ePolicy Orchestrator 5.3.1
McAfee Agent 5.x
I have just implemented HIPS in a customer environment in "Adaptive Mode" and my question is as follows:
From the diagram which is attached that shows permitted and blocked events, when I eventually change from "adaptive mode" to "regular protection", what will be the impact on events that it does not know about at the moment, and would I have to add exceptions to the ones I have already got?
Adaptive mode just creates a client side rule to allow that activity, if the signature allows it (signatures that have ALLOW CLIENT RULES enabled in the IPS Rules policy). What determines if the activity gets blocked or not depends on your IPS Protection policy. If you have a Severity set to PREVENT, then all applicable signatures in that severity level will get blocked, if you don't have IPS exceptions for them. If set to LOG, then logged only; no block.
I find that tuning IPS events is easier/better (opinions may vary) if you don't use Adaptive mode, and just review the IPS events to determine if an IPS exception is needed (using the View Host IPS Event Description link in an event, or run Host IPS in LOG mode only vs PREVENT mode if you don't want it blocking anything). You then decide YES or NO to that signature violation. Adaptive makes that YES decision for you and just presents you with the IPS exception to add to your policy, without all the details that reviewing the IPS event will provide.
Thank you very much for the reply, it was a great explanation.
So correct me if I am wrong on a couple of things:
1. If I were to disable adaptive mode now, everything that says blocked will be blocked and everything that says allowed will be allowed, or would I still have to add an exception?
2. To add the exception, would you need to go to Host IPS > Actions > New Exception?
1. Disabling Adaptive mode just disables the learning feature. If you disable the Retain Existing Client Rules option, then all local client rules will be deleted and the activity can be triggered (whether in PREVENT or LOG mode). As long as the client rules are in place, the activity will be allowed (as they are local client-side exceptions).
2. Yes, create new exceptions by adding the client side rule to the policy, or create new exception from an IPS event.
OK great, I will disable the adaptive mode and retain the rules that are already in place.
I will probably get back to you in about 7 days and let you know what happens.
Thanks again, you have been a great help.