I think there is an important feature missing from the product. Long description follows.
I am testing HIPS 8.0 with ePO and I have noticed that when an external intruder triggers an IPS signature (not a network signature) from the Rules policy, it does not block or quarantine the intruder's connection/session, despite the fact that the event is recognised and shown as blocked. However, when a network IPS signature is triggered we have an option to quarantine the intruder, but not the specific connection. The normal and best reaction it should have had (which I am not sure is supported) is:
-If an intruder issues an attack against a web server's URL running HIPS through his browser (forges the URL) and sends a malicious request, the session would be disconnected or reset. At the same time, if the intruder opens another tab in his browser and goes to the web server again, it will enter without any problem. Only the first session should have been reset.
As mentioned, the reaction I see from McAfee HIPS 8.0 is that it only blocks and logs the event. The intruder's specific malicious connection/session is not blocked/reset or quarantined at all.
Is that how it works or am I missing something?
I've got McAfee Agent 5.0, ePO 5.1 and latest McAfee HIPS extension 8.0.
Intrusion blocking only works for Network IPS signatures and Firewall rules marked with "Treat as Intrusion" option.
We'll need more information, but from what I gather, you're talking about a normal HIPS rule firing and blocking. These usually have nothing to do with network connections, therefore they cannot have an effect on such a thing.
Do you have the events or rules on hand?