McAfee HISCDE-AB-IA, Host Intrusion Prevention 8.0 Product Manual

McAfee Host Intrusion Prevention 8.0
Product Guide for use with ePolicy Orchestrator 4.5
COPYRIGHT
Copyright © 2010 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
Contents
Introducing Host Intrusion Prevention  7
  Host IPS protection  7
  Host IPS policies  8
  Host IPS policy management  9
  Host IPS policy tracking and tuning  10
Managing Your Protection  12
  Information management  12
    Host IPS dashboards  12
    Host IPS queries  13
  Policy management  16
    Where to find policies  16
    Configuring policies  17
    Default protection and tuning  18
    Host IPS policy migration  22
  System management  23
    Host IPS permission sets  23
    Host IPS server tasks  25
    Host IPS event responses  26
    Host IPS protection updates  27
Configuring IPS Policies  29
  Overview of IPS policies  29
    Methods for delivery of IPS protection  30
    Signatures  31
    Behavioral rules  32
    Reactions  32
    Exceptions  32
    Application protection rules  33
    Events  33
  Enable IPS protection  33
    Configuring the IPS Options policy  34
  Set the reaction for IPS signatures  35
    Configuring the IPS Protection policy  36
  Define IPS protection  36
    Configuring the IPS Rules policy  37
    Assigning multiple instances of the policy  37
    FAQ — Multiple-instance policies  38
    How IPS signatures work  39
    How IPS application protection rules work  43
    How IPS exceptions work  46
  Monitor IPS events  47
    Managing IPS events  48
    Creating an exception from an event  49
    Creating a trusted application from an event  50
  Monitor IPS client rules  50
    Managing IPS client rules  50
Configuring Firewall Policies  52
  Overview of Firewall policies  52
    How firewall rules work  53
    How firewall rule groups work  55
    How the Host IPS catalog works  58
    Firewall stateful packet filtering and inspection  59
    How learn and adaptive modes affect the firewall  63
    Firewall client rules  64
  Enable firewall protection  64
    Configuring the Firewall Options policy  65
    FAQ — McAfee TrustedSource and the firewall  66
  Define firewall protection  67
    Configuring the Firewall Rules policy  68
    Creating and editing firewall rules  69
    Creating and editing firewall rule groups  69
    Creating connection isolation groups  70
    Blocking DNS traffic  70
    Using the Host IPS catalog  70
    Managing firewall client rules  71
    FAQ — Use of wildcards in Firewall Rules  72
Configuring General Policies  73
  Overview of General policies  73
  Define client functionality  74
    Configuring a Client UI policy  74
    Setting Client UI general options  75
    Setting Client UI advanced options and passwords  75
    Setting Client UI troubleshooting options  76
  Define trusted networks  77
    Configuring a Trusted Networks policy  78
  Define trusted applications  78
    Configuring a Trusted Applications policy  79
    Creating and editing Trusted Application rules  79
    Assigning multiple instances of the policy  80
Working with Host Intrusion Prevention Clients  81
  Overview of the Windows client  81
    System tray icon menu  81
    Client console for Windows clients  83
    Unlocking the Windows client interface  83
    Setting client UI options  83
    Troubleshooting the Windows client  84
    Windows client alerts  86
    About the IPS Policy tab  88
    About the Firewall Policy tab  89
    About the Blocked Hosts tab  91
    Editing the Blocked Hosts list  92
    About the Application Protection List tab  92
    About the Activity Log tab  93
  Overview of the Solaris client  94
    Policy enforcement with the Solaris client  94
    Troubleshooting the Solaris client  95
  Overview of the Linux client  97
    Policy enforcement with the Linux client  97
    Notes about the Linux client  97
    Troubleshooting the Linux client  98
Appendix A — Writing Custom Signatures and Exceptions  101
  Rule structure  101
    Common sections  102
    Optional common sections  104
    Wildcards and variables  104
  Windows custom signatures  107
    Windows class Buffer Overflow  107
    Windows class Files  108
    Windows class Hook  111
    Windows class Illegal Host IPS API Use  112
    Windows class Illegal Use  113
    Windows class Isapi (HTTP)  113
    Windows class Program  116
    Windows class Registry  117
    Windows class Services  120
    Windows class SQL  122
    Classes and directives per Windows platform  123
  Non-Windows custom signatures  127
    Solaris/Linux class UNIX_file  127
    Solaris/Linux class UNIX_apache (HTTP)  130
    Solaris/Linux class UNIX_Misc  131
    Solaris class UNIX_bo  132
    Solaris class UNIX_map  133
    Solaris class UNIX_GUID  133
    Classes and directives per UNIX platform  134
Appendix B — Troubleshooting  136
  General issues  136
  Host IPS logs  141
  Clientcontrol.exe utility  144
Introducing Host Intrusion Prevention
McAfee® Host Intrusion Prevention is a host-based intrusion detection and prevention system that protects system resources and applications from external and internal attacks. It provides a manageable and scalable intrusion prevention solution for workstations, notebooks, and critical servers, including web and database servers. Its patented technology blocks zero-day and known attacks.
Host Intrusion Prevention (sometimes abbreviated in the product as Host IPS or HIP) can protect information and prevent the compromising of system and network resources and applications that store and deliver information. It accomplishes this with an end-point firewall feature and an intrusion prevention system (IPS) feature. The IPS feature has monthly content updates, which reduces the urgency of patches for new threats. The Host Intrusion Prevention firewall feature is purchased separately or in combination with the Host Intrusion Prevention IPS feature.
Host Intrusion Prevention is fully integrated with ePolicy Orchestrator and uses its framework to deliver and enforce policies. This approach provides a single management solution that allows for mass deployment of up to 100,000 systems in multiple languages across an entire enterprise for true global coverage.
Contents
Host IPS protection
Host IPS policies
Host IPS policy management
Host IPS policy tracking and tuning
Host IPS protection
After all the required components for Host Intrusion Prevention are installed and communicating, you are ready to apply protection, monitor events, and update policies and content as needed.
Basic protection
Host Intrusion Prevention ships with a set of default settings that provide basic protection for your environment. These settings include:
• For IPS protection:
• High severity signatures are prevented and all other signatures are ignored
• McAfee applications are listed as trusted applications for all rules except IPS self-protection rules
• Predefined applications and processes are protected
• For firewall protection:
• Basic network connectivity is allowed
NOTE: When Host Intrusion Prevention 8.0 is first installed, no protection is enabled. You must enable protection in the IPS Options or Firewall Options policy and apply the policy to the client.
Advanced protection
For advanced protection, switch from the default settings to stronger preset settings, or create custom settings.
Start with a sample deployment to monitor and tune the new settings. Tuning involves balancing intrusion prevention protection and access to required information and applications per group type.
Host IPS policies
A policy is a collection of settings that you configure and enforce through the ePolicy Orchestrator console. Applying policies ensures that your security needs on managed systems are met. Host Intrusion Prevention provides three policy features, each with a set of security options. These are: IPS, Firewall, and General. IPS and firewall features contain a “rules” policy with rules that define behavior, and an “options” policy that enables or disables the rules.
Ownership of policies is assigned in the Policy Catalog. After a policy is created, it can be edited or deleted only by the creator of the policy, the person associated as an owner of the policy, or the global administrator. Deleting a policy can be done only in the Policy Catalog.
IPS policies
The IPS feature contains three policies that protect both Windows and non-Windows computers. It details exceptions, signatures, application protection rules, events, and client-generated exceptions.
IPS Options (All platforms). Turns on or off IPS protection and application of adaptive mode for tuning.
IPS Protection (All platforms). Defines the protection reaction to events that signatures generate.
IPS Rules (All platforms). Defines signatures, exceptions, and application protection rules. This policy is a multiple instance policy, which allows for several IPS Rules policies, instead of a single policy, to be assigned to a system. The effective policy is then the result of the merged contents of the policies. If there are conflicting settings, the most protective explicit setting is applied.
Firewall policies
The Firewall feature contains three policies that protect Windows computers only. It filters network traffic, allowing legitimate traffic through the firewall and blocking the rest.
Firewall Options (Windows only). Turns on or off firewall protection and application of adaptive or learn mode for tuning.
Firewall Rules (Windows only). Defines firewall rules.
Firewall DNS Blocking (Windows only). Defines the domain name servers that are to be blocked.
General policies
The General feature contains three policies that can apply to both the IPS and Firewall features.
Client UI (Windows only). Defines access to the Host Intrusion Prevention user interface on Windows client systems, including troubleshooting options. Also provides password-protection on all non-Windows client systems.
Trusted Networks (Windows only). Lists IP addresses and networks that are safe for communication. Used with the IPS and Firewall features.
Trusted Applications (All platforms). Lists applications that are trusted to perform most operations. Used with the IPS feature. This policy is also a multiple instance policy, which allows for several Trusted Applications policies, instead of a single policy, to be assigned to a system. The effective policy is the result of the merged contents of the policies. If there are conflicting settings, the most protective setting is applied.
Host IPS policy management
The ePolicy Orchestrator console allows you to configure Host Intrusion Prevention policies from a central location.
How policies are enforced
When you change Host Intrusion Prevention policies in the ePolicy Orchestrator console, the changes take effect on the managed systems at the next agent-server communication. This interval is set to occur once every 60 minutes by default. To enforce policies immediately, you can send an agent wake-up call from the ePolicy Orchestrator console.
Policies and their categories
Policy information for Host Intrusion Prevention is grouped by feature and category. Each policy category refers to a specific subset of policies. A policy is a configured group of settings for a specific purpose. You can create, modify, or delete as many policies as needed.
Each policy category has a preconfigured McAfee Default policy, which cannot be edited or deleted. Except for IPS Rules and Trusted Applications, all policies also have an editable My Default policy based on the default policy. Some policy categories include several read-only preconfigured policies. If these preconfigured policies meet your needs, you can apply any one of them. These read-only policies, like all policies, can be duplicated and the duplicate customized, if needed.
IPS Rules and Trusted Applications policies are multiple-instance policies because you can assign multiple policy instances under a single policy. The policy instances are automatically combined into one effective policy.
TIP: The McAfee Default policies for IPS Rules and Trusted Applications are automatically updated as part of the content update process. McAfee recommends always assigning these policies to all clients and creating additional policy instances to customize the behavior of these two policies.
How policies are applied
Policies are applied to any System Tree group or system by inheritance or assignment.
Inheritance determines whether the policy settings for any system are taken from its parent. By default, inheritance is enabled throughout the System Tree. You can break inheritance by direct policy assignment. Host Intrusion Prevention, as managed by ePolicy Orchestrator, enables you to create policies and assign them without regard to inheritance. When you break this inheritance by assigning a new policy, all groups and systems below inherit the new policy.
Policy ownership
Each policy is required to have an assigned owner. Ownership ensures that no one can modify the policy other than the global administrator, the creator of the policy, or the person associated as the policy owner. Any administrator can use any policy that exists in the catalog, but only the creator, owner, or global administrator can modify it.
TIP: Rather than use a policy owned by a different administrator, we recommend that you duplicate the policy, then assign the duplicate. Otherwise, if you assign a policy that you do not own to System Tree groups that you administer, and the owner of the policy modifies it, all systems to which this policy is assigned receive these modifications.
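The inheritance rule above (a system takes each policy category from its nearest ancestor that assigns one, and a direct assignment re-points everything beneath it) can be modelled in a few lines. The following is an added example written for this page, not McAfee or ePolicy Orchestrator code; the group, system and policy names are made up, and only the categories named in this chapter are used.

```python
"""Model of System Tree policy inheritance as the guide describes it.
Added example; not McAfee code. Group, system and policy names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every policy category falls back to its read-only McAfee Default policy when
# nothing in the ancestry assigns a policy for that category.
DEFAULT_POLICY = "McAfee Default"


@dataclass
class TreeNode:
    """A System Tree group or managed system."""
    name: str
    parent: Optional["TreeNode"] = field(default=None, repr=False, compare=False)
    # Direct assignments, category -> policy name. A direct assignment breaks
    # inheritance for that category at this node and everything below it.
    assigned: Dict[str, str] = field(default_factory=dict)
    children: List["TreeNode"] = field(default_factory=list)

    def add(self, name: str) -> "TreeNode":
        child = TreeNode(name, parent=self)
        self.children.append(child)
        return child


def assign_policy(node: TreeNode, category: str, policy: str) -> None:
    """Direct assignment: this node and all its descendants now receive `policy`."""
    node.assigned[category] = policy


def effective_policy(node: TreeNode, category: str) -> str:
    """Walk toward the root; the nearest direct assignment wins, else the McAfee Default."""
    current: Optional[TreeNode] = node
    while current is not None:
        if category in current.assigned:
            return current.assigned[category]
        current = current.parent
    return DEFAULT_POLICY


def effective_policies_below(node: TreeNode, category: str) -> Dict[str, str]:
    """Effective policy for `node` and every descendant, keyed by node name."""
    result = {node.name: effective_policy(node, category)}
    for child in node.children:
        result.update(effective_policies_below(child, category))
    return result


def find(node: TreeNode, name: str) -> Optional[TreeNode]:
    """Depth-first lookup of a group or system by name."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def build_sample_tree() -> TreeNode:
    """Constructed tree grouped by system type, then by usage profile, as the guide suggests."""
    root = TreeNode("My Organization")
    servers = root.add("Servers")
    web = servers.add("Web Servers")
    web.add("web01")
    desktops = root.add("Desktops")
    desktops.add("desk01")
    # Turn IPS on for every server; desktops keep the McAfee Default (protection off).
    assign_policy(servers, "IPS Options", "IPS On (custom)")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print(effective_policies_below(tree, "IPS Options"))
    # Breaking inheritance lower down re-points only the subtree beneath Web Servers.
    assign_policy(find(tree, "Web Servers"), "IPS Options", "IPS On (adaptive, web profile)")
    print(effective_policies_below(tree, "IPS Options"))
```

Running it shows the two behaviours the text describes: `desk01` reports `McAfee Default` for IPS Options because nothing above it assigns one, and after the second assignment `web01` follows Web Servers while `Servers` itself keeps its own assignment.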
Host IPS policy tracking and tuning
The deployment and management of Host Intrusion Prevention clients are handled from ePolicy Orchestrator. In the ePO System Tree you can group systems hierarchically by attributes. For example, you might group a first level by geographic location and a second level by operating system platform or IP address. McAfee recommends grouping systems by Host Intrusion Prevention configuration criteria, including system type (server or desktop), use of major applications (web, database, or mail server), and strategic locations (DMZ or intranet). You can place systems that fit a common usage profile into a common group on the System Tree. In fact, you might name a group after its usage profile, for example, Web Servers.
With computers grouped in the System Tree according to type, function, or geographic location, you can easily divide administrative functions along the same lines. With Host Intrusion Prevention you can divide administrative duties based on product features, such as IPS or firewall.
Deploying Host Intrusion Prevention to thousands of computers is easily managed because most computers fit into a few usage profiles. Managing a large deployment is reduced to maintaining a few policy rules. As a deployment grows, newly added systems should fit one or more existing profiles, and be placed under the correct group on the System Tree.
Preset protection
Host Intrusion Prevention offers two types of protection:
• Basic protection is available through the McAfee Default policy settings. This protection requires little or no tuning and generates few events. For many environments this basic protection might be sufficient.
• Advanced protection is also available from some preconfigured IPS and firewall policies or by creating custom policies. Servers, for example, need stronger protection than that offered in basic protection.
Both scenarios require some tuning of protection settings for actual working environments.
Adaptive mode
To help tune protection settings, Host Intrusion Prevention clients can create client-side rules to server-mandated policies that block legitimate activity. The automatic creation of client rules is permitted when clients are placed in adaptive mode. In adaptive mode, client rules are created without interaction from the user. After client rules are created, you need to carefully analyze them and decide which to convert to server-mandated policies.
Often in a large organization, avoiding disruption to business takes priority over security concerns. For example, new applications might need to be installed periodically on some computers, and you might not have the time or resources to immediately tune them. Host Intrusion Prevention enables you to place specific computers in adaptive mode for IPS protection. Those computers can profile a newly installed application, and forward the resulting client rules to the ePolicy Orchestrator server. The administrator can promote these client rules to an existing or new policy, then apply the policy to other computers to handle the new software.
Systems in adaptive mode have virtually no protection, so the adaptive mode should be used only for tuning an environment and eventually turned off to tighten the system’s protection.
Tuning
As part of Host Intrusion Prevention deployment, you need to identify a small number of distinct usage profiles and create policies for them. The best way to achieve this is to set up a test deployment, then begin reducing the number of false positives and generated events. This process is called tuning.
Stronger IPS rules target a wider range of violations and generate more events than in a basic environment. If you apply advanced protection, McAfee recommends using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore). By initially setting all severity reactions except High to Ignore, only the High severity signatures are applied. The other levels can be raised incrementally as tuning progresses.
You can reduce the number of false positives by creating exception rules, trusted applications, and firewall rules.
• Exception rules are mechanisms for overriding an IPS signature in specific circumstances.
• Trusted applications are application processes that ignore all IPS or Firewall rules.
• Firewall rules determine whether traffic is permissible, and allow or block packet reception and transmission.
Dashboards and queries
Dashboards enable you to track your environment by displaying several queries at once. These queries can be constantly refreshed or run at a specified frequency.
Queries enable you to obtain data about a particular item and filter the data for specific subsets of that data; for example, high-level events reported by particular clients for a specified time period. Reports can be scheduled and sent as an email message.
Managing Your Protection
Management of a Host Intrusion Prevention deployment includes monitoring, analyzing, and reacting to activities; changing and updating policies; and performing system tasks.
Contents
Information management
Policy management
System management
Information management
After you have installed Host Intrusion Prevention, you can track and report on security issues that arise in your environment. Use the dashboards for a daily view of the security situation or to run queries for detailed information on particular issues.
Host IPS dashboards
Dashboards are a collection of monitors that are an essential tool for managing your environment. Monitors can be anything from a chart-based query to a small web-application, like the MyAvert Threat Service. You can create and edit multiple dashboards if you have the permissions. Use any chart-based query as a dashboard that refreshes at a specified frequency, so you can put your most useful queries on a live dashboard.
Host Intrusion Prevention provides two default dashboards with these monitors:
Table 1: Host IPS dashboards and monitors
Dashboard: Host IPS Status
Monitors: Service Status; Count of IPS Client Rules; Content Versions; Host IPS Status; Firewall Status; Top 10 NIPS Events by Source IP
Dashboard: Host IPS Triggered Signatures
Monitors: Desktop High Triggered Signatures; Desktop Medium Triggered Signatures; Desktop Low Triggered Signatures; Server High Triggered Signatures; Server Medium Triggered Signatures; Server Low Triggered Signatures
For more information about creating and using dashboards, see the ePolicy Orchestrator documentation.
Host IPS queries
Host Intrusion Prevention includes query functionality through ePolicy Orchestrator. You can create useful queries from events and properties stored in the ePO database or use predefined queries.
You can produce queries for a group of selected client systems, or limit report results by product or system criteria. You can export reports into a variety of file formats, including HTML and Microsoft Excel.
Query options:
• Setting a filter to gather only selected information. Choose which group or tags to include in the report.
• Setting a data filter using logical operators, to define precise filters on the data returned by the report.
• Generating graphical reports from the information in the database, filtering the reports as needed, printing the reports, and exporting them to other software.
• Running queries of computers, events, and installations.
Predefined and custom queries to analyze your protection
The reporting feature contains predefined queries from Host Intrusion Prevention and allows you to create custom queries.
Organize and maintain custom queries to suit your needs. For example, if you customize settings for a report, export these settings as a template. After creating custom templates, organize them in logical groupings so that you can run them as needed on a daily, weekly, or monthly basis.
After a report is generated, you view summary information, as determined by the filter, if any, that you have set. From the summary information you drill down to one or two levels for detailed information, all in the same report.
You control how much report information is visible to different users; for example, global administrators versus other users. Some users view reports only on systems in sites where they have permissions. Report information is also controlled by applying filters.
Custom queries
You can create four specific Host IPS queries with the Query Builder under Others: Host IPS 8.0 Firewall Client Rules, Host IPS 8.0 Firewall Client Rule Executables, Host IPS 8.0 IPS Client Rules, and Host IPS 8.0 IPS Exceptions.
Parameters for these queries include:
Table 2: Host IPS queries and parameters
Query: Host IPS 8.0 Catalog Firewall Rules and Firewall Client Rules
NOTE: This query returns IPS Catalog firewall rules, IPS Catalog firewall groups, and firewall client rules. Possible action values are allow, block, and jump, with jump the action for groups, which have no allow/block action. IPS Catalog rules and groups have the leafNodeId filter value set to 0, so to view firewall client rules only, set the leafNodeId filter value to > 0.
Parameters: Action, Direction, Enabled, Last Modified, Last Modifying User, Leaf Node ID, Local Services, Log Status, IP Protocol, Match Intrusion, Media Type, Name, Note, Remote Services, Rule ID, Schedule End, Schedule Start, Switch When Expired, Transport Protocol
Query: Host IPS 8.0 Firewall Client Rule Executables
Parameters: Fingerprint, Name, Note, Path, Rule ID, Signer Name
Query: Host IPS 8.0 IPS Client Rules
Parameters: Creation Date, Description, Executable Name, Executable Path, Fingerprint, Full Executable Name, Include All Executables, Include All Signatures, Include All Users, Last Modified Date, Local Version, Reaction, Signature ID, Signer Name, Status, User Name
Query: Host IPS 8.0 IPS Exceptions
Parameters: IPS Exception Rule, IPS Rules Policy
Common Host IPS properties
The Host IPS custom queries and some of the other custom queries allow you to include these Host IPS properties:
• Agent type
• Blocked Attackers
• Client Version
• Content Version
• Firewall Adaptive Mode Status
• Firewall Fault (Errors)
• Firewall Inbound Learn Mode Status
• Firewall Outbound Learn Mode Status
• Firewall Rule Count
• Firewall Status
• Host IPS Event Info (Hidden, Read)
• Host IPS Fault (Errors)
• Host IPS Status
• Hotfix/Patch Version
• Install Directory
• IPS Adaptive Mode Status
• Language
• Local Exception Rule Count
• Network IPS Status
• Pending Reboot
• Plug-in Version
• Product Status
• Product Version
• Service Pack
• Service Running
• Signature Name
Pre-defined queries
In addition to custom queries, you can use several pre-defined queries as is, or edit them to obtain just the information you need. Select from these Host IPS predefined queries:
Client Rules By Process: Displays firewall client rules listed by process.
Client Rules By Process/Port Range: Displays firewall client rules listed by process and port range.
Client Rules By Process/User: Displays firewall client rules listed by process and user.
Client Rules By Protocol/System Name: Displays firewall client rules listed by protocol and system name.
Client Rules By Protocol/Port Range: Displays firewall client rules listed by protocol and port range.
Client Rules by Protocol/Process: Displays firewall client rules listed by protocol and process.
Client Versions: Displays the top three client versions with a single category for all other versions.
Clients Pending Restart: Displays managed systems where Host IPS is deployed and the installer needs to restart the system.
Content Versions: Displays the top three content versions with a single category for all other versions.
Count of FW Client Rules: Displays the number of Firewall client rules created over time.
Count of IPS Client Rules: Displays the number of IPS client rules created over time.
Desktop High Triggered Signatures: Displays the top 10 most triggered IPS signatures of High Severity (Critical).
Desktop Medium Triggered Signatures: Displays the top 10 most triggered IPS signatures of Medium Severity (Warning).
Desktop Low Triggered Signatures: Displays the top 10 most triggered IPS signatures of Low Severity (Notice).
Events From Host IPS Trusted Networks: Displays events generated by systems within Host IPS trusted networks.
Firewall Errors: Displays managed systems where the Firewall feature is enabled by policy but didn't start successfully.
Firewall Status: Displays where Firewall protection is enabled or disabled on managed systems.
Host IPS Errors: Displays managed systems where the IPS feature is enabled by policy but didn't start successfully.
Host IPS Status: Displays where IPS protection is enabled or disabled on managed systems.
IPS Exceptions Report: Displays IPS Rule policies that use IPS exceptions.
Server High Triggered Signatures: Displays the top 10 most triggered IPS signatures of High Severity (Critical).
Server Medium Triggered Signatures: Displays the top 10 most triggered IPS signatures of Medium Severity (Warning).
Server Low Triggered Signatures: Displays the top 10 most triggered IPS signatures of Low Severity (Notice).
Service Status: Displays where Host IPS is installed and whether it is running or not on managed systems.
Top 10 IPS Events by Target: Displays the top 10 systems with the most IPS events.
Top 10 NIPS By Source IP: Displays the top 10 network intrusion events by source IP addresses for the past three months.
Top 10 Triggered Signatures: Displays the top 10 triggered IPS signatures.
Policy management
Management of policies involves configuring and applying policies and the tuning of protection for system resources and applications. Part of this process requires an analysis of events and client rules.
Where to find policies
ePolicy Orchestrator provides two locations to view and manage Host Intrusion Prevention policies: the Assigned Policies tab (Systems | System Tree | Assigned Policies tab for a selected group in the System Tree) and the Policy Catalog tab (Systems | Policy Catalog).
For a selected group or system, use the Assigned Policies tab to:
• View the available policies of a particular feature of the product
• View details of the policy
• View inheritance information
• Edit policy assignment
• Edit custom policies
Use the Policy Catalog to:
• Create policies
• View and edit policy information
• View where a policy is assigned
• View the settings and owner of a policy
• View assignments where policy enforcement is disabled
To create a policy: Click New Policy, name it, and edit the settings.
To view a policy: Click View (only available for McAfee Default or preconfigured policies).
To edit a policy: Click Edit (only available for My Default or custom policies).
To rename a policy: Click Rename and change the name of the policy (not available for default or preconfigured policies).
To duplicate a policy: Click Duplicate, change the name of the policy, and edit the settings.
To delete a policy: Click Delete (not available for default or preconfigured policies).
NOTE: When you delete a policy, all groups to which it is currently applied inherit the policy of this category from their parent. Before deleting a policy, look at all of the systems where it is assigned, and assign a different policy if you don't want the policy to inherit from the parent. If you delete a policy that is applied at the top level, the default policy of this category is applied.
To assign a policy owner: Click the owner of the policy and select another owner from a list (not available for default or preconfigured policies).
To export a policy: Click Export, then name and save the policy (an XML file) to the desired location.
To export all policies: Click Export all policies, then name and save the policy XML file to the desired location.
To import policies: Click Import at the top of the Policy Catalog page, select the policy XML file, then click OK.
For details on any of these features, see the ePolicy Orchestrator documentation.
Configuring policies
After you install the Host Intrusion Prevention software, McAfee recommends that you configure policies to provide the greatest amount of security without conflicting with day-to-day activities. The default policies in Host Intrusion Prevention fit the broadest set of customer environments and might meet your needs. To tune policies to fit your particular setting, we recommend the following:
• Carefully define your Host Intrusion Prevention security configuration. Evaluate who is responsible for configuring particular parts of the system and grant them appropriate permissions.
• Change the default IPS Protection or Firewall Rules policies, which provide increasing levels of preset protection.
• Modify severity levels of specific signatures. For example, when a signature is triggered by the day-to-day work of users, adjust the severity to a lower level.
• Configure dashboards for a quick overview of compliance and issues.
• Configure automatic responses to alert specific individuals when particular events occur. For example, a notification can be sent when an activity that triggers a High severity event occurs on a particular server.
Creating a new policy
To create a new policy, you copy an existing one and name the new copy. You can do this either in the Policy Catalog or from a Policy page.
Task
For option definitions, click ? in the interface.
• Do one of the following from the Policy Catalog:
• Click the New Policy button. Select the policy you want to make a copy of, type the name of the new policy, and click OK.
• Click the Duplicate link for a policy. Type the name of the new policy, and click OK.
• Click the View or Edit link for a policy, then on the Policy page, click the Duplicate button. Type the name of the new policy, and click OK. The duplicated policy appears. Edit the policy and click Save.
Changing policy assignment
Use this task to change the Host Intrusion Prevention policy assignment for a group or a single system in the ePolicy Orchestrator System Tree.
Task
For option definitions, click ? in the interface.
• Do one of the following:
• For a group, go to Systems | System Tree, select a group, and then on the Assigned Policies tab click Edit Assignment.
• For a system, go to Systems | System Tree, select a group that contains the system, and then on the System tab, select the system and select Actions | Agents | Modify Policies on a Single System.
Default protection and tuning
Host Intrusion Prevention works with default policies for basic protection. It allows greater protection through custom settings obtained through manual or automatic tuning.
Default protection
Host Intrusion Prevention ships with a set of default policies that provide basic protection for your environment. Both IPS and firewall protection are off by default and must be enabled for the default rules policies to be enforced.
For advanced protection, switch from the default IPS policies to stronger preset policies, or create custom policies.
Start with a sample deployment to monitor and tune the new settings. Tuning involves balancing intrusion prevention protection and access to required information and applications per group type.
Manual tuning
Manual tuning requires directly monitoring, for a set period of time, the events and client rules that are created.
• For IPS protection, monitor events for false positives and create exceptions or trusted applications to prevent these events from reoccurring.
• For firewall protection, monitor network traffic and add trusted networks to allow appropriate network traffic.
• Monitor the effects of the new exceptions, trusted applications, and trusted networks.
• If these rules succeed in preventing false positives, keeping network traffic to a minimum, and allowing legitimate activity, make them part of a new or existing policy.
• Apply the new policy to a set of computers and monitor the results.
• Repeat this process with each production group type.
Automatic tuning
Automatic tuning removes the need to constantly monitor all events and activities for all users.
• Apply adaptive mode for IPS and Firewall policies.
• In adaptive mode, IPS events are not triggered and activity is not blocked, except for malicious exploits. Client rules are created automatically to allow legitimate activity.
• Review the lists of client rules.
• Promote appropriate client rules to administrative policy rules.
• After a few weeks, turn off the adaptive mode.
• Monitor the test group for a few days to be sure the policy settings are appropriate and offer the desired protection.
• Repeat this process with each production group type.
Clients and planning your deployment
The Host Intrusion Prevention client is the essential component providing protection. When deploying clients, we recommend a phased approach:
Determine your initial client rollout plan. Although you can deploy Host Intrusion Prevention clients to every host (servers, desktops, and laptops) in your company, McAfee recommends that you start by installing clients on a limited number of representative systems and tuning their configuration. After you have fine-tuned the deployment, you can then deploy more clients and leverage the policies, exceptions, and client rules created in the initial rollout.
Establish a naming convention for your clients. Clients are identified by name in the System Tree, in certain reports, and in event data generated by activity on the client. Clients can take the names of the hosts where they are installed, or you can assign a specific client name during installation. McAfee recommends establishing a naming convention for clients that is easy to interpret by anyone working with the Host Intrusion Prevention deployment.
Install the clients. Clients can be installed with a default set of IPS and firewall policies. New policies with updated rules can later be pushed from the server.
Group the clients logically. Clients can be grouped according to any criteria that fits in the System Tree hierarchy. For example, you might group clients according to their geographic location, corporate function, or the characteristics of the system.
Client data and what it tells you
After you install and group your clients, the deployment is complete. You should begin to see events triggered by activity on the clients. If you have placed clients in adaptive mode, you should see the client rules that indicate which client exception rules are being created. By analyzing this data, you begin to tune the deployment.
To analyze event data, view the Events tab of the Host IPS tab under Reporting. You can drill down to the details of an event, such as which process triggered the event, when the event was generated, and which client generated the event. Analyze the event and take the appropriate action to tune the Host Intrusion Prevention deployment to provide better responses to attacks. The Events tab displays all Host IPS events, including NIPS, Firewall intrusions, and TrustedSource block events.
To analyze client rules, view the IPS Client Rules and Firewall Client Rules tabs. You can see which rules are being created, aggregate them to find the most prevalent common rules, and move the rules directly to a policy for application to other clients.
In addition, the ePolicy Orchestrator Reporting module provides detailed reports based on events, client rules, and the Host Intrusion Prevention configuration. Use these queries to communicate environment activity to other members of your team and management.
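The aggregation step described above, finding the most prevalent client rules and promoting them, can also be done outside the console on an export of the IPS Client Rules tab. The following Python is an added example and not part of the product: it runs on a constructed in-memory sample whose field names follow the Host IPS 8.0 IPS Client Rules query, and the promotion threshold of three clients is an assumed value. A rule reported under several users, or under an unresolved user, is widened to all users, and a path that maps to more than one fingerprint is flagged because a path-based exception would cover both binaries.

```python
from collections import defaultdict

# Constructed sample of IPS client rules, one row per rule as it would be
# exported from the IPS Client Rules tab. Field names follow the Host IPS 8.0
# IPS Client Rules query; client names, signature IDs and paths are illustrative.
UNKNOWN_USER = "domain unknown/user unknown"

SAMPLE_CLIENT_RULES = [
    {"Client": "eng-ws-01", "Signature ID": 3001, "Executable Path": r"C:\Tools\build.exe",
     "User Name": r"CORP\alice", "Fingerprint": "aa11"},
    {"Client": "eng-ws-02", "Signature ID": 3001, "Executable Path": r"C:\Tools\build.exe",
     "User Name": r"CORP\bob", "Fingerprint": "aa11"},
    {"Client": "eng-ws-03", "Signature ID": 3001, "Executable Path": r"C:\Tools\build.exe",
     "User Name": UNKNOWN_USER, "Fingerprint": "aa11"},
    {"Client": "eng-ws-03", "Signature ID": 3001, "Executable Path": r"C:\Tools\build.exe",
     "User Name": UNKNOWN_USER, "Fingerprint": "aa11"},   # same rule reported twice
    {"Client": "fin-ws-07", "Signature ID": 4120, "Executable Path": r"C:\Program Files\IM\im.exe",
     "User Name": r"CORP\carol", "Fingerprint": "bb22"},
    {"Client": "eng-ws-01", "Signature ID": 5500, "Executable Path": r"C:\Tools\hook.exe",
     "User Name": r"CORP\alice", "Fingerprint": "cc33"},
    {"Client": "eng-ws-02", "Signature ID": 5500, "Executable Path": r"C:\Tools\hook.exe",
     "User Name": r"CORP\alice", "Fingerprint": "cc33"},
    {"Client": "eng-ws-04", "Signature ID": 5500, "Executable Path": r"C:\Tools\hook.exe",
     "User Name": r"CORP\alice", "Fingerprint": "dd44"},   # different binary at the same path
]


def aggregate(rules):
    """Group client rules by (signature ID, executable path) and collect the
    distinct clients, users and fingerprints that reported each combination."""
    groups = defaultdict(lambda: {"clients": set(), "users": set(), "fingerprints": set()})
    for r in rules:
        g = groups[(r["Signature ID"], r["Executable Path"])]
        g["clients"].add(r["Client"])
        g["users"].add(r["User Name"])
        g["fingerprints"].add(r["Fingerprint"])
    return groups


def propose_exceptions(rules, min_clients=3):
    """Return candidate IPS Rules policy exceptions for client rules seen on at
    least min_clients systems (assumed threshold). A rule seen under several
    users, or under an unresolved user, is widened to all users; a path that
    maps to more than one fingerprint is flagged for manual review."""
    proposals = []
    for (sig_id, path), g in sorted(aggregate(rules).items(), key=lambda kv: kv[0]):
        if len(g["clients"]) < min_clients:
            continue
        all_users = len(g["users"]) > 1 or UNKNOWN_USER in g["users"]
        proposals.append({
            "Signature ID": sig_id,
            "Executable Path": path,
            "Include All Users": all_users,
            "User Name": None if all_users else next(iter(g["users"])),
            "Client Count": len(g["clients"]),
            "Ambiguous Fingerprint": len(g["fingerprints"]) > 1,
        })
    return proposals


if __name__ == "__main__":
    for p in propose_exceptions(SAMPLE_CLIENT_RULES):
        print(p)
```

Review the Ambiguous Fingerprint flag before creating the exception in an IPS Rules policy; an exception for that path would also cover the second binary.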
Adaptive mode
A major element in the tuning process includes placing Host Intrusion Prevention clients in adaptive mode for IPS and Firewall. This mode allows computers to create client exception rules to administrative policies. Adaptive mode does this automatically without user interaction.
This mode analyzes events first for the most malicious attacks, such as buffer overflow. If the activity is considered regular and necessary for business, client exception rules are created. By setting representative clients in adaptive mode, you can create a tuning configuration for them. Host Intrusion Prevention then allows you to take any, all, or none of the client rules and convert them to server-mandated policies. When tuning is complete, turn off adaptive mode to tighten the system’s intrusion prevention protection.
• Run clients in adaptive mode for at least a week. This allows the clients time to encounter all the activity they would normally encounter. Try to do this during times of scheduled activity, such as backups or script processing.
• As each activity is encountered, IPS events are generated and exceptions are created. Exceptions are activities that are distinguished as legitimate behavior. For example, a policy might deem certain script processing as illegal behavior, but certain systems in your engineering groups need to perform such tasks. Allow exceptions to be created for those systems, so they can function normally while the policy continues to prevent this activity on other systems. Then make these exceptions part of a server-mandated policy to cover only the engineering group.
• You might require software applications for normal business in some areas of the company, but not in others. For example, you might allow Instant Messaging in your Technical Support organization, but prevent its use in your Finance department. You can establish the application as trusted on the systems in Technical Support to allow users full access to it.
• The Firewall feature acts as a filter between a computer and the network or the Internet. The firewall scans all incoming and outgoing traffic at the packet level. As it reviews each arriving or departing packet, the firewall checks its list of firewall rules, which is a set of criteria with associated actions. If a packet matches all the criteria in a rule, the firewall performs the action specified by the rule — which allows the packet through the firewall, or blocks it.
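The packet-matching behaviour described in the last bullet, together with rule groups (whose action is jump rather than allow or block) and the way adaptive mode adds a per-process client rule for traffic no policy rule covers, can be illustrated with a small model. The following Python is an added example, not McAfee's firewall code: the rule fields, the assumption that policy rules are consulted before client rules, that unmatched traffic is blocked, that a location-aware group with connection isolation blocks traffic on other active interfaces, and the shape of the learned rule are all illustrative choices. The leaf_node_id field mirrors the leafNodeId filter of the Catalog Firewall Rules and Firewall Client Rules query, where 0 marks a policy rule and a positive value a client rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Union

# Added example of first-match firewall evaluation with rule groups ("jump")
# and adaptive-mode learning. Evaluation order, block-by-default, connection
# isolation behaviour and the learned-rule shape are assumptions, not McAfee's.

@dataclass
class Packet:
    direction: str                 # "in" or "out"
    protocol: str                  # "tcp", "udp", "icmp", or anything else
    interface: str                 # NIC the packet was sent or received on
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    process: Optional[str] = None  # owning process path, None if unknown

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    direction: str = "either"
    protocol: str = "any"
    local_ports: Optional[Set[int]] = None   # None = any port
    remote_ports: Optional[Set[int]] = None
    process: Optional[str] = None            # None = any process
    enabled: bool = True
    leaf_node_id: int = 0          # 0 = policy (catalog) rule, > 0 = client rule

    def matches(self, p: Packet) -> bool:
        # A packet matches only when every criterion of the rule is satisfied.
        return (self.enabled
                and self.direction in ("either", p.direction)
                and self.protocol in ("any", p.protocol)
                and (self.local_ports is None or p.local_port in self.local_ports)
                and (self.remote_ports is None or p.remote_port in self.remote_ports)
                and (self.process is None or self.process == p.process))

@dataclass
class Group:
    """Ordered rules with the group action "jump": when the group applies to the
    packet, evaluation continues inside it. A location-aware group is bound to
    one interface."""
    name: str
    rules: List[Rule]
    interface: Optional[str] = None
    connection_isolation: bool = False

class Firewall:
    def __init__(self, entries: List[Union[Rule, Group]], adaptive: bool = False,
                 active_interfaces: Set[str] = frozenset()):
        self.entries = list(entries)
        self.adaptive = adaptive
        self.active_interfaces = set(active_interfaces)
        self.client_rules: List[Rule] = []

    def _first_match(self, p: Packet):
        for entry in self.entries:
            if isinstance(entry, Group):
                if (entry.connection_isolation and entry.interface in self.active_interfaces
                        and p.interface != entry.interface):
                    return None, "isolated"          # traffic on other NICs is cut off
                if entry.interface not in (None, p.interface):
                    continue
                for r in entry.rules:
                    if r.matches(p):
                        return r, "jump:" + entry.name
            elif entry.matches(p):
                return entry, "policy"
        for r in self.client_rules:               # consulted only after policy rules
            if r.matches(p):
                return r, "client"
        return None, "none"

    def evaluate(self, p: Packet):
        """Return (action, reason). In adaptive mode an unmatched TCP/UDP/ICMP
        packet with a known owning process is allowed and a per-process client
        rule is recorded; a packet with no process, or another protocol, is not."""
        rule, how = self._first_match(p)
        if rule is not None:
            return rule.action, how
        if how == "isolated":
            return "block", how
        if self.adaptive and p.protocol in ("tcp", "udp", "icmp") and p.process is not None:
            leaf = len(self.client_rules) + 1
            self.client_rules.append(Rule(
                name="client rule %d" % leaf, action="allow",
                direction=p.direction, protocol=p.protocol,
                local_ports={p.local_port} if p.direction == "in" and p.local_port is not None else None,
                remote_ports={p.remote_port} if p.direction == "out" and p.remote_port is not None else None,
                process=p.process, leaf_node_id=leaf))
            return "allow", "learned"
        return "block", "default"

    def rules(self, client_only: bool = False) -> List[Rule]:
        """Flattened rule list; client_only mirrors the leafNodeId > 0 filter."""
        out: List[Rule] = []
        for e in self.entries:
            out.extend(e.rules if isinstance(e, Group) else [e])
        out.extend(self.client_rules)
        return [r for r in out if r.leaf_node_id > 0] if client_only else out

# Constructed policy: a catalog rule, a location-aware group bound to eth0 with
# connection isolation, and an explicit block.
POLICY = [
    Rule("Allow DNS out", "allow", direction="out", protocol="udp", remote_ports={53}),
    Group("Corp LAN", interface="eth0", connection_isolation=True, rules=[
        Rule("Allow SMB in", "allow", direction="in", protocol="tcp", local_ports={139, 445}),
    ]),
    Rule("Block Telnet in", "block", direction="in", protocol="tcp", local_ports={23}),
]
```

Evaluate the same outbound packet twice against an adaptive Firewall built from POLICY: the first call returns ("allow", "learned") and records a client rule, the second returns ("allow", "client"); an inbound ICMP packet with no owning process is blocked and creates nothing, which is the behaviour the adaptive mode FAQ describes.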
FAQ — Adaptive mode
Adaptive mode is a setting you can apply to the IPS and firewall features when testing rollouts of new policies. It allows the Host Intrusion Prevention client to automatically create rules to allow activity while preserving minimum protection from vulnerabilities. The following questions and answers should help you in using this feature.
How do you turn on adaptive mode?
You turn on adaptive mode by enabling this option in the IPS Options or Firewall Options policy and applying this policy to the Host Intrusion Prevention client.
How does adaptive mode work differently with IPS and Firewall?
With IPS, the adaptive mode creates client-side rules that are exceptions to existing IPS signatures. With the firewall, the adaptive mode creates client-side rules to allow network packets not covered by existing firewall rules.
IPS client exceptions are created on a per-user, per-process, per-signature basis and are path-based only. Firewall client rules are created on a per-process basis and the processes associated with firewall client rules are based on path, file description, digital signature, and MD5 hash.
When is a rule not created automatically with adaptive mode?
With IPS:
• The signature in the effective IPS Rules policy does not allow a client rule to be created. (This setting is standard for most high-severity IPS signatures. These signatures are tuned to detect and prevent the most severe threats to your systems, so it is unlikely that normal business activity would require an automated exception.)
• The reaction to the signature is "Ignore."
• The associated action triggers a network IPS signature.
• A user attempts to stop the McAfee Host IPS service, regardless of the client rule setting for service self-protection in signature 1000.
• There is already an exception, which excludes the operation in question, in an applied IPS Rules policy.
• The process associated with the action is trusted for IPS in an applied Trusted Applications policy, and the signature is not excluded from Trusted Applications.
With the firewall:
• There is no application associated with the packet when examined in the client activity log. Some of the most common examples include:
• Incoming requests for services that are not running, such as file transfer protocol (FTP) or Telnet.
• Incoming Internet Control Message Protocol (ICMP), such as an echo request.
• Incoming or outgoing ICMP on the Microsoft Windows Vista operating system.
• Transmission Control Protocol (TCP) packets to port 139 (NetBIOS SSN) or 445 (MSDS), which might be required for Windows file sharing.
• Internet Protocol Security (IPsec) packets associated with virtual private network (VPN) client solutions.
• There is already a rule in the applied Firewall Rules policy that blocks or allows the packet.
• The applied Firewall Rules policy has a location-aware group with connection isolation enabled, an active network interface card (NIC) matches the group, and the packet is sent or received on a NIC that does not match the group.
• The packet is not TCP, user datagram protocol (UDP), or ICMP.
• More than one user is logged on to the system, or no user is logged on to the system.
Are there other limitations?
• IPS might fail to detect the user associated with some client rules (displayed as "domain unknown/user unknown" in the client rule on ePolicy Orchestrator). Exceptions can still be created with these client rules, but they apply to all users.
• Some incoming TCP connections such as remote desktop or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) might require multiple attempts to create a firewall rule.
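The severity-to-reaction staggering recommended under Tuning, the exception and trusted-application overrides, and the cases listed above in which adaptive mode creates no IPS client rule can be written as one decision procedure. The following Python is an added example, not McAfee's code: the four tuning stages, the evaluation order (policy exceptions, then trusted applications, then client rules, then the severity reaction), and every signature ID and severity apart from the service self-protection signature 1000 named in the FAQ are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example of IPS event disposition under an IPS Protection policy
# (severity -> reaction), IPS Rules exceptions, Trusted Applications and
# adaptive mode. Evaluation order, tuning stages, and all signature IDs and
# severities other than the ID 1000 are assumptions, not McAfee's implementation.

SERVICE_SELF_PROTECTION = 1000            # never produces a client rule
UNKNOWN_USER = "domain unknown/user unknown"

# Staggered rollout as the guide suggests: stage 1 enforces only High and
# ignores the rest; each later stage raises one more level (assumed steps).
TUNING_STAGES: Dict[int, Dict[str, str]] = {
    1: {"High": "Prevent", "Medium": "Ignore",  "Low": "Ignore",  "Information": "Ignore"},
    2: {"High": "Prevent", "Medium": "Log",     "Low": "Ignore",  "Information": "Ignore"},
    3: {"High": "Prevent", "Medium": "Prevent", "Low": "Log",     "Information": "Ignore"},
    4: {"High": "Prevent", "Medium": "Prevent", "Low": "Prevent", "Information": "Log"},
}

@dataclass(frozen=True)
class Signature:
    sig_id: int
    severity: str
    allow_client_rules: bool = True     # off for most High signatures
    network: bool = False               # network IPS signature
    excluded_from_trusted_apps: bool = False

@dataclass(frozen=True)
class ExceptionRule:
    """IPS exception; a None field means Include All Signatures/Executables/Users."""
    sig_id: Optional[int] = None
    path: Optional[str] = None
    user: Optional[str] = None

    def covers(self, sig_id: int, path: str, user: Optional[str]) -> bool:
        return ((self.sig_id is None or self.sig_id == sig_id)
                and (self.path is None or self.path == path)
                and (self.user is None or self.user == user))

@dataclass
class IpsPolicy:
    signatures: Dict[int, Signature]          # IPS Rules policy
    reactions: Dict[str, str]                 # IPS Protection policy
    exceptions: List[ExceptionRule] = field(default_factory=list)
    trusted_apps: Set[str] = field(default_factory=set)   # paths trusted for IPS
    adaptive: bool = False
    client_rules: List[ExceptionRule] = field(default_factory=list)

def disposition(policy: IpsPolicy, sig_id: int, path: str, user: str):
    """Return (reaction, reason) for one signature hit by process `path` run by
    `user`. In adaptive mode a hit that would be logged or prevented becomes a
    per-user, per-process, per-signature client rule, unless the signature
    forbids client rules, is a network signature, or is signature 1000."""
    sig = policy.signatures[sig_id]
    if user == UNKNOWN_USER:
        user = None                       # unresolved user: the rule applies to all users
    for ex in policy.exceptions:
        if ex.covers(sig_id, path, user):
            return "Ignore", "policy exception"
    if path in policy.trusted_apps and not sig.excluded_from_trusted_apps:
        return "Ignore", "trusted application"
    for cr in policy.client_rules:
        if cr.covers(sig_id, path, user):
            return "Ignore", "client rule"
    reaction = policy.reactions[sig.severity]
    if reaction == "Ignore":
        return "Ignore", "severity reaction"
    if policy.adaptive:
        if sig.allow_client_rules and not sig.network and sig_id != SERVICE_SELF_PROTECTION:
            policy.client_rules.append(ExceptionRule(sig_id, path, user))
            return "Ignore", "client rule created"
        return reaction, "client rule not permitted"
    return reaction, "severity reaction"

# Constructed signature set; only 1000 is an ID the guide names, and its
# severity here is assumed.
SIGNATURES = {
    1000: Signature(1000, "High", allow_client_rules=False),
    5001: Signature(5001, "Medium"),
    5002: Signature(5002, "Low"),
    5003: Signature(5003, "High", allow_client_rules=False, network=True),
    5004: Signature(5004, "Medium", excluded_from_trusted_apps=True),
}
```

With TUNING_STAGES[1] a Medium hit is ignored outright, so nothing is learned or logged until the policy is raised to a later stage; this is why the guide recommends running adaptive mode only after the severity reactions you intend to keep are in place.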
Host IPS policy migration
You cannot use McAfee Host Intrusion Prevention version 6.1 or 7.0 policies with version 8.0 clients without first migrating version 6.1 or 7.0 policies to version 8.0 format. Host Intrusion Prevention 8.0 provides an easy means to migrate policies with the ePolicy Orchestrator Host IPS Policy Migration feature under Automation. This migration involves translating and moving policies. After the policy is migrated it appears under the Policy Catalog's corresponding Host IPS 8.0 product feature and category with [6.1] or [7.0] following the name of the policy.
All policies are translated and migrated to corresponding version 8.0 policies, except for the following:
• Application Blocking Options policies are not migrated (these policies were removed in version 8.0).
• Application Blocking Rules policies are migrated into IPS Rules policies named Application Hooking and Invocation Protection <name> [6.1 or 7.0] (these policies were removed in version 8.0). After these policies are migrated into IPS Rules policies, their Application Protection Rules list is blank, and the Exceptions list contains exceptions for all default trusted applications set to "Trusted for Application Hooking." To use this migrated policy you must also assign the My Default IPS Rules policy in a multiple-policy instance setting, as it contains the latest application protection list through content updates.
NOTE: Applications for which hooking is blocked in Application Blocking Rules policies are not migrated and need to be manually added to the Application Protection Rules in the IPS Rules policy after migration. Also, if you migrate a Trusted Applications policy with applications marked "Trusted for application hooking" to version 8.0, you must create an exception for that application in signature 6010 (Generic Application Hooking Protection) in a Host IPS Rules policy to preserve the application hooking protection.
• Firewall Quarantine Options policies are not migrated (these policies were removed in version 8.0).
• Firewall Quarantine Rules policies are not migrated (these policies were removed in version 8.0).
• IPS Client Rules and Firewall Client Rules are not migrated.
NOTE: Policy assignments are carried over during migration. If inheritance is broken at a particular location in the System Tree, the assignment is not overwritten, but inheritance may be broken at other points of the System Tree, as migrated assignments are merged. Always review policy assignment after migrating policies.
Migrating policies directly
After installing the Host Intrusion Prevention 8.0 extension, the easiest way to migrate existing policies is to migrate policies directly.
1 Click Automation | Host IPS Policy Migration.
2 Under Action for Host IPS 6.1 or 7.0 policies in the ePO policy catalog, click Migrate.
3 When policy migration is complete, click Close.
All version 6.1/7.0 IPS, Firewall, and General feature policies are converted to version 8.0 and appear with [6.1] or [7.0] after their name.
NOTE: Running the policy migration a second time overwrites any policies of the same name that were migrated previously. This process is not selective: all existing 6.1 or 7.0 policies are migrated. If you want to migrate only selected policies, use the xml file process instead.
Migrating policies through an xml file
If the Host Intrusion Prevention 6.1/7.0 extension is not installed and you have previously exported selected single policies to an xml file, or if you want to selectively migrate version
6.1/7.0 policies instead of all policies at once, you do this by migrating through an xml file. The
process involves first exporting single Host Intrusion Prevention 6.1/7.0 policies to xml format, converting the contents of the xml file to Host Intrusion Prevention 8.0 policy versions, and later importing the migrated xml file into the ePO Policy Catalog.
1 Click Automation | Host IPS Policy Migration.
2 Under Action for Host IPS 6.1 or 7.0 policies in an xml file, click Migrate.
3 Select the Host IPS 6.1 or 7.0 version xml file previously exported, then click OK. The xml
file is converted to policy version 8.0 format.
4 Right-click the link to the converted MigratedPolicies.xml file and save it for importing.
5 Import the xml file into the ePO Policy Catalog.
System management
As part of managing the Host Intrusion Prevention deployment, you need to perform occasional system tasks. These include setting up user permissions, server tasks, notifications, and content updating.
Host IPS permission sets
A permission set is a group of permissions granted to a user account for specific products or features of a product. One or more permission sets can be assigned. All permissions to all products and features are automatically assigned to global administrators. Permission sets only grant permissions — they never remove a permission.
Global administrators can assign existing permission sets when creating or editing user accounts and when creating or editing permission sets.
The Host Intrusion Prevention extension adds a Host Intrusion Prevention section to the permission sets without applying any permissions. The global administrators must grant Host IPS permissions to existing permission sets or create new permission sets and add them there.
With Host Intrusion Prevention, permissions are granted for access to each feature of the product and whether the user has read or read/write permission. This applies to the Host
Intrusion Prevention policy pages and the Host Intrusion Prevention event and client rules pages under Reporting.
For this Host IPS feature — These permissions are available
IPS — None, view settings only, or view and change settings.
Firewall — None, view settings only, or view and change settings.
General — None, view settings only, or view and change settings.
The global administrator also needs to give ePolicy Orchestrator permissions to handle other areas that work with Host Intrusion Prevention, including queries and dashboards. For example, to analyze and manage firewall client rules found on the Host IPS pages under Reporting, a user needs view permissions for Event Log, view permissions for Systems, view permissions for System Tree access, and view and change permission for the Host Intrusion Prevention Firewall feature.
Table 3: Permissions required for working with various features
For these Host IPS features — These permission sets are required
Host IPS dashboards — Dashboards, Queries
Host IPS queries — Queries
Host IPS client events and client rules — Systems, System Tree access, Threat Event Log
Host IPS server tasks — Server Tasks
Host IPS packages in repository — Software
Host IPS automatic responses — Automatic Responses, Event Notifications, Client Events
For more information on permission sets, see the ePolicy Orchestrator documentation.
Assigning permission sets
Use this task to assign permissions to Host Intrusion Prevention features on the ePO server.
Before you begin
Determine the Host Intrusion Prevention features to which you want to give access and the additional permission sets that must be assigned to access all aspects of that Host Intrusion Prevention feature. For example, to view Firewall Client rules, the user must have permission to the Firewall feature in the Host Intrusion Prevention permission set, as well as to Event log, Systems, and System Tree access permission sets.
Task
For option definitions, click ? in the interface.
1 Click Menu | User Management | Permission Sets.
2 Next to Host Intrusion Prevention, click Edit.
3 Select the desired permission for each feature:
• None
• View settings only
• View and change settings
4 Click Save.
5 Assign other permission sets as required:
For this Host IPS feature — Assign this permission set
Host IPS events — Host Intrusion Prevention: IPS, Event log, Systems, System Tree access
Host IPS client IPS rules — Host Intrusion Prevention: IPS, Event log, Systems, System Tree access
Host IPS client firewall rules — Host Intrusion Prevention: Firewall, Event log, Systems, System Tree access
Host IPS dashboards — Dashboard, Queries
Host IPS queries — Queries
Host IPS server tasks
Host Intrusion Prevention provides several preconfigured and configurable server tasks that you can set to run on a specified schedule or immediately as part of Host Intrusion Prevention protection maintenance. You can create custom Host Intrusion Prevention server tasks by clicking New Task and selecting one or more Host IPS properties on the Actions tab of the Server Task Builder. For more information on using and creating server tasks, see the ePolicy Orchestrator documentation.
To work with an existing server task, click Menu | Automation | Server Tasks, then click the appropriate command under Actions. To create a custom server task, click New Task and follow the steps in the Server Task Builder wizard.
Table 4: Preconfigured and custom server tasks
Server Task — Description
Host IPS Property Translator (Preconfigured) — This server task translates Host Intrusion Prevention client rules that are stored in the ePolicy Orchestrator database to handle Host Intrusion Prevention sorting, grouping, and filtering of data. This task runs automatically every 15 minutes and requires no user interaction. You can, however, run it manually if you need to see immediate feedback from actions on the client.
Repository Pull (Custom) — This server task allows you to create a custom task to retrieve packages from the source site and place them in the master repository. Select the Host IPS Content as a package type to retrieve content updates automatically.
Run Query (Custom) — This server task allows you to create a custom task to run Host Intrusion Prevention preconfigured queries at a specified time and schedule.
Purge Threat Event Log (Custom) — This server task allows you to create a custom task to purge threat event logs based on a Host Intrusion Prevention query. Select a Host IPS Events query to purge from the log.
Export Policies (Custom) — This server task allows you to download an xml file that contains the associated Host Intrusion Prevention policy.
Export Queries (Custom) — This server task allows you to create a Host Intrusion Prevention query output file that can be saved or emailed.
Host IPS event responses
Automatic responses can alert you to any events that occur on Host Intrusion Prevention client systems. You can configure responses when specific events are received and processed by the ePolicy Orchestrator server. Configured responses are:
• Create issues
• Execute scheduled tasks
• Run external commands
• Send SNMP traps
• Send email
You can specify the event properties specific to Host Intrusion Prevention that generate a response and the frequency that responses are sent. For complete details, see the ePolicy Orchestrator 4.5 documentation.
Preparing to create Automatic Responses
When creating Automatic Responses, be sure to do the following:
1 Understand Automatic Responses and how it works with the System Tree and your network.
2 Plan your implementation, keeping in mind that certain users need to know about certain
events.
3 Prepare the components and permissions used with Automatic Responses, including:
• Automatic Responses permissions — Create or edit permission sets and ensure that they are assigned to the appropriate ePO users.
• Email server — Configure the email (SMTP) server at Server Settings.
• Email contacts list — Specify the list from which you select recipients of notification messages at Contacts.
• Registered executables — Specify a list of registered executables to run when the conditions of a rule are met.
• Server tasks — Create server tasks for use as actions to be carried out as a result of a response rule.
• SNMP servers — Specify a list of SNMP servers to use while creating rules. You can configure rules to send SNMP traps to SNMP servers when the conditions are met to initiate a notification message.
Tips on using automatic responses
The Host IPS Advanced Properties are the event properties specific to Host Intrusion Prevention; they are used when setting filters, aggregating events, and configuring the action for the rule. To use these properties, set the event group to ePO Notification Events and the event type to Threat.
Table 5: Host IPS Advanced Properties
Properties — Value
API Name — Name of the monitored API that triggered an event
Direction — In/Out/Either
Host IPS Event Description — Detailed description of the event
Local IP Address — Local IP address of the system involved in the event
Process ID — Path of a threat source executable
Protocol — IP protocol (UDP, TCP, ICMP)
Remote IP Address — Remote IP address of the system involved in the event
Workstation Name — Name of the system involved in the event
Host IPS protection updates
Host Intrusion Prevention supports multiple versions of client content and code, with the latest available content appearing in the ePO console. New content is always supported in subsequent versions, so content updates contain mostly new information or minor modifications to existing information.
Updates are handled by a content update package. This package contains content version information and updating scripts. Upon check-in, the package version is compared to the version of the most recent content information in the database. If the package is newer, the scripts from this package are extracted and executed. This new content information is then passed to clients at the next agent-server communication.
Updates include data associated with the IPS Rules policy (IPS signatures and application protection rules) and the Trusted Applications policy (trusted applications). As these updates occur in the McAfee default policy, these policies must be assigned for both IPS Rules and Trusted Applications to take advantage of the updated protection.
The basic process includes checking in the update package to the ePO master repository, then sending the updated information to the clients. Clients obtain updates only through communication with the ePO server, and not directly through FTP or HTTP protocols.
TIP: Always assign the McAfee Default IPS Rules policy and McAfee Default Trusted Applications
policy to benefit from any content updates. If you modify these default policies, the modification is not overwritten with an update because modified settings in these policies take precedence over default settings.
Checking in update packages
You can create an ePO pull task that automatically checks in content update packages to the master repository. This task downloads the content update package directly from McAfee at the indicated frequency and adds it to the master repository, updating the database with new Host Intrusion Prevention content.
Task
1 Click Menu | Software | Master Repository, then click Actions | Schedule Pull.
2 Name the task, for example, HIP Content Updates, then click Next.
3 Select Repository Pull as the task type, the source of the package (McAfeeHttp or
McAfeeFtp), the branch to receive the package (Current, Previous, Evaluation), and a selected package (Host Intrusion Prevention Content), then click Next.
4 Schedule the task as needed, then click Next.
5 Verify the information, then click Save.
Checking in packages manually
You can download an update package and check it in manually if you do not want to use an automatic pull task.
Task
1 Download the file from McAfeeHttp or McAfeeFtp.
2 Click Menu | Software | Master Repository, then click Actions | Check in package.
3 Select the package type and package location, then click Next. The Package Options
page appears.
4 Select the branch where to install the package, then click Save. The package appears on
the Master Repository tab.
Updating clients with content
After the update package is checked in to the master repository, you can send the updates to the client by scheduling an update task or by sending an agent wake-up call to update immediately.
Task
1 Go to Systems | System Tree | Client Tasks, select the group where you want to send
content updates, and click New Task.
2 Name the task, select Product Update as the type of task, then click Next.
3 Select Selected packages, select Host Intrusion Prevention Content, then click Next.
4 Schedule the task as desired, then click Next.
5 Review the details, then click Save.
Updating content from the client
A client can also request updates on demand if a McAfee Agent icon appears in the client computer’s system tray.
Task
• Right-click the McAfee Agent icon in the system tray and select Update Now. The McAfee AutoUpdate progress dialog box appears and content updates are pulled and applied to
the client.
Configuring IPS Policies
IPS policies turn host intrusion prevention protection on and off, set the reaction level to events, and provide protection through the application of exceptions, signatures, and application protection rules. IPS protection is kept up-to-date with monthly content updates that contain new and revised signatures and application protection rules.
Contents
Overview of IPS policies
Enable IPS protection
Set the reaction for IPS signatures
Define IPS protection
Monitor IPS events
Monitor IPS client rules
Overview of IPS policies
The IPS (Intrusion Prevention System) feature monitors all system (kernel-level) and API (user-level) calls and blocks those that might result in malicious activity.
Host Intrusion Prevention determines which process is using a call, the security context in which the process runs, and the resource being accessed. A kernel-level driver, which receives redirected entries in the user-mode system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action. This hybrid method detects most known attacks as well as previously unknown or zero-day attacks.
Protection also comes from exceptions, which override signatures that block legitimate activity, and application protection rules, which describe which processes to protect.
Available policies
There are three IPS policies:
IPS Options — Enables IPS protection by turning on and off host and network IPS protection and applying options specific to Windows systems.
IPS Protection — Tells the system how to react (block, ignore, log) when signatures of a specific severity (high, medium, low) are triggered.
IPS Rules — Defines IPS protection by applying signatures and behavioral analysis to protect against known and zero-day attacks. Exceptions, which override signatures that block legitimate activity, and application protection rules, which indicate which processes to protect, complement the signatures. Like the Trusted Applications policy, this policy category can contain multiple policy instances. Content updates provide new and updated signatures and application protection rules to keep protection current.
Methods for delivery of IPS protection
Shielding and enveloping, system call interception, and installation of specific engines and drivers are the methods used to deliver IPS protection.
Enveloping and shielding
Host Intrusion Prevention uses enveloping and shielding signatures to protect against attacks. The enveloping strategy works to prevent applications from accessing files, data, registry settings, and services outside their own application envelope. The shielding strategy works to prevent application files, data, registry settings, and services from being accessed by an exploit from outside their own application envelope.
System call interception
Host Intrusion Prevention monitors all system and API calls and blocks malicious activity. It determines which process is using a call, the security context in which the process runs, and the resource being accessed. A Host Intrusion Prevention kernel-level driver, which receives redirected entries in the user-level system call table, monitors the system call chain. When calls are made, the driver compares the call request against a database of combined signatures and behavioral rules to determine whether to allow, block, or log an action.
User-level programs use the functionality provided by the kernel to access disk drives, network connections, and shared memory. Because the processor prevents direct access to kernel-level functions, user-level programs use system calls, which permit communication between user and kernel modes. System calls expose all kernel functionality that user-level programs require and are implemented inside the operating system using a system call table. Host Intrusion Prevention inserts itself into the system call chain by installing a kernel-level driver and redirecting the entries in the system call table. When an application requests a file, it is directed to the Host Intrusion Prevention driver, which checks the request against its set of signatures and behavioral rules to determine whether to allow or block the request.
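The interception chain described above can be modelled in user space: a call table whose entries are redirected through a checking layer that consults signature rules and behavioral (enveloping) rules before the original handler runs. The following Python is an added illustration written for this guide, not McAfee driver code or the real Host IPS content. The process names, the call names, the signature tuples and the envelope rule (only `httpd.exe` may touch `.html` files) are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class SyscallRequest:
    process: str    # process issuing the call (constructed names below)
    call: str       # system call name
    resource: str   # file or other object being accessed


Handler = Callable[[SyscallRequest], str]


# Constructed stand-ins for the kernel's own handlers.
def kernel_open_file(req: SyscallRequest) -> str:
    return f"opened {req.resource}"


def kernel_write_file(req: SyscallRequest) -> str:
    return f"wrote {req.resource}"


def syscall(table: Dict[str, Handler], req: SyscallRequest) -> str:
    """User-level entry point: look the call up in the table and dispatch it."""
    return table[req.call](req)


@dataclass
class InterceptingDriver:
    """Redirects table entries through itself, the way the text describes the driver."""
    table: Dict[str, Handler]
    # Signature rules (constructed): (call, resource suffix, action) for known attacks.
    signatures: List[Tuple[str, str, str]]
    # Behavioral (enveloping) rules (constructed): resource suffix -> processes allowed to use it.
    envelope: Dict[str, Set[str]]
    log: List[str] = field(default_factory=list)
    originals: Dict[str, Handler] = field(default_factory=dict)

    def install(self) -> None:
        """Replace every table entry with a redirected entry, keeping the original."""
        for name, handler in list(self.table.items()):
            self.originals[name] = handler
            self.table[name] = self._redirect(name)

    def _redirect(self, name: str) -> Handler:
        def redirected(req: SyscallRequest) -> str:
            decision = self.check(req)
            if decision != "allow":
                self.log.append(f"{decision} {req.process} {name} {req.resource}")
            if decision == "block":
                return "access denied"
            return self.originals[name](req)  # allowed and logged calls pass through
        return redirected

    def check(self, req: SyscallRequest) -> str:
        """Compare the request against signatures first, then behavioral rules."""
        for call, suffix, action in self.signatures:
            if req.call == call and req.resource.endswith(suffix):
                return action
        for suffix, allowed in self.envelope.items():
            if req.resource.endswith(suffix) and req.process not in allowed:
                return "block"
        return "allow"


def demo() -> Dict[str, object]:
    """Run four constructed requests through an installed driver and return the outcomes."""
    table: Dict[str, Handler] = {"open_file": kernel_open_file, "write_file": kernel_write_file}
    driver = InterceptingDriver(
        table,
        signatures=[("write_file", ".exe", "block"),   # browser must not drop executables
                    ("open_file", "hosts", "log")],    # reads of the hosts file are only logged
        envelope={".html": {"httpd.exe"}},             # only the web server may touch HTML files
    )
    driver.install()
    results: Dict[str, object] = {
        "browser_writes_exe": syscall(table, SyscallRequest("iexplore.exe", "write_file", r"C:\temp\unknown.exe")),
        "webserver_reads_html": syscall(table, SyscallRequest("httpd.exe", "open_file", r"C:\www\index.html")),
        "editor_reads_html": syscall(table, SyscallRequest("notepad.exe", "open_file", r"C:\www\index.html")),
        "service_reads_hosts": syscall(table, SyscallRequest("svchost.exe", "open_file", r"C:\Windows\System32\drivers\etc\hosts")),
    }
    results["log"] = list(driver.log)
    return results
```

The point to notice is that `install()` keeps the original handler and only changes where the table points, so allowed and logged calls still reach the kernel handler; only a "block" decision short-circuits the call. Signature rules are consulted before the behavioral envelope, which is why the web server's own read of an HTML file is allowed while the editor's identical read is denied.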
HTTP engine for web servers
Host Intrusion Prevention gives protection against attacks directed at web applications and systems with its HTTP protection engine. It protects by parsing the HTTP stream coming in to an application and matching patterns on incoming HTTP requests. The HTTP Protection engine installs between the web server's SSL decryption and decoding element that turns requests into plain text and the web server's engine. This guarantees that the Host Intrusion Prevention engine sees requests in plain text and blocks malicious requests before they are processed. HTTP signatures prevent directory traversal and Unicode attacks, web defacement, data theft, and server hacking.
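Because the engine sits after SSL decryption and decoding, its patterns are matched against the request in plain text. The following Python is an added example of that idea, not McAfee's HTTP engine or its signature content: it parses the request line, reduces the target to the form a server would act on (percent-decoding twice to expose double encoding, and folding the overlong UTF-8 forms of `.`, `/` and `\` that a lenient decoder maps onto those characters), then checks it against two constructed patterns for directory traversal and Unicode-style encoding. The sample requests are constructed for the example.

```python
import re
from typing import List
from urllib.parse import unquote

# Signature patterns constructed for this example; the real Host IPS content is not reproduced here.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Overlong UTF-8 encodings of '.', '/' and '\' and the canonical percent-encoding they decode to.
OVERLONG = {"%c0%ae": "%2e", "%c0%af": "%2f", "%c1%9c": "%5c"}


def normalize_target(target: str) -> str:
    """Reduce the request target to the plain text a server would act on."""
    text = target.lower()
    for overlong, canonical in OVERLONG.items():
        text = text.replace(overlong, canonical)
    return unquote(unquote(text))  # second round also exposes double encoding such as %252f


def inspect_request(raw: bytes) -> List[str]:
    """Return the names of the signatures the request matches; an empty list means no match."""
    try:
        request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return ["malformed-request-line"]
    hits: List[str] = []
    if any(seq in target.lower() for seq in OVERLONG):
        hits.append("overlong-utf8-encoding")
    if TRAVERSAL.search(normalize_target(target)):
        hits.append("directory-traversal")
    if not version.startswith("HTTP/"):
        hits.append("malformed-request-line")
    return hits
```

Matching only after normalization is what makes the check robust: the same traversal written as `..%2f`, `..%252f` or `..%c0%af` all reduce to `../` before the pattern is applied, so an encoding variation does not slip past a pattern written for the literal form.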
SQL engine for SQL servers
Host Intrusion Prevention protects against attacks on database servers with its SQL inspection engine, which installs between the database network libraries and the database engine. It examines all SQL requests and blocks any that could trigger an event. SQL protection rules differentiate on user, query origination location, query validity, and other parameters.
SQL database signatures build on the core protection provided by standard signatures and add specific database interception and protection rules. The Host IPS SQL engine intercepts incoming database queries before they are processed by the database engine. Each query is examined to see whether it matches any known attack signatures, if it is well formed, and if there are tell-tale signs of SQL injection.
SQL database signatures implement database shielding to protect the database's data files, services, and resources. In addition, they implement database enveloping to ensure that the database operates within its well-defined, behavioral profile.
Signatures
Signatures are collections of intrusion prevention rules that can be matched against a traffic stream. For example, a signature might look for a specific string in an HTTP request. If the string matches one in a known attack, action is taken. These rules provide protection against known attacks.
Signatures are designed for specific applications and specific operating systems; for example, web servers such as Apache and IIS. The majority of signatures protect the entire operating system, while some protect specific applications.
Host IPS signatures
Host Intrusion Prevention protection resides on individual systems such as servers, workstations, or laptops. The Host Intrusion Prevention client inspects traffic flowing into or out of a system and examines the behavior of the applications and operating system for attacks. When an attack is detected, the client can block it at the network segment connection, or can issue commands to stop the behavior initiated by the attack. For example, buffer overflow is prevented by blocking malicious programs inserted into the address space exploited by an attack. Installation of back door programs with applications like Internet Explorer is blocked by intercepting and denying the application’s “write file” command.
These signatures:
• Protect against an attack and the results of an attack, such as preventing a program from writing a file.
• Protect laptops when they are outside the protected network.
• Protect against local attacks introduced by CDs or USB devices. These attacks often focus on escalating the user’s privileges to “root” or “administrator” to compromise other systems in the network.
• Provide a last line of defense against attacks that have evaded other security tools.
• Prevent internal attack or misuse of devices located on the same network segment.
• Protect against attacks where the encrypted data stream terminates at the system being protected by examining the decrypted data and behavior.
• Protect systems on obsolete or unusual network architectures such as Token Ring or FDDI.
Host Intrusion Prevention contains a large default list of host IPS signatures for all platforms. You can edit the severity level, log status, and client rule creation setting of these signatures, or add custom signatures to the list. The list of signatures is updated if needed whenever you install a content update.
Network IPS signatures
Network IPS protection also resides on individual systems. All data that flows between the protected system and the rest of the network is examined for an attack. When an attack is identified, the offending data is discarded or blocked from passing through the system.
These signatures:
• Protect systems located downstream in a network segment.
• Protect servers and the systems that connect to them.
• Protect against network denial-of-service attacks and bandwidth-oriented attacks that deny or degrade network traffic.
Host Intrusion Prevention contains a default list of a small number of network IPS signatures for Windows platforms. You can edit the severity level, log status, and client rule creation setting of these signatures, but you cannot presently add custom network signatures. The list of signatures is updated if needed whenever you install a content update.
Behavioral rules
Behavioral rules block zero-day attacks and enforce proper operating system and application behavior. Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response. For example, a behavioral rule might state that only a web server process can access HTML files. If any other process attempts to access HTML files, action is taken. This type of protection, called application shielding and enveloping, prevents compromise of applications and their data and prevents applications from being used to attack other applications.
In addition, behavioral rules block buffer overflow exploits, preventing code execution resulting from a buffer overflow attack, one of the most common methods of attacking servers and desktops.
Reactions
A reaction is what the Host Intrusion Prevention client does when a signature of a specific severity is triggered.
The client reacts in one of three ways:
Ignore — No reaction; the event is not logged and the operation is not prevented.
Log — The event is logged but the operation is not prevented.
Prevent — The event is logged and the operation is prevented.
A security policy might state, for example, that when a client recognizes a low-severity signature, it logs the occurrence of that signature and allows the operation to occur; and when it recognizes a high-severity signature, it prevents the operation.
NOTE: Logging can be enabled directly on each signature. The IPS Protection policy automatically
sets the reaction for signatures depending on severity level.
Exceptions
An exception overrides an activity blocked by the reaction to a signature.
In some cases, behavior that a signature defines as an attack might be part of a user’s normal work routine or an activity that is legal for a protected application. To override the signature, you can create an exception that allows legitimate activity. For example, an exception might state that for a particular client, an operation is ignored.
You can create these exceptions manually, or place clients in adaptive mode and allow them to create client exception rules. To ensure that some signatures are never overridden, edit the signature and disable the Allow Client Rules options. You can track the client exceptions in the ePolicy Orchestrator console, viewing them in regular, filtered, and aggregated views. Use these client rules to create new policies or add them to existing policies that you can apply to other clients.
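The interplay of the three pieces just described (the IPS Protection reaction per severity, exceptions that override a signature, adaptive mode creating client rules, and a signature's Allow Client Rules setting) is easier to see as a small decision function. The following Python is an added example written for this guide, not McAfee client code; the signature ids, process names and the scope of an exception (one signature for one process) are constructed assumptions, and the labels "allow", "ignore", "log" and "prevent" are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Signature:
    sig_id: int
    severity: str                    # "high", "medium" or "low"
    allow_client_rules: bool = True  # the signature's "Allow Client Rules" setting


@dataclass(frozen=True)
class ExceptionRule:
    sig_id: int
    process: str   # constructed scope: the exception applies only to this process


@dataclass
class IpsPolicySet:
    reactions: Dict[str, str]                                        # IPS Protection: severity -> ignore/log/prevent
    exceptions: List[ExceptionRule] = field(default_factory=list)    # administrator-created, in IPS Rules
    client_rules: List[ExceptionRule] = field(default_factory=list)  # created on the client
    adaptive_mode: bool = False                                      # IPS Options "Adaptive mode enabled"


def react(policy: IpsPolicySet, sig: Signature, process: str) -> str:
    """Return what the client does: 'allow' (an exception applied), 'ignore', 'log' or 'prevent'."""
    rule = ExceptionRule(sig.sig_id, process)
    if rule in policy.exceptions or rule in policy.client_rules:
        return "allow"                                   # an exception overrides the signature
    reaction = policy.reactions.get(sig.severity, "ignore")
    if reaction == "prevent" and policy.adaptive_mode and sig.allow_client_rules:
        policy.client_rules.append(rule)                 # learn a client exception instead of blocking
        return "allow"
    return reaction


def demo() -> Dict[str, object]:
    """Walk one constructed policy through tuning steps and return each outcome."""
    policy = IpsPolicySet({"high": "prevent", "medium": "log", "low": "ignore"})
    high_sig = Signature(1001, "high")                               # constructed ids
    locked_sig = Signature(1002, "high", allow_client_rules=False)
    medium_sig = Signature(2001, "medium")
    out: Dict[str, object] = {}
    out["high_blocked"] = react(policy, high_sig, "app.exe")
    out["medium_logged"] = react(policy, medium_sig, "app.exe")
    policy.exceptions.append(ExceptionRule(1001, "app.exe"))         # administrator tunes out a false positive
    out["exception_applied"] = react(policy, high_sig, "app.exe")
    out["other_process_still_blocked"] = react(policy, high_sig, "other.exe")
    policy.adaptive_mode = True                                      # temporary tuning phase
    out["adaptive_learns"] = react(policy, high_sig, "other.exe")
    out["locked_signature"] = react(policy, locked_sig, "other.exe")  # Allow Client Rules disabled
    policy.adaptive_mode = False
    out["learned_rule_persists"] = react(policy, high_sig, "other.exe")
    out["client_rules"] = [(r.sig_id, r.process) for r in policy.client_rules]
    return out
```

Two details match the text: an exception never changes the reaction table, it only takes precedence for the one signature and process it names, and a signature with Allow Client Rules disabled keeps its "prevent" reaction even while the client is in adaptive mode.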
Host Intrusion Prevention clients contain a set of IPS signature rules that determine whether activity on the client computer is benign or malicious. When malicious activity is detected, alerts known as events are sent to the ePO server and appear in the Host IPS tab under Reporting.
The protection level set for signatures in the IPS Protection policy determines which action a client takes when an event occurs. Reactions include ignore, log, or prevent the activity.
Events from legitimate activity that are false positives can be overridden by creating an exception to the signature rule or by qualifying applications as trusted. Clients in adaptive mode automatically create exceptions, called client rules. Administrators can manually create exceptions at any time.
Monitoring events and client exception rules helps determine how to tune the deployment for the most effective IPS protection.
Application protection rules
Application protection rules provide protection for defined and generated lists of processes against buffer overflow by permitting or blocking user-level API hooking.
Buffer overflow protection is generic for Host Intrusion Prevention and is applicable to any process that is hooked. The IPS policy contains a default list of application protection rules for Windows platforms. This list is updated, as needed, whenever you install a content update. You can add network facing and service-based applications to this list automatically if you have enabled the "Automatically include network-facing and service based applications" option in the IPS Options policy.
Events
IPS events are generated when a client reacts to a triggered signature.
Events are logged in the Events tab of the Host IPS tab under Reporting. Administrators can view and monitor these events to analyze system rule violations. They can then adjust event reactions or create exceptions or trusted application rules to reduce the number of events and fine-tune the protection settings.
NOTE: The Host Intrusion Prevention client aggregates events so not all events are sent to the
ePO server. This prevents numerous events that happen within 20 seconds of each other from being repeatedly sent to the server. If an event reoccurs after 20 seconds, an additional event is reported. Administrators can view all events on the Host IPS tab under Reporting in the ePO console or on the client system.
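The 20-second aggregation in the note above is the reason the event count in the ePO console is lower than the number of reactions on the client. The following Python is an added example of that behaviour written for this guide, not McAfee client code. It assumes, as a labelled simplification, that a repeat is identified by signature id and process and that the window is measured from the last copy actually sent; the event stream is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AGGREGATION_WINDOW = 20.0  # seconds, the interval given in the note above

EventKey = Tuple[int, str]  # (signature id, process) identify a repeat of the same event


@dataclass
class ClientEventAggregator:
    """Holds back repeats of an event that fall inside the window and counts them."""
    last_sent: Dict[EventKey, float] = field(default_factory=dict)
    suppressed: Dict[EventKey, int] = field(default_factory=dict)
    sent: List[Tuple[float, int, str]] = field(default_factory=list)

    def report(self, ts: float, sig_id: int, process: str) -> bool:
        """Return True if the event is forwarded to the server, False if it is aggregated."""
        key = (sig_id, process)
        previous = self.last_sent.get(key)
        # Assumption: the window is measured from the last event actually sent for this key.
        if previous is not None and ts - previous < AGGREGATION_WINDOW:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return False
        self.last_sent[key] = ts
        self.sent.append((ts, sig_id, process))
        return True


def demo() -> Dict[str, object]:
    """Feed a constructed client-side stream through the aggregator."""
    # (seconds since start, signature id, process); all values constructed for the example.
    stream = [
        (0.0, 1001, "app.exe"),
        (3.0, 1001, "app.exe"),    # repeat inside the window: held back
        (4.0, 2002, "app.exe"),    # different signature: its own event
        (5.0, 1001, "other.exe"),  # different process: its own event
        (19.0, 1001, "app.exe"),   # still inside the window: held back
        (21.0, 1001, "app.exe"),   # more than 20 s after the last sent copy: reported again
    ]
    agg = ClientEventAggregator()
    forwarded = [agg.report(ts, sig, proc) for ts, sig, proc in stream]
    return {
        "forwarded": forwarded,
        "sent_count": len(agg.sent),
        "suppressed": {f"{key[0]}:{key[1]}": count for key, count in agg.suppressed.items()},
    }
```

When tuning, keep this in mind while reading counts: a single forwarded event may stand for several reactions on the client, so the client's own log is the place to look when the exact number of occurrences matters.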
Enable IPS protection
The IPS Options policy determines how IPS protection is applied. It offers options for Windows and non-Windows platforms.
For all platforms
These options are available for clients on all platforms:
Host IPS enabled — Select to turn on IPS protection through the enforcement of host IPS rules.
NOTE: This control is also available directly on the client.
Adaptive mode enabled (rules are learned automatically) — Select to enable adaptive mode, where clients create exception rules automatically to allow blocked behavior. Use only temporarily while tuning a deployment.
NOTE: This control is also available directly on the client.
Retain existing client rules when this policy is enforced — Select to allow clients to keep exception rules created on the client, either automatically with adaptive mode or manually on a Windows client, when this policy is enforced.
For Windows platforms only
These options are available for clients on Windows platforms only:
Network IPS enabled — Select to enforce network IPS rules. This option is available independently from the application of host IPS rules.
Automatically block network intruders — Select this option to block incoming and outgoing traffic from a host for the number of minutes indicated, or until the host is manually removed from the blocked list on the client. Available only if Network IPS is enabled.
NOTE: These controls are also available directly on the client.
Retain blocked hosts — Select to allow a client to keep blocking a host IP address until the time set under "Automatically block network intruders" expires. If not selected, the host is blocked only until the next policy enforcement.
Automatically include network-facing and service-based applications in the application protection list — Select to allow a client to add high-risk applications automatically to the list of protected applications in the IPS Rules policy.
Startup IPS protection enabled — Select to apply a hard-coded set of file and registry protection rules until the Host IPS service has started on the client.
Policy selections
This policy category contains a preconfigured policy, and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies.
The preconfigured policy has these settings:
McAfee Default
Host IPS and Network IPS protection is disabled, and these options are are seleted to be applied when IPS protection is enabled:
• Automatically block network intruders for 10 minutes (Windows only)
• Retain blocked hosts (Windows only)
• Retain client rules
TIP: To activate IPS protection on client systems, the Host Intrusion Prevention administrator
must first enable the Host IPS and Network IPS options in this policy, and then apply the policy to client systems. IPS protection on client systems is not automatic as in earlier versions of the product.
Configuring the IPS Options policy
Configure settings in this policy to turn IPS protection on and off or apply adaptive mode.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Options in the Category list. The list of policies appears.
2 In the IPS Options policy list, click Edit under Actions to change the settings for a custom policy.
NOTE: For editable policies, other options include Rename, Duplicate, Delete, and Export. For non-editable policies, options include View and Duplicate.
3 In the IPS Options page that appears, make any needed changes, including status, startup, and network IPS settings, then click Save.
Set the reaction for IPS signatures
The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct clients what to do when an attack or suspicious behavior is detected.
Each signature has one of four severity levels:
High — Signatures of clearly identifiable security threats or malicious actions. These signatures are specific to well-identified exploits and are mostly non-behavioral in nature. Prevent these signatures on every system.
Medium — Signatures of behavioral activity where applications operate outside their envelope. Prevent these signatures on critical systems, as well as on web servers and SQL servers.
Low — Signatures of behavioral activity where applications and system resources are locked and cannot be changed. Preventing these signatures increases the security of the underlying system, but additional fine-tuning is needed.
Information — Signatures of behavioral activity where applications and system resources are modified and might indicate a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
These severity levels indicate potential danger to a system and enable you to define specific reactions for different levels of potential harm. You can modify the severity levels and reactions for all signatures. For example, when suspicious activity is unlikely to cause damage, you can select ignore as the reaction. When an activity is likely to be dangerous, you can set prevent as the reaction.
Policy selections
This policy category contains six preconfigured policies and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies.
Preconfigured policies include:
Table 6: IPS Protection policies
Name: Function
Basic Protection (McAfee Default): Prevent high-severity signatures and ignore the rest.
Enhanced Protection: Prevent high- and medium-severity signatures and ignore the rest.
Maximum Protection: Prevent high-, medium-, and low-severity signatures and log the rest.
Prepare for Enhanced Protection: Prevent high-severity signatures, log medium-severity signatures, and ignore the rest.
Prepare for Maximum Protection: Prevent high- and medium-severity signatures, log low-severity signatures, and ignore the rest.
Warning: Log high-severity signatures and ignore the rest.
Configuring the IPS Protection policy
Configure settings in this policy to set the protective reactions for signatures of a particular severity level. These settings instruct clients what to do when an attack or suspicious behavior is detected.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Protection in the Category list.
2 In the IPS Protection policy list that appears, click Edit under Actions to change the settings for a custom policy.
NOTE: For editable policies, other options include Rename, Duplicate, Delete, and Export. For non-editable policies, options include View and Duplicate.
3 In the IPS Protection page that appears, make any needed changes, then click Save.
Define IPS protection
The IPS Rules policy applies intrusion prevention safeguards. This policy is a multiple-instance policy that can have multiple instances assigned.
Each IPS Rules policy contains configurable details on:
• Signatures
• Application Protection Rules
• Exception Rules
You also need to go to the Host IPS page under Reporting to work with:
• IPS Events
• IPS Client Rules
Policy selections
This policy category contains a preconfigured default policy, which provides basic IPS protection. You can view and duplicate the preconfigured policy; you can edit, rename, duplicate, delete, and export custom policies you create. You can also assign more than one instance of the policy for a union of various policy rules.
Configuring the IPS Rules policy
Configure settings in this policy to define signatures, applications protection rules, and exceptions.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Rules in the Category list. The list of policies appears.
2 In the IPS Rules policy list, click Edit under Actions to change the settings for a custom policy.
NOTE: For editable policies, other options include Rename, Duplicate, Delete, and Export. For non-editable policies, options include View and Duplicate.
3 In the IPS Rules page that appears, make any needed changes, then click Save. See Configuring IPS signatures, Configuring IPS application protection rules, and Configuring IPS exceptions for details.
Assigning multiple instances of the policy
Assigning one or more instances of the policy to a group or system in the ePolicy Orchestrator System Tree provides for single policy multi-purpose protection.
The IPS Rules policy and the Trusted Applications policy are multiple-instance policies that can have more than one instance assigned. A multiple-instance policy can be useful for an IIS Server, for example, where you might apply a general default policy, a server policy, and an IIS policy, the latter two configured to specifically target systems running as IIS servers. When assigning multiple instances, you are assigning a union of all the elements in each instance of the policy.
NOTE: The McAfee Default policies for both IPS Rules and Trusted Applications are updated when content is updated. McAfee recommends that these two policies always be applied to keep protection as up to date as possible.
For the policies that have multiple instances, an Effective Policy link appears to provide a view of the details of the combined policy instances.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree and select a group in the System Tree.
NOTE: For a single system, select a group in the System Tree that contains the system, then on the Systems tab, select the system and select Actions | Agent | Modify Policies on a Single System.
2 Under Assigned Policies, select Host Intrusion Prevention 8.0 : IPS/General in the Product list, and for IPS Rules/Trusted Applications click Edit Assignments.
3 On the Policy Assignment page, click New Policy Instance, and select a policy from the Assigned Policies list for the additional policy instance. To view the effective or combined effect of multiple instance rule sets, click View Effective Policy.
4 Click Save to save all changes.
FAQ — Multiple-instance policies
Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted Applications. These policies allow the application of more than one policy concurrently on a single client. All other policies are single-instance policies.
The McAfee Default versions of these policies are automatically updated each time Host Intrusion Prevention security content is updated. For this reason, these policies always need to be assigned to clients to ensure that security content updates are applied. When more than one instance is applied, what results is a union of all the instances, called the effective policy.
How can I use multi-slot policy assignment to streamline my deployment?
First, define groups of users for the deployment that have an essential property in common that dictates what resources need to be protected and what resources need exceptions to work properly. This property could be based on:
• Department — Each department should require protection of a unique set of resources and exceptions for a unique set of business activities.
• Location — Each location may have its own unique security standards or unique set of resources that need to be protected, and exceptions required for business activity.
• Computer type — Each type of computer (laptops, workstations, servers) might have a unique set of applications that need to be protected but also allowed to perform essential business functions.
Next, protect resources and create exceptions and trusted applications for each group. You can use adaptive mode to determine which resources to protect or trust for a given group. After this, create instances of IPS Rules and Trusted Applications policies for each group of users (one IPS Rules policy for a particular department, one for a particular location, and one for a particular computer type), then apply the appropriate instance. Without a multiple-instance IPS Rules policy, a combination of three departments, three locations, and three computer types would require 27 policies; with the multiple-instance approach, only nine are needed.
But rules in different assigned policies contradict each other! How is the effective policy calculated?
It is possible that a rule in one instance has settings that contradict those for the same rule in another policy instance. Host IPS has rules for handling these conflicts in establishing the total effective policy.
For IPS Rules:
• The effective severity for a signature is the highest customized severity. The precedence is: High, Medium, Low, Information, Disabled. If the severity is not customized, the default value is applied.
• The effective log status for a signature is the customized log status. If customized in two or more applied IPS Rules policies, enabled customized log status takes precedence over disabled. If the log status is not customized, the default value is applied.
• The effective client rules setting for a signature is the customized setting. If customized in two or more assigned IPS Rules policies, enabled customized client rules takes precedence over disabled. If the client rules setting is not customized, the default value is applied.
• The effective set of exceptions is the union of all applied exceptions.
For Trusted Applications:
• The effective set of Trusted Applications is the union of all Trusted Applications.
• Marking an application as Trusted for IPS or Firewall takes precedence even if the same application is not marked as Trusted for that feature in another assigned Trusted Applications policy.
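The merge rules above can be checked against a small model. The following Python is an added illustration, not McAfee code and not the product's internal data format: it applies the severity precedence, the "enabled beats disabled" rule for log status and client rules, and the union rules for exceptions and Trusted Applications to two constructed policy instances (the policy names, signature IDs, paths and default values are sample data invented for this example).

```python
"""Model of the effective-policy calculation for multiple-instance policies.

Added example (not McAfee code): signature IDs, policy names, paths and
default values are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional

# Severity precedence from the FAQ, highest first.
SEVERITY_ORDER = ["High", "Medium", "Low", "Information", "Disabled"]


@dataclass
class SignatureOverride:
    """Customized settings one IPS Rules instance applies to a signature.
    None means "not customized", so the default value applies."""
    severity: Optional[str] = None
    log: Optional[bool] = None
    client_rules: Optional[bool] = None


@dataclass
class IpsRulesPolicy:
    name: str
    overrides: dict = field(default_factory=dict)   # signature ID -> SignatureOverride
    exceptions: set = field(default_factory=set)    # exception rule names


@dataclass
class TrustedApp:
    path: str
    trusted_for_ips: bool = False
    trusted_for_firewall: bool = False


def effective_signature(sig_id, default, policies):
    """Return (severity, log, client_rules) for one signature; `default` is the
    content-supplied tuple used for any setting no instance customizes."""
    severity, log, client_rules = default
    customized = [p.overrides[sig_id] for p in policies if sig_id in p.overrides]
    severities = [o.severity for o in customized if o.severity is not None]
    if severities:
        # Highest customized severity wins: High > Medium > Low > Information > Disabled.
        severity = min(severities, key=SEVERITY_ORDER.index)
    logs = [o.log for o in customized if o.log is not None]
    if logs:
        log = any(logs)            # enabled beats disabled when both are customized
    crs = [o.client_rules for o in customized if o.client_rules is not None]
    if crs:
        client_rules = any(crs)    # same rule for the client-rules setting
    return severity, log, client_rules


def effective_exceptions(policies):
    """Union of the exceptions from every assigned instance."""
    merged = set()
    for p in policies:
        merged |= p.exceptions
    return merged


def effective_trusted_apps(app_lists):
    """Union of all Trusted Applications; a 'trusted for IPS/Firewall' mark in
    any instance takes precedence over its absence in another."""
    merged = {}
    for apps in app_lists:
        for app in apps:
            current = merged.setdefault(app.path, TrustedApp(app.path))
            current.trusted_for_ips |= app.trusted_for_ips
            current.trusted_for_firewall |= app.trusted_for_firewall
    return merged


# Constructed sample instances: a department policy and a server policy.
DEFAULT_SIG_1000 = ("Medium", False, False)   # constructed content defaults
DEFAULT_SIG_2000 = ("Low", True, True)
DEPT_POLICY = IpsRulesPolicy(
    name="Finance IPS Rules",
    overrides={1000: SignatureOverride(severity="Low", log=True)},
    exceptions={"Allow finance export tool"})
SERVER_POLICY = IpsRulesPolicy(
    name="Web Server IPS Rules",
    overrides={1000: SignatureOverride(severity="High", log=False),
               2000: SignatureOverride(client_rules=False)},
    exceptions={"Allow web log rotation"})
ASSIGNED = [DEPT_POLICY, SERVER_POLICY]
DEPT_APPS = [TrustedApp(r"C:\Tools\export.exe", trusted_for_ips=True)]
SERVER_APPS = [TrustedApp(r"C:\Tools\export.exe", trusted_for_firewall=True),
               TrustedApp(r"C:\Web\rotate.exe", trusted_for_ips=True)]


def demo():
    """The combined view that View Effective Policy would show for the sample."""
    return {"sig_1000": effective_signature(1000, DEFAULT_SIG_1000, ASSIGNED),
            "sig_2000": effective_signature(2000, DEFAULT_SIG_2000, ASSIGNED),
            "exceptions": effective_exceptions(ASSIGNED),
            "trusted": effective_trusted_apps([DEPT_APPS, SERVER_APPS])}
```

Running `demo()` shows the point of the FAQ: signature 1000 ends up High with logging on even though the department instance lowered it, because the highest customized severity and any enabled log status win, while the client-rules setting, customized in neither instance for that signature, keeps its default.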
How IPS signatures work
Signatures describe security threats, attack methodologies, and network intrusions. Each signature has a default severity level, which describes the potential danger of an attack:
High — Signatures that protect against clearly identifiable security threats or malicious actions. Most of these signatures are specific to well-identified exploits and are mostly non-behavioral in nature. They should be prevented on every host.
Medium — Signatures that are behavioral in nature and deal with preventing applications from operating outside of their environment (relevant for clients protecting web servers and Microsoft SQL Server 2000). On critical servers, you might want to prevent those signatures after fine-tuning.
Low — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they cannot be changed. Preventing these signatures increases the security of the underlying system, but requires additional fine-tuning.
Information — Indicates a modification to the system configuration that might create a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
Types of signatures
The IPS Rules policy can contain three types of signatures:
Host IPS signatures — Default host intrusion prevention signatures.
Custom IPS signatures — Custom host intrusion prevention signatures that you create.
Network IPS signatures — Default network intrusion prevention signatures.
Host IPS signatures
Host-based intrusion prevention signatures detect and prevent attacks on system operations, and include File, Registry, Service, and HTTP rules. They are developed by the Host Intrusion Prevention security experts and are delivered with the product and with content updates.
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature.
When triggered, host-based signatures generate an IPS event that appears in the Events tab of the Host IPS tab under Reporting.
Custom IPS signatures
Custom signatures are host-based signatures that you can create for protection beyond the default protection. For example, when you create a new folder with important files, you can create a custom signature to protect it.
NOTE: You cannot create network-based custom signatures.
Network IPS signatures
Network-based intrusion prevention signatures detect and prevent known network-based attacks that arrive on the host system. They appear in the same list of signatures as the host-based signatures.
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature.
You can create exceptions for network-based signatures; however, you cannot specify any additional parameter attributes such as operating system user or process name. Advanced details contain network-specific parameters, for example IP addresses, which you can specify.
Events generated by network-based signatures are displayed along with the host-based events in the Events tab and exhibit the same behavior as host-based events.
To work with signatures, click the Signatures tab in the IPS Rules policy.
Configuring IPS signatures
Edit default signatures, add custom signatures, and move signatures to another policy from the Signatures tab of the IPS Rules policy.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Rules in the Category list. The list of policies appears.
2 Under Actions, click Edit to make changes on the IPS Rules page, then click the Signatures tab.
3 Do any of the following:
To find a signature in the list: Use the filters at the top of the signatures list. You can filter on signature severity, type, platform, log status, whether client rules are allowed, or specific text that includes signature name, notes, or content version. Click Clear to remove filter settings.
To edit a signature: Under Actions, click Edit. If the signature is a default signature, you can modify the Severity Level, Client Rules, or Log Status settings, and enter notes in the Note box to document the change. Click OK to save any modifications. Edited default signatures can be reverted to their default settings by clicking Revert under Actions. If the signature is a custom signature, modify the Severity Level, Client Rules, Log Status, or Description settings, and enter notes in the Note box to document the change. Click OK to save any modifications.
NOTE: When you edit a signature and save the change, the signature is resorted in the list. As a result, you might need to search the list to find the edited signature.
NOTE: You can make changes to several signatures at once by selecting the signatures and clicking Edit Multiple. In the page that appears, select the settings for the three editable items, then click OK.
To add a signature: Click New or New (Wizard).
To delete a custom signature: Under Actions, click Delete.
NOTE: Only custom signatures can be deleted.
To copy a signature to another policy: Select a signature and click Copy To to copy it to another policy. Indicate the policy to which to copy the signature and click OK.
NOTE: You can copy several signatures at one time by selecting all the signatures before clicking Copy To.
4 Click Save to save any changes.
Creating custom signatures
Create custom host intrusion prevention signatures from the Signatures tab of the IPS Rules policy to protect specific operations not covered by default signatures.
Task
For option definitions, click ? in the interface.
1 On the IPS Rules policy Signatures tab, click New. A blank Signature page appears.
2 On the signature’s IPS Signature tab, type a name (required) and select the platform, severity level, log status, and whether to allow the creation of client rules. For severity level, client rules, and log status, select the checkbox to change the default values.
3 On the Description tab, type a description of what the signature is protecting. This description appears in the IPS Event when the signature is triggered.
4 On the Subrules tab, select New Standard Sub-Rule or New Expert Subrule to create a rule.
Standard method: The Standard method limits the number of types you can include in the signature rule.
1 Type a name for the signature (required) and choose a rule class type. Options include: Files, Hook, HTTP, Program, Registry, Services, and SQL.
2 Specify the class operations that are blocked and will trigger the signature.
3 Indicate whether to include or exclude a particular parameter, what the parameter is, and its value.
4 Include an executable as a parameter with information on at least one of these four values: file description, file name, MD5 hash fingerprint, or signer.
5 Click OK and the rule is added to the list at the top of the Subrule tab. The rule is compiled and the syntax is verified. If the rule fails verification, a dialog box describing the error appears. Fix the error and verify the rule again.
Expert method: The Expert method, recommended only for advanced users, enables you to provide the rule syntax without limiting the number of types you can include in the signature. Before writing a rule, make sure you understand rule syntax.
1 Type the rule syntax for the signatures, which can include a name for the rule. Use ANSI format and TCL syntax.
2 Click OK and the rule is added to the list at the top of the Subrule tab. The rule is compiled and the syntax is verified. If the rule fails verification, a dialog box describing the error appears. Fix the error and verify the rule again.
For details on working with class types, operations, and parameters, see the appropriate class section of Writing Custom Signatures and Exceptions.
5 Click OK.
NOTE: You can include multiple rules in a signature.
Creating custom signatures with a wizard
Use the custom signature wizard to simplify creating new signatures.
NOTE: Signatures created with the wizard do not offer any flexibility for the operations that the signature is protecting because you cannot change, add, or delete operations.
Task
For option definitions, click ? in the interface.
1 On the IPS Rules Signatures tab, click New (Wizard).
2 On the Basic Information tab, type a name and select the platform, severity level, log status, and whether to allow the creation of client rules. Click Next to continue.
3 On the Description tab, type a description of what the signature is protecting. This description appears in the IPS Event when the signature is triggered.
4 On the Rule Definition tab, select the item to protect against modifications and enter details.
5 Click OK.
FAQ — Use of wildcards in IPS Rules
Host IPS Rules permits the use of wildcards when entering values in certain fields.
Which wildcards can I use for path and address values?
For paths of files, registry keys, executables, and URLs, use these wildcards:
Character: Definition
? (question mark): A single character.
* (one asterisk): Multiple characters, excluding / and \ . Use to match the root-level contents of a folder with no subfolders.
** (two asterisks): Multiple characters, including / and \ .
| (pipe): Wildcard escape.
NOTE: For ** the escape is |*|*.
Which wildcards can I use for all other values?
For values that normally do not contain path information with slashes, use these wildcards:
Character: Definition
? (question mark): A single character.
* (one asterisk): Multiple characters, including / and \ .
| (pipe): Wildcard escape.
Which wildcards can I use for signature expert subrule values?
For all values when creating a subrule using the expert method:
Character: Definition
? (question mark): A single character.
* (one asterisk): Multiple characters, including / and \ . Example: files { Include "C:\*.txt" }
& (ampersand): Multiple characters except / and \ . Use to match the root-level contents of a folder but not any subfolders. Example: files { Include "C:\test\\&.txt" }
! (exclamation point): Wildcard escape. Example: files { Include "C:\test\\yahoo!.txt" }
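The three wildcard tables above differ only in which character plays which role, so a single translator can show what each pattern actually matches. The following Python is an added example, not McAfee code: it turns a Host IPS pattern in any of the three dialects into a regular expression and tests it against constructed sample values. Two assumptions of this example are not stated on the page: matching is case-insensitive (as Windows paths are), and the pattern is taken as plain text, so any TCL-level quoting of backslashes in an expert subrule string is assumed to have been removed already.

```python
"""Translate Host IPS wildcard patterns into regular expressions.

Added example (not McAfee code). Assumptions: case-insensitive matching, and
patterns are passed as plain text without TCL string quoting.
"""
import re

# One entry per wildcard table: which character plays which role.
DIALECTS = {
    # paths of files, registry keys, executables, and URLs
    "path":   {"single": "?", "multi_all": "**", "multi_no_sep": "*", "escape": "|"},
    # all other values (no path information)
    "value":  {"single": "?", "multi_all": "*", "escape": "|"},
    # values inside expert-method subrules
    "expert": {"single": "?", "multi_all": "*", "multi_no_sep": "&", "escape": "!"},
}


def translate(pattern, dialect="path"):
    """Return a regex source string equivalent to `pattern` in `dialect`."""
    d = DIALECTS[dialect]
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == d["escape"] and i + 1 < len(pattern):
            # An escaped character is literal, so |*|* stands for a literal **.
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif pattern.startswith(d["multi_all"], i):
            out.append(".*")                 # any characters, including / and \
            i += len(d["multi_all"])
        elif c == d.get("multi_no_sep"):
            out.append(r"[^/\\]*")           # any characters except / and \
            i += 1
        elif c == d["single"]:
            out.append(".")                  # exactly one character
            i += 1
        else:
            out.append(re.escape(c))         # everything else is literal
            i += 1
    return "".join(out)


def hips_match(pattern, value, dialect="path"):
    """True if `value` is matched in full by the Host IPS wildcard `pattern`."""
    return re.fullmatch(translate(pattern, dialect), value, re.IGNORECASE) is not None


def demo():
    """Constructed sample checks: (pattern, value, dialect) -> match result."""
    cases = [
        (r"C:\Temp\*.txt", r"C:\Temp\notes.txt", "path"),        # root-level file
        (r"C:\Temp\*.txt", r"C:\Temp\sub\notes.txt", "path"),    # * stops at \
        (r"C:\Temp\**.txt", r"C:\Temp\sub\notes.txt", "path"),   # ** crosses \
        (r"C:\Temp\|*|*.txt", r"C:\Temp\**.txt", "path"),        # escaped literal **
        (r"C:\test\&.txt", r"C:\test\sub\a.txt", "expert"),      # & stops at \
    ]
    return [hips_match(p, v, d) for p, v, d in cases]
```

The difference between the path and value dialects is the important one for writing exceptions: a single `*` in a path field deliberately stops at the folder separator, so a rule meant to cover a whole tree needs `**`, while in a non-path field a single `*` already spans everything.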
How IPS application protection rules work
Application protection rules control which processes receive generic buffer overflow protection from Host Intrusion Prevention. These rules permit or block user-level API hooking for defined and generated lists of processes. Kernel-level file and registry hooking are not affected. Only processes in the list with the inclusion status of included receive the buffer overflow protection.
Host Intrusion Prevention provides a static list of processes that are permitted or blocked. This list is updated with content update releases that apply in the McAfee Default IPS Rules policy. In addition, processes that are permitted to hook are added dynamically to the list when process analysis is enabled. This analysis is performed under these circumstances:
• Each time the client is started and running processes are enumerated.
• Each time a process starts.
• Each time the application protection list is updated by the ePolicy Orchestrator server.
• Each time the list of processes that listen on a network port is updated.
NOTE: For the dynamic update of the list, the IPS Options policy option to "automatically include network-facing and service-based applications in the application protection list" must be selected. This option implicitly includes all Windows services and applications that listen on network ports.
This analysis involves checking first if the process is excluded from the Application Protection list. If not, it checks whether the process is included in the Application Protection list. If not, the process is analyzed to see if it listens on a network port or runs as a service. If not, hooking is blocked and the process is not protected; if it listens on a port or runs as a service, hooking is permitted and the process is protected.
Figure 1: Application Protection Rules analysis
The IPS component maintains an information cache on running processes, which tracks hooking information. The firewall component determines if a process listens on a network port, calls an API exported by the IPS component, and passes the information to the API to be added to the monitored list. When the API is called, the IPS component locates the corresponding entry in its running processes list. A process that is not already hooked and is not part of the static block list is then hooked. The firewall provides the PID (Process ID), which is the key for the cache lookup of a process.
The API exported by the IPS component also allows the client user interface to retrieve the list of currently hooked processes, which is updated whenever a process is hooked or unhooked. A hooked process becomes unhooked if the server sends an updated process list that specifies that the already hooked process should no longer be hooked. When the process hooking list is updated, every process listed in the information cache of running processes is compared against the updated list. If the list indicates that a process should be hooked and it’s not already hooked, that process is hooked. If the lists indicate that a process should not be hooked and it is already hooked, that process is unhooked.
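The decision order described under "How IPS application protection rules work" (exclusion list, then inclusion list, then the port/service analysis) and the reconciliation of the running-process cache against an updated list are easy to get wrong when reasoning about why a given process is or is not protected. The following Python is an added model of both, not McAfee code and not the client's real API: process names, PIDs, lists and the `auto_include` flag are constructed stand-ins for the Application Protection Rules tab, the IPS Options setting, and the PID-keyed cache the text describes.

```python
"""Model of the application-protection hooking decision and list reconciliation.

Added example (not McAfee code): process names, PIDs and lists are constructed;
the decision order follows the analysis described in the guide.
"""
from dataclasses import dataclass


@dataclass
class Process:
    pid: int                        # key for the running-process cache lookup
    name: str
    listens_on_port: bool = False   # as reported by the firewall component
    runs_as_service: bool = False


def should_hook(proc, excluded, included, auto_include):
    """Decide whether a process receives buffer overflow protection.

    Order: exclusion list first, then inclusion list, then (only when the
    IPS Options setting to automatically include network-facing and
    service-based applications is selected) the port/service analysis."""
    if proc.name in excluded:
        return False
    if proc.name in included:
        return True
    if auto_include and (proc.listens_on_port or proc.runs_as_service):
        return True
    return False


def reconcile(cache, hooked, excluded, included, auto_include):
    """Compare every cached running process against the updated lists.

    Returns (to_hook, to_unhook): PIDs that should be hooked but are not,
    and PIDs that are hooked but should no longer be."""
    wanted = {p.pid for p in cache.values()
              if should_hook(p, excluded, included, auto_include)}
    return wanted - hooked, hooked - wanted


def on_port_listener(cache, hooked, pid, excluded, included, auto_include):
    """The firewall reports that `pid` listens on a port: update the cache entry
    and hook it unless it is already hooked or the lists block it."""
    proc = cache[pid]
    proc.listens_on_port = True
    if pid not in hooked and should_hook(proc, excluded, included, auto_include):
        hooked.add(pid)
        return True
    return False


# Constructed sample state: a cache of running processes and the two lists.
CACHE = {
    101: Process(101, "listener.exe", listens_on_port=True),
    102: Process(102, "editor.exe"),
    103: Process(103, "blocked.exe", listens_on_port=True),
    104: Process(104, "included.exe"),
    105: Process(105, "daemon.exe", runs_as_service=True),
}
EXCLUDED = {"blocked.exe"}   # static block list plus rules with status excluded
INCLUDED = {"included.exe"}  # rules with inclusion status included


def demo():
    """Processes 102 and 103 were hooked under an older list; the updated
    lists and the auto-include setting decide what changes."""
    hooked = {102, 103}
    return reconcile(CACHE, hooked, EXCLUDED, INCLUDED, auto_include=True)
```

Two outcomes of `demo()` are worth noticing: `blocked.exe` is unhooked even though it listens on a port, because the exclusion check comes first, and with `auto_include` turned off only explicitly included processes are protected, which is why the IPS Options setting matters for servers whose listening processes are not listed by name.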
The process hooking lists can be viewed and edited on the Application Protection Rules tab. The client user interface, unlike the view on the IPS Rules policy, shows a static list of all hooked application processes.
NOTE: To prevent injection of a DLL into an executable when using hook:set_windows_hook, include the executable in the Application Protection List.
Configuring IPS application protection rules
Edit, add, and delete rules and move rules to another policy from the Application Protection Rules tab of the IPS Rules policy.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Rules in the Category list. The list of policies appears.
2 Under Actions, click Edit to make changes on the IPS Rules page, then click the Application Protection Rules tab.
3 Perform any of the following operations:
To find an application rule in the list: Use the filters at the top of the application list. You can filter on rule status, inclusion, or specific text that includes process name, process path, or computer name. Click Clear to remove filter settings.
To edit an application rule: Under Actions, click Edit.
To add an application rule: Click New.
To delete an application rule: Under Actions, click Delete.
To copy an application rule to another policy: Select a rule and click Copy To to copy it to another policy. Indicate the policy to which to copy the rule and click OK.
NOTE: You can copy several rules at one time by selecting all the rules before clicking Copy To.
4 Click Save to save any changes.
Creating application protection rules
If the IPS Rules policy does not have an application protection rule that you need in your environment, you can create one.
Task
For option definitions, click ? in the interface.
1 On the IPS Rules policy Application Protection Rules tab, do one of the following:
• Click New. A blank Application page appears.
• Select a rule and click Duplicate. After naming and saving the new rule, click Edit.
2 Enter the name (required), status, whether the application rule is included in the protection list, and the executables to which you want to apply the rule.
NOTE: You can add an existing executable from the Host IPS Catalog by clicking Add From Catalog. For details on the catalog, see How the Host IPS catalog works under Configuring Firewall Policies.
3 Click Save.
How IPS exceptions work
Sometimes behavior that would be interpreted as an attack can be a normal part of a user’s work routine. This is called a false positive alert. To prevent false positives, create an exception for that behavior.
Exceptions enable you to reduce false positive alerts, minimize needless data flowing to the console, and ensure that the alerts are legitimate security threats.
For example, during the process of testing clients, a client recognizes the Outlook Envelope - Suspicious Executable Mod. signature. This signature signals that the Outlook e-mail application is attempting to modify an application outside the envelope of usual resources for Outlook. Thus, an event triggered by this signature is cause for alarm, because Outlook might be modifying an application not normally associated with email, for example, Notepad.exe. In this instance, you might reasonably suspect that a Trojan horse has been planted. But, if the process initiating the event is normally responsible for sending email, for example, saving a file with Outlook.exe, you need to create an exception that allows this action.
TIP: If you create a custom signature that prevents modification of files (editing, renaming, deleting) in a particular folder, but you want to allow a single application to make modifications, create an exception that would allow the application to make changes to the files. Alternatively, you could add in the custom signature's subrule the parameter with the application set to Exclude.
Configuring IPS exceptions
Edit, add, and delete exceptions and move exceptions to another policy from the Exceptions tab of the IPS Rules policy.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: IPS in the Product list and IPS Rules in the Category list. The list of policies appears.
2 Under Actions, click Edit to make changes on the IPS Rules page, then click the Exception Rules tab.
3 Perform any of the following operations:
To find an exception rule in the list: Use the filters at the top of the exception list. You can filter on rule status, modified date, or specific text that includes rule or notes text. Click Clear to remove filter settings.
To edit an exception rule: Under Actions, click Edit.
To add an exception rule: Click New.
To delete an exception rule: Under Actions, click Delete.
To copy an exception rule to another policy: Select a rule and click Copy To to copy it to another policy. Indicate the policy to which to copy the rule and click OK.
NOTE: You can copy several rules at one time by selecting all the rules before clicking Copy To.
4 Click Save to save changes.
Creating exception rules
To allow behavior prevented by a signature, create an exception for that signature. This can entail defining exception parameters and values. See Writing Custom Signatures and Exceptions for details on this aspect.
Task
For option definitions, click ? in the interface.
1 On the IPS Rules policy Exception Rules tab, click New.
2 Name the exception, be sure it is enabled, then include the signatures to which the exception applies.
3 Set executables, parameters, or Domain groups that play a role as a behavioral exception to the signature.
4 Click Save.
Monitor IPS events
An IPS event is triggered when a security violation, as defined by a signature, is detected and reported to the ePO server.
The IPS event appears on the Events tab of the Host IPS tab (or the Event Log tab along with all the other events for all the other products that ePolicy Orchestrator is managing) under Reporting with one of four severity level criteria: High, Medium, Low, and Information.
NOTE: When two events are triggered by the same operation, the highest signature reaction is taken.
From the list of events generated, you can determine which events are allowable and which indicate suspicious behavior. To allow events, configure the system with the following:
Exceptions — Rules that override a signature rule.
Trusted Applications — Applications that are labeled trusted whose operations might otherwise be blocked by a signature.
This tuning process keeps the events that appear to a minimum, providing more time for analysis of the serious events that occur.
Reacting to events
Under certain circumstances, behavior that is interpreted as an attack can be a normal part of a user’s work routine. When this occurs, you can create an exception rule or a trusted application rule for that behavior.
Creating exceptions and trusted applications allows you to diminish false positive alerts, and ensures that the notifications you receive are meaningful.
For example, when testing clients, you might find clients recognizing the signature email access. Typically, an event triggered by this signature is cause for alarm. Hackers can install Trojan applications that use TCP/IP Port 25 typically reserved for email applications, and this action would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal email traffic might also match this signature. When you see this signature, investigate the process that initiated the event. If the process is one that is not normally associated with email, like Notepad.exe, you might reasonably suspect that a Trojan was planted. If the process initiating the event is normally responsible for sending email (for example, Outlook), create an exception to that event.
You might also find, for example, that a number of clients are triggering the signature startup programs, which indicates the modification or creation of a value under the registry keys:
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce
As the values stored under these keys indicate programs that are started when the computer starts up, recognition of this signature might indicate that someone is attempting to tamper with the system. Or it might indicate something as benign as one of your employees installing WinZip on their computer. The installation of WinZip adds a value to the Run registry key.
To eliminate the triggering of events every time someone installs authorized software, you create exceptions for these events.
Filtering and aggregating events
Applying filters generates a list of events that satisfies all of the variables defined in the filter criteria. The result is a list of events that includes all of the criteria. Aggregating events generates a list of events grouped by the value associated with each of the variables selected in the "Select columns to aggregate" dialog box. The result is a list of events displayed in groups and sorted by the value associated with the selected variables.
Managing IPS events
Viewing IPS events coming from clients and creating exceptions or trusted applications from them helps tune and tighten security.
NOTE: IPS events also appear on the Event Log tab under Reporting combined with all other events for all systems. Access to the events tabs under Reporting requires additional permission sets, including view permissions for Event Log, Systems, and System Tree access.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Host IPS 8.0, then click Events.
2 Select the group in the System Tree for which you want to display IPS events. All events associated with the group appear. By default, not all events are displayed. Only events over the last 30 days appear.
3 Determine how you want to view the list of events:
• To select columns to display: Select Options | Choose Columns. In the Select Columns page, add, remove, or reorder the columns for the display.
• To sort by a column: Click the column header.
• To filter for groups: From the Filter menu, select This Group Only or This Group and All Subgroups.
• To filter for events criteria: Select event type, marked status (read, unread, hidden, unhidden), severity level, or date of creation. Click Clear to remove filter settings.
• To aggregate events: Click Aggregate, select the criteria on which to aggregate events, then click OK. Click Clear to remove aggregation settings.
• To view details of the event: Click the event. The Event Log details page appears.
4 Mark events to facilitate their filtering and tracking: select the checkbox of one or more events, then select the appropriate command.
• To mark the event as read: Select Actions | Mark Read.
• To mark a read event as unread: Select Actions | Mark Unread.
• To hide the event: Select Actions | Mark Hidden.
• To show hidden events: Select Actions | Mark Unhidden. Note: You must first filter for hidden events to be able to select them.
5 Create an exception or trusted application rule. Select an event and select Actions | New Exception to create an exception; or select Actions | New Trusted Application to create an application rule. See Creating an exception from an event or Creating a trusted application from an event for details.
Creating an exception from an event
For an event that appears under Reporting in the Host IPS 8.0 Events tab or on the Event Log page, you have the option of creating an exception.
Task
For option definitions, click ? in the interface.
1 Select the checkbox of the event for which you want to create an exception.
2 Select Actions | New Exception.
3 In the dialog box that appears, select a destination IPS Rules policy and click OK. The exception is created and added automatically to the bottom of the list of exceptions of the destination IPS Rules policy.
Creating a trusted application from an event
For an event that appears under Reporting in the Host IPS 8.0 Events tab or on the Event Log page, you have the option of creating a trusted application.
Task
For option definitions, click ? in the interface.
1 Select the checkbox of the event for which you want to create a trusted application.
2 Select Actions | New Trusted Application.
3 In the dialog box that appears, select a destination Trusted Application policy and click OK.
The trusted application is created and added automatically to the bottom of the list of trusted applications of the destination Trusted Application policy. From there, you can view or edit details of the new application.
Monitor IPS client rules
You need to periodically analyze IPS client rules created automatically when clients are in adaptive mode, or manually on the client whenever the Client UI policy option allows manual creation of client rules.
IPS client rules are exceptions created on a client to allow a functionality blocked by a signature. Pay particular attention to exceptions to high severity signatures, as these might indicate a serious issue or simply a false positive. If a false positive, move the exception to an IPS Rules policy or adjust the severity of the signature.
NOTE: Access to IPS Client Rules on the Host IPS tab under Reporting requires additional permissions other than that for Host Intrusion Prevention IPS, including view permissions for Event Log, Systems, and System Tree access.
You can sort, filter, and aggregate the exceptions and view their details. You can then promote some or all of the client exceptions to a particular IPS Rules policy to reduce false positives for a particular system environment.
Use the aggregation feature to combine exceptions that have the same attributes, so that only one aggregated exception appears, while keeping track of the number of times the exceptions occur. This allows for easily finding IPS protection trouble spots on clients.
Managing IPS client rules
Viewing IPS client rules created automatically in adaptive mode or manually on a client and moving them to an IPS Rules or Trusted Application policy allows for easy tuning of IPS protection.
NOTE: Access to IPS Client Rules on the Host IPS tab under Reporting requires additional permissions other than that for Host Intrusion Prevention IPS, including view permissions for Event Log, Systems, and System Tree access.
Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Host IPS 8.0, then click IPS Client Rules.
2 Select the group in the System Tree for which you want to display client rules.
3 Determine how you want to view the list of client exceptions:
• To sort by a column: Click the column header.
• To filter for groups: From the Filter menu select This Group Only or This Group and All Subgroups.
• To filter for exception criteria: Select time criteria; type process path, process name, user name, computer name, or signature ID in the search text box and press Return. Click Clear to remove filter settings.
• To aggregate exceptions: Click Aggregate, select the criteria on which to aggregate exceptions, then click OK. Click Clear to remove aggregation settings.
4 To move exceptions to a policy, select one or more exceptions in the list, click Create Exception, then indicate the policy to which to move the exceptions.
Configuring Firewall Policies
The Host Intrusion Prevention firewall policies turn protection on and off and provide rules to stop network intrusions that could compromise data, applications, or the operating system.
Contents
Overview of Firewall policies
Enable firewall protection
Define firewall protection
Overview of Firewall policies
The Host Intrusion Prevention firewall feature provides security by filtering traffic into and out of networked systems running Windows. Stateful filtering and packet inspection identify packets for different types of connections, and hold in memory the attributes of network connections from start-to-finish of transmission.
A Host IPS catalog simplifies rule creation by allowing you to add existing rules, groups, network options, applications, executables, and locations from the catalog to new and existing firewall rules and groups. It also allows the addition of these elements to the catalog either on an item-by-item basis or by batch process.
Available policies
There are three Firewall policies:
Firewall Options — Enables firewall protection. It turns firewall protection on and off, defines stateful firewall settings, and enables special firewall-specific protection such as allowing outgoing traffic only until the firewall service has started, and blocking IP spoofing and malicious traffic.
Firewall Rules — Defines firewall protection. It consists of a set of rules that defines what traffic is allowed and what is blocked. You can define rules broadly (for example, all IP traffic) or narrowly (for example, identifying a specific application or service), with various network, transport, application, and schedule options. You can group rules according to a work function, service, or application for easier management. Like rules, rule groups can be defined by network, transport, application, schedule, and location options.
Firewall DNS Blocking — Defines a set of domain name patterns, which can include wildcards, that are to be blocked. When applied, this policy dynamically adds a rule near the top of the firewall rules list that prevents resolving the IP address of the specified domain.
How firewall rules work
Firewall rules determine how to handle network traffic. Each rule provides a set of conditions that traffic has to meet and an action to allow or block traffic. When Host Intrusion Prevention finds traffic that matches a rule’s conditions, it performs the associated action.
Host Intrusion Prevention uses precedence to apply rules: the rule at the top of the firewall rules list is applied first. If the traffic meets this rule’s conditions, Host Intrusion Prevention allows or blocks the traffic. It does not try to apply any other rules in the list. If, however, the traffic does not meet the first rule’s conditions, Host Intrusion Prevention looks at the next rule in the list. It works its way down through the firewall rules list until it finds a rule that the traffic matches. If no rule matches, the firewall automatically blocks the traffic. If learn mode is activated, the user is prompted for an action to be taken. If adaptive mode is activated, an allow rule is created for the traffic. Sometimes the intercepted traffic matches more than one rule in the list. In this case, precedence means that Host Intrusion Prevention applies only the first matching rule in the list.
Best practices
When you create or customize a firewall rules policy, place the more specific rules at the top of the list, and the more general rules at the bottom. This ensures that Host Intrusion Prevention filters traffic appropriately.
For example, to allow all HTTP requests except from a specific address (for example, IP address 10.10.10.1), you need to create two rules:
Block Rule — Block HTTP traffic from IP address 10.10.10.1. This rule is more specific.
Allow Rule — Allow all traffic using the HTTP service. This rule is more general.
You must place the more specific Block Rule higher in the firewall rules list than the more general Allow Rule. This ensures that when the firewall intercepts the HTTP request from address 10.10.10.1, the first matching rule it finds is the one that blocks this traffic through the firewall.
If you placed the more general Allow Rule higher than the more specific Block Rule, Host Intrusion Prevention would match all HTTP requests against the Allow Rule before it found the Block Rule. It would thus allow the traffic, even though you wanted to block the HTTP request from a specific address.
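The precedence behaviour described above, as an added example that is not part of the guide or McAfee's code: a small Python first-match evaluator run over the guide's two-rule HTTP scenario. The rule fields (protocol, remote address, remote port), the packet layout, the adaptive-mode handling of unmatched traffic and the shadowed-rule check are constructed for this illustration and are simplified relative to the product.

```python
"""First-match firewall rule evaluation.

Added illustration of the precedence behaviour the guide describes; this is not
McAfee code. Rules are checked top to bottom, the first matching rule decides,
and traffic that matches no rule is blocked (or, in adaptive mode, learned as an
allow rule). Rule fields and sample traffic are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp"
    remote_ip: str
    remote_port: Optional[int]   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    proto: Optional[str] = None        # None = any protocol
    remote_ip: Optional[str] = None    # None = any address
    remote_port: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        # Every condition that is set must match; unset conditions match anything.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.remote_ip is None or self.remote_ip == pkt.remote_ip)
                and (self.remote_port is None or self.remote_port == pkt.remote_port))


def evaluate(rules: List[Rule], pkt: Packet, adaptive: bool = False) -> Tuple[str, str]:
    """Return (action, deciding rule). First match wins; no match means block."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    if adaptive:
        # Adaptive mode: unmatched traffic gets an allow rule appended to the list.
        learned = Rule(f"adaptive:{pkt.proto}/{pkt.remote_ip}:{pkt.remote_port}", "allow",
                       proto=pkt.proto, remote_ip=pkt.remote_ip, remote_port=pkt.remote_port)
        rules.append(learned)
        return "allow", learned.name
    return "block", "<default deny>"


def covers(general: Rule, specific: Rule) -> bool:
    """True if every condition set on `general` is set identically on `specific`,
    so `general` matches everything `specific` matches."""
    for field in ("proto", "remote_ip", "remote_port"):
        g = getattr(general, field)
        if g is not None and g != getattr(specific, field):
            return False
    return True


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them:
    the 'general allow above specific block' ordering mistake the guide warns about."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(covers(earlier, later) for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# The guide's scenario: allow all HTTP except from 10.10.10.1.
BLOCK_RULE = Rule("Block Rule", "block", proto="tcp", remote_ip="10.10.10.1", remote_port=80)
ALLOW_RULE = Rule("Allow Rule", "allow", proto="tcp", remote_port=80)
CORRECT_ORDER = [BLOCK_RULE, ALLOW_RULE]   # specific rule first
WRONG_ORDER = [ALLOW_RULE, BLOCK_RULE]     # general rule first shadows the block

if __name__ == "__main__":
    from_bad_host = Packet("tcp", "10.10.10.1", 80)
    print(evaluate(CORRECT_ORDER, from_bad_host))   # ('block', 'Block Rule')
    print(evaluate(WRONG_ORDER, from_bad_host))     # ('allow', 'Allow Rule')
    print(shadowed_rules(WRONG_ORDER))              # ['Block Rule']
```

The `shadowed_rules` check is the useful part when reviewing a long rules list: any rule it reports is dead, and a dead block rule placed under a broader allow rule is exactly the misordering the guide describes. Note that `evaluate` appends to the list it is given when `adaptive=True`, so pass a copy if the original order must be preserved.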
Firewall protocols
Firewall protection works at several layers of the network architecture, where different criteria are used to restrict network traffic. This network architecture is built on the Transmission Control Protocol/Internet Protocol (TCP/IP) suite.
Link Layer
The link layer protocol describes the media access control (MAC) method, and some minor error-detection facilities.
Ethernet LAN (802.3), wireless Wi-Fi (802.11x), and virtual LAN (VPN) are in this layer. Both firewall rules and groups distinguish between wired, wireless, and virtual links.
Network Layer
The network layer protocols define whole-network addressing schemes, routing, and network control schemes.
It likewise supports arbitrary non-IP protocols, but cannot detect any network or transport layer parameters for them. At best, this allows the administrator to block or allow these network layer protocols. The numbers associated with the non-IP protocols are based on the Ethernet numbers defined by the Internet Assigned Numbers Authority (IANA), and published at http://www.iana.org/assignments/ethernet-numbers.
The Host IPS firewall offers full support for IPv4 and IPv6 on Windows XP, Windows Vista, Windows Server 2008, and Windows 7.
Transport Layers
IP can be used as the network protocol for a number of different transport protocols. In practice, four are commonly used: TCP, the User Datagram Protocol (UDP), the Internet Control Message Protocol version 4 and version 6 (ICMPv4 and ICMPv6).
TCP
TCP is a connection-oriented reliable transport protocol. It guarantees that the data contained in network packets are delivered reliably, and in order. It also controls the rate at which data is received and transmitted. This entails a certain amount of overhead, and makes the timing of TCP operations unpredictable when network conditions are sub-optimal.
TCP is the transport layer for the vast majority of application protocols. HTTP, FTP, SMTP, RDP, SSH, POP, and IMAP all use TCP.
TCP multiplexes between application-layer protocols using the concept of “ports.” Each TCP packet contains a source and destination port number, from 0 to 65535. Usually, the server end of a TCP connection listens for connections on a fixed port.
Ports 0 to 1023 are reserved as “well-known ports.” Numbers in this range are usually assigned to protocols by the IANA (www.iana.org/assignments/protocol-numbers), and most operating systems require a process to have special permissions to listen on one of these ports.
Firewall rules are generally constructed to block certain ports and allow others, thereby limiting the activities that can occur on the network.
UDP
UDP is a connectionless best-effort transport protocol. It makes no guarantees about reliability or packet order, and lacks flow control features. In practice, it has some very desirable properties for certain classes of traffic.
UDP is often used as a transport protocol for performance-critical applications (which might implement some of the reliability and packet-ordering features of TCP in the application protocol), and in real-time multi-media applications, where a dropped packet causes only a momentary glitch in the data stream, and is thus more acceptable than a stream that has to stop and wait for re-transmission. IP telephony and videoconferencing software often uses UDP, as do some multi-player video games.
The UDP multiplexing scheme is identical to that of TCP: each datagram has a source and destination port, ranging from 0 to 65535.
ICMP
ICMP is used as an out-of-band communication channel between IP hosts. It is useful in troubleshooting, and necessary to the proper function of an IP network, as it is the error reporting mechanism.
IPv4 and IPv6 have separate, unrelated ICMP protocol variants. ICMPv4 is often referred to as simply ICMP.
ICMPv6 is additionally important in an IPv6 network, as it is used for several critical tasks, such as neighbor discovery (which ARP handles in an IPv4 network). Users are strongly discouraged from blocking ICMPv6 traffic if IPv6 is supported on their network.
Instead of port numbers, both versions of ICMP define a handful of “message types.” "Echo Request" and "Echo Reply" are used for ping. "Destination Unreachable" messages indicate routing failures. ICMP also implements a Traceroute facility, though UDP and TCP can be used for this purpose as well.
Other transport protocols
IP supports well over a hundred other transport protocols, but most are rarely used. Nevertheless, the complete list of IANA-recognized protocols is at least minimally supported. Rules can be created to block or allow traffic over all IP transport protocols, though the firewall does not support any multiplexing mechanism these protocols might use.
Several are used to overlay other types of networks on top of an IP network (network tunneling). Some of these (notably GRE, AH, and ESP) are used for IP encryption and VPNs.
IP protocol numbers are listed at www.iana.org/assignments/protocol-numbers.
Common Unsupported Protocols
There are several network protocols that the Host IPS firewall does not support. Traffic belonging to these protocols, usually with an unparsable EtherType, is either always blocked, or always allowed, depending on whether the option "Allow traffic for unsupported protocols" in the Firewall Options policy is selected.
How firewall rule groups work
Group firewall rules for easier management. Rule groups do not affect the way Host Intrusion Prevention handles the rules within them; they are still processed from top to bottom.
Groups are associated with many of the items associated with rules, including network options, transport options, applications, and schedules. In addition to these, groups have location settings, which allow you to make groups location-aware and create connection isolation. The settings for the group are processed before the settings for the rules it contains. If there is any conflict between these, the settings of the group take precedence.
NOTE: If connection isolation on the Location tab is enabled, a group cannot have associated transport options and applications.
Making groups location-aware
Host Intrusion Prevention allows you to make a group and the rules it contains location-aware. The Location tab and the Network Options tab of the group allows you to make the groups network adapter-aware, so that computers with multiple network interfaces can have rules apply that are adapter-specific. After enabling location status and naming the location, parameters for allowed connections can include any or all of the following for each network adapter:
On the Location tab:
• Connection-specific DNS suffix
• Gateway IP
• DHCP IP
• DNS server queried to resolve URLs
• WINS server used
• Registry key
On the Network Options tab:
• Local IP address
• Media type
If two location-aware groups apply to a connection, Host Intrusion Prevention uses normal precedence and processes the first applicable group in its rule list. If no rule in the first group matches, rule processing continues and might match a rule in the next group.
When Host Intrusion Prevention matches a location-aware group’s parameters to an active connection, it applies the rules within the group. It treats the rules as a small rule set and uses normal precedence. If some rules do not match the intercepted traffic, the firewall ignores them.
Note the following:
• If Location status is selected, a location name is required.
• If Local Network is selected, the IP address of the adapter must match one of the list entries.
• If DNS Suffix is selected, the DNS suffix of the adapter must match one of the list entries.
• If Default Gateway is selected, the default adapter Gateway IP must match at least one of the list entries.
• If DHCP Server is selected, the adapter DHCP server IP must match at least one of the list entries.
• If DNS Server List is selected, the adapter DNS server IP address must match any of the list entries.
• If Primary WINS Server is selected, the adapter primary WINS server IP address must match at least one of the list entries.
• If Secondary WINS Server is selected, the adapter secondary WINS server IP address must match at least one of the list entries.
Firewall rule group connection isolation
A connection isolation option is available for groups to prevent undesirable traffic from accessing a designated network. This can be done through other active network interfaces on a computer, such as a wireless adapter connecting to a wi-fi hotspot while a wired adapter is connected to a LAN.
When the Isolate this connection option is selected under a group's Location settings, and an active Network Interface Card (NIC) matches the group criteria, the only types of traffic processed are traffic matching allow rules above the group in the firewall rules list, and traffic matching the group criteria. All other traffic is blocked.
NOTE: Any group with connection isolation enabled cannot have associated transport options or applications.
Figure 2: Network connection isolation
As examples of using the connection isolation option, consider two settings: a corporate environment and a hotel. The active firewall rules list contains rules and groups in this order:
1 Rules for basic connection
2 VPN connection rules
3 Group with corporate LAN connection rules
4 Group with VPN connection rules
Connection isolation on the corporate network
Connection rules are processed until the group with corporate LAN connection rules is encountered. This group contains these settings:
• Media type = Wired
• Connection-specific DNS suffix = mycompany.com
• Default gateway address
• Isolate this Connection = yes
The computer has both LAN and wireless network adapters and connects to the corporate network with a wired connection, but the wireless interface is still active, so it connects to a hotspot outside the office. The computer connects to both networks because the rules for basic access are at the top of the firewall rules list. The wired LAN connection is active and meets the criteria of the corporate LAN group. The firewall processes the traffic through the LAN but because connection isolation is enabled, all other traffic not through the LAN is blocked.
Connection isolation at a hotel
Connection rules are processed until the group with VPN connection rules is encountered. This group contains these settings:
• Connection type = virtual
• DNS suffix = vpn.mycompany.com
• IP Address = an address in a range specific to the VPN concentrator
• Isolate this Connection = yes
General connection rules allow the set-up of a timed account at the hotel to gain internet access. The VPN connection rules allow connection and use of the VPN tunnel. After the tunnel is established, the VPN client creates a virtual adapter that matches the criteria of the VPN group. The only traffic the firewall allows is inside the VPN tunnel and the basic traffic on the actual adapter. Attempts by other hotel guests to access the computer over the network, either wired or wireless, are blocked.
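The location-aware group matching described under Making groups location-aware and the connection isolation behaviour illustrated by the corporate LAN scenario above, as one added Python example that is not part of the guide or McAfee's code. The adapter attributes, group criteria (media type, local network, DNS suffix, gateway), rule conditions and traffic are constructed for the illustration; the scenario mirrors the guide's wired corporate LAN with a wireless hotspot still active.

```python
"""Location-aware firewall groups and connection isolation.

Added illustration of the group behaviour this section describes; this is not
McAfee code. Adapter attributes, group criteria, rules and traffic are constructed
for the example, which mirrors the guide's corporate LAN scenario.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Adapter:
    name: str
    media: str          # "wired", "wireless" or "virtual"
    local_ip: str
    dns_suffix: str     # connection-specific DNS suffix
    gateway: str        # default gateway IP


@dataclass(frozen=True)
class Packet:
    adapter: str        # adapter the traffic uses
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "block"
    match: Callable[[Packet], bool]     # the rule's conditions


@dataclass
class Group:
    name: str
    rules: List[Rule]
    media: Optional[str] = None           # Network Options tab: media type
    local_networks: Tuple[str, ...] = ()  # Network Options tab: local IP address ranges
    dns_suffixes: Tuple[str, ...] = ()    # Location tab: connection-specific DNS suffix
    gateways: Tuple[str, ...] = ()        # Location tab: gateway IP
    isolate: bool = False                 # Location tab: Isolate this connection

    def applies_to(self, adapter: Adapter) -> bool:
        """Each selected criterion must match at least one of its list entries."""
        if self.media is not None and adapter.media != self.media:
            return False
        if self.local_networks and not any(
                ipaddress.ip_address(adapter.local_ip) in ipaddress.ip_network(net)
                for net in self.local_networks):
            return False
        if self.dns_suffixes and adapter.dns_suffix not in self.dns_suffixes:
            return False
        if self.gateways and adapter.gateway not in self.gateways:
            return False
        return True


def evaluate(entries: List[Union[Rule, Group]], pkt: Packet,
             active: Dict[str, Adapter]) -> Tuple[str, str]:
    """First-match evaluation over an ordered mix of rules and groups.

    `active` holds the adapters currently up. Returns (action, source)."""
    adapter = active[pkt.adapter]
    for entry in entries:
        if isinstance(entry, Rule):
            if entry.match(pkt):
                return entry.action, entry.name
            continue
        if entry.applies_to(adapter):
            # The group's rules form a small rule set with normal precedence.
            for rule in entry.rules:
                if rule.match(pkt):
                    return rule.action, f"{entry.name}/{rule.name}"
            continue
        if entry.isolate and any(entry.applies_to(a) for a in active.values()):
            # Another active adapter matches this isolating group, so traffic on this
            # adapter is processed only by allow rules above the group (which would
            # already have returned). Everything else is blocked here.
            return "block", f"isolated by {entry.name}"
    return "block", "<default deny>"


# Constructed scenario: wired corporate LAN plus a wireless hotspot on the same host.
WIRED = Adapter("eth0", "wired", "10.0.5.20", "mycompany.com", "10.0.0.1")
WIFI = Adapter("wlan0", "wireless", "192.168.1.50", "hotspot.example", "192.168.1.1")

BASIC = Rule("Allow DNS", "allow", lambda p: p.proto == "udp" and p.port == 53)
CORP_LAN = Group("Corporate LAN",
                 rules=[Rule("Allow all on LAN", "allow", lambda p: True)],
                 media="wired", dns_suffixes=("mycompany.com",), gateways=("10.0.0.1",),
                 isolate=True)
ALLOW_HTTP = Rule("Allow HTTP", "allow", lambda p: p.proto == "tcp" and p.port == 80)
ENTRIES = [BASIC, CORP_LAN, ALLOW_HTTP]

if __name__ == "__main__":
    both = {"eth0": WIRED, "wlan0": WIFI}
    print(evaluate(ENTRIES, Packet("eth0", "tcp", 445), both))  # LAN traffic allowed
    print(evaluate(ENTRIES, Packet("wlan0", "tcp", 80), both))  # hotspot HTTP isolated
    print(evaluate(ENTRIES, Packet("wlan0", "udp", 53), both))  # basic rule above group
    print(evaluate(ENTRIES, Packet("wlan0", "tcp", 80), {"wlan0": WIFI}))  # no LAN: allowed
```

The last call shows the point of isolation: the same hotspot HTTP request that is blocked while the wired LAN adapter matches the isolating group is allowed by the general Allow HTTP rule once that adapter is gone, and DNS stays allowed in both cases only because its allow rule sits above the group.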
How the Host IPS catalog works
The Host IPS catalog simplifies firewall rule and group creation by allowing you to reference existing rules, groups, network addresses, applications, executables, and group location data. In addition, you can reference executables for applications involved in IPS protection.
When referencing a catalog item, you create a dependent link between it and a firewall rule or group. This means a change of the item in the catalog changes it wherever it is used. You can also break the link between the catalog item and a rule or group, to remove the dependency.
The Host IPS Catalog, found in ePolicy Orchestrator under Policy, contains six pages listing previously placed firewall rule and firewall group items. Items can be created individually in the catalog, added by linking them to ones created in new firewall and rule groups, or imported from xml-format exports of Firewall Rules policies.
The catalog pages include:
• Group — List of firewall groups and properties
• Rule — List of firewall rules and properties
• Application — List of applications that can be referenced in a firewall group or rule
• Executable — List of executables attached to applications that can be referenced in a firewall group or rule or in IPS- related applications
• Network — List of IP addresses that can be referenced in a firewall group or rule
• Location — List of location-specific information for firewall groups
Table 7: Host IPS Catalog as source for items
Feature    Policy                Policy item                       Catalog item   Dependency
Firewall   Firewall Rules        Firewall Rule                     Rule           Yes
Firewall   Firewall Rules        Firewall Group                    Group          Yes
Firewall   Firewall Rules        Firewall Group Location           Location       Yes
Firewall   Firewall Rules        Firewall Rule/Group               Network        Yes
Firewall   Firewall Rules        Firewall Rule/Group               Application    Yes
Firewall   Firewall Rules        Firewall Rule/Group Application   Executable     Yes
IPS        IPS Rules             Application Protection Rule       Executable     No
General    Trusted Applications  Trusted Application               Executable     No
Catalog filters
Each catalog page contains a filter to search for items in the list on the page. Click Hide/Show Filter Options to hide or show the filter, click Set Filter to filter with the criteria entered, click Clear to reset the filter.
Copying from the catalog
When using the Firewall Rule Builder or Firewall Group Builder, click the Add from Catalog button to add the appropriate item from the catalog. This creates a dependent link between the items, which can be broken when required.
Adding to the catalog
You add to the catalog in one of three ways:
• Click New in the catalog page, enter the information, and save the item.
• Click Add to Catalog next to the item when creating or editing rules or groups using the Firewall Rule Builder or Firewall Group Builder.
• Click Import to add previously exported Host IPS catalog data in .xml format.
NOTE: Policy Catalog exports in .xml format are not compatible with the Host IPS Catalog .xml format. This means you cannot export a Firewall Rules policy from the Policy Catalog and import it into the Host IPS Catalog to populate it with firewall rules data from the policy. To get firewall policy data into the Host IPS Catalog, use the Add to Catalog links.
Firewall stateful packet filtering and inspection
The firewall in Host Intrusion Prevention provides both stateful packet filtering and stateful packet inspection.
Stateful packet filtering is the stateful tracking of TCP/UDP/ICMP protocol information at Transport Layer 4 and lower of the OSI network stack. Each packet is examined and if the inspected packet matches an existing firewall allow rule, the packet is allowed and an entry is made in a state table. The state table dynamically tracks connections previously matched against a static rule set, and reflects the current connection state of the TCP/UDP/ICMP protocols. If an inspected packet matches an existing entry in the state table, the packet is allowed without further scrutiny. When a connection is closed or times out, its entry is removed from the state table.
Stateful packet inspection is the process of stateful packet filtering and tracking commands at Application Layer 7 of the network stack. This combination offers a strong definition of the computer’s connection state. Access to the application level commands provides error-free inspection and securing of the FTP protocol.
Firewall state table
A stateful firewall includes a state table that dynamically stores information about active connections created by allow rules.
Each entry in the table defines a connection based on:
Protocol — The predefined way one service talks with another; includes TCP, UDP and ICMP protocols.
Local and remote computer IP addresses — Each computer is assigned a unique IP address. IPv4, the current standard for IP addresses, permits addresses 32 bits long, whereas IPv6, a newer standard, permits addresses 128 bits long. IPv6 is already supported by some operating systems, such as Windows Vista and several Linux distributions. Host Intrusion Prevention supports both standards.
Local and remote computer port numbers — A computer sends and receives services using numbered ports. For example, HTTP service typically is available on port 80, and FTP services on port 21. Port numbers range from 0 to 65535.
Process ID (PID) — A unique identifier for the process associated with a connection’s traffic.
Timestamp — The time of the last incoming or outgoing packet associated with the connection.
Timeout — The time limit (in seconds), set with the Firewall Options policy, after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection is not established.
Direction — The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection’s parameters in the state table.
Note the following about the state table:
• If firewall rule sets change, all active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table.
• If an adapter obtains a new IP address, the firewall recognizes the new IP configuration and drops all entries in the state table with an invalid local IP address.
• When a process ends, all entries in the state table associated with that process are deleted.
How stateful filtering works
Stateful filtering involves processing a packet against two rule sets: a configurable firewall rule set and a dynamic firewall rule set, the state table.
The configurable rules have two possible actions:
Allow — The packet is permitted and an entry is made in the state table.
Block — The packet is blocked and no entry is made in the state table.
The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action, Allow, so that any packet matched to a rule in the state table is automatically permitted.
The filtering process includes the following:
1 The firewall compares an incoming packet against entries in the state table. If the packet matches any entry in the table, the packet is immediately allowed. If not, the configurable firewall rules list is examined.
NOTE: A state table entry is considered a match if the Protocol, Local Address, Local Port, Remote Address and Remote Port match those of the packet.
2 If the packet matches an allow rule, it is allowed and an entry is created in the state table.
3 If the packet matches a block rule, it is blocked.
4 If the packet does not match any configurable rule, it is blocked.
Figure 3: Stateful filtering process
How stateful packet inspection works
Stateful packet inspection combines stateful filtering with access to application-level commands, which secures protocols such as FTP.
FTP involves two connections: control for commands and data for the information. When a client connects to an FTP server, the control channel is established, arriving on FTP destination port 21, and an entry is made in the state table. If the option for FTP inspection has been set with the Firewall Options policy, when the firewall encounters a connection opened on port 21, it knows to perform stateful packet inspection on the packets coming through the FTP control channel.
With the control channel open, the client communicates with the FTP server. The firewall parses the PORT command in the packet and creates a second entry in the state table to allow the data connection.
When the FTP server is in active mode, it opens the data connection; in passive mode, the client initiates the connection. When the FTP server receives the first data transfer command (LIST), it opens the data connection toward the client and transfers the data. The data channel is closed after the transmission is completed.
The combination of the control connection and one or more data connections is called a session, and FTP dynamic rules are sometimes referred to as session rules. The session remains established until its control channel entry is deleted from the state table. During the periodic cleanup of the table, if a session’s control channel has been deleted, all data connections are subsequently deleted.
Stateful protocol tracking
The types of protocol connections monitored by the stateful firewall and how they are handled are summarized here.
Protocol: Description of handling
UDP: A UDP connection is added to the state table when a matching static rule is found and the action from the rule is Allow. Generic UDP connections, which carry Application-Level protocols unknown to the firewall, remain in the state table as long as the connection is not idle longer than the specified timeout period.
ICMPv4/v6: Only ICMP Echo Request and Echo Reply message types are tracked.
NOTE: In contrast to the reliable, connection-oriented TCP protocol, UDP and ICMPv4/v6 are less reliable, connectionless protocols. To secure these protocols, the firewall considers generic UDP and ICMP connections to be virtual connections, held only as long as the connection is not idle longer than the timeout period specified for the connection. The timeout for virtual connections is set in the Firewall Options policy.
When using IPv6, stateful firewall functionality is supported only on Windows Vista and later platforms.
TCP: The TCP protocol works on the 3-way handshake. When a client computer initiates a new connection, it sends a packet to its target with the SYN bit set, indicating a new connection. The target responds by sending a packet to the client with the SYN and ACK bits set. The client then responds by sending a packet with the ACK bit set, and the stateful connection is established. All outgoing packets are allowed, but only incoming packets that are part of the established connection are allowed. An exception is when the firewall first queries the TCP protocol and adds all pre-existing connections that match the static rules. Pre-existing connections without a matching static rule are blocked. The TCP connection timeout, which is set in the Firewall Options policy, is enforced only when the connection is not established. A second or forced TCP timeout applies to established TCP connections only. This timeout is controlled by a registry setting and has a default value of one hour. Every four minutes the firewall queries the TCP stack and discards connections that are not reported by TCP.
DNS: Query/response matching ensures DNS responses are only allowed to the local port that originated the query and only from a remote IP address that has been queried within the UDP Virtual Connection Timeout interval. Incoming DNS responses are allowed if:
• The connection in the state table has not expired.
• The response comes from the same remote IP address and port where the request was sent.
DHCP: Query/response matching ensures that return packets are allowed only for legitimate queries. Thus incoming DHCP responses are allowed if:
• The connection in the state table has not expired.
• The response transaction ID matches the one from the request.
FTP: The firewall performs stateful packet inspection on TCP connections opened on port 21. Inspection occurs only on the control channel, the first connection opened on this port. FTP inspection is performed only on the packets that carry new information; retransmitted packets are ignored. Dynamic rules are created depending on direction (client/server) and mode (active/passive):
• Client FTP Active Mode: the firewall creates a dynamic incoming rule after parsing the incoming PORT command, provided the PORT command is RFC 959 compliant. The rule is deleted when the server initiates the data connection or the rule expires.
• Server FTP Active Mode: the firewall creates a dynamic outgoing rule after parsing the incoming PORT command.
• Client FTP Passive Mode: the firewall creates a dynamic outgoing rule when it reads the PASV command response sent by the FTP server, provided it has previously seen the PASV command from the FTP client and the PASV command is RFC 959 compliant. The rule is deleted when the client initiates the data connection or the rule expires.
• Server FTP Passive Mode: the firewall creates a dynamic incoming rule.
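The PORT/PASV handling in the FTP row above and under How stateful packet inspection works, as an added Python simulation that is not Host IPS code. The 60-second lifetime of an unused dynamic rule, the rule field names, and the server-side handling of the 227 reply are assumptions of this example; the RFC 959 h1,h2,h3,h4,p1,p2 format is the real one.

```python
import re

# RFC 959 host-port form used by the PORT command and the 227 PASV reply: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
PASV_REPLY = re.compile(r"^227 .*\((\d{1,3}(?:,\d{1,3}){5})\)")
RULE_TTL = 60.0   # assumed lifetime (seconds) of a dynamic rule that is never used


def parse_hostport(spec):
    """Return (ip, port) for an RFC 959 compliant h1,h2,h3,h4,p1,p2 string, else None."""
    m = HOSTPORT.match(spec.strip())
    if m is None:
        return None
    f = [int(x) for x in m.groups()]
    if max(f) > 255 or f[4] * 256 + f[5] == 0:
        return None
    return ".".join(str(x) for x in f[:4]), f[4] * 256 + f[5]


class FtpInspector:
    """Inspects one FTP control channel (port 21) and issues dynamic data-channel rules."""

    def __init__(self, role, local_ip, remote_ip):
        if role not in ("client", "server"):
            raise ValueError("role must be 'client' or 'server'")
        self.role, self.local_ip, self.remote_ip = role, local_ip, remote_ip
        self.pasv_seen = False          # client side: a PASV command must precede the 227 reply
        self.dynamic_rules = []         # each rule dict carries an 'expires' timestamp

    def _add(self, now, **match):
        rule = dict(match, proto="TCP", expires=now + RULE_TTL)
        self.dynamic_rules.append(rule)
        return rule

    def observe(self, line, outgoing, now=0.0):
        """Feed one control-channel line; return the dynamic rule it produced, or None."""
        line = line.rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        from_client = outgoing if self.role == "client" else not outgoing
        if verb == "PORT" and from_client:
            hp = parse_hostport(line[4:])
            if hp is None:
                return None             # not RFC 959 compliant: no rule is created
            ip, port = hp
            if self.role == "client":   # active mode: the server will connect in to our port
                return self._add(now, direction="in", local_port=port, remote_ip=self.remote_ip)
            return self._add(now, direction="out", remote_ip=ip, remote_port=port)
        if verb == "PASV" and from_client:
            self.pasv_seen = True
            return None
        m = PASV_REPLY.match(line)
        if m and not from_client:
            hp = parse_hostport(m.group(1))
            if hp is None:
                return None
            ip, port = hp
            if self.role == "client":
                if not self.pasv_seen:
                    return None         # 227 reply without a preceding PASV is ignored
                self.pasv_seen = False
                return self._add(now, direction="out", remote_ip=ip, remote_port=port)
            # server side (assumption of this example): let the client in to the chosen port
            return self._add(now, direction="in", local_port=port, remote_ip=self.remote_ip)
        return None

    def match_data(self, now, **conn):
        """Consume the dynamic rule matching a new data connection; True if one allowed it."""
        self.dynamic_rules = [r for r in self.dynamic_rules if r["expires"] > now]
        for r in self.dynamic_rules:
            if all(conn.get(k) == v for k, v in r.items() if k != "expires"):
                self.dynamic_rules.remove(r)   # rule is deleted once the data connection starts
                return True
        return False
```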
How learn and adaptive modes affect the firewall
When you enable the firewall, Host Intrusion Prevention continually monitors the network traffic that a computer sends and receives. It allows or blocks traffic based on the Firewall Rules policy. If the traffic cannot be matched against an existing rule, it is automatically blocked unless the firewall is operating in learn mode or adaptive mode.
In learn mode, Host Intrusion Prevention displays a learn mode alert when it intercepts unknown network traffic. This alert prompts the user to allow or block any traffic that does not match an existing rule, and automatically creates corresponding dynamic rules for the non-matching traffic. You can enable learn mode for incoming communication only, for outgoing communication only, or both.
In adaptive mode, Host Intrusion Prevention automatically creates an allow rule for any traffic that does not match an existing block rule, so dynamic allow rules are created for non-matching traffic without prompting the user. For more information on using the adaptive mode with the firewall, see FAQ — Adaptive mode under Managing Your Protection.
For security reasons, when the learn mode or adaptive mode is applied, incoming pings are blocked unless an explicit allow rule is created for incoming ICMP traffic. In addition, incoming traffic to a port that is not open on the host is blocked unless an explicit allow rule is created for the traffic. For example, if the host has not started telnet service, incoming TCP traffic to port 23 (telnet) is blocked even when there is no explicit rule to block this traffic. You can create an explicit allow rule for any desired traffic.
Host Intrusion Prevention displays all the rules created on clients through learn mode or adaptive mode, and allows these rules to be saved and migrated to administrative rules.
Stateful filtering
When adaptive or learn mode is applied with the stateful firewall, the filtering process creates a new rule to handle the incoming packet. This is the filtering process:
1 The firewall compares an incoming packet against entries in the state table and finds no match, then examines the static rule list and finds no match.
2 No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If not, the packet is dropped.
3 If new rules are permitted, a unidirectional static allow rule is created. If this is a TCP packet, an entry is made in the state table.
4 If a new rule is not permitted, the packet is dropped.
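The regular filtering process (How stateful filtering works) and the learn/adaptive variant above, as an added Python simulation that is not Host IPS code. The rule fields, the 30-second TCP and 60-second UDP/ICMP timeouts, and the approve_new_rule callback (always true for adaptive mode, a user prompt for learn mode, None for regular mode) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP", "UDP" or "ICMP"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    direction: str        # "in" or "out"
    pid: int = 0          # process that owns the socket
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag

@dataclass
class Rule:
    action: str                      # "allow" or "block"
    proto: Optional[str] = None      # None matches any value
    remote_ip: Optional[str] = None
    local_port: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        wanted = (("proto", self.proto), ("remote_ip", self.remote_ip),
                  ("local_port", self.local_port), ("direction", self.direction))
        return all(v is None or v == getattr(p, k) for k, v in wanted)

@dataclass
class Entry:
    packet: Packet        # packet that created the entry (carries PID and direction)
    last_seen: float      # timestamp of the last packet matching the connection
    established: bool = False

class StatefulFirewall:
    def __init__(self, rules, tcp_timeout=30.0, udp_icmp_timeout=60.0, approve_new_rule=None):
        self.rules = list(rules)
        self.tcp_timeout = tcp_timeout            # applies only to non-established TCP
        self.udp_icmp_timeout = udp_icmp_timeout  # UDP/ICMP virtual connections
        self.approve_new_rule = approve_new_rule  # None: regular mode (no new rules)
        self.table = {}                           # 5-tuple -> Entry
        self.pending = []                         # TCP packets awaiting a decision

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.local_ip, p.local_port, p.remote_ip, p.remote_port)

    def _first_rule(self, p: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(p)), None)

    def expire(self, now: float) -> None:
        for key, e in list(self.table.items()):
            limit = self.tcp_timeout if e.packet.proto == "TCP" else self.udp_icmp_timeout
            if not (e.packet.proto == "TCP" and e.established) and now - e.last_seen > limit:
                del self.table[key]

    def process(self, p: Packet, now: float) -> str:
        self.expire(now)
        e = self.table.get(self._key(p))       # step 1: state-table match (direction ignored)
        if e is not None:
            e.last_seen = now
            if p.proto == "TCP" and p.ack and not p.syn:
                e.established = True           # handshake completed
            return "allow"
        rule = self._first_rule(p)             # steps 2 and 3: configurable rules
        if rule is not None:
            if rule.action == "allow":
                self._add(p, now)
                return "allow"
            return "block"
        if self.approve_new_rule is None:      # step 4: regular mode blocks by default
            return "block"
        return self._learn(p, now)

    def _learn(self, p: Packet, now: float) -> str:
        # Learn/adaptive variant: only TCP packets are held pending a new rule.
        if p.proto != "TCP":
            return "block"
        self.pending.append(p)
        if not self.approve_new_rule(p):
            return "block"
        self.rules.append(Rule("allow", proto=p.proto, remote_ip=p.remote_ip,
                               local_port=p.local_port, direction=p.direction))
        self._add(p, now)
        return "allow"

    def _add(self, p: Packet, now: float) -> None:
        self.table[self._key(p)] = Entry(p, now)

    def set_rules(self, rules) -> None:
        # Rule-set change: active connections with no matching allow rule are discarded.
        self.rules = list(rules)
        self.table = {k: e for k, e in self.table.items()
                      if (r := self._first_rule(e.packet)) is not None and r.action == "allow"}

    def process_ended(self, pid: int) -> None:
        self.table = {k: e for k, e in self.table.items() if e.packet.pid != pid}
```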
Firewall client rules
A client in adaptive or learn mode creates firewall client rules to allow blocked activity. Rules can also be created manually on the client computer. You can track the client rules and view them in a filtered or aggregated view. Use these client rules to create new policies or add them to existing policies.
Filtering and aggregating rules
Applying filters generates a list of rules that satisfies all of the variables defined in the filter criteria. The result is a list of rules that includes all of the criteria. Aggregating rules generates a list of rules grouped by the value associated with each of the variables selected in the Select columns to aggregate dialog box. The result is a list of rules displayed in groups and sorted by the value associated with the selected variables.
Enable firewall protection
The Firewall Options policy enables firewall protection and provides TrustedSource™ and stateful firewall settings.
General settings
These general options are available:
Enabled: Select to make the firewall active, and then select the type of protection:
Regular (default) — Use this setting when not tuning a deployment.
Adaptive mode — Select to have rules created automatically to allow traffic. Use only temporarily while tuning a deployment.
Learn mode — Select to have rules created after input from the user to allow traffic. Select also to allow incoming or outgoing traffic or both. Use only temporarily while tuning a deployment.
Allow traffic for unsupported protocols — Select to allow all traffic that uses unsupported protocols. With this option disabled, all traffic using unsupported protocols is blocked.
Allow bridged traffic — Select to allow traffic with a local MAC address that is not the local system's MAC address but is one of the MAC addresses in the list of VMs that the firewall supports. Use this option to allow traffic through a bridged environment with virtual machines.
Retain existing client rules when this policy is enforced — Select to allow clients to keep rules created on the client, automatically with adaptive mode, through user interaction with learn mode, or manually on a client, when this policy is enforced.
Protection settings
These settings enable special firewall-specific protection:
Allow only outgoing traffic until the Host IPS service has started — Select to allow outgoing traffic but no incoming traffic until the Host IPS firewall service has started on the client.
Enable IP spoof protection — Select to block network traffic from non-local host IP addresses or from local processes that attempt to spoof their IP address.
Send events to ePO for TrustedSource violations — Select to send events to the ePO server if the TrustedSource block threshold setting for incoming or outgoing traffic is matched.
Incoming TrustedSource block threshold — Select from the list the TrustedSource rating at which to block incoming traffic from a network connection. Options include: High Risk, Medium Risk, Unverified, and Do not block.
Outgoing TrustedSource block threshold — Select from the list the TrustedSource rating at which to block outgoing traffic to a network connection. Options include: High Risk, Medium Risk, Unverified, and Do not block.
Stateful firewall settings
The stateful firewall settings are available:
FTP protocol inspection — A stateful firewall setting that allows FTP connections to be tracked so that they require only one firewall rule for outgoing FTP client traffic, and one for incoming FTP server traffic. If this option is not selected, FTP connections require an additional rule for incoming FTP client traffic and outgoing FTP server traffic. This should always be selected.
TCP connection timeout — The time in seconds a TCP connection that is not established remains active if no more packets matching the connection are sent or received.
UDP and ICMP echo virtual connection timeout — The time in seconds a UDP or ICMP echo virtual connection remains active if no more packets matching the connection are sent or received. It is reset to its configured value every time a packet that matches the virtual connection is sent or received.
Policy selections
This policy category contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies, and create, edit, rename, duplicate, delete, and export custom policies.
The preconfigured policy has these settings:
McAfee Default
Firewall protection is disabled, and these options are selected to be applied when the firewall is enabled:
• Allow bridged traffic
• Retain client rules
• Enable IP spoof protection
• Use FTP protocol inspection
Configuring the Firewall Options policy
Configure settings in this policy to turn firewall protection on and off or apply adaptive or learn mode.
Task
For option definitions, click ? on the page displaying the options.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: Firewall in the Product list and Firewall Options in the Category list. The list of policies appears.
2 In the Firewall Options policy list, click Edit under Actions to change the settings for a custom policy.
NOTE: For editable policies, other options include Rename, Duplicate, Delete, and Export. For non-editable policies, options include View and Duplicate.
3 In the Firewall Options page that appears, change the default settings as needed, then click Save.
FAQ — McAfee TrustedSource and the firewall
Two options in the Firewall Options policy allow you to block incoming and outgoing traffic from a network connection that McAfee TrustedSource has rated high risk. This FAQ explains what TrustedSource does and how it affects the firewall.
What is TrustedSource?
TrustedSource is a global Internet reputation intelligence system that determines what is good and bad behavior on the Internet by using real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data obtained from the analysis, TrustedSource dynamically calculates reputation scores that represent the level of risk posed to your network when you visit a web page. The result is a database of reputation scores for IP addresses, domains, specific messages, URLs, and images.
How does it work?
When the TrustedSource options are selected, two firewall rules are created: TrustedSource -- Allow Host IPS Service and TrustedSource -- Get Rating. The first rule allows a connection to TrustedSource and the second rule blocks or allows traffic based on the connection's reputation and the block threshold set.
What do you mean by "reputation"?
For each IP address on the Internet, TrustedSource calculates a reputation value based on sending or hosting behavior and various environmental data that TrustedSource automatically collects, aggregates and correlates from customers and partners about the state of the Internet threat landscape. The reputation is expressed in four classes:
Minimal Risk (Do Not Block) — Our analysis indicates this is a legitimate source or destination of content/traffic.
Unverified — Our analysis indicates that this appears to be a legitimate source or destination of content/traffic, but also displays certain properties suggesting that further inspection is necessary.
Medium Risk — Our analysis indicates that this source/destination shows behavior we believe is suspicious and content/traffic to or from it requires special scrutiny.
High Risk — Our analysis indicates that this source/destination does or will send/host potentially malicious content/traffic and we believe it presents a serious risk.
Does it introduce latency? How much?
When TrustedSource is contacted to do a reputation lookup, some latency is inevitable. McAfee has done everything it can to minimize this.
First, a check of reputations is made only when the options are selected. Second, there is an intelligent caching architecture. In normal network usage patterns, most desired connections are resolved by the cache without a live reputation query.
What if the firewall can't reach the TrustedSource servers? Does traffic stop?
If the firewall cannot reach any of the TrustedSource servers, it automatically assigns all applicable connections a default reputation that is allowed, and analysis of the rules that follow continues.
Define firewall protection
Firewall rules determine how a system operates when it intercepts network traffic, permitting or blocking it. You create and manage firewall rules by applying a Firewall Rules policy and a Firewall DNS Blocking policy with the appropriate settings.
Firewall Rules policy selections
The Firewall Rules policy category contains two preconfigured policies and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate the preconfigured policies, and edit, rename, duplicate, delete, and export editable custom policies.
Table 8: Preconfigured Firewall Rules policies
Policy: Usage
Minimal (Default): Use this policy for default minimal protection. It does the following:
• Blocks any incoming ICMP traffic that an attacker could use to gather information about your computer. Host IPS allows all other ICMP traffic.
• Allows Windows file sharing requests from computers in the same subnet, and blocks file sharing requests from anyone else (Trusted Networks policy must have Include Local Subnet Automatically selected).
• Allows you to browse Windows domains, workgroups, and computers.
• Allows all high incoming and outgoing UDP traffic.
• Allows traffic that uses BOOTP, DNS, and Net Time UDP ports.
Use this policy as a starting point and combine with the results from applying the adaptive mode to learn and verify any additional rules. This policy should generate fewer learned client rules in adaptive mode as compared to existing default firewall policies.
Typical Corporate Environment: The policy is full-featured and meets the needs for most organizational firewalls.
Firewall DNS Blocking policy selections
The Firewall DNS Blocking policy contains one preconfigured policy and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate the preconfigured policy, and edit, rename, duplicate, delete, and export editable custom policies.
Configuring the Firewall Rules policy
Configure settings in this policy to define rules for firewall protection.
TIP: Do not try to create a policy from scratch. Simply duplicate an existing policy, then edit the rules and groups in the policy to meet your needs.
Task
For option definitions, click ? on the page displaying the options.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: Firewall in the Product list and Firewall Rules in the Category list. The list of policies appears.
2 In the Firewall Rules policy list, click Edit under Actions to change the settings for a custom policy.
NOTE: For editable custom policies, other options include Rename, Duplicate, Delete, and Export. For non-editable policies, options include View and Duplicate.
3 Do any of the following:
To... / Do this...
Add a firewall rule: Click New Rule or Add Rule from Catalog. See Creating and editing firewall rules or Using the Host IPS catalog for details.
Add a firewall group: Click New Group or Add Group from Catalog. See Creating and editing firewall rule groups or Using the Host IPS catalog for details.
Perform an action on a single rule or group: Select the rule or group to display a summary of the item's settings in the right-hand pane. Select the rule or group and click:
• Edit under Actions to edit an item.
• Add to Catalog under Actions to add the item to the firewall catalog.
• Move Up to move the item up in the list.
• Move Down to move the item down in the list.
• Duplicate to make a copy of the item.
• Delete to delete the item.
4 Click Export to export all the rule and group information in the policy to an xml file. This file can then be imported into the firewall catalog or into another policy.
5 Click Save to save changes.
Creating and editing firewall rules
Edit or add a new firewall rule to the list of rules in a Firewall Rules policy if specific operations are not covered by the default list.
Task
For option definitions, click ? on the page displaying the options.
1 On the Firewall Rules policy page, click New Rule to create a new rule; click Edit under Actions to edit an existing rule.
2 Enter the appropriate information on each tab, which you access by clicking Next or the tab link.
On this tab... / Set these options...
Description: Name (required), action, direction, status.
Network: Network protocol, media type, local and remote networks.
Transport: Transport protocol.
Application: Applications and executables.
Schedule: Status and time settings.
3 On the Summary tab, review the details of the rule and click Save.
Creating and editing firewall rule groups
Create or edit a firewall rule group for a Firewall Rules policy to create a set of rules with a single purpose.
Use a single-purpose group with rules to allow, for example, a VPN connection. Groups appear in the rule list preceded by an arrow, which can be clicked to show or hide the rules within the group.
Task
1 On the Firewall Rules policy page, click New Group to create a new group; click Edit under Actions to edit an existing group.
2 Enter the appropriate information on each tab, which you access by clicking Next or the tab link.
On this tab... / Set these options...
Description: Name (required), direction, status.
Location: Location-aware settings, including connection isolation.
Network: Network protocol, media type (wired, wireless, virtual), local and remote networks.
Transport: Transport protocol.
Application: Applications and executables.
Schedule: Status and time settings, including enabling timed groups.
3 On the Summary tab, review the details of the group and click Save.
4 Create new rules within this group, or move existing rules into it from the firewall rule list or the Host IPS catalog.
Creating connection isolation groups
Create a connection isolation firewall rules group to establish a set of rules that apply only when connecting to a network with particular parameters.
Task
For option definitions, click ? on the page displaying the options.
1 On the Firewall Rules policy page, click New Group or Add Group from Catalog.
2 On the Description tab, type a descriptive name in the Name field.
3 On the Location tab, select Enabled for both Location status and Connection isolation, type a Name for the location, then select a DNS suffix, default gateway, or other criteria for matching.
4 On the Network tab, under Media types, select the type of connection (Wired, Wireless, Virtual) to which to apply the rules in this group.
NOTE: Transport Options and Applications are not available for connection isolation groups.
5 On the Summary tab, click Save.
6 Create new rules within this group, or move existing rules into it from the firewall rule list or the Host IPS catalog.
Blocking DNS traffic
To refine firewall protection, you can create a list of domain name servers that Host IPS blocks by not allowing their IP addresses to be resolved.
NOTE: Do not use this feature to block fully qualified domains; instead, block the FQDN remote address in a firewall rule.
Task
For option definitions, click ? on the page displaying the options.
1 On the Firewall DNS Blocking policy page, click New Rule to create a new rule; click Edit under Actions to edit an existing rule.
2 Click Add Blocked Domain.
3 In the text box, type the name of the domain name server you want to block. Use the wildcards * and ?; for example, *domain.com. One name per entry.
4 Click the add button to add other addresses; click the remove button to delete addresses.
5 Click Save to save any changes.
Using the Host IPS catalog
The Host IPS catalog allows you to add new items or reference existing items for use with the firewall. This task helps you find and edit existing catalog items, create and add new catalog items, or import and export catalog items.
Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | Host IPS Catalog.
2 Under Item Type select a catalog item. Choices include: Group, Rule, Application, Process, Network, and Location.
3 Do any of the following on the catalog page:
To... / Do this...
Filter for an item: Enter filter criteria, then click Set Filter. Click Clear to return to the default view.
Change the view of items: Select Options | Choose Columns, select, remove, or reorder columns, then click Save.
Edit an item: Click the link associated with the item. Click Edit to edit the item, click Duplicate to create a copy of the item, click Delete to remove the item.
NOTE: If you delete an item that has a dependent link, a new and independent copy of the deleted item is placed with the linking rule or group.
Create and add an item: Click New. In the page or pages that appear, enter the appropriate data, then click Save.
Export a single item: Click the Export link associated with the item.
Export all items of the catalog type: Click Export in the upper-right corner of the page, then name and save the xml-format file.
Import items of the catalog type: Click Import in the upper-right corner of the page, then locate and open the xml-format file with catalog data.
NOTE: To add an item from the catalog while creating a firewall rule or group, click Add From Catalog at the bottom of the appropriate builder page. To add an item that you created while working in the firewall rule or group builder, click the Add to Catalog link next to the item. When you add an item from or to the catalog you create a dependent link between the item and the catalog with a Break Catalog Reference link. Clicking this link breaks the dependency between the item and the catalog and creates a new and independent item in its place with the linking rule or group.
Managing firewall client rules
Viewing firewall client rules created automatically in adaptive or learn mode or manually on a client and moving them to a Firewall Rules policy can tune and tighten security.
NOTE: Access to Firewall Client Rules on the Host IPS tab under Reporting requires permissions in addition to those for Host Intrusion Prevention Firewall, including view permissions for Event Log, Systems, and System Tree access.
Task
For option definitions, click ? on the page displaying the options.
1 Click Menu | Reporting | Host IPS, then click Firewall Client Rules.
2 Select the group in the System Tree for which you want to display client rules.
3 Determine how you want to view the list of client rules:
To... / Do this...
Select columns to display: Select Choose Columns from the Options menu. In the Select Columns page, add, remove, or reorder the columns for the display.
Sort by a column: Click the column header.
Filter for groups: From the Filter menu select This Group Only or This Group and All Subgroups.
Filter for creation time: Select the time the rule was created: None, Since, or Between. When selecting Since, enter a beginning date; when selecting Between, enter both a beginning and ending date. Click Clear to remove filter settings.
Filter for searched text: Type the process path, process name, user name, computer name, or signature ID to filter on. Click Clear to remove filter settings.
Aggregate rules: Click Aggregate, select the criteria on which to aggregate rules, then click OK. Click Clear to remove aggregation settings.
4 To move rules to a policy, select one or more in the list, click Create Firewall Rule, then indicate the policy to which to move the rules.
FAQ — Use of wildcards in Firewall Rules
When entering values in certain fields in firewall rules, Host IPS permits the use of wildcards.
Which wildcards can I use for path and address values?
For paths of files, registry keys, executables, and URLs, use these wildcards:
? (question mark): A single character.
* (one asterisk): Multiple characters, excluding / and \. Use to match the root-level contents of a folder with no subfolders.
** (two asterisks): Multiple characters, including / and \.
| (pipe): Wildcard escape.
NOTE: For ** the escape is |*|*.
NOTE: Registry key paths for firewall group locations do not recognize wildcard values.
Which wildcards can I use for all other values?
For values that normally do not contain path information with slashes, use these wildcards:
? (question mark): A single character.
* (one asterisk): Multiple characters, including / and \.
| (pipe): Wildcard escape.
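The wildcard rules in this FAQ, as an added Python example that is not part of the product guide or of Host IPS itself: a small matcher that applies the path rules (`*` stops at a separator, `**` crosses it) and the rules for other values (`*` matches anything), with `|` as the escape so that `|*|*` is a literal `**`. It assumes `?` matches exactly one character of any kind and that path values are compared case-insensitively (a Windows file-system convention the guide does not state); the sample patterns and paths are constructed.

```python
import re

# Translate a Host IPS-style wildcard pattern into a regular expression.
# path_value=True applies the rules for file, registry, executable and URL
# paths: '*' matches multiple characters but stops at '/' and '\', while
# '**' also crosses them. path_value=False applies the rules for all other
# values, where '*' matches anything, slashes included. In both modes '?'
# matches a single character and '|' escapes the character after it, so
# '|*' is a literal asterisk and '|*|*' a literal '**'.
def wildcard_to_regex(pattern: str, path_value: bool = True) -> str:
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))   # escaped literal
            i += 2
        elif ch == "?":
            parts.append(".")                          # exactly one character
            i += 1
        elif ch == "*":
            if path_value and pattern.startswith("**", i):
                parts.append(".*")                     # crosses / and \
                i += 2
            elif path_value:
                parts.append(r"[^/\\]*")               # stays inside one folder level
                i += 1
            else:
                parts.append(".*")                     # non-path value: anything
                i += 1
        else:
            parts.append(re.escape(ch))                # ordinary literal character
            i += 1
    return "".join(parts)


def matches(pattern: str, value: str, path_value: bool = True) -> bool:
    """True when the whole value is matched by the wildcard pattern."""
    # Assumption for this example: path values are compared case-insensitively,
    # as Windows file-system paths are; other values are compared exactly.
    flags = (re.IGNORECASE | re.DOTALL) if path_value else re.DOTALL
    return re.fullmatch(wildcard_to_regex(pattern, path_value), value, flags) is not None


if __name__ == "__main__":
    # Constructed sample patterns and paths, not taken from the product guide.
    for pat, val in [
        (r"C:\Temp\*", r"C:\Temp\file.txt"),          # root-level content: match
        (r"C:\Temp\*", r"C:\Temp\sub\file.txt"),      # one level deeper: no match
        (r"C:\Temp\**", r"C:\Temp\sub\file.txt"),     # ** crosses the separator
        (r"C:\Temp\|*.txt", r"C:\Temp\*.txt"),        # escaped literal asterisk
    ]:
        print(f"{pat!r:24} vs {val!r:28} -> {matches(pat, val)}")
```

The single-asterisk rule is the one to check when a rule seems too broad or too narrow: `C:\Temp\*` covers only files directly in the folder, and a pattern meant to cover a tree needs `**`. A pattern that must match a literal asterisk needs the `|` escape, otherwise it silently becomes a wildcard.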
Configuring General Policies
The General feature of Host Intrusion Prevention provides access to policies that are general in nature and not specific to either IPS or the firewall.
Contents
Overview of General policies
Define client functionality
Define trusted networks
Define trusted applications
Overview of General policies
General policies work with both the IPS and firewall features and control client access and both trusted networks and applications.
All policies and options apply to Windows operating systems. On non-Windows systems, only select policies and options apply. For details refer to Policy enforcement with the Solaris/Linux client under Working with Host IPS Clients.
Available policies
There are three General policies:
Client UI — Determines which options are available for a Windows client computer, including whether the Host IPS client icon appears in the system tray, types of intrusion alerts, passwords for access to the client interface, and troubleshooting options. The password functionality is used for clients on both Windows and non-Windows platforms.
Trusted Networks — Lists IP addresses and networks, including TrustedSource exceptions, that are safe for communication. Trusted networks can include individual IP addresses or ranges of IP addresses. Marking networks as trusted eliminates or reduces the need for network IPS exceptions and additional firewall rules. For Windows clients only.
Trusted Applications — Lists applications that are safe and have no known vulnerabilities. Marking applications as trusted eliminates or reduces the need for IPS exceptions and additional firewall rules. Like the IPS Rules policy, this policy category can contain multiple policy instances. For clients on both Windows and non-Windows platforms.
Settings for Trusted Networks and Trusted Applications policies can reduce or eliminate false positives, which aids in tuning a deployment.
Define client functionality
The Client UI policy determines how Host IPS clients appear and function. For Windows clients this includes icon display settings, intrusion event reactions, and access for administrators and client users. For non-Windows clients, only the password feature for administrative access is valid.
The options in this policy make it possible to meet the demands of three typical user roles:
FunctionalityUser type
Regular
Disconnected
Administrator
The average user who has the Host Intrusion Prevention client installed on a desktop or laptop. The Client UI policy enables this user to:
View the Host Intrusion Prevention client icon in the system tray and launch the client console.
Get pop-up intrusion alerts or prevent them.
Temporarily turn off IPS and firewall protection.
The user, perhaps with a laptop, who is disconnected from the Host Intrusion Prevention server for a period of time. The user might have technical problems with Host Intrusion Prevention or need to perform operations without interaction with it. The Client UI policy enables this user to obtain a time-based password to perform administrative tasks, or to turn protection features on or off.
An IT administrator for all computers who needs to perform special operations on a client computer, overriding any administrator-mandated policies. The Client UI policy enables this user to obtain a non-expiring administrator password to perform administrative tasks.
Administrative tasks for both disconnected and administrator users include:
Enabling or disabling IPS and Firewall policies.
Creating additional IPS and Firewall rules if certain legitimate activity is blocked.
NOTE: Administrative policy changes made from the ePolicy Orchestrator console will be enforced only after the password expires. Client rules created during this time are retained if allowed by administrative rules.
The Client UI policy contains a preconfigured policy and an editable My Default policy. You can view and duplicate the preconfigured policy; you can create, edit, rename, duplicate, delete, and export editable custom policies.
Configuring a Client UI policy
Configure the settings in the policy to indicate icon display, intrusion event reactions, and administrator and client user access on Windows clients and administrator access on non-Windows clients.
Task
For option definitions, click ? on the page displaying the options.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: General in the Product list and Client UI in the Category list. The list of policies appears.
2 In the Client UI policy list, click Edit under Actions to change the settings for a custom policy.
3 In the Client UI page, select a tab (General Options, Advanced Options, Troubleshooting Options) and make any needed changes. See Setting Client UI general options, Setting Client UI advanced options, or Setting Client UI troubleshooting options for details.
4 Click Save to save any changes.
Setting Client UI general options
Configure settings on the General Settings tab of the Client UI policy to determine icon display and intrusion event reactions for Windows clients only.
On this tab you set the Client UI display options and indicate how the client responds upon an intrusion event.
Task
For option definitions, click ? in the interface.
1 Click the General Settings tab of the Client UI policy and under Display options select the option to display the tray icon for menu access to the client console or display the application in the Add/Remove Programs list.
NOTE: Users who need to temporarily turn off a Host Intrusion Prevention feature to access a legitimate but blocked application or network site can use the Host Intrusion Prevention tray icon menu to disable a feature without opening the client console. The disabled feature remains disabled until restored by the menu command or the next policy enforcement. Note the following:
• Disabling IPS disables both host IPS and network IPS protection.
• If the Client UI is unlocked, the menu commands have no effect.
For this feature, select to display the icon, then on the Advanced Options tab, select Allow disabling of features from the tray icon and select any or all of the features to be disabled.
2 Under Upon intrusion event, select the options that control how the client reacts when it encounters an intrusion.
Setting Client UI advanced options and passwords
Configure settings on the Advanced Options tab of the Client UI policy for password access on Windows and non-Windows clients.
Passwords unlock the Windows client console and access troubleshooting control on Windows and non-Windows clients. When this policy is applied to the client, the password is activated.
Two types of passwords are available:
• An administrator password, which an administrator can configure and is valid as long as the policy is applied to the client. The client console remains unlocked until it is closed. To reopen the client console controls, retype the administrator password.
• A time-based password, which has an expiration date and time. This password is automatically generated. You can indicate the single system on which to create the password or create the password in the Client UI policy for all systems to which the policy is applied. The client console remains unlocked until it is closed.
NOTE: Policies are not enforced on the client when the client console is unlocked. For details, see Unlocking the Windows client interface.
Task
1 Click the Advanced Options tab in the Client UI policy that is applied to a system or a group.
2 Determine the type of password you want to create.
Administrator: Type a password in the Password text box. It must have at least ten characters. Retype the password in the Confirm Password text box. Click Save.
Time-based: Select Enable time-based password. Enter the date and time when the password expires, then click Compute time-based password. The password and its expiration date and time appear in a dialog box. Click Save.
Creating passwords on a per system basis
You can create and assign time-based passwords on a per system basis.
Task
1 Verify on the Advanced tab in the Client UI policy that the time-based passwords option is enabled.
2 Click Save if you made any changes to the policy.
3 Go to Systems | System Tree.
4 Apply the Client UI policy to the group that contains the single system to which to apply the password.
5 Select the group, then on the Systems tab select a single system.
6 Select Actions | Create Time-Based Password.
7 Set the password expiration date and time, then click Compute time-based password.
The password appears in the dialog box.
Setting Client UI troubleshooting options
Configure settings on the Troubleshooting tab of the Client UI policy for logging options and turning on and off engines.
Instead of using the troubleshooting feature on the individual client, you can apply policy-level troubleshooting options that trigger logging of IPS and firewall events and that disable particular IPS engines. When disabling engines, remember to reenable them after completing the troubleshooting.
Task
1 Click the Troubleshooting tab in the Client UI policy.
2 Select the policy settings you want to apply:
Turn on firewall logging: Select from the list the message type to trigger logging of Firewall events.
• Debug logs all messages
• Information logs Information, Warning, and Error messages
• Warning logs Warning and Error messages
• Error logs Error messages
• Disabled logs no messages
The path of the log file on Windows clients is: C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\FireSvc.log; on Windows Vista, Windows 2008, and Windows 7: C:\Program Data\McAfee\Host Intrusion Prevention\FireSvc.log.
Turn on IPS logging: Select from the list the message type to trigger logging of IPS events.
• Debug logs all messages
• Information logs Information, Warning, and Error messages
• Warning logs Warning and Error messages
• Error logs Error messages
• Disabled logs no messages
The path of the log file on Windows clients is: C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\HipShield.log; on Windows Vista, Windows 2008, and Windows 7: C:\Program Data\McAfee\Host Intrusion Prevention\HipShield.log.
Include security violations in the IPS log: Select Log security violations to have security violation events appear in the IPS log.
Set the size in MB of the events log on the client: Change the size of the log from the default 1 MB to a larger number.
Turn engines on and off: Deselect the checkbox to disable an engine, then reselect it to reenable the engine.
NOTE: For details on working with the HIP client directly, see Working with Host Intrusion Prevention Clients.
Define trusted networks
The Trusted Networks policy maintains a list of network addresses and subnets, which you can tag as trusted for clients on Windows and apply to firewall rules whose remote address is set to trusted and network IPS exceptions.
This policy category contains a preconfigured policy, which includes local subnets automatically but lists no network addresses, and an editable My Default policy. You can view and duplicate the preconfigured policy; you can create, edit, rename, duplicate, delete, and export editable custom policies.
Configuring a Trusted Networks policy
Configure settings in this policy to set trusted network options and maintain a list of network addresses and subnets marked as trusted for Windows clients only.
You can:
• Set up trusted network options, including TrustedSource exceptions.
• Add or delete addresses or subnets in the trusted list.
NOTE: For firewall rules, you must set the remote address to Trusted to take advantage of this feature.
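The trust decision this policy drives, as an added Python example that is not part of Host IPS or ePolicy Orchestrator (the guide documents the policy settings, not the client's implementation): it builds the effective trusted set from the list entries plus the client's own subnet when the local-subnet option is enabled, then resolves a firewall rule whose remote address is Trusted against a peer address. The `first-last` syntax for address ranges, the `local_interface` argument, and all addresses are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted_entry(entry: str) -> List[IPNetwork]:
    """Expand one Trusted Networks entry into one or more networks.

    Accepted forms: a single address ("10.1.2.3"), a subnet in CIDR form
    ("10.1.0.0/16"), and an address range. The range syntax "first-last"
    is an assumption for this example; the guide does not spell it out.
    """
    entry = entry.strip()
    if "-" in entry:
        first_s, last_s = entry.split("-", 1)
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


class TrustedNetworks:
    """The effective trusted set for one Windows client."""

    def __init__(self, entries: Iterable[str], include_local_subnet: bool = False,
                 local_interface: Optional[str] = None) -> None:
        self.networks: List[IPNetwork] = []
        for entry in entries:
            self.networks.extend(parse_trusted_entry(entry))
        # "Include Local Subnet Automatically": the client's own subnet, taken
        # here from its interface address in "address/prefix" form (assumed input).
        if include_local_subnet and local_interface:
            self.networks.append(ipaddress.ip_interface(local_interface).network)

    def is_trusted(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.networks if net.version == ip.version)


def remote_address_matches(rule_remote: str, remote: str, trusted: TrustedNetworks) -> bool:
    """Resolve a firewall rule's remote-address field against a packet's peer.

    A rule whose remote address is set to "Trusted" consults the Trusted
    Networks list; any other value is treated as an address or CIDR subnet.
    """
    if rule_remote == "Trusted":
        return trusted.is_trusted(remote)
    return ipaddress.ip_address(remote) in ipaddress.ip_network(rule_remote, strict=False)


if __name__ == "__main__":
    # Constructed policy contents; none of these addresses come from the guide.
    policy = TrustedNetworks(
        ["10.20.30.40", "172.16.0.0/12", "192.168.50.10-192.168.50.20"],
        include_local_subnet=True,
        local_interface="192.168.1.25/24",
    )
    for peer in ["10.20.30.40", "10.20.30.41", "172.20.1.1", "192.168.50.15", "192.168.1.200"]:
        print(peer, "trusted" if policy.is_trusted(peer) else "not trusted")
```

Running the same peer list with `include_local_subnet=False` shows what the local-subnet option adds: an address on the client's own subnet that appears nowhere in the list is trusted only because of that option, which is worth remembering when a laptop moves between networks.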
Task
For option definitions, click ? on the page displaying the options.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: General in the Product list and Trusted Networks in the Category list. The list of policies appears.
2 In the Trusted Networks policy list, click Edit under Actions to change the settings for a custom policy.
3 Do any of the following:
Automatically treat all users on the same subnet as trusted, even those not in the list: Select Enabled under Include Local Subnet Automatically.
Add a trusted network address to the list: Type a trusted IP address, address range, or subnet in the Trusted Networks text box.
Mark the network as trusted for network IPS signatures or HTTP type host and custom IPS signatures: Select Trust for IPS.
Remove or add a trusted network address entry: Click the Remove ( – ) or Add ( + ) button.
4 Click Save to save any changes.
Define trusted applications
The Trusted Applications policy is the mechanism you use to create a list of applications that are trusted and should cause no event to be generated. Maintaining a list of safe applications for a system reduces or eliminates most false positives.
The Trusted Applications policy is a multiple instance policy, so you can assign more than one policy instance, which allows for a more detailed profile of trusted application usage.
In tuning a deployment, creating IPS exception rules is one way to reduce false positives. This is not always practical when dealing with several thousand clients or having limited time and resources. A better solution is to create a list of trusted applications, which are applications known to be safe in a particular environment. For example, when you run a backup application, many false positive events can be triggered. To avoid this, make the backup application a trusted application.
NOTE: A trusted application is susceptible to common vulnerabilities such as buffer overflow and illegal use. Therefore, a trusted application is still monitored and can trigger events to prevent exploits.
This policy category contains a preconfigured policy, which provides a list of specific McAfee applications and Windows processes. You can view and duplicate the preconfigured policy, or edit, rename, duplicate, delete, and export custom policies.
Configuring a Trusted Applications policy
Configure settings in the policy to list applications deemed safe in a particular environment.
Task
For option definitions, click ? on the page displaying the options.
1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention: General in the Product list and Trusted Applications in the Category list. The list of policies appears.
2 In the Trusted Applications policy list, click Edit under Actions to change the settings for a custom policy.
3 Do any of the following:
Add an application: Click Add Application. See Creating and editing Trusted Application rules for details.
Perform an action on one or more applications at the same time: Select them and click:
• Enable to enable a disabled application.
• Disable to disable an enabled application.
• Delete to delete applications.
• Copy to to copy applications to another policy. You are prompted to indicate the policy.
Perform an action on a single application: Click:
• Edit to edit an existing application. See Creating and editing Trusted Application rules for details.
• Duplicate to make a copy of the application within the same policy and named ‘copy of’ the original application.
• Delete to remove the application from the list.
4 Click Save to save changes.
Creating and editing Trusted Application rules
Edit existing or create new trusted applications to have a list of all applications deemed safe for your environment.
Task
For option definitions, click ? on the page displaying the options.
1 On the Trusted Applications policy page, click New Trusted Application to create a new rule; click Edit under Actions to edit an existing rule.
NOTE: You can also create trusted applications based on an event. For details, see Creating a trusted application from an event under Configuring IPS Policies.
2 Type or edit the name and indicate the status of the application, including whether the application is trusted for IPS, firewall, or both.
3 Click New to add an executable for the application.
NOTE: You can add an existing executable from the Host IPS Catalog by clicking Add From Catalog. For details on the catalog, see How the Host IPS catalog works under Configuring Firewall Policies.
4 Click OK to save changes.
Assigning multiple instances of the policy
Assigning one or more instances of the policy to a group or system in the ePolicy Orchestrator System Tree provides for single policy multi-purpose protection.
The IPS Rules policy and the Trusted Applications policy are multiple-instance policies that can have more than one instance assigned. A multiple-instance policy can be useful for an IIS Server, for example, where you might apply a general default policy, a server policy, and an IIS policy, the latter two configured to specifically target systems running as IIS servers. When assigning multiple instances, you are assigning a union of all the elements in each instance of the policy.
NOTE: The McAfee Default policies for both IPS Rules and Trusted Applications are updated when content is updated. McAfee recommends that these two policies always be applied to keep protection as up to date as possible.
For the policies that have multiple instances, an Effective Policy link appears to provide a view of the details of the combined policy instances.
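The union semantics of multiple-instance policies, as an added Python example that is not part of ePolicy Orchestrator or Host IPS: it merges several Trusted Applications instances (a default, a server and an IIS instance, following the guide's scenario) into one effective rule list and checks whether an executable is trusted for IPS or for the firewall. The rule fields, the placeholder paths, and the reading that any enabled rule in any instance grants trust are assumptions for the example; wildcard matching of executable paths is not implemented here.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class TrustedApp:
    """One Trusted Applications rule, as the policy editor exposes it (fields assumed)."""
    name: str
    executables: Tuple[str, ...]   # executable paths covered by the rule
    trust_ips: bool                # trusted for IPS
    trust_firewall: bool           # trusted for firewall
    enabled: bool = True           # rules can be disabled in the editor


def effective_policy(instances: Iterable[Iterable[TrustedApp]]) -> List[TrustedApp]:
    """Union of every assigned instance's rules, in assignment order.

    Identical rules present in more than one instance appear once.
    """
    merged: List[TrustedApp] = []
    seen = set()
    for instance in instances:
        for rule in instance:
            if rule not in seen:
                seen.add(rule)
                merged.append(rule)
    return merged


def is_trusted(merged: List[TrustedApp], executable: str, feature: str) -> bool:
    """Is the executable trusted for "ips" or "firewall" under the merged rules?

    Only enabled rules count. Because the effective policy is a union, one
    enabled rule granting the trust is enough (assumption for this example:
    no instance can revoke what another instance grants). Paths are compared
    exactly but case-insensitively; the wildcard forms the guide allows in
    executable paths are out of scope here.
    """
    wanted = executable.lower()
    for rule in merged:
        if not rule.enabled:
            continue
        if wanted not in (path.lower() for path in rule.executables):
            continue
        if feature == "ips" and rule.trust_ips:
            return True
        if feature == "firewall" and rule.trust_firewall:
            return True
    return False


# Constructed instances following the guide's scenario of a default policy,
# a server policy and an IIS policy; the names and paths are placeholders.
DEFAULT_INSTANCE = [
    TrustedApp("Backup agent", (r"C:\Apps\Backup\backup.exe",), True, True),
]
SERVER_INSTANCE = [
    TrustedApp("Backup agent", (r"C:\Apps\Backup\backup.exe",), True, True),  # same rule as default
    TrustedApp("Monitoring", (r"C:\Apps\Mon\mon.exe",), True, False),
]
IIS_INSTANCE = [
    TrustedApp("Web host", (r"C:\Apps\Web\webhost.exe",), True, True, enabled=False),
]


if __name__ == "__main__":
    merged = effective_policy([DEFAULT_INSTANCE, SERVER_INSTANCE, IIS_INSTANCE])
    for rule in merged:
        print(rule.name, "enabled" if rule.enabled else "disabled",
              "ips" if rule.trust_ips else "-", "firewall" if rule.trust_firewall else "-")
```

The point to take from the merge is that assigning an extra instance can only widen what is trusted; a rule disabled in one instance still shows up in the effective view, and the Effective Policy link is the place to confirm the combined result before relying on it.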
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree and select a group in the System Tree.
NOTE: For a single system, select a group in the System Tree that contains the system, then on the Systems tab, select the system and select Actions | Agent | Modify Policies on a Single System.
2 Under Assigned Policies, select Host Intrusion Prevention 8.0 : IPS/General in the Product list, and for IPS Rules/Trusted Applications click Edit Assignments.
3 On the Policy Assignment page, click New Policy Instance, and select a policy from the Assigned Policies list for the additional policy instance. To view the effective or combined effect of multiple instance rule sets, click View Effective Policy.
4 Click Save to save all changes.
Working with Host Intrusion Prevention Clients
The Host Intrusion Prevention client can be installed on Windows, Solaris, and Linux platforms. Only the Windows client has an interface, but all versions have troubleshooting functionality. The basic features of each client version are described here.
Contents
Overview of the Windows client
Overview of the Solaris client
Overview of the Linux client
Overview of the Windows client
Direct client-side management of the Host Intrusion Prevention Windows client is available through a client console. To display it, use the McAfee tray icon menu, or run McAfeeFire.exe in C:\Program Files\McAfee\Host Intrusion Prevention.
When the client console first appears, options are locked and you can only view current settings. For complete control of all settings in the console, unlock the interface with a password. For details on creating and using passwords, see Setting Client UI advanced options and passwords under Configuring General Policies.
System tray icon menu
When the McAfee icon appears in the system tray, it provides access to the Host IPS client console. Functionality differs depending on the version of the McAfee Agent that is installed on the client.
With McAfee Agent 4.0
Right-click the McAfee Agent icon, then select Host Intrusion Prevention to display a shortcut menu, from which you can open the console.
Table 9: McAfee Agent 4.0 menu
Configure: Open the Host Intrusion Prevention client console.
About...: Open the About Host Intrusion Prevention dialog box, which displays the version number and other product information.
If Allow disabling of features from the tray icon is selected in an applied Client UI policy, these additional commands are available:
Table 10: McAfee Agent 4.0 menu with Allow disabling
Restore Settings: Enable all disabled features. Available only if either feature has been disabled.
Disable All: Disable IPS and Firewall features. Available only if both features are enabled.
Disable IPS: Disable the IPS feature. This includes both Host IPS and Network IPS functionality. Available only if the feature is enabled.
Disable Firewall: Disable the Firewall feature. Available only if the feature is enabled.
If Enable timed group from McAfee tray icon menu on the Schedule tab is selected for a firewall group in an applied Firewall Rules policy, these additional commands are available:
Table 11: McAfee Agent 4.0 menu with Enable timed group
Enable Host IPS Timed Firewall Groups: Enable timed firewall groups for a set amount of time to allow non-network access to the Internet before rules restricting access are applied. Each time you select this command, you reset the time for the groups.
View Host IPS Timed Firewall Groups Status: View the names of the timed groups and the amount of time remaining for each group to be active.
With McAfee Agent 4.5
Right-click the McAfee Agent icon in the system tray, then select Manage Features | Host Intrusion Prevention to open the console.
NOTE: Both the McAfee Agent and the Host IPS client must be set to display an icon for this access. If the McAfee Agent does not appear in the system tray, there is no access to Host IPS with a system tray icon, even though the client may be set to display a tray icon.
Under Quick Settings, these Host Intrusion Prevention options are available if the Allow disabling of features from the tray icon option is selected in an applied Client UI policy:
Table 12: McAfee Agent 4.5 menu Quick Settings
Host IPS: Toggle Host IPS protection on and off.
Network IPS: Toggle Network IPS protection on and off.
Firewall: Toggle Firewall protection on and off.
Also under Quick Settings, if the Enable timed group from McAfee tray icon menu option on the Schedule tab is selected for a firewall group in an applied Firewall Rules policy, these additional commands are available:
Table 13: McAfee Agent 4.5 menu with Enable timed group
Enable Host IPS Timed Firewall Groups: Enable timed firewall groups for a set amount of time to allow non-network access to the Internet before rules restricting access are applied. Each time you select this command, you reset the time for the groups.
View Host IPS Timed Firewall Groups Status: View the names of the timed groups and the amount of time remaining for each group to be active.
Client console for Windows clients
The Host Intrusion Prevention client console gives you access to several configuration options. To open the console, do one of the following:
• With McAfee Agent 4.0, right-click the McAfee icon, select Host Intrusion Prevention, then Configure.
• With McAfee Agent 4.5, right-click the McAfee icon, select Manage Features, Host Intrusion Prevention, then Configure.
• In the C:\Program Files\McAfee\Host Intrusion Prevention folder, run McAfeeFire.exe.
The console lets you configure and view information about Host Intrusion Prevention features. It contains several tabs, which correspond to a specific Host Intrusion Prevention feature.
Unlocking the Windows client interface
An administrator remotely managing Host Intrusion Prevention using ePolicy Orchestrator can password protect the interface to prevent accidental changes. Fixed passwords that do not expire and temporary time-based passwords allow an administrator or user to temporarily unlock the interface and make changes.
Before you begin
Be sure that the Host IPS General: Client UI policy, which contains the password settings, has been applied to the client. This occurs at the scheduled policy update or by forcing an immediate policy update. The client does not recognize the password until the policy update takes place.
Task
1 Obtain a password from the Host Intrusion Prevention administrator.
NOTE: For details on creating a password, see Setting Client UI advanced options and passwords under Configuring General Policies.
2 Open the client console, and select Task | Unlock User Interface.
3 In the Login dialog box, type the password and click OK.
Setting client UI options
The Host Intrusion Prevention client console provides access to some settings delivered by the Client UI policy, and enables you to customize these settings for the individual client.
Before you begin
To perform the following task, you must first unlock the client console with a password. See Setting Client UI advanced options and passwords.
Task
1 In the client console select Task | Set User Interface Language.
2 Select the language for the client console interface and click OK. Options include: Chinese, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish. Selecting "Automatic" displays the interface in the language of the operating system on which the client is installed.
3 Select Edit | Options.
4 In the Host Intrusion Prevention Options dialog box, select and deselect options as
needed, then click OK.
Table 14: Client console options
Display pop-up alert: An alert appears when an attack occurs (IPS only).
Play sound: A sound plays when an attack occurs (IPS only).
Display notification on system tray: The system tray icon indicates an attack status when an attack occurs (IPS only).
Create Sniffer capture if available: A capture column is added to the Activity Log, indicating that sniffer intrusion data has been captured. It is saved to a FirePacketX.cap file at C:\Program Data\McAfee\Host Intrusion Prevention\McAfee Fire Saved Events or C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\McAfee Fire Saved Events (IPS only).
Show tray icon: Host Intrusion Prevention appears under the McAfee Agent system tray icon menu.
Troubleshooting the Windows client
Host Intrusion Prevention includes a troubleshooting function, which is available from the Help menu when the interface is unlocked. These options are available:
Table 15: Troubleshooting options
Logging: Firewall – Determines which Firewall message type to log.
Logging: IPS * – Determines which IPS message type to log.
Log security violations * – Enable the logging of IPS security violations in the IPS log.
Show product in Add/Remove Program list – Allow Host IPS to appear in the Add/Remove Program list and be removed from the client.
Functionality * – Disable/re-enable Host IPS class engines as part of troubleshooting.
* This option is available only with IPS protection.
NOTE: McAfee provides a utility (ClientControl.exe) to help automate upgrades and other maintenance tasks when third-party software is used for deploying Host Intrusion Prevention on client computers. This command-line utility, which can be included in installation and maintenance scripts to temporarily disable IPS protection and activate logging functions, is delivered as part of the installation and is located on the client at C:\Program Files\McAfee\Host Intrusion Prevention. See Clientcontrol.exe utility under Appendix B -- Troubleshooting for details.
Setting options for IPS logging
As part of troubleshooting you can create IPS activity logs that can be analyzed on the system or sent to McAfee support to help resolve problems. Use this task to enable IPS logging.
Task
1 In the Host IPS console, select Help | Troubleshooting.
2 Select the IPS message type:
• Debug
• Disabled
• Error
• Information
• Warning
If the message type is set to Disabled, no message is logged.
3 Click OK. The information is written to HipShield.log at C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention; on Windows Vista and later at C:\Program Data\McAfee\Host Intrusion Prevention\.
Setting options for Firewall logging
As part of troubleshooting you can create firewall activity logs that can be analyzed on the system or sent to McAfee support to help resolve problems. Use this task to enable Firewall logging.
Task
1 In the Host IPS console, select Help | Troubleshooting.
2 Select the Firewall message type:
• Debug
• Disabled
• Error
• Information
• Warning
If the message type is set to Disabled, no message is logged.
3 Click OK. The information is written to FireSvc.log at C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\; on Windows Vista and later at C:\Program Data\McAfee\Host Intrusion Prevention\. After the file reaches 100 MB, a new file is created.
Disabling Host IPS engines
As part of troubleshooting, you can also disable class engines that protect a client. McAfee recommends that only administrators communicating with McAfee support use this troubleshooting procedure. For a better understanding of what each class protects, see the section on Writing Custom Signatures.
Task
For option definitions, click ? in the interface.
1 In the Host IPS console, select Help | Troubleshooting, and click Functionality.
2 In the HIPS Engines dialog box, deselect one or more engines. To disable all engines, deselect Enable/Disable all engines.
NOTE: SQL and HTTP appear in the list only if the client is running a server operating system.
3 Click OK.
4 After the problem has been resolved, reselect all deselected engines in the HIPS Engines dialog box.
Windows client alerts
A user can encounter several types of alert messages and needs to react to them. These include intrusion detection, firewall, and spoof detection alerts. Firewall alerts appear only when the client is in learn mode for these features.
Responding to Intrusion alerts
If you enable IPS protection and the Display pop-up alert option, an alert appears automatically when Host Intrusion Prevention detects a potential attack. If the client is in adaptive mode, this alert appears only if the Allow Client Rules option is disabled for the signature that caused the event to occur.
The Intrusion Information tab displays details about the attack that generated the alert, including a description of the attack, the user/client computer where the attack occurred, the process involved in the attack, and the time and date when Host Intrusion Prevention intercepted it. In addition, a generic administrator-specified message can appear.
You can ignore the event by clicking Ignore, or create an exception rule for the event by clicking Create Exception. The Create Exception button is active only if the Allow Client Rules option is enabled for the signature that caused the event to occur.
If the alert is the result of a Host IPS signature, the exception rule dialog box is prefilled with the name of the process, user, and signature. You can select All Signatures or All Processes, but not both. The user name is always included in the exception.
If the alert is the result of a Network IPS signature, the exception rule dialog box is prefilled with the signature name and the host IP address. You can optionally select All Hosts.
In addition, you can click Notify Admin to send information about the event to the Host Intrusion Prevention administrator. This button is active only if the Allow user to notify administrator option is enabled in the applied Client UI policy.
Select Do not show any alerts for IPS Events to stop displaying IPS Event alerts. To have the alerts reappear after selecting this option, select Display pop-up alert in the Options dialog box.
NOTE: This intrusion alert also appears for firewall intrusions if a firewall rule is matched that has the Treat rule match as an intrusion option selected.
Responding to Firewall alerts
If you enable firewall protection and the learn mode for either incoming or outgoing traffic, a firewall alert appears, and the user needs to respond to it.
The Application Information section displays information about the application attempting network access, including application name, path, and version. The Connection Information section displays information about the traffic protocol, address, and ports.
NOTE: Previous and Next buttons are available in the Connection Information section if additional protocol or port information for an application is available. Previous and Next buttons are available at the bottom of the dialog box if more than one alert has been sent.
Task
1 In the alert dialog box, do one of the following:
• Click Deny to block this and all similar traffic.
• Click Allow to permit this and all similar traffic through the firewall.
2 Optional: Select options for the new firewall rule:
Select... To do this...
Create a firewall application rule for all ports and services: Create a rule to allow or block an application’s traffic over any port or service. If you do not select this option, the new firewall rule allows or blocks only specific ports: if the intercepted traffic uses a port lower than 1024, the new rule allows or blocks only that specific port; if the traffic uses port 1024 or higher, the new rule allows or blocks the range of ports from 1024 to 65535.
Remove this rule when the application terminates: Create a temporary allow or block rule that is deleted when the application is closed. If you do not select this option, the new firewall rule is created as a permanent client rule.
Host Intrusion Prevention creates a new firewall rule based on the options selected, adds it to the Firewall Rules policy list, and automatically allows or blocks similar traffic.
Responding to Spoof Detected alerts
If you enable firewall protection, a spoof alert automatically appears if Host Intrusion Prevention detects an application on your computer sending out spoofed network traffic, and a user needs to respond to it.
This means that the application is trying to make it seem like traffic from your computer actually comes from a different computer. It does this by changing the IP address in the outgoing packets. Spoofing is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic.
NOTE: The Spoof Detected Alert dialog box appears only if you select the Display pop-up alert option. If you do not select this option, Host Intrusion Prevention automatically blocks the spoofed traffic without notifying you.
The Spoof Detected Alert dialog box is very similar to the firewall feature’s Learn Mode alert. It displays information about the intercepted traffic in two areas — the Application Information section, and the Connection Information section.
The Application Information section displays:
• The IP address that the traffic pretends to come from.
• Information about the program that generated the spoofed traffic.
• The time and date when Host Intrusion Prevention intercepted the traffic.
The Connection Information section provides further networking information. In particular, Local Address shows the IP address that the application is pretending to have, while Remote Address shows your actual IP address.
When Host Intrusion Prevention detects spoofed network traffic, it blocks both the traffic and the application that generated it.
About the IPS Policy tab
Use the IPS Policy tab to configure the IPS feature, which protects against host intrusion attacks based on signature and behavioral rules. From this tab you can enable or disable functionality and configure client exception rules. For more details on IPS policies, see Configuring IPS policies.
The IPS Policy tab displays exception rules relevant to the client and provides summary and detailed information for each rule.
Table 16: IPS Policy tab
Column: Displays
Exception: The name of the exception.
Signature: The name of the signature against which the exception is created.
Application: The application that this rule applies to, including the program name and executable file name.
Customizing IPS Policy options
Options at the top of the tab control settings delivered by the server-side IPS policies after the client interface is unlocked.
Task
1 In the Host IPS client console, click the IPS Policy tab.
2 Select or deselect an option as needed.
Select... To do this...
Enable Host IPS: Enable host intrusion prevention protection.
Enable Network IPS: Enable network intrusion prevention protection.
Enable Adaptive Mode: Enable adaptive mode to automatically create exceptions to intrusion prevention signatures.
Automatically block attackers: Block network intrusion attacks automatically for a set period of time. Indicate the number of minutes in the min. field.
Creating and editing IPS Policy exception rules
View, create, and edit IPS exception rules on the IPS Policy tab on the client.
Task
1 In the IPS Policy tab, click Add to add a rule.
2 In the Exception Rule dialog box, type a description for the rule.
3 Select the application the rule applies to from the application list, or click Browse to locate the application.
4 Select Exception rule is Active to make the rule active. Exception applies to all signatures, which is neither enabled nor selected by default, applies the exception to all signatures.
5 Click OK.
6 For other edits, do one of the following:
To... Do this...
View the details of a rule or edit a rule: Double-click a rule, or select a rule and click Properties. The Exception Rule dialog box appears displaying rule information that can be edited.
Make a rule active/inactive: Select or clear the Exception rule is Active checkbox in the Exception Rule dialog box. You can also select or clear the checkbox next to the rule icon in the list.
Delete a rule: Select a rule and click Remove.
Apply changes immediately: Click Apply. If you do not click this button after making changes, a dialog box appears asking you to save the changes.
About the Firewall Policy tab
Use the Firewall Policy tab to configure the Firewall feature, which allows or blocks network communication based on rules that you define. From this tab you can enable or disable functionality and configure client firewall rules. For details on firewall policies, see Configuring Firewall Policies.
The firewall rules list displays rules and rule groups relevant to the client and provides summary and detailed information for each rule. Rules in italics cannot be edited.
Table 17: Firewall Policy tab
Item: Description
Checkbox: Indicates whether the rule is enabled (checked) or disabled (unchecked). For rules not in italics, you can enable and disable the rule with the checkbox.
Firewall group: Displays the list of rules it contains. Click the plus box to display the rules; click the minus box to hide the rules.
Timed group: Indicates the group is a timed group.
Location-aware group: Indicates the group is a location-aware group.
Firewall rule: Displays the basic properties of the rule. Click the plus box to display the properties; click the minus box to hide the properties.
Rule action: Indicates whether the rule allows traffic, or blocks it.
Rule direction: Indicates whether the rule applies to incoming traffic, outgoing traffic, or both.
Customizing Firewall Policy options
Options at the top of the tab control settings delivered by the server-side Firewall policies after the client interface is unlocked.
Task
1 In the Host IPS client console, click the Firewall Policy tab.
2 Select or deselect an option as needed.
Select... To...
Enable Firewall: Enable firewall policy protection.
Learn Mode Incoming: Enable learn mode for incoming traffic.
Learn Mode Outgoing: Enable learn mode for outgoing traffic.
Adaptive Mode: Enable adaptive mode.
Trusted Networks: View trusted networks.
Creating and editing Firewall rules
View, create, and edit Firewall rules on the Firewall Policy tab on the client.
Task
1 In the Firewall Policy tab, click Add to add a rule.
NOTE: You can create only rules and not groups in the client console.
2 On the General page, type the name of the rule and select information on rule action and direction.
3 Click Next to proceed to the other pages to change the default settings.
NOTE: Each page of the rule builder corresponds to a tab of the firewall rule builder in the Firewall Rules policy.
For this page... Enter this information...
General: The name, status, action, and direction of the rule.
Networks: The IP address, subnet, domain, or other specific identifiers for this rule.
Transport: The protocol and the local or remote addresses where this rule applies. You can define an individual address, a range of addresses, a list of specific addresses, or specify all addresses.
Applications: The applications that this rule applies to, including the executable file name.
Schedule: The schedule, if any, for the rule.
4 Click Finish to save the new rule.
5 For other edits, do one of the following:
To... Do this...
View the details of a rule or edit a rule: Select a rule and click Properties. The firewall rule builder dialog box appears displaying rule information. If the rule is not in italic, you can edit it.
Make a rule active/inactive: Select or clear the checkbox next to Enabled on the General page of the firewall rule. You can also select or clear the checkbox next to the rule in the list.
Make a copy of an existing rule: Select the rule, usually a default rule that cannot be edited, and click Duplicate.
Delete a rule: Select a rule and click Remove.
Apply changes immediately: Click Apply. If you do not click this button after making changes, a dialog box appears asking you to save the changes.
About the Blocked Hosts tab
Use the Blocked Hosts tab to monitor a list of blocked hosts (IP addresses) that is automatically created when Network IPS (NIPS) protection is enabled. If Create Client Rules is selected in the IPS Options policy in the ePolicy Orchestrator console, you can add to and edit the list of blocked hosts.
The blocked hosts list shows all hosts currently blocked by Host Intrusion Prevention. Each line represents a single host. You can get more information on individual hosts by reading the information in each column.
Table 18: Blocked Hosts tab
Column: What it shows
Source: The IP address that Host Intrusion Prevention is blocking.
Blocked Reason: An explanation of why Host Intrusion Prevention is blocking this address. If Host Intrusion Prevention added this address to the list because of an attempted attack on your system, this column describes the type of attack. If Host Intrusion Prevention added this address because one of its firewall rules used the Treat rule match as intrusion option, this column lists the name of the relevant firewall rule. If you added this address manually, this column lists only the IP address that you blocked.
Time: The time and date when you added this address to the blocked addresses list.
Time Remaining: How long Host Intrusion Prevention continues to block this address. If you specified an expiration time when you blocked the address, this column shows the number of minutes left until Host Intrusion Prevention removes the address from the list. If you specified that you wanted this address blocked until you manually removed it from the list, this column displays Until removed.
Editing the Blocked Hosts list
Edit the list of blocked addresses to add, remove, change, or view blocked hosts.
Task
1 Click Add to add a host.
2 In the Blocked Host dialog box, enter the IP address you want to block. To search for an IP address by domain name, click DNS Lookup. If you find the host name there, click Use.
3 Type the number of minutes, up to 60, to block the IP address.
4 Click OK.
NOTE: After you create a blocked address, Host Intrusion Prevention adds a new entry to the list on the Application Protection tab. It blocks any communication attempt from that IP address until you remove it from the blocked addresses list, or a set period of time expires.
5 For other edits, do one of the following:
To... Do this...
View the details of or edit a blocked host: Double-click a host entry, or select a host and click Properties. The Blocked Host dialog box displays information that can be edited.
Delete a blocked host: Select a host and click Remove.
Apply changes immediately: Click Apply. If you do not click this button after making changes, a dialog box appears asking you to save the changes.
About the Application Protection List tab
The Application Protection List tab displays a list of applications protected on the client. This is a view-only list populated by administrative policy and a client-specific application list created heuristically.
This list shows all monitored processes on the client.
Table 19: Application Protection tab
Column: What it shows
Process: The application process.
PID: The process ID, which is the key for the cache lookup of a process.
Application Full Path: The full path name of the application executable.
About the Activity Log tab
Use the Activity Log tab to configure the logging feature and track Host Intrusion Prevention actions.
The Activity Log contains a running log of activity. Most recent activity appears at the bottom of the list.
Column: What it shows
Time: The date and time of the Host Intrusion Prevention action.
Event: The feature that performed the action. Traffic indicates a firewall action. Application indicates an application blocking action. Intrusion indicates an IPS action. System indicates an event relating to the software's internal components. Service indicates an event relating to the software's service or drivers.
IP Address/User: The remote address that this communication was either sent to, or sent from.
Intrusion Data: An icon indicating that Host Intrusion Prevention saved the packet data associated with this attack (appears only for IPS log entries). You can export the packet data associated with this log entry. Right-click the log entry to save the data to a Sniffer file.
NOTE: This column appears only if you select Create Sniffer Capture... in the McAfee Options dialog box.
Application: The program that caused the action.
Message: A description of the action, with as much detail as possible.
Matched rule: The name of the rule that was matched.
NOTE: This column is located on the far right of the screen, so you must scroll or resize the columns to view the column and its contents.
Customizing Activity Log options
Options at the top of the tab control logging settings delivered by the server-side Client UI policies after the client interface is unlocked.
Task
1 In the Host IPS client console, click the Activity Log tab.
2 Select or deselect an option as needed.
Select... To do this...
Traffic Logging - Log All Blocked: Log all blocked firewall traffic.
Traffic Logging - Log All Allowed: Log all allowed firewall traffic.
Filter Options - Traffic: Filter the data to display blocked and allowed firewall traffic.
Filter Options - Intrusions: Filter the data to display intrusions.
NOTE: You can enable and disable logging for the firewall traffic, but not for the IPS feature. However, you can choose to hide these events in the log by filtering them out.
3 Do any of the following to change the display:
To... Do this...
Refresh the display: Click Refresh.
Permanently delete the contents of the log: Click Clear.
Save the contents of the log and delete the list from the tab: Click Export. In the dialog box that appears, name and save the .txt file.
Apply changes immediately: Click Apply. If you do not click this button after making changes, a dialog box appears asking you to save the changes.
Overview of the Solaris client
The Host Intrusion Prevention Solaris client identifies and prevents potentially harmful attempts to compromise a Solaris server’s files and applications. It protects the server’s operating system along with Apache and Sun web servers, with an emphasis on preventing buffer overflow attacks.
Policy enforcement with the Solaris client
Not all policies that protect a Windows client are available for the Solaris client. In brief, Host Intrusion Prevention protects the host server from harmful attacks but does not offer firewall protection. The valid policies are listed here.
Table 20: Solaris client policies
Policy: Available options
Host Intrusion Prevention 8.0 IPS
IPS Options: Enable HIPS, Enable Adaptive Mode, Retain existing Client Rules
IPS Protection: All
IPS Rules: Exception Rules; Signatures (default and custom HIPS rules only). NOTE: NIPS signatures and Application Protection Rules are not available.
Host Intrusion Prevention 8.0 General
Client UI: None except administrative or time-based password to allow use of the troubleshooting tool.
Trusted Networks: None
Trusted Applications: Only Mark as trusted for IPS and New Process Name to add trusted applications.
Host Intrusion Prevention 8.0 Firewall: None
Troubleshooting the Solaris client
If a problem was caused while installing or uninstalling the client, there are several things to investigate. These can include ensuring that all required files were installed in the correct directory, uninstalling and then reinstalling the client, and checking process logs. In addition, you might encounter problems with the operation of the client. You can check whether the client is running, and stop and restart the client.
The Solaris client has no user interface to troubleshoot operation issues. It does offer a command-line troubleshooting tool, hipts, located in the /opt/McAfee/hip directory. To use this tool, you must provide a Host Intrusion Prevention client password. Use the default password that ships with the client (abcde12345), or send a Client UI policy to the client with either an administrator’s password or a time-based password set with the policy, and use this password.
Use the troubleshooting tool to:
• Indicate the logging settings and engine status for the client.
• Turn message logging on and off.
• Turn engines on and off.
Log on as root and run the following commands to aid in troubleshooting:
Run... To...
hipts status: Obtain the current status of the client indicating which type of logging is enabled, and which engines are running.
hipts logging on: Turn on logging of specific message types.
hipts logging off: Turn off logging of all message types. Logging is off by default.
hipts message <message name>:on: Display the message type indicated when logging is set to “on.” Messages include: error, warning, debug, info, violations.
hipts message <message name>:off: Hide the message type indicated when logging is set to “on.” Message error is off by default.
hipts message all:on: Display all message types when logging is set to “on.”
hipts message all:off: Hide all message types when logging is set to “on.”
hipts engines <engine name>:on: Turn on the engine indicated. Engine is on by default. Engines include: MISC, FILES, GUID, MMAP, BO, HTTP.
hipts engines <engine name>:off: Turn off the engine indicated.
hipts engines all:on: Turn on all engines.
hipts engines all:off: Turn off all engines.
TIP: In addition to using the troubleshooting tool, consult the HIPShield.log and HIPClient.log files in the /opt/McAfee/hip/log directory to verify operations or track issues.
Verifying Solaris installation files
After an installation, check that all the files were installed in the appropriate directory on the client. The /opt/McAfee/hip directory should contain these essential files and directories:
File/Directory Name: Description
HipClient; HipClient-bin: Solaris client
HipClientPolicy.xml: Policy rules
hipts; hipts-bin: Troubleshooting tool
*.so: Host Intrusion Prevention and McAfee Agent shared object modules
log directory: Contains debug and error log files
Installation history is written to /opt/McAfee/etc/hip-install.log. Refer to this file for any questions about the installation or removal process of the Host Intrusion Prevention client.
Verifying the Solaris client is running
The client might be installed correctly, but you might encounter problems with its operation. If the client does not appear in the ePO console, for example, check that it is running, using either of these commands:
/etc/rc2.d/S99hip status
ps -ef | grep Hip
Stopping the Solaris client
You might need to stop a running client and restart it as part of troubleshooting.
Task
1 To stop a running client, first disable IPS protection. Use one of these procedures:
• Set IPS Options to Off in the ePO console and apply the policy to the client.
• Logged in as root, run the command: hipts engines MISC:off
2 Run the command: /sbin/rc2.d/S99hip stop
Restarting the Solaris client
You might need to stop a running client and restart it as part of troubleshooting.
Task
1 Run the command: /sbin/rc2.d/S99hip restart
2 Enable IPS protection. Use one of these procedures, depending on which you used to stop the client:
• Set IPS Options to On in the ePO console and apply the policy to the client.
• Logged in as root, run the command: hipts engines MISC:on
Overview of the Linux client
The Host Intrusion Prevention Linux client identifies and prevents potentially harmful attempts to compromise a Linux server’s files and applications. It protects the server’s operating system along with Apache web servers, with an emphasis on preventing buffer overflow attacks.
Policy enforcement with the Linux client
Not all policies that protect a Windows client are available for the Linux client. In brief, Host Intrusion Prevention protects the host server from harmful attacks but does not offer network intrusion protection, including buffer overflow. The policies that are valid are listed here.
Table 21: Linux client policies
Policy: Available options
Host Intrusion Prevention 8.0 IPS
IPS Options: Enable HIPS, Enable Adaptive Mode, Retain existing Client Rules
IPS Protection: All
IPS Rules: Exception Rules; Signatures (default and custom HIPS rules only). NOTE: NIPS signatures and Application Protection Rules are not available.
Host Intrusion Prevention 8.0 General
Client UI: None except administrative or time-based password to allow use of the troubleshooting tool.
Trusted Networks: None
Trusted Applications: Only Mark as trusted for IPS and New Process Name to add trusted applications.
Host Intrusion Prevention 8.0 Firewall: None
Notes about the Linux client
• The Host IPS 8.0 Linux client is incompatible with SELinux in enforce mode. To disable the enforce mode, run the command: system-config-securitylevel, change the setting to disabled, and restart the client system.
• When the Host IPS 8.0 Linux kernel modules are loaded, the SUSE kernel is reported to be tainted. The kernel log indicates this flag:
schook: module not supported by Novell, setting U taint flag; hipsec: module not supported by Novell, setting U taint flag
Novell requirements for third-party modules are causing the Host IPS kernel to be marked tainted. Because the Host IPS 8.0 Linux kernel modules are GPL-licensed, this message should be ignored. McAfee is working with Novell to resolve this issue.
Troubleshooting the Linux client
If a problem was caused while installing or uninstalling the client, there are several things to investigate. These can include ensuring that all required files were installed in the correct directory, uninstalling and reinstalling the client, and checking process logs. In addition, you might encounter problems with the operation of the client. You can check whether the client is running, and stop and restart the client.
The Linux client has no user interface for troubleshooting operation issues. It does offer a command-line troubleshooting tool, hipts, located in the /opt/McAfee/hip directory. To use this tool, you must provide a Host Intrusion Prevention client password. Use the default password that ships with the client (abcde12345), or send a Client UI policy to the client with an administrator’s password or a time-based password set with the policy, and use this password.
Use the troubleshooting tool to:
• Indicate the logging settings and engine status for the client.
• Turn message logging on and off.
• Turn engines on and off.
Log on as root and run the following commands to aid in troubleshooting:
Run... To...
hipts status: Obtain the current status of the client indicating which type of logging is enabled, and which engines are running.
hipts logging on: Turn on logging of specific message types.
hipts logging off: Turn off logging of all message types. Logging is off by default.
hipts message <message name>:on: Display the message type indicated when logging is set to “on.” Messages include: error, warning, debug, info, violations.
hipts message <message name>:off: Hide the message type indicated when logging is set to “on.” Message error is off by default.
hipts message all:on: Display all message types when logging is set to “on.”
hipts message all:off: Hide all message types when logging is set to “on.”
hipts engines <engine name>:on: Turn on the engine indicated. Engine is on by default. Engines include: MISC, FILES, HTTP.
hipts engines <engine name>:off: Turn off the engine indicated.
hipts engines all:on: Turn on all engines.
hipts engines all:off: Turn off all engines.
TIP: In addition to using the troubleshooting tool, consult the HIPShield.log and HIPClient.log files in the /opt/McAfee/hip/log directory to verify operations or track issues.
Verifying Linux installation files
After an installation, check to see that all the files were installed in the appropriate directory on the client. The /opt/McAfee/hip directory should contain these essential files and directories:
File Name: Description
HipClient; HipClient-bin: Linux client
HipClientPolicy.xml: Policy rules
hipts; hipts-bin: Troubleshooting tool
*.so: Host Intrusion Prevention and McAfee Agent shared object modules
log directory: Contains debug and error log files
Installation history is written to /opt/McAfee/etc/hip-install.log. Refer to this file for any questions about the installation or removal process of the Host Intrusion Prevention client.
Verifying the Linux client is running
If the client does not appear in the ePO console, for example, check that the client is running. To do this, run this command:
ps -ef | grep Hip
Stopping the Linux client
You might need to stop a running client and restart it as part of troubleshooting.
Task
1 To stop a client, disable IPS protection. Use one of these procedures:
• Set IPS Options to Off in the ePO console and apply the policy to the client.
• Run the command: hipts engines MISC:off
2 Run the command: hipts agent off
Restarting the Linux client
You might need to stop a running client and restart it as part of troubleshooting.
Task
1 Run the command: hipts agent on
2 Enable IPS protection. Use one of these procedures, depending on which you used to stop
the client:
• Set IPS Options to On in the ePO console and apply the policy to the client.
• Run the command: hipts engines MISC:on
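The following POSIX shell helpers are an added example, not McAfee's own tooling, that turn the Solaris and Linux verification and stop/restart steps above into repeatable checks: they confirm the files the guide lists are present under the install root, look for a HipClient process without the self-matching pitfall of a plain ps -ef | grep Hip, and validate a hipts engine argument against the guide's per-platform engine lists before it is handed to hipts engines. The install-root parameter (defaulting to the guide's /opt/McAfee/hip) and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the McAfee Host IPS client: helpers for the
# Solaris/Linux verification and stop/restart steps described in the guide.
# The install root defaults to /opt/McAfee/hip as documented; making it a
# parameter is this example's assumption so checks can run on a staged copy.

HIP_ROOT_DEFAULT=/opt/McAfee/hip
# Files and directories the guide lists as essential under the install root.
HIP_REQUIRED_FILES="HipClient HipClient-bin HipClientPolicy.xml hipts hipts-bin"
HIP_REQUIRED_DIRS="log"
# Engine names per platform, taken from the guide's hipts tables.
HIP_ENGINES_SOLARIS="MISC FILES GUID MMAP BO HTTP"
HIP_ENGINES_LINUX="MISC FILES HTTP"

# hip_verify_install [install_root]
# Reports each missing file or directory; returns 1 if anything is missing.
hip_verify_install() {
    root="${1:-$HIP_ROOT_DEFAULT}"
    missing=0
    for f in $HIP_REQUIRED_FILES; do
        if [ ! -f "$root/$f" ]; then
            echo "missing file: $root/$f"
            missing=1
        fi
    done
    for d in $HIP_REQUIRED_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            missing=1
        fi
    done
    # The guide also expects *.so shared object modules; if the glob does
    # not expand, ls fails on the literal pattern and we report it.
    if ! ls "$root"/*.so >/dev/null 2>&1; then
        echo "missing shared object modules: $root/*.so"
        missing=1
    fi
    return $missing
}

# hip_client_running
# Returns 0 if a HipClient process is in the process table. The bracketed
# first character stops grep from matching its own command line, which a
# plain "ps -ef | grep Hip" does not guard against.
hip_client_running() {
    ps -ef 2>/dev/null | grep '[H]ipClient' >/dev/null
}

# hip_engine_arg platform engine state
# Prints the argument string for "hipts engines <engine>:<state>" after
# checking that the engine exists on that platform (or is "all") and that
# the state is on or off; returns 1 and prints a reason otherwise.
hip_engine_arg() {
    platform="$1"; engine="$2"; state="$3"
    case "$platform" in
        solaris) engines="$HIP_ENGINES_SOLARIS" ;;
        linux)   engines="$HIP_ENGINES_LINUX" ;;
        *) echo "unknown platform: $platform" >&2; return 1 ;;
    esac
    case "$state" in
        on|off) ;;
        *) echo "state must be on or off: $state" >&2; return 1 ;;
    esac
    if [ "$engine" != all ]; then
        found=0
        for e in $engines; do
            [ "$e" = "$engine" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "engine $engine is not available on $platform" >&2
            return 1
        fi
    fi
    echo "engines $engine:$state"
}
```

Run the checks as root on the client, for example hip_verify_install followed by hipts $(hip_engine_arg linux MISC off) before hipts agent off, so a typo in an engine name is caught before the client is stopped.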