McAfee HISCDE-AB-IA Product Guide - Page 46
How IPS exceptions work, Configuring IPS exceptions
Configuring IPS Policies
Define IPS protection

   • Click New. A blank Application page appears.
   • Select a rule and click Duplicate. After naming and saving the new rule, click Edit.

2  Enter the name (required), the status, whether the application rule is included in the protection list, and the executables to which you want to apply the rule.

   NOTE: You can add an existing executable from the Host IPS Catalog by clicking Add From Catalog. For details on the catalog, see How the Host IPS catalog works under Configuring Firewall Policies.

3  Click Save.

How IPS exceptions work

Sometimes behavior that would be interpreted as an attack is a normal part of a user's work routine. An alert on such behavior is called a false positive. To prevent false positives, create an exception for that behavior. Exceptions enable you to reduce false positive alerts, minimize needless data flowing to the console, and ensure that the alerts that remain are legitimate security threats.

For example, during the process of testing clients, a client recognizes the Outlook Envelope Suspicious Executable Mod. signature. This signature signals that the Outlook e-mail application is attempting to modify an application outside the envelope of usual resources for Outlook. An event triggered by this signature is therefore cause for alarm, because Outlook might be modifying an application not normally associated with e-mail, for example, Notepad.exe. In this instance, you might reasonably suspect that a Trojan horse has been planted. But if the process initiating the event is normally responsible for sending e-mail, for example, saving a file with Outlook.exe, you need to create an exception that allows this action.

   TIP: If you create a custom signature that prevents modification of files (editing, renaming, deleting) in a particular folder, but you want to allow a single application to make modifications, create an exception that allows that application to change the files. Alternatively, add a parameter to the custom signature's subrule with the application set to Exclude.

Configuring IPS exceptions

Edit, add, and delete exceptions, and move exceptions to another policy, from the Exceptions tab of the IPS Rules policy.

Task
For option definitions, click ? in the interface.

1  Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Rules in the Category list. The list of policies appears.

2  Under Actions, click Edit to make changes on the IPS Rules page, then click the Exception Rules tab.

3  Perform any of the following operations:

   To...                               | Do this...
   ------------------------------------|------------------------------------------------------------------
   Find an exception rule in the list  | Use the filters at the top of the exception list. You can filter on rule status, modified date, or specific text that includes rule or notes text. Click Clear to remove filter settings.

46 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
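The two ways the TIP gives for allowing one application past a folder-protection signature (an exception rule, or an Exclude parameter on the subrule) are easiest to compare in a small model. The following is an added example written for this page, not McAfee Host IPS code: it is a hypothetical simplification of signature and exception matching, and the class names, the exclude_processes field, the sample paths and the three constructed events are all assumptions. It shows that an exception scoped to one process suppresses only that process, so the same signature still alerts on any other process touching the folder, and that the Exclude parameter yields the same result.

```python
"""Toy model of how an IPS exception narrows a signature.

Added example for this page: a hypothetical simplification, not McAfee Host
IPS code, and not a reproduction of the product's rule engine. Names such as
Signature, ExceptionRule, exclude_processes and the sample paths are
constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    process: str    # executable that initiated the action
    target: str     # file or application being acted on
    operation: str  # "modify", "rename" or "delete"


@dataclass(frozen=True)
class Signature:
    """A custom signature that fires when an event matches its subrule.

    exclude_processes models the subrule parameter with the application set
    to Exclude (hypothetical field; the product expresses this in its UI).
    """
    name: str
    target_pattern: str
    operations: frozenset
    exclude_processes: frozenset = frozenset()

    def matches(self, ev: Event) -> bool:
        if ev.operation not in self.operations:
            return False
        if not fnmatchcase(ev.target.lower(), self.target_pattern.lower()):
            return False
        excluded = {p.lower() for p in self.exclude_processes}
        return ev.process.lower() not in excluded


@dataclass(frozen=True)
class ExceptionRule:
    """Suppresses one signature for one process (None means any process)."""
    signature: str
    process: Optional[str] = None
    enabled: bool = True


def is_excepted(ev: Event, sig_name: str, exceptions) -> bool:
    """True if an enabled exception covers this signature and this process."""
    for ex in exceptions:
        if not ex.enabled or ex.signature != sig_name:
            continue
        if ex.process is None or ex.process.lower() == ev.process.lower():
            return True
    return False


def evaluate(events, signatures, exceptions) -> List[Tuple[str, Event]]:
    """Return the (signature name, event) pairs that would raise an alert."""
    return [
        (sig.name, ev)
        for ev in events
        for sig in signatures
        if sig.matches(ev) and not is_excepted(ev, sig.name, exceptions)
    ]


# Constructed sample: a custom signature protecting one folder, and three
# events, only one of which comes from the application that should be allowed.
PROTECT_FINANCE = Signature(
    name="Protect Finance Folder",
    target_pattern=r"C:\Finance\*",
    operations=frozenset({"modify", "rename", "delete"}),
)
EVENTS = [
    Event("Accounting.exe", r"C:\Finance\ledger.xlsx", "modify"),  # legitimate
    Event("unknown.exe", r"C:\Finance\ledger.xlsx", "delete"),     # suspicious
    Event("Accounting.exe", r"C:\Temp\notes.txt", "modify"),       # outside folder
]


def alerts_without_exception():
    return evaluate(EVENTS, [PROTECT_FINANCE], [])


def alerts_with_exception():
    """Option 1 from the TIP: an exception scoped to the one application."""
    allow = ExceptionRule(PROTECT_FINANCE.name, process="accounting.exe")
    return evaluate(EVENTS, [PROTECT_FINANCE], [allow])


def alerts_with_exclude_parameter():
    """Option 2 from the TIP: exclude the application in the subrule itself."""
    sig = Signature(
        PROTECT_FINANCE.name,
        PROTECT_FINANCE.target_pattern,
        PROTECT_FINANCE.operations,
        exclude_processes=frozenset({"accounting.exe"}),
    )
    return evaluate(EVENTS, [sig], [])


if __name__ == "__main__":
    for label, fn in [("no exception", alerts_without_exception),
                      ("exception rule", alerts_with_exception),
                      ("exclude parameter", alerts_with_exclude_parameter)]:
        print(label, [ev.process for _, ev in fn()])
```

Run stand-alone, the script prints two alerts with no exception (Accounting.exe and unknown.exe), and a single alert for unknown.exe under either the exception rule or the Exclude parameter; the event outside the protected folder never fires. The point for a defender is that both mechanisms keep the signature active for every other process, whereas disabling the signature to silence one false positive would not.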