Configuring the IPS Protection policy

The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct agents what to do when an attack or suspicious behavior is detected. Each signature has one of four severity levels: High, Medium, Low, or Information.

These levels indicate potential danger to a system and enable you to define specific reactions for different levels of potential harm. You can modify the severity levels and reactions for all signatures. For example, when suspicious activity is unlikely to cause damage, you can select ignore as the reaction. When an activity is likely to be dangerous, you can set prevent as the reaction.

The IPS Protection policy has several preset policies from which to select. If the preset policies do not provide the selected option combination you want, create a new policy and select the required options. Selections in the IPS Protection policy dialog box vary depending on the selected policy.

To configure the IPS Protection policy:

  1. Expand the IPS feature, and click Edit on the IPS Protection category line.
  2. To apply a preset policy, select it in the policy list. Click the policy name icon to view the settings:

    | Select this policy... | For these options... |
    | --- | --- |
    | (Basic Protection (McAfee Default)) | Prevent high severity level signatures and ignore the rest. |
    | (Enhanced Protection) | Prevent high and medium severity level signatures and ignore the rest. |
    | (Maximum Protection) | Prevent high, medium, and low severity level signatures and log the rest. |
    | (Prepare for Enhanced Protection) | Prevent high and log medium severity level signatures and ignore the rest. |
    | (Prepare for Maximum Protection) | Prevent high and medium severity level signatures, log low severity level signatures, and ignore the rest. |
    | (Warning) | Log high severity level signatures and ignore the rest. |

  3. Click Apply.

To create a new IPS Protection policy:

  1. Click Edit on the IPS Severity category line, and select New Policy in the policy list.
  2. In the Create New Policy dialog box, select the policy to duplicate, type the name of the new policy, and then click OK.

    Create a new, duplicate policy when viewing the details of a preset policy by clicking Duplicate at the bottom of the policy dialog box. Type the name of the new policy and indicate whether to assign the policy immediately to the current node.

    The IPS Protection dialog box appears.

  3. Select the type of reaction for each severity level:

    | For this item... | Select... |
    | --- | --- |
    | High | Ignore to permit the event without logging it. |
    | | Log to permit the event and log it. |
    | | Prevent to prevent the event and log it. |
    | Medium | Ignore to permit the event without logging it. |
    | | Log to permit the event and log it. |
    | | Prevent to prevent the event and log it. |
    | Low | Ignore to permit the event without logging it. |
    | | Log to permit the event and log it. |
    | | Prevent to prevent the event and log it. |
    | Information | Ignore to permit the event without logging it. |
    | | Log to permit the event and log it. |

  4. Click Apply, and then click Close.
  5. Click Apply on the IPS Protection category line.

    Policies can be deleted only in the ePolicy Orchestrator Policy Catalog page and only by global administrators.
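
The following is an added example, not McAfee code or part of the product: it models the preset table and the per-level reaction choices above to show, before switching policies, which severity levels would go straight from Ignore (never logged) to Prevent and which would stop being logged. The names `PRESETS`, `check_policy`, `changes`, `unlogged_before_prevent` and `lost_visibility` are assumptions made for this example.

```python
# Added example: compare two IPS Protection policies before switching.
LEVELS = ("High", "Medium", "Low", "Information")

# Reactions per severity level, transcribed from the preset table on this page
# (preset names shown without the outer parentheses). Names are assumptions.
PRESETS = {
    "Basic Protection (McAfee Default)": ("Prevent", "Ignore", "Ignore", "Ignore"),
    "Enhanced Protection":               ("Prevent", "Prevent", "Ignore", "Ignore"),
    "Maximum Protection":                ("Prevent", "Prevent", "Prevent", "Log"),
    "Prepare for Enhanced Protection":   ("Prevent", "Log", "Ignore", "Ignore"),
    "Prepare for Maximum Protection":    ("Prevent", "Prevent", "Log", "Ignore"),
    "Warning":                           ("Log", "Ignore", "Ignore", "Ignore"),
}

def check_policy(reactions):
    """Validate a custom policy against the choices the dialog box offers."""
    if len(reactions) != len(LEVELS):
        raise ValueError("one reaction per severity level is required")
    for level, reaction in zip(LEVELS, reactions):
        # The dialog offers no Prevent reaction for the Information level.
        allowed = ("Ignore", "Log") if level == "Information" else ("Ignore", "Log", "Prevent")
        if reaction not in allowed:
            raise ValueError(f"{reaction!r} is not offered for {level}")
    return tuple(reactions)

def changes(current, target):
    """Map each severity level whose reaction differs to (before, after)."""
    return {lvl: (b, a) for lvl, b, a in zip(LEVELS, current, target) if b != a}

def unlogged_before_prevent(current, target):
    """Levels that go straight from Ignore (never logged) to Prevent."""
    return [lvl for lvl, (b, a) in changes(current, target).items()
            if (b, a) == ("Ignore", "Prevent")]

def lost_visibility(current, target):
    """Levels that were logged or prevented and would now be permitted unlogged."""
    return [lvl for lvl, (b, a) in changes(current, target).items() if a == "Ignore"]

if __name__ == "__main__":
    cur = PRESETS["Prepare for Enhanced Protection"]
    for name in ("Enhanced Protection", "Maximum Protection"):
        tgt = check_policy(PRESETS[name])
        print(name, changes(cur, tgt), unlogged_before_prevent(cur, tgt))
```

A non-empty result from `unlogged_before_prevent` means there are no logged events for that level under the current policy to review before the switch.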

Copyright © 2006 McAfee, Inc. All Rights Reserved.