FramePkg

Host IPS Custom Rule

29/4/2015

In addition to the default rules from McAfee, you can create your own custom rules.
The rules can be for application control, file control, registry control, etc.
These rules can be helpful during a malware outbreak: they can help prevent the spread of malware, or control the use of any file or program.

To create a custom rule to prevent FILE operations (Create, Write, Execute, Read, etc.):

Name: <insert name>
Rule type: Files
Operations: Create, Execute, Read, Write
Parameters: path/file name
Note: The file name must include a path. If you wish to wildcard the path, begin the filename with **\ or, if you wish to wildcard the drive letter, with ?:\ (for example: **\filename.exe or ?:\filename.exe).
You cannot use MD5 hashes with the "Files" parameter: path/filename only.
Drive type can also be used to limit the path to a specific drive type (for example, hard drive, CD-ROM, USB, network, floppy).
Executables: Can be left blank, unless you want to limit the signature to specific processes that perform the file operation (for example, explorer.exe, cmd.exe, etc.).
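
Before moving a Files rule to prevent mode, it helps to check which paths its pattern would actually cover. The script below is an added example, not McAfee code and not part of the original post: it translates a path pattern into a regular expression and runs it over a list of constructed sample paths. The function names are hypothetical, and two behaviours are assumptions: matching is case-insensitive, and a single * stays inside one folder level (the post itself only describes **\ and ?:\).

```python
import re


def hips_pattern_to_regex(pattern):
    """Translate a Files-rule path pattern into an anchored regex.

    '**' : any run of characters, path separators included (wildcards the path)
    '?'  : exactly one character (e.g. the drive letter in ?:\\)
    '*'  : ASSUMPTION, any run of characters inside a single path component
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\/]*")
            i += 1
        elif pattern[i] == "?":
            out.append(".")
            i += 1
        else:
            # Everything else (backslashes, dots, spaces) is literal.
            out.append(re.escape(pattern[i]))
            i += 1
    # ASSUMPTION: Windows paths are compared case-insensitively.
    return re.compile("".join(out), re.IGNORECASE)


def matching_paths(pattern, paths):
    """Return the paths (in input order) that the whole pattern matches."""
    rx = hips_pattern_to_regex(pattern)
    return [p for p in paths if rx.fullmatch(p)]


# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\filename.exe",
    r"D:\filename.exe",
    r"C:\Temp\filename.exe",
    r"C:\Temp\notfilename.exe",
    r"\\fileserver\share\tools\FILENAME.EXE",
]

if __name__ == "__main__":
    for pat in (r"**\filename.exe", r"?:\filename.exe", r"C:\*\filename.exe"):
        print(pat)
        for hit in matching_paths(pat, SAMPLE_PATHS):
            print("    covers:", hit)
```

The **\ form covers the file in any folder on any drive or share, while ?:\ only covers the copy in the root of a drive, so the two patterns from the note are not interchangeable.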

To create a custom rule to prevent PROGRAM operations:

Name: <insert name>
Rule type: Program
Operations: Run target executable
Parameters: <leave blank>
Executables: Can be left blank, unless you wish to limit the signature to a specific process as the source executable (for example, if you want to block explorer.exe from running a Target Executable such as notepad.exe).
Target Executables: Define the executable properties for which you want to prevent execution (for example, if you want to block Notepad.exe from running, specify the path/filename of the executable). The executable can be defined using one or more of the criteria (File Description, File Name, Fingerprint, Signer).

McAfee HIPS Update

29/4/2015

McAfee HIPS updates do not work like those of other solutions: all HIPS updates are disabled by default.

The manager of the ePO system needs to monitor and check all new rule updates in log status and, after checking the new rules, move them to prevent mode.

McAfee Host IPS 8.0 ClientControl.exe Utility

20/4/2015

This command-line utility helps automate upgrades and other maintenance tasks when third-party software is used to deploy Host Intrusion Prevention on client computers.

The utility is installed as part of Host IPS 8.0 and is no longer a separate download. 


This utility allows administrators to perform the following on the McAfee Host IPS client:
  • Start the HIPS service.
  • Stop the HIPS service (requires administrator or time-based password). 
  • Change log settings (requires administrator or time-based password).
  • Start/stop the HIPS engines (requires administrator or time-based password).
  • Export the activity log to a formatted text file.
  • Export the HIPS policy to a text file.
  • Reset the HIPS configuration to default (requires administrator or time-based password).
  • Display the NaiLite license data residing in the registry on the client computer.
  • Export the IPS boot-time policy to a text file.
  • Display application information (i.e. path, signer, fingerprint, and description) for an arbitrary application.
  • Enable/disable FireCore’s (NDIS) pass-through mode.
  • Export the hash from a file.

The utility records its activities to ClientControl.log at:
C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention (Windows platforms other than Vista)
C:\ProgramData\McAfee\Host Intrusion Prevention (Windows Vista platforms)

To export the hash from a file, run the command:

C:\Program Files\McAfee\Host Intrusion Prevention> ClientControl.exe /execinfo "path\filename"


