Release Notes

McAfee Host Intrusion Prevention 8.0.0 Patch 4 Software

About this release
New features
New features — Windows client
New features — Linux client
New features — Extension
Resolved issues
Issues resolved in this release
Issues resolved in Patch 3
Issues resolved in Patch 2
Issues resolved in Patch 1
Installation instructions
Install the product directly to a client system
Install the extension in ePolicy Orchestrator
Deploy the product from ePolicy Orchestrator
Verify the installation
File inventory
Remove installation files
Known issues
Find product documentation

About this release

Thank you for using this McAfee product. This document contains important information about the current release. We strongly recommend that you read the entire document.

Purpose

This release of McAfee® Host Intrusion Prevention contains a variety of improvements and fixes. Although McAfee has thoroughly tested this release, we strongly recommend that you verify this update in test and pilot groups prior to mass deployment. Review the New features, Resolved issues, and Known issues sections for additional information.

For a list of supported environments and latest information for Host Intrusion Prevention 8.0.0 on Microsoft Windows, see KnowledgeBase article KB70778.

Important To install Host Intrusion Prevention on a server, you must purchase a license for Host Intrusion Prevention for Server or a server suite that includes Host Intrusion Prevention for Server (such as Total Protection for Server). You cannot install Host Intrusion Prevention for Desktop on a server. For additional information, contact your McAfee sales or support representative.

Patch version

This Host Intrusion Prevention 8.0.0 release includes two packages:

Patch 4 — Updates Host Intrusion Prevention 8.0.0 clients, with or without Patch 1, Patch 2, or Patch 3.
Repost Patch 4 — Includes the full Host Intrusion Prevention installation.

Extension version

This Host Intrusion Prevention 8.0.0 release includes extension packages for McAfee ePolicy Orchestrator (McAfee ePO):

Firewall — McAfee_HostFW_Extension_838.zip
Intrusion Prevention System— McAfee_HostIPS_Extension_838.zip

This release supports the following ePolicy Orchestrator versions:

5.0 (1160) and later
4.6 (1089) and later
4.5.6 (137) and later

Use this extension for both new installations and to update previous versions of Host Intrusion Prevention 8.0 Extension.

Refer to KnowledgeBase article KB70760 for the most current Host Intrusion Prevention 8.0 details.

Package date

December 18, 2013

Rating

High Priority — McAfee rates this release as a high priority for all environments to avoid a potential business impact. This update should be applied as soon as possible.

For more information about patch ratings, see McAfee KnowledgeBase article KB51560.

New features

This release of the product includes these new features.

New features — Windows client

This release of the Host Intrusion Prevention Windows client includes these new features.

Support for Windows 8.1 (Blue) and Server 2012 R2

This release of Host Intrusion Prevention includes support for:

Windows 8.1 (Blue)
Server 2012 R2

Reporting for timed groups usage

In this release of Host Intrusion Prevention, each time a user triggers a timed group, Host Intrusion Prevention generates an McAfee ePO event on the client and logs that action. The McAfee ePO administrator can then run a report to query the usage of timed groups.

NoteFor reporting on the usage of timed groups to work properly, you must run the Patch 4 version on both the clients and Extension.

For information on configuring timed groups and running reports, see New features — Extension.

GPEP signature content support

In this release, the Host Intrusion Prevention Windows client supports Generic Privilege Escalation Prevention (GPEP) signature content, providing coverage for privilege escalation exploits in kernel mode and user mode. GPEP-specific signature content is expected to release in Q4 2013.

Updated components

This release of Host Intrusion Prevention includes an updated VSCore: version 15.1.0.543.11.

New features — Linux client

This release of the Host Intrusion Prevention Linux client includes these new features.

Support for the latest versions of SUSE Linux

This release of the Host Intrusion Prevention Linux client includes support for:

SUSE 11 SP1
SUSE 10 SP4
SUSE 10 SP3

Support for the latest versions of Red Hat Enterprise Linux

This release of the Host Intrusion Prevention Linux client includes support for:

Red Hat Enterprise Linux 6.4
Red Hat Enterprise Linux 6.3
Red Hat Enterprise Linux 5.9
Red Hat Enterprise Linux 5.8

New features — Extension

This release of the Host Intrusion Prevention Extension includes these new features.

Adaptive mode

In this release, Host Intrusion Prevention displays the following alert when you enable Adaptive mode in the Firewall Options policy: 

McAfee recommends that you enable adaptive mode on selected systems for a limited amount
of time only. Enabling adaptive mode on many systems for a long time can significantly 
impact performance for the Host IPS Property Translator server task on ePolicy Orchestrator.
For more information, see McAfee Host IPS FAQ KB73399.

Hotfix installation report

This release includes a new property in the ePolicy Orchestrator Query Builder to report on HotFixes that are installed on Host Intrusion Prevention client systems.

Feature Group Result Type Property (Column)
System Management Managed Systems Host IPS 8.0 Properties | Installed Hot fixes (Host IPS)

To run an ePolicy Orchestrator report that lists the HotFixes that have been installed on Host Intrusion Prevention client systems:

1Select Queries & Reports.
2Click the Query tab, then click New.
3Select System Management from the Feature Group and Managed Systems from the Result Types, then click Next.
4Specify the Chart options, then click Next.
5From Available Columns, select Host IPS 8.0 Properties | Installed Hot fixes (Host IPS), then click Next.
6Specify the Filter options, then click Run.

For information on queries and reports, see the ePolicy Orchestrator Help.

Reporting for timed groups usage on Windows clients

In this release, each time a user triggers a timed group, Host Intrusion Prevention sends an event to McAfee ePO.

To view events generated by timed groups, select Reporting | Host IPS 8.0 | Events. Click on an event to display event details, such as Enabled, Group Name, and TimedGroupSetting.

NoteUse Threat Source IP Address to include remote IP addresses in a report.

To run an ePolicy Orchestrator report that queries the usage of timed groups:

1Select Queries & Reports.
2Click the Query tab, then click New.
3Select Events from the Feature Group and Threat Events from the Result Types, then click Next.
4Specify the Chart options, then click Next.
5From Available Columns, select Threat Source IP Address and Event Category, then click Next.
6From the Filter page, select Event Category and select Timed Group from the Value drop-down menu.
7Click Run.

Resolved issues

Here is a list of issues from this and previous releases of the software that have been fixed.

Issues resolved in this release

These issues were resolved in the Host Intrusion Prevention Patch 4 release.

Windows client

1Issue — Latency connecting GFOS X/Time application to its backend server. (Reference: 811938)

Resolution — Optimized the authentication logic for remote modules.

2IssueHost Intrusion Prevention 8.0 installation resets static IP address settings to DHCP. (Reference: 699352)

Resolution — Added static IP addressing preservation steps.

3IssueHost Intrusion Prevention Patch 2 with HotFix HF803520 installation downgrades content delivered firenfcp.sys. (Reference: 798760)

Resolution — Content now upgrades correctly.

4IssueHost Intrusion Prevention 8.0, Patch 2, and the HotFix HF803520 resulted in a kernel memory leak on Windows 2008 Server. (Reference: 876969)

Resolution — Resolved the memory leak.

5Issue — Kernel memory leak on Windows 2008 Server. (Reference: 886370)

Resolution — Resolved the memory leak.

6Issue — Some third-party plugins running in Internet Explorer 8 are incompatible with the Host Intrusion Prevention 8.0 Buffer Overflow Engine. (Reference: 845300).

Resolution — Added the Buffer Overflow Compatibility mode to the Buffer Overflow Engine. See KnowledgeBase article KB79343 for more information.

7IssueHost Intrusion Prevention 8.0 Patch 2 with Hotfix 771202 causes application memory leak in services.exe. (Reference: 820331)

Resolution — Services.exe no longer leaks memory.

8IssueHost Intrusion Prevention 8.0 causes significant delay when viewing NetApp directories. (Reference: 893759)

Resolution — Fixed a packet processing bug.

9Issue — A new installation of Host Intrusion Prevention 8.0 Patch 2 failed with error code RC 1633. (Reference: 821069)

Resolution — Modified the installation to suppress .ini file redirection (enabling the installation to read the installation configuration file, setup.ini) during installation. The installer then restores .ini file redirection after installation.

10Issue — DirectAccess and some VPN clients are slow to connect when switching networks. (Reference: 887718)

Resolution — Optimized the TrustedSource checking logic for better performance.

11Issue — The client was erroneously sending ePolicy Orchestrator administrator-created firewall rules and groups as client rules to ePolicy Orchestrator. (Reference: 881696)

Resolution — The client now sends only user-created rules to ePolicy Orchestrator.

12Issue — Server becomes unresponsive when too many connections are active on the system. (Reference: 895694)

Resolution — Improved firewall drivers to avoid the system hang.

13Issue — On Windows 8, if Startup IPS protection is enabled, McAfee Host Intrusion Prevention lpc Service does not start automatically. (Reference: 906278)

Resolution — Updated McAfee Host Intrusion Prevention content to allow McAfee Host Intrusion Prevention lpc Service to start correctly, even when Startup IPS protection is enabled.

14IssueHost Intrusion Prevention 8.0 is incompatible with Microsoft's EMET. (Reference: 903736)

Resolution — Fixed a stack alignment issue.

15Issue — An encrypted USB drive's password input program hangs. (Reference: 846848 )

Resolution — Provided a workaround for a Microsoft Windows issue.

16Issue — On x64 systems, if a 32-bit application is large-address aware and is protected by Host Intrusion Prevention, the system crashes when that process uses a lot of memory. (Reference: 906224)

Resolution — Modified Host Intrusion Prevention driver to ensure that the crash does not occur under those conditions.

17Issue — Servers are limited to 32K simultaneous network connections when running McAfee Host IPS 8.0. (Reference: 917307)

Resolution — The McAfee Host IPS ClientControl utility now includes a new /fwStateTableSize option, which allows modification of the state table size beyond the default 32K value. Increasing the state table size allows for more concurrent connections on high availability servers. See KnowledgeBase article KB77178 for more information.

18Issue — When McAfee Host IPS blocks a request in IIS, it doesn't return the correct HTTP status code to the browser. (Reference: 911356)

ResolutionHost Intrusion Prevention now sends the correct HTTP status code back to the browser.

Linux client

1IssueHost Intrusion Prevention Linux client uses an unexpected amount of CPU on multi-CPU systems. (Reference: 725694)

Resolution — Redesigned Host Intrusion Prevention Linux client to take advantage of the modern multi-CPU systems. Host Intrusion Prevention now distributes the workload across multiple CPUs, eliminating bottlenecks and high single-CPU utilization.

2IssueHost Intrusion Prevention Linux client causes a kernel panic if installed on Red Hat 4 (64-bit) LargeSMP systems. (Reference: 649718)

ResolutionHost Intrusion Prevention Linux client now supports the RedHat Linux 4 (64-bit) LargeSMP kernel.

3Issue — On systems, such as Oracle database servers, that heavily utilize the /proc file system, McAfee Host IPS excessively impacted performance. (Reference: 912518)

Resolution — Removed nonessential scanning of the /proc file system to decrease latency and increase system performance.

Solaris client

1Issue — Installing Host Intrusion Prevention 8.0 on Solaris systems with Audit Mode enabled caused a kernel panic. (Reference: 833947)

Resolution — Fixed a kernel panic by verifying the zone path is not an empty string.

2Issue — On Solaris systems with Audit Mode enabled, the Host Intrusion Prevention daemon failed to start. (Reference: 923592)

Resolution — The Host Intrusion Prevention local configuration file has been updated to correct this issue.

Extension (8.0.4.838)

1Issue — Upgrading the McAfee Host IPS Extension downgrades the content version. (Reference: 904448)

Resolution — After upgrading the McAfee Host IPS Extension, the ePolicy Orchestrator Master Repository displays the correct content version.

Issues resolved in Patch 3

These issues were resolved in the Host Intrusion Prevention Patch 3 release.

Windows client

1Issue — A vulnerability allowed for unauthorized privilege escalation by an authenticated user. (Reference: 791162)

Resolution — This update resolves the vulnerability. Refer to online Security Bulletin SB10034 for the most current details.

2Issue — Some VPN clients failed to establish a VPN link when Host Intrusion Prevention 8.0 was installed on the system. (Reference: 771202)

Resolution — Updated the firewall logic to meet certain VPN client requirements.

3IssueHost Intrusion Prevention Content version 4517 caused Firefox and IE browsers to hang with the API engine. (Reference: 793215)

Resolution — Extended the logic to handle some duplicate Windows notifications.

4Issue — Invalid firewall policies caused Naprdmgr.exe to crash during policy enforcement. (Reference: 798767)

Resolution — Added logic to better handle invalid policies.

5Issue — Firesvc.exe caused high CPU usage. (Reference: 803520)

Resolution — Improved the efficiency of the service.

6Issue — System bugcheck D1 in mfefirek.sys when using Host Intrusion Prevention 8.0 Patch 2 and certain VPN clients. (Reference: 806069)

Resolution — Certain VPN clients exposed a compatibility issue between Microsoft's WFP framework and the McAfee WFP driver. McAfee implemented a workaround in the WFP driver which resolves the issue.

7Issue — DriverVerifier testing caused Mfehidk.sys bugcheck C1 on Microsoft Windows 7. (Reference: 807869)

Resolution — Fixed a buffer overrun issue.

8IssueHost Intrusion Prevention 8.0 did not register for ownership of firewall categories required for Microsoft DirectAccess. (Reference: 813045)

ResolutionHost Intrusion Prevention now registers for the BootTimeRuleCategory, FirewallRuleCategory, and StealthRuleCategory categories.

9Issue — McTray.exe caused an error at system logon. (Reference: 788146)

Resolution — Fixed some asynchronous RPC issues.

10Issue — Excessive memory usage by NaPrdMgr.exe when Host Intrusion Prevention 8.0 is installed. (Reference: 782946)

Resolution — Fixed a memory leak.

11IssueHost Intrusion Prevention blocked traffic in a Location Aware Group for Checkpoint VPN. (Reference: 733085)

Resolution — Fixed Location Aware Group matching logic.

12IssueHost Intrusion Prevention 8.0 fails to parse certain FQDN rules. (Reference: 818082)

Resolution — Fixed the parsing logic to correctly handle all FQDN rules.

13IssueHost Intrusion Prevention 8.0 causes Windows 8 machines to automatically restart. (Reference: 823785)

Resolution — Updated core components to support Windows 8 and Server 2012.

14IssueHost Intrusion Prevention 8.0 prevents Windows Firewall from being used. (Reference: 843301)

Resolution — Cleaned up Host Intrusion Prevention registration with Windows Firewall.

15Issue — Explorer crashes when running Host Intrusion Prevention 8 Patch 2. (Reference: 821363)

Resolution — Modified the handling of certain exceptions to avoid the crash.

Solaris client

1 Issue — A panic occurs on Solaris 10 4u systems with Host Intrusion Prevention installed. (Reference: 758336)

Resolution — The Solaris client used an OS macro in an unsupported way which led to undefined behavior and core dumps, particularly under Solaris Audit mode. This usage has been corrected.

2 Issue — Solaris 8.0 system fails to install with this error: ERROR: failed to find requisite MFEcma package. (Reference: 804674)

Resolution - The installation script now bypasses the check that incorrectly fails.

Extension (8.0.3.762)

1 Issue — Policy migration fails for certain policies created with Host Intrusion Prevention 7.0. (Reference: 755156, 763627)

Resolution — Fixed a null pointer exception in the policy migrator.

2 Issue — Some policies are not viewable after being migrated from Host Intrusion Prevention 7.0. (Reference: 773226)

Resolution — Corrected the handling of an optional tag in the policy XML file.

3 Issue — Changes made to any predefined firewall groups are lost when the Host Intrusion Prevention Extension is upgraded to a newer version. (Reference: 732673)

Resolution — No longer alter predefined firewall groups during Extension upgrade.

4 Issue — Under certain circumstances, notes are not properly displayed in Effective View. (Reference: 719044)

Resolution — Notes are now displayed properly in Effective View.

5 Issue — An Unexpected Error occurred when clicking Action in the Firewall Rules Edit Group window. (Reference: 805652)

Resolution — Corrected the issue to prevent the Unexpected Error.

6 Issue — When saving a network policy, multiple entries appear in the McAfee ePO 4.6.3 server audit log. (Reference: 834915)

Resolution — The McAfee ePO server audit log now displays a single entry for each save.

7 Issue - Unable to migrate Host Intrusion Prevention version 7.0 policies that have empty notes. (Reference: 773226, 807769)

Resolution — The empty values are now handled properly to allow migration to complete.

8 IssueHost Intrusion Prevention Extension version 7.0 sub-rule names, which ended in a backslash, caused migration to fail. (Reference: 763627, 755156)

Resolution — During migration, trailing backslashes in sub-rule names are removed. Policies from Host Intrusion Prevention Extension version 7.0 now migrate properly.

Issues resolved in Patch 2

These issues were resolved in the Host Intrusion Prevention Patch 2 release.

1Issue — System Bugcheck 7f when using certain third-party VPN clients. (Reference: 716205, 725914 )

Resolution — This could occur with the McAfee filter driver due to lost content header information when transmitting through a raw socket on Windows 7. The McAfee filter driver now ensures header information is preserved and forwarded through a raw socket.

2Issue — A process could hang when running Host Intrusion Prevention and certain third-party applications. (Reference: 712198, 705273)

Resolution — When certain third-party applications perform process injections and cause Kernel32.dll to load unexpectedly, a timing issue with the Host Intrusion Prevention buffer overflow engine could result in a corrupt thread state. This potential timing issue is now avoided by using an alternative Windows API function.

3Issue — Checking in a Host Intrusion Prevention 8.0 incremental patch to the evaluation branch in McAfee ePO requires a Host Intrusion Prevention 8.0 full installation package. (Reference: 709188, 727693)

Resolution — Removed an unnecessary incremental patch check-in restriction.

4IssueVirusScan Enterprise 8.7 Buffer Overflow Protection is disabled after installing Host Intrusion Prevention 8.0 Firewall-only client. (Reference: 697222)

Resolution — Updated the Buffer Overflow interaction logic to correctly handle the Firewall-only client.

5Issue — Firewall rule does not trigger when using the "Allow any signature" option. (Reference: 695368)

Resolution — Fixed the digital signature-matching logic.

6Issue — Upgrading from Host Intrusion Prevention 7.0 to Host Intrusion Prevention 8.0 on an IIS 6 based system leaves the legacy ISAPI filter behind. (Reference: 691280)

Resolution — Removed the legacy ISAPI filter entry and modules when adding new engines.

7IssueHost Intrusion Prevention 8.0 uninstallation fails if the McAfeeLogs folder has been deleted. (Reference: 648538)

Resolution — Fixed the installer logic to handle the missing McAfeeLogs folder.

8IssueHost Intrusion Prevention content update does not apply from evaluation or previous branch. (Reference: 708494, 709299)

Resolution — Modified the update logic to update evaluation and previous versions successfully.

9Issue — Services.exe crashes on HcSvc.dll. (Reference: 682442)

Resolution — Restructured the integration with services to avoid the crash.

10Issue — Application list fails to populate when the option "Automatically include network-facing and service-based applications in the application protection list" is enabled. (Reference: 675658)

Resolution — Fixed logic in the Host Intrusion Prevention client to handle list population.

11Issue — Under certain circumstances, Host Intrusion Prevention adds duplicate entries into the access control list. Eventually, this can lead to the list reaching a maximum size and cause policy applications to fail. (Reference: 715967)

ResolutionHost Intrusion Prevention no longer adds duplicate entries.

12Issue — Microsoft SQL 2005 runs out of resources and becomes non-functional. (Reference: 715941, 719013)

Resolution — Modified the working set logic to fix this issue.

13Issue — Microsoft Project might experience latency caused by Host Intrusion Prevention Buffer Overflow Engine. (Reference: 698505, 698680)

Resolution — Optimized the Buffer Overflow Engine detection mechanism for better performance.

14IssueHost Intrusion Prevention sets IrpStackSize instead of IRPStackSize. (Reference: 708512)

Resolution — Fixed the installer to correctly set the case-sensitive registry key value.

15IssueHost Intrusion Prevention 8.0 Exclusion parameter "Group Name" does not work properly. (Reference: 688393)

Resolution — Fixed the IPS exception parsing logic to correct this behavior.

16Issue — "Create a firewall application rule for all Ports and protocols" is not honored if there is an existing application rule for specific port or protocol. (Reference: 725733)

Resolution — Fixed the related learn mode logic to correct this behavior.

17Issue — System Bugcheck in mfehidk.sys or HipShieldK.sys when certain third-party tools are installed. (Reference: 699334)

Resolution — Fixed the binary querying logic to correct this behavior.

18Issue — Delayed restart time occurs when Host Intrusion Prevention is installed on Linux RedHat Enterprise. (Reference: 713569)

Resolution — Handle the received SIGTERM signal from the OS and immediately shut down HipClient.

19IssueHost Intrusion Prevention fails to detect buffer overflow for various CVE vulnerabilities. (Reference: 708803, 667445, 665359, 702042)

Resolution — Added additional protection to cover new vulnerabilities.

20Issue — System Bugcheck after upgrading from Host Intrusion Prevention 7.0 to to Host Intrusion Prevention 8.0. (Reference: 709280)

Resolution — Updated the Host Intrusion Prevention 8.0 installer to help recover from a broken Host Intrusion Prevention 7.0 installation.

21Issue — Wireless connection fails if the system is restarted and the Ethernet cable is not connected. (Reference: 728156)

Resolution — Fixed the boot-time and run-time firewall policies to correct this behavior.

22Issue — McTray crashes randomly. (Reference: 733395)

Resolution — Fixed an RPC issue that was causing this behavior.

23Issue — VPN connections terminate randomly. (Reference: 697716)

Resolution — Updated the stateful firewall logic to properly handle VPN tunnel connections not going through the McAfee NDIS driver.

24Issue — Windows desktop fails to load properly on systems running Host Intrusion Prevention and Blue Coat. (Reference: 736186)

Resolution — Modified the injection logic to handle unexpected scenarios caused by certain third party applications.

25Issue — System hangs after installing Host Intrusion Prevention 8.0.0 Patch 1 and restarting. (Reference: 737277, 765242)

Resolution — Fixed a race condition between Microsoft TCP/IP and the WFP driver to avoid the hang.

26Issue — Some custom signatures fail to match if the executable has been renamed. (Reference: 707321)

Resolution — Implemented an alternative solution to handle related operating system limitations.

27Issue — System hangs when a USB drive is connected. (Reference: 760418)

Resolution — Fixed a potential deadlock issue.

28Issue — Custom IPS signatures report the user information as DOMAIN UNKNOWN / USER UNKNOWN when triggered, making it impossible to create an exclusion for a specific user. (Reference: 770081)

Resolution — Implemented an alternative solution for gathering domain/user information.

29Issue — Trusted Source blocks incoming ICMP traffic. (Reference: 759077)

Resolution — Re-evaluated the security requirements for ICMP and ICMPv6 and adjusted the Trusted Source logic accordingly.

Issues resolved in Patch 1

These issues were resolved in the Host Intrusion Prevention Patch 1 release.

1Issue — Some systems lose network connectivity during upgrade from Host Intrusion Prevention 7.0 to 8.0. (Reference: 661416)

Resolution — Updated the installer for Host Intrusion Prevention 8.0 to recover from an occasional failure during uninstallation of the Host Intrusion Prevention 7.0 NDIS filter driver.

2Issue — The Host Intrusion Prevention 8.0 upgrade is interrupted, leaving the system with an incomplete installation. (Reference: 664654, 664659)

Resolution — Updated the installer to prevent Host Intrusion Prevention 7.0 from performing a policy enforcement which could interrupt the Host Intrusion Prevention 8.0 installation.

3Issue — Trusted Source lookup causes VPN to fail. (Reference: 666991, 676489)

Resolution — Updated the Firewall component to prevent VPN failure during Trusted Source lookup.

4Issue — BugCheck during the installation of a 3rd party VPN software. (Reference: 670709, 677894, 678618, 689466, 689933, 693416)

Resolution — Updated String operation errors to prevent BugCheck.

5Issue — Security vulnerabilities found in the included Visual C++ 2005 package. (Reference: 678336)

ResolutionHost Intrusion Prevention 8.0 RTW was confirmed not to be affected by the vulnerabilities found in the original Visual C++ 2005 package. Regardless, Patch 1 now includes the updated Microsoft Visual C++ 2005 Service Pack 1 redistributables which include fixes for these vulnerabilities.

6IssueHost Intrusion Prevention 8.0 causes explorer.exe to hang when enabling a USB external hard drive. (Reference: 683143, 683222)

Resolution — Fixed a deadlock issue to prevent explorer.exe from hanging.

7Issue — Network Performance degrades after installing Host Intrusion Prevention 8.0. (Reference: 659781)

Resolution — Updated internal algorithms to improve network performance.

8Issue — Activity Log tab shows blank entries for Intrusion events on Trusted Networks. (Reference: 678330, 683970, 684963, 688320, 689625, 698629)

Resolution — Added logic to ensure that the signature info is populated.

9Issue — Dynamically learned rule causes policy enforcement failure on McAfee ePO managed systems. (Reference: 682892)

Resolution — Updated string operation errors to prevent failure.

10IssueHost Intrusion Prevention 8.0 FireTray.exe crashes with an application error. (Reference: 688732)

Resolution — Fixed an error to prevent the failure.

11IssueHost Intrusion Prevention 8.0 Connection Aware Group is unable to match traffic to the loopback interface on Vista and older operating systems. (Reference: 645792, 649041, 650988, 658430, 666469)

Resolution — Added loopback interface support on Vista and older platforms.

12Issue — IPv6 encapsulated in IPv4 is blocked inside Connection Aware Group rules. (Reference: 647941)

Resolution — Extended FireCore logic to correctly parse this traffic type.

13Issue — Memory leak in mfevtps.exe. (Reference: 668024, 668596, 670452)

Resolution — Resolved a potential issue with Windows DLL to prevent the error.

14Issue — System instability with Host Intrusion Prevention 8.0 installed. (Reference: 660568, 647259, 660979, 663429, 664933, 667040, 667240, 668589)

Resolution — Resolved several issues with Host Intrusion Prevention for enhanced stability.

Installation instructions

Use these instructions to install, verify, and remove this Host Intrusion Prevention 8.0.0 Patch release.

Install the product directly to a client system

Follow these steps to install the package directly to a target client system.

NoteHost Intrusion Prevention Patch 4 installation does not require a restart but might cause a brief interruption in network traffic.
Task
1 Download the package:
Patch 4 — HIP80P4.Zip
Repost Patch 4 — HIP80LMLRP4.Zip
2 Extract the patch files to a temporary folder on your hard drive.
3 Disable Host Intrusion Prevention protection with an ePolicy Orchestrator delivered policy or in the local client interface.
4 Run the appropriate client installer file in the temporary folder created in Step 2:
Windows client — Double-click the setup file:
Patch 4 — McAfeeHIP_ClientPatch4.exe
Repost Patch 4 — McAfeeHIP_ClientSetup.exe
Linux client
Repost Patch 4 — Use the appropriate rpm files for the version of Linux that you are installing. See the Host Intrusion Prevention Installation Guide for details.
Solaris client
Repost Patch 4 — MFEhip.pkg
5 Follow the installation wizard instructions.
6 Enable Host Intrusion Prevention protection.

For more information, see the Host Intrusion Prevention Installation Guide.

Install the extension in ePolicy Orchestrator

Install the Host Intrusion Prevention 8.0 Patch 4 Extension in ePolicy Orchestrator.

Task

For option definitions, click ? in the interface.

1 In ePolicy Orchestrator, select Menu | Software | Extensions.
2 Click Install Extension.
3 Browse to and select the extension .zip file, then click OK.
NoteThis process might take several minutes to complete.
4 Verify that the product name appears in the Extensions list.
The Host Intrusion Prevention 8.0.4.838 Extension reports Extension Version 8.0.4.838.

For more information, see Bring products under management in the ePolicy Orchestrator online help.

Deploy the product from ePolicy Orchestrator

Follow these steps to deploy this release to managed systems using ePolicy Orchestrator version 5.0, 4.6, or 4.5.

Task

For option definitions, click ? in the interface.

1 Check the package into the ePolicy Orchestrator Master Repository:
a Select Menu | Software | Master Repository, then click Check In Package.
b Select the Product or Update (.ZIP) package type.
c Click Choose File and select the Host Intrusion Prevention zip package:
Patch 4 — HIP80P4.Zip
Repost Patch 4 — HIP80LMLRP4.Zip

This process might take several minutes to complete.

For more information, see Checking in packages manually in the ePolicy Orchestrator online help.

2 Deploy the Patch 4 package to the client systems:
Patch 4 — Use a McAfee Agent Product Update client task.

During an upgrade from Host Intrusion Prevention 7.0, if the 7.0 NDIS fails to uninstall, the installer automatically restarts the system after 10 minutes. To modify this behavior, add options to the Command line field in the Product Deployment Task:

To change the default timeout value: REBOOTINSECONDS=xxx
To disable the automatic reboot: BYPASSREBOOT=1

For more information, see KB76609.

Repost Patch 4 — Use a McAfee Agent Product Deployment client task.

For more information, see the Host Intrusion Prevention Installation Guide.

Verify the installation

After installing the Host Intrusion Prevention Patch 4 package, verify that the product installed correctly on the client systems.

Important Releases are not displayed or do not report installed if an error occurred during installation, or if a file did not install correctly.
Task
1 In ePolicy Orchestrator, run the Host IPS: Client Versions query.
For systems with Patch 4 installed, the Client Version (Host IPS) is 8.0.0.2919.
2 Click on the version number to display the system names.

File inventory

This release of the software includes these files.

File inventory — Windows

Files for both 32- and 64-bit systems
Folder name File name Version
Program Files\Common Files\McAfee\SystemCore fwinfo.exe 15.1.0.656
mfeapfa.dll 15.1.0.656
mfeavfa.dll 15.1.0.656
mfefire.exe 15.1.0.656
mfefwctl.dll 15.1.0.656
mfehida.dll 15.1.0.656
mfehidk_messages.dll 15.1.0.656
mfevtpa.dll 15.1.0.656
Program Files\McAfee\Host Intrusion Prevention ClientControl.exe 8.0.0.2919
DebugLog.dll 8.0.0.2919
FireCL.dll 8.0.0.2919
FireCNL.dll 8.0.0.2919
FireComm.dll 8.0.0.2919
FireCore.dll 8.0.0.2919
FireEpo.dll 8.0.0.2919
FireSvc.exe 8.0.0.2919
FireTray.exe 8.0.0.2919
HcApi.dll 8.0.0.2919
HcCode.dll 8.0.0.2919
HcSql.dll 8.0.0.2919
HcSvc.dll 8.0.0.2919
HcThe.dll 8.0.0.2919
Helper.exe 8.0.0.2919
HipMgtPlugin.dll 8.0.0.2919
HipRc.dll 8.0.0.2919
HipShield.dll 8.0.0.2919
HpmRegistry.dll 8.0.0.2919
McAfeeFire.exe 8.0.0.2919
mcafeewin32guisupportdll.dll 8.0.0.2919
MngFirecore.dll 8.0.0.2919
SecCtrFw.exe * 8.0.0.2919

Program Files\McAfee\Host Intrusion Prevention\VSCore\release

Program Files (x86)\McAfee\Host Intrusion Prevention\VSCore\release

Program Files (x86)\McAfee\Host Intrusion Prevention\VSCore\x64

fwinfo.exe 15.1.0.656
HipShieldK.sys 8.0.0.2919
mfeapfa.dll 15.1.0.656
mfeapfk.sys 15.1.0.656
mfeavfa.dll 15.1.0.656
mfeavfk.sys 15.1.0.656
mfefire.exe 15.1.0.656
mfefirek.sys 15.1.0.656
mfefwctl.dll 15.1.0.656
mfehida.dll 15.1.0.656
mfehidin.exe 15.1.0.656
mfehidk.sys 15.1.0.656
mfehidk_messages.dll 15.1.0.656
mfendisk.sys 15.1.0.656
mfenlfk.sys 15.1.0.656
mfetdi2k.sys 15.1.0.656
mfevtpa.dll 15.1.0.656
mfevtps.exe 15.1.0.656
mfewfpk.sys 15.1.0.656
[Windows]\System32 mfevtps.exe 15.1.0.656
[Windows]\System32\Drivers mfeapfk.sys 15.1.0.656
mfeavfk.sys 15.1.0.656
mfefirek.sys 15.1.0.656
mfehidk.sys 15.1.0.656
mfewfpk.sys 15.1.0.656
* New with Patch 4.
Files specific to 32-bit operating systems
Folder name File name Version
Program Files\McAfee\Host Intrusion Prevention McTrayHipPlugin.dll 8.0.0.2919
HipMgmt.exe * 8.0.0.2919
HipMgmtHpr.dll * 8.0.0.2919
* New with Patch 4.    
Files specific to 64-bit operating systems
Folder name File name Version
Program Files (x86)\Common Files\McAfee\SystemCore mfeavfa.dll 15.1.0.656
mfefwctl.dll 15.1.0.656
mfehida.dll 15.1.0.656
Program Files (x86)\McAfee\Host Intrusion Prevention DebugLog.dll 8.0.0.2919
FireCL.dll 8.0.0.2919
FireCNL.dll 8.0.0.2919
FireComm.dll 8.0.0.2919
FireCore.dll 8.0.0.2919
FireEpo.dll 8.0.0.2919
HcApi.dll 8.0.0.2919
HcCode.dll 8.0.0.2919
HcSql.dll 8.0.0.2919
HcThe.dll 8.0.0.2919
Helper.exe 8.0.0.2919
HipMgmt.exe * 8.0.0.2919
HipMgmtHpr.dll * 8.0.0.2919
HipMgtPlugin.dll 8.0.0.2919
HpmRegistry.dll 8.0.0.2919
McTrayHipPlugin.dll 8.0.0.2919
MngFirecore.dll 8.0.0.2919
* New with Patch 4.

File inventory — Linux client

To query the contents of the Host Intrusion Prevention .rpm packages, enter the following command at the command prompt:

rpm -qpl package_name.rpm

Where package_name is the name of one of the rpm files for the version of Linux that you are installing. See the Host Intrusion Prevention Installation Guide for details.

File inventory — Solaris client

To query the contents of the Host Intrusion Prevention .pkg package, enter the following commands at the command prompt:

pkgtrans MFEhip.pkg /tmp

cat /tmp/MFEhip.pkg/pkgmap

cat /tmp/MFEhip.pkg /pkginfo

Remove installation files

You can remove the Host Intrusion Prevention patch from ePolicy Orchestrator or directly from the client computer.

For information, see the McAfee Host Intrusion Prevention Installation Guide.

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB78494.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
User documentation
1Click Product Documentation.
2Select a product, then select a version.
3Select a product document.
KnowledgeBase
Click Search the KnowledgeBase for answers to your product questions.
Click Browse the KnowledgeBase for articles listed by product and version.

Copyright © 2013 McAfee, Inc. Do not copy without permission.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.