2 Replies Latest reply on Jan 30, 2015 7:16 PM by tauhs

    HIPS Tuning Guide - Making HIPS work

    tauhs

I originally wrote this up a few years ago. The product guide provided by McAfee was good, but I needed a better explanation at the time. So, I hope this helps others who may cringe when the acronym HIPS is uttered.


      I have placed an attachment to this discussion.


      ********************************


If you can't download the zip:


The following policies will need to be modified to allow programs to work as intended.
      A. Host Intrusion Prevention 8.0.0: General -> Trusted Networks
      B. Host Intrusion Prevention 8.0.0: General -> Trusted Applications
      C. Host Intrusion Prevention 8.0.0: Firewall -> Firewall Rules


      I. ** HIPS Build for Application Programs **

Place the program in a separate container!

(A) Create a Trusted Applications policy for the program (Retina is used as the example):
      1. In the system tree select the container which contains assets to be scanned by the Retina Scanner.
2. Select the Assigned Policies tab.
      3. Change the Product drop down to Host Intrusion Prevention 8.0.0: General.
4. Click on the currently assigned Trusted Applications policy. ** If it is "McAfee Default", see NOTE.
      5. Click the "Add Application" button.
6. Enter Application Name -> Retina
a. Check "Mark trusted for IPS"
b. Check "Mark trusted for firewall"
c. Enter the path to the executable. Add each of the following. Note: enter the correct drive letter, C or D (C is used in this example; Retina is the example application).

      C:\Program Files\eEye Digital Security\Retina 5\Retina.exe
      C:\Program Files\eEye Digital Security\Retina 5\retprc_client.exe
      C:\Program Files\eEye Digital Security\Retina 5\Tools\Audits Wizard.exe
      C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
      C:\Program Files\eEye Digital Security\Retina 5\Scanner\Scanner.exe
      C:\Program Files\eEye Digital Security\Retina 5\Tools\VMSExportWizard.exe
      C:\Program Files\eEye Digital Security\Retina 5\Scanner\xccdf_engine.exe

      Click OK and save the policy.

      Assign the New Policy:
      1. Systems -> CONTAINER WHERE Retina Scanner Resides
      2. Assigned Policies -> Product = Host Intrusion Prevention 8.0.0: General
      3. For Trusted Applications click Edit Assignments.
4. Under "Inherit From", select "Break inheritance and assign the policy and settings below."
      5. Change the assigned policy to the newly created policy and Save.


      (B) Create Trusted Network Policy
      1. Menu -> Policy -> Policy Catalog
      2. Product = Host Intrusion Prevention 8.0.0: General
      3. Category = Trusted Networks
      4. Click New Policy Button
5. Select the "McAfee Default" policy in the "Create a policy based on this existing policy:" dropdown.
6. Enter a name for the new policy. <OK>
7. Uncheck "include local subnet automatically".
8. Enter the IP address of the Retina Scanner.
9. Check "Trust for network IPS"

      Assign the New Policy:
      1. Systems -> CONTAINER WHERE Retina Scanner Resides
      2. Assigned Policies -> Product = Host Intrusion Prevention 8.0.0: General
      3. For Trusted Networks click Edit Assignments.
4. Under "Inherit From", select "Break inheritance and assign the policy and settings below."
      5. Change the assigned policy to the newly created policy and Save.

      Send Agent Wakeup Call to All Systems.

II. ** Policies for systems scanned by Retina **


      A. Trusted Networks
      1. In the system tree select the container which contains assets to be scanned by the Retina Scanner.
2. Select the Assigned Policies tab.
      3. Change the Product drop down to Host Intrusion Prevention 8.0.0: General.
      4. Click on the currently assigned Trusted Networks Policy
      5. Duplicate the policy and give the policy a name.
      6. Uncheck "include local subnet automatically".
      7. Enter the IP address of the Retina Scanner.
      8. Check "Trust for network IPS"
      9. Save Policy
      10. Assign this new policy to the container.

      B. Trusted Applications
      1. In the system tree select the container which contains assets to be scanned by the Retina Scanner.
2. Select the Assigned Policies tab.
      3. Change the Product drop down to Host Intrusion Prevention 8.0.0: General.
      4. Click on the currently assigned Trusted Applications Policy.
      5. Duplicate the policy and give the policy a name.
      6. Click the "Add Application" button.
      7. Enter Application Name -> Retina
      a. Check "Mark trusted for IPS"
b. Check "Mark trusted for firewall"
c. Enter the path to the executable. Add each of the following. Note: enter the correct drive letter, C or D (C is used in this example).
        C:\Program Files\eEye Digital Security\Retina 5\Retina.exe
        C:\Program Files\eEye Digital Security\Retina 5\Scanner\RetinaEngine.exe
        C:\Program Files\eEye Digital Security\Retina 5\Scanner\Scanner.exe
      8. Click OK and save the policy.
      9. Assign this new policy to the container.

      C. Firewall Rules
      1. In the system tree select the container which contains assets to be scanned by the Retina Scanner.
2. Select the Assigned Policies tab.
      3. Change the Product drop down to Host Intrusion Prevention 8.0.0: Firewall.
      4. Click on the currently assigned Firewall Rules Policy
      5. Duplicate the policy and give the policy a name.
      6. Click Add Rule.
      a. Action -> Allow
      b. Enter a name for the rule
      c. Direction -> In/Out
      d. Network Protocol -> IP
      e. Remote Address -> Single; Enter the IP address of the Retina Scanner
      f. Local Service -> Leave Blank
      g. Remote Service -> Leave Blank
h. ** Suggestion ** Use a rule schedule if Retina scans are scheduled for certain days/times. This adds an extra layer of security.
7. Ensure that this rule is above any rules that would block this traffic.
      8. Save the Firewall rule.
      9. Assign this new policy to the container. (Or the top of the tree if only one policy is used)


      The policy modification steps would need to be performed at every level in the system tree where inheritance had been broken and a different policy applied.

There is the possibility that other site HIPS policies could block the Retina Scanner. Review the HIPS events for an asset that indicate the Retina scanner has been blocked. The event will indicate which product is blocking Retina (e.g., VirusScan).

      Scott Culbertson
      Cyber Security Specialist
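As an added illustration (not part of the original post and not McAfee's code), here is a small Python model of first-match firewall rule evaluation, which is the behaviour the ordering advice in step 7 implies. It shows that an allow rule placed below a broad block rule never fires, gives a check that finds such shadowing before the policy is pushed, and shows what the rule-schedule suggestion in step h buys you. The scanner address 10.0.5.20, the Saturday scan window and the sample packets are constructed assumptions for the example; the matching logic is a simplified model, not HIPS behaviour verified against the product.

```python
"""Constructed model of first-match firewall rule evaluation (not McAfee HIPS code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                                # "Allow" or "Block"
    remote: str                                # single IP, CIDR, or "any"
    direction: str = "In/Out"                  # "In", "Out" or "In/Out"
    protocol: str = "IP"                       # "IP" = any transport, else "TCP"/"UDP"
    local_ports: Optional[Set[int]] = None     # None = left blank = any port
    remote_ports: Optional[Set[int]] = None
    # (weekdays Mon=0..Sun=6, start_hour, end_hour); None = always active
    schedule: Optional[Tuple[Set[int], int, int]] = None

    def remote_net(self):
        return ip_network("0.0.0.0/0") if self.remote == "any" else ip_network(self.remote, strict=False)

    def active_at(self, now: datetime) -> bool:
        if self.schedule is None:
            return True
        days, start, end = self.schedule
        return now.weekday() in days and start <= now.hour < end

    def matches(self, pkt: "Packet", now: datetime) -> bool:
        if not self.active_at(now):
            return False
        if self.direction != "In/Out" and self.direction != pkt.direction:
            return False
        if self.protocol != "IP" and self.protocol != pkt.protocol:
            return False
        if ip_address(pkt.remote_ip) not in self.remote_net():
            return False
        if self.local_ports is not None and pkt.local_port not in self.local_ports:
            return False
        if self.remote_ports is not None and pkt.remote_port not in self.remote_ports:
            return False
        return True


@dataclass
class Packet:
    remote_ip: str
    direction: str       # "In" or "Out" from the endpoint's point of view
    protocol: str        # "TCP", "UDP", ...
    local_port: int = 0
    remote_port: int = 0


def evaluate(rules: List[Rule], pkt: Packet, now: datetime) -> Tuple[str, str]:
    """First match wins. Traffic matching no rule falls to the implicit default, modelled as Block."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.action, rule.name
    return "Block", "<default>"


def shadowing_rules(rules: List[Rule], target: str) -> List[str]:
    """Block rules placed above `target` that cover its remote address, direction and protocol.
    Any hit means the allow rule can never fire (the situation step 7 tells you to avoid)."""
    idx = next(i for i, r in enumerate(rules) if r.name == target)
    t = rules[idx]
    hits = []
    for r in rules[:idx]:
        if r.action != "Block":
            continue
        same_dir = "In/Out" in (r.direction, t.direction) or r.direction == t.direction
        same_proto = "IP" in (r.protocol, t.protocol) or r.protocol == t.protocol
        if same_dir and same_proto and t.remote_net().subnet_of(r.remote_net()):
            hits.append(r.name)
    return hits


# --- constructed sample data ---
SCANNER_IP = "10.0.5.20"                       # assumed address of the Retina scanner
retina_allow = Rule("Allow Retina scanner", "Allow", SCANNER_IP,
                    schedule=({5}, 0, 6))      # scan window: Saturdays 00:00-06:00
block_inbound = Rule("Block all inbound", "Block", "any", direction="In")

WRONG_ORDER = [block_inbound, retina_allow]    # allow rule sits below the block
RIGHT_ORDER = [retina_allow, block_inbound]    # allow rule sits above, as step 7 requires

scan_probe = Packet(SCANNER_IP, "In", "TCP", local_port=445, remote_port=51000)
other_host = Packet("10.0.9.9", "In", "TCP", local_port=445, remote_port=40000)
IN_WINDOW = datetime(2015, 1, 31, 2, 0)        # a Saturday, 02:00
OFF_WINDOW = datetime(2015, 2, 3, 14, 0)       # a Tuesday, 14:00

if __name__ == "__main__":
    print(evaluate(WRONG_ORDER, scan_probe, IN_WINDOW))
    print(shadowing_rules(WRONG_ORDER, "Allow Retina scanner"))
    print(evaluate(RIGHT_ORDER, scan_probe, IN_WINDOW))
    print(evaluate(RIGHT_ORDER, scan_probe, OFF_WINDOW))
    print(evaluate(RIGHT_ORDER, other_host, IN_WINDOW))
```

With the allow rule below the block, the scanner's probe is blocked even inside the scan window and `shadowing_rules` names the culprit; with the order corrected, the probe is allowed on Saturday night and blocked on Tuesday afternoon, while a packet from any other host is blocked regardless of time.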

        • 1. Re: HIPS Tuning Guide - Making HIPS work
          fitchsoccer342

Not trying to knock your post or anything, but this is really only a guide on how to add a program as a trusted application/network. I wouldn't advise this as a "tuning guide" because when you do this it basically ignores the IPS signatures and firewall rules for the associated processes. This is only needed in really specific situations and is not to be done as general tuning.


I understand Retina; being DoD, I know the requirements behind it. But you still don't need to make Retina a trusted application, only within the trusted networks for the scanning.

          • 2. Re: HIPS Tuning Guide - Making HIPS work
            tauhs

It is an old doc. I believe at that time, when I tried to give Retina access to the network, this was the fix for it. Got a whole new doc now for ACAS.


This is more of an understanding of placing the right info in not just the signature line, but of looking at Trusted Applications, Trusted Networks, and Firewall rules when troubleshooting HIPS issues.


            A. Trusted Networks

            1. In the system tree select the container which contains assets to be scanned by the Retina Scanner.

2. Select the Assigned Policies tab.

            3. Change the Product drop down to Host Intrusion Prevention 8.0.0: General.

            4. Click on the currently assigned Trusted Networks Policy

            5. Duplicate the policy and give the policy a name.

            6. Uncheck "include local subnet automatically".

            7. Enter the IP address of the Retina Scanner.

            8. Check "Trust for network IPS" - I should have said the following - (Only check IPS when scanning, then turn IPS bypass off)