McAfee HISCDE-AB-IA Product Guide - Page 44
Application Protection Rules analysis
Page 44 highlights
Configuring IPS Policies
Define IPS protection

is blocked and the process is not protected; if it listens on a port or runs as a service, hooking is permitted and the process is protected.

Figure 1: Application Protection Rules analysis

The IPS component maintains an information cache on running processes, which tracks hooking information. The firewall component determines if a process listens on a network port, calls an API exported by the IPS component, and passes the information to the API to be added to the monitored list.

When the API is called, the IPS component locates the corresponding entry in its running processes list. A process that is not already hooked and is not part of the static block list is then hooked. The firewall provides the PID (Process ID), which is the key for the cache lookup of a process.

The API exported by the IPS component also allows the client user interface to retrieve the list of currently hooked processes, which is updated whenever a process is hooked or unhooked. A hooked process becomes unhooked if the server sends an updated process list that specifies that the already hooked process should no longer be hooked.

When the process hooking list is

44 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
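The bookkeeping described on this page (a running-process cache keyed by PID, a static block list, hooking when the firewall reports a listener, unhooking on a server update), modelled as an added example that is not taken from the McAfee guide or product. All class, method and process names are hypothetical; ignoring unknown PIDs and the image-name format of the server update are assumptions.

```python
# Added model of the hook bookkeeping described above. Every name is hypothetical;
# this is not the product's API. Sample processes are constructed.
from dataclasses import dataclass

@dataclass
class ProcEntry:
    image: str
    hooked: bool = False

class HookCache:
    def __init__(self, static_block_list):
        self.blocked = {n.lower() for n in static_block_list}  # never hooked
        self.by_pid = {}                                       # cache keyed by PID

    def process_started(self, pid, image):
        # PIDs are reused by the OS, so a start always replaces a stale entry.
        self.by_pid[pid] = ProcEntry(image.lower())

    def notify_listening(self, pid):
        """Firewall-side call: this PID listens on a port. True if newly hooked."""
        entry = self.by_pid.get(pid)
        if entry is None:                       # assumption: unknown PID is ignored
            return False
        if entry.hooked or entry.image in self.blocked:
            return False
        entry.hooked = True
        return True

    def apply_server_update(self, unhook_images):
        """Assumed update format: image names that should no longer be hooked."""
        drop = {n.lower() for n in unhook_images}
        changed = [pid for pid, e in self.by_pid.items() if e.hooked and e.image in drop]
        for pid in changed:
            self.by_pid[pid].hooked = False
        return sorted(changed)

    def hooked_processes(self):
        """List a client UI would retrieve."""
        return sorted((pid, e.image) for pid, e in self.by_pid.items() if e.hooked)

def demo():
    cache = HookCache(static_block_list=["blocked.exe"])
    for pid, image in [(100, "httpd.exe"), (200, "blocked.exe"), (300, "sqlsrv.exe")]:
        cache.process_started(pid, image)
    results = [cache.notify_listening(p) for p in (100, 100, 200, 300, 999)]
    unhooked = cache.apply_server_update(["sqlsrv.exe"])
    return results, unhooked, cache.hooked_processes()

if __name__ == "__main__":
    print(demo())
```

Because the PID is the lookup key, the model replaces the cache entry on every process start so that a reused PID does not inherit the hooked state of the process that previously held it.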