1 Reply Latest reply on Apr 21, 2015 6:15 AM by akucyn

    Internet Connectivity lost on installing ndis filter in presence of HIPS 8.0

    raja123

      Hi,

      We are planning to develop and deploy an NDIS filter driver using the sample [Windows NDIS 6.0 Filter Driver sample in C++ for Visual Studio 2013]. As soon as I install this NDIS filter driver, internet connectivity is lost, and I get an activity log entry on HIPS reading "Block All Traffic". The only way to restore internet connectivity is a reboot, or to disconnect and reconnect the LAN cable.

      This issue happens only in the presence of HIPS 8.0; after uninstalling HIPS 8.0 the issue is not reproduced.


      Sample HIPS Activity Log:

      McAfee Host Intrusion Prevention Log
      Thursday, April 16, 2015 7:56:52 PM

      Time: 4/16/2015 7:56:49 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:46 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:46 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)
      Matched Rule: Block Untrusted NetBIOS

      Time: 4/16/2015 7:56:45 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:44 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:43 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming UDP -  Source 10.***.***.*** : bootpc (68)  Destination 255.255.255.255 : bootps (67)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:41 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-dgm (138)  Destination 10.***.***.*** : netbios-dgm (138)
      Matched Rule: Block Untrusted NetBIOS

      Time: 4/16/2015 7:56:36 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58833)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:36 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58832)
      Matched Rule: Block All Traffic

      Time: 4/16/2015 7:56:22 PM
      Event: Traffic
      IP Address/User: 10.***.***.***
      Message: Allowed Outgoing UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)
      Matched Rule: Block Untrusted NetBIOS

      Time: 4/16/2015 7:56:21 PM
      Event: Traffic
      IP Address/User: 224.0.0.252
      Message: Blocked Outgoing UDP -  Source 10.***.***.*** :  (59910)  Destination 224.0.0.252 :  (5355)
      Matched Rule: Block All Traffic

       

       

      I am not able to decode the exact meaning of the HIPS log.

      Please provide any suggestions to resolve this issue.
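The HIPS 8 activity log quoted in the post is a sequence of five-line "Traffic" records; reading it by hand is tedious, so here is an added example (editor's code, not from the original post and not McAfee's) that parses those records and summarises them. The embedded sample log is constructed from five of the entries quoted above, with the addresses left masked exactly as posted. The only assumption is the ephemeral-port threshold: Windows Vista and later allocate client ports from 49152 upward, so an inbound packet from a service port to a port at or above 49152 is treated as the reply half of a connection this host opened.

```python
"""Parse McAfee HIPS 8 'Traffic' activity-log records and summarise them.

Added example: parses the five-line records shown in the forum post and
flags blocked inbound packets that look like replies to connections the
host itself initiated (the 443 -> 58833 and 5061 -> 58711 entries).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: five entries copied in the shape of the posted log,
# addresses left masked as in the post.
SAMPLE_LOG = """McAfee Host Intrusion Prevention Log
Thursday, April 16, 2015 7:56:52 PM

Time: 4/16/2015 7:56:49 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Blocked Incoming TCP -  Source 10.***.***.*** :  (5061)  Destination 10.***.***.*** :  (58711)
Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:46 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Allowed Incoming UDP -  Source 10.***.***.*** : netbios-ns (137)  Destination 10.***.***.*** : netbios-ns (137)
Matched Rule: Block Untrusted NetBIOS

Time: 4/16/2015 7:56:43 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Blocked Incoming UDP -  Source 10.***.***.*** : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:36 PM
Event: Traffic
IP Address/User: 10.***.***.***
Message: Blocked Incoming TCP -  Source 10.***.***.*** : https (443)  Destination 10.***.***.*** :  (58833)
Matched Rule: Block All Traffic

Time: 4/16/2015 7:56:21 PM
Event: Traffic
IP Address/User: 224.0.0.252
Message: Blocked Outgoing UDP -  Source 10.***.***.*** :  (59910)  Destination 224.0.0.252 :  (5355)
Matched Rule: Block All Traffic
"""

# "Blocked Incoming TCP -  Source A : name (port)  Destination B : name (port)";
# the service name before the parenthesised port is optional.
MESSAGE_RE = re.compile(
    r"(?P<action>Blocked|Allowed) (?P<direction>Incoming|Outgoing) (?P<proto>TCP|UDP) -\s+"
    r"Source (?P<src>\S+) :\s*(?:(?P<src_name>[\w-]+) )?\((?P<sport>\d+)\)\s+"
    r"Destination (?P<dst>\S+) :\s*(?:(?P<dst_name>[\w-]+) )?\((?P<dport>\d+)\)"
)

# Assumption: default Windows dynamic (ephemeral) port range starts at 49152.
EPHEMERAL_START = 49152


@dataclass
class TrafficEvent:
    time: str
    action: str       # Blocked / Allowed
    direction: str    # Incoming / Outgoing
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    rule: str

    def is_reply_to_outbound(self) -> bool:
        """Inbound packet from a service port to one of our ephemeral ports:
        the return half of a connection this host opened."""
        return (self.direction == "Incoming"
                and self.dport >= EPHEMERAL_START
                and self.sport < EPHEMERAL_START)


def parse_hips_log(text: str) -> List[TrafficEvent]:
    """Walk the log line by line; a record starts at 'Time:' and is complete
    at 'Matched Rule:'. Lines that are not key/value pairs are ignored."""
    events: List[TrafficEvent] = []
    current: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Time":
            current = {"time": value}
        elif key == "Message":
            match = MESSAGE_RE.match(value)
            if match:
                current["msg"] = match.groupdict()
        elif key == "Matched Rule" and current.get("msg"):
            m = current["msg"]
            events.append(TrafficEvent(
                time=current["time"], action=m["action"], direction=m["direction"],
                proto=m["proto"], src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]), rule=value))
            current = {}
    return events


def summarise(events: List[TrafficEvent]) -> Dict[Tuple[str, str], int]:
    """Count records per (action, matched rule) pair."""
    return Counter((e.action, e.rule) for e in events)


def blocked_replies(events: List[TrafficEvent]) -> List[TrafficEvent]:
    """Blocked inbound packets that are replies to the host's own connections."""
    return [e for e in events if e.action == "Blocked" and e.is_reply_to_outbound()]


if __name__ == "__main__":
    evs = parse_hips_log(SAMPLE_LOG)
    for (action, rule), n in sorted(summarise(evs).items()):
        print(f"{n:3d}  {action:8s} {rule}")
    for e in blocked_replies(evs):
        print(f"reply to outbound {e.proto} blocked: {e.src}:{e.sport} -> {e.dst}:{e.dport} ({e.rule})")
```

Run against the sample, the summary shows four records blocked by "Block All Traffic" and one allowed under "Block Untrusted NetBIOS", and two of the blocked records (source port 443 and source port 5061, both to local ports above 49152) are replies to connections the host opened. That is the practical reading of the quoted log: the host's own outbound HTTPS and SIP-TLS sessions are being answered, and the answers are hitting the catch-all rule, which is consistent with connectivity dropping until the adapter is reset.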

        • 1. Re: Internet Connectivity lost on installing ndis filter in presence of HIPS 8.0

          Hey Raja,

          From your thread it appears you want to "deploy/develop an NDIS filter driver"? So this is more of a developer question than a typical user question.

          I don't know much about developing NDIS filters; however, HIPS is sensitive to other NDIS filters and might detect your driver as an intrusion, or simply something is wrong. Please make sure that your new filter is not taking a higher place than the HIPS NDIS driver, i.e. here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network.

          Hope this helps.