5 Replies Latest reply on Jul 11, 2008 8:08 AM by protector

    Can't see HIPS events in EPO

      After successfully deploying several HIPS 7.0 (with SP 2) clients through EPO 4.0 I don't get any HIPS related events.

      Logging level is set to informational, but that seems to only log to the local C-drive file on the client PC.

      In the over-all events list I don't get any events related to HIPS. I have several firewall rules in place, and locally on the client I see the firewall blocking things on a regular basis.

      How come I don't get these events in my EPO 4?
        • 1. RE: Can't see HIPS events in EPO
          Firewall "events" are not sent back to the ePO server. Only IPS events.
          The activity log is for local client viewing. It only retains 1 meg of text data. After that it starts appending.
          • 2. RE: Can't see HIPS events in EPO
            An easy way to test this is to set signature 1002 or 1001 to log and try to modify or change a HIP file or HIP registry value. This should send an event to the ePO server.

            • 3. RE: Can't see HIPS events in EPO
              Signature 1001 and 1002 are IPS signatures. Triggering those will send an event back to the ePO server.
              I believe Eric wanted the blocked firewall packets that show up in the local UI to be sent back to the ePO server. As Joe pointed out, that's not possible. If HIP was to send every blocked packet that was logged, the ePO server would be overwhelmed in five minutes.

              • 4. RE: Can't see HIPS events in EPO
                Here's what I want: I want to deploy HIPS to tens or hundreds of computers, with the firewall used to block networking to all applications but the ones I list. So I added for example FIREFOX.EXE and IEXPLORE.EXE and allow these to communicate on ports 80 and 443. But when someone installs Safari as a browser, it won't communicate. I would like that to show up on my ePO server, that SAFARI.EXE is trying to communicate over port 80.
                • 5. RE: Can't see HIPS events in EPO
                  The only way you can get a FW rule to send events over to the ePO server is to create a BLOCK rule and mark the option "Treat Match as Intrusion".