4 Replies Latest reply on Feb 9, 2017 7:42 AM by albertop

    Event ID 18007, Threat Name 6065

    ittech

      Hey everyone! I've been getting a few of these the past couple of weeks.

      Event Category:Network intrusion detected
      Event ID:18007
      Threat Severity:Information
      Threat Name:6065

      Coming from an IPv6 address of :: (or 0::0 or all zeros, if you prefer).

      I've read McAfee KnowledgeBase - Host IPS 8.0 Patch 6 for Windows: Policy failover feature and while the Event and Threats are the same number, it mentions different Event Categories.

      Specifically these:

      McAfee Agent delivered an invalid policy.
      McAfee Agent delivered a correct policy.
      McAfee Host Intrusion Prevention failed to read policy from registry.
      McAfee Host Intrusion Prevention successfully read policy from registry.

      Has anyone else seen this or have any clues as to how I can figure out what is triggering it?

        • 1. Re: Event ID 18007, Threat Name 6065
          Kary Tankink

          This is an ePO or Agent issue with bad HIPS policies.  The Agent is delivering a bad policy to HIPS, and when HIPS detects this it prevents the bad policy from being applied (if running HIPS 8 P6 client or higher; P5 and lower clients may apply the bad policy, causing problems).  This is a preventative issue in HIPS and HIPS is not the cause of the issue.  You would need to troubleshoot the ePO Server/Agent Handler/McAfee Agent issue.

          Related KBs:

          KB84505 - Either the client-side default firewall policy or an incomplete set of firewall rules are enforced on Host IPS clients

          • 2. Re: Event ID 18007, Threat Name 6065
            Moe Hassan

            We recently upgraded some clients to Hips 8, p7 with MA 503. We are seeing quite few systems with hip.reaction.permit action. Policies have not been modified in a while and we were NOT seeing this prior to patch 7 upgrade. Sample alert below.

            Event description: Policy Load Status

            System Information [source]: name:  || IP:  || User:

            System Information [target]: name: JOHN-DOE  || IP: 1.2.3.4 || User:

            Threat name: 6065

            Action taken: hip.reaction.permit

            Threat handled: False

            Detecting Product: name: McAfee Host Intrusion Prevention || product version: 8.0.0 || DAT version:

            Detection time: 06/03/16 18:20:08 UTC

            File location:

            I have read https://kc.mcafee.com/corporate/index?page=content&id=KB85187

            We are actually seeing "McAfee Agent delivered an invalid policy" status on a few systems. Interestingly, the same system would correct itself after a few minutes with a "McAfee Agent delivered a correct policy" status. This cycle continues randomly and we are receiving tons of email alerts for the blocked action. These systems are with HIPS p7. Firewall is disabled.
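
Added example (not part of the original posts and not McAfee code): one way to triage the alert flood described above is to parse alerts in the quoted field layout and list the hosts that raise Threat name 6065 repeatedly, since those are the agents to troubleshoot first. The month/day/year reading of the timestamp, the 15-minute window, the threshold of 3 and the function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hosts, IPs, times are made up); field names
# are the ones in the alert quoted in the post above.
ALERT_TEMPLATE = (
    "Event description: Policy Load Status\n"
    "System Information [target]: name: {host}  || IP: 192.0.2.10 || User:\n"
    "Threat name: 6065\n"
    "Detection time: 06/03/16 {time} UTC\n")
SAMPLE_ALERTS = "\n".join(ALERT_TEMPLATE.format(host=h, time=t) for h, t in [
    ("HOST-A", "18:20:08"), ("HOST-B", "18:21:30"),
    ("HOST-A", "18:24:41"), ("HOST-A", "18:29:02")])

def parse_alerts(text):
    """Return (host, detection time) for each Threat name 6065 alert."""
    alerts, current = [], None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Event description":   # first field starts a new alert
            current = {}
            alerts.append(current)
        if not sep or current is None:
            continue
        if key == "System Information [target]":
            # value looks like "name: HOST  || IP: 1.2.3.4 || User:"
            current["host"] = value.split("||")[0].partition(":")[2].strip()
        elif key == "Detection time":
            # Assumption: the timestamp is month/day/year.
            current["time"] = datetime.strptime(value, "%m/%d/%y %H:%M:%S UTC")
        else:
            current[key] = value
    return [(a["host"], a["time"]) for a in alerts
            if a.get("Threat name") == "6065" and "host" in a and "time" in a]

def repeat_hosts(events, window=timedelta(minutes=15), threshold=3):
    """Hosts with >= threshold alerts inside one window, with their totals."""
    by_host = defaultdict(list)
    for host, when in sorted(events, key=lambda e: e[1]):
        by_host[host].append(when)
    return {host: len(times) for host, times in by_host.items()
            if any(times[i + threshold - 1] - times[i] <= window
                   for i in range(len(times) - threshold + 1))}

if __name__ == "__main__":
    print(repeat_hosts(parse_alerts(SAMPLE_ALERTS)))
```
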

            • 3. Re: Event ID 18007, Threat Name 6065
              jcorradin

              Hi Moe,

              Did you resolve this?  If so, how so?

              • 4. Re: Event ID 18007, Threat Name 6065
                albertop

                Has anyone closed the issue relating to Event ID 18007, Threat Name 6065?

                Best Regards

                Alberto