Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Managing Your Protection
Management of systems

1 Describe the rule.
2 Set filters for the rule.
3 Set thresholds for the rule.
4 Create the message to be sent and the type of delivery.
Notification categories

Host Intrusion Prevention supports the following product-specific notification categories:

• Host Intrusion detected and handled
• Network Intrusion detected and handled
• Application blocked
• Quarantined computer update failed
• Unknown

Notifications can be configured for all or none of the Host (or Network) IPS signatures. Host Intrusion Prevention supports the specification of a single IPS signature ID as the threat or rule name in the notification rule configuration. By internally mapping the signature ID attribute of an event to the threat name, a rule is created to uniquely identify an IPS signature.
The specific mappings of Host Intrusion Prevention parameters allowed in the subject/body of a message include:

Parameters                  | Host and Network IPS Event Values               | Blocked Application Event Values | Quarantine Event Values
Actual threat or rule names | SignatureID                                     | none                             | none
Source systems              | Remote IP address                               | computer name                    | computer name
Affected objects            | Process Name                                    | Application name                 | IP address of computer
Time notification sent      | Incident time                                   | Incident time                    | Incident time
Event IDs                   | ePO mapping of event ID                         | ePO mapping of event ID          | ePO mapping of event ID
AdditionalInformation       | Localized Signature Name (from client computer) | Application full path            | none
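The following is an added illustration of how a notification rule built with the four steps above selects Host IPS events and fills its message from the parameter table; it is example code, not McAfee's or ePO's own implementation. The Event and NotificationRule structures, the field names, the message template syntax and all sample values (signature ID 1234, addresses, event IDs, times) are assumptions constructed for the example; only the category names and the parameter-to-value mapping come from the guide.

```python
from dataclasses import dataclass
from typing import Optional

# The five product-specific notification categories named in the guide.
CATEGORIES = {
    "Host Intrusion detected and handled",
    "Network Intrusion detected and handled",
    "Application blocked",
    "Quarantined computer update failed",
    "Unknown",
}


@dataclass
class Event:
    """One event as the parameter table describes it (field names are assumed)."""
    category: str
    source: str                         # remote IP address or computer name
    affected: str                       # process name, application name or IP address
    incident_time: str
    epo_event_id: int                   # the ePO mapping of the event ID
    signature_id: Optional[int] = None  # only Host/Network IPS events carry one
    additional: str = "none"            # localized signature name, app path, or none


@dataclass
class NotificationRule:
    """Steps 2-4 of the procedure: filters, threshold, message template."""
    categories: set
    threat_name: Optional[str] = None   # a single IPS signature ID, as the guide allows
    threshold: int = 1                  # matching events needed before a message is sent
    template: str = "{threat} on {source}: {affected} at {time} (event {event_id})"


def threat_name_for(event: Event) -> str:
    """The guide maps the event's signature ID attribute to the threat name;
    categories without a signature ID show 'none', as in the table."""
    return "none" if event.signature_id is None else str(event.signature_id)


def rule_matches(rule: NotificationRule, event: Event) -> bool:
    """Step 2 filter: category must be known and selected; an optional
    threat name pins the rule to exactly one signature ID."""
    if event.category not in CATEGORIES or event.category not in rule.categories:
        return False
    if rule.threat_name is not None and threat_name_for(event) != rule.threat_name:
        return False
    return True


def render_message(rule: NotificationRule, event: Event) -> str:
    """Step 4: substitute the allowed parameters into the subject/body."""
    return rule.template.format(
        threat=threat_name_for(event),
        source=event.source,
        affected=event.affected,
        time=event.incident_time,
        event_id=event.epo_event_id,
        additional=event.additional,
    )


def evaluate(rule: NotificationRule, events: list) -> list:
    """Messages the rule would send for a batch of events; an empty list when
    fewer matching events than the step-3 threshold arrived."""
    matched = [e for e in events if rule_matches(rule, e)]
    if len(matched) < rule.threshold:
        return []
    return [render_message(rule, e) for e in matched]


# Constructed sample events: signature IDs, names, addresses and IDs are made up.
SAMPLE_EVENTS = [
    Event("Host Intrusion detected and handled", "192.0.2.10", "example.exe",
          "2008-01-01 10:00", 18000, signature_id=1234,
          additional="Localized Signature Name"),
    Event("Host Intrusion detected and handled", "192.0.2.11", "other.exe",
          "2008-01-01 10:05", 18000, signature_id=5678),
    Event("Application blocked", "WORKSTATION-01", "C:\\Program Files\\App\\app.exe",
          "2008-01-01 10:10", 18001, additional="C:\\Program Files\\App\\app.exe"),
]

# A rule pinned to one signature ID, and one that needs two blocked-app events.
SIGNATURE_RULE = NotificationRule({"Host Intrusion detected and handled"}, threat_name="1234")
APP_RULE = NotificationRule({"Application blocked"}, threshold=2)

if __name__ == "__main__":
    for msg in evaluate(SIGNATURE_RULE, SAMPLE_EVENTS):
        print(msg)
```

The signature-pinned rule produces one message for the 1234 event and none for 5678, and the blocked-application rule stays silent because only one such event arrived, below its threshold; for that category the threat field renders as "none", matching the table.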
Host IPS protection updates

Host Intrusion Prevention supports multiple versions of client content and code, with the latest available content appearing in the ePO console. New content is always supported in subsequent versions, so content updates contain mostly new information or minor modifications to existing information.

Updates are handled by a content update package. This package contains content version information and updating scripts. Upon check-in, the package version is compared to the version of the most recent content information in the database. If the package is newer, the scripts from this package are extracted and executed. This new content information is then passed to clients at the next agent-server communication.

NOTE: Host Intrusion Prevention content updates must be checked into the ePO master repository for distribution to clients. Host Intrusion Prevention clients obtain updates only through communication with the ePO server, and not directly through FTP or HTTP protocols.

The basic process includes checking in the update package to the ePO master repository, then sending the updated information to the clients.
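As an added model of the check-in flow just described (example code, not McAfee's), the block below shows the consequence of the "only if newer" comparison: a package whose version is equal to or older than the content already in the database has its scripts left unexecuted, and clients pick up content only at an agent-server communication. The ContentPackage, EpoRepository and Client classes, the version tuple format and the script names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ContentPackage:
    """A content update package: version information plus updating scripts."""
    version: tuple   # e.g. (7, 0, 0, 1); the tuple format is an assumption
    scripts: list    # names of the updating scripts it carries (constructed)


@dataclass
class EpoRepository:
    """The ePO master repository and the content version recorded in the database."""
    db_version: tuple = (0,)
    executed_scripts: list = field(default_factory=list)

    def check_in(self, package: ContentPackage) -> bool:
        """Compare the package version with the newest content in the database;
        extract and run its scripts only when the package is newer. Returns
        whether anything was applied."""
        if package.version <= self.db_version:
            return False  # same or older content: scripts are not executed
        self.executed_scripts.extend(package.scripts)
        self.db_version = package.version
        return True


@dataclass
class Client:
    """A Host IPS client; it holds whatever content version it last received."""
    content_version: tuple = (0,)

    def agent_server_communication(self, repo: EpoRepository) -> bool:
        """The only channel through which a client obtains content, per the guide
        (no direct FTP/HTTP). Returns whether the client received newer content."""
        if repo.db_version > self.content_version:
            self.content_version = repo.db_version
            return True
        return False


def rollout(packages: list, clients: list) -> dict:
    """Check in packages in the order given, then let each client communicate
    once. The result records which packages were accepted and which scripts
    ran, so an out-of-order (older) package is visible as rejected."""
    repo = EpoRepository()
    accepted = [repo.check_in(p) for p in packages]
    updated = [c.agent_server_communication(repo) for c in clients]
    return {
        "db_version": repo.db_version,
        "accepted": accepted,
        "executed": repo.executed_scripts,
        "clients_updated": updated,
    }


# Constructed sample: three packages checked in out of order, two clients.
SAMPLE_PACKAGES = [
    ContentPackage((7, 0, 0, 2), ["script_0002"]),
    ContentPackage((7, 0, 0, 1), ["script_0001"]),  # older: must be rejected
    ContentPackage((7, 0, 0, 3), ["script_0003"]),
]

if __name__ == "__main__":
    print(rollout(SAMPLE_PACKAGES, [Client(), Client((7, 0, 0, 3))]))
```

The middle package is rejected because the database already holds newer content, so only script_0002 and script_0003 run; the first client is updated at its next communication, while the client already at the newest version receives nothing.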
22
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0