ittech

HIPS 8.0 & Adaptive Mode

We have recently deployed HIPS with only logging enabled, but the task of reading through all of the logs (most of which are repetitive) is becoming too time consuming.

Would adaptive mode be a good recommendation here?

Does anyone know of the downsides to Adaptive Mode?

Thanks!

Accepted Solution
McAfee Employee

Re: HIPS 8.0 & Adaptive Mode

Please make sure you are following the Best Practices information in the HIPS 8 Product Guide (Page 11, Section: Best Practices for Quick Success).  Do enable too much protection at one time (particularly with IPS; start with HIGH only, and work down as needed; don't enable all Protection levels, as it will generate a lot of events).  Also read the section titled Activate adaptive mode.

Adaptive mode is meant for learning rules for a short period of time.  Do not leave it on for months at a time, as it could create just too many rules to review and could also cause errors on the ePO server (see KB71607).

PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

Replies
ittech
Re: HIPS 8.0 & Adaptive Mode

Good info!

Thanks for the links

McAfee Employee

Re: HIPS 8.0 & Adaptive Mode


"Do enable too much protection at one time"

Sorry, that should be Do not.

petersimmons
Re: HIPS 8.0 & Adaptive Mode

I can't echo Kary's statement too strongly (the one about not doing too much). The most common mistake is logging too much information. Test the levels within Host IPS individually. Test the High level content. Don't bother with Logging and then staring at the events. Go out and pilot it on actual machines. What you will see is that there are a lot of applications that may be poorly written. Those apps make bad API calls and Host IPS silently drops them. The real life scenario is that the vast majority of these simply aren't needed. Nothing beats actual testing.

In a real life deployment of this product you should expect a maximum of about FIVE (5) exceptions for an entire enterprise across the High and Medium level content. Two of them usually relate to VNC if that is an application you use. Nothing beats a real pilot test.
