How access threats are stopped

By enabling or changing the configuration of the Access Protection feature, you can configure anti-spyware protection, anti-virus protection, common protection, and virtual machine protection, and define your own protection rules. The following is the basic process VirusScan Enterprise uses to provide access protection.


Steps taken when a threat occurs

  1. A user or process tries to take an action.
  2. That action is examined by Access Protection according to the defined rules.
  3. When a rule is broken, the action requested by the user or process is handled according to the configured rule. For example, nothing happens, the action is blocked, or the action is blocked and a report is sent.
  4. The Access Protection log file is updated, and an event is generated for the ePolicy Orchestrator Global Administrator.

Example of an access threat

  1. A user downloads a program, MyProgram.exe, from the Internet.
    Note: For this example, MyProgram.exe is not malware.
  2. The user launches the program and it seems to launch as expected.
  3. MyProgram.exe then launches a child process called AnnoyMe.exe and it attempts to modify the operating system to ensure it always loads on startup.
  4. Access Protection processes the request and matches it against an existing rule that is configured to block and report.
  5. AnnoyMe.exe is denied access when it attempts to modify the operating system, Access Protection logs the details of the attempt, and it generates an alert to the ePolicy Orchestrator Global Administrator.
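The following is an added model of the four-step flow described under "Steps taken when a threat occurs", replayed on the AnnoyMe.exe example above. It is not VirusScan Enterprise code: the Rule, AccessRequest and Decision structures, the glob matching on the target path, the per-rule process exclusions, and the "Reported by Access Protection rule" phrase for a report-only match are assumptions made for the illustration (only "Blocked by Access Protection rule" and the rule name come from the page).

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Rule:
    name: str                     # rule label, written to the log when the rule fires
    target_pattern: str           # glob over the registry key or file the request touches
    block: bool                   # deny the action
    report: bool                  # log the attempt and raise an event
    excluded_processes: List[str] = field(default_factory=list)  # assumed per-rule exclusions


@dataclass
class AccessRequest:
    date: str
    time: str
    user: str
    process: str                  # full path of the process making the request
    target: str                   # registry key or file path the process wants to modify


@dataclass
class Decision:
    allowed: bool
    rule: Optional[Rule]          # the rule that matched, or None when nothing matched
    log_line: Optional[str]       # set only when the matched rule reports


def evaluate(request: AccessRequest, rules: List[Rule]) -> Decision:
    """Steps 2-4: examine the request against the rules; the first matching rule decides."""
    process_name = request.process.rsplit("\\", 1)[-1].lower()
    for rule in rules:
        if process_name in (p.lower() for p in rule.excluded_processes):
            continue
        if not fnmatch(request.target.lower(), rule.target_pattern.lower()):
            continue
        allowed = not rule.block
        log_line = None
        if rule.report:
            # "Blocked by Access Protection rule" is the phrase the page shows;
            # the report-only phrase is an assumption for this model.
            action = ("Blocked by Access Protection rule" if rule.block
                      else "Reported by Access Protection rule")
            log_line = " ".join([request.date, request.time, action, request.user,
                                 request.process, request.target, rule.name])
        return Decision(allowed=allowed, rule=rule, log_line=log_line)
    return Decision(allowed=True, rule=None, log_line=None)  # no rule broken: action proceeds silently


# Constructed rule set: one block-and-report rule matching the page's example,
# plus one report-only user-defined rule.
RULES = [
    Rule(
        name="Prevent programs registering to autorun",
        target_pattern=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*",
        block=True,
        report=True,
        excluded_processes=["explorer.exe"],
    ),
    Rule(
        name="Report writes to the user Desktop",
        target_pattern=r"C:\Users\*\Desktop\*",
        block=False,
        report=True,
    ),
]


def annoyme_scenario() -> List[Decision]:
    """Replays the page's example: a downloaded program spawns AnnoyMe.exe, which tries to persist."""
    requests = [
        AccessRequest("2/10/2010", "10:59AM", r"TestDomain\TestUser",
                      r"C:\Users\TestUser\Desktop\MyProgram.exe",
                      r"C:\Users\TestUser\Desktop\AnnoyMe.exe"),
        AccessRequest("2/10/2010", "11:00AM", r"TestDomain\TestUser",
                      r"C:\Users\TestUser\Desktop\AnnoyMe.exe",
                      r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnnoyMe"),
        AccessRequest("2/10/2010", "11:01AM", r"TestDomain\TestUser",
                      r"C:\Windows\explorer.exe",
                      r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sidebar"),
    ]
    return [evaluate(r, RULES) for r in requests]


if __name__ == "__main__":
    for d in annoyme_scenario():
        print("allowed" if d.allowed else "blocked", "|", d.log_line or "(nothing logged)")
```

The first request is allowed but logged (a report-only rule does not interfere with the user's view that the program "launches as expected"), the second is blocked and logged exactly as in the example, and the third shows why exclusions matter: an excluded process writing the same key produces no event at all, so exclusion lists deserve the same review as the rules themselves.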

Log report and alerts generated

This is an example of an Access Protection log entry.

  2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\Run\ Prevent programs registering to autorun  
This table describes the data in the previous Access Protection log entry:

  Log entry                                  Description
  2/10/2010                                  Date
  11:00AM                                    Time
  Blocked by Access Protection rule          Action taken
  TestDomain\TestUser                        Credentials
  C:\Users\TestUser\Desktop\AnnoyMe.exe      Process name that breached the rule
  \REGISTRY\MACHINE\SOFTWARE\Microsoft…      Location the process tried to access
  Prevent programs registering to autorun    Access Protection rule that was triggered
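As an added example (not a VirusScan Enterprise tool), the parser below reads entries in the layout the table describes and summarises them by rule, by account, and by attempts on the autorun keys. It assumes the fields are whitespace-separated in the order date, time, action, user, process, target, rule, that process and target contain no spaces (as in the sample entry), and that "Blocked by Access Protection rule" is the action phrase; the log lines it runs on are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Action phrase as it appears in the page's sample entry. Other phrases your
# logs contain can be added here; the regex anchors on them because the user
# and process fields that follow are otherwise indistinguishable from the action text.
ACTION_PHRASES = ("Blocked by Access Protection rule",)

# Assumed layout (from the sample above): date, time, action, user, process, target, rule.
# Caveat: process and target are taken as single whitespace-free tokens, as in the
# sample; paths containing spaces would need the product's real field delimiter.
_ENTRY = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}(?:AM|PM))\s+"
    r"(?P<action>" + "|".join(re.escape(p) for p in ACTION_PHRASES) + r")\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<process>\S+)\s+"
    r"(?P<target>\S+)\s+"
    r"(?P<rule>.+?)\s*$"
)

AUTORUN_MARKER = r"\currentversion\run"  # substring identifying the Run keys


@dataclass
class LogEntry:
    date: str
    time: str
    action: str
    user: str
    process: str
    target: str
    rule: str

    @property
    def is_autorun(self) -> bool:
        return AUTORUN_MARKER in self.target.lower()


def parse_entry(line: str) -> Optional[LogEntry]:
    """Returns a LogEntry for a well-formed line, or None for anything else."""
    m = _ENTRY.match(line.strip())
    return LogEntry(**m.groupdict()) if m else None


def parse_log(text: str) -> List[LogEntry]:
    """Parses every recognisable entry in a log file and silently skips the rest."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            entries.append(entry)
    return entries


def summarize(entries: List[LogEntry]) -> Dict[str, object]:
    """Counts hits per rule and per account, and lists the autorun persistence attempts."""
    return {
        "by_rule": Counter(e.rule for e in entries),
        "by_user": Counter(e.user for e in entries),
        "autorun_attempts": [(e.time, e.user, e.process) for e in entries if e.is_autorun],
    }


# Constructed sample log: the page's entry, a repeat one minute later, a hit on a
# constructed user-defined rule, and a line that is not an entry at all.
SAMPLE_LOG = r"""
2/10/2010 11:00AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Prevent programs registering to autorun
2/10/2010 11:01AM Blocked by Access Protection rule TestDomain\TestUser C:\Users\TestUser\Desktop\AnnoyMe.exe \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Prevent programs registering to autorun
2/10/2010 11:05AM Blocked by Access Protection rule TestDomain\Admin C:\Temp\tool.exe C:\Windows\System32\drivers\etc\hosts Block hosts file changes
Access Protection service started
"""

if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for rule, n in report["by_rule"].items():
        print(f"{n:3d}  {rule}")
    for when, user, proc in report["autorun_attempts"]:
        print(f"autorun attempt at {when} by {user}: {proc}")
```

Repeated hits from the same process on the same key, as in the first two sample lines, are the pattern worth surfacing: a blocked program usually retries, so counting per rule and per process separates a persistent offender from a one-off installer that tripped a rule once.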

Similar information is available using ePolicy Orchestrator queries. For details, refer to Access queries and dashboards.
