Just ran a pilot deployment to 900 machines which has been very successful with the exception of 10 machines.
These machines are accessing an Oracle DB via a web interface using Jinitiator which is being blocked by IPS (confirmed by giving HIPS admin access to the machine and allowing the end user to disable IPS)
but I'm unable to determine which signature is causing the block.
I've checked event logs on the machines highlighted with the issue and I can only see events being triggered by signature 1002 (Windows Agent Shielding - Registry Access).
Has anyone out there experienced anything similar?
I am not having the issue, but signature 1002 is set to not log, by default. You need to go into your IPS rules policy and modify it to log to see the events in ePO. Once you do this, you can probably get better information via an event, to make an exception.
Signature 1002 is a HIPS self-protection rule. Enabling logging will only generate an ePO event of the same data you will find in the Hipshield.log file. It's not recommended to create IPS exceptions for Signature 1000-1003 (unless you consult with McAfee Support on the issue), since these are the signatures that protect the HIPS installation on the system.
Signatures 1000-1003 are set to not generate ePO events, as they can cause a huge amount of events that are reported to ePO, that do not need tuning. I would not recommend setting these signatures to log ePO events; just review the local hipshield.log file for events (as you have done). Test an IPS exception if you'd like, but I would not recommend creating exceptions for these signatures.
Looks like we resolved this with rebuilds of the affected machines.
They were on 1st edition Win XP gold builds (our version 1.1) from 6 years ago! The local guys have rebuilt and the issue has gone.