Threat Prevention Flashcards
What is the role of the Threat Prevention Security Module?
TP prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems
What does Threat Prevention provide protection from?
- Viruses, worms, and trojan horses
- Access point violations
- Buffer overflow exploits
- Illegal API use
- Network intrusions
- Potentially unwanted code and programs
- Vulnerability focused detection
- Zero-day exploit detection
How does Threat Prevention protect your system from intrusions?
Access Protection
Exploit Prevention: BOP, Illegal API Use, Network Intrusion Prevention, Expert Rules
How does Threat Prevention detect threats when they do occur in your environment?
- On-Access Scan
- On-Demand Scan
- Potentially Unwanted Programs
- Quarantine
- Dashboards and Monitors
- Queries and Reports
- Early Load Anti-Malware
How does Threat Prevention correct the threats/issues that are detected?
- Actions
- Alerts
- Extra.DAT files
- Scheduled Scans
- Content Repositories
- Log Files
- Dashboards and Monitors
Give a high level description of the Access Protection feature of Threat Prevention
Protect against unwanted changes to client systems by restricting access to specified files, shares, registry keys, registry values, and preventing or restricting processes and services from executing threat behavior.
Give a high level description of the Exploit Prevention feature of Threat Prevention
Threat Prevention uses signatures in content updates to protect against these exploits:
○ BOP (Buffer Overflow Protection) - Protects against buffer overflow exploits
○ Illegal API Use - Protects against malicious API calls made by unknown or compromised applications running on the system
○ Network Intrusion Prevention - Protects against network DoS attacks and bandwidth-oriented attacks that deny or degrade network traffic
○ Expert Rules - Provide additional parameters and allow more flexibility than the Access Protection custom rules. But to create Expert Rules, you must understand the McAfee proprietary syntax
Give a high level description of the On-Access Scan feature of Threat Prevention
Scans for threats as files are read from, or written to, disk. Can run scans only when the system is idle. Integrates with the Antimalware Scan Interface (AMSI) to provide enhanced scanning for threats in non-browser-based scripts
Give a high level description of the On-Demand Scan feature of Threat Prevention
Run or schedule predefined scans, including scans of spyware-related registry entries that weren’t previously cleaned
What does the Potentially Unwanted Programs feature do?
Detect potentially unwanted programs, such as spyware and adware, and prevent them from running in your environment
When are AMCore content packages normally released?
By 7:00 GMT (2:00 EST)
How does the AMCore content file work with Threat Prevention?
When searching for threats, the scan engine compares the contents of scanned files to known threat information stored in the AMCore content files.
T/F: The AMCore content file contains content that the Exploit Prevention feature uses
False, Exploit Prevention has its own content file
What happens if during a scan, the scanner encounters a threat that doesn’t have a signature in the AMCore content file that is currently being used?
The scan engine can’t detect the threat, leaving the system vulnerable to attack
In addition to the current AMCore, how many previous versions are stored?
Two versions, which can be reverted to in case of an issue
What is the purpose of an Extra.DAT file?
DAT files that are deployed outside of the regular content update schedule in situations where new malware is discovered and extra detection is required
What happens to an Extra.DAT whenever it becomes out of date?
They have expiration dates built in.
Whenever an Extra.DAT is loaded, its expiration date is compared against the build date of the AMCore content installed on the system. If the AMCore content is newer than the Extra.DAT expiration date, the Extra.DAT is considered expired, so it will no longer be used by the system and will consequently be removed during the next update
Where are Extra DATs stored?
c:\Program Files\Common Files\McAfee\Engine\content\avengine\extradat
How often are Exploit Prevention packages released?
Once a month
How do application protection rules work?
Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and Illegal API use violations
Only processes in the Application Protection Rules list with the inclusion status of Include are monitored
When a monitored process starts, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and illegal API use violations
What does it mean if the status of an Application Protection rule is Include? Exclude?
Include - Exploit Prevention injects its DLLs and monitors the process for violations.
Exclude - Exploit Prevention doesn’t inject its DLLs and doesn’t monitor the process for violations
What happens if the list includes conflicting application protection rules?
Exclude status rules take precedence over Include
What are signatures?
Collections of rules that compare behavior against known attacks and perform an action when a match is detected.
What are the types of signatures?
- File signatures - Report or block operations such as renaming or executing, on specific files, paths, or drives
- Services signatures - Report or block operations such as starting, stopping, or changing the startup mode, on services
- Registry signatures - Report or block operations such as creating or deleting, on registry keys and registry values
- Processes signatures - Report or block operations such as accessing or running, on processes
- Buffer Overflow signatures - Report or block malicious programs inserted into the memory space exploited by an attack
- Illegal API Use signatures - Report or block API calls that might result in malicious activity
- Network IPS signatures - Report or block malicious data that flows between the system and the rest of the network
What are behavioral rules?
- They block zero-day attacks and enforce proper OS and app behavior
- Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response
Example: A behavioral rule might state that only a web server process can access HTML files. If any other process tries to access HTML files, Exploit Prevention responds with the configured action
What is an action in the scope of Exploit Prevention?
What Exploit Prevention does when a signature is triggered.
- Block - Prevents the operation
- Report - Allows the operation and reports the event
What are the different severity levels for Exploit Prevention signatures?
High - Signatures that protect against clearly identifiable security threats or malicious actions.
Medium - Signatures that are behavioral in nature and prevent applications from operating outside of their environment
Low - Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they can’t be changed
Informational - Signatures that indicate a change to the system configuration that might create a benign security risk or an attempt to access sensitive system information
Disabled - Signatures that are disabled in the Exploit Prevention content file
What is a custom signature?
A rule that can enhance the protection provided by default signatures. Custom signatures can be either:
- Custom Access Protection rules, to protect specific files, services, registry keys and values, and processes
- Expert Exploit Prevention rules, to prevent buffer overflow and illegal API use exploits, as well as protect files, services, registry, and processes
What is Network Intrusion Prevention (Network IPS)?
Monitors network activity to protect the client system from threats by inspecting all data that flows between the client system and the network.
It compares the network data with the known network-based attacks in the Network IPS signatures. If the data matches a known attack, Network IPS responds with the configured action, such as blocking the data from the system
What does McAfee GTI do in Threat Prevention?
Uses heuristics or file reputation to check for suspicious files through on-access scanning and on-demand scanning
How does On-Access Scanning work?
The On-Access Scanner examines files as the user accesses them, providing continuous, real-time detection of threats.
It integrates with the system at the File-System Filter Driver and scans files where they first enter the system.
What criteria does the OAS use to determine whether to scan an item?
- The file extension matches the configuration
- The file information isn’t in the global scan cache
- The file hasn’t been excluded or previously scanned
How does a read scan work with the OAS?
If read scan is selected and an attempt is made to read, open, or execute a file:
1. The scanner blocks the request
2. The scanner determines whether the item must be scanned
   a. If the file doesn’t need to be scanned, the scanner unblocks the file, caches the file information, and grants the operation
   b. If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file
      - If the file is clean, the scanner unblocks the file and caches the result
      - If the file contains a threat, the scanner denies access to the file and responds with the configured action
How does a write scan work with the OAS?
The scanner examines the file only after it is written to disk and closed:
1. The scanner determines whether the item must be scanned
   a. If the file doesn’t need to be scanned, the scanner caches the file information and grants the operation
   b. If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file
      - If the file is clean, the scanner caches the result
      - If the file contains a threat, the scanner responds with the configured action. The scanner doesn’t deny access to the file
What is ScriptScan and how does it work?
The Threat Prevention script scanner intercepts and scans scripts before they are executed.
It is a browser helper object that examines JavaScript and VBScript code for malicious scripts before they are executed. If the script is clean, it passes to JavaScript or VBScript for handling. If ScriptScan detects a malicious script, it blocks the script from executing
T/F: ScriptScan examines scripts system-wide
False, it examines scripts for Internet Explorer only. It doesn’t look at scripts system-wide and doesn’t examine scripts run by wscript.exe or cscript.exe
T/F: If ScriptScan is disabled when Internet Explorer is launched, and then it is enabled, it won’t detect malicious scripts in that instance of Internet Explorer
True, Internet Explorer must be restarted after enabling ScriptScan for it to detect malicious scripts
What is the workflow for ScriptScan?
Browser accesses a web page with a script -> If ScriptScan is enabled, ScriptScan scans script -> If the Script is clean, ScriptScan passes the script to the native Windows Script Host, if it isn’t clean, ScriptScan prevents the script from executing
If script-intensive websites and web-based applications are experiencing poor performance, should you disable ScriptScan?
No, you can make URL exclusions for ScriptScan
How does On-Demand Scanning work?
The On-Demand Scanner searches files, folders, memory, and registry, looking for malware that might have infected the computer.
What criteria does the On-Demand Scanner use to determine if an item must be scanned?
- The file extension matches the configuration
- The file hasn’t been cached, excluded, or previously scanned (if the scanner uses the scan cache).
What happens if a file meets the scanning criteria for the On-Demand Scanner?
The scanner compares the information in the item to the known malware signatures in the currently loaded AMCore content files
- If the file is clean, the result is cached, and the scanner checks the next item.
- If the file contains a threat, the scanner responds with the configured action, such as cleaning the file
If the On-Demand Scanner is running on a Windows 8 or Windows 10 machine and detects a threat in the path of an installed Windows Store app, what happens?
The scanner marks it as tampered, and Windows adds the tampered flag to the tile for the app.
When you attempt to run it, Windows notifies you of the problem and directs you to the Windows Store to reinstall
How does System Utilization (throttling) work with respect to ODS?
Determines the amount of CPU time allotted during an On-Demand Scan
The On-Demand Scanner uses the Windows Set Priority setting for the scan process and thread priority
What are the different System Utilization settings, and when should you use them?
Low - Provides improved performance for other running applications. Sets the number of threads for the scan to 1 (Select this option for systems with end-user activity)
Below normal - Sets the number of threads for the scan to be equal to the number of CPUs, default setting for preconfigured Full Scan and Quick Scan ODSs
Normal - Enables scan to complete faster by setting the number of threads for the scan to twice the number of CPUs. (Select this option for systems that have large volumes and little end user activity)
How can you view CPU usage during scans?
Open the Task Manager and view the CPU utilization consumed by the McAfee Scanner service process (mcshield.exe)
How does Remote Storage scanning work?
It restores files that have been migrated to storage to the local system before scanning.
Select the ‘Files that have been migrated to storage’ option to configure the ODS to scan files that Remote Storage manages
What are some important tasks to complete post installation of Threat Prevention?
Configure the logging (best practice: enable debug logging for the first 24 hours during testing and pilot phases)
Confirm engine and content files
Make sure access protection and exploit prevention are enabled
Configure Quarantine location/duration, detection names for exclusions, PUP
Configure OAS to your needs
Configure and schedule regular targeted scans
Configure engine and content file updates
Name the Threat Prevention policy categories and give a high level description of them
Access Protection - Prevents unwanted changes to the client system by restricting access to specified files, shares, registry keys, registry values, processes, and services
Exploit Prevention - Prevents applications from executing arbitrary code. Detects and prevents known network-based attacks
OAS - Configures scheduled scanning of all processes, including maximum scan time, and threat detection message configuration
ODS - Configures preconfigured scans that run on the client system (Full Scan, Quick Scan, Right-Click Scan)
Options - Configures settings that apply to both the OAS and ODS
Name the 3 different wildcard characters and what they represent
? - Single character. This wildcard applies only if the number of characters matches the length of the file or folder name. Example: W?? excludes WWW, but doesn’t exclude WW or WWWW
* - Multiple characters, except backslash \
(*\ at the beginning of a file path is not valid. Use **\ instead, such as **\ABC*)
** - Zero or more of any characters, including backslash
For example: C:\ABC**\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\XYZ
What are common ways that threats gain access to a computer?
Macros (part of word-processing documents and spreadsheet applications)
Executable files
Scripts
Internet Relay Chat messages
Browser and application help files
Combinations of all these access points
What are the levels of exclusions that can be applied in regards to access protection?
Rule Level - Exclusions and Inclusions apply to the specified rule
Policy Level - Exclusions apply to all rules
What are the roles and differences between McAfee Defined Access Protection Rules and User-Defined Access Protection Rules
McAfee-defined rules prevent changes to commonly used files and settings; they can’t be deleted, the files and settings protected by the rules can’t be changed, and subrules/usernames can’t be added to the rules
User-defined rules provide supplementary protection to the McAfee-defined rules. (An empty executables table indicates the rule will apply to all executables) (An empty Usernames table indicates that the rule applies to all users)
If an access protection subrule includes file C:\marketing* but excludes C:\marketing\jjohns, what happens?
The subrule will trigger for any of the files in that directory, except for jjohns, because exclude takes precedence over include
What is a Buffer Overflow Exploit attack?
When an attacker overflows the fixed-size memory buffer reserved for an input process and then runs executable code, allowing them to take over the target computer or compromise its data
What are the two types of buffer overflow exploits?
Stack-based attacks - use the stack memory objects to store user input (most common)
Heap-based attacks - flood the memory space reserved for a program (rare)
What is the difference between a quick scan, full scan, and right click scan?
Quick Scan - runs a quick check of the areas of the system most susceptible to infection
Full Scan - performs a thorough check of all areas of the system (recommended if you suspect the computer is infected)
Right Click Scan - Scan an individual file or folder at any time from Windows Explorer by right clicking the file or folder and selecting Scan for threats from the pop-up menu
What is the best practice as far as scanning?
Use weekly full scan to supplement the continuous protection of the on-access scan. The full scan includes fewer exclusions and actively checks all files for malicious code
What does the global scan cache do?
Stores clean scan results, allowing OAS and ODS to use it to avoid scanning known clean files and improve performance
When is the Global Scan Cache flushed?
- OAS/ODS config changes
- Extra.DAT is loaded
- Daily AMCore content file includes an updated Trust DAT (Trust DATs are released every 1-2 weeks, as needed for new certificates)
- The system reboots in safe mode
When is an individual object flushed from the cache ?
- The object has changed on the disk
- The object expires
- The object is more than 5 days old (may differ from the default if the cache is full)
Describe the OAS Scanning Options?
Scan on write:
- Scanner examines file only after it has been written to disk and closed.
- Examines when files are created or changed on the local hard drive
- Copied or moved from a mapped drive to the local hard drive
- Copied or moved from the local hard drive to a mapped drive
Scan on read:
- Scanner prevents access to files unless they are determined to be clean
- Examines when files are read, opened or executed from local hard drive or from mapped network drives
Let McAfee decide
- The OAS uses trust logic to optimize scanning. Trust logic improves your security and boosts performance with scan avoidance, avoiding unnecessary scans
- For example, McAfee analyzes and considers some programs to be trustworthy. If McAfee verifies that these programs haven’t been tampered with, the scanner might perform reduced or optimized scanning
What options negatively impact performance for OAS?
- Scan processes on service startup and content update: Because some programs or executables start automatically when you start your system, deselect this option to improve system startup time
- Scan trusted installers:
  - Scans MSI files or Windows Trusted Installer service files
  - Deselect this option to improve the performance of large Microsoft application installers
- On network drives:
  - Scans resources on mapped network drives; deselect to improve performance
- Opened for backups:
  - Scans files when accessed by backup software
- Compressed archive files:
  - Examines the contents of archive (compressed) files, including .jar files
How can you reduce the impact of On-Demand Scans on users?
- Enable On-Demand Scan only when the computer is idle, which pauses the scan when TP detects disk or user activity
- Pause scans when the system is on battery power or in presentation mode
- Allow users to defer the scan
- Limit scan activity with incremental scans by using the “Stop the task if it runs for” option to stop the scan after it runs for a certain time; it resumes from the same place when the task is initiated again
- Configure system utilization to be low
- Scan only what you need to
What are the best practices for scanning?
- Memory scan (Quick Scan): daily
- Active user scans: weekly (possibly daily)
- Server scans: weekly recommended, monthly acceptable
How would you revert to a previous AMCore content file?
Use the Roll Back AMCore Content client task