2 Replies Latest reply on Jun 25, 2010 4:10 AM by WormH013

    HIPS App Blocking

    WormH013

      Hi, I'm quite new to HIPS and would like to seek the experts' guidance.

       

      My organization uses HIPS 7.0.4 and we would like to use the Application Blocking feature to block inappropriate applications such as P2P, yet allow other apps to run smoothly. We also have a software development division so we have to ensure they're not disrupted. I know that it is possible to do this using Adaptive Mode but McAfee mentioned that it's not a good idea to use this mode indefinitely. So my question is, can I use Regular Protection on both Application Creation as well as Hooking and achieve the same result? If I create an allow rule using wildcards (*.*) as application path, will it help?

      Please advise. Thank you.

        • 1. Re: HIPS App Blocking
          Kary Tankink

          In your App Blocking policy, create the rules to block applications that you want. The last rule in your policy should be "Allow *". If you are using *.*, then all applications must match a name.ext format. I have seen applications (the one example I saw was a 3rd party product update) that use executables that do not have an extension and *.* will not match those, and block it. Using just a single * will allow all applications, regardless of extension.

          *NOTE: By putting an Allow * rule at the bottom of your policy, Adaptive/Learn mode will not function after that. Just FYI. In order for Adaptive/Learn mode to function, the application being checked must check the rules and not find a matching rule, which is then matched against the assumed DENY ALL rule at the bottom of the policy (works like the Firewall; if not allowed, then denied).

          Added note about Adaptive/Learn mode: Kary Tankink on 6/24/10 9:59:28 AM CDT
          • 2. Re: HIPS App Blocking
            WormH013

            Thanks a lot, Kary. It really works.
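
Added example, not part of the original thread and not McAfee's code: a small model of the first-match rule evaluation described in reply 1, showing why a trailing `*.*` allow rule leaves extensionless executables to the implicit deny, while a trailing `*` matches everything and leaves nothing for Adaptive/Learn mode to act on. The rule tuples, executable names and glob-style matching through Python's `fnmatch` are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Hypothetical policy model: ordered (action, pattern) rules, first match wins.
# Glob matching via fnmatch is an assumption, not the product's documented matcher.
IMPLICIT_DENY = ("deny", "<implicit deny all>")


def evaluate(rules, exe_name):
    """Return (action, matched_pattern, learnable) for one executable name.

    learnable is True only when no explicit rule matched, which is the case
    reply 1 says Adaptive/Learn mode depends on.
    """
    name = exe_name.lower()
    for action, pattern in rules:
        if fnmatchcase(name, pattern.lower()):
            return action, pattern, False
    return IMPLICIT_DENY[0], IMPLICIT_DENY[1], True


def report(rules, names):
    """Evaluate every name against the policy and return the decisions."""
    return {n: evaluate(rules, n) for n in names}


def learnable_names(rules, names):
    """Names that fall through to the implicit deny (candidates for learning)."""
    return [n for n, (_, _, learn) in report(rules, names).items() if learn]


# Constructed sample data: block rules first, then the catch-all allow rule.
BLOCKS = [("block", "p2pclient.exe"), ("block", "torrent*.exe")]
POLICY_DOT_STAR = BLOCKS + [("allow", "*.*")]   # requires a name.ext format
POLICY_STAR = BLOCKS + [("allow", "*")]         # matches any name
SAMPLES = ["P2PClient.exe", "torrentx.exe", "devenv.exe", "vendorupdate"]

if __name__ == "__main__":
    for label, policy in (("Allow *.*", POLICY_DOT_STAR), ("Allow *", POLICY_STAR)):
        print(label)
        for name, (action, pattern, learn) in report(policy, SAMPLES).items():
            print(f"  {name:15} {action:5} via {pattern!r} learnable={learn}")
```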