5 Replies Latest reply on Jul 30, 2012 1:02 PM by Kary Tankink

    Deploying HIPS - ClientControl.exe

      We are trying to deploy HIPS 7 with Patch 2 through SMS and are running into issues where the HIPS service will not stop and allow the patch to run. I've read through the McAfee HIPS 7 Product Guide with ePO 4.0 and page 89 refers to the clientcontrol.exe utility for third-party software upgrades. Does McAfee provide a way to secure the admin password if the install is executed through a batch file? I don't have any documentation that accompanies the clientcontrol utility and am not aware of any options other than running clientcontrol.exe /? from the command line to see the optional switches.

      HIPS 7 installs fine through SMS and gets to file version
      Our goal is to get HIPS to version
      Here is the error from the McAfeeHIP7_Patch.log on the client for Patch 2:
      02-12 11:26:18 [03116] INFO: Setting TARGETDIR to C:\Program Files\McAfee\Host Intrusion Prevention\
      02-12 11:26:18 [03116] INFO: Stopping enterceptAgent service
      02-12 11:26:18 [03116] DEBUG: SI Service want state Not Running(1), service enterceptAgent
      02-12 11:26:18 [03116] INFO: Err - Unable to stop enterceptAgent service
      02-12 11:26:18 [03116] INFO: -- OnAbort --

      Thanks for any help!
        • 1. RE: Deploying HIPS - ClientControl.exe
          Unfortunately there isn't a way around this that I'm aware of. Companies who use other methods for distributing software (SMS, Altiris, etc.) apparently are not too important to McAfee in this regard as they provide just the bare minimum needed to get the job done.

          You may feel better building a simple .net wrapper app around the ClientControl program to at least not leave the password in plain text (although if you use a tool like ProcessExplorer while it is running, you will see the password because it is passed in as a command line argument).

          The HIPS service takes its own time stopping. We eventually just set an arbitrary time limit for the service to stop before applying the patch. Most of the time it works, but occasionally fails.

          Don't get me started about them distributing patches using .msp format, but then don't include the ability to easily rollback that patch using msiexec. It's bad enough when we have to rollback their buggy patches (cough...HIPS 7 patch 3), but it's REALLY annoying when their only mitigation path is to reinstall the ENTIRE HIPS program and then patch back up. Not excusable!
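
Added example, not part of any post in this thread and not McAfee's own tooling: a deployment wrapper that applies the time limit described in reply 1 as a bounded wait on the enterceptAgent service, then checks the patch log for the "Unable to stop" abort shown in the original post. The patch and log paths are placeholders, and the script assumes an earlier deployment step has already requested the service stop and that the patch log is appended to on each run.

```powershell
# Added example. $PatchPath and $PatchLog are placeholders: the thread gives neither path.
param(
    [string]$ServiceName    = 'enterceptAgent',   # service name taken from the patch log in the post
    [string]$PatchPath      = 'C:\Deploy\PLACEHOLDER_HIPS_Patch.msp',
    [string]$PatchLog       = 'C:\Deploy\McAfeeHIP7_Patch.log',
    [int]   $TimeoutSeconds = 300,
    [int]   $PollSeconds    = 5
)

# This script never stops the service itself. It only waits for a stop that
# an earlier step of the deployment requested (assumption).
$svc      = Get-Service -Name $ServiceName -ErrorAction Stop
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ($svc.Status -ne 'Stopped' -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSeconds
    $svc.Refresh()                                # re-read the state from the service manager
}
if ($svc.Status -ne 'Stopped') {
    # Fail before msiexec runs so the patch never aborts half way.
    Write-Error "$ServiceName still '$($svc.Status)' after $TimeoutSeconds s; patch not attempted."
    exit 1
}

# Remember how long the log already is so that only lines written by this
# run are inspected (assumes the installer appends to the same file).
$linesBefore = 0
if (Test-Path $PatchLog) { $linesBefore = @(Get-Content $PatchLog).Count }

# /p applies an .msp patch; /qn runs without UI; /norestart suppresses the reboot.
$msiArgs = "/p `"$PatchPath`" /qn /norestart"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Look for the abort message quoted in the original post among the new lines.
$aborted = $false
if (Test-Path $PatchLog) {
    $newLines = Get-Content $PatchLog | Select-Object -Skip $linesBefore
    $aborted  = [bool]($newLines |
        Select-String -SimpleMatch "Unable to stop $ServiceName service" -Quiet)
}

# 0 = success, 3010 = success with a reboot pending (standard Windows Installer codes).
if ($aborted -or ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010)) {
    Write-Error "Patch failed: msiexec exit $($proc.ExitCode), service-stop abort logged: $aborted"
    exit 2
}
exit $proc.ExitCode
```

The distinct exit codes (1 for a service that never stopped, 2 for a failed patch) let the distribution tool retry the two cases differently.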
          • 2. RE: Deploying HIPS - ClientControl.exe
            Has anyone had any success having the McAfee Agent, HIPS 7 with Patches, and VirusScan 8.5 or 8.7 as part of an image so as soon as the user logs into a new workstation for the first time, they are immediately protected?

            I've read about having the McAfee Agent installed and deleting a specific GUID registry key, but wasn't aware about HIPS and VirusScan being part of an image.
            • 3. RE: Deploying HIPS - ClientControl.exe
              Yes this is possible, but requires some custom development. Basically you just want to automate (msi) the installs of both CMA/HIPS and VSE and be sure they run when the machine is setting up for the first time. We include the fireprefs.txt (HIPS ruleset) with the install package so the machine has some rules immediately...and then after the ePO agent is setup and the ePO server is reachable it'll go out and grab the latest rules (and dat/engine/etc).
              • 4. Re: RE: Deploying HIPS - ClientControl.exe

                Where can we find a download of HIPS 7 clientcontrol.exe? I did not see it on the McAfee website. Any guidance would be greatly appreciated.

                • 5. Re: RE: Deploying HIPS - ClientControl.exe
                  Kary Tankink

                  willjones17 wrote:


                  Where can we find a download of HIPS 7 clientcontrol.exe? I did not see it on the McAfee website. Any guidance would be greatly appreciated.

                  You'll find it on the McAfee Download site where you supply your active Support grant number.