McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies | IPS Events
Editing Application Protection Rules
You can view and edit the properties of an existing application rule, changing its inclusion status from include to exclude and vice versa.
To edit application rule properties:
1. On the Application Protection Rules tab, select an application and click Properties on the toolbar or shortcut menu; or,
The Application Protection Rules Properties dialog box appears.
2. Modify any data on the two tabs, and then click OK.
Enabling and disabling Application Protection Rules
Instead of deleting application rules not in use, you can disable them temporarily, and later enable them to put them into effect.
To disable/enable an application rule:
1. On the Application Protection Rules tab, select the enabled rule you want to disable or the disabled one you want to enable.
2. Click Disable or Enable on the toolbar or shortcut menu.
The status of the application on the Application Protection Rules tab changes accordingly.
Deleting Application Protection Rules
To permanently delete an application protection rule, select it on the Application Protection Rules tab, and then click Delete on the toolbar or the shortcut menu. The rule is removed from the tab.
IPS Events
An IPS event is triggered when a security violation, as defined by a signature, is detected. For example, Host Intrusion Prevention compares the start of any application against a signature for that operation, which may represent an attack. If a match occurs, an event is generated. If no match occurs, for example because an exception to the signature applies or because the application has been designated as trusted, no event is generated.
When Host Intrusion Prevention recognizes an IPS event, it flags it on the IPS Events tab with one of four severity levels: High, Medium, Low, and Information.
When two events are triggered by the same operation, the highest reaction is taken.
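The decision flow described above, as an added example that is not McAfee code: a simplified Python model of how signature matches, exceptions and trusted applications decide whether events are generated, and how the highest reaction is chosen when one operation triggers several events. The reaction names, the severity-to-reaction policy, the signature ids and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Severity(IntEnum):   # the four levels named in the guide
    INFORMATION = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3

class Reaction(IntEnum):   # assumed names, ordered weakest to strongest
    IGNORE = 0
    LOG = 1
    PREVENT = 2

# Assumed policy mapping each severity level to a reaction.
POLICY = {Severity.INFORMATION: Reaction.IGNORE, Severity.LOW: Reaction.LOG,
          Severity.MEDIUM: Reaction.LOG, Severity.HIGH: Reaction.PREVENT}

@dataclass(frozen=True)
class Signature:
    sig_id: int            # constructed ids, not real signature numbers
    operation: str
    severity: Severity

def evaluate(operation, app, signatures, exceptions=frozenset(), trusted=frozenset()):
    """Return (matching signature ids, reaction) for one operation by one app.

    exceptions: (sig_id, app) pairs, each suppressing a single signature.
    trusted:    application names for which no event is generated at all.
    """
    if app in trusted:
        return [], None
    events = [s for s in signatures
              if s.operation == operation and (s.sig_id, app) not in exceptions]
    if not events:
        return [], None
    # Several events from the same operation: the highest reaction is taken.
    return [s.sig_id for s in events], max(POLICY[s.severity] for s in events)

# Constructed sample signatures.
SIGS = [Signature(9001, "start_process", Severity.LOW),
        Signature(9002, "start_process", Severity.HIGH),
        Signature(9003, "write_registry", Severity.MEDIUM)]

if __name__ == "__main__":
    print(evaluate("start_process", "tool.exe", SIGS))
    print(evaluate("start_process", "tool.exe", SIGS, exceptions={(9002, "tool.exe")}))
    print(evaluate("start_process", "tool.exe", SIGS, trusted={"tool.exe"}))
```

In this model an exception removes only the one signature it names, so the remaining low-severity match still produces an event with the weaker reaction, while a trusted application produces no event at all.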