1 Reply Latest reply on Aug 8, 2012 5:15 PM by Kary Tankink

    HIPS blocking status not reporting correctly

      ePO 4.5 Patch 5

      HIPS 7.0.0.1149


      I have a group with ~1000 servers (Win 2008 R2, Win 2003) in it. Of those 1000 servers ~200 are not reporting as blocking High, medium, or low events. The policy "Maximum Protection" (Block high, medium, low enforced) is applied to the group with no broken inheritance. The HIPS service is running, and HIPS is enabled. All systems are checking in and waking up, but the ~200 will not report HIPS as blocking high/medium or low signatures.


      In the Host Intrusion Prevention details for the systems, the CounterMeasures section reports PreventHigh, PreventLow, PreventMedium as 0; 100 meaning those are not enabled, or not reported as enabled at any rate. I have no way to verify if the systems are actually blocking events correctly and just reporting incorrectly.


      Any thoughts?

        • 1. Re: HIPS blocking status not reporting correctly
          Kary Tankink

          Check to see if HIPS is actually triggering violations.  Copy/rename notepad.exe to notepad.com.exe, and run it.  This should trigger Signature 413 in the Activity log, as well as create events for it locally on the system in the McAfee Agent directory (.\DB\AgentEvents directory); you should see XML files get created when the signature triggers, and then disappear as the event is sent to the ePO server for reporting purposes.
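An added helper script (not from the thread and not McAfee's own tooling) that automates the spool check described in the reply: it watches the agent's AgentEvents directory while you run the notepad.com.exe test, reports each XML event file as it appears and as the agent picks it up for upload to ePO, and keeps a copy so the event can be inspected for the signature afterwards. The default agent path, the keep directory and the timeout are assumptions; adjust them to your install.

```powershell
# Added example: poll the McAfee Agent event spool during a HIPS trigger test.
param(
    # Assumed default for the Agent DB on Win 2008 R2; Win 2003 uses a different path.
    [string]$AgentEventsDir = 'C:\ProgramData\McAfee\Agent\DB\AgentEvents',
    # Assumed scratch location where copies of spooled events are kept for review.
    [string]$KeepDir        = "$env:TEMP\hips-event-check",
    [int]$TimeoutSeconds    = 120
)

if (-not (Test-Path $AgentEventsDir)) { throw "AgentEvents directory not found: $AgentEventsDir" }
if (-not (Test-Path $KeepDir)) { New-Item -ItemType Directory -Path $KeepDir | Out-Null }

function Get-SpoolNames {
    # Names of XML event files currently waiting in the spool.
    @(Get-ChildItem -Path $AgentEventsDir -Filter '*.xml' -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty Name)
}

$baseline = Get-SpoolNames          # files already present before the test
$seen     = @{}                     # name -> time first observed
$sent     = @{}                     # name -> time it vanished (picked up for ePO upload)

Write-Host "Watching $AgentEventsDir for up to $TimeoutSeconds s."
Write-Host "Run the test now (copy notepad.exe to notepad.com.exe and launch it)."

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Get-Date) -lt $deadline) {
    $current = Get-SpoolNames
    foreach ($name in $current) {
        if ($baseline -notcontains $name -and -not $seen.ContainsKey($name)) {
            $seen[$name] = Get-Date
            # Keep a copy before the agent deletes it after upload.
            Copy-Item -LiteralPath (Join-Path $AgentEventsDir $name) -Destination $KeepDir -ErrorAction SilentlyContinue
            Write-Host ("{0:HH:mm:ss}  new event file: {1}" -f $seen[$name], $name)
        }
    }
    foreach ($name in @($seen.Keys)) {
        if ($current -notcontains $name -and -not $sent.ContainsKey($name)) {
            $sent[$name] = Get-Date
            Write-Host ("{0:HH:mm:ss}  sent to ePO:    {1}" -f $sent[$name], $name)
        }
    }
    Start-Sleep -Milliseconds 500
}

if ($seen.Count -eq 0) {
    Write-Warning "No new event XML appeared: HIPS did not trigger, or the agent path is wrong."
} else {
    Write-Host ("{0} event file(s) observed, {1} picked up by the agent; copies in {2}" -f $seen.Count, $sent.Count, $KeepDir)
}
```

Search the saved copies in the keep directory for the signature ID (413 for the notepad.com.exe test) to confirm the event HIPS generated is the one ePO should be reporting; if events appear and are uploaded but ePO still shows the countermeasures as off, the problem is on the reporting side rather than enforcement.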