We are getting problems installing the ConfigMgr 2007 agent and it appears to be HIPS, as we can install without any problems when we disable HIPS. The issue is that msiexec is trying to register DLLs, which HIPS doesn't like. Strange thing is that 75% of machines install OK even with HIPS installed.
I just wanted to confirm that there are only 3 answers to our problem:
Don't use McAfee - We cannot do that one
Exclude msiexec (Windows Installer) - We would not be allowed to do that one
Upgrade to HIPS v8 - We are currently running version 7. Can anyone confirm that v8 will definitely fix the problem? And if so, how is v8 different that it now allows DLL registration by msiexec?
HIPS 7.0 has an architecture issue with msiexec.exe. This has been resolved in HIPS 8.0. The only workarounds with HIPS 7.0 are to disable the Host IPS module when performing any MSI-based actions, or implement the workaround in the below KB article.
See: KB60391 - Third-party software fails to install with Host Intrusion Prevention 7.0 IPS module enabled
Thanks for your response. I'd be interested to know why 75% of installations succeed. Does HIPS use some kind of fuzzy logic to detect the number of DLL registrations within a given amount of time?
It has to do with the process injection into short-lived msiexec processes. Sometimes msiexec spawns non-short-lived processes and HIPS handles those threads fine.
Thanks - We are unable to install V8. Therefore it appears that disabling the Host IPS module temporarily for the duration of the install is the only way we can do this.
Do you have a KB article that describes how to do this? Remembering that the service is configured to be unstoppable and unpausable - we are looking to create an MSI wrapper that programmatically disables HIPS, installs the agent, then re-enables HIPS. This MSI will run under the SYSTEM context during machine startup. So we need actual programming sequence code - is that available? I'm thinking that it may be a regedit then stopping service(s)?
After a bit more digging, would I be able to do this by downloading the ClientControl utility, executing a /stop, installing my agent, then executing a /start?
Yes, the Host IPS ClientControl tool is the utility I would recommend using.
PD22145 - Host Intrusion Prevention - Client Control Utility information
Thanks Kary - You have been enormously helpful!
One last thing - To run this utility with the /stop switch you need a password. What tool is used to find/set this password? Is it a password that stays the same until you reset it or is it a password that automatically changes on a regular basis? All the doco says is that it is an "administrator or time based" password.
Yes, it is the HIPS Administrator password set by ePO policy or a generated time-based password.
Sorry to trouble you again - our security team has never dealt with this before and are having trouble finding this in their documentation.
Exactly how do you generate a time-based password for use by the ClientControl utility and how long does the password last? Is the time also configurable? Do you have a link to any doco that describes in detail how to configure the time-based password please?