McAfee® Host Intrusion Prevention 6.1 Product Guide | IPS Policies | IPS Client Rules
Searching for related exceptions
An event may be a false positive, which is a legitimate operation that incorrectly appears as an intrusion. For false positives you can create an exception and prevent logging future identical events; however, you may have already created several exceptions for similar events. Instead of creating a new exception, you might be able to edit an existing exception to make it apply to the false positive event. Keeping exceptions organized and few in number makes them easier to manage.
The Search for Related Exceptions feature enables you to search for existing exceptions that match one or more attributes that belong to an event. For example, you can search for exceptions matching the event’s signature or process or both. Alternatively, you can search for exceptions that are already deployed on the client on which the event occurred or perhaps those applied to the user associated with the event.
To search for a related exception:
1. Select an event on the IPS Events tab for which you want to find related exceptions, and click Search for Related Exceptions on the toolbar or the shortcut menu.
The Search IPS Exception Rules search criteria dialog box appears with prefilled process, signature, and user information.
2. Select the checkbox for each criterion you want to apply. You can edit the values by clicking Edit.
3. Click OK.
The Search IPS Exceptions tab displays the results of the search. See Search IPS Exception Rules on page 66 for more details on using this search feature.
IPS Client Rules
When clients are in Adaptive mode, client exception rules are created automatically to allow operations that would otherwise be blocked by