Server Settings — Adaptive Threat Protection page

Check the rules for each security level used in policies, and the order in which they run.

Adaptive Threat Protection settings apply to Windows and macOS systems only.

When creating policies for the module, you choose the appropriate security level to balance the rules for particular types of systems.

  • Productivity — Systems that change frequently, often installing and uninstalling software and receiving frequent updates. Examples of these systems are computers used in development environments. Fewer rules are used with this level, and users see minimum blocking and prompting when new files are detected.
  • Balanced — Typical business systems with infrequent new software and changes. More rules are used for this level, and users see more blocking and prompting.
  • Security — IT-managed systems with tight control and little change. Examples of these systems are computers for financial or government institutions and servers. The maximum number of rules is used for this level, and users see even more blocking and prompting.

The default rules applied to each security level are a good starting point. As the module and server run in your environment, you can observe the optional rules for each security level, then disable or enable them as needed. You can't change the mandatory rules for each security level.

If you manage clients running Adaptive Threat Protection and the Threat Intelligence Exchange module for Endpoint Security or Threat Prevention from the same McAfee ePO server, the rules displayed in the Server Settings page depend on the content checked in to the Master Repository. If the AMCore Content Package is checked in, Adaptive Threat Protection displays rules from that package. Otherwise, Adaptive Threat Protection displays rules from the Threat Intelligence Exchange module Content. If neither is present in the Master Repository, the Server Settings page for Adaptive Threat Protection is blank. Adaptive Threat Protection displays rules from only one content source.

Note: If an update to Threat Intelligence Exchange module Content includes changes to rules, those changes don't appear in Server Settings (and can't be edited) until AMCore Content Package is updated with those changes.

Option: Definition

Operating system (Windows & macOS only): Selects the operating system to display the rules for.
  • Windows — Displays rules that apply to Windows systems.
  • macOS — Displays rules that apply to macOS systems.
Preset: Selects which rules to display.
Show selected rows: Lists only rules that are selected.
List of rules: Lists the rules included in the selected security level.
  • Execution Order — The order of the rules that run.
  • Rule ID — Unique identifier for the rule.
  • Rule Name — Name of the rule.
  • State:

    Enabled — The rule is enabled and being used to match reputations.

    Disabled — The rule is disabled.

    Observe — If the rule is triggered, observation events, such as Would Block and Would Clean, are generated. The rule is informational only — it doesn't impact the reputation of the application.

    If the rule is not Mandatory, you can change the State.

  • Mandatory — A read-only value that indicates whether the rule is required (True) or not (False).
  • Deprecated — A read-only value that indicates that the user has changed the state of the rule, but it is not in the current content package. Once the user reverts the rule to its original state, the rule no longer appears in the list.
  • Target Reputation — A read-only value that indicates that, if the rule can make a reputation determination, the rule returns the specific reputation or one of these other values:

    Various — The rule returns a result based on the particular reputation that is provided as input to that rule. For example, for McAfee GTI rules, the reputation returned is the actual value of the McAfee GTI reputation.

    Not Applicable — Indicates that the rule is used by other rules to gather data.

Actions: Lists the actions that are available for a selected rule:
  • Remove Deprecated Rule(s) — Remove the selected deprecated rule.
  • Set Rule(s) to Disabled — Disable the selected rule. (Non-Mandatory rules only)
  • Set Rule(s) to Enabled — Enable the selected rule. (Non-Mandatory rules only)
  • Set Rule(s) to Observe — Run the rule and collect the data, but don't act on it. You can see what would be blocked or allowed if you set the rule to Enabled. (Non-Mandatory rules only)