Product Guide: Prevention: Avoiding Threats Flashcards
What does Access Protection do?
Compares an action being requested against a list of configured rules. Each rule can be configured to block or report, or block and report access violations when they occur
Why is Access Protection helpful?
- Prevents unwanted changes to the computer by restricting access to specified ports, files, shares, registry keys, and registry values.
- Also protects McAfee processes by preventing users from stopping them (this protection is critical before and during outbreaks).
T/F: The on-access scanner, which detects access violations, must be enabled to detect attempts to access ports, files, shares, and registry keys and registry values.
True
What are the most common ways that threats gain access to your system?
- Macros – As part of word processing documents and spreadsheet applications.
- Executable files – Seemingly benign programs can include viruses along with the expected program. For example, some common file extensions are .exe, .com, .vbs, .bat, .hlp and .dll.
- Email – Jokes, games, and images as part of email messages with attachments.
- Scripts – Associated with web pages and emails, scripts such as ActiveX and JavaScript, if allowed to run, can include viruses.
- Internet Relay Chat (IRC) messages – Files sent along with these messages can easily contain malware as part of the message. For example, automatic startup processes can contain worms and trojan threats.
- Browser and application help files – Downloading these HELP files exposes the system to embedded viruses and
- Combinations of all these – Sophisticated malware creators combine all of these delivery methods and even embed one piece of malware within another to try and access your computer.
What is the basic process VSE uses when providing Access Protection?
- A user or process tries to take an action.
- That action is examined by Access Protection according to the defined rules.
- When a rule is broken, the action requested by the user or process is managed using the information in the configured rules. For example, nothing happens, the action is blocked, or the action is blocked and a report is sent.
- The Access Protection log file is updated, and an event is generated for the ePO global administrator.
How does setting a password for the VSE client interface affect users?
- Non-admins – Non-admins run all VSE applications in read-only mode. They can view some configuration parameters, run saved scans, and run immediate scans and updates. They cannot change any configuration parameters, or create, delete, or modify saved scan or update tasks.
- Administrators – Administrators must type the password to access the protected tabs and controls in read/write mode. If a password is not provided for a protected item, they view it in read-only mode.
What are the different kind of Access Protection rules?
Anti-virus
- Rules protecting your computer from common behaviors of malware threats. You can enable, disable, and change the configuration, but you can't delete these rules.
Common
- These preconfigured rules prevent modification of commonly used files and settings.
- Enable, disable, and change configuration, but cannot delete.
VM protection
- These preconfigured rules prevent termination of VMware processes and modification of VMware files.
- Enable, disable, and change configuration, but cannot delete.
User-defined
- These custom rules supplement the protection provided by the Anti-virus and Common rules.
Anti-spyware
Examples:
- Prevent Internet Explorer favorites and settings
- Prevent programs from running and execution of scripts from the Temp folder
What are the different Access Protection Levels
- Standard: Anti-virus and Common rules that protect some critical settings and files from being modified, but generally allow you to install and execute legitimate software.
- Maximum: Anti-virus and Common rules that protect most critical settings and files from being modified. This level provides more protection than Standard, but might prevent you from installing legitimate software. If you cannot install software, we recommend that you disable the Access Protection feature first, then enable it again after installation.
- Outbreak Control: Anti-virus rules that block destructive code from accessing the computer until a DAT file is released. These rules are preconfigured to block access to shares during an outbreak.
How does VSE respond to an Access Point Violation
When an access point violation occurs:
- Information is recorded in the log file, if you selected the Report option for the rule that detected the violation.
- The event is recorded in the local event log and to SNMP, if you configured Alert Properties to do so.
- The event is reported to Alert Manager and ePolicy Orchestrator, if those products are configured to do so.
- The Block and Report actions set for a rule determine what happens when the rule detects a violation.
- On the standalone client system, a red frame surrounds the system tray icon and remains visible for 30 minutes, unless you reset it.
What are the Types of User-Defined Rules
Port Blocking Rule:
- Blocks incoming or outgoing network traffic on specific ports or ranges of ports.
Note: When you block a port, any protocol using that port or range of ports is blocked. For example, both TCP and UDP accesses are blocked.
File/Folder Blocking Rule:
- Blocks write access to files and folders, file execution, plus new file creation and file deletion.
Note: Once you restrict access to a file or folder, the restriction remains in place until the administrator removes it. This helps prevent intrusions and stops them from spreading during an outbreak.
Registry Blocking Rule:
- Protects registry keys or values by blocking these actions: write to, create, or delete.
What is a Buffer Overflow Attack?
- Attackers use buffer overflow exploits to run executable code by overflowing the fixed-size memory buffers reserved for an input process. This code lets the attacker take over the target computer or compromise its data.
- There are heap-based attacks, which are rare and difficult to execute, and stack-based attacks, which are more common.
What is the process of a Stack Based Overflow attack?
1. Normal stack memory process — The fixed-size stack memory object is usually empty and waiting for user input. When a program receives input from the user, such as their name, the data is stored on top of the stack and assigned a return memory address. When the stack is processed, the user's input is sent to the return address specified by the program.
2. Overflowing the stack — When the program is written, a specific amount of memory space is reserved for the data. The stack overflows if the data written is larger than the space reserved for it within the memory stack. This is only a problem when combined with malicious input.
3. Exploiting the overflow — If the program is waiting for a user to enter their name, but the attacker enters an executable command that exceeds the stack size, that command is saved outside of the reserved space.
4. Running the malicious code — The command is not automatically run just because it exceeds the stack buffer space. But it could be if a return address that points to the malicious command is provided by the attacker. Initially the program starts to crash because of the buffer overflow, but the program tries to recover by using the return address provided by the attacker. If the return address is a valid address, the malicious command is executed.
5. Exploiting the permissions — Since programs usually run either in kernel mode or with permissions inherited from a service account, the malicious code is now running with the same permissions as the application that was compromised. This could mean the attacker can gain full control of the operating system.
How does VSE Buffer Overflow Protection work?
- BOP prevents exploited buffer overflows from executing arbitrary code on your computer. It monitors user-mode API calls and recognizes when they are called as a result of a buffer overflow.
- When a detection occurs, information is recorded in the activity log and displayed in the On-Access Scan Messages dialog box, if you configured those options to do so.
- VSE uses a Buffer Overflow and Access Protection DAT file to protect approximately 30 applications, for example, Internet Explorer, Microsoft Outlook, Outlook Express, Microsoft Word, and MSN Messenger.
What are Potentially Unwanted Programs?
PUPs are defined as software programs written by legitimate companies that can alter the security state or the privacy policy of the computer on which they are installed. This software can, but does not necessarily, include spyware, adware, and dialers. These embedded PUPs can be downloaded with a program that you actually want. Security-minded users recognize such programs and, in some cases, remove them.
How is Potentially Unwanted Program protection configured in VSE?
Configuration is a two-step process:
1. Configure the Unwanted Programs policy to define which potentially unwanted programs to detect and exclude:
- Select categories of programs, or specific programs within a category, from a predefined list which comes from the current DAT file.
- Specify exclusions.
- Create a list of user-defined programs to detect.
2. Enable unwanted program detection in the on-access, email, and on-demand scanners, then configure which actions to take when an unwanted program is detected.