This is an ePO or Agent issue with bad HIPS policies. The Agent is delivering a bad policy to HIPS, and when HIPS detects this it prevents the bad policy from being applied (if running a HIPS 8 P6 client or higher; P5 and lower clients may apply the bad policy, causing problems). This is a preventative issue in HIPS and HIPS is not the cause of the issue. You would need to troubleshoot the ePO Server/Agent Handler/McAfee Agent issue.
KB84505 - Either the client-side default firewall policy or an incomplete set of firewall rules are enforced on Host IPS clients
We recently upgraded some clients to HIPS 8, P7 with MA 503. We are seeing quite a few systems with the hip.reaction.permit action. Policies have not been modified in a while and we were NOT seeing this prior to the patch 7 upgrade. Sample alert below.
Event description: Policy Load Status
System Information [source]: name: || IP: || User:
System Information [target]: name: JOHN-DOE || IP: 220.127.116.11 || User:
Threat name: 6065
Action taken: hip.reaction.permit
Threat handled: False
Detecting Product: name: McAfee Host Intrusion Prevention || product version: 8.0.0 || DAT version:
Detection time: 06/03/16 18:20:08 UTC
We are actually seeing a "McAfee Agent delivered an invalid policy" status on a few systems. Interestingly, the same system would correct itself after a few minutes with a "McAfee Agent delivered a correct policy" status. This cycle continues randomly and we are receiving tons of email alerts for the blocked action. These systems are on HIPS P7. Firewall is disabled.
Did you resolve this? If so, how so?