McAfee® Host Intrusion Prevention 6.1 Product Guide

IPS Policies

 


Editing Application Protection Rules

You can view and edit the properties of an existing application rule, changing its inclusion status from include to exclude and vice versa.

To edit application rule properties:

1. On the Application Protection Rules tab, select an application and click Properties on the toolbar or shortcut menu; or, double-click the selected trusted application.

The Application Protection Rules Properties dialog box appears.

2. Modify any data on the two tabs, and then click OK.


Enabling and disabling Application Protection Rules

Instead of deleting application rules not in use, you can disable them temporarily, and later enable them to put them into effect.

To disable/enable an application rule:

1. On the Application Protection Rules tab, select the enabled rule you want to disable or the disabled one you want to enable.

2. Click Disable or Enable on the toolbar or shortcut menu.

The status of the application on the Application Protection Rules tab changes accordingly.

Deleting Application Protection Rules

To permanently delete an application protection rule, select it on the Application Protection Rules tab, and then click Delete on the toolbar or the shortcut menu. The rule is removed from the tab.

IPS Events

An IPS event is triggered when a security violation, as defined by a signature, is detected. For example, Host Intrusion Prevention compares the start of any application against a signature for that operation, which may represent an attack. If a match occurs, an event is generated. If there is no match, perhaps because an exception to the signature applies or because the application has been designated as trusted, no event is generated.

When Host Intrusion Prevention recognizes an IPS event, it flags it on the IPS Events tab with one of four severity levels: High, Medium, Low, and Information.

When two events are triggered by the same operation, the highest reaction is taken.
