McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 42

Product guide for use with ePolicy Orchestrator 4.5

Configuring IPS Policies
Define IPS protection
Standard method
file description, file name, MD5 hash fingerprint, or signer.
5. Click OK and the rule is added to the list at the top of the Subrule tab. The rule is compiled and the syntax is verified. If the rule fails verification, a dialog box describing the error appears. Fix the error and verify the rule again.
For details on working with class types, operations, and parameters, see the appropriate class section of Writing Custom Signatures and Exceptions.
5. Click OK.
NOTE: You can include multiple rules in a signature.
Creating custom signatures with a wizard
Use the custom signature wizard to simplify creating new signatures.
NOTE: Signatures created with the wizard do not offer any flexibility for the operations that the signature is protecting because you cannot change, add, or delete operations.
Task
For option definitions, click ? in the interface.
1. On the IPS Rules Signatures tab, click New (Wizard).
2. On the Basic Information tab, type a name and select the platform, severity level, log status, and whether to allow the creation of client rules. Click Next to continue.
3. On the Description tab, type a description of what the signature is protecting. This description appears in the IPS Event when the signature is triggered.
4. On the Rule Definition tab, select the item to protect against modifications and enter details.
5. Click OK.
FAQ — Use of wildcards in IPS Rules
Host IPS Rules permits the use of wildcards when entering values in certain fields.
Which wildcards can I use for path and address values?
For paths of files, registry keys, executables, and URLs, use these wildcards:
Character             Definition
? (question mark)     A single character.
* (one asterisk)      Multiple characters, excluding / and \ . Use to match the root-level contents of a folder with no subfolders.
** (two asterisks)    Multiple characters, including / and \ .
| (pipe)              Wildcard escape.

NOTE: For ** the escape is |*|*.
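
The wildcard rules in the table above, worked through as an added Python example (not McAfee code and not part of the product guide): it translates a pattern into a regular expression so you can check which paths a rule or exception would cover before deploying it. Assumptions: * and ** may match zero characters, ? matches any one character, and matching is exact-case over the full string; the function names and sample paths are constructed for illustration.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a pattern using the wildcards in the table above into a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":                        # wildcard escape: next character is literal
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling | escape")
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif pattern.startswith("**", i):    # multiple characters, separators included
            out.append(".*")
            i += 2
        elif ch == "*":                      # multiple characters, separators excluded
            out.append(r"[^/\\]*")
            i += 1
        elif ch == "?":                      # a single character (assumed: any character)
            out.append(".")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

def matches(pattern, value):
    """True if the whole value matches (assumption: exact-case, full-string match)."""
    return re.fullmatch(wildcard_to_regex(pattern), value, re.DOTALL) is not None

def covered(pattern, values):
    """Return the values a rule or exception written with this pattern would cover."""
    return [v for v in values if matches(pattern, v)]

# Constructed sample paths, not taken from any real policy.
SAMPLE_PATHS = [
    r"C:\Program Files\App\tool.exe",
    r"C:\Program Files\App\plugins\helper.exe",
    r"C:\Program Files\App\plugins\x86\helper.exe",
]

if __name__ == "__main__":
    for pat in (r"C:\Program Files\App\*", r"C:\Program Files\App\**",
                r"C:\Program Files\App\*\helper.exe"):
        print(pat, "->", covered(pat, SAMPLE_PATHS))
```

Running it shows why an exception written with ** deserves a second look: it covers every subfolder, while * stops at the first path separator.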


This manual is also suitable for:

Host intrusion prevention 8.0