manualshive.com logo in svg

Internet Security Systems RealSecure, User Manual, Page: 45 / 126

Share
Download
Internet Security Systems RealSecure User Manual Download Page 45

Blocking Intrusions

37

Blocking Intrusions

Introduction

Desktop Protector identifies and stops most intrusions according to your preset protection 
level, but you may still notice activity that isn't explicitly blocked. This topic explains how 
to handle intrusions from a particular address or intrusions that use a particular protocol.

Caution:

Do not block port scans from your own internal network. This may interfere 

with normal network management procedures.

Blocking an event 
or an intruder

You can block any intruder listed on your events list. When you do, Desktop Protector 
creates an IP address entry in your firewall that prevents all traffic from that IP address 
from entering your system. To block an intruder or an event:

1. Do one of the following:

On the Intruders tab, right-click the name of the intruder.

On the Events tab, right-click the name of the event.

2. On the submenu, select the duration of the block.

Note:

A month is defined as 30 days.

3. Click 

Yes

.

Blocking an IP 
address

To block an IP address:

1. From the Tools menu, select 

Advanced Firewall Settings

The Advanced Firewall Properties window appears.

2. Click 

Add

.

The Add Firewall Entry window appears.

3. Type a name for the IP address filter.

Note:

This should be the name of the system to block, if you know it. For example, if 

you are creating a filter to block all port scans from a known intruder, use the 
intruder’s computer name for the name of this address filter. For information about 
how to learn about intruders, see “Back Tracing” on page 50.

4. Type the IP address or range of addresses for the system to block.

Use standard 

000.000.000.000

 notation. 

If you are specifying a range of IP addresses, place a dash between them. For 
example, 

192.168.10.23–192.168.10.32

.

To block transmissions from all IP addresses through a specific port, select 

All 

Addresses.

 

Note:

You cannot block all transmissions from all IP addresses in this window. To 

block all unsolicited inbound traffic, select the “Paranoid” protection level on the 
Firewall tab.

5. In the 

Mode

 area, select 

Reject

.

6. In the 

Duration of Rule

 area, select the length of the block.

7. Click 

Add

.

Desktop Protector adds the entry to the list in the Advanced Firewall Settings 
window.

Summary of Contents for RealSecure

Page 1: ...TM Desktop Protector User Guide Version 3 5 ...

Page 2: ...rademarks of Sun Microsystems Inc in the United States and other countries All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International Inc in the United States and other countries Adaptive Server SQL SQL Server and Sybase are trademarks of Sybase Inc its affiliates and licensers Tivoli is a registered trademark of Tivoli Systems Inc UNIX is a regi...

Page 3: ...nager 17 Installing Desktop Protector Remotely 18 Using ICEcap Manager to Control RealSecure Agents 19 Chapter 3 Setting Up RealSecure Desktop Protector 21 Overview 21 Installing RealSecure Desktop Protector 22 Stopping Desktop Protector 24 Restarting Desktop Protector 26 Uninstalling Desktop Protector 28 Chapter 4 Configuring RealSecure Desktop Protector 31 Overview 31 Connecting to ICEcap Manage...

Page 4: ...Communications Control Tab 86 Appendix C Advanced Firewall Settings 89 Overview 89 The Firewall Rules Tab 90 The Local Adaptive Protection Tab 92 The Remote Adaptive Protection Tab 93 The Add Firewall Entry Dialog 94 The Modify Firewall Entry Dialog 96 Appendix D Advanced Application Protection Settings 99 Overview 99 The Known Applications Tab 101 The Baseline Tab 102 The Checksum Extensions Dial...

Page 5: ... maintaining software on corporate systems What s new in this guide This guide replaces the BlackICE Agent 3 0 User Guide This guide includes information about a new layer of safety for your desktop called Application Protection Application Protection consists of two features Application Control Desktop Protector prevents unauthorized applications from running on your local system This helps to ke...

Page 6: ...ing with RealSecure Desktop Protector on a corporate network see the RealSecure ICEcap Manager User Guide For answers to questions about Desktop Protector see RealSecure Desktop Protector Frequently Asked Questions For system requirements for Desktop Protector see System Requirements For general information about Desktop Protector s features see the Product Spec Sheet ...

Page 7: ...th name or other information that you must type exactly as shown Save the User txt file in the Addresses folder Type IUSR__SMA in the Username box Constant width italic A file name folder name path name or other information that you must supply Type Version number in the Identification information box Æ A sequence of commands from the taskbar or menu bar From the taskbar select StartÆRun On the Fi...

Page 8: ...ormation The following table provides email addresses and telephone numbers for technical support requests Location Hours Americas 24 hours a day All other locations Monday through Friday 9 00 A M to 6 00 P M during their local time excluding ISS published holidays Note If your local support office is located outside the Americas you may call or email the Americas office for help during off hours ...

Page 9: ...ure Desktop Protector integrates with ICEcap Manager management and reporting console Desktop Protector forwards information about the events it detects to a server running ICEcap Manager for enterprise wide security reporting and analysis ICEcap Manager can in turn install and update Desktop Protector remotely Firewall capabilities RealSecure Desktop Protector provides powerful firewall capabilit...

Page 10: ...ng your system or other computers on a network Application protection consists of two features Application Control Helps you prevent unknown and possibly destructive applications from damaging your system When you suspect an application may have been modified Application Control lets you decide whether to let it start RealSecure Desktop Protector goes beyond the capabilities of other products by p...

Page 11: ...locks unsolicited network traffic that accesses operating system and networking services Good for regular use of the Internet Trusting All ports are open and unblocked and all inbound traffic is allowed Acceptable if you have a minimal threat of intrusions This is the default protection level setting If your local agent is not centrally controlled by ICEcap Manager you should consider customizing ...

Page 12: ...your firewall is set to Cautious for most communications It switches to Trusting when you connect to your corporate network over a VPN and switches back to Cautious when the VPN connection closes At a trade show your firewall automatically switches to Paranoid when you plug into the conference network It switches to Trusting when you connect to your corporate VPN and then switches back to Paranoid...

Page 13: ...firewall When you do this no traffic from that intruder s IP address can enter your system For information about blocking IP addresses see Blocking an IP address on page 37 Blocking a port If you don t have an intruder in mind but you are concerned about intrusion attempts using a specific internet protocol you can block the port or ports that protocol uses Adding a port entry to your firewall ens...

Page 14: ...ation Control tab or the Communications Control tab 3 Clear the Enable Application Protection check box Adding new or upgraded applications to your computer Whenever you upgrade an application or install a new application on your computer the application does not match the Application Protection baseline so BlackICE regards it as an unknown application This protects you from someone maliciously up...

Page 15: ...n when it starts and checks to see if you have authorized the application to run If not Desktop Protector can close the program automatically or alert you depending on the Application Control options you have set Application control is not virus detection Application control is not the same as virus detection Desktop Protector does not search your system for harmful applications Instead Desktop Pr...

Page 16: ...thout your authorization Desktop Protector detects its outbound transmissions and asks you what to do If you recognize the application you can allow it to continue or you can block it If you block it you can have Desktop Protector automatically block the application in the future Example auto update For example some applications include a feature that automatically checks the application provider ...

Page 17: ...k Description 7 10 Critical These are deliberate attacks on your system for the purpose of damaging data extracting data or crashing the system Critical events always trigger protection measures 4 6 Serious These are deliberate attempts to access information on your system without directly damaging anything Some serious events trigger protection measures 1 3 Suspicious These are network activities...

Page 18: ...ttack Unsuccessful Other defenses of your system such as the operating system successfully blocked the intrusion Therefore Desktop Protector did not need to block the event The event did not compromise the system Attack Status Unknown Desktop Protector triggered protection measures as soon as it identified the attack but some attacking packets may have made it through to the computer It is unlikel...

Page 19: ...sktop Protector can capture network traffic attributed to an intrusion and place that information into an evidence file Desktop Protector captures and decodes each packet coming into the system so it can generate files that contain detailed information about the intruder s network traffic To an experienced network engineer evidence files show exactly what the intruder did or attempted to do Becaus...

Page 20: ...r on the Events tab When this happens you can freeze the Events tab and respond to the events at your convenience For information on freezing the Events list see Freezing the Events list on page 49 Deleting events Even if you are filtering out events that are not very risky your events list can grow very long You can delete individual events from the Events tab or you can delete the whole events l...

Page 21: ... provides the background knowledge required for setting up connections between Desktop Protector and ICEcap Manager from your system For more detailed information about using RealSecure Desktop Protector with ICEcap Manager see the RealSecure ICEcap Manager User Guide In this chapter This chapter contains the following topics Topic Page How ICEcap Manager Works With RealSecure Desktop Protector 14...

Page 22: ... allowing modification only to display and event notification preferences However ICEcap administrators can configure groups to allow agents partial local control or almost complete local control The control level can be set only from ICEcap Manager as part of a policy applied to an ICEcap group and pushed to the remote agents in the group An end user cannot choose a control level from the local D...

Page 23: ...local agent is under shared ICEcap Control You can alter any parameters that ICEcap Manager has not explicitly set Local the agent is under shared local control You can override any parameters ICEcap Manager has set Control Level Result Total ICEcap Control ICEcap Manager has complete control over these agents If the local host has the Local Console installed the end user can modify the display an...

Page 24: ... solely responsible for assigning agents to groups Although agents can report a group name ICEcap Manager must authorize that name and make the appropriate assignment The first time an agent reports an event ICEcap Manager assigns the agent to a group by IP address assignment or by group name assignment For more information about this authorization process see the RealSecure ICEcap Manager User Gu...

Page 25: ...ting over the Internet Reporting over the Internet is safe but not without risks Communications from RealSecure agents are encrypted and ICEcap Manager requires an account name and password to submit data Reporting over a VPN VPN connections using the point to point tunneling protocol encrypt packets sent over the Internet adding an additional layer of security between remote systems and ICEcap Ma...

Page 26: ...e only the monitoring and protection engine Remote installations of Desktop Protector must be carried out from ICEcap Manager For additional information about setting up and executing remote installations see the RealSecure ICEcap Manager User Guide Note If a Desktop Protector version already exists on a target system ICEcap Manager does not reinstall Desktop Protector when a remote installation i...

Page 27: ...ese packets through a proxy server Although ICEcap Manager initiates configuration updates and software updates the local agents actually download the files from ICEcap Manager This prevents intruders from pushing unauthorized security settings to agents Note ICEcap Manager does not maintain a link to all the agents on the network Each individual system reports events to the ICEcap server Criteria...

Page 28: ...Chapter 2 Using RealSecure Desktop Protector with ICEcap Manager 20 ...

Page 29: ...e Desktop Protector locally For information about installing Desktop Protector from ICEcap Manager see the RealSecure ICEcap Manager User Guide In this chapter This chapter contains the following topics Topic Page Installing RealSecure Desktop Protector 22 Stopping Desktop Protector 24 Restarting Desktop Protector 26 Uninstalling Desktop Protector 28 ...

Page 30: ... interface Only ICEcap Manager can create and distribute agents without the local user interface known as silent agents For information about installing silent agents see the RealSecure ICEcap Manager User Guide Prerequisites Before you install RealSecure Desktop Protector you must do the following Scan your system for viruses Disable the real time scanning function of any anti virus detection sof...

Page 31: ...er the applicable information If no go to Step 19 14 Enter the fully qualified URL for the ICEcap server Include the port number The default event reporting port is 8082 For example if ICEcap Manager is on a server at the address 192 168 0 101 using event port 8082 enter http 192 168 0 101 8082 Important You can enter the machine name of the ICEcap server but it is preferable to use its IP address...

Page 32: ...BlackICE Application Protection Desktop Protector stops monitoring your system for unauthorized applications and outgoing transmissions Stopping Desktop Protector from the desktop To stop Desktop Protector from the desktop 1 Right click the Desktop Protector icon 2 Select Stop BlackICE Engine Desktop Protector stops monitoring incoming traffic and a red line appears over the Desktop Protector icon...

Page 33: ...ops monitoring your system for unauthorized applications and outgoing transmissions Stopping Desktop Protector from the control panel Windows XP To stop Desktop Protector from the Windows XP control panel 1 Click StartÆSettings ÆControl Panel 2 Double click Performance and Maintenance 3 Double click Administrative Tools 4 Double click Services The Services window appears 5 In the right pane right ...

Page 34: ...he desktop To restart Desktop Protector from the desktop 1 Right click the Desktop Protector icon 2 In the pop up menu select Start BlackICE Engine Desktop Protector resumes monitoring incoming traffic The red line disappears from the Desktop Protector icon 3 Right click the Desktop Protector icon 4 In the pop up menu select Start BlackICE Application Protection Desktop Protector resumes monitorin...

Page 35: ...el 2 Double click Performance and Maintenance 3 Double click Administrative Tools 4 Double click Services The Services window appears 5 In the right pane right click BlackICE and then select ActionÆStart Desktop Protector resumes monitoring incoming traffic The red line disappears from the Desktop Protector icon 6 In the right pane right click RapApp and then select ActionÆStart Desktop Protector ...

Page 36: ... that you want to delete the program files 4 Click Yes The uninstall program asks you if you want to delete the configuration settings that control RealSecure Desktop Protector on this computer 5 Do you intend to reinstall Desktop Protector If yes keep the files that contain settings you will continue to use To keep a file leave its checkbox selected If no clear all the checkboxes You can decide t...

Page 37: ... Desktop Protector from your system Uninstalling Desktop Protector using the agentremove exe utility To remove Desktop Protector using the agentremove utility 1 Locate the agentremove exe file on the ISS CD or in the BlackICE folder on your system drive 2 Double click agentremove exe The system starts the agentremove exe utility 3 Delete the BlackICE directory from your system ...

Page 38: ...Chapter 3 Setting Up RealSecure Desktop Protector 30 ...

Page 39: ...cludes the following topics Topic Page Connecting to ICEcap Manager 32 Setting Your Protection Level 34 Using Adaptive Protection 35 Blocking Intrusions 37 Trusting Intruders 39 Ignoring Events 40 Working with the Application Protection Baseline 42 Configuring Communications Control 46 Controlling Event Notification 48 Back Tracing 50 Collecting Evidence Files 52 Collecting Packet Logs 54 Respondi...

Page 40: ...address or DNS name 6 In the Account Name text box enter ICEcap Manager account name to use when uploading data Refer to your ICEcap Manager documentation for more information about account names The default account name is iceman 7 In the Password text box enter the current ICEcap Manager event password This is the password that Desktop Protector uses to authenticate itself when it reports events...

Page 41: ... the ICEcap server Contact your ICEcap administrator Local or remote precedence ICEcap Manager determines whether the settings on the local computer take precedence over settings received from ICEcap Manager To find out your current precedence 1 On the Main Menu select Tools ÆEdit BlackICE Settings 2 Select the ICEcap tab 3 Click Test Desktop Protector sends a proactive heartbeat to the ICEcap ser...

Page 42: ...n level To set your protection level 1 From the Main Menu select ToolsÆEdit BlackICE SettingsÆFirewall 2 Select a protection level To block all unsolicited inbound traffic select Paranoid To block all unsolicited inbound traffic except for some interactive content on Web sites such as streaming media select Nervous To block only unsolicited network traffic that accesses operating system and networ...

Page 43: ...n your computer connects with your corporate network 1 Click ToolsÆAdvanced Firewall Settings The Advanced Firewall Settings window appears 2 Select the Remote Adaptive Protection tab 3 Under Trusting enter up to five IP addresses included in your corporate network 4 Select the Local Adaptive Protection tab 5 Under Cautious enter up to five IP addresses that your computer may use when connecting t...

Page 44: ...Protector 36 Note This can be a single static IP address or a set of addresses that the conference host provides 6 Click OK Your firewall is configured to switch to Cautious when you connect to your corporate network from your remote location ...

Page 45: ...ck an IP address 1 From the Tools menu select Advanced Firewall Settings The Advanced Firewall Properties window appears 2 Click Add The Add Firewall Entry window appears 3 Type a name for the IP address filter Note This should be the name of the system to block if you know it For example if you are creating a filter to block all port scans from a known intruder use the intruder s computer name fo...

Page 46: ...5 To enter a range of ports use the format 9 999 To close all ports on your computer to communications from a specific IP address select All Ports then go to Blocking an IP address on page 37 Note You cannot use Add Firewall Entry to block or accept all transmissions from all IP addresses through all ports To instruct Desktop Protector to block all unsolicited inbound traffic select the Paranoid p...

Page 47: ...3 From the submenu select one of the following Trust and Accept The BlackICE intrusion detection component ignores all attacks from the intruder and the firewall accepts all communications from the intruder s IP address The intruder is not subjected to any Desktop Protector detection or protection Trust Only The BlackICE intrusion detection component ignores all attacks from the intruder Important...

Page 48: ...t to the list of ignored events on the Detection tab in the BlackICE Settings window Ignore an event type in advance When you know of a potential event but haven t seen that type of event yet and you want Desktop Protector to allow the event you can preemptively ignore the event type For example you may want to ignore future HTTP port scans from your Internet Service Provider Follow these steps 1 ...

Page 49: ...Ignoring Events 41 For more information see The Prompts Tab on page 83 ...

Page 50: ...gerous applications before you update your system s baseline It is a good idea to run your anti virus scan in both normal and safe mode Creating a new baseline To create a new baseline 1 On the Tools menu select Advanced Application Protection Settings The Advanced Application Protection Settings window appears 2 Click the Baseline tab 3 Expand the folder tree 4 Select the folders to include in yo...

Page 51: ...tion Protection component and selected Ask me what to do Desktop Protector alerts you when an unknown application starts For information about how to respond to these alerts see Responding to Application Protection Alerts on page 56 Note To avoid false positives update your application protection baseline every time you install new software Installing a new application can change some helper files...

Page 52: ...t to run you can block it from accessing a network or allow it to access the network Changing application permissions To manage your authorized application files 1 On the Tools menu select Advanced Application Protection Settings 2 Click the Known Applications tab Desktop Protector displays the list of applications it has detected on your system 3 In the Filename column find the name of the applic...

Page 53: ...n feature You must manually enable Application Protection to resume the service Note Stopping the Application Protection component is not the same as disabling it When you stop the Application Protection component it resumes protecting your system when you restart your system If you disable the component it does not restart when you restart your computer To make it available again you must re enab...

Page 54: ...pplication If you installed Desktop Protector in Unattended mode this option is selected by default To have Desktop Protector give you the choice of running or terminating the unauthorized process whenever it tries to contact a network select Prompt before terminating the application This option is selected by default To allow unauthorized processes to run but automatically block them from connect...

Page 55: ...Configuring Communications Control 47 For more information about setting your Communications Control preferences see The Communications Control Tab on page 86 ...

Page 56: ...ear Files The Files to Delete window appears 2 Do one of the following Select Attack list csv to delete all intrusion records from the Events tab For more information about what you are deleting see The Events Tab on page 62 Select Evidence logs to delete all evidence log data For information about what is included in evidence data see Collecting Evidence Files on page 52 Select Packet logs to del...

Page 57: ...on after viewing the list so that Desktop Protector can display new attacks When you restart the computer Desktop Protector resets to an unfrozen state To freeze the Events list From the Main Menu select ViewÆFreeze Showing and hiding columns You can configure the columns that the Events and Intruders tabs display Note Removing a column from the window does not remove the information from that col...

Page 58: ...in the Indirect Trace Threshold box Note The default threshold for an indirect trace is 3 With this setting any event with a severity of 3 or above triggers an indirect back trace 4 Do you want Desktop Protector to query Domain Name Service servers for information about the intruder If yes select DNS lookup If no clear DNS lookup 5 Type the severity level for a direct trace in the Direct Trace Thr...

Page 59: ... two places in the information pane of the Intruder tab in standard text files in the Hosts folder in the directory where Desktop Protector is installed Each file is prefixed with the intruder s IP address Note The severity of the incoming event not the identity of the intruder triggers the back trace For more information about setting your back tracing preferences see The Back Trace Tab on page 7...

Page 60: ...using Windows NT or Windows 2000 Server you can install the Network Monitoring service which includes Network Monitor a decoding application See the Windows NT or Windows 2000 documentation for more information Procedure To collect evidence files 1 From the Main Menu select ToolsÆEdit BlackICE Settings 2 Select the Evidence Log tab 3 Select Logging Enabled 4 In the File prefix box specify the pref...

Page 61: ...Collecting Evidence Files 53 3 Click OK For more information about setting your evidence logging preferences see The Evidence Log Tab on page 74 ...

Page 62: ...an install the Network Monitoring service which includes Network Monitor a decoding application See the Windows NT or Windows 2000 documentation for more information Procedure To collect packet logs 1 From the Main Menu click ToolsÆEdit BlackICE Settings 2 Select the Packet Log tab 3 Select Logging Enabled 4 In the File prefix box specify the prefix for the packet log file names Desktop Protector ...

Page 63: ...Collecting Packet Logs 55 For more information about choosing your packet logging settings see The Packet Log Tab on page 72 ...

Page 64: ... in Install Mode even if you restart This may be necessary for some software installations or updates that continue to install after system reboot When the installation is finished update your system baseline and then disable Install Mode If no go to Step 2 2 Are you certain that this is an application you have authorized If yes click Continue Desktop Protector allows the application to start Tip ...

Page 65: ...o export RealSecure Desktop Protector data into a spreadsheet program or word processor to look at the intrusion activity on your system Procedure To export data 1 Copy or cut the selected information to place it on the clipboard 2 Paste the information into any application that accepts text input ...

Page 66: ...Chapter 4 Configuring RealSecure Desktop Protector 58 ...

Page 67: ...TM Appendixes ...

Page 68: ......

Page 69: ...ibes the operating tabs RealSecure Desktop Protector gathers information and presents it on the Events tab the Intruders tab and the History tab In this appendix This appendix contains the following topics Tab Page The Events Tab 62 The Intruders Tab 65 The History Tab 67 ...

Page 70: ... the latest information about that event Note For more information about filtering the information shown on the Events tab see Filtering the Events List on page 48 Default Events tab columns This table describes the default columns on the Event tab For information about adding optional columns see Showing and hiding columns on page 49 This column Contains this information Severity The severity ico...

Page 71: ...e HTTP Destination Port The TCP UDP port on the local system that was the target of the attempted intrusion Source Port The TCP UDP port on the intruder s system where the event originated Target The NetBIOS WINS name or DNS name of the attacked system the target In most cases this is the local system If Desktop Protector cannot determine a name it shows the target s IP address Target IP The IP ad...

Page 72: ...ly Cut To remove an event intruder combination from the list right click the event intruder combination and then select Cut Copy To copy an event intruder combination to your system s clipboard right click the event intruder combination and then select Copy Delete To remove an event intruder combination from the list right click the event intruder combination and then select Delete Select All To s...

Page 73: ...ity icon is a visual representation of the severity of an event and the response from Desktop Protector For more information see Severity levels on page 12 Blocked State icon The blocked state icon indicates that Desktop Protector is blocking all network traffic from this intruder For information about blocking an intruder see Blocking Intrusions on page 37 Intruder The NetBIOS or DNS name of the ...

Page 74: ...uder and then select Find Print To print the entire contents of the Intruders list right click any intruder and then select Print This command Has this effect Table 14 Intruders tab right click commands This column Contains this information Intruder IP The IP address of the attacking system Severity numeric The highest severity rating attributed to this intruder Table 15 Intruders tab optional col...

Page 75: ...oth graphs as follows Min displays activity over the last 90 minutes Hour displays activity over the last 90 hours Day displays activity over the last 90 days Total in 90 Hours Days Minutes Displays summary statistics for the selected interval as follows Critical displays the number of events rated critical This event type is tracked with a red line on the Events graph Suspicious displays the numb...

Page 76: ...ab buttons This table describes the buttons on the History tab This button Has this effect Close Closes the main Desktop Protector window The detection and protection engine remains active Help Displays the Help Table 19 History tab buttons ...

Page 77: ...ttings on the configuration tabs In this Appendix This appendix contains the following topics Topic Page The Firewall Tab 70 The Packet Log Tab 72 The Evidence Log Tab 74 The Back Trace Tab 76 The Intrusion Detection Tab 77 The ICEcap Tab 78 The Notifications Tab 81 The Prompts Tab 83 The Application Control Tab 84 The Communications Control Tab 86 ...

Page 78: ...ttacks are still reported and logged but not automatically blocked If Auto Blocking is not selected you must manually block intruders to protect your system Allow Internet File Sharing Internet or Windows file sharing allows you to share files with others across the Internet or over a LAN For example you can connect to your system the Internet and upload or download files Clear this check box to d...

Page 79: ...address Note This option modifies the firewall setting for UDP ports 137 and 138 If you select this option Desktop Protector accepts communications on these ports if you disable this option Desktop Protector rejects or blocks communications on these ports Firewall tab buttons This table describes the buttons that appear on the Firewall tab This button Has this effect OK Click to save your changes ...

Page 80: ...version of BlackICE your evidence log files are still stored in C Program Files Network ICE BlackICE Packet log files are encoded as trace files You must have decoding application See the Windows NT or Windows 2000 documentation for more information Packet Log settings This table describes the settings on the Packet Log tab For more information about setting your packet logging preferences see Col...

Page 81: ...et Log tab This button Has this effect OK Click to save your changes and return to the main Desktop Protector window Cancel Click to discard your changes and return to the Desktop Protector window Apply Click to save your changes and keep the current tab open Help Displays the online Help for this tab ...

Page 82: ... not the same as packet logs Packet logs are a capture of all inbound and outbound traffic on the system An evidence file focuses on the traffic associated with specific attacks Evidence Log settings This table describes the available log file settings This setting Has this effect Logging enabled Instructs Desktop Protector to collect evidence files for suspicious events If Desktop Protector is re...

Page 83: ...dence Log tab This button Has this effect OK Click to save your changes and return to the main Desktop Protector window Cancel Click to discard your changes and return to the Desktop Protector window Apply Click to save your changes and keep the current tab open Help Displays the online Help for this tab ...

Page 84: ... a trace of the attack Severity refers to the numeric level of each event The default event severity for the indirect trace threshold is 3 The default event severity for the direct trace threshold is 6 DNS lookup When this option is selected RealSecure Desktop Protector queries available DNS Domain Name Service servers for information about the intruder Note DNS Lookup is enabled by default NetBIO...

Page 85: ...me of the system you want to trust Event name The name of the event type you want to ignore Event ID The standard numerical designation for the event type you want to ignore You can look up the numerical Event ID in the ID field of the Exclude from Reporting dialog This button Has this effect Add Click to open the Exclude from Reporting dialog For information about using the Exclude from Reporting...

Page 86: ...The default account name is iceman Event Password Enter the current ICEcap event password This is the password that Desktop Protector uses to report events to the ICEcap server Group Name The ICEcap group of which the local system is a member for event reporting purposes This group must exist in ICEcap and possess the correct configuration settings to report properly See the RealSecure ICEcap Mana...

Page 87: ...se results appears OK Your computer is communicating normally with ICEcap Manager Authentication Failure The agent was unable to prove its authenticity with the ICEcap server Abort The last attempt to communicate was cut off before it was complete Connection Failure The local agent was unable to connect to ICEcap Manager This setting Has this effect Table 25 ICEcap tab settings ...

Page 88: ...e ICEcap tab This button Has this effect OK Click to save your changes and return to the main Desktop Protector window Cancel Click to discard your changes and return to the Desktop Protector window Apply Click to save your changes and keep the current tab open Help Displays the online Help for this tab ...

Page 89: ...e indicator is triggered only if Desktop Protector is closed or hidden Select the option button that includes the types of events you want the system to trigger an alert for Audible Indicator Enables Desktop Protector to play a wav file when an event is reported The audible alarm is triggered whether the Desktop Protector window is open or closed Select the option button that includes the types of...

Page 90: ...e Notifications tab This button Has this effect OK Click to save your changes and return to the main Desktop Protector window Cancel Click to discard your changes and return to the Desktop Protector window Apply Click to save your changes and keep the current tab open Help Displays the online Help for this tab ...

Page 91: ... cursor hovers over a user interface item Select the option that will give you the level of information you need To show information appropriate to a new user click Beginner To show information useful for a user who is familiar with computers click Intermediate To hide these Tooltips click None By default Beginner is selected Show Prompt When Service Stopped Select this option to have Desktop Prot...

Page 92: ...Files When Protect Agent Files is selected RealSecure Desktop Protector locks the BlackICE program files and the files that contain your known applications list and communications control settings Only Desktop Protector can write to these files More information For more information on how to choose your Application Control options see Working with the Application Protection Baseline on page 42 and...

Page 93: ... Application Control tab This button Has this effect OK Click to save your changes and return to the main Desktop Protector window Cancel Click to discard your changes and return to the Desktop Protector window Apply Click to save your changes and keep the current tab open Help Displays the online Help for this tab ...

Page 94: ...ns Control Settings Your selection of an option on the Communications Control tab determines what Desktop Protector does about all future relevant events You have these choices For information about how to choose an option see Configuring Communications Control on page 46 Communications Control List buttons This table describes the buttons that appear on the Communications Control tab This setting...

Page 95: ...rol Tab 87 Cancel Click to discard your changes and return to the Desktop Protector window Apply Click to save your changes and keep the current tab open Help Displays the online Help for this tab This button Has this effect ...

Page 96: ...Appendix B Configuration Tabs 88 ...

Page 97: ...m entering your system When you block a port Desktop Protector creates a port entry in your firewall that prevents any traffic from entering through that port When you set up adaptive protection Desktop Protector automatically switches protection levels according to the risks associated with the network environment you are in In this Appendix This chapter contains the following topics Topic Page T...

Page 98: ...and all network traffic from that system is rejected Owner Shows who created the firewall entry Entries generated through the Desktop Protector automatic blocking feature display auto Entries created manually from the Desktop Protector user interface show BIgui Address The IP address of the accepted or blocked system If the firewall entry is for a port the word ALL appears Port The accepted or rej...

Page 99: ...nblock Only Removes a blocked address from the firewall Unblock and Accept Changes the blocked addresses firewall setting from Reject to Accept Unblock Accept and Trust Changes the entry s firewall setting from Reject to Accept and then trusts the address or port When trusting the entry the Desktop Protector intrusion detection engine ignores attacks from the address Modify Opens a window that all...

Page 100: ...nnect to a remote system the firewall switches to the Paranoid protection level Nervous When your computer identifies itself with an IP address in any of these fields to connect to a remote system the firewall switches to Nervous Cautious When your computer identifies itself with an IP address in any of these fields to connect to a remote system the firewall switches to Cautious Trusting When your...

Page 101: ...ds triggers the firewall to switch to the Paranoid protection level Nervous A connection with a remote system at an IP address in any of these fields triggers the firewall to switch to Nervous Cautious A connection with a remote system at an IP address in any of these fields triggers the firewall to switch to Cautious Trusting A connection with a remote system at an IP address in any of these fiel...

Page 102: ...ed port Port The port to block or accept This must be a whole value between 1 and 65535 All Ports When selected closes off all ports on your computer to communications from a specific IP address Type The type of address or port If you need to create an entry for multiple types you must create a separate filter for each type Choose from IP TCP UDP Mode The type of firewall setting Choose from Accep...

Page 103: ...rewall Entry dialog buttons The Add Firewall Entry dialog has these buttons This button Has this effect Add Click to create the firewall entry Cancel Closes the window without saving the setting Table 32 Add Firewall Settings dialog buttons ...

Page 104: ...port Port The port to block or accept This must be a whole value between 1 and 65536 All Ports When selected closes off all ports on your computer to communications from a specific IP address Type The type of address or port If you need to create an entry for multiple types you must create a separate filter for each type Choose from IP TCP UDP Mode The type of firewall setting Choose from Accept R...

Page 105: ...rewall Entry dialog buttons The Modify Firewall Entry dialog has these buttons This button Has this effect Add Click to create the firewall entry Cancel Closes the window without saving the setting Table 34 Modify Firewall Settings dialog buttons ...

Page 106: ...Appendix C Advanced Firewall Settings 98 ...

Page 107: ...ring Communications Control on page 46 and The Communications Control Tab on page 86 In this Appendix This Appendix contains the following topics Advanced Application Settings window buttons The Advanced Application Settings window has these buttons Topic Page The Known Applications Tab 101 The Baseline Tab 102 The Checksum Extensions Dialog 103 This button Has this effect Save Changes Click to sa...

Page 108: ...hat kinds of application files Desktop Protector detects For information about how to do this see Adding file types to the baseline on page 44 Find Searches the Filenames column for the text you specify Help menu BlackICE Help Topics Displays the Desktop Protector online Help Online Support Starts your Web browser and points it to a collection of frequently asked questions FAQ about Desktop Protec...

Page 109: ...nformation Filename The name of the application file Click the Filename column header to sort the display by this column Path The location of the application file on your system Application Control To automatically close down the application when it attempts to start select Terminate To let the application run leave the option blank Communications Control To prevent this application from accessing...

Page 110: ... drives and directories RealSecure Desktop Protector has found on your system To see the application files in a directory check the box next to the directory name To view all the application files on a drive check the box next to the drive name The file pane The file pane shows all the application files Desktop Protector has detected on your system To have Desktop Protector search a drive or direc...

Page 111: ...ds these application types dll dynamic link library a collection of resources that enable a program file to do its job drv driver a small program that enables a device or service to work exe executable file containing program instructions ocx special purpose program for functions such as scroll bar movement and window resizing in Windows applications scr screensaver program sys files that control ...

Page 112: ...Appendix D Advanced Application Protection Settings 104 ...

Page 113: ...s Appendix explains how to use the menu options to control the appearance and operation of Desktop Protector features In this Appendix This Appendix contains the following topics Topic Page The File Menu 106 The Edit Menu 107 The View Menu 108 The Tools Menu 109 The Help Menu 110 The System Tray Menu 111 ...

Page 114: ...er 1 On the Events or Intruders tab select an event or intruder 2 Click Print 3 In the Print window choose a printer and the desired number of copies and then click OK For more information about things you can do with Desktop Protector data see Back Tracing on page 50 Exit Exit closes the Desktop Protector user interface The Desktop Protector icon is removed from the task bar when you close the in...

Page 115: ...esktop Protector copies the information to your system s clipboard in comma delimited text format Delete To delete an event or intruder On the Events or Intruders tab click an event or intruder and select Delete from the Edit menu Desktop Protector removes the entry from the list Select All To select all events or intruders On the Events or Intruders tab click an event or intruder and choose Selec...

Page 116: ...he Events list on page 49 Filter by Event Severity Filters the types of attacks that are displayed To filter the types of attacks that are displayed 1 On the Events or Intruders tab select Filter by Event Severity from the View menu 2 Choose the minimum severity level to see reported For information about severity levels see Severity levels on page 12 For more information about filtering Desktop P...

Page 117: ...rol features If Application Protection is already turned off this command is replaced with Start BlackICE Application Protection For more information see Working with the Application Protection Baseline on page 42 Note If this menu item is dimmed ICEcap Manager to which this agent reports has blocked the local user from starting or stopping the Application Protection service Application Protection...

Page 118: ...y asked questions FAQ about Desktop Protector on the ISS Web site WWW ISS NET Starts your Web browser and points it to the ISS Web site www iss net which contains the latest information about RealSecure Desktop Protector and other ISS products About BlackICE Displays your Desktop Protector license key and more information about your Desktop Protector version Support Knowledge Base Starts your brow...

Page 119: ...usion detection functions No incoming traffic is analyzed or blocked If the intrusion detection engine is already stopped this item is replaced with Start BlackICE Engine For more information see Stopping Desktop Protector on page 24 Note If the Stop BlackICE Engine menu item is dimmed ICEcap Manager to which this Desktop Protector installation reports has blocked the local user from starting or s...

Page 120: ...Appendix E The Main Menu 112 ...

Page 121: ... uninstalling 28 blocking addresses 37 events 37 intruders 37 ports 40 c Cautious protection level 3 70 checksum 100 choosing a protection level 34 clearing 48 events 48 109 evidence logs 52 109 packet logs 48 54 109 closing BlackICE 106 collecting evidence of intrusions 52 74 collecting information back tracing 11 evidence logs 11 52 74 packet logs 11 54 72 columns customizing 49 communications c...

Page 122: ...g 11 information collecting 11 72 74 customizing 49 deleting 48 52 54 109 filtering 12 48 108 Informational events 9 Install Mode 56 installation prerequisites 22 installing prerequisites 22 Internet file sharing 34 70 Internet Security Systems technical support viii Web site viii internet service provider 37 intruders blocking 37 trusting 39 Intruders tab 65 Intrusion Detection tab 77 IP addresse...

Page 123: ...cation protection 24 stopping BlackICE 24 from the console 24 from the desktop 24 Windows 2000 control panel 25 Windows NTcontrol panel 24 Windows XP control panel 25 support 100 110 Suspicious events 9 67 sys files 103 t tabs Application Control 84 Back Trace 76 communications control 86 Events 62 Evidence Log 74 Firewall 70 History 67 Intruders 65 Intrusion Detection 77 Notifications 81 Packet L...

Page 124: ...Index 116 ...

Page 125: ... license the rights to the Software that are granted herein ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U S copyright trade secret or patent as a result of the use or distribution of a current unmodified version of the Software but only if ISS is promptly notified in writing of any such suit or clai...

Page 126: ...safe operation including but not limited to aircraft navigation air traffic control systems weapon systems life support systems nuclear facilities or any other applications in which the failure of the Licensed Software could lead to death or personal injury or severe physical or property damage ISS disclaims any implied warranty of fitness for High Risk Use Revised May 14 2002 ...

Reviews:

No comments