2 Replies Latest reply on Mar 11, 2016 12:23 PM by shakira

    IPS signatures do not block or quarantine intruder's connection (HIPS for ePO)

    vpatsalos

      Hi all,


      I think there is an important feature missing from the product. A long description follows.


      I am testing HIPS 8.0 with ePO and I have noticed that when an external intruder triggers an IPS signature (not a network signature) from the Rules policy, it does not block or quarantine the intruder's connection/session, despite the fact that the event is recognised and shown as blocked. However, when a network IPS signature is triggered we have an option to quarantine the intruder, but not the specific connection. The normal and best reaction it should have had (which I am not sure is supported) is:


      - If an intruder issues an attack against the URL of a web server running HIPS through his browser (forges the URL) and sends a malicious request, the session would be disconnected or reset. At the same time, if the intruder opens another tab in his browser and goes to the web server again, it will enter without any problem. Only the first session should have been reset.


      As mentioned, the reaction I see from McAfee HIPS 8.0 is that it only blocks and logs the event. The intruder's specific malicious connection/session is not blocked, reset or quarantined at all.


      Is that how it works or am I missing something?


      I've got McAfee Agent 5.0, ePO 5.1 and the latest McAfee HIPS 8.0 extension.