KB73399 - FAQs for Host Intrusion Prevention 8.0
Client IPS/FAQ - IPS Events
IPS signature events are one of the top call generators for the Host Intrusion Prevention (Host IPS) product. Normally, these inquiries are the result of IPS signature event triggers. In general, Host IPS provides IPS and firewall protection for endpoint systems as one layer of a layered protection strategy. That strategy should also include network gateway firewall/intrusion systems or filtering, endpoint anti-virus, and endpoint anti-malware applications, in addition to Host IPS.
Host IPS signature content protects against known system vulnerabilities and against unknown (zero-day) vulnerabilities. In this context, the zero-day window is the period during which a system remains unpatched against a confirmed vulnerability, before the released security update has been applied to it. Host IPS content includes generic buffer overflow and other generic signature mechanisms to protect systems during this window. However, McAfee recommends that you apply all operating system and application-specific security updates as soon as practical within your environment; doing so also reduces frequent or repeated IPS signature detections.
McAfee advises that you follow a general methodology for reviewing operating system and application-specific security updates, and that you patch systems and applications monthly or on another regular schedule. McAfee also advises that you review each monthly Host IPS signature update and correlate its signatures with the vendor security updates released in the same period. A Host IPS signature that maps directly to a vendor security update can be safely disabled on systems where that update is installed, but only on those systems (for example, through a separate policy assignment or an IPS exception scoped to the updated systems). Review enabled signature content against system patch status monthly to reduce the likelihood of excessive false positives on already updated systems.
Use the following general methodology when assessing IPS signature events:
- Identify the signature number that is being triggered.
- Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
- Review the References CVE description link(s), if any are included in the description information for that signature.
- Identify whether any Microsoft TechNet Security Bulletins are linked for the applicable vulnerability, and whether Microsoft has released security updates that resolve the vulnerability.
- Verify whether the systems reporting the IPS event have the applicable Microsoft Security Updates installed:
- If so, the applicable IPS Signature may be disabled on the systems having the associated Microsoft Security Updates applied.
- If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
- If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
- Identify whether the event triggers correlate to normal business usage or process.
- Identify whether the systems experiencing the event have all of the latest Microsoft Security Updates applied.
- Identify whether the IPS event is specific for a third-party process, such as Adobe or other non-Microsoft application, process, or other tool. If so, review all applicable security updates from the vendor and ensure they are applied on the systems.
- If the signature still triggers after the applicable vendor security update has been applied, treat the event as a false positive and either disable the signature for the updated systems or create an IPS exception for the updated systems to stop further detections. Keep the signature enabled for systems that have not yet received the update.
- If no applicable vendor security update is available, determine whether the affected systems have current anti-virus and anti-malware definitions for McAfee VirusScan or another installed endpoint protection application. Perform a full scan on the affected systems.
- Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.
- Enable Log security violations in the Host IPS policy so that detailed event information is written to HipShield.log. See article KB54473 for information on interpreting IPS security violations in HipShield.log.
- Contact McAfee support for further analysis.
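The decision logic of the methodology above (signature reference, then CVE, then vendor update, then patch state of the reporting host) as an added triage example. This is not McAfee code and not part of the original article: the signature metadata, the KB identifiers and the hotfix listings are constructed, the mapping from a signature's referenced bulletin to KB numbers is assumed to have been done by hand from the IPS Rules policy, and the hotfix input is assumed to be the CSV written by `Get-HotFix | Export-Csv` on the reporting host.

```python
import csv
import io
from dataclasses import dataclass

# Added example, not McAfee code. All signature ids, CVE ids and KB ids below are
# constructed placeholders; the hotfix CSV layout assumes `Get-HotFix | Export-Csv`.


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    cves: tuple   # CVE ids from the signature's References field (may be empty)
    kbs: tuple    # KB ids from the linked bulletins that resolve those CVEs,
                  # already filtered to the reporting host's OS/product (assumed)


@dataclass(frozen=True)
class Decision:
    host: str
    sig_id: int
    action: str   # "patch" | "exception" | "investigate" | "escalate"
    reason: str


def parse_hotfix_csv(text: str) -> set:
    """Turn `Get-HotFix | Export-Csv` output into a set of KB ids.

    Caveat: Get-HotFix reads Win32_QuickFixEngineering, which omits some update
    types, so a KB missing here means "not confirmed", not "definitely absent".
    """
    rows = csv.DictReader(io.StringIO(text))
    return {row["HotFixID"].strip().upper() for row in rows if row.get("HotFixID")}


def triage(sig: Signature, host: str, installed_kbs: set) -> Decision:
    """Apply the article's methodology to one signature event on one host."""
    if not sig.cves:
        # No CVE reference: review event details, normal business usage and
        # third-party vendor updates before touching the signature.
        return Decision(host, sig.sig_id, "investigate",
                        "no CVE reference; review advanced event details, business "
                        "usage and third-party vendor updates")
    if not sig.kbs:
        # CVE known but no vendor fix yet: the signature is the protection.
        return Decision(host, sig.sig_id, "escalate",
                        "no vendor update available; run a full AV scan, confirm "
                        "perimeter controls, enable Log security violations and "
                        "collect HipShield.log for support")
    missing = sorted(kb for kb in sig.kbs if kb.upper() not in installed_kbs)
    if missing:
        return Decision(host, sig.sig_id, "patch",
                        "vendor update not confirmed installed: " + ", ".join(missing))
    # Every referenced update is present, so a repeat detection is a false positive.
    return Decision(host, sig.sig_id, "exception",
                    "all referenced updates installed; create an IPS exception or "
                    "disable the signature for patched hosts only")


def triage_fleet(sig: Signature, hotfix_csv_by_host: dict) -> dict:
    """Triage one signature across several hosts, keyed by host name."""
    return {host: triage(sig, host, parse_hotfix_csv(text))
            for host, text in hotfix_csv_by_host.items()}


# Constructed sample input: one signature and two hosts' hotfix exports.
SAMPLE_SIG = Signature(999901, "constructed example signature",
                       cves=("CVE-0000-0001",), kbs=("KB0000001",))
SAMPLE_HOTFIXES = {
    "WS01": "HotFixID,Description,InstalledOn\n"
            "KB0000001,Security Update,1/1/2020\n"
            "KB0000005,Update,1/1/2020\n",
    "WS02": "HotFixID,Description,InstalledOn\n"
            "KB0000005,Update,1/1/2020\n",
}

if __name__ == "__main__":
    for host, decision in triage_fleet(SAMPLE_SIG, SAMPLE_HOTFIXES).items():
        print(f"{host}: sig {decision.sig_id} -> {decision.action} ({decision.reason})")
```

The "exception" branch deliberately requires every referenced KB to be present: a bulletin usually lists one KB per OS or product, so filter the list to the host's platform before calling `triage`, otherwise a KB for a different OS would keep the host in the "patch" state forever.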
Thanks for the update. I will check whether the end user system is running with the latest security patches and ePO anti-virus.