Think you are using an unorthodox practice.
Do this instead.
Make a new policy rule where 6010 and 6011 are enabled.
In the assignment create a new Policy Instance and add your new rule.
Verify the rules are enabled by using the View Effective Policy function at the assignment.
And finally test, test and test.
Does this mean they're still disabled or is that severity setting not accurate, and things will work as intended?
It's only a UI issue. It's just showing the default state of the signature, not the actual modified state. Make sure you're on the latest extension (HIPS 18.104.22.1682), as this was fixed in one of the more recent versions.
PD23958 - Host Intrusion Prevention 22.214.171.1243 Extension Release Notes
Issue: When an IPS signature is edited to alter the severity, the default severity is retained. (Reference: 722290)
Resolution: The severity level is now correctly modified and displayed.
We started by changing both signatures from Disabled to Medium in the IPS Rules signatures. We block Medium here so we want that effect eventually to block files not in the whitelist.
We then created a single exception with both 6010 and 6011 as the signatures in the rule. We then set the Parameters, New Executable, and put *.*. That let all files run. We then broke the New Executables down to slightly more specific directories like so:
c:\Program files\**\*.exe (this lets all files under program files to run no matter the subdirectory name)
c:\program files (x86)\**\*.exe (same thing but for 64-bit files)
c:\windows\**\*.com (same thing but lets .com files run vs. .exe files)
c:\windows\*.exe (lets files only directly under the c:\windows directory to run, not subdirectories)
After letting that rule run for a week we checked the threat event log for threat names 6010 and 6011 and had a very large list. We're considering using that to build our white and blacklist. In the query you'll be able to see if the file was allowed or not. For example, using the rules above any exe run from c:\temp won't work, so it's blocked. The only downside I found is when a file is blocked the user does not get notified via a pop-up. That might just be an IPS option set wrong, though.
As you can see our rules were very loose. This was to start creating a whitelist without hurting the users. You can break the rules down to single executables, use wildcards, use fingerprints and even certain digital signatures only. Seriously considering allowing, say, all Microsoft-signed files to run, but weighing that against how easy or difficult it is to spoof a signature.
Hope this helps!
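As an added example (not code from any poster in this thread or from the vendor), a small Python matcher that models the New Executable path patterns quoted above, so the allowed/blocked outcome of a candidate path can be checked before the exception goes live. The `**`/`*` semantics are an assumption inferred from the poster's descriptions, not taken from vendor documentation, and the sample paths are constructed.

```python
# Added example, not from any poster in this thread. Assumed pattern semantics
# (inferred from the descriptions above, not from vendor docs): "**" spans any
# number of directory levels (including none), "*" stays within one path
# segment, matching is case-insensitive, and one matching pattern allows the file.
import re

ALLOW_PATTERNS = [
    r"c:\Program files\**\*.exe",
    r"c:\program files (x86)\**\*.exe",
    r"c:\windows\**\*.com",
    r"c:\windows\*.exe",
]

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one HIPS-style path pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):
            parts.append(r"(?:[^\\]+\\)*")   # zero or more directory segments
            i += 3
        elif pattern.startswith("**", i):
            parts.append(r".*")               # trailing "**": anything, any depth
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")           # wildcard limited to one segment
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def is_allowed(path: str, patterns=ALLOW_PATTERNS) -> bool:
    """True if the executable path matches any exception pattern."""
    return any(pattern_to_regex(p).match(path) for p in patterns)

def triage(paths):
    """Split observed paths (e.g. from a 6010/6011 event query) into allowed/blocked."""
    allowed = [p for p in paths if is_allowed(p)]
    blocked = [p for p in paths if not is_allowed(p)]
    return allowed, blocked

# Constructed sample paths, not taken from the thread's event log.
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\Tool\tool.exe",
    r"c:\program files (x86)\app.exe",
    r"c:\windows\notepad.exe",
    r"c:\windows\system32\more.com",
    r"c:\windows\system32\cmd.exe",   # .exe below a subdirectory of c:\windows
    r"c:\temp\installer.exe",         # the poster's example of a blocked file
]
```

Note that under these loose patterns an .exe in a subdirectory of c:\windows is blocked while a .com there is allowed, which is the kind of gap a week of 6010/6011 event review should surface; path-only rules also say nothing about what the file is, which is why the fingerprint and digital-signature options mentioned above matter.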