ProTip for Host IPS: Adaptive Mode Best Practices

Version 1

    Intel Security recommends the following best practices when you configure Host IPS Adaptive Mode in your environment:

    • Only use Adaptive Mode temporarily on a small number of systems to aid in firewall rules or IPS exception tuning. Choose a representative system or small group of systems (3-5 at most) that represent the functional business units you are creating rules for.

      NOTE: This mode can create a large number of client rules on endpoint systems, and can cause significant overhead for the ePO server while processing excessive firewall client adaptive rules.
    • Run clients in Adaptive Mode for at least a week, but less than a month to account for normal activity. Include times for scheduled activities, such as backups or script processing.
    • Use Adaptive Mode ony during a time when you can commit to reviewing the exceptions and rules that are created. Deactivate adaptive mode if you cannot review the rules to avoid allowing risky activities.
    • Adaptive Mode is useful when you need to create rules for a new application. Turn on adaptive mode briefly to exercise the application, and then promote appropriate rules.
    • Use the automatically created client rules for each exception to define new, more detailed policies, or add the new rules to existing policies, then apply the updated policies to other clients.

      NOTE: Rules created with Adaptive Mode may need to be made less specific after you add them to a policy. For example, you may need to remove a defined "user" parameter so that the new rule works with all user accounts, not just the one in use when the rule was created.
    • When you enable Adaptive Mode, select the policy option to Retain Client Rules. Otherwise, new rules will be deleted after each policy enforcement interval.
      For more information on Adaptive Mode Best Practices, see:  

    For more resources, visit the ServicePortal and search for related content. Also, visit the McAfee Host IPS Community: https://community.mcafee.com/community/business/system/hip.

    McAfee SNS ProTips help you maximize your protection with troubleshooting, best practices, how-to tips, and links to Knowledge Center resources. To unsubscribe from ProTips or change your SNS settings, visit the SNS Subscription Center.