3 Replies  Latest reply: Mar 6, 2013 4:04 PM by Kary Tankink

    How does HIPS update policies from ePO?

    kjhurni

      Okay I THOUGHT I understood how HIPS got policy changes from the EPO server.

       

      I was under the impression that HIPS relied upon the McAfee Agent (MA) similar to how VSE relies upon it.

       

      So:

       

      1)  Make a policy change in EPO to HIPS/VSE

      2)  Either

      a)  wait for the agent to server communication interval to kick in (in our case, 240 minutes = 4 hours)

      b)  Issue an agent wakeup call and check the box to enforce policies/full properties thingy

      c)  Open a CMD prompt and do the cmdagent /p /c /e thingy

      d)  Open the MA icon (if it's present) on the taskbar and do a: Update Security

       

      However, in our environment it seems that item "d" updates VSE but not HIPS (i.e., we right-click on the MA icon and select: Manage Features -> HIPS -> Firewall Policy) and we never see the new policy that was added.

       

      Same with "b"

       

      Now, is it possible that the MA interface isn't showing updated info and you need to reboot/reload something?  There's no "refresh" on the firewall policy tab on the MA.

       

      We have observed the policy does take effect eventually, and I know "c" works (we were told that "b" actually does "c").

        • 1. Re: How does HIPS update policies from ePO?
          Kary Tankink
          I was under the impression that HIPS relied upon the McAfee Agent (MA) similar to how VSE relies upon it.

          HIPS relies on the McAfee Agent for policy management, since it is an ePO-managed product only (HIPS will not install unless the McAfee Agent (Framework service) is installed).  VSE can be managed by ePO or configured standalone (unlike HIPS).

           

          c)  Open a CMD prompt and do the cmdagent /p /c /e thingy

          Don't run multiple switches.  "cmdagent.exe /p" will perform a Collect and Send Props, and if a new policy is available, it will be enforced automatically.  Just run that switch.

           

          d)  Open the MA icon (if it's present) on the taskbar and do a: Update Security

          "Update Security" runs a McAfee Agent Update task; it does not perform a McAfee Agent ASCI (Agent to Server Communication Interval) to update policies.  If you want to update policies, run "cmdagent.exe /p" or "cmdagent.exe /c".  See KB52707.

           

          However, in our environment it seems that item "d" updates VSE but not HIPS (i.e., we right-click on the MA icon and select: Manage Features -> HIPS -> Firewall Policy) and we never see the new policy that was added.

          Make sure the Agent is actually getting a new HIPS policy.  Also ensure that the HIPS Client UI is locked/closed.  If the HIPS Client UI is open/unlocked, policy enforcement will not occur until you close it and re-enforce policies.

          • 2. Re: How does HIPS update policies from ePO?
            kjhurni

            Thanks for the info.  I was being lazy and just put the cmdagent stuff in the posting, even though we do it on 3 separate lines in a .bat file.

             

            Although I didn't think the /p actually enforced it, that's what the /e was for.  At least when we called McAfee regarding a VSE policy problem that's what tech support mentioned (there's a KB article as well that indicates the 3 switches are sorta needed to ensure a policy check and enforcement).

             

            We'll look at the last item (HIPS Client UI being closed).

             

            I don't see anything obvious in the MA log files for HIPS like I do for VSE.  Normally for VSE I'll see the task names and I think something that indicates it's applying policies.

             

            I don't see that for HIPS in the log for the machine in question, but perhaps I missed something.

             

            Thank you

             

            --Kevin

            • 3. Re: How does HIPS update policies from ePO?
              Kary Tankink
              Although I didn't think the /p actually enforced it, that's what the /e was for.

              Correct.  /p will enforce policies if a new policy is downloaded from the ePO server; if there is no new policy, then /e can be used to enforce the already-existing policy on the system.
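The refresh sequence the replies describe (run "cmdagent.exe /p" on its own to pull and enforce a new policy, fall back to "/e" only to re-enforce the policy already on the box), written up as a PowerShell script. This is an added example, not code from the thread or from McAfee; the install paths it probes for cmdagent.exe and the log locations it searches are assumptions for typical McAfee Agent 4.x layouts, and the exit code is returned as-is because the thread does not document what cmdagent.exe reports.

```powershell
# Added example (not part of the original thread): force an ePO policy refresh
# on a managed endpoint with McAfee Agent's cmdagent.exe, one switch per run,
# as recommended in the replies above.
#
# Assumptions (not stated in the thread):
#   - cmdagent.exe lives in one of the two paths below (MA 4.x era layouts)
#   - the agent log lives under the Common Framework\DB folder
# Adjust both for your agent version.

$candidates = @(
    "${env:ProgramFiles}\McAfee\Common Framework\cmdagent.exe",
    "${env:ProgramFiles(x86)}\McAfee\Common Framework\cmdagent.exe"
)
$cmdagent = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $cmdagent) { throw "cmdagent.exe not found in the assumed install paths" }

function Invoke-CmdAgent {
    param([Parameter(Mandatory)][ValidateSet('/p', '/c', '/e')][string]$Switch)
    # One switch per invocation; returns the process exit code unchanged.
    $proc = Start-Process -FilePath $cmdagent -ArgumentList $Switch `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Get-RecentAgentLogLines {
    param([string]$Pattern = 'policy|HIPS', [int]$Tail = 200)
    # Assumed log location; the filename carries the host name in MA 4.x.
    $logDir = "${env:ProgramData}\McAfee\Common Framework\DB"
    if (-not (Test-Path $logDir)) { return @() }
    Get-ChildItem -Path $logDir -Filter 'Agent_*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 |
        ForEach-Object { Get-Content $_.FullName -Tail $Tail } |
        Where-Object { $_ -match $Pattern }
}

# Step 1: collect and send props. If ePO has a new policy for this machine,
# the agent downloads and enforces it as part of this call.
$rc = Invoke-CmdAgent -Switch '/p'
Write-Host "cmdagent.exe /p returned $rc"

# Step 2 (optional): if nothing new came down but local settings have drifted,
# re-enforce the policy already on disk. Note from the thread: the HIPS client
# UI must be closed/locked or enforcement is deferred until it is.
if ($args -contains '-ReEnforce') {
    $rc = Invoke-CmdAgent -Switch '/e'
    Write-Host "cmdagent.exe /e returned $rc"
}

# Show what the agent logged about policy/HIPS so you can confirm the
# enforcement actually happened rather than trusting the tray UI.
Get-RecentAgentLogLines | ForEach-Object { Write-Host $_ }
```

Run it from an elevated prompt; pass `-ReEnforce` only when you know the policy on disk is current and just needs reapplying, which is the case reply 3 describes for "/e".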