Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies
Working with IPS Rules policies
4 On the Rule Definition tab, select the item to protect against modifications and enter details.
Figure 8: Signature Creation Wizard— Rule Definitions
5 Click OK.
Working with IPS Application Protection rules
Application protection rules alleviate compatibility and stability issues resulting from process
hooking. These rules permit or block user-level API hooking for defined and generated lists of
processes. Kernel-level file and registry hooking are not affected.
Host Intrusion Prevention provides a static list of processes that are permitted or blocked. This
list is updated with content update releases. In addition, processes that are permitted to hook
are added dynamically to the list when process analysis is enabled. This analysis is performed:
• Each time the client is started and running processes are enumerated.
• Each time a process starts.
• Each time the application protection list is updated by the ePolicy Orchestrator server.
• Each time the list of processes that listen on a network port is updated.
This analysis involves checking first if the process is in the blocked list. If not, the permitted list
is checked. If not in that list, the process is analyzed to see if it listens on a network port or
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0