4 Replies Latest reply on Sep 18, 2014 10:02 AM by mjw3428

    Best practice for initial signature configuration with HIPS?

    mjw3428


      Hi all,


      I am looking at doing the initial configuration of HIPS on a system. A number of the signatures are not applicable to us as, for example, we do not use that version of the OS or that application. Is there any value in taking the time to disable such signatures now, or is HIPS clever enough to realise that such a signature is of no use on a particular client anyway? I read that McAfee say you should disable signatures if you get false positives from them and they are not needed. I am just trying to pre-empt this process.


      Are there any performance implications to having signatures on even when not needed?


      Regards


      Matt

        • 1. Re: Best practice for initial signature configuration with HIPS?
          fitchsoccer342

          HIPS is smart enough to determine the OS and not bother with the non-related OS signatures.


          You can create an "IPS Options" policy to enable HIPS, and then create your "IPS Protection" policy to just log all High/Medium/Low signatures. That way you can run the IPS in log-only mode so you can review what would be blocked, and start making your Exception Rules from there.


          You can go through and disable signatures. Right now there are 1087 signatures in my HIPS 8.0 catalog, and 322 are disabled, just to give you an idea.

          • 2. Re: Best practice for initial signature configuration with HIPS?
            theglot

            Also, a hard lesson learned if you nest policies like I do (System Baseline - Servers - SQL Servers), something we didn't know because our training implied differently: when you modify a signature from the McAfee Default, it becomes a custom signature. Now we should all know that the highest signature setting in a nested group is what is used, but if you change one of them (say from High to Off), then even though the other two policies have that signature as High, because you changed it in one, that custom Off is now the policy when nested.

            • 3. Re: Best practice for initial signature configuration with HIPS?
              theglot

              Some other items:

              1- If you have many systems built off an image, pick only one to start your logging and later blocking, to build your baselines and exceptions.

              2- Start with Highs and work your way down.

              3- Whenever possible, don't turn on enterprise-wide if you don't have to. Do it in phases.

              • 4. Re: Best practice for initial signature configuration with HIPS?
                mjw3428

                Hi Michael,


                Thanks for the advice. I have a feeling the 'experts' around here want to do it in a big bang approach that I have long argued will not work and goes against McAfee Best Practice.


                That is a problem for another day!


                Regards


                Matt