The main function of McAfee Host Intrusion Prevention is to protect systems against known and unknown attacks. This is often achieved without an update to the software, by use of patented buffer overflow and other behavioral protection. It has the additional benefit of reducing the urgency and frequency of patching by protecting vulnerabilities from exploit even before a patch has been applied. Consider the time spent on patching within your organization. By deploying Host IPS, many of those vulnerabilities would be protected from exploit, allowing you to patch on a more reasonable schedule. For example, McAfee Host IPS protected against 60% of all exploits against Microsoft vulnerabilities, and nearly 75% of all exploits against Adobe vulnerabilities, disclosed between 2006 and 2011. Also consider the Host IPS ability to protect systems against exploit on those occasions when a new vulnerability exists but the corresponding patch is not yet available.
Please note that McAfee Host IPS has two main components: kernel-level IPS protection and a firewall. During the installation, HIPS is automatically "checked in", meaning downloaded into the software repository. Installation onto endpoints is then done by selecting a group (e.g., laptops) and assigning the client deployment task to it.
Enable Host IPS (HIPS) and apply protection levels
For the initial stages of this evaluation, you will first enable Host IPS on a group of computers of your choice. Then assign a policy that instructs Host IPS to block high-severity events and log medium- and low-severity events. Blocking on high-severity events is a minimum if you plan to use attack tools to test the product's effectiveness, and it is combined here with logging of medium- and low-severity events. A policy like this, rather than one that only logs events, is also what is commonly deployed in live environments.
Enabling Host IPS
Follow these steps to assign a policy that enables Host IPS on your client systems.
Setting Protection Level
Follow these steps to assign a policy that blocks high-severity events and logs any medium- and low-severity events. Logging provides detailed advance knowledge of which signatures may require exclusions before you enforce blocking on medium-severity events, thus guiding accurate policy tuning. Later, one can elevate select low-severity signatures to medium if desired, rather than keeping all low-severity signatures active.
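The tuning step described above (review what fired in log-only mode before switching medium severity to block) is easier with a small triage pass over the logged events. The following is an added example, not McAfee's own tooling and not the ePO event export format: the event records, their field layout, the signature numbers and the host names are all constructed for illustration, and the thresholds used to label a signature an "exclusion candidate" (fires on a single process path across at least `min_hosts` hosts) are an assumption of this example, not a vendor recommendation.

```python
"""Triage logged Host IPS events before tightening a block/log policy.

Added example with a constructed record layout; it does not parse any real
McAfee/ePO export. Each record is (host, signature_id, severity, process, action).
"""
from collections import defaultdict

# Constructed sample events, as they might look after a week of running
# the "block High, log Medium and Low" policy on a small laptop group.
SAMPLE_EVENTS = [
    ("LAPTOP-01", 6010, "High",   r"C:\Users\a\Downloads\dropper.exe",          "Blocked"),
    ("LAPTOP-01", 3700, "Medium", r"C:\Program Files\LOB\updater.exe",          "Logged"),
    ("LAPTOP-02", 3700, "Medium", r"C:\Program Files\LOB\updater.exe",          "Logged"),
    ("LAPTOP-03", 3700, "Medium", r"C:\Program Files\LOB\updater.exe",          "Logged"),
    ("LAPTOP-04", 3700, "Medium", r"C:\Program Files\LOB\updater.exe",          "Logged"),
    ("LAPTOP-02", 1024, "Medium", r"C:\Users\b\AppData\Local\Temp\setup.tmp",   "Logged"),
    ("LAPTOP-01", 2010, "Low",    r"C:\Windows\System32\svchost.exe",           "Logged"),
    ("LAPTOP-02", 2010, "Low",    r"C:\Windows\System32\svchost.exe",           "Logged"),
    ("LAPTOP-03", 2011, "Low",    r"C:\Windows\System32\cmd.exe",               "Logged"),
]


def summarize(events):
    """Group events by (signature_id, severity) and collect hosts/processes hit."""
    summary = defaultdict(lambda: {"hosts": set(), "processes": set(), "count": 0, "blocked": 0})
    for host, sig, sev, proc, action in events:
        entry = summary[(sig, sev)]
        entry["hosts"].add(host)
        entry["processes"].add(proc)
        entry["count"] += 1
        if action == "Blocked":
            entry["blocked"] += 1
    return dict(summary)


def classify(summary, min_hosts=3):
    """Sort signatures into tuning buckets.

    Heuristic (an assumption of this example): a Medium signature that fires on
    one process path across many hosts is usually a line-of-business false
    positive and needs an exclusion before Medium is switched to Block; other
    Medium signatures go to analyst review. Low signatures are listed with their
    spread so a few can be elevated to Medium instead of keeping all of them on.
    """
    buckets = {"blocked_high": [], "exclusion_candidates": [], "review": [], "low_spread": []}
    for (sig, sev), entry in sorted(summary.items()):
        n_hosts, n_procs = len(entry["hosts"]), len(entry["processes"])
        if sev == "High":
            buckets["blocked_high"].append((sig, entry["blocked"], n_hosts))
        elif sev == "Medium":
            if n_hosts >= min_hosts and n_procs == 1:
                buckets["exclusion_candidates"].append((sig, next(iter(entry["processes"])), n_hosts))
            else:
                buckets["review"].append((sig, n_hosts, n_procs))
        elif sev == "Low":
            buckets["low_spread"].append((sig, n_hosts, n_procs))
    return buckets


def report(events, min_hosts=3):
    """Print a short tuning report for the given events."""
    buckets = classify(summarize(events), min_hosts)
    print("High-severity signatures (blocked count, hosts):", buckets["blocked_high"])
    print("Exclusion candidates before enabling Block on Medium:")
    for sig, proc, n in buckets["exclusion_candidates"]:
        print(f"  sig {sig}: {proc} on {n} hosts")
    print("Medium signatures needing analyst review (sig, hosts, distinct processes):", buckets["review"])
    print("Low signatures and their spread (sig, hosts, distinct processes):", buckets["low_spread"])
    return buckets


if __name__ == "__main__":
    report(SAMPLE_EVENTS)
```

Run it as-is to see the constructed data triaged; in practice you would replace `SAMPLE_EVENTS` with records pulled from your own event console and adjust `min_hosts` to the size of the pilot group.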