Best practice for initial signature configuration with HIPS?


Hi all,

I am looking at doing the initial configuration of HIPS on a system. A number of the signatures are not applicable to us as, for example, we do not use that version of the OS or that application. Is there any value in taking the time to disable such signatures now, or is HIPS clever enough to realise that such a signature is of no use on a particular client anyway? I read that McAfee say you should disable signatures if you get false positives of them and they are not needed. I am just trying to pre-empt this process.

Are there any performance implications to having signatures on even when not needed?

Regards

Matt

1 Solution

Accepted Solutions

Re: Best practice for initial signature configuration with HIPS?

HIPS is smart enough to determine the OS and not bother with the non-related OS signatures.

You can create an "IPS Options" policy to enable HIPS, and then create your "IPS Protection" policy to just log all High/Medium/Low signatures. That way you can run the IPS in log-only mode so you can review what is being blocked, and start making your Exception Rules from there.

You can go through and disable signatures; right now there are 1087 signatures in my HIPS 8.0 catalog, and 322 are disabled, just to give you an idea.

4 Replies

theglot
Level 10
Message 3 of 5

Re: Best practice for initial signature configuration with HIPS?

Also, a hard lesson learned if you nest policies like I do (System Baseline - Servers - SQL Servers), something we didn't know because our training implied differently: when you modify a signature from the McAfee Default, it becomes a custom signature. Now we should all know that the highest signature in a nested group is what is used, but if you change one of them, say from High to Off, then even though the other two policies have that signature as High, because you changed it in one, that custom Off is now the policy when nested.

theglot
Level 10
Message 4 of 5

Re: Best practice for initial signature configuration with HIPS?

Some other items:

1- If you have many systems built off an image, pick only one to start your logging and later blocking to build your baselines and exceptions.

2- Start with Highs and work your way down.

3- Whenever possible, don't turn on enterprise-wide if you don't have to. Do it in phases.

Re: Best practice for initial signature configuration with HIPS?

Hi Michael,

Thanks for the advice. I have a feeling the 'experts' around here want to do it in a big bang approach that I have long argued will not work and goes against McAfee Best Practice.

That is a problem for another day!

Regards

Matt
