
HIPS detecting / alerting when disabled

A large division of our business is software development. Unfortunately, a good sum of the executables created by the dev team are detected by HIPS as suspicious behaviour, usually of the IP/Connect type. The onslaught of alerts to the IT team and the endless pop-ups have prompted us to disable HIPS for that division. Despite that, and despite verifying that all policies are in effect for that particular group, they still get the HIPS detections.

Any ideas why that might be?



This thread was automatically locked due to age.
  • It is not easy to confirm the state of the client - I was relying on the Mgmt Console. It would certainly be a huge disadvantage for me to have to visit desktops across a geographically dispersed organization to confirm that policies applied from the console are actually applied at the client, especially when the console tells me they are in compliance.

    I currently have 10 Suspicious behaviour/file alerts outstanding; 9 are IPconnect. Only one of those is from the dept. in question, though. However, it was from this morning, and HIPS is supposedly disabled. The one possibility is that that particular user was not in compliance with the AV policy yet, as sometimes the policies do apply as expeditiously as I would like.

    When I turned it off originally, I did notice in the console all the hosts change to "Awaiting policy", which slowly changed to "Same as policy", and the one particular user I was communicating with indicated he could then run the app in question without an alert. The next morning the alert was back.
