manualshive.com logo in svg

McAfee HISCDE-AB-IA - Host Intrusion Prevention, Product Manual

Share
Download
McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual Download Page 119

Note 2

The data of the section new data must be in hexadecimal. For example, the data ‘def’ of registry
value “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc” must be
represented as old_data { Include “%64%65%66”}.

Advanced details

Some or all of the following parameters appear in the Advanced Details tab of security events
for the class Registry. The values of these parameters can help you understand why a signature
is triggered.

Explanation

GUI name

Name of the registry key affected, including the path name. Note the following:

Use this syntax

For this key

Registry Key

\REGISTRY\MACHINE\

HKEY_LOCAL_MACHINE\

\REGISTRY\CURRENT_USER\

HKEY_CURRENT_USER\

\REGISTRY\MACHINE\SOFTWARE\CLASSES\

HKEY_CLASSES_ROOT\

REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE
PROFILES\0001\

HKEY_CURRENT_CONFIG\

\REGISTRY\USER\

HKEY_USERS\

Name of the registry value concatenated with the full name of its key. Note the following:

Use this syntax

For values in this key

Registry Values

\REGISTRY\MACHINE\Test\*

HKEY_LOCAL_MACHINE\Test

\REGISTRY\CURRENT_USER\Test\*

HKEY_CURRENT_USER\Test

\REGISTRY\MACHINE\SOFTWARE\CLASSES\Test\*

HKEY_CLASSES_ROOT\Test

REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE
PROFILES\0001\Test\*

HKEY_CURRENT_CONFIG\Test

\REGISTRY\USER\Test\*

HKEY_USERS\Test

Only applicable for registry value changes: data that a registry value contained before it was
changed or attempted to be changed.

old data

Only applicable for registry value changes: data that a registry value contains after it was
changed or that it would contain if the change went through.

new data

Only applicable for registry value changes: type of data type that a registry value contains
before it was changed or attempted to be changed.

old data type

Only applicable for registry value changes: type of data that a registry value would contain
after it was changed or that it would contain if the change went through.

new data type

The following rule would prevent anybody and any process from deleting the registry value
“abc” under registry key “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa”

Rule {

tag "Sample8"

Class Registry

Id 4001

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures

119

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5

Summary of Contents for HISCDE-AB-IA - Host Intrusion Prevention

Page 1: ...McAfee Host Intrusion Prevention 8 0 Product Guide for use with ePolicy Orchestrator 4 5 ...

Page 2: ... and unregistered trademarks herein are the sole property of their respective owners LICENSE INFORMATION License Agreement NOTICE TO ALL USERS CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED PLEASE CONSULT THE SA...

Page 3: ...ing 18 Host IPS policy migration 22 System management 23 Host IPS permission sets 23 Host IPS server tasks 25 Host IPS event responses 26 Host IPS protection updates 27 Configuring IPS Policies 29 Overview of IPS policies 29 Methods for delivery of IPS protection 30 Signatures 31 Behavioral rules 32 Reactions 32 Exceptions 32 Application protection rules 33 Events 33 Enable IPS protection 33 Confi...

Page 4: ...55 How the Host IPS catalog works 58 Firewall stateful packet filtering and inspection 59 How learn and adaptive modes affect the firewall 63 Firewall client rules 64 Enable firewall protection 64 Configuring the Firewall Options policy 65 FAQ McAfee TrustedSource and the firewall 66 Define firewall protection 67 Configuring the Firewall Rules policy 68 Creating and editing firewall rules 69 Creat...

Page 5: ... UI options 83 Troubleshooting the Windows client 84 Windows client alerts 86 About the IPS Policy tab 88 About the Firewall Policy tab 89 About the Blocked Hosts tab 91 Editing the Blocked Hosts list 92 About the Application Protection List tab 92 About the Activity Log tab 93 Overview of the Solaris client 94 Policy enforcement with the Solaris client 94 Troubleshooting the Solaris client 95 Ove...

Page 6: ...nd directives per Windows platform 123 Non Windows custom signatures 127 Solaris Linux class UNIX_file 127 Solaris Linux class UNIX_apache HTTP 130 Solaris Linux class UNIX_Misc 131 Solaris class UNIX_bo 132 Solaris class UNIX_map 133 Solaris class UNIX_GUID 133 Classes and directives per UNIX platform 134 Appendix B Troubleshooting 136 General issues 136 Host IPS logs 141 Clientcontrol exe utilit...

Page 7: ...evention IPS feature Host Intrusion Prevention is fully integrated with ePolicy Orchestrator and uses its framework to deliver and enforce policies This approach provides a single management solution that allows for mass deployment of up to 100 000 systems in multiple languages across an entire enterprise for true global coverage Contents Host IPS protection Host IPS policies Host IPS policy manag...

Page 8: ...r Deleting a policy can be done only in the Policy Catalog IPS policies The IPS feature contains three policies that protect both Windows and non Windows computers It details exceptions signatures application protection rules events and client generated exceptions IPS Options All platforms Turns on or off IPS protection and application of adaptive mode for tuning IPS Protection All platforms Defin...

Page 9: ...t Intrusion Prevention is grouped by feature and category Each policy category refers to a specific subset of policies A policy is a configured group of settings for a specific purpose You can create modify or delete as many policies as needed Each policy has a preconfigured McAfee Default policy which cannot be edited or deleted Except for IPS Rules and Trusted Applications all policies also have...

Page 10: ...n place systems that fit a common usage profile into a common group on the System Tree In fact you might name a group after its usage profile for example Web Servers With computers grouped in the System Tree according to type function or geographic location you can easily divide administrative functions along the same lines With Host Intrusion Prevention you can divide administrative duties based ...

Page 11: ...events This process is called tuning Stronger IPS rules target a wider range of violations and generate more events than in a basic environment If you apply advanced protection McAfee recommends using the IPS Protection policy to stagger the impact This entails mapping each of the severity levels High Medium Low and Information to a reaction Prevent Log Ignore By initially setting all severity rea...

Page 12: ...from a chart based query to a small web application like the MyAvert Threat Service You can create and edit multiple dashboards if you have the permissions Use any chart based query as a dashboard that refreshes at a specified frequency so you can put your most useful queries on a live dashboard Host Intrusion Prevention provides two default dashboards with these monitors Table 1 Host IPS dashboar...

Page 13: ...port export these settings as a template After creating custom templates organize them in logical groupings so that you can run them as needed on a daily weekly or monthly basis After a report is generated you view summary information as determined by the filter if any that you have set From the summary information you drill down to one or two levels for detailed information all in the same report...

Page 14: ...Signer Name Host IPS 8 0 IPS Client Rules Creation Date Description Executable Name Executable Path Fingerprint Full Executable Name Include All Executables Include All Signatures Include All Users Last Modified Date Local Version Reaction Signature ID Signer Name Status User Name Host IPS 8 0 IPS Exceptions IPS Exception Rule IPS Rules Policy Common Host IPS properties The Host IPS custom queries...

Page 15: ... Displays firewall client rules listed by protocol and port range Client Rules By Protocol Port Range Displays firewall client rules listed by protocol and process Client Rules by Protocol Process Displays top three client versions with a single category for all other versions Client Versions Displays managed systems where Host IPS is deployed and the installer needs to restart the system Clients ...

Page 16: ...nts Top 10 IPS Events by Target Displays the top 10 network intrusion events by source IP addresses for the past three months Top 10 NIPS By Source IP Displays the top 10 triggered IPS signatures Top 10 Triggered Signatures Policy management Management of policies involves configuring and applying policies and the tuning of protection for system resources and applications Part of this process requ...

Page 17: ... to the desired location Export all policies Click Import at the top of the Policy Catalog page select the policy XML file then click OK Import policies For details on any of these features see the ePolicy Orchestrator documentation Configuring polices After you install the Host Intrusion Prevention software McAfee recommends that you configure policies to provide the greatest amount of security w...

Page 18: ...t Assignment For a system go to Systems System Tree select a group that contains the system and then on the System tab select the system and select Actions Agents Modify Policies on a Single System Default protection and tuning Host Intrusion Prevention works with default policies for basic protection It allows greater protection through custom settings obtained through manual or automatic tuning ...

Page 19: ...ermine your initial client rollout plan Although you can deploy Host Intrusion Prevention clients to every host servers desktops and laptops in your company McAfee recommends that you start by installing clients on a limited number of representative systems and tuning their configuration After you have fine tuned the deployment you can then deploy more clients and leverage the policies exceptions ...

Page 20: ...n then allows you to take any all or none of the client rules and convert them to server mandated policies When tuning is complete turn off adaptive mode to tighten the system s intrusion prevention protection Run clients in adaptive mode for at least a week This allows the clients time to encounter all the activity they would normally encounter Try to do this during times of scheduled activity su...

Page 21: ...ty IPS signatures These signatures are tuned to detect and prevent the most severe threats to your systems so it is unlikely that normal business activity would require an automated exception The reaction to the signature is Ignore The associated action triggers a network IPS signature A user attempts to stop the McAfee Host IPS service regardless of the client rule setting for service self protec...

Page 22: ...Blocking Rules policies are migrated into IPS Rules policies named Application Hooking and Invocation Protection name 6 1 or 7 0 these policies were removed in version 8 0 After these policies are migrated into IPS Rules policies their Application Protection Rules list is blank and the Exceptions list contains exceptions for all default trusted application set to Trusted for Application Hooking To...

Page 23: ... IPS 6 1 or 7 0 policies in an xml file click Migrate 3 Select the Host IPS 6 1 or 7 0 version xml file previously exported then click OK The xml file is converted to policy version 8 0 format 4 Right click the link to the converted MigratedPolicies xml file and save it for importing 5 Import the xml file in to the ePO Policy Catalog System management As part of managing the Host Intrusion Prevent...

Page 24: ...s Threat Event Log Host IPS client events and client rules Server Tasks Host IPS server tasks Software Host IPS packages in repository Automatic Responses Event Notifications Client Events Host IPS automatic responses For more information on permission sets see the ePolicy Orchestrator documentation Assigning permission sets Use this task to assign permissions to Host Intrusion Prevention features...

Page 25: ...ver Task This server task translates Host Intrusion Prevention client rules that are stored in the ePolicy Orchestrator database Host IPS Property Translator Preconfigured to handle Host Intrusion Prevention sorting grouping and filtering of data This task runs automatically every 15 minutes and requires no user interaction You can however run it manually if you need to see immediate feedback from...

Page 26: ...re the email SMTP server at Server Settings Email contacts list Specify the list from which you select recipients of notification messages at Contacts Registered executables Specify a list of registered executables to run when the conditions of a rule are met Server tasks Create server tasks for use as actions to be carried out as a result of a response rule SNMP servers Specify a list of SNMP ser...

Page 27: ...otection The basic process includes checking in the update package to the ePO master repository then sending the updated information to the clients Clients obtain updates only through communication with the ePO server and not directly through FTP or HTTP protocols TIP Always assign the McAfee Default IPS Rules policy and McAfee Default Trusted Applications policy to benefit from any content update...

Page 28: ...r repository you can send the updates to the client by scheduling an update task or by sending an agent wake up call to update immediately Task 1 Go to Systems System Tree Client Tasks select the group where you want to send content updates and click New Task 2 Name the task select Product Update as the type of task then click Next 3 Select Selected packages select Host Intrusion Prevention Conten...

Page 29: ...bined signatures and behavioral rules to determine whether to allow block or log an action This hybrid method detects most known attacks as well as previously unknown or zero day attacks Protection also comes from exceptions which override signatures that block legitimate activity and application protection rules which describe which processes to protect Available policies There are three IPS poli...

Page 30: ...alling a kernel level driver and redirecting the entries in the system call table When an application requests a file it is directed to the Host Intrusion Prevention driver which checks the request against its set of signatures and behavioral rules to determine whether to allow or block the request HTTP engine for web servers Host Intrusion Prevention gives protection against attacks directed at w...

Page 31: ...e application s write file command These signatures Protect against an attack and the results of an attack such as preventing a program from writing a file Protect laptops when they are outside the protected network Protect against local attacks introduced by CDs or USB devices These attacks often focus on escalating the user s privileges to root or administrator to compromise other systems in the...

Page 32: ...ays Ignore No reaction the event is not logged and the operation is not prevented Log The event is logged but the operation is not prevented Prevent The event is logged and the operation is prevented A security policy might state for example that when a client recognizes a low severity signature it logs the occurrence of that signature and allows the operation to occur and when it recognizes a hig...

Page 33: ...r you install a content update You can add network facing and service based applications to this list automatically if you have enabled the Automatically include network facing and service based applications option in the IPS Options policy Events IPS events are generated when a client reacts to a triggered signature Events are logged in the Events tab of the Host IPS tab under Reporting Administr...

Page 34: ...rk facing and service based applications in the application protection list Select to allow a client to add high risk applications automatically to the list of protected applications in the IPS Rules policy Startup IPS protection enabled Select to apply a hard coded set of file and registry protection rules until the Host IPS service has started on the client Policy selections This policy category...

Page 35: ... system resources are locked and cannot be changed Preventing these signatures increases the security of the underlying system but additional fine tuning is needed Information Signatures of behavioral activity where applications and system resources are modified and might indicate a benign security risk or an attempt to access sensitive system information Events at this level occur during normal s...

Page 36: ...ange the settings for a custom policy NOTE For editable policies other options include Rename Duplicate Delete and Export For non editable policies options include View and Duplicate 3 In the IPS Protection page that appears make any needed changes then click Save Define IPS protection The IPS Rules policy applies intrusion prevention safeguards This policy is a multiple instance policy that can h...

Page 37: ...licy and an IIS policy the latter two configured to specifically target systems running as IIS servers When assigning multiple instances you are assigning a union of all the elements in each instance of the policy NOTE The McAfee Default policy for both IPS Rules and Trusted Applications are updated when content is update McAfee recommends that these two policies always be applied to make sure pro...

Page 38: ...er this create instances of IPS Rules and Trusted Applications policies for each group of users one IPS Rules policy for a particular department one for a particular location and one for a particular computer type then apply the appropriate instance Without a multiple instance IPS Rules policy a combination of three departments three locations and three computer types would require 27 policies wit...

Page 39: ...benign security risk or an attempt to access sensitive system information Events at this level occur during normal system activity and generally are not evidence of an attack Types of signatures The IPS Rules policy can contain three types of signatures Host IPS signatures Default host intrusion prevention signatures Custom IPS signatures Custom host intrusion prevention signatures that you create...

Page 40: ...e Category list The list of policies appears 2 Under Actions click Edit to make changes on the IPS Rules page then click the Signatures tab 3 Do any of the following Do this To Use the filters at the top of the signatures list You can filter on signature severity type platform log status Find a signature in the list whether client rules are allowed or specific text that includes signature name not...

Page 41: ... protecting This description appears in the IPS Event when the signature is triggered 4 On the Subrules tab select New Standard Sub Rule or New Expert Subrule to create a rule Expert method Standard method The Expert method recommended only for advanced users enables you to provide the rule syntax without The Standard method limits the number of types you can include in the signature rule limiting...

Page 42: ...ures tab click New Wizard 2 On the Basic Information tab type a name and select the platform severity level log status and whether to allow the creation of client rules Click Next to continue 3 On the Description tab type a description of what the signature is protecting This description appears in the IPS Event when the signature is triggered 4 On the Rule Definition tab select the item to protec...

Page 43: ...ow protection Host Intrusion Prevention provides a static list of processes that are permitted or blocked This list is updated with content update releases that apply in the McAfee Default IPS Rules policy In addition processes that are permitted to hook are added dynamically to the list when process analysis is enabled This analysis is performed under these circumstances Each time the client is s...

Page 44: ...orresponding entry in its running processes list A process that is not already hooked and is not part of the static block list is then hooked The firewall provides the PID Process ID which is the key for the cache lookup of a process The API exported by the IPS component also allows the client user interface to retrieve the list of currently hooked processes which is updated whenever a process is ...

Page 45: ...ars 2 Under Actions click Edit to make changes on the IPS Rules page then click the Application Protection Rules tab 3 Perform any of the following operations Do this To Use the filters at the top of the application list You can filter on rule status inclusion or specific text that Find an application rule in the list includes process name process path or computer name Click Clear to remove filter...

Page 46: ...Notepad exe In this instance you might reasonably suspect that a Trojan horse has been planted But if the process initiating the event is normally responsible for sending email for example saving a file with Outlook exe you need to create an exception that allows this action TIP If you create a custom signature that prevents modification of files editing renaming deleting in a particular folder bu...

Page 47: ...vioral exception to the signature 4 Click Save Monitor IPS events An IPS event is triggered when a security violation as defined by a signature is detected and reported to the ePO server The IPS event appears on the Events tab of the Host IPS tab or the Event Log tab along with all the other events for all the other products that ePolicy Orchestrator is managing under Reporting with one of four se...

Page 48: ...n the computer starts up recognition of this signature might indicate that someone is attempting to tamper with the system Or it might indicate something as benign as one of your employees installing WinZip on their computer The installation of WinZip adds a value to the Run registry key To eliminate the triggering of events every time someone installs authorized software you create exceptions for...

Page 49: ...ons Mark Unread Hide the event Actions Mark Hidden Show hidden events Note You must first filter for hidden events to be able to select them Actions Mark Unhidden 5 Create an exception or trusted application rule Select an event and select Actions New Exception to create an exception or select Actions New Trusted Application to create an application rule See Creating an exception from an event or ...

Page 50: ...Client Rules on the Host IPS tab under Reporting requires additional permissions other than that for Host Intrusion Prevention IPS including view permissions for Event Log Systems and System Tree access You can sort filter and aggregate the exceptions and view their details You can then promote some or all of the client exceptions to a particular IPS Rules policy to reduce false positives for a pa...

Page 51: ...ception criteria search text box and press Return Click Clear to remove filter settings Click Aggregate select the criteria on which to aggregate exceptions then click OK Click Clear to remove aggregation settings Aggregate exceptions 4 To move exceptions to a policy select one or more exceptions in the list click Create Exception then indicate the policy to which to move the exceptions Configurin...

Page 52: ...icies There are three Firewall policies Firewall Options Enables firewall protection It turns firewall protection on and off defines stateful firewall settings and enables special firewall specific protection such as allowing outgoing traffic only until the firewall service has started and blocking IP spoofing and malicious traffic Firewall Rules Defines firewall protection It consists of a set of...

Page 53: ...requests except from a specific address for example IP address 10 10 10 1 you need to create two rules Block Rule Block HTTP traffic from IP address 10 10 10 1 This rule is more specific Allow Rule Allow all traffic using the HTTP service This rule is more general You must place the more specific Block Rule higher in the firewall rules list than the more general Allow Rule This ensures that when t...

Page 54: ... Ports 0 to 1023 are reserved as well known ports Numbers in this range are usually assigned to protocols by the IANA www iana org assignments protocol numbers and most operating systems require a process to have special permissions to listen on one of these ports Firewall rules are generally constructed to block certain ports and allow others thereby limiting the activities that can occur on the ...

Page 55: ...tion Allow traffic for unsupported protocols in the Firewall Options policy is selected How firewall rule groups work Group firewall rules for easier management Rule groups do not affect the way Host Intrusion Prevention handles the rules within them they are still processed from top to bottom Groups are associated with many of the items associated with rules including network options transport op...

Page 56: ...t match at least one of the list entries If DHCP Server is selected the adapter DHCP server IP must match at least one of the list entries If DNS Server List is selected the adapter DNS server IP address must match any of the list entries If Primary WINS Server is selected the adapter primary WINS server IP address must match at least one of the list entries If Secondary WINS Server is selected th...

Page 57: ... a corporate environment and a hotel The active firewall rules list contains rules and groups in this order 1 Rules for basic connection 2 VPN connection rules 3 Group with corporate LAN connection rules 4 Group with VPN connection rules Connection isolation on the corporate network Connection rules are processed until the group with corporate LAN connection rules is encounterd This group contains...

Page 58: ... hotel guests to access the computer over the network either wired or wireless are blocked How the Host IPS catalog works The Host IPS catalog simplifies firewall rule and group creation by allowing you to reference existing rules groups network addresses applications executables and group location data In addition you can reference executables for applications involved in IPS protection When refe...

Page 59: ...hen creating or editing rules or groups using the Firewall Rule Builder or Firewall Group Builder Click Import to add previously exported Host iPS catalog data in xml format NOTE Policy Catalog exports in xml format are not compatible with the Host IPS Catalog xml format This means you cannot export a Firewall Rules policy from the Policy Catalog and import it in to the Host IPS Catalog to populat...

Page 60: ...s policy after which the entry is removed from the table if no packet matching the connection is received The timeout for TCP connections is enforced only when the connection is not established Direction The direction incoming or outgoing of the traffic that triggered the entry After a connection is established bidirectional traffic is allowed even with unidirectional rules provided the entry matc...

Page 61: ...Figure 3 Stateful filtering process How stateful packet inspection works Stateful packet inspection combines stateful filtering with access to application level commands which secures protocols such as FTP FTP involves two connections control for commands and data for the information When a client connects to an FTP server the control channel is established arriving on FTP destination port 21 and ...

Page 62: ...for virtual connections is set in the Firewall Options policy When using IPv6 stateful firewall functionality is supported only on Windows Vista and later platforms TCP protocol works on the S3 way handshake When a client computer initiates a new connection it sends a packet to its target with a SYN bit that is set indicating a new connection The target TCP responds by sending a packet to the clie...

Page 63: ...o allow or block any traffic that does not match an existing rule and automatically creates corresponding dynamic rules for the non matching traffic You can enable learn mode for incoming communication only for outgoing communication only or both In adaptive mode Host Intrusion Preventionn automatically creates an allow rule to allow all traffic that does not match any existing block rule and auto...

Page 64: ... available Enabled Select to make the firewall active and then select the type of protection Regular default Use this setting when not tuning a deployment Adaptive mode Select to have rules created automatically to allow traffic Use only temporarily while tuning a deployment Learn mode Select to have rules created after input from the user to allow traffic Select also to allow incoming or outgoing...

Page 65: ...this option is not selected FTP connections require an additional rule for incoming FTP client traffic and outgoing FTP server traffic This should always be selected TCP connection timeout The time in seconds a TCP connection that is not established remains active if no more packets matching the connection are sent or received UDP and ICMP echo virtual connection timeout The time in seconds a UDP ...

Page 66: ...base of reputation scores for IP addresses domains specific messages URLs and images How does it work When the TrustedSource options are selected two firewall rules are created TrustedSource Allow Host IPS Service and TrustedSource Get Rating The first rule allows a connection to TrustedSource and the second rule blocks or allows traffic based on the the connection s reputation and the block thres...

Page 67: ...the McAfee Default policy You can view and duplicate the preconfigured policy and edit rename duplicate delete and export editable custom policies Table 8 Preconfigured Firewall Rules policies Usage Policy Use this policy for default minimal protection lt does the following Minimal Default Blocks any incoming ICMP traffic that an attacker could use to gather information about your computer Host IP...

Page 68: ...e Delete and Export For non editable policies options include View and Duplicate 3 Do any of the following Do this To Click New Rule or Add Rule from Catalog See Creating and editing firewall rules or Using the Host IPS catalog for details Add a firewall rule Click New Group or Add Group from Catalog See Creating and editing firewall rule groups or Using the Host IPS catalog for details Add a fire...

Page 69: ...for a Firewall Rules policy to create a set of rules with a single purpose Use a single purpose group with rules to allow for example VPN connection Groups appear in the rule list preceded by an arrow which can be clicked to show or hide the rules within the group Task 1 On the Firewall Rules policy page click New Group to create a new group click Edit under Actions to edit an existing group 2 Ent...

Page 70: ...into it from the firewall rule list or the Host IPS catalog Blocking DNS traffic To refine firewall protection you can create a list of domain name servers that Host IPS blocks by not allowing the resolving of their IP address NOTE Do not use this feature to block fully qualified domains instead block the FQDN remote address in a firewall rule Task For option definitions click on the page displayi...

Page 71: ... of the catalog type NOTE To add an item from the catalog while creating a firewall rule or group click Add From Catalog at the bottom of the appropriate builder page To add an item that you created while working in the firewall rule or group builder click the Add to Catalog link next to the item When you add an item from or to the catalog you create a dependent link between the item and the catal...

Page 72: ... or more in the list click Create Firewall Rule then indicate the policy to which to move the rules FAQ Use of wildcards in Firewall Rules When entering values in certain fields in firewall rules Host IPS permits the use of wildcards Which wildcards can I use for path and address values For paths of files registry keys executables and URLs use these wildcards Definition Character A single characte...

Page 73: ...ay types of intrusion alerts passwords for access to the client interface and troubleshooting options The password functionality is used for clients on both Windows and non Windows platforms Trusted Networks Lists IP addresses and networks including TrustedSource exceptions that are safe for communication Trusted networks can include individual IP addresses or ranges of IP addresses Marking networ...

Page 74: ...rative tasks Administrative tasks for both disconnected and administrator users include Administrator Enabling or disabling IPS and Firewall policies Creating additional IPS and Firewall rules if certain legitimate activity is blocked NOTE Administrative policy changes made from the ePolicy Orchestrator console will be enforced only after the password expires Client rules created during this time ...

Page 75: ... from the tray icon and select any or all of the features to be disabled 2 Under Upon intrusion event select the options that control how the client reacts when it encounters an intrusion Setting Client UI advanced options and passwords Configure settings on the Advance Options tab of the Client UI policy for password access on Windows and non Windows clients Passwords unlock the Windows client co...

Page 76: ... Tree 4 Apply the Client UI policy to the group that contains the single system to which to apply the password 5 Select the group then on the Systems tab select a single system 6 Select Actions Create Time Based Password 7 Set the password expiration date and time then click Compute time based password The password appears in the dialog box Setting Client UI troubleshooting options Configure setti...

Page 77: ...m Data McAfee Host Intrusion Prevention HipShield log Select Log security violations to have security violations events appear in the IPS log Include security violations in the IPS log Change the size of the log from the default 1 MB to a larger number Set the size in MB of the events log on the client Deselect the checkbox to disable an engine then reselect it to reenable the engine Turn engines ...

Page 78: ...atures Click the Remove or Add button Remove or add a trusted network address entry 4 Click Save to save any changes Define trusted applications The Trusted Applications policy is the mechanism you use to create a list of applications that are trusted and should cause no event to be generated Maintaining a list of safe applications for a system reduces or eliminates most false positives The Truste...

Page 79: ...on rules for details Add an application Select them and click Perform an action on one or more applications at the same time Enable to enable a disabled application Disable to disable an enabled application Delete to delete applications Copy to to copy applications to another policy You are prompted to indicate the policy Click To perform an action on a single application Edit to edit an existing ...

Page 80: ...igured to specifically target systems running as IIS servers When assigning multiple instances you are assigning a union of all the elements in each instance of the policy NOTE The McAfee Default policy for both IPS Rules and Trusted Applications are updated when content is update McAfee recommends that these two policies always be applied to make sure protection as up to date as possible For the ...

Page 81: ...y view current settings For complete control of all settings in the console unlock the interface with a password For details on creating and using passwords see Setting Client UI advanced options and passwords under Configuring General Policies System tray icon menu When the McAfee icon appears in the system tray it provides access to the Host IPS client console Functionality differs depending on ...

Page 82: ...d Firewall Groups Status With McAfee Agent 4 5 Right click the McAfee Agent icon in the system tray then select Manage Features Host Intrusion Prevention to open the console NOTE Both the McAfee Agent and the Host IPS client must be set to display an icon for this access If the McAfee Agent does not appear in the system tray there is no access to Host IPS with a system tray icon even though the cl...

Page 83: ...revent accidental changes Fixed passwords that do not expire and temporary time based passwords allow an administrator or user to temporarily unlock the interface and make changes Before you begin Be sure that the Host IPS General Client UI policy which contains the password settings has been applied to the client This occurs at the scheduled policy update or by forcing an immediate policy update ...

Page 84: ... Show tray icon Troubleshooting the Windows client Host Intrusion Prevention includes a troubleshooting function which is available from the Help menu when the interface is unlocked These options are available Table 15 Troubleshooting options Definition Option Determines which Firewall message type to log Logging Firewall Determines which IPS message type to log Logging IPS Enable the logging of I...

Page 85: ...lve problems Use this task to enable Firewall logging Task 1 In the Host IPS console select Help Troubleshooting 2 Select the Firewall message type Debug Disabled Error Information Warning If the message type is set to Disabled no message is logged 3 Click OK The information is written to FireSvc log at C Documents and Settings All Users Application Data McAfee Host Intrusion Prevention on Windows...

Page 86: ... intercepted it In addition a generic administrator specified message can appear You can ignore the event by clicking Ignore or create an exception rule for the event by clicking Create Exception The Create Exception button is active only if the Allow Client Rules option is enabled for the signature that caused the event to occur If the alert is the result of a Host IP signature the exception rule...

Page 87: ...Create a temporary allow or block rule that is deleted when the application is closed If you do not select this Remove this rule when the application terminates options the new firewall rule is created as a permanent client rule Host Intrusion Prevention creates a new firewall rule based on the options selected adds it to the Firewall Rules policy list and automatically allows or blocks similar tr...

Page 88: ...lient and provides summary and detailed information for each rule Table 16 IPS Policy tab Displays This column The name of the exception Exception The name of the signature against which the exception is created Signature The application that this rule applies to including the program name and executable file name Application Customizing IPS Policy options Options at the top of the tab control set...

Page 89: ...f you do not click this button after making changes a dialog box appears asking you to save the changes Apply changes immediately About the Firewall Policy tab Use the Firewall Policy tab to configure the Firewall feature which allows or blocks network communication based on rules that you define From this tab you can enable or disable functionality and configure client firewall rules For details ...

Page 90: ... for outgoing traffic Adaptive Mode Enable adaptive mode Trusted Networks View trusted networks Creating and editing Firewall rules View create and edit Firewall ruleson the Firewall Policy tab on the client Task 1 In the Firewall Policy tab click Add to add a rule NOTE You can create only rules and not groups in the client console 2 On the General page type the name of the rule and select informa...

Page 91: ...tection is enabled If Create Client Rules is selected in the IPS Options policy in the ePolicy Orchestrator console you can add to and edit the list of blocked hosts The blocked hosts list shows all hosts currently blocked by Host Intrusion Prevention Each line represents a single host You can get more information on individual hosts by reading the information in each column Table 18 Blocked Hosts...

Page 92: ...To Double click a host entry or select a host and click Properties The Blocked Host dialog box displays information that can be edited View the details of or edit a blocked host Select a host and click Remove Delete a blocked host Click Apply If you do not click this button after making changes a dialog box appears asking you to save the changes Apply changes immediately About the Application Prot...

Page 93: ...ght click the log entry to save the data to a Sniffer file NOTE This column appears only if you select Create Sniffer Capture in the McAfee Options dialog box The program that caused the action Application A description of the action with as much detail as possible Message The name of the rule that was matched NOTE This column is located on the far right of the screen so you must scroll or resize ...

Page 94: ... protects the server s operating system along with Apache and Sun web servers with an emphasis on preventing buffer overflow attacks Policy enforcement with the Solaris client Not all policies that protect a Windows client are available for the Solaris client In brief Host Intrusion Prevention protects the host server from harmful attacks but does not offer firewall protection The valid policies a...

Page 95: ...ssword set with the policy and use this password Use the troubleshooting tool to Indicate the logging settings and engine status for the client Turn message logging on and off Turn engines on and off Log on as root and run the following commands to aid in troubleshooting Run To hipts status Obtain the current status of the client indicating which type of logging is enabled and which engines are ru...

Page 96: ...p install log Refer to this file for any questions about the installation or removal process of the Host Intrusion Prevention client Verifying the Solaris client is running The client might be installed correctly but you might encounter problems with its operation If the client does not appear in the ePO console for example check that it is running using either of these commands etc rc2 d S99hip s...

Page 97: ...e policies that are valid are listed here Table 21 Linux client policies Available options Policy Host Intrusion Prevention 8 0 IPS IPS Options Enable HIPS Enable Adaptive Mode Retain existing Client Rules All IPS Protection IPS Rules Exception Rules Signatures default and custom HIPS rules only NOTE NIPS signatures and Application Protection Rules are not available Host Intrusion Prevention 8 0 G...

Page 98: ...word Use the default password that ships with the client abcde12345 or send a Client UI policy to the client with an administrator s password or a time based password set with the policy and use this password Use the troubleshooting tool to Indicate the logging settings and engine status for the client Turn message logging on and off Turn engines on and off Log on as root and run the following com...

Page 99: ...nstallation history is written to opt McAfee etc hip install log Refer to this file for any questions about the installation or removal process of the Host Intrusion Prevention client Verifying the Linux client is running If the client does not appear in the ePO console for example check that the client is running To do this run this command ps ef grep Hip Stopping the Linux client You might need ...

Page 100: ...op the client Set IPS Options to On in the ePO console and apply the policy to the client Run the command hipts engines MISC on Working with Host Intrusion Prevention Clients Overview of the Linux client McAfee Host Intrusion Prevention 8 0 Product Guide for ePolicy Orchestrator 4 5 100 ...

Page 101: ... line Optional sections vary according to the operating system and the class of the rule Each section defines a rule category and its value One section always identifies the class of the rule which defines the rule s overall behavior The basic structure of a rule is the following Rule SectionA value SectionB value SectionC value NOTE Be sure to review the syntax for writing strings and escape sequ...

Page 102: ... on operating system Indicates the class this rule applies to Class Name of the subrule Name of the rule in quotes tag The unique ID number of the signature The numbers are the ones available for custom rules 4000 5999 Id The severity level of the signature 0 Disabled 0 1 level 1 Log 2 2 Low 3 3 Medium 4 4 High The users to whom the rule applies Specify particular users or all users Include Exclud...

Page 103: ... and level sections Use of Include and Exclude When you mark a section value as Include the section works on the value indicated when you mark a section value as Exclude the section works on all values except the one indicated When you use these keywords they are enclosed in brackets NOTE With the standard subrule use a single backslash in file paths with the export subrule use double backslashes ...

Page 104: ... Section Defines dependencies between rules and prevents the triggering of dependent rules Include Exclude id of a rule dependencies Events from the signature are not sent to the ePO server no_log attributes No exceptions are generated for the signature when adaptive mode is applied not_auditable The trusted application list does not apply to this signature no_trusted_apps The signature is disable...

Page 105: ...txt exclamation point Use of environment variables Use environment variables the iEnv command with one parameter the variable name in square brackets as a shorthand to specify Windows file and directory path names What it represents Environment variable C winnt where C is the drive that contains the Windows System folder Example files Include iEnv SystemRoot system32 abc txt iEnv SystemRoot C wher...

Page 106: ...difiable MSSQL_Allowed_Modification_Paths The auxiliary MS SQL services found on the system MSSQL_Auxiliary_Services The core MS SQL services found on the system MSSQL_Core_Services All other data files associated with MS SQL that may be outside of the MSSQL_DataRoot_Path directory MSSQL_Data_Paths The path to the MS SQL data files for each instance MSSQL_DataRoot_Paths The name of each installed ...

Page 107: ...or those classes and parameters without a user interface the expert method for rule creation is the only way to access them For Windows these classes are available When to use Class For protection against buffer overflow Buffer Overflow For protection of file or directory operations Files For protection of API process hooking Hook For protection against illegal use of the Host IPS API Illegal API ...

Page 108: ...ing representing 32 bytes of instructions that can be used to create a targeted bo target_bytes exception for a false positive without disabling buffer overflow for the entire process Checks that code sequence prior to return address is not a call bo call_not_found Checks that return adress is not readable memory bo call_return_unreadable Checks that call target does not match hooked target bo cal...

Page 109: ...ther directory files create directives Opens the file with read only access files read Opens the file with read write access files write Executes the file executing a directory means that this directory will become the current directory files execute Deletes the file from a directory or moves it to another directory files delete Renames a file in the same directory See Note 2 files rename Changes ...

Page 110: ...tives files rename Combined with section dest_file it means that no file can be renamed to the file in the section dest_file For example the following rule monitors renaming of any file to C test abc txt Rule tag Sample2 Class Files Id 4001 level 4 dest_file Include test abc txt Executable Include user_name Include directives files rename The section files is not mandatory when the section dest_fi...

Page 111: ...ules would need to use the same level files Include C test abc txt Indicates that the rule covers the specific file and path C test abc txt If the rule were to cover multiple files you would add them in this section in different lines For example when monitoring for files C test abc txt and C test xyz txt the section changes to files Include C test abc txt C test xyz txt Executable Include Indicat...

Page 112: ...re CLSIDs detailed_event_info as FAC7A6FB 0127 4F06 9892 8D2FC56E3F76 illegal_api_use bad_parameter directives illegal_api_use invalid_call Use this class to create a custom killbit signature The killbit is a security feature in web browsers and other applications that use ActiveX A killbit specifies the object class identifier CLSID for ActiveX software controls that are identified as security vu...

Page 113: ... user_name Executable One of three values LsarLookupNames name LsarLookupSids or ADMCOMConnect illegal api directives Windows class Isapi HTTP The following table lists the possible sections and values for the Windows class Isapi with IIS Notes Values Section Isapi Class See Common sections Id level time user_name Executable One of the required parameters Matched against the URL part of an incomin...

Page 114: ...ed by IIS Rule tag Sample6 Class Isapi Id 4001 level 1 url Include abc Executable Include user_name Include directives isapi request This rule is triggered because url search abc exe which matches the value of the section url i e abc Note 2 Before matching is done sections url and query are decoded and normalized so that requests cannot be filled with encoding or escape sequences Note 3 A maximum ...

Page 115: ...est only available if the request is authenticated user Client name or IP address of the computer where the HTTP request originated The address contains three parts host name address port number source Information about the Web server where the event is created that s the machine where the client is installed server in the manner host name IP address port The host name is the host variable from th...

Page 116: ...in which a process runs If you want to limit your rule to specific user contexts spell them out here in the form Local user or Domain user See Common Sections for details directives isapi request Indicates that this rule covers an HTTP request Windows class Program The following table lists the possible sections and values for the Windows class Program Notes Values Section Program Class See Common...

Page 117: ...licate a handle PROCESS_SET_INFORMATION Required to set certain information about a process such as its priority class PROCESS_SUSPEND_RESUME Required to suspend or resume a process Open with access to modify in the user interface Select to prevent these process specific access rights program open_with_terminate PROCESS_SUSPEND_RESUME Required to suspend or resume a process PROCESS_TERMINATE Requi...

Page 118: ...try key registry permissions Obtains registry key information number of subkeys etc or gets the content of a registry value registry read Enumerates a registry key that is gets the list of all the key s subkeys and values registry enumerate Requests to monitor a registry key registry monitor Restores a hive from file like the regedit32 restore function registry restore Restores a registry setting ...

Page 119: ... Test HKEY_CURRENT_USER Test REGISTRY MACHINE SOFTWARE CLASSES Test HKEY_CLASSES_ROOT Test REGISTRY MACHINE SYSTEM ControlSet HARDWARE PROFILES 0001 Test HKEY_CURRENT_CONFIG Test REGISTRY USER Test HKEY_USERS Test Only applicable for registry value changes data that a registry value contained before it was changed or attempted to be changed old data Only applicable for registry value changes data ...

Page 120: ... name user_name Include Indicates that this rule is valid for all users or more precisely the security context in which a process runs If you want to limit your rule to specific user contexts spell them out here in the form Local user or Domain user See Common Sections for details directives registry delete Indicates that this rule covers deletion of a registry key or value Windows class Services ...

Page 121: ...derstand why a signature is triggered Possible values Explanation GUI name Name of the Windows service displayed in the Services manager display names System name of the Windows service in services HKLM CurrentControlSet Services This may be different from the name displayed in the Services manager Only applicable for starting a service parameters passed to the service upon activation params Boot ...

Page 122: ...cesses If you want to limit your rule to specific processes spell them out here complete with path name user_name Include Indicates that this rule is valid for all users or more precisely the security context in which a process runs If you want to limit your rule to specific user contexts spell them out here in the form Local user or Domain user See Common Sections for details directives service s...

Page 123: ...ontains the full SQL query exactly as it was received sql_original_query including strings and whitespaces This is the SQL query string with string values whitespaces and sql_query everything behind the comments stripped out This is always be set to 0 for non SQL users This is set to 1 if the password is NULL and 0 otherwise sql_user_password On MSSQL 2005 2008 this is hard coded to Shared memory ...

Page 124: ...es on 32 bit Windows OS x32 Directives 7 2K8 V 2K3 XP 7 2K8 V 2K3 XP 7 2K8 V 2K3 XP files x x x x x x x x x x x x x x x create x x x x x x x x x x x x x x x read x x x x x x x x x x x x x x x write x x x x x x x x x x x x x x x execute x x x x x x x x x x x x x x x delete x x x x x x x x x x x x x x x rename x x x x x x x x x x x x x x x attribute x x x x x x x x x x x x x x x writeop x x x x x x ...

Page 125: ...sapi x x x x x x request x x x x x x requrl x x x x x x reqquery x x x x x x rawdata x x x x x x response Class Program 64 bit processes on 64 bit Windows OS x64 32 bit processes on 64 bit Windows OS x64 32 bit processes on 32 bit Windows OS x32 Directives 7 2K8 V 2K3 XP 7 2K8 V 2K3 XP 7 2K8 V 2K3 XP program x x x x x x x x x x x x x run x x x x x x x x x x x x x open_with_any x x x x x x x x x x ...

Page 126: ...n 64 bit Windows OS x64 32 bit processes on 32 bit Windows OS x32 Directives 7 2K8 V 2K3 XP 7 2K8 V 2K3 XP 7 2K8 V 2K3 XP services x x start x x stop x x pause x x continue x x x x x x x x x x x x x x x startup x x x x x x x x x x x x x x x profile_enable x x x x x x x x x x x x x x x profile_disable x x x x x x x x x x x x x x x logon x x x x x x x x x x x x x x x create x x x x delete Class SQL ...

Page 127: ...ID Solaris Linux class UNIX_file The following table lists the possible sections and values for the Unix based class UNIX_file Notes Values Section UNIX_file Class See Common sections Id level time user_name Executable One of the required parameters Files to look for See Note 1 File or folder involved in the operation files One of the required parameters See Note 1 Target file names source Solaris...

Page 128: ...d attributes are Read only Hidden Archive and System unixfile access Solaris Only File name has 512 consecutive unixfile foolaccess Solaris Only Displays or sets scheduling parameters unixfile priocntl Note 1 Relevant directives per section New Permission File Permission Source File Directive X X chdir X X X chmod X chown X X X create X link X mkdir X read X X rename X rmdir X setattr X X X symlin...

Page 129: ... apply only to the file in the zone app_zone and not in the global zone Note that in this release web server protection cannot be restricted to a particular zone Advanced details Some or all of the following parameters appear in the Advanced Details tab of security events for the class UNIX_file The values of these parameters can help you understand why a signature is triggered Explanation GUI nam...

Page 130: ...ing http request can be represented as http www myserver com url query In this document we refer to url as the url part of the http request and query as the query part of the http request Using this naming convention we can say that the section url is matched against url and the section query is matched against query For example the following rule is triggered if the http request http www myserver...

Page 131: ...ections url query method Note 5 By default all zones are protected by the signature To restrict protection to a particular zone add a zone section in the signature and include the name of the zone For example if you have a zone named app_zone whose root is zones app then the rule Rule file Include tmp test log zone Include app_zone would apply only to the file in the zone app_zone and not in the g...

Page 132: ...o binargs directives Illegal address such as running a program from the stack unixbo illegal_address Program execution unixbo exec Program environment unixbo environment Binary environment unixbo binenv Used when the return address for a function is not in the proper stack frame unixbo libc Note 1 By default all zones are protected by the signature To restrict protection to a particular zone add a...

Page 133: ...sections and values for the Solaris class UNIX_GUID Notes Values Section Use this class to set Unix access rights flags that allow users to run an executable with the permissions of the executable s owner or group UNIX_GUID Class See Common sections Id level time user_name Executable Solaris 10 or later Name of the zone to which the signature applies zone Sets user ID to allow a user to run an exe...

Page 134: ...Solaris 9 SuSE Linux RedHat Linux Directives X X X X unixfile chdir X X X X unixfile chmod X X X X unixfile chown X X X X unixfile create X X X X unixfile link X X X X unixfile mkdir X X X X unixfile read X X X X unixfile rename X X X X unixfile rmhdir X X unixfile setattr X X X X unixfile symlink X X X X unixfile unlink X X X X unixfile write X X X X unixfile mknod X X X X unixfile access X X uni...

Page 135: ... Class UNIX_map Solaris 10 Solaris 9 SuSE Linux RedHat Linux Directives X X mmap mprotect X X mmap mmap Class UNIX_GUID Solaris 10 Solaris 9 SuSE Linux RedHat Linux Directives X X guid setuid X X guid seteuid X X guid setreuid X X guid setgid X X guid setegid X X guid setregid Appendix A Writing Custom Signatures and Exceptions Non Windows custom signatures 135 McAfee Host Intrusion Prevention 8 0...

Page 136: ...trusion Prevention system tray icon service FireTray exe McAfee Host Intrusion Prevention client console McAfeeFire exe How do I prevent the firewall from blocking non IP traffic Unless specifically indicated in a firewall rule some types of non IP traffic are not recognized by the firewall and as a result are blocked Additionally the adaptive and learn modes do not dynamically detect and create f...

Page 137: ... the Host Intrusion Prevention client service FireSvc exe then retest to verify the issue occurs 3 If issue did not occur select Allow traffic for unsupported protocols in the Firewall Options policy from the ePolicy Orchestrator server and apply the policy to the client Retest with this option set Note Even if the firewall is disabled traffic can still be dropped when Host Intrusion Prevention is...

Page 138: ... the problem goes away report the issue as associated directly with the service Uninstall the Host IPS client from the local system and retest If the problem goes away report the issue as associated with installed files and not a specific component Iterative Testing phase of each component Test Host IPS 1 Click the Activity Log tab and clear the log 2 Click the IPS Policy tab and select Enable Hos...

Page 139: ... problem is resolved If it is Host IPS in Adaptive Mode can potentially be associated with the issue Save a copy of the Activity log and name it Host IPS Adaptive Activity Log wProb for reporting to support If the problem does not recur deselect Enable Host IPS and continue to the next step Test Network IPS 1 Click the Activity Log tab and clear the log 2 Click the IPS Policy tab and select Enable...

Page 140: ...cy tab and select Learn Mode and Incoming Deselect Outgoing 3 Test the system to determine if the problem recurs If it does a Deselect Incoming b Retest to verify the problem is resolved If it is Firewall Incoming Learn Mode can potentially be associated with the issue c Save a copy of the Activity log and name it Firewall Activity Log LearnIN wProb for reporting to support d Click the Activity Lo...

Page 141: ...oblem is resolved If it is there is probably a configuration error with the rules c Take a screenshot of the list of firewall on the Firewall Policy tab d Save a copy of the Activity log and name it to Firewall Activity Log AnyAny Test e Export the Host IPS policy settings a Log on to the ePO console b Navigate to the Policy Catalog object in the ePO System Tree c Locate Host IPS and expand it d C...

Page 142: ... debug logging The use of the local registry key to enable debug logging overrides any policy set using ePolicy Orchestrator To enable logging from ePolicy Orchestrator 1 Under Host IPS General edit the Client UI policy that is to be applied to a client 2 Click the Troubleshooting tab 3 Select the required logging settings Debug logs all messages Information logs Information Warning and Error mess...

Page 143: ...n of the Scrutinizer which depends on the above mentioned files having been copied properly A line beginning with New Process Pid indicates the Host IPS component is able to monitor process creation A line beginning with IIS Start indicates that IIS monitoring is beginning A line beginning with Scrutinizer started successfully ACTIVATED status indicates that the Scrutinizer has successfully starte...

Page 144: ...ssigning a value to the above registry key sets the maximum size of all these log files Clientcontrol exe utility This command line utility helps automate upgrades and other maintenance tasks when third party software is used to deploy Host Intrusion Prevention on client computers It can be included in installation and maintenance scripts to temporarily disable IPS protection and activate logging ...

Page 145: ... are engaged in an activity that requires that protection be disabled e g patching Windows your activity might be blocked by the enforced policies Even if stopping Host IPS services is successful policy settings might allow the McAfee Agent to restart them at the next Agent Server Communication Interval ASCI To prevent this 1 In ePolicy Orchestrator open the Host Intrusion Prevention General polic...

Page 146: ... on Engine type definitions 0 all 1 Buffer Overflow 2 SQL server only 3 Registry 4 Services 5 Files 6 HTTP server only 7 Host IPS API 8 Illegal Use 9 Program 10 Hook Engine option definitions 0 off 1 on export s path of export source file path of event log export file Exports the event log to a formatted text file The source file path is optional Don not include s if there is no source file readNa...

Page 147: ... the password and any other required parameters Sample workflows Applying a patch to a computer protected by McAfee Host IPS 1 Open a command shell 2 Run clientcontrol exe stop password 3 Perform your maintenance activity 4 Run clientcontrol exe start to restart Host IPS services Exporting the Host IPS Activity Log to a text file 1 Open a command shell 2 Run clientcontrol exe export path of export...

Page 148: ...lientcontrol exe password engine type engine option 3 Perform activity to generate reactions and log entries 4 Review HipShield log or FireSvc log for relevant information Appendix B Troubleshooting Clientcontrol exe utility McAfee Host Intrusion Prevention 8 0 Product Guide for ePolicy Orchestrator 4 5 148 ...

Page 149: ...guring Trusted Applications policy 78 IPS behavioral rules and 32 preventing on Solaris client 94 C client rules Firewall 64 71 creating with adaptive and learn modes 10 creatng exceptions 32 Firewall 64 71 Host IPS queries 13 IPS 36 IPS Rules policy overview 50 Client UI policy about 8 configuring 74 define 74 General tab configuring 75 options 83 overview 73 passwords 75 tray icon control config...

Page 150: ...eption rules about 32 aggregation and client rules 50 automatic tuning 20 configuring IPS Rules policy 46 Create Exception 86 exception rules continued creating 47 creating based on an event 47 defined 10 editing IPS policies 89 events and 47 IPS Rules policy 36 46 list Windows client and 88 working with 46 F false positives exceptions and IPS Rules policy 46 Trusted Applications policy reducing 7...

Page 151: ...13 intrusion prevention IPS adaptive mode and exceptions 32 behavioral rules 32 client rules 13 client rules overview 50 customizing options 88 intrusion prevention IPS continued delivery methods 30 editing exception rules 89 engines and drivers 30 enveloping and shielding 30 exceptions 32 Firewall logging options 85 HIPS about 31 IPS Protection policy 35 logging options 85 NIPS about 31 overview ...

Page 152: ...7 80 My Default policy Client UI 74 DNS Blocking 67 My Default policy continued Firewall Options 64 Firewall Rules 67 Host IPS 9 IPS Options 33 IPS Protection 35 IPS Rules 36 Trusted Applications 78 Trusted Networks 77 N network adapters conditions to allow connection 55 network intrusion prevention signatures 31 NIPS network intrusion prevention signatures 91 P packages Host IPS content updates 2...

Page 153: ... Host IPS checking in updates 27 server tasks Host IPS continued Export Policies 25 Export Queries 25 managing deployment 23 25 Property Translator 25 Purge Event Log 25 Purge Threat Event Log 25 Repository Pull 25 Run Query 25 severity levels IPS events and 47 IPS Protection policy 35 mapping to a reaction 10 setting and tuning protection 18 setting reactions for 36 tuning 10 17 working with sign...

Page 154: ...Options policy 66 how it works 66 tuning Host IPS adaptive and learn modes 20 analyzing events 16 tuning Host IPS continued default policies and 17 manual and automatic 18 policy management 10 Trusted Applications policies 78 usage profiles 10 U updating checking in Host IPS packages 27 Host IPS content package 27 Host IPS methods 28 signatures Host IPS 27 usage profiles grouping Host IPS systems ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands