Please bear with me as I'm a newb to the forum as well as fairly new to HIPS. Recently we've run into an issue with HIPS 8.0 which seemed to be performing normally, but upon closer examination (and some unusual behavior from machines) we've noticed that some machines (Windows XP/2003 in particular) seem to have their activity logs all of a sudden go blank and aren't reporting data up to the EPO server either. After some testing we were able to resolve the issue by running an uninstall of HIPS 7.0 (it appears some remnants were still around) and then disabling everything and uninstalling 8.0, then reinstalling 8.0 with the patches. We haven't quite figured out yet why the HIPS activity logs all of a sudden went blank and wanted to see if anyone was experiencing the same. As an additional issue, the uninstall both through EPO and manually (after following the instructions: unlocking the interface, stopping HIPS, using the appropriate msiexec uninstall commands) continues to fail. The only way we've been able to remove it is by restarting the machine, going into safe mode, stopping HIPS and then removing it. We have a significant number of machines with the issue, so rebooting each of them into safe mode and stopping the machines isn't very practical. Can anyone provide some advice going forward for either removing HIPS from all of these machines and reinstalling them successfully, or resolving the problem where the HIPS activity logs suddenly go blank? Has this been seen before at other locations? Thanks all for your time.
Check to see if your event.log file has maxed out and has failed to rollover.
C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log
C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\event.log
If the log file has failed to rollover to the new one, you will see an "event.log old" file that should show as the same size as the event.log file. Reboot into safe mode and delete both files, and your activity log should show activity again once back in normal mode. My organization has a support ticket in now for this issue. You can avoid the issue in the future by disabling network traffic logging from the client UI and/or reducing the activity log size that is set in the EPO policy. We saw the issue occur consistently when it was set to 100MB, but the problem did not seem to occur when it was set to 5MB.
This was definitely the problem. Fortunately we don't have a huge number of machines with this issue, but it does mean having to physically go to each box, reboot into safe mode and do the work from there. Have you heard back on any official fixes for this issue? Is there any way outside of safe mode to stop HIPS and then move these logs?
The issue has been escalated to Tier 4, but no official resolution yet. With HIPS 8.0 I have been unable to successfully stop the services that access this file without entering safe mode, so I have been prevented from executing any resolution to the issue without entering safe mode. Believe me, it is problematic to resolve remotely, especially if BitLocker is in use.
Is there any way outside of safe mode to stop HIPS and then move these logs?
When the Firesvc.exe process is running (the Host Intrusion Prevention Service service), the event.log file is locked. If you stop the HIPS service, the file should be unlocked (unless there is a third-party app that also has a lock on it; verify with Process Explorer). You will need to disable the Host IPS module first (if in PREVENT mode).
Disable the Host IPS module:
- Open the Host IPS Client user interface (UI) by doing one of the following:
  - Click the product tray icon.
  - Run McAfeeFire.exe from: C:\Program Files\McAfee Host Intrusion Prevention
- Click File, Unlock User Interface.
- Deselect Enable Host IPS (and click Apply, if using Host IPS 8.0). You see a status message in the bottom left corner stating that Host IPS is disabled.
- Minimize the Host IPS Client UI.
NOTE: Alternatively, you can use the ClientControl utility (with the /stop switch) to disable the Host IPS services. For details, see the following:
- The Host Intrusion Prevention 7.0 ClientControl utility is available for download from the McAfee Downloads site with your Grant Number.
PD22145 - Host Intrusion Prevention - Client Control Utility information
- The Host Intrusion Prevention 8.0 ClientControl utility is embedded in the product installation directory (C:\Program Files\McAfee Host Intrusion Prevention\) after installing the product.
PD23014 - Host Intrusion Prevention 8.0 ClientControl.exe Utility Readme
When this problem has occurred I have been unsuccessful in executing the above steps. I can disable the Host IPS and Network IPS from the GUI, but when I try to stop the service from the Windows Services manager, I get an error that access is denied. The client behaves like HIPS is still enabled and in self-protection mode.
Yes, I'm in the same boat as btadams where I can't really stop the HIPS. Even when you unlock HIPS it continues going and you are unable to stop the service. We've tried removing it, but it continues to block, so the uninstall fails either when on the machine or from the console. We've also tried upgrading it, but really it's just kind of stuck in that form. I'll try out the client control utility and see where that gets me. Thank you both for your assistance!
I basically ran the Sysinternals movefile.exe to delete those files at next reboot. The ClientControl.exe utility locks up, and uninstallation will not work since HIPS is in self-protect mode (not to mention that, at least for me, the HIPS console on the local machine locks up and is unresponsive), so that is pretty much the way I ran it on a large scale (roughly 700 machines; PSExec'ed it out).
Once the files are written in the registry for deletion, just remotely reboot the machine.
I'm testing out movefile and it works perfectly while directly on the machine. The only problem I'm having is getting it to run remotely. How were you able to execute it remotely through PSExec? It seems to freeze when being utilized remotely (I assume on the agreement part of movefile, like several other PSExec'ed tools). Is there a registry key I need to deploy on each machine prior to using movefile that gets it past that prompt?
First the file movefile.exe needs to be on the remote machine. (Unfortunately this cannot be done remotely like PSKill)
Basically, I created a bat file with the following contents and ran it with PSExec.
xcopy "\\ServerThatHostsTheFile\SharedFolder\movefile.exe" "%windir%\system32\" /F /Y (or you can put the movefile somewhere else and change directory to it.)
reg.exe ADD "HKCU\Software\Sysinternals\MoveFile" /v EulaAccepted /t REG_DWORD /d 1 /f (This is the key that it needs to run remotely via the admin account you are running it as (also the regkey you are looking for since without it, like you said, it seems like it is waiting for something and the process freezes).)
movefile "%allusersprofile%\Application Data\McAfee\Host Intrusion Prevention\Event.log" ""
movefile "%allusersprofile%\Application Data\McAfee\Host Intrusion Prevention\Event.log old" "" (the "" means delete file at next reboot, but I'm sure you read the help portion...)
and then reboot the machine either at the end of the script or when the user closes everything out.
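An added PowerShell check (not from this thread or from McAfee) that ties the two fixes above together: it diagnoses the failed-rollover symptom (Event.log and "Event.log old" present at the same size), tests whether Firesvc.exe still holds the log, and confirms that the movefile.exe run in the batch file above actually staged both files for delete-at-reboot. It assumes the XP/2003 path layout used in the thread and is run as the same account PSExec uses, after the batch file and before the reboot.

```powershell
# Added example, not from the thread. Assumes the XP/2003 paths used above and
# that the batch file with movefile.exe has already run on this machine.
$logDir = Join-Path $env:ALLUSERSPROFILE 'Application Data\McAfee\Host Intrusion Prevention'
$logs   = @((Join-Path $logDir 'Event.log'), (Join-Path $logDir 'Event.log old'))

function Test-FileLocked([string]$path) {
    # Open with no sharing: while Firesvc.exe holds Event.log this throws.
    try {
        $fs = [System.IO.File]::Open($path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch { return $true }
}

function Test-RolloverFailed([string]$current, [string]$old) {
    # The symptom described in the thread: both files exist and are the same
    # size because the rollover to the new log never completed.
    if (-not ((Test-Path $current) -and (Test-Path $old))) { return $false }
    return ((Get-Item $current).Length -eq (Get-Item $old).Length)
}

function Get-PendingDeletes {
    # movefile "<src>" "" uses MoveFileEx with delay-until-reboot, which records
    # source/destination pairs in this REG_MULTI_SZ; an empty destination
    # means "delete at next boot". Sources are stored in \??\C:\... form.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    $deletes = @()
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        if ($ops[$i + 1] -eq '') { $deletes += ($ops[$i] -replace '^\\\?\?\\', '') }
    }
    return $deletes
}

Write-Host ("Rollover failed: {0}" -f (Test-RolloverFailed $logs[0] $logs[1]))
foreach ($f in $logs) {
    if (Test-Path $f) { Write-Host ("{0} locked: {1}" -f $f, (Test-FileLocked $f)) }
}
$pending = Get-PendingDeletes
foreach ($f in $logs) {
    # -contains is case-insensitive, so the registry's casing does not matter.
    Write-Host ("{0} staged for delete at reboot: {1}" -f $f, ($pending -contains $f))
}
```

If either log reports "staged: False" after the batch file ran, the EulaAccepted key was most likely missing for the account PSExec used and movefile stalled on its prompt rather than writing the entry.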
Message was edited by: impulse-mpd on 5/15/13 5:12:40 AM CDT