McAfee HISCDE-AB-IA Product Guide - Page 33
Configuring IPS Policies

Host Intrusion Prevention clients contain a set of IPS signature rules that determine whether activity on the client computer is benign or malicious. When malicious activity is detected, alerts known as events are sent to the ePO server and appear in the Host IPS tab under Reporting. The protection level set for signatures in the IPS Protection policy determines which action a client takes when an event occurs: the reaction can be to ignore, log, or prevent the activity.

Events from legitimate activity that are false positives can be overridden by creating an exception to the signature rule or by qualifying applications as trusted. Clients in adaptive mode automatically create exceptions, called client rules. Administrators can manually create exceptions at any time. Monitoring events and client exception rules helps determine how to tune the deployment for the most effective IPS protection.

Application protection rules

Application protection rules protect defined and generated lists of processes against buffer overflow by permitting or blocking user-level API hooking. Buffer overflow protection is generic for Host Intrusion Prevention and applies to any process that is hooked.

The IPS policy contains a default list of application protection rules for Windows platforms. This list is updated, as needed, whenever you install a content update. You can add network-facing and service-based applications to this list automatically if you have enabled the "Automatically include network-facing and service based applications" option in the IPS Options policy.

Events

IPS events are generated when a client reacts to a triggered signature. Events are logged in the Events tab of the Host IPS tab under Reporting. Administrators can view and monitor these events to analyze system rule violations. They can then adjust event reactions or create exceptions or trusted application rules to reduce the number of events and fine-tune the protection settings.

NOTE: The Host Intrusion Prevention client aggregates events, so not all events are sent to the ePO server. This prevents numerous events that happen within 20 seconds of each other from being repeatedly sent to the server. If an event recurs after 20 seconds, an additional event is reported. Administrators can view all events on the Host IPS tab under Reporting in the ePO console or on the client system.

Enable IPS protection

The IPS Options policy determines how IPS protection is applied. It offers options for Windows and non-Windows platforms.

For all platforms

These options are available for clients on all platforms:

• Host IPS enabled - Select to turn on IPS protection through the enforcement of host IPS rules.

NOTE: This control is also available directly on the client.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 33
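The 20-second event aggregation described in the Events note above, simulated as an added Python example (this is not McAfee code): it shows how a burst of repeated triggers for the same signature and process collapses to a few events at the ePO server, which matters when you read event counts to decide on exceptions. The event fields, the assumption that the window is anchored to the last forwarded event, and the sample timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per the product guide: repeats within 20 seconds are not re-sent to ePO.
AGGREGATION_WINDOW_S = 20.0


@dataclass(frozen=True)
class IpsEvent:
    ts: float          # seconds on a local clock (constructed sample data)
    signature_id: int  # signature that was triggered (constructed id)
    process: str       # process that triggered it
    reaction: str      # "ignore", "log" or "prevent"


def aggregate_events(events: List[IpsEvent],
                     window: float = AGGREGATION_WINDOW_S) -> List[IpsEvent]:
    """Simulate client-side aggregation: for each (signature, process) key,
    forward the first event, suppress repeats within `window` seconds of the
    last forwarded one, and forward again once the window has elapsed.
    Assumption: the window is measured from the last *forwarded* event."""
    last_sent: Dict[Tuple[int, str], float] = {}
    forwarded: List[IpsEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.signature_id, ev.process)
        prev = last_sent.get(key)
        if prev is None or ev.ts - prev > window:
            forwarded.append(ev)
            last_sent[key] = ev.ts
    return forwarded


def aggregation_summary(events: List[IpsEvent],
                        window: float = AGGREGATION_WINDOW_S
                        ) -> Dict[Tuple[int, str], Tuple[int, int]]:
    """Return {(signature_id, process): (raw_count, forwarded_count)} so an
    administrator can see how much a burst was collapsed before reaching ePO."""
    summary: Dict[Tuple[int, str], Tuple[int, int]] = {}
    for ev in events:
        key = (ev.signature_id, ev.process)
        raw, fwd = summary.get(key, (0, 0))
        summary[key] = (raw + 1, fwd)
    for ev in aggregate_events(events, window):
        key = (ev.signature_id, ev.process)
        raw, fwd = summary[key]
        summary[key] = (raw, fwd + 1)
    return summary


# Constructed sample: one signature firing every 2 s for 14 s, again at 25 s
# and 30 s, plus one unrelated signature from another process at 5 s.
SAMPLE = [IpsEvent(2.0 * i, 3700, "svc.exe", "prevent") for i in range(8)]
SAMPLE += [IpsEvent(25.0, 3700, "svc.exe", "prevent"),
           IpsEvent(30.0, 3700, "svc.exe", "prevent"),
           IpsEvent(5.0, 1020, "app.exe", "log")]
```

Running `aggregation_summary(SAMPLE)` shows the ten svc.exe triggers reaching the server as only two events (at 0 s and 25 s), while the single app.exe event is forwarded unchanged.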