Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies

IPS policies turn host intrusion prevention protection on and off, set the reaction level to events, and provide details on exceptions, signatures, and application protection rules.

Contents
Overview of IPS policies
Working with IPS Options policies
Working with IPS Protection policies
Working with IPS Rules policies

Overview of IPS policies

The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity. Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed.

A kernel-level driver, which receives redirected entries in the user-mode system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action.
Signature rules and how they work

Signature rules are patterns of characters that can be matched against a traffic stream. For example, a signature rule might look for a specific string in an HTTP request. If the string matches one in a known attack, action is taken. These rules provide protection against known attacks.

Signatures are designed for specific applications and specific operating systems; for example, web servers such as Apache and IIS. The majority of signatures protect the entire operating system, while some protect specific applications.
Host and network IPS signature rules

Attacks can follow a signature pattern of characters. This signature can identify and prevent malicious activity. For example, a signature is set to look for the string ../ in a web URL. If the signature is enabled and the system encounters this string, an event is triggered.

Signatures are categorized by severity level and by the danger an attack poses. They are designed for specific applications and for specific operating systems. The majority protect the entire operating system, while some protect specific applications.
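The two passages above describe a signature rule as a character pattern matched against an HTTP request, with a severity level and a reaction (allow, block, or log) attached to it, and give ../ in a web URL as the example. The following added example is not from the product guide and is not the product's own signature engine; it is a small Python model of that matching logic using constructed signatures and constructed request lines. The signature names, patterns, severity labels and the `decide` / `match_signatures` helpers are all assumptions made for illustration. It goes one step beyond the text by URL-decoding the request before matching, so that an encoded `%2e%2e/` raises the same event as a literal `../`; that normalization step is an added detection check, not something the page states the product does.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Reactions escalate in this order; the strongest reaction among matched signatures wins.
REACTION_RANK = {"Ignore": 0, "Log": 1, "Prevent": 2}


@dataclass(frozen=True)
class Signature:
    """A signature rule: a character pattern plus the severity and reaction assigned to it."""
    name: str
    pattern: str      # regular expression matched against the decoded request line
    severity: str     # "High", "Medium", "Low" or "Information"
    reaction: str     # "Prevent", "Log" or "Ignore"


@dataclass(frozen=True)
class Event:
    """One signature hit against one request line."""
    signature: str
    severity: str
    reaction: str
    request: str


# Constructed signature set for this example (hypothetical; not the product's own signatures).
SIGNATURES = [
    Signature("Directory traversal in URL", r"\.\./", "High", "Prevent"),
    Signature("Null byte in request", r"\x00", "Medium", "Log"),
    Signature("Server status probe", r"/server-status", "Low", "Ignore"),
]


def normalize(request_line: str) -> str:
    """URL-decode the request line once so that encoded forms such as %2e%2e/ match the
    same signature as a literal ../ (added normalization step, not described on the page)."""
    return unquote(request_line)


def match_signatures(request_line: str, signatures=SIGNATURES) -> list:
    """Return an Event for every signature whose pattern appears in the decoded request."""
    decoded = normalize(request_line)
    return [Event(s.name, s.severity, s.reaction, request_line)
            for s in signatures if re.search(s.pattern, decoded)]


def decide(request_line: str, signatures=SIGNATURES) -> tuple:
    """Apply the strongest reaction among the matched signatures.

    Returns (verdict, events) where verdict is "block", "log" or "allow".
    A matched signature whose reaction is Ignore still produces an event, but
    does not change the verdict."""
    events = match_signatures(request_line, signatures)
    if not events:
        return "allow", events
    strongest = max(events, key=lambda e: REACTION_RANK[e.reaction])
    verdict = {"Prevent": "block", "Log": "log", "Ignore": "allow"}[strongest.reaction]
    return verdict, events


# Constructed request lines used to exercise the signatures (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /static/../config.ini HTTP/1.1",
    "GET /files?name=%2e%2e/notes.txt HTTP/1.1",
    "GET /download?file=report.pdf%00.jpg HTTP/1.1",
    "GET /server-status HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict, events = decide(line)
        names = ", ".join(f"{e.signature} ({e.severity})" for e in events) or "-"
        print(f"{verdict:5}  {line}  [{names}]")
```

Running the block prints one line per sample request with the verdict and the signatures that fired. The severity carried on each event is what a console would use to rank the alert; the reaction is what the engine acts on, which mirrors the guide's distinction between how dangerous a signature is and what the policy does when it matches.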
24
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0