Threat Prevention

Question 1

What is the role of the Threat Prevention Security Module?

Answer 1

TP prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems

Question 2

What does Threat Prevention provide protection from?

Answer 2

• Viruses, worms, and trojan horses
• Access point violations
• Buffer overflow exploits
• Illegal API use
• Network intrusions
• Potentially unwanted code and programs
• Vulnerability focused detection
• Zero-day exploit detection

Question 3

How does Threat Prevention protect your system from intrusions?

Answer 3

Access Protection

Exploit Prevention: BOP, Illegal API Use, Network Intrusion Prevention, Expert Rules

Question 4

How does Threat Prevention detect threats when they do occur in your environment?

Answer 4

• On-Access Scan
• On-Demand Scan
• Potentially Unwanted Programs
• Quarantine
• Dashboards and Monitors
• Queries and Reports
• Early Load Anti-Malware

Question 5

How does Threat Prevention correct the threats/issues that are detected?

Answer 5

Actions
Alerts
Extra.DAT files
Scheduled Scans
Content Repositories
Log Files
Dashboards and Monitors

Question 6

Give a high level description of the Access Protection feature of Threat Prevention

Answer 6

Protect against unwanted changes to client systems by restricting access to specified files, shares, registry keys, registry values, and preventing or restricting processes and services from executing threat behavior.

Question 7

Give a high level description of the Exploit Prevention feature of Threat Prevention

Answer 7

Threat Prevention uses signatures in content updates to protect against these exploits:

○ BOP - Uses signatures in content updates to protect against these exploits
○ Illegal API Use - protect against malicious API calls being made by unknown or compromised applications running on the system
○ Network Intrusion Prevention - Protect against network dos attacks and bandwidth oriented attacks that deny or degrade network traffic.
○ Expert Rules - Provide additional parameters and allow more flexibility than the Access Protection custom rules. But, to create Expert Rules, you must understand the McAfee proprietary syntaxes

Question 8

Give a high level description of the On-Access Scan feature of Threat Prevention

Answer 8

Scan for threats as files are read from, or written to, disk. Run scans only when the system is idle, integrates with Anti malware Scan Interface (ASMI) to provide better enhanced scanning for threats in non-browser-based scripts

Question 9

Give a high level description of the On-Demand Scan feature of Threat Prevention

Answer 9

Run or schedule predefined scans, including scans of spyware-related registry entries that weren’t previously cleaned

Question 10

What does the Potentially Unwanted Programs feature do?

Answer 10

Detect potentially unwanted programs, such as spyware and adware, and prevent them from running in your environment

Question 11

When are AMCore content packages normally released?

Answer 11

By 7 GMT (2EST)

Question 12

How does the AMCore content file work with Threat Prevention?

Answer 12

When searching for threats, the scan engine compares the contents of scanned files to known threat information stored in the AMCore content files.

Question 13

T/F: The AMCore content file contains content that the Exploit Prevention feature uses

Answer 13

False, Exploit Prevention has its own content file

Question 14

What happens if during a scan, the scanner encounters a threat that doesn’t have a signature in the AMCore content file that is currently being used?

Answer 14

The scan engine can’t detect the threat, leaving the system vulnerable to attack

Question 15

In addition to the current AMCore, how many previous versions are stored?

Answer 15

Two versions, which can be reverted to in case of an issue

Question 16

What is the purpose of an Extra.DAT file?

Answer 16

DAT files that are deployed outside of the regular content update schedule in situations where new malware is discovered and extra detection is required

Question 17

What happens to an Extra.DAT whenever it becomes out of date?

Answer 17

They have expiration dates built in.

Whenever an Extra.DAT is loaded, the expiration date is compared against the build date of the AMCore content installed on the system. If the AMCore content is newer than Extra.DAT expiration date, the Extra.DAT is considered expired, so it will no longer be used by the system, and will consequently be removed during the next update

Question 18

Where are Extra DATs stored?

Answer 18

c:\Program Files\Common Files\McAfee\Engine\content\avengine\extradat

Question 19

How often are Exploit Prevention packages released?

Answer 19

Once a month

Question 20

How do application protection rules work?

Answer 20

Application protection rules specify the processes that Exploit Prevention monitors for buffer overflow and Illegal API use violations

Only processes in the Application Protection Rules list with the inclusion status of Include are monitored

When a monitored process started, Exploit Prevention injects its DLLs into the process to monitor it for buffer overflow and illegal API use violations

Question 21

What does it mean if the status of an Application Protection rule is Include? Exclude?

Answer 21

Include - Exploit Prevention injects its DLLs and monitors the process for violations.

Exclude - Exploit Prevention doesn’t inject its DLLs and doesn’t monitor the process for violations

Question 22

What happens if the list includes conflicting application protection rules?

Answer 22

Exclude status rules take precedence over Include

Question 23

What are signatures?

Answer 23

Collections of rules that compare behavior against known attacks and perform an action when a mathc is detected.

Question 24

What are the types of signatures?

Answer 24

File Signatures - Report or block operatinos such as renaming or executing, on specific files, paths or drives

Services signatures report or block operations such a starting, stopping, or changing the startup mode, on services

Registry signatures report or block operations such as creating or deleting, on registry keys and registry values

Processes signatures report or block operations such as access or running, on processes

Buffer Overflow signatures report or block malicious programs inserted into the memory space exploited by an attack

Illegal API Use signatures report or block API calls that might result in malicious activity

Network IPS signatures report or block malicious data that flows between the system and the rest of the network

Question 25

What are behavioral rules?`

Answer 25

• They block zero-day attacks and enforce proper OS and app behavior
• Heuristic behavioral rules define a profile of legitimate activity. Activity not matching these rules is considered suspicious and triggers a response

Example: A Behavioral rule might state that only a web server process can access HTML files. If any other process tries to access HTML files, Exploit Prevent responds with the configured action

Question 26

What is an action in the scope of Exploit Prevention?

Answer 26

What Exploit Prevention does when a signature is triggered.

Block- Prevents operation
Report- Allows the operation and reports the event

Question 27

What are the different severity levels for Exploit Prevention signatures?

Answer 27

High - Signatures that protect against clearly identifiable security threats or malicious actions.

Medium - Signatures that are behavioral in nature and prevent applications from operating outside of their environment

Low - Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they can’t be changed

Informational - Signatures that indicate a change to the system configuration that might create a benign security risk or an attempt to access sensitive system information

Disabled - Signature that are disabled in the Exploit Prevention content file

Question 28

What is a custom signature?

Answer 28

A rule that can enhance the protection provided by default signatures.

They can be a Custom Access Protection rules to protect specific files, services, registry keys and values, and processes

or

Expert Exploit Prevention Rules to prevent buffer overflow and illegal API use exploits, as well as protect files, services, registry, and processes

Question 29

What is Network Intrusion Prevention (Network IPS)?

Answer 29

Monitors network activity to protect client system from threats, by inspecting all data that flows between the client system and the network

It compares the network data with the known network-based attacks in the Network IPS signatures. If the data matches a known attack, Network IPS responds with the configured action, such as blocking the data from the system

Question 30

What does McAfee GTI do in Threat Prevention?

Answer 30

Uses heuristics or file reputation to check for suspicious files through on-access scanning and on-demand scanning

Question 31

How does On-Access Scanning work?

Answer 31

The On-Access Scanner examines files as the user accesses them, providing continuous, real-time detection of threats.

It integrates with the system at the File-System Filter Driver and scans files where they first enter the system.

Question 32

What criteria does the OAS use to determine whether to scan an item?

Answer 32

• The file extension matches the configuration
• The file information isn’t in the global scan cache
• The file hasn’t been excluded or previously scanned

Question 33

How does a read scan work with the OAS?

Answer 33

If read scan is selected and an attempt is made to read, open, or execute a file:

1 The scanner blocks the request

2. The scanner determines whether the item must be scanned
   - If file doesn’t need to be scanned, the scanner unblocks the file, caches the file information, and grants the operation
   - If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file
   
   • If the file is clean, the scanner unblocks the file and caches the result
   • If the file contains a threat, the scanner denies access to the file and responds with the configured action

Question 34

How does a write scan work with the OAS?

Answer 34

The scanner examines the file only after it is written to disk and closed

1. The scanner determines whether the item must be scanned
   a. If the file doesn’t need to be scanned, the scanner caches the file information, and grants the operation
   b. If the file needs to be scanned, the scan engine scans the file, comparing it to signatures in the currently loaded AMCore content file
   - If the file is clean, the scanner caches the result
   - If the file contains a threat, the scanner responds with the configured action. The scanner doesn’t deny access to the file

Question 35

What is ScriptScan and how does it work?

Answer 35

The Threat Prevention script scanner intercepts and scans scripts before they are executed.

It is a browser helper object that examines JavaScript and VBScript code for malicious scripts before they are executed. If the script is clean, it passes to JavaScript or VBScript for handling. If ScriptScan detects a malicious script, it blocks the script from executing

Question 36

T/F: ScriptScan examines scripts system-wide

Answer 36

False, it examines scripts for Internet Explorer only. It doesn’t look at scripts system-wide and doesn’t examine scripts run by wscript.exe or cscript.exe

Question 37

T/F: If ScriptScan is disabled when Internet Explorer is launched, and then it is enabled, it won’t detect malicious scripts in that instance of Internet Explorer?

Answer 37

True, Internet Explorer must be restarted after enabling ScriptScan for it to detect malicious scripts

Question 38

What is the workflow for ScriptScan?

Answer 38

Browser accesses a web page with a script -> If ScriptScan is enabled, ScriptScan scans script -> If the Script is clean, ScriptScan passes the script to the native Windows Script Host, if it isn’t clean, ScriptScan prevents the script from executing

Question 39

If Script-intensive website and web-based applications are experiencing poor performance, should you disabled script scan?

Answer 39

No, you can make URL exclusions for ScriptScan

Question 40

How does On-Demand Scanning work?

Answer 40

The On-Demand Scanner searches files, folders, memory, and registry, looking for malware that might have infected the computer.
`

Question 41

What criteria does the On-Demand Scanner use to determine if an item must be scanned?

Answer 41

• The file extension matches the configuration

- The file hasn’t been cached, excluded, or previously scanned (if the scanner uses the scan cache).

Question 42

What happens if a file meets the scanning criteria for the On-Demand Scanner?

Answer 42

The scanner compares the information in the item to the known malware signatures in the currently loaded AMCore content files

• If the file is clean, the result is cached, and the scanner checks the next item.
• If the file contains a threat, the scanner responds with the configured action, such as cleaning the file

Question 43

If the On-Demand Scanner is running on a Windows 8 or Windows 10 machine and detects a threat in the path of an installed Windows Store app, what happens?

Answer 43

The scanner marks it as tampered, Windows adds the tampered flag to the tile for the app.

When you attempt to run it, WIndows notifies you of the problem and directs you to the Windows Store to reinstall

Question 44

How does System Utilization(Throttling) work in respect to ODS

Answer 44

Determines the amount of CPU time allotted during an On-Demand Scan

The On-Demand Scanner uses the Windows Set Priority setting for the scan process and thread priority

Question 45

What are the different System Utilization settings, and when should you use them?

Answer 45

Low - Provides improved performance for other running applications. Sets the number of threads for the scan to 1 (Select this option for systems with end-user activity)

Below normal - Sets the number of threads for the scan to be equal to the number of CPUs, default setting for preconfigured Full Scan and Quick Scan ODSs

Normal - Enables scan to complete faster by setting the number of threads for the scan to twice the number of CPUs. (Select this option for systems that have large volumes and little end user activity)

Question 46

How can you view CPU usage during scans?

Answer 46

Open the Task Manager and view the CPU utilization consumed by the McAfee Scanner service process (mcshield.exe)

Question 47

How does Remote Storage scanning work?

Answer 47

It restores files that have been migrated to storage to the local system before scanning.

Select the ‘Files that have been migrated to storage’ option to configure the ODS to scan files that Remote Storage manages

Question 48

What are some important tasks to complete post installation of Threat Prevention?

Answer 48

Configure the logging (BP: Enable debug logging for the first 24 hours during testing and pilot phases)

Confirm engine and content files

Make sure access protection and exploit prevention are enabled

Configure Quarantine location/duration, detection names for exclusions, PUP

Configure OAS to your needs

Configure and schedule regular targeted scans

Configure engine and content file updates

Question 49

Name the Threat Prevention policy categories and give a high level description of them

Answer 49

Access Protection - Prevents unwanted changes to the client system by restricting access to specified files, shares, registry keys, registry values, processes, and services

Exploit Prevention - Prevents applications from executing arbitrary code. Detects and prevents known network-based attacks

OAS - Configures scheduled scanning of all processes, including maximum scan time, and threat detection message configuration

ODS - Configures preconfigured scans that run on the client system (Full Scan, Quick Scan, Right-Click Scan)

Options - Configures settings that apply to both the OAS and ODS

Question 50

Name the 3 different wildcard characters and what they represent?

Answer 50

? - Single Character. This wildcard applies only if the number of characters matches the length of the file or folder name. Example: W?? excludes WWW, but doesn’t exclude WW or WWWW

• • Multiple characters, except backslash \
    (*\ at the beginning of a file path is not valid. Use **\ instead, such as **\ABC*)

** - zero or more of any characters, including backslash
For example: C:\ABC**\XYZ matches C:\ABC\DEF\XYZ and C:\ABC\XYZ

Question 51

What are common ways that threats gain access to a computer?

Answer 51

Macros(Part of word-processing documents and spreadsheet applications)

Executable files

Scripts

Internet Relay Chat messages

Browser and application help files

Email

Combinations of all these access points

Question 52

What are the levels of exclusions that can be applied in regards to access protection?

Answer 52

Rule Level - Exclusions and Inclusions apply to the specified rule

Policy Level - Exclusions apply to all rules

Question 53

What are the roles and differences between McAfee Defined Access Protection Rules and User-Defined Access Protection Rules

Answer 53

McAfee-defined rules prevent change to commonly used files and settings, they can’t be deleted, the file and settings protected by the rules can’t be changed, and subrules/usernames can’t be added to the rules

User-defined rules provide supplementary protection to the McAfee-defined rules. (An empty executables table indicates the rule will apply to all executables) (An empty Usernames table indicates that the rule applies to all users)

Question 54

If an access protection subrule includes file C:\marketing* but excludes C:\marketing\jjohns, what happens?

Answer 54

The subrule will trigger for any of the files in that directory, except for jjohns, because exclude takes precedence over include

Question 55

What is a Buffer Overflow Exploit attack?

Answer 55

When an attack overflows the fixed-size memory buffer reserved for an input process, and then runs executable code, allowing them to take over the target computer or compromise its data

Question 56

What are the two types of buffer overflow exploits?

Answer 56

Stack-based attacks - use the stack memory objects to store user input (most common)

Heap-based attacks - flood the memory space reserved for a program (rare)

Question 57

What is the difference between a quick scan, full scan, and right click scan?

Answer 57

Quick Scan - runs a quick check of the areas of the system most susceptible to infection
Full Scan - performs a thorough check of all areas of the system (recommended if you suspect the computer is infected)
Right Click Scan - Scan an individual file or folder at any time from Windows Explorer by right clicking the file or folder and selecting Scan for threats from the pop-up menu

Question 58

What is the best practice as far as scanning?

Answer 58

Use weekly full scan to supplement the continuous protection of the on-access scan. The full scan includes fewer exclusions and actively checks all files for malicious code

Question 59

What does the global scan cache do?

Answer 59

Stores clean scan results, allowing OAS and ODS to use it to avoid scanning known clean files and improve performance

Question 60

When is the Global Scan Cache flushed?

Answer 60

• OAS/ODS config changes
• Extra.DAT is loaded
• Daily AMCore content file includes an updated Trust DAT (Trust DATs are released every 1-2 weeks, as needed for new certificates)
• The system reboots in safe mode

Question 61

When is an individual object flushed from the cache ?

Answer 61

• The object has changed on the disk
• The object expires
• Object >5days old; may differ from default if cache is full

Question 62

Describe the OAS Scanning Options?

Answer 62

Scan on write:

• Scanner examines file only after it has been written to disk and closed.
• Examines when files are created or changed on the local hard drive
• Copied or moved from a mapped drive to the local hard drive
• Copied or moved from the local hard drive to a mapped drive

Scan on read:

• Scanner prevents access to files unless they are determined to be clean
• Examines when files are read, opened or executed from local hard drive or from mapped network drives

Let McAfee decide

• The OAS uses trust logic to optimize scanning. Trust logic improves your security and boosts performance with scan avoidance, avoiding unnecessary scans
• For example, McAfee analyzes and considers some programs to be trustworthy. If McAfee verifies that these programs haven’t been tampered with, the scanner might perform reduced or optimized scanning

Question 63

What options negatively impact performance for OAS?

Answer 63

-Scan processes on service startup and content update: Because some programs or executables start automatically when you start your system, deselect this option to improve system startp time

• Scan trusted installers:
• Scans MSI files or Windows Trust Installer service files
• Deselect this option to improve the performance of large Microsoft application installers
• On network drives:
• Scans resources on mapped network drives, deselect to improve performance
• Opened for backups:
• Scans files when accessed by backup software
• Compressed archive files:
• Examines the contents of archive (compressed) files, including .jar files

Question 64

How can you reduce the impact of On-Demand Scans on users?

Answer 64

• Enabling On-Demand Scan only when computer is idle, which will pause the scan when TP detects disk or user activity
• Make it so that scans pause when the system is on battery power, or when the system is in presentation mode
• Allows users to defer scan
• Limit scan activity with incremental scans by using the “Stop the task if it runs for” option to stop the scan after it runs for a certain time, and then it will resume from the same place after the task is initiated again
• Configure system utilization to be low
• Scan only what you need to

Question 65

What are the best practices for scanning?

Answer 65

• Daily Memory Scan(Quick Scan): daily
• Active User scans: Weekly(possibly daily)
• Server Scans - Recommended Weekly, Acceptable Monthly

Question 66

How would you revert to a previous AMCore content file?

Answer 66

Use the Roll Back AMCore Content client tasks