By enabling or changing the configuration of the Access Protection feature, you can configure anti-spyware protection, anti-virus protection, common protection, and virtual machine protection, and define your own protection rules. The following is the basic process VirusScan Enterprise uses to provide access protection.
Steps taken when a threat occurs
- A user or process tries to take an action.
- Access Protection examines that action against the defined rules.
- When a rule is broken, the action requested by the user or process is handled according to the rule's configuration. For example, nothing happens (the action is allowed), the action is blocked, or the action is blocked and a report is sent.
- The Access Protection log file is updated, and an event is generated for the ePolicy Orchestrator Global Administrator.
Example of an access threat
- A user downloads a program, MyProgram.exe, from the Internet.
  Note: For this example, MyProgram.exe is not malware.
- The user launches the program and it appears to run as expected.
- MyProgram.exe then launches a child process, AnnoyMe.exe, which attempts to modify the operating system so that it always loads at startup.
- Access Protection processes the request and matches it against an existing rule that is configured to block and report.
- AnnoyMe.exe is denied access when it attempts to modify the operating system, Access Protection logs the details of the attempt, and it generates an alert for the ePolicy Orchestrator Global Administrator.
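The following is an added example, not VirusScan Enterprise code, that models the four steps above on the AnnoyMe.exe scenario in Python. The rule name, the autorun registry key, the user and process names, and the block/report outcomes are the ones this page uses; the Rule/Action/Decision structures, the glob matching, the process exclusion list and the report-only wording are this example's own assumptions.

```python
# Added example: a minimal model of how an Access Protection rule is applied
# to an action. This is not VirusScan Enterprise code; the data structures and
# matching logic are assumptions made for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    target_pattern: str          # glob over the file or registry path being accessed
    operations: frozenset        # operations the rule covers, e.g. {"create", "write"}
    block: bool                  # deny the action
    report: bool                 # write a log entry and raise an event
    excluded_processes: frozenset = frozenset()  # processes allowed to perform the action


@dataclass(frozen=True)
class Action:
    user: str        # DOMAIN\user credentials
    process: str     # full path of the process requesting the action
    target: str      # file or registry path the process tries to access
    operation: str   # "read", "write", "create", ...


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: Optional[Rule]          # the rule that was broken, if any
    log_entry: Optional[str]      # the log line, if the rule reports


# The autorun rule from the page. The msiexec.exe exclusion is an assumption
# added to show that excluded processes bypass the rule.
RULES: List[Rule] = [
    Rule(
        name="Prevent programs registering to autorun",
        target_pattern=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*",
        operations=frozenset({"create", "write"}),
        block=True,
        report=True,
        excluded_processes=frozenset({r"C:\Windows\System32\msiexec.exe"}),
    ),
]


def evaluate(action: Action, rules: List[Rule] = RULES,
             timestamp: str = "2/10/2010 11:00AM") -> Decision:
    """Step 2 and 3: examine the action against the rules; first match wins."""
    for rule in rules:
        if action.operation not in rule.operations:
            continue
        if not fnmatchcase(action.target, rule.target_pattern):
            continue
        if action.process.lower() in {p.lower() for p in rule.excluded_processes}:
            continue
        # The rule is broken. The outcome is whatever the rule is configured for:
        # nothing happens (neither flag), block, report, or block and report.
        entry = None
        if rule.report:
            # Log layout follows the sample entry on this page. The report-only
            # wording ("Reported by") is an assumption, not the product's text.
            verb = "Blocked by" if rule.block else "Reported by"
            entry = (f"{timestamp} {verb} Access Protection rule {action.user} "
                     f"{action.process} {action.target} {rule.name}")
        return Decision(allowed=not rule.block, rule=rule, log_entry=entry)
    return Decision(allowed=True, rule=None, log_entry=None)


def simulate_annoyme() -> Decision:
    """Step 1: AnnoyMe.exe tries to register itself under the Run key."""
    attempt = Action(
        user=r"TestDomain\TestUser",
        process=r"C:\Users\TestUser\Desktop\AnnoyMe.exe",
        target="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
        operation="write",
    )
    return evaluate(attempt)


if __name__ == "__main__":
    decision = simulate_annoyme()
    print("allowed:", decision.allowed)
    print("rule:", decision.rule.name if decision.rule else None)
    print("log:", decision.log_entry)   # step 4: this line goes to the log file
```

Running the script prints a denied decision and a log line identical in layout to the sample entry in the next section. A read of the same key by the same process, or a write by the excluded msiexec.exe, returns an allowed decision with no log entry.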
Log report and alerts generated
This is an example of an Access Protection log entry.
2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Prevent programs registering to autorun
This table describes the data in the previous Access Protection log entry:
Log entry | Description
2/10/2010 | Date
11:00AM | Time
Blocked by Access Protection rule | Action taken
TestDomain\TestUser | Credentials
C:\Users\TestUser\Desktop\AnnoyMe.exe | Process name that breached the rule
\REGISTRY\MACHINE\SOFTWARE\Microsoft... | Location the process tried to access
Prevent programs registering to autorun | Access Protection rule that was triggered
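The following is an added example, not VirusScan Enterprise code, that parses log entries laid out as in the sample above into the fields the table describes and then picks out the entries an administrator would act on: attempts to register under the autorun key, and the offending processes grouped by rule. The sample log is constructed for this example: its first line is the page's entry, and the other two lines, including the "Prevent modification of hosts file" rule name, are made up. It assumes entries are single-space separated exactly as shown on this page; confirm the delimiter in your own log file before relying on the pattern.

```python
# Added example: parse Access Protection log entries in the layout shown on
# this page and triage them. Not VirusScan Enterprise code.
import re
from typing import Dict, List, Optional, Set

# Field order follows the table: date, time, action, credentials, process,
# target, rule name. The action and rule-name fields contain spaces, so the
# pattern anchors on the shape of the neighbouring fields: DOMAIN\user has no
# spaces, the process path ends in .exe, and the target path has no spaces.
# Assumption: fields are separated by single spaces as in the sample entry.
LOG_LINE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}(?:AM|PM)) "
    r"(?P<action>.+?) "
    r"(?P<user>[^\s\\]+\\[^\s\\]+) "
    r"(?P<process>.+?\.exe) "
    r"(?P<target>\S+) "
    r"(?P<rule>.+)$"
)

# Autorun location from the page's sample entry (HKLM Run key in kernel form).
AUTORUN_KEY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into the table's fields, or None if it does not fit."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line; fail loudly on a line the pattern cannot read."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            raise ValueError(f"unrecognised Access Protection log line: {line!r}")
        entries.append(entry)
    return entries


def blocked_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries where the action was actually denied, not merely reported."""
    return [e for e in entries if e["action"].startswith("Blocked by")]


def persistence_attempts(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries where a process tried to write under the autorun key."""
    return [e for e in entries if e["target"].lower().startswith(AUTORUN_KEY.lower())]


def processes_by_rule(entries: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group offending process paths by the rule they triggered."""
    summary: Dict[str, Set[str]] = {}
    for e in entries:
        summary.setdefault(e["rule"], set()).add(e["process"])
    return summary


# Constructed sample log: line 1 is the page's entry; lines 2 and 3 are made up
# (the "Prevent modification of hosts file" rule name is invented for the sample).
SAMPLE_LOG = r"""
2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Prevent programs registering to autorun
2/10/2010 11:02AM Blocked by Access Protection rule TestDomain\TestUser C:\Program Files\Updater\updater.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Prevent programs registering to autorun
2/10/2010 11:05AM Blocked by Access Protection rule TestDomain\svc_backup C:\Windows\Temp\drop.exe C:\Windows\System32\drivers\etc\hosts Prevent modification of hosts file
"""


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in persistence_attempts(parsed):
        print(f"{e['date']} {e['time']} {e['user']} {e['process']} -> {e['target']}")
    for rule, procs in processes_by_rule(parsed).items():
        print(rule, sorted(procs))
```

The lazy `.+?\.exe` match for the process field is what lets paths containing spaces (C:\Program Files\...) parse correctly; it relies on the process name ending in .exe, so extend the pattern if your rules also fire on scripts or DLL loads.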
Similar information is available using ePolicy Orchestrator queries. For details, refer to Access queries and dashboards.