I'm having issues with HIPS on a Windows 2008 R2 64 bit domain controller. I have pushed HIPS 220.127.116.115 to several Windows 2008 R2 64 bit machines and my primary domain controller is the only machine that is having this issue.
I have HIPS icon enabled via a Policy and have the McAfee agent icon enabled as well. On all of my machines I can see the HIPS icon, but on my primary domain controller I can't. I was able to, but it appears that it crashes. If I reboot the machine it appears again, but since it's a domain controller I can't reboot it every time I need to look at HIPS on it. If I try launching McAfeeFire.exe manually nothing happens, the process just closes. It does work at first for a little while, not sure how long (at least a few hours).
What log would this information be logged in? I've looked in c:\ProgramData\McAfee\Host Intrusion Prevention, not sure which log contains useful information. I've looked at several but nothing stands out.
Any help would be appreciated.
For HIPS 8.0, you access the HIPS tray icon via the McAfee Agent tray icon (Rclick McAfee Agent tray icon -> Manage Features -> Host Intrusion Prevention). Can you access the McAfee Agent tray icon? You may not be able to if you're using RDP to access the server (check via a local login).
There is no single tray icon for HIPS 8.0 (if you're using McAfee Agent 4.5 or higher).
KB70943 - Host Intrusion Prevention 8.0 tray icon requires McAfee Agent tray icon to be displayed
Also, McAfeeFire.exe is the HIPS Client UI interface, not the tray icon.
Right after I reboot the machine I right-click on the McAfee Agent tray icon and go to Manage Features and Host Intrusion Prevention is listed, but after so long (not sure how long) it is no longer on the list. In order to open the HIPS Client UI Interface I have to reboot the machine. I can't use McAfeeFire.exe to launch it, it does nothing.
I know the logs are located in C:\ProgramData\McAfee\Host Intrusion Prevention, but I'm not sure which one I should be focusing on, as I looked over most of them and haven't found anything useful.
Keith - send a HIPS Uninstall task from your ePO to the affected DC. Then send a wakeup call to the same DC. Log in to the DC, do a local "Enforce Policies" and a couple of "Collect and Send Props". Allow the DC to uninstall HIPS. Check the McAfee tray icon "About" to see if HIPS is still listed. Reboot DC if necessary.
Now, delete the DC from ePO but do not delete the McAfee Agent. This will refresh the GUID of the DC. Allow the DC to report back to ePO. Delete or edit the HIPS Uninstall task created above. Once it has reported back to ePO, send a HIPS Install task to the DC and do a wakeup call. Make sure the task is "Immediate".
This will uninstall the old HIPS and its setting remnants and install a fresh HIPS with your new settings.