Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee



Configuring IPS Policies
Working with IPS Rules policies

1 On the IPS Rule policy Exception Rules tab, click Add Exception.
2 Enter the required data on each tab of the Exception wizard. These include the Signatures, Users, Processes, Advanced Details and General tabs. The Summary tab displays the settings made in the previous tabs.
Figure 13: IPS Exception
3 Click Save.

Working with IPS events

An IPS event is triggered when a security violation, as defined by a signature, is detected. For example, Host Intrusion Prevention compares the start of any application against a signature for that operation, which may represent an attack. If a match occurs, an event is generated.

When Host Intrusion Prevention recognizes an IPS event, it flags it on the Host IPS Events tab under Reporting with one of four severity levels: High, Medium, Low, and Information.

NOTE: When two events are triggered by the same operation, the highest signature reaction is taken.

From the list of events generated, you can determine which events are allowable and which indicate suspicious behavior. To allow events, configure the system with the following:
• Exceptions — rules that override a signature rule.
• Trusted Applications — applications that are labeled trusted whose operations may otherwise be blocked by a signature.

This tuning process keeps the events that appear to a minimum, providing more time for analysis of the serious events that occur.

Reacting to events

Under certain circumstances, behavior that is interpreted as an attack can be a normal part of a user's work routine. When this occurs, you can create an exception rule or a trusted application rule for that behavior. Creating exceptions and trusted applications allows you to diminish false positive alerts and ensures that the notifications you receive are meaningful.

For example, when testing clients, you may find clients recognizing the signature E-mail access. Typically, an event triggered by this signature is cause for alarm. Hackers may install Trojan applications that use TCP/IP Port 25, typically reserved for email applications, and this action would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal email traffic might also match this signature. When you see this signature, investigate the process that initiated the event. If the process is one that is not normally associated with email, like Notepad.exe, you might reasonably suspect that a Trojan was planted. If the process initiating the event is normally responsible for sending email (Eudora, Netscape, Outlook), create an exception to that event.

You may also find, for example, that a number of clients are triggering the signature startup programs, which indicates the modification or creation of a value under the registry keys:
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce

As the values stored under these keys indicate programs that are started when the computer starts up, recognition of this signature may indicate that someone is attempting to tamper with the system. Or it might indicate something as benign as one of your employees installing RealAudio on their computer. The installation of RealAudio adds the value RealTray to the Run registry key. To eliminate the triggering of events every time someone installs authorized software, you create exceptions to these events. The client will no longer generate events for this authorized installation.

Filtering and aggregating events

Applying filters generates a list of events that satisfies all of the variables defined in the filter criteria. The result is a list of events that matches all of the criteria. Aggregating events generates a list of events grouped by the value associated with each of the variables selected in the Select columns to aggregate dialog box. The result is a list of events displayed in groups and sorted by the value associated with the selected variables.

Tasks
Managing IPS events

Managing IPS events

Use this task to analyze IPS events and, in reaction to them, create exceptions or trusted applications.

NOTE: IPS events also appear on the Event Log tab under Reporting combined with all other events for all systems. Access to the events tabs under Reporting requires additional permission sets, including view permissions for Event Log, Systems, and System Tree access.

Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Host IPS | IPS Events.

McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
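The following Python script is an added example, not code from the McAfee guide, that models the three operations the preceding sections describe: filtering events on all criteria at once, aggregating them by selected columns, and triaging them against exception and trusted-application rules so that Outlook.exe on port 25 and the RealTray Run value are allowed while Notepad.exe on port 25 is left for investigation. The signature names and registry paths are those quoted in the guide; the event records are constructed, and the field names, the executable names other than Notepad.exe and Outlook.exe, and the shape of the exception rules are assumptions made for this illustration.

```python
"""Model of Host IPS event tuning: filter, aggregate, triage.

Added example; not code from the McAfee product guide. The signature
names and registry paths are those the guide quotes; the event records
are CONSTRUCTED, and the field names, executable names (other than
Notepad.exe and Outlook.exe) and the shape of the exception rules are
assumptions made for this illustration.
"""
from collections import Counter

# Constructed sample events, shaped like rows of the Host IPS Events tab
# (field names assumed). The first two match the SMTP signature, the rest
# the "startup programs" signature on the Run/RunOnce keys.
EVENTS = [
    {"host": "WS-001", "signature": "TCP/IP Port 25 Activity (SMTP)",
     "severity": "High", "process": "Outlook.exe"},
    {"host": "WS-002", "signature": "TCP/IP Port 25 Activity (SMTP)",
     "severity": "High", "process": "Notepad.exe"},
    {"host": "WS-003", "signature": "startup programs", "severity": "Medium",
     "process": "setup.exe",
     "key": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run",
     "value": "RealTray"},
    {"host": "WS-004", "signature": "startup programs", "severity": "Medium",
     "process": "unknown.exe",
     "key": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce",
     "value": "updater"},
    {"host": "WS-005", "signature": "startup programs", "severity": "Medium",
     "process": "setup.exe",
     "key": "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run",
     "value": "RealTray"},
]

# Tuning rules in the spirit of the Exception wizard (Signatures and
# Processes tabs): a rule applies when every field it lists matches the
# event. The RealTray rule covers the RealAudio install the guide mentions.
EXCEPTIONS = [
    {"signature": "TCP/IP Port 25 Activity (SMTP)", "process": "Outlook.exe"},
    {"signature": "startup programs", "value": "RealTray"},
]

# Trusted applications: their operations are allowed regardless of
# signature (executable name assumed).
TRUSTED_APPLICATIONS = {"msiexec.exe"}


def filter_events(events, **criteria):
    """Return the events that satisfy ALL filter criteria (logical AND),
    which is how the guide describes the event filter."""
    return [e for e in events
            if all(e.get(field) == wanted for field, wanted in criteria.items())]


def aggregate_events(events, columns):
    """Group events by the values of the selected columns and return
    (group key, count) pairs sorted by the group key."""
    counts = Counter(tuple(e.get(c) for c in columns) for e in events)
    return sorted(counts.items())


def is_allowed(event, exceptions=EXCEPTIONS, trusted=TRUSTED_APPLICATIONS):
    """True if an exception rule or a trusted application covers the event."""
    if event.get("process") in trusted:
        return True
    return any(all(event.get(f) == v for f, v in rule.items())
               for rule in exceptions)


def triage(events):
    """Split events into those already covered by tuning rules and those
    that still need an analyst's attention."""
    allowed, investigate = [], []
    for e in events:
        (allowed if is_allowed(e) else investigate).append(e)
    return allowed, investigate


if __name__ == "__main__":
    allowed, investigate = triage(EVENTS)
    print("Covered by tuning rules:", [e["host"] for e in allowed])
    print("Needs investigation:")
    for e in investigate:
        print(f'  {e["host"]}: {e["signature"]} from {e["process"]}')
    print("Aggregated by signature and process:")
    for key, n in aggregate_events(EVENTS, ["signature", "process"]):
        print(f"  {key}: {n}")
```

Run as a script, it reports WS-001, WS-003 and WS-005 as covered by the tuning rules and leaves the Notepad.exe port 25 event and the unknown RunOnce value for investigation; the aggregation shows at a glance that the RealTray events come from one installer on several hosts, which is the pattern the guide suggests resolving with a single exception rather than host by host.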

