mjw3428
Level 8

Best practice for initial signature configuration with HIPS?


Hi all,

I am looking at doing the initial configuration of HIPS on a system. A number of the signatures are not applicable to us as, for example, we do not use that version of the OS or that application. Is there any value in taking the time to disable such signatures now, or is HIPS clever enough to realise that such a signature is of no use on a particular client anyway? I read that McAfee say you should disable signatures if you get false positives from them and they are not needed. I am just trying to pre-empt this process.

Are there any performance implications to having signatures on even when not needed?

Regards

Matt

1 Solution

Accepted Solutions
fitchsoccer342
Level 13

Re: Best practice for initial signature configuration with HIPS?


HIPS is smart enough to determine the OS and not bother with the non-related OS signatures.

You can create an "IPS Options" policy to enable HIPS, and then create your "IPS Protection" policy to just log all High/Medium/Low signatures. That way you can run the IPS in log-only mode so you can review what would be blocked, and start making your Exception Rules from there.

You can go through and Disable signatures, right now there are 1087 signatures in my HIPS 8.0 catalog, and 322 are disabled, just to give you an idea.

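A way to work through the events collected in the log-only phase described above, as an added example that is not code from this thread or from McAfee. The CSV layout and column names are an assumption (a simplified, constructed export from a single pilot host); real ePO/HIPS event exports use different columns, so the parser is the part to adapt. The script groups events by signature, process and user, orders findings High first, separates recurring groups (exception candidates) from one-offs that need a look, and flags signatures firing from many unrelated processes as candidates for disabling rather than for per-process exceptions. The thresholds and the rule structure are illustrative heuristics, not HIPS semantics.

```python
"""Triage HIPS log-only events into exception candidates and review items.

Added example, not from the original thread or from McAfee. The CSV below is
a constructed, simplified event export; the real export format differs.
"""
import csv
import io
from collections import Counter, defaultdict

# Order in which to work the findings ("start with Highs and work down").
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Information": 3}

# Constructed sample data: a few days of log-only events from one pilot host.
SAMPLE_EVENTS = r"""timestamp,host,signature_id,severity,process,user,action
2012-03-01T08:01:12,SQL01,3700,High,sqlservr.exe,NT AUTHORITY\SYSTEM,Log
2012-03-01T08:01:15,SQL01,3700,High,sqlservr.exe,NT AUTHORITY\SYSTEM,Log
2012-03-01T09:22:40,SQL01,3700,High,sqlservr.exe,NT AUTHORITY\SYSTEM,Log
2012-03-01T10:05:03,SQL01,6010,Medium,backup.exe,CORP\svc_backup,Log
2012-03-02T02:00:01,SQL01,6010,Medium,backup.exe,CORP\svc_backup,Log
2012-03-02T11:45:59,SQL01,1020,High,cmd.exe,CORP\jdoe,Log
2012-03-03T14:12:30,SQL01,3700,High,sqlservr.exe,NT AUTHORITY\SYSTEM,Log
2012-03-03T15:00:00,SQL01,2000,Low,explorer.exe,CORP\jdoe,Log
2012-03-03T15:01:00,SQL01,2000,Low,notepad.exe,CORP\jdoe,Log
2012-03-03T15:02:00,SQL01,2000,Low,svchost.exe,NT AUTHORITY\SYSTEM,Log
"""


def parse_events(text):
    """Parse the (assumed) CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def triage(events, min_hits=2):
    """Group events by (signature, process, user), ordered High first and
    then by frequency. Groups seen at least `min_hits` times are exception
    candidates; the rest go to a review list before any rule is written."""
    groups = Counter((e["signature_id"], e["process"], e["user"]) for e in events)
    severity = {e["signature_id"]: e["severity"] for e in events}

    def order(item):
        (sig, _proc, _user), hits = item
        return (SEVERITY_RANK.get(severity[sig], 99), -hits)

    candidates, review = [], []
    for (sig, proc, user), hits in sorted(groups.items(), key=order):
        entry = {"signature_id": sig, "severity": severity[sig],
                 "process": proc, "user": user, "hits": hits}
        (candidates if hits >= min_hits else review).append(entry)
    return candidates, review


def disable_candidates(events, min_processes=3):
    """Heuristic (an assumption, not a HIPS rule): a signature that fires from
    many unrelated processes is noisy for this role and may be better disabled
    in the policy than patched over with one exception per process."""
    procs = defaultdict(set)
    for e in events:
        procs[e["signature_id"]].add(e["process"])
    return sorted(sig for sig, p in procs.items() if len(p) >= min_processes)


def exception_rule(entry):
    """Render a narrowly scoped exception: one signature, one process, one
    user. The field names are illustrative; map them onto the HIPS exception
    rule fields when creating the rule in ePO."""
    return {"signature_id": entry["signature_id"],
            "process": entry["process"],
            "user": entry["user"]}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    cands, todo = triage(evts)
    for c in cands:
        print("exception candidate:", exception_rule(c), "hits:", c["hits"])
    for r in todo:
        print("review before ruling:", r)
    print("consider disabling:", disable_candidates(evts))
```

Run it against an export from the one pilot host before widening the scope; the exception candidates are the recurring, expected behaviours of that build, and everything on the review list is either an attack, an unexpected process, or a one-off that is not yet worth a rule.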
4 Replies
theglot
Level 7

Re: Best practice for initial signature configuration with HIPS?


Also, a hard lesson learned, if you nest policies like I do (System Baseline - Servers - SQL Servers), something we didn't know because our training implied otherwise: when you modify a signature from the McAfee Default, it becomes a custom signature. Now we should all know that the highest signature setting in a nested group is what is used, but if you change one of them (say from High to Off), then even though the other two policies have that signature as High, because you changed it in one, that custom Off is now the policy when nested.

theglot
Level 7

Re: Best practice for initial signature configuration with HIPS?


Some other items:

1- If you have many systems built off an image, pick only one to start your logging and later blocking, to build your baselines and exceptions.

2- Start with Highs and work your way down.

3- Whenever possible, don't turn on enterprise-wide if you don't have to. Do it in phases.

mjw3428
Level 8

Re: Best practice for initial signature configuration with HIPS?


Hi Michael,

Thanks for the advice. I have a feeling the 'experts' around here want to do it in a big bang approach that I have long argued will not work and goes against McAfee Best Practice.

That is a problem for another day!

Regards

Matt
