3 Replies Latest reply: Dec 6, 2012 10:14 AM by Kary Tankink

    Manually creating IPS exclusions

    jason.fraioli

      I am trying to enable application whitelisting and I have some concerns. Is it possible to export the IPS policy, edit the XML manually, and then re-import? It looks as though the <EPOPolicySettings> tag generates a "name" attribute that contains a GUID of some sort. I'm not sure where that GUID is derived, but its existence leads me to believe that manually editing the XML is not going to work. The problem I am trying to solve is how to best achieve application whitelisting without manually creating thousands of entries in an IPS policy.  I could always write a program to automate this for me, but the existence of that GUID in the "name" attribute makes me think that it may not be possible.


      Thoughts?

        • 1. Re: Manually creating IPS exclusions
          Kary Tankink
          Is it possible to export the IPS policy, edit the XML manually, and then re-import?


          Making modifications to an XML policy directly (and re-importing) is not supported by McAfee and could cause policy issues.

          • 2. Re: Manually creating IPS exclusions
            jason.fraioli

            Thanks for the reply, Mr. Tankink. Do you know of a streamlined approach to enter thousands of lines of executables that should be whitelisted (excluded from IPS signatures 6010 and 6011)? I know McAfee has the MCC product, which appears to do just that, but unfortunately it is not available to me... yet. I need to know if there is an easier way to manage application whitelisting via IPS.


            Thanks!

            • 3. Re: Manually creating IPS exclusions
              Kary Tankink

              The only supported method of making rules/exceptions is via the ePO console. In HIPS 8.0, you can use criteria to match a number of executables, rather than each individual executable (e.g., match executables by path with wildcards, or by digital signer information, i.e., "Trust all Microsoft-signed applications"). This would help with not having to enter every single executable name/path in, if you choose to use this functionality.
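The consolidation step Kary describes (collapsing a long executable list into a few signer-based and wildcard-path criteria, which are then entered in the ePO console) is the part that can be prepared offline. The script below is an added example written for this page, not a McAfee tool and not code from either poster; the inventory format ("path|signer" per line), the trusted-signer set and the output rule shape are assumptions for illustration. It emits one rule per trusted signer, one wildcard rule per vendor directory where several untrusted-or-unsigned binaries share a parent, and an explicit per-file rule otherwise, flagging anything under a user-writable location for manual review because a wildcard there would let any dropped binary inherit the exception.

```python
"""Consolidate an executable inventory into a small set of IPS exception
criteria. Hypothetical helper for illustration only; the input format,
the trusted-signer list and the rule dictionaries are assumptions."""
from collections import defaultdict

# Constructed sample inventory: one "path|signer" record per line
# (empty signer = unsigned binary).
SAMPLE_INVENTORY = """\
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|Microsoft Corporation
C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|Microsoft Corporation
C:\\Windows\\System32\\notepad.exe|Microsoft Windows
C:\\Program Files\\Acme\\Reporter\\bin\\report.exe|Acme Ltd
C:\\Program Files\\Acme\\Reporter\\bin\\helper.exe|Acme Ltd
C:\\Program Files\\Acme\\Reporter\\tools\\convert.exe|Acme Ltd
C:\\Tools\\legacy\\unsigned_tool.exe|
C:\\Users\\alice\\Downloads\\setup.exe|
"""

# Signers the administrator is willing to trust wholesale (assumption).
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}

# User-writable locations: never collapse these into a wildcard rule.
RISKY_PREFIXES = ("C:\\Users\\", "C:\\Temp\\", "C:\\Windows\\Temp\\")


def parse_inventory(text):
    """Return a list of (path, signer) tuples from the pipe-separated text."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, signer = line.partition("|")
        entries.append((path.strip(), signer.strip()))
    return entries


def common_dir(paths):
    """Longest common directory prefix (file names excluded) of Windows paths."""
    dirs = [p.split("\\")[:-1] for p in paths]
    prefix = []
    for parts in zip(*dirs):
        if len(set(parts)) == 1:
            prefix.append(parts[0])
        else:
            break
    return "\\".join(prefix)


def build_rules(entries):
    """Collapse entries into signer rules, wildcard path rules and explicit paths."""
    rules = []
    by_signer = defaultdict(list)
    remaining = []
    for path, signer in entries:
        if signer in TRUSTED_SIGNERS:
            by_signer[signer].append(path)
        else:
            remaining.append(path)

    # One signer-based criterion replaces every binary from a trusted signer.
    for signer, paths in sorted(by_signer.items()):
        rules.append({"kind": "signer", "value": signer,
                      "covers": len(paths), "review": False})

    # Group the rest by drive plus two directory levels (the vendor folder).
    groups = defaultdict(list)
    for path in remaining:
        groups["\\".join(path.split("\\")[:3])].append(path)

    for _, paths in sorted(groups.items()):
        base = common_dir(paths)
        deep_enough = len(base.split("\\")) >= 3      # never wildcard a drive root
        risky = base.startswith(RISKY_PREFIXES)
        if len(paths) >= 2 and deep_enough and not risky:
            rules.append({"kind": "path", "value": base + "\\*",
                          "covers": len(paths), "review": False})
        else:
            for p in paths:
                rules.append({"kind": "path", "value": p, "covers": 1,
                              "review": p.startswith(RISKY_PREFIXES)})
    return rules


if __name__ == "__main__":
    for rule in build_rules(parse_inventory(SAMPLE_INVENTORY)):
        flag = "  <- review: user-writable location" if rule["review"] else ""
        print(f'{rule["kind"]:6} {rule["value"]}  (covers {rule["covers"]}){flag}')
```

On the constructed inventory the eight entries collapse to five criteria: two signer rules, one wildcard for the Acme vendor directory, and two explicit paths, one of which is flagged because it sits under a user profile. The grouping depth and trusted-signer set are the knobs to tune; a broader wildcard means fewer entries but a weaker whitelist.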