Use the following information to ensure that the correct severity and reaction for a signature are applied correctly to the client:
- Enable IPS logging (ALL) on the client.
- Trigger a signature.
- Click Start, Run, type File Explorer, and click OK.
- Open the appropriate log file for the specific version of Host IPS running:
  - For Host Intrusion Prevention 8.0, open HipShield.log, located in: ...\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention
- Search for Violation. The following is an example for a trigger on signature 1001:
08-17 10:44:17 [01228] VIOLATION: [10] ------- Violation Logged ---- Size 583 ----
<Event> <!-- Level=High, Reaction=Prevent -->
<EventData
SignatureID="1001"
SignatureName="Windows Agent Shielding - File Modification"
SeverityLevel="4"
Reaction="3"
ProcessUserName="Local\System"
Process="C:\Program Files\Network Associates\VirusScan\Mcshield.exe"
IncidentTime="2006-08-17 10:44:17"
AllowEx="False"
SigRuleClass="Files"
SigRuleDirective="read,attribute"/>
<Params>
<Param name="Workstation Name">Local</Param>
<Param name="files">C:\Program Files\McAfee\Host Intrusion Prevention\eng\isapi\IsapiStub.dll</Param>
</Params>
</Event>
<------------------------------
Explanation of Signature information
SeverityLevel=4 (HIGH)
Reaction=3 (PREVENT)
If these values are not correct for that signature, check whether the signature policy was changed for the end node, or whether the node is not inheriting policy from the site level.
SeverityLevel maps to the current Severity level assigned for that signature:
4 - HIGH
3 - MEDIUM
2 - LOW
1 - INFORMATION
0 - DISABLED
Reaction values map to their current protection policy for events:
10 - CREATE EXCEPTION (when Host IPS Adaptive mode is enabled)
3 - PREVENT
2 - LOG
1 - IGNORE (when set to 1, nothing is written to HipShield.log for that signature)
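As an added example (not part of the original article or of McAfee's tooling), the following Python script parses VIOLATION records in the HipShield.log layout shown above, maps the numeric SeverityLevel and Reaction codes to the names in the tables, and reports any event whose values differ from the expected policy for that signature. The log text is a constructed sample; the second record is made up and deliberately does not match policy.

```python
import re

# SeverityLevel and Reaction codes as documented for HipShield.log.
SEVERITY = {4: "HIGH", 3: "MEDIUM", 2: "LOW", 1: "INFORMATION", 0: "DISABLED"}
REACTION = {10: "CREATE EXCEPTION", 3: "PREVENT", 2: "LOG", 1: "IGNORE"}

# Constructed sample: two VIOLATION records in the HipShield.log layout shown
# above; the second is made up and deliberately does not match policy.
SAMPLE_LOG = r"""
08-17 10:44:17 [01228] VIOLATION: [10] ------- Violation Logged ---- Size 583 ----
<Event> <!-- Level=High, Reaction=Prevent -->
<EventData
SignatureID="1001"
SeverityLevel="4"
Reaction="3"
Process="C:\Program Files\Network Associates\VirusScan\Mcshield.exe"/>
</Event>
<------------------------------
08-17 10:45:02 [01228] VIOLATION: [10] ------- Violation Logged ---- Size 410 ----
<Event> <!-- Level=Medium, Reaction=Log -->
<EventData
SignatureID="1001"
SeverityLevel="3"
Reaction="2"/>
</Event>
<------------------------------
"""

EVENT_RE = re.compile(r"<EventData\s+(.*?)/>", re.S)  # one EventData element
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')              # name="value" pairs

def parse_violations(text):
    """Return one dict per <EventData .../> block, codes mapped to names."""
    events = []
    for m in EVENT_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        sev = int(attrs.get("SeverityLevel", -1))
        rea = int(attrs.get("Reaction", -1))
        events.append({
            "signature": attrs.get("SignatureID"),
            "severity": SEVERITY.get(sev, "UNKNOWN(%d)" % sev),
            "reaction": REACTION.get(rea, "UNKNOWN(%d)" % rea),
        })
    return events

def check_policy(events, expected):
    """List (signature, severity, reaction) for events that differ from expected."""
    return [(e["signature"], e["severity"], e["reaction"]) for e in events
            if e["signature"] in expected
            and (e["severity"], e["reaction"]) != expected[e["signature"]]]
```

Because a Reaction of 1 (IGNORE) writes nothing to the log, an absent record for a signature you triggered is itself a finding, and this script can only report events that were actually logged.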