Adaptive and Learn Mode

To further tune protection settings, Host Intrusion Prevention agents can create client-side exception rules to server-mandated policies that block legitimate activity. The creation of client rules is permitted when agents are placed in Adaptive or Learn Mode. In Adaptive Mode, available for IPS, Firewall, and Application Blocking features, client rules are created without interaction from the user. In Learn Mode, available for Firewall and Application Blocking features, the user must tell the system whether or not to create a client rule.

In both modes, events are first analyzed for the most malicious attacks, such as buffer overflow. If the activity is considered regular and necessary for business, Host Intrusion Prevention agents create client rules to allow operations that would otherwise be blocked. By placing agents in Adaptive or Learn Mode, you can obtain a tuning configuration for them. Host Intrusion Prevention then allows you to take any, all, or none of the client rules and convert them to server-mandated policies. The Adaptive and Learn Modes can be turned off at any time to tighten the system’s intrusion prevention protection.

Often in a large organization, avoiding disruption to business takes priority over security concerns. For example, new applications may need to be installed periodically on some client computers, and you may not have the time or resources to immediately tune them. Host Intrusion Prevention enables you to place specific agents in Adaptive Mode for IPS protection. Those computers will profile a newly installed application and forward the resulting client rules to the server. The administrator can promote these client rules to existing or new policies and apply the policy to other computers to handle the new software.

Copyright © 2006 McAfee, Inc. All Rights Reserved.