Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

Configuring IPS Policies
Overview of IPS policies
Host Intrusion Prevention combines the use of signature rules and hard-coded behavioral rules.
This hybrid method detects most known attacks as well as previously unknown or zero-day
attacks.
Events
Reactions
IPS events are generated when a client recognizes a violation of a signature or behavioral rule.
Events are logged in the Events tab of the IPS Rules tab under Reporting. Administrators can
view and monitor these events to analyze system rule violations. They can then adjust event
reactions or create exceptions or trusted application rules to reduce the number of events and
fine-tune the protection settings.
A reaction is what a client does when it recognizes a signature of a specific severity.
A client reacts in one of three ways:
• Ignore — No reaction; the event is not logged and the operation is not prevented.
• Log — The event is logged but the operation is not prevented.
• Prevent — The event is logged and the operation is prevented.
A security policy may state, for example, that when a client recognizes an Information level
signature, it logs the occurrence of that signature and allows the operation to occur; and when
it recognizes a High level signature, it prevents the operation.
NOTE: Logging can be enabled directly on each signature.
Exception rules
An exception is a rule for overriding blocked activity. In some cases, behavior that a signature
defines as an attack may be part of a user’s normal work routine or an activity that is legal for
a protected application. To override the signature, you can create an exception that allows
legitimate activity. For example, an exception might state that for a particular client, an operation
is ignored.
You can create these exceptions manually, or place clients in adaptive mode and allow them
to create client exception rules. To ensure that some signatures are never overridden, edit the
signature and disable the Allow Client Rules options. You can track the client exceptions in
the ePolicy Orchestrator console, viewing them in a regular, filtered, and aggregated views.
Use these client rules to create new policies or add them to existing policies that you can apply
to other clients.
Host Intrusion Prevention clients contain a set of IPS signature rules that determine whether
activity on the client computer is benign or malicious. When malicious activity is detected, alerts
known as events are sent to the ePO server and appear in the Host IPS tab under Reporting.
The protection level set for signatures in the IPS Protection policy determines which action a
client takes when an event occurs. Reactions include ignore, log, or prevent the activity.
Events from legitimate activity that are false positives can be overridden by creating an exception
to the signature rule or by qualifying applications as trusted. Clients in adaptive mode
automatically create exceptions, called client rules. Administrators can manually create exceptions
at any time.
Monitoring events and client exception rules helps determine how to tune the deployment for
the most effective IPS protection.
26
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0