Threat Prevention Flashcards
What is the role of the Threat Prevention Security Module?
TP prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems
What does Threat Prevention provide protection from?
- Viruses, worms, and trojan horses
- Access point violations
- Buffer overflow exploits
- Illegal API use
- Network intrusions
- Potentially unwanted code and programs
- Vulnerability focused detection
- Zero-day exploit detection
How does Threat Prevention protect your system from intrusions?
- Access Protection
- Exploit Prevention: BOP, Illegal API Use, Network Intrusion Prevention, Expert Rules
How does Threat Prevention detect threats when they do occur in your environment?
- On-Access Scan
- On-Demand Scan
- Potentially Unwanted Programs
- Quarantine
- Dashboards and Monitors
- Queries and Reports
- Early Load Anti-Malware
How does Threat Prevention correct the threats/issues that are detected?
- Actions
- Alerts
- Extra.DAT files
- Scheduled Scans
- Content Repositories
- Log Files
- Dashboards and Monitors
Give a high level description of the Access Protection feature of Threat Prevention
Protect against unwanted changes to client systems by restricting access to specified files, shares, registry keys, registry values, and preventing or restricting processes and services from executing threat behavior.
Give a high level description of the Exploit Prevention feature of Threat Prevention
Threat Prevention uses signatures in content updates to protect against these exploits:
○ BOP (buffer overflow protection) - Uses signatures in content updates to protect against buffer overflow exploits
○ Illegal API Use - Protects against malicious API calls made by unknown or compromised applications running on the system
○ Network Intrusion Prevention - Protects against network DoS attacks and bandwidth-oriented attacks that deny or degrade network traffic
○ Expert Rules - Provide additional parameters and allow more flexibility than the Access Protection custom rules. But, to create Expert Rules, you must understand the McAfee proprietary syntax
Give a high level description of the On-Access Scan feature of Threat Prevention
Scan for threats as files are read from, or written to, disk. Run scans only when the system is idle. Integrates with the Antimalware Scan Interface (AMSI) to provide enhanced scanning for threats in non-browser-based scripts
Give a high level description of the On-Demand Scan feature of Threat Prevention
Run or schedule predefined scans, including scans of spyware-related registry entries that weren’t previously cleaned
What does the Potentially Unwanted Programs feature do?
Detect potentially unwanted programs, such as spyware and adware, and prevent them from running in your environment
When are AMCore content packages normally released?
By 7:00 GMT (2:00 EST)
How does the AMCore content file work with Threat Prevention?
When searching for threats, the scan engine compares the contents of scanned files to known threat information stored in the AMCore content files.
T/F: The AMCore content file contains content that the Exploit Prevention feature uses
False, Exploit Prevention has its own content file
What happens if during a scan, the scanner encounters a threat that doesn’t have a signature in the AMCore content file that is currently being used?
The scan engine can’t detect the threat, leaving the system vulnerable to attack
In addition to the current AMCore, how many previous versions are stored?
Two versions, which can be reverted to in case of an issue
What is the purpose of an Extra.DAT file?
DAT files that are deployed outside of the regular content update schedule in situations where new malware is discovered and extra detection is required
What happens to an Extra.DAT whenever it becomes out of date?
They have expiration dates built in.
Whenever an Extra.DAT is loaded, its expiration date is compared against the build date of the AMCore content installed on the system. If the AMCore content is newer than the Extra.DAT expiration date, the Extra.DAT is considered expired, so it will no longer be used by the system, and will consequently be removed during the next update
Where are Extra DATs stored?
c:\Program Files\Common Files\McAfee\Engine\content\avengine\extradat
How often are Exploit Prevention packages released?
Once a month
How do application protection rules work?
Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and Illegal API use violations
Only processes in the Application Protection Rules list with the inclusion status of Include are monitored
When a monitored process starts, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and illegal API use violations
What does it mean if the status of an Application Protection rule is Include? Exclude?
Include - Exploit Prevention injects its DLLs and monitors the process for violations.
Exclude - Exploit Prevention doesn’t inject its DLLs and doesn’t monitor the process for violations
What happens if the list includes conflicting application protection rules?
Exclude status rules take precedence over Include
What are signatures?
Collections of rules that compare behavior against known attacks and perform an action when a match is detected.
What are the types of signatures?
- File signatures - Report or block operations, such as renaming or executing, on specific files, paths, or drives
- Services signatures - Report or block operations, such as starting, stopping, or changing the startup mode, on services
- Registry signatures - Report or block operations, such as creating or deleting, on registry keys and registry values
- Processes signatures - Report or block operations, such as access or running, on processes
- Buffer Overflow signatures - Report or block malicious programs inserted into the memory space exploited by an attack
- Illegal API Use signatures - Report or block API calls that might result in malicious activity
- Network IPS signatures - Report or block malicious data that flows between the system and the rest of the network
What are behavioral rules?
- They block zero-day attacks and enforce proper OS and app behavior
- Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response
Example: A behavioral rule might state that only a web server process can access HTML files. If any other process tries to access HTML files, Exploit Prevention responds with the configured action
What is an action in the scope of Exploit Prevention?
What Exploit Prevention does when a signature is triggered.
- Block - Prevents the operation
- Report - Allows the operation and reports the event