Technical Articles ID:
KB73399
Last Modified: 5/16/2022
Environment
Host Intrusion Prevention (Host IPS) 8.0
Summary
Recent updates to this article
Date: May 16, 2022
Update: Minor formatting changes; no content changes.
This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
NOTE: This article deals with general questions regarding Host IPS.
Client IPS and IPS events
IPS signature events are one of the top call generators for Host IPS. Normally, these inquiries are the result of IPS Signature Event triggers. In general, Host IPS offers IPS and firewall protection for endpoint systems as part of a layered protection strategy. In addition to Host IPS, a layered protection strategy should include either of the following:
Network gateway firewall or intrusion systems
Filtering, endpoint antivirus, and endpoint antimalware applications
Host IPS signature content provides security to protect against known and unknown (zero-day) system vulnerabilities. Zero-day is the gap between unpatched systems and the application of released security updates for confirmed vulnerabilities. Host IPS content contains generic buffer overflow and other generic signature mechanisms to protect systems during this period. But, we recommend that you apply operating system and application-specific security updates as quickly as possible within your environment. This action can reduce frequent or repeated IPS signature detections.
We advise the following:
Follow a general method to review operating system and application-specific security updates.
Patch systems and applications on a monthly or regular basis.
Review monthly Host IPS signature updates for correlation to specific vendor security updates that are released. You can safely disable host IPS signatures mapping directly to vendor-available security updates on updated systems.
Review enabled signature content and system patching with available security updates monthly to reduce the likelihood of excessive false positives on already updated systems.
Use the following general method when you assess IPS signature events:
Identify the signature number that's being triggered.
Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
Review the reference CVE description links, if any are included in the description information for that signature.
Identify whether any Microsoft TechNet Security Bulletins are linked for the applicable vulnerability. Also, identify whether there are Microsoft security updates available that resolve the vulnerability.
Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied, as noted above:
If so, the applicable IPS Signature might be disabled on the systems that have the associated Microsoft Security Updates applied.
If not, we recommend that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
Identify whether the event triggers correlate to normal business use or process.
Identify whether the systems experiencing the event have the latest Microsoft Security Updates applied.
Identify whether the IPS event is specific to a third-party process, such as an Adobe application or another tool. If so, review all applicable security updates from that vendor and make sure they're applied on the systems.
If the signature still triggers after an applicable vendor security update has been applied, consider the event as a false positive. Either disable the signature on the updated systems, or create an IPS exception for the updated systems to stop all further signature detections.
If there's no applicable vendor security update available, determine whether the affected systems have current antivirus and antimalware definitions for VirusScan or other installed endpoint protection application. Perform a full scan on the affected systems.
Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.
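The review method above, applied to a batch of events rather than one at a time, as an added example that is not part of this article or of Host IPS. It encodes the steps as a decision function and runs it over a constructed set of events so that, per signature, you can see which hosts are candidates for disabling the signature or adding an exception and which still need the vendor update. The field names, action strings, hostnames, signature ids other than 111, and patch states are this example's own assumptions.

```python
"""Triage helper encoding the IPS signature event review steps.

Added example, not part of the KB article or of Host IPS.  Field names,
action strings and the sample batch are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

DISABLE_OR_EXCEPT = "false positive: disable signature on this host or add an IPS exception"
APPLY_UPDATE = "apply the applicable vendor security update to this host"
SCAN_AND_CHECK_PERIMETER = ("no vendor update: verify AV/antimalware definitions, run a full scan, "
                            "confirm perimeter IDS coverage")
REVIEW_DETAILS = "no CVE reference: review advanced event details against normal business use"


@dataclass(frozen=True)
class IpsEvent:
    host: str
    signature_id: int
    cve_refs: tuple = ()                   # CVE links in the signature description, if any
    vendor_update_available: bool = False  # a Microsoft/vendor update resolves the issue
    vendor_update_applied: bool = False    # that update is confirmed installed on the host
    normal_business_use: bool = False      # the trigger correlates to a legitimate process


def triage(ev):
    """Map one event to the action the review method recommends for that host."""
    if ev.vendor_update_applied:
        # The fix is installed and the signature still fires: treat as a false positive.
        return DISABLE_OR_EXCEPT
    if ev.vendor_update_available:
        return APPLY_UPDATE
    if ev.cve_refs or not ev.normal_business_use:
        # Known vulnerability with no fix yet, or an unexplained trigger: fall back
        # to endpoint AV/antimalware and perimeter controls.
        return SCAN_AND_CHECK_PERIMETER
    return REVIEW_DETAILS


def summarize(events):
    """{signature_id: {action: [hosts]}} so each signature can be tuned as a unit."""
    report = defaultdict(lambda: defaultdict(list))
    for ev in events:
        report[ev.signature_id][triage(ev)].append(ev.host)
    return {sig: dict(actions) for sig, actions in report.items()}


def signatures_safe_to_disable(events):
    """Signatures whose every reporting host already carries the vendor fix."""
    return sorted(sig for sig, actions in summarize(events).items()
                  if set(actions) == {DISABLE_OR_EXCEPT})


# Constructed sample batch.  Signature 111 appears in the article; 3000 and
# 3001 are made-up ids, and "CVE-PLACEHOLDER" stands in for a real reference.
SAMPLE_EVENTS = [
    IpsEvent("ws-101", 111, ("CVE-PLACEHOLDER",), vendor_update_available=True,
             vendor_update_applied=True),
    IpsEvent("ws-102", 111, ("CVE-PLACEHOLDER",), vendor_update_available=True),
    IpsEvent("srv-01", 3000, normal_business_use=True),
    IpsEvent("srv-02", 3000),
    IpsEvent("ws-103", 3001, ("CVE-PLACEHOLDER",), vendor_update_available=True,
             vendor_update_applied=True),
    IpsEvent("ws-104", 3001, ("CVE-PLACEHOLDER",), vendor_update_available=True,
             vendor_update_applied=True),
]

if __name__ == "__main__":
    for sig, actions in summarize(SAMPLE_EVENTS).items():
        print(sig, actions)
    print("safe to disable on updated systems:", signatures_safe_to_disable(SAMPLE_EVENTS))
```

The per-signature grouping is the useful part: a signature where every reporting host is already patched can be disabled for those systems as a unit, while a signature with a mix of patched and unpatched hosts needs the update pushed before any tuning.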
Client firewall and firewall rules
Common firewall policy configuration questions include which firewall rules should be configured on endpoint systems. Typical enterprise customer firewall policies range from simple rule sets that use connection and location aware groups, to complex rule policies that define process executable hashes, which encompass hundreds of inbound and outbound firewall rules. Large firewall policies add complexity for management and can contribute to decreased performance on lower spec systems. Large rule sets can also add performance overhead on the ePO server during policy configurations and increased overhead for the McAfee Agent (MA) during policy enforcement intervals.
The Host IPS 8.0 firewall includes several features that allow for simplified policy configurations:
Host IPS 8.0 includes simplified default firewall policy rule templates on which you can base your policy. We recommend that you use simplified rule sets using the stateful firewall, trusted networks, and trusted applications for internal corporate network policies.
The firewall is considered a stateful firewall, which reduces the need for excessive inbound firewall rules. Rule policies can be much more simplified. The firewall state table dynamically stores information about active outbound traffic connections from the system. The firewall state table rules filter and allow the associated return traffic, which negates the need to define complex inbound rule sets.
The use of Location Aware groups further defines rule sets for remote users off the normal LAN. You can configure simplified rule sets within a Location Aware group. This action enables remote users to connect using a company VPN, and then use normal firewall rules.
Trusted Networks—Lists IP addresses and networks, including TrustedSource exceptions, that are safe for communication. Trusted networks can include individual IP addresses or ranges of IP addresses. Listing networks as trusted eliminates or reduces the need for network IPS exceptions and more firewall rules (for Windows clients only).
Trusted Applications—Lists applications that are safe and have no known vulnerabilities. Marking applications as trusted eliminates or reduces the need for IPS exceptions and more firewall rules. Like the IPS Rules policy, this policy category can contain multiple policy instances (for clients on both Windows and non-Windows platforms).
Firewall Adaptive Mode—An aid for firewall tuning.
NOTE: Only use Adaptive Mode temporarily on a few systems for firewall rules tuning. This mode can create many client rules on end systems. So, it can also create a significant overhead for the ePO server while processing excessive firewall client adaptive rules. We recommend limiting the Adaptive Mode for firewalls to a few systems for a limited time as an aid in firewall policy tuning.
Review client adaptive rules daily or at a minimum, weekly, while target systems have Adaptive Mode enabled. After you initially deploy Adaptive Mode for firewalls, disable Adaptive Mode on target systems with the Retain client rules option deselected. This action makes sure that all learned client rules on the target system are purged. From the ePO console, review the firewall client rules. Identify rules to apply to a tuning firewall rules policy on the end system before you re-enable the firewall with Adaptive Mode. Take these iterative steps to achieve a final firewall rules policy before deployment to all systems. Adaptive Mode might not recognize some network traffic related to applications, and you might have to configure firewall rules manually. Contact your application vendor for information about application-specific firewall configurations to ensure functionality.
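The state-table behaviour described above for the stateful firewall, shown as an added toy packet filter that is not code from this article or from Host IPS. Outbound traffic creates a state entry; inbound traffic that matches an entry is the return half of that connection and is allowed without any inbound rule; everything else inbound falls through to an explicit allow list standing in for Trusted Networks and is otherwise blocked. The packet fields, the rule format and the sample traffic are this example's own assumptions, and a real state table also tracks protocol state and expires entries.

```python
"""Toy stateful packet filter (added illustration, not Host IPS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving the host) or "in" (arriving at the host)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, trusted_networks=()):
        self.trusted = [ip_network(n) for n in trusted_networks]
        # State entries are 5-tuples seen from the host's side:
        # (proto, local_ip, local_port, remote_ip, remote_port)
        self.state = set()
        self.decisions = []  # (verdict, reason, packet) audit trail

    @staticmethod
    def _local_view(pkt):
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        key = self._local_view(pkt)
        if pkt.direction == "out":
            self.state.add(key)   # outbound connection populates the state table
            return self._record(pkt, "allow", "outbound; state entry created")
        if key in self.state:
            return self._record(pkt, "allow", "return traffic matched state table")
        if any(ip_address(pkt.src) in net for net in self.trusted):
            return self._record(pkt, "allow", "source is in a trusted network")
        return self._record(pkt, "block", "unsolicited inbound; no matching rule")

    def _record(self, pkt, verdict, reason):
        self.decisions.append((verdict, reason, pkt))
        return verdict


# Constructed traffic sample (documentation/test-net addresses): a web request
# and its reply, an SMB probe from an untrusted address, an RDP connection from
# the trusted admin subnet, and a DNS "reply" the host never asked for.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 51000, "93.184.216.34", 443),
    Packet("in", "tcp", "93.184.216.34", 443, "10.0.0.5", 51000),
    Packet("in", "tcp", "203.0.113.7", 4444, "10.0.0.5", 445),
    Packet("in", "tcp", "10.0.1.20", 50022, "10.0.0.5", 3389),
    Packet("in", "udp", "198.51.100.53", 53, "10.0.0.5", 51001),
]


def run_sample(trusted_networks=("10.0.1.0/24",)):
    """Run the sample traffic through a fresh firewall; return the verdicts."""
    fw = StatefulFirewall(trusted_networks)
    return [fw.filter(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    fw = StatefulFirewall(("10.0.1.0/24",))
    for p in SAMPLE_TRAFFIC:
        fw.filter(p)
    for verdict, reason, pkt in fw.decisions:
        print(f"{verdict:5} {pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  ({reason})")
```

Only the web reply is admitted by the state table; the RDP connection needs the trusted-network entry, and the two unsolicited packets are dropped without any inbound deny rule having to be written.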
Installation, setup, uninstall, and deployment using ePO
Most support calls in this category consist of questions that are addressed in the Host Intrusion Prevention 8.0 Installation Guide.
We recommend that you thoroughly test and baseline any new security application installation in your production environment before you deploy it to all systems. Although we thoroughly test and validate security products before release, you should do the same before you deploy Host IPS to all nodes in an enterprise environment. Third-party products and network infrastructures adopt new security features at a rapid rate because of technology advances. Product interoperability remains a moving target for all vendors, and base customer images must be validated whenever any product changes. After you validate Host IPS in test or pilot environments, we recommend a production pilot or phased approach to the enterprise production deployment.
New installation failed
Host IPS is deployed with IPS and firewall features turned off by default. We recommend that you select systems that represent the applications and configurations for all groups within your environment. If you have standardized images, it's easier to validate Host IPS for your environment. If you have dissimilar systems, you might have challenges when you validate interoperability. It's easier for Technical Support to resolve interoperability issues before enterprise-wide deployment, rather than resolve critical issues that you find during or after an enterprise-wide deployment.
What if I have a problem with third-party software?
Issues that involve third-party software can happen, especially when it involves third-party security software. See the following articles:
IMPORTANT: If you contact Technical Support for an issue that you can't resolve, you must also engage the third-party vendor for analysis in parallel with us. Many interoperability issues require resolution by the third-party vendor and not us. We're committed to working closely with third-party vendors to resolve any interoperability issues.
What makes Host IPS a 64-bit product?
Host IPS 8.0 installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path. Other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product doesn't adhere to installation guidelines for 64-bit files in the \program files folder, but the product supports x64 natively.
What runs in 32-bit compatibility mode on x64 systems?
Some third-party applications run as 32-bit, so Host IPS 8.0 loads the appropriate 32-bit IPS engines for them.
Why should I install MA on laptops that rarely connect to the network?
MA is an ePO agent that provides policy enforcement. After you install the agent and it receives your policy, which is configured at the ePO server, the policy you define is enforced at the policy enforcement interval you define whether the laptop is on or off the network. This action makes sure that your company settings for your products are always in place.
Can I use Host IPS 8.0 to block access to USB devices?
Not effectively. It's possible to block access to USB devices using a custom IPS signature with Host IPS 8.x. But, there are security limitations when using an IPS signature.
To efficiently block USB devices, we recommend that you use Data Loss Prevention.
Why are the Host IPS 8.0 incremental patch (MSP) packages larger than the full Host IPS installation that includes the patch?
MSP packages continue to get larger because each time we release a new patch, the MSP must contain the information needed to upgrade every previously released patch and the General Availability version of the product. Because of this requirement, there is a transform (MST) embedded in the MSP for each of these previous versions, rather than only a copy of the new files.
The MST transform is basically an MSI diff that takes a previously known MSI and updates it to the latest MSI the patch is based on. Because the MSI tables contain binary data for things such as the embedded custom action code and some of our support utilities (for example, clientcontrol.exe), these MSI differences can be large, which causes each subsequent patch to grow.
How do I install Host IPS 8.0 locally or with third-party solutions?
Extract the installation files from the .zip to a temporary folder, run Setup.exe, and then complete the installation. Setup.exe supports many of the MSI command-line options.
How do I install Host IPS using ePO?
Add the installation package to your repository, and then create or modify a Deployment Task. The Deployment Task also allows you to specify command-line options. This ability allows you to make simple changes to the installation, such as not installing a particular feature. For a complete list of options, see the Host Intrusion Prevention 8.0 Installation Guide.
Why does the product install to the Program Files (x86) folder?
Host IPS installs both 32-bit and 64-bit binaries on x64 systems. The 64-bit product binaries are installed to an x64 subfolder from the installation path. Other binaries, such as drivers, are installed to their appropriate places in the Windows file system. The product doesn't adhere to installation guidelines for 64-bit files in the \program files folder, but the product supports x64 natively.
Is there any Host IPS Signature content in the installation package?
Host IPS ships with signature content 8.0.0.3709, which allows Host IPS to function after an installation if an ePO server can't be contacted for signature updates. We recommend that you configure a regularly scheduled update task to include Host IPS Signature Content for installed systems.
How often is Host IPS content updated?
Host IPS is updated to the common repository on the second Tuesday of every month by 8 p.m. GMT. The second Tuesday of every month is also when Microsoft Windows Security Updates are released (also known as Microsoft Patch Tuesday).
Do I have to restart after I install?
For new systems, you don't have to restart to begin using Host IPS 8.0. But, we recommend that you restart to ensure a cleaner Windows environment.
NOTE: If you upgrade Host IPS 7.0 systems, you might need to restart, depending on your operating system. We recommend that you validate against your specific images.
How do I remove Host IPS?
You can remove Host IPS using an ePO Deployment Task, or locally using Programs and Features or Apps & features, depending on your version of Windows. You must disable IPS protection on the system before removing Host IPS locally.
Is my product version supported?
For End of Life (EOL) information, visit the Knowledge Center page.
How do I add multiple IP addresses for my firewall rules?
You can define a new "network" item in the Host IPS Catalog. You can define the network object container with a single or multiple IP addresses, subnet, local subnet, IP range, FQDN, any local, any IPv4, or any IPv6 as trusted. After you've defined a network catalog object, you can use this catalog object in your firewall rules Network Options by clicking Add from Catalog when you edit firewall rules. If IP addresses need to change for any rule using the catalog object, you can update the IP addresses in your network catalog object from the Host IPS Catalog. All firewall rules that refer to the catalog object receive the updated network IP addresses.
How do I stop the Host IPS service?
Host IPS uses a self-protection mechanism to prevent even administrators from stopping the service. It's controlled using the IPS policy, and self-protection is turned off when IPS is disabled. You can also disable IPS locally using the Host IPS client user interface (UI) tray icon. You need a Host IPS administrator password to unlock the client UI and disable the IPS.
How do I configure Application Blocking on Host IPS 8.0?
The Application Blocking feature was removed for Host IPS 8.0, but you can configure application blocking and hooking protection using IPS signatures 6010 and 6011. For more information, see KB71794 - Application blocking functionality with Host Intrusion Prevention 8.0.
How do I investigate performance issues?
There are several approaches to investigate performance issues. Perform the actions in the following steps sequentially to help identify the issue. After you identify the issue, you can take appropriate steps to resolve it. The following steps are intended as guidelines rather than comprehensive instructions. More tools are listed in KB72766 - Utilities used for troubleshooting.
Task Manager—Press Ctrl+Shift+Esc to open the Task Manager. Sort by the CPU column to see which processes are using the CPU.
NOTE: The number is a percentage of all available processors or cores. So, 25% on a four-CPU system would mean that a process is pegging one of the cores, which usually indicates a problem. You can investigate more after you identify the offending processes.
Performance Monitor—Use the Performance Monitor (PerfMon) to record how much CPU is being used and for how long. This information shows how the system or users are impacted. Use PerfMon to monitor the Process, Processor, and Memory performance objects, and capture all counters and instances. We advise a sampling rate of one second for most issues that occur within a brief window of time or are predictable. To reduce the size of the log generated, you can capture fewer, more specific counters instead of everything. This approach allows the capture to run for longer periods without creating an unwieldy log file.
Windows Performance Monitoring Tool (XPerf)—In Microsoft Vista and newer operating systems, Microsoft provides a powerful tool that gives detailed information about a performance problem, including the API that's being called the most. Vendors typically use this information at an engineering or development level, where symbol files for source code are accessible. This information helps clarify what code paths are being used.
VSE Profiler (when VSE is also running on system)—The VSE Profiler provides visibility into what the product is doing, such as what files are being scanned. This tool provides a way to generate reports, which can help you understand the collected data.
To download the VSE Profiler, go to the Profiler page. You might be able to create exclusions or apply the Hi/Low/Default scanning profiles to create a configuration that improves performance.
IMPORTANT: We recommend working with Technical Support if your performance issues aren't addressed after you follow the above steps.
Why is the ePO server using so much CPU when the Property Translator server task is running?
The Host IPS ePO Property Translator server task runs every 15 minutes by default. This task converts system client properties into adaptive client rules that are displayed in the client rules tabs of the Host IPS Event Reporting display. Excessive processing of client rules can cause increased CPU consumption for ePO-related processes. Also, malformed properties collected from the end system might cause Property Translator errors. The Host IPS 8.0 Patch 4 and later extensions display the following alert when you enable Adaptive Mode in the Firewall Options policy:
We recommend that you enable Adaptive Mode on selected systems for a limited amount of time only. Enabling Adaptive Mode on many systems for a long time can significantly impact performance for the Host IPS Property Translator server task on ePO.
For more information, see the following related articles:
How do I prevent the firewall from blocking non-IP traffic?
The firewall doesn't recognize some non-IP traffic types, so they're blocked unless they're specified in a firewall rule. Also, the adaptive and learn modes don't dynamically detect and create firewall rules for non-IP protocols. To prevent non-IP protocols from being dropped, select Allow traffic for unsupported protocols in the Firewall Options policy, and then check the Activity Log for Allowed Incoming/Outgoing Non-IP Protocol: 0xXXX, where 0xXXX indicates the IANA Ethernet number of the protocol (see this document). Use this information to determine the non-IP traffic that's needed and create a firewall rule that allows it.
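The Activity Log review step above, as an added example that is not code from this article or from Host IPS. It assumes the Activity Log is plain text in which the relevant entries contain the quoted phrase "Allowed Incoming/Outgoing Non-IP Protocol: 0xXXX"; the timestamp layout, the surrounding noise lines and the sample excerpt are constructed for this example. The EtherType names are the IANA assignments; anything not in that short table is flagged so that it is looked up before an allow rule is written for it.

```python
"""Summarise non-IP protocol entries from a firewall Activity Log.

Added example, not code from the KB article or the product.  Log line
layout is an assumption; only the "Allowed ... Non-IP Protocol: 0x..."
phrase comes from the article.
"""
import re
from collections import Counter

# Subset of IANA EtherTypes that commonly show up as "non-IP" traffic.
ETHERTYPE_NAMES = {
    0x0806: "ARP",
    0x8035: "RARP",
    0x8100: "802.1Q VLAN tag",
    0x8863: "PPPoE Discovery",
    0x8864: "PPPoE Session",
    0x888E: "EAPOL (802.1X)",
    0x88CC: "LLDP",
}

ENTRY_RE = re.compile(
    r"Allowed (?P<direction>Incoming|Outgoing) Non-IP Protocol: 0x(?P<code>[0-9A-Fa-f]+)"
)

# Constructed Activity Log excerpt (line layout assumed).
SAMPLE_LOG = """\
2022-05-16 09:12:01 Allowed Incoming Non-IP Protocol: 0x0806
2022-05-16 09:12:01 Allowed Outgoing Non-IP Protocol: 0x0806
2022-05-16 09:12:05 Blocked Incoming TCP 203.0.113.9:4444 -> 10.0.0.5:445
2022-05-16 09:12:07 Allowed Incoming Non-IP Protocol: 0x88CC
2022-05-16 09:12:30 Allowed Incoming Non-IP Protocol: 0x0806
2022-05-16 09:13:00 Allowed Outgoing Non-IP Protocol: 0x8863
2022-05-16 09:13:00 Allowed Incoming Non-IP Protocol: 0x9999
"""


def parse_non_ip_entries(text):
    """Return a Counter keyed by (ethertype_int, direction) for matching lines."""
    counts = Counter()
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            counts[(int(m.group("code"), 16), m.group("direction"))] += 1
    return counts


def rule_candidates(text):
    """One row per EtherType: what it is, which directions were seen, how often.

    Unknown EtherTypes are flagged so the administrator looks them up before
    writing an allow rule rather than leaving unsupported protocols allowed.
    """
    counts = parse_non_ip_entries(text)
    rows = {}
    for (code, direction), n in counts.items():
        row = rows.setdefault(code, {
            "ethertype": f"0x{code:04X}",
            "name": ETHERTYPE_NAMES.get(code, "UNKNOWN - look up before allowing"),
            "directions": set(),
            "count": 0,
        })
        row["directions"].add(direction)
        row["count"] += n
    return [rows[c] for c in sorted(rows)]


if __name__ == "__main__":
    for row in rule_candidates(SAMPLE_LOG):
        print(f"{row['ethertype']}  {row['name']:32}  "
              f"{'/'.join(sorted(row['directions'])):18}  seen {row['count']}x")
```

Once the needed EtherTypes are known, the corresponding firewall rules can be created and Allow traffic for unsupported protocols turned back off, so that only the identified non-IP protocols pass.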
How does Host IPS protection work?
Host IPS protection monitors executable system calls made using Application Programming Interfaces (APIs) on the protected system. These system calls are made to and from the operating system kernel for processing resources. Host IPS monitoring detects anomalies in system calls and blocks or logs those calls for analysis. Host IPS uses several monitoring-class engines to achieve this goal. For information regarding the Buffer Overflow, Files, Hook, Illegal API Use, Illegal Use, ISAPI, Program, Registry, Services, and SQL engine classes, see the Host Intrusion Prevention 8.0 Product Guide.
How does Buffer Overflow Protection (BOP) work?
BOP monitors executables and APIs on the protected system. It checks for code execution from a buffer overflow or buffer overrun. BOP doesn't stop the overrun from occurring, but stops code execution that occurs from that overrun. This exploit method is common, and is used by malware against vulnerable applications to gain access to data or the system, and to further propagate itself.
Protection works through kernel-level hooks (also known as kernel patching of various system tables) that detour code execution through our safety tests before returning it to the previously scheduled program. This feature has limited support on 64-bit platforms because the kernel allows only limited patching. BOP can be redundant if Data Execution Prevention is in place. For information about coverage details for supported Windows platforms, see KB51504 - REGISTERED - Signature Directive support.
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.
What's Network IPS Protection?
The Network IPS protection filter driver inspects data that communicates between the protected system and the network. Packets are examined against malicious attack profiles. If an attack is identified, the offending data is discarded or blocked from passing through the system. Host IPS contains a default list of network IPS signatures for Windows platforms. You can edit the severity level, log status, and client rule creation setting of these signatures. But, you can't presently add custom network signatures. Network signatures perform the following:
Protect systems located downstream in a network segment
Protect servers and the systems that connect to them
Protect against network denial-of-service attacks and bandwidth-oriented attacks that deny or degrade network traffic
Is the Host IPS Firewall filter driver Network Driver Interface Specification (NDIS) 5.0 or NDIS 6.0?
The NDIS is the API for network adapters and network filter drivers operating on Microsoft operating systems. Microsoft and 3COM Corporation originally developed this specification together. Windows 7, Windows Vista, Windows Server 2008, and newer operating systems use the NDIS 6.x API. These operating systems also provide backward compatibility for the NDIS 5.x filter drivers through a Microsoft compatibility layer.
Host IPS 8.0 includes two versions of the firewall driver:
One firewall driver is built on the NDIS 6.x specification for Vista and newer operating systems.
The other firewall driver is built on the NDIS 5.x specification for Windows XP and Windows 2003.
NOTE: We recommend that you run Host IPS 8.0 on Vista and newer operating systems when practical because NDIS 6.x drivers run the updated programming interface on Vista and newer operating systems.
Microsoft ended extended support for Windows Server 2003 SP2 on July 14, 2015. As of the end of 2015, the only product we support with Windows Server 2003 SP2 is Application and Change Control.
What's the Host IPS HTTP engine?
The Host IPS 8.0 HTTP engine consists of two components: a stub and an engine. The stub is a thin wrapper that IIS loads; the stub then loads the main HTTP engine depending on control values stored in the registry. Because the HTTP engine is loaded through a stub, policy changes that relate to the HTTP engine don't require a restart of IIS. When the HTTP engine is disabled from IPS Troubleshooting, its entry is removed from IIS. The engine builds queries from the HTTP request and passes them to the HIP client for matching. If the request isn't blocked, the engine allows the HTTP request to continue. No POST data is included in the raw data section. The raw data section contains the header variables for all versions of IIS.
Which Host IPS services must be running on a client for the software to function properly?
Make sure that the following services are active to provide intrusion prevention protection with IPS, the firewall, or both:
Host IPS notification area icon service (FireTray.exe)
Host IPS client console (McAfeeFire.exe)
Where are log files located?
All log files are located in the C:\ProgramData\McAfee\Host Intrusion Prevention\ directory on the client system.
Which log files are associated with the Host IPS component?
The primary log file for the Host IPS component is HipShield.log. This log file grows to 128 MB and rotates with one backup. The DWORD entries log_rotate_size_kb and log_rotate_count control log file rotation. The entries are located in the following:
The log_rotate_count key determines the number of backup log files to preserve, and the DWORD entry log_rotate_size_kb is the approximate size in kilobytes of a backup log file, where 0 means log rotation is disabled. When the log_rotate_size_kb specified size is exceeded, the file is closed and renamed with the suffix .1. If a file with that name exists, the suffix increments by one. When the specified number of backup files is reached, the oldest is deleted.
What are things to look for in HipShield.log?
A run of the Host IPS component begins with a banner statement that identifies the build run, and the date and time stamp of the session. Each entry of the HipShield log shows a date and time stamp, followed by an indication of whether this data is informational, debugging, or error. The data contained in the HipShield is ad-hoc, and differs between parts of the Host IPS component. Key areas of interest are as follows:
Lines that begin with In install modules new describe the copying of files as part of the start of the Host IPS component. Failure to copy these files prevents the Host IPS component from starting.
A line that begins with Scrutinizer initialized successfully indicates that the Host IPS component is loaded successfully through the initialization of the Scrutinizer. This action depends on the above-mentioned files having been copied properly.
A line that begins with New Process: PID = indicates the Host IPS component can monitor process creation.
A line that begins with IIS - Start indicates that IIS monitoring is beginning.
A line that begins with Scrutinizer started successfully ACTIVATED status indicates that the Scrutinizer has successfully started.
A line that begins with Hooking xxx indicates that process hooking is proceeding. The number xxx indicates the process ID (PID) of the process being hooked.
A series of lines that begin with Processing Buffer xxx.scn reports the results of the Scanner processing of scanfile xxx.scn, where xxx is a name such as EnterceptMgmtServer, as shown above. Errors in the Scanner processing of scan files are reported here.
Lines in the format signature=111 level=2, log=True report that an individual signature has been loaded. The signature ID and level are included with an indication of whether logging is enabled for this signature.
NOTE: The Shield.db and except.db files are created in the same directory as the logs only when debugging is enabled. These files contain a dump of the rules and exceptions that are sent to the kernel after the AgentNT.dll has processed the content.
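A startup health check built from the marker phrases listed above, as an added example that is not code from this article or from Host IPS. It reports whether the component got through the files-copied, Scrutinizer-initialized, Scrutinizer-started chain, which PIDs were hooked, which signatures loaded with what level and logging flag, and which scan files produced errors. The sample log is constructed: only the marker phrases come from the article, while the timestamp and severity layout, the PIDs and the file names are assumptions (signature ids 111 and 6010 appear elsewhere in the article).

```python
"""Startup health check over a HipShield.log excerpt.

Added example, not from the KB article or the product.  The line layout
"<date> <time> <severity> <message>" is an assumption; marker phrases are
those the article lists.
"""
import re

# Constructed sample; PIDs, file names and layout are made up.
SAMPLE_HIPSHIELD = """\
2022-05-16 08:00:00 Info  ---- Host IPS component session start (banner) ----
2022-05-16 08:00:01 Info  In install modules new: copying component files
2022-05-16 08:00:02 Info  Scrutinizer initialized successfully
2022-05-16 08:00:03 Info  New Process: PID = 1204
2022-05-16 08:00:03 Info  Hooking 1204
2022-05-16 08:00:03 Info  New Process: PID = 1388
2022-05-16 08:00:03 Info  Hooking 1388
2022-05-16 08:00:04 Info  IIS - Start
2022-05-16 08:00:04 Info  Processing Buffer EnterceptMgmtServer.scn
2022-05-16 08:00:04 Info  signature=111 level=2, log=True
2022-05-16 08:00:04 Info  signature=6010 level=1, log=False
2022-05-16 08:00:05 Error Processing Buffer CustomRules.scn: parse failure at line 12
2022-05-16 08:00:06 Info  Scrutinizer started successfully ACTIVATED status
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<sev>\w+)\s+(?P<msg>.*)$")
SIG_RE = re.compile(r"signature=(\d+) level=(\d+), log=(True|False)")
HOOK_RE = re.compile(r"^Hooking (\d+)")
BUFFER_RE = re.compile(r"Processing Buffer (\S+\.scn)")

# Marker phrases from the article, keyed by the milestone they indicate.
MILESTONES = {
    "modules_installed": "In install modules new",
    "scrutinizer_initialized": "Scrutinizer initialized successfully",
    "process_monitoring": "New Process: PID =",
    "iis_monitoring": "IIS - Start",
    "scrutinizer_started": "Scrutinizer started successfully ACTIVATED status",
}
CORE_CHAIN = ("modules_installed", "scrutinizer_initialized", "scrutinizer_started")


def check_startup(text):
    """Scan a HipShield.log excerpt and return a dict describing startup state."""
    report = {k: False for k in MILESTONES}
    report.update(hooked_pids=[], signatures={}, scan_errors=[])
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sev, msg = m.group("sev"), m.group("msg")
        for key, phrase in MILESTONES.items():
            if msg.startswith(phrase):
                report[key] = True
        h = HOOK_RE.match(msg)
        if h:
            report["hooked_pids"].append(int(h.group(1)))
        s = SIG_RE.search(msg)
        if s:
            report["signatures"][int(s.group(1))] = (int(s.group(2)), s.group(3) == "True")
        b = BUFFER_RE.search(msg)
        if b and sev.lower() == "error":
            report["scan_errors"].append(b.group(1))
    # The component is up only if files were copied and the Scrutinizer both
    # initialized and started; hooking and signature loads depend on that.
    report["healthy"] = all(report[k] for k in CORE_CHAIN)
    return report


if __name__ == "__main__":
    r = check_startup(SAMPLE_HIPSHIELD)
    for k in MILESTONES:
        print(f"{k:24} {'ok' if r[k] else 'MISSING'}")
    print("hooked PIDs:", r["hooked_pids"])
    print("signatures loaded:", r["signatures"])
    print("scan-file errors:", r["scan_errors"])
    print("healthy:", r["healthy"])
```

A log that stops before the Scrutinizer started line, or that shows Processing Buffer errors, is the first thing to look for when IPS protection appears enabled in ePO but no events arrive from a client.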
Which log files are associated with the firewall component?
Debug level logging
Policy enforcement timing statistics
Errors or warnings
FireTray.log / McTrayHip.log (Tray log):
Debug level logging
Errors or warnings
FireUI.log (Client UI log):
Debug level logging
Errors or warnings
These log files grow until they reach the default maximum size of 100 MB. If you require larger or smaller log files, you can control the size by adding the following registry value: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\MaxFwLogSize]
To set the log size, see the "Which log files are associated with the firewall component?" section of the Host Intrusion Prevention 8.0 Product Guide.
What's the ClientControl command-line utility?
This command-line utility helps automate upgrades and other maintenance tasks if you use third-party software to deploy Host IPS on clients. You can include it in installation and maintenance scripts to temporarily disable IPS protection and activate logging functions. For more information, see the Host IPS 8.0 ClientControl.exe Utility document.