McAfee 6.1 manual How do I view IPS events triggered by clients?

Can I view or edit the policies applicable to a specific node or client?

Yes. Host Intrusion Prevention policies have specific categories, such as IPS Rules and IPS Protection, each providing specific settings. Under each Host Intrusion Prevention features, you can see the categories for the selected node on the Policies tab. Each category displays the name of its assigned policy (or policies). Most categories, like IPS Protection, display a single policy, while the IPS Rules and Trusted Applications categories display one or more policy instances. To view the details of each policy, click the name of the policy.

How do I view all available policies and the nodes they are assigned to?

The ePolicy Orchestrator tree has a Policy Catalog node, which displays the list of all policies in each category with a count of their assignments. Click the count value to display a list of all nodes where the policy is directly assigned.The count does not include nodes where the policy has been inherited.

How do I view IPS events triggered by clients?

ePolicy Orchestrator does not have its own event viewer, so events are handled by the Host Intrusion Prevention IPS Events tab within the IPS Rules policy. To view the list of events associated with a selected node, click the Policies tab, and then click the IPS Events link. The IPS Events tab displays the combined set of IPS events generated by clients under the selected node for a specific number of days. The view automatically refreshes as new events are triggered, and offers these operations:

„Sorting events on a single attribute and filtering on various attributes.

„Viewing event details.

„Marking events as read or hidden, and displaying the events in combinations of read, unread, and hidden events.

„Creating exceptions or trusted application based on events.

How do I create an exception based on an IPS Event?

Select a single event in the IPS Events tab and click Create Exception. A pre-filled New Exception dialog box based on the original event appears. A tab in the New Exception dialog box displays a list of target IPS Rules Policy instances into which you will place this Exception upon creation.

The new exception can only be placed in an existing policy that can be edited.

Apply an exception to a specific client or to multiple clients - the target policy for an exception can be a specific client policy, or one that fits a common profile. However, all policies are shareable by default, and appear in the assignment list for each node. It is recommended that a small number of policies be carefully created and maintained, so that they can collectively satisfy the needs of all clients.

Instead of creating a new exception, you can search for and edit an existing exception with similar attributes in an existing policy with the Search Related Exceptions functionality.

How do I refine IPS Rules policies with automated tuning mechanisms?

Host Intrusion Prevention provides an adaptive mode option, which allows clients to automatically and silently create client rules that allow blocked but non malicious activity to occur. After clients have been in adaptive mode for a time, an administrator can do the following:

162