Host IPS is a collection of several components that protect the local system from vulnerabilities. It is possible that one component can make the whole package appear to be at fault. This article explains how to isolate the component within Host IPS that might be involved. 
 

1. Verify if IPS is disabled:
   1. Go to the IPS Policy tab.
   2. Make sure that Enable Host IPS is deselected.
   3. Make sure that Enable Network IPS is deselected.
       
2. Verify if Firewall is disabled:
   1. Go to the Firewall Policy tab.
   2. Make sure that Enable Firewall is deselected.
       
3. Clear the Blocked Hosts list:
   1. Go to the Blocked Hosts tab.
   2. Clear the list by selecting each entry and clicking Remove.
       
4. Enable Activity logging:
   1. Go to the Activity Log tab.
   2. Verify that all traffic logging and filter option checkboxes are selected.
       
5. Test the system to verify if the problem recurs:
   • If the problem still occurs, continue to step 6.
   • If the problem does not occur, go to step 1 of the "Iterative testing phase of each component" section below.
      
6. Check the following:
   1. Stop the McAfee Host IPS service and retest.
      If the problem goes away, report the issue as associated directly with the service.
   2. Uninstall the Host IPS agent from the local box and retest.
      If the problem goes away, report the issue as associated to installed files and not a specific component.

Iterative testing phase of each component

1. Test Host IPS:
   1. Go to the Activity Log tab and clear the log.
   2. Go to the IPS Policy tab.
   3. Click Enable Host IPS.
   4. Test the system to determine if the problem recurs:
      • If the problem recurs:
        1. Deselect Enable Host IPS.
        2. Retest to verify that the problem goes away.
           NOTE: If the problem goes away, Host IPS can potentially be associated with the issue.
            
        3. Save a copy of the Activity log and rename it to Host IPS Activity Log wProb.
        4. Click Enable Host IPS and verify the problem returns.
            
      • If the problem does not recur, go to step 5 to test Network IPS.
         
2. Test all IPS engines:
   1. Click Help and select Troubleshooting.
   2. Click Enable IPS Logging.
   3. Select logging for All Message Types.
   4. Select Functionality.
   5. On the HIPS Engines pop-up window, deselect Enable / Disable all engines.
   6. Click OK to close the HIPS Engines pop-up window.
   7. Click OK to close the Troubleshooting pop-up window.
   8. Test the system to determine if the problem recurs:
      • If the problem recurs, the problem is associated with the IPS component, but not the specific engines.
        1. Get the IPS Log and report that the IPS component might be the problem.
      • If the problem does not recur, the issue might be associated with a specific engine. Continue to step 3 to test each IPS engine. 
         
3. Test each IPS engine:
   1. Click Help and select Troubleshooting.
   2. Make sure that Enable IPS Logging is still selected.
   3. Make sure that logging for All Message Types is still selected.
   4. Click Functionality.
   5. Begin at the top, select the first box, and retest to see if the issue recurs:
      1. Click OK.
      2. Work down the list with only one engine enabled for each test.
      3. Note which engines are associated with the issue.
      4. Get the IPS log for each test and label each log with the name of the engine tested.
      5. Follow this process for each engine.
   6. If one or more of the IPS engines are identified, note the IPS engines in the case notes.
   7. When individual testing of the engines is complete, enable all engines to continue to the next step.
       
4. Test IPS Adaptive Mode:
   1. Go to the Activity Log tab and clear the log.
   2. Click Enable Adaptive Mode.
   3. Test the system to determine if the problem recurs:
      • If the problem recurs:
        1. Deselect Enable Adaptive Mode.
        2. Retest to verify if the problem goes away.
        3. If the problem goes away, Host IPS in Adaptive Mode can potentially be associated with the issue.
        4. Save a copy of the Activity log and rename it Host IPS Adaptive Activity Log wProb.
      • If the problem does not recur, deselect Enable Host IPS and continue to the next step.
         
5. Test Network IPS:
   1. Go to the Activity Log tab and clear the log.
   2. Go to the IPS Policy tab.
   3. Select Enable Network IPS.
   4. Test the system to determine if the problem recurs:
      • If the problem recurs:
        1. Deselect Enable Network IPS.
        2. Retest to verify if the problem goes away.
        3. If the problem goes away, Network IPS can potentially be associated with the issue.
        4. Save a copy of the Activity log and rename it Network IPS Activity Log wProb.
      • If the problem does not recur, select Enable Network IPS and continue to the next step.
         
6. Test Automatic Blocking of Network IPS:
   1. Go to the Activity Log tab and clear the log.
   2. Select Automatically Block Attackers.
   3. Test the system to determine if the problem recurs:
      • If the problem recurs:
        1. Deselect Automatically Block Attackers.
        2. Retest to verify if the problem goes away.
        3. If the problem goes away, Network IPS in Block Attackers Mode can potentially be associated with the issue.
        4. Go to the Blocked Hosts tab and identify any new entries to the list.
        5. Note the blocked attacker entries and review for false positives.
        6. Save a copy of the Activity log and rename it Network IPS Adaptive Activity Log wProb.
      • If the problem does not recur, deselect Enable Network IPS and continue to the next step.
         
7. Test Firewall Policy:
   1. Go to the Activity Log tab and clear the log.
   2. Go to the Firewall Policy tab.
   3. Click Enable Firewall.
   4. Test the system to determine if the problem recurs:
      • If the problem recurs:
        1. Deselect Enable Firewall.
        2. Retest to verify if the problem goes away.
        3. If the problem goes away, Host IPS Firewall can potentially be associated with the issue.
        4. Save a copy of the Activity log and rename it Firewall Activity Log wProb.
            
      • If the problem does not recur, select the Enable Firewall checkbox and continue to the next step.
         
8. Test Firewall Learn Mode:
   1. Go to the Activity Log tab and clear the log.
   2. Go to the Firewall Policy tab.
   3. Select Learn Mode Incoming Enabled.
   4. Test the system to determine if the problem recurs. If the problem recurs:
      1. Save a copy of the Activity log and rename it Firewall Activity Log LearnIN wProb.
      2. If the problem goes away, Firewall Incoming Learn Mode can potentially be associated with the issue.
      3. Retest to verify if the problem goes away.
      4. Deselect Learn Mode Incoming Enable.
          
   5. Go to the Activity Log tab and clear the log.
   6. Go to the Firewall Policy tab.
   7. Select Learn Mode Outgoing Enabled (both Incoming and Outgoing must be selected).
   8. Test the system to determine if the problem recurs. If the problem recurs:

      1. Select Learn Mode Outgoing Enabled.
      2. Retest to verify if the problem goes away.
      3. If the problem goes away, Firewall Learn ModeIncoming can potentially be associated with the issue.
      4. Save a copy of the Activity log and rename it Firewall Activity Log LearnINOUT wProb.
          
   9. Go to the Activity Log tab and clear the log.
   10. Go to the Firewall Policy tab.
   11. Select Learn Mode Incoming Enabled (both Incoming and Outgoing must be selected).
   12. Test the system to determine if the problem recurs. If the problem recurs:
       1. Deselect Learn Mode Incoming Enabled.
       2. Retest to verify if the problem goes away.
       3. If the problem ceases, Firewall Outgoing Learn Mode can potentially be associated with the issue.
       4. Save a copy of the Activity log and rename it Firewall Activity Log LearnOUT wProb.
           
   13. Test with the Any Any rule.
       NOTE: You might need to configure this step from the ePO management console. It is imperative that the first rule configured in the firewall rule list is the Any Any test rule. If other policies have been configured from the console, they take precedence over the locally created rules.
        
       1. Create a rule and name it Any Any.
       2. Set the Action to Permit.
       3. Set the Protocol to IP TCP.
       4. Set the Direction to Either and click OK.
       5. If it is being pushed from the console, move the Any Any rule to be the first processed rule in the policy list.
       6. If the rule is created locally, make sure that no other rules continue it.
       7. Test the system to determine if the problem recurs. If the problem recurs:
          1. Deactivate the Any Any rule.
          2. Retest to verify if the problem goes away.
          3. If the problem goes away, there is probably a configuration error with the rules.
          4. Obtain a screenshot of the Agent Configuration UI on the Firewall Policy tab.
          5. Export the Host IPS policy settings from ePO.
          6. Save a copy of the Activity log and rename it to Firewall Activity Log AnyAny Test.
              
   14. Go to the Firewall Policy tab.
   15. Deselect Enable Firewall and continue to the next step. 
        
9. Test Blocked Hosts Policy:
   1. Go to the Activity Log tab and clear the log.
   2. Go to the Blocked Hosts tab.
   3. Remove all blocked hosts from the list.
   4. Test the system to determine if the problem recurs. If the problem recurs, it is probably not associated with the Blocked Hosts Policy.