McAfee® Host Intrusion Prevention 6.1 Installation/Configuration Guide | Basic Concepts | Application Blocking feature
Application Blocking feature
The Application Blocking feature monitors applications being used and either allows or blocks them.
Host Intrusion Prevention offers two types of application blocking:
Application creation
Application hooking
When Host Intrusion Prevention monitors application creation, it looks for programs that are trying to run. In most cases this is not a problem, but some viruses, for example, try to run programs that harm a system. You can prevent this by creating application rules, similar to firewall rules, that allow only the programs permitted for a user to run.
When Host Intrusion Prevention monitors application hooking, it looks for programs that are trying to bind or “hook” themselves to other applications. Sometimes this behavior is harmless, but sometimes it is suspicious and can indicate a virus or other attack on your system.
You can configure Host Intrusion Prevention to monitor only application creation, only application hooking, or both.
The Application Blocking feature works like the Firewall feature. You create a list of application rules, one rule for each application you want to allow or block. Each time Host Intrusion Prevention detects an application trying to start or hook to another application, it checks its application rule list to determine whether to allow or block the application.
Client application blocking rules
Clients in Adaptive or Learn mode can create client rules to allow blocked application creation or hooking, which appear in both a regular and aggregated view. Use these client rules, just as you would with the IPS and firewall client rules, to create new policies or add them to existing policies that can be applied to other clients.
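The rule check and the client rules described above can be modeled in a few lines. This is an added illustration, not McAfee code or the product's rule format: all class, field, and function names are hypothetical, the application paths are constructed, and it assumes that the first matching rule decides, that an application with no matching rule is blocked, that only unmatched events produce client rules, and that the aggregated view is a per-rule count across clients.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

EVENTS = ("creation", "hooking")

@dataclass(frozen=True)
class AppRule:
    app: str                        # application path (constructed sample values)
    creation: Optional[str] = None  # "allow"/"block" when the program tries to run
    hooking: Optional[str] = None   # "allow"/"block" when it tries to hook another program

class AppBlocking:
    def __init__(self, rules, monitor=EVENTS, adaptive=False):
        self.rules = list(rules)    # policy rules, checked in list order
        self.monitor = set(monitor) # creation only, hooking only, or both
        self.adaptive = adaptive
        self.client_rules = []      # allow rules learned on this client

    def check(self, app, event):
        if event not in EVENTS:
            raise ValueError(f"unknown event type: {event}")
        if event not in self.monitor:
            return "allow"          # this event type is not monitored at all
        for rule in self.rules + self.client_rules:
            action = getattr(rule, event)
            if rule.app.lower() == app.lower() and action is not None:
                return action       # assumption: first matching rule decides
        if self.adaptive:           # assumption: only unmatched events are learned
            self.client_rules.append(AppRule(app, **{event: "allow"}))
            return "allow"
        return "block"              # assumption: no matching rule means block

def aggregated_view(clients):
    """Count how many clients learned each (application, event) allow rule."""
    counts = Counter()
    for client in clients:
        for rule in client.client_rules:
            for event in EVENTS:
                if getattr(rule, event) == "allow":
                    counts[(rule.app.lower(), event)] += 1
    return counts

# Constructed policy: one rule per application.
POLICY = [
    AppRule(r"C:\Windows\notepad.exe", creation="allow", hooking="block"),
    AppRule(r"C:\Temp\dropper.exe", creation="block", hooking="block"),
]
```

In this model, a learned rule that appears on many clients in the aggregated count is a candidate for promotion into a shared policy, while one seen on a single client deserves review before it is applied elsewhere.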
General feature
The Host Intrusion Prevention General feature provides access to policies that are general in nature and not specific to IPS, Firewall, or Application Blocking features. This includes:
Enabling or disabling the enforcement of all policies.
Determining how the client interface appears and is accessed.
Creating and editing trusted network addresses and subnets.
Creating and editing trusted applications to prevent triggering false positive events.