McAfee HISCDE-AB-IA Product Guide - Page 29
Configuring IPS Policies

IPS policies turn host intrusion prevention protection on and off, set the reaction level to events, and provide protection through the application of exceptions, signatures, and application protection rules. IPS protection is kept up-to-date with monthly content updates that contain new and revised signatures and application protection rules.

Contents
Overview of IPS policies
Enable IPS protection
Set the reaction for IPS signatures
Define IPS protection
Monitor IPS events
Monitor IPS client rules

Overview of IPS policies

The IPS (Intrusion Prevention System) feature monitors all system (kernel-level) and API (user-level) calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed. A kernel-level driver, which receives redirected entries in the user-mode system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action. This hybrid method detects most known attacks as well as previously unknown or zero-day attacks.

Protection also comes from exceptions, which override signatures that block legitimate activity, and application protection rules, which describe which processes to protect.

Available policies

There are three IPS policies:

IPS Options - Enables IPS protection by turning on and off host and network IPS protection and applying options specific to Windows systems.

IPS Protection - Tells the system how to react (block, ignore, log) when signatures of a specific severity (high, medium, low) are triggered.

IPS Rules - Defines IPS protection by applying signatures and behavioral analysis to protect against known and zero-day attacks. Exceptions, which override signatures that block legitimate activity, and application protection rules, which indicate which processes to protect, complement the signatures. Like the Trusted Applications policy, this policy category can contain multiple policy instances. Content updates provide new and updated signatures and application protection rules to keep protection current.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5    29
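The following Python model, added here as an illustration and not taken from the product guide or from McAfee's software, shows how the three policies described above fit together when one intercepted call is evaluated: IPS Options decides whether anything is inspected at all, IPS Rules supplies the signatures, exceptions and application protection rules, and IPS Protection maps the matched signature's severity to a reaction. All class and field names, the first-match logic, the treatment of application protection rules as the set of processes whose user-level API calls are inspected, and every signature, exception and event value are constructed assumptions for the example.

```python
"""Constructed model of the IPS policy decision flow (illustration only).

Class and field names, the matching logic and all sample data are
assumptions made for this example, not McAfee's implementation or schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    sig_id: int
    severity: str         # "high", "medium" or "low"
    process: str          # image name of the calling process
    resource_prefix: str  # resource the call touches (assumed: path or key prefix)
    description: str


@dataclass(frozen=True)
class SignatureException:
    """Exception: lets the named process do what the signature would block."""
    sig_id: int
    process: str


@dataclass
class IpsOptions:
    """IPS Options policy: host IPS protection on or off."""
    host_ips_enabled: bool = True


@dataclass
class IpsProtection:
    """IPS Protection policy: reaction for each signature severity."""
    reactions: Dict[str, str] = field(default_factory=lambda: {
        "high": "Block", "medium": "Log", "low": "Ignore"})


@dataclass
class IpsRules:
    """IPS Rules policy: signatures, exceptions and application protection rules."""
    signatures: List[Signature]
    exceptions: List[SignatureException]
    # Application protection rules, modelled (assumption) as the processes whose
    # user-level API calls are inspected; kernel-level calls are always inspected.
    protected_processes: List[str]


@dataclass(frozen=True)
class CallEvent:
    """A call as the driver sees it: caller, its security context, level, resource."""
    process: str
    security_context: str  # e.g. "user" or "SYSTEM" (informational in this model)
    level: str             # "kernel" (system call) or "api" (user-level call)
    resource: str


@dataclass(frozen=True)
class Decision:
    reaction: str          # "Allow", "Block", "Log" or "Ignore"
    sig_id: Optional[int]
    reason: str


def evaluate(event: CallEvent, options: IpsOptions,
             protection: IpsProtection, rules: IpsRules) -> Decision:
    """Apply the three policies to one call; first matching signature wins (assumption)."""
    if not options.host_ips_enabled:
        return Decision("Allow", None, "host IPS disabled in IPS Options")
    if event.level == "api" and event.process not in rules.protected_processes:
        return Decision("Allow", None, "process not covered by an application protection rule")
    for sig in rules.signatures:
        if sig.process == event.process and event.resource.startswith(sig.resource_prefix):
            # An exception overrides a signature that would block legitimate activity.
            if any(ex.sig_id == sig.sig_id and ex.process == event.process
                   for ex in rules.exceptions):
                return Decision("Allow", sig.sig_id, "exception overrides signature")
            reaction = protection.reactions[sig.severity]
            return Decision(reaction, sig.sig_id, f"{sig.severity} severity -> {reaction}")
    return Decision("Allow", None, "no signature matched")


def sample_decisions() -> List[Decision]:
    """Run constructed events through constructed policies; every value is made up."""
    rules = IpsRules(
        signatures=[
            Signature(1001, "high", "winword.exe", "C:\\Windows\\System32\\",
                      "Office application writing under System32"),
            Signature(1002, "medium", "svchost.exe",
                      "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                      "Service host modifying a Run key"),
            Signature(1003, "low", "backup.exe", "C:\\Users\\",
                      "Backup tool reading user profiles"),
        ],
        # Constructed exception: this svchost.exe behaviour is legitimate on this host.
        exceptions=[SignatureException(1002, "svchost.exe")],
        protected_processes=["winword.exe", "svchost.exe", "backup.exe"],
    )
    options, protection = IpsOptions(), IpsProtection()
    events = [
        CallEvent("winword.exe", "user", "kernel", "C:\\Windows\\System32\\custom.dll"),
        CallEvent("svchost.exe", "SYSTEM", "kernel",
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
        CallEvent("backup.exe", "SYSTEM", "api", "C:\\Users\\alice\\Documents"),
        CallEvent("notepad.exe", "user", "kernel", "C:\\Users\\alice\\notes.txt"),
        CallEvent("unlisted.exe", "user", "api", "C:\\Windows\\System32\\x.dll"),
    ]
    decisions = [evaluate(e, options, protection, rules) for e in events]
    # The first call again with host IPS switched off: nothing is inspected.
    decisions.append(evaluate(events[0], IpsOptions(host_ips_enabled=False), protection, rules))
    return decisions


if __name__ == "__main__":
    for d in sample_decisions():
        print(f"{d.reaction:<6} sig={d.sig_id} {d.reason}")
```

Running the block prints one line per constructed event: the high-severity match is blocked, the medium-severity match is allowed because an exception covers it, the low-severity match is ignored per the default IPS Protection mapping, unmatched or uncovered calls are allowed, and with IPS Options disabled the same high-severity call passes untouched. Changing the `reactions` dictionary is the model's equivalent of editing the IPS Protection policy.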