Effective policy tuning practices

All Network Security Sensors (Sensors) on initial deployment, have the ' Default Prevention' policy loaded on all interfaces. McAfee recommends that you use the Default Prevention policy as a starting point, then customize the policies based on your organization's requirements. The customized policies can be either cloned versions of the default pre-configured policies or custom-built policies that employ custom rule sets. An appropriately tuned policy will reduce false positives.

Though each network environment has unique characteristics, the following best practices can make tuning more efficient and effective.

Note: As you interact with Network Security Platform policies, you encounter the term "attack", not "signature." Network Security Platform defines an attack as being comprised of one or more signatures, thresholds, anomaly profiles, or correlation rules, where each method is used to detect an attempt to exploit a particular vulnerability in a system. These signatures and checks may contain very specific means for identifying a specific known exploit of the vulnerability, or more generic detection methods that aid in detecting unknown exploits for the vulnerability.