Unable to import Host IPS policy.xml on Host IPS 8.0 Patch 4 and 8.0 Patch 3 Extension versions due to a signature name with a tab delimiter
Technical Articles ID:
KB82599
Last Modified: 8/7/2014
Last Modified: 8/7/2014
Unable to import Host IPS policy.xml on Host IPS 8.0 Patch 4 and 8.0 Patch 3 Extension versions due to a signature name with a tab delimiter
Technical Articles ID:
KB82599
Last Modified: 8/7/2014 EnvironmentMcAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 4, 8.0 Patch 3
ProblemA Host IPS 8.0 Patch 4 or 8.0 Patch 3 policy export may not import correctly if it include an IPS exception containing a signature name with a tab delimiter.
CauseWhen creating an IPS exception directly from the IPS event, it uses the signature name of that event as the exception name. If the signature name contains a tab or '\t' character, the exception name (which will also contain the tab character) is saved in the policy, and may corrupt the policy.
SolutionHost IPS signature content names no longer contain tab characters. This was resolved in May 2014 in content release 5510. The issue will still remain for policy exports containing tabbed signature name IPS exceptions prior to the 5510 content release.
Workaround 1For Host IPS signature content versions prior to 5510, do not create IPS exceptions through an IPS event if the signature name includes a tab character.
Workaround 2Perform the following SQL update to remove IPS exceptions that include tabs.
Before you begin:
NOTE: Depending on the speed of the SQL server, whether the database is being heavily utilized, and the number of rows being deleted, this script may take a long time to complete.
Affected Products |
|