This one is probably an easy one for any HIPS admin. Just wanted to confirm what I think. We have a HIPS policy to block High and Medium, log Low and ignore Informational. We have gotten SQL blocked and IIS a couple of times where SQL was trying to call upon a .NET file or the same with IIS. The event was a warning, but it was blocked. What I think is true is that HIPS is detecting specific vulnerabilities or known behaviors that are malicious and they are detected as High, Medium, Low or Informational, and based on those events you can block, log, or ignore. The warning block I am getting is from application protection where the SQL or IIS service is protecting against "any" calls outside of its own service. So the category "Warning" is unique to application protection and its settings are either allow or warn. Am I right on this explanation?
You might need to call into McAfee Support to verify what you're seeing here. The information you provided is pretty vague, and to try to verify your explanation, I think we might need more details than given.