4 Replies Latest reply on Apr 3, 2012 5:55 PM by Kary Tankink

    HIPS 8.0 learned Client Rules not showing in ePO 4.6

    sporcello

      We have a couple test machines with HIPS 8.0 installed with adaptive mode enabled and set to retain client rules. IPS events are sent to ePO, however the rules learned from adaptive mode on the client do not show up under the "IPS Client Rules" in ePO under Menu -> Reporting -> Host IPS 8.0. I have no creation time filter on and the drop-down filter is set to This Group and All Subgroups.

       

      I know the clients are learning rules because I can see them populate in the local HIPS console. Only HIPS is enabled, the firewall is currently disabled and the clients are set to retain learned rules. The agent communicates with ePO just fine (that's how the IPS events are visible in ePO), I just cannot see the learned Client Rules.

       

      Does anyone have any ideas what may be causing this? I believe everything is configured correctly to be able to see them in ePO.

        • 1. Re: HIPS 8.0 learned Client Rules not showing in ePO 4.6
          Kary Tankink

          Try: KB58949 - Host Intrusion Prevention client rules do not display in the ePO console

          • 2. Re: HIPS 8.0 learned Client Rules not showing in ePO 4.6
            sporcello

            All managed clients already send full properties to the ePO server every time they communicate with ePO; this has been checked in our Agent policy since we deployed the new ePO server.

             

            Message was edited by: sporcello on 3/23/12 1:32:51 PM CDT
            • 3. Re: HIPS 8.0 learned Client Rules not showing in ePO 4.6
              sporcello

              I found my answer in another post (https://community.mcafee.com/message/150205#150205)

               

               

              1. Client rules created locally on the client (manually or via adaptive/learn mode).

              2. McAfee Agent sends those rules to ePO server via ASCI (full property collection must be enabled in McAfee Agent policy; not minimal property collection).

              3. Client node properties in ePO console show FirewallRuleList{#} and ProcessList{#} entries for client-side rules.

              4. Host IPS Property Translator task runs (automatically inside the ePO database every 15 minutes).  ePO server Property Translator task is used if you wish to run the task immediately and not wait 15 minutes.

              5. Firewall and App Blocking Client Rules section (in the ePO Reporting, Host IPS section of the menu) is populated with local client-side rules.

              6. Client Rules can then be added to your policy, as desired.

               

              The server task "Host IPS Property Translator" was disabled for some reason, and this was not populating the database with learned client rules. I ran it once and the table was populated so I just enabled it to run every hour.

              • 4. Re: HIPS 8.0 learned Client Rules not showing in ePO 4.6
                Kary Tankink
                > The server task "Host IPS Property Translator" was disabled for some reason, and this was not populating the database with learned client rules. I ran it once and the table was populated so I just enabled it to run every hour.

                The Host IPS Property Translator server task should be left disabled, as it's only meant to be run manually if you don't want to wait 15 minutes for the database task to run.  The Property Translator task already runs within the ePO database itself every 15 minutes (you don't see anything in the ePO console).  Enabling the server task will duplicate the work that's being done for client rules, and might cause resource issues for the ePO server.

                 

                If you aren't seeing the client rules populate automatically without the server task enabled and running regularly, you might need to have McAfee Support troubleshoot your ePO server further to find out why.