
White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
Targeting Rules at Unknown Future Threats
Introduction
It is difficult to know how to combat unknown future threats. Very few viruses are innovative, so using
historical information you can implement general, broad rules.
All of the VSE default rules, described below, are aimed at stopping new threats that behave like recent
widespread threats.
The problem with broad rules that are aimed at preventing the general behavior of viruses is that they
can also block legitimate file access. Some of the problems include:
1) Blocking well-known ports can disable existing software. For example, VSE has rules that
selectively block ports 25 (SMTP), 20 and 21 (FTP), and 80 (HTTP).
Well-known ports are used by many legitimate programs. Before applying such a rule, run it in
report mode for a while to verify that no programs need to use the ports that are blocked.
2) Blocking access to Windows files and directories prevents parts of Windows from functioning.
For example, we have rules to prevent all access to tftp.exe or write access to
Windows executables.
The tftp rule can trigger as a false alarm when applications such as Explorer or Windows File
Protection open the file for read access.
The write-prevention rules will block the installation of service packs and hotfixes.
3) Blocking access to Windows or Program Files files and directories blocks the installation of
legitimate as well as malicious software.
Preventing infection
Rules to prevent infection can, in decreasing order of security:
• Stop the malicious code from getting to the system
• Allow it to get to the system but prevent it from being executed
• Allow it to get to the system and execute but prevent it from installing itself
For example, two common types of viruses are mass mailers and share-hoppers.
With mass mailers, there is nothing the Access Protection rules can do to prevent code from arriving
on the computer, especially if it is buried within an email. However, using knowledge of how the email
clients work, it is possible to prevent casual execution of the code.
With share-hoppers, it is possible to prevent the malicious files from arriving on the system by restricting
incoming network connections from write access.
In both cases, if the code exists and runs, the first thing the virus does is ensure that it will continue to
run. Once the virus is allowed to run, its options are much greater than when it is relying on the user, or
other software, to launch it. It is therefore much harder to design good rules to stop it. One common
thing that viruses do is copy themselves to the Windows directory and set some value in the registry to
have the virus started on logon or when a particular application starts. The virus will run once and may
do things other than installing itself, but after a reboot the virus should be disabled.
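The advice above to run a broad rule in report mode before enforcing it, and the persistence pattern just described (copying into the Windows directory), can be exercised with a small rule evaluator. This is an added example, not VSE code or its rule syntax: the rule format, the process names and the event log are constructed here for illustration.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    kind: str                  # "file" or "port"
    pattern: str               # case-insensitive path glob, or a port number
    actions: frozenset         # access types the rule covers
    excluded: frozenset = frozenset()   # processes allowed through (lowercase)

# Constructed rules in the spirit of the paper's examples (illustrative syntax, not VSE's)
RULES = [
    Rule("Block outbound SMTP (port 25)", "port", "25", frozenset({"connect"}), frozenset({"outlook.exe"})),
    Rule("Prevent all access to tftp.exe", "file", "*\\tftp.exe", frozenset({"read", "write", "execute"})),
    Rule("Prevent write access to Windows executables", "file", "c:\\windows\\*.exe", frozenset({"write"})),
]

def matches(rule, event):
    """True when the event falls under the rule and its process is not excluded."""
    if event["kind"] != rule.kind or event["action"] not in rule.actions:
        return False
    if event["process"].lower() in rule.excluded:
        return False
    target = event["target"].lower()
    if rule.kind == "port":
        return target == rule.pattern
    return fnmatch.fnmatchcase(target, rule.pattern.lower())   # '*' spans backslashes too

def evaluate(events, rules, mode="report"):
    """Report mode records every hit without blocking, so false alarms (Explorer reading
    tftp.exe, a hotfix rewriting a system binary) surface before the rule is enforced."""
    hits = []
    for ev in events:
        for rule in rules:
            if matches(rule, ev):
                hits.append({"rule": rule.name, "process": ev["process"],
                             "target": ev["target"], "blocked": mode == "block"})
    return hits

SAMPLE_EVENTS = [   # constructed access events, not real telemetry
    {"process": "explorer.exe", "kind": "file", "action": "read", "target": "C:\\Windows\\System32\\tftp.exe"},
    {"process": "update.exe", "kind": "file", "action": "write", "target": "C:\\Windows\\explorer.exe"},
    {"process": "outlook.exe", "kind": "port", "action": "connect", "target": "25"},
    {"process": "worm.exe", "kind": "port", "action": "connect", "target": "25"},
    {"process": "worm.exe", "kind": "file", "action": "write", "target": "C:\\Windows\\worm.exe"},
]

if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS, RULES):
        print("BLOCKED" if h["blocked"] else "WOULD BLOCK", h["rule"], h["process"], h["target"])
```

In report mode the output shows that the tftp and write-prevention rules also fire on Explorer and the hotfix installer, which is exactly the kind of hit an administrator should exclude before switching to block mode.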