
McAfee® Host Intrusion Prevention 6.1 Product Guide | Host Intrusion Prevention Client |
| Windows client |
9
You can ignore the event by clicking Ignore, or create an exception rule for the event by clicking Create Exception. The Create Exception button is active only if the Allow Client Rules option is enabled for the signature that caused the event to occur.
If the alert is the result of a HIP signature, the exception rule dialog box is prefilled with the name of the process, user, and signature. You can select All Signatures or All Processes, but not both. The user name will always be included in the exception.
If the alert is the result of a NIP signature, the exception rule dialog box is prefilled with the signature name and the host IP address. You can optionally select All Hosts.
.
In addition, you can click Notify Admin to send information about the event to the Host Intrusion Prevention administrator. This button is active only if the Allow user to notify administrator option is enabled in the applied Client UI policy.
Select Do not show any alerts for IPS Events to stop displaying IPS Event alerts. To have the alerts reappear after selecting this option, select Display
This intrusion alert also appears for firewall intrusions if a firewall rule is matched that
has the Treat rule match as an intrusion option selected.
Firewall alerts
If you enable firewall protection and the Learn mode for either incoming or outgoing traffic, a firewall alert appears. The Application Information tab displays information about the application attempting network access, including application name, path, and version. The Connection Information tab displays information about the traffic protocol, address, and ports.
To respond to a firewall Learn Mode alert
1On the Application Information tab of the alert dialog box, do one of the following:
Click Deny to block this and all similar traffic.
Click Allow to permit this and all similar traffic through the firewall
2Optional: On the Connection Information tab, select possible options for the new firewall rule:
Select... | To do this... |
|
|
Create a firewall application rule | Create a rule to allow or block an application’s traffic |
for all ports and services | over any port or service. If you do not select this |
| option, the new firewall rule allows or blocks only |
| specific ports: |
| If the intercepted traffic uses a port lower than |
| 1024, the new rule allows or blocks only that |
| specific port. |
| If the traffic uses port 1024 or higher, the new rule |
| allows or blocks the range of ports from 1024 to |
| 65535. |
|
|
Remove this rule when the | Create a temporary allow or block rule that is deleted |
application terminates | when the application is closed. If you do not select this |
| options, the new firewall rule is created as a |
| permanent client rule. |
|
|