Product Guide: Part 3 - Response: Handling Threats Flashcards
What do we mean by response?
The actions that are taken to deal with detections when they occur
What happens when a detection occurs?
When a detection occurs, the reaction depends on how VSE is configured.
If VSE is configured to clean automatically (the suggested default setting), the resulting action depends on the cleaning instruction in the DAT file.
If the scanner cannot clean a file, or if the file has been damaged beyond repair, the scanner might delete the file or take the secondary action, depending on the definition in the DAT file.
When the scanner denies access to files with potential threats, it adds an .mcm extension to the file name when the file is saved
What happens when a System Access Point is violated?
When a system access point is violated, the action taken depends on how the rule was configured
If the rule was configured to:
Report – Information is recorded in the log file
Block – Access is denied
Review the log file to determine which system access points were violated and which rules detected the violations
Configure the access protection rules to allow users access to legitimate items and prevent users from accessing protected items
What happens when a Buffer Overflow is detected?
When a buffer overflow detection occurs, the scanner blocks the detection and a message is recorded in the On-Access Scan Messages dialog box.
You can view the dialog box, then decide whether to take any additional actions.
The actions you can take include:
Removing the message – Select the item in the list, then click Remove
Creating an exclusion – If the detected process is one that you legitimately use, or a false positive, create an exclusion using the information in the On-Access Scan Messages dialog box. Review the information in the Name column to determine the name of the process that owns the writable memory that is making the call. Use the process name to create an exclusion
Submitting a sample to McAfee Labs for analysis – If the scanner detects something that you think it should not detect, or does not detect something that you think it should, you can send a sample to McAfee Labs
What happens when an Unwanted Program is detected?
The on-access, on-demand, and email scanners detect unwanted programs based on the Unwanted Programs Policy you configured.
When a detection occurs, the scanner that detected the potentially unwanted program applies the action that you configured on the Actions tab for that scanner.
Review the information in the log file, then decide whether to take any of these additional actions
Fine-tune scanning items – This makes your scans more efficient
Exclude it from detection – If a legitimate program was detected, you can configure it as an exclusion
Add it to the user-defined detection list – If an unwanted program was not detected, you can add it to the user-defined detection list.
Submit a sample to McAfee Labs for analysis – If the scanner detects something that you think it should not detect or does not detect something that you think it should, you can send a sample to McAfee Labs
What happens during an On-Access Scan Detection?
When the on-access scanner detects malware, it takes action according to how you configured the Actions tab of the On-Access Scan Properties.
Also, a message is recorded in the On-Access Scan Messages dialog box
Review the information in the activity log and the On-Access Scan Messages dialog box, then decide whether to take any of these additional actions.
Fine-tune scanning items - To make scanning more efficient, exclude legitimate files that VSE might consider threats, and delete known threats that might be saved in the quarantine
Right-click an item in the On-Access Scan Messages dialog box - To perform these actions:
Clean File - Attempts to clean the file referenced by the selected message.
Delete File - Deletes the file referenced by the selected message. The file name is recorded in the log so that you can restore it from the Quarantine Manager
Select All (Ctrl+A)
Remove Message from List (Ctrl+D)
Remove All Messages
Open On-Access Scanner Log File – Opens the On-Access Scanner activity log file.
Open Access Protection log File - Opens the Access protection activity log file.
If an action is not available for the current message, the corresponding icon, button, and menu items are disabled. For example, Clean is not available if the file has already been deleted, and Delete is not available if the administrator has suppressed that action.
Clean file – A file cannot be cleaned if the DAT file has no cleaner or it has been damaged beyond repair. If the file cannot be cleaned, the scanner appends an .mcm extension to the file name and denies access to it. An entry is recorded in the log file. In this case, we recommend that you delete the file and restore it from a clean backup copy.
Submit a sample to McAfee Labs for analysis – If the scanner detects something that you think it should not detect, or does not detect something that you think it should, you can send a sample to McAfee Labs.
What happens during an On-Demand Scan Detection?
When an on-demand detection occurs, the scanner takes action according to how you configured the On-Demand Scan Properties, Actions tab.
Review the information in the log file, then decide whether to take any of these additional actions:
Fine-tune scanning items – This makes your scans more efficient
Prompt for action – If you configured the scanner to prompt for action, select the action to take from the On-Demand Scan Progress dialog
Submit a sample to McAfee Labs for analysis – If the scanner detects something that you think it should not detect, or does not detect something that you think it should, you can send a sample to McAfee Labs.
What happens during email scan detections?
When an email scan detection occurs, the scanner takes action according to how you configured the Actions tab of the On-Delivery Email Scan Properties or On-Demand Email Scan Properties.
Review the information in the log file, then decide whether to take any of these additional actions:
Fine-tune scanning items – This makes your scans more efficient
Submit a sample to McAfee Labs for analysis – If the scanner detects something that you think it should not detect, or does not detect something that you think it should, you can send a sample to McAfee Labs
What are Quarantined Items? How are they handled?
Items that are detected as threats are cleaned or deleted.
A copy of the item is converted to a non-executable format and saved in the Quarantine folder.
This allows you to process the quarantined items after downloading a later version of the DAT, which might contain information that can clean the threat.
These additional processes include:
Restore
Rescan
Delete
Check for false positive
View detection properties
Note: Quarantined items can include multiple types of scanned objects. These objects include files, cookies, registry entries, or anything else VSE scans for malware.
Process quarantined items to further check these items and manually delete or restore them using the Virus Scan Console
What is an Emergency DAT? How are they configured?
Emergency DATs, called EXTRA.DAT files, contain information used by VSE to detect a new virus.
When new malware is discovered and extra detection is required, an EXTRA.DAT file, packaged in a SuperDAT (SDAT) executable file, is made available by McAfee Labs until the normal VSE DAT update is released.
Configuring emergency DATs is a two-step process:
Download the emergency DAT file. This process is the same for both client systems and ePO repositories
Install the emergency DAT file. This process is different for client systems and ePO servers