McAfee HISCDE-AB-IA Product Guide - Page 48



Reacting to events
Under certain circumstances, behavior that is interpreted as an attack can be a normal part of
a user’s work routine. When this occurs, you can create an exception rule or a trusted application
rule for that behavior.
Creating exceptions and trusted applications allows you to diminish false positive alerts, and
ensures that the notifications you receive are meaningful.
For example, when testing clients, you might find clients recognizing the signature email access.
Typically, an event triggered by this signature is cause for alarm. Hackers can install Trojan
applications that use TCP/IP Port 25 typically reserved for email applications, and this action
would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal
email traffic might also match this signature. When you see this signature, investigate the
process that initiated the event. If the process is one that is not normally associated with email,
like Notepad.exe, you might reasonably suspect that a Trojan was planted. If the process
initiating the event is normally responsible for sending email (for example, Outlook), create an
exception to that event.
You might also find, for example, that a number of clients are triggering the signature startup
programs, which indicates the modification or creation of a value under the registry keys:
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce
As the values stored under these keys indicate programs that are started when the computer
starts up, recognition of this signature might indicate that someone is attempting to tamper
with the system. Or it might indicate something as benign as one of your employees installing
WinZip on their computer. The installation of WinZip adds a value to the Run registry key.
To eliminate the triggering of events every time someone installs authorized software, you
create exceptions for these events.
Filtering and aggregating events
Applying filters generates a list of events that satisfies all of the variables defined in the filter
criteria. The result is a list of events that includes all of the criteria. Aggregating events generates
a list of events grouped by the value associated with each of the variables selected in the "Select
columns to aggregate" dialog box. The result is a list of events displayed in groups and sorted
by the value associated with the selected variables.
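The triage and reporting logic described in the two sections above (decide whether an event is an exception candidate or needs investigation by looking at the initiating process; filter with AND-ed criteria; aggregate by selected columns), as an added example that is not part of the McAfee guide or product. The event records, the signature name "Startup Programs" and the per-signature allow-list are constructed assumptions.

```python
from collections import Counter

# Constructed sample records modelled on the event fields the guide discusses
# (signature, initiating process, registry target). Not real ePO data.
SAMPLE_EVENTS = [
    {"host": "ws01", "signature": "TCP/IP Port 25 Activity (SMTP)", "process": "outlook.exe", "target": "tcp/25"},
    {"host": "ws02", "signature": "TCP/IP Port 25 Activity (SMTP)", "process": "notepad.exe", "target": "tcp/25"},
    {"host": "ws03", "signature": "Startup Programs", "process": "winzip64.exe",
     "target": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run"},
    {"host": "ws04", "signature": "Startup Programs", "process": "updater.tmp.exe",
     "target": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce"},
    {"host": "ws01", "signature": "Startup Programs", "process": "winzip64.exe",
     "target": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run"},
]

# Assumed allow-list: per signature, the processes for which the behaviour is a normal
# part of work (Outlook sending mail, an authorised installer adding a Run value).
EXPECTED_PROCESSES = {
    "TCP/IP Port 25 Activity (SMTP)": {"outlook.exe"},
    "Startup Programs": {"winzip64.exe"},
}

def filter_events(events, **criteria):
    """A filter keeps only the events that satisfy ALL of the given field/value pairs."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def aggregate(events, columns):
    """Group events by the chosen columns and count them, most frequent group first."""
    counts = Counter(tuple(e.get(c, "") for c in columns) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def classify(event, expected=EXPECTED_PROCESSES):
    """'exception-candidate' when the initiating process is expected for this signature,
    otherwise 'investigate' (e.g. Notepad.exe talking on port 25)."""
    allowed = expected.get(event["signature"], set())
    return "exception-candidate" if event["process"].lower() in allowed else "investigate"

def triage(events, expected=EXPECTED_PROCESSES):
    """Split events into the two verdicts so the analyst sees what needs a look first."""
    out = {"investigate": [], "exception-candidate": []}
    for e in events:
        out[classify(e, expected)].append(e)
    return out

if __name__ == "__main__":
    for verdict, evs in triage(SAMPLE_EVENTS).items():
        for e in evs:
            print(f"{verdict:20} {e['host']}  {e['signature']}  <- {e['process']}")
    print(aggregate(SAMPLE_EVENTS, ["signature", "process"]))
```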
Managing IPS events
Viewing IPS events coming from clients and creating exceptions or trusted applications from
them helps tune and tighten security.
NOTE: IPS events also appear on the Event Log tab under Reporting, combined with all other
events for all systems. Access to the events tabs under Reporting requires additional permission
sets, including view permissions for Event Log, Systems, and System Tree access.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Host IPS 8.0, then click Events.
2 Select the group in the System Tree for which you want to display IPS events. All events
associated with the group appear. By default, not all events are displayed. Only events
over the last 30 days appear.
Configuring IPS Policies
Monitor IPS events
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
48