2208 Views 9 Replies Latest reply: May 15, 2013 5:04 AM by impulse-mpd
rtgx Newcomer 6 posts since
May 2, 2013

May 2, 2013 5:26 PM

HIPS 8.0 Activity Logs Blank and Uninstall Failing

Please bear with me as I'm a newb to the forum as well as fairly new to HIPS. Recently we've run into an issue with HIPS 8.0 which seemed to be performing normally, but upon closer examination (and some unusual behavior from machines) we've noticed that some machines (Windows XP/2003 in particular) seem to have their activity logs all of a sudden go blank, and they aren't reporting data up to the EPO server either. After some testing we were able to resolve the issue by running an uninstall of HIPS 7.0 (it appears some remnants were still around), then disabling everything and uninstalling 8.0, then reinstalling 8.0 with the patches. We haven't quite figured out yet why the HIPS activity logs all of a sudden went blank and wanted to see if anyone was experiencing the same.

As an additional issue, the uninstall, both through EPO and manually (after following the instructions: unlocking the interface, stopping HIPS, using the appropriate msiexec uninstall commands), continues to fail. The only way we've been able to remove it is by restarting the machine, going into safe mode, stopping HIPS and then removing it. We have a significant number of machines with the issue, so rebooting each of them into safe mode and stopping the machines isn't very practical. Can anyone provide some advice going forward for either removing HIPS from all of these machines and reinstalling them successfully, or resolving the problem where the HIPS activity logs suddenly go blank? Has this been seen before at other locations? Thanks all for your time.

  • btadams Newcomer 14 posts since
    Jan 13, 2012
    1. May 7, 2013 1:20 PM (in response to rtgx)
    Re: HIPS 8.0 Activity Logs Blank and Uninstall Failing

    Check to see if your event.log file has maxed out and has failed to roll over.

    Vista/2008+

    C:\ProgramData\McAfee\Host Intrusion Prevention\Event.log

    XP/2003

    C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\Event.log

    If the log file has failed to roll over to the new one, you will see an "event.log old" file that should show as the same size as the event.log file. Reboot into safe mode and delete both files, and your activity log should show activity again once back in normal mode. My organization has a support ticket in now for this issue. You can avoid the issue in the future by disabling network traffic logging from the client UI and/or reducing the activity log size that is set in the EPO policy. We saw the issue occur consistently when it was set to 100MB, but the problem did not seem to occur when it was set to 5MB.

  • btadams Newcomer 14 posts since
    Jan 13, 2012
    3. May 8, 2013 2:33 PM (in response to rtgx)
    Re: HIPS 8.0 Activity Logs Blank and Uninstall Failing

    The issue has been escalated to Tier 4, but there is no official resolution yet. With HIPS 8.0 I have been unable to successfully stop the services that access this file without entering safe mode, so I have been prevented from executing any resolution to the issue without entering safe mode. Believe me, it is problematic to resolve remotely, especially if BitLocker is in use.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    4. May 8, 2013 2:38 PM (in response to rtgx)
    Re: HIPS 8.0 Activity Logs Blank and Uninstall Failing
    Is there any way outside of safe mode to stop HIPs and then move these logs?

    When the Firesvc.exe process is running (the Host Intrusion Prevention Service service), the event.log file is locked. If you stop the HIPS service, the file should be unlocked (unless there is a 3rd-party app that also has a lock on it; verify with Process Explorer). You will need to disable the Host IPS module first (if in PREVENT mode).

    Disable the Host IPS module:

    1. Open the Host IPS Client user interface (UI) by doing one of the following:
      • Click the product tray icon.
      • Run McAfeeFire.exe from: C:\Program Files\McAfee Host Intrusion Prevention
    2. Click File, Unlock User Interface.
    3. Deselect Enable Host IPS (and click Apply, if using Host IPS 8.0). You see a status message in the bottom left corner stating that Host IPS is disabled.
    4. Minimize the Host IPS Client UI.


    NOTE:
    Alternatively, you can use the ClientControl utility (with the /stop switch) to disable the Host IPS services. For details, see the following:

    • The Host Intrusion Prevention 7.0 ClientControl utility is available for download from the McAfee Downloads site with your Grant Number.
      PD22145 - Host Intrusion Prevention - Client Control Utility information
    • The Host Intrusion Prevention 8.0 ClientControl utility is embedded in the product installation directory (C:\Program Files\McAfee Host Intrusion Prevention\) after installing the product.
      PD23014 - Host Intrusion Prevention 8.0 ClientControl.exe Utility Readme
  • btadams Newcomer 14 posts since
    Jan 13, 2012


    Kary,

    When this problem has occurred I have been unsuccessful in executing the above steps. I can disable the Host IPS and Network IPS from the GUI, but when I try to stop the service from the Windows Services manager, I get an error that access is denied. The client behaves like HIPS is still enabled and in self-protection mode.

    Bryan

  • impulse-mpd Newcomer 2 posts since
    May 14, 2013
    7. May 14, 2013 4:39 AM (in response to rtgx)
    Re: HIPS 8.0 Activity Logs Blank and Uninstall Failing

    I basically ran the Sysinternals movefile.exe to delete those files at next reboot. Since the ClientControl.exe utility locks up, and uninstallation will not work since HIPS is in self-protect mode (not to mention that, at least for me, the HIPS console on the local machine locks up and is unresponsive), that is pretty much the way I ran it on a large scale (on roughly 700 machines; I PsExec'ed it out).

    Once the files are written in the registry for deletion, just remotely reboot the machine.

  • impulse-mpd Newcomer 2 posts since
    May 14, 2013
    9. May 15, 2013 5:12 AM (in response to rtgx)
    Re: HIPS 8.0 Activity Logs Blank and Uninstall Failing

    Yes,

    First, the file movefile.exe needs to be on the remote machine. (Unfortunately this cannot be done remotely like PsKill.)

    Basically, I created a bat file with the following contents and ran it with PsExec:

    @echo off
    REM Copy movefile.exe onto the target (or put movefile somewhere else and change directory to it).
    xcopy "\\ServerThatHostsTheFile\SharedFolder\movefile.exe" "%windir%\system32\" /F /Y

    REM Pre-accept the Sysinternals EULA for the admin account you are running this as.
    REM Without this key movefile waits for the EULA prompt and the process freezes.
    reg.exe ADD "HKCU\Software\Sysinternals\MoveFile" /v EulaAccepted /t REG_DWORD /d 1 /f

    REM An empty destination ("") means delete the file at next reboot (see movefile's help).
    movefile "%allusersprofile%\Application Data\McAfee\Host Intrusion Prevention\Event.log" ""
    movefile "%allusersprofile%\Application Data\McAfee\Host Intrusion Prevention\Event.log old" ""

    and then reboot the machine either at the end of the script or when the user closes everything out.

    Message was edited by: impulse-mpd on 5/15/13 5:12:40 AM CDT
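The following script is an added example and is not code from this thread or from McAfee. It combines the two practical pieces above: the rollover check from btadams' reply (live Event.log next to an "Event.log old" of the same size) and the delete-at-reboot step from impulse-mpd's batch file, but without having to copy movefile.exe to every target. Instead it appends to the Session Manager PendingFileRenameOperations value, which is the registry value MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes and that Sysinternals PendMoves reads. Assumptions: it runs elevated on the affected machine (pushed with PsExec as in the post), PowerShell is installed there (on XP/2003 that means PowerShell 2.0), and the file names and directories are the ones quoted in this thread.

```powershell
# Added example (not from the thread). Detects the stalled-rollover symptom and
# queues both HIPS log files for deletion at next boot via
# PendingFileRenameOperations, the value MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
# populates. Assumes an elevated shell on the affected client and the file
# names/paths given in the thread.
param([switch]$Force)   # queue the delete even if the size check does not flag it

function Get-HipsLogDirectory {
    # Vista/2008+ define $env:ProgramData; XP/2003 do not, so fall back to the
    # "All Users\Application Data" location quoted earlier in the thread.
    if ($env:ProgramData) {
        return (Join-Path $env:ProgramData 'McAfee\Host Intrusion Prevention')
    }
    return (Join-Path $env:ALLUSERSPROFILE 'Application Data\McAfee\Host Intrusion Prevention')
}

function Test-HipsLogRollover {
    param([string]$Directory = (Get-HipsLogDirectory))

    $live = Get-Item -LiteralPath (Join-Path $Directory 'Event.log')     -ErrorAction SilentlyContinue
    $old  = Get-Item -LiteralPath (Join-Path $Directory 'Event.log old') -ErrorAction SilentlyContinue

    # An exclusive open fails while Firesvc.exe holds Event.log. That is normal on
    # a healthy client, so the lock is reported but not treated as the fault.
    $locked = $false
    if ($live) {
        try {
            $fs = [System.IO.File]::Open($live.FullName, 'Open', 'Read', 'None')
            $fs.Close()
        } catch { $locked = $true }
    }

    $liveBytes = $null; if ($live) { $liveBytes = $live.Length }
    $oldBytes  = $null; if ($old)  { $oldBytes  = $old.Length }

    New-Object PSObject -Property @{
        Directory      = $Directory
        LiveBytes      = $liveBytes
        OldBytes       = $oldBytes
        LiveLocked     = $locked
        # The symptom from the thread: rollover stalled, both files the same size.
        RolloverFailed = [bool]($live -and $old -and ($live.Length -eq $old.Length))
    }
}

function Add-PendingDelete {
    # Queue files for the Session Manager to delete at next boot. The value is a
    # REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    param([Parameter(Mandatory=$true)][string[]]$Path)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $name = 'PendingFileRenameOperations'

    # Preserve anything Windows Update or another installer has already queued.
    $existing = @()
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.$name) }

    $new = @()
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $new += ('\??\' + $p)   # NT object-manager form that smss.exe expects
        $new += ''              # empty destination: delete rather than rename
    }
    if ($new.Count -eq 0) { return $false }

    Set-ItemProperty -Path $key -Name $name -Type MultiString -Value ([string[]]($existing + $new))
    return $true
}

$state = Test-HipsLogRollover
$state | Format-List Directory, LiveBytes, OldBytes, LiveLocked, RolloverFailed

if ($state.RolloverFailed -or $Force) {
    $queued = Add-PendingDelete -Path @(
        (Join-Path $state.Directory 'Event.log'),
        (Join-Path $state.Directory 'Event.log old')
    )
    if ($queued) { Write-Host 'Deletion queued; reboot the machine to apply it.' }
} else {
    Write-Host 'Rollover looks fine; nothing queued (use -Force to override).'
}
```

Because the value is appended rather than overwritten, anything an installer has already queued survives. Before rebooting, read the value back (or run Sysinternals PendMoves) to confirm the two `\??\` entries are present with empty destinations; note that -Force on a healthy client throws away the current activity log, so reserve it for machines the size check has flagged.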
