McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 44

Product guide for use with ePolicy Orchestrator 4.5

Configuring IPS Policies
Define IPS protection
is blocked and the process is not protected; if it listens on a port or runs as a service, hooking
is permitted and the process is protected.
Figure 1: Application Protection Rules analysis
The IPS component maintains a cache of information on running processes, including whether
each process is currently hooked. The firewall component determines whether a process listens
on a network port; if it does, the firewall calls an API exported by the IPS component and passes
the process information so that it can be added to the monitored list. When the API is called, the
IPS component locates the corresponding entry in its running-processes list; a process that is not
already hooked and is not on the static block list is then hooked. The firewall supplies the process
ID (PID), which is the key used for the cache lookup of a process.
The API exported by the IPS component also lets the client user interface retrieve the list of
currently hooked processes; this list is updated whenever a process is hooked or unhooked.
A hooked process becomes unhooked if the server sends an updated process list specifying that
the already hooked process should no longer be hooked. When the process hooking list is
44
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
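The hooking flow this page describes (PID-keyed process cache, firewall notification through the IPS API, static block list, server-pushed process list) as an added illustrative model. This is not McAfee's code and does not call the product's API; the record layout, the use of the executable name as the block-list key, the True/False encoding of the server's process list, the assumption that a service is hooked as soon as it is tracked, and all sample process entries are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class ProcessEntry:
    """One entry in the IPS running-process cache (field layout is an assumption)."""
    pid: int
    image: str             # executable name; used as the block-list key (assumption)
    is_service: bool = False
    listening: bool = False
    hooked: bool = False


class IpsProcessCache:
    """Running-process cache plus the hooking decision described in the guide."""

    def __init__(self, static_block_list):
        self._entries = {}                           # PID -> ProcessEntry; PID is the lookup key
        self._static_block = frozenset(static_block_list)
        self._server_no_hook = set()                 # images the server said not to hook

    def _is_blocked(self, image):
        return image in self._static_block or image in self._server_no_hook

    def _try_hook(self, entry):
        """Hook unless the process is already hooked or is on a block list."""
        if entry.hooked:
            return "already-hooked"
        if self._is_blocked(entry.image):
            return "blocked"
        entry.hooked = True
        return "hooked"

    def on_process_start(self, entry):
        """Track a new process. A service is hooked when first seen (assumption: the guide
        says a service may be hooked, not which component detects it)."""
        self._entries[entry.pid] = entry
        return self._try_hook(entry) if entry.is_service else "not-hooked"

    def on_process_exit(self, pid):
        self._entries.pop(pid, None)

    # API exported by the IPS component, called by the firewall component
    def notify_listening(self, pid):
        """The firewall reports that PID listens on a network port."""
        entry = self._entries.get(pid)
        if entry is None:
            return "unknown-pid"   # untracked, or the process exited before the call arrived
        entry.listening = True
        return self._try_hook(entry)

    # API exported by the IPS component, called by the client user interface
    def hooked_processes(self):
        return sorted((e.pid, e.image) for e in self._entries.values() if e.hooked)

    # Server-sent update of the process list
    def apply_server_process_list(self, process_list):
        """process_list maps image name -> True (hook) / False (do not hook); this encoding
        is an assumption. Already hooked processes now marked False are unhooked.
        Returns the PIDs that were unhooked."""
        for image, allowed in process_list.items():
            if allowed:
                self._server_no_hook.discard(image)
            else:
                self._server_no_hook.add(image)
        unhooked = []
        for entry in self._entries.values():
            if entry.hooked and self._is_blocked(entry.image):
                entry.hooked = False
                unhooked.append(entry.pid)
        return sorted(unhooked)


def demo():
    """Walk through the decisions with constructed sample processes."""
    cache = IpsProcessCache(static_block_list={"blocked.exe"})
    trace = [
        cache.on_process_start(ProcessEntry(100, "svc.exe", is_service=True)),
        cache.on_process_start(ProcessEntry(200, "web.exe")),
        cache.on_process_start(ProcessEntry(300, "blocked.exe")),
        cache.notify_listening(200),    # listens on a port -> hooked
        cache.notify_listening(200),    # second notification is a no-op
        cache.notify_listening(300),    # on the static block list -> not protected
        cache.notify_listening(999),    # PID not in the cache
    ]
    trace.append(cache.apply_server_process_list({"web.exe": False}))  # unhooks PID 200
    trace.append(cache.hooked_processes())
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The model keeps the static block list separate from the server-driven list so that a server update cannot silently override the static list; whether the real product merges the two is not stated on this page.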
