McDuff
Level 11
Message 1 of 8

McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


Hello

I'm noticing a number of HIPS IPS Events that are being triggered by a component of the McAfee Agent.  Has anyone noticed this before?

 

Host IPS Event Description:  C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE running with the privileges of user NT AUTHORITY\SYSTEM on the system with Agent XXXXXX attempted to perform the following operation(s) on the registry value \REGISTRY\MACHINE\SOFTWARE\MCAFEE\HIP\CONFIG\TRUSTEDAPP\213:create

Source Process Name:  C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE


Threat Event ID:  18000

 

Threat Name:  1002


Looks like the solution would be to add the McAfee signed files to the exclusions as per McAfee KnowledgeBase - How to obtain executable information for Host Intrusion Prevention 8.0 using ... but I'm wondering why by default HIPS wouldn't automatically exclude McAfee signed files?  Am I missing something?

 

 

 


7 Replies
ktankink
McAfee Employee
Message 2 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


1. IPS Logging should not be enabled for self-protection signatures (Windows signatures 1000-1003).  They are not meant to be included with normal IPS event tuning (why logging is disabled by default) and can be very noisy.

2. Ensure you have the McAfee Default IPS Rules & Trusted Applications policy assigned to your clients, along with any custom policies.

PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide, page 38

FAQ — Multiple-instance policies

Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies.

The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.


 


 


 


McDuff
Level 11
Message 3 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


Thanks for that, appreciate it.  Just a couple of days ago we were wondering why there were multiple policies, that makes sense to know that the default policy is how content is updated.  What's interesting is that on this particular system, McAfee Default is assigned, and I do see that McAfee Common Framework is a trusted app, so it's odd that it's triggering this event:

The McAfee Agent exclusion on the default policy looks like this

And this is the information I got from the exe on the client, they look identical.

Signer = CN="McAfee, Inc.", OU=Engineering, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="McAfee, Inc.", L=Santa Clara, S=Oregon, C=US

Description = NAI Product Manager

Hash = 0x915858F90E68EB58C5DDD1148E7A5FED

ktankink
McAfee Employee
Message 4 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


Trusted Application rules do not apply to certain signatures.

KB71704 - Host Intrusion Prevention Trusted Applications defined


McDuff
Level 11
Message 5 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


Yes, you're right, McAfee KnowledgeBase - Explanation of the Host Intrusion Prevention Trusted Applications dialog box

NOTE: The following signatures will be triggered regardless of whether an application is Trusted for IPS or not: 428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137.

McDuff
Level 11
Message 6 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


Further to this, I see that our default and custom policies do have logging on signature 1002 disabled, so it is strange indeed that these HIPS events are popping up.  When I look at HIPS reporting, I see that this event has only happened on 44 systems within the last 3 months.

ktankink
McAfee Employee
Message 7 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


I would check those systems for some type of policy issue.  If they are firing and triggering events to the ePO server, then those signatures are enabled locally and should not be.  Common causes are policy enforcement issues, policy assignment rule issues (e.g., different policies being assigned when tagged/not tagged), or different policies assigned than what you think are.

McDuff
Level 11
Message 8 of 8

Re: McAfee Products like NAPRDMGR.EXE Triggering HIPS IPS Events


I'm just noticing that the events seem to correlate with the HIPS signature updates.  Looking at one PC I see it updated its signature at 10:14, and then less than a minute later, the event was triggered.  Very odd.
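
A triage sketch for the pattern discussed across this thread, added here as an example and not code from McAfee, ePO or any poster: it tags events from the signatures message 5 lists as ignoring Trusted Applications, events from the self-protection range named in message 2, and events that fire shortly after a content update on the same host (message 8). The record layout, host names, dates, signature 9999 and the 120-second window are constructed assumptions, not an ePO export format.

```python
from datetime import datetime, timedelta

# Signature IDs quoted in message 5 as firing regardless of Trusted Application rules.
TRUST_EXEMPT = {428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137}
# Self-protection signatures (1000-1003) that message 2 says should not be logged.
SELF_PROTECTION = set(range(1000, 1004))

NAPRDMGR = r"C:\PROGRAM FILES\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE"
# Constructed sample records: (host, time, signature ID, source process).
# Hosts, dates and signature 9999 are placeholders, not real event data.
EVENTS = [
    ("PC-001", "2000-01-03 10:14:41", 1002, NAPRDMGR),
    ("PC-001", "2000-01-03 15:30:00", 9999, r"C:\TOOLS\EXAMPLE.EXE"),
    ("PC-002", "2000-01-04 09:00:10", 1002, NAPRDMGR),
]
CONTENT_UPDATES = [("PC-001", "2000-01-03 10:14:00")]  # constructed

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def triage(events, updates, window=timedelta(seconds=120)):
    """Tag each event with the reasons it deserves a policy review."""
    updates_by_host = {}
    for host, when in updates:
        updates_by_host.setdefault(host, []).append(_ts(when))
    findings = []
    for host, when, sig, process in events:
        fired = _ts(when)
        tags = []
        if sig in TRUST_EXEMPT:
            tags.append("trusted-app-rules-ignored")
        if sig in SELF_PROTECTION:
            tags.append("self-protection-logged")
        if any(timedelta(0) <= fired - u <= window
               for u in updates_by_host.get(host, [])):
            tags.append("follows-content-update")
        if tags:
            findings.append({"host": host, "signature": sig,
                             "process": process, "tags": tags})
    return findings

def hosts_to_review(findings):
    """Hosts logging self-protection events: candidates for the policy check in message 7."""
    return sorted({f["host"] for f in findings
                   if "self-protection-logged" in f["tags"]})

if __name__ == "__main__":
    for finding in triage(EVENTS, CONTENT_UPDATES):
        print(finding)
    print("review policy on:", hosts_to_review(triage(EVENTS, CONTENT_UPDATES)))
```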
