Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies
Working with IPS Rules policies
• Low — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they cannot be changed. Preventing these signatures increases the security of the underlying system, but requires additional fine-tuning.
• Information — Indicates a modification to the system configuration that might create a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
Types of signatures
The IPS Rules policy can contain three types of signatures:
• Host signatures — Default host intrusion prevention signatures.
• Custom host signatures — Custom host intrusion prevention signatures that you create.
• Network signatures — Default network intrusion prevention signatures.
Default host IP signatures
Host-based intrusion prevention signatures detect and prevent attacks on system operations, and include File, Registry, Service, and HTTP rules. They are developed by the Host Intrusion Prevention security experts and are delivered with the product and with content updates.
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature.
When triggered, host-based signatures generate an IPS event that appears in the Events tab of the Host IPS tab under Reporting.
Custom host IP signatures
Custom signatures are host-based signatures that you can create for protection beyond the default protection. For example, when you create a new folder with important files, you can create a custom signature to protect it.
NOTE: You cannot create network-based custom signatures.
Network IP signatures
Network-based intrusion prevention signatures detect and prevent known network-based attacks that arrive on the host system. They appear in the same list of signatures as the host-based signatures.
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature.
You can create exceptions for network-based signatures; however, you cannot specify any additional parameter attributes such as operating system user or process name. Advanced details contain network-specific parameters, for example IP addresses, which you can specify.
Events generated by network-based signatures are displayed along with the host-based events in the Events tab and exhibit the same behavior as host-based events.
To work with signatures, click the Signatures tab in the IPS Rules policy.
Tasks
Configuring IPS Rules signatures
Creating signatures
Creating signatures using the wizard
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
31