cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Dvanmeter
Level 10
Report Inappropriate Content
Message 1 of 4
‎03-19-2014 07:54 AM

Prevent HIPS service from being disabled

Jump to solution

Where is the policy to prevent the McAfee Host Intrusion Prevention Service (entercept) service from being disabled and also the McAfee Host Intrusion Prevention lpc Service.  I notice the Firewall portion is blocked from tampering but not the other two

0 Kudos
Reply
1 Solution

Accepted Solutions
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 4
‎03-19-2014 10:42 AM

Re: Prevent HIPS service from being disabled

Jump to solution

1. Ensure the Host IPS module is enabled via policy.

2. Ensure you have the "McAfee Default" policy assigned to HIPS 8.0 IPS Rules and Trusted Applications policy assignments, in addition to custom policies.

3. Ensure you have the Protection Policy set to HIGH: PREVENT mode.

4. In the IPS Rules policy, ensue that Signatures 1000-1003 are set to HIGH severity.

5. Ensure you don' thave any IPS exceptions for Signature 1000-1003.

With the above set, you should not be able to stop the HIPS services (LPC and Host Intrusion Prevention, specifically), regardless if you have admin rights to the system.  If you have debug logging enabled, the Hipshield.log file should record Sig 1000 event violations if you try to stop the services.

View solution in original post

0 Kudos
Reply
3 Replies
ktankink
Employee
Employee
Report Inappropriate Content
Message 2 of 4
‎03-19-2014 10:42 AM

Re: Prevent HIPS service from being disabled

Jump to solution

1. Ensure the Host IPS module is enabled via policy.

2. Ensure you have the "McAfee Default" policy assigned to HIPS 8.0 IPS Rules and Trusted Applications policy assignments, in addition to custom policies.

3. Ensure you have the Protection Policy set to HIGH: PREVENT mode.

4. In the IPS Rules policy, ensue that Signatures 1000-1003 are set to HIGH severity.

5. Ensure you don' thave any IPS exceptions for Signature 1000-1003.

With the above set, you should not be able to stop the HIPS services (LPC and Host Intrusion Prevention, specifically), regardless if you have admin rights to the system.  If you have debug logging enabled, the Hipshield.log file should record Sig 1000 event violations if you try to stop the services.

0 Kudos
Reply
Dvanmeter
Level 10
Report Inappropriate Content
Message 3 of 4
‎03-19-2014 10:47 AM

Re: Prevent HIPS service from being disabled

Jump to solution

ok, thank you for the reply.  I thought those had to do with the mcafee agent, not HIPS.  I will test it out

0 Kudos
Reply
Dvanmeter
Level 10
Report Inappropriate Content
Message 4 of 4
‎03-19-2014 10:52 AM

Re: Prevent HIPS service from being disabled

Jump to solution

yes, that did the trick. Thank you.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC