McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 137

Product guide for use with epolicy orchestrator 4.5

Appendix B — Troubleshooting
General issues
What should I do if an application fails or functionality is impaired after Host Intrusion Prevention is installed or content is updated?
If an application's behavior changed after you installed or updated the Host Intrusion Prevention client or a content update, you need to determine whether a signature or some other element is causing the problem.
If the issue occurs because of an IPS signature:
1. Enable IPS logging (written to HipShield.log) and firewall logging (written to FireSvc.log) on the client or in the Client UI policy on the ePolicy Orchestrator server and reproduce the issue.
2. Search HipShield.log for VIOLATION: to find any <Event> violation details.
3. If a new signature is blocking activity because of an event, go to the Event tab of Host IPS under Reporting on the ePolicy Orchestrator server, find the event, and create an exception. Be sure to make the exception as granular as possible by using the advanced parameters for the event.
4. If there are limited advanced parameters for the event, view the signature related to the event. If a Common Vulnerabilities and Exposures (CVE) item is referenced in the IPS signature description, this indicates a security update patch is available. Apply the patch and disable the signature.
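The search in step 2 can be scripted. The following is an added example, not code from the product guide or from McAfee: it collects each VIOLATION: line together with the <Event> block that follows it, and returns an empty list when the log holds no violations. The closing </Event> tag, the sample log lines, and the EventData attributes are assumptions made for illustration.

```python
MARKER = "VIOLATION:"      # string the guide says to search for
EVENT_OPEN = "<Event>"     # element the guide says holds the details
EVENT_CLOSE = "</Event>"   # assumption: the element is closed this way

# Constructed sample, not real product output; timestamps, message text
# and the EventData attributes are hypothetical.
SAMPLE_LOG = """\
01-01-2011 10:00:01 [01234] INFO: engine started
01-01-2011 10:00:05 [01234] VIOLATION: ApiHook reported a violation
<Event>
<EventData SignatureID="9999" ProcessName="example.exe"/>
</Event>
01-01-2011 10:00:09 [01234] INFO: policy enforced
01-01-2011 10:01:00 [01234] VIOLATION: truncated entry at end of log
"""


def extract_violations(lines):
    """Return (line_number, marker_line, event_text) for each VIOLATION: hit.

    event_text is "" (or partial) when the log ends, or another marker
    appears, before the <Event> block is closed.
    """
    results, current, in_event = [], None, False

    def flush():
        if current is not None:
            results.append((current[0], current[1], "\n".join(current[2])))

    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if MARKER in line:
            flush()                      # previous marker never got a closed block
            current, in_event = (number, line.strip(), []), False
        if current is None:
            continue
        if not in_event and EVENT_OPEN in line:
            in_event = True
            line = line[line.index(EVENT_OPEN):]   # drop text before <Event>
        if in_event:
            current[2].append(line.strip())
            if EVENT_CLOSE in line:
                flush()
                current, in_event = None, False
    flush()                              # marker at end of log with no block
    return results


if __name__ == "__main__":
    for number, marker, event in extract_violations(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {marker}\n{event or '(no <Event> block found)'}\n")
```

To run it against a real log, pass the open file object for HipShield.log to extract_violations in place of the sample lines.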
If the issue is not related to an IPS signature:
1. Disable all Host Intrusion Prevention modules (IPS, Network IPS, and Firewall), and retest to verify the issue occurs.
2. Disable IPS and stop the Host Intrusion Prevention client service (FireSvc.exe), then retest to verify the issue occurs.
3. If the issue did not occur, select Allow traffic for unsupported protocols in the Firewall Options policy from the ePolicy Orchestrator server and apply the policy to the client. Retest with this option set. Note: Even if the firewall is disabled, traffic can still be dropped when Host Intrusion Prevention is active.
4. If these steps do not resolve the issue, disable the McAfee NDIS Intermediate Filter Miniport adapter, and retest to verify if the issue occurs.
5. If these steps do not resolve the issue, uninstall the McAfee NDIS Intermediate Filter Miniport adapter, and retest to verify if the issue occurs. For details, refer to KnowledgeBase article 51676 at http://knowledge.mcafee.com.
6. If the issue does not occur with NDIS uninstalled, refer to KnowledgeBase article 68557 at http://knowledge.mcafee.com and test with NDIS uninstalled and the Microsoft Pass Thru driver installed.
If the issue occurs only with the IPS module enabled and no <Event> violations occurred in
HipShield.log:
1. Identify the executables associated with the application.
2. Exclude the executables for protection from the Host IPS Application Protection List.
3. Repeat the test for application functionality. Note the results.
4. Include the executables you excluded in step 2.
5. Isolate the IPS engine that might be causing the issue. For details, refer to KnowledgeBase article 54960 at http://knowledge.mcafee.com.
6. Identify the IPS engine that causes the issue.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5


This manual is also suitable for:

Host intrusion prevention 8.0