459 Views 3 Replies Latest reply: Oct 23, 2013 9:22 AM by c8822131
c8822131 Newcomer 14 posts since
Jun 13, 2013

Sep 25, 2013 11:46 AM

HIPS 8 - IPS blocking JInitiator based access to Oracle DB via IE

Hi all,

 

Just ran a pilot deployment to 900 machines which has been very successful with the exception of 10 machines.

 

These machines are accessing an Oracle DB via a web interface using JInitiator, which is being blocked by IPS (confirmed by giving HIPS admin access to the machine and allowing the end user to disable IPS), but I'm unable to determine which signature is causing the block.

I've checked event logs on the machines highlighted with the issue and I can only see events being triggered by signature 1002 (Windows Agent Shielding - Registry Access).

 

Has anyone out there experienced anything similar?

 

Thanks

 

Mike

  • greatscott Champion 283 posts since
    Jul 18, 2011

    I am not having the issue, but signature 1002 is set to not log by default. You need to go into your IPS rules policy and modify it to log to see the events in ePO. Once you do this, you can probably get better information via an event, to make an exception.

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010

    Signature 1002 is a HIPS self-protection rule.  Enabling logging will only generate an ePO event of the same data you will find in the Hipshield.log file.  It's not recommended to create IPS exceptions for Signature 1000-1003 (unless you consult with McAfee Support on the issue), since these are the signatures that protect the HIPS installation on the system. 

     

    Signatures 1000-1003 are set to not generate ePO events, as they can cause a huge amount of events that are reported to ePO, that do not need tuning.  I would not recommend setting these signatures to log ePO events; just review the local hipshield.log file for events (as you have done).  Test an IPS exception if you'd like, but I would not recommend creating exceptions for these signatures.
