SCSP: Disable Intrusion Prevention [IPS] for Solaris|AIX|Linux|Windows
Article ID: 180885
Products

Critical System Protection
Data Center Security Server Advanced
Data Center Security Monitoring Edition
Data Center Security Server

Issue/Introduction

SCSP: Disable Intrusion Prevention [IPS] for Solaris|AIX|Linux|Windows 

Environment

Solaris
AIX
Linux
Windows 

Resolution

Disable Intrusion Prevention [IPS]:

Command to disable the Prevention Feature (IPS). A reboot is required.

CAUTION: Run this command only once. It is a toggle command.
Example of disabling IPS: in the output below, the user has disabled IPS. If the user runs the command again, it will re-enable IPS.
 
Solaris|AIX|Linux:   su - sisips -c "./sisipsconfig.sh -i"
 
Windows:             sisipsconfig -i
 
---------------------------------------------------------------------------
Agent Configuration Tool version 
---------------------------------------------------------------------------
The Prevention Feature is disabled. You must reboot to complete the change.
 
Make sure you get the message "The Prevention Feature is disabled. You must reboot to complete the change." after running the command, then reboot the system.

Do I really need to disable it?

Run the following command to determine the state of the Prevention Feature.
Example of checking whether IPS is disabled: in the output below, the user runs the command to confirm that the Prevention Feature is disabled. If the Prevention Feature is already disabled, no further action is needed on this system.
The command generates the following information on the screen/console.
 
Solaris|AIX|Linux:    su - sisips -c "./sisipsconfig.sh -v"
  
---------------------------------------------------------------------------
Agent Configuration Tool version 
---------------------------------------------------------------------------
 
Server Host List – scspmanager1.example.com
Current Management Server - scspmanager1.example.com
Port - 4433
Protocol - https
CertFile - C:\Program Files\Symantec\Critical System Protection\Agent\IPS\certs\keystore
Failback Interval - 60 minutes
Tracing - false
Force Retranslation - false
Prevention Feature – disabled
 
Do I need to reboot after running the command above?

If the system has been rebooted since the SCSP agent installation (default install settings), the prevention drivers are loaded. You MUST REBOOT to disable the Prevention Feature. Use the following commands to verify whether the drivers are loaded:

· On Solaris:   modinfo | grep sisips
· On AIX:       genkex | grep sisips
· On Linux:     lsmod | grep sisip
· On Windows:   driverquery /v | find "SISIPSDriver"

On Solaris, AIX, or Linux, if the command above returns any entries, prevention is enabled and the IPS drivers are loaded. On Windows, if the driver state is "running", the driver is loaded. In either case you must reboot.

If the system has NOT been rebooted since the SCSP agent installation, the command above returns nothing on Unix systems, and on Windows the driver state is "stopped".
· In that case you only need to restart the SCSP IPS daemon to clear the reboot-pending flag. No reboot is required.
· A blue triangle next to the agent name on the SCSP console indicates the pending reboot; it is cleared once the IPS daemon is restarted.

Run the following command to restart the IPS daemon:

On Solaris|Linux:    /etc/init.d/sisipsagent restart
On AIX:              /etc/rc.sisipsagent restart
On Windows:          net stop sisipsservice
                     net start sisipsservice
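The decision described in the steps above (is IPS disabled in the agent configuration, are the prevention drivers still loaded, and therefore is a reboot or only a daemon restart needed) collected into one POSIX sh script. This is an added example, not a script shipped with the product or taken from this article. It assumes the output formats shown in the article: `sisipsconfig.sh -v` printing a "Prevention Feature - enabled|disabled" line, and `lsmod`/`modinfo`/`genkex` listing loaded modules one per line. The sample outputs embedded below are constructed so the script runs offline; on a real host pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example (not from the KB article): work out the next step after
# toggling IPS with "sisipsconfig.sh -i", based on the article's checks.
# The functions read text on stdin so they can be fed constructed samples
# here, or the live output of sisipsconfig.sh -v / lsmod on a real system.

# Extract the Prevention Feature state from "sisipsconfig.sh -v" output.
# Prints "enabled", "disabled" or "unknown". The article's output shows
# either a hyphen or an en dash after the label; taking the last field
# ($NF) makes the separator irrelevant.
ips_state() {
    awk '/^Prevention Feature/ { state = $NF }
         END {
             if (state == "enabled" || state == "disabled") print state
             else print "unknown"
         }'
}

# Count loaded prevention drivers in "lsmod" / "modinfo" / "genkex" output.
# grep -c prints 0 and exits non-zero when nothing matches, so "|| true"
# keeps the count usable under "set -e".
drivers_loaded() {
    grep -c 'sisip' || true
}

# Map (config state, loaded driver count) to the article's three outcomes:
#   toggle-and-reboot : IPS still enabled in config; run sisipsconfig.sh -i
#                       once, then reboot
#   reboot-required   : disabled in config but drivers are loaded; reboot
#   restart-daemon    : disabled and no drivers loaded; restarting
#                       sisipsagent clears the reboot-pending flag
next_action() {
    state="$1"
    loaded="$2"
    if [ "$state" = "enabled" ]; then
        echo "toggle-and-reboot"
    elif [ "$loaded" -gt 0 ]; then
        echo "reboot-required"
    else
        echo "restart-daemon"
    fi
}

# Constructed sample of "sisipsconfig.sh -v" output, modelled on the article.
SAMPLE_CONFIG='---------------------------------------------------------------------------
Agent Configuration Tool version
---------------------------------------------------------------------------

Server Host List - scspmanager1.example.com
Tracing - false
Prevention Feature – disabled'

# Constructed sample of "lsmod" output: two prevention modules still loaded.
SAMPLE_LSMOD='sisips                 123456  2
sisipsdriver            12345  1
ext4                   654321  3'

# Run the decision on the constructed samples; prints "reboot-required".
main() {
    state=$(printf '%s\n' "$SAMPLE_CONFIG" | ips_state)
    loaded=$(printf '%s\n' "$SAMPLE_LSMOD" | drivers_loaded)
    next_action "$state" "$loaded"
}

main
```

On a live Linux host the same logic is `next_action "$(su - sisips -c './sisipsconfig.sh -v' | ips_state)" "$(lsmod | drivers_loaded)"`; substitute `modinfo` or `genkex` on Solaris or AIX. The script only reports; it never toggles IPS itself, so running it repeatedly is safe, unlike `sisipsconfig.sh -i`.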
   
What do these commands do to the system?

Solaris|AIX|Linux:   su - sisips -c "./sisipsconfig.sh -i"
Windows:             sisipsconfig -i

On Windows, the sisipsconfig -i command toggles the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SISIPSxxxx\start, where SISIPSxxxx represents a set of prevention kernel drivers. It toggles between the values 1 and 3: value 1 loads the driver at system start-up and value 3 does not. The command also sets the state of the Prevention Feature (IPS) in the file "<installed dir>\Critical System Protection\Agent\IPS\agent.ini". On service start-up, the SCSP IPS service reads the parameter "ips.enabled" from that file, and if it is set to "false" the service does not communicate with the kernel driver.

Windows commands used in this article:

Toggle IPS (run once):     sisipsconfig -i
Restart the IPS service:   net stop sisipsservice
                           net start sisipsservice
Check driver state:        driverquery /v | find "SISIPSDriver"
Show agent configuration:  sisipsconfig -v