Host Intrusion Prevention agents have a database of IPS signature rules that determine whether activity on the client computer is benign or malicious. When malicious activity is detected, alerts known as events are sent to the ePO console and appear in the Host Intrusion Prevention IPS Rules policy.
The protection level set for signatures in the IPS Protection policy determines which action an agent takes when an event occurs. Responses, or reactions, include ignoring, logging, or preventing the activity.
Events that are false positives arising from legitimate activity can be overridden by creating an exception to the signature rule or by qualifying applications as trusted. Agents in Adaptive mode automatically create exceptions, called client rules. Administrators can manually create exceptions at any time.
Monitoring the events that occur and the client exception rules that are created helps determine how to tune the deployment for the best IPS protection.