7 Replies Latest reply: Mar 1, 2013 2:38 PM by greatscott RSS

    IPS Not Triggering Events

    cakeboss

      I'm currently having trouble with the IPS portion of HIPS.  It is currently deployed in adaptive mode to 20 systems, but no events are triggering and no rules have been created (we've been monitoring both the events in ePO and the HIPS UI on the local machine).  I've tried testing by going so far as to enable blocking highs and trying a double file extension execution, but the activity is not blocked nor logged.  The firewall portion is working as intended, creating dynamic rules and triggering events.  I'm not really sure where to go from here.  Any ideas?

      HIPS policy configuration:

      Options - Host IPS enabled, adaptive mode enabled
      Protection - Log high severity only
      Rules - My default and McAfee default

        • 1. Re: IPS Not Triggering Events
          cakeboss

          HIPS 8.0.  Also, I did check to make sure the service is running as well as reboot the system.


          Message was edited by: cakeboss on 1/31/13 1:00:13 PM CST
          • 2. Re: IPS Not Triggering Events
            cakeboss

            I was able to pull this from firesvc.log.  Anyone happen to know if it's related?

            01/31/2013 11:07:29 CLmisc.cpp[2789]    ERROR    (6264) PGPclGetServiceStatusByName() - failed to open SCM (1115).
            01/31/2013 11:10:26 MAINWRK[436]    ERROR    (2548) forcePolicyEnforcement() - Failed waiting for new policy check to finish.
            01/31/2013 11:11:33 ENTCPWRK[1512]    ERROR    Clear boot time access protection, no action taken.
            01/31/2013 11:12:48 wsc.cpp[435]    ERROR    Failed to register the firewall with the Vista SP1 or later WSC (8000000a).

            • 3. Re: IPS Not Triggering Events
              petersimmons

              Don't use Adaptive mode with IPS. You really do NOT want to create exceptions. If you really want to see what it is going to do then change Prevent to Log. Start with High and then move onto Medium.


              Low severity isn't really what you want. Pretty much no one uses that content. Though occasionally you might promote one to medium.

              • 4. Re: IPS Not Triggering Events
                hbssadmin

                I found this on this community: https://community.mcafee.com/message/212795

                Thanks to Mr Kary Tankink.

                Create a file with a double extension <filename>.com.exe

                If your Host IPS IPS Protection policy is set to HIGH: PREVENT, and Signature 413 is set to HIGH Severity, then executing a filename with <filename>.com.exe will trigger this signature.

                I use this all the time (on Win7 64-bit) to trigger violations by executing notepad.com.exe or putty.com.exe, etc., for testing purposes.

                • 5. Re: IPS Not Triggering Events
                  greatscott

                  I would not put your stuff into adaptive. I would probably log all, and look for blocks and do what you please with them.

                  Furthermore, for the 413 IPS Signature, we have found the McAfee signature to be pretty bad at detecting double file extensions. We created a custom and it pretty much catches everything.

                  Message was edited by: greatscott on 2/8/13 9:16:11 AM CST
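                  The two posts above describe testing signature 413 with names like notepad.com.exe and writing a custom rule that catches the cases the stock signature misses. The script below is an added example, not McAfee's signature logic or anything from this thread: it classifies filenames as "executable with a decoy extension" so you can sanity-check which names a custom double-extension rule should match and which legitimate names (backup.tar.gz, setup v1.2.exe) it should leave alone. The executable-extension list and the decoy pattern are assumptions chosen for this example.

```python
import re

# Assumed list of extensions Windows will run directly (core PATHEXT entries
# plus common script hosts); extend it to match your environment's policy.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
    ".vbs", ".js", ".wsf", ".msi", ".ps1",
}

# A "decoy" extension looks like a real document/program extension: a dot,
# a letter, then 1-4 alphanumerics (.pdf, .txt, .com, .docx). A numeric
# tail such as ".2" in "setup v1.2.exe" deliberately does not match.
DECOY_EXT = re.compile(r"\.[a-z][a-z0-9]{1,4}")


def _extensions(path: str) -> list[str]:
    """Split the basename of a Windows or POSIX path into its dotted parts,
    lower-cased and with stray whitespace stripped ("report.pdf .exe")."""
    basename = re.split(r"[\\/]", path)[-1]
    pieces = basename.split(".")
    return ["." + p.strip().lower() for p in pieces[1:]]


def is_double_extension_executable(path: str) -> bool:
    """True when the final extension is executable and is preceded by a
    decoy extension, e.g. notepad.com.exe or invoice.pdf.exe."""
    exts = _extensions(path)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return DECOY_EXT.fullmatch(exts[-2]) is not None


def flag_double_extensions(paths: list[str]) -> list[str]:
    """Return, in order, the paths a double-extension rule should alert on."""
    return [p for p in paths if is_double_extension_executable(p)]


# Constructed sample names (not from a real system) covering the thread's
# test cases plus legitimate names that must not be flagged.
SAMPLE_PATHS = [
    "notepad.com.exe",
    "putty.com.exe",
    r"C:\Users\bob\Downloads\invoice.pdf.exe",
    "report.docx .scr",
    "notepad.exe",
    "backup.tar.gz",
    "setup v1.2.exe",
    "evil.exe.txt",
]

if __name__ == "__main__":
    for hit in flag_double_extensions(SAMPLE_PATHS):
        print("would alert:", hit)
```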
                  • 6. Re: IPS Not Triggering Events
                    cakeboss

                    This is one of the methods I tried, but thank you. I was unable to find a solution and opened a ticket with McAfee. I'm no longer overseeing the systems, however, so will not know how this was resolved. One problem we were having was the Event Parser service not starting, though that would seem to be unrelated to the event not triggering on the endpoint.

                    • 7. Re: IPS Not Triggering Events
                      greatscott

                      Not related.