FAQs for Host Intrusion Prevention 8.0
Technical Articles ID:   KB73399
Last Modified:  5/9/2018

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0

Summary

This article is a consolidated list of common questions and answers. It is mainly intended for users who are new to the product, but can be of use to all users.

NOTE: This article deals with general questions regarding Host IPS.
 
Contents
Top Issues Top issues or questions reported by customers.
Compatibility Interaction between other products and software.
Installation/Upgrade Information about installing, removing, or upgrading.
Configuration Includes best practices, optimizing, and configuring.
Functionality Product features and functions, including Buffer Overflow, Host IPS Protection, Network IPS, and Firewall.
 
Top Issues
 
Client IPS/IPS events
IPS signature events are one of the top call generators for Host IPS. Normally, these inquiries are the result of IPS Signature Event triggers. In general, Host IPS offers IPS and firewall protection for endpoint systems as part of a layered protection strategy. This layered protection strategy should include Network gateway firewall/intrusion systems or filtering, endpoint anti-virus, and endpoint anti-malware applications, in addition to Host IPS. 

Host IPS signature content provides security to protect against known system vulnerabilities and unknown (zero-day) vulnerabilities. Zero-day is defined as the gap between unpatched systems and subsequently applying released security updates for confirmed vulnerabilities. Host IPS content contains generic buffer overflow and other generic signature mechanisms to protect systems during this zero-day gap period. However, McAfee recommends that you apply all operating system and application-specific security updates as soon as practical within your environment to reduce frequent or repeated IPS signature detections.

McAfee advises that you follow a general methodology for reviewing operating system and application-specific security updates, and also patch systems and applications on a monthly or regular basis. McAfee also advises that you review monthly Host IPS signature updates for correlation to specific vendor security updates that are released. Host IPS signatures mapping directly to vendor-available security updates can be safely disabled on updated systems. McAfee recommends that you review enabled signature content and system patching with available security updates monthly to reduce the likelihood of excessive false positives on already updated systems.

Use the following general methodology when assessing IPS signature events:
  1. Identify the signature number that is being triggered.
  2. Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
  3. Review the References CVE description link(s), if any are included in the description information for that signature.
  4. Identify whether any Microsoft Technet Security Bulletins are linked for the applicable vulnerability, and identify whether any Microsoft security updates have been released that resolve the vulnerability.
  5. Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied (as noted above):
    • If so, the applicable IPS Signature may be disabled on the systems having the associated Microsoft Security Updates applied.
    • If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
  6. If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
  7. Identify whether the event triggers correlate to normal business usage or process.
  8. Identify whether the systems experiencing the event have all of the latest Microsoft Security Updates applied.
  9. Identify whether the IPS event is specific for a third-party process, such as Adobe or other non-Microsoft application, process, or other tool. If so, review all applicable security updates from the vendor and ensure they are applied on the systems.
  10. If the signature is still triggering after an applicable vendor security update has been applied, consider the event a false positive and either disable the signature on the updated systems, or create an IPS exception for the updated systems to stop all further signature detections.
  11. If there is no applicable vendor security update available, determine whether the affected systems have current anti-virus and anti-malware definitions for VirusScan or other installed endpoint protection application. Perform a full scan on the affected systems.
  12. Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.
  13. Enable verbose debug logging by enabling Log security violations for Host IPS so advanced information can be collected in the HipShield.log. See KB54473 for relevant information regarding IPS security violations in the HipShield.log.
  14. Contact Technical Support for further analysis.

Client firewall/firewall rules
Firewall policy configuration questions are common, including what firewall rules should be configured on endpoint systems. Typical enterprise customer firewall policies range from very simple rule sets leveraging connection/location aware groups to extremely complex rule policies defining process executable hashes encompassing hundreds of inbound/outbound firewall rules. Large firewall policies add complexity for management and can contribute to decreased performance on lower spec systems. Large rule sets can also add performance overhead on the ePO server during policy configuration and increased overhead for the McAfee Agent during policy enforcement intervals.

The Host IPS 8.0 firewall includes a number of features that allow for simplified policy configurations:
  • Host IPS 8.0 includes simplified default firewall policy rule templates to base your policy on. McAfee recommends that you utilize simplified rule sets leveraging the stateful firewall, trusted networks, and trusted applications whenever possible for internal corporate network policies.
  • The firewall is considered a stateful firewall, which reduces the need for excessive inbound firewall rules. Rule policies can be much more simplified. The firewall state table dynamically stores information about active outbound traffic connections from the system. The firewall state table rules filter and allow the associated return traffic. This negates the need to define large, complex inbound rule sets.
  • The use of Location Aware groups further defines rule sets for remote users off the normal LAN. Simplified rule sets can be configured within a Location Aware group, which enables remote users to connect via a company VPN and then utilize normal firewall rules.
  • Trusted Networks - lists IP addresses and networks, including TrustedSource exceptions, that are safe for communication. Trusted networks can include individual IP addresses or ranges of IP addresses. Marking networks as trusted eliminates or reduces the need for network IPS exceptions and additional firewall rules. (For Windows clients only.)
  • Trusted Applications - lists applications that are safe and have no known vulnerabilities. Marking applications as trusted eliminates or reduces the need for IPS exceptions and additional firewall rules. Like the IPS Rules policy, this policy category can contain multiple policy instances. (For clients on both Windows and non-Windows platforms.)
  • Firewall Adaptive Mode - an aid for firewall tuning. 

    NOTE: Only use Adaptive Mode temporarily on a small number of systems to aid in firewall rules tuning. This mode can create a large number of client rules on end systems, and can also create a significant overhead for the ePO server while processing excessive firewall client adaptive rules. McAfee recommends limiting Adaptive Mode for firewalls to a few systems for a limited period of time as an aid in firewall policy tuning.

    Review client adaptive rules daily or at a minimum, weekly, while target systems have Adaptive Mode enabled. After initially deploying Adaptive Mode for firewalls, disable Adaptive Mode on target systems with the Retain client rules option deselected to ensure all learned client rules on the target system are purged. From the ePO console, review the firewall client rules and identify rules to apply to a tuning firewall rules policy on the end system before re-enabling the firewall with Adaptive Mode. Take these iterative steps to achieve a final firewall rules policy before deployment to all systems. Some network traffic related to applications might not be recognized by the Adaptive Mode, and you might have to configure firewall rules manually. Consult with your application vendor for information on application-specific firewall configurations to ensure functionality.
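The following is an added, constructed model (not McAfee code) of the stateful-firewall, Trusted Networks and explicit inbound rule behaviour described in the bullets above: outbound connections populate a state table, matching return traffic is allowed without an inbound rule, unsolicited inbound traffic is blocked unless the peer is on a trusted network or an explicit inbound rule exists. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" (from the protected host) or "in" (to it)
    proto: str        # "tcp" or "udp"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class StatefulFirewall:
    """Toy model: trusted networks, a state table, and a short explicit inbound rule list."""

    def __init__(self, trusted_networks=(), inbound_rules=()):
        # Trusted Networks: remote addresses/ranges that are always allowed
        self.trusted = [ip_network(n) for n in trusted_networks]
        # Explicit inbound allow rules as (proto, local_port); this list stays short
        self.inbound_rules = set(inbound_rules)
        # State table: 5-tuples of connections the host itself initiated
        self.state = set()
        self.log = []

    @staticmethod
    def _key(p):
        return (p.proto, p.local_ip, p.local_port, p.remote_ip, p.remote_port)

    def filter(self, p):
        """Return True if the packet is allowed and record the reason in self.log."""
        if any(ip_address(p.remote_ip) in net for net in self.trusted):
            return self._decide(p, True, "trusted network")
        if p.direction == "out":
            self.state.add(self._key(p))        # remember the outbound connection
            return self._decide(p, True, "outbound; state entry added")
        if self._key(p) in self.state:
            return self._decide(p, True, "return traffic matches state table")
        if (p.proto, p.local_port) in self.inbound_rules:
            return self._decide(p, True, "explicit inbound rule")
        return self._decide(p, False, "unsolicited inbound; no state entry or rule")

    def _decide(self, p, allowed, reason):
        self.log.append(("ALLOW" if allowed else "BLOCK", p.direction,
                         p.remote_ip, p.local_port, reason))
        return allowed


def demo():
    """Constructed traffic for one host (203.0.113.10); returns the per-packet verdicts."""
    fw = StatefulFirewall(trusted_networks=["10.0.0.0/8"], inbound_rules=[("tcp", 3389)])
    host = "203.0.113.10"
    packets = [
        Packet("out", "tcp", host, 51000, "198.51.100.5", 443),    # HTTPS request
        Packet("in",  "tcp", host, 51000, "198.51.100.5", 443),    # its reply
        Packet("in",  "tcp", host, 445,   "198.51.100.9", 40000),  # unsolicited SMB from Internet
        Packet("in",  "tcp", host, 445,   "10.20.30.40",  40001),  # SMB from trusted LAN
        Packet("in",  "tcp", host, 3389,  "198.51.100.9", 40002),  # RDP, covered by explicit rule
        Packet("in",  "udp", host, 53,    "198.51.100.5", 53),     # no state entry, no rule
    ]
    verdicts = [fw.filter(p) for p in packets]
    return verdicts, fw.log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Only the third and sixth packets are blocked; the reply to the outbound HTTPS request needs no inbound rule at all.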
Installation/setup/uninstall/deploying using ePO
Most support calls falling into this category consist of questions that are addressed in the Host Intrusion Prevention 8.0 Installation Guide (PD22891).

McAfee recommends that you thoroughly test and baseline any new security application installation for your production environment before deployment to all systems. Although McAfee thoroughly tests and validates security products prior to release, you should do the same before deploying Host IPS to all nodes in an enterprise environment. Third-party products and network infrastructures are adopting new security features at a rapid rate because of technology advances. Product interoperability continues to be a moving target for all vendors, and it is essential that base customer images are validated with changes to any product. After validating Host IPS in test or pilot environments, McAfee recommends a production pilot or phased approach to the enterprise production deployment.


New installation failed
Host IPS is deployed with IPS and firewall features turned off by default. McAfee recommends that you select systems representing the applications and configurations for all groups within your environment. If you have standardized images, it is easier to validate Host IPS for your environment. If you have dissimilar systems, you have a more difficult challenge when validating interoperability. It is easier for Technical Support to resolve interoperability issues prior to enterprise-wide deployment, rather than resolving critical issues found after or during an enterprise-wide deployment.

 
 
 
Compatibility
 
What if I have a problem with other third-party software?
Issues involving other third-party software can happen, especially those involving other third-party security software. For help, see the following articles:
  • KB67055 - How to troubleshoot a network facing application or traffic is blocked by Host Intrusion Prevention firewall
  • KB67056 - Third-party application stops working or is impaired after Host Intrusion Prevention is installed or content is updated
If you contact Technical Support about an unresolved issue, it is important that you also engage the third-party vendor for analysis in parallel with McAfee. Many interoperability issues require resolution by the third-party vendor and not McAfee. McAfee is committed to working closely with third-party vendors to resolve any interoperability issues.


What makes Host IPS a 64-bit product?
Host IPS 8.0 installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path. Other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product does not adhere to installation guidelines for 64-bit files in the \program files folder, but the product supports x64 natively.



What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit. Therefore, Host IPS 8.0 loads the appropriate 32-bit IPS engines for them.



Why should I install the McAfee (ePO) Agent on laptops that rarely connect to the network?
The ePO agent provides policy enforcement. After you have installed the agent and it has received your policy, configured at the ePO server, the policy you defined is going to be enforced at the policy enforcement interval you defined whether the laptop is on the network or off the network. This ensures that your company settings for your McAfee products are in place no matter where you roam.


 
Can I use Host IPS 8.0 to block access to USB devices?
Not effectively. It is possible to block access to USB devices utilizing a custom IPS signature with Host IPS 8.x. However, there are current security limitations when using an IPS signature.

To efficiently block USB devices, McAfee recommends McAfee Data Loss Prevention (http://www.mcafee.com/us/products/data-protection/index.aspx).

For information on preventing users from connecting to a USB storage device, see Microsoft support article 823732 at support.microsoft.com/kb/823732.


Back to Contents 

 
Installation/Upgrade
 
Why are the Host IPS 8.0 incremental patch (MSP) packages larger than the full Host IPS installation that includes the patch?
MSP packages keep getting larger, for good reason. Each time McAfee releases a new patch, the MSP must contain the information necessary to upgrade every previously released patch and the RTW version of the product. Because of this requirement, there is a transform (MST) embedded in the MSP for each of these previous versions, not just a copy of the new files.

The MST transform is, basically, an MSI diff that will take a previously known MSI and update it to the latest MSI the patch was based on. Because the MSI tables contain Binary data for things like the embedded custom action code and some of our support utilities (for example, clientcontrol.exe), these MSI differences can be quite large, causing each subsequent patch to grow.


How do I install Host IPS 8.0 locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run Setup.exe, and then complete the installation. Setup.exe supports many of the MSI command line options. For more information, see KB51689.


How do I install Host IPS via ePO?
Add the installation package to your repository, then create/modify a Deployment Task. For more information, see the ePolicy Orchestrator 5.3.0 Product Guide (PD25504). The Deployment Task also allows command line options to be specified. This allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see the Host Intrusion Prevention 8.0 Installation Guide (PD22891).


Why does the product install to the Program Files (x86) folder?
Host IPS installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path. Other binaries, such as drivers, are installed to their appropriate places in the Windows file system.
The product does not adhere to installation guidelines for 64-bit files in the \program files folder, but the product supports x64 natively.


Is there any Host IPS Signature content in the installation package?
Host IPS ships with signature content 8.0.0.3709. This allows Host IPS to function after an installation in the event that an ePO server cannot be contacted for signature updates. McAfee recommends that you configure a regularly scheduled update task to include Host IPS Signature Content for installed systems.


How often is Host IPS content updated?
Host IPS is updated to the common repository on the second Tuesday of every month by 8:00 P.M. GMT. The second Tuesday of every month is also when Microsoft Windows Security Updates are released (also known as Microsoft Patch Tuesday).


Do I have to restart after installing?
For new systems, you do not have to restart to begin taking advantage of Host IPS 8.0 functionality. However, McAfee recommends that you restart to ensure a cleaner Windows environment.

For upgrading Host IPS 7.0 systems, you might have to restart, depending on your operating system. McAfee recommends that you validate against your specific images.


How do I remove the product?
You can remove Host IPS using an ePO Deployment Task, or locally using Programs and Features or Apps & features (depending on your version of Windows). You must disable IPS protection on the system prior to removing Host IPS locally.


Is my product version supported?
For End of Life and End of Support information, go to: www.mcafee.com/us/support/support-eol.aspx.


Back to Contents
 
 
Configuration
 
How do I add multiple IP addresses for my firewall rules?
You can define a new "network" item in the Host IPS Catalog. You can define the network object container with a single or multiple IP addresses, subnet, local subnet, IP range, FQDN, any local, any IPv4, or any IPv6 as trusted. Once you have defined a network catalog object, you can use this catalog object in your firewall rule(s), under Network Options, by clicking "Add from Catalog" when editing firewall rules. If the IP addressing needs to change for any rule using the catalog object, you can just update the IP addresses in your network catalog object from the Host IPS Catalog. All firewall rules referring to that catalog object will then have the updated network IP addresses.


How do I stop the Host IPS service?
Host IPS utilizes a self-protection mechanism to prevent even administrators from stopping the service. It is controlled via the IPS policy, and self-protection is turned off when IPS is disabled. You can also disable IPS locally using the Host IPS client UI tray icon. You will need a Host IPS administrator password to unlock the client UI and disable the IPS.



How do I configure Application Blocking on Host IPS 8.0?
The Application Blocking feature was removed for Host IPS 8.0, but you can configure application blocking and hooking protection using IPS signatures 6010 and 6011. For more information, see KB71794.


How do I investigate performance issues?
There are a number of approaches to investigating performance issues. Perform the actions in the following steps sequentially to gain information on what the issue might be. After you have identified the issue, you can take appropriate steps to resolve the issue. The following steps are intended as a guideline rather than comprehensive instructions. You can find additional information on using the tools mentioned from the Internet. Additional tools are listed in KB72766.
  1. Task Manager: Press CTRL+SHIFT+ESC to open Task Manager. Sort by the CPU column to see what process or processes are using CPU. Note that the number is a percentage of all available processors or cores, so 25 percent on a four-CPU system would mean a process is pegging one of the cores, which is usually indicative of a problem. You can investigate further after the offending process or processes have been identified.
  2. Performance Monitor: Use the Performance Monitor (PerfMon) to convey the specifics of how much CPU is being used and for how long, giving you an idea of how the system or users are being impacted. Use PerfMon to monitor the performance object's process, processor, and memory, capturing all counters and instances. McAfee advises that you use a sampling rate of one second for most issues that occur within a brief window of time or are predictable. To reduce the potential size of the log generated, you can use fewer and more specific counters instead of capturing everything because this allows the capture to run for longer periods of time without creating an unwieldy log file.
  3. Windows Performance Monitoring Tool (XPerf): In Microsoft Vista and newer operating systems, Microsoft has provided a powerful tool that can give detailed information about a performance problem, including the API that is being called the most. Vendors can use this information typically at an engineering/development level where symbols files for source code are accessible. This helps to clarify what code paths are being exercised.
  4. VSE Profiler (when VSE is also running on system): The VSE Profiler provides visibility into what the product is doing, such as what files are being scanned. The tool provides a mechanism for generating reports to add understanding to the data that is collected. For more information, see the Profiler 1.1 Release Notes (PD22737).

    To download the VSE Profiler, go to: https://support.mcafee.com/ServicePortal/faces/tools/toolsMcAfeeProfiler. You might be able to create exclusions and/or leverage the Hi/Low/Default scanning profiles to create a configuration that improves performance.

IMPORTANT: McAfee recommends working with Technical Support if your performance issues have not been addressed after following these steps.


Why is the ePO server using so much CPU when the Property Translator server task is running?
The Host IPS ePO Property Translator server task runs every 15 minutes by default to convert system client properties into adaptive client rules that are displayed in the client rules tabs of the Host IPS Event Reporting display. Excessive processing of client rules can cause increased CPU consumption for ePO-related processes. Additionally, malformed properties collected from the end system might cause Property Translator errors. The Host IPS 8.0 Patch 4 (and later) extension displays the following alert when you enable Adaptive Mode in the Firewall Options policy:
 
    McAfee recommends that you enable Adaptive Mode on selected systems for a limited amount of time only. Enabling Adaptive Mode on many systems for a long time can significantly impact performance for the Host IPS Property Translator server task on ePolicy Orchestrator.

For more information, see the following related articles:
  • KB80102 - ePolicy Orchestrator console stops responding or takes several minutes to open when editing the Host Intrusion Prevention 8.0 Catalog
  • KB71607 - Excessive Malformed Rule String Detected, Unparseable Date or other Host IPS Property Translator messages (in ePolicy Orchestrator 5.x Orion.log)
  • KB71520 - Host Intrusion Prevention 8.0 property translator error failing on POSTALCODE

How do I prevent the firewall from blocking non-IP traffic?
Unless specifically indicated in a firewall rule, some types of non-IP traffic are not recognized by the firewall and as a result are blocked. Additionally, the adaptive and learn modes do not dynamically detect and create firewall rules for non-IP protocols. To prevent non-IP protocols from being dropped, select Allow traffic for unsupported protocols in the Firewall Options policy. Then check the Activity Log for Allowed Incoming/Outgoing Non-IP Protocol: 0xXXX, where 0xXXX indicates the IANA Ethernet number of the protocol (see http://www.iana.org/assignments/ethernet-numbers). Use this information to determine the non-IP traffic that is needed and create a firewall rule that allows it.
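An added helper (not part of this article or the product) for the review step above: it scans Activity Log lines for the "Allowed Incoming/Outgoing Non-IP Protocol: 0xXXX" message, counts the EtherTypes seen per direction, and resolves each against a small subset of the IANA Ethernet numbers registry so you can decide which non-IP protocols need a firewall rule. The sample log lines and their timestamp prefix are constructed; the message text itself is as quoted in the FAQ.

```python
import re
from collections import Counter

# Subset of the IANA Ethernet numbers registry (EtherType -> protocol name).
ETHERTYPES = {
    0x0806: "ARP",
    0x8035: "RARP",
    0x809B: "AppleTalk",
    0x8100: "IEEE 802.1Q VLAN-tagged frame",
    0x8137: "IPX",
    0x8863: "PPPoE Discovery",
    0x8864: "PPPoE Session",
    0x888E: "IEEE 802.1X EAPOL",
    0x88CC: "LLDP",
}

# Matches the Activity Log message quoted in the FAQ; anything before it on the line is ignored.
NON_IP_RE = re.compile(r"Allowed (Incoming|Outgoing) Non-IP Protocol: 0x([0-9A-Fa-f]{1,4})")


def parse_non_ip_events(lines):
    """Count Activity Log entries per (direction, EtherType)."""
    counts = Counter()
    for line in lines:
        m = NON_IP_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2), 16))] += 1
    return counts


def summarize(counts):
    """Rows sorted by frequency, with each EtherType resolved to a name where known."""
    rows = []
    for (direction, etype), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append({
            "direction": direction,
            "ethertype": f"0x{etype:04X}",
            "protocol": ETHERTYPES.get(etype, "unknown (check the IANA registry)"),
            "count": n,
        })
    return rows


# Constructed sample Activity Log lines (timestamp format is an assumption).
SAMPLE_LOG = """\
2018-05-09 10:15:02 Allowed Incoming Non-IP Protocol: 0x88CC
2018-05-09 10:15:07 Allowed Outgoing Non-IP Protocol: 0x0806
2018-05-09 10:15:33 Allowed Incoming Non-IP Protocol: 0x88CC
2018-05-09 10:16:01 Allowed Incoming Non-IP Protocol: 0x888E
2018-05-09 10:16:10 Allowed Incoming Non-IP Protocol: 0x8892
2018-05-09 10:16:12 Blocked Incoming TCP 198.51.100.9:40000 -> 203.0.113.10:445
""".splitlines()


if __name__ == "__main__":
    for row in summarize(parse_non_ip_events(SAMPLE_LOG)):
        print(f'{row["direction"]:8} {row["ethertype"]}  {row["count"]:3}  {row["protocol"]}')
```

Unresolved EtherTypes are reported as unknown rather than guessed; look them up in the IANA registry before writing a rule for them.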


Back to Contents

 
Functionality
 
How does Host IPS protection work?
Host IPS protection monitors executable system calls made using Application Programming Interfaces (APIs) on the protected system. These system calls are made to/from the operating system kernel for processing resources. Host IPS monitoring detects anomalies in system calls and blocks or logs those calls for analysis. Host IPS uses several monitoring Class engines to achieve this goal. For information regarding the Buffer Overflow, Files, Hook, Illegal API Use, Illegal Use, ISAPI, Program, Registry, Services, and SQL engine classes, see the Host Intrusion Prevention 8.0 Product Guide (PD22894).

 
How does Buffer Overflow Protection work?
Buffer Overflow Protection (BOP) monitors executables and APIs on the protected system, checking for code execution from a buffer overflow or buffer overrun. BOP does not stop the overrun from occurring, but stops code execution that occurs from that overrun. This is a common exploit method, used by malware against vulnerable applications, to gain access to data or the system and/or to further propagate itself.

Protection is accomplished by having kernel-level hooks (also known as Kernel Patching of various system tables) detour code execution through our tests for safety, before returning to their previously scheduled programming. This feature is limited in support on 64-bit platforms because the 64-bit kernel allows limited patching. For information regarding coverage details for supported Windows platforms, see KB51504. BOP may be redundant on systems where Data Execution Prevention (DEP) is already in place.

The referenced article is available only to registered ServicePortal users.

To view registered articles:
  1. Log on to the ServicePortal at http://support.mcafee.com.
  2. Type the article ID in the search field on the home page.
  3. Click Search or press Enter.

What is Network IPS Protection?
The Network IPS protection filter driver inspects data communicating between the protected system and the network. Packets are examined against malicious attack profiles. If an attack is identified, the offending data is discarded or blocked from passing through the system. Host IPS contains a default list of network IPS signatures for Windows platforms. You can edit the severity level, log status, and client rule creation setting of these signatures, but you cannot presently add custom network signatures. Network signatures do the following:
  • Protect systems located downstream in a network segment
  • Protect servers and the systems that connect to them
  • Protect against network denial-of-service attacks and bandwidth-oriented attacks that deny or degrade network traffic
 
Is the Host IPS Firewall filter driver NDIS 5.0 or NDIS 6.0?
The Network Driver Interface Specification is the API for network adapters and network filter drivers operating on Microsoft operating systems. This specification was originally developed jointly by Microsoft and 3COM Corporation. Windows 7, Windows Vista, Windows Server 2008, and newer operating systems use the NDIS 6.x API (these operating systems also provide backward compatibility for the NDIS 5.x filter drivers through a Microsoft compatibility layer).
 
Host IPS 8.0 includes two versions of the firewall driver:
  • One firewall driver is built on the NDIS 6.x specification for Vista and newer operating systems
  • The other firewall driver is built on the NDIS 5.x specification for Windows XP and Windows 2003

    NOTE: McAfee recommends that you run Host IPS 8.0 on Vista and newer operating systems when practical because NDIS 6.x drivers run the updated programming interface on Vista and newer operating systems.
    Microsoft ended extended support for Windows XP SP3 on April 8, 2014. For best results and optimal security, upgrade to a supported operating system. See KB78434 for details.
     
    Microsoft ended extended support for Windows Server 2003 SP2 on July 14, 2015. As of the end of 2015, the only McAfee product supported with Windows Server 2003 SP2 is Application and Change Control. See KB81563 for details. 

What is the Host IPS HTTP engine?
The Host IPS 8.0 HTTP engine consists of two components: a stub and an engine. The stub is a thin wrapper that is loaded by IIS and which then loads the main HTTP engine depending on control values stored in the registry. The HTTP engine utilizes a stub so that policy changes relating to the HTTP engine do not require a restart of IIS. Disabling the HTTP engine from IPS Troubleshooting removes the entry from IIS. The engine builds queries from the HTTP request and passes them to the HIP client for matching and then, depending on whether the request is blocked, allows the HTTP request to continue. No POST data is included in the raw data section. The raw data section contains all the header variables for all versions of IIS.


Which Host IPS services must be running on a client for the software to function properly?
Ensure the following services are active to provide intrusion prevention protection with either or both IPS and firewall:
  • McAfee Host Intrusion Prevention Service (FireSvc.exe)
  • McAfee Firewall Core Service (mfefire.exe) - not started automatically with Host IPS 8.0 Patch 6 (and later). See KB85374.
  • McAfee Validation Trust Protection Service (mfevtps.exe)
  • McAfee Host Intrusion Prevention Local Procedure Call (LPC) Service (HipMgmt.exe) - added with Host IPS 8.0 Patch 3 (and later). See KB81474.
The following services are active when called:
  • McAfee Host Intrusion Prevention system tray icon service (FireTray.exe)
  • McAfee Host Intrusion Prevention client console (McAfeeFire.exe)

Where are log files located?
All log files are located in the C:\ProgramData\McAfee\Host Intrusion Prevention\ directory on the client system.


Which log files are associated with the Host IPS component?
The primary log file for the Host IPS component is HipShield.log. This log file grows to 128 MB and rotates with one backup. Log file rotation is controlled by the DWORD entries log_rotate_size_kb and log_rotate_count in the [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP] registry key. The log_rotate_count value determines the number of backup log files to preserve, and the DWORD entry log_rotate_size_kb is the approximate size in KB of a backup log file, where 0 means log rotation is disabled. When the size specified by log_rotate_size_kb has been exceeded, the file is closed and renamed with the suffix '.1'. If a file with that name already exists, the suffix is incremented by one. When the specified number of backup files is reached, the oldest is deleted.


What are things to look for in HipShield.log?
A run of the Host IPS component begins with a banner statement that identifies the build run and the date/time stamp of the session. Each entry of the HipShield log shows a date/time stamp, followed by an indication of whether this data is informational, debugging, or error. The data contained in the HipShield is ad-hoc, and differs between portions of the Host IPS component. Key areas of interest:
  • Lines beginning with In install modules new describe the copying of files as part of the start of the Host IPS component. Failure to copy these files prevents the Host IPS component from starting.
  • A line beginning with Scrutinizer initialized successfully indicates that loading of the Host IPS component has been successful up through the initialization of the Scrutinizer, which depends on the above-mentioned files having been copied properly.
  • A line beginning with New Process: PID = indicates the Host IPS component is able to monitor process creation.
  • A line beginning with IIS - Start indicates that IIS monitoring is beginning.
  • A line beginning with Scrutinizer started successfully ACTIVATED status indicates that the Scrutinizer has successfully started.
  • A line beginning with Hooking xxx indicates that process hooking is proceeding. The number xxx indicates the PID (process ID) of the process being hooked.
  • A series of lines beginning with Processing Buffer xxx.scn report the results of the Scanner's processing of scan file xxx.scn, where xxx is a name like EnterceptMgmtServer, as shown above. Errors in the Scanner's processing of scan files are reported here.
  • Lines in the format signature=111 level=2, log=True report that an individual signature has been loaded. The signature ID and level are included along with an indication of whether logging is enabled for this signature.

    NOTE: Shield.db and except.db are created in the same directory as the logs only when debugging is enabled. These files contain a dump of the rules and exceptions that are sent to the kernel after the AgentNT.dll has processed the content.
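As an added example (not McAfee code), the following checker reads HipShield.log lines and reports whether the start-up markers listed above appeared, which PIDs were hooked, which signatures were loaded with logging enabled, and which scan files were processed. The marker strings are those quoted in the FAQ; the sample log lines, their timestamp prefix and the single-letter level column are constructed assumptions, and the checker only looks for the marker text, not the prefix.

```python
import re

# Start-up markers quoted in the FAQ, in the order they normally appear.
STARTUP_MARKERS = [
    ("modules_copied", "In install modules new"),
    ("scrutinizer_initialized", "Scrutinizer initialized successfully"),
    ("process_monitoring", "New Process: PID ="),
    ("iis_monitoring", "IIS - Start"),
    ("scrutinizer_activated", "Scrutinizer started successfully ACTIVATED status"),
]
HOOK_RE = re.compile(r"\bHooking (\d+)\b")                      # "Hooking <PID>"
SIG_RE = re.compile(r"signature=(\d+) level=(\d+), log=(True|False)")
SCAN_RE = re.compile(r"Processing Buffer (\S+\.scn)")
ERROR_RE = re.compile(r"\berror\b", re.IGNORECASE)               # assumed error wording


def analyze_hipshield(lines):
    """Collect the health indicators described above from HipShield.log lines."""
    report = {name: False for name, _ in STARTUP_MARKERS}
    report.update(hooked_pids=[], signatures={}, scan_files=[], error_lines=[])
    for line in lines:
        for name, marker in STARTUP_MARKERS:
            if marker in line:
                report[name] = True
        if m := HOOK_RE.search(line):
            report["hooked_pids"].append(int(m.group(1)))
        if m := SIG_RE.search(line):
            report["signatures"][int(m.group(1))] = {
                "level": int(m.group(2)), "log": m.group(3) == "True"}
        if m := SCAN_RE.search(line):
            report["scan_files"].append(m.group(1))
        if ERROR_RE.search(line):
            report["error_lines"].append(line.strip())
    return report


def ips_engine_healthy(report):
    """True when start-up reached ACTIVATED, processes are being hooked and no error lines appeared."""
    return (report["modules_copied"] and report["scrutinizer_initialized"]
            and report["scrutinizer_activated"] and bool(report["hooked_pids"])
            and not report["error_lines"])


# Constructed sample HipShield.log excerpt (prefix format is an assumption).
SAMPLE_LOG = """\
05/09/2018 10:15:00 I  Host IPS session start
05/09/2018 10:15:01 I  In install modules new: copying HipShield modules
05/09/2018 10:15:02 I  Scrutinizer initialized successfully
05/09/2018 10:15:02 I  Processing Buffer EnterceptMgmtServer.scn
05/09/2018 10:15:03 D  signature=111 level=2, log=True
05/09/2018 10:15:03 D  signature=6010 level=4, log=False
05/09/2018 10:15:04 I  Scrutinizer started successfully ACTIVATED status
05/09/2018 10:15:05 I  New Process: PID = 1234
05/09/2018 10:15:05 D  Hooking 1234
05/09/2018 10:15:09 D  Hooking 5678
""".splitlines()


if __name__ == "__main__":
    r = analyze_hipshield(SAMPLE_LOG)
    print("healthy:", ips_engine_healthy(r))
    print("hooked PIDs:", r["hooked_pids"])
    print("signatures with logging:", [s for s, v in r["signatures"].items() if v["log"]])
```

A log that stops before the ACTIVATED line, or that contains error entries, is reported as unhealthy; check the module-copy and Scrutinizer lines first, since the later stages depend on them.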
     
Which log files are associated with the firewall component?
  • FireSvc.log (Main service log): debug level logging, location matching output, TrustedSource connection rating output, errors/warnings
  • HipMgtPlugin.log (McAfee Agent plug-in log): debug level logging, policy enforcement timing statistics, errors/warnings
  • FireTray.log / McTrayHip.log (Tray log): debug level logging, errors/warnings
  • FireUI.log (Client UI log): debug level logging, errors/warnings
These log files grow until they reach the default maximum size of 100 MB. If you require larger or smaller log files, you can control the size by adding the following registry value: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\MaxFwLogSize]

To set the log size, see the "Which log files are associated with the firewall component?" section of the Host Intrusion Prevention 8.0 Product Guide (PD22894).


What is the ClientControl command line utility?
This command line utility helps automate upgrades and other maintenance tasks if you use third-party software to deploy Host IPS on clients. You can include it in installation and maintenance scripts to temporarily disable IPS protection and activate logging functions. For more information, see the Host Intrusion Prevention 8.0 ClientControl.exe Utility Readme (PD23014).

Back to Contents
