Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies
Working with IPS Rules policies

1 On the IPS Rule policy Exception Rules tab, click Add Exception.
2 Enter the required data on each tab of the Exception wizard: Signatures, Users, Processes, Advanced Details, and General. The Summary tab displays the settings made on the previous tabs.
Figure 13: IPS Exception
3 Click Save.

Working with IPS events

An IPS event is triggered when a security violation, as defined by a signature, is detected. For example, Host Intrusion Prevention compares the start of any application against a signature for that operation, which may represent an attack. If a match occurs, an event is generated.

When Host Intrusion Prevention recognizes an IPS event, it flags it on the Host IPS Events tab under Reporting with one of four severity levels: High, Medium, Low, and Information.

NOTE: When two events are triggered by the same operation, the highest signature reaction is taken.

From the list of events generated, you can determine which events are allowable and which indicate suspicious behavior. To allow events, configure the system with the following:
• Exceptions — rules that override a signature rule.
• Trusted Applications — applications labeled trusted, whose operations might otherwise be blocked by a signature.

This tuning process keeps the events that appear to a minimum, leaving more time for analysis of the serious events that do occur.

Reacting to events

Under certain circumstances, behavior that is interpreted as an attack can be a normal part of a user's work routine. When this occurs, you can create an exception rule or a trusted application rule for that behavior. Creating exceptions and trusted applications reduces false positive alerts and ensures that the notifications you receive are meaningful.

For example, when testing clients, you may find clients triggering the signature E-mail access. Typically, an event triggered by this signature is cause for alarm. Attackers may install Trojan applications that use TCP/IP port 25, typically reserved for email applications, and this action would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal email traffic might also match this signature. When you see this signature, investigate the process that initiated the event. If the process is one not normally associated with email, such as Notepad.exe, you might reasonably suspect that a Trojan was planted. If the process initiating the event is normally responsible for sending email (Eudora, Netscape, Outlook), create an exception for that event.

You may also find, for example, that a number of clients are triggering the signature startup programs, which indicates the modification or creation of a value under the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Because the values stored under these keys name programs that start when the computer starts up, this signature may indicate that someone is attempting to tamper with the system. Or it might indicate something as benign as one of your employees installing RealAudio, which adds the value RealTray to the Run registry key. To stop events from being generated every time someone installs authorized software, create exceptions for these events; the client will then no longer generate events for that authorized installation. Scope such an exception as narrowly as the wizard allows (the specific process and, where possible, the specific registry value), because a blanket exception on this signature would also hide malicious persistence under the same keys.

Filtering and aggregating events

Applying filters generates a list of events that satisfies all of the variables defined in the filter criteria; the criteria are combined, so an event must match every one of them to appear. Aggregating events generates a list of events grouped by the value associated with each of the variables selected in the Select columns to aggregate dialog box. The result is a list of events displayed in groups and sorted by the value associated with the selected variables.

Tasks
• Managing IPS events

Managing IPS events

Use this task to analyze IPS events and, in reaction to them, create exceptions or trusted applications.

NOTE: IPS events also appear on the Event Log tab under Reporting, combined with all other events for all systems. Access to the events tabs under Reporting requires additional permission sets, including view permissions for Event Log, Systems, and System Tree access.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Host IPS | IPS Events.

McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0, pages 40-41
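The tuning and reporting logic described under Reacting to events and Filtering and aggregating events (exceptions scoped by signature, process, user and detail; trusted applications; criteria that must all match; grouping by selected columns; and the highest-reaction rule from the NOTE), as an added Python example written for this page. It is not McAfee code and uses no Host IPS or ePO API; the event fields, the rule shape, the reaction names and their ordering (Ignore, Log, Prevent), and every sample event, host and process name are constructed assumptions modelled on the two scenarios in the text.

```python
"""Triage of Host IPS-style events: apply exceptions and trusted applications,
then filter and aggregate what remains.

Added example for this page, not McAfee product code. Field names, rule
shapes, reaction names and sample data are assumptions modelled on the text.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SEVERITY_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
# Assumed reaction names and ordering (Ignore < Log < Prevent); the page only
# states that the highest reaction wins when one operation trips two signatures.
REACTION_RANK = {"Ignore": 0, "Log": 1, "Prevent": 2}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Event:
    host: str
    signature: str
    severity: str
    process: str   # image name of the process that performed the operation
    user: str
    detail: str    # what was touched: registry value path, tcp port, ...


@dataclass(frozen=True)
class ExceptionRule:
    """Overrides one signature for the listed processes/users/details.

    Empty tuples mean 'any'; every populated field must match, mirroring the
    Signatures, Users, Processes and Advanced Details tabs of the wizard.
    """
    signature: str
    processes: Tuple[str, ...] = ()
    users: Tuple[str, ...] = ()
    detail_contains: Tuple[str, ...] = ()

    def matches(self, ev: Event) -> bool:
        if ev.signature != self.signature:
            return False
        if self.processes and ev.process not in self.processes:
            return False
        if self.users and ev.user not in self.users:
            return False
        if self.detail_contains and not any(s in ev.detail for s in self.detail_contains):
            return False
        return True


def is_allowed(ev: Event, exceptions: Iterable[ExceptionRule], trusted_apps: Iterable[str]) -> bool:
    """True when a trusted application or an exception rule covers the event."""
    return ev.process in set(trusted_apps) or any(r.matches(ev) for r in exceptions)


def tune(events: Iterable[Event], exceptions, trusted_apps) -> List[Event]:
    """Events that survive tuning and still need an analyst, highest severity first."""
    kept = (ev for ev in events if not is_allowed(ev, exceptions, trusted_apps))
    return sorted(kept, key=lambda e: (-SEVERITY_RANK[e.severity], e.host))


def filter_events(events: Iterable[Event], **criteria) -> List[Event]:
    """Keep events matching ALL criteria, e.g. severity="High", user="bob"."""
    return [ev for ev in events if all(getattr(ev, k) == v for k, v in criteria.items())]


def aggregate(events: Iterable[Event], *columns: str) -> Counter:
    """Group by the selected columns, as the aggregate dialog does: {(values): count}."""
    return Counter(tuple(getattr(ev, c) for c in columns) for ev in events)


def effective_reaction(reactions: Iterable[str]) -> str:
    """Two signatures fire on one operation: the highest reaction is taken."""
    return max(reactions, key=REACTION_RANK.__getitem__)


# Constructed sample events modelled on the two scenarios in the text.
SAMPLE_EVENTS = [
    Event("ws-01", "TCP/IP Port 25 Activity (SMTP)", "High", "outlook.exe", "alice", "tcp/25"),
    Event("ws-02", "TCP/IP Port 25 Activity (SMTP)", "High", "notepad.exe", "bob", "tcp/25"),
    Event("ws-03", "Startup Programs", "Medium", "setup.exe", "carol", RUN_KEY + r"\RealTray"),
    Event("ws-04", "Startup Programs", "Medium", "inventory-agent.exe", "SYSTEM", RUN_KEY + r"\InvAgent"),
    Event("ws-05", "Startup Programs", "Medium", "updt.exe", "SYSTEM", RUN_KEY + r"\updt"),
    Event("ws-06", "Startup Programs", "Medium", "updt.exe", "SYSTEM", RUN_KEY + r"\updt"),
]

# Exceptions scoped as narrowly as the scenario allows: known mail clients for
# the SMTP signature; only the RealAudio installer writing its RealTray value.
SAMPLE_EXCEPTIONS = [
    ExceptionRule("TCP/IP Port 25 Activity (SMTP)", processes=("outlook.exe", "eudora.exe")),
    ExceptionRule("Startup Programs", processes=("setup.exe",), detail_contains=("RealTray",)),
]
SAMPLE_TRUSTED = {"inventory-agent.exe"}   # hypothetical trusted management agent


if __name__ == "__main__":
    remaining = tune(SAMPLE_EVENTS, SAMPLE_EXCEPTIONS, SAMPLE_TRUSTED)
    print(f"{len(SAMPLE_EVENTS)} events, {len(remaining)} left after tuning")
    for ev in filter_events(remaining, severity="High"):
        print("HIGH:", ev.host, ev.signature, ev.process, ev.user)
    for key, n in aggregate(remaining, "signature", "process").most_common():
        print(f"{n:>3}  {key[0]}  <-  {key[1]}")
    print("Log + Prevent on one operation ->", effective_reaction(["Log", "Prevent"]))
```

Running the script leaves three of the six constructed events: the Port 25 connection from notepad.exe, which the text says warrants a Trojan investigation, and two Run-key writes by an unrecognised updt.exe on two hosts, which aggregation by signature and process collapses into a single line. Note that the RealTray exception is keyed on both the installer process and the registry value written; an exception on the Startup Programs signature alone would also have hidden updt.exe.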