3 Replies Latest reply on Feb 2, 2015 12:49 AM by epository

    HIPS Queries - IPS Status vs. IPS Service Running vs. Product Status (Host IPS)

    epository

      All, I am seeing a lot of my machines with the right policies to turn on HIPS, but with one of the above values set to "Disabled"... this is Host IPS 8.0.

      What is the difference among all of these values for the Queries, and if I am seeing the IPS Status as "Not Running" or "Disabled", does this mean all HIPS features are inactive?  Blocking, Firewall, Application Whitelisting?

      It's only showing this on about 10% of my machines, but I haven't been able to find one close by to verify if the service is running or not.

      There doesn't seem to be much documentation on this or on the other strange fields available like IPS Fault or Firewall Fault.

      Anyone who can shine some light on this?

        • 1. Re: HIPS Queries - IPS Status vs. IPS Service Running vs. Product Status (Host IPS)
          fitchsoccer342

          I'm not sure of the exact answers to the query questions, but you can easily connect to another computer using Windows Computer Management to see the running services of that machine. Or use PsExec to connect to their cmd and just run the command "net start"; that will list all running services, just to manually check a couple.

          Also, again a more manual method, but you can check registry keys to see if the IPS or FW is enabled as well. If you go here: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\HIP\Config\Settings, take a look at IPS_HipsEnabled & FW_Enabled... if 1, then enabled.

          I have a dashboard set up that depicts HIPS statuses for workstations/servers; the ones you see in red are set to disabled. The HIPS service is still running, I just have policies turning pieces of HIPS off.
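The manual checks in the reply above (service state plus the two registry values) can be combined into one script so that a batch of hosts can be checked for the mismatch the original poster describes: policy says enabled, but the service is not running. The following PowerShell is an added example written for this thread, not code from the thread, from McAfee, or from ePO. It assumes the HIPS service name is `enterceptAgent` (the McAfee Host Intrusion Prevention service on HIPS 8.0; pass `-ServiceName` if yours differs), assumes the registry path without `Wow6432Node` on 32-bit Windows, and assumes WinRM is enabled for remote hosts. Only the Wow6432Node path and the two value names come from the reply itself.

```powershell
# Added example: report HIPS 8.0 IPS/firewall enablement and service state per host.
# Assumptions (not stated in the thread): service name 'enterceptAgent', the
# non-Wow6432Node registry path on 32-bit Windows, and WinRM for remote hosts.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$ServiceName = 'enterceptAgent'
)

# Runs on the target host and returns one status object.
$probe = {
    param([string]$svc)

    $paths = @(
        'HKLM:\SOFTWARE\Wow6432Node\McAfee\HIP\Config\Settings',  # 64-bit Windows (from the thread)
        'HKLM:\SOFTWARE\McAfee\HIP\Config\Settings'               # 32-bit Windows (assumed)
    )
    $settings = $null
    foreach ($p in $paths) {
        if (Test-Path -Path $p) { $settings = Get-ItemProperty -Path $p; break }
    }

    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        HipsInstalled = [bool]$settings
        IpsEnabled    = if ($settings) { [int]$settings.IPS_HipsEnabled -eq 1 } else { $false }
        FwEnabled     = if ($settings) { [int]$settings.FW_Enabled -eq 1 }      else { $false }
        ServiceStatus = if ($service)  { $service.Status.ToString() }           else { 'NotFound' }
    }
}

function Get-HipsState {
    param([string]$Computer, [string]$Svc)
    # Run locally without WinRM when the target is this machine.
    if ($Computer -ieq $env:COMPUTERNAME -or $Computer -ieq 'localhost') {
        return & $probe $Svc
    }
    try {
        Invoke-Command -ComputerName $Computer -ScriptBlock $probe -ArgumentList $Svc -ErrorAction Stop
    } catch {
        [pscustomobject]@{
            Computer = $Computer; HipsInstalled = $null; IpsEnabled = $null
            FwEnabled = $null;    ServiceStatus = "Unreachable: $($_.Exception.Message)"
        }
    }
}

# Classify each host so the inconsistent ones (policy on, service not running) stand out.
$results = foreach ($c in $ComputerName) {
    $s = Get-HipsState -Computer $c -Svc $ServiceName
    $verdict = if (-not $s.HipsInstalled) {
        'HIPS not installed'
    } elseif (($s.IpsEnabled -or $s.FwEnabled) -and $s.ServiceStatus -ne 'Running') {
        'POLICY ON BUT SERVICE NOT RUNNING'   # the case described in the thread
    } elseif ($s.IpsEnabled -or $s.FwEnabled) {
        'Protected'
    } else {
        'Disabled by policy'
    }
    $s | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

$results | Format-Table Computer, HipsInstalled, IpsEnabled, FwEnabled, ServiceStatus, Verdict -AutoSize
```

Run it as an administrator, for example `.\Check-Hips.ps1 -ComputerName host1,host2`. A host flagged `POLICY ON BUT SERVICE NOT RUNNING` is worth comparing against its ePO row: the registry values reflect what the policy set, while the service state reflects what is actually enforcing it.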

          • 2. Re: HIPS Queries - IPS Status vs. IPS Service Running vs. Product Status (Host IPS)
            epository

            While trying to construct a query that would show me total compliance for Blocking, including machines without HIPS installed, I stumbled across instances where the Service Running (Host IPS) was set to "Disabled" while the Product Status (Host IPS) was returning a value of "Enabled" and Host IPS Status (Host IPS) was also "Enabled".

            They had the right policies applied, so it appeared that Reaction for High was good and the HIPS should have been enabled, but the IPS Service is reporting as not running... which pretty much kills the IPS and Firewall portions.

            Digging in deeper, I saw that the HIPS value of License Status on several of these was "Expired"... not sure why.

            Just for a sanity check, if the IPS Service is not running, does that mean Firewall and IPS are not doing anything?  Or are they split out as different services in HIPS 8.0?

            • 3. Re: HIPS Queries - IPS Status vs. IPS Service Running vs. Product Status (Host IPS)
              epository

              See the Dashboard I uploaded here

              Dashboard for HIPS Product Codes

              Our License Status was showing as expired on a lot of machines... a reinstall of HIPS straightened it out.