Unable to import Host IPS policy.xml on Host IPS 8.0 Patch 4 and 8.0 Patch 3 Extension versions due to a signature name with a tab delimiter

Technical Articles ID: KB82599
Last Modified: 8/7/2014

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 4, 8.0 Patch 3

Problem

A Host IPS 8.0 Patch 4 or 8.0 Patch 3 policy export may not import correctly if it include an IPS exception containing a signature name with a tab delimiter.

Cause

When creating an IPS exception directly from the IPS event, it uses the signature name of that event as the exception name. If the signature name contains a tab or '\t' character, the exception name (which will also contain the tab character) is saved in the policy, and may corrupt the policy.

Solution

Host IPS signature content names no longer contain tab characters. This was resolved in May 2014 in content release 5510.

The issue will still remain for policy exports containing tabbed signature name IPS exceptions prior to the 5510 content release.

Workaround 1

For Host IPS signature content versions prior to 5510, do not create IPS exceptions through an IPS event if the signature name includes a tab character.

Workaround 2

Perform the following SQL update to remove IPS exceptions that include tabs.

Before you begin:

Confirm you have a complete and recent backup of the ePO database.
Confirm you have recent Host IPS policy exports to serve as a policy backup.

NOTE: Depending on the speed of the SQL server, whether the database is being heavily utilized, and the number of rows being deleted, this script may take a long time to complete.

Stop all ePO services, including any services on remote Agent Handlers (if you have any):
1. Click Start, Run, type services.msc, and click OK.
2. Right-click the following ePO services and select Stop:
  
  McAfee ePolicy Orchestrator Server
  McAfee ePolicy Orchestrator Event Parser
  McAfee ePolicy Orchestrator Application Server
Open Microsoft SQL Management Studio.
Connect to the ePO database.
Click File, New Query.
Paste the following SQL statement into the query window:

update EPOPolicySettingValues
set SettingValue = replace(SettingValue, CHAR(9), '')
where PolicySettingValuesID in (SELECT PolicySettingValuesID
FROM EPOPolicySettingValues as psv
INNER JOIN EPOPolicySettings as ps
ON psv.policysettingsID = ps.POlicySettingsID
INNER JOIN EPOPolicyTypes as pt
ON pt.typeID = ps.typeID
where pt.FeatureTextID = 'HOSTIPS_8000_IPS'
AND pt.CategoryTextID = 'IPS_Rules'
AND pt.TypeTextID = 'IPS_Rules'
AND psv.SettingName = 'Name'
AND psv.SectionName = 1
AND psv.SettingValue like '%'+CHAR(9)+'%')
Click Execute.
Start all ePO and remote Agent Handler services:
1. Click Start, Run, type services.msc, and click OK.
2. Right-click the following ePO services and select Start:
  
  McAfee ePolicy Orchestrator Server
  McAfee ePolicy Orchestrator Event Parser
  McAfee ePolicy Orchestrator Application Server

Affected Products

Host Intrusion Prevention 8.0 (EOL)
Known Issue/Product Defect

Knowledge Center

Unable to import Host IPS policy.xml on Host IPS 8.0 Patch 4 and 8.0 Patch 3 Extension versions due to a signature name with a tab delimiter

Environment

Problem

Cause

Solution

Workaround 1

Workaround 2

Affected Products

Title

Title

Knowledge Center

Unable to import Host IPS policy.xml on Host IPS 8.0 Patch 4 and 8.0 Patch 3 Extension versions due to a signature name with a tab delimiter

Environment

Problem

Cause

Solution

Workaround 1

Workaround 2

Affected Products

Choose your region

Title

Title