4 Replies Latest reply on Apr 11, 2016 4:44 PM by charleslatty

    HIPs events

    charleslatty

      Environment

      HIPs 8.0

      ePolicy Orchestrator 5.3.1

      McAfee Agent 5.x

       

      Hi

       

      I have just implemented HIPs in a customer environment in "Adaptive Mode" and my question is as follows.

      From the diagram which is attached, that shows permitted and blocked events, when I eventually change from "adaptive mode" to "regular protection", what will be the impact on events that it does not know about at the moment, and would I have to add exceptions to the ones I have already got?

       

      Thanks in advance

       

      Spookrider2001

        • 1. Re: HIPs events
          Kary Tankink

          Adaptive mode just creates a client side rule to allow that activity, if the signature allows it (signatures that have ALLOW CLIENT RULES enabled in the IPS Rules policy).  What determines if the activity gets blocked or not depends on your IPS Protection policy. If you have a Severity set to PREVENT, then all applicable signatures in that severity level will get blocked, if you don't have IPS exceptions for them.  If set to LOG, then logged only; no block.

           

          I find that tuning IPS events is easier/better (opinions may vary) if you don't use Adaptive mode, and just review the IPS events to determine if an IPS exception is needed (using the View Host IPS Event Description link in an event, or run Host IPS in LOG mode only vs PREVENT mode if you don't want it blocking anything).  You then decide YES or NO to that signature violation.  Adaptive makes that YES decision for you and just presents you with the IPS exception to add to your policy, without all the details that reviewing the IPS event will provide.

          • 2. Re: HIPs events
            charleslatty

            Hi Kary,

             

            Thank you very much for the reply, it was a great explanation.

             

            So correct me if I am wrong on a couple of things:
            1. If I were to disable adaptive mode now, would everything that says blocked be blocked and everything that says allow be allowed, or would I still have to add an exception?

            2. To add the exception, would you need to go to Host IPS > Actions > New Exception?

             

            Thanks in advance

             

            Spookrider2001

            • 3. Re: HIPs events
              Kary Tankink

              1. Disabling Adaptive mode just disables the learning feature.  If you disable the Retain Existing Client Rules option, then all local client rules will be deleted and the activity can be triggered (whether in PREVENT or LOG mode).  As long as the client rules are in place, the activity will be allowed (as they are local client-side exceptions).

               

              2. Yes, create new exceptions by adding the client side rule to the policy, or create new exception from an IPS event.
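The decision path Kary describes in replies 1 and 3 (client rule from Adaptive mode, then policy IPS exception, then the IPS Protection policy's reaction for the signature's severity) can be modelled to answer the original question: which events change outcome when the policy moves from LOG to PREVENT, and what happens to them when client rules are dropped. The following is an added example written for this thread, not McAfee code and not the product's actual engine; the severity names and the PREVENT/LOG/IGNORE reactions follow the thread, while the event fields, rule matching on signature plus process, and the sample events are constructed assumptions.

```python
"""
Toy model of the Host IPS decision path described in the thread (added
example, not McAfee code). A signature fires; a local client rule created
by Adaptive mode, or a policy IPS exception, allows it; otherwise the IPS
Protection policy's reaction for the signature's severity decides.
Event fields, matching rules and the sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    signature_id: int
    severity: str             # "High", "Medium", "Low" or "Information"
    process: str              # executable that triggered the signature
    allow_client_rules: bool  # "Allow Client Rules" flag on the signature


@dataclass(frozen=True)
class Rule:
    """A client rule or a policy exception: signature + process it allows."""
    signature_id: int
    process: str              # "*" matches any process (assumed matcher)

    def matches(self, ev: Event) -> bool:
        return self.signature_id == ev.signature_id and self.process in ("*", ev.process)


# IPS Protection policy: reaction per severity level (constructed policies).
LOG_ONLY = {"High": "LOG", "Medium": "LOG", "Low": "LOG", "Information": "IGNORE"}
PREVENT_HIGH_MED = {"High": "PREVENT", "Medium": "PREVENT", "Low": "LOG", "Information": "IGNORE"}


def adaptive_learn(events: List[Event]) -> List[Rule]:
    """Adaptive mode: create a client rule for every triggered signature that
    permits client rules. Signatures with the flag off are never learned."""
    learned = {Rule(ev.signature_id, ev.process) for ev in events if ev.allow_client_rules}
    return sorted(learned, key=lambda r: (r.signature_id, r.process))


def leave_adaptive(client_rules: List[Rule], retain_existing: bool) -> List[Rule]:
    """Turning Adaptive mode off only stops learning; the client rules survive
    unless 'Retain Existing Client Rules' is also switched off."""
    return list(client_rules) if retain_existing else []


def decide(ev: Event, policy: Dict[str, str], exceptions: List[Rule],
           client_rules: List[Rule]) -> str:
    """Outcome for one event, in precedence order."""
    if any(r.matches(ev) for r in client_rules):
        return "ALLOW:client-rule"
    if any(r.matches(ev) for r in exceptions):
        return "ALLOW:exception"
    return {"PREVENT": "BLOCK", "LOG": "LOG", "IGNORE": "IGNORE"}[policy[ev.severity]]


def switch_impact(events: List[Event], old_policy: Dict[str, str],
                  new_policy: Dict[str, str], exceptions: List[Rule],
                  client_rules: List[Rule]) -> Dict[tuple, tuple]:
    """Events whose outcome changes with the policy switch: the thread's
    question. Returns {(signature_id, process): (before, after)}."""
    changed = {}
    for ev in events:
        before = decide(ev, old_policy, exceptions, client_rules)
        after = decide(ev, new_policy, exceptions, client_rules)
        if before != after:
            changed[(ev.signature_id, ev.process)] = (before, after)
    return changed


# Constructed sample: events seen while in Adaptive mode (not real ePO data).
SAMPLE_EVENTS = [
    Event(1001, "High", "backup.exe", True),
    Event(1001, "High", "backup.exe", True),
    Event(2002, "Medium", "updater.exe", True),
    Event(3003, "High", "unknown.exe", False),   # signature forbids client rules
    Event(4004, "Low", "tool.exe", True),
]


if __name__ == "__main__":
    rules = adaptive_learn(SAMPLE_EVENTS)
    print("learned client rules:", rules)
    print("LOG -> PREVENT, client rules retained:",
          switch_impact(SAMPLE_EVENTS, LOG_ONLY, PREVENT_HIGH_MED, [], rules))
    print("LOG -> PREVENT, client rules dropped:",
          switch_impact(SAMPLE_EVENTS, LOG_ONLY, PREVENT_HIGH_MED, [],
                        leave_adaptive(rules, retain_existing=False)))
```

Run stand-alone, the model shows the two points in the replies: signature 3003, which does not allow client rules, was never learned and flips from LOG to BLOCK the moment High is set to PREVENT, while the learned rules keep allowing 1001, 2002 and 4004 only for as long as Retain Existing Client Rules is on; drop them and those signatures need policy exceptions (a `Rule(1001, "*")` in `exceptions`) to stay allowed.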

              • 4. Re: HIPs events
                charleslatty

                Hi,

                 

                OK great, I will disable the adaptive mode and retain the rules that are already in place.

                 

                I will probably get back to you in about 7 days and let you know what happens.

                 

                Thanks again, you have been a great help.

                 

                Thanks in advance

                 

                spookrider2001