I am looking for some best practices and guidance on how to set up the HIPS General Trusted Networks policy in ePO.
My first thoughts are to exclude the McAfee MVM scanners we have on our networks, but is it recommended to add more subnets? My concern is that if I add a subnet, I may miss an internal threat against a machine. Valid concern, or no?
Could I at least add known network devices, loopbacks, uplinks, IDFs, etc. to that listing?
Thanks in advance!
The Trusted Networks policy serves a few purposes. Add IPs as needed.
1. If you are using the Firewall, you can create a firewall rule and have it apply to the Trusted object. This would ALLOW/BLOCK traffic to all the IP addresses listed in the Trusted Networks policy. Also, you don't have to use the Trusted object, as you can either list multiple IP addresses/ranges/subnets/etc. or use a HIPS Catalog network in the Firewall rule itself.
2. If you want a blanket Network IPS exception for an IP address (like a Port Scanner, RSD sensor, MVM scanner, etc.), then add the IP address to the policy and enable Trust for IPS.
3. If HIPS TrustedSource is blocking an IP address, then you can add that IP to the Trusted Networks policy as a TrustedSource exclusion.
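The answer above describes the policy as a list of addresses, ranges and subnets, each of which may or may not carry IPS trust. The following script is an added example written for this page, not McAfee code and not anything the thread's participants posted; it models a candidate Trusted Networks list offline so you can see, before pushing the policy, how many hosts would get a blanket Network IPS exception and which sample events that exception would swallow. The entry fields, the sample addresses (MVM scanner, RSD sensor, switch loopbacks, an IDF management VLAN) and the event log are all constructed for illustration; the range syntax `a-b` and the three entry forms are assumptions modelled on the answer's description.

```python
"""Audit a candidate HIPS Trusted Networks policy before it reaches ePO.

Added example for this thread; not McAfee's tooling and not from the poster.
Entries are modelled with an assumed set of fields (name, address, Trust for IPS).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedEntry:
    name: str
    address: str          # "10.0.50.10", "10.20.0.0/24" or "10.255.0.1-10.255.0.16"
    trust_for_ips: bool   # models the "Trust for IPS" checkbox; False = firewall use only


def entry_bounds(entry):
    """Lowest and highest address of an entry as integers (works for v4 and v6)."""
    if "-" in entry.address:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.address.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"{entry.name}: inverted range {entry.address}")
        return int(lo), int(hi)
    # A bare host address becomes a /32 (or /128) network.
    net = ipaddress.ip_network(entry.address, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def covers(entry, ip):
    """True if the entry's address/range/subnet contains ip."""
    lo, hi = entry_bounds(entry)
    return lo <= int(ipaddress.ip_address(ip)) <= hi


def ips_exempt_hosts(policy):
    """Distinct addresses that receive a blanket Network IPS exception.

    Overlapping entries are merged so nothing is double counted."""
    spans = sorted(entry_bounds(e) for e in policy if e.trust_for_ips)
    total, cur = 0, None
    for lo, hi in spans:
        if cur is None or lo > cur[1] + 1:       # gap: close the current run
            if cur is not None:
                total += cur[1] - cur[0] + 1
            cur = [lo, hi]
        else:                                     # overlap or adjacency: extend it
            cur[1] = max(cur[1], hi)
    if cur is not None:
        total += cur[1] - cur[0] + 1
    return total


def wide_ips_exemptions(policy, max_hosts=1):
    """IPS-trusted entries wider than max_hosts: each is a blind spot where a
    compromised host inside the subnet could attack without Network IPS alerting."""
    found = []
    for e in policy:
        lo, hi = entry_bounds(e)
        if e.trust_for_ips and hi - lo + 1 > max_hosts:
            found.append((e.name, hi - lo + 1))
    return found


def triage(policy, events):
    """For each (src_ip, signature) event, report whether Network IPS would still
    alert or whether a Trust-for-IPS entry suppresses it."""
    out = []
    for src, sig in events:
        hits = [e.name for e in policy if e.trust_for_ips and covers(e, src)]
        out.append((src, sig, f"suppressed by {hits[0]}" if hits else "alerted"))
    return out


# Constructed sample policy: scanners get host-level IPS trust, switch loopbacks
# are listed for firewall rules only, and one whole management VLAN is trusted.
POLICY = [
    TrustedEntry("MVM scanner", "10.0.50.10", trust_for_ips=True),
    TrustedEntry("RSD sensor", "10.0.50.11", trust_for_ips=True),
    TrustedEntry("Core switch loopbacks", "10.255.0.1-10.255.0.16", trust_for_ips=False),
    TrustedEntry("IDF management VLAN", "10.20.0.0/24", trust_for_ips=True),
]

# Constructed sample events (source IP, signature name); not real HIPS output.
EVENTS = [
    ("10.0.50.10", "Port Scan"),
    ("10.20.0.77", "SMB exploit attempt"),
    ("10.255.0.3", "Port Scan"),
    ("192.168.9.9", "Port Scan"),
]

if __name__ == "__main__":
    print("hosts exempt from Network IPS:", ips_exempt_hosts(POLICY))
    print("entries wider than one host:", wide_ips_exemptions(POLICY))
    for row in triage(POLICY, EVENTS):
        print(row)
```

Running it on the sample policy shows the trade-off the question raises: the two scanner entries exempt exactly two hosts, but trusting the /24 for IPS exempts 256 addresses, so the "SMB exploit attempt" from 10.20.0.77 is silently suppressed while the same signature from a loopback address still alerts because that entry was added without IPS trust. Listing switches, loopbacks and uplinks with IPS trust left off lets you reference them in firewall rules without widening the IPS blind spot.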