Exception Rules

Sometimes behavior that an agent would interpret as an attack is actually a normal part of a user’s work routine. The alert that results is called a false positive. To prevent false positives, create an exception for that behavior.

The exceptions feature enables you to weed out false positive alerts, minimizes needless data flowing to the console, and ensures that the alerts you do see represent legitimate security threats.

For example, while testing agents, an agent triggers the Outlook Envelope - Suspicious Executable Mod. signature. This signature indicates that the Outlook e-mail application is attempting to modify an application outside the envelope of resources Outlook normally uses. An event triggered by this signature is therefore cause for alarm: Outlook may be modifying an application not normally associated with e-mail, for example, Notepad.exe, and in that case you might reasonably suspect that a Trojan horse has been planted. But if the process initiating the event is normally responsible for sending e-mail, for example, saving a file with Outlook.exe, you need to create an exception that allows this action.
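The following is an added illustration, not McAfee code and not the product's own rule schema: a small model of how an exception scoped to one signature, one initiating process and one class of target suppresses the routine Outlook event above while leaving the Notepad.exe modification (and unrelated signatures) alerting. The event and rule field names, the glob-style matching, the sample paths and the second signature name are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Hypothetical, simplified event and rule records; field names are assumptions,
# not the IPS product's own schema.

@dataclass(frozen=True)
class IpsEvent:
    signature: str   # name of the signature that fired
    process: str     # full path of the process that initiated the action
    target: str      # file or application the process tried to modify

@dataclass(frozen=True)
class ExceptionRule:
    signature: str                   # an exception is scoped to exactly one signature
    process: Optional[str] = None    # glob on the initiating process path; None = any process
    target: Optional[str] = None     # glob on the modified object; None = any target
    note: str = ""                   # why this behaviour is legitimate (audit trail)

def _glob(pattern: Optional[str], value: str) -> bool:
    """Case-insensitive glob match (Windows paths); a None pattern matches anything."""
    return pattern is None or fnmatchcase(value.lower(), pattern.lower())

def rule_matches(rule: ExceptionRule, event: IpsEvent) -> bool:
    """An exception suppresses an event only if every constraint it carries is satisfied."""
    return (rule.signature == event.signature
            and _glob(rule.process, event.process)
            and _glob(rule.target, event.target))

def is_overly_broad(rule: ExceptionRule) -> bool:
    """True when a rule silences a signature for every process and every target.
    Such a rule switches the signature off entirely instead of excusing one routine."""
    return rule.process is None and rule.target is None

def remaining_alerts(events, rules):
    """Return the events no exception covers, i.e. the ones that should still alert."""
    return [e for e in events if not any(rule_matches(r, e) for r in rules)]

# --- constructed sample data (paths and the second signature name are made up) ---
OUTLOOK_SIG = "Outlook Envelope - Suspicious Executable Mod."
OUTLOOK = r"C:\Program Files\Microsoft Office\Outlook.exe"

SAMPLE_EVENTS = [
    # Outlook saving a message file: part of a normal mail workflow
    IpsEvent(OUTLOOK_SIG, OUTLOOK, r"C:\Users\alice\Documents\quarterly.msg"),
    # Outlook modifying Notepad.exe: the case the signature exists to catch
    IpsEvent(OUTLOOK_SIG, OUTLOOK, r"C:\Windows\Notepad.exe"),
    # unrelated (hypothetical) signature, must be untouched by an Outlook exception
    IpsEvent("Example - Unauthorized Registry Modification", r"C:\Windows\explorer.exe",
             r"HKLM\Software\Example\Run"),
]

SAMPLE_RULES = [
    ExceptionRule(OUTLOOK_SIG, process=r"*\Outlook.exe", target=r"*\Documents\*.msg",
                  note="Outlook saving .msg files into user Documents is routine"),
]

if __name__ == "__main__":
    for e in remaining_alerts(SAMPLE_EVENTS, SAMPLE_RULES):
        print("ALERT:", e.signature, "|", e.process, "->", e.target)
    for r in SAMPLE_RULES:
        if is_overly_broad(r):
            print("WARNING: exception disables the whole signature:", r.signature)
```

The design point is that an exception should name the signature, the process and the target it excuses; `is_overly_broad` flags a rule that carries only the signature, because such a rule does not remove a false positive, it removes the detection.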

You can view a list of exceptions, and create and modify them on the Exceptions tab in the IPS Rules dialog box.

Copyright © 2006 McAfee, Inc. All Rights Reserved.