McAfee SAV85E - Active VirusScan - PC User Manual, Page 12

White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
“Block read and write access to all shares”
Intention: This rule is intended for use when a share-hopping worm is known to be in the wild and
actively spreading. In environments that prohibit file sharing, these rules can enforce that policy, as they
prevent write access, or all access, from remote computers to the protected one.
Risks: This is a very powerful rule. System roles need to be assessed before the rule is enabled. In a
typical environment, it is likely that this rule will be suitable for workstations and unsuitable for servers.
It is intended to block viruses that will severely limit the use of the computer or network, and it is only
useful when computers are actively under attack. In addition to potentially affecting the day-to-day use
of computers, these rules can also affect the way that they are managed. If computers are managed by
pushing files to them, this rule will prevent updates or patches from being installed.
ID and name in Host IPS:
There is no corresponding signature in Host IPS.
Common Standard Protection
The rules in this category are intended to block viruses, adware, spyware, etc., with rules that shouldn’t
need much modification.
“Prevent modification of McAfee files and settings”
Intention: Many viruses and Trojans attack anti-virus products. This rule, in addition to VSE’s
self-protection features, protects VirusScan registry values and processes from being altered or deleted by
malicious code.
Risks: This rule protects the McAfee security product from modification by any process not listed in
the policy’s exclusion list. Many Trojans and viruses will attempt to terminate or even delete security
products. If you use custom or third-party deployment and update tools to install or update VSE, add
the process that alters McAfee settings to the exclusion list. Not doing so may cause the installation or
update to fail. It is recommended that you utilize McAfee ePO to deploy and update VSE.
Included processes: all
Excluded processes: Installers, McAfee processes
ID and name in Host IPS:
3898, Access Protection—Prevent modification of McAfee files and settings.
“Prevent modification of McAfee Agent files and settings”
Intention: This rule provides the same coverage as the above rule, except that it specifically protects the
McAfee Agent that is deployed by McAfee ePO.
ID and name in Host IPS:
3899, Access Protection—Prevent modification of McAfee Agent files and settings.
“Prevent modification of McAfee Scan Engine files and settings”
Intention: Similar to the above two rules, this is another self-protection rule designed to protect the
scanning engine against tampering.
ID and name in Host IPS:
3900, Access Protection—Prevent modification of McAfee Scan Engine files and settings.