3 Replies Latest reply: Apr 12, 2013 2:12 PM by greatscott RSS

    Exception limitations?


      Is there a stated limitation on how many parameters can be listed in a single IPS exception, or listed as exceptions within the expert subrule of a custom signature? For example, if I were listing excepted .exes within an expert subrule, how many total can I have?

        • 1. Re: Exception limitations?
          Kary Tankink

          There isn't a known limitation on the number of parameters that can be listed, but there is a known ePO limitation (2000) of characters that can be in a subrule.


          Also file paths are limited to 100 characters each.

          • 2. Re: Exception limitations?

            If you have to ask this question, then you are definitely way off the mark on tuning. The most common deployments of the software (Prevent High) require 0-3 exception total. The next most common deployment (Prevent High + Medium) requires 1-6 exceptions. If you find yourself outside these then I would strongly recommend you take a second look at your testing methodology (i.e actual usability vs. events that happen). Actual usability always wins as software will trigger events that can safely be ignored.


            We will attempt to help our customers who have problems but realize that if you find yourself outside those norms about then you might want to start over. There is a whitepaper that was written back around version 6.x that is still true with version 7.x and 8.x. It matches the products design and intended use with the easiest methods to deploy and gain value from the product.


            https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 20000/PD20796/en_US/6-cor-hips-bp-001-0608s_2.pdf


            And several of the default dashboards now in the product were first featured in that whitepaper. They aren't just fancy screenshots.


            We're happy to help but down this path lies madness.

            • 3. Re: Exception limitations?

              hmm, way off the mark on tuning? 0-3 exceptions for a high, and 1-6 exceptions for a medium? that is a pretty generalized statement. if that few exceptions were needed, and you are able to predict it with such accuracy, why isn't HIPS tuned straight out of the box?


              my question wasn't surrounding exceptions for existing mcafee ips signatures, so much as it was for including "exclude" rules within the expert subrule of custom ips signatures. if you are creating custom signatures, it is a pertinent question when dealing with complex subrules.