McAfee HISCDE-AB-IA Product Guide - Page 48
Managing IPS events, Menu | Reporting | Host IPS 8.0, Events
Configuring IPS Policies
Monitor IPS events

Reacting to events

Under certain circumstances, behavior that is interpreted as an attack can be a normal part of a user's work routine. When this occurs, you can create an exception rule or a trusted application rule for that behavior. Creating exceptions and trusted applications lets you reduce false positive alerts and ensures that the notifications you receive are meaningful.

For example, when testing clients, you might find clients recognizing the email access signature. Typically, an event triggered by this signature is cause for alarm. Hackers can install Trojan applications that use TCP/IP port 25, which is typically reserved for email applications, and this activity would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal email traffic might also match this signature. When you see this signature, investigate the process that initiated the event. If the process is one that is not normally associated with email, like Notepad.exe, you might reasonably suspect that a Trojan was planted. If the process initiating the event is normally responsible for sending email (for example, Outlook), create an exception for that event.

You might also find, for example, that a number of clients are triggering the startup programs signature, which indicates the modification or creation of a value under the registry keys:

HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce

Because the values stored under these keys indicate programs that are started when the computer starts up, recognition of this signature might indicate that someone is attempting to tamper with the system. Or it might indicate something as benign as one of your employees installing WinZip on their computer: the installation of WinZip adds a value to the Run registry key.

To eliminate the triggering of events every time someone installs authorized software, you create exceptions for these events.

Filtering and aggregating events

Applying filters generates a list of events that satisfies all of the variables defined in the filter criteria; the result is a list of events that matches all of the criteria. Aggregating events generates a list of events grouped by the value associated with each of the variables selected in the "Select columns to aggregate" dialog box; the result is a list of events displayed in groups and sorted by the value associated with the selected variables.

Managing IPS events

Viewing IPS events coming from clients and creating exceptions or trusted applications from them helps tune and tighten security.

NOTE: IPS events also appear on the Event Log tab under Reporting, combined with all other events for all systems. Access to the events tabs under Reporting requires additional permission sets, including view permissions for Event Log, Systems, and System Tree access.

Task
For option definitions, click ? in the interface.

1 Click Menu | Reporting | Host IPS 8.0, then click Events.
2 Select the group in the System Tree for which you want to display IPS events. All events associated with the group appear. By default, not all events are displayed: only events from the last 30 days appear.

48 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
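The triage reasoning from "Reacting to events" (Port 25 activity from a mail client versus Notepad.exe; a Run/RunOnce write by an authorized installer versus an unknown process) and the grouping from "Filtering and aggregating events", as an added example that is not from the product guide or from McAfee. The event field names, signature strings, allow lists and sample events are constructed assumptions, not the ePO event schema.

```python
"""Triage and aggregation of constructed Host IPS-style events: a Port 25 or
Startup Programs event is an exception candidate when the initiating process
legitimately does that work, and is flagged for investigation otherwise."""
from collections import Counter

SMTP_SIG = "TCP/IP Port 25 Activity (SMTP)"    # assumed signature name
STARTUP_SIG = "Startup Programs"                # assumed signature name
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed: processes that send email
AUTHORIZED_INSTALLERS = {"winzip_setup.exe"}       # assumed: may add Run entries
STARTUP_KEYS = ("software\\microsoft\\windows\\currentversion\\run",
                "software\\microsoft\\windows\\currentversion\\runonce")

# Constructed sample events, not real ePO output.
SAMPLE_EVENTS = [
    {"host": "ws01", "signature": SMTP_SIG, "process": "outlook.exe", "target": "tcp/25"},
    {"host": "ws02", "signature": SMTP_SIG, "process": "notepad.exe", "target": "tcp/25"},
    {"host": "ws03", "signature": STARTUP_SIG, "process": "winzip_setup.exe",
     "target": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run/WinZip"},
    {"host": "ws04", "signature": STARTUP_SIG, "process": "updater.exe",
     "target": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\upd"},
]

def is_startup_key(path):
    """True when the registry value sits directly under Run or RunOnce (either slash style)."""
    parent = path.lower().replace("/", "\\").rsplit("\\", 1)[0]
    return any(parent.endswith(key) for key in STARTUP_KEYS)

def triage(event):
    """Return ('exception', reason) or ('investigate', reason) for one event."""
    sig, proc = event["signature"], event["process"].lower()
    if sig == SMTP_SIG:
        if proc in MAIL_CLIENTS:
            return "exception", f"{proc} normally sends email"
        return "investigate", f"{proc} is not normally associated with email"
    if sig == STARTUP_SIG:
        if not is_startup_key(event["target"]):
            return "investigate", "startup event outside Run/RunOnce"
        if proc in AUTHORIZED_INSTALLERS:
            return "exception", f"{proc} is an authorized installer"
        return "investigate", f"{proc} wrote a startup entry"
    return "investigate", "no triage rule for this signature"

def aggregate(events, columns):
    """Group events by the selected columns, like 'Select columns to aggregate'."""
    return dict(Counter(tuple(e[c] for c in columns) for e in events))

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["host"], *triage(e), aggregate(SAMPLE_EVENTS, ["signature"]))
```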