Threat Prevention Flashcards

1
Q

What is the role of the Threat Prevention Security Module?

A

TP prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems

2
Q

What does Threat Prevention provide protection from?

A
  • Viruses, worms, and trojan horses
  • Access point violations
  • Buffer overflow exploits
  • Illegal API use
  • Network intrusions
  • Potentially unwanted code and programs
  • Vulnerability focused detection
  • Zero-day exploit detection
3
Q

How does Threat Prevention protect your system from intrusions?

A

Access Protection

Exploit Prevention: BOP, Illegal API Use, Network Intrusion Prevention, Expert Rules

4
Q

How does Threat Prevention detect threats when they do occur in your environment?

A
  • On-Access Scan
  • On-Demand Scan
  • Potentially Unwanted Programs
  • Quarantine
  • Dashboards and Monitors
  • Queries and Reports
  • Early Load Anti-Malware
5
Q

How does Threat Prevention correct the threats/issues that are detected?

A
Actions
Alerts
Extra.DAT files
Scheduled Scans
Content Repositories
Log Files
Dashboards and Monitors
6
Q

Give a high level description of the Access Protection feature of Threat Prevention

A

Protect against unwanted changes to client systems by restricting access to specified files, shares, registry keys, registry values, and preventing or restricting processes and services from executing threat behavior.

7
Q

Give a high level description of the Exploit Prevention feature of Threat Prevention

A

Threat Prevention uses signatures in content updates to protect against these exploits:

○ BOP (Buffer Overflow Protection) - Uses signatures in content updates to protect against buffer overflow exploits
○ Illegal API Use - Protects against malicious API calls made by unknown or compromised applications running on the system
○ Network Intrusion Prevention - Protects against network DoS attacks and bandwidth-oriented attacks that deny or degrade network traffic
○ Expert Rules - Provide additional parameters and allow more flexibility than the Access Protection custom rules, but to create Expert Rules you must understand the McAfee proprietary syntax

8
Q

Give a high level description of the On-Access Scan feature of Threat Prevention

A

Scans for threats as files are read from, or written to, disk. Scans can be run only when the system is idle, and it integrates with the Antimalware Scan Interface (AMSI) to provide enhanced scanning for threats in non-browser-based scripts

9
Q

Give a high level description of the On-Demand Scan feature of Threat Prevention

A

Run or schedule predefined scans, including scans of spyware-related registry entries that weren’t previously cleaned

10
Q

What does the Potentially Unwanted Programs feature do?

A

Detect potentially unwanted programs, such as spyware and adware, and prevent them from running in your environment

11
Q

When are AMCore content packages normally released?

A

By 07:00 GMT (02:00 EST)

12
Q

How does the AMCore content file work with Threat Prevention?

A

When searching for threats, the scan engine compares the contents of scanned files to known threat information stored in the AMCore content files.

13
Q

T/F: The AMCore content file contains content that the Exploit Prevention feature uses

A

False, Exploit Prevention has its own content file

14
Q

What happens if during a scan, the scanner encounters a threat that doesn’t have a signature in the AMCore content file that is currently being used?

A

The scan engine can’t detect the threat, leaving the system vulnerable to attack

15
Q

In addition to the current AMCore, how many previous versions are stored?

A

Two versions, which can be reverted to in case of an issue

16
Q

What is the purpose of an Extra.DAT file?

A

DAT files that are deployed outside of the regular content update schedule in situations where new malware is discovered and extra detection is required

17
Q

What happens to an Extra.DAT whenever it becomes out of date?

A

They have expiration dates built in.

Whenever an Extra.DAT is loaded, its expiration date is compared against the build date of the AMCore content installed on the system. If the AMCore content is newer than the Extra.DAT expiration date, the Extra.DAT is considered expired: it is no longer used by the system and is removed during the next update

18
Q

Where are Extra DATs stored?

A

c:\Program Files\Common Files\McAfee\Engine\content\avengine\extradat

19
Q

How often are Exploit Prevention packages released?

A

Once a month

20
Q

How do application protection rules work?

A

Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and Illegal API use violations

Only processes in the Application Protection Rules list with the inclusion status of Include are monitored

When a monitored process starts, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and illegal API use violations

21
Q

What does it mean if the status of an Application Protection rule is Include? Exclude?

A

Include - Exploit Prevention injects its DLLs and monitors the process for violations.

Exclude - Exploit Prevention doesn’t inject its DLLs and doesn’t monitor the process for violations

22
Q

What happens if the list includes conflicting application protection rules?

A

Exclude status rules take precedence over Include

23
Q

What are signatures?

A

Collections of rules that compare behavior against known attacks and perform an action when a match is detected.

24
Q

What are the types of signatures?

A

File signatures - Report or block operations, such as renaming or executing, on specific files, paths, or drives

Services signatures - Report or block operations, such as starting, stopping, or changing the startup mode, on services

Registry signatures - Report or block operations, such as creating or deleting, on registry keys and registry values

Processes signatures - Report or block operations, such as accessing or running, on processes

Buffer Overflow signatures - Report or block malicious programs inserted into the memory space exploited by an attack

Illegal API Use signatures - Report or block API calls that might result in malicious activity

Network IPS signatures - Report or block malicious data that flows between the system and the rest of the network

25
Q

What are behavioral rules?

A
  • They block zero-day attacks and enforce proper OS and app behavior
  • Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response

Example: A behavioral rule might state that only a web server process can access HTML files. If any other process tries to access HTML files, Exploit Prevention responds with the configured action

26
Q

What is an action in the scope of Exploit Prevention?

A

What Exploit Prevention does when a signature is triggered.

Block - Prevents the operation
Report - Allows the operation and reports the event

27
Q

What are the different severity levels for Exploit Prevention signatures?

A

High - Signatures that protect against clearly identifiable security threats or malicious actions.

Medium - Signatures that are behavioral in nature and prevent applications from operating outside of their environment

Low - Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they can’t be changed

Informational - Signatures that indicate a change to the system configuration that might create a benign security risk or an attempt to access sensitive system information

Disabled - Signatures that are disabled in the Exploit Prevention content file

28
Q

What is a custom signature?

A

A rule that can enhance the protection provided by default signatures.

They can be Custom Access Protection rules to protect specific files, services, registry keys and values, and processes

or

Expert Exploit Prevention Rules to prevent buffer overflow and illegal API use exploits, as well as protect files, services, registry, and processes

29
Q

What is Network Intrusion Prevention (Network IPS)?

A

Monitors network activity to protect the client system from threats by inspecting all data that flows between the client system and the network

It compares the network data with the known network-based attacks in the Network IPS signatures. If the data matches a known attack, Network IPS responds with the configured action, such as blocking the data from the system

30
Q

What does McAfee GTI do in Threat Prevention?

A

Uses heuristics or file reputation to check for suspicious files through on-access scanning and on-demand scanning

31
Q

How does On-Access Scanning work?

A

The On-Access Scanner examines files as the user accesses them, providing continuous, real-time detection of threats.

It integrates with the system at the File-System Filter Driver and scans files where they first enter the system.

32
Q

What criteria does the OAS use to determine whether to scan an item?

A
  • The file extension matches the configuration
  • The file information isn’t in the global scan cache
  • The file hasn’t been excluded or previously scanned
33
Q

How does a read scan work with the OAS?

A

If read scan is selected and an attempt is made to read, open, or execute a file:

  1. The scanner blocks the request
  2. The scanner determines whether the item must be scanned
    - If the file doesn’t need to be scanned, the scanner unblocks the file, caches the file information, and grants the operation
    - If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file
      • If the file is clean, the scanner unblocks the file and caches the result
      • If the file contains a threat, the scanner denies access to the file and responds with the configured action
34
Q

How does a write scan work with the OAS?

A

The scanner examines the file only after it is written to disk and closed

  1. The scanner determines whether the item must be scanned
    - If the file doesn’t need to be scanned, the scanner caches the file information and grants the operation
    - If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file
      • If the file is clean, the scanner caches the result
      • If the file contains a threat, the scanner responds with the configured action. The scanner doesn’t deny access to the file
35
Q

What is ScriptScan and how does it work?

A

The Threat Prevention script scanner intercepts and scans scripts before they are executed.

It is a browser helper object that examines JavaScript and VBScript code for malicious scripts before they are executed. If the script is clean, it passes to JavaScript or VBScript for handling. If ScriptScan detects a malicious script, it blocks the script from executing

36
Q

T/F: ScriptScan examines scripts system-wide

A

False, it examines scripts for Internet Explorer only. It doesn’t look at scripts system-wide and doesn’t examine scripts run by wscript.exe or cscript.exe

37
Q

T/F: If ScriptScan is disabled when Internet Explorer is launched and is then enabled, it won’t detect malicious scripts in that instance of Internet Explorer

A

True, Internet Explorer must be restarted after enabling ScriptScan for it to detect malicious scripts

38
Q

What is the workflow for ScriptScan?

A

Browser accesses a web page with a script -> If ScriptScan is enabled, ScriptScan scans script -> If the Script is clean, ScriptScan passes the script to the native Windows Script Host, if it isn’t clean, ScriptScan prevents the script from executing

39
Q

If script-intensive websites and web-based applications are experiencing poor performance, should you disable ScriptScan?

A

No, you can make URL exclusions for ScriptScan

40
Q

How does On-Demand Scanning work?

A

The On-Demand Scanner searches files, folders, memory, and registry, looking for malware that might have infected the computer.

41
Q

What criteria does the On-Demand Scanner use to determine if an item must be scanned?

A
  • The file extension matches the configuration
  • The file hasn’t been cached, excluded, or previously scanned (if the scanner uses the scan cache)

42
Q

What happens if a file meets the scanning criteria for the On-Demand Scanner?

A

The scanner compares the information in the item to the known malware signatures in the currently loaded AMCore content files

  • If the file is clean, the result is cached, and the scanner checks the next item.
  • If the file contains a threat, the scanner responds with the configured action, such as cleaning the file
43
Q

If the On-Demand Scanner is running on a Windows 8 or Windows 10 machine and detects a threat in the path of an installed Windows Store app, what happens?

A

The scanner marks it as tampered, and Windows adds the tampered flag to the tile for the app.

When you attempt to run it, Windows notifies you of the problem and directs you to the Windows Store to reinstall

44
Q

How does System Utilization (Throttling) work with respect to ODS?

A

Determines the amount of CPU time allotted during an On-Demand Scan

The On-Demand Scanner uses the Windows Set Priority setting for the scan process and thread priority

45
Q

What are the different System Utilization settings, and when should you use them?

A

Low - Provides improved performance for other running applications. Sets the number of threads for the scan to 1 (select this option for systems with end-user activity)

Below normal - Sets the number of threads for the scan equal to the number of CPUs; the default setting for the preconfigured Full Scan and Quick Scan ODSs

Normal - Enables the scan to complete faster by setting the number of threads for the scan to twice the number of CPUs (select this option for systems that have large volumes and little end-user activity)

46
Q

How can you view CPU usage during scans?

A

Open the Task Manager and view the CPU utilization consumed by the McAfee Scanner service process (mcshield.exe)

47
Q

How does Remote Storage scanning work?

A

It restores files that have been migrated to storage to the local system before scanning.

Select the ‘Files that have been migrated to storage’ option to configure the ODS to scan files that Remote Storage manages

48
Q

What are some important tasks to complete post installation of Threat Prevention?

A

Configure the logging (BP: Enable debug logging for the first 24 hours during testing and pilot phases)

Confirm engine and content files

Make sure access protection and exploit prevention are enabled

Configure Quarantine location/duration, detection names for exclusions, PUP

Configure OAS to your needs

Configure and schedule regular targeted scans

Configure engine and content file updates

49
Q

Name the Threat Prevention policy categories and give a high level description of them

A

Access Protection - Prevents unwanted changes to the client system by restricting access to specified files, shares, registry keys, registry values, processes, and services

Exploit Prevention - Prevents applications from executing arbitrary code. Detects and prevents known network-based attacks

OAS - Configures scheduled scanning of all processes, including maximum scan time, and threat detection message configuration

ODS - Configures preconfigured scans that run on the client system (Full Scan, Quick Scan, Right-Click Scan)

Options - Configures settings that apply to both the OAS and ODS

50
Q

Name the 3 different wildcard characters and what they represent

A

? - Single character. This wildcard applies only if the number of characters matches the length of the file or folder name. Example: W?? excludes WWW, but doesn’t exclude WW or WWWW

* - Multiple characters, except backslash \ (*\ at the beginning of a file path is not valid. Use **\ instead, such as **\ABC*)

** - Zero or more of any characters, including backslash. For example: C:\ABC**\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\XYZ

51
Q

What are common ways that threats gain access to a computer?

A

Macros (part of word-processing documents and spreadsheet applications)

Executable files

Scripts

Internet Relay Chat messages

Browser and application help files

Email

Combinations of all these access points

52
Q

What are the levels of exclusions that can be applied with regard to Access Protection?

A

Rule Level - Exclusions and Inclusions apply to the specified rule

Policy Level - Exclusions apply to all rules

53
Q

What are the roles and differences between McAfee-defined Access Protection rules and user-defined Access Protection rules?

A

McAfee-defined rules prevent changes to commonly used files and settings. They can’t be deleted, the files and settings protected by the rules can’t be changed, and subrules/usernames can’t be added to the rules

User-defined rules provide supplementary protection to the McAfee-defined rules. An empty Executables table indicates that the rule applies to all executables; an empty Usernames table indicates that the rule applies to all users

54
Q

If an access protection subrule includes file C:\marketing* but excludes C:\marketing\jjohns, what happens?

A

The subrule will trigger for any of the files in that directory, except for jjohns, because exclude takes precedence over include

55
Q

What is a Buffer Overflow Exploit attack?

A

When an attacker overflows the fixed-size memory buffer reserved for an input process and then runs executable code, allowing them to take over the target computer or compromise its data

56
Q

What are the two types of buffer overflow exploits?

A

Stack-based attacks - use the stack memory objects to store user input (most common)

Heap-based attacks - flood the memory space reserved for a program (rare)

57
Q

What is the difference between a quick scan, full scan, and right click scan?

A

Quick Scan - runs a quick check of the areas of the system most susceptible to infection
Full Scan - performs a thorough check of all areas of the system (recommended if you suspect the computer is infected)
Right Click Scan - Scan an individual file or folder at any time from Windows Explorer by right clicking the file or folder and selecting Scan for threats from the pop-up menu

58
Q

What is the best practice as far as scanning?

A

Use weekly full scan to supplement the continuous protection of the on-access scan. The full scan includes fewer exclusions and actively checks all files for malicious code

59
Q

What does the global scan cache do?

A

Stores clean scan results, allowing OAS and ODS to use it to avoid scanning known clean files and improve performance

60
Q

When is the Global Scan Cache flushed?

A
  • OAS/ODS config changes
  • Extra.DAT is loaded
  • Daily AMCore content file includes an updated Trust DAT (Trust DATs are released every 1-2 weeks, as needed for new certificates)
  • The system reboots in safe mode
61
Q

When is an individual object flushed from the cache ?

A
  • The object has changed on the disk
  • The object expires
  • The object is more than 5 days old (may differ from the default if the cache is full)
62
Q

Describe the OAS Scanning Options?

A

Scan on write:

  • Scanner examines file only after it has been written to disk and closed.
  • Examines when files are created or changed on the local hard drive
  • Copied or moved from a mapped drive to the local hard drive
  • Copied or moved from the local hard drive to a mapped drive

Scan on read:

  • Scanner prevents access to files unless they are determined to be clean
  • Examines when files are read, opened or executed from local hard drive or from mapped network drives

Let McAfee decide

  • The OAS uses trust logic to optimize scanning. Trust logic improves your security and boosts performance with scan avoidance, avoiding unnecessary scans
  • For example, McAfee analyzes and considers some programs to be trustworthy. If McAfee verifies that these programs haven’t been tampered with, the scanner might perform reduced or optimized scanning
63
Q

What options negatively impact performance for OAS?

A

  • Scan processes on service startup and content update: because some programs or executables start automatically when you start your system, deselect this option to improve system startup time
  • Scan trusted installers: scans MSI files or Windows Trust Installer service files; deselect this option to improve the performance of large Microsoft application installers
  • On network drives: scans resources on mapped network drives; deselect to improve performance
  • Opened for backups: scans files when accessed by backup software
  • Compressed archive files: examines the contents of archive (compressed) files, including .jar files
64
Q

How can you reduce the impact of On-Demand Scans on users?

A
  • Enable On-Demand Scan only when the computer is idle, which pauses the scan when TP detects disk or user activity
  • Pause scans when the system is on battery power or in presentation mode
  • Allow users to defer the scan
  • Limit scan activity with incremental scans by using the “Stop the task if it runs for” option to stop the scan after it runs for a certain time; it resumes from the same place when the task is started again
  • Configure system utilization to Low
  • Scan only what you need to
65
Q

What are the best practices for scanning?

A
  • Memory scan (Quick Scan): daily
  • Active user scans: weekly (possibly daily)
  • Server scans: weekly recommended, monthly acceptable
66
Q

How would you revert to a previous AMCore content file?

A

Use the Roll Back AMCore Content client task