McAfee HISCDE-AB-IA Product Guide - Page 87
Working with Host Intrusion Prevention Clients
Overview of the Windows client

Responding to Firewall alerts

If you enable firewall protection and the learn mode for either incoming or outgoing traffic, a firewall alert appears, and the user needs to respond to it. The Application Information section displays information about the application attempting network access, including application name, path, and version. The Connection Information section displays information about the traffic protocol, address, and ports.

NOTE: Previous and Next buttons are available in the Connection Information section if additional protocol or port information for an application is available. Previous and Next buttons are available at the bottom of the dialog box if more than one alert has been sent.

Task

1 In the alert dialog box, do one of the following:
• Click Deny to block this and all similar traffic.
• Click Allow to permit this and all similar traffic through the firewall.

2 Optional: Select options for the new firewall rule:

Select...: Create a firewall application rule for all ports and services
To do this...: Create a rule to allow or block an application's traffic over any port or service. If you do not select this option, the new firewall rule allows or blocks only specific ports:
• If the intercepted traffic uses a port lower than 1024, the new rule allows or blocks only that specific port.
• If the traffic uses port 1024 or higher, the new rule allows or blocks the range of ports from 1024 to 65535.

Select...: Remove this rule when the application terminates
To do this...: Create a temporary allow or block rule that is deleted when the application is closed. If you do not select this option, the new firewall rule is created as a permanent client rule.

Host Intrusion Prevention creates a new firewall rule based on the options selected, adds it to the Firewall Rules policy list, and automatically allows or blocks similar traffic.
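
The port scope described above, modelled as an added example for reviewing the rules that learn-mode responses produce (this is not code from McAfee or from this guide). Assumptions: the names ClientRule, derive_rule and review are hypothetical, the application paths and responses are constructed, and "all ports and services" is modelled as ports 0 to 65535.

```python
from dataclasses import dataclass

MAX_PORT = 65535

@dataclass(frozen=True)
class ClientRule:
    app_path: str
    action: str       # "allow" or "deny"
    port_low: int
    port_high: int
    temporary: bool   # True: rule is deleted when the application closes

    @property
    def port_count(self) -> int:
        return self.port_high - self.port_low + 1

    def covers(self, app_path: str, port: int) -> bool:
        return app_path == self.app_path and self.port_low <= port <= self.port_high

def derive_rule(app_path, port, action, all_ports=False, temporary=False):
    """Scope of the rule created from one alert response, per the guide's text."""
    if action not in ("allow", "deny") or not 0 <= port <= MAX_PORT:
        raise ValueError("invalid action or port")
    if all_ports:            # assumption: modelled as every port number
        low, high = 0, MAX_PORT
    elif port < 1024:        # intercepted port below 1024: that port only
        low, high = port, port
    else:                    # port 1024 or higher: the whole 1024-65535 range
        low, high = 1024, MAX_PORT
    return ClientRule(app_path, action, low, high, temporary)

def review(rules):
    """Permanent allow rules wider than one port: candidates for tightening."""
    return [r for r in rules
            if r.action == "allow" and not r.temporary and r.port_count > 1]

# Constructed learn-mode responses: (path, port, action, all_ports, temporary)
RESPONSES = [
    (r"C:\Tools\sync.exe", 443, "allow", False, False),
    (r"C:\Tools\sync.exe", 50123, "allow", False, False),
    (r"C:\Tools\updater.exe", 8080, "allow", False, True),
    (r"C:\Tools\chat.exe", 25, "allow", True, False),
]
RULES = [derive_rule(*resp) for resp in RESPONSES]

if __name__ == "__main__":
    for rule in review(RULES):
        print(f"{rule.app_path}: allow {rule.port_low}-{rule.port_high} "
              f"({rule.port_count} ports, permanent)")
```

The second constructed response shows the effect to watch for: allowing one connection on port 50123 without further options yields a permanent rule covering 64512 ports for that application.
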

Responding to Spoof Detected alerts

If you enable firewall protection, a spoof alert automatically appears if Host Intrusion Prevention detects an application on your computer sending out spoofed network traffic, and a user needs to respond to it. This means that the application is trying to make it seem like traffic from your computer actually comes from a different computer. It does this by changing the IP address in the outgoing packets. Spoofing is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic.

NOTE: The Spoof Detected Alert dialog box appears only if you select the Display pop-up alert option. If you do not select this option, Host Intrusion Prevention automatically blocks the spoofed traffic without notifying you.

The Spoof Detected Alert dialog box is very similar to the firewall feature's Learn Mode alert. It displays information about the intercepted traffic in two areas - the Application Information section, and the Connection Information section.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 87