McAfee HISCDE-AB-IA Product Guide - Page 32



• Protect against network denial-of-service attacks and bandwidth-oriented attacks that deny or degrade network traffic.

Host Intrusion Prevention contains a default list of a small number of network IPS signatures for Windows platforms. You can edit the severity level, log status, and client rule creation setting of these signatures, but you cannot presently add custom network signatures. The list of signatures is updated if needed whenever you install a content update.
Behavioral rules
Behavioral rules block zero-day attacks and enforce proper operating system and application
behavior. Heuristic behavioral rules define a profile of legitimate activity. Activity not matching
these rules is considered suspicious and triggers a response. For example, a behavioral rule
might state that only a web server process can access HTML files. If any other process attempts
to access HTML files, action is taken. This type of protection, called application shielding and
enveloping, prevents compromise of applications and their data and prevents applications from
being used to attack other applications.
In addition, behavioral rules block buffer overflow exploits, preventing code execution resulting
from a buffer overflow attack, one of the most common methods of attacking servers and
desktops.
Reactions
A reaction is what the Host Intrusion Prevention client does when a signature of a specific
severity is triggered.
The client reacts in one of three ways:
• Ignore — No reaction; the event is not logged and the operation is not prevented.
• Log — The event is logged but the operation is not prevented.
• Prevent — The event is logged and the operation is prevented.
A security policy might state, for example, that when a client recognizes a low-severity signature,
it logs the occurrence of that signature and allows the operation to occur; and when it recognizes
a high-severity signature, it prevents the operation.
NOTE: Logging can be enabled directly on each signature. The IPS Protection policy automatically sets the reaction for signatures depending on severity level.
Exceptions
An exception overrides an activity blocked by the reaction to a signature.
In some cases, behavior that a signature defines as an attack might be part of a user's normal work routine or an activity that is legal for a protected application. To override the signature, you can create an exception that allows the legitimate activity. For example, an exception might state that for a particular client, an operation is ignored.
You can create these exceptions manually, or place clients in adaptive mode and allow them to create client exception rules. To ensure that some signatures are never overridden, edit the signature and disable the Allow Client Rules option. You can track the client exceptions in the ePolicy Orchestrator console, viewing them in regular, filtered, and aggregated views. Use these client rules to create new policies, or add them to existing policies that you can apply to other clients.
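The following is an added illustration, not code from the product guide or the product itself: a small model of how the three concepts on this page compose. A behavioral rule (the guide's "only a web server process can access HTML files" example) decides whether a signature triggers, the IPS Protection policy maps severity to a reaction, and an exception overrides that reaction, except that a client-created exception cannot override a signature whose Allow Client Rules option is disabled. The signature IDs, severity-to-reaction mapping, and the process name httpd.exe are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

IGNORE, LOG, PREVENT = "Ignore", "Log", "Prevent"

# Hypothetical IPS Protection policy: reaction chosen per severity level.
# The guide says the policy sets these automatically; the mapping here is constructed.
PROTECTION_POLICY: dict[str, str] = {"Low": LOG, "Medium": LOG, "High": PREVENT}

@dataclass
class Event:
    process: str   # process performing the operation
    path: str      # file being accessed

@dataclass
class Signature:
    sig_id: int
    severity: str
    matches: Callable[[Event], bool]   # behavioral rule: True = outside the legitimate profile
    allow_client_rules: bool = True    # the signature's Allow Client Rules option

@dataclass
class Exception_:                      # underscore avoids shadowing the builtin
    sig_id: int
    process: str
    client_created: bool = False       # created in adaptive mode rather than by an administrator

# Behavioral rule from the guide's example; the web server process name is assumed.
def html_shielding(event: Event) -> bool:
    return event.path.lower().endswith(".html") and event.process.lower() != "httpd.exe"

SIGNATURES = [
    Signature(1001, "High", html_shielding),                                   # constructed id
    Signature(1002, "Low", lambda e: e.path.lower().endswith(".log"), False),   # clients may not override
]

def react(event: Event, signatures: list[Signature], exceptions: list[Exception_]) -> list[tuple]:
    """Return (sig_id, reaction) for every signature the event triggers."""
    results = []
    for sig in signatures:
        if not sig.matches(event):
            continue
        reaction = PROTECTION_POLICY[sig.severity]
        for exc in exceptions:
            if exc.sig_id != sig.sig_id or exc.process.lower() != event.process.lower():
                continue
            if exc.client_created and not sig.allow_client_rules:
                continue   # client rule ignored: Allow Client Rules is disabled on this signature
            reaction = IGNORE
            break
        results.append((sig.sig_id, reaction))
    return results
```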
Configuring IPS Policies: Overview of IPS policies
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 32