptUtl    Always use %%VariableName%% to dereference a variable.

          2011-02-23 09:08:52    I    #5520    ScrptUtl    Continuing in backward compatibility mode for syntax ….

           

           

          In the Agent_usernam.log is the following.

          2011-02-23 09:08:50    i    #9116    Updater    Searching available updates for HIPS Content 8.0.0.3753.

          2011-02-23 09:08:50    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:50    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:50    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:50    i    #9116    Updater    Downloading PkgCatalog.z.

          2011-02-23 09:08:50    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:50    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:50    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:50    i    #9116    Updater    Verifying PkgCatalog.z.

          2011-02-23 09:08:50    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:50    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:50    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:50    i    #9116    Updater    Extracting PkgCatalog.z.

          2011-02-23 09:08:50    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:50    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:50    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:50    i    #9116    Updater    Loading update configuration from: PkgCatalog.xml

          2011-02-23 09:08:50    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:51    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:51    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:51    i    #9116    Updater    Verifying EceptHelper.mcs.

          2011-02-23 09:08:51    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:51    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:51    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:51    i    #9116    Updater    Verifying EceptCntIns.mcs.

          2011-02-23 09:08:51    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:51    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:51    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:51    i    #9116    Updater    Starting DAT update.

          2011-02-23 09:08:51    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:52    i    #9116    Updater    Verifying agent-windows.zip.

          2011-02-23 09:08:52    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing event information

          2011-02-23 09:08:52    I    #9116    Uec    Done processing event  information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:52    i    #9116    Updater    Pre-notifying for DAT update.

          2011-02-23 09:08:52    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:52    i    #9116    Updater    Copying agent-windows.zip.

          2011-02-23 09:08:52    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:52    i    #9116    Updater    Post-notifying for DAT update.

          2011-02-23 09:08:52    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing event information

          2011-02-23 09:08:52    I    #9116    Uec    Done processing event  information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing progress information

          2011-02-23 09:08:52    i    #9116    Updater    Update failed to version DAT 8.0.0.3753.

          2011-02-23 09:08:52    I    #9116    Uec    Done processing progress information

          2011-02-23 09:08:52    I    #9116    Uec    Received ipc data from mue

          2011-02-23 09:08:52    I    #9116    Uec    Processing event information

          2011-02-23 09:08:52    I    #9116    UpdEvents    Generating update event:EventId=2402:Severity=4:ProductId=HOSTIPS_8000:Locale=0409:UpdateType=DAT :UpdateError=-1:NewVersion=8.0.0.3753:DateTime=

          2011-02-23 09:08:52    I    #9116    UpdEvents    EpoEventInf Interface: Event element created.
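
Added example, not part of the post above and not McAfee tooling: a small parser that correlates the Helper.log errors with the McScript.log download path. It assumes the Helper.log codes are plain Win32 error codes, and its input is a trimmed copy of the lines posted above.

```python
import re

# Trimmed copies of the Helper.log and McScript.log lines posted above.
HELPER_LOG = r"""02/23/2011 09:08:52 Helper.cpp[850]    ERROR    (7560) Helper::doUpdateDriver() failed to copy C:\ProgramData\McAfee\Common Framework\Current\ENCPTCNT6000\DAT\0000\x64Release\FireNfcp.sys to C:\Windows\system32\drivers\FireNfcp.sys - error code: 0x3.
02/23/2011 09:08:52 Helper.cpp[894]    ERROR    (6644) Helper::doBackupRestoreDriver() failed to restore FireNfcp.sys - error code: 0x2."""
MCSCRIPT_LOG = r"""2011-02-23 09:08:50    I    #5520    imsite        Download to: C:\ProgramData\McAfee\Common Framework\Evaluation\ENCPTCNT6000\DAT\0000\PkgCatalog.z
2011-02-23 09:08:52    I    #5520    ScrptMgr    Update failed to version DAT 8.0.0.3753."""

# Assumption: the helper logs standard Win32 error codes.
WIN32 = {0x2: "ERROR_FILE_NOT_FOUND", 0x3: "ERROR_PATH_NOT_FOUND"}

# Repository branch directory under the agent's data folder.
BRANCH = re.compile(r"\\Common Framework\\(Current|Evaluation|Previous)\\", re.I)
HELPER_ERR = re.compile(
    r"ERROR\s+\(\d+\)\s+(Helper::\w+)\(\)\s+(.*?)\s+-\s+error code:\s+(0x[0-9a-fA-F]+)")
DOWNLOAD = re.compile(r"Download to:\s+(.+)$")


def helper_errors(text):
    """Return one dict per Helper.log ERROR line: function, code, name, branch."""
    out = []
    for line in text.splitlines():
        m = HELPER_ERR.search(line)
        if not m:
            continue
        code = int(m.group(3), 16)
        b = BRANCH.search(m.group(2))
        out.append({"func": m.group(1), "code": code,
                    "name": WIN32.get(code, "UNKNOWN"),
                    "branch": b.group(1).capitalize() if b else None})
    return out


def download_branches(text):
    """Return the set of branches the agent downloaded package files into."""
    found = set()
    for line in text.splitlines():
        m = DOWNLOAD.search(line)
        b = BRANCH.search(m.group(1)) if m else None
        if b:
            found.add(b.group(1).capitalize())
    return found


def branch_mismatch(helper_text, mcscript_text):
    """Branches the helper read from that the agent never downloaded into."""
    used = {e["branch"] for e in helper_errors(helper_text) if e["branch"]}
    return sorted(used - download_branches(mcscript_text))


if __name__ == "__main__":
    for e in helper_errors(HELPER_LOG):
        print(e)
    print("helper read from un-downloaded branch:", branch_mismatch(HELPER_LOG, MCSCRIPT_LOG))
```

On the posted lines this reports that Helper tried to copy the driver from the Current branch directory while the agent had downloaded the package into Evaluation, which is consistent with the 0x3 (path not found) on the copy.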

          • 2. HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
            JeffGerard

            Forgot to mention...McAfee has confirmed that this is a bug.

            • 3. HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
              brentil

              Is there a manual process that can be done to update it or an ETA on a fix?

              • 4. HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
                JeffGerard

                Short and sweet...no and nope

                 

                I snooped around the knowledge base and found nothing on the subject so emailed the contact from my case to see if he could find out if there was a manual workaround.  I also asked for an update so hopefully I'll get some kind of eta but I am guessing it won't be for a while.

                 

                To be honest, other than my issue with queries/hips8 property translator not working again, the client itself is so much better I will likely go live with it replacing hips7 in the very near future.

                • 5. HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
                  brentil

                  I'm wondering if this is actually just an error to fail reporting the correct version.  I have 64bit machines reporting HIPS alert 6015 which was an alert added in 3753 yet those machines still show 3709 as being installed.

                  • 6. HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
                    JeffGerard

                    If you look at the client itself, does it show 3709 or a newer content update? I have also run into reporting issues where the queries are not pulling current data.  The Host IPS 8 Property Translator task also fails to run.  Could you maybe try to force run that in your environment and see if it fails or not?  This server task does nothing more than populate the client events/rules fields and normally runs quietly in the background but you can force it with the task in server tasks that gets automagically created when installing the HIPS extensions.

                    • 7. Re: HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
                      brentil

                      Yeah, the clients are still showing the 3709 versions.

                       

                      Any movement on this?  Now that the official HIPS content files are all HIPS8 content files it would be nice if they actually installed correctly on HIPS8 systems...

                      • 8. Re: HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
                        JeffGerard

                        Here's what I know...

                        The x64 issue was solved by a subsequent content dat update.  All machines now update from eval or current without issue.  If you do have machines stuck at 3709, remove hips and reinstall.  I have found a few machines with this problem and a simple R&R resolves it.

                         

                        on 11/05/11 10:29:41 CDT AM
                        • 9. Re: HIPS 8 Content Updates on 64-bit Windows thru Evaluation Branch
                          brentil

                          I tried removing and reinstalling it on the machines having the issues and they still report the same failure to install.  I looked into the content files and figured out how to manually install the files to the file system.  Doing that showed what I was leaning towards believing and that is that the update partially installed.  The new content signatures and some of the DLLs were in place but others were not.  I shut down the services and updated all of the files from the content file and started them back up.  It still reports 3709 but I may need to reboot to get it to clear any cached values.

                           

                          Message was edited by: brentil on 5/11/11 3:00:46 PM GMT-05:00