
White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
“Prevent launching of files from the Downloaded Program Files folder”
A common distribution method for adware and spyware is to have the user download an executable
file and run it automatically from the Downloaded Program Files folder. This rule is specific to Microsoft
Internet Explorer and prevents software installations through the web browser. It might also block the
installation of legitimate software, so either install the application before enabling this rule or add the
installation process to the exclusion list.
Intention: Internet Explorer runs code from the Downloaded Program Files directory, notably ActiveX
controls. Some Internet Explorer exploits and viruses drop an .EXE file into this directory and run it (see,
for example, http://vil.nai.com/vil/content/v_101031.htm). This rule closes that attack vector.
Risks: Legitimate software uses Downloaded Program Files far more often than it uses Temp, so this rule can
break non-malicious applications. Two known programs disabled by this rule are Microsoft's transfer manager
(transfermgr.exe) and the Apple QuickTime installer (QuickTimeInstaller.exe). You can permit them by adding
them to the list of processes to exclude.
Included processes: Internet Explorer
Excluded processes: none
ID and name in Host IPS:
3910, Access Protection—Prevent launching of files from the Downloaded Program Files folder.
“Prevent FTP communication”
This rule is designed to block FTP (port 21) traffic from any process not listed in the exclusion list. FTP
communication is frequently used by adware, spyware, Trojans, and viruses to receive or transmit
data. It is also sometimes used by buffer overflow exploits to retrieve additional components. However,
many third-party applications have a legitimate need for FTP traffic, so they must be added to the
exclusion list.
Intention: Viruses and Trojans may attempt to download malicious code, spyware may attempt to
upload personal information, and adware may attempt to download advertisements. This rule prevents
anything but the authorized processes from communicating via FTP.
Risks: FTP is a widely used protocol. If this rule is enabled on an FTP server, the server stops working until
its service process is added to the exclusion list. Popular FTP clients are already on the exclusion list, but
your environment may contain many more programs that need to be added.
Included processes: all
Excluded processes: common browsers, email clients and FTP clients
ID and name in Host IPS:
There is no corresponding signature in Host IPS.
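The two rules above share one evaluation pattern: a condition on the event (a launch from a particular folder, or traffic on TCP port 21), an "included processes" list that scopes the rule (Internet Explorer only, or all processes), and an "excluded processes" list that exempts named programs. The model below is an added example written for this page, not McAfee code and not how VirusScan Enterprise or Host IPS is implemented internally. It shows how the exclusion list resolves the break-cases the paper describes (transfermgr.exe, an FTP server process). All process names other than those on the page, the Downloaded Program Files path, and every event are constructed, and treating the launched image as subject to the exclusion list is a modelling assumption.

```python
"""Toy model of Access Protection rule evaluation (added example, not McAfee code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    process: str                   # image name of the process performing the action
    action: str                    # "execute" (launch a file) or "connect" (TCP connection)
    path: Optional[str] = None     # path of the file being launched, for "execute"
    port: Optional[int] = None     # TCP port 21 on either end counts as FTP, for "connect"


@dataclass(frozen=True)
class Rule:
    name: str
    included: Optional[frozenset]  # None models "Included processes: all"
    excluded: frozenset            # image names exempt from the rule
    condition: Callable[[Event], bool]

    def subject_images(self, ev: Event) -> set:
        # Modelling assumption: for launch events the include/exclude lists are checked
        # against the launched image as well as the launching process, which is how the
        # paper's transfermgr.exe exclusion reads.
        images = {ev.process.lower()}
        if ev.action == "execute" and ev.path:
            images.add(ev.path.lower().rsplit("\\", 1)[-1])
        return images

    def blocks(self, ev: Event) -> bool:
        images = self.subject_images(ev)
        if images & self.excluded:
            return False           # any exclusion match exempts the event
        if self.included is not None and not (images & self.included):
            return False           # rule is scoped to other processes
        return self.condition(ev)


# Constructed sample location; the real folder location varies per system.
DPF = "c:\\windows\\downloaded program files\\"


def launched_from_dpf(ev: Event) -> bool:
    return ev.action == "execute" and ev.path is not None and ev.path.lower().startswith(DPF)


def ftp_control(ev: Event) -> bool:
    return ev.action == "connect" and ev.port == 21


def default_rules() -> list:
    return [
        Rule("Prevent launching of files from the Downloaded Program Files folder",
             included=frozenset({"iexplore.exe"}), excluded=frozenset(),
             condition=launched_from_dpf),
        Rule("Prevent FTP communication", included=None,
             # constructed stand-ins for "common browsers, email clients and FTP clients"
             excluded=frozenset({"iexplore.exe", "firefox.exe", "outlook.exe", "ftp.exe"}),
             condition=ftp_control),
    ]


def with_exclusion(rules: list, rule_name: str, process: str) -> list:
    """Return a copy of the rule set with `process` added to the named rule's exclusion list."""
    return [Rule(r.name, r.included, r.excluded | {process.lower()}, r.condition)
            if r.name == rule_name else r for r in rules]


def blocking_rules(rules: list, ev: Event) -> list:
    """Names of the rules that would block this event (empty list means allowed)."""
    return [r.name for r in rules if r.blocks(ev)]


if __name__ == "__main__":
    rules = default_rules()
    # Constructed events: a browser-launched dropper, the legitimate transfer manager,
    # and a hypothetical FTP server service named ftpsvc.exe.
    dropper = Event("iexplore.exe", "execute", path=DPF + "update.exe")
    transfer = Event("iexplore.exe", "execute", path=DPF + "transfermgr.exe")
    server = Event("ftpsvc.exe", "connect", port=21)
    print(blocking_rules(rules, dropper))   # blocked by the Downloaded Program Files rule
    print(blocking_rules(rules, transfer))  # also blocked until excluded
    fixed = with_exclusion(rules, rules[0].name, "transfermgr.exe")
    fixed = with_exclusion(fixed, "Prevent FTP communication", "ftpsvc.exe")
    print(blocking_rules(fixed, transfer), blocking_rules(fixed, server))  # both allowed
```

The evaluation order matters: the exclusion list is consulted before the inclusion list, so a program on both lists is allowed. That is also why the FTP rule, with "all" processes included, stops a server process the moment the rule is enabled and only resumes once that process is excluded.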