9 Replies Latest reply on Sep 13, 2008 12:39 PM by Raja

    XP SP3 on HIPS enabled host

      Just wondering has anyone looked into deploying SP3 with HIPS enabled host?

      I just ran the <windowsxp-kb936929-sp3-x86-enu_c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe> version of SP3 on an SP2 XP system, and a number of alerts appeared, one specifically down to an update to the Windows 'screen saver logon.scr'. HIPS popped up an alert with a warning. Other actions blocked were related to the access protection rules of Vscan 8.5i, where changes were being made to the registry.

      My concern would be if we were to release SP3 (when it gets official release via WSUS) will I be facing a large number of systems with alerts appearing.

      Any thoughts / experience would be appreciated.
        • 1. RE: XP SP3 on HIPS enabled host
          HIP is not currently supported on XP SP3. HIP 7.0 Patch 2 (June) will support it.
          • 2. RE: XP SP3 on HIPS enabled host
            :)

            Hi Everyone,

            I'm looking for information regarding rolling out SP3 via WSUS onto workstations with HIPS installed.

            I know from tests that HIPS kills the update.

            Are there any rules which I can add to HIPS to allow the SP to be installed?

            Raja: when in June?


            Cheers

            steve

            • 3. RE: XP SP3 on HIPS enabled host


              There is a client utility available for HIPS that can be packaged with SMS or other software deployment system. The utility can disable HIPS and allow the update to occur.
              • 4. RE: XP SP3 on HIPS enabled host


                Neat, where's that then?

                • 5. RE: XP SP3 on HIPS enabled host
                  It's on the download site.
                  • 6. RE: XP SP3 on HIPS enabled host
                    OK, Now we're cooking...

                    One small snag, what's it called?

                    Will it allow for deployment through WSUS?

                    • 7. Having Same Problem


                      I am using Landesk for software deployment and patch management. We recently upgraded to McAfee 8.5 and EPO 4.0. After the update I started getting deployment failures and users calling about a pop-up message referring to access to the registry. I found going to the user's machine and manually running the install package created the same error. To finally get the software to install I had to temporarily disable McAfee Access Protection then run the install package (manually). Problem with this method is, EPO will reset the Access Protection back to Enabled as soon as it reports back to the EPO server (every 15 minutes). You don't know if you have 15 minutes or 1 minute to install your software because you don't know when the EPO agent last checked in. Against my recommendations the Security Audit Manager had the EPO administrator set the McAfee 8.5 to Maximum Protection. The McAfee logs on the machines clearly show McAfee blocking the software install package executable. We can add exclusions to help but they would have to enter approx. 125 names to cover all of our install packages. Hoping it would not see something else to stop as the package installs...i.e. registry changes.

                      They are also trying to blame it on HIPS we have running. I don't know if HIPS is the problem...I think it is setting McAfee to MAX protection. If you or anyone out there have run across any fixes, suggestions or helpful utilities to disable McAfee long enough to patch the machine or install software I would appreciate hearing about it.

                      Also, the powers here have decided to try the Landesk HIPS rather than McAfee thinking it would allow its (Landesk) packages to go through and not block. I hope they are correct but I still think it is McAfee Access Protection being set to high.
                      • 8. RE: Having Same Problem
                        Access protection is a function of VSE 8.5 and has nothing to do with HIP. Who is trying to blame it on HIP?
                        Do you have an SR#?

                        -R-
                        • 9. RE: XP SP3 on HIPS enabled host


                          Won't mind knowing as well!