Search IPS Exception Rules

You can search for exceptions in any IPS Rules policy on the Search IPS Exception Rules tab. This search function enables you to determine whether an exception is required for a signature rule. It also enables you to manage exceptions by deleting duplicate exception rules or creating trusted applications to allow a blocked process. Search criteria include the processes that triggered an event, the signatures that caused the event to be triggered, and the users affected by the exception rule.

After you have found the related exception rules you are searching for, you are advised to manage this list to keep the overall number of exceptions to a minimum. You can do this by deleting exceptions that are not needed because exceptions already exist for a particular process or signature, or by duplicating and editing an exception to replace several similar exceptions. The Search IPS Exception Rules tab also enables you to disable exceptions instead of permanently deleting them, and to find exceptions that match a profile to copy to other IPS policies.

To search for exceptions and manage the list of exceptions:

  1. On the Search IPS Exception Rules tab, click Search.
  2. The Search IPS Exception Rules dialog box appears.

  3. Select the appropriate criteria and do one of the following:
    • Select All (the default) for all processes.
    • Select Specific and click Edit to indicate specific processes. In the Search for Specific [Criteria] dialog box, move items from the available list to the selected list and click OK.
  4. Click OK.
  5. The list of exceptions matching the search criteria appears.

    When you select several criteria, the results that appear match any of the criteria you selected, not all of them. For example, if you select two specific processes, the exceptions that appear match either of the two processes; the list is not limited to exceptions that match both processes.

  6. Select an exception in the list and use commands on the shortcut menu or the toolbar to enable/disable it, move it from one policy to another, create a new exception by duplicating it, or delete it. For more details, see Exception Rules.

Copyright © 2006 McAfee, Inc. All Rights Reserved.