
Install HIPS to offline machines

by jack — last modified 2008-12-11 10:17

No core? No problem.

Today I was asked to help figure out how to install HIPS to a machine with no access to the core server. I figured it would be a simple matter of creating a self-extracting .exe, but when you do that HIPS is installed with the default configuration instead of whatever you've configured. As much as I hate advanced edit of agents, that was the right solution for this problem.

First, you'll need to copy ldlogon\agentbehaviors\hipsbehavior_5.zip to ldlogon. This shouldn't be necessary in theory, but it was one of the things I did in practice. hipsbehavior_5.zip is the name of the default configuration; adjust accordingly if you really need to deploy hipsbehavior_13.zip or something.

Second, you'll need to do some advanced agent editing. To do it to a single agent, you can just right-click the agent configuration and select Advanced Edit... To do it to everyone, edit ldlogon\ntstacfg.in#, then run ldmain\stamper.exe, then click Rebuild All in Agent Configuration. The changes you'll make are:

;-----------------------------------------------------------------------------------------
;**** Beginning of LANDesk HIPS component ****
;-----------------------------------------------------------------------------------------
[LANDesk HIPS]
DisplayName=HIPS_DISPLAY_NAME
DiskSpace=5000000

[LANDesk HIPS Help]
L0=HIPS_HELP

[LANDesk HIPS Dependencies]
D1=Common Base Agent

[LANDesk HIPS Pre Copy]
ADDDIR0=%DEST%\HIPS
ADDDIR1=%DEST%\HIPS\LANG

[LANDesk HIPS Files]
XCOPY0=HIPS,%DEST%\HIPS,RECURSIVE
FILE1=HipsBehavior_5.zip

[LANDesk HIPS Post Copy]
EXEC01=%DEST%\vulscan.exe, /changeSettingsNoReport /showui=false, INSTALLONLY
EXEC02=xcopy "%DEST%\HipsBehavior_5.zip" "C:\Documents and Settings\All Users\Application Data\vulScan\"
EXEC03=%DEST%\vulscan.exe, /installhips /noupdate /rebootaction=never /showui=false, INSTALLONLY

The first change is in [LANDesk HIPS Files]: it's the line beginning FILE1. The second change is in [LANDesk HIPS Post Copy]: I've inserted a new EXEC statement which xcopies the file, and I've renumbered the EXEC statements. Note that the entries in these files are case-sensitive: File1=HipsBehavior_5.zip won't work.

In a perfect world, something like this would work and you wouldn't need the FILE1 statement in [LANDesk HIPS Files]:

[LANDesk HIPS Post Copy]
EXEC01=%DEST%\vulscan.exe, /changeSettingsNoReport /showui=false, INSTALLONLY
FILE02="agentbehaviors\HipsBehavior_5.zip", "C:\Documents and Settings\All Users\Application Data\vulScan\"
EXEC03=%DEST%\vulscan.exe, /installhips /noupdate /rebootaction=never /showui=false, INSTALLONLY

This methodology works for lots of things of course, but it'll all end in tears if you don't document it (or your minions don't read the documentation... it's hard to find good minions these days).
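A pre-flight check for the edit described above, to run before stamper.exe and Rebuild All. It is an added example, not part of the original post or of LANDesk's tooling. The function names are hypothetical, the sample text is constructed from the sections shown in the post, and the rule that numeric suffixes run without gaps is an assumption drawn from the post's renumbering of the EXEC lines.

```python
import re

# Constructed sample: the two edited sections from the post, with one deliberate
# mistake (mixed-case "File1") of the kind the post warns about.
SAMPLE = r'''
[LANDesk HIPS Files]
XCOPY0=HIPS,%DEST%\HIPS,RECURSIVE
File1=HipsBehavior_5.zip
[LANDesk HIPS Post Copy]
EXEC01=%DEST%\vulscan.exe, /changeSettingsNoReport /showui=false, INSTALLONLY
EXEC02=xcopy "%DEST%\HipsBehavior_5.zip" "C:\Documents and Settings\All Users\Application Data\vulScan\"
EXEC03=%DEST%\vulscan.exe, /installhips /noupdate /rebootaction=never /showui=false, INSTALLONLY
'''

def parse_sections(text):
    """Return {section: [(key, value), ...]}, preserving key case and order."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def lint_hips_edit(text, behavior_zip="HipsBehavior_5.zip"):
    """Return a list of problems with the edit (empty list means it passes)."""
    problems, sections = [], parse_sections(text)
    files, post = (sections.get("LANDesk HIPS " + s, []) for s in ("Files", "Post Copy"))
    for name, entries in (("Files", files), ("Post Copy", post)):
        nums = []
        for key, _ in entries:
            m = re.fullmatch(r"([A-Za-z]+)(\d+)", key)
            if m and not m.group(1).isupper():
                problems.append(f"{name}: key {key} is not upper-case")
            if m:
                nums.append(int(m.group(2)))
        # Assumption from the post's renumbering: suffixes run without gaps.
        if nums and nums != list(range(nums[0], nums[0] + len(nums))):
            problems.append(f"{name}: numbering {nums} has a gap or is out of order")
    if not any(k.upper().startswith("FILE") and v == behavior_zip for k, v in files):
        problems.append(f"Files: {behavior_zip} is not listed as a FILEn entry")
    copy = [i for i, (_, v) in enumerate(post) if "xcopy" in v.lower() and behavior_zip in v]
    inst = [i for i, (_, v) in enumerate(post) if "/installhips" in v.lower()]
    if not copy or not inst or copy[0] > inst[0]:
        problems.append("Post Copy: no xcopy of the behavior zip before /installhips")
    return problems

print(lint_hips_edit(SAMPLE))
```

Pass the contents of the edited agent configuration as `text`, and a different `behavior_zip` if you deploy something other than the default configuration.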
