I am running McAfee HIPS firewall, and I need to create some rules outgoing/incoming only for the applications that are running or planned to be running on my system. How can I create a pre-defined rule policy for these apps without going into each and every .EXE file name (using Browse) under the Program Files directory? This firewall is very very "noisy" when in Learn Mode when it comes to running each application, and I want to lessen this by creating a rule that can stop these popups before I run these programs. So, I need to create a rule only for the apps that are planned or on my system already and exclude all others trying to penetrate the system.
Of course, I can be running it in Learn Mode the first time and then enabling the regular protection after, but I would then have to run every single program in order for the firewall rules to recognize all of them on which apps to allow. This can take a lot of time though.
So, basically, I want to have the greatest protection when it comes to firewall policies without seeing all of these constant popup alert warnings.
Thanks in advance!
Adaptive mode can help you here. It does the same thing as Learn mode, but doesn't constantly prompt the user to make a decision. Also, see page 14 of the Host IPS Best Practices Guide.
PD20748 - Host Prevention 7.x Adaptive Mode
PD20796 - Adopting Host Intrusion Prevention - Best practices for quick success
Yes... But the huge issue with that is this.
When running Skype for instance, it floods the rule table. And before in Learn Mode, I would get constant alert messages appearing over and over again even if I clicked on ALLOW... I mean it literally had me flooded with alert messages...
So what can I do about these programs such as Skype then? How can I stop these alerts flooding my rule table?
Also, these were from random ports and stuff...
It only does this behaviour when running programs like Skype. I get these constant alert warnings even if I click on ALLOW.
All the rest of the apps don't do this, such as Outlook, Google Earth, etc.
Message was edited by: mcuser999 on 2/28/11 1:17:15 PM CST
Message was edited by: mcuser999 on 2/28/11 1:18:06 PM CST
Add rules for Skype in your fw policy applied to the end nodes and enforce the policy. Learn Mode shouldn't pop up if your system has a rule in your applied policy already.
The reason I mentioned Learn Mode is that that was the way I did it before I learned about Adaptive Mode.
But in Adaptive Mode, it just flooded my rule table.
And I guess this would be the case for phoning applications, since these programs tend to LISTEN out every time, so the FW policy is constantly alerting users of this.
But it's not malware that's trying to "phone out", it's Skype...
Please explain or please post some examples of end nodes.
What rule policy should I have?
I would appreciate some examples on how you would apply it for Skype.
Now, I have >> Permit >> TCP on the following ports >> 1024-65535
Local Service is left with >> ANY for Skype.
Message was edited by: mcuser999 on 2/28/11 1:57:36 PM CST
Send a TCPView (sysinternals.com) snapshot of a working Skype conversation (without the fw) and we'll suggest firewall rules accordingly. Or, you can open a case with HIPS support for further assistance.
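To show what "suggest firewall rules from a TCPView snapshot" can look like in practice, here is an added example (not code from this thread, McAfee or Sysinternals) that turns a constructed, TCPView-style tab-separated export into per-application Permit rules; the process names, ports and addresses in the snapshot are made up, and the rule format is hypothetical, not HIPS syntax.

```python
from collections import defaultdict

# Constructed TCPView-style export: process, PID, proto, local, remote, state. Not real.
SNAPSHOT = """\
Skype.exe\t2044\tTCP\t0.0.0.0:32401\t0.0.0.0:0\tLISTENING
Skype.exe\t2044\tUDP\t0.0.0.0:32401\t*:*\t
Skype.exe\t2044\tTCP\t192.168.1.10:49152\t203.0.113.7:443\tESTABLISHED
Skype.exe\t2044\tTCP\t192.168.1.10:49155\t198.51.100.23:40011\tESTABLISHED
Skype.exe\t2044\tUDP\t192.168.1.10:49160\t*:*\t
OUTLOOK.EXE\t1712\tTCP\t192.168.1.10:49170\t203.0.113.50:443\tESTABLISHED
"""
EPHEMERAL = "1024-65535"  # the outbound range the poster already permits

def parse_snapshot(text):
    """One dict per socket line: proc, proto, lport, rport (None if unknown), state."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, _pid, proto, local, remote, state = (line.split("\t") + [""])[:6]
        lport = int(local.rsplit(":", 1)[1])
        rtail = remote.rsplit(":", 1)[1]
        rport = None if rtail in ("*", "0") else int(rtail)
        rows.append({"proc": proc, "proto": proto, "lport": lport,
                     "rport": rport, "state": state.strip()})
    return rows

def suggest_rules(rows):
    """Map process -> set of (direction, proto, port_spec) covering the snapshot.
    Inbound: TCP listeners plus UDP sockets bound to the same port (one shared
    listen port). Outbound: well-known remote ports stay explicit; peer-to-peer
    remotes on high ports collapse to the ephemeral range."""
    tcp_listen = {(r["proc"], r["lport"]) for r in rows if r["state"] == "LISTENING"}
    rules = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING":
            rules[r["proc"]].add(("in", "TCP", str(r["lport"])))
        elif r["proto"] == "UDP" and r["rport"] is None:
            if (r["proc"], r["lport"]) in tcp_listen:
                rules[r["proc"]].add(("in", "UDP", str(r["lport"])))
            else:  # client-side UDP socket: remote is unknown from a snapshot
                rules[r["proc"]].add(("out", "UDP", EPHEMERAL))
        elif r["rport"] is not None:
            spec = str(r["rport"]) if r["rport"] < 1024 else EPHEMERAL
            rules[r["proc"]].add(("out", r["proto"], spec))
    return dict(rules)

def render(rules):  # one stable, sorted "Permit" line per rule
    return [f"{p}: Permit {d} {proto} {spec}" for p in sorted(rules)
            for d, proto, spec in sorted(rules[p])]
```

Compared with "Permit ANY local and remote services", the rendered list is the narrowest set the snapshot supports; a second snapshot during an inbound call would confirm whether the listen port needs to stay open.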
I created a rule set for Skype with Permit mode for ANY Local and Remote services. That should do it.
Message was edited by: mcuser999 on 2/28/11 11:08:10 PM CST