4 Replies Latest reply on Aug 12, 2008 2:18 PM by exsult

    HIPS 7.0 Patch 2 and Windows XP preSP3

      Wonder if anyone else seen this issue. We've just began a test rollout of HIPS to our clients. What we've discovered is that after the install machines would start locking up, at least once every couple of hours. Yes, we are doing a reboot after the install.
      Turning off IPS portion resolved the issue even though the IPS was running in log high alerts and ignore all else.
      We did have a few users that were working just fine though. We traced the difference to those users having Windows XP service pack 3 installed. So with SP3 installed we could turn on the IPS portion and it would work just fine.
      Any ideas?
      Thx
        • 1. RE: HIPS 7.0 Patch 2 and Windows XP preSP3
          Did you install patch 2 before installing SP3?
          What you've described is what happens when you install SP3 first and then install patch 2.

          You'll need to download HIP 7.0 patch 2 full agent install and remove what's there and re-intsall it. Otherwise the IPS module will never function properly.

          Joe
          • 2. Nope
            Thanks for your reply.

            To answer your question. HIPS product was never upgraded. All of our installs were done with HIPS 7 integrated with Patch2.
            So machines that have Windows Service Pack 2 are crashing and the machines having XP Service Pack 3 are working fine.
            I have the debug logging enabled so hopefully it's just a signature that needs to be turned off.
            • 3. RE: HIPS 7.0 Patch 2 and Windows XP preSP3
              There is a difference between crashing and locking up. Is the computer blue screening?
              Do you have the computer set to save a full memory dump?

              The best way to figure out what's going on is to enable "crash-crtl-scroll" and get a full memory dump to support. When the computer locks up you initiate a blue screen.

              How to enable "crash-crtl-scroll", http://support.microsoft.com/kb/Q244139

              Engineering will need to look at the dump to see what's going on. More than likely some sort of dead-lock.

              -R-
              • 4. Found the solution
                Thanks for your reply. We've finally narrowed down the problem to a conflict between McAfee HIPS 7 and Citrix EdgeSight 4.5. Apparently EdgeSight is not compatible with it. We've temporarily removed winlogon.exe from the list of protected applications which resolved our problem, until either McAfee or Citrix release a fix for it.