should see the client rules that indicate which client exception rules are being created. By
analyzing this data, you begin to tune the deployment.
To analyze event data, view the Events tab of the Host IPS tab under Reporting. You can drill
down to the details of an event, such as which process triggered the event, when the event
was generated, and which client generated the event. Analyze the event and take the appropriate
action to tune the Host Intrusion Prevention deployment to provide better responses to attacks.
The Events tab displays all Host IPS events, including NIPS, Firewall intrusions, and TrustedSource
block events.
To analyze client rules, view the IPS Client Rules and Firewall Client Rules tabs. You can see
which rules are being created, aggregate them to find the most prevalent common rules, and
move the rules directly to a policy for application to other clients.
In addition, the ePolicy Orchestrator Reporting module provides detailed reports based on
events, client rules, and the Host Intrusion Prevention configuration. Use these queries to
communicate environment activity to other members of your team and management.
Adaptive mode
A major element in the tuning process includes placing Host Intrusion Prevention clients in
adaptive mode for IPS and Firewall. This mode allow computers to create client exception rules
to administrative policies. Adaptive mode does this automatically without user interaction.
This mode analyzes events first for the most malicious attacks, such as buffer overflow. If the
activity is considered regular and necessary for business, client exception rules are created. By
setting representative clients in adaptive mode, you can create a tuning configuration for them.
Host Intrusion Prevention then allows you to take any, all, or none of the client rules and convert
them to server-mandated policies. When tuning is complete, turn off adaptive mode to tighten
the system’s intrusion prevention protection.
• Run clients in adaptive mode for at least a week. This allows the clients time to encounter
all the activity they would normally encounter. Try to do this during times of scheduled
activity, such as backups or script processing.
• As each activity is encountered, IPS events are generated and exceptions are created.
Exceptions are activities that are distinguished as legitimate behavior. For example, a policy
might deem certain script processing as illegal behavior, but certain systems in your
engineering groups need to perform such tasks. Allow exceptions to be created for those
systems, so they can function normally while the policy continues to prevent this activity on
other systems. Then make these exceptions part of a server-mandated policy to cover only
the engineering group.
• You might require software applications for normal business in some areas of the company,
but not in others. For example, you might allow Instant Messaging in your Technical Support
organization, but prevent its use in your Finance department. You can establish the application
as trusted on the systems in Technical Support to allow users full access to it.
• The Firewall feature acts as a filter between a computer and the network or the Internet.
The firewall scans all incoming and outgoing traffic at the packet level. As it reviews each
arriving or departing packet, the firewall checks its list of firewall rules, which is a set of
criteria with associated actions. If a packet matches all the criteria in a rule, the firewall
performs the action specified by the rule — which allows the packet through the firewall, or
blocks it.
Managing Your Protection
Policy management
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.020