I have two questions regarding the McAfee HIPS. I have found these settings and would like to know a few things.
Setting: Retain existing client rules when the policy is enforced - What does this mean? Which policy will be retained?
Setting: Retain Blocked hosts - What does this mean and why?
Retain existing client rules when the policy is enforced - A rule which has been created locally by adaptive mode will not be purged.
Retain Blocked hosts - Goes with IPS and it will not be overwritten by ePO policy when the machine communicates with the ePO console; it will append new blocked hosts.
From the ePO server console help:
Retain blocked hosts
Retain existing client rules when this policy is enforced
When the McAfee Agent enforces the HIPS policy on a system, the client rules (created by Adaptive/Learn mode, or created manually) will be deleted. If Adaptive/Learn mode is enabled, the rule might be recreated, if the policy doesn't cover it.