1 Reply Latest reply: Sep 17, 2013 8:07 AM by john.ruiz RSS

    HIPS 8 Events not showing up in ePO console

    john.ruiz

      Has anyone experienced anything similar?

       

      I've tested out HIPS 8 on my machine by renaming my notepad.exe to 'notepad.com.exe' and then executing it to trigger Signature 413 - Double File Extension Execution. i can see it in my Activity Log just fine. But when I look for ANY HIPS 8 events, I cannot see any. I can see HIPS 7 events just fine and sending events from my workstation seems to work.

       

      I've even tried specifically querying for HIPS 8 events in the Threat Event Log and Host IPS 8.0 Events section with no luck.

       

      Befuddled

      Johnny

        • 1. Re: HIPS 8 Events not showing up in ePO console
          john.ruiz

          I answered my own question:

           

          The problem being experienced was that there were absolutely no HIPS 8 specific events showing up via ePO console. This was very unusual, especially after having deployed HIPS 8 to approximately 60 workstations and reviewing the logs for several days, specifically the Menu > Reporting > Host IPS 8.0 section. I was able to figure out why. This is the troubleshooting history:

           

          1) After chatting in the HBSS community room, the general consensus seemed to be that HIPS 7 to HIPS 8 policy migration was problematic due to different syntax being used in the IPS exception language, esp the wildard characters. One of the participants stated that they solved their problem by recreating all their HIPS 8 policies and checking all the exceptions manually for that incorrect syntax. I copied over all the HIPS 7 exceptions to newly recreated HIPS 8 policies making sure to remove any wildcard c haracters from the exceptions if found (I did not find any wildcard characters). I also removed the migrated HIPS 7 policies and un-assigned them from any group and/or individual node. This process took a few days as we had several dozen exceptions spread across several policies.

           

          2) This did not work.

           

          3) I double checked all my IPS OPtions policies to make sure that at the very least, "Informational" severity events were logged and that they were assigned correctly to the appropriate groups. This was affirmative.

           

          3) The next thing to try was to trigger a HIPS 8 event on my local workstation to determine that HIPS 8 was actually working and logging locally and then sending that event up to the ePO server to determine if it was actually getting processed.

           

          4) I discovered that the easiest way to trigger a HIPS 8 event was by renaming an executable on my local workstation so that the extension ends in "*.com.exe" and then executing it. This will trigger  Signature 413: "Suspicious Double File Extension Execution" in the IPS policy. I renamed "putty.exe" on my Desktop to "putty.com.exe" and then executed it. I could see this event being logged as a High Severity event in my local HIPS console in the 'Activity Log' section. Please see https://community.mcafee.com/message/212795#212795

           

          5) I then opened the Mcafee Agent Status Monitor on my workstation and clicked on "Send Events". I could see that 1 event was being sent to the ePO server; I assumed that this was the newly generated 413 event I triggered as I did not intentionally violate any other HIPS and/or VirusScan policy on my workstation.

           

          6) Being familiar with the structure of the ePO database, I checked the "dbo.HIP8_EventInfo" table and it was empty. I then compared that to the "dbo.HIP7_EventInfo" table, which was heavily populated with events. This told me that the events were not even reaching the SQL database. Perhaps there was some process that was hampered on the ePO server itself and was not correctly taking in events from the clients.

           

          7) One of the dead ends I ran into was thinking that it was the "Host IPS 8.0 Property Translator". I knew this Server Task was run for older HIPS versions to process some types of events. So I executed this task on the Server in the hopes that this would process HIPS 8 events and put them in the database at least. This was not the case.

           

          8) The next process to troubleshoot was the "Event Parser" service. I knew this service was necessary to parse events from the clients for insertion into the database. I reviewed the Event Parser logs located in "D:\Program Files\Mcafee\Epolicy orchestrator\DB\Logs\EventParser.log" and noticed this entry:

           

          Server_ProcessXMLFile: Failed to create parser extension for <HostIPS8>

           

          9) I performed a Google search for the string "Server_ProcessXMLFile: Failed to create parser extension" to see if I could get broader results for other ePO modules that were experiencing similar problems. I found my answer at:

           

          https://kc.mcafee.com/corporate/index?page=content&id=KB71211&cat=SEARCH_CATEGOR IES&actp=LIST

           

          10) I altered the instructions in the KB article and applied them to the Host Intrusion Prevention module. So in Steps 3 and 4 where you delete the "DATALOSS2000" folder and restart the McAfee services (Event Parser and Application Server services) on the ePO server to recreate the Event Parser extension plugin specifically for DLP, I deleted the HOSTIPS_8000 plugin instead, restarted the McAfee services, and then regenerated and resent the Signature 413 events to the ePO server in the hopes that the HOSTIPS_8000 Event Parser plugin would be recreated. This was a sucess.

           

          11) I could now see HIPS 8 specific events in the Host IPS 8 reporting section.