McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 87

Product guide for use with ePolicy Orchestrator 4.5

Working with Host Intrusion Prevention Clients
Overview of the Windows client
Responding to Firewall alerts
If you enable firewall protection and the learn mode for either incoming or outgoing traffic, a
firewall alert appears, and the user needs to respond to it.
The Application Information section displays information about the application attempting
network access, including application name, path, and version. The Connection Information
section displays information about the traffic protocol, address, and ports.
NOTE:
Previous and Next buttons are available in the Connection Information section if additional
protocol or port information for an application is available. Previous and Next buttons are
available at the bottom of the dialog box if more than one alert has been sent.
Task
1 In the alert dialog box, do one of the following:
  • Click Deny to block this and all similar traffic.
  • Click Allow to permit this and all similar traffic through the firewall.
2 Optional: Select options for the new firewall rule:
  • Create a firewall application rule for all ports and services
  • Remove this rule when the application terminates
Host Intrusion Prevention creates a new firewall rule based on the options selected, adds
it to the Firewall Rules policy list, and automatically allows or blocks similar traffic.
Responding to Spoof Detected alerts
If you enable firewall protection, a spoof alert automatically appears if Host Intrusion Prevention
detects an application on your computer sending out spoofed network traffic, and a user needs
to respond to it.
This means that the application is trying to make it seem like traffic from your computer actually
comes from a different computer. It does this by changing the IP address in the outgoing
packets. Spoofing is always suspicious activity. If you see this dialog box, immediately investigate
the application that sent the spoofed traffic.
NOTE:
The Spoof Detected Alert dialog box appears only if you select the Display pop-up alert
option. If you do not select this option, Host Intrusion Prevention automatically blocks the
spoofed traffic without notifying you.
The Spoof Detected Alert dialog box is very similar to the firewall feature's Learn Mode alert.
It displays information about the intercepted traffic in two areas — the Application Information
section, and the Connection Information section.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
Options for the new firewall rule:

Select: Create a firewall application rule for all ports and services
To do this: Create a rule to allow or block an application's traffic
over any port or service. If you do not select this option,
the new firewall rule allows or blocks only specific ports:
  • If the intercepted traffic uses a port lower than 1024, the new rule
    allows or blocks only that specific port.
  • If the traffic uses port 1024 or higher, the new rule allows or blocks
    the range of ports from 1024 to 65535.

Select: Remove this rule when the application terminates
To do this: Create a temporary allow or block rule that is deleted
when the application is closed. If you do not select this
option, the new firewall rule is created as a permanent
client rule.
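
The rule scoping described above, modelled as an added example (not McAfee's code and not part of the manual): it derives the rule each alert response produces and lists the permanent allow rules that cover more than one port. The class and function names, the sample responses and the review criterion are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PRIVILEGED_LIMIT = 1024  # the manual's threshold: lower ports get a one-port rule
MAX_PORT = 65535


@dataclass(frozen=True)
class ClientRule:  # hypothetical model of a learn-mode client rule
    application: str
    action: str  # "allow" or "deny"
    ports: Optional[Tuple[int, int]]  # inclusive range; None = all ports and services
    permanent: bool


def derive_rule(application, port, action, all_ports=False, temporary=False):
    """Return the rule scope the options describe for one alert response."""
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port out of range: {port}")
    if all_ports:
        ports = None
    elif port < PRIVILEGED_LIMIT:
        ports = (port, port)
    else:
        ports = (PRIVILEGED_LIMIT, MAX_PORT)
    return ClientRule(application, action, ports, permanent=not temporary)


def port_span(rule):
    """Ports covered by a range rule; None when it covers every port and service."""
    return None if rule.ports is None else rule.ports[1] - rule.ports[0] + 1


def review_queue(responses):
    """Assumed review policy (not from the manual): permanent allow rules wider than one port."""
    rules = [derive_rule(*response) for response in responses]
    return [r for r in rules if r.action == "allow" and r.permanent and port_span(r) != 1]


# Constructed alert responses: (application, intercepted port, action, all_ports, temporary)
SAMPLE_RESPONSES = [
    ("C:\\Tools\\updater.exe", 443, "allow", False, False),
    ("C:\\Tools\\sync.exe", 8443, "allow", False, False),
    ("C:\\Tools\\chat.exe", 5222, "allow", False, True),
    ("C:\\Tools\\agent.exe", 80, "allow", True, False),
    ("C:\\Tools\\scanner.exe", 6000, "deny", False, False),
]

if __name__ == "__main__":
    for rule in review_queue(SAMPLE_RESPONSES):
        print(rule.application, rule.ports or "all ports and services", port_span(rule))
```

A single Allow on port 8443 with no options selected yields a permanent rule spanning 64512 ports, which is why such client rules are worth reviewing after a learn-mode period.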