McAfee HISCDE-AB-IA Product Guide

McAfee HISCDE-AB-IA - Host Intrusion Prevention Manual

McAfee HISCDE-AB-IA manual content summary:

  • McAfee HISCDE-AB-IA | Product Guide - Page 1
    McAfee Host Intrusion Prevention 8.0 Product Guide for use with ePolicy Orchestrator 4.5
  • McAfee HISCDE-AB-IA | Product Guide - Page 2
    any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
  • McAfee HISCDE-AB-IA | Product Guide - Page 3
    Exceptions 32 Application protection rules 33 Events 33 Enable IPS protection 33 Configuring the IPS Options policy 34 Set the reaction for IPS signatures 35
  • McAfee HISCDE-AB-IA | Product Guide - Page 4
    firewall rule groups work 55 How the Host IPS catalog works 58 Firewall stateful packet filtering and inspection 59 How learn and adaptive modes affect the firewall policies 73 Define client functionality 74
  • McAfee HISCDE-AB-IA | Product Guide - Page 5
    clients 83 Unlocking the Windows client interface 83 Setting client UI options 83 Troubleshooting the Windows client 84 Windows client alerts 86 About the IPS Policy tab 104 Windows custom signatures 107
  • McAfee HISCDE-AB-IA | Product Guide - Page 6
    113 Windows class Program 116 Windows class Registry 117 Windows class Services 120 Windows class SQL 122 Classes and directives per Windows platform Troubleshooting 136 General issues 136 Host IPS logs 141 Clientcontrol.exe utility 144
  • McAfee HISCDE-AB-IA | Product Guide - Page 7
    Introducing Host Intrusion Prevention McAfee® Host Intrusion Prevention is a host-based intrusion detection and : • High severity signatures are prevented and all other signatures are ignored • McAfee applications are listed as trusted applications for all rules except IPS self-protection rules
  • McAfee HISCDE-AB-IA | Product Guide - Page 8
    mode for tuning. • Firewall Rules (Windows only). Defines firewall rules. • Firewall DNS Blocking (Windows only). Defines the domain name servers that are to be blocked.
  • McAfee HISCDE-AB-IA | Product Guide - Page 9
    to the Host Intrusion Prevention user interface on Windows client systems, including troubleshooting options. Also provides password-protection on all non-Windows client systems. Tree. You can break inheritance by
  • McAfee HISCDE-AB-IA | Product Guide - Page 10
    offers two types of protection: • Basic protection is available through the McAfee Default policy settings. This protection requires little or no tuning and generates The automatic creation of client rules
  • McAfee HISCDE-AB-IA | Product Guide - Page 11
    generate more events than in a basic environment. If you apply advanced protection, McAfee recommends using the IPS Protection policy to stagger the impact. This entails mapping each and sent as an email message.
  • McAfee HISCDE-AB-IA | Product Guide - Page 12
    a chart-based query to a small web-application, like the MyAvert Threat Service. You can create and edit multiple dashboards if you have the permissions. Use Triggered Signatures • Server Low Triggered Signatures
  • McAfee HISCDE-AB-IA | Product Guide - Page 13
    client rules. Possible action values are allow, block, • and jump, with jump the action for groups, which • Action Direction Enabled Last Modified Last Modifying User
  • McAfee HISCDE-AB-IA | Product Guide - Page 14
    > 0. • • Leaf Node ID Local Services Log Status IP Protocol • Match Intrusion • Media Type • Name • Note • Remote Services • Rule ID • Schedule End • Schedule Start Agent type • IPS Adaptive Mode Status
  • McAfee HISCDE-AB-IA | Product Guide - Page 15
    • Pending Reboot • Plug-in Version • Product Status • Service Running • Hotfix/Patch Version • Product Version • Service Pack • Host IPS Event Info (Hidden, Read) • within Host IPS trusted networks. Networks
  • McAfee HISCDE-AB-IA | Product Guide - Page 16
    Displays the top 10 most triggered IPS signatures of Low Severity (Notice). Service Status Displays where Host IPS is installed and whether it is running or policy information • View where a policy is assigned
  • McAfee HISCDE-AB-IA | Product Guide - Page 17
    available for My Default or custom policies). Click View (only available for McAfee Default or preconfigured policies). Click Rename and change the name of the policy severity event occurs on a particular server.
  • McAfee HISCDE-AB-IA | Product Guide - Page 18
    It allows greater protection through custom settings obtained through manual or automatic tuning. Default protection Host Intrusion Prevention ships and access to required information and applications per group type. Manual tuning Manual tuning requires direct monitoring for a set period of time of
  • McAfee HISCDE-AB-IA | Product Guide - Page 19
    they are installed, or you can assign a specific client name during installation. McAfee recommends establishing a naming convention for clients that is easy to interpret by placed clients in adaptive mode, you
  • McAfee HISCDE-AB-IA | Product Guide - Page 20
    not in others. For example, you might allow Instant Messaging in your Technical Support organization, but prevent its use in your Finance department. You can establish the packet through the firewall, or blocks it.
  • McAfee HISCDE-AB-IA | Product Guide - Page 21
    signature. • A user attempts to stop the McAfee Host IPS service, regardless of the client rule setting for service self-protection in signature 1000. • There is already policy that blocks or allows the packet.
  • McAfee HISCDE-AB-IA | Product Guide - Page 22
    blocked in Application Blocking Rules policies are not migrated and need to be manually added to the Application Protection Rules in the IPS Rules policy after migration. policy assignment after migrating policies.
  • McAfee HISCDE-AB-IA | Product Guide - Page 23
    are granted for access to each feature of the product and whether the user has read or read/write permission. This applies to the Host
  • McAfee HISCDE-AB-IA | Product Guide - Page 24
    . 2 Next to Host Intrusion Prevention, click Edit. 3 Select the desired permission for each feature: • None • View settings only • View and change settings 4 Click Save.
  • McAfee HISCDE-AB-IA | Product Guide - Page 25
    automatically every 15 minutes and requires no user interaction. You can, however, run it manually if you need to see immediate feedback from actions on the client. Repository Pull that can be saved or emailed.
  • McAfee HISCDE-AB-IA | Product Guide - Page 26
    /Out/Either Host IPS Event Description Detailed description of the event Local IP Address Local IP address of the system involved in the event
  • McAfee HISCDE-AB-IA | Product Guide - Page 27
    available content appearing in the ePO console. New content is always supported in subsequent versions, so content updates contain mostly new information or click Next. 5 Verify the information, then click Save.
  • McAfee HISCDE-AB-IA | Product Guide - Page 28
    This task downloads the content update package directly from McAfee at the indicated frequency and adds it to the master repository, updating the database with new Host Intrusion Prevention content. You can download an update package and check it in manually if you do not want to use an automatic
  • McAfee HISCDE-AB-IA | Product Guide - Page 29
    Applications policy, this policy category can contain multiple policy instances. Content updates provide new and updated signatures and application protection rules to keep protection current.
  • McAfee HISCDE-AB-IA | Product Guide - Page 30
    works to prevent applications from accessing files, data, registry settings, and services outside their own application envelope. The shielding strategy works to prevent there are tell-tale signs of SQL injection.
  • McAfee HISCDE-AB-IA | Product Guide - Page 31
    signatures implement database shielding to protect the database's data files, services, and resources. In addition, they implement database enveloping to ensure • Protect servers and the systems that connect to them.
  • McAfee HISCDE-AB-IA | Product Guide - Page 32
    • Protect against network denial-of-service attacks and bandwidth-oriented attacks that an exception might state that for a particular client, an operation is ignored. You can create these exceptions manually, or place
  • McAfee HISCDE-AB-IA | Product Guide - Page 33
    exceptions, called client rules. Administrators can manually create exceptions at any time. Monitoring events enabled the "Automatically include network-facing and service based applications" option in the IPS Options
  • McAfee HISCDE-AB-IA | Product Guide - Page 34
    client, either automatically with adaptive mode or manually on a Windows client, when this policy is file and registry protection rules until the Host IPS service has started on the client. Policy selections This policy
  • McAfee HISCDE-AB-IA | Product Guide - Page 35
    protective reaction for signature severity levels. These settings instruct clients what to do when an attack or editable My Default policy, based on the McAfee Default policy. You can view and duplicate policies Name Function Basic Protection (McAfee Default) Prevent high-severity signatures
  • McAfee HISCDE-AB-IA | Product Guide - Page 36
    set the protective reactions for signatures of a particular severity level. These settings instruct clients what to do when an attack or suspicious behavior is detected. Task For for a union of various policy rules.
  • McAfee HISCDE-AB-IA | Product Guide - Page 37
    additional policy instance. To view the effective or combined effect of multiple instance rule sets, click View Effective Policy. 4 Click Save to save all changes.
  • McAfee HISCDE-AB-IA | Product Guide - Page 38
    on a single client. All other policies are single-instance policies. The McAfee Default versions of these policies are automatically updated each time Host Intrusion is the union of all Trusted Applications.
  • McAfee HISCDE-AB-IA | Product Guide - Page 39
    and prevent system operations activity attacks, and includes File, Registry, Service, and HTTP rules. They are developed by the Host Intrusion Prevention . NOTE: You cannot create network-based custom signatures.
  • McAfee HISCDE-AB-IA | Product Guide - Page 40
    change. Click OK to save any modifications. NOTE: You can make changes to several signatures at once, by selecting the signatures and clicking Edit
  • McAfee HISCDE-AB-IA | Product Guide - Page 41
    include: Files, can include a name for the rule. Use ANSI Hook, HTTP, Program, Registry, Services, and format and TCL syntax. SQL. 2 Click OK and the rule is added to the list at least one of these four values:
  • McAfee HISCDE-AB-IA | Product Guide - Page 42
    / and \ . Use to match the root-level contents of a folder with no subfolders. Multiple characters, including / and \ . Wildcard escape. NOTE: For ** the escape is |*|*.
  • McAfee HISCDE-AB-IA | Product Guide - Page 43
    blocked. This list is updated with content update releases that apply in the McAfee Default IPS Rules policy. In addition, processes that are permitted to hook are a network port or runs as a service. If not, hooking
  • McAfee HISCDE-AB-IA | Product Guide - Page 44
    the process is not protected; if it listens on a port or runs as a service, hooking is permitted and the process is protected. Figure 1: Application Protection Rules analysis . When the process hooking list is
  • McAfee HISCDE-AB-IA | Product Guide - Page 45
    can create one. Task For option definitions, click ? in the interface. 1 On the IPS Rules policy Application Protection Rules tab, do one of the following:
  • McAfee HISCDE-AB-IA | Product Guide - Page 46
    list. You can filter on rule status, modified date, or specific text that includes rule or notes text. Click Clear to remove filter settings.
  • McAfee HISCDE-AB-IA | Product Guide - Page 47
    be blocked by a signature. This tuning process keeps the events that appear to a minimum, providing more time for analysis of the serious events that occur.
  • McAfee HISCDE-AB-IA | Product Guide - Page 48
    IPS events. All events associated with the group appear. By default, not all events are displayed. Only events over the last 30 days appear.
  • McAfee HISCDE-AB-IA | Product Guide - Page 49
    policy and click OK. The exception is created and added automatically to the bottom of the list of exceptions of the destination IPS Rules policy.
  • McAfee HISCDE-AB-IA | Product Guide - Page 50
    easily finding IPS protection trouble spots on clients. Managing IPS client rules Viewing IPS client rules created automatically in adaptive mode or manually on a client and which you want to display client rules.
  • McAfee HISCDE-AB-IA | Product Guide - Page 51
    move exceptions to a policy, select one or more exceptions in the list, click Create Exception, then indicate the policy to which to move the exceptions.
  • McAfee HISCDE-AB-IA | Product Guide - Page 52
    and off, defines stateful firewall settings, and enables special firewall-specific protection such as allowing outgoing traffic only until the firewall service has started, and the IP address of the specified domain.
  • McAfee HISCDE-AB-IA | Product Guide - Page 53
    .10.1. This rule is more specific. • Allow Rule - Allow all traffic using the HTTP service. This rule is more general. You must place the more specific Block Rule higher in the routing, and network control schemes.
  • McAfee HISCDE-AB-IA | Product Guide - Page 54
    /ethernet-numbers. The Host IPS firewall offers full support for IPv4 and IPv6 on Windows XP, Windows communication channel between IP hosts. It is useful in troubleshooting, and necessary to the proper function of an IP
  • McAfee HISCDE-AB-IA | Product Guide - Page 55
    an IPv4 network). Users are strongly discouraged from blocking ICMPv6 traffic if IPv6 is supported on their network. Instead of port numbers, both versions of ICMP define a queried to resolve URLs • WINS server used
  • McAfee HISCDE-AB-IA | Product Guide - Page 56
    connection option is selected under a group's Location settings, and an active Network Interface Card (NIC) matches the group criteria, the only types of traffic
  • McAfee HISCDE-AB-IA | Product Guide - Page 57
    the corporate network Connection rules are processed until the group with corporate LAN connection rules is encountered. This group contains these settings: • Media type = Wired
  • McAfee HISCDE-AB-IA | Product Guide - Page 58
    in a firewall group or rule or in IPS- related applications • Network - List of IP addresses that can be referenced in a firewall group or rule
  • McAfee HISCDE-AB-IA | Product Guide - Page 59
    protocols. If an inspected packet matches an existing entry in the state table, the packet is allowed without further scrutiny. When a connection is closed or times out, its entry is removed from the state table.
  • McAfee HISCDE-AB-IA | Product Guide - Page 60
    . The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action, Allow, so that any packet matched to a rule in the state table is automatically permitted.
  • McAfee HISCDE-AB-IA | Product Guide - Page 61
    , arriving on FTP destination port 21, and an entry is made in the state table. If the option for FTP inspection has been set with the Firewall Options perform stateful packet inspection on the packets coming through the FTP control channel.
  • McAfee HISCDE-AB-IA | Product Guide - Page 62
    set in the Firewall Options policy. When using IPv6, stateful firewall functionality is supported only on Windows Vista and later platforms. TCP DNS state table has not expired. • The response transaction ID matches the one from the request.
  • McAfee HISCDE-AB-IA | Product Guide - Page 63
    started telnet service, incoming state table and finds no match, then examines the static rule list and finds no match. 2 No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If not, the packet is dropped.
  • McAfee HISCDE-AB-IA | Product Guide - Page 64
    in the state table. supports. Use this option to allow traffic through a bridged environment with virtual machines manually on a client, when this policy is enforced. Protection settings These settings enable special firewall-specific protection:
  • McAfee HISCDE-AB-IA | Product Guide - Page 65
    incoming traffic until the Host IPS firewall service has started on the client. • Enable block. Stateful firewall settings The stateful firewall settings are available: • FTP protocol inspection - A stateful firewall
  • McAfee HISCDE-AB-IA | Product Guide - Page 66
    two firewall rules are created: TrustedSource -Allow Host IPS Service and TrustedSource -- Get Rating. The first rule allows from customers and partners about the state of Internet threat landscape. The reputation
  • McAfee HISCDE-AB-IA | Product Guide - Page 67
    When TrustedSource is contacted to do a reputation lookup, some latency is inevitable. McAfee has done everything it can to minimize this. First, a check of reputations is needs for most organizational firewalls.
  • McAfee HISCDE-AB-IA | Product Guide - Page 68
    contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate the preconfigured policy, and edit, another policy. 5 Click Save to save changes.
  • McAfee HISCDE-AB-IA | Product Guide - Page 69
    protocol Applications and executables Status and time settings, including enabling timed groups 3 On the Summary tab, review the details of the group and click Save.
  • McAfee HISCDE-AB-IA | Product Guide - Page 70
    the firewall. This task helps you find and edit existing catalog items, create and add new catalog items, or import and export catalog items.
  • McAfee HISCDE-AB-IA | Product Guide - Page 71
    client rules Viewing firewall client rules created automatically in adaptive or learn mode or manually on a client and moving them to a Firewall Rules policy can tune and for which you want to display client rules.
  • McAfee HISCDE-AB-IA | Product Guide - Page 72
    not contain path information with slashes, use these wildcards: Character ? (question mark) * (one asterisk) | (pipe) Definition A single character. Multiple characters, including / and \ . Wildcard escape.
  • McAfee HISCDE-AB-IA | Product Guide - Page 73
    types of intrusion alerts, passwords for access to the client interface, and troubleshooting options. The password functionality is used for clients on both Windows and non- , which aids in tuning a deployment.
  • McAfee HISCDE-AB-IA | Product Guide - Page 74
    server for a period of time. The user might have technical problems with Host Intrusion Prevention or need to perform operations without interaction Client UI page, select a tab (General Options, Advanced Options, Troubleshooting Options) and make any needed changes. See Setting Client UI general
  • McAfee HISCDE-AB-IA | Product Guide - Page 75
    Windows and non-Windows clients. Passwords unlock the Windows client console and access troubleshooting control on Windows and non-Windows clients. When this policy is applied Unlocking the Windows client interface.
  • McAfee HISCDE-AB-IA | Product Guide - Page 76
    IPS engines. When disabling engines, remember to reenable them after completing the troubleshooting. Task 1 Click the Troubleshooting tab in the Client UI policy. 2 Select the policy settings you want to apply:
  • McAfee HISCDE-AB-IA | Product Guide - Page 77
    an editable My Default policy. You can view and duplicate the preconfigured policy; you can create, edit, rename, duplicate, delete, and export editable custom policies.
  • McAfee HISCDE-AB-IA | Product Guide - Page 78
    susceptible to common vulnerabilities such as buffer overflow and illegal use. Therefore, a trusted application is still monitored and can trigger events to prevent exploits.
  • McAfee HISCDE-AB-IA | Product Guide - Page 79
    category contains a preconfigured policy, which provides a list of specific McAfee applications and Windows processes. You can view and duplicate the preconfigured , click ? on the page displaying the options.
  • McAfee HISCDE-AB-IA | Product Guide - Page 80
    policy instance. To view the effective or combined effect of multiple instance rule sets, click View Effective Policy. 4 Click Save to save all changes.
  • McAfee HISCDE-AB-IA | Product Guide - Page 81
    platforms. Only the Windows client has an interface, but all versions have troubleshooting functionality. The basic features of each client version are described here. version number and other product information.
  • McAfee HISCDE-AB-IA | Product Guide - Page 82
    from the tray icon option is selected in an applied Client UI policy: Table 12: McAfee Agent 4.5 menu Quick Settings Click... To do this... Host IPS Toggle Host IPS protection access to the Internet before rules
  • McAfee HISCDE-AB-IA | Product Guide - Page 83
    to customize these settings for the individual client. Before you begin To perform the following task, you must first unlock the client console with a password.
  • McAfee HISCDE-AB-IA | Product Guide - Page 84
    functions, is delivered as part of the installation and is located on the client at C:\Program Files\McAfee\Host Intrusion Prevention. See Clientcontrol.exe utility under Appendix B -- Troubleshooting for details.
  • McAfee HISCDE-AB-IA | Product Guide - Page 85
    Clients Overview of the Windows client Setting options for IPS logging As part of troubleshooting you can create IPS activity logs that can be analyzed on the system or sent to McAfee support to help resolve problems. Use this task to enable IPS logging. Task 1 In the Host IPS console, select
  • McAfee HISCDE-AB-IA | Product Guide - Page 86
    In the Host IPS console, select Help | Troubleshooting, and click Functionality. 2 In the HIPS Engines server operating system. 3 Click OK. 4 After the problem has been resolved, reselect all deselected engines in the HIPS
  • McAfee HISCDE-AB-IA | Product Guide - Page 87
    application rule for all ports and services To do this... Create a rule to allow or block an application's traffic over any port or service. If you do not select this , and the Connection Information section.
  • McAfee HISCDE-AB-IA | Product Guide - Page 88
    exceptions to intrusion prevention signatures. Block network intrusion attacks automatically for a set period of time. Indicate the number of minutes in the min. field.
  • McAfee HISCDE-AB-IA | Product Guide - Page 89
    the minus box to hide the rules. Timed group Indicates the group is a timed group. Location-aware group Indicates the group is a location-aware group.
  • McAfee HISCDE-AB-IA | Product Guide - Page 90
    Enter this information... The name, status, action, and direction of the rule. The IP address, subnet, domain, or other specific identifiers for this rule.
  • McAfee HISCDE-AB-IA | Product Guide - Page 91
    this column lists the name of the relevant firewall rule. If you added this address manually, this column lists only the IP address that you blocked. Time Time Remaining The time Prevention removes the address from
  • McAfee HISCDE-AB-IA | Product Guide - Page 92
    shows the list. If you specified that you wanted this address blocked until you manually removed it from the list, this column displays Until removed. Editing the Blocked Hosts name of the application executable.
  • McAfee HISCDE-AB-IA | Product Guide - Page 93
    event relating to the software's internal components. • Service indicates an event relating to the software's service or drivers. IP Address/User Intrusion Data The to display blocked and allowed firewall traffic.
  • McAfee HISCDE-AB-IA | Product Guide - Page 94
    Protection Rules are not available. Host Intrusion Prevention 8.0 General Client UI Trusted Networks None except administrative or time-based password to allow use of the troubleshooting tool. None
  • McAfee HISCDE-AB-IA | Product Guide - Page 95
    might encounter problems with the operation of the client. You can check whether the client is running, and stop and restart the client. The Solaris client has no user interface to troubleshoot operation issues. It does offer a command-line troubleshooting tool, hipts, located in the /opt/McAfee/hip
  • McAfee HISCDE-AB-IA | Product Guide - Page 96
    Solaris client is running The client might be installed correctly, but you might encounter problems with its operation. If the client does not appear in the ePO console, and restart it as part of troubleshooting.
  • McAfee HISCDE-AB-IA | Product Guide - Page 97
8.0 Firewall: None except administrative or time-based password to allow use of the troubleshooting tool. None. Only Mark as trusted for IPS and New Process Name. Set the setting to Disabled, and restart the client system.
  • McAfee HISCDE-AB-IA | Product Guide - Page 98
flag: schook: module not supported by Novell, setting U taint flag; hipsec: module not supported by Novell, setting U taint flag. McAfee is working with Novell to resolve this issue. Troubleshooting the Linux client: If a problem was
  • McAfee HISCDE-AB-IA | Product Guide - Page 99
MISC:off. 2 Run the command: hipts agent off. Restarting the Linux client: You might need to stop a running client and restart it as part of troubleshooting. Task: 1 Run the command: hipts agent on.
  • McAfee HISCDE-AB-IA | Product Guide - Page 100
client: • Set IPS Options to On in the ePO console and apply the policy to the client. • Run the command: hipts engines MISC:on
  • McAfee HISCDE-AB-IA | Product Guide - Page 101
to the web server that has "subject" in the HTTP request query has the following format: Rule { Class Isapi Id 4001 level 4 query { Include "*subject*" }
  • McAfee HISCDE-AB-IA | Product Guide - Page 102
. Remarks for Windows: • For local user: use /. • For domain user: use the ID of the remote user, but use the local service and its user context instead. You need to plan accordingly when
  • McAfee HISCDE-AB-IA | Product Guide - Page 103
3 - microsoft software validation v2, O=\"mcafee, inc.\", L=santa clara, ST=california, C=us" -desc "On-Access Scanner service"} If a rule applies to all, exclude wins over include. Here are three examples:
  • McAfee HISCDE-AB-IA | Product Guide - Page 104
.txt } dependencies "the general rule" Wildcards and variables: Wildcards, meta-symbols, and predefined variables can be used as the value in the available sections.
  • McAfee HISCDE-AB-IA | Product Guide - Page 105
Table 24: Windows IIS Web Server variables. IIS_BinDir: Directory where inetinfo.exe is located. IIS_Computer: Machine name that IIS runs on. IIS_Envelope: Includes all files that IIS is allowed to access.
  • McAfee HISCDE-AB-IA | Product Guide - Page 106
directory. All IIS virtual directories. Processes with access rights to IIS resources. All the services needed for IIS to work properly. Description: Directories like \WINNT and \WINNT\ to CGI roots of virtual servers.
  • McAfee HISCDE-AB-IA | Product Guide - Page 107
Windows classes: Buffer Overflow, Files, Hook, Illegal API Use, Illegal Use, Isapi, Program, Registry, Services, SQL. When to use: for protection against buffer overflow; for protection of file. Class Buffer_Overflow: See Common sections. Notes
  • McAfee HISCDE-AB-IA | Product Guide - Page 108
that an API is called from a proper call instruction. bo:target_bytes: A hexadecimal string representing 32 bytes of instructions that can be used to create a targeted exception. Class Files: See Common sections. Notes
  • McAfee HISCDE-AB-IA | Product Guide - Page 109
either be the full path or a wildcard. For example, the following are valid path representations: files { Include "C:\\test\\abc.txt" } and files { Include "*\\test\\abc.txt" }
  • McAfee HISCDE-AB-IA | Product Guide - Page 110
the executable file path name to "SystemRemoteClient": Executable { Include -path "SystemRemoteClient" } This would prevent any directive from executing if the executable is not local.
  • McAfee HISCDE-AB-IA | Product Guide - Page 111
creation of a file. Windows class Hook: The following table lists the possible sections and values for the Windows class Hook: Section: Class; Values: Hook; Notes
  • McAfee HISCDE-AB-IA | Product Guide - Page 112
deployed to Microsoft Windows operating systems via Windows security updates. Here is an example of a signature: Rule { tag "Sample4" Class Illegal_API_Use Id 4001 level 4
  • McAfee HISCDE-AB-IA | Product Guide - Page 113
the URL part of an incoming request. See Notes 1-4. One of the required parameters. Matched against the query part of an incoming request. See Notes 1-4.
  • McAfee HISCDE-AB-IA | Product Guide - Page 114
*;" matches any string containing 'abc;xyz' regardless of length. Note 4: A rule needs to contain at least one of the optional sections url, query, method.
  • McAfee HISCDE-AB-IA | Product Guide - Page 115
port number. Information about the Web server where the event is created (that is, the machine where the client is installed), in the manner ::. The =ocean would be prevented by this rule.
  • McAfee HISCDE-AB-IA | Product Guide - Page 116
• PROCESS_TERMINATE - Required to terminate a process. • PROCESS_CREATE_THREAD - Required to create a thread. • PROCESS_VM_WRITE - Required to write to memory. • PROCESS_DUP_HANDLE - Required to duplicate a handle.
  • McAfee HISCDE-AB-IA | Product Guide - Page 117
: Not available on Microsoft Vista and later platforms. Windows class Registry: The following table lists the possible sections and values for the Windows class Registry:
  • McAfee HISCDE-AB-IA | Product Guide - Page 118
is replaced by ControlSet. For example, the registry value "abc" under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \REGISTRY\MACHINE\SYSTEM\ControlSet\Control\Lsa\abc.
  • McAfee HISCDE-AB-IA | Product Guide - Page 119
Use this syntax: HKEY_LOCAL_MACHINE: \REGISTRY\MACHINE\; HKEY_CURRENT_USER: \REGISTRY\CURRENT_USER\; HKEY_CLASSES_ROOT: \REGISTRY\MACHINE\SOFTWARE\CLASSES\; HKEY_CURRENT_CONFIG: \REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001. \Control\Lsa" Rule { tag "Sample8" Class Registry Id 4001
  • McAfee HISCDE-AB-IA | Product Guide - Page 120
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet service: One of the required parameters. This name appears in the Services manager. See Note 1. services:delete: Deletes a service. services:create: Creates a service. services:start: Starts a service.
  • McAfee HISCDE-AB-IA | Product Guide - Page 121
mode that a service has after it was changed, or that it would have if the change went through. Only applicable for changes in the logon mode of a service: logon information (system or user account) used by the service.
  • McAfee HISCDE-AB-IA | Product Guide - Page 122
that specifies whether Windows authentication (set to 1) or SQL authentication (set to 0) was used. Name of the utility sending the request on the client system. Example: OSQL-32, Internet Information Services.
  • McAfee HISCDE-AB-IA | Product Guide - Page 123
SP2, 32- and 64-bit (2K3) • Windows Vista, 32- and 64-bit (V) • Windows 2008 R2, 32- and 64-bit (2K8) • Windows 7, 32- and 64-bit (7)
  • McAfee HISCDE-AB-IA | Product Guide - Page 124
[Platform support matrix for the Windows class Hook, directive set_windows_hook, with columns XP, 2K3, V, 2K8 and 7 for 32-bit processes and for 64-bit processes on 64-bit Windows (x64); the x marks did not survive extraction.]
  • McAfee HISCDE-AB-IA | Product Guide - Page 125
[Continuation of the platform support matrix: columns XP, 2K3, V, 2K8 and 7 for 32-bit processes on 64-bit Windows (x32) and 64-bit processes on 64-bit Windows (x64); the x marks did not survive extraction.]
  • McAfee HISCDE-AB-IA | Product Guide - Page 126
[End of the preceding matrix, including the rename directive; the x marks did not survive extraction.] Class Services directives: start, stop, pause, continue, startup, profile_enable, profile_disable, logon, create, delete. [Support matrix with columns XP, 2K3, V, 2K8 and 7 for 32-bit and 64-bit Windows; marks not recoverable.]
  • McAfee HISCDE-AB-IA | Product Guide - Page 127
the working directory. unixfile:chmod: Changes the permissions on a directory or file. unixfile:chown: Changes the ownership of a directory or file. unixfile:create: Creates a file.
  • McAfee HISCDE-AB-IA | Product Guide - Page 128
of the sections file permissions and new permissions corresponds to the Access Control List (acl). These can have values of "SUID" or "SGID" only.
  • McAfee HISCDE-AB-IA | Product Guide - Page 129
to which the link points). Solaris only. Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. Solaris only.
  • McAfee HISCDE-AB-IA | Product Guide - Page 130
    "*"} user_name { Include "*" } directives apache:request } This rule is triggered because {url}=/search/abc.exe, which matches the value of the section "url" (namely, abc).
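The Isapi, Files, Registry (Sample8) and Apache snippets above all use one rule grammar, and the guide states two matching semantics for it: inside a section, Exclude wins over Include, and registry keys are written as \REGISTRY\... with CurrentControlSet collapsed to ControlSet. The Python below is an added example written for this page, not McAfee code and not part of the Host IPS client: a small parser and evaluator for that Rule { } syntax, run against constructed events. The wildcard treatment ('*' any run of characters, '?' one character), the directive names isapi:request, files:create, files:delete and registry:modify, the Registry section name values, and every sample rule and event are assumptions for illustration; only apache:request and the path forms come from the page.

```python
"""Toy evaluator for Host IPS 8.0 custom-signature rules (added example, not McAfee code).
Parses the Rule { ... } brace syntax of the guide's Isapi, Files, Registry and Apache
snippets and applies two semantics the guide states: Exclude wins over Include inside
a section, and registry paths use the \\REGISTRY\\... form with CurrentControlSet
written as ControlSet. Assumptions: '*' matches any run of characters and '?' exactly
one; directive names other than apache:request and every sample rule and event below
are constructed for illustration."""
import re

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])|([^\s{}"]+)')

def tokenize(text):
    """Yield (kind, value): quoted strings with backslash escapes removed, braces, bare words."""
    for m in TOKEN.finditer(text):
        if m.group(1) is not None:
            yield ("str", re.sub(r"\\(.)", r"\1", m.group(1)))
        elif m.group(2):
            yield ("brace", m.group(2))
        else:
            yield ("word", m.group(3))

def parse_rule(text):
    """Parse one Rule { ... } block; directives must come last, as in the guide's examples."""
    toks = list(tokenize(text))
    if toks[:2] != [("word", "Rule"), ("brace", "{")]:
        raise ValueError("expected 'Rule {'")
    rule, i = {"sections": {}, "directives": []}, 2
    while toks[i] != ("brace", "}"):
        key, i = toks[i][1], i + 1
        if toks[i] == ("brace", "{"):                       # a section such as files { ... }
            sec, i = {"Include": [], "Exclude": []}, i + 1
            while toks[i] != ("brace", "}"):
                mode, i = toks[i][1], i + 1                 # Include or Exclude
                if toks[i][0] == "word" and toks[i][1].startswith("-"):
                    attrs = {}                              # flag form: Include -path "..." -desc "..."
                    while toks[i][0] == "word" and toks[i][1].startswith("-"):
                        attrs[toks[i][1]] = toks[i + 1][1]
                        i += 2
                    sec[mode].append(attrs.get("-path", "*"))
                else:
                    sec[mode].append(toks[i][1])
                    i += 1
            rule["sections"][key.lower()] = sec
            i += 1
        elif key == "directives":                           # bare words up to the closing brace
            while toks[i] != ("brace", "}"):
                rule["directives"].append(toks[i][1])
                i += 1
        else:                                               # tag, Class, Id, level, ...
            rule[key.lower()], i = toks[i][1], i + 1
    return rule

def wildcard_match(pattern, value):
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def section_matches(section, value):
    if any(wildcard_match(p, value) for p in section["Exclude"]):
        return False                                        # exclude wins over include
    return any(wildcard_match(p, value) for p in section["Include"])

def rule_fires(rule, event):
    """event = {'directive': ..., <section name>: <value>, ...}; every section must match."""
    if event["directive"] not in rule["directives"]:
        return False
    return all(section_matches(sec, event.get(name, "")) for name, sec in rule["sections"].items())

HIVES = {  # hive prefixes as the guide's registry-path table writes them
    "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKEY_CURRENT_USER": r"\REGISTRY\CURRENT_USER",
    "HKEY_CLASSES_ROOT": r"\REGISTRY\MACHINE\SOFTWARE\CLASSES",
}

def to_hips_registry_path(win_path):
    """Rewrite HKEY_...\\CurrentControlSet\\... into the form a Registry-class section expects."""
    hive, _, rest = win_path.partition("\\")
    parts = ["ControlSet" if p.lower() == "currentcontrolset" else p for p in rest.split("\\") if p]
    return "\\".join([HIVES[hive.upper()], *parts])

# Constructed sample rules modelled on the guide's snippets, not taken from a McAfee signature set.
RULES = {
    "isapi": r'''Rule { tag "Sample_isapi" Class Isapi Id 4001 level 4
                 query { Include "*subject*" } directives isapi:request }''',
    "files": r'''Rule { tag "Sample_files" Class Files Id 4002 level 3
                 files { Include "*\\test\\abc.txt" Exclude "C:\\safe\\test\\abc.txt" }
                 Executable { Include -path "*" } directives files:create files:delete }''',
    "registry": r'''Rule { tag "Sample8" Class Registry Id 4003 level 4
                 values { Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc" }
                 directives registry:modify }''',
    "apache": r'''Rule { tag "Sample_apache" Class UNIX_apache Id 4004 level 3
                 url { Include "*abc*" } user_name { Include "*" } directives apache:request }''',
}

def evaluate(name, event):
    """True when the named sample rule would fire on the event (a constructed intercepted operation)."""
    return rule_fires(parse_rule(RULES[name]), event)
```

The files rule shows why the Exclude precedence matters when you write exceptions: a write to C:\test\abc.txt fires, but the same write under C:\safe\test\abc.txt is silenced even though the Include wildcard also matches it. The registry helper is the step people most often get wrong when hand-writing a Registry-class signature, because the path in the rule must be the kernel form, not the HKEY_ form shown in regedit.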
  • McAfee HISCDE-AB-IA | Product Guide - Page 131
sections and values for the Solaris or Linux class UNIX_misc: Section: Class, Id; Values: UNIX_misc; See Common sections. Notes: A miscellaneous class that safeguards access protection.
  • McAfee HISCDE-AB-IA | Product Guide - Page 132
example, if you have a zone named "app_zone" whose root is /zones/app, then the rule: Rule { ... file { Include "/tmp/test.log" } zone { Include "app_zone" }
  • McAfee HISCDE-AB-IA | Product Guide - Page 133
user ID. guid:setreuid: Sets the real and effective user ID. guid:setgid: Sets group ID to allow a group to run an executable with the permissions of the executable's group. guid:setegid: Sets effective group ID.
  • McAfee HISCDE-AB-IA | Product Guide - Page 134
[Platform support matrix for the UNIX directives up to unixfile:priocntl, with rows RedHat Linux, SuSE Linux, Solaris 9 and Solaris 10; the X marks did not survive extraction.]
  • McAfee HISCDE-AB-IA | Product Guide - Page 135
[Platform support matrix for guid:setuid, guid:seteuid, guid:setreuid, guid:setgid, guid:setegid and guid:setregid, with rows RedHat Linux, SuSE Linux, Solaris 9 and Solaris 10; the X marks did not survive extraction.]
  • McAfee HISCDE-AB-IA | Product Guide - Page 136
    on the McAfee Support site http://mcafee.com offer you the most up-to-date support information on issues and troubleshooting. Refer to KB69184 for the latest information. Contents General issues Host IPS logs Clientcontrol.exe utility General issues Which Host Intrusion Prevention services should be
  • McAfee HISCDE-AB-IA | Product Guide - Page 137
Troubleshooting: or some other element that is causing the problem. If the issue occurs because of an IPS signature, stop the Host Intrusion Prevention client service (FireSvc.exe), then retest. mcafee.com. 6 Identify the IPS engine that causes the issue.
  • McAfee HISCDE-AB-IA | Product Guide - Page 138
    log and name it Host IPS Activity Log wProb, for reporting to support. 4 Select Enable Host IPS and verify that the problem returns. Test all IPS engines 1 Click Help and select Troubleshooting. 2 Select Error reporting under IPS logging. 3 Select Log security violations. 4 Click Functionality
  • McAfee HISCDE-AB-IA | Product Guide - Page 139
the log. 2 Click the IPS Policy tab and select Enable Network IPS. 3 Click the Automatically Block Attackers checkbox. 4 Test the system to determine if the problem recurs. If it does:
  • McAfee HISCDE-AB-IA | Product Guide - Page 140
General issues: a Deselect Automatically Block Attackers and retest to see if the problem recurs. wProb, for reporting to support. 5 If the problem does not recur, deselect the option; test again to see whether the problem recurs. If it does: a Deselect Incoming and Outgoing.
  • McAfee HISCDE-AB-IA | Product Guide - Page 141
    all blocked hosts from the list. 3 Test the system to determine if the problem recurs. If it does, it is probably not associated with Blocked Hosts. If you still have not found the cause of the issue, contact McAfee Support, explain the issue, and attach data obtained by going through this process
  • McAfee HISCDE-AB-IA | Product Guide - Page 142
Troubleshooting Host IPS logs • Windows XP, Windows 2003 - C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention • Windows Vista, Windows 2008, Windows 7 - C:\ProgramData\McAfee
  • McAfee HISCDE-AB-IA | Product Guide - Page 143
collecting data for incidents escalated to McAfee Support, we strongly recommend that the service log be enabled. Contains this data: • Debug level logging • Location matching output • TrustedSource connection rating output • Errors/warnings
  • McAfee HISCDE-AB-IA | Product Guide - Page 144
Clientcontrol.exe utility. Name: HipMgtPlugin.log. Description: McAfee Agent. On the McAfee Host IPS client: • Start the Host IPS service. • Stop the Host IPS service (requires registry.
  • McAfee HISCDE-AB-IA | Product Guide - Page 145
The utility records its activities to ClientControl.log at C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention, or C:\ProgramData\McAfee. Host IPS services is successful, policy settings might allow the McAfee Agent to
  • McAfee HISCDE-AB-IA | Product Guide - Page 146
Displays command-line syntax and notes. • /start Starts the service. • /stop Stops the service. • /log of export file>
  • McAfee HISCDE-AB-IA | Product Guide - Page 147
part of a troubleshooting exercise: 1 Open a command shell. 2 Run clientcontrol.exe /log [log type] [log option, ...] 3 Perform activity to generate log entries. 4 Review HipShield.log or FireSvc.log for relevant information.
  • McAfee HISCDE-AB-IA | Product Guide - Page 148
a troubleshooting exercise: 1 Open a command shell. 2 Run clientcontrol.exe / [engine type] [engine option] 3 Perform activity to generate reactions and log entries. 4 Review HipShield.log or FireSvc.log for relevant information.
  • McAfee HISCDE-AB-IA | Product Guide - Page 149
communications, Firewall Policy 89; stateful firewall filtering 60; application troubleshooting 76; ClientControl utility: command-line syntax 144, function and setup 144, stopping services 144, using to troubleshoot
  • McAfee HISCDE-AB-IA | Product Guide - Page 150
113 Windows, Program 116; Windows, Registry 117; Windows, Services 120; Windows, SQL 122. D: dashboards, default Host IPS; Host IPS events and queries 10; how firewall stateful filtering works 60; querying Host IPS activities 13
  • McAfee HISCDE-AB-IA | Product Guide - Page 151
rules and 89; location-aware groups 55; monitoring blocked hosts 91; rule groups 55; stateful firewall, IPv4 vs. IPv6 60. IPS events: about 33; exceptions, creating 47; managing with 39. IPS, Host IPS permissions for 23
  • McAfee HISCDE-AB-IA | Product Guide - Page 152
141 HipShield.log 141; using for troubleshooting 141. M: McAfee Default policy: Client UI 74, DNS Blocking Applications 78, Trusted Networks 77. McAfee recommendations: contact McAfee support to disable HIPS engine 85
  • McAfee HISCDE-AB-IA | Product Guide - Page 153
how stateful filtering works 60; packet inspection, how it works 61; protocol tracking 62; system call interception 30. System management: automatic responses for Host IPS events 26; server tasks for Host IPS 23, 25; updating Host IPS protection 27
  • McAfee HISCDE-AB-IA | Product Guide - Page 154
83. T: troubleshooting, Host IPS: using the ClientControl utility 144; verifying services are running 136; Windows client 84 (continued): default policies and 17; manual and automatic 18; policy management 10. Trusted 88; IPS Policy tab 88; overview 81; troubleshooting 84, 85; Windows client console customizing
