4 Replies Latest reply: May 14, 2014 7:51 AM by alexk999

    Purge old Client Rules

    alexk999

      Is there a way to purge all Client Rules from ePO?  I have created all firewall rules in ePO then manually cleared out all Dynamically Created rules from an endpoint.   I have also unchecked the "Don't retain client rules" section.  Then run a Collect and Send Props.  After that run a Host IPS 8.0 Property Translator and waited overnight.  The rules are not disappearing from the Client Side Rules section in ePO.  The machine in question shows over 630 Client Side Rules in ePO, however the endpoint shows none.  I would like to clear out all ePO Client Rules then the machines will re-send all rules that are created dynamically after that.

        • 1. Re: Purge old Client Rules
          Kary Tankink
          • Clear all the client rules from the HIPS client (using the DO NOT RETAIN EXISTING CLIENT RULES option or manual deletion).  Seems you did this step already.
          • Ensure client is running McAfee Agent ClientUI policy with "" enabled.
          • Perform full Agent Wakeup call with Get Full Props selected.
          • After ASCI, check the ePO Node Properties.  Under HIPS, you should see Local exception rule count set to 0 and no Client firewall rules XXX_XXX entries.
          • Run the HIPS Property Translator task.  The associated client rules that did exist in the ePO Node properties (and ePO tables) should now match the HIPS Client Rules menu (and HIPS tables), showing client rules removed.

           

          There is no way to manually delete them from ePO.  You must clean out the client data and update the ePO node properties, and use the HIPS Property Translator task to add/delete from the Client Rules menu.  The client rules must be cleared in this order.

           

          Client -> ePO Node properties -> HIPS Property Translator task -> HIPS client rules menu & tables

          • 2. Re: Purge old Client Rules
            alexk999

            Thanks Kary. Can you tell me how to get into the ePO Node Properties?  :-)  I've never been in that section before.  I did see from another thread you said it was in the DB.

            • 3. Re: Purge old Client Rules
              Kary Tankink

              Can you tell me how to get into the ePO Node Properties?

              In the ePO Console, click on the System Tree.  Under any groups, find the System Name (i.e., ePO Node) and click on the node.  This will take you to the system properties of that machine, which gives you all the details of what products are installed, versions, etc.  Click on the Products tab and then the Host Intrusion Prevention product to see the product properties of that system.

              • 4. Re: Purge old Client Rules
                alexk999

                I was able to find that section.  There are Local Exceptions 61-96 in there and Local exception rule count =36.  I checked the endpoint and there aren't any dynamic rules.