McAfee® Host Intrusion Prevention 6.1 Product Guide

Host Intrusion Prevention Client

 

Windows client


Figure 9-5 Application Blocking creation and hooking alerts

Quarantine alerts

If you enable Quarantine mode and include the IP address of the client for quarantine enforcement in the Quarantine Options policy, a quarantine alert appears in the following situations:

• Changing the client computer’s IP address

• Disconnecting and then reconnecting the client Ethernet connection

• Restarting the client

Figure 9-6 Quarantine alert

Spoof Detected alerts

If you enable the IPS feature, this alert automatically appears if Host Intrusion Prevention detects an application on your computer sending out spoofed network traffic. This means that the application is trying to make it seem like traffic from your computer actually comes from a different computer. It does this by changing the IP address in the outgoing packets. Spoofing is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic.

The Spoof Detected Alert dialog box appears only if you select the Display pop-up alert option. If you do not select this option, Host Intrusion Prevention automatically blocks the spoofed traffic without notifying you.
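
The check described above can be illustrated with a short added example. It is not McAfee code or part of the product guide: it parses the IPv4 header of an outbound packet and blocks the packet when the source address is not one the host owns. The function names, the `LOCAL_ADDRESSES` set, and the sample packets are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# Assumption: addresses assigned to this host's interfaces (constructed sample values).
LOCAL_ADDRESSES = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("127.0.0.1")}


def make_ipv4_header(src: str, dst: str, proto: int = 17) -> bytes:
    """Build a 20-byte IPv4 header as constructed test input (checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )


def parse_source(packet: bytes) -> ipaddress.IPv4Address:
    """Return the source address of an IPv4 packet after validating the header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return ipaddress.IPv4Address(packet[12:16])  # source address field, bytes 12..15


def check_outbound(packet: bytes, local=LOCAL_ADDRESSES) -> dict:
    """Allow an outbound packet only if its source address belongs to this host."""
    try:
        src = parse_source(packet)
    except ValueError as exc:
        # Fail closed: a header that cannot be parsed is not sent.
        return {"action": "block", "reason": str(exc), "claimed_source": None}
    if src in local:
        return {"action": "allow", "reason": "source owned by host", "claimed_source": str(src)}
    # The packet claims to come from an address this host does not hold.
    return {"action": "block", "reason": "spoofed source", "claimed_source": str(src)}


if __name__ == "__main__":
    samples = [
        make_ipv4_header("192.0.2.10", "198.51.100.7"),    # legitimate source
        make_ipv4_header("203.0.113.99", "198.51.100.7"),  # source not owned by host
        b"\x45\x00",                                       # truncated header
    ]
    for pkt in samples:
        print(check_outbound(pkt))
```

The `claimed_source` value corresponds to the address the alert reports as the one the traffic pretends to come from.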

The Spoof Detected Alert dialog box is very similar to the firewall feature’s Learn Mode alert. It displays information about the intercepted traffic on two tabs — the Application Information tab, and the Connection Information tab.

The Application Information tab displays:

• The IP address that the traffic pretends to come from.
