Creating A Trusted Application From An Event; Monitor Ips Client Rules; Managing Ips Client Rules - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with epolicy orchestrator 4.5

Configuring IPS Policies

Creating a trusted application from an event

For an event that appears under Reporting in the Host IPS 8.0 Events tab or on the Event Log
page, you have the option of creating a trusted application.
Task
For option definitions, click ? in the interface.
1. Select the checkbox of the event for which you want to create a trusted application.
2. Select Actions | New Trusted Application.
3. In the dialog box that appears, select a destination Trusted Application policy and click OK.
   The exception is created and added automatically to the bottom of the list of exceptions
   of the destination Trusted Application policy. From there, you can view or edit details of
   the new application.
Monitor IPS client rules
You need to periodically analyze IPS client rules created automatically when clients are in
adaptive mode, or manually on the client whenever the Client UI policy option allows manual
creation of client rules.
IPS client rules are exceptions created on a client to allow functionality blocked by a signature.
Pay particular attention to exceptions to high severity signatures, as these might indicate a
serious issue or simply a false positive. If the exception is a false positive, move it to an
IPS Rules policy or adjust the severity of the signature.
NOTE:
Access to IPS Client Rules on the Host IPS tab under Reporting requires permissions in
addition to those for Host Intrusion Prevention IPS, including view permissions for
Event Log, Systems, and System Tree access.
You can sort, filter, and aggregate the exceptions and view their details. You can then promote
some or all of the client exceptions to a particular IPS Rules policy to reduce false positives for
a particular system environment.
Use the aggregation feature to combine exceptions that have the same attributes, so that only
one aggregated exception appears, while keeping track of the number of times the exceptions
occur. This makes it easy to find IPS protection trouble spots on clients.
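The aggregation and high-severity review described above can be reproduced offline as a sketch. This is an added example, not code from the product or its guide; the record layout, field names and sample values are constructed assumptions and do not reflect any real export format.

```python
from collections import defaultdict

# Constructed sample client rules (hypothetical fields, not a product format).
CLIENT_RULES = [
    {"host": "ws-01", "signature": "SIG-EXAMPLE-1", "severity": "High", "process": "app.exe"},
    {"host": "ws-02", "signature": "SIG-EXAMPLE-1", "severity": "High", "process": "app.exe"},
    {"host": "ws-03", "signature": "SIG-EXAMPLE-1", "severity": "High", "process": "app.exe"},
    {"host": "ws-01", "signature": "SIG-EXAMPLE-2", "severity": "Medium", "process": "backup.exe"},
    {"host": "ws-04", "signature": "SIG-EXAMPLE-2", "severity": "Medium", "process": "backup.exe"},
    {"host": "ws-05", "signature": "SIG-EXAMPLE-3", "severity": "High", "process": "tool.exe"},
]

# Lower rank sorts first; unknown severities sort last.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def aggregate(rules, keys=("signature", "severity", "process")):
    """Combine rules sharing the same values for `keys`, keeping a count
    of occurrences and the set of hosts each combination was seen on."""
    groups = defaultdict(lambda: {"count": 0, "hosts": set()})
    for rule in rules:
        group = groups[tuple(rule[k] for k in keys)]
        group["count"] += 1
        group["hosts"].add(rule["host"])
    rows = [
        dict(zip(keys, key), count=g["count"], hosts=sorted(g["hosts"]))
        for key, g in groups.items()
    ]
    # High severity first, then the most frequent exceptions.
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r.get("severity"), 99), -r["count"]))
    return rows


def high_severity(rows):
    """Aggregated exceptions to high severity signatures: review these
    before deciding whether they are false positives worth promoting."""
    return [r for r in rows if r.get("severity") == "High"]


if __name__ == "__main__":
    for row in aggregate(CLIENT_RULES):
        print(row["severity"], row["signature"], row["process"],
              "count:", row["count"], "hosts:", ", ".join(row["hosts"]))
```

An exception that recurs on many hosts for the same process is a candidate for promotion to a shared policy, while a single high-severity exception on one host deserves a closer look first.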

Managing IPS client rules

Viewing IPS client rules created automatically in adaptive mode or manually on a client and
moving them to an IPS Rules or Trusted Application policy allows for easy tuning of IPS
protection.
NOTE:
Access to IPS Client Rules on the Host IPS tab under Reporting requires permissions in
addition to those for Host Intrusion Prevention IPS, including view permissions for
Event Log, Systems, and System Tree access.
Task
For option definitions, click ? in the interface.
1. Click Menu | Reporting | Host IPS 8.0, then click IPS Client Rules.
2. Select the group in the System Tree for which you want to display client rules.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5


This manual is also suitable for:

Host intrusion prevention 8.0
