Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Managing Your Protection
Management of systems
Host IPS server tasks
Host Intrusion Prevention provides a single server task that enables review and promotion of client rules to administrative policy.
Property Translator
The Property Translator server task translates Host Intrusion Prevention client rules that are stored in the ePolicy Orchestrator database so that Host Intrusion Prevention can sort, group, and filter that data. The task runs automatically every 15 minutes and requires no user interaction. You can, however, select it and run it immediately if needed. For more information on server tasks, see the ePolicy Orchestrator 4.0 documentation.
Notifications for Host IPS events
Notifications can alert you to any events that occur on Host Intrusion Prevention client systems. You can configure rules to send email or SNMP traps, or run external commands, when specific events are received and processed by the ePolicy Orchestrator server. You can specify the event categories that generate a notification message and the frequency with which notifications are sent. For complete details, see the ePolicy Orchestrator 4.0 documentation.
How notifications work
In the Host Intrusion Prevention environment, when events occur they are delivered to the ePolicy Orchestrator server. Notification rules are associated with the group or site that contains the affected systems, and are applied to the events. If the conditions of a rule are met, a notification message is sent, or an external command is run, as specified by the rule.
You can configure independent rules at different levels of the System Tree. You can also control when notification messages are sent by setting thresholds that are based on aggregation (how many matching events must occur within a time window before a notification is generated) and throttling (the minimum interval between successive notifications from the same rule).
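The following is an added illustration, not McAfee code or a description of the ePO 4.0 implementation: a small model of how a notification rule bound to a System Tree group can evaluate incoming events with an aggregation threshold and a throttle. The event fields, rule parameters, group paths and the sample event stream are all constructed assumptions; a real ePO deployment would drive the email, SNMP or external-command action from the rule's own configuration.

```python
"""Toy model of System Tree-scoped notification rules with aggregation and throttling.

Added example, not McAfee ePO code. Assumptions: an event carries a category,
the System Tree path of the affected system and a timestamp (seconds); a rule
bound to a group also covers that group's descendants; `aggregate_count`
matching events inside `aggregate_window` seconds are needed before a
notification fires; `throttle_interval` caps how often one rule can notify.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Event:
    time: float      # constructed timestamp in seconds
    category: str    # e.g. "Intrusion detected"
    group: str       # System Tree path of the affected system (assumed format)
    system: str      # affected system name


@dataclass
class NotificationRule:
    name: str
    group: str                      # rule applies to this group and its descendants
    category: str
    aggregate_count: int = 1        # fire only after this many matching events ...
    aggregate_window: float = 0.0   # ... within this many seconds (0 = no window)
    throttle_interval: float = 0.0  # at most one notification per this many seconds
    action: Optional[Callable[[str], None]] = None  # email / SNMP / command hook
    _pending: List[float] = field(default_factory=list)
    _last_sent: Optional[float] = None

    def matches(self, ev: Event) -> bool:
        in_scope = ev.group == self.group or ev.group.startswith(self.group + "/")
        return in_scope and ev.category == self.category

    def process(self, ev: Event) -> Optional[str]:
        """Return the notification text if this event triggers one, else None."""
        if not self.matches(ev):
            return None
        # Aggregation: keep only matching events inside the sliding window.
        self._pending.append(ev.time)
        if self.aggregate_window > 0:
            cutoff = ev.time - self.aggregate_window
            self._pending = [t for t in self._pending if t >= cutoff]
        if len(self._pending) < self.aggregate_count:
            return None
        # Throttling: suppress while the previous notification is too recent;
        # the pending events are kept so a later event can still report them.
        if self._last_sent is not None and ev.time - self._last_sent < self.throttle_interval:
            return None
        self._last_sent = ev.time
        count, self._pending = len(self._pending), []
        msg = f"[{self.name}] {count} x '{self.category}' in {self.group} (latest: {ev.system})"
        if self.action:
            self.action(msg)
        return msg


def run_rules(rules: List[NotificationRule], events: List[Event]) -> List[str]:
    """Feed events to every rule in time order; return the notifications sent."""
    sent = []
    for ev in sorted(events, key=lambda e: e.time):
        for rule in rules:
            msg = rule.process(ev)
            if msg:
                sent.append(msg)
    return sent


# Constructed sample stream (not captured from a real ePO server).
SERVERS, WORKSTATIONS, WEB = ("My Organization/Servers",
                              "My Organization/Workstations",
                              "My Organization/Servers/Web")
SAMPLE_EVENTS = [
    Event(0, "Intrusion detected", SERVERS, "srv01"),
    Event(30, "Intrusion detected", SERVERS, "srv02"),
    Event(45, "Intrusion detected", SERVERS, "srv01"),     # third in 60 s: notify
    Event(50, "Intrusion detected", SERVERS, "srv03"),
    Event(55, "Intrusion detected", SERVERS, "srv03"),
    Event(58, "Intrusion detected", SERVERS, "srv03"),     # threshold met but throttled
    Event(100, "Normal operation", SERVERS, "srv01"),      # category not covered
    Event(200, "Policy enforcement failed", WEB, "web01"), # child group of rule scope
    Event(700, "Intrusion detected", WORKSTATIONS, "ws01"),# outside rule scope
    Event(700, "Intrusion detected", SERVERS, "srv02"),
    Event(710, "Intrusion detected", SERVERS, "srv02"),
    Event(720, "Intrusion detected", SERVERS, "srv02"),    # throttle expired: notify
]


def run_demo() -> List[str]:
    rules = [
        NotificationRule("ips-burst", SERVERS, "Intrusion detected",
                         aggregate_count=3, aggregate_window=60, throttle_interval=600),
        NotificationRule("policy-fail", "My Organization", "Policy enforcement failed"),
    ]
    return run_rules(rules, SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The burst at 50-58 s satisfies the aggregation threshold but is suppressed by the 600 s throttle, and the rule scoped to the root group fires for an event in a descendant group, which is the System Tree inheritance the section describes. In a deployment the `action` hook is where the configured email, SNMP trap or external command would be invoked.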
ePolicy Orchestrator provides default rules that you can enable for immediate use. Before enabling any of the default rules:
1 Specify the email server from which the notification messages are sent.
2 Check that the recipient email address is the one you want to receive email messages.
Notification rules
You can create rules for many event categories, including:
• Access Protection rule violation detected and blocked
• Access Protection rule violation detected and NOT blocked
• Computer placed in quarantine mode
• Email content filtered or blocked
• Intrusion detected
• Non-compliant computer detected
• Normal operation
• Policy enforcement failed
• Repository update or replication failed
• Software deployment failed
• Software deployment succeeded
• Software failure or error
• Unknown category
• Update/upgrade failed
• Update/upgrade succeeded
All rules are created in the same basic manner:
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
21