1. IPS logging should not be enabled for self-protection signatures (Windows signatures 1000-1003). They are not meant to be included with normal IPS event tuning (which is why logging is disabled by default) and can be very noisy.
2. Ensure you have the McAfee Default IPS Rules & Trusted Applications policy assigned to your clients, along with any custom policies.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
FAQ — Multiple-instance policies
Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies.

The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.
Thanks for that, appreciate it. Just a couple of days ago we were wondering why there were multiple policies; it makes sense to know that the default policy is how content is updated. What's interesting is that on this particular system, McAfee Default is assigned, and I do see that McAfee Common Framework is a trusted app, so it's odd that it's triggering this event:
The McAfee Agent exclusion on the default policy looks like this:
And this is the information I got from the exe on the client; they look identical.
Signer = CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US
Description = NAI Product Manager
Hash = 0x915858F90E68EB58C5DDD1148E7A5FED
NOTE: The following signatures will be triggered regardless of whether an application is Trusted for IPS or not: 428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137.
Further to this, ktankink, I see that our default and custom policies do have logging on signature 1002 disabled, so it is strange indeed that these HIPS events are popping up. When I look at HIPS reporting, I see that this event has only happened on 44 systems within the last 3 months.
I would check those systems for some type of policy issue. If they are firing and triggering events to the ePO server, then those signatures are enabled locally and should not be. Common causes are policy enforcement issues, policy assignment rule issues (e.g., different policies being assigned when tagged/not tagged), or different policies being assigned than you think.
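To make the "union of all instances" rule from the quoted product guide, the list of signatures in the NOTE that fire regardless of Trusted status, and the troubleshooting advice above concrete, here is a small model of how an effective IPS Rules policy is built from several assigned instances and why a trusted application can still produce a logged signature 1002 event. This is an added illustration written for this thread, not McAfee code or an exact reproduction of the HIPS merge engine: the exact merge semantics for conflicting per-signature settings are an assumption (a signature counts as enabled, and logged, if any assigned instance enables or logs it), the policy names, the "3001" signature ID, the signer string and the hash value are constructed sample data, and matching a Trusted Application purely on signer plus hash is a simplification of the fields shown in the thread.

```python
"""Model of HIPS 8.0 multiple-instance IPS Rules / Trusted Applications policies.

Added illustration for this thread; not McAfee code. Merge semantics and all
sample data below are assumptions/constructed values (see comments).
"""
from dataclasses import dataclass
from typing import Dict, List

# From the NOTE quoted in this thread: these signatures fire even when the
# application is Trusted for IPS.
ALWAYS_FIRE = {428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137}


@dataclass(frozen=True)
class SigSetting:
    enabled: bool
    log: bool


@dataclass
class IpsRulesInstance:
    """One assigned instance of the multiple-instance IPS Rules policy."""
    name: str
    signatures: Dict[int, SigSetting]


@dataclass(frozen=True)
class TrustedApp:
    """One Trusted Applications entry (simplified to signer DN + file hash)."""
    signer: str
    file_hash: str


def effective_policy(instances: List[IpsRulesInstance]) -> Dict[int, SigSetting]:
    """Union of all assigned instances ("effective policy" in the product guide).

    ASSUMPTION: a signature is enabled/logged in the effective policy if ANY
    instance enables/logs it. The page only says "union"; this is one reading.
    """
    eff: Dict[int, SigSetting] = {}
    for inst in instances:
        for sid, s in inst.signatures.items():
            cur = eff.get(sid, SigSetting(False, False))
            eff[sid] = SigSetting(cur.enabled or s.enabled, cur.log or s.log)
    return eff


def is_trusted(trusted: List[TrustedApp], signer: str, file_hash: str) -> bool:
    """Does the executable's signer + hash match any Trusted Applications entry?"""
    return any(t.signer == signer and t.file_hash == file_hash for t in trusted)


def would_log_event(eff: Dict[int, SigSetting], sig_id: int, app_trusted: bool) -> bool:
    """Would this signature produce a logged event for this application?"""
    s = eff.get(sig_id)
    if s is None or not (s.enabled and s.log):
        return False          # disabled, or logging off, in the effective policy
    if app_trusted and sig_id not in ALWAYS_FIRE:
        return False          # trust suppresses it, unless it is in the NOTE's list
    return True


def instances_enabling_log(instances: List[IpsRulesInstance], sig_id: int) -> List[str]:
    """Which assigned instance(s) turned logging on: the thing to check on a
    client that reports events you believe are disabled."""
    return [i.name for i in instances
            if i.signatures.get(sig_id, SigSetting(False, False)).log]


# ---- constructed sample data (not real ePO policies) -----------------------
DEFAULT = IpsRulesInstance("McAfee Default", {
    1002: SigSetting(enabled=True, log=False),   # self-protection, logging off
    3001: SigSetting(enabled=True, log=True),    # hypothetical ordinary signature
})
CUSTOM = IpsRulesInstance("Corp Custom", {1002: SigSetting(True, False)})
# An instance assigned via a tag rule that nobody remembered; logging on.
STRAY = IpsRulesInstance("Workstations (tagged)", {1002: SigSetting(True, True)})

SAMPLE_SIGNER = 'CN="Example Vendor", O="Example Vendor", C=US'   # constructed
SAMPLE_HASH = "0x00112233445566778899AABBCCDDEEFF"                # constructed
TRUSTED = [TrustedApp(SAMPLE_SIGNER, SAMPLE_HASH)]


def main() -> None:
    trusted = is_trusted(TRUSTED, SAMPLE_SIGNER, SAMPLE_HASH)
    for label, assigned in (("expected", [DEFAULT, CUSTOM]),
                            ("with stray instance", [DEFAULT, CUSTOM, STRAY])):
        eff = effective_policy(assigned)
        print(f"{label}: sig 1002 logged for trusted app = "
              f"{would_log_event(eff, 1002, trusted)}; "
              f"logging enabled by {instances_enabling_log(assigned, 1002)}")


if __name__ == "__main__":
    main()
```

With only the expected instances assigned, the trusted executable never produces a logged 1002 event; add the forgotten tag-based instance and the union turns logging on, and because 1002 is in the NOTE's list the Trusted Applications entry does not suppress it. `instances_enabling_log` points at the instance to go looking for in the client's effective policy, which is the check suggested above.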
I'm just noticing that the events seem to correlate with the HIPS signature updates. Looking at one PC, I see it updated its signatures at 10:14, and then less than a minute later the event was triggered. Very odd.