How IPS Application Protection Rules Work - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5
Configuring IPS Policies
Define IPS protection
Which wildcards can I use for all other values?
For values that normally do not contain path information with slashes, use these wildcards:

Character              Definition
? (question mark)      A single character.
* (one asterisk)       Multiple characters, including / and \.
| (pipe)               Wildcard escape.

Which wildcards can I use for signature expert subrule values?
For all values when creating a subrule using the expert method:

Character              Definition
? (question mark)      A single character.
* (one asterisk)       Multiple characters, including / and \.
                       Example: files { Include "C:\*.txt" }
& (ampersand)          Multiple characters except / and \. Use to match the
                       root-level contents of a folder but not any subfolders.
                       Example: files { Include "C:\test\\&.txt" }
! (exclamation point)  Wildcard escape.
                       Example: files { Include "C:\test\\yahoo!.txt" }

How IPS application protection rules work

Application protection rules control which processes receive generic buffer overflow protection
from Host Intrusion Prevention. These rules permit or block user-level API hooking for defined
and generated lists of processes. Kernel-level file and registry hooking are not affected. Only
processes in the list with the inclusion status of included receive the buffer overflow protection.
Host Intrusion Prevention provides a static list of processes that are permitted or blocked. This
list is updated with content update releases and applied through the McAfee Default IPS Rules policy.
In addition, processes that are permitted to hook are added dynamically to the list when process
analysis is enabled. This analysis is performed under these circumstances:
• Each time the client is started and running processes are enumerated.
• Each time a process starts.
• Each time the application protection list is updated by the ePolicy Orchestrator server.
• Each time the list of processes that listen on a network port is updated.
NOTE:
For the dynamic update of the list, the IPS Options policy option to "automatically include
network-facing and service-based applications in the application protection list" must be selected.
This option implicitly includes all Windows services and applications that listen on network ports.
This analysis first checks whether the process is excluded from the Application Protection
list. If not, it checks whether the process is included in the Application Protection list. If not,
the process is analyzed to see if it listens on a network port or runs as a service. If not, hooking

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
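The check order described in the application protection paragraph above, as an added example that is not from the product guide: a small model of the process analysis with an exclusion list, an inclusion list and the IPS Options auto-include setting, run over a constructed process inventory. The names (Process, AppProtectionList, analyze_process, run_analysis), the sample process names and flags, and the final "unlisted" status are assumptions; the guide's sentence is cut off before it states the outcome for a process that fails all three checks, so the model reports such a process as unprotected on the basis of the guide's rule that only processes with inclusion status "included" receive buffer overflow protection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Check order from the guide: exclusion list, then inclusion list, then the
# network-port / service check that the IPS Options option "automatically include
# network-facing and service-based applications" enables. A process that passes
# none of these stays off the list; the guide says only listed, included processes
# are protected, so that outcome is labelled "unlisted" here (assumption: the
# guide's text is cut off before it states this case explicitly).


@dataclass
class Process:
    name: str                       # image name, e.g. "svchost.exe"
    listens_on_port: bool = False   # has a listening network socket
    runs_as_service: bool = False   # runs as a Windows service


@dataclass
class AppProtectionList:
    excluded: Set[str] = field(default_factory=set)   # hooking blocked
    included: Set[str] = field(default_factory=set)   # hooking permitted (protected)
    auto_include_network_and_services: bool = False   # IPS Options policy setting


def analyze_process(proc: Process, apl: AppProtectionList) -> str:
    """Apply the guide's check order to one process and return its status.

    Returns "excluded", "included", "added" (dynamically included by the
    analysis) or "unlisted" (not protected; see the assumption above).
    """
    if proc.name in apl.excluded:
        # Exclusion is checked first, so it wins even for a network-facing service.
        return "excluded"
    if proc.name in apl.included:
        return "included"
    if apl.auto_include_network_and_services and (proc.listens_on_port or proc.runs_as_service):
        apl.included.add(proc.name)  # dynamic addition to the list
        return "added"
    return "unlisted"


def run_analysis(procs: List[Process], apl: AppProtectionList) -> Dict[str, str]:
    """Enumerate running processes (as at client start) and classify each one."""
    return {p.name: analyze_process(p, apl) for p in procs}


# Constructed sample inventory; names and flags are illustrative, not from the guide.
SAMPLE_PROCS = [
    Process("browser.exe"),                             # on the static inclusion list
    Process("webservice.exe", listens_on_port=True),    # network-facing, not listed
    Process("legacyagent.exe", runs_as_service=True),   # a service, but explicitly excluded
    Process("notepad.exe"),                             # neither listed nor network/service
]

if __name__ == "__main__":
    apl = AppProtectionList(excluded={"legacyagent.exe"}, included={"browser.exe"},
                            auto_include_network_and_services=True)
    for name, status in run_analysis(SAMPLE_PROCS, apl).items():
        print(f"{name:18} {status}")
    # With auto_include_network_and_services=False, webservice.exe stays "unlisted".
```

The point worth checking in a real deployment is the precedence the model makes visible: an exclusion entry overrides the auto-include option, so a network-facing service that someone excluded to fix a compatibility problem silently loses buffer overflow protection, and with the option off, no dynamic additions happen at all.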
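The two wildcard tables earlier on this page define a small pattern language. The following added example, which is not McAfee's code and not the product's own matching implementation, implements a matcher for both tables so that the difference between *, & and the escape character can be checked against constructed sample paths. The function names, the sample paths and the reading of the patterns are assumptions: patterns are given as bare wildcard text, with the doubled backslash in the manual's files { Include "..." } examples taken to be string quoting for a single literal backslash.

```python
import re

# Wildcard characters as the manual's two tables define them, applied per
# character from left to right (assumed; the manual does not state precedence):
#   ?  one character                                (both tables)
#   *  any run of characters, including / and \     (both tables)
#   &  any run of characters except / and \         (expert subrule values only)
#   escape character: | for "all other values", ! for expert subrule values


def hips_wildcard_to_regex(pattern: str, expert: bool) -> str:
    """Translate a HIPS wildcard pattern into a Python regex (used with fullmatch).

    expert=True  follows the signature expert subrule table (?, *, &, ! escape).
    expert=False follows the "all other values" table (?, *, | escape; & is literal).
    """
    escape = "!" if expert else "|"
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == escape and i + 1 < len(pattern):
            # Escaped character: match it literally, whatever it is.
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "?":
            parts.append(".")
        elif c == "*":
            parts.append(".*")
        elif c == "&" and expert:
            parts.append(r"[^/\\]*")  # stops at either path separator
        else:
            parts.append(re.escape(c))
        i += 1
    return "".join(parts)


def hips_match(pattern: str, value: str, expert: bool = True) -> bool:
    """True if value matches the whole pattern. The comparison is literal: the
    manual's tables do not say how case is handled, so no case folding is done."""
    return re.fullmatch(hips_wildcard_to_regex(pattern, expert), value) is not None


def matching_values(pattern: str, values, expert: bool = True):
    """Return the subset of values the pattern covers, in input order."""
    return [v for v in values if hips_match(pattern, v, expert)]


# Constructed sample file paths (not from the manual).
SAMPLE_PATHS = [
    r"C:\a.txt",
    r"C:\test\notes.txt",
    r"C:\test\sub\notes.txt",
    r"C:\test\a&b.txt",
    r"C:\test\axxxb.txt",
]

if __name__ == "__main__":
    # * descends into subfolders, & stays at the root level of C:\test,
    # and !& turns the ampersand into a literal character.
    for pat in (r"C:\*.txt", r"C:\test\&.txt", r"C:\test\a!&b.txt"):
        print(f"{pat:22} -> {matching_values(pat, SAMPLE_PATHS)}")
```

The practical check this enables is the one the & row of the table is about: a rule written with * to cover a folder also covers every subfolder, so a path-based include that was meant for one directory's files can be tested here before it is deployed to see whether it quietly reaches deeper than intended.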