Threat Prevention Flashcards
What is the role of the Threat Prevention Security Module?
TP prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems
What does Threat Prevention provide protection from?
- Viruses, worms, and trojan horses
- Access point violations
- Buffer overflow exploits
- Illegal API use
- Network intrusions
- Potentially unwanted code and programs
- Vulnerability focused detection
- Zero-day exploit detection
How does Threat Prevention protect your system from intrusions?
Access Protection
Exploit Prevention: BOP, Illegal API Use, Network Intrusion Prevention, Expert Rules
How does Threat Prevention detect threats when they do occur in your environment?
- On-Access Scan
- On-Demand Scan
- Potentially Unwanted Programs
- Quarantine
- Dashboards and Monitors
- Queries and Reports
- Early Load Anti-Malware
How does Threat Prevention correct the threats/issues that are detected?
Actions
Alerts
Extra.DAT files
Scheduled Scans
Content Repositories
Log Files
Dashboards and Monitors
Give a high level description of the Access Protection feature of Threat Prevention
Protect against unwanted changes to client systems by restricting access to specified files, shares, registry keys, registry values, and preventing or restricting processes and services from executing threat behavior.
Give a high level description of the Exploit Prevention feature of Threat Prevention
Threat Prevention uses signatures in content updates to protect against these exploits:
○ Buffer Overflow Protection (BOP) - prevents exploited buffer overflows from executing arbitrary code on the system
○ Illegal API Use - protects against malicious API calls made by unknown or compromised applications running on the system
○ Network Intrusion Prevention - protects against network denial-of-service (DoS) attacks and bandwidth-oriented attacks that deny or degrade network traffic
○ Expert Rules - Provide additional parameters and allow more flexibility than the Access Protection custom rules. But, to create Expert Rules, you must understand the McAfee proprietary syntaxes
Give a high level description of the On-Access Scan feature of Threat Prevention
Scan for threats as files are read from, or written to, disk. Integrates with the Antimalware Scan Interface (AMSI) to provide enhanced scanning for threats in non-browser-based scripts
Give a high level description of the On-Demand Scan feature of Threat Prevention
Run or schedule predefined scans, including scans of spyware-related registry entries that weren't previously cleaned; scans can be configured to run only when the system is idle
What does the Potentially Unwanted Programs feature do?
Detect potentially unwanted programs, such as spyware and adware, and prevent them from running in your environment
When are AMCore content packages normally released?
By 7 GMT (2 EST)
How does the AMCore content file work with Threat Prevention?
When searching for threats, the scan engine compares the contents of scanned files to known threat information stored in the AMCore content files.
T/F: The AMCore content file contains content that the Exploit Prevention feature uses
False, Exploit Prevention has its own content file
What happens if during a scan, the scanner encounters a threat that doesn’t have a signature in the AMCore content file that is currently being used?
The scan engine can’t detect the threat, leaving the system vulnerable to attack
In addition to the current AMCore, how many previous versions are stored?
Two versions, which can be reverted to in case of an issue
What is the purpose of an Extra.DAT file?
DAT files that are deployed outside of the regular content update schedule in situations where new malware is discovered and extra detection is required
What happens to an Extra.DAT whenever it becomes out of date?
They have expiration dates built in.
Whenever an Extra.DAT is loaded, its expiration date is compared against the build date of the AMCore content installed on the system. If the AMCore content is newer than the Extra.DAT expiration date, the Extra.DAT is considered expired: it is no longer used by the system and is removed during the next update
Where are Extra DATs stored?
c:\Program Files\Common Files\McAfee\Engine\content\avengine\extradat
How often are Exploit Prevention packages released?
Once a month
How do application protection rules work?
Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and Illegal API use violations
Only processes in the Application Protection Rules list with the inclusion status of Include are monitored
When a monitored process starts, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and Illegal API use violations
What does it mean if the status of an Application Protection rule is Include? Exclude?
Include - Exploit Prevention injects its DLLs and monitors the process for violations.
Exclude - Exploit Prevention doesn’t inject its DLLs and doesn’t monitor the process for violations
What happens if the list includes conflicting application protection rules?
Exclude status rules take precedence over Include
What are signatures?
Collections of rules that compare behavior against known attacks and perform an action when a match is detected.
If script-intensive websites and web-based applications are experiencing poor performance, should you disable ScriptScan?
T/F: If ScriptScan is disabled when Internet Explorer is launched, and is then enabled, it won't detect malicious scripts in that instance of Internet Explorer?
What are the types of signatures?
File signatures report or block operations, such as renaming or executing, on specific files, paths, or drives
Services signatures report or block operations, such as starting, stopping, or changing the startup mode, on services
Registry signatures report or block operations such as creating or deleting, on registry keys and registry values
Processes signatures report or block operations such as access or running, on processes
Buffer Overflow signatures report or block malicious programs inserted into the memory space exploited by an attack
Illegal API Use signatures report or block API calls that might result in malicious activity
Network IPS signatures report or block malicious data that flows between the system and the rest of the network
What are behavioral rules?
-They block zero-day attacks and enforce proper OS and app behavior
-Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response
Example: A behavioral rule might state that only a web server process can access HTML files. If any other process tries to access HTML files, Exploit Prevention responds with the configured action
What is an action in the scope of Exploit Prevention?
What Exploit Prevention does when a signature is triggered.
Block- Prevents operation
Report- Allows the operation and reports the event
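The cards above describe two decisions Exploit Prevention makes: whether a process is monitored at all (Application Protection Rules, where a matching Exclude rule wins over a matching Include rule) and what happens when a monitored process violates a behavioral rule (Block or Report). The Python below is an added example written to illustrate that decision flow; it is not Trellix code. The rule fields, process names, file paths and the use of fnmatch-style wildcards are assumptions made for the example.

```python
"""Toy model of the Exploit Prevention decision flow described in the flashcards.

Added example, not Trellix/McAfee code.  Rule fields, sample process names,
file paths and fnmatch-style wildcard matching are assumptions for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AppProtectionRule:
    process: str   # process-name pattern, e.g. "*.exe" or "backup.exe"
    status: str    # "Include" or "Exclude"


@dataclass(frozen=True)
class BehavioralRule:
    name: str
    resource: str               # pattern of the protected resource, e.g. "*.html"
    allowed_processes: frozenset  # only these processes may touch the resource
    action: str                 # "Block" or "Report"


# Constructed rule set: monitor every .exe, but never inject into backup.exe.
APP_RULES = (
    AppProtectionRule(process="*.exe", status="Include"),
    AppProtectionRule(process="backup.exe", status="Exclude"),
)

# Constructed behavioral rule from the card: only web server processes may access HTML files.
BEHAVIORAL_RULES = (
    BehavioralRule(
        name="html-webserver-only",
        resource="*.html",
        allowed_processes=frozenset({"w3wp.exe", "httpd.exe"}),
        action="Block",
    ),
)


def is_monitored(process: str, rules=APP_RULES) -> bool:
    """Only processes matching an Include rule are monitored, and a matching
    Exclude rule takes precedence over any matching Include rule."""
    name = process.lower()
    matching = [r for r in rules if fnmatchcase(name, r.process.lower())]
    if any(r.status == "Exclude" for r in matching):
        return False
    return any(r.status == "Include" for r in matching)


def evaluate(process: str, resource: str,
             app_rules=APP_RULES, behavioral_rules=BEHAVIORAL_RULES) -> str:
    """Return the outcome for one access event.

    Unmonitored processes are never inspected.  For monitored processes the
    first behavioral rule whose resource pattern matches and whose allow-list
    does not contain the process fires with its configured action; Block
    prevents the operation, Report lets it proceed but logs an event.
    """
    if not is_monitored(process, app_rules):
        return "Allow (not monitored)"
    name = process.lower()
    for rule in behavioral_rules:
        if fnmatchcase(resource.lower(), rule.resource.lower()) and name not in rule.allowed_processes:
            return f"{rule.action} ({rule.name})"
    return "Allow"


if __name__ == "__main__":
    # Constructed sample events
    events = [
        ("w3wp.exe", r"C:\inetpub\wwwroot\index.html"),    # web server: allowed
        ("evil.exe", r"C:\inetpub\wwwroot\index.html"),    # other process: blocked
        ("backup.exe", r"C:\inetpub\wwwroot\index.html"),  # excluded: not inspected
        ("notepad.exe", r"C:\Users\jjohns\notes.txt"),     # no rule covers .txt
    ]
    for proc, res in events:
        print(f"{proc:12} {res:40} -> {evaluate(proc, res)}")
```

A Report action in this model returns a string rather than blocking, which mirrors the card: the operation goes ahead and only an event is generated. Swapping the rule's action to "Report" changes the outcome label without touching the matching logic.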
How does a write scan work w/ the OAS?
What are the different severity levels for Exploit Prevention signatures?
What is a custom signature
What is Network Intrusion Prevention (Network IPS)
What does Trellix GTI do in Threat Prevention?
How does on-demand scanning work?
How does on-access scanning work?
What criteria does the OAS use to determine whether to scan an item?
How does a read scan work w/ the OAS
T/F ScriptScan examines scripts system-wide
What criteria does the On-Demand Scanner use to determine if an item must be scanned?
What happens if a file meets the scanning criteria for the On-Demand Scanner?
How does System Utilization (throttling) work in respect to ODS?
What are the different System Utilization settings, and when should you use them?
How can you view CPU usage during scans?
How does Remote Storage scanning work?
If the On-Demand Scanner is running on a Windows 8 or Windows 10 machine and detects a threat in the path of an installed Windows Store app, what happens?
Name the Threat Prevention policy categories and give a high level description of them
Name the 3 different wildcard characters and what they represent?
What is ScriptScan and how does it work?
What is the workflow for ScriptScan?
What are some important tasks to complete post installation of Threat Prevention?
What are the levels of exclusions that can be applied in regards to access protection?
What are the roles and differences between McAfee Defined Access Protection Rules and User-Defined Access Protection Rules
If an access protection subrule includes file C:\marketing* but excludes C:\marketing\jjohns, what happens?
What is a Buffer Overflow Exploit attack?
What are the two types of buffer overflow exploits?
What is the difference between a quick scan, full scan, and right click scan?
What is the best practice as far as scanning?
What does the global scan cache do?
When is the Global Scan Cache flushed?
What are common ways that threats gain access to a computer?
When is an individual object flushed from the cache ?
Describe the OAS Scanning Options?
What options negatively impact performance for OAS?
How can you reduce the impact of On-Demand Scans on users?
What are the best practices for scanning?
How would you revert to a previous AMCore content file?