Release Notes for Host Intrusion Prevention 8.0

About this document

Thank you for choosing this McAfee product. This document contains important information about the current release. We strongly recommend that you read the entire document.

CAUTION: We do not support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, you must first uninstall the existing version.

New features

Here is a list of new and updated features included with this release of the product.

What's new

IPS
  • New features for the IPS Options policy:
    • Startup protection: Protection at start-up before the IPS services have started
  • New features for the IPS Rules policy:
    • Exceptions based on IP address for Network IPS signatures
    • Trusted networks for both IPS signatures and firewall rules
    • Executable matching for applications is now by path, hash, digital signature and file description for signatures and exceptions instead of path only
Firewall
  • New features for the Firewall Options policy:
    • TrustedSource rating and blocking: Firewall rules block or allow incoming or outgoing traffic according to McAfee TrustedSource ratings
    • IP spoof protection: Firewall rules block outgoing traffic when the local IP address isn't one of the local system's IP addresses, and when a local MAC address is not a VM guest MAC address
    • Bridged VM support: Firewall rules allow traffic with a local MAC address that is not the local system's MAC address but is one of the MAC addresses in the range of supported VM software
    • Startup protection: Firewall rules block all incoming traffic before the firewall services have started
  • New features for the Firewall Rules policy:
    • Firewall rules are much more flexible: A single rule can now contain multiple applications (previously only one), multiple networks (previously only one), a local network and a remote network (previously only a remote network), and VPN media type in addition to wired and wireless
    • Connection-Aware Groups are now simply firewall groups that have location information and schedules with timed access for connections associated with them
    • Executable matching for applications is now by path, hash, digital signature and file description for firewall rules instead of path and hash only
  • Additional firewall policy: Firewall DNS Blocking that consists of a set of domain name patterns that are to be blocked. This policy replaces the Domain Rule that blocked DNS resolution for user-specified domain names
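The IP spoof protection and bridged VM support options above describe one decision rule for outgoing frames. The following Python model of that rule is an added illustration, not McAfee code; the VM vendor OUI prefixes, the LocalHost fields and the sample frames are assumptions made for the example, since the release notes do not list the supported VM MAC range.

```python
import ipaddress
from dataclasses import dataclass

# Vendor OUI prefixes (first three octets) of common VM guest adapters.
# Assumed for illustration: the release notes do not list the supported range.
VM_GUEST_OUIS = frozenset({
    "00:50:56", "00:0c:29", "00:05:69",  # VMware
    "08:00:27",                          # VirtualBox
    "00:15:5d",                          # Hyper-V
})

@dataclass(frozen=True)
class LocalHost:
    ips: tuple   # IP addresses configured on this system
    mac: str     # MAC address of the local adapter

def _norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")

def _is_local_ip(host: LocalHost, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr == ipaddress.ip_address(local) for local in host.ips)

def classify_outbound(host: LocalHost, src_ip: str, src_mac: str,
                      bridged_vm_support: bool = True) -> tuple:
    """Apply the IP spoof / bridged VM rule to one outgoing frame.
    Returns (verdict, reason) with verdict "allow" or "block"."""
    mac = _norm_mac(src_mac)
    ip_local = _is_local_ip(host, src_ip)
    mac_local = mac == _norm_mac(host.mac)
    if ip_local and mac_local:
        return "allow", "source IP and MAC belong to this system"
    # Bridged VM support: the guest's MAC is not ours but is in a supported
    # VM vendor range, so its traffic (with the guest's own IP) is allowed.
    if bridged_vm_support and not mac_local and mac[:8] in VM_GUEST_OUIS:
        return "allow", "bridged VM guest traffic (MAC in supported VM range)"
    if not ip_local:
        return "block", "IP spoof: source IP is not a local address"
    return "block", "IP spoof: source MAC is neither local nor a VM guest MAC"

# Constructed sample: the host itself, a bridged VMware guest, a forged source IP.
SAMPLE_HOST = LocalHost(ips=("10.1.2.3",), mac="00:1a:2b:3c:4d:5e")
SAMPLE_FRAMES = [("10.1.2.3", "00:1a:2b:3c:4d:5e"),
                 ("10.1.2.50", "00:50:56:aa:bb:cc"),
                 ("10.1.2.99", "00:1a:2b:3c:4d:5e")]

if __name__ == "__main__":
    for ip, mac in SAMPLE_FRAMES:
        print(ip, mac, *classify_outbound(SAMPLE_HOST, ip, mac))
```

With bridged VM support turned off, the guest frame in the sample is blocked because its source IP is not a local address.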
General
  • Application Blocking policies removed and their functionality replaced by two content signatures in the Host IPS Rules policy
  • Firewall Quarantine policies removed
  • New Host IPS Catalog to organize and enable reuse of common policy components among policies, particularly firewall groups, rules, locations, executables, and networks
  • Single standard set of wildcards used throughout the product
  • Logs located in a common folder, with some logs simplified for easier reading
Platform support
  • Full feature parity across 32- and 64-bit Windows platforms (except for Windows XP)
  • Added: Windows 7; SUSE Linux 10 SP3, SUSE Linux 11; Solaris Zone support
  • Removed: Windows 2000, Solaris 8, and SUSE Linux 9
SQL support
  • Added: SQL 2005, SQL 2008
  • Removed: SQL 2000
Extension/client functionality
  • Two versions of Host Intrusion Prevention 8.0: a firewall-only version and a full version containing both firewall and IPS protection
  • Host IPS extension compatibility with ePolicy Orchestrator versions 4.0, 4.5, and 4.6
  • Ability to install the Host IPS 8.0 extension in ePolicy Orchestrator even with earlier versions of Host IPS installed
  • Host IPS 8.0 extension manages only Host IPS 8.0 clients; it cannot support previous client versions
  • Both IPS and firewall protection are disabled on the client after initial installation and require the application of a policy to enable them
  • On all platforms, upgrade from evaluation version to licensed version from ePolicy Orchestrator without reinstalling a client

Known issues

Here is a list of known issues that we were aware of at production time.

To view an updated list of issues associated with this release, see KnowledgeBase article 69184 at http://knowledge.mcafee.com.

Host Intrusion Prevention Extension

  1. Issue — If the option "Include local subnet automatically" is selected in an assigned Trusted Networks policy and an HTTP or Network IPS event is triggered from a remote system on the local subnet, the remote IP address is reported as trusted in the IPS event details only if the remote IP address is explicitly included in the Trusted Networks policy. (521370)
  2. Issue — Location matching in a firewall rules group can take up to 20 seconds when a new registry value with data is created for the group. (549386)
  3. Issue — The Firewall DNS Blocking policy doesn't currently support localized domain name matching. (577764)
  4. Issue — For custom signatures, exceptions, and trusted applications, the code for application paths for the remote process and the system process should contain brackets:
    • Remote Process: -path <SystemRemoteClient>
    • System Process: -path <System>

    For example: Executable { Include { -path <SystemRemoteClient> }}

    (566890)
  5. Issue — When the firewall is in adaptive mode, ICMP traffic is blocked and an allow rule is not created.

    Workaround — Apply the Typical Corporate Sample Firewall rules policy because it already contains ICMP rules. (489628)

  6. Issue — If you have defined applications, transport options, or remote networks for a firewall group, and then enable the connection isolation option, all this data is permanently removed from the group. Disabling connection isolation does not restore the applications, transport options, or remote networks for the firewall group. (617832)
  7. Issue — You cannot drag firewall rules to a new empty firewall group.

    Workaround — Move a firewall rule up or down in the list to place it within a new empty firewall group. After the group contains a rule, you can drag rules to the group. (575087)

  8. Issue — A new firewall group with no rules can be added to Host IPS Catalog, but it cannot be edited unless a firewall rule has been added to it.

    Workaround — Make sure any firewall group added to the Host IPS Catalog contains at least one firewall rule. (625030)

  9. Issue — If the Host IPS extensions are removed, and subsequently the same or later versions are installed, you must restart the McAfee ePolicy Orchestrator Event Parser service. Until this service is restarted, events might be lost or displayed incorrectly. (626040)
  10. Issue — If downloading the Host Intrusion Prevention 8.0 extension from the ePolicy Orchestrator 4.6 Software Manager, there could be more than one extension that you are required to install. If in doubt, see the Host Intrusion Prevention 8.0 Installation Guide to make sure you have installed all required extensions. (625745)
  11. Issue — Scrollable areas in some firewall rules that have been migrated to Host Intrusion Prevention 8.0 may fail to scroll if these areas contain a large amount of data. (623329)
  12. Issue — If a firewall group is linked to the Host IPS Catalog, and its linking is broken, the firewall rules within the group remain linked to the Catalog.

    Workaround — Save the policy that contains the firewall group and then re-open the policy. This will break the linking of the rules to the Catalog. (624622)

Host Intrusion Prevention Client

  1. Issue — On Windows clients, the repair option is not available for Host Intrusion Prevention in the Add/Remove Programs control panel.

    Workaround — For repairs on Windows clients, run the command for your platform:

    • For 32-bit version: msiexec.exe /fvomus {6B005DF6-6B6E-4551-B632-B0001DF50499} /l*v %windir%\Temp\McAfeeLogs\hip8.0_repair.log
    • For 64-bit version: msiexec.exe /fvomus {D2B9C003-A3CD-44A0-9DE5-52FE986C03E5} /l*v %windir%\Temp\McAfeeLogs\hip8.0_repair.log

    (573713)
  2. Issue — The Host Intrusion Prevention client occasionally fails to restart after an update.

    Workaround — If the message "Failed to initialize Scrutinizer" is written to both the HIPShield log and the Windows event log and a "Failure stage: initialization - Agent Terminated" System Event is generated, restart the client system.

  3. Issue — Installing on Windows XP sometimes treats Host Intrusion Prevention drivers as unsigned. Please see the description and resolution of this issue in Microsoft Knowledge Base Article 822798. Alternatively, clicking "Continue" in the resulting dialog boxes will allow the software to be installed correctly. (593237)
  5. Issue — IPS alert messages and the client exceptions list show the target executable without the standard executable used to open it. The exception includes the union of the two executables, and the details appear on the details tab of the exception on the Host IPS tab under Reporting on the ePO server. (590152)
  5. Issue — IPS alert messages and client exceptions list target executables without listing any standard executable used to open the target executable. The exception includes the union of the two executables, but details appear on the details tab of the exception on the Host IPS tab under Reporting on the ePO server. (590152)
  6. Issue — Host IPS SQL engine does not report remote IP addresses. (591986)
  7. Issue — A dynamic IP Spoof rule created to block traffic associated with an application is deleted if the "Retain existing client rules" option is not selected in the Firewall Options policy.

    Workaround — Select the "Retain existing client rules" option in the Firewall Options policy. (590775)

  8. Issue — After successfully installing the Host Intrusion Prevention client with a third-party tool, the client fails to start.

    Workaround — Check to see that the Microsoft Visual C++ 2005 Redistributable file, which is required by the Host Intrusion Prevention client, is installed on the target system. This file is automatically installed when the client is deployed through ePolicy Orchestrator or installed locally with ClientSetup.exe.

  9. Issue — The Host IPS signature details obtained with the ClientControl tool lack the description, severity, status, and logging details found in Network IPS signatures. (610735)
  10. Issue — The remote IP address for a network IPS exception is recognized only when it is a single IP address or IP address range. When this IP address is specified in CIDR subnet notation (for example, 172.16.43.0/24), it is not recognized.

    Workaround — Avoid using CIDR subnet notation for the IP address of these exceptions. (620740)

  11. Issue — There is no HTTP protection for web servers running in a Solaris local zone. Protection is available only when the web server is running in the global zone. (563779)
  12. Issue — When upgrading Host IPS Linux Client 7.1.0 to Host IPS Linux Client 8.0.0, you must restart the Linux system after the new client is installed. (590169)
  13. Issue — Installing the Citrix SSL VPN client on a system where the Host Intrusion Prevention 8.0 client is installed can cause the system to fail.

    Workaround — Restart the system if this occurs. (626750)

  14. Issue — Installing the Host Intrusion Prevention 8.0 on a system running a NetMotion VPN client disables the VPN client.

    Workaround — Restart the system to restart the VPN client. (625391)

  15. Issue — Application name and Executable names fields can appear blank in Firewall Rules policies migrated from version 6.1 or 7.0. (488049)
  16. Issue — The Host Intrusion Prevention 8.0 Installation Guide lists Nortel Contivity VPN Client 10.x and Microsoft Forefront UAG 2010 as supported VPN clients. The clients have not been tested with the Host Intrusion Prevention 8.0 client and should be removed from the supported VPN list for this release. (626967)
  17. Issue — If VMware is running with IPS protection enabled, and then IPS protection is disabled, IPS protection cannot be re-enabled during the VMware session. To re-enable protection, stop the VMware session and restart it with IPS protection enabled. (594086)

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

  1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
  2. Under Self Service, access the type of information you need:
    For user documentation:
      1. Click Product Documentation.
      2. Select a Product, then select a Version.
      3. Select a product document.
    For the KnowledgeBase:
      • Click Search the KnowledgeBase for answers to your product questions.
      • Click Browse the KnowledgeBase for articles listed by product and version.

COPYRIGHT