McAfee SAV85E - Active VirusScan - PC User Manual, Page 11

White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
Systems running Microsoft Windows operating systems use a three- or four-letter identifier added to file
names after a period (.) to identify a file type. When a file is opened, the file extension is used to decide
what program should be used to open the file, or if the file is a program that should be run. Malware
can modify the file extension registrations in such a way that execution of the malicious code is silent.
This rule prevents malware from modifying file extension registrations, for example by changing the
shell extension for .TXT so that the malicious code executes every time you open a .TXT file. The rule
does this by protecting the registry keys where the file extensions are registered.
Risks: If system administrators enable this rule, they will need to make sure to disable the rule when
installing valid applications that will modify the file extension registrations in the registry.
Included processes: all
Excluded processes: explorer
ID and name in Host IPS:
3896, Access Protection—Prevent alteration of all file extension registrations.
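
A defender-side check for the file extension registrations this rule protects, as an added example that is not part of the white paper or any McAfee product: it parses registry export text and reports extensions whose open handler differs from a baseline. The sample export, the baseline and all function names are constructed for illustration, and only plain string (REG_SZ) default values are handled.

```python
import re

# Constructed sample in "reg export" text form (not taken from the white paper).
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Users\\Public\\helper.exe \"%1\""
[HKEY_CLASSES_ROOT\.log]
@="logfile"
[HKEY_CLASSES_ROOT\logfile\shell\open\command]
@="C:\\Windows\\System32\\notepad.exe %1"
'''

# Assumed baseline: extension -> expected handler executable (lower case).
BASELINE = {
    ".txt": r"c:\windows\system32\notepad.exe",
    ".log": r"c:\windows\system32\notepad.exe",
}

def parse_export(text):
    """Return {lower-cased key path: default value} for keys with a string default."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping of backslashes and double quotes.
            keys[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return keys

def handler_exe(command):
    """Executable of an open command; an unquoted path is cut at the first space."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)).lower()

def audit(text, baseline):
    """Return (extension, progid, actual_exe) for every handler not matching baseline."""
    keys, findings = parse_export(text), []
    root = "hkey_classes_root\\"
    for ext, expected in baseline.items():
        progid = keys.get(root + ext)  # e.g. .txt -> txtfile
        cmd = keys.get(f"{root}{progid}\\shell\\open\\command".lower()) if progid else None
        actual = handler_exe(cmd) if cmd else None
        if actual != expected:  # changed, or registration missing entirely
            findings.append((ext, progid, actual))
    return findings
```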

“Protect cached files from password and email address stealers”
Intention: Some viruses look through the Internet Explorer cache for email addresses and website
passwords. This rule prevents access to anything in the Internet Explorer cache except by
Internet Explorer.
Risk: Any process that uses the WinInet library or hosts an Internet Explorer control in a window can
access the cache; therefore, you may need to add processes to this rule if it is enabled.
Included processes: all
Excluded processes: Internet Explorer; McAfee processes
ID and name in Host IPS:
3897, Access Protection—Protect cached files from password and email address stealers.

Anti-virus Outbreak Control
“Make all shares read-only”
Intention: Many viruses spread by copying themselves to open shares on the network or by infecting
files on open shares, for example, http://vil.nai.com/vil/content/v_99209.htm. While shares can be
protected by access control lists (ACLs), the ACLs on the admin shares (C$, D$, Admin$, etc.) cannot be
edited, and those shares are read/write to administrators. If an administrator’s system becomes infected,
that infection can rapidly spread across a network. VSE’s share blocking does not treat administrators
differently: all write access is blocked. If there is a policy of making shares read-only, this rule
reinforces that policy by closing the administrative shares.
Risks: This is a very powerful rule. It is a good idea to assess the roles of the systems that will use this
rule. In a typical environment, it is likely that this rule will be suitable for workstations and unsuitable
for servers. The rule is intended to block viruses that will severely limit use of the computer or network,
and it is only useful when computers are actively under attack. In addition to potentially affecting the
day-to-day use of computers, these rules can also affect the way they are managed. If computers are
managed by pushing files to them, this rule will prevent updates or patches from being installed. The
management functions of McAfee ePO will not be affected if this rule is enabled.
ID and name in Host IPS:
There is no corresponding signature in Host IPS.