I was under the impression that HIPS relied upon the McAfee Agent (MA) similar to how VSE relies upon it.
HIPS relies on the McAfee Agent for policy management, since it is an ePO-managed product only (HIPS will not install unless the McAfee Agent (Framework service) is installed). VSE can be managed by ePO or configured standalone (unlike HIPS).
c) Open a CMD prompt and do the cmdagent /p /c /e thingy
Don't run multiple switches. "cmdagent.exe /p" will perform a Collect and Send Props, and if a new policy is available, it will be enforced automatically. Just run that switch.
d) Open the MA icon (if it's present) on the taskbar and do a: Update Security
"Update Security" runs a McAfee Agent Update task; it does not perform a McAfee Agent ASCI (Agent to Server Communication Interval) to update policies. If you want to update policies, run "cmdagent.exe /p" or "cmdagent.exe /c". See KB52707.
However, in our environment it seems that item "d" updates VSE but not HIPS (i.e., we right-click on the MA icon and select: Manage Features -> HIPS -> Firewall Policy) and we never see the new policy that was added.
Make sure the Agent is actually getting a new HIPS policy. Also ensure that the HIPS Client UI is locked/closed. If the HIPS Client UI is opened/unlocked, policy enforcement will not occur until you close it and re-enforce policies.
Thanks for the info. I was being lazy and just put the cmdagent stuff in the posting, even though we do it on 3 separate lines in a .bat file.
Although I didn't think the /p actually enforced it, that's what the /e was for. At least when we called McAfee regarding a VSE policy problem that's what tech support mentioned (there's a KB article as well that indicates the 3 switches are sorta needed to ensure a policy check and enforcement).
We'll look at the last item (HIPS Client UI being closed).
I don't see anything obvious in the MA log files for HIPS like I do for VSE. Normally for VSE I'll see the task names and I think something that indicates it's applying policies.
I don't see that for HIPS in the log for the machine in question, but perhaps I missed something.