Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Working with Host Intrusion Prevention Clients
Overview of the Windows client

Host Intrusion Prevention creates a new firewall rule based on the options selected, adds
it to the Firewall Rules list, and automatically allows or blocks similar traffic.

Responding to Application Blocking alerts

When application creation or application hooking is enabled in the Application Blocking
Options policy, Host Intrusion Prevention monitors application activities and allows or blocks
them based on the rules in the Application Blocking Rules policy.

If you enabled learn mode for either creation blocking or hooking blocking, Host Intrusion
Prevention displays an Application Creation Alert or Application Hook Alert whenever it
detects an unknown application trying to run or bind to another program.

The Application Information tab displays information about the application attempting to
run (creation) or to hook (hook) to another process, including application name, path, and
version.

Use this dialog box to select an action:
• Click Allow to let the application complete its action:
  • For an Application Creation Alert, clicking Allow lets the application run.
  • For an Application Hook Alert, clicking Allow lets the application bind itself to another
    program.
• Click Deny to block the application:
  • For an Application Creation Alert, clicking Deny prevents the application from running.
  • For an Application Hook Alert, clicking Deny blocks the application from binding itself to
    another program.

When you click Allow or Deny, Host Intrusion Prevention creates a new application rule based
on your choice. After collecting client properties, this rule is added to the Application Client
Rule tab of the Application Rules policy. The application is then allowed or blocked
automatically.

Responding to Quarantine alerts

If you enable Quarantine mode and include the IP address of the client for quarantine
enforcement in the Quarantine Options policy, a quarantine alert appears in the following
situations:
• Changing the client computer’s IP address
• Disconnecting and then reconnecting the client Ethernet connection
• Restarting the client

Responding to Spoof Detected alerts

If you enable the IPS feature, this alert automatically appears if Host Intrusion Prevention
detects an application on your computer sending out spoofed network traffic. This means that
the application is trying to make it seem like traffic from your computer actually comes from a
different computer. It does this by changing the IP address in the outgoing packets. Spoofing
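
An added example, not part of the product guide and not McAfee's implementation: one way an egress check can recognize the spoofed traffic described under Responding to Spoof Detected alerts is to compare the source address of each outgoing IPv4 packet with the addresses assigned to the host. The address set, function names, and sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: addresses assigned to this host's interfaces (constructed values).
LOCAL_ADDRESSES = {ipaddress.ip_address("192.0.2.10"),
                   ipaddress.ip_address("127.0.0.1")}


def parse_ipv4_addresses(packet: bytes):
    """Return (source, destination) from a raw IPv4 header, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)


def classify_outgoing(packet: bytes, local=LOCAL_ADDRESSES) -> str:
    """Classify an outgoing packet by whether its source address belongs to this host."""
    parsed = parse_ipv4_addresses(packet)
    if parsed is None:
        return "malformed"
    src, _dst = parsed
    if src.is_unspecified:
        # 0.0.0.0 is a legitimate source before an address is leased (DHCP).
        return "unassigned"
    return "ok" if src in local else "spoofed"


def build_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header as sample data (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


# Constructed sample of outgoing packets: own address, foreign source, DHCP, truncated.
SAMPLE = [build_header("192.0.2.10", "198.51.100.7"),
          build_header("203.0.113.99", "198.51.100.7"),
          build_header("0.0.0.0", "255.255.255.255"),
          b"\x45\x00"]


def audit(packets):
    """Return the verdict for each packet, in order."""
    return [classify_outgoing(p) for p in packets]
```
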