4 Replies Latest reply on Sep 30, 2011 5:03 PM by petersimmons

    HIPS 8.0 & Adaptive Mode


      We have recently deployed HIPS with only logging enabled, but the task of reading through all of the logs (most of which are repetitive) is becoming too time consuming.


      Would adaptive mode be a good recommendation here?


      Does anyone know of the downsides to Adaptive Mode?



        • 1. Re: HIPS 8.0 & Adaptive Mode
          Kary Tankink

          Please make sure you are following the Best Practices information in the HIPS 8 Product Guide (Page 11, Section: Best Practices for Quick Success).  Do enable too much protection at one time (particularly with IPS; start with HIGH only, and work down as needed; don't enable all Protection levels, as it will generate a lot of events).  Also read the section tilted Activate adaptive mode.


          Adaptive mode is meant for learning rules for a short period of time.  Do not leave it on for months at a times, as it could create just too many rules to review and could also cause errors on the ePO server (see KB71607).


          PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide

          • 2. Re: HIPS 8.0 & Adaptive Mode

            Good info!


            Thanks for the links

            • 3. Re: HIPS 8.0 & Adaptive Mode
              Kary Tankink
              Do enable too much protection at one time

              Sorry, that should be Do not.

              • 4. Re: HIPS 8.0 & Adaptive Mode

                I can't echo Kary's statement too strongly (the one about not doing too much). The most common mistake is logging too much information. Test the levels within Host IPS individually. Test the High level content. Don't bother with Logging and then staring at the events. Go out and pilot it on actual machines. What you will see if that there are a lot of applications that may be poorly written. Those apps make bad API calls and Host IPS silent drops them. The real life scenario is that the vast majority of these simply aren't needed. Nothing beats actual testing.


                In a real life deployment of those product you should expect a maximum of about FIVE (5) excpetions for an entire enterprise across the High and Medium level content. Two of them usually relate to VNC if that is an application you use. Nothing beats a real pilot test.