
White Paper: Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention
Preventing infection
When the W32/Bagle.ab@MM virus runs, it copies itself to:
%windir%/system32/drvdll.exe
%windir%/system32/drvddll.exeopen
%windir%/system32/drvddll.exeopenopen
%windir%/CPLSTUB.EXE
Since Windows itself does not use these filenames, rules that prevent these files from being created
should stop the virus from infecting a machine without side effects.
For example:
Process: *
Wildcard: %windir%/system32/drv*.exe
Prevent: Create
Process: *
Wildcard: %windir%/cplstub.exe
Prevent: Create
Similar rules will be sufficient for many new viruses.
The default rules that block creation of all executables in Windows directories may have side effects and
might not be suitable for use in some environments.
In order of security:
1. As many threats use random filenames, use the broad "prevent any executable from being created"
rule all the time.
2. If that causes too many problems, use the broad "prevent any executable from being created" rule
for the duration of the outbreak.
3. If even that causes problems, then use the virus-specific rules we derived above.
Preventing distribution and damage
If you suspect that a virus has already infected your computers, you need to identify which one and stop
it spreading further.
Since this virus (W32/Bagle.ab@MM) has known filenames, the "User Defined Detection" feature of VSE,
found in the "Unwanted Programs Policy", is a very good way of detecting it. The Access Protection rules
can help as well.
If we change the above rules slightly to read:
Process: *
Wildcard: %windir%/system32/drv*.exe
Prevent: Create, write, read, execute
Process: *
Wildcard: %windir%/cplstub.exe
Prevent: Create, write, read, execute
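To make the two rule sets concrete, the following Python model is added here as an editorial example; it is not McAfee code and does not appear in the white paper. It parses the Process/Wildcard/Prevent triplets exactly as printed above, then checks which of the virus's dropped paths each rule set would block for a given operation. Matching is a simplified, case-insensitive glob with %windir% expanded to a constructed value (C:\WINDOWS); VSE's own wildcard engine has its own semantics, so treat the output as a planning aid and confirm behaviour in a test deployment. Running it shows two points the text leaves implicit: the Create-only rules block the files from being written but say nothing about a copy already on disk (which is why the second rule set adds write, read and execute), and the pattern drv*.exe covers drvdll.exe but not the two .exeopen names, which a wider wildcard such as drv* would.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed value for offline evaluation; on a real host this is the
# Windows directory that %windir% expands to.
WINDIR = r"C:\WINDOWS"

OPERATIONS = ("create", "write", "read", "execute")

# Paths the white paper lists as dropped by W32/Bagle.ab@MM.
DROPPED_FILES = [
    "%windir%/system32/drvdll.exe",
    "%windir%/system32/drvddll.exeopen",
    "%windir%/system32/drvddll.exeopenopen",
    "%windir%/CPLSTUB.EXE",
]

# First rule set from the paper: stop the files being created.
INFECTION_RULES = """
Process: *
Wildcard: %windir%/system32/drv*.exe
Prevent: Create
Process: *
Wildcard: %windir%/cplstub.exe
Prevent: Create
"""

# Second rule set from the paper: also stop an existing copy being used.
CONTAINMENT_RULES = """
Process: *
Wildcard: %windir%/system32/drv*.exe
Prevent: Create, write, read, execute
Process: *
Wildcard: %windir%/cplstub.exe
Prevent: Create, write, read, execute
"""


@dataclass(frozen=True)
class Rule:
    process: str         # process-name wildcard ("*" = any process)
    wildcard: str        # file-path wildcard, may contain %windir%
    prevent: frozenset   # blocked operations, lower-cased


def normalize(path: str) -> str:
    """Expand %windir%, unify separators and fold case (Windows paths are case-insensitive)."""
    return path.replace("%windir%", WINDIR).replace("/", "\\").lower()


def parse_rules(text: str) -> List[Rule]:
    """Parse Process/Wildcard/Prevent triplets in the layout the white paper prints them."""
    rules: List[Rule] = []
    current: Dict[str, str] = {}
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "prevent":
            ops = frozenset(op.strip().lower() for op in value.split(",") if op.strip())
            rules.append(Rule(current["process"], current["wildcard"], ops))
            current = {}
        else:
            current[key] = value.strip()
    return rules


def blocked_by(rules: List[Rule], process: str, path: str, operation: str) -> List[Rule]:
    """Return the rules that block `operation` on `path` when attempted by `process`."""
    target = normalize(path)
    return [
        r for r in rules
        if fnmatch.fnmatchcase(process.lower(), r.process.lower())
        and fnmatch.fnmatchcase(target, normalize(r.wildcard))
        and operation.lower() in r.prevent
    ]


def coverage(rules: List[Rule], process: str, paths: List[str]) -> Dict[str, Set[str]]:
    """Map each path to the set of operations that at least one rule blocks."""
    return {p: {op for op in OPERATIONS if blocked_by(rules, process, p, op)} for p in paths}


if __name__ == "__main__":
    for name, text in (("infection", INFECTION_RULES), ("containment", CONTAINMENT_RULES)):
        print(f"--- {name} rules ---")
        for path, ops in coverage(parse_rules(text), "bagle.exe", DROPPED_FILES).items():
            print(f"{path:45} blocked: {sorted(ops) or 'nothing'}")
```

Run it as a script to see the per-path coverage table; the uncovered .exeopen rows are the gap to close before relying on the rules during an outbreak.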