McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide, page 116
8 Maintenance: Fine-tuning a deployment
From the list of generated events, determine which indicate no risk and which indicate
suspicious behavior. To allow events, configure the system with the following:
- Exceptions — allow or block rules that override a signature rule.
- Trusted Applications — allow internal applications whose operations may be blocked by a signature.
This fine-tuning process keeps false positives to a minimum, providing more time for
analysis of serious events. For more details, see IPS Events on page 56.
Creating exception rules and trusted application rules
After analyzing the list of IPS events, you can create exception rules or trusted
application rules for each false positive event per user profile. This keeps the list of
events to a minimum, allows for better understanding of malicious attacks, and
ensures that systems are protected against such attacks.
From the IPS Events tab, you can create an exception or a trusted application based on
a particular event. For details, see Creating event-based exceptions and trusted
applications on page 61.
Working with client exception rules
An easy approach to creating exceptions is to place clients in Adaptive mode, and allow
the clients to automatically create client exception rules to allow non-malicious
behavior. All client rules appear on the Client Rules tab of the IPS Rules policy. The
Firewall Rules and the Application Blocking Rules policies also display client rules
created through Adaptive or Learn mode.
To obtain the most frequently generated rules, use the aggregated view of client rules,
which groups similar rules. The rules can then be moved to administrative policies.
For details on working with client rules, see:
- IPS Client Rules on page 63.
- Configuring the Firewall Rules policy on page 81.
- Configuring the Application Blocking Rules policy on page 98.
Creating and applying new policies
After creating new exception rules and trusted applications, add these to existing
policies where appropriate. You can also create new IPS and Trusted Application
policies based on the one that required the creation of exceptions and trusted
applications.
For details on creating and applying new policies, see:
- Configuring the IPS Rules policy on page 41.
- Configuring the Firewall Rules policy on page 81.
- Configuring the Application Blocking Rules policy on page 98.