McAfee HISCDE-AB-IA Product Guide - Page 137

What should I do if an application fails or functionality is impaired after Host Intrusion Prevention is installed or content is updated?
If an application's behavior changed after you installed or updated the Host Intrusion Prevention client, or after a content update, first determine whether an IPS signature or some other component is causing the problem.
If the issue is caused by an IPS signature:
1. Enable IPS logging (written to HipShield.log) and firewall logging (written to FireSvc.log), either on the client or in the Client UI policy on the ePolicy Orchestrator server, and reproduce the issue.
2. Search HipShield.log for VIOLATION: to find the violation details.
3. If a new signature is blocking the activity, go to the Event tab of Host IPS under Reporting on the ePolicy Orchestrator server, find the event, and create an exception from it. Make the exception as granular as possible by using the event's advanced parameters; an exception broader than the failing process and user needs weakens protection for everything else it covers.
4. If the event offers only limited advanced parameters, view the signature related to the event. A Common Vulnerabilities and Exposures (CVE) reference in the signature description indicates that a security patch is available for the vulnerability the signature covers. Apply the patch first, then disable the signature; disabling it before the patch is in place leaves the host exposed.
If the issue is not related to an IPS signature:
1. Disable all Host Intrusion Prevention modules (IPS, Network IPS, and Firewall) and retest to confirm that the issue still occurs.
2. Disable IPS and stop the Host Intrusion Prevention client service (FireSvc.exe), then retest to confirm whether the issue still occurs.
3. If the issue did not occur with the service stopped, select Allow traffic for unsupported protocols in the Firewall Options policy on the ePolicy Orchestrator server, apply the policy to the client, and retest with this option set. Note: Even when the firewall is disabled, traffic can still be dropped while Host Intrusion Prevention is active.
4. If these steps do not resolve the issue, disable the McAfee NDIS Intermediate Filter Miniport adapter and retest to verify whether the issue occurs.
5. If the issue persists, uninstall the McAfee NDIS Intermediate Filter Miniport adapter and retest to verify whether the issue occurs. For details, see KnowledgeBase article 51676 at http://knowledge.mcafee.com.
6. If the issue does not occur with the NDIS filter uninstalled, see KnowledgeBase article 68557 at http://knowledge.mcafee.com and test with the NDIS filter uninstalled and the Microsoft Pass Thru driver installed.
If the issue occurs only with the IPS module enabled and HipShield.log shows no violations:
1. Identify the executables associated with the application.
2. Exclude those executables from protection by removing them from the Host IPS Application Protection List.
3. Repeat the application functionality test and note the results.
4. Add the executables you excluded in step 2 back to the Application Protection List; the exclusion is a diagnostic step, not a fix.
5. Isolate the IPS engine that might be causing the issue. For details, see KnowledgeBase article 54960 at http://knowledge.mcafee.com.
6. Identify the IPS engine that causes the issue.
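As an added example (not McAfee's code and not part of the guide), the following Python script performs the HipShield.log triage that the two IPS branches above describe: it collects VIOLATION: records, groups them by signature and process so an exception can be scoped as narrowly as the event allows, flags signatures whose description cites a CVE (the patch-first case), and reports when the log contains no violations at all, which is the cue to move to the Application Protection List and IPS engine isolation steps rather than writing an exception. Only the VIOLATION: marker comes from the guide; the record layout, field names, signature IDs, paths and users in the embedded sample log are constructed assumptions.

```python
"""Triage HipShield.log 'VIOLATION:' records before writing a Host IPS exception.

Added example for this troubleshooting page, not McAfee code. The guide names
only the 'VIOLATION:' marker; the record layout assumed here (timestamp,
[thread id], then indented 'Key : Value' lines) is constructed and may differ
from a real client's log. Check one parsed record before trusting the grouping.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[\s*(?P<tid>\d+)\] (?P<msg>.*)$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")
CVE_RE = re.compile(r"\bCVE\b")
VIOLATION_MARK = "VIOLATION:"  # the one token the guide tells you to search for

# Constructed sample log; signature IDs, paths and users are placeholders.
SAMPLE_LOG = r"""
03/02/2011 09:14:02 [ 1204] IPS logging enabled, content loaded
03/02/2011 09:14:31 [ 1204] VIOLATION: ---- Violation Summary ----
03/02/2011 09:14:31 [ 1204]   Signature ID : 1001
03/02/2011 09:14:31 [ 1204]   Reaction     : Prevent
03/02/2011 09:14:31 [ 1204]   Process      : C:\Program Files\LineOfBiz\lob.exe
03/02/2011 09:14:31 [ 1204]   User         : CORP\jdoe
03/02/2011 09:14:31 [ 1204]   Description  : Generic buffer overflow protection
03/02/2011 09:14:32 [ 2280] Firewall policy refresh complete
03/02/2011 09:15:07 [ 1204] VIOLATION: ---- Violation Summary ----
03/02/2011 09:15:07 [ 1204]   Signature ID : 1001
03/02/2011 09:15:07 [ 1204]   Reaction     : Prevent
03/02/2011 09:15:07 [ 2280]   Rule hit     : allow tcp/443
03/02/2011 09:15:07 [ 1204]   Process      : C:\Program Files\LineOfBiz\lob.exe
03/02/2011 09:15:07 [ 1204]   User         : CORP\asmith
03/02/2011 09:15:07 [ 1204]   Description  : Generic buffer overflow protection
03/02/2011 09:16:40 [ 1204] VIOLATION: ---- Violation Summary ----
03/02/2011 09:16:40 [ 1204]   Signature ID : 1002
03/02/2011 09:16:40 [ 1204]   Reaction     : Prevent
03/02/2011 09:16:40 [ 1204]   Process      : C:\Program Files\OldViewer\viewer.exe
03/02/2011 09:16:40 [ 1204]   User         : CORP\jdoe
03/02/2011 09:16:40 [ 1204]   Description  : Viewer file-parsing flaw (CVE referenced, vendor patch available)
"""


def parse_violations(text):
    """One dict per VIOLATION: record: header time, thread id, and its fields.

    Fields are the indented 'Key : Value' lines that follow the header on the
    same thread. An unindented message ends the record; an indented line from
    another thread is skipped rather than mis-attributed to the violation.
    """
    records, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            current = None  # unparseable line: close any open record
            continue
        ts, tid, msg = m.group("ts", "tid", "msg")
        if VIOLATION_MARK in msg:
            current = {"time": ts, "thread": tid, "fields": {}}
            records.append(current)
            continue
        f = FIELD_RE.match(msg)
        if f is None:
            current = None  # ordinary log message ends the record
        elif current is not None and tid == current["thread"]:
            current["fields"][f.group("key").strip()] = f.group("value").strip()
    return records


def summarize(records):
    """Group by (signature, process): hit count, users, and whether a CVE is cited."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "cve_referenced": False})
    for r in records:
        f = r["fields"]
        g = groups[(f.get("Signature ID", "?"), f.get("Process", "?"))]
        g["count"] += 1
        if "User" in f:
            g["users"].add(f["User"])
        if CVE_RE.search(f.get("Description", "")):
            g["cve_referenced"] = True
    return dict(groups)


def recommend(sig, process, g):
    """Apply the guide's decision: CVE cited -> patch first; otherwise a narrow exception."""
    if g["cve_referenced"]:
        return ("patch_then_disable",
                f"signature {sig} cites a CVE: apply the vendor patch, confirm it, "
                f"then disable the signature (not before)")
    # Scope the exception to this signature, this executable and these users:
    # that is what 'as granular as possible' means in practice.
    return ("granular_exception",
            {"signature": sig, "process": process, "users": sorted(g["users"]),
             "hits": g["count"]})


def triage(text):
    """Pick the troubleshooting path the guide's two IPS branches describe."""
    records = parse_violations(text)
    if not records:
        return {"path": "no_violation",
                "hint": "IPS is on but HipShield.log has no VIOLATION: entries; use the "
                        "Application Protection List / IPS engine isolation steps, not an exception"}
    return {"path": "signature",
            "groups": {k: recommend(k[0], k[1], g) for k, g in summarize(records).items()}}


if __name__ == "__main__":
    for key, (action, detail) in triage(SAMPLE_LOG)["groups"].items():
        print(key, "->", action, detail)
```

Run it over a copy of HipShield.log taken after reproducing the issue with IPS logging enabled, substituting the file contents for SAMPLE_LOG. Keeping the grouping keyed on both signature and process is deliberate: the same signature firing on two different executables should produce two separate, narrowly scoped exceptions, not one wide one.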
Appendix B - Troubleshooting: General issues
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 137