4 Replies Latest reply on Feb 11, 2009 11:27 AM by Dogers

    Remove Clients HIPS Rules

      Is there a way to blank out a client's HIPS (7.0 p3) rules from ePO?

      We've had a user set up a ton of rules which they don't actually need/want, but besides talking them through deleting them all, is there another way?
        • 1. RE: Remove Clients HIPS Rules
          woodsjw
          Both the Firewall Options and IPS Options policies have a check box to specify whether or not you want to retain locally created rules when the policy is enforced.
          • 2. RE: Remove Clients HIPS Rules
            I can see that option in IPS and App Blocking, but not the firewall options?

            Also, what does it class as enforcing the rules? Is it when an agent wake up is done? Or even the periodical agent check in?

            Sorry for all the questions, but the help files are a little self referential!
            • 3. RE: Remove Clients HIPS Rules
              woodsjw


              Heh... I know what you mean about the help docs. I love when there's a text box labeled something like "Settings" and the help file says, "This is where you put settings." Really? :D

              I just realized I answered not knowing which version of ePO you're on. I'm running ePO 4.0 and when I open the policies for HIPS 6.1 and 7.0 Firewall Options the setting is right there. I can't remember what 3.6 looks like. Have you kept the HIPS extensions current along with the client packages?

              As far as agent communication goes, a wake up call should do the trick, especially if the policy has been modified. I have seen wake up calls that just resulted in "No package to receive" and nothing happens. But if the policy's been modified it should download and enforce the new policy package.

              Aside from that there's the McAfee Agent policies which specify how often to check for new policies/tasks (ASCI) as well as how often to enforce the currently downloaded policy package.
              • 4. RE: Remove Clients HIPS Rules
                Unfortunately we're still on ePO 3.6, as we have DFW still in use until I can set up rules and convince people to start using it.

                Good point about the extensions, I think we're still using the original 7.0.0 extensions, so I'll look into updating them.

                Looking at the agent, it's set to McAfee's default 5 mins at the moment, so I guess that would overwrite the client rules every 5 mins, which would drive them mad :)