Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

More documents

Recommendations

Info

Managing Your Protection Management of information You can produce queries for a group of selected client systems, or limit report results by product or system criteria. You can export reports into a variety of file formats, including HTML and Microsoft Excel. Your options include: • Setting a filter to gather only selected information. Choose which group or tags to include in the report. • Setting a data filter using logical operators, to define precise filters on the data returned by the report. • Generating graphical reports from the information in the database, and filter the reports as needed. You can print the reports and export them to other software. • Running queries of computers, events, and installations. Predefined and custom queries to analyze your protection The reporting feature contains predefined queries from Host Intrusion Prevention and allows you to create custom queries. You can organize and maintain these queries to suit your needs. For example, if you customize settings for a report, you can export these settings as a template. You can also create custom templates and organize templates in logical groupings. For example, you can group queries that you run daily, weekly, and monthly. After a report is generated, you view summary information, as determined by the filter, if any, that you have set. From the summary information you can drill down to one or two levels for detailed information, all in the same report. You can control how much report information is visible to different users; for example, global administrators versus other users. Some users can only view reports on systems in sites where they have permissions. Report information is also controlled by applying filters. Custom queries You can create threeHost IPS queries with the Query Builder wizard: Application Blocking Client Rules, Firewall Client Rules, and IPS Client Rules. Query parameters include: Application Blocking Client Rules Firewall Client Rules IPS Client Rules • Create Reaction • Creation Date • Creation Date • Creation Date • Direction • Enabled • Enabled • Domain List • Full Process Name • Full Process Name • Effective Reaction • Include All Processes • Hash • Enabled • Include All signatures • Hook Reaction • End Time • Include All Users • Local Version • Full Process Name • Last Modified Date • Modified Date • Hash • Local Version • Process Eval Option • IP Protocol • Process Name • Process Name • Local Service • Process Path • Process Path • Local Service type • Reaction • Local Version • Signature ID • Log Status • User Name • Match Intrusion • Modified Date 14 McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
Managing Your Protection Management of information Application Blocking Client Rules Firewall Client Rules • Non-IP Protocol • Process Eval Option • Process Name • Process Path • Props schema ID • Reaction • Remote Address • Remote Address Type • Remote Service • Rule Name • Start Time • Switch When Expired • Time Restriction • Time Task IPS Client Rules In addition, you can create queries using these Host IPS properties: • Agent type • Firewall Status • Application Blocking Adaptive Mode Status • IPS Status • Application Blocking Learn Mode Status • Install Directory • Application Blocking Status • IPS Adaptive Mode Status • Blocked Attackers • Language • Client Version • Local Exception Rule Count • Content Version • NIPS Status • Firewall Adaptive Mode Status • Plug-in Version • Firewall Inbound Learn Mode Status • Product Status • Firewall Outbound Learn Mode Status • Service Running • Firewall Rule Count Pre-defined queries Select from these Host IPS queries: HIP Query App Block Create Status App Block Hook Status Client Versions Content Versions Firewall Status Host IPS Status Service Status Count of AB Client rules Count of FW Client Rules Summary Displays where Application Blocking Creation is enabled on managed systems. Displays where Application Blocking Hooking is enabled or disabled on managed systems. Displays top three client versions with a single category for all other versions. Displays top three content versions with a single category for all other versions. Displays where Firewall protection is enabled or disabled on managed systems. Displays where IPS protection is enabled or disabled on managed systems. Displays where Host IPS is installed and an update has occurred in the last week on managed systems. Displays the number of Application Blocking client rules created over time. Displays the number of Firewall client rules created over time. McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0 15
Page 1 and 2: McAfee Host Intrusion Prevention 7.
Page 3 and 4: Contents Introducing Host Intrusion
Page 5 and 6: Contents Creating firewall rule gro
Page 7 and 8: Introducing Host Intrusion Preventi
Page 13: Managing Your Protection Management
Page 17 and 18: Managing Your Protection Management
Page 25 and 26: Configuring IPS Policies Overview o
Page 27 and 28: Configuring IPS Policies Working wi
Page 45 and 46: Configuring Firewall Policies The F
Page 47 and 48: Configuring Firewall Policies Overv
Page 57 and 58: Configuring Firewall Policies Worki
Page 65 and 66:
Configuring Firewall Policies Worki
Page 67 and 68:
Configuring Firewall Policies Worki
Page 69 and 70:
Configuring Application Blocking Po
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Configuring General Policies Workin
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Working with Host Intrusion Prevent
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Index clients (continued) updating
Page 109 and 110:
Index McAfee Default policy (contin
Page 111 and 112:
Index T troubleshooting, Host IPS C
show all

Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

Create successful ePaper yourself

Delete template?

Save as template?