McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide: Frequently Asked Questions
- View the list of client rules created on a set of clients having a similar profile, and create a new policy based on the information. This new policy can then be applied to a larger set of clients with the same profile.
- Determine that specific client rules represent security violations and block these rules as part of the IPS Rules policy.
- View an aggregated list of exceptions to obtain an idea of the prevalence of the same operation on different clients with the same profile.
- Move a client exception rule to the list of policy exceptions.
- Search existing policy exceptions to find an exception similar to a client exception that can be edited.

How do I create custom signatures for an IPS Policy?
Custom signatures are part of the IPS Rules policy and can be created to meet a
profile’s specific security needs. A custom signature wizard is available for simple
signatures, while custom signature Standard and Expert modes are available for
advanced users.

How do I reorganize existing exceptions and custom signatures into a new policy?
As an administrator, you have identified some false positives on a few clients and created
exceptions for them. Given that these false-positive events seemed isolated, you
initially placed these into various policies. Taking a second look at the exceptions, you
see a new pattern – one that can be isolated into its own policy.
To reorganize these exceptions into a new policy, create a new IPS Rules policy and
add it to the list of IPS Rules policies for the appropriate node. View the list of all
exceptions from the various policies assigned to that node. Select one or more of the
appropriate exceptions, and move them to the new policy.
This new policy can then be applied to other clients that fit the newly identified profile,
either individually or as a group.

How do I find existing policies that match a given profile?
Typically, an organization will have multiple IPS Rules policies, one per client profile,
such as IIS Server and SQL Server. Given that multiple administrators typically manage
different parts of the system, sometimes working in different shifts, it is essential to
have a small number of well-maintained policies. This will help you as an administrator to
quickly understand the current organization of policies and find what you are searching
for.
You can use the IPS Exception Search to search for exceptions based on their
attributes, and locate their parent policy in the process. The search allows you to:
- Find policies that contain an exception for an application.
- Find exceptions created for a signature.
- Find policies that contain exceptions matching one or more attributes of a false positive event.