
White Paper Access Protection in McAfee VirusScan Enterprise and
Host Intrusion Prevention
“Prevent mass mailing worms from sending mail”
Intention: Many viruses and worms harvest email addresses from the infected system and send themselves
to those addresses. They do this by connecting directly to the mail servers whose names they have
harvested from the local system, bypassing the user's email client. This rule prevents any process other than a
known email client from talking to a remote mail server over SMTP: it blocks outbound access to SMTP
ports 25 and 587 for every program except those listed as exclusions. With this communication blocked, a
machine may still become infected with a new mass-mailing virus, but that virus will be unable to spread
further by email.
Risks: Our list of exclusions cannot be complete, since many third-party applications send email. Those
applications will stop working until their process names are added to the list of exclusions. To add a
process to the list, highlight the rule, click Edit, and add the process name to the list of processes to
exclude. Note that exclusions match on process name alone, so a malicious binary that adopts an excluded
name (for example, the name of the installed email client) is not blocked by this rule.
Included processes: all
Excluded processes: common browsers and email clients
ID and name in Host IPS:
There is no corresponding signature in Host IPS.
“Prevent IRC communication”
Internet Relay Chat (IRC) is the preferred communication method used by botnet herders and remote-access
Trojans to control bots (a set of scripts or an independent program that connects to an IRC server). IRC
lets an attacker control infected machines that sit behind network address translation (NAT), because the
bot initiates the connection outbound, and the bot can be configured to connect back to a command and
control server listening on any port.
Intention: Many backdoor Trojans connect to IRC servers and receive commands from their authors
(for example, http://vil.nai.com/vil/content/v_98963.htm). By blocking this communication, even if a
system becomes infected with a new Trojan, it will be unable to communicate with the person or entity
controlling it.
Risks: If IRC is used within the company, or if these ports are used for some other purpose, the rule
will block that traffic until the processes using the ports are added to the exclusion list. Because the rule
covers only the standard IRC port range below, a bot configured to use a non-standard port is not stopped
by it.
Included processes: all
Excluded processes: none
Blocked inbound ports: TCP/UDP 6666-6669
Blocked outbound ports: TCP/UDP 6666-6669
ID and name in Host IPS:
There is no corresponding signature in Host IPS.
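The two port-based rules above differ in direction, protocol, port range and, above all, in their exclusion lists (the SMTP rule excludes browsers and mail clients, the IRC rule excludes nothing). The following Python model is an added example, not McAfee's code and not the real Access Protection engine; it applies the two rules as the paper states them to a handful of constructed connection events so the per-rule exclusion semantics are visible. The concrete process names used for “common browsers and email clients” are assumptions, since the paper does not list them, and SMTP is modelled as TCP only.

```python
"""Toy model of two VSE Access Protection port rules, run over constructed events.

Added example; not McAfee code. Process names in MAIL_CLIENTS are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    """One connection attempt (constructed sample data, not a real VSE log format)."""
    process: str    # image name, e.g. "outlook.exe"
    direction: str  # "out" or "in"
    proto: str      # "tcp" or "udp"
    port: int       # remote port for "out", local port for "in"


@dataclass(frozen=True)
class PortRule:
    """A port-blocking rule: included processes are 'all', minus the exclusions."""
    name: str
    ports: frozenset       # port numbers the rule covers
    protos: frozenset      # {"tcp"}, {"udp"} or both
    directions: frozenset  # {"out"}, {"in"} or both
    excluded: frozenset    # lowercase process names exempt from THIS rule only

    def blocks(self, ev: ConnEvent) -> bool:
        # Exclusions are matched on the process name alone, case-insensitively.
        if ev.process.lower() in self.excluded:
            return False
        return (ev.direction in self.directions
                and ev.proto.lower() in self.protos
                and ev.port in self.ports)


# ASSUMPTION: the paper says only "common browsers and email clients".
MAIL_CLIENTS = frozenset({"outlook.exe", "thunderbird.exe", "iexplore.exe", "firefox.exe"})

RULES = (
    PortRule("Prevent mass mailing worms from sending mail",
             ports=frozenset({25, 587}), protos=frozenset({"tcp"}),
             directions=frozenset({"out"}), excluded=MAIL_CLIENTS),
    PortRule("Prevent IRC communication",
             ports=frozenset(range(6666, 6670)),  # TCP/UDP 6666-6669 inclusive
             protos=frozenset({"tcp", "udp"}),
             directions=frozenset({"in", "out"}), excluded=frozenset()),
)


def evaluate(ev: ConnEvent, rules=RULES) -> str | None:
    """Return the name of the first rule that blocks ev, or None if it is allowed."""
    for rule in rules:
        if rule.blocks(ev):
            return rule.name
    return None


# Constructed sample events covering the interesting cases.
SAMPLE_EVENTS = [
    ConnEvent("outlook.exe", "out", "tcp", 25),    # excluded mail client: allowed
    ConnEvent("svchost.exe", "out", "tcp", 587),   # unknown process to SMTP: blocked
    ConnEvent("outlook.exe", "out", "tcp", 6667),  # SMTP exclusion does not cover IRC
    ConnEvent("mirc.exe", "in", "udp", 6669),      # inbound IRC port: blocked
    ConnEvent("python.exe", "out", "tcp", 465),    # SMTPS port is not in the rule
    ConnEvent("svchost.exe", "out", "tcp", 6670),  # just outside the IRC range
]


def report(events=SAMPLE_EVENTS) -> list:
    """Pair each event with its verdict (rule name or None)."""
    return [(ev, evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for ev, verdict in report():
        print(f"{ev.process:12} {ev.direction:3} {ev.proto}/{ev.port:<5} -> {verdict or 'allowed'}")
```

Two things the run makes concrete: an exclusion belongs to one rule, so a mail client exempt from the SMTP rule is still blocked by the IRC rule, and the literal port lists leave gaps (SMTPS on 465 is not covered by a rule written for 25 and 587, and an IRC bot on 6670 is outside the blocked range).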
“Prevent use of tftp.exe”
Trivial File Transfer Protocol (TFTP) provides basic file transfer with no user authentication. Many Trojans
use TFTP because it is a rudimentary way to download additional code. Enabling this rule prevents
anything except Windows Update from using tftp.exe to download further malicious code to the system.
Intention: Some viruses spread by exploiting buffer overflows in vulnerable applications. Code is
injected into the vulnerable process and run, and this code then downloads the rest of the virus from the
computer that just injected it. Often the download code uses the Windows TFTP client (tftp.exe) to
perform the download. Therefore, even if a system becomes infected with part of a new virus, it cannot
become fully infected because it cannot download the rest of the code.