McAfee® Host Intrusion Prevention 6.1 Product Guide

IPS Policies

 

IPS Events

4

You can create event-based exceptions or trusted applications directly from an event to prevent the event from recurring, or you can create exceptions or trusted applications without reference to any particular event. For the latter, refer to Exception Rules on page 42 and Creating and applying Trusted Applications policies on page 112.

Creating exceptions and trusted applications lets you weed out false positive alerts, so that the notifications you receive are meaningful.

Example

For example, while testing clients, you may find clients triggering the signature E-mail access. Under certain circumstances, an event triggered by this signature is cause for alarm. A hacker may install a trojan that uses TCP/IP port 25, which is normally reserved for e-mail applications, and that activity is detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal e-mail traffic also matches this signature. When you see this signature, investigate the process that initiated the event. If the process is one not normally associated with e-mail, like Notepad.exe, you can reasonably suspect that a trojan was planted. If the process initiating the event is one that normally sends e-mail (Eudora, Netscape, Outlook), create an exception for that event. Scope the exception to that process and signature only; a blanket exception for the signature would also silence a trojan using the same port.
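The triage step described above, as an added PowerShell example that is not part of the McAfee guide: it lists the local processes that currently hold a TCP connection to remote port 25 and flags any whose image name is not on an allow-list of known mail clients. The allow-list contents are an assumption for illustration; Get-NetTCPConnection requires the NetTCPIP module (Windows 8 / Server 2012 and later), and on older hosts `netstat -ano` gives the same PID-to-connection mapping.

```powershell
# Added example, not from the McAfee guide: triage a "TCP/IP Port 25 Activity (SMTP)"
# event by listing the local processes that currently hold a TCP connection to remote
# port 25 and flagging any that are not a known mail client.
# Assumptions: the allow-list below is illustrative; Get-NetTCPConnection needs the
# NetTCPIP module (Windows 8 / Server 2012 and later). On older hosts use "netstat -ano".

# Process image names that normally speak SMTP on a workstation (assumed list; tune it
# to the mail software actually deployed). The -contains comparison is case-insensitive.
$KnownMailClients = @('outlook', 'eudora', 'netscape', 'thunderbird')

function Get-SmtpProcessTriage {
    $connections = Get-NetTCPConnection -RemotePort 25 -ErrorAction SilentlyContinue
    foreach ($conn in $connections) {
        # Map the owning PID back to an image name and, where readable, its on-disk path.
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $path = 'unknown'
        if ($proc) {
            try { if ($proc.Path) { $path = $proc.Path } } catch { }
        }

        if ($KnownMailClients -contains $name) {
            $verdict = 'expected mail client; candidate for an exception'
        } else {
            $verdict = 'INVESTIGATE: not a known mail client (possible trojan)'
        }

        [PSCustomObject]@{
            PID        = $conn.OwningProcess
            Process    = $name
            Path       = $path
            RemoteAddr = $conn.RemoteAddress
            State      = $conn.State
            Verdict    = $verdict
        }
    }
}

Get-SmtpProcessTriage | Format-Table -AutoSize -Wrap
```

Run it on the client that raised the event while the connection is still open. The Path column matters as much as the name: a process called outlook.exe running from a temp directory is not the mail client the exception is meant to cover, so check the path before creating the exception.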

You may also find, for example, that a number of clients are triggering the signature startup programs, which indicates the modification or creation of a value under one of the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Because the values stored under these keys name programs that are started automatically when a user logs on, an event from this signature may indicate that someone is attempting to tamper with the system. Or it might indicate something as benign as one of your employees installing RealAudio on their computer: the RealAudio installation adds the value RealTray to the Run registry key.

To stop events from being generated every time someone installs authorized software, create exceptions for these events. The client then no longer generates events for the authorized installation.
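The check behind the startup programs example above, as an added PowerShell example that is not part of the McAfee guide: it enumerates every value under the Run and RunOnce keys and reports the ones that are not on an allow-list of authorized installs, so that you know which value the benign event refers to before creating an exception for it. It goes slightly beyond the guide by also covering the per-user HKEY_CURRENT_USER keys. The allow-list, and the assumption that the RealTray value points at a RealPlay.exe command line, are illustrative; tune both to your own software inventory.

```powershell
# Added example, not from the McAfee guide: audit the Run and RunOnce keys watched by
# the "startup programs" signature and report every value that is not an authorized
# install. HKCU keys are included as well (beyond what the guide lists).
# Assumptions: the allow-list is illustrative; the RealTray regex assumes the value
# launches RealPlay.exe, which is not stated by the guide.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Value name -> regex the stored command line must match to count as authorized.
# A matching name with a different command is still flagged, because an attacker can
# reuse a benign-looking value name to hide a different executable.
$Authorized = @{
    'RealTray' = '(?i)\\RealPlay\.exe'   # assumed command line for the RealAudio tray value
}

function Get-StartupAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $command = [string]$item.GetValue($valueName)

            if (-not $Authorized.ContainsKey($valueName)) {
                $verdict = 'INVESTIGATE: value not on allow-list'
            } elseif ($command -match $Authorized[$valueName]) {
                $verdict = 'authorized install; candidate for an exception'
            } else {
                $verdict = 'INVESTIGATE: authorized name but unexpected command line'
            }

            [PSCustomObject]@{
                Key     = $key
                Value   = $valueName
                Command = $command
                Verdict = $verdict
            }
        }
    }
}

Get-StartupAudit | Format-Table -AutoSize -Wrap
```

When the audit shows only an authorized value such as RealTray with the expected command line, create the exception for that specific event. A value that is not on the list, or an authorized name pointing at a different executable, is the tampering case the signature exists to catch and should not be excepted.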

To create an event-based exception:

1 Select an event and click Create Exception on the shortcut menu or the toolbar. A prefilled New Exception dialog box appears.

2 Follow the directions for creating an exception in Exception Rules on page 42.

To create an event-based trusted application:

1 Select an event and click Create Trusted Application on the shortcut menu or the toolbar. A prefilled New Trusted Application dialog box appears.

2 Follow the directions for creating a trusted application in Creating and applying Trusted Applications policies on page 112.
