McAfee recommends that you test new operating system Service Pack (SP) installations on Host IPS clients in Log mode in a non-production test area. Monitor these tests for any security events. After testing, create any appropriate exceptions if required. Or, enable IPS in Adaptive mode, which creates an IPS exception if it is required during the SP install.
- Apply the appropriate exceptions to your named policy for Host IPS before you install the operating system update in your production environment.
- Apply the exceptions to the Host IPS policy before you install an operating system patch or SP. Add the exception while the Host IPS client has IPS enabled and runs in Prevent High severity reaction mode.
The syntax for applying the exceptions must be defined as drive:\*\i386\update\update.exe
NOTE: The * wildcard is for the dynamically created parent folder. For example: d:\813959b0c311cb6685d\i386\update\update.exe.
Steps to perform before you apply an operating system patch or SP to a Host IPS client running in Prevent High severity reaction mode:
-
Identify any events that might be triggered. To identify such events, apply the operating system
patch or SP on a selected test computer in
Warning mode.
-
Create appropriate exceptions and retest. This action helps you ensure that no other signatures are triggered.
-
Apply exceptions to production Host IPS clients before rolling out
patch updates.
For Host IPS 8.0, the new option
Startup IPS protection enabled might interfere with the completion of SP updates during system restarts. If you experience this issue, disable this option before you restart after you apply updates:
Startup IPS protection enabled — Select this option to apply a hard-coded set of file and registry protection rules until the Host IPS service has started on the client.
For more information about the feature, see
Host Intrusion Prevention 8.0 Product Guide.
