McAfee UTILITIES 4.0 Operating Instructions

Browse online or download the operating instructions for the software McAfee UTILITIES 4.0. McAfee UTILITIES 4.0 Product Guide user manual


Table of contents

Page 1 - Product Guide

McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0

Page 2

The two Host Intrusion Prevention policies without a My Default policy, IPS Rules and Trusted Applications, are called multiple-instance policies becau

Page 3

Solaris client issues: After the Solaris client is installed and started, it protects its host. However, you may need to troubleshoot installation or ope

Page 4

that ships with the client (abcde12345), or send a Client UI policy to the client with either an administrator’s password or a time-based password set

Page 5

Set IPS Options to Off in the ePO console and apply the policy to the client. • Run the command: hipts engines MISC:off. 2 Run the command: /etc/rc2.d/

Page 6

With this policy... / These options are available...: IPS Client Rules: All; Search IPS Exception Rules: All; HIP 7.0 FIREWALL: None; HIP 7.0 APPLICATION BLOCKING: N

Page 7

File Name / Description: *.so: Host Intrusion Prevention and ePO agent shared object modules; log directory: Contains debug and error log files; Installation histo

Page 8 - Firewall policies

To do this... / Run this command...: Turn off the engine indicated: hipts engines <engine name>:off; Turn on all engines: hipts engines all:on; Turn off al

Page 9 - Policy management

Index. A: activity logs, Host IPS: customizing options 98; deleting entries 98; firewall logging options 90; IPS logging options 89; viewing 98; working with Activity

Page 10 - Policy tracking and tuning

clients (continued): updating with task or agent wake-up call 23; Windows (See Windows client) 86; working with, in Host IPS 18. client rules: creating, with ad

Page 11 - Adaptive and learn mode

groups, Host IPS (continued): firewall connection-aware, creating 62; firewall rule groups, creating 61; how policies are applied 10; notifications and 21; quara

Page 12 - Dashboards and queries

McAfee Default policy (continued): Host Intrusion Prevention 9. McAfee recommendations: contact McAfee support to disable HIPS engine 90; duplicate a policy be

Page 13 - Managing Your Protection

Prevention you can divide administrative duties based on product features, such as IPS or firewall. Deploying Host Intrusion Prevention to thousands of

Page 14

preconfigured policies (continued): Application Blocking Rules 71; Client UI 77; Firewall Rules 57; IPS Options 27; IPS Protection 28; Quarantine Options 64; Trusted

Page 15

T: troubleshooting, Host IPS: Client UI 80; disabling Host IPS engines 90; error reporting 88; Firewall logging, setting options 90; hipts tool 100, 104; installing

Page 16 - Management of policies

McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0 (page 112, Index)

Page 17 - Where to find policies

You can reduce the number of false positives by creating exception rules, trusted applications, and firewall rules. • Exception rules are mechanisms for ov

Page 18 - Configuring policies

Managing Your Protection: Management of a Host IPS deployment includes monitoring, analyzing, and reacting to activities; changing and updating policies;

Page 19 - Automatic tuning with clients

You can produce queries for a group of selected client systems, or limit report results by product or system criteria. You can export reports into a va

Page 20 - Management of systems

IPS Client Rules, Firewall Client Rules, Application Blocking Client Rules: • Non-IP Protocol • Process Eval Option • Process Name • Process Path • Props schema

Page 21 - Host IPS server tasks

HIP Query / Summary: Count of IPS Client Rules: Displays the number of IPS client rules created over time. Displays the top 10 blocked applications for the pa

Page 22 - Host IPS protection updates

• Apply the new policy to a set of computers and monitor the results. • Repeat this process with each production group type. Automatic tuning: Automatic t

Page 23 - Updating clients with content

Do this... / To...: Click Delete (not available for default or preconfigured policies). NOTE: When you delete a policy, all groups to which it is currently

Page 24 - Configuring IPS Policies

• Establish a naming convention for your clients. Clients are identified by name in the System Tree, in certain reports, and in event data generated by

Page 25 - Behavioral rules

COPYRIGHT: Copyright © 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

Page 26 - Exception rules

might deem certain script processing as illegal behavior, but certain systems in your engineering groups need to perform such tasks. Allow exceptions t

Page 27

Host IPS server tasks: Host Intrusion Prevention provides a single server task that enables review and promotion of client rules to administrative policy

Page 28

1 Describe the rule. 2 Set filters for the rule. 3 Set thresholds for the rule. 4 Create the message to be sent and the type of delivery. Notification cat

Page 29

Checking in update packages: You can create an ePO pull task that automatically checks in content update packages to the master repository, or you can do

Page 30 - Working with IPS signatures

Configuring IPS Policies: IPS policies turn host intrusion prevention protection on and off, set the reaction level to events, and provide details on exc

Page 31

Host intrusion prevention signatures: Host IPS protection resides on individual systems such as servers, workstations or laptops. The Host Intrusion Preve

Page 32

Host Intrusion Prevention combines the use of signature rules and hard-coded behavioral rules. This hybrid method detects most known attacks as well as

Page 33 - Creating signatures

Working with IPS Options policies: The IPS Options policy turns on and off IPS protection and allows you to apply adaptive mode on clients to create new

Page 34

2 In the IPS Options policy list, click Edit under Actions to change the settings for a custom policy. Figure 2: IPS Options. 3 In the IPS Options page th

Page 35

• Prevent high and medium severity level signatures and ignore the rest. Maximum Protection • Prevent high, medium, and low severity level signatures an

Page 36

Contents: Introducing Host Intrusion Prevention 7.0 ... 7. Host Int

Page 37

Working with IPS Rules policies: The IPS Rules policy applies intrusion prevention safeguards. This policy is a multiple-instance policy that can have mu

Page 38

• Low — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they ca

Page 39 - Creating exception rules

Configuring IPS Rules signatures: Use this task to edit default signatures; create, edit or delete custom signatures; and move signatures to another poli

Page 40 - Working with IPS events

8 Click Save to save changes. Creating signatures: Use this task to create custom host intrusion prevention signatures to protect specific operations. Tas

Page 41 - Managing IPS events

To use Expert method: / To use Standard method: signature. Before writing a rule, make sure you understand rule syntax. 1 Type the rule syntax for the signa

Page 42

4 On the Rule Definition tab, select the item to protect against modifications and enter details. Figure 8: Signature Creation Wizard — Rule Definitions. 5

Page 43 - Managing IPS client rules

runs as a service. If not, it is blocked; if it listens on a port or runs as a service, it is permitted to hook. Figure 9: Application Protection Rules

Page 44

Tasks: Configuring IPS Rules application protection rules; Creating application protection rules. Configuring IPS Rules application protection rules: Use this

Page 45 - Configuring Firewall Policies

Task: For option definitions, click ? on the page displaying the options. 1 On the IPS Rule policy Application Protection Rules tab, do one of the follow

Page 46 - Stateful packet inspection

Configuring IPS Rules exceptions: Use this task to create, view, edit, or delete exception rules and move exception rules to another policy. Task: For option

Page 47 - How firewall rules work

Configuring IPS Policies ...

Page 48 - How stateful filtering works

1 On the IPS Rule policy Exception Rules tab, click Add Exception. 2 Enter the required data on each tab of the Exception wizard. These include: Signat

Page 49 - Stateful protocol tracking

applications that use TCP/IP Port 25 typically reserved for email applications, and this action would be detected by the TCP/IP Port 25 Activity (SMTP)

Page 50

2 Select the group in the System Tree for which you want to display IPS events. All events associated with the group appear. By default, not all events

Page 51 - Overview of Firewall policies

exception under Creating exception rules, for creating a trusted application under Creating and editing Trusted Application rules. Managing IPS client r

Page 52

Do this... / To...: Select time criteria; type process path, process name, user name, computer name, or signature ID in the Filter for exception criteria sear

Page 53

Configuring Firewall Policies: The Firewall policies of Host Intrusion Prevention protect computers by filtering all network traffic, allowing legitimate

Page 54

network architecture is built on the seven-layer Open System Interconnection (OSI) model, where each layer handles specific network protocols. Figure 16

Page 55 - Quarantine policies and rules

computer’s connection state. Access to the application level commands provides error-free inspection and securing of the FTP protocol. State table: A stat

Page 56

If, however, the traffic does not meet the first rule’s conditions, Host Intrusion Prevention looks at the next rule in the list. It works its way down

Page 57

4 If the packet does not match any configurable rule, it is blocked. Figure 17: Stateful filtering process. How stateful packet inspection works: Stateful

Page 58

Creating firewall rule groups ... 61. Creat

Page 59

Protocol / Description of handling: A UDP connection is added to the state table when a matching static rule is found and the action from the rule is Allow.

Page 60 - 4 Click Save to save changes

Host Intrusion Prevention also supports a type of rule group that does affect how rules are handled. These groups are called connection-aware groups. Rul

Page 61 - Creating firewall rule groups

Connection isolation in connection-aware groups: The connection isolation option in Connection-Aware Groups (CAG) prevents undesirable traffic from acces

Page 62

• If the traffic through a NIC does not match the CAG criteria, and the connection isolation option is enabled, the traffic is blocked. Figure 18: Netwo

Page 63

Connection isolation on the corporate network: Connection rules are processed until the Connection-Aware Group with corporate LAN connection rules is enc

Page 64

Host Intrusion Prevention displays all the rules created on clients through learn mode or adaptive mode, and allows these rules to be saved and migrate

Page 65

When you configure the Quarantine Options policy, you specify a list of protected IP addresses and subnets. Any user assigned one of these addresses is

Page 66

Change the policy’s assignment on the Policy Assignment page. For a group, go to Systems | System Tree, select a group, and then on the Policies tab cl

Page 67

• Allows Windows file sharing requests from computers in the same subnet, and blocks file sharing requests from anyone else. (The Trusted Networks poli

Page 68

• Allows only UDP traffic necessary for accessing IP information (such as your own IP address or the network time). • Blocks Windows file sharing. On the

Page 69

Unlocking the Windows client interface ... 87. Setting clie

Page 70

To... / Do this: Add a rule: Click Add Rule or Add Predefined Rules. See Working with firewall rules or Working with predefined firewall rules for details. Click A

Page 71

1 On the Firewall Rules policy page, click Add Rule to create a new rule; click Edit under Actions to edit an existing rule. Figure 21: Firewall Rule. 2 S

Page 72

Creating firewall connection-aware groups: Use this task to create a connection-aware group. These groups let you manage a set of rules that apply only w

Page 73

Access to Firewall Client Rules on the Host IPS tab under Reporting requires additional permissions other than that for Host Intrusion Prevention Firew

Page 74

Working with Quarantine Options policies: The Quarantine Options policy turns on and off quarantine mode and quarantine notifications, defines quarantine

Page 75

Working with Quarantine Rules policies: The Quarantine Rules policy is a special set of firewall rules that is enforced when quarantine mode is enabled.

Page 76 - Configuring General Policies

2 Click Edit to make changes on the Quarantine Rules page. Figure 24: Quarantine Rules list. Do this... / To...: Click Add Rule or Predefined Rules. See Workin

Page 77

1 On the Quarantine Rules policy page, click Add Rule to create a new rule; click Edit under Actions to edit an existing rule. Figure 25: Quarantine Rul

Page 78 - Unlocking the Windows client

Adding predefined quarantine rules: Use this task to add predefined quarantine rules that match your needs immediately or after you have edited them. Task

Page 79

Configuring Application Blocking Policies: The Application Blocking feature of Host Intrusion Prevention manages a set of applications that you allow to

Page 80

Introducing Host Intrusion Prevention 7.0: McAfee Host Intrusion Prevention is a host-based intrusion detection and prevention system that protects syste

Page 81 - Prevention Clients

Filtering and aggregating rules: Applying filters generates a list of rules that satisfies all of the variables defined in the filter criteria. The resul

Page 82

1 Go to Systems | Policy Catalog and select Host Intrusion Prevention: Application Blocking in the Product list and Application Blocking Options in the

Page 83

Creating and editing Application Blocking rules; Managing Application Blocking client rules. Configuring an Application Blocking Rules policy: Use this task

Page 84

Do this... / To...: Click: Edit to edit an existing rule. See Creating and editing Application Blocking rules for details. To perform an action on a single ru

Page 85 - Creating

To do this... / Select this option...: Allow the application to bind to other applications: Allow application to hook other applications. 5 Select Matching Op

Page 86 - System tray icon

2 Select the group in the System Tree for which you want to display client rules. 3 Determine how you want to view the list of client rules: Do this... / T

Page 87 - Setting client UI options

Configuring General Policies: The General feature of Host Intrusion Prevention provides access to policies that are general in nature and not specific to

Page 88 - Client error reporting

User type / Functionality: The average user who has the Host Intrusion Prevention client installed on a desktop or laptop. The Client UI policy enables this

Page 89

1 Go to Systems | Policy Catalog and select Host Intrusion Prevention: General in the Product list and Client UI in the Category list. The list of poli

Page 90 - Windows client alerts

Task: 1 Click the Advanced Options tab in the Client UI policy. Figure 31: Client UI—Advanced Options tab. 2 Determine the type of password you want to cre

Page 91 - Responding to Firewall alerts

Basic protection: Host Intrusion Prevention ships with a set of default settings that provide basic “out-of-the-box” protection for your environment. The

Page 92

• If the Client UI is unlocked, the menu commands have no effect. For details on using the tray icon menu, see the section on working with the Host IPS

Page 93 - About the IPS Policy tab

Do this... / To: Select from the list the message type to trigger logging of IPS events. Debug logs all messages; Information logs Information, Turn on IPS l

Page 94 - About the Firewall Policy tab

Task: For option definitions, click ? on the page displaying the options. 1 Go to Systems | Policy Catalog and select Host Intrusion Prevention: General

Page 95

Change the policy’s assignment on the Policy Assignment page. For a group, go to Systems | System Tree, select a group, and then on the Policies tab cl

Page 96 - About the Blocked Hosts tab

Do this... / To...: Select them and click: Perform an action on one or more applications at the same time. Enable to enable a disabled application. Disable to d

Page 97

7 Click Save to apply all changes. Creating and editing Trusted Application rules: Use this task to create a new trusted application or edit an existing

Page 98 - About the Activity Log tab

Working with Host Intrusion Prevention Clients: The Host Intrusion Prevention client can be installed on Windows, Solaris, and Linux platforms. Only the

Page 99

To do this... / Click...: Open the About Host Intrusion Prevention dialog box, which displays the version number and other product information: About... If th

Page 100 - Client operations issues

Task: 1 On the client console Edit menu, click Options. 2 In the Host Intrusion Prevention Options dialog box, select and deselect options as needed. For t

Page 101 - Stopping the Solaris client

Troubleshooting the Windows client: Host Intrusion Prevention includes a Troubleshooting option on the Help menu, which is available when the interface i

Page 102 - Overview of the Linux client

• Firewall Options. Turns on or off firewall protection and application of adaptive or learn mode. • Firewall Rules. Defines firewall rules. • Quarantin

Page 103 - Linux client issues

Setting options for Firewall logging: As part of troubleshooting you can create firewall activity logs that can be analyzed on the system or sent to McA

Page 104

mode, this alert appears only if the Allow Client Rules option is disabled for the signature that caused the event to occur. The Intrusion Information t

Page 105 - Restarting the Linux client

Host Intrusion Prevention creates a new firewall rule based on the options selected, adds it to the Firewall Rules list, and automatically allows or bl

Page 106

is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic. NOTE: The Spoof Detect

Page 107 - (continued)

To do this... / Select...: Enable network intrusion prevention protection: Enable Network IPS. Enable adaptive mode to automatically create exceptions to intr

Page 108

This column... / Displays...: Whether Host Intrusion Prevention treats traffic that matches this rule as an intrusion (an attack) on your system. Whether thi

Page 109

The application rules list displays rules relevant to the client and provides summary and detailed information for each rule. This column... / Displays...: T

Page 110

Column / What it shows: Time • The time and date when you added this address to the blocked addresses list. Time Remaining • How long Host Intrusion Preventio

Page 111

About the Activity Log tab: Use the Activity Log tab to configure the logging feature and track Host Intrusion Prevention actions. The Activity Log contai

Page 112

To do this... / Select...: Filter the data to display events caused by applications: Filter Options - Applications. Filter the data to display intrusions: Filt
