Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies
2 In the IPS Options policy list, click Edit under Actions to change the settings for a custom policy.
Figure 2: IPS Options
3 In the IPS Options page that appears, make any needed changes, then click Save.
Working with IPS Protection policies
The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct clients what to do when an attack or suspicious behavior is detected. Each signature has one of four severity levels:
• High — Signatures of clearly identifiable security threats or malicious actions. These signatures are specific to well-identified exploits and are mostly non-behavioral in nature. Prevent these signatures on every system.
• Medium — Signatures of behavioral activity where applications operate outside their envelope. Prevent these signatures on critical systems, as well as on web servers and SQL servers.
• Low — Signatures of behavioral activity where applications and system resources are locked and cannot be changed. Preventing these signatures increases the security of the underlying system, but additional fine-tuning is needed.
• Information — Signatures of behavioral activity where applications and system resources are modified and might indicate a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
These levels indicate potential danger to a system and enable you to define specific reactions for different levels of potential harm. You can modify the severity levels and reactions for all signatures. For example, when suspicious activity is unlikely to cause damage, you can select ignore as the reaction. When an activity is likely to be dangerous, you can set prevent as the reaction.
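The following is an added illustration, not code from the product guide or from McAfee: a small Python model of how an IPS Protection policy resolves a reaction for a signature (per-signature override first, then the default reaction for the signature's severity level), run over a few constructed events. The Basic Protection (McAfee Default) policy is modelled as the guide describes it (prevent high severity, ignore the rest). The signature IDs, host names, the "log" reaction, the custom server policy and the `gaps` check against the per-role recommendations above are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Severity levels from most to least dangerous, as defined in the guide.
SEVERITY_ORDER = ("high", "medium", "low", "information")
# Reactions. The guide names "ignore" and "prevent"; "log" is assumed here
# as an intermediate reaction so a signature can be tuned without unprotecting it.
REACTIONS = ("prevent", "log", "ignore")


@dataclass
class ProtectionPolicy:
    """One IPS Protection policy: a default reaction per severity level, plus
    optional per-signature overrides of the form sig_id -> (severity, reaction),
    where either element may be None to keep the shipped value."""
    name: str
    reactions: Dict[str, str]
    overrides: Dict[str, Tuple[Optional[str], Optional[str]]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for sev in SEVERITY_ORDER:
            if self.reactions.get(sev) not in REACTIONS:
                raise ValueError(f"{self.name}: no valid reaction for severity {sev!r}")

    def decide(self, signature_id: str, shipped_severity: str) -> Tuple[str, str]:
        """Effective (severity, reaction) for one signature: an override wins,
        otherwise the default reaction for the (possibly re-rated) severity."""
        sev_override, react_override = self.overrides.get(signature_id, (None, None))
        severity = sev_override or shipped_severity
        reaction = react_override or self.reactions[severity]
        return severity, reaction


@dataclass
class Event:
    signature_id: str
    severity: str  # severity the signature shipped with
    host: str
    summary: str


def apply_policy(policy: ProtectionPolicy, events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run events through a policy; returns (host, signature_id, reaction) per event."""
    return [(ev.host, ev.signature_id, policy.decide(ev.signature_id, ev.severity)[1]) for ev in events]


# Lowest severity the guide says to prevent for each host role (assumed role names).
RECOMMENDED_PREVENT_FROM = {"standard": "high", "critical": "medium", "web": "medium", "sql": "medium"}


def gaps(policy: ProtectionPolicy, role: str) -> List[str]:
    """Severity levels the guide recommends preventing on this role that the
    policy's default reactions do not prevent."""
    floor = SEVERITY_ORDER.index(RECOMMENDED_PREVENT_FROM[role])
    return [sev for sev in SEVERITY_ORDER[: floor + 1] if policy.reactions[sev] != "prevent"]


# Basic Protection as the guide describes it: prevent high severity, ignore the rest.
BASIC = ProtectionPolicy("Basic Protection (McAfee Default)",
                         {"high": "prevent", "medium": "ignore", "low": "ignore", "information": "ignore"})

# A hypothetical custom policy for web and SQL servers: prevent high and medium,
# log low, ignore information; one medium signature tuned to log after false
# positives, one information signature re-rated to medium so it is prevented.
SERVER_POLICY = ProtectionPolicy(
    "Web and SQL servers (custom)",
    {"high": "prevent", "medium": "prevent", "low": "log", "information": "ignore"},
    overrides={"sig-2002": (None, "log"), "sig-3003": ("medium", None)},
)

# Constructed sample events; signature IDs and hosts are invented.
SAMPLE_EVENTS = [
    Event("sig-1001", "high", "web01", "known exploit against web server process"),
    Event("sig-2002", "medium", "sql01", "application operating outside its envelope"),
    Event("sig-3003", "information", "ws17", "read of a sensitive system file"),
]

if __name__ == "__main__":
    for policy in (BASIC, SERVER_POLICY):
        print(policy.name)
        for host, sig, reaction in apply_policy(policy, SAMPLE_EVENTS):
            print(f"  {host:6} {sig:9} -> {reaction}")
        for role in ("standard", "sql"):
            print(f"  not prevented on {role} hosts: {gaps(policy, role) or 'none'}")
```

The `gaps` check is the part worth keeping: under Basic Protection a SQL server silently ignores medium severity behavioral signatures, which the guide says to prevent on that class of host, so a policy assigned to server groups should be checked against the role recommendations rather than left at the default.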
This policy category contains six preconfigured policies and an editable My Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies.
Preconfigured policies include:
Basic Protection (McAfee Default)
• Prevent high severity level signatures and ignore the rest.
Enhanced Protection
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0