1030 Views 3 Replies Latest reply: Jul 16, 2013 2:06 PM by keith2045
keith2045 Newcomer 29 posts since
May 17, 2012

Jun 27, 2013 8:19 AM

HIPS blocking lsass.exe

I'm trying to install HIPS on my domain controllers. I have two, one virtual and the other physical. They are both running Windows 2008 R2 OS.

On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked', everything works fine, but when I have both 'log all blocked' and 'log all allowed' and then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again, I have to restart the HIPS service.

Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception, but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    1. Jun 27, 2013 12:10 PM (in response to keith2045)
    Re: HIPS blocking lsass.exe
    On both machines I have noticed an issue when I have the HIPS GUI open (8.0.0) and on the activity log tab. When I have just 'log all blocked', everything works fine, but when I have both 'log all blocked' and 'log all allowed' and then I uncheck 'log all allowed', I'm not able to clear or refresh the logs. In order for me to get it working again, I have to restart the HIPS service.

    Are you running HIPS build 8.0.0.2482 when you reproduce this issue? Check in the HIPS Client UI HELP, ABOUT. If not, please upgrade to HIPS 8.0 Patch 2 Hotfix 803520 and retest.

    Another issue I'm having is with my physical domain controller. For some reason I'm not able to add an exception for the lsass.exe service. In the firewall logs I have noticed that it is blocking incoming requests for a specific port (49,000 something). I have tied that port to the lsass.exe service and have added an exception, but that exception seems to get ignored. I can see the rule in the firewall policy on the machine. If I add a rule for the port number it works fine, but not if I specify the application. I think I might try a reinstall on this machine.

    Does the blocked network traffic event show an application? If it does not, then you cannot specify an application in the rule; it must remain blank. If you have an example of the blocked traffic, please post it and I can verify.
