McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies
IPS Rules policy details
The IPS Rules policy allows you to create and apply one or more policies that define
IPS settings. Policies should be based on common usage, location, or access rights and
privileges. For example, you might assign an IIS Server a Global Policy, a Server Client
Policy, and an IIS Policy.
Each policy details:
Exception Rules
Signatures
Application Protection Rules
All available IPS policies are in the Policies list in the IPS Rules Policy Settings dialog box.
Policies applied to the selected node appear in bold. Click Effective Policy to view a union
of all exception rules, signatures, and include/exclude rules that apply to the selected
node.
The IPS Rules Policy Settings dialog box also provides access to the following IPS
policy-related features:
IPS Events
IPS Client Rules
Search IPS Exception Rules
Exception Rules
Sometimes behavior that would be interpreted as an attack can actually be a normal
part of a user’s work routine. This is called a false positive alert. To prevent false
positives, create an exception for that behavior.
The exceptions feature enables you to weed out false positive alerts, minimizes
needless data flowing to the console, and ensures that the alerts are legitimate security
threats.
For example, during the process of testing clients, a client recognizes the Outlook
Envelope - Suspicious Executable Mod. signature. This signature signals that the Outlook
e-mail application is attempting to modify an application outside the envelope of usual
resources for Outlook. Thus, an event triggered by this signature is cause for alarm,
because Outlook may be modifying an application not normally associated with e-mail,
for example, Notepad.exe. In this instance, you might reasonably suspect that a Trojan
horse has been planted. But, if the process initiating the event is normally responsible
for sending e-mail, for example, saving a file with Outlook.exe, you need to create an
exception that allows this action.
You can view a list of exceptions, and create and modify them on the Exceptions tab in
the IPS Rules dialog box.
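The Outlook example above, modeled as an added illustration (not code or a rule format from the product guide): it shows how an exception scoped to the legitimate action suppresses the false positive while the Notepad.exe event still alerts, whereas a signature-only exception hides both. The Event and ExceptionRule fields, the sample paths, and the policy contents are assumptions made for this sketch.

```python
# Added illustration: field names are hypothetical, not the product's rule format.
from dataclasses import dataclass
from fnmatch import fnmatchcase

SIG = "Outlook Envelope - Suspicious Executable Mod."

@dataclass(frozen=True)
class Event:
    signature: str
    process: str   # process that initiated the event
    target: str    # file or application being modified

@dataclass(frozen=True)
class ExceptionRule:
    signature: str
    process: str = "*"   # "*" matches any process
    target: str = "*"    # "*" matches any target

    def matches(self, ev: Event) -> bool:
        # Case-insensitive wildcard match on process and target.
        return (ev.signature == self.signature
                and fnmatchcase(ev.process.lower(), self.process.lower())
                and fnmatchcase(ev.target.lower(), self.target.lower()))

def effective_exceptions(*policies):
    """Union of the exception rules from every policy applied to a node."""
    return set().union(*policies)

def alerts(events, exceptions):
    """Events that still raise an alert after the exceptions are applied."""
    return [ev for ev in events if not any(x.matches(ev) for x in exceptions)]

# Constructed sample events, both triggering the same signature.
EVENTS = [
    Event(SIG, "OUTLOOK.EXE", r"C:\Users\amy\Documents\report.doc"),  # routine save
    Event(SIG, "OUTLOOK.EXE", r"C:\Windows\Notepad.exe"),             # suspicious
]

# Constructed policies: one carries a narrowly scoped exception, one carries none.
global_policy = {ExceptionRule(SIG, "outlook.exe", r"C:\Users\*\Documents\*")}
iis_policy = set()
narrow = effective_exceptions(global_policy, iis_policy)
broad = {ExceptionRule(SIG)}   # signature-only exception: suppresses everything

if __name__ == "__main__":
    print("narrow:", [ev.target for ev in alerts(EVENTS, narrow)])
    print("broad: ", [ev.target for ev in alerts(EVENTS, broad)])
```
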