HostScan Firewall check fails with McAfee HIPS 8.0 Patch 6 (and later)

Hi

We're using a HostScan Posture check to look for (amongst other things) Firewall enabled.
The Firewall is McAfee Host Intrusion Prevention 8.x
This has been working fine with McAfee 8.0 Patch 5
However - with McAfee 8.0 Patch 6 (and later) it fails.
"Windows Firewall Support Chart for HostScan 4.2.02075" shows McAfee Host Intrusion Prevention 8.x is supported and it can check Enabled Status.
I suspect the reason it fails is because McAfee changed the implementation of HIPS in patch 6.
Unlike previously it no longer uses the "McAfee Firewall Core Service".
Whilst that service is still present the service is not started.
Can someone from Cisco confirm:
- Have versions of McAfee HIPS 8.0 Patch 6 (or later) been tested with this check?
- What is the endpoint check *actually* looking for? (Does it look for the service "McAfee Firewall Core Service"?)
- How can we fix / workaround this issue?
Thanks
-AL
Philip D'Ath
VIP Alumni

More than likely you are going to need to open a case with Cisco TAC about this one.

Have you tried upgrading your AnyConnect client to a newer version in the hope that it has added support for the new McAfee software?

Not good news.  Known issue - and Cisco are not planning to fix it.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy17396/?referring_site=bugquickviewredir

You should still open a Cisco TAC case, and have it linked to the above issue.  The more cases that get linked to it the more likely Cisco are to consider doing something about it.  I see three cases linked to it at the moment.

pps.  You could also start a discussion from that bug report so it gets linked against it, and continue this thread in that.

Thanks for the reply - ironically I found the same bug report you mention literally just after posting this article! ;-)

Agree - it totally confirms what we've seen / suspected.

It's kind of "unfortunate" that McAfee changed the behaviour (although it's totally within their remit to do that). However - if Cisco say they support a particular version, then they should test for that and properly support it (not rely on a workaround like this being put in place).

Not fixing this properly means more people hitting the same problem as they roll onto later versions of McAfee HIPS (and the associated pain for troubleshooting it etc.).