No one answers my questions . . . . .:(
HIP has 3 main security modules; HostIPS/NetworkIPS, Application Blocking, and Firewall.
When a new Trusted Application is created, HIP Client creates an Application Blocking rule to allow “creation” (launching) of the process(es) associated with the Trusted Application. This is only relevant if Application Blocking is enabled.
If it's marked Trusted for Firewall, HIP Client creates a firewall rule at the top of the Firewall Rules policy that allows all outgoing IP Protocols for the process(es) associated with the Trusted Application. This is only relevant if Firewall is enabled.
If it's marked Trusted for Application Hooking, HIP Client modifies the existing Application Blocking rule (from step 1 above) so that it is also allowed to “hook” (call the API SetWindowsHookEx or create a thread in another process). This is only relevant if Application Hooking is enabled.
If it's marked Trusted for IPS, HIP Client will ignore Host IPS signatures when the associated process(es) are from the Trusted Application. This will only be relevant if Host IPS is enabled. Note: the following signatures will be triggered regardless of whether an application is Trusted for IPS or not: 428, 432, 801, 992, 1000, 1001, 1002, 1020, 1134, 1137.
In all cases, the application matching is path-based (not hash or “fingerprint”).
Although signature 428 is not affected by Trusted Applications, it will only trigger if the associated process is in the Application Protection List.
You can see the added Application Blocking / Hooking rules and the Firewall rules in the Client GUI.
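Because the matching above is path-based, a Trusted Application's binary (or the folder it lives in) that standard users can write to inherits more trust than intended. The script below is an added defender's check, not part of the thread or of the HIP product; the two paths in `$trustedPaths` are constructed placeholders to be replaced with the executable paths from your own Trusted Applications policy.

```powershell
# Added example (not from the original thread): audit the file and parent
# directory of each Trusted Application path for write access granted to
# low-privilege identities. Heuristic only: it reads Allow ACEs and does not
# evaluate Deny ACEs or effective permissions.
$trustedPaths = @(
    'C:\Program Files\ExampleVendor\backup.exe',   # constructed placeholder
    'C:\Tools\updater.exe'                         # constructed placeholder
)

# Identities that should never be able to replace a trusted binary.
$lowPrivIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# Rights that let a caller modify or replace the target (FullControl/Modify
# contain these bits, so they are caught by the bitwise test as well).
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Test-TrustedPathWritable {
    param([string]$Path)
    $findings = @()
    # Check the binary itself and the directory that contains it.
    foreach ($target in @($Path, (Split-Path -Parent $Path))) {
        if (-not (Test-Path -LiteralPath $target)) {
            # A missing trusted path can be created later by whoever can write to its parent.
            $findings += "MISSING: $target"
            continue
        }
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            $isLowPriv   = $lowPrivIdentities -contains $ace.IdentityReference.Value
            $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $grantsWrite) {
                $findings += "WRITABLE: $target grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            }
        }
    }
    return $findings
}

foreach ($p in $trustedPaths) {
    $result = @(Test-TrustedPathWritable -Path $p)
    if ($result.Count -eq 0) { "OK: $p" } else { $result }
}
```

Any `WRITABLE` or `MISSING` line is a Trusted Application entry whose path-based trust is not backed by the file system; tighten the ACL or narrow the policy entry.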
Thanks for the detailed reply. That is interesting. I will have a look at those rule IDs later on. Is there a KB article that references these IDs? I ask as I imagine these will change to include more in the future also.
Just for exesys' response I think this thread might be flagged sticky...