McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 21

Product guide for use with ePolicy Orchestrator 4.5
Managing Your Protection
Policy management
FAQ — Adaptive mode
Adaptive mode is a setting you can apply to the IPS and firewall features while testing the
rollout of a new policy. It lets the Host Intrusion Prevention client create client rules
automatically to allow the activity it observes, while preserving a minimum level of protection
against vulnerabilities. The following questions and answers should help you use this feature.
How do you turn on adaptive mode?
You turn on adaptive mode by enabling this option in the IPS Options or Firewall Options policy
and applying this policy to the Host Intrusion Prevention client.
How does adaptive mode work differently with IPS and Firewall?
With IPS, adaptive mode creates client-side rules that are exceptions to existing IPS
signatures. With the firewall, adaptive mode creates client-side rules to allow network
packets not covered by existing firewall rules.
IPS client exceptions are created on a per-user, per-process, per-signature basis and are
path-based only, so an exception applies to whatever executable later occupies that path.
Firewall client rules are created on a per-process basis, and the process associated with a
firewall client rule is identified by path, file description, digital signature, and MD5 hash,
so a replaced or modified executable at the same path no longer matches the rule.
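The difference in how the two rule types identify a process is worth seeing concretely. The following Python is an added example, not code from the product guide or from McAfee: it models an adaptive-mode IPS exception (matched on user, signature and path) next to a firewall client rule (matched on path, file description, digital signature and MD5 hash), then matches both against the original executable and against a replacement dropped at the same path. The `Process` and rule classes, the `sync.exe` path, the signer name, the placeholder signature ID 9999 and the executable byte strings are all constructed for the example; the client's real matching details (for instance whether paths compare case-insensitively, which the example assumes) are not stated on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    """The attributes the client can record for a running process (constructed model)."""
    path: str
    file_description: str
    signer: Optional[str]   # subject of the code-signing certificate; None if unsigned
    md5: str                # hex MD5 of the executable image


def process_from_image(path: str, file_description: str,
                       signer: Optional[str], image: bytes) -> Process:
    """Build the identity for an executable whose bytes are supplied inline
    (so the example runs offline instead of reading the file at `path`)."""
    return Process(path, file_description, signer, hashlib.md5(image).hexdigest())


def same_path(a: str, b: str) -> bool:
    # Assumption for the example: Windows paths compare case-insensitively.
    return a.lower() == b.lower()


@dataclass(frozen=True)
class IpsClientException:
    """Adaptive-mode IPS exception: per user, per process, per signature, path-based only."""
    user: str
    signature_id: int
    process_path: str

    def matches(self, user: str, signature_id: int, proc: Process) -> bool:
        return (self.user == user
                and self.signature_id == signature_id
                and same_path(self.process_path, proc.path))


@dataclass(frozen=True)
class FirewallClientRule:
    """Adaptive-mode firewall rule: per process, identified by path, file description,
    digital signature and MD5 hash, so all four attributes must agree."""
    process: Process

    def matches(self, proc: Process) -> bool:
        want = self.process
        return (same_path(want.path, proc.path)
                and want.file_description == proc.file_description
                and want.signer == proc.signer
                and want.md5 == proc.md5)


# Constructed data: a signed vendor binary, and an unsigned replacement placed at the same path.
SYNC_PATH = r"C:\Program Files\Acme\sync.exe"          # hypothetical path
ORIGINAL = process_from_image(SYNC_PATH, "Acme Sync", "Acme Corp", b"MZ-original-image")
REPLACED = process_from_image(SYNC_PATH, "Acme Sync", None, b"MZ-replacement-image")
SIG_ID = 9999                                           # placeholder, not a real Host IPS signature number
USER = r"CORP\alice"


def demo() -> dict:
    """Match both rule types against the original and the replaced executable."""
    ips_exc = IpsClientException(USER, SIG_ID, SYNC_PATH)
    fw_rule = FirewallClientRule(ORIGINAL)
    return {
        "ips_matches_original": ips_exc.matches(USER, SIG_ID, ORIGINAL),
        "ips_matches_replaced": ips_exc.matches(USER, SIG_ID, REPLACED),   # path only: still matches
        "fw_matches_original": fw_rule.matches(ORIGINAL),
        "fw_matches_replaced": fw_rule.matches(REPLACED),                  # hash and signer differ: no match
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {matched}")
```

Running `demo()` shows the IPS exception still matching the replaced binary, because only the path is compared, while the firewall client rule stops matching as soon as the MD5 hash (here also the signer) changes. That is the practical reason to treat adaptive-mode IPS exceptions as provisional and review them before carrying them into a policy.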
When is a rule not created automatically with adaptive mode?
With IPS:
• The signature in the effective IPS Rules policy does not allow a client rule to be created.
(This setting is standard for most high-severity IPS signatures. These signatures are tuned
to detect and prevent the most severe threats to your systems, so it is unlikely that normal
business activity would require an automated exception.)
• The reaction to the signature is "Ignore."
• The associated action triggers a network IPS signature.
• A user attempts to stop the McAfee Host IPS service, regardless of the client rule setting for
service self-protection in signature 1000.
• An exception that already excludes the operation in question exists in an applied IPS
Rules policy.
• The process associated with the action is trusted for IPS in an applied Trusted Applications
policy, and the signature is not excluded from Trusted Applications.
With the firewall:
• There is no application associated with the packet when it is examined in the client
  activity log. Some of the most common examples include:
  • Incoming requests for services that are not running, such as file transfer protocol (FTP)
    or Telnet.
  • Incoming Internet Control Message Protocol (ICMP), such as an echo request.
  • Incoming or outgoing ICMP on the Microsoft Windows Vista operating system.
  • Transmission Control Protocol (TCP) packets to port 139 (NetBIOS session service) or 445
    (Microsoft-DS, direct-hosted SMB), which might be required for Windows file sharing.
  • Internet Protocol Security (IPsec) packets associated with virtual private network (VPN)
    client solutions.
• There is already a rule in the applied Firewall Rules policy that blocks or allows the packet.
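During a test rollout the usual question is why adaptive mode produced no client rule for an event that was clearly blocked. The following Python is an added example, not code from the product guide or from McAfee: it encodes the IPS and firewall conditions listed above as checkers that take an event or packet as it would appear in the client activity log and return every reason no client rule would be created (an empty list means adaptive mode would create one). The `Signature`, `IpsEvent`, `IpsPolicy`, `Packet` and `FirewallRule` classes, the representation of an existing policy exception as a (signature, process path) pair, the placeholder signature IDs 9001 and 9002 and all sample events are constructed for the example; real policy objects carry more attributes than this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SELF_PROTECTION_SIG = 1000   # Host IPS service self-protection signature (from the page)


@dataclass(frozen=True)
class Signature:
    sig_id: int
    reaction: str             # "Prevent", "Log" or "Ignore"
    allow_client_rules: bool  # per-signature setting in the effective IPS Rules policy
    network: bool = False     # True for network IPS signatures


@dataclass(frozen=True)
class IpsEvent:
    sig_id: int
    user: str
    process_path: str
    stops_hips_service: bool = False


@dataclass
class IpsPolicy:
    signatures: Dict[int, Signature]
    # Simplification for the example: an existing exception is keyed by (signature, process path).
    exceptions: Set[Tuple[int, str]] = field(default_factory=set)
    trusted_for_ips: Set[str] = field(default_factory=set)         # Trusted Applications paths
    excluded_from_trusted: Set[int] = field(default_factory=set)   # signatures that still apply to trusted apps


def ips_no_client_rule_reasons(ev: IpsEvent, pol: IpsPolicy) -> List[str]:
    """Every condition on the page under which adaptive mode creates no IPS client rule."""
    sig = pol.signatures[ev.sig_id]
    reasons = []
    if not sig.allow_client_rules:
        reasons.append("signature does not allow client rules")
    if sig.reaction == "Ignore":
        reasons.append("reaction to the signature is Ignore")
    if sig.network:
        reasons.append("action triggers a network IPS signature")
    if ev.stops_hips_service:
        reasons.append("attempt to stop the Host IPS service (self-protection, signature %d)" % SELF_PROTECTION_SIG)
    if (ev.sig_id, ev.process_path) in pol.exceptions:
        reasons.append("operation already excluded by an applied IPS Rules policy")
    if ev.process_path in pol.trusted_for_ips and ev.sig_id not in pol.excluded_from_trusted:
        reasons.append("process trusted for IPS and signature not excluded from Trusted Applications")
    return reasons


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out"
    protocol: str                # "TCP", "UDP", "ICMP", "ESP", ...
    port: Optional[int]          # local port for inbound, remote port for outbound; None if n/a
    process_path: Optional[str]  # None when the activity log shows no application for the packet


@dataclass(frozen=True)
class FirewallRule:
    direction: str               # "in", "out" or "either"
    protocol: str
    port: Optional[int]          # None matches any port
    action: str                  # "Allow" or "Block"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (pkt.direction, "either")
                and self.protocol == pkt.protocol
                and (self.port is None or self.port == pkt.port))


def fw_no_client_rule_reasons(pkt: Packet, rules: List[FirewallRule]) -> List[str]:
    """Every condition on the page under which adaptive mode creates no firewall client rule."""
    reasons = []
    if pkt.process_path is None:
        reasons.append("no application associated with the packet")
    hit = next((r for r in rules if r.matches(pkt)), None)
    if hit is not None:
        reasons.append("already covered by a %s rule in the applied Firewall Rules policy" % hit.action)
    return reasons


def demo() -> dict:
    """Constructed activity-log events from a test rollout, run through both checkers."""
    pol = IpsPolicy(
        signatures={
            SELF_PROTECTION_SIG: Signature(SELF_PROTECTION_SIG, "Prevent", True),
            9001: Signature(9001, "Prevent", False),   # placeholder ID: high severity, client rules not allowed
            9002: Signature(9002, "Log", True),        # placeholder ID: client rules allowed
        },
        trusted_for_ips={r"C:\Tools\backup.exe"},      # hypothetical trusted application
    )
    rules = [FirewallRule("in", "TCP", 3389, "Block")]  # hypothetical rule in the applied policy
    return {
        "stop_service": ips_no_client_rule_reasons(
            IpsEvent(SELF_PROTECTION_SIG, r"CORP\alice", r"C:\Windows\System32\net.exe", True), pol),
        "high_severity": ips_no_client_rule_reasons(IpsEvent(9001, r"CORP\alice", r"C:\Tools\backup.exe"), pol),
        "ips_rule_created": ips_no_client_rule_reasons(IpsEvent(9002, r"CORP\alice", r"C:\Tools\app.exe"), pol),
        "smb_no_app": fw_no_client_rule_reasons(Packet("in", "TCP", 445, None), rules),
        "rdp_blocked": fw_no_client_rule_reasons(Packet("in", "TCP", 3389, r"C:\Windows\System32\svchost.exe"), rules),
        "fw_rule_created": fw_no_client_rule_reasons(Packet("out", "TCP", 443, r"C:\Tools\app.exe"), rules),
    }
```

Two details of the output are worth noting: several conditions can apply to one event at the same time (the `high_severity` case is both disallowed by the signature and covered by Trusted Applications), and an inbound TCP/445 packet with no associated process yields no rule even though nothing in the applied policy mentions port 445, which is the case the list above calls out for Windows file sharing.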
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
21
