No ideas, guys?
That is more or less consistent with what I have seen. Except that the rule isn't void, it's still active but it won't work on any systems where said application has been modified - it may work on 50% of your managed systems and not on others(*).
And since it(*) doesn't know when/how to take a new hash and the user usually has no access to that interface (that's why we're using ePO), we have to get the new MD5 and update the rule on the ePO server...
Which means that the rule will only work on those systems with a specific version of the software application (e.g. Firefox).
Which in turn explains why we aren't using this for common applications (e.g. Firefox) as you'd have to take too many possible MD5 values into consideration. We do use it for specific "special" applications.
(*) hereby making you crazy trying to figure out why the thing isn't working...
(*) define "it" : McAfee HIPS
Cheers, that's great info, this is what I was concerned about. I will make the amendments I feel I require.
Sorry to bring this up again, but I just had another thought.
It clearly says 'By Path then Fingerprint'. This could be interpreted two ways, as grammatically it has caused problems. The first way, as I mentioned above, it would use path on the client, then fingerprint it, storing this value on the client, and using this from that point onwards (which would be lame, and cause problems).
Do you not think it means that it will first look for a match by path (whatever the path has been set as in the Firewall Rule Policy) and then by fingerprint (whatever the fingerprint has been set within the EPO policy)?
So basically, it looks in the path file for an entry (the less secure method), and if blank, will then try the fingerprint field, which may or may not have an MD5 hash value in it (the more secure method).
So if you wanted to do it less securely, you would put in a path or just process name, and that would work, but as the fingerprint field is blank it would ignore.
But if you wanted to do it more securely you would leave the path field blank and JUST put a fingerprint in instead?
It's an either/OR thing.
In which case, I need to change nothing, leaving it on path then fingerprint would be just fine...?
I'm confused, and the documentation is NOT helpful in any way.