McAfee® Host Intrusion Prevention 6.1 Product Guide

Maintenance


Fine-tuning a deployment


From the list of generated events, determine which indicate no risk and which indicate suspicious behavior. To allow the events that indicate no risk, configure the system with the following:

• Exceptions — allow or block rules that override a signature rule.

• Trusted Applications — allow internal applications whose operations may be blocked by a signature.

This fine-tuning process keeps false positives to a minimum, providing more time for analysis of serious events. For more details, see IPS Events on page 56.

Creating exception rules and trusted application rules

After analyzing the list of IPS events, you can create exception rules or trusted application rules for each false positive event per user profile. This keeps the list of events to a minimum, allows for better understanding of malicious attacks, and ensures that systems are protected against such attacks.

From the IPS Events tab, you can create an exception or a trusted application based on a particular event. For details, see Creating event-based exceptions and trusted applications on page 61.

Working with client exception rules

An easy approach to creating exceptions is to place clients in Adaptive mode, and allow the clients to automatically create client exception rules to allow non-malicious behavior. All client rules appear on the Client Rules tab of the IPS Rules policy. The Firewall Rules and the Application Blocking Rules policies also display client rules created through Adaptive or Learn mode.

To identify the most frequently generated rules, use the aggregated view of client rules, which groups similar rules. These rules can then be moved to administrative policies.

For details on working with client rules, see:

• IPS Client Rules on page 63.

• Configuring the Firewall Rules policy on page 81.

• Configuring the Application Blocking Rules policy on page 98.
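The aggregation step described above, as an added illustration that is not part of the product guide and does not use McAfee's own export format: constructed client exception rules are grouped by signature and process, counted by distinct client, and the groups seen on enough hosts are sorted into exception or trusted-application candidates. The record fields, signature IDs and the promotion heuristic (a process suppressing several signatures is treated as a trusted-application candidate) are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of client-generated exception rules (assumed fields,
# not the product's export format): one record per rule per client.
CLIENT_RULES = [
    {"client": "ws-01", "signature": 3700, "process": "backup.exe"},
    {"client": "ws-02", "signature": 3700, "process": "backup.exe"},
    {"client": "ws-03", "signature": 3700, "process": "backup.exe"},
    {"client": "ws-01", "signature": 1020, "process": "backup.exe"},
    {"client": "ws-02", "signature": 1020, "process": "backup.exe"},
    {"client": "ws-03", "signature": 1043, "process": "backup.exe"},
    {"client": "ws-01", "signature": 6010, "process": "updater.exe"},
    {"client": "ws-02", "signature": 6010, "process": "updater.exe"},
    {"client": "ws-09", "signature": 2000, "process": "unknown.exe"},
]


def aggregate_rules(rules):
    """Group identical client rules by (signature, process) and count the
    distinct clients that created each one, like the aggregated view."""
    groups = defaultdict(set)
    for rule in rules:
        groups[(rule["signature"], rule["process"])].add(rule["client"])
    return {key: len(clients) for key, clients in groups.items()}


def promotion_candidates(rules, min_clients=2):
    """Return rules seen on at least min_clients hosts as candidates for an
    administrative policy. Heuristic (assumed, not from the guide): a process
    that needed several signatures suppressed is a trusted-application
    candidate; a single signature/process pair is an exception candidate."""
    counts = aggregate_rules(rules)
    frequent = {key for key, n in counts.items() if n >= min_clients}
    sigs_by_process = defaultdict(set)
    for signature, process in frequent:
        sigs_by_process[process].add(signature)
    candidates = []
    for process, sigs in sorted(sigs_by_process.items()):
        kind = "trusted_application" if len(sigs) > 1 else "exception"
        candidates.append((kind, process, tuple(sorted(sigs))))
    return candidates


if __name__ == "__main__":
    for candidate in promotion_candidates(CLIENT_RULES):
        print(candidate)
```

Rules that appear on only one client (unknown.exe here) stay in the client rule list for individual review rather than being promoted.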

Creating and applying new policies

After creating new exception rules and trusted applications, add these to existing policies where appropriate. You can also create new IPS and Trusted Application policies based on the one that required the creation of exceptions and trusted applications.

For details on creating and applying new policies, see:

• Configuring the IPS Rules policy on page 41.

• Configuring the Firewall Rules policy on page 81.

• Configuring the Application Blocking Rules policy on page 98.
