McAfee® Host Intrusion Prevention 6.1 Product Guide

Firewall Policies


Overview

5

Quarantine policies and rules

When a client returns to the network after a prolonged absence, the quarantine policies restrict a client’s ability to communicate with the network until ePolicy Orchestrator verifies that the client has all the latest policies, software updates, and DAT files.

Host Intrusion Prevention enforces quarantine rules for all ePolicy Orchestrator-managed applications. If you use ePolicy Orchestrator to manage clients with VirusScan Enterprise, Host Intrusion Prevention will quarantine any returning client where VirusScan Enterprise tasks fail to run; for example, if an update task fails to deliver the latest DAT files.

Out-of-date policies and files can create security holes and leave systems vulnerable to attacks. Quarantining users until ePolicy Orchestrator updates them avoids these unnecessary security risks. For example, a quarantine policy is useful for laptops whose policies and files may become out of date when they are away from the corporate network for a few days.

When you enable the Quarantine Options policy, both ePolicy Orchestrator and Host Intrusion Prevention participate. ePolicy Orchestrator detects whether a user has all the latest information they need. Host Intrusion Prevention enforces the quarantine until the client has all the necessary policies and files.

If your user connects to the network using VPN software, be sure the quarantine rules allow any traffic required to both connect and authenticate over the VPN.

When you configure the Quarantine Options policy, you specify a list of quarantined IP addresses and subnets. Any user assigned one of these addresses is quarantined by Host Intrusion Prevention upon returning to the network.

When the Quarantine Options policy is applied to a client, Host Intrusion Prevention uses the ePolicy Orchestrator agent to determine if the client has the most recent policies and files. This involves checking if all ePolicy Orchestrator tasks have run properly.

If the user is up to date, Host Intrusion Prevention immediately releases the client from quarantine.

If one or more ePolicy Orchestrator tasks have not run, however, the user is not up to date and Host Intrusion Prevention does not automatically release the quarantine. The client could remain quarantined for a few minutes while the ePolicy Orchestrator agent updates policies and files. Host Intrusion Prevention can continue or stop the quarantine as determined by settings in the Quarantine Options policy. If you configure Host Intrusion Prevention to continue enforcing the quarantine, clients could remain quarantined for a prolonged period.

With the quarantine policy, Host Intrusion Prevention enforces a strict set of firewall quarantine rules that define with whom quarantined clients can communicate.

Quarantine mode requires that Firewall be enabled: even if Quarantine mode is enabled, the quarantine does not take effect unless Firewall is also enabled.
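The decision sequence described in this section (the quarantined address list, the check that all ePolicy Orchestrator tasks ran, the continue-or-stop setting, the Firewall prerequisite, and the quarantine rules that limit whom a quarantined client may reach) modelled as a small Python policy evaluator. This is an added example written for this page, not McAfee code; the field names, task names, addresses and ports are constructed assumptions, and the real product's internal logic is not documented here.

```python
"""Model of the Quarantine Options decision flow (added example, not McAfee code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class QuarantineOptions:
    """Hypothetical representation of the settings the guide describes."""
    quarantine_enabled: bool
    firewall_enabled: bool                 # quarantine has no effect without Firewall
    quarantined_networks: List[str]        # addresses/subnets that get quarantined
    continue_when_tasks_fail: bool         # continue (True) or stop (False) the quarantine
    # Quarantine rules: (destination network, destination port) a quarantined
    # client may still reach, e.g. the ePO server and the VPN gateway.
    quarantine_rules: List[Tuple[str, int]] = field(default_factory=list)


def address_is_quarantined(options: QuarantineOptions, client_ip: str) -> bool:
    """True when the client's address falls in one of the quarantined subnets."""
    addr = ip_address(client_ip)
    return any(addr in ip_network(net, strict=False)
               for net in options.quarantined_networks)


def quarantine_state(options: QuarantineOptions, client_ip: str,
                     task_results: Dict[str, bool]) -> str:
    """Return 'not-enforced', 'not-applicable', 'released' or 'quarantined'.

    task_results maps each ePO task name to whether it ran successfully
    (constructed input standing in for what the ePO agent would report).
    """
    if not (options.quarantine_enabled and options.firewall_enabled):
        return "not-enforced"            # Firewall must be on for quarantine to apply
    if not address_is_quarantined(options, client_ip):
        return "not-applicable"          # address is not in the quarantined list
    if task_results and all(task_results.values()):
        return "released"                # client is up to date: release immediately
    # Some task failed or has not run yet: the policy setting decides.
    return "quarantined" if options.continue_when_tasks_fail else "released"


def traffic_allowed(options: QuarantineOptions, state: str,
                    dest_ip: str, dest_port: int) -> bool:
    """Apply the strict quarantine rules only while the client is quarantined."""
    if state != "quarantined":
        return True                      # other firewall policies still apply, not modelled here
    dest = ip_address(dest_ip)
    return any(dest in ip_network(net, strict=False) and port == dest_port
               for net, port in options.quarantine_rules)


def sample_options(firewall_enabled: bool = True,
                   continue_when_tasks_fail: bool = True) -> QuarantineOptions:
    """Constructed sample policy: 10.1.1.10 is a placeholder ePO server,
    203.0.113.5 a placeholder VPN gateway (documentation address range)."""
    return QuarantineOptions(
        quarantine_enabled=True,
        firewall_enabled=firewall_enabled,
        quarantined_networks=["10.20.0.0/16"],
        continue_when_tasks_fail=continue_when_tasks_fail,
        quarantine_rules=[("10.1.1.10/32", 443), ("203.0.113.5/32", 443)],
    )


if __name__ == "__main__":
    opts = sample_options()
    up_to_date = {"vse_dat_update": True, "agent_policy_update": True}
    stale = {"vse_dat_update": False, "agent_policy_update": True}
    for tasks in (up_to_date, stale):
        state = quarantine_state(opts, "10.20.0.5", tasks)
        print(state, traffic_allowed(opts, state, "10.1.1.10", 443),
              traffic_allowed(opts, state, "10.1.1.20", 445))
```

The evaluator makes the section's two preconditions explicit: a client is only ever quarantined if its address is on the list and Firewall is enabled, and once quarantined it can reach only the destinations in the quarantine rules, which is why the VPN and ePolicy Orchestrator traffic mentioned above must be allowed there.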

77