I know that in
Host Intrusion Prevention Signature 2224 may cause Internet Explorer browser termination or hang... is that what's happening?
No, my issue is that a lot of the traffic I’m trying to block is being allowed. I want to block FTP in/out for some clients. I was trying to block Firefox from working on port 80 (just testing this rule). I eventually created an IPS signature to block Firefox from launching. My concern was that a lot of traffic is being allowed out that I want to block. I know the McAfee NDIS driver is working because I disabled it in Device Manager and all traffic is stopped.
Is there a way to figure out what policy is allowing the network activity to pass?
By policy, I assume you meant rule. Review the Host IPS Client UI Activity Log for allowed and blocked traffic. For each event, the firewall rule name will be at the very end (right side) of the event. This will tell you exactly what firewall rule is allowing or blocking the network traffic. Enable the respective logging option in the Activity Log: "Log all blocked" and/or "Log all allowed", depending on what you are looking for.
I'm not sure now how to figure out what the policy ID it's referencing.
These policy IDs are the firewall rules inside the HIPS process space. There is no reference to them in the policy or locally on the system. They are not used for customer troubleshooting. Use the HIPS Activity Log to troubleshoot firewall allowed/blocked traffic.
I was initially looking at the HIPS Activity log but it is part of the issue. It is not logging any of the traffic. I have it checked to log both blocked and allowed. Because I couldn't see anything in the activity log, I started looking at other logs. My next guess was the install was not working correctly. So I reinstalled the client and also installed HIPS 8.0 on another laptop. The activity log on both laptops didn't show anything so I figured it had to be policy related.
Also, you said you enabled all the options, but make sure that the Traffic option is enabled under the Filter Options section of the Activity log. If you have the Firewall enabled, and you aren't seeing any firewall events being logged in the Activity log while both Log all blocked and Log all allowed are enabled, then you might need to open a support ticket. The HIPS Activity log is the best log to review for firewall rule issues.
I do have both Filter Options checked. I have opened a support ticket.
Thanks for your help,