3 Replies Latest reply: Jul 16, 2013 2:06 PM by keith2045

    HIPS blocking lsass.exe

    keith2045

      I'm trying to install HIPS on my domain controllers. I have two, one virtual and the other physical. They are both running Windows 2008 R2 OS.

      On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

      Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception, but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

        • 1. Re: HIPS blocking lsass.exe
          Kary Tankink
          On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

          Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

          Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception, but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

          Does the blocked network traffic event show an application?  If it does not, then you cannot specify an application in the rule; it must remain blank.  If you have an example of the blocked traffic, please post it and I can verify.

          • 2. Re: HIPS blocking lsass.exe
            keith2045

            The blocked network traffic does not show an application. I'm not able to pull up the specific information on the traffic at the moment, but it was coming into port 49155, and since that is a dynamic port I can't really open that port. I think my only option is to try and figure out how to limit the range of ports for lsass.exe.

            • 3. Re: HIPS blocking lsass.exe
              keith2045

              Kary Tankink wrote:

              On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked' everything works fine, but when I have both 'log all blocked' and 'log all allowed' then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again I have to restart the HIPS service.

              Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

              I've upgraded HIPS to 8.0.0.4422 and still notice this issue. Any other suggestions? When this happens I've noticed that it allows traffic in that is normally blocked.