Product Guide: Part 2 - Detection: Finding Threats Flashcards
What does the On-Access scanner do?
Examines files on your computer as they are accessed, providing continuous, real-time detection of threats.
What VSE features make use of the On-Access Scanner?
Access Protection and Buffer Overflow Protection both use the On-Access Scanner, to detect access violations and buffer overflow exploits respectively.
How does On-Access scanning work in VSE?
Hooks into the system at the lowest levels and scans files at the point where they first enter the system.
Acts as part of the system and delivers notifications through the interface when detections occur.
When an attempt is made to open, close, or rename a file, the scanner intercepts the operation and takes the configured action.
What criteria does the OAS use to determine if a file should be scanned?
- The file’s extension matches the configuration
- The file has not been cached
- The file has not been excluded
- The file has not been previously scanned
Assuming a file meets the scanning criteria for the OAS, what happens next?
It compares the information in the file with the known malware signatures in the currently loaded DAT files:
- If the file is clean, the result is cached and the read, write, or rename operation is granted.
- If the file contains a threat, the operation is denied and the configured action is taken. For example, if the file is to be cleaned, the cleaning process is determined by the currently loaded DAT files.
- The results are recorded in the activity log, if the scanner is configured to do so.
- The On-Access Scan Messages alert appears, describing the file name and the action taken, if the scanner is configured to do so.
If a file does not meet OAS criteria, what happens?
It is not scanned; the result is cached and the requested operation is granted.
When is the Scan File Cache flushed? What happens to the files?
When the OAS, an extra.dat file is added, or the cache is full
All cached results are discarded, so every file is rescanned the next time it is accessed.
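The decision flow on the preceding cards (scan criteria, signature match, cache, flush on Extra.DAT or a full cache) as an added, runnable model. This is illustration code written for this page, not VSE's implementation; the extension list, exclusion pattern, sample bytes and "signatures" are all constructed. One detail worth noticing: the cache key covers path and content, so a modified file cannot reuse a stale clean verdict, and an excluded path is granted without ever being scanned, which is exactly why exclusions deserve review.

```python
import fnmatch
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class OnAccessScanner:
    """Toy model of the on-access flow: criteria check, signature match, cache, flush."""
    scan_extensions: frozenset            # extensions the policy scans; hypothetical config
    exclusions: tuple = ()                # glob patterns on the full path; hypothetical config
    signatures: frozenset = frozenset()   # SHA-256 of known-bad content, standing in for DAT signatures
    max_cache: int = 1000                 # a full cache is flushed
    cache: set = field(default_factory=set)
    scans: int = 0                        # how many files were actually examined
    log: list = field(default_factory=list)

    @staticmethod
    def _cache_key(path, data):
        # Key on path AND content so a modified file never hits a stale "clean" result.
        return hashlib.sha256(path.lower().encode() + b"\0" + data).hexdigest()

    def should_scan(self, path, data):
        ext = os.path.splitext(path)[1].lower()
        if ext not in self.scan_extensions:            # extension not in the configuration
            return False
        if any(fnmatch.fnmatch(path.lower(), pat) for pat in self.exclusions):
            return False                               # excluded path
        return self._cache_key(path, data) not in self.cache   # cached / previously scanned

    def on_access(self, op, path, data):
        """Intercept an open/close/rename; return 'granted' or 'denied'."""
        if not self.should_scan(path, data):
            self._remember(path, data)                 # skipped files are cached and granted
            return "granted"
        self.scans += 1
        if hashlib.sha256(data).hexdigest() in self.signatures:
            self.log.append(f"{op} {path}: threat found, operation denied")
            return "denied"                            # a detection is never cached as clean
        self._remember(path, data)
        self.log.append(f"{op} {path}: clean")
        return "granted"

    def _remember(self, path, data):
        if len(self.cache) >= self.max_cache:
            self.flush("cache full")
        self.cache.add(self._cache_key(path, data))

    def flush(self, reason):
        """Drop every cached result; everything is rescanned on its next access."""
        self.cache.clear()
        self.log.append(f"cache flushed: {reason}")

    def load_extra_dat(self, new_signatures):
        """An Extra.DAT adds signatures, so cached 'clean' verdicts are no longer trustworthy."""
        self.signatures = self.signatures | frozenset(new_signatures)
        self.flush("Extra.DAT added")


BAD = b"constructed sample standing in for a known-bad file"   # constructed, not real malware


def demo():
    oas = OnAccessScanner(
        scan_extensions=frozenset({".exe", ".dll", ".docm"}),
        exclusions=(r"c:\build\*",),                      # hypothetical exclusion
        signatures=frozenset({hashlib.sha256(BAD).hexdigest()}),
    )
    results = [
        oas.on_access("open", r"C:\Users\a\notes.txt", b"hello"),       # not a scanned extension
        oas.on_access("open", r"C:\Users\a\tool.exe", b"clean bytes"),  # scanned, clean, cached
        oas.on_access("open", r"C:\Users\a\tool.exe", b"clean bytes"),  # cache hit, no rescan
        oas.on_access("open", r"C:\Users\a\dropper.exe", BAD),          # signature match: denied
        oas.on_access("open", r"C:\build\dropper.exe", BAD),            # excluded path: granted unscanned
    ]
    before = oas.scans
    oas.load_extra_dat({hashlib.sha256(b"newly signatured sample").hexdigest()})
    oas.on_access("open", r"C:\Users\a\tool.exe", b"clean bytes")       # rescanned after the flush
    return {"results": results, "scans_before_extra_dat": before, "scans_after_extra_dat": oas.scans}


if __name__ == "__main__":
    print(demo())
```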
How does the On Access Scanning process differ for writing vs reading to disk?
When files are being written to disk, the on-access scanner scans these items:
- Incoming files being written to the local hard drive.
- Files being created on the local hard drive or a mapped network drive (this includes new files, modified files, and files being copied or moved from one drive to another).
- NOTE: To scan mapped network drives, you must enable the On network drives option. Refer to Enabling on-network drives.
- These scans cover only access from the client where VSE is installed; access to the mapped network drive by other systems is not detected.
When files are being read from disk, the on-access scanner scans these items:
- Outgoing files being read from the local hard drive or mapped network drives.
- NOTE: To scan mapped network drives, select the On network drives option, described in the previous bullets, to include remote network files.
- Any file attempting to execute a process on the local hard drive
- Any file opened on the local hard drive
- Any file being renamed on the local hard drive, if the file properties have changed
How does the On-Access Scanning process differ depending on which file types are selected for scanning?
- When scanning all files, the scanner examines every file type for all possible threats.
- When scanning Default + additional file types, the scanner examines a list of specific files based on the file types you select:
  Default file types: the on-access scanner examines each specified file type only for threats that attack that file type.
  Additional file types: the on-access scanner examines files with matching extensions for all possible threats.
- When scanning specified file types, the on-access scanner examines the user-defined list of file extensions for all possible threats.
What is script scanning? How does it work?
The script scanner operates as a proxy in front of the real Windows Script Host component. It intercepts scripts and scans them before they are executed:
- If the script is clean, it is passed on to the real scripting host component.
- If the script contains a potential threat, the script is not executed.
Trusted processes, and websites that use scripts, can be excluded from inspection.
What is Artemis? How does it work?
Artemis uses heuristics to check for suspicious files. It gives users of Windows-based McAfee anti-virus products the most up-to-date real-time detections for certain malware.
Artemis does not provide protection for entire classes of malware, only for specific suspicious samples. The benefit of protecting against specific threats is that users are protected at virtually the same time that McAfee Labs determines a sample is malicious.
The administrator configures the sensitivity level Artemis uses when looking for suspicious programs and DLLs running on client systems protected by VSE. When Artemis detects a suspicious program, it sends a DNS request containing a fingerprint of the suspicious file to a central database server hosted by McAfee Labs.
What is the difference between General Settings and Process Settings?
General settings apply to the scanning of all processes and include parameters such as maximum scan time, scanning scripts, blocking unwanted threats from a remote computer, sending messages when threats are detected, and reporting detections.
Process settings are configured based on the risk you assign to each process. You can configure one default scanning policy for all processes, or different policies based on the risk assigned to each process. Parameters include assigning a risk level to processes, defining the items to scan, performing Artemis scanning, scanning compressed files, the actions taken on detections, and scanning for potentially unwanted programs.
What is an on-demand scan?
The on-demand scanner examines all parts of your computer for potential threats, at convenient times or at regular intervals. Use on-demand scans to supplement the continuous protection that the on-access scanner offers, or to schedule regular scans at times that do not interfere with your work.
How does On Demand Scanning work?
The on-demand scanner searches your system’s files, folders, memory, registry, and more looking for any malware that could have infected your system. You decide when and how the on-demand scans occur. You can scan your system manually, at a scheduled time, or for example, when your system boots.
What are the On-Demand Scanning Methods, and How are they defined?
In-memory process scanning
This method examines all active processes before running the on-demand scan task. Any detected potentially unwanted process is highlighted and the process is stopped. This means that a single pass with the on-demand scanner removes all instances of a potentially unwanted program.
Incremental or resumable scanning
This method lets you limit when on-demand scan activity occurs and still scan the entire system over multiple sessions. Incremental scanning is set by adding a time limit to the scheduled scan. The scan stops when the time limit is reached. The next time the task starts, it continues from the point in the file and folder structure where the previous scan stopped.
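Incremental scanning as an added, runnable model (illustration code for this page, not VSE's scanner): files are walked in a deterministic sorted order, the walk stops when the time budget is spent, and the last path scanned is the checkpoint the next session resumes after. The sample tree, the marker bytes that stand in for a detection, and the fake clock are constructed. Resuming by "first path greater than the checkpoint" rather than by index means files added or removed between sessions do not derail the walk.

```python
import os
import shutil
import tempfile
import time


def list_files(root):
    """Deterministic, sorted relative paths so a checkpoint is meaningful across sessions."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in filenames:
            paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(paths)


def resumable_scan(root, scan_file, checkpoint, time_limit, clock=time.monotonic):
    """Scan files after `checkpoint` (None = from the start) until `time_limit` seconds elapse.

    Returns (scanned, detections, new_checkpoint); new_checkpoint is None once the walk completes.
    """
    started = clock()
    scanned, detections = [], []
    for rel in list_files(root):
        if checkpoint is not None and rel <= checkpoint:
            continue                                   # already covered by an earlier session
        if clock() - started >= time_limit:
            return scanned, detections, checkpoint     # budget spent: resume here next time
        with open(os.path.join(root, rel), "rb") as fh:
            if scan_file(fh.read()):
                detections.append(rel)
        scanned.append(rel)
        checkpoint = rel
    return scanned, detections, None                   # whole tree covered


MARKER = b"CONSTRUCTED-THREAT-MARKER"                  # stands in for a signature hit


def demo():
    """Build a constructed tree and run sessions with a 3-tick budget until the walk completes."""
    root = tempfile.mkdtemp()
    try:
        files = {"a/1.txt": b"ok", "a/2.bin": MARKER, "b/3.txt": b"ok", "c.txt": b"ok", "d.exe": MARKER}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        sessions, checkpoint = [], None
        while True:
            ticks = iter(range(10 ** 6))               # fake clock: one second per call
            scanned, found, checkpoint = resumable_scan(
                root, lambda data: MARKER in data, checkpoint, time_limit=3, clock=lambda: next(ticks))
            sessions.append((scanned, found))
            if checkpoint is None:
                break
        return sessions
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for n, (scanned, found) in enumerate(demo(), 1):
        print(f"session {n}: scanned {scanned}, detections {found}")
```

In a real deployment the checkpoint must be persisted (the scheduled task is a fresh process each time) and the ordering must stay stable across reboots, otherwise the scanner silently skips or repeats parts of the tree.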