McAfee® Host Intrusion Prevention 6.1 Product Guide | Host Intrusion Prevention Client |
| Windows client |
9
Host Intrusion Prevention creates a new firewall rule based on the options selected, adds it to the Firewall Rules list, and automatically allows or blocks similar traffic.
Figure 9-4 Firewall alert—Application Information and Connection Information tabs
Application Blocking alerts
When application creation or application hooking is enabled in the Application Blocking Options policy, Host Intrusion Prevention monitors application activities and allows or blocks them based on the rules in the Application Blocking Rules policy.
If you enabled Learn mode for either creation blocking or hooking blocking, Host Intrusion Prevention displays an Application Creation Alert or Application Hook Alert whenever it detects an unknown application trying to run or bind to another program.
The Application Information tab displays information about the application attempting to run (creation) or to hook (hook) to another process, including application name, path, and version.
Use this dialog box to select an action:
Click Allow to let the application complete its action:
For an Application Creation Alert, clicking Allow lets the application run.
For an Application Hook Alert, clicking Allow lets the application bind itself to another program.
Click Deny to block the application:
For an Application Creation Alert, clicking Deny prevents the application from running.
For an Application Hook Alert, clicking Deny blocks the application from binding itself to another program.
When you click Allow or Deny, Host Intrusion Prevention creates a new application rule based on your choice. After collecting client properties, this rule is added to the to the Application Client Rule tab of the Application Rules policy. The application is then allowed or blocked automatically.
139