McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

McAfee Host Intrusion Prevention 8.0
Product Guide for use with ePolicy Orchestrator 4.5

Summary of Contents for McAfee HISCDE-AB-IA - Host Intrusion Prevention

  • Page 1 McAfee Host Intrusion Prevention 8.0 Product Guide for use with ePolicy Orchestrator 4.5...
  • Page 2 EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
  • Page 3: Table Of Contents

    Set the reaction for IPS signatures............35 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5...
  • Page 4 FAQ — McAfee TrustedSource and the firewall........
  • Page 5 Windows custom signatures..............107 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5...
  • Page 6 Clientcontrol.exe utility..............144 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5...
  • Page 7: Introducing Host Intrusion Prevention

    These settings include: • For IPS protection: • High severity signatures are prevented and all other signatures are ignored • McAfee applications are listed as trusted applications for all rules except IPS self-protection rules • Predefined applications and processes are protected •...
  • Page 8: Host IPS Policies

    • Firewall Rules (Windows only). Defines firewall rules. • Firewall DNS Blocking (Windows only). Defines the domain name servers that are to be blocked.
  • Page 9: Host IPS Policy Management

    A policy is a configured group of settings for a specific purpose. You can create, modify, or delete as many policies as needed. Each policy has a preconfigured McAfee Default policy, which cannot be edited or deleted. Except for IPS Rules and Trusted Applications, all policies also have an editable My Default policy based on the default policy.
  • Page 10: Host IPS Policy Tracking And Tuning

    Preset protection Host Intrusion Prevention offers two types of protection: • Basic protection is available through the McAfee Default policy settings. This protection requires little or no tuning and generates few events. For many environments this basic protection might be sufficient.
  • Page 11 Stronger IPS rules target a wider range of violations and generate more events than in a basic environment. If you apply advanced protection, McAfee recommends using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore).
  • Page 12: Managing Your Protection

    Desktop High Triggered Signatures • Desktop Medium Triggered Signatures • Desktop Low Triggered Signatures • Server High Triggered Signatures • Server Medium Triggered Signatures • Server Low Triggered Signatures...
  • Page 13: Host IPS Queries

    • IPS Catalog • Last Modified • Last Modifying User ... firewall groups, and firewall client rules. Possible action values are allow, block, and jump, with jump the action for groups, which...
  • Page 14 Common Host IPS properties The Host IPS custom queries and some of the other custom queries allow you to include these Host IPS properties: • Agent type • IPS Adaptive Mode Status...
  • Page 15 ...Signatures: Displays the top 10 most triggered IPS signatures of Low Severity (Notice). Events From Host IPS Trusted Networks: Displays events generated by systems within Host IPS trusted networks...
  • Page 16: Policy Management

    • Edit policy assignment • Edit custom policies Use the Policy Catalog to: • Create policies • View and edit policy information • View where a policy is assigned...
  • Page 17: Configuring Policies

    For details on any of these features, see the ePolicy Orchestrator documentation. Configuring policies After you install the Host Intrusion Prevention software, McAfee recommends that you configure policies to provide the greatest amount of security without conflicting with day-to-day activities.
  • Page 18: Default Protection And Tuning

    Manual tuning Manual tuning requires directly monitoring, for a set period of time, the events and client rules that are created...
  • Page 19 • Determine your initial client rollout plan. Although you can deploy Host Intrusion Prevention clients to every host (servers, desktops, and laptops) in your company, McAfee recommends that you start by installing clients on a limited number of representative systems and tuning their configuration.
  • Page 20 If a packet matches all the criteria in a rule, the firewall performs the action specified by the rule — which allows the packet through the firewall, or blocks it.
  • Page 21 • The reaction to the signature is "Ignore." • The associated action triggers a network IPS signature. • A user attempts to stop the McAfee Host IPS service, regardless of the client rule setting for service self-protection in signature 1000.
  • Page 22: Host IPS Policy Migration

    Secure Socket Layer (HTTPS) might require multiple attempts to create a firewall rule. Host IPS policy migration You cannot use McAfee Host Intrusion Prevention version 6.1 or 7.0 policies with version 8.0 clients without first migrating version 6.1 or 7.0 policies to version 8.0 format. Host Intrusion Prevention 8.0 provides an easy means to migrate policies with the ePolicy Orchestrator Host...
  • Page 23: System Management

    With Host Intrusion Prevention, permissions are granted for access to each feature of the product and whether the user has read or read/write permission. This applies to the Host...
  • Page 24: Assigning Permission Sets

    Click Menu | User Management | Permission Sets. Next to Host Intrusion Prevention, click Edit. Select the desired permission for each feature: • None • View settings only • View and change settings Click Save.
  • Page 25: Host IPS Server Tasks

    Host Intrusion Prevention policy. Export Queries (Custom) This server task allows you to create a Host Intrusion Prevention query output file that can be saved or emailed.
  • Page 26: Host IPS Event Responses

    Name of the monitored API that triggered an event. Direction: In/Out/Either. Host IPS Event Description: Detailed description of the event. Local IP Address: Local IP address of the system involved in the event...
  • Page 27: Host IPS Protection Updates

    Updates include data associated with the IPS Rules policy (IPS signatures and application protection rules) and the Trusted Applications policy (trusted applications). As these updates occur in the McAfee default policy, these policies must be assigned for both IPS Rules and Trusted Applications to take advantage of the updated protection.
  • Page 28: Checking In Packages Manually

    Schedule the task as desired, then click Next. Review the details, then click Save. Updating content from the client A client can also request updates on demand if a McAfee Agent icon appears in the client computer’s system tray. Task •...
  • Page 29: Configuring IPS Policies

    Like the Trusted Applications policy, this policy category can contain multiple policy instances. Content updates provide new and updated signatures and application protection rules to keep protection current.
  • Page 30: Methods For Delivery Of IPS Protection

    Each query is examined to see whether it matches any known attack signatures, if it is well formed, and if there are tell-tale signs of SQL injection.
  • Page 31: Signatures

    These signatures: • Protect systems located downstream in a network segment. • Protect servers and the systems that connect to them.
  • Page 32: Behavioral Rules

    Orchestrator console, viewing them in regular, filtered, and aggregated views. Use these client rules to create new policies or add them to existing policies that you can apply to other clients.
  • Page 33: Application Protection Rules

    These options are available for clients on all platforms: • Host IPS enabled — Select to turn on IPS protection through the enforcement of host IPS rules. NOTE: This control is also available directly on the client.
  • Page 34: Configuring The IPS Options Policy

    Policy selections This policy category contains a preconfigured policy, and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies. The preconfigured policy has these settings:...
  • Page 35: Set The Reaction For IPS Signatures

    Policy selections This policy category contains six preconfigured policies and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies. Preconfigured policies include:...
  • Page 36: Configuring The IPS Protection Policy

    You can view and duplicate the preconfigured policy; you can edit, rename, duplicate, delete, and export custom policies you create. You can also assign more than one instance of the policy for a union of various policy rules.
  • Page 37: Configuring The IPS Rules Policy

    NOTE: The McAfee Default policy for both IPS Rules and Trusted Applications is updated when content is updated. McAfee recommends that these two policies always be applied to make sure protection is as up to date as possible. For the policies that have multiple instances, an Effective Policy link appears to provide a view of the details of the combined policy instances.
  • Page 38: FAQ - Multiple-Instance Policies

    Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies. The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied.
  • Page 39: How IPS Signatures Work

    For example, when you create a new folder with important files, you can create a custom signature to protect it. NOTE: You cannot create network-based custom signatures.
  • Page 40 Description settings, and enter notes in the Note box to document the change. Click OK to save any modifications. NOTE: You can make changes to several signatures at once, by selecting the signatures and clicking Edit...
  • Page 41 Include an executable as a parameter with information on at least one of these four values:...
  • Page 42 ** (two asterisks) Multiple characters, including / and \ . | (pipe) Wildcard escape. NOTE: For ** the escape is |*|*.
  • Page 43: How IPS Application Protection Rules Work

    Host Intrusion Prevention provides a static list of processes that are permitted or blocked. This list is updated with content update releases that apply in the McAfee Default IPS Rules policy. In addition, processes that are permitted to hook are added dynamically to the list when process analysis is enabled.
  • Page 44 A hooked process becomes unhooked if the server sends an updated process list that specifies that the already hooked process should no longer be hooked. When the process hooking list is...
  • Page 45 If the IPS Rules policy does not have an application protection rule that you need in your environment, you can create one. Task For option definitions, click ? in the interface. On the IPS Rules policy Application Protection Rules tab, do one of the following:...
  • Page 46: How IPS Exceptions Work

    Use the filters at the top of the exception list. You can filter on rule status, modified date, or specific text that includes rule or notes text. Click Clear to remove filter settings.
  • Page 47: Monitor IPS Events

    • Trusted Applications — Applications that are labeled trusted whose operations might otherwise be blocked by a signature. This tuning process keeps the events that appear to a minimum, providing more time for analysis of the serious events that occur.
  • Page 48: Managing IPS Events

    Select the group in the System Tree for which you want to display IPS events. All events associated with the group appear. By default, not all events are displayed. Only events over the last 30 days appear.
  • Page 49: Creating An Exception From An Event

    In the dialog box that appears, select a destination IPS Rules policy and click OK. The exception is created and added automatically to the bottom of the list of exceptions of the destination IPS Rules policy.
  • Page 50: Creating A Trusted Application From An Event

    For option definitions, click ? in the interface. Click Menu | Reporting | Host IPS 8.0, then click IPS Client Rules. Select the group in the System Tree for which you want to display client rules.
  • Page 51 To move exceptions to a policy, select one or more exceptions in the list, click Create Exception, then indicate the policy to which to move the exceptions.
  • Page 52: Configuring Firewall Policies

    When applied, this policy dynamically adds a rule near the top of the firewall rules list that prevents resolving the IP address of the specified domain.
  • Page 53: How Firewall Rules Work

    Ethernet LAN (802.3), wireless Wi-Fi (802.11x), and virtual LAN (VPN) are in this layer. Both firewall rules and groups distinguish between wired, wireless, and virtual links. Network Layer The network layer protocols define whole-network addressing schemes, routing, and network control schemes.
  • Page 54 IP network, as it is the error reporting mechanism. IPv4 and IPv6 have separate, unrelated ICMP protocol variants. ICMPv4 is often referred to as simply ICMP.
  • Page 55: How Firewall Rule Groups Work

    On the Location tab: • Connection-specific DNS suffix • Gateway IP • DHCP IP • DNS server queried to resolve URLs • WINS server used...
  • Page 56 When the Isolate this connection option is selected under a group's Location settings, and an active Network Interface Card (NIC) matches the group criteria, the only types of traffic...
  • Page 57 Connection isolation on the corporate network Connection rules are processed until the group with corporate LAN connection rules is encountered. This group contains these settings: • Media type = Wired...
  • Page 58: How The Host IPS Catalog Works

    • Executable — List of executables attached to applications that can be referenced in a firewall group or rule or in IPS-related applications • Network — List of IP addresses that can be referenced in a firewall group or rule...
  • Page 59: Firewall Stateful Packet Filtering And Inspection

    When a connection is closed or times out, its entry is removed from the state table.
  • Page 60 The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action, Allow, so that any packet matched to a rule in the state table is automatically permitted.
  • Page 61 Firewall Options policy, when the firewall encounters a connection opened on port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel.
  • Page 62: Stateful Protocol Tracking

    Query/response matching ensures that return packets are allowed only for legitimate queries. Thus incoming DHCP responses are allowed if: • The connection in the state table has not expired. • The response transaction ID matches the one from the request.
  • Page 63: How Learn And Adaptive Modes Affect The Firewall

    No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If not, the packet is dropped.
  • Page 64: Firewall Client Rules

    Protection settings These settings enable special firewall-specific protection:...
  • Page 65: Configuring The Firewall Options Policy

    Policy selections This policy category contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies, and create, edit, rename, duplicate, delete, and export custom policies. The preconfigured policy has these settings:...
  • Page 66: FAQ - McAfee TrustedSource And The Firewall

    FAQ — McAfee TrustedSource and the firewall Two options in the Firewall Options policy allow you to block incoming and outgoing traffic from a network connection that McAfee TrustedSource™ has rated high risk. This FAQ explains what TrustedSource does and how it affects the firewall.
  • Page 67: Define Firewall Protection

    Define firewall protection Does it introduce latency? How much? When TrustedSource is contacted to do a reputation lookup, some latency is inevitable. McAfee has done everything it can to minimize this. First, a check of reputations is made only when the options are selected. Second, there is an intelligent caching architecture.
  • Page 68: Configuring The Firewall Rules Policy

    Firewall DNS Blocking policy selections The Firewall DNS Blocking policy contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate the preconfigured policy, and edit, rename, duplicate, delete, and export editable custom policies.
  • Page 69: Creating And Editing Firewall Rules

    Transport: Transport protocol. Application: Applications and executables. Schedule: Status and time settings, including enabling timed groups. On the Summary tab, review the details of the group and click Save.
  • Page 70: Creating Connection Isolation Groups

    The Host IPS catalog allows you to add new items or reference existing items for use with the firewall. This task helps you find and edit existing catalog items, create and add new catalog items, or import and export catalog items.
  • Page 71: Managing Firewall Client Rules

    For option definitions, click ? on the page displaying the options. Click Menu | Reporting | Host IPS, then click Firewall Client Rules. Select the group in the System Tree for which you want to display client rules.
  • Page 72: FAQ - Use Of Wildcards In Firewall Rules

    For values that normally do not contain path information with slashes, use these wildcards: Character Definition ? (question mark) A single character. * (one asterisk) Multiple characters, including / and \ . | (pipe) Wildcard escape.
  • Page 73: Configuring General Policies

    Like the IPS Rules policy, this policy category can contain multiple policy instances. For clients on both Windows and non-Windows platforms. Settings for Trusted Networks and Trusted Applications policies can reduce or eliminate false positives, which aids in tuning a deployment.
  • Page 74: Define Client Functionality

    In the Client UI page, select a tab (General Options, Advanced Options, Troubleshooting Options) and make any needed changes. See Setting Client UI general options, Setting Client UI advanced options, or Setting Client UI troubleshooting options for details.
  • Page 75: Setting Client UI General Options

    NOTE: Policies are not enforced on the client when the client console is unlocked. For details, see Unlocking the Windows client interface.
  • Page 76: Setting Client UI Troubleshooting Options

    IPS engines. When disabling engines, remember to reenable them after completing the troubleshooting. Task Click the Troubleshooting tab in the Client UI policy. Select the policy settings you want to apply:...
  • Page 77: Define Trusted Networks

    My Default policy. You can view and duplicate the preconfigured policy; you can create, edit, rename, duplicate, delete, and export editable custom policies.
  • Page 78: Configuring A Trusted Networks Policy

    A trusted application is susceptible to common vulnerabilities such as buffer overflow and illegal use. Therefore, a trusted application is still monitored and can trigger events to prevent exploits.
  • Page 79: Configuring A Trusted Applications Policy

    Configuring General Policies Define trusted applications This policy category contains a preconfigured policy, which provides a list of specific McAfee applications and Windows processes. You can view and duplicate the preconfigured policy, or edit, rename, duplicate, delete, and export custom policies.
  • Page 80: Assigning Multiple Instances Of The Policy

    NOTE: The McAfee Default policy for both IPS Rules and Trusted Applications is updated when content is updated. McAfee recommends that these two policies always be applied to make sure protection is as up to date as possible. For the policies that have multiple instances, an Effective Policy link appears to provide a view of the details of the combined policy instances.
  • Page 81: Working With Host Intrusion Prevention Clients

    Configuring General Policies. System tray icon menu When the McAfee icon appears in the system tray, it provides access to the Host IPS client console. Functionality differs depending on the version of the McAfee Agent that is installed on the client.
  • Page 82 Both the McAfee Agent and the Host IPS client must be set to display an icon for this access. If the McAfee Agent does not appear in the system tray, there is no access to Host IPS with a system tray icon, even though the client may be set to display a tray icon.
  • Page 83: Client Console For Windows Clients

    The Host Intrusion Prevention client console gives you access to several configuration options. To open the console, do one of the following: • With McAfee Agent 4.0, right-click the McAfee icon, select Host Intrusion Prevention, then Configure. • With McAfee Agent 4.5, right-click the McAfee icon, select Manage Features, Host Intrusion Prevention, then Configure.
  • Page 84: Troubleshooting The Windows Client

    This command-line utility, which can be included in installation and maintenance scripts to temporarily disable IPS protection and activate logging functions, is delivered as part of the installation and is located on the client at C:\Program Files\McAfee\Host Intrusion Prevention. See Clientcontrol.exe utility under Appendix B -- Troubleshooting for details.
  • Page 85 Setting options for IPS logging As part of troubleshooting you can create IPS activity logs that can be analyzed on the system or sent to McAfee support to help resolve problems. Use this task to enable IPS logging. Task In the Host IPS console, select Help | Troubleshooting.
  • Page 86: Windows Client Alerts

    Display pop-up alert in the Options dialog box. NOTE: This intrusion alert also appears for firewall intrusions if a firewall rule is matched that has the Treat rule match as an intrusion option selected.
  • Page 87 The Spoof Detected Alert dialog box is very similar to the firewall feature’s Learn Mode alert. It displays information about the intercepted traffic in two areas — the Application Information section, and the Connection Information section.
  • Page 88: About The IPS Policy Tab

    Enable adaptive mode to automatically create exceptions to intrusion prevention signatures. Automatically block attackers Block network intrusion attacks automatically for a set period of time. Indicate the number of minutes in the min. field.
  • Page 89: About The Firewall Policy Tab

    Firewall group. Timed group: Indicates the group is a timed group. Location-aware group: Indicates the group is a location-aware group...
  • Page 90 For this page... Enter this information... General: The name, status, action, and direction of the rule. Networks: The IP address, subnet, domain, or other specific identifiers for this rule...
  • Page 91: About The Blocked Hosts Tab

    How long Host Intrusion Prevention continues to block this address. If you specified an expiration time when you blocked the address, this column shows the number of minutes left until Host Intrusion Prevention removes the address from...
  • Page 92: Editing The Blocked Hosts List

    Process: The application process. The process ID, which is the key for the cache lookup of a process. Application Full Path: The full path name of the application executable...
  • Page 93: About The Activity Log Tab

    Log all blocked firewall traffic. Traffic Logging - Log All Allowed: Log all allowed firewall traffic. Filter Options - Traffic: Filter the data to display blocked and allowed firewall traffic...
  • Page 94: Overview Of The Solaris Client

    NIPS signatures and Application Protection Rules are not available. Host Intrusion Prevention 8.0 General: Client UI: None except administrative or time-based password to allow use of the troubleshooting tool. Trusted Networks: None...
  • Page 95: Troubleshooting The Solaris Client

    hipts message all:off: Hide all message types when logging is set to “on.” hipts engines <engine name>:on: Turn on the engine indicated. Engine is on by default. Engines include: • MISC • FILES • GUID • MMAP...
  • Page 96 • Logged in at root, run the command: hipts engines MISC:off Run the command: /sbin/rc2.d/S99hip stop Restarting the Solaris client You might need to stop a running client and restart it as part of troubleshooting.
  • Page 97: Overview Of The Linux Client

    • The Host IPS 8.0 Linux client is incompatible with SELinux in enforce mode. To disable the enforce mode, run the command system-config-securitylevel, change the setting to disabled, and restart the client system.
  • Page 98: Troubleshooting The Linux Client

    U taint flag; hipsec: module not supported by Novell, setting U taint flag . Novell requirements for third-party modules are causing the Host IPS kernel to be marked tainted. Because the Host IPS 8.0 Linux kernel modules are GPL-licensed, this message should be ignored. McAfee is working with Novell to resolve this issue.
  • Page 99 TIP: In addition to using the troubleshooting tool, consult the HIPShield.log and HIPClient.log files in the McAfee/hip/log directory to verify operations or track issues. Verifying Linux installation files After an installation, check to see that all the files were installed in the appropriate directory on the client.
  • Page 100 Enable IPS protection. Use one of these procedures, depending on which you used to stop the client: • Set IPS Options to On in the ePO console and apply the policy to the client. • Run the command: hipts engines MISC:on
  • Page 101: Appendix A - Writing Custom Signatures And Exceptions

    A rule to prevent a request to the web server that has “subject” in the http request query has the following format: Rule { Class Isapi Id 4001 level 4 query { Include *subject* }
  • Page 102: Common Sections

    When a process occurs in the context of a Null Session, the user and domain are ‘Anonymous’. If a rule applies to all users, use *. On UNIX, this section is case sensitive.
  • Page 103 C:\test\ whose name starts with the string “abc”: files { Include C:\\test\\*.txt } files { Include C:\\test\\abc* } NOTE: In precedence order, exclude wins over include. Here are three examples:
  • Page 104: Optional Common Sections

    { Include C:\\test\\abc.txt } dependencies “the general rule” Wildcards and variables Wildcards, meta-symbols, and predefined variables can be used as the value in the available sections.
  • Page 105 Table 24: Windows IIS Web Server Variable Description IIS_BinDir Directory where inetinfo.exe is located IIS_Computer Machine name that IIS runs on IIS_Envelope Includes all files that IIS is allowed to access
  • Page 106 Path to document roots UAPACHE_Logs Apache log files UAPACHE_Logs_dir Log file directory UAPACHE_Roots Apache web roots UAPACHE_Users Users that Apache runs as UAPACHE_VcgiRoots Path to CGI roots of virtual servers
  • Page 107: Windows Custom Signatures

    For protection of SQL operations Windows class Buffer Overflow The following table lists the possible sections and values for the Windows class Buffer Overflow: Section Values Notes Class Buffer_Overflow See Common sections .
  • Page 108: Windows Class Files

    "dependencies 428" in the custom signature. Windows class Files The following table lists the possible sections and values for the Windows class Files: Section Values Notes Class Files See Common sections . level
  • Page 109 If the section files is used, the path to a monitored folder or file can either be the full path or a wildcard. For example, the following are valid path representations: files { Include “C:\\test\\abc.txt” } files { Include “*\\test\\abc.txt” }
  • Page 110 To distinguish between remote file access and local file access for any directive, set the executable file path name to "SystemRemoteClient": Executable { Include -path “SystemRemoteClient” } This would prevent any directive from executing if the executable is not local.
  • Page 111: Windows Class Hook

    • directives files:create: Indicates that this rule covers the creation of a file. Windows class Hook The following table lists the possible sections and values for the Windows class Hook: Section Values Notes Class Hook
  • Page 112: Windows Class Illegal Host Ips Api Use

    The primary purpose of a killbit is to close security holes. Killbit updates are typically deployed to Microsoft Windows operating systems via Windows security updates. Here is an example of a signature: Rule { tag "Sample4" Class Illegal_API_Use Id 4001 level 4
  • Page 113: Windows Class Illegal Use

    One of the required parameters. Matched against the URL part of an incoming request. See Notes 1-4. query One of the required parameters. Matched against the query part of an incoming request. See Notes 1-4.
  • Page 114 'abc' that are 500 characters or more; "*abc;xyz*;" matches any string containing 'abc;xyz' regardless of length. Note 4 A rule needs to contain at least one of the optional sections url, query, method.
  • Page 115 { Include “GET” } Executable { Include “*”} user_name { Include “*” } directives isapi:request For example, the GET request http://www.myserver.com/test/abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
  • Page 116: Windows Class Program

    PROCESS_TERMINATE — Required to terminate a process. • PROCESS_CREATE_THREAD — Required to create a thread. • PROCESS_VM_WRITE — Required to write to memory. • PROCESS_DUP_HANDLE — Required to duplicate a handle.
  • Page 117: Windows Class Registry

    (Open with access to wait, in the user interface.) NOTE: Not available on Microsoft Vista and later platforms. Windows class Registry The following table lists the possible sections and values for the Windows class Registry:
  • Page 118 HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE\ and CurrentControlSet is replaced by ControlSet. For example the registry value “abc” under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \REGISTRY\MACHINE\SYSTEM\\ControlSet\\Control\\Lsa\\abc.
  • Page 119 The following rule would prevent anybody and any process from deleting the registry value “abc” under registry key “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” Rule { tag "Sample8" Class Registry Id 4001
  • Page 120: Windows Class Services

    Display name of the service One of the required parameters. This name appears in the Services manager. See Note 1. directives services:delete Deletes a service. services:create Creates a service. services:start Starts a service.
  • Page 121 Only applicable for changes in the logon mode of a service: logon information (system or user account) used by the service.
  • Page 122: Windows Class Sql

    Windows authentication (set to 1) or SQL authentication (set to 0) was used. client_agent Name of the utility sending the request on the client system. Example: OSQL-32, Internet Information Services.
  • Page 123: Classes And Directives Per Windows Platform

    • Windows 2003, R2, R2 SP2, 32- and 64-bit (2K3) • Windows Vista, 32- and 64-bit (V) • Windows 2008 R2, 32- and 64-bit (2K8) • Windows 7, 32- and 64-bit (7)
  • Page 124 Class Hook Directives 32-bit processes on 32-bit Windows OS (x32) 32-bit processes on 64-bit Windows OS (x64) 64-bit processes on 64-bit Windows OS (x64) hook:set_windows_hook
  • Page 125 Class Registry Directives 32-bit processes on 32-bit Windows OS (x32) 32-bit processes on 64-bit Windows OS (x64) 64-bit processes on 64-bit Windows OS (x64) registry:create
  • Page 126 Class SQL Directives 32-bit processes on 32-bit Windows OS (x32) 32-bit processes on 64-bit Windows OS (x64) 64-bit processes on 64-bit Windows OS (x64) sql:request
  • Page 127: Non-Windows Custom Signatures

    Changes the working directory. unixfile:chmod Changes the permissions on a directory or file. unixfile:chown Changes the ownership of a directory or file. unixfile:create Creates a file.
  • Page 128 Note 2 The value of the sections file permissions and new permissions corresponds to the Access Control List (acl). These can have values of “SUID” or “SGID” only.
  • Page 129 (the file to which the link points). Solaris only. new permission Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. Solaris only.
  • Page 130: Solaris/Linux Class Unix_Apache (Http)

    { Include “*” } application { Include “*”} user_name { Include “*” } directives apache:request This rule is triggered because {url}=/search/abc.exe, which matches the value of the section “url” (namely, abc).
  • Page 131: Solaris/Linux Class Unix_Misc

    The following table lists the possible sections and values for the Solaris or Linux class UNIX_misc: Section Values Notes Class UNIX_misc A miscellaneous class that safeguards access protection. See Common sections .
  • Page 132: Solaris Class Unix_Bo

    For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule: Rule { file { Include "/tmp/test.log" } zone { Include "app_zone" }
  • Page 133: Solaris Class Unix_Map

    Sets the real and effective user ID. guid:setgid Sets group ID to allow a group to run an executable with the permissions of the executable's group. guid:setegid Sets effective group ID.
  • Page 134: Classes And Directives Per Unix Platform

    Class UNIX_file Directives RedHat Linux SuSE Linux Solaris 9 Solaris 10 unixfile:chdir unixfile:chmod unixfile:chown unixfile:create unixfile:link unixfile:mkdir unixfile:read unixfile:rename unixfile:rmhdir unixfile:setattr unixfile:symlink unixfile:unlink unixfile:write unixfile:mknod unixfile:access unixfile:foolaccess unixfile:priocntl
  • Page 135 Class UNIX_map Directives RedHat Linux SuSE Linux Solaris 9 Solaris 10 mmap:mprotect mmap:mmap Class UNIX_GUID Directives RedHat Linux SuSE Linux Solaris 9 Solaris 10 guid:setuid guid:seteuid guid:setreuid guid:setgid guid:setegid guid:setregid
  • Page 136: Appendix B - Troubleshooting

    Protocol: 0xXXX, where 0xXXX indicates the IANA Ethernet number of the protocol (see http://www.iana.org/assignments/ethernet-numbers). Use this information to determine the non-IP traffic that is needed and create a firewall rule that allows it.
  • Page 137 Retest with this option set. Note: Even if the firewall is disabled, traffic can still be dropped when Host Intrusion Prevention is active. If these steps do not resolve the issue, disable the McAfee NDIS Intermediate Filter Miniport adapter, and retest to verify if the issue occurs.
  • Page 138 • If the problem stops, skip to Step 1 of the Iterative testing phase . Check the following: • Stop the McAfee Host IPS service and retest. If the problem goes away, report the issue as associated directly with the service.
  • Page 139 Click the Activity Log tab and clear the log. Click the IPS Policy tab and select Enable Network IPS. Click the Automatically Block Attackers checkbox. Test the system to determine if the problem recurs. If it does:
  • Page 140 Click the Firewall Policy tab and select Learn Mode and both Incoming and Outgoing. Test the system to determine if the problem recurs. If it does: Deselect Incoming and Outgoing.
  • Page 141: Host Ips Logs

    Test the system to determine if the problem recurs. If it does, it is probably not associated with Blocked Hosts. If you still have not found the cause of the issue, contact McAfee Support, explain the issue, and attach data obtained by going through this process.
  • Page 142 Logging can also be set locally by adding the DWORD 'debug_enabled' value in the HKLM\Software\McAfee\HIP registry key. A value of decimal 1 turns on verbose debug logging. The use of the local registry key to enable debug logging overrides any policy set using ePolicy Orchestrator.
  • Page 143 NOTE: When collecting data for incidents escalated to McAfee Support, we strongly recommend that the debug_enabled registry value be created and set to 1. This registry value logs all Host and Network IPS events to HIPShield.log, regardless of the Log Status setting under...
  • Page 144: Clientcontrol.exe Utility

    IPS protection and activate logging functions. Function and Setup This utility allows administrators to perform the following on the McAfee Host IPS client: • Start the Host IPS service. • Stop the Host IPS service (requires administrator or time-based password).
  • Page 145 • The McAfee Agent enforces policies at next policy enforcement interval. • If the McAfee Agent enforces policies while you are engaged in an activity that requires that protection be disabled (e.g. patching Windows), your activity might be blocked by the enforced policies.
  • Page 146 Exports the event log to a formatted text file. The source file path is optional. Do not include "/s" if there is no source file. • /readNaiLic Display the NaiLite license data. • /exportConfig <path of export file> <config type>
  • Page 147 • There must be at least one space between the argument, the password, and any other required parameters. Sample workflows Applying a patch to a computer protected by McAfee Host IPS Open a command shell. clientcontrol.exe /stop <password> Perform your maintenance activity.
  • Page 148 Turning off specific Host IPS engines as part of a troubleshooting exercise Open a command shell. clientcontrol.exe /<password> [engine type] [engine option] Perform activity to generate reactions and log entries. Review HipShield.log or FireSvc.log for relevant information.
  • Page 149 Host IPS directives valid on Linux behavioral rules directives valid on Solaris defining legitimate Host IPS activity Linux shielding and enveloping Linux, UNIX_apache (HTTP) Blocked Hosts tab, working with
  • Page 150 68, 89, automatic tuning location-aware groups configuring IPS Rules policy logging options Create Exception
  • Page 151 Host IPS signatures, configuring intrusion prevention (IPS) signatures, working with adaptive mode and exceptions IPS, Host IPS behavioral rules permissions for client rules client rules, overview customizing options
  • Page 152 Policy Catalog assigning 37, Client UI My Default policy custom firewall policies, creating 64, Client UI managing Host IPS policies DNS Blocking ownership for Host IPS policies
  • Page 153 Host IPS system management automatic responses for Host IPS events server tasks for Host IPS 23, server tasks, Host IPS updating Host IPS protection checking in updates
  • Page 154 Host IPS Firewall Options policy overview how it works system tray icon menu tuning Host IPS unlocking the interface adaptive and learn modes analyzing events
