0 Replies Latest reply on Oct 11, 2015 12:03 PM by nexact

    HIPS activity log is (sometimes) showing blocked incoming data before the incoming connection is fully established

    nexact

      Hello,

       

      I've been experiencing a weird problem with the log generated by McAfee HIPS. I wrote a quick Python script that performs 100 requests to a website and, for some reason that I don't understand, I see "blocked incoming traffic" even if the connection is not yet established!

      I've uninstalled the Microsoft QoS driver from the wireless card just in case it was interfering with the packet order, and fired up Wireshark to see if my script was doing anything weird, but all requests are made exactly the same way.

       

      I'm using McAfee HIPS 8.0.0.6661 build 2919.

       

      Any ideas why it's causing this? Is there a patch available?

       

      Is it a false positive? It looks like it is; the data is received even though it's written as blocked.

       

      Additional information:

      1. The script I've used to produce this bug

      2. A screenshot from my activity log (look at the blocked incoming data)

      3. The raw log file McAfeeFireLog6.txt

       

      EDIT (additional information)

      The problem seems to be similar to this one: HIPS firewall blocks incoming UDP 53 and 389 on Windows 8.1

      However, it looks like it covers all ports and protocols no matter which interface is being used...

      I've tested HTTPS too, and I'm working on a proof of concept for UDP (DNS, LDAP).


      EDIT 2 (additional information)

      McAfee HIPS on Windows 8 is randomly sending spurious packets even after a FIN, ACK has been sent by the client.

      Wireshark capture screenshot of one of the occurrences that happened

       

      Thanks
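The script and the raw log attached to the post are not reproduced on this page, so the following is an added example (not the poster's script and not McAfee code) of how one would reproduce the request pattern and then check firewall-log entries against it. It opens N sequential TCP connections to a local listener (so it runs offline), records for each one the client's ephemeral port plus the wall-clock instants just after connect() returned and just after close() sent the FIN, and then flags any "blocked incoming" log event whose timestamp falls outside the window of the connection on that port. The `LogEvent` layout (timestamp, direction, action, local port) is an assumption standing in for whatever fields the real McAfeeFireLog6.txt carries; the sample events used in the demo are constructed, not taken from the log.

```python
"""Reproduce N sequential HTTP-style requests against a local listener and
correlate firewall-log events with the observed connection windows.

Added example for illustration; the LogEvent field layout is an assumption,
not the real HIPS log format.
"""
import socket
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ConnWindow:
    local_port: int   # client-side ephemeral port of this connection
    t_open: float     # time.time() right after connect() returned (handshake done)
    t_close: float    # time.time() right after close() (client FIN sent)


@dataclass
class LogEvent:
    time: float       # wall-clock timestamp of the firewall log line
    direction: str    # "In" or "Out"
    action: str       # "Blocked" or "Allowed"
    local_port: int   # local port the event refers to


def _serve(listener: socket.socket, count: int) -> None:
    """Minimal server: answer exactly `count` connections, one at a time."""
    for _ in range(count):
        conn, _ = listener.accept()
        with conn:
            conn.recv(1024)  # read the request (any bytes are fine here)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        # leaving the `with` block closes the server side of the connection


def run_requests(count: int, host: str = "127.0.0.1") -> List[ConnWindow]:
    """Make `count` sequential requests and return one window per connection."""
    listener = socket.socket()
    listener.bind((host, 0))          # port 0: let the kernel pick a free port
    listener.listen(count)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve, args=(listener, count), daemon=True)
    server.start()

    windows: List[ConnWindow] = []
    for _ in range(count):
        s = socket.create_connection((host, port))
        t_open = time.time()          # handshake complete from the client's view
        s.sendall(b"GET / HTTP/1.0\r\nHost: %b\r\n\r\n" % host.encode())
        while s.recv(4096):           # drain until the server closes
            pass
        local_port = s.getsockname()[1]
        s.close()                     # client FIN goes out here
        windows.append(ConnWindow(local_port, t_open, time.time()))

    server.join()
    listener.close()
    return windows


def out_of_window_blocks(windows: List[ConnWindow], events: List[LogEvent],
                         slack: float = 0.0) -> List[Tuple[LogEvent, str]]:
    """Return blocked inbound events not covered by any connection window on
    the same local port, with a reason.  `slack` tolerates clock skew between
    the script's timestamps and the firewall log's."""
    by_port: Dict[int, List[ConnWindow]] = {}
    for w in windows:
        by_port.setdefault(w.local_port, []).append(w)

    suspicious: List[Tuple[LogEvent, str]] = []
    for ev in events:
        if ev.direction != "In" or ev.action != "Blocked":
            continue
        wins = by_port.get(ev.local_port)
        if not wins:
            suspicious.append((ev, "no connection on this port"))
        elif any(w.t_open - slack <= ev.time <= w.t_close + slack for w in wins):
            continue                  # blocked while established: a normal drop
        elif all(ev.time < w.t_open - slack for w in wins):
            suspicious.append((ev, "before connection established"))
        else:
            suspicious.append((ev, "after client FIN"))
    return suspicious


if __name__ == "__main__":
    wins = run_requests(100)
    # Constructed sample events for the demo (not real HIPS log lines):
    first = wins[0]
    sample = [
        LogEvent(first.t_open + 0.001, "In", "Blocked", first.local_port),  # inside
        LogEvent(first.t_open - 0.050, "In", "Blocked", first.local_port),  # before SYN/ACK
        LogEvent(first.t_close + 0.050, "In", "Blocked", first.local_port), # after FIN
    ]
    for ev, why in out_of_window_blocks(wins, sample):
        print(f"port {ev.local_port} at {ev.time:.3f}: {why}")
```

In a real check you would parse the HIPS log into `LogEvent` records instead of the constructed sample, and set `slack` to a few milliseconds unless both timestamps come from the same clock. An entry reported as "before connection established" on a port whose window you recorded is exactly the pattern described in the post; "after client FIN" matches the second edit.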