I can't help for the custom signatures...
I'm assuming by "HIPS Console" you mean that you have some queries or a dashboard on EPO that shows your HIP versions?
If so, and you have a HIP query that is based on "Client Version", you need to either:
- Make a separate query for HIPS 8.0 Client Versions, because the Client Version property is different for HIP 7 and 8
- Re-make your query to show HIP Product Versions instead of Client versions. It looks like the Product Version property is the only one that will show HIP 7 and HIP 8 clients in the same query.
Let me know if this helps or if I misread your question.
Thanks for the reply, yes you guessed right, I meant the Hips Dashboard.
I've tried your suggestion, if I modify the query to look at Product version, I can see 8 but then 7 is not listed.
Surely with the HIPS 8 extensions added there should be no need to modify anything? Otherwise every HIP query needs modifying such as services running etc...
To be more specific, when you are making HIP queries based on "Managed Systems" when you have both the 7.x and 8.x extensions checked in, there are 3 categories you can choose from:
1. Host Intrusion Prevention Properties
2. Host IPS 8.0 Properties
3. Host IPS Properties
If you choose any of the properties from category 2 or 3, it will only show results from systems with either 7 or 8 installed, not both. If you want a query that shows both HIP 7 and 8 clients, you have to choose a property from the first category (Host Intrusion Prevention Properties):
A query based on this will show machines with both 7 and 8:
And yes, unfortunately for all your other queries, you will have to make separate queries for them. I have no idea why they made it that way, because it makes it a lot more complicated.
Thanks for that, it does indeed allow me to see both versions.
I still have a few gaping holes though as it still leaves the HIPS dashboards pretty unusable as they are, there is still no way (that I can see) to show content versions for both clients, service status etc for both clients in a shared chart.
Some of my other issues relating to custom signatures not working is down to the fact that:
A) HIPS 7 to 8 policy migration randomly adds wildcard characters to the new file paths (apparently my fault as they were incorrect to start with but strangely they all worked on 7!)
B) HIPS 8 doesn't support some of the older 7 formats, full paths now required for executables, registry paths have changed, some wildcard values appear not to work etc
So all in all a very disjointed product when it comes to running both HIPS 7 and HIPS 8 on the same ePO system.