How to apply Microsoft Windows Operating System patches when Host Intrusion Prevention 8.0 / 7.0 client is enabled in protect mode
Technical Articles ID: KB54778
Last Modified: 03/18/2011
Rated:
Last Modified: 03/18/2011
Rated:
Environment
McAfee Host Intrusion Prevention 8.0
McAfee Host Intrusion Prevention 7.0
McAfee Host Intrusion Prevention 7.0
Summary
McAfee recommends testing new operating system (OS) Service Pack (SP) installations on McAfee Host Intrusion Protection (Host IPS) clients in Log mode in a non-production test area, to monitor for any security events. After testing, create any appropriate exceptions if required. Alternatively, enable IPS in Adaptive mode, which will create an IPS exception if one is required during the Service Pack install.
Apply the appropriate exception(s) to your named policy for Host IPS before installing the operating system update in your production environment.
Apply the exceptions to the Host IPS policy before installing an OS patch or SP while the Host IPS client has IPS enabled and running in Prevent High severity reaction mode.
Apply the appropriate exception(s) to your named policy for Host IPS before installing the operating system update in your production environment.
Apply the exceptions to the Host IPS policy before installing an OS patch or SP while the Host IPS client has IPS enabled and running in Prevent High severity reaction mode.
For example, three exceptions are required for a Windows XP SP1 to SP2 upgrade when the Host IPS client is in Prevent High severity reaction mode. The exceptions are signatures 885, 850, and 3747 (this is on a workstation, additional server signatures could apply on a server).
The process for applying the exceptions should be defined as drive:\*\i386\update\update.exe
NOTE: * wildcard for the dynamically created parent folder (i.e. d:\813959b0c311cb6685d\i386\update\update.exe).
Steps to perform before applying an OS patch or Service Pack to a Host IPS client running in Prevent High severity reaction mode:
- Run an OS patch or SP on a selected test computer in Warning mode to identify any events that may be triggered.
- Create appropriate exceptions and retest to ensure no other signatures are triggered.
- Apply exceptions to production Host IPS clients before rolling out patch updates.
For Host IPS 8.0, the new option Startup IPS protection enabled may interfere with completing Service Pack updates during system restarts. If you experience this issue, disable this option prior to restarting, when applying updates.
See the Host Intrusion Prevention 8.0 Product Guide (PD22894) for details on this new feature.
Startup IPS protection enabled — Select to apply a hard-coded set of file and registry protection rules until the Host IPS service has started on the client.
Affected Products
Best Practices
Host IPS for Desktops 8.0
Host IPS for Desktops 7.0
