3 Replies Latest reply on Apr 26, 2012 1:06 PM by Kary Tankink

    HIPS 7.0 Questions about agent working

      Hi, I am new to this technology but I have a question about HIPS 7.0.

       

      If a critical vulnerability is covered by a Microsoft fix, and this fix is installed on the client, can the agent read the list of all fixes installed on this client?

       

      I have an event triggered on the ePO console regarding a vulnerability, but the relevant patch is installed on the client.

       

      So my question is:

      Why was the event triggered even if the security patch was installed? And, if possible, I would like to know a few more details on how the triggering of the signature works.

       

      Thanks in advance

       

       

      Message edited by gazzanet on 11/02/11 6.04.07 CST
        • 1. Re: HIPS 7.0 Questions about agent working
          Kary Tankink
          If a critical vulnerability is covered by a Microsoft fix, and this fix is installed on the client, can the agent read the list of all fixes installed on this client?


          No, Host IPS does not detect if a Microsoft hotfix/patch is applied to disable a particular Signature.  Please submit a PER for this.

           

           

          So my question is:

          Why was the event triggered even if the security patch was installed? And, if possible, I would like to know a few more details on how the triggering of the signature works.

           

          Depending on the signature, it can still be violated even if the vulnerability is closed.  KB70810 is a good example of this.  Signature 3776 monitors for a specific ActiveX control being used (the control was used for an older vulnerability).  If the vulnerability is closed, the signature will still violate if it finds the ActiveX control being used.

          • 2. Re: HIPS 7.0 Questions about agent working

            @ Kary,

             

            If the MS10-090 patch is applied and the Sign 3776 disabled, will it still trigger the event?

             

            Thanks

            Suhayl

            • 3. Re: HIPS 7.0 Questions about agent working
              Kary Tankink

              If a Host IPS signature is Disabled, the signature will not trigger.