McAfee SAV85E - Active VirusScan - PC User Manual, Page 7

White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
“Prevent execution of scripts from the Temp folder”
Intention: This rule prevents the Windows scripting host from running VBScript and JavaScript scripts
from the Temp directory. This would protect against a large number of Trojans and questionable web
installation mechanisms that are used by many adware and spyware applications. This rule may also
block legitimate third-party applications from being installed.
Risks: Since the email client downloads the script and then launches a legitimate Windows program
(cscript or wscript) to process the script, this rule cannot distinguish between scripts that have been
saved from a malicious email and those that have a legitimate reason for existing in the Temp directory.
This rule may therefore prevent some legitimate scripts from running.
ID and Name in Host IPS:
3893, Access Protection—Prevent execution of scripts from the Temp folder.
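
The matching this rule describes can be approximated in audit form over recorded process command lines. The following is an added example, not McAfee's implementation and not code from the white paper; the extension list, the Temp directory names, and the sample command lines are assumptions constructed for illustration. The second sample is the false-positive case the Risks paragraph describes.

```python
import re
from pathlib import PureWindowsPath

# Assumptions for this example (not taken from the white paper):
SCRIPT_HOSTS = {"wscript", "cscript"}          # Windows Script Host binaries
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse"}  # VBScript / JScript files
TEMP_DIR_NAMES = {"temp", "tmp"}               # directory names treated as Temp

TOKEN = re.compile(r'"([^"]*)"|(\S+)')         # quoted or bare argument

def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or u for q, u in TOKEN.findall(cmdline) if q or u]

def is_in_temp(path):
    """True if any parent directory of `path` is named Temp or Tmp."""
    parents = PureWindowsPath(path).parts[:-1]
    return any(part.lower() in TEMP_DIR_NAMES for part in parents)

def flagged_script(cmdline):
    """Return the script path if a script host runs a script from Temp, else None."""
    args = split_cmdline(cmdline)
    if not args or PureWindowsPath(args[0]).stem.lower() not in SCRIPT_HOSTS:
        return None
    for arg in args[1:]:
        if arg.startswith("//"):       # host options such as //B or //Nologo
            continue
        # First non-option argument is the script; the rest belong to the script.
        suffix = PureWindowsPath(arg).suffix.lower()
        return arg if suffix in SCRIPT_EXTS and is_in_temp(arg) else None
    return None

# Constructed sample command lines, as a process-creation log might record them.
SAMPLES = [
    r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"',
    r'cscript //Nologo C:\Windows\Temp\setup_helper.js /quiet',  # legitimate installer step
    r'cscript.exe //B C:\Scripts\backup.vbs',
    r'notepad.exe C:\Users\alice\AppData\Local\Temp\notes.js',
]

if __name__ == "__main__":
    for line in SAMPLES:
        hit = flagged_script(line)
        print(("WOULD BLOCK " if hit else "allowed     ") + line)
```

Running this over existing process-creation logs before enabling the rule shows which legitimate installers would need an exclusion.
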
Anti-virus Standard Protection
“Prevent Registry Editor and Task Manager from being disabled”
Intention: This rule protects some Windows registry entries to prevent the disabling of the registry
editor and Task Manager. In the event of an infection, an administrator needs to have the ability to make
changes to the registry, or open Task Manager to stop active processes.
Risk: Preventing the registry editor and Task Manager from running can make the manual removal of
malicious code more difficult.
ID and Name in Host IPS:
3883, Access Protection—Prevent Registry Editor and Task Manager from being disabled.
“Prevent user rights policies from being altered”
Intention: Many worms attempt to locate accounts on network systems that have administrative rights.
Enabling this rule prevents malicious code from modifying the rights of users. This rule protects registry
values containing important Windows security information. For example, some viruses remove important
privileges from the administrator account; this rule blocks those changes.
Included processes: all
Excluded processes: installers
ID and Name in Host IPS:
3884, Access Protection—Prevent user rights policies from being altered.
“Prevent remote creation/modification of executable and configuration files”
Enabling this rule will prevent other computers from making a connection and altering executables, files
in the Windows directories, etc.
Intention: This rule forms a very cut-down version of the “make shares read-only” rule. First, the
extension list is reduced to file types that viruses usually infect. Second, the blocked action is just “write,”
which prevents infection but also allows new files to be created. This protects against fast-spreading
worms or viruses, which traverse a network through open or administrative shares.
Risk: While there are reasons to copy executables around using Windows shares, there are fewer, if any,
reasons to modify executables on remote systems. This is usually indicative of attack behavior. These
four rules are much less likely to raise false alarms than the broad “make shares read-only” rule but are also
less secure.
ID and Name in Host IPS:
There is no corresponding signature in Host IPS.