5 Replies Latest reply on Oct 28, 2008 8:20 AM by jsuuronen

    Remotely Determining if HIPS IPS or Firewall is Disabled

    McDuff
      Hello,

      Is there a way that you can remotely tell if somebody has disabled the firewall or IPS on their HIPS 6.1 client? If so, is there any way this could generate an alert in ePO 3.6.1?

      Thanks in advance.
        • 1. RE: Remotely Determining if HIPS IPS or Firewall is Disabled
          There is no way, currently, to determine if the firewall has been disabled.
          If you don't want end users turning it off, you can lock down the local GUI.

          -R-
          • 2. RE: Remotely Determining if HIPS IPS or Firewall is Disabled
            lfah2000

            ExcludeServers=0
            Display=1
            LocalLog=1
            ServerLog=1

            and this is the log
            "ComputerName","User ID","UserName","Model","Serial","Tijd","FrameworkPath","FrameWorkVersion","FrameworkStatus","FrameworkStartup","Framework Install","VSEPath","VSEVersion","EngineVersion","DATVersion","DATDate","McShieldStatus","McShieldStartup","TaskManagerStatus","TaskManagerStartup","HIPPath","HIPVersion","HIPHotFix","HostIntrusionStatus","HostIntrusionStartup","FireWallStatus","OS","Service Pack","Type"
            "XXX","XXX","ADName","Latitude D610","1234","2008:10:06:08:25:12","C:\Program Files\McAfee\Common Framework","4.0.0.1180","SERVICE_RUNNING","SERVICE_AUTO_START","NO","C:\Program Files\McAfee\VirusScan Enterprise\","8.7.0.570","5300.2777","5398","2008/10/03","SERVICE_RUNNING","SERVICE_AUTO_START","SERVICE_RUNNING","SERVICE_AUTO_START","0","0","0","Service does not exist","Service does not exist","XP Firewall Stopped","Windows Vista","Service Pack 1","Workstation"

            The size of the logfile is limited to 6 MB. It will start a new one.

            If you want I can put it somewhere or email it.

            (you can view the file with excel, it is a CSV)
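As an added example (not part of the original post and not the poster's script), here is a Python check that parses a CSV log in the layout above and flags hosts whose HIPS service, McShield or firewall is not running, distinguishing a stopped service from a product that is not installed at all ("Service does not exist"). Because an inventory record only describes the host at the moment it was written, the check also flags records older than a threshold rather than reporting them as healthy. The sample rows, the "Firewall Running" wording of the firewall column (the posted log shows only "XP Firewall Stopped"), the rule that any firewall value containing "Stopped" means off, and the one-hour staleness threshold are constructed assumptions; the parser keys on column names, so it also reads the full 29-column file.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of the CSV posted above; only the columns the
# check needs are included, and the rows are made up for illustration.
SAMPLE_LOG = '''"ComputerName","Tijd","FrameworkStatus","McShieldStatus","HostIntrusionStatus","FireWallStatus"
"WS-GOOD","2008:10:06:08:25:12","SERVICE_RUNNING","SERVICE_RUNNING","SERVICE_RUNNING","Firewall Running"
"WS-NOHIPS","2008:10:06:08:25:12","SERVICE_RUNNING","SERVICE_RUNNING","Service does not exist","XP Firewall Stopped"
"WS-HIPSOFF","2008:10:06:08:20:00","SERVICE_RUNNING","SERVICE_RUNNING","SERVICE_STOPPED","Firewall Running"
"WS-STALE","2008:10:01:09:00:00","SERVICE_RUNNING","SERVICE_RUNNING","SERVICE_RUNNING","Firewall Running"
'''

# "Tijd" (Dutch: time) is written as YYYY:MM:DD:HH:MM:SS in the posted log.
TIME_FORMAT = "%Y:%m:%d:%H:%M:%S"
# Service-state columns from the posted header; anything but SERVICE_RUNNING is a finding.
SERVICE_COLUMNS = ("FrameworkStatus", "McShieldStatus", "HostIntrusionStatus")


def parse_log(text):
    """Read the CSV into one dict per host, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def check_host(row, now, max_age):
    """Return a list of findings for one host record (empty list means healthy and fresh)."""
    findings = []
    for col in SERVICE_COLUMNS:
        status = (row.get(col) or "").strip()
        if status == "SERVICE_RUNNING":
            continue
        # The posted log writes "Service does not exist" when the product is absent,
        # which needs a different fix (install) than a stopped service (re-enable).
        if status == "Service does not exist":
            findings.append(f"{col}: not installed")
        else:
            findings.append(f"{col}: {status or 'missing'}")
    # The firewall column is free text ("XP Firewall Stopped" in the posted row).
    # Assumption: any value containing "Stopped", or an empty value, means the firewall is off.
    fw = (row.get("FireWallStatus") or "").strip()
    if not fw or "stopped" in fw.lower():
        findings.append(f"FireWallStatus: {fw or 'missing'}")
    # A record only says what was true when it was written; treat old records as unknown.
    try:
        seen = datetime.strptime(row["Tijd"], TIME_FORMAT)
    except (KeyError, TypeError, ValueError):
        findings.append("Tijd: missing or unparseable timestamp")
    else:
        if now - seen > max_age:
            findings.append(f"stale: last record {seen:%Y-%m-%d %H:%M}")
    return findings


def find_problem_hosts(text, now, max_age=timedelta(hours=1)):
    """Map each host with at least one finding to its list of findings."""
    problems = {}
    for row in parse_log(text):
        findings = check_host(row, now, max_age)
        if findings:
            problems[row["ComputerName"]] = findings
    return problems


def sample_report():
    """Run the check over the constructed sample as of a fixed 'now' (assumed clock)."""
    return find_problem_hosts(SAMPLE_LOG, now=datetime(2008, 10, 6, 8, 30, 0))


if __name__ == "__main__":
    for host, findings in sample_report().items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Pass the real log file's contents to find_problem_hosts with the current time; a host that appears with all services running but a stale timestamp should be treated as "state unknown" and prompted to report again, not counted as compliant.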
            • 3. RE: Remotely Determining if HIPS IPS or Firewall is Disabled


              Yes. Go into the ePO console and look up the system properties for the host.

              You will see settings like...

              fwenable=true/false
              HostIPSenable=true/false
              OnAccess=true/false

              etc.

              I don't remember the exact names, but it is all in ePO. We do custom queries on this data.
              • 4. RE: Remotely Determining if HIPS IPS or Firewall is Disabled
                That data in the ePO console only reflects the state at the last ASCI. It's possible that ePO could show it on and it's really off.

                -R-
                • 5. RE: Remotely Determining if HIPS IPS or Firewall is Disabled
                  Is that really much different from any product managed in ePO?

                  If you really want to, send a wakeup call and collect details from the box prior to checking in ePO.

                  But setting a local policy to enable IPS, with a short enforcement time, should keep the data in ePO pretty accurate, unless the agent breaks (which seems to happen often, unfortunately).