McAfee SAV85E - Active VirusScan - PC User Manual, Page 4

White Paper: Access Protection in McAfee VirusScan Enterprise and Host Intrusion Prevention
Access Protection Rules in VirusScan Enterprise
In the past, virus-scanning software depended primarily on the release of updated virus definition
(.DAT) files that instructed the software how to detect and defend against new virus attacks. The use
of .DAT files is still inherent in VSE; however, administrators now also have the ability to create rules that
strengthen systems against further infection and provide a layer of intrusion prevention.
In VSE, all predefined rule definitions are stored in the file vscan.bof. This file is digitally signed and is
updatable by the AutoUpdate process. The new rule-definition language used in vscan.bof allows a
single rule to protect multiple objects of different types (file, registry, port, and process). The new rule
language also allows inclusion and exclusion lists for the objects being protected. For example, a rule
can block access to c:\*.exe and c:\temp/*.exe except for **/notepad.exe.
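The inclusion and exclusion lists described above can be modeled to check which paths a rule would cover before it is deployed. This is an added Python example, not McAfee code and not the vscan.bof rule language; the AccessRule class and the wildcard semantics ('**' spans directories, '*' and '?' stay inside one path component, matching is case-insensitive, '/' and '\' are equivalent) are assumptions, and the sample paths are constructed.

```python
import re

def wildcard_to_regex(pattern):
    """Compile a path wildcard to a regex under the assumed semantics:
    '**' crosses directory separators, '*' and '?' do not."""
    norm = pattern.replace("/", "\\")      # treat both separators alike
    out, i = [], 0
    while i < len(norm):
        if norm.startswith("**", i):
            out.append(".*")
            i += 2
        elif norm[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif norm[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(norm[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)

class AccessRule:
    """Hypothetical model of one rule: block what the inclusion list
    matches unless the exclusion list also matches."""
    def __init__(self, include, exclude=()):
        self.include = [wildcard_to_regex(p) for p in include]
        self.exclude = [wildcard_to_regex(p) for p in exclude]

    def blocks(self, path):
        target = path.replace("/", "\\")
        if not any(rx.fullmatch(target) for rx in self.include):
            return False                   # not covered by the rule
        return not any(rx.fullmatch(target) for rx in self.exclude)

# The rule from the text: c:\*.exe and c:\temp/*.exe except **/notepad.exe
RULE = AccessRule([r"c:\*.exe", r"c:\temp/*.exe"], ["**/notepad.exe"])

def audit(rule, paths):
    """Map each candidate path to True (blocked) or False (allowed)."""
    return {p: rule.blocks(p) for p in paths}

if __name__ == "__main__":
    samples = [r"C:\setup.exe", r"c:\temp\dropper.exe",      # constructed
               r"c:\temp\notepad.exe", r"c:\temp\sub\tool.exe"]
    for path, blocked in audit(RULE, samples).items():
        print(f"{'BLOCK' if blocked else 'allow'}  {path}")
```

Running candidate paths through a model like this shows how wide an exclusion is: under these assumptions the **/notepad.exe exclusion exempts a file of that name in any covered directory, and a single * does not reach into subdirectories of c:\temp.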
Purpose and application of rules
Rules should be created with one or more of the following purposes in mind:
• To prevent malicious code from running
• To identify which computers have malicious code running
• To prevent malicious code from spreading to other computers
• To prevent a payload from damaging the local computer
Rules can be created to target a specific, newly discovered threat, or they can be predefined to provide
generic protection against future threats. For example, a rule might be used during the brief time
between a virus outbreak and the release of a new .DAT file by McAfee Avert® Labs. During this time, it
is important to stop the exploit from affecting the targeted systems and prevent it from spreading. In
many cases, VSE can facilitate a new .DAT update and apply operating system patches without allowing
the infection to spread. The rules are therefore not being used in place of virus definition files—they are
used to complement them.
Processing Access Protection rules
Access Protection rules can be located in two different files, as well as the registry, and rules can be
processed in various ways based on the following conditions:
• Vscan.bof (located in the VirusScan directory) is the default Access Protection and buffer
  overflow protection content file. This file is read first.
• In an outbreak, Avert Labs may release an extra.rul before a new vscan.bof is available. If an
  extra.rul is present (located in the VirusScan directory), it is appended.
• User-defined rules are read from the registry and appended.