Searching for related exceptions

An event may be a false positive, which is a legitimate operation that incorrectly appears as an intrusion. For a false positive, you can create an exception that prevents identical events from being logged in the future; however, you may have already created several exceptions for similar events. Instead of creating a new exception, you might be able to edit an existing exception to make it apply to the false positive event. Keeping exceptions organized and few in number makes them easier to manage.

The Search for Related Exceptions feature enables you to search for existing exceptions that match one or more attributes that belong to an event. For example, you can search for exceptions matching the event’s signature or process or both. Alternatively, you can search for exceptions that are already deployed on the agent on which the event occurred or perhaps those applied to the user associated with the event.

To search for a related exception:

  1. Select an event on the IPS Events tab for which you want to find related exceptions, and click Search for Related Exceptions on the toolbar or the shortcut menu.
  2. The Search IPS Exception Rules search criteria dialog box appears with prefilled process, signature, and user information.

  3. Select the checkbox for each criterion you want to apply. You can edit the values by clicking Edit.
  4. Click OK.
  5. The Search IPS Exceptions tab displays the results of the search. See Search IPS Exception Rules for more details on using this search feature.

Copyright © 2006 McAfee, Inc. All Rights Reserved.