4 Replies Latest reply on May 24, 2011 1:46 AM by StefanT

    HIPS 8 Not Sending Custom Signatures Alerts And ePO Can't See HIPS 8 Version

    StefanT

      I have a couple of issues after recently installing HIPS 8.

       

      I installed the HIPS 8 extension into my ePO 4.5 server and ran the policy migration wizard, but I have various issues:

       

      When looking at the HIPS Console there is no sign of the HIPS 8 clients I have installed; the client and content version fields are blank.

       

      None of my custom signatures created originally under HIPS 7 work. For example, I have a custom signature that monitors changes to the Hosts file. On a HIPS 8 client with the original HIPS 7 policies (migrated to HIPS 8) applied, when I make changes to trigger the signature nothing is sent: the Agent events folder doesn't receive the alert and of course nothing is passed to the ePO server.

       

      If I perform a double extension test then this bit works fine. (Shows alert in Threat Event Log of course, not in Host IPS 8.0)

       

      I also tried to remove the HIPS 7 extensions, but this then gave me errors in the HIPS console stating "This query cannot be displayed because it is in an invalid state".

       

      I have a call logged, but I can't run MER or present any of the logs etc. for security reasons.

       

      Anyone else had these issues or have any ideas?

       

      Stef

       

      Message was edited by: StefanT on 11/05/11 14:44:05 IST
        • 1. Re: HIPS 8 Not Sending Custom Signatures Alerts And ePO Can't See HIPS 8 Version
          RRMX

          I can't help for the custom signatures...

           

          I'm assuming by "HIPS Console" you mean that you have some queries or a dashboard on EPO that shows your HIP versions?

           

          If so, and you have a HIP query that is based on "Client Version", you need to either:

          • Make a separate query for HIPS 8.0 Client Versions, because the Client Version property is different for HIP 7 and 8

           

          Or...

          • Re-make your query to show HIP Product Versions instead of Client versions. It looks like the Product Version property is the only one that will show HIP 7 and HIP 8 clients in the same query.

           

          Let me know if this helps or if I misread your question.

          • 2. Re: HIPS 8 Not Sending Custom Signatures Alerts And ePO Can't See HIPS 8 Version
            StefanT

            Thanks for the reply, yes you guessed right, I meant the Hips Dashboard.

             

            I've tried your suggestion: if I modify the query to look at Product Version, I can see 8, but then 7 is not listed.

             

            Surely with the HIPS 8 extensions added there should be no need to modify anything? Otherwise every HIP query needs modifying, such as services running etc.

             

            Regards

             

            Stefan

            • 3. Re: HIPS 8 Not Sending Custom Signatures Alerts And ePO Can't See HIPS 8 Version
              RRMX

              To be more specific, when you are making HIP queries based on "Managed Systems" when you have both the 7.x and 8.x extensions checked in, there are 3 categories you can choose from:

               

              • Host Intrusion Prevention Properties
              • Host IPS 8.0 Properties
              • Host IPS Properties

               

              If you choose any of the properties from category 2 or 3, it will only show results from systems with either 7 or 8 installed, not both. If you want a query that shows both HIP 7 and 8 clients, you have to choose a property from the first category (Host Intrusion Prevention Properties):

              [Image: HIP-Product-Versions.JPG]

               

              A query based on this will show machines with both 7 and 8:

               

              [Image: HIP-Product-Versions-Query.JPG]

               

              And yes, unfortunately for all your other queries, you will have to make separate queries for them. I have no idea why they made it that way, because it makes it a lot more complicated.

              • 4. Re: HIPS 8 Not Sending Custom Signatures Alerts And ePO Can't See HIPS 8 Version
                StefanT

                Thanks for that, it does indeed allow me to see both versions.

                 

                I still have a few gaping holes though, as it still leaves the HIPS dashboards pretty unusable as they are: there is still no way (that I can see) to show content versions for both clients, service status etc. for both clients in a shared chart.

                 

                Some of my other issues relating to custom signatures not working are down to the fact that:

                 

                A) HIPS 7 to 8 policy migration randomly adds wildcard characters to the new file paths (apparently my fault, as they were incorrect to start with, but strangely they all worked on 7!)

                 

                B) HIPS 8 doesn't support some of the older 7 formats: full paths are now required for executables, registry paths have changed, some wildcard values appear not to work, etc.

                 

                So all in all a very disjointed product when it comes to running both HIPS 7 and HIPS 8 on the same ePO system.

                 

                Stef