By enabling or modifying the Access Protection configuration you can configure anti-spyware protection, anti-virus protection, common protection, and virtual machine protection, and define your own protection rules. Following is the basic process VirusScan Enterprise uses to provide access protection:
Steps taken when a threat occurs
- A user or process tries to take an action.
- Access Protection examines that action against the defined rules.
- When a rule is broken, the action requested by the user or process is handled as the rule is configured. For example, the rule can allow the action (nothing happens), block it, or block it and send a report.
- The Access Protection log file is updated, and an event is generated for the ePolicy Orchestrator Administrator.
Example of an access threat
- A user downloads a program, MyProgram.exe, from the internet.
  Note: For this example MyProgram.exe is not malware.
- The user launches the program and it seems to launch as expected.
- MyProgram.exe then launches a child process called AnnoyMe.exe, which attempts to modify the operating system so that it always loads on startup.
- Access Protection processes the request and matches it against an existing rule that is configured to Block and Report.
- AnnoyMe.exe is denied access when it attempts to modify the operating system, Access Protection logs the details of the attempt, and it generates an alert to the ePolicy Orchestrator Administrator.
Log report and alerts generated
Following is the Access Protection log entry:
2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\Run\ Prevent programs registering to autorun
The following table describes the data in the previous Access Protection log entry:

| Log entry | Description |
|---|---|
| 2/10/2010 | Date |
| 11:00AM | Time |
| Blocked by Access Protection rule | Action taken |
| TestDomain\TestUser | Credentials |
| C:\Users\TestUser\Desktop\AnnoyMe.exe | Process name that breached the rule |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft... | Location the process tried to access |
| Prevent programs registering to autorun | Access Protection rule that was triggered |
Similar information is available using ePolicy Orchestrator queries. For details, refer to Accessing Queries and Dashboards.
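The following is an added example, not code from McAfee or from this documentation, that parses Access Protection log entries laid out as in the table above (date, time, action taken, credentials, process, location accessed, rule triggered) and summarises which processes tripped which rule. It assumes the exported log is one entry per line with the seven fields separated by a tab (FIELD_SEP); the sample entries are constructed for this example and modelled on the one quoted above, with "Prevent modification of hosts file" being a made-up rule name, and the final line is deliberately malformed to show that unparseable lines are reported rather than silently dropped.

```python
"""Parse VirusScan Enterprise Access Protection log entries and summarise them.

Added example, not McAfee's own code. Assumption: one entry per line, seven
tab-separated fields in the order shown in the documentation's table.
Adjust FIELD_SEP if an exported log uses a different delimiter.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIELD_SEP = "\t"   # assumption: tab-delimited export
FIELD_COUNT = 7    # date, time, action, credentials, process, location, rule


@dataclass(frozen=True)
class AccessProtectionEvent:
    """One Access Protection log entry, field names following the table."""
    date: str
    time: str
    action: str     # e.g. "Blocked by Access Protection rule"
    user: str       # credentials, e.g. DOMAIN\user
    process: str    # process that breached the rule
    target: str     # location the process tried to access
    rule: str       # Access Protection rule that was triggered


def _entry(*fields: str) -> str:
    return FIELD_SEP.join(fields)


# Constructed sample log, modelled on the entry quoted in the documentation.
# The third entry uses a made-up rule name; the fourth line is intentionally
# malformed (too few fields) to exercise the error path.
SAMPLE_LOG = "\n".join([
    _entry("2/10/2010", "11:00AM", "Blocked by Access Protection rule",
           "TestDomain\\TestUser",
           "C:\\Users\\TestUser\\Desktop\\AnnoyMe.exe",
           "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
           "Prevent programs registering to autorun"),
    _entry("2/10/2010", "11:02AM", "Blocked by Access Protection rule",
           "TestDomain\\TestUser",
           "C:\\Users\\TestUser\\AppData\\Local\\Temp\\dropper.exe",
           "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
           "Prevent programs registering to autorun"),
    _entry("2/10/2010", "11:05AM", "Blocked by Access Protection rule",
           "TestDomain\\TestUser",
           "C:\\Users\\TestUser\\Desktop\\AnnoyMe.exe",
           "C:\\Windows\\System32\\drivers\\etc\\hosts",
           "Prevent modification of hosts file"),   # constructed rule name
    "2/10/2010\t11:07AM\ttruncated entry with too few fields",
])


def parse_entry(line: str) -> Optional[AccessProtectionEvent]:
    """Return an event for a well-formed line, or None if the field count is wrong."""
    parts = line.rstrip("\r\n").split(FIELD_SEP)
    if len(parts) != FIELD_COUNT:
        return None
    return AccessProtectionEvent(*(p.strip() for p in parts))


def parse_log(text: str) -> Tuple[List[AccessProtectionEvent], List[str]]:
    """Parse every non-empty line; return (events, rejected_raw_lines)."""
    events: List[AccessProtectionEvent] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_entry(line)
        if event is None:
            rejected.append(line)   # keep the raw line for manual review
        else:
            events.append(event)
    return events, rejected


def blocked_by_rule(events: List[AccessProtectionEvent]) -> Counter:
    """Count blocked attempts per rule (the 'Action taken' field starts with 'Blocked')."""
    return Counter(e.rule for e in events if e.action.startswith("Blocked"))


def processes_hitting_rule(events: List[AccessProtectionEvent], rule: str) -> List[str]:
    """Distinct process paths that triggered the given rule, sorted for stable output."""
    return sorted({e.process for e in events if e.rule == rule})


def summarise(text: str) -> Dict[str, List[str]]:
    """Map each rule to the processes that triggered it, for a quick triage view."""
    events, _ = parse_log(text)
    return {rule: processes_hitting_rule(events, rule) for rule in blocked_by_rule(events)}


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for rule, count in blocked_by_rule(parsed).items():
        print(f"{count} blocked attempt(s) by rule: {rule}")
        for proc in processes_hitting_rule(parsed, rule):
            print(f"    {proc}")
    print(f"{len(bad)} line(s) could not be parsed")
```

Grouping blocked events by rule and then by process is the view a responder usually wants first: in the sample above it shows that two different executables are both trying to register under the Run key, which is the autorun behaviour the documentation's example describes, and it keeps the malformed line visible instead of hiding it.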