0 Replies Latest reply on Feb 10, 2016 6:14 AM by sivansigal

    Problem with newly-written IPS rules




      Lately I had to write several new rules (ePO version 4.6.6, HIPS version) in order to monitor different possibilities for a registry value under a certain key.

      The new rules worked well, so I disabled the old rule which generally monitored changes in the requested key's value (I needed to have different rules with different event codes - just mind that this rule was also written by me and not a default IPS rule).

      Several days later, I stopped receiving events from my newly-written rules for no reason at all, as the policy hasn't changed since I started enforcing my new set of rules.

      Not only that, but I also started to receive events from the old rule again, even though it is STILL set to be disabled.


      I couldn't find any good explanation online, nor could I resolve this problem myself...

      I would appreciate it if anyone could help me with this issue - has anyone experienced it before?
      How can I fix this and start receiving events from my new, better rules again?
      And how can I avoid running into the same problem again in the future?


      Thank you!