3 Replies Latest reply on Oct 2, 2009 8:39 AM by wyodoc

    "Bad packets" anyone?


      We've been seeing messages saying "bad packet" in the McAfee Host IPS "Activity Log" window for some time now. Whenever a system has such messages, it has problems with the Windows DC connection.

      The only place where I could find a mention of bad packet was in the "Release Notes for McAfee(R) Desktop Firewall(TM) - Version 8.0.493":


      The Activity Log may occasionally log an event with the description "bad packet." These entries indicate that the software intercepted and discarded an improperly formed packet. These entries do not indicate an attack, and you do not have to take any action.

      Now, we're using McAfee Host IPS 7.0 P3 and have this issue on many systems and I can't find any information related to this message. Even if HIPS apparently doesn't treat this "bad packet" as an intrusion and doesn't block any further communication, it seems the "bad" packets are important for Windows...

      Any ideas, anyone?
        • 1. We resolved it
          We had a similar issue with wireless connections using a Cisco AP. We resolved it with patch 5 of HIPS.

          As we read the details, patch 5 allowed for the odd sized packets that the AP was delivering.

          If you are not wireless, you may look down the avenue of packet size; ours were encrypted on the AP and this just caused fits.
          • 2. RE: We resolved it
            Thanks for this answer.

            We're not wireless, but we do have packet encryption between sites and I thought there might be an issue in that direction.

            I don't know how to check or fix packet size though.

            McAfee support hasn't helped much so far. Then it's getting hard to follow up on this since we're in GMT+1 and I get the feeling support origin varies between GMT, GMT-7 and GMT+5... And each time, I have to delegate part of the tests to (my) local sites...

            Thanks for your help.
            • 3. Try patch 5
              Based upon your signature, you are down a couple of patches on HIPS. Try installing Patch 5, which you probably have control over and which ignored the non-standard packet size, to see if that takes care of things. We were at patch 4 previously, and patch 5 cleared the errors. We had this issue only on our network segments, Access Points, where we had end-to-end encryption.