7 Replies Latest reply on Mar 9, 2016 2:11 PM by McDuff

    McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events

    McDuff

      Hello

       

      I'm noticing a number of HIPS IPS Events that are being trigged by a component of the McAfee Agent.  Has anyone noticed this before? 

       

      Host IPS Event Description:  C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE running with the privileges of user NT AUTHORITY\SYSTEM on the system with Agent XXXXXX attempted to perform the following operation(s) on the registry value \REGISTRY\MACHINE\SOFTWARE\MCAFEE\HIP\CONFIG\TRUSTEDAPP\213:create

       

      Source Process Name:  C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE


      Threat Event ID:  18000

       

      Threat Name:  1002


      Looks like the solution would be to add the McAfee signed files to the exclusions as per McAfee KnowledgeBase - How to obtain executable information for Host Intrusion Prevention 8.0 using the ClientControl.ex… but I'm wondering why by default HIPS wouldn't automatically exclude McAfee signed files?  Am I missing something?