Windows operating systems (Options 1 and 2)
Option 1 - Enable debug logging via an ePolicy Orchestrator (ePO) policy (recommended)
NOTE: If you want to duplicate your current Host IPS Client UI policy, modify the duplicate policy to enable Host IPS debug logging, then assign the duplicate policy to a single system.
- Log on to the ePO console.
- Click Menu, Policy, Policy Catalog.
- Select Host Intrusion Prevention x.x.x General in the Product drop-down list, and Client UI (Windows) in the Category drop-down list.
- Click Edit Settings under the Actions column for the policy.
- Click the Troubleshooting tab.
- Set both Firewall and IPS logging entries to Debug.
- Select Log Security Violations in IPS logging field.
- Click Save.
- Perform an ePO agent wakeup call to the system.
- Open the Host IPS Client UI via the McAfee Agent Tray Icon on the client.
NOTE: You can also access the executable from the following path:
<Program Files>\McAfee\Host Intrusion Prevention\McAfeeFire.exe
- Verify that Host IPS debugging is enabled (open the Host IPS ClientUI and click HELP, TROUBLESHOOTING):
Verify that IPS and Firewall logging is set to Debug and that Log Security Violations is enabled. You can also check the following registry values:
32-bit: HKLM\Software\McAfee\HIP\Config\Settings\
64-bit: HKLM\Software\Wow6432Node\McAfee\HIP\Config\Settings\
"Client_LogLevelFw"=dword:00000001 (1)
"Client_LogLevelIps"=dword:00000004 (4)
"ClientUI_IpsLogViolations"=dword:00000001 (1)
NOTE: You can also enable debug logging via the local Client UI (without modifying the ePO policy) by following only Steps 10 and 11 above. Logging might be disabled automatically if you close or lock the Host IPS Client UI. McAfee recommends that you enable debug logging only via the policy while troubleshooting an issue, and then disable it when you are finished.
Back to Contents
Option 2 - Enable Host IPS debug logging via the local registry using
Regedit.exe
Restarting the Host IPS service is not required. See below for details, and also see
KB51517 for additional debug options. The steps below are useful if debug logging is required to investigate Host IPS policy enforcement issues (for example, if debug logging is not correctly being enabled via policy).
CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
- To enable debug logging via Registry:
- Disable the Host IPS module, or, if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
- Create a DWORD 'debug_enabled' value under the applicable registry location below:
32-bit: HKLM\Software\McAfee\HIP\
64-bit: HKLM\Software\Wow6432Node\McAfee\HIP\
A value of decimal 1 turns on verbose debug logging.
A value of decimal 0 disables logging.
- After troubleshooting the issue, disable debug logging via Registry by performing the following steps:
- Disable the Host IPS module OR, if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
- Remove the DWORD debug_enabled value.
Back to Contents
