McAfee SAV85E - Active VirusScan - PC User Manual Page 17

White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
“Prevent HTTP communication”
Many spyware, adware, and Trojan programs use port 80 for software downloads, bundled components,
or updates. This rule will prevent any service (using svchost.exe) from communicating over port 80. This
would stop common spyware and adware delivery mechanisms. Some server software uses port 80,
although this isn’t common in desktops.
This rule will block all HTTP communication for processes not in the exclusions list. Like FTP traffic, HTTP
traffic is used by many applications to retrieve or transmit data. Spyware, adware, and Trojans also
commonly use HTTP communication for software downloads of third-party components or updates.
There are also many legitimate reasons for processes to communicate via HTTP. Many applications use
a registration or self-update procedure that communicates over HTTP. Without the process being listed
in the exclusions list, the traffic would be blocked; therefore, McAfee strongly recommends a thorough
test and review cycle before enabling this rule.
Intention: Many Trojans download scripts or other Trojans from websites controlled by the Trojan’s
author (for an example, see http://vil.nai.com/vil/content/v_100487.htm). With this communication
blocked, a system that becomes infected with a new, unknown Trojan will be unable to download further
malicious code.
Risks: HTTP is a very widely used protocol. While we have included popular web browsers in the
exclusion list, you may need to add many other programs based on your particular environment.
ID and name in Host IPS:
There is no corresponding signature in Host IPS.
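As an aid to the test and review cycle recommended above, the following added example (not part of the white paper and not McAfee code) replays observed outbound connections against a candidate exclusion list and counts what the port 80 rule would block. The exclusion names, the CSV layout, and the wildcard matching are assumptions of this sketch, and the sample data is constructed.

```python
import csv
import fnmatch
import io
import ntpath
from collections import Counter

# Constructed candidate exclusion list (assumption); wildcard matching is
# a convenience of this sketch, not a statement about the product.
EXCLUSIONS = ["iexplore.exe", "firefox.exe", "outlook.exe"]

# Constructed observations of outbound connections (hypothetical CSV layout,
# not a McAfee log format).
SAMPLE = r"""process,remote_port
C:\Program Files\Internet Explorer\iexplore.exe,80
C:\Windows\System32\svchost.exe,80
C:\Windows\System32\svchost.exe,80
C:\Program Files\Acme\AcmeUpdater.exe,80
C:\Program Files\Mozilla Firefox\firefox.exe,443
C:\Users\test\AppData\Local\Temp\dl.exe,80
"""

def is_excluded(process_path, exclusions):
    """True if the executable name matches an exclusion (case-insensitive)."""
    name = ntpath.basename(process_path).lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in exclusions)

def would_block(rows, exclusions, port=80):
    """Count connections to `port` made by processes that are not excluded."""
    blocked = Counter()
    for row in rows:
        if int(row["remote_port"]) != port:
            continue  # the rule only concerns the given port
        if not is_excluded(row["process"], exclusions):
            blocked[ntpath.basename(row["process"]).lower()] += 1
    return blocked

def review(sample=SAMPLE, exclusions=EXCLUSIONS):
    """Parse the observations and return the would-be-blocked tally."""
    return would_block(csv.DictReader(io.StringIO(sample)), exclusions)

if __name__ == "__main__":
    for name, hits in review().most_common():
        print(f"{name}: {hits} connection(s) to port 80 would be blocked")
```

Each name in the output is either a legitimate program to add to the exclusion list or a process worth investigating before the rule is switched from testing to blocking.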
Virtual Machine Protection
The rules in this category are intended to block viruses, adware, spyware, etc., with strict rules that may
be inappropriate for some computers, and may need some customization before they can be enabled.
These rules are often used temporarily or in extreme cases of lock down.
“Prevent Termination of VMware Processes”
Intention: When the “Prevent termination of VMware processes” rule is enabled, VSE prevents any
process, other than VMware processes and those specifically excluded, from terminating a VMware
process or service. This protects VMware processes from being disabled by malicious programs that seek to
circumvent virus protection programs by killing their processes.
If this rule is set, no one (except excluded processes) can terminate a VMware process using Task
Manager, etc. (“Terminate” means forcing the process to end right now. The victim process has no say
in the matter).
Risks: There are no drawbacks to enabling this rule, as it simply prevents processes from terminating
VMware processes or services.
“Prevent modification of VMware Workstation files and settings”
Intention: This rule protects VMware Workstation registry values and processes from alteration or
deletion by malicious code.
Risks: This rule protects the VMware Workstation product from modification by any process not listed in
the policy’s exclusion list.