McAfee Host Intrusion Prevention System (HIPS) version 7 and IAG 2007

  • Question

  • Hi all,

    We are currently replacing our eGap IAG3.6 server with IAG2007.  At the same time we are migrating our endpoints from McAfee ePO3.6 with VScan 8.5i and HIPS6 to ePO4.5 with VScan8.7i and HIPS7.

    After testing access to the IAG2007 box with a laptop running ePO4.5, VScan8.7i and HIPS7 I have found that the desktop firewall HIPS isn't being recognised (strangely it IS recognised on the old 3.6 IAG).  The following page confirms it isn't supported out of the box: http://technet.microsoft.com/en-us/library/cc303255.aspx

    So my question is, how do I get IAG2007 to detect HIPS7?  Has anyone done this already?  Any help greatly appreciated.

    Tuesday, August 17, 2010 11:02 AM

Answers

All replies

  • Further to the above, according to the "About Configuration" we are currently running IAG 2007, version 3.7.2.0.37, service pack 2.18, update 2.37 with no hotfixes.

    Here's the script from the Policy Editor;

    ( PFW_McAfeeHIPS_Installed AND PFW_McAfeeHIPS_Running ) AND (AV_McAfee_Installed AND AV_McAfee_Running AND DateDiff("d",AV_McAfee_LastUpdate,Now)<14)

    Tuesday, August 17, 2010 1:09 PM
  • Hello Eric
    First of all you need to upgrade the IAG box to Service Pack 2 update 3. After that you may want to check the WMI or try to create a custom detection policy.

    The link below may give you more insight into it.

    http://blogs.technet.com/b/ben/archive/2009/06/08/policy-chase.aspx

    Tuesday, August 17, 2010 1:45 PM
  • We ran into this as well.  Turns out the registry location for HIPS changes in version 7, which is why OOTB IAG won't detect it.

    I've attempted going down the WMI route as the workaround, but have as yet been unsuccessful in creating a successful custom policy. I'd be interested to know if you come up with a successful workaround.

    Tuesday, August 17, 2010 1:52 PM
  • Thank you both for your replies and the link.  I will investigate the SP2 update 3 first, as I do wish to have the box patched to the latest version before going live.

    I'll post back when I've got it working :)

    Tuesday, August 17, 2010 2:05 PM
  • This is where I got to with a custom policy, unfortunately other priorities came up and I haven't quite figured out why this won't work:

    ( PFW_WMI_Installed_1 ) AND ( PFW_WMI_Running_1 ) AND ( CInt ( Left ( PFW_WMI_Version_Product_1,2 ) ) >=7 ) AND ( Instr ( LCase ( PFW_WMI_Name_1 ), "mcafee host intrusion prevention" ) >=1 )

    It's definitely a problem with detecting the correct PFW_WMI_Name_1 value...

    Tuesday, August 17, 2010 2:30 PM
  • Hello DNG

    You are right that the registry settings in the whaledetection script have not been updated, which may cause the latest version of the antivirus not to be detected by IAG.

    Tuesday, August 17, 2010 2:31 PM
  • We're talking Personal Firewalls here, not AV, Ashish.  VScan is being detected fine.

    Thanks for posting that DNG, it's very similar to what I've come up with so far too.  I'll work on it some more tomorrow.

    If I can't get it working that way then I'll define my own custom variable to get it to work.

    I've been through the information on SP2 update 3 too and I can't see that I would benefit from applying it.  In fact it would cause me more work due to it resetting some of our customisations which I'd then have to re-create, so I probably won't be applying it.

    Tuesday, August 17, 2010 8:03 PM
  • Update

    I found your other thread here DNG (http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/c5545f18-4088-478c-9696-bf459acfaf33) where you had originally raised this issue.  It looks like some parameters simply cannot be queried on and the ones we need are not query-able.

    As an acceptable solution I have enabled a policy that looks as follows:

    PFW_WMI_Installed_1  AND PFW_WMI_Running_1  AND ( Network_Domains_NetBIOS ="COMPANY_DOMAIN_NAME" OR Network_Domains_NetBIOS ="COMPANY_DOMAIN_NAME.NET" )

    I plan to further lock this down but this does enable me to get up and running with HIPS7.

    As an alternative I could deploy a registry key (possibly using the McAfee Installation Designer for VirusScan Enterprise) and query on this.  This blog post details how this can be achieved: http://blogs.technet.com/b/amolrb/archive/2009/07/03/creating-custom-endpoint-detection-policy-and-script-for-iag.aspx

    Thanks for your input :)

    • Marked as answer by Erez Benari Sunday, August 22, 2010 8:43 AM
    Wednesday, August 18, 2010 3:38 PM
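    The two approaches discussed in this thread (matching the firewall name that WMI reports, and checking a registry marker you deploy yourself) can both be verified on the endpoint before touching the IAG policy. The script below is an added example and is not code from the thread or from IAG; it assumes that IAG's PFW_WMI_* variables are populated from the Windows Security Center WMI classes (root\SecurityCenter2 on Vista/Windows 7, root\SecurityCenter on XP), and the registry marker path and value name are hypothetical placeholders you would choose when deploying the key.

```powershell
# Added example (not from the thread). Lists the firewall products the endpoint
# has registered with Windows Security Center, which is the data a WMI-based
# IAG detection policy has to match. ASSUMPTION: IAG's PFW_WMI_* variables are
# derived from these classes; the thread does not confirm this.
function Get-RegisteredFirewallProducts {
    $results = @()
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        try {
            $products = Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction Stop
        } catch {
            continue   # namespace does not exist on this OS version
        }
        foreach ($p in $products) {
            # SecurityCenter2 exposes a productState bitmask; SecurityCenter (XP)
            # exposes separate enabled/versionNumber fields instead.
            if ($p.PSObject.Properties['productState']) {
                $state = '0x{0:X6}' -f $p.productState
            } else {
                $state = $p.enabled
            }
            if ($p.PSObject.Properties['versionNumber']) {
                $version = $p.versionNumber
            } else {
                $version = '(not exposed in SecurityCenter2)'
            }
            $results += New-Object PSObject -Property @{
                Namespace   = $ns
                DisplayName = $p.displayName
                State       = $state
                Version     = $version
            }
        }
    }
    return $results
}

# Reproduces the name test from the custom policy posted above
# (Instr(LCase(PFW_WMI_Name_1), "mcafee host intrusion prevention") >= 1)
# so you can see whether the reported display name would satisfy it.
function Test-HipsNameMatch {
    param([string]$DisplayName)
    if (-not $DisplayName) { return $false }
    return ($DisplayName.ToLowerInvariant().IndexOf('mcafee host intrusion prevention') -ge 0)
}

# Registry-marker alternative: checks for a value you deploy yourself.
# HYPOTHETICAL path and value name; substitute whatever your deployment writes.
function Test-HipsRegistryMarker {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\COMPANY_PLACEHOLDER\EndpointMarkers',
        [string]$Name = 'HIPS7Present'
    )
    if (-not (Test-Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.PSObject.Properties[$Name] -ne $null -and $item.$Name -eq 1)
}

# Run on the endpoint: show what Security Center reports and how each entry
# fares against the policy's name test, then the registry-marker result.
$firewalls = Get-RegisteredFirewallProducts
$firewalls | Format-Table Namespace, DisplayName, State, Version -AutoSize
foreach ($fw in $firewalls) {
    '{0}: policy name match = {1}' -f $fw.DisplayName, (Test-HipsNameMatch $fw.DisplayName)
}
'Registry marker present = {0}' -f (Test-HipsRegistryMarker)
```

    Run this on a managed laptop with HIPS7 installed: if the DisplayName column shows something other than a string containing "mcafee host intrusion prevention" (or no McAfee entry at all), that explains why the Instr/LCase policy never matches, and the registry-marker route or a custom variable becomes the practical option.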
  • Oh ya, totally forgot about that thread :)
    Wednesday, August 18, 2010 3:41 PM