Threat Prevention

Question 1

What is the role of the Threat Prevention Security Module?

Answer 1

TP prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems

Question 2

What does Threat Prevention provide protection from?

Answer 2

• Viruses, worms, and trojan horses
• Access point violations
• Buffer overflow exploits
• Illegal API use
• Network intrusions
• Potentially unwanted code and programs
• Vulnerability focused detection
• Zero-day exploit detection

Question 3

How does Threat Prevention protect your system from intrusions?

Answer 3

Access Protection
Exploit Prevention: BOP, Illegal API Use, Network Intrusion Prevention, Expert Rules

Question 4

How does Threat Prevention detect threats when they do occur in your environment?

Answer 4

-On-Access Scan
-On-Demand Scan
-Potentially Unwanted Programs
-Quarantine
-Dashboards and Monitors
-Queries and Reports
-Early Load Anti-Malware

Question 5

How does Threat Prevention correct the threats/issues that are detected?

Answer 5

Actions
Alerts
Extra.DAT files
Scheduled Scans
Content Repositories
Log Files
Dashboards and Monitors

Question 6

Give a high level description of the Access Protection feature of Threat Prevention

Answer 6

Protect against unwanted changes to client systems by restricting access to specified files, shares, registry keys, registry values, and preventing or restricting processes and services from executing threat behavior.

Question 7

Give a high level description of the Exploit Prevention feature of Threat Prevention

Answer 7

Threat Prevention uses signatures in content updates to protect against these exploits:

○ BOP - Uses signatures in content updates to protect against these exploits
○ Illegal API Use - protect against malicious API calls being made by unknown or compromised applications running on the system
○ Network Intrusion Prevention - Protect against network dos attacks and bandwidth oriented attacks that deny or degrade network traffic.
○ Expert Rules - Provide additional parameters and allow more flexibility than the Access Protection custom rules. But, to create Expert Rules, you must understand the McAfee proprietary syntaxes

Question 8

Give a high level description of the On-Access Scan feature of Threat Prevention

Answer 8

Scan for threats as files are read from, or written to, disk. Run scans only when the system is idle, integrates with Anti malware Scan Interface (ASMI) to provide better enhanced scanning for threats in non-browser-based scripts

Question 9

Give a high level description of the On-Demand Scan feature of Threat Prevention

Answer 9

Run or schedule predefined scans, including scans of spyware-related registry entries that weren’t previously cleaned

Question 10

What does the Potentially Unwanted Programs feature do?

Answer 10

Detect potentially unwanted programs, such as spyware and adware, and prevent them from running in your environment

Question 11

When are AMCore content packages normally released?

Answer 11

By 7 GMT (2EST)

Question 12

How does the AMCore content file work with Threat Prevention?

Answer 12

When searching for threats, the scan engine compares the contents of scanned files to known threat information stored in the AMCore content files.

Question 13

T/F: The AMCore content file contains content that the Exploit Prevention feature uses

Answer 13

False, Exploit Prevention has its own content file

Question 14

What happens if during a scan, the scanner encounters a threat that doesn’t have a signature in the AMCore content file that is currently being used?

Answer 14

The scan engine can’t detect the threat, leaving the system vulnerable to attack

Question 15

In addition to the current AMCore, how many previous versions are stored?

Answer 15

Two versions, which can be reverted to in case of an issue

Question 16

What is the purpose of an Extra.DAT file?

Answer 16

DAT files that are deployed outside of the regular content update schedule in situations where new malware is discovered and extra detection is required

Question 17

What happens to an Extra.DAT whenever it becomes out of date?

Answer 17

They have expiration dates built in.

Whenever an Extra.DAT is loaded, the expiration date is compared against the build date of the AMCore content installed on the system. If the AMCore content is newer than Extra.DAT expiration date, the Extra.DAT is considered expired, so it will no longer be used by the system, and will consequently be removed during the next update

Question 18

Where are Extra DATs stored?

Answer 18

c:\Program Files\Common Files\McAfee\Engine\content\avengine\extradat

Question 19

How often are Exploit Prevention packages released?

Answer 19

Once a month

Question 20

How do application protection rules work?

Answer 20

Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and Illegal API use violations

Only processes in the Application Protection Rules list with the inclusion status of Include are monitored

When a monitored process started, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and illegal API use violations

Question 21

What does it mean if the status of an Application Protection rule is Include? Exclude?

Answer 21

Include - Exploit Prevention injects its DLLs and monitors the process for violations.

Exclude - Exploit Prevention doesn’t inject its DLLs and doesn’t monitor the process for violations

Question 22

What happens if the list includes conflicting application protection rules?

Answer 22

Exclude status rules take precedence over Include

Question 23

What are signatures?

Answer 23

Collections of rules that compare behavior against known attacks and perform an action when a mathc is detected.

Question 24

If Script-intensive website and web-based applications are experiencing poor performance, should you disabled script scan?

Question 25

T/F I fScriptScan is disabled when Internet Explorer is launched, and then ot is enabled it won’t detect malicios scripts in that instance of Internet Explorer?

Question 26

What are the types of signatures?

Answer 26

File Signatures - Report or block operatinos such as renaming or executing, on specific files, paths or drives

Services signatures report or block operations such a starting, stopping, or changing the startup mode, on services

Registry signatures report or block operations such as creating or deleting, on registry keys and registry values

Processes signatures report or block operations such as access or running, on processes

Buffer Overflow signatures report or block malicious programs inserted into the memory space exploited by an attack

Illegal API Use signatures report or block API calls that might result in malicious activity

Network IPS signatures report or block malicious data that flows between the system and the rest of the network

Question 27

What are behavioral rules?`

Answer 27

-They block zero-day attacks and enforce proper OS and app behavior

-Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response

Example: A Behavioral rule might state that only a web server process can access HTML files. If any other process tries to access HTML files, Exploit Prevent responds with the configured action

Question 28

What is an action in the scope of Exploit Prevention?

Answer 28

What Exploit Prevention does when a signature is triggered.

Block- Prevents operation
Report- Allows the operation and reports the event

Question 29

How does a write scan work w/ the OAS?

Question 30

What are the different severity levels for Exploit Prevention signatures?

Question 31

What is a custom signature

Question 32

What is Network Intrusion Prevention (Network IPS)

Question 33

What does Trellix GTI do in Threat Prevention?

Question 34

How does on-demand scannong work?

Question 35

How does on-access scanning work?

Question 36

What criteria does the OAS use to determine whether to scan an item?

Question 37

How does a read scan work w/ the OAS

Question 38

T/F ScriptScan examines scripts system-wide

Question 39

What criteria does the On-Demand Scanner use to determine if an item must be scanned?

Question 40

What happens if a file meets the scanning criteria for the On-Demand Scanner?

Question 41

How does System Utilization(Throttling) work in respect to ODS

Question 42

What are the different System Utilization settings, and when should you use them?

Question 43

How can you view CPU usage during scans?

Question 44

How does Remote Storage scanning work?

Question 45

If the On-Demand Scanner is running on a Windows 8 or Windows 10 machine and detects a threat in the path of an installed Windows Store app, what happens?

Question 46

Name the Threat Prevention policy categories and give a high level description of them

Question 47

Name the 3 different wildcard characters and what they represent?

Question 48

What is ScriptScan and does it work?

Question 49

What is the workflow for ScriptScan?

Question 50

What are some important tasks to complete post installation of Threat Prevention?

Question 51

What are the levels of exclusions that can be applied in regards to access protection?

Question 52

What are the roles and differences between McAfee Defined Access Protection Rules and User-Defined Access Protection Rules

Question 53

If an access protection subrule includes file C:\marketing* but excludes C:\marketing\jjohns, what happens?

Question 54

What is a Buffer Overflow Exploit attack?

Question 55

What are the two types of buffer overflow exploits?

Question 56

What is the difference between a quick scan, full scan, and right click scan?

Question 57

What is the best practice as far as scanning?

Question 58

What does the global scan cache do?

Question 59

When is the Global Scan Cache flushed?

Question 60

What are common ways that threats gain access to a computer?

Question 61

When is an individual object flushed from the cache ?

Question 62

Describe the OAS Scanning Options?

Question 63

What options negatively impact performance for OAS?

Question 64

How can you reduce the impact of On-Demand Scans on users?

Question 65

What are the best practices for scanning?

Question 66

How would you revert to a previous AMCore content file?