How Ips Signatures Work - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Configuring IPS Policies
Define IPS protection
• Marking an application as Trusted for IPS or Firewall takes precedence even if the same
application is not marked as Trusted for that feature in another assigned Trusted Applications
policy.

How IPS signatures work

Signatures describe security threats, attack methodologies, and network intrusions. Each
signature has a default severity level, which describes the potential danger of an attack:
• High — Signatures that protect against clearly identifiable security threats or malicious
actions. Most of these signatures are specific to well-identified exploits and are mostly
non-behavioral in nature. They should be prevented on every host.
• Medium — Signatures that are behavioral in nature and deal with preventing applications
from operating outside of their environment (relevant for clients protecting web servers and
Microsoft SQL Server 2000). On critical servers, you might want to prevent those signatures
after fine-tuning.
• Low — Signatures that are behavioral in nature and shield applications. Shielding means
locking down application and system resources so that they cannot be changed. Preventing
these signatures increases the security of the underlying system, but requires additional
fine-tuning.
• Information — Indicates a modification to the system configuration that might create a
benign security risk or an attempt to access sensitive system information. Events at this
level occur during normal system activity and generally are not evidence of an attack.
Types of signatures
The IPS Rules policy can contain three types of signatures:
• Host IPS signatures — Default host intrusion prevention signatures.
• Custom IPS signatures — Custom host intrusion prevention signatures that you create.
• Network IPS signatures — Default network intrusion prevention signatures.
Host IPS signatures
Host-based intrusion prevention signatures detect and prevent system operations activity attacks,
and includes File, Registry, Service, and HTTP rules. They are developed by the Host Intrusion
Prevention security experts and are delivered with the product and with content updates.
Each signature has a description and a default severity level. With appropriate privilege levels,
an administrator can modify the severity level of a signature.
When triggered, host-based signatures generate an IPS event that appears in the Events tab
of the Host IPS tab under Reporting.
Custom IPS signatures
Custom signatures are host-based signatures that you can create for protection beyond the
default protection. For example, when you create a new folder with important files, you can
create a custom signature to protect it.
NOTE: You cannot create network-based custom signatures.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 39