Summary of Contents for McAfee HISCDE-AB-IA - Host Intrusion Prevention
Page 1
McAfee Host Intrusion Prevention 8.0 Product Guide for use with ePolicy Orchestrator 4.5...
Page 2
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
These settings include:
• For IPS protection:
  • High severity signatures are prevented and all other signatures are ignored
  • McAfee applications are listed as trusted applications for all rules except IPS self-protection rules
  • Predefined applications and processes are protected
  • ...
• Firewall Rules (Windows only). Defines firewall rules.
• Firewall DNS Blocking (Windows only). Defines the domain name servers that are to be blocked.
A policy is a configured group of settings for a specific purpose. You can create, modify, or delete as many policies as needed. Each policy has a preconfigured McAfee Default policy, which cannot be edited or deleted. Except for IPS Rules and Trusted Applications, all policies also have an editable My Default policy based on the default policy.
Preset protection
Host Intrusion Prevention offers two types of protection:
• Basic protection is available through the McAfee Default policy settings. This protection requires little or no tuning and generates few events. For many environments this basic protection might be sufficient.
Page 11
Stronger IPS rules target a wider range of violations and generate more events than in a basic environment. If you apply advanced protection, McAfee recommends using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore).
• Desktop High Triggered Signatures
• Desktop Medium Triggered Signatures
• Desktop Low Triggered Signatures
• Server High Triggered Signatures
• Server Medium Triggered Signatures
• Server Low Triggered Signatures
• IPS Catalog
• Last Modified
• Last Modifying User
...firewall groups, and firewall client rules. Possible action values are allow, block, and jump, with jump the action for groups, which...
Page 14
Common Host IPS properties
The Host IPS custom queries and some of the other custom queries allow you to include these Host IPS properties:
• Agent type
• IPS Adaptive Mode Status
Page 15
...Signatures: Displays the top 10 most triggered IPS signatures of Low Severity (Notice).
Events From Host IPS Trusted Networks: Displays events generated by systems within Host IPS trusted networks.
• Edit policy assignment
• Edit custom policies
Use the Policy Catalog to:
• Create policies
• View and edit policy information
• View where a policy is assigned
For details on any of these features, see the ePolicy Orchestrator documentation.
Configuring policies
After you install the Host Intrusion Prevention software, McAfee recommends that you configure policies to provide the greatest amount of security without conflicting with day-to-day activities.
Manual tuning
Manual tuning requires directly monitoring, for a set period of time, the events and client rules that are created.
Page 19
• Determine your initial client rollout plan. Although you can deploy Host Intrusion Prevention clients to every host (servers, desktops, and laptops) in your company, McAfee recommends that you start by installing clients on a limited number of representative systems and tuning their configuration.
Page 20
If a packet matches all the criteria in a rule, the firewall performs the action specified by the rule — which allows the packet through the firewall, or blocks it.
Page 21
• The reaction to the signature is "Ignore."
• The associated action triggers a network IPS signature.
• A user attempts to stop the McAfee Host IPS service, regardless of the client rule setting for service self-protection in signature 1000.
Secure Socket Layer (HTTPS) might require multiple attempts to create a firewall rule.
Host IPS policy migration
You cannot use McAfee Host Intrusion Prevention version 6.1 or 7.0 policies with version 8.0 clients without first migrating version 6.1 or 7.0 policies to version 8.0 format. Host Intrusion Prevention 8.0 provides an easy means to migrate policies with the ePolicy Orchestrator Host...
With Host Intrusion Prevention, permissions are granted for access to each feature of the product and whether the user has read or read/write permission. This applies to the Host...
Click Menu | User Management | Permission Sets. Next to Host Intrusion Prevention, click Edit. Select the desired permission for each feature:
• None
• View settings only
• View and change settings
Click Save.
Host Intrusion Prevention policy.
Export Queries (Custom)
This server task allows you to create a Host Intrusion Prevention query output file that can be saved or emailed.
Name of the monitored API that triggered an event
Direction: In/Out/Either
Host IPS Event Description: Detailed description of the event
Local IP Address: Local IP address of the system involved in the event
Updates include data associated with the IPS Rules policy (IPS signatures and application protection rules) and the Trusted Applications policy (trusted applications). As these updates occur in the McAfee default policy, these policies must be assigned for both IPS Rules and Trusted Applications to take advantage of the updated protection.
Schedule the task as desired, then click Next. Review the details, then click Save.
Updating content from the client
A client can also request updates on demand if a McAfee Agent icon appears in the client computer’s system tray.
Task
• ...
Like the Trusted Applications policy, this policy category can contain multiple policy instances. Content updates provide new and updated signatures and application protection rules to keep protection current.
Each query is examined to see whether it matches any known attack signatures, whether it is well formed, and whether there are tell-tale signs of SQL injection.
These signatures:
• Protect systems located downstream in a network segment.
• Protect servers and the systems that connect to them.
Orchestrator console, viewing them in regular, filtered, and aggregated views. Use these client rules to create new policies or add them to existing policies that you can apply to other clients.
These options are available for clients on all platforms:
• Host IPS enabled — Select to turn on IPS protection through the enforcement of host IPS rules. NOTE: This control is also available directly on the client.
Policy selections
This policy category contains a preconfigured policy, and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies. The preconfigured policy has these settings:...
Policy selections
This policy category contains six preconfigured policies and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies. Preconfigured policies include:...
You can view and duplicate the preconfigured policy; you can edit, rename, duplicate, delete, and export custom policies you create. You can also assign more than one instance of the policy for a union of various policy rules.
NOTE: The McAfee Default policy for both IPS Rules and Trusted Applications is updated when content is updated. McAfee recommends that these two policies always be applied to make sure protection is as up to date as possible. For the policies that have multiple instances, an Effective Policy link appears to provide a view of the details of the combined policy instances.
Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies. The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied.
For example, when you create a new folder with important files, you can create a custom signature to protect it. NOTE: You cannot create network-based custom signatures.
Page 40
Description settings, and enter notes in the Note box to document the change. Click OK to save any modifications. NOTE: You can make changes to several signatures at once, by selecting the signatures and clicking Edit...
Page 41
Include an executable as a parameter with information on at least one of these four values:
Page 42
** (two asterisks): Multiple characters, including / and \.
| (pipe): Wildcard escape.
NOTE: For ** the escape is |*|*.
Host Intrusion Prevention provides a static list of processes that are permitted or blocked. This list is updated with content update releases that apply in the McAfee Default IPS Rules policy. In addition, processes that are permitted to hook are added dynamically to the list when process analysis is enabled.
Page 44
A hooked process becomes unhooked if the server sends an updated process list that specifies that the already hooked process should no longer be hooked. When the process hooking list is...
Page 45
If the IPS Rules policy does not have an application protection rule that you need in your environment, you can create one.
Task
For option definitions, click ? in the interface. On the IPS Rules policy Application Protection Rules tab, do one of the following:
Use the filters at the top of the exception list. You can filter on rule status, modified date, or specific text that includes rule or notes text. Click Clear to remove filter settings.
• Trusted Applications — Applications that are labeled trusted whose operations might otherwise be blocked by a signature.
This tuning process keeps the events that appear to a minimum, providing more time for analysis of the serious events that occur.
Select the group in the System Tree for which you want to display IPS events. All events associated with the group appear. By default, not all events are displayed. Only events over the last 30 days appear.
In the dialog box that appears, select a destination IPS Rules policy and click OK. The exception is created and added automatically to the bottom of the list of exceptions of the destination IPS Rules policy.
For option definitions, click ? in the interface.
Click Menu | Reporting | Host IPS 8.0, then click IPS Client Rules.
Select the group in the System Tree for which you want to display client rules.
Page 51
To move exceptions to a policy, select one or more exceptions in the list, click Create Exception, then indicate the policy to which to move the exceptions.
When applied, this policy dynamically adds a rule near the top of the firewall rules list that prevents resolving the IP address of the specified domain.
Ethernet LAN (802.3), wireless Wi-Fi (802.11x), and virtual LAN (VPN) are in this layer. Both firewall rules and groups distinguish between wired, wireless, and virtual links.
Network Layer
The network layer protocols define whole-network addressing schemes, routing, and network control schemes.
Page 54
IP network, as it is the error reporting mechanism. IPv4 and IPv6 have separate, unrelated ICMP protocol variants. ICMPv4 is often referred to as simply ICMP.
On the Location tab:
• Connection-specific DNS suffix
• Gateway IP
• DHCP IP
• DNS server queried to resolve URLs
• WINS server used
Page 56
When the Isolate this connection option is selected under a group's Location settings, and an active Network Interface Card (NIC) matches the group criteria, the only types of traffic...
Page 57
Connection isolation on the corporate network
Connection rules are processed until the group with corporate LAN connection rules is encountered. This group contains these settings:
• Media type = Wired
• Executable — List of executables attached to applications that can be referenced in a firewall group or rule or in IPS-related applications
• Network — List of IP addresses that can be referenced in a firewall group or rule
When a connection is closed or times out, its entry is removed from the state table.
Page 60
The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action, Allow, so that any packet matched to a rule in the state table is automatically permitted.
Page 61
Firewall Options policy, when the firewall encounters a connection opened on port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel.
Query/response matching ensures that return packets are allowed only for legitimate queries. Thus incoming DHCP responses are allowed if:
• The connection in the state table has not expired.
• The response transaction ID matches the one from the request.
No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If not, the packet is dropped.
Policy selections This policy category contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies, and create, edit, rename, duplicate, delete, and export custom policies. The preconfigured policy has these settings:...
FAQ — McAfee TrustedSource and the firewall Two options in the Firewall Options policy allow you to block incoming and outgoing traffic from a network connection that McAfee TrustedSource™ has rated high risk. This FAQ explains what TrustedSource does and how it affects the firewall.
Define firewall protection
Does it introduce latency? How much?
When TrustedSource is contacted to do a reputation lookup, some latency is inevitable. McAfee has done everything it can to minimize this. First, a check of reputations is made only when the options are selected. Second, there is an intelligent caching architecture.
Firewall DNS Blocking policy selections The Firewall DNS Blocking policy contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate the preconfigured policy, and edit, rename, duplicate, delete, and export editable custom policies.
Transport: Transport protocol
Application: Applications and executables
Schedule: Status and time settings, including enabling timed groups
On the Summary tab, review the details of the group and click Save.
The Host IPS catalog allows you to add new items or reference existing items for use with the firewall. This task helps you find and edit existing catalog items, create and add new catalog items, or import and export catalog items.
For option definitions, click ? on the page displaying the options.
Click Menu | Reporting | Host IPS, then click Firewall Client Rules.
Select the group in the System Tree for which you want to display client rules.
For values that normally do not contain path information with slashes, use these wildcards:
Character: Definition
? (question mark): A single character.
* (one asterisk): Multiple characters, including / and \.
| (pipe): Wildcard escape.
Like the IPS Rules policy, this policy category can contain multiple policy instances. For clients on both Windows and non-Windows platforms. Settings for Trusted Networks and Trusted Applications policies can reduce or eliminate false positives, which aids in tuning a deployment.
In the Client UI page, select a tab (General Options, Advanced Options, Troubleshooting Options) and make any needed changes. See Setting Client UI general options, Setting Client UI advanced options, or Setting Client UI troubleshooting options for details.
NOTE: Policies are not enforced on the client when the client console is unlocked. For details, see Unlocking the Windows client interface.
IPS engines. When disabling engines, remember to reenable them after completing the troubleshooting.
Task
Click the Troubleshooting tab in the Client UI policy. Select the policy settings you want to apply:
My Default policy. You can view and duplicate the preconfigured policy; you can create, edit, rename, duplicate, delete, and export editable custom policies.
A trusted application is susceptible to common vulnerabilities such as buffer overflow and illegal use. Therefore, a trusted application is still monitored and can trigger events to prevent exploits.
Configuring General Policies
Define trusted applications
This policy category contains a preconfigured policy, which provides a list of specific McAfee applications and Windows processes. You can view and duplicate the preconfigured policy, or edit, rename, duplicate, delete, and export custom policies.
Configuring General Policies
System tray icon menu
When the McAfee icon appears in the system tray, it provides access to the Host IPS client console. Functionality differs depending on the version of the McAfee Agent that is installed on the client.
Page 82
Both the McAfee Agent and the Host IPS client must be set to display an icon for this access. If the McAfee Agent does not appear in the system tray, there is no access to Host IPS with a system tray icon, even though the client may be set to display a tray icon.
The Host Intrusion Prevention client console gives you access to several configuration options. To open the console, do one of the following:
• With McAfee Agent 4.0, right-click the McAfee icon, select Host Intrusion Prevention, then Configure.
• With McAfee Agent 4.5, right-click the McAfee icon, select Manage Features, Host Intrusion Prevention, then Configure.
This command-line utility, which can be included in installation and maintenance scripts to temporarily disable IPS protection and activate logging functions, is delivered as part of the installation and is located on the client at C:\Program Files\McAfee\Host Intrusion Prevention. See Clientcontrol.exe utility under Appendix B -- Troubleshooting for details.
Page 85
Setting options for IPS logging
As part of troubleshooting you can create IPS activity logs that can be analyzed on the system or sent to McAfee support to help resolve problems. Use this task to enable IPS logging.
Task
In the Host IPS console, select Help | Troubleshooting.
Display pop-up alert in the Options dialog box. NOTE: This intrusion alert also appears for firewall intrusions if a firewall rule is matched that has the Treat rule match as an intrusion option selected.
Page 87
The Spoof Detected Alert dialog box is very similar to the firewall feature’s Learn Mode alert. It displays information about the intercepted traffic in two areas — the Application Information section, and the Connection Information section.
Enable adaptive mode to automatically create exceptions to intrusion prevention signatures.
Automatically block attackers: Block network intrusion attacks automatically for a set period of time. Indicate the number of minutes in the min. field.
Firewall group
Timed group: Indicates the group is a timed group.
Location-aware group: Indicates the group is a location-aware group.
Page 90
For this page... / Enter this information...
General: The name, status, action, and direction of the rule.
Networks: The IP address, subnet, domain, or other specific identifiers for this rule.
How long Host Intrusion Prevention continues to block this address. If you specified an expiration time when you blocked the address, this column shows the number of minutes left until Host Intrusion Prevention removes the address from...
Process: The application process.
The process ID, which is the key for the cache lookup of a process.
Application Full Path: The full path name of the application executable.
NIPS signatures and Application Protection Rules are not available.
Host Intrusion Prevention 8.0 General
Client UI: None except administrative or time-based password to allow use of the troubleshooting tool.
Trusted Networks: None
hipts message all:off — Hide all message types when logging is set to “on.”
hipts engines <engine name>:on — Turn on the engine indicated. Engine is on by default. Engines include:
• MISC
• FILES
• GUID
• MMAP
Page 96
• Logged in as root, run the command: hipts engines MISC:off
Run the command: /sbin/rc2.d/S99hip stop
Restarting the Solaris client
You might need to stop a running client and restart it as part of troubleshooting.
• The Host IPS 8.0 Linux client is incompatible with SELinux in enforce mode. To disable the enforce mode, run the command system-config-securitylevel, change the setting to disabled, and restart the client system.
U taint flag; hipsec: module not supported by Novell, setting U taint flag. Novell requirements for third-party modules are causing the Host IPS kernel to be marked tainted. Because the Host IPS 8.0 Linux kernel modules are GPL-licensed, this message should be ignored. McAfee is working with Novell to resolve this issue.
Page 99
TIP: In addition to using the troubleshooting tool, consult the HIPShield.log and HIPClient.log files in the McAfee/hip/log directory to verify operations or track issues.
Verifying Linux installation files
After an installation, check to see that all the files were installed in the appropriate directory on the client.
Page 100
Enable IPS protection. Use one of these procedures, depending on which you used to stop the client:
• Set IPS Options to On in the ePO console and apply the policy to the client.
• Run the command: hipts engines MISC:on
A rule to prevent a request to the web server that has “subject” in the http request query has the following format:
Rule {
  Class Isapi
  Id 4001
  level 4
  query { Include *subject* }
  ...
When a process occurs in the context of a Null Session, the user and domain are ‘Anonymous’. If a rule applies to all users, use *. On UNIX, this section is case sensitive.
Page 103
C:\test\ whose name starts with the string “abc”:
files { Include C:\\test\\*.txt }
files { Include C:\\test\\abc* }
NOTE: In precedence order, exclude wins over include. Here are three examples:
{ Include C:\\test\\abc.txt }
dependencies “the general rule”
Wildcards and variables
Wildcards, meta-symbols, and predefined variables can be used as the value in the available sections.
Page 105
Table 24: Windows IIS Web Server
Variable: Description
IIS_BinDir: Directory where inetinfo.exe is located
IIS_Computer: Machine name that IIS runs on
IIS_Envelope: Includes all files that IIS is allowed to access
Page 106
Path to document roots
UAPACHE_Logs: Apache log files
UAPACHE_Logs_dir: Log file directory
UAPACHE_Roots: Apache web roots
UAPACHE_Users: Users that Apache runs as
UAPACHE_VcgiRoots: Path to CGI roots of virtual servers
For protection of SQL operations
Windows class Buffer Overflow
The following table lists the possible sections and values for the Windows class Buffer Overflow:
Section / Values / Notes
Class / Buffer_Overflow / See Common sections.
"dependencies 428" in the custom signature.
Windows class Files
The following table lists the possible sections and values for the Windows class Files:
Section / Values / Notes
Class / Files / See Common sections.
level / ...
Page 109
If the section files is used, the path to a monitored folder or file can either be the full path or a wildcard. For example, the following are valid path representations:
files { Include "C:\\test\\abc.txt" }
files { Include "*\\test\\abc.txt" }
Page 110
To distinguish between remote file access and local file access for any directive, set the executable file path name to "SystemRemoteClient":
Executable { Include -path "SystemRemoteClient" }
This would prevent any directive from executing if the executable is not local.
• directives files:create: Indicates that this rule covers the creation of a file.
Windows class Hook
The following table lists the possible sections and values for the Windows class Hook:
Section / Values / Notes
Class / Hook / ...
The primary purpose of a killbit is to close security holes. Killbit updates are typically deployed to Microsoft Windows operating systems via Windows security updates. Here is an example of a signature:
Rule {
  tag "Sample4"
  Class Illegal_API_Use
  Id 4001
  level 4
  ...
One of the required parameters. Matched against the URL part of an incoming request. See Notes 1-4.
query: One of the required parameters. Matched against the query part of an incoming request. See Notes 1-4.
Page 114
'abc' that are 500 characters or more; "*abc;xyz*;" matches any string containing 'abc;xyz' regardless of length.
Note 4: A rule needs to contain at least one of the optional sections url, query, method.
Page 115
{ Include "GET" }
Executable { Include "*" }
user_name { Include "*" }
directives isapi:request
For example, the GET request http://www.myserver.com/test/abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
• PROCESS_TERMINATE — Required to terminate a process.
• PROCESS_CREATE_THREAD — Required to create a thread.
• PROCESS_VM_WRITE — Required to write to memory.
• PROCESS_DUP_HANDLE — Required to duplicate a handle.
(Open with access to wait, in the user interface.) NOTE: Not available on Microsoft Vista and later platforms. Windows class Registry The following table lists the possible sections and values for the Windows class Registry:
Page 118
HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE\ and CurrentControlSet is replaced by ControlSet. For example, the registry value "abc" under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \REGISTRY\MACHINE\SYSTEM\\ControlSet\\Control\\Lsa\\abc.
Page 119
The following rule would prevent anybody and any process from deleting the registry value "abc" under registry key "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa": Rule { tag "Sample8" Class Registry Id 4001
Display name of the service One of the required parameters. This name appears in the Services manager. See Note 1. directives services:delete Deletes a service. services:create Creates a service. services:start Starts a service.
Page 121
Only applicable for changes in the logon mode of a service: logon information (system or user account) used by the service.
Windows authentication (set to 1) or SQL authentication (set to 0) was used. client_agent Name of the utility sending the request on the client system. Example: OSQL-32, Internet Information Services.
• Windows 2003, R2, R2 SP2, 32- and 64-bit (2K3) • Windows Vista, 32- and 64-bit (V) • Windows 2008 R2, 32- and 64-bit (2K8) • Windows 7, 32- and 64-bit (7)
Page 124
Class Hook Directives (columns: 32-bit processes on 32-bit Windows OS (x32); 32-bit processes on 64-bit Windows OS (x64); 64-bit processes on 64-bit Windows OS (x64)): hook:set_windows_hook
Page 125
Class Registry Directives (columns: 32-bit processes on 32-bit Windows OS (x32); 32-bit processes on 64-bit Windows OS (x64); 64-bit processes on 64-bit Windows OS (x64)): registry:create
Page 126
Class SQL Directives (columns: 32-bit processes on 32-bit Windows OS (x32); 32-bit processes on 64-bit Windows OS (x64); 64-bit processes on 64-bit Windows OS (x64)): sql:request
Changes the working directory. unixfile:chmod Changes the permissions on a directory or file. unixfile:chown Changes the ownership of a directory or file. unixfile:create Creates a file.
Page 128
Note 2 The value of the sections file permissions and new permissions corresponds to the Access Control List (acl). These can have values of "SUID" or "SGID" only.
Page 129
(the file to which the link points). Solaris only. new permission Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. Solaris only.
{ Include "*" } application { Include "*" } user_name { Include "*" } directives apache:request This rule is triggered because {url}=/search/abc.exe, which matches the value of the section "url" (namely, abc).
The following table lists the possible sections and values for the Solaris or Linux class UNIX_misc: Section Values Notes Class UNIX_misc A miscellaneous class that safeguards access protection. See Common sections.
For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule: Rule { file { Include "/tmp/test.log" } zone { Include "app_zone" }
Sets the real and effective user ID. guid:setgid Sets group ID to allow a group to run an executable with the permissions of the executable's group. guid:setegid Sets effective group ID.
Class UNIX_file Directives (supported-platform columns: RedHat Linux, SuSE Linux, Solaris 9, Solaris 10): unixfile:chdir, unixfile:chmod, unixfile:chown, unixfile:create, unixfile:link, unixfile:mkdir, unixfile:read, unixfile:rename, unixfile:rmhdir, unixfile:setattr, unixfile:symlink, unixfile:unlink, unixfile:write, unixfile:mknod, unixfile:access, unixfile:foolaccess, unixfile:priocntl
Page 135
Class UNIX_map Directives (supported-platform columns: RedHat Linux, SuSE Linux, Solaris 9, Solaris 10): mmap:mprotect, mmap:mmap. Class UNIX_GUID Directives (same columns): guid:setuid, guid:seteuid, guid:setreuid, guid:setgid, guid:setegid, guid:setregid
Protocol: 0xXXX, where 0xXXX indicates the IANA Ethernet number of the protocol (see http://www.iana.org/assignments/ethernet-numbers). Use this information to determine the non-IP traffic that is needed and create a firewall rule that allows it.
Page 137
Retest with this option set. Note: Even if the firewall is disabled, traffic can still be dropped when Host Intrusion Prevention is active. If these steps do not resolve the issue, disable the McAfee NDIS Intermediate Filter Miniport adapter, and retest to verify if the issue occurs.
Page 138
• If the problem stops, skip to Step 1 of the Iterative testing phase. Check the following: • Stop the McAfee Host IPS service and retest. If the problem goes away, report the issue as associated directly with the service.
Page 139
Click the Activity Log tab and clear the log. Click the IPS Policy tab and select Enable Network IPS. Click the Automatically Block Attackers checkbox. Test the system to determine if the problem recurs. If it does:
Page 140
Click the Firewall Policy tab and select Learn Mode and both Incoming and Outgoing. Test the system to determine if the problem recurs. If it does: Deselect Incoming and Outgoing.
Test the system to determine if the problem recurs. If it does, it is probably not associated with Blocked Hosts. If you still have not found the cause of the issue, contact McAfee Support, explain the issue, and attach data obtained by going through this process.
Page 142
Logging can also be set locally by adding the DWORD 'debug_enabled' value in the HKLM\Software\McAfee\HIP registry key. A value of decimal 1 turns on verbose debug logging. The use of the local registry key to enable debug logging overrides any policy set using ePolicy Orchestrator.
Page 143
NOTE: When collecting data for incidents escalated to McAfee Support, we strongly recommend that the debug_enabled registry value be created and set to 1. This registry value logs all Host and Network IPS events to HIPShield.log, regardless of the Log Status setting under...
IPS protection and activate logging functions. Function and Setup This utility allows administrators to perform the following on the McAfee Host IPS client: • Start the Host IPS service. • Stop the Host IPS service (requires administrator or time-based password).
Page 145
• The McAfee Agent enforces policies at next policy enforcement interval. • If the McAfee Agent enforces policies while you are engaged in an activity that requires that protection be disabled (e.g. patching Windows), your activity might be blocked by the enforced policies.
Page 146
Exports the event log to a formatted text file. The source file path is optional. Do not include "/s" if there is no source file. • /readNaiLic Display the NaiLite license data. • /exportConfig <path of export file> <config type>
Page 147
• There must be at least one space between the argument, the password, and any other required parameters. Sample workflows Applying a patch to a computer protected by McAfee Host IPS Open a command shell. clientcontrol.exe /stop <password> Perform your maintenance activity.
Page 148
Turning off specific Host IPS engines as part of a troubleshooting exercise Open a command shell. clientcontrol.exe /<password> [engine type] [engine option] Perform activity to generate reactions and log entries. Review HipShield.log or FireSvc.log for relevant information.
Page 149
Host IPS directives valid on Linux behavioral rules directives valid on Solaris defining legitimate Host IPS activity Linux shielding and enveloping Linux, UNIX_apache (HTTP) Blocked Hosts tab, working with
Page 151
Host IPS signatures, configuring intrusion prevention (IPS) signatures, working with adaptive mode and exceptions IPS, Host IPS behavioral rules permissions for client rules client rules, overview customizing options
Page 152
Policy Catalog assigning 37, Client UI My Default policy custom firewall policies, creating 64, Client UI managing Host IPS policies DNS Blocking ownership for Host IPS policies
Page 153
Host IPS system management automatic responses for Host IPS events server tasks for Host IPS 23, server tasks, Host IPS updating Host IPS protection checking in updates
Page 154
Host IPS Firewall Options policy overview how it works system tray icon menu tuning Host IPS unlocking the interface adaptive and learn modes analyzing events