McAfee® Host Intrusion Prevention 6.1 Installation/Configuration Guide
Basic Concepts
IPS feature
Signatures are designed for specific operating systems and, in some cases, for specific
applications; for example, web servers such as Apache, IIS, and NES/iPlanet. The majority of
signatures protect the entire operating system, while some protect specific applications.
Behavioral rules
Hard-coded behavioral rules define a profile of legitimate activity. Activity not matching
the profile is considered suspicious and triggers a response. For example, a behavioral
rule might state that only a web server process should access HTML files. If any other
process attempts to access HTML files, action is taken. Because these rules describe
permitted behavior rather than a known exploit, they provide protection against zero-day
and buffer overflow attacks for which no signature yet exists.
Events
IPS Events are generated when a client recognizes a signature or behavioral rule
violation. Events are logged in the IPS Events tab of IPS Rules. Administrators can
monitor these events to view and analyze system rule violations. They can then adjust
event reactions or create exceptions or trusted application rules to reduce the number
of events and fine-tune the protection settings.
Reactions
A reaction is what a client does when it recognizes a signature of a specific severity;
reactions are configured per severity level. A client reacts in one of three ways:
Ignore — No reaction; the event is not logged and the process is not prevented.
Log — The event is logged but the process is not prevented.
Prevent — The event is logged and the process is prevented.
A security policy may state, for example, that when a client recognizes an Information
level signature, it logs the occurrence of that signature and allows the process to be
handled by the operating system; and when it recognizes a High level signature, it
prevents the process.
Exception rules
An exception is a rule for overriding blocked activity. In some cases, behavior that a
signature defines as an attack may be part of a user’s normal work routine or an activity
that is legal for a protected application. To override the signature, you can create an
exception that allows legitimate activity. For example, an exception might state that for
a particular client, a particular process is ignored for that signature.
You can create these exceptions manually, or place clients in Adaptive mode and allow
them to create client exception rules. Because a client in Adaptive mode creates
exceptions for whatever activity it observes, reserve it for tuning on systems known to be
clean, and review the resulting client rules before promoting them into policies. To ensure
that some signatures are never overridden, edit the signature and disable the Allow Client
Rules option. You can track the client exceptions in the ePolicy Orchestrator console,
viewing them in either a regular or an aggregated view. Use these client rules to create
new policies or add them to existing policies that you can apply to other clients.
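The behavioral rule, reaction, and exception descriptions above fit together as one evaluation flow: a violated rule raises an event, the severity-to-reaction policy decides whether to ignore, log, or prevent, and an exception (administrator-created, or client-created in Adaptive mode where the signature still allows client rules) suppresses the match. The following Python model is an added illustration of that flow and is not McAfee code; the rule names, host names, process names, and the fnmatch-based file profile are constructed, and the real product performs these checks inside its agent rather than in a script.

```python
"""Toy model of the Host IPS flow described in this section: behavioral
rules raise events, the severity-to-reaction policy picks Ignore/Log/Prevent,
and exception rules override a match. Added illustration, not McAfee code;
all rule names, hosts and processes below are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

# Reactions in increasing strength; a client applies the strongest one
# triggered by any violated, non-excepted rule.
IGNORE, LOG, PREVENT = "Ignore", "Log", "Prevent"
REACTION_ORDER = (IGNORE, LOG, PREVENT)


@dataclass
class BehavioralRule:
    """Profile of legitimate activity: only allowed_processes may touch
    files matching file_pattern; any other process is a violation."""
    name: str
    severity: str                      # e.g. "Information", "High"
    file_pattern: str                  # fnmatch-style glob (assumption)
    allowed_processes: frozenset
    allow_client_rules: bool = True    # False: clients may never override it

    def violated(self, process: str, path: str) -> bool:
        return fnmatch(path, self.file_pattern) and process not in self.allowed_processes


@dataclass
class ExceptionRule:
    """Override for one rule: the named process is ignored, optionally only
    on one client. from_client marks rules created in Adaptive mode."""
    rule_name: str
    process: str
    client: Optional[str] = None       # None: applies to every client
    from_client: bool = False

    def covers(self, rule: BehavioralRule, client: str, process: str) -> bool:
        if self.rule_name != rule.name or self.process != process:
            return False
        if self.client is not None and self.client != client:
            return False
        # A client-created exception is honored only while the signature
        # still has "Allow Client Rules" enabled.
        return rule.allow_client_rules or not self.from_client


@dataclass
class IpsPolicy:
    reactions: dict                    # severity -> reaction
    rules: list
    exceptions: list = field(default_factory=list)

    def evaluate(self, client: str, process: str, path: str):
        """Return (reaction, events) for one observed file access.
        An event is generated for each violated, non-excepted rule whose
        reaction is Log or Prevent; Ignore produces no event at all."""
        events = []
        reaction = IGNORE
        for rule in self.rules:
            if not rule.violated(process, path):
                continue
            if any(e.covers(rule, client, process) for e in self.exceptions):
                continue
            r = self.reactions.get(rule.severity, LOG)
            if r == IGNORE:
                continue
            events.append({"client": client, "process": process, "path": path,
                           "rule": rule.name, "severity": rule.severity, "reaction": r})
            if REACTION_ORDER.index(r) > REACTION_ORDER.index(reaction):
                reaction = r
        return reaction, events


# Constructed sample policy (hypothetical rule names, hosts and processes).
HTML_RULE = BehavioralRule("Web server HTML access", "High", "/var/www/*.html",
                           frozenset({"httpd"}), allow_client_rules=False)
TMP_RULE = BehavioralRule("Temp directory write", "Information", "/tmp/*",
                          frozenset({"httpd", "cron"}))

POLICY = IpsPolicy(
    reactions={"Information": LOG, "High": PREVENT},
    rules=[HTML_RULE, TMP_RULE],
    exceptions=[
        # Administrator-created: the backup job on ws-01 may read HTML files.
        ExceptionRule("Web server HTML access", "backup", client="ws-01"),
        # Client-created in Adaptive mode on ws-02: honored for TMP_RULE only,
        # because HTML_RULE has Allow Client Rules disabled.
        ExceptionRule("Web server HTML access", "notepad", client="ws-02", from_client=True),
        ExceptionRule("Temp directory write", "notepad", client="ws-02", from_client=True),
    ],
)

if __name__ == "__main__":
    for client, proc, path in [("ws-01", "httpd", "/var/www/index.html"),
                               ("ws-01", "backup", "/var/www/index.html"),
                               ("ws-02", "backup", "/var/www/index.html"),
                               ("ws-02", "notepad", "/var/www/index.html"),
                               ("ws-02", "notepad", "/tmp/scratch.txt"),
                               ("ws-03", "notepad", "/tmp/scratch.txt")]:
        print(client, proc, path, "->", POLICY.evaluate(client, proc, path)[0])
```

Running the sample shows the three cases the section distinguishes: the web server itself never violates the rule, the administrator's exception is honored only on the client it names, and the client-created rule for the High signature is silently disregarded because Allow Client Rules was disabled on that signature, while the same client's rule for the Information signature does suppress logging.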
Note: Logging can be enabled directly on each signature.