
22
White Paper: Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention
Preventing distribution and damage
As with the “Prevent installation” case above, the virus is already running and the aim of these rules is
to slow or stop it spreading further, or to stop it from causing damage. Since the virus code is running,
there is no limit to what it can try to do and it is impossible to write rules to stop everything. Again, we
can look at what existing, successful viruses do and assume that the next one is going to try something
similar. The rule to “Prevent mass-mailing worms from sending mail” is the best way to stop mass
mailers from spreading themselves.
Viruses tend not to contain payloads designed to delete or corrupt the files on the computer they are
running on. Instead, they are designed to stay hidden on the computer and attack other computers, for
example by sending spam or participating in denial-of-service attacks. They can either be coded to do
some particular task, to download and run code from somewhere else, or to receive orders directly from
their masters.
Port blocking rules target these last two cases.
Of course, some viruses still do attempt to delete files. Critical files—either those that are needed to
keep the computer running or those that contain irreplaceable data—can be protected with rules
such as:
    Process: *
    Wildcard: c:\Data\OrdersDatabase.db
    Prevent: Delete
Port Blocking
Port blocking rules allow you to block incoming or outgoing traffic on specified ports and choose to
log entries when attempts are made to access blocked ports. When you block a port, both Transmission
Control Protocol (TCP) and the User Datagram Protocol (UDP) accesses are blocked. You can block ports
by creating rules to specify which port numbers to block and whether to restrict access to inbound or
outbound processes. You can also exclude processes from the rule if you want a specific process, or
list of processes, to be allowed access to the otherwise blocked port. This can be very advantageous
in an instance when a known virus accesses the system using specified ports. However, use caution
as legitimate applications may also need to access the system on those same ports. To help counter
a situation where a legitimate application needs access but protection is required for unknown
applications, an exclusion list may be used.
Port blocking rules
To create user-defined port blocking rules, provide the following:
• Rule name—Type the name for this rule.
• Processes to include—Restrict access to the specified ports.
• Processes to exclude—Allow access to the specified ports.
• Starting port—Specify the first port number. This can be a single port or the starting number of a range of ports.
• Ending port—Specify the last port number in a range of ports.
• Inbound—Prevent systems on the network from accessing the specified ports.
• Outbound—Prevent local processes from accessing the specified ports on the network.
Note: If you block access to a port that is used by the ePolicy Orchestrator agent, or the McAfee Host
Intrusion Prevention agent, the agent’s processes are trusted and are allowed to communicate with the
blocked port. All other traffic not related to these agent processes is blocked.
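The following is an added illustration, not code from the white paper or from McAfee, of how the two rule kinds on this page can be evaluated: the file protection rule (Process / Wildcard / Prevent) from the "Preventing distribution and damage" section and the port blocking rule fields listed above (processes to include and exclude, port range, inbound/outbound). The evaluation order (trusted agent processes first, then the exclusion list, then the inclusion list), the placeholder agent process names, and the sample rule set are assumptions drawn from the text, not the product's actual implementation.

```python
"""
Toy evaluator for Access Protection file rules and port blocking rules.
Added example for this page; it is not McAfee code. The matching order
(agent processes trusted, then exclusions, then inclusions) and the
placeholder names below are assumptions taken from the white paper text.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Tuple

# Placeholder names (assumed) for the ePO / Host IPS agent processes that the
# note says remain able to communicate over an otherwise blocked port.
TRUSTED_AGENT_PROCESSES = ("epo-agent-placeholder.exe", "hips-agent-placeholder.exe")


def _matches(name: str, patterns) -> bool:
    """Case-insensitive wildcard match; Windows process and file names ignore case."""
    return any(fnmatch(name.lower(), p.lower()) for p in patterns)


@dataclass
class Verdict:
    blocked: bool
    rule: Optional[str] = None   # name of the rule that fired, if any
    logged: bool = False         # whether a log entry would be written


@dataclass
class PortRule:
    name: str
    start_port: int
    end_port: int                # equal to start_port for a single port
    inbound: bool = False
    outbound: bool = False
    include: List[str] = field(default_factory=lambda: ["*"])
    exclude: List[str] = field(default_factory=list)
    log: bool = True


@dataclass
class FileRule:
    name: str
    process: str                 # wildcard, e.g. "*"
    path: str                    # wildcard, e.g. r"c:\Data\OrdersDatabase.db"
    prevent: Tuple[str, ...]     # blocked actions, lower-case, e.g. ("delete",)


def evaluate_port(rules, process, port, direction, protocol) -> Verdict:
    """direction is 'inbound' or 'outbound'; protocol is 'tcp' or 'udp'."""
    if protocol not in ("tcp", "udp") or direction not in ("inbound", "outbound"):
        raise ValueError("unsupported protocol or direction")
    # Agent processes are trusted even on a blocked port (note on this page).
    if _matches(process, TRUSTED_AGENT_PROCESSES):
        return Verdict(blocked=False)
    for rule in rules:
        wants_direction = rule.inbound if direction == "inbound" else rule.outbound
        if not wants_direction or not (rule.start_port <= port <= rule.end_port):
            continue
        if _matches(process, rule.exclude):
            continue             # excluded process keeps access to the port
        if _matches(process, rule.include):
            # A port rule blocks both TCP and UDP, so protocol is not consulted.
            return Verdict(blocked=True, rule=rule.name, logged=rule.log)
    return Verdict(blocked=False)


def evaluate_file(rules, process, path, action) -> Verdict:
    """action is one of the prevented operations, e.g. 'Delete' (case-insensitive)."""
    for rule in rules:
        if (action.lower() in rule.prevent
                and _matches(process, [rule.process])
                and _matches(path, [rule.path])):
            return Verdict(blocked=True, rule=rule.name, logged=True)
    return Verdict(blocked=False)


# Constructed sample rule set mirroring the page's examples: an outbound SMTP
# block with mail clients excluded, and the orders-database delete protection.
PORT_RULES = [
    PortRule("Prevent mass-mailing worms from sending mail", 25, 25,
             outbound=True, exclude=["outlook.exe", "thunderbird.exe"]),
]
FILE_RULES = [
    FileRule("Protect orders database", "*", r"c:\Data\OrdersDatabase.db", ("delete",)),
]

if __name__ == "__main__":
    for proc, port, d, p in [("unknown.exe", 25, "outbound", "tcp"),
                             ("unknown.exe", 25, "outbound", "udp"),
                             ("outlook.exe", 25, "outbound", "tcp"),
                             ("unknown.exe", 25, "inbound", "tcp")]:
        print(proc, port, d, p, "->", evaluate_port(PORT_RULES, proc, port, d, p))
    print(evaluate_file(FILE_RULES, "anything.exe", r"C:\Data\OrdersDatabase.db", "Delete"))
```

Running the script shows the behaviour the text describes: an unlisted process is blocked on outbound port 25 whether it uses TCP or UDP, an excluded mail client is allowed, the rule does not fire for inbound traffic it was not configured for, and the file rule stops only the prevented action on the protected path.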