8 Replies Latest reply on Aug 15, 2011 2:01 PM by lrock

    Automatically display learned application block rules in ePO

      Hi,

      Environment for implementation

      We manage computer labs for a university for different faculties and each lab uses different software. I would like to create a whitelist for each lab.

      What I would like to do.

      I would like to see the applications that are run on the machines in ePO without having to manually put them there. The reason for this is that the labs each have about 40 unique software packages in them and to create rules in ePO for each .exe used would be tedious. Basically, I would like the application blocking policies to self-populate with the applications running on the machines so that I can choose whether they should be blocked or not. Is this possible?

      Message was edited by: zain on 5/21/10 11:53:36 AM GMT+02:00
        • 2. Re: Automatically display learned application block rules in ePO

          I have found the solution for this.


          Create an application block policy to use adaptive mode.

          When the clients use the software, the agent will record its usage and report it to the ePO server.

          Open ePO console | Queries and search for query Client Rules by Process/Port Range or Client Rules by Protocol/Process.

          These queries will show the processes recorded by HIPS and will allow you to add them to the application blocking policies as required.

          • 3. Re: Automatically display learned application block rules in ePO

            If you plan to use Application Blocking there is a better way to view the client rules created.  The query you mentioned will allow you to create FW rules, not AB rules.  In ePO 4.0 if you navigate to Reporting\Host IPS\Application Blocking Client Rules you can view the rules created locally on your clients, and add those to your policy.

            • 4. Re: Automatically display learned application block rules in ePO

              We used general rules that are applied across the board and do not allow clients to set policies for HIPS. In ePO 4.5 + HIPS 8, we are able to create AB rules from the query.

              • 5. Re: Automatically display learned application block rules in ePO

                Get directory outputs via a DIR command from the machines in the environment, then create exceptions based on this output. If you make exceptions based on just the .exe, which is what you get from viewing the applications listed in ePO under app blocking client rules, this is less secure than using an absolute path provided by directory output from the local machine.
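
A way to carry out the inventory step described in the reply above, added here as an example that is not part of the thread: a PowerShell script (in place of a bare DIR) that records every .exe on a lab machine with its absolute path and SHA-256 hash, then flags file names that exist at more than one path, which is the ambiguity a name-only rule cannot resolve. The scan roots in $Roots and the output file name are assumptions to adjust per lab.

```powershell
# Added example, not from the thread: inventory every .exe on a lab machine with
# its absolute path and SHA-256 hash, then flag names that exist at more than one
# path. Assumed placeholders: the scan roots in $Roots and the $OutFile name.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot"),
    [string]$OutFile = "$env:COMPUTERNAME-exe-inventory.csv"
)

# One record per executable; unreadable files are kept but marked so the gap is visible.
$inventory = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.Name
                FullPath = $_.FullName
                SHA256   = if ($hash) { $hash.Hash } else { 'UNREADABLE' }
            }
        }
}

# Per-machine CSV; merge the files from all machines in a lab to build its whitelist.
$inventory | Sort-Object FullPath | Export-Csv -LiteralPath $OutFile -NoTypeInformation

# A rule keyed on the bare file name matches every one of these locations, so each
# location needs its own absolute-path rule, which is the point the reply above makes.
$ambiguous = $inventory |
    Group-Object -Property Name |
    Where-Object { @($_.Group.FullPath | Sort-Object -Unique).Count -gt 1 }

foreach ($g in $ambiguous) {
    Write-Output ("{0}: found at {1} paths" -f $g.Name, $g.Count)
    foreach ($item in $g.Group) {
        Write-Output ("    {0}  {1}" -f $item.SHA256, $item.FullPath)
    }
}
```

Run it once per lab machine and compare the merged CSVs against the Application Blocking Client Rules view in ePO to see which learned entries lack a full path.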

                • 6. Re: Automatically display learned application block rules in ePO
                  lrock

                  I see Zain's suggestion to use AB in adaptive mode, but instead of a machine learning on its own, I'd like our IT group to choose which exes should be allowed or denied.

                  I have enabled AB in Learn mode for our IT group. When an AB HIPS event pops for, let's say, outlook.exe, I click allow and then send events. I see one event uploaded to ePO. I then go to Host IPS AB client rules and do not see the outlook event. I also check the Host IPS Events tab, event type AB events. I see only blocked actions.

                  Should I see allowed events within the Host IPS Events area?

                  When an action is taken from a client in learn mode, should I not be taking that event, selecting create exception, and tying that rule in with the active policy in the group in question? In other words, I'm trying not to add rules for executables such as outlook.exe manually and instead am trying to create rules based off learned events. That way I am allowing the executable from the correct location the exe should be in and not just any executable in any location.

                  ePO 4.5 MR2

                  Any feedback you can provide would be helpful.

                  Thanks

                  • 7. Re: Automatically display learned application block rules in ePO
                    Kary Tankink
                    Should I see allowed events within the Host IPS Events area?

                    For HIPS Application Blocking events, only BLOCKED actions are sent to the ePO server.

                    When an action is taken from a client in learn mode, should I not be taking that event, selecting create exception, and tying that rule in with the active policy in the group in question?

                    Learned Application Blocking client rules are not sent to the ePO server as Events. They are sent via product properties, which requires the McAfee Agent to perform an ASCI (Agent-to-Server Communication Interval) to upload the latest properties to the ePO server. The HIPS Property Translator task will then run automatically every 15 minutes to convert these learned client rules to the HIPS Client Rules you see via the HIPS Reporting menu (IPS, Firewall, Application Blocking Client Rules tabs). Also make sure the McAfee Agent policy is set to send FULL PROPERTIES (KB58949), instead of MINIMAL properties. As the rules are displayed as Client Rules in the ePO console, yes, you can then add these rules to the Application Blocking Rules policy.

                    • 8. Re: Automatically display learned application block rules in ePO
                      lrock

                      Interesting - shall digest and reply more tomorrow. One thing I noticed right off the bat: agent to server comms was set to 60 minutes with minimal properties. Changed to a more frequent interval and to Full properties for the McAfee Agent policy.

                      Thank you very much for the quick feedback.