McAfee® Host Intrusion Prevention 6.1 Product Guide | Maintenance |
From the list of generated events, determine which indicate no risk and which indicate suspicious behavior. To allow events, configure the system with the following:
Exceptions — allow or block rules that override a signature rule.
Trusted Applications — allow internal applications whose operations may be blocked by a signature.
This
Creating exception rules and trusted application rules
After analyzing the list of IPS events, you can create exception rules or trusted application rules for each false positive event per user profile. This keeps the list of events to a minimum, allows for better understanding of malicious attacks, and ensures that systems are protected against such attacks.
From the IPS Events tab, you can create an exception or a trusted application based on a particular event. For details, see Creating
Working with client exception rules
An easy approach to creating exceptions is to place clients in Adaptive mode, and allow the clients to automatically create client exception rules to allow
To obtain the most frequently generated rules, use the aggregated view of client rules, which groups similar rules. The rules can then be moved to administrative policies.
For details on working with client rules, see:
IPS Client Rules on page 63.
Configuring the Firewall Rules policy on page 81.
Configuring the Application Blocking Rules policy on page 98.
Creating and applying new policies
After creating new exception rules and trusted applications, add them to existing policies where appropriate. You can also create new IPS and Trusted Application policies based on the policy that required the creation of exceptions and trusted applications.
For details on creating and applying new policies, see:
Configuring the IPS Rules policy on page 41.
Configuring the Firewall Rules policy on page 81.
Configuring the Application Blocking Rules policy on page 98.