McAfee 6.1 Application Blocking feature, General feature

18

McAfee® Host Intrusion Prevention6.1 Installation/Configuration Guide Basic Concepts

Application Blocking feature 2

Application Blocking feature

The Application Blocking feature monitors applications being used and either allows or

blocks them.

Host Intrusion Prevention offers two types of application blocking:

Application creation

Application hooking

When Host Intrusion Prevention monitors application creation, it looks for programs

that are trying to run. In most cases, there is no problem; but, there are some viruses,

for example, that try to run programs that harm a system. You can prevent this by

creating application rules, similar to firewall rules, which only allow programs to run that

are permitted for a user.

When Host Intrusion Prevention monitors application hooking, it looks for programs

that are trying to bind or “hook” themselves to other applications. Sometimes, this

behavior is harmless, but sometimes this is suspicious behavior that can indicate a

virus or other attack on your system.

You can configure Host Intrusion Prevention to monitor only application creation, only

application hooking, or both.

The Application Blocking feature works like the Firewall feature. Create a list of

application rules; one rule for each application you want to allow or block. Each time

Host Intrusion Prevention detects an application trying to start or hook to another

application, it checks its application rule list to determine whether to allow or block the

application.

Client application blocking rules

Clients in Adaptive or Learn mode can create client rules to allow blocked application

creation or hooking, which appear in both a regular and aggregated view. Use these

client rules, just as you wold with the IPS and firewall client rules, to create new

policies or add them to existing policies that can be applied to other clients.

General feature

The Host Intrusion Prevention General feature provides access to policies that are

general in nature and not specific to IPS, Firewall, or Application Blocking features. This

includes:

Enabling or disabling the enforcement of all policies.

Determining how the client interface appears and is accessed.

Creating and editing trusted network addresses and subnets.

Creating and editing trusted applications to prevent triggering false positive events.

Contents

Main Page Page COPYRIGHT TRADEMARK ATTRIBUTIONS LICENSE INFORMATION License Agreement Attributions PATENT INFORMATION Contents 1 Introducing Host Intrusion Prevention 9 2Basic Concepts 15 3 Using ePolicy Orchestrator 23 4 IPS Policies 33 5 Firewall Policies 68 6 Application Blocking Policies 94 7 General Policies 103 8 Maintenance 115 9 Host Intrusion Prevention Client 132 Page 1 Prevention Whats new in this release Changes from the previous release New features Using this guide Audience Conventions This guide uses the following conventions: Bold Condensed Getting product information Standard documentation Contact information Threat Center: McAfee Avert Labs http://www.mcafee.com/us/threat_center/default.asp Download Site Technical Support Customer Service 2 IPS feature Signature rules Behavioral rules Events Reactions Exception rules Firewall feature Firewall rules Client firewall rules Application Blocking feature Client application blocking rules General feature Policy management Policy enforcement Policies and policy categories Policy inheritance and assignment Policy ownership Policy assignment locking Deployment and management Preset protection Adaptive and Learn mode Tuning Reports 3 ePolicy Orchestrator operations used with Host Intrusion Prevention ePolicy Orchestrator console Policy management Assigning owners to policies Generating notifications Generating reports Host Intrusion Prevention operations Installing the Host Intrusion Prevention server Deploying Host Intrusion Prevention clients Viewing and working with client data Placing clients in Adaptive or Learn mode Configuring policies Policy viewing alerts Fine-tuning Using Help Help navigation procedures Help in the user interface Table3-1 Host Intrusion Prevention icons IPS Events/Signatures IPS Signature Rules 4 Host and network IPS signature rules HIPS NIPS Behavioral rules Preset IPS policies Configuring the IPS Options policy Page Configuring the IPS Protection policy Page The IPS Protection dialog box appears. 3Select the type of reaction for each severity level: 4Click Apply, and then click Close. 5Click Apply on the IPS Protection category line. Configuring the IPS Rules policy IPS Rules policy details Exception Rules Creating exception rules Editing exception rules Enabling and disabling exception rules Deleting exception rules Moving exception rules to another policy Signatures Types of signatures Viewing signatures Modifying host and network signatures Creating custom signatures Using the wizard to create signatures Using the standard mode to create signatures Page 5Click Apply to apply the new settings, and then OK. Editing custom signatures Deleting custom signatures To use Standard Method: To use Expert Method: Application Protection Rules Page Page Editing Application Protection Rules Enabling and disabling Application Protection Rules Deleting Application Protection Rules IPS Events Viewing events Configuring the event view Filtering events Marking events Marking similar events Viewing event details Creating event-based exceptions and trusted applications Example Searching for related exceptions IPS Client Rules Regular View Aggregated View Search IPS Exception Rules Page 5 HIP 6.0 rules HIP 6.1 rules State table State table functionality How firewall rules work Ordering the firewall rule list How stateful filtering works How stateful packet inspection works Stateful protocol tracking Firewall rule groups and connection-aware groups Page Firewall Learn and Adaptive modes Stateful filtering Quarantine policies and rules Migrating custom 6.0 firewall rules to 6.1 rules Preset Firewall policies Configuring the Firewall Options policy Page Configuring the Firewall Rules policy Creating new Firewall Rules policies Minimal (Default) Subnet Automatically Learning Starter Subnet Automatically Client Medium The Create New Policy dialog box appears. Viewing and editing firewall rules Creating a new firewall rule or firewall group Page Deleting a firewall rule or group Viewing firewall client rules Page Configuring the Quarantine Options policy Configuring the Quarantine Rules policy Creating new Quarantine Rules policies Viewing and editing quarantine rules Creating a new quarantine rule or group Deleting a quarantine rule or group 6 Application creation Application hooking Preset Application Blocking policies Configuring the Application Blocking Options policy Page Configuring the Application Blocking Rules policy Creating new Application Blocking Rules policies Viewing and editing Application Blocking Rules Creating new Application Blocking Rules Deleting an application blocking rule Viewing application client rules Page 7 Preset General policies Configuring Enforce Policies Configuring the Client UI policy Creating and applying a Client UI policy Setting passwords Page Tray icon control Configuring the Trusted Networks policy 5Do any of the following: Configuring the Trusted Applications policy Creating and applying Trusted Applications policies Creating trusted applications Editing trusted applications Enabling and disabling trusted applications Deleting trusted applications 8 Fine-tuning a deployment Analyzing IPS events Creating exception rules and trusted application rules Working with client exception rules Creating and applying new policies Policy maintenance and tasks Policies tab Policy inheritance and assignment Page Policy Catalog Viewing policy information Editing policy information Page Running server tasks Directory Gateway Event Archiver Property Translator Setting up notifications for events How notifications work Creating rules Host Intrusion Prevention notifications Running reports Pre-defined reports Report repository Summary information and details Report content control Host Intrusion Prevention reports The Host Intrusion Prevention report templates include: IPS Events Summary by Signature Use this report to view IPS events per signature. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. IPS Event Summary by Target Use this report to view IPS events per host. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. Network Intrusion Summary by Source IP Use this report to view network intrusion events per source IP. Details include: Top 10 Attacked Nodes for IPS Filters on platform and signature type. Top 10 Triggered Signatures Use this report to view a bar chart of the 10 most triggered IPS signatures. Details include: Filters on platform and signature type. Top 10 Blocked Applications Use this report to view a bar chart of the 10 most blocked applications. Details include: Filters on application description, host name, and event time. Failed Quarantine Updates Use this report to view failed quarantine updates per host. Details include: Updating Checking in the update package Updating clients 9 Windows client System tray icon Client console Unlocking the client interface Setting options Error Reporting Troubleshooting Logging Host IPS engines Alerts Intrusion alerts Firewall alerts Application Blocking alerts Quarantine alerts Spoof Detected alerts Page IPS Policy tab IPS Policy options IPS Policy exception rules Exception rules list Firewall Policy tab Firewall Policy options Firewall Policy Rules Firewall rules list Application Policy tab Application Policy options Application Policy rules Application rules list Blocked Hosts tab Blocked Hosts list Page Application Protection tab Application Protection list Activity Log tab Activity Log options Activity Log list You can clear the list either by deleting the log contents or saving it to a .txt file. Note: McAfee Host Intrusion Prevention Options Solaris client Policy enforcement with the Solaris client Troubleshooting Client installation issues Verifying installation files Client operations issues Starting and stopping the client Linux client Policy enforcement with the Linux client Notes about the Linux client Troubleshooting Client installation issues Verifying installation files Verifying the client is running Client operations issues Troubleshooting tool Starting and stopping the client 10 Page Page Page A Rule Structure See Windows Custom Signatures for an explanation of the various sections and values. Mandatory common sections Use of Include and Exclude Optional common sections Use of the dependencies section Section value variables Use of wildcards Use of environment variables Use of predefined variables MS SQL Database Server Solaris Apache and iPlanet Windows Custom Signatures The following table lists the possible sections of the class Files. Class Files Page Page Class Isapi Page Page Class Registry Page Class Services The following rule would prevent deactivation of the Alerter service. The various sections of this rule have the following meaning: every one of these rules would need to use the same ID. Page Solaris Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Page Advanced Details Class UNIX_apache Page Linux Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Summary of parameters and directives The following is a summary of parameters and directives according to type. List of parameters according to type List of directives according to type Glossary Page Page Page Page Page Page Page Page Index A B C D G H I K L Q R S T U