IPS policy to stop an event or attack without sending alert to epo server

We have a testing group; this group has some computers that are protected by a Host IPS policy with Prevent Critical enabled. This group keeps sending Host IPS events to the ePO 4.6 server. I would like to create a policy that stops this event or attack without sending an alert to the ePO server.

Accepted Solutions

Re: IPS policy to stop an event or attack without sending alert to epo server

I'm not sure if I understand the question, but I will try to answer it:

If events are showing up within ePO in your threat event log or HIPS log, then you need to decide if it is legitimate activity. If it is legitimate, then you will want to create an exception.

To do this, while viewing the event, go to the Actions button at the bottom of the page and select Create Exceptions from the popup list. Another popup will appear, and you need to select the policy that is applied to the test group; it will automatically generate an exception for you. You can then wake up the agents so they get the new policy, or wait for the next policy enforcement.

Another option:

Find out which signature is generating all the traffic, go to the IPS Rules policy in question, find that signature, and disable logging. By doing this, the signature will still be active, but you will not know when it gets triggered. Important Note: this can adversely affect your troubleshooting efforts. Not recommended, but in rare cases it is an option.

Re: IPS policy to stop an event or attack without sending alert to epo server

Hello hbssadmin,

The problem with the first option is that it will not prevent the event, and the second one will disable logging in the client log, but it will still send the event to the ePO server!

thanks
