4 Replies Latest reply on Mar 12, 2009 4:26 PM by exesys

    HIPS Blocking Allowed Traffic

    jase4867
      I have a system with HIPS 7 installed, and it's blocking traffic for a program which has an Allow rule created in the Firewall rules. At this point, it only seems specific to this one machine, as I've checked it on another, and it's working properly.

      The Allow Rule states that TCP traffic inbound/outbound is allowed, but when you look at the Activity Log, the traffic is being blocked.

      HIPS 7.0 Patch 2

      The blocked program is AEXNSAGENT, which is the Notification Server Agent for Altiris.

      Any ideas as to where to start troubleshooting?
        • 1. RE: HIPS Blocking Allowed Traffic
          woodsjw
What happens if you put it in Learning or Adaptive mode? Does it generate a new rule?

          In the existing rule, is the application matched by fingerprint or path? Both?
          • 2. RE: HIPS Blocking Allowed Traffic
            jase4867
            It was the same results with trying to create a new rule. We ended up re-installing HIPS, and it seems to be working now. Not sure what happened, but hope it isn't something that's affecting other machines.

            Thanks,

            Jason
            • 3. RE: HIPS Blocking Allowed Traffic
              Are you sure the machine hadn't been patched up to Patch 3?

              I had some serious issues with Patch 3 silently blocking traffic that should've otherwise been allowed. Seriously buggy...

              - if the machine had learnmode off, the traffic would be blocked and it would NOT log (could prove this was happening by turning the firewall off completely and traffic would go through)

              - if the machine was in learnmode, the traffic would be allowed through but without prompting to add a rule, NOR logging as allowed traffic

Terrible. After McAfee looked at our logs and rulesets they basically said our best bet was to remove Patch 3 completely...nice! Luckily we only had it on 200 pilot machines at that point.
              • 4. patch 4
A couple of fixes in Patch 4 could help or resolve the issue.

                Issue: Connection Aware Group matching fails when the incoming traffic destination is localhost. (Reference: 439529)

                Resolution: Fixed matching logic of Connection Aware Groups to identify incoming traffic correctly to localhost.

<The fix in this area was seen in a CAG but would occur outside of a CAG as well. It was fixed for all instances. You should run Patch 4 in Adaptive mode if you suspect this was the cause. The new rules will now be learned correctly.

                Issue: Unrecognized non-IP traffic is not logged. (Reference: 450277)
                Resolution: Added logging for unrecognizable non-IP traffic. Both recognized and unrecognized non-IP traffic is now logged.

                <This may help you see what is being dropped.