McAfee® Host Intrusion Prevention 6.1 Installation/Configuration Guide

Basic Concepts


IPS feature


Signatures are designed for specific applications and for specific operating systems; for example, web servers such as Apache, IIS, and NES/iPlanet. The majority of signatures protect the entire operating system, while some protect specific applications.

Behavioral rules

Hard-coded behavioral rules define a profile of legitimate activity. Activity not matching the profile is considered suspicious and triggers a response. For example, a behavioral rule might state that only a web server process should access HTML files. If any other process attempts to access HTML files, action is taken. These rules provide protection against zero-day and buffer overflow attacks.

Events

IPS Events are generated when a client recognizes a signature or behavioral rule violation. Events are logged in the IPS Events tab of IPS Rules. Administrators can monitor these events to view and analyze system rule violations. They can then adjust event reactions or create exceptions or trusted application rules to reduce the number of events and fine-tune the protection settings.

Reactions

A reaction is what a client does when it recognizes a signature of a specific severity.

A client reacts in one of three ways:

• Ignore — No reaction; the event is not logged and the process is not prevented.
• Log — The event is logged but the process is not prevented.
• Prevent — The event is logged and the process is prevented.

A security policy may state, for example, that when a client recognizes an Information level signature, it logs the occurrence of that signature and allows the process to be handled by the operating system; and when it recognizes a High level signature, it prevents the process.

Logging can be enabled directly on each signature.

Exception rules

An exception is a rule for overriding blocked activity. In some cases, behavior that a signature defines as an attack may be part of a user’s normal work routine or an activity that is legal for a protected application. To override the signature, you can create an exception that allows legitimate activity. For example, an exception might state that for a particular client, a process is ignored.

You can create these exceptions manually, or place clients in Adaptive mode and allow them to create client exception rules. To ensure that some signatures are never overridden, edit the signature and disable the Allow Client Rules option. You can track the client exceptions in the ePolicy Orchestrator console, viewing them in either a regular or an aggregated view. Use these client rules to create new policies, or add them to existing policies that you can apply to other clients.
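The reaction and exception mechanisms described above, as an added illustration that is not code from the guide or from the product: a small Python model in which a policy maps severity to Ignore/Log/Prevent, an exception rule overrides a block, and a client-proposed rule is refused for a signature whose Allow Client Rules option is disabled. Signature names, hostnames and the default reaction for a severity the policy does not map are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# The three client reactions named in the guide.
IGNORE, LOG, PREVENT = "Ignore", "Log", "Prevent"
# One IPS event: which client, which process, which signature fired, at what severity.
Event = namedtuple("Event", "client process signature severity")

@dataclass
class IpsPolicy:
    reactions: dict  # severity level -> reaction (Information/High per the guide's example)
    exceptions: set = field(default_factory=set)  # (client or "*", process, signature or "*")
    client_rules_disabled: set = field(default_factory=set)  # Allow Client Rules turned off
    events: list = field(default_factory=list)  # stands in for the IPS Events tab

    def matches_exception(self, ev):
        return any(c in ("*", ev.client) and p == ev.process and s in ("*", ev.signature)
                   for c, p, s in self.exceptions)

    def add_client_exception(self, ev):
        """Adaptive mode: the client proposes an exception for activity it saw;
        refused when Allow Client Rules is disabled on that signature."""
        if ev.signature in self.client_rules_disabled:
            return False
        self.exceptions.add((ev.client, ev.process, ev.signature))
        return True

    def react(self, ev):
        """Decide the reaction to one event; Log and Prevent also record it."""
        if self.matches_exception(ev):
            return IGNORE  # legitimate activity: not logged, not prevented
        reaction = self.reactions.get(ev.severity, LOG)  # unmapped severity: assumed Log
        if reaction != IGNORE:
            self.events.append((ev, reaction))
        return reaction

def demo():
    # Constructed sample policy and events, not values from the product.
    policy = IpsPolicy(reactions={"Information": LOG, "High": PREVENT},
                       client_rules_disabled={"SIG_SYSTEM_FILE_WRITE"})
    info = Event("ws01", "backup.exe", "SIG_REGISTRY_READ", "Information")
    high = Event("ws01", "backup.exe", "SIG_SYSTEM_FILE_WRITE", "High")
    results = {"info": policy.react(info), "high": policy.react(high)}
    # The client tries to create a rule for the blocked signature and is refused.
    results["client_rule_added"] = policy.add_client_exception(high)
    # An administrator exception for this client and process does override it.
    policy.exceptions.add(("ws01", "backup.exe", "*"))
    results["high_after_exception"] = policy.react(high)
    results["logged"] = len(policy.events)
    return results
```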

