what happens if you put it in Learning or Adaptive mode? Does it generate a new rule?
In the existing rule, is the application matched by fingerprint or path? Both?
It was the same results with trying to create a new rule. We ended up re-installing HIPS, and it seems to be working now. Not sure what happened, but hope it isn't something that's affecting other machines.
Are you sure the machine hadn't been patched up to Patch 3?
I had some serious issues with Patch 3 silently blocking traffic that should've otherwise been allowed. Seriously buggy...
- if the machine had learn mode off, the traffic would be blocked and it would NOT log (I could prove this was happening by turning the firewall off completely, and the traffic would go through)
- if the machine was in learn mode, the traffic would be allowed through but without prompting to add a rule, NOR logging it as allowed traffic
Terrible. After McAfee looked at our logs and rulesets they basically said our best bet was to remove Patch 3 completely... nice! Luckily we only had it on 200 pilot machines at that point.
A couple of fixes in Patch 4 could help or resolve the issue.
Issue: Connection Aware Group matching fails when the incoming traffic destination is localhost. (Reference: 439529)
Resolution: Fixed matching logic of Connection Aware Groups to identify incoming traffic correctly to localhost.
<The fix in this area was seen in a CAG but would occur outside of a CAG as well. It was fixed for all instances. You should run Patch 4 in Adaptive mode if you suspect this was the cause. The new rules will now be learned correctly.
Issue: Unrecognized non-IP traffic is not logged. (Reference: 450277)
Resolution: Added logging for unrecognizable non-IP traffic. Both recognized and unrecognized non-IP traffic is now logged.
<This may help you see what is being dropped.