Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring Application Blocking Policies<br />
The Application Blocking feature of Host Intrusion Prevention manages a set of applications<br />
that you allow to run (known as application creation) or bind (known as application hooking)<br />
with other applications.<br />
Contents<br />
Overview of Application Blocking policies<br />
Working with Application Blocking policies<br />
Working with Application Blocking Rules policies<br />
Overview of Application Blocking policies<br />
The Application Blocking feature monitors applications being used and allows or blocks them.<br />
Host Intrusion Prevention offers two types of application blocking:<br />
• Application creation<br />
• Application hooking<br />
When Host Intrusion Prevention monitors application creation, it looks for programs that are<br />
trying to run. In most cases, there is no problem; but some viruses, for example, try to run<br />
programs that harm a system. You can prevent this by creating application rules, similar to<br />
firewall rules, which allow only permitted programs to run.<br />
When Host Intrusion Prevention monitors application hooking, it looks for programs that are<br />
trying to bind or “hook” themselves to other applications. Sometimes this behavior is harmless,<br />
but sometimes this is suspicious behavior that can indicate a virus or other attack on your<br />
system.<br />
You can configure Host Intrusion Prevention to monitor only application creation, only application<br />
hooking, or both.<br />
With Application Blocking, create a list of application rules, one rule for each application you<br />
want to allow or block. Each time Host Intrusion Prevention detects an application trying to<br />
start or hook to another application, it checks its application rule list to determine whether to<br />
allow or block the application.<br />
Application Blocking client rules<br />
Clients in adaptive or learn mode can create client rules to allow blocked application creation<br />
or hooking. You can view these rules in a filtered or aggregated view and analyze them to<br />
create new policies or add them to existing policies.<br />
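The rule lookup and client-rule learning described above, modelled as an added example; this is not McAfee code and does not reproduce the product's rule format. The class and function names are hypothetical, and the model assumes that unlisted applications are blocked, that an administrator rule takes precedence over adaptive learning, and that application names are compared case-insensitively.

```python
from collections import Counter
from dataclasses import dataclass, field

CREATE, HOOK = "create", "hook"  # the two behaviours the page describes

@dataclass(frozen=True)
class AppRule:
    app: str            # one rule per application
    allow_create: bool  # may the application start?
    allow_hook: bool    # may it hook another application?

@dataclass
class Client:
    policy: dict                  # lower-cased app name -> AppRule
    monitored: frozenset          # CREATE only, HOOK only, or both
    adaptive: bool = False
    client_rules: set = field(default_factory=set)  # learned (app, action) allows

    def decide(self, app, action):
        key = app.lower()         # assumption: case-insensitive name match
        if action not in self.monitored:
            return "allow"        # this behaviour is not monitored
        rule = self.policy.get(key)
        if rule is not None:      # assumption: administrator rule decides first
            ok = rule.allow_create if action == CREATE else rule.allow_hook
            return "allow" if ok else "block"
        if (key, action) in self.client_rules:
            return "allow"
        if self.adaptive:         # learn an allow rule instead of blocking
            self.client_rules.add((key, action))
            return "allow"
        return "block"            # assumption: unlisted applications are blocked

def aggregate(clients):
    """Aggregated view: how many clients learned each (app, action) rule."""
    return Counter(rule for c in clients for rule in c.client_rules)

def demo():
    # Constructed sample policy and events, not taken from the product.
    policy = {r.app: r for r in (AppRule("winword.exe", True, False),
                                 AppRule("dropper.exe", False, False))}
    both = frozenset({CREATE, HOOK})
    enforcing = Client(policy, both)
    pilots = [Client(policy, both, adaptive=True) for _ in range(2)]
    for c in pilots:
        c.decide("Backup.exe", CREATE)
    pilots[0].decide("backup.exe", HOOK)
    return enforcing, pilots, aggregate(pilots)
```

A learned rule that appears on many clients is a candidate to add to a policy; one that appears on a single client is worth reviewing before it is promoted.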
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0<br />