Configuring A Trusted Networks Policy; Define Trusted Applications - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5

Configuring General Policies

Configuring a Trusted Networks policy

Configure settings in this policy to set trusted network options and maintain a list of network
addresses and subnets marked as trusted, for Windows clients only.
You can:
• Set up trusted network options, including TrustedSource exceptions.
• Add or delete addresses or subnets in the trusted list.
NOTE:
For firewall rules, you must set the remote address to Trusted to take advantage of
this feature.
Task
For option definitions, click ? on the page displaying the options.
1. Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: General
   in the Product list and Trusted Networks in the Category list. The list of policies
   appears.
2. In the Trusted Networks policy list, click Edit under Actions to change the settings for
   a custom policy.
3. Do any of the following:
   • To automatically treat all users on the same subnet as trusted, even those not in the
     list, select Enabled under Include Local Subnet Automatically.
   • To add a trusted network address to the list, type a trusted IP address, address range,
     or subnet in the Trusted Networks text box.
   • To mark the network as trusted for network IPS signatures or HTTP type host and custom
     IPS signatures, select Trust for IPS.
   • To remove or add a trusted network address entry, click the Remove ( – ) or Add ( + )
     button.
4. Click Save to save any changes.

Define trusted applications

The Trusted Applications policy is the mechanism you use to create a list of applications that
are trusted and should cause no event to be generated. Maintaining a list of safe applications
for a system reduces or eliminates most false positives.
The Trusted Applications policy is a multiple instance policy, so you can assign more than one
policy instance, which allows for a more detailed profile of trusted application usage.
In tuning a deployment, creating IPS exception rules is one way to reduce false positives. This
is not always practical when dealing with several thousand clients or having limited time and
resources. A better solution is to create a list of trusted applications, which are applications
known to be safe in a particular environment. For example, when you run a backup application,
many false positive events can be triggered. To avoid this, make the backup application a trusted
application.
NOTE:
A trusted application is susceptible to common vulnerabilities such as buffer overflow
and illegal use. Therefore, a trusted application is still monitored and can trigger events to
prevent exploits.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
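
The Trusted Networks list accepts IP addresses, address ranges, and subnets, so it is worth reviewing a proposed list before typing it into the policy. The following is an added example, not part of the McAfee guide or the product: the entry syntax (single IP, "start-end" range, CIDR subnet), the `MAX_ADDRESSES` review threshold, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample list. Entry syntax (single IP, "start-end" range, CIDR subnet)
# is an assumption for illustration, not the product's documented input format.
SAMPLE_ENTRIES = ["10.20.30.40", "192.168.1.10-192.168.1.50",
                  "10.0.0.0/8", "10.20.30.0/24", "192.168.1.300"]
MAX_ADDRESSES = 65536  # hypothetical review threshold: anything wider than a /16

def parse_entry(entry):
    """Return the networks that exactly cover one entry; ValueError if malformed."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"bad range: {entry}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]

def audit(entries, max_addresses=MAX_ADDRESSES):
    """Flag malformed, overly broad and overlapping entries before they are trusted."""
    findings, seen = [], []
    for entry in entries:
        try:
            nets = parse_entry(entry)
        except ValueError:
            findings.append((entry, "invalid"))
            continue
        if sum(n.num_addresses for n in nets) > max_addresses:
            findings.append((entry, "too-broad"))
        for other, other_nets in seen:
            if any(a.version == b.version and a.overlaps(b)
                   for a in nets for b in other_nets):
                findings.append((entry, f"overlaps {other}"))
        seen.append((entry, nets))
    return findings

def is_trusted(address, entries):
    """True if a remote address falls inside any valid entry of the list."""
    addr = ipaddress.ip_address(address)
    for entry in entries:
        try:
            nets = parse_entry(entry)
        except ValueError:
            continue
        if any(addr.version == n.version and addr in n for n in nets):
            return True
    return False

if __name__ == "__main__":
    for entry, issue in audit(SAMPLE_ENTRIES):
        print(f"{entry}: {issue}")
```

Broad entries deserve the closest review when Trust for IPS is selected, because that option marks the whole network as trusted for network IPS signatures and HTTP type host and custom IPS signatures.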
