10 Replies Latest reply on Apr 10, 2012 12:22 PM by oliver

    HIPS 8.0

      I have a test deployment of HIPS 8 which is being controlled by a McAfee ePO server running version 4.6. I can see some traffic and intrusion events on the HIPS console in the Activity log section, but I cannot see the same on the ePO server. Could anyone suggest what could be the possible reason for this?

        • 1. Re: HIPS 8.0
          Kary Tankink

          HIPS Firewall traffic event is not sent to the ePO server.  IPS Events (Attack Type messages in the Activity log) are sent to ePO server.  In the ePO console, make sure you are looking at the MENU -> Reporting -> Host IPS 8.0 events (not Host IPS, which is for HIPS 7.0).

          • 2. Re: HIPS 8.0

            Hi Kary,

            Thanks for the reply. I have been attacking a test machine with HIPS 8.0 deployed on it. While I monitored the activity logs, I realised that all the intrusion attacks I launched were being caught by the Firewall and not the IPS module, hence I don't have any IPS logs. Could you kindly suggest what kind of intrusion attacks I should launch, or is there any policy that I would have to put in place (maybe at the ePO), or could you point me towards any attack tool that I could use to try and test my HIPS installation?

            • 3. Re: HIPS 8.0
              Kary Tankink

              A simple test that I typically will use to test the Host IPS module is Signature 413 (Suspicious Double File Extension Execution).  Make a copy of an executable, like notepad.exe, and rename it to notepad.com.exe.  Signature 413 will trigger and if you have HIGH PREVENT mode enabled, it will block you from running this renamed Notepad file (or just log the event if you have HIGH LOG mode enabled).

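To make the Signature 413 test above concrete from the defender's side, here is an added example (not McAfee's code, and not the actual criteria of signature 413, which the thread does not spell out) that flags file names with a suspicious double extension such as notepad.com.exe and maps the HIGH PREVENT / HIGH LOG modes mentioned in the reply to an action. The extension lists and the sample paths are assumptions constructed for the example, and the check generalises beyond the single notepad.com.exe case.

```python
import re

# Assumed list of extensions Windows treats as directly executable.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
# Assumed list of "inner" extensions used to disguise an executable
# (notepad.com.exe, invoice.pdf.exe, ...).
DISGUISE_EXTS = {"com", "txt", "pdf", "doc", "docx", "jpg", "jpeg",
                 "png", "xls", "xlsx", "zip"}


def suspicious_double_extension(path: str) -> bool:
    """True when the base name ends in <name>.<disguise>.<executable>."""
    base = re.split(r"[\\/]", path)[-1].lower()
    parts = base.split(".")
    if len(parts) < 3:          # needs a name plus two extensions
        return False
    inner, outer = parts[-2], parts[-1]
    return outer in EXECUTABLE_EXTS and inner in DISGUISE_EXTS


def evaluate(path: str, mode: str = "HIGH PREVENT") -> str:
    """Action a host IPS in the given mode would take on executing `path`.

    "block" mirrors HIGH PREVENT, "log" mirrors HIGH LOG; anything that
    does not match the rule is simply allowed.
    """
    if not suspicious_double_extension(path):
        return "allow"
    return "block" if mode.upper() == "HIGH PREVENT" else "log"


def triggered(paths):
    """Subset of `paths` that would raise the double-extension rule."""
    return [p for p in paths if suspicious_double_extension(p)]


# Constructed sample file names, not telemetry from a real host.
SAMPLE = [
    r"C:\Users\test\notepad.com.exe",     # the test from the reply above
    r"C:\Windows\notepad.exe",            # ordinary executable
    r"C:\Users\test\invoice.pdf.exe",     # classic disguised executable
    r"C:\Users\test\report.final.docx",   # two dots, not executable
    r"C:\Users\test\archive.tar.gz",      # benign double extension
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{evaluate(p, 'HIGH PREVENT'):5s}  {p}")
```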
              • 4. Re: HIPS 8.0

                Thanks Kary, that was very helpful. Under the intrusion events, I now have Sig Id 413, 1148 and 344, which is good enough for my testing.

                I can see these events on the HIPS console on my client machine, but I can't see them on the ePO. I used the McAfee Agent monitor to send the events over to the ePO, but I can't see them there. Any ideas?

                • 5. Re: HIPS 8.0
                  Kary Tankink

                  Make sure you are looking at the HIPS 8.0 Event section, not HIPS 7.0.  Select My Organization and set the Filter on the right to This group and all subgroups.

                  In the ePO console, make sure you are looking at the MENU -> Reporting -> Host IPS 8.0 events (not Host IPS, which is for HIPS 7.0).

                  The events should be sent to ePO and processed by the Event Parser to be viewed in the ePO console.

                  • 6. Re: HIPS 8.0

                    I have quite a few events on the HIPS 8.0 console, but I noticed that none of them reflect on the ePO server. I looked under MENU->Reporting->HostIPS8.0 and there are no events there. I got into the database to see if there were any HIPS events, but I couldn't see any. Any ideas?

                    • 7. Re: HIPS 8.0
                      Kary Tankink

                      oliver wrote:

                      I looked under MENU->Reporting->HostIPS8.0 and there are no events there.

                      Did you set the filter to This group and all subgroups?  If you are at the My Organization level, you'll want to look at all events including subgroups, not just the events at the My Org level.

                      • 8. Re: HIPS 8.0

                        I did set the filter to "This Group and all subgroups" and I can't see events collected by the HIPS. I can see a couple of events collected by the VirusScan product.

                        • 9. Re: HIPS 8.0
                          Kary Tankink

                          I would ask that you open a Service Request with McAfee Support to have this looked at further.
