Configuring Active Protection for a Shavlik Protect Agent Policy

Important! When enabling Active Protection for use on agent machines, it is strongly recommended that you remove all other antivirus and antispyware programs that may be running on the agent machines. Using multiple threat programs on the same machine may cause serious performance issues.

Active Protection is a real-time service used to detect known and unknown threats before they infect an agent machine. Active Protection sits quietly in the background of a machine and monitors for attempts to change security configuration settings and values. (Attempts to change security settings and values are often an indication that some sort of malware is trying to install itself on the machine.) If it detects an attempt to change a setting, it can respond in a number of different ways, depending on how it is configured. If Active Protection is not enabled, known risks can still be detected if you have implemented a scheduled threat task; they just won't be detected in real time.

You enable and configure Active Protection settings on the Active Protection tab.


Enable Active Protection

To enable the use of Active Protection, enable this check box. Agents with Active Protection enabled will check for updated threat data every few hours.

File access

Enables you to specify when Active Protection will examine individual files on the agent machines.

  • On access, all file types (lower performance): Active Protection will perform a scan whenever a file is touched (executed, moved, copied, loaded, etc.) on the agent machine. If the file is infected the user will be alerted before the infected file has a chance to do damage to the computer. This option applies to preset files, including EXE, INI, HLP, BAT, and others.

While this provides the most complete form of protection, the trade-off is it may slow the agent machine's performance. To counteract this, enable the Limit AP scanning option.

  • Limit AP scanning to only high risk file types (higher performance): You can improve the performance of Active Protection by scanning only those file types that present the highest risk. This is a good compromise solution for those companies seeking a fairly high level of security while maintaining a reasonable level of performance. The list of high risk file types includes the following:

ade, adp, asf, bas, bat, chm, cmd, com, cpl, crt, dll, doc, dot, eml, ex!, ex#, ex$, ex_, exe, exv, hlp, hta, htm, html, inf, ini, ins, isp, js, jse, lnk, mdb, mde, msc, msg, msi, msp, nt, ocx, pcd, pdf, pif, png, pps, ppt, reg, scr, sct, shb, shs, swf, sys, url, vb, vbe, vbs, vxd, wmv, wsc, wsf, wsh, xls, xlt

  • On execute: Active Protection will perform a scan only when a file is executed or a .dll file is loaded.

Reset levels to default

Sets all the AP monitors to Allow. This prevents known malware from executing on the system. All other actions will be allowed without notifying the user.

Set levels to troubleshooting

Sets all the AP monitors to Prompt User For Action. This prevents known malware from executing on the system. For all other actions, the user will be notified whenever a change attempt is made to any of the watched files on their workstation. If the user does not respond to a notification prompt it will eventually time out and the action will be allowed to occur. If the same change attempt happens again a new notification prompt will be issued, even if the user previously allowed the change.

This setting gives the user the most control, but it also requires extensive knowledge of computers. It can also be quite disruptive to the user. For these reasons it should only be enabled:

  • for the most experienced computer users

  • if you are experiencing or expecting malware attacks on the workstations in your organization

  • when troubleshooting a problem

Security level options

Each AP monitor watches over a specific set of files and/or registry components. An AP monitor can be configured to respond in a number of different ways whenever it detects an attempt to change one of its watched files or components. The available security levels are:

  • Allow: Allows change attempts to occur without notifying the user.

  • Allow, Notify User: Allows change attempts to occur, but also issues a message to the user indicating that a change has occurred.

  • Prompt User For Action: Prompts the user for an action whenever a change attempt occurs. The user can either allow or deny the change.

Note: The notifications and prompts will not be displayed if the See an icon in the notification area check box is not enabled on the General Settings tab.

Example: If the Internet Explorer Settings monitor is set to Prompt User For Action, it will report any attempts to change the Internet Explorer settings on the target machine and will allow the user to decide what action to take.

Tip: A common custom setting is to set the Running Programs monitor to Allow and all other monitors to Prompt User For Action.

Internet Explorer Monitors

Internet Explorer Settings: This monitor watches for any changes that are made to Internet Explorer (IE), including its home page, default start page, search preferences, default error pages, and handling of URL prefixes (for example, http://, ftp://, etc.). It also watches for changes to Internet Explorer's security zone settings, digital certificate store, and trusted publishers list. Changes to any of these locations could compromise the security of Internet Explorer, prevent you from accessing legitimate web sites, or redirect you to malicious web sites.

Internet Explorer Security: This monitor watches for the addition of new toolbars, explorer bars, toolbar buttons, and browser helper objects (BHOs, plug-ins) to Internet Explorer. Changes to Internet Explorer settings could compromise some of the more secure settings. This could allow a remote Web site to exploit the target machine, possibly allowing ActiveX controls to be installed with a "drive-by download". Browser security preference settings are the first line of defense in stopping the theft or unwanted viewing of confidential, personal information. The most popular browsers offer the ability to receive an alert or notification when any of the following occurs:

  • Changes between secure and insecure transmission modes.

  • Invalid site certificates (this setting notifies the user when a site's SSL certificate is invalid or has expired, and an invalid certificate will deactivate SSL).

  • A transmission is sent over an "open" or unsecured connection.

  • A forms submittal is redirected (this setting warns if information being submitted on a Web-based form is being sent to a Web site other than the one that is currently being viewed).

Tip: To improve security with IE, you can use IE's more advanced security options. To access these options in IE, select Tools > Internet Options > Advanced tab. Among other choices, the Advanced tab contains a Security section that includes several configuration options pertaining to encrypted communications. Although most of the default settings are acceptable, certain security levels disable the items by default. You should enable these items: Check for publisher's certificate revocation, Check for server certificate revocation (requires restart), Do not save encrypted pages to disk, and Empty Temporary Internet Files folder when browser is closed.

Internet Explorer Programs: This monitor watches for sites being added to or removed from security zones in IE. It also watches for changes to IE's security zone settings, digital certificate store, and trusted publishers list. Changes to any of these locations could compromise the security of IE, prevent a user from accessing legitimate Web sites, or redirect a user to malicious Web sites. This monitor watches for changes that are initiated by unknown programs only, not users.

Note: The Internet Explorer Settings monitor and the Internet Explorer Programs monitor, although similar, monitor different areas of the registry.

Windows Registry Monitors

System Startup Programs: This monitor watches for changes to system startup locations on the disk and in the registry. System startup changes could allow a program or one of its components to start automatically with Windows.

System Policies: This monitor watches for registry changes to system policy settings that could compromise computer security or restrict the user's control of Windows, Internet Explorer, and their computer. Some system policy settings include the Windows task manager, anonymous user access, and Windows update.

Shell Options: This monitor watches for changes in the registry that affect how Windows handles certain file types. These changes could allow a program or one of its components to automatically open certain types of files on the computer or automatically associate it to a file type.

Windows Logon Security: This monitor watches for registry changes to the Windows logon process. These changes could allow a new program or one of its components to start automatically with Windows and compromise the security of your computer.

Windows System Monitors

Active-X Installations: This monitor watches for ActiveX applications that are being downloaded with IE. ActiveX applications are programs that are downloaded from Web sites and stored on the computer.

These programs are stored in C:\Windows\Downloaded Program Files. They are also referenced in the registry by their CLSID (the long string of numbers between curly braces). IE regularly uses many legitimate ActiveX applications. Most ActiveX applications can be deleted from a computer without problem, because they can be downloaded again.

Many of the current security vulnerabilities that exist in Microsoft's IE Web browser exist in the service called "active scripting". Active scripts are programs written in JavaScript, or sometimes Microsoft's VBScript and ActiveX. Active scripting can install spyware on your computer; this method is known as "drive-by downloading". While it is possible to disable active scripting completely, there are legitimate sites for which you want active scripting enabled.

For example, http://windowsupdate.microsoft.com (Windows Update Service) uses active scripting, as do many other legitimate Web sites. There may be Webmail sites that use active scripting. Some sites with high amounts of content, such as CNN's news site, can also make heavy use of scripts. Online commerce sites such as CDW and PC Connection also use scripts in their sites. Fortunately, IE's design includes a way to identify "trusted sites". That is, it is possible to disable active scripting on a general basis, but enable it for sites that are viewed routinely, such as Webmail or online commerce sites.

Configuration (.INI) File: This monitor watches for changes to key Windows .INI files and their equivalent registry storage locations. Changes to an .INI file or its equivalent registry location could allow a new program or one of its components to start automatically with Windows.

Context Menu Handlers: This monitor watches for changes to the commands or options that appear on the right-click context menus for certain files and other items in Windows.

Internet Host Names: This monitor watches for changes to the Windows HOSTS file (C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS), which translates Internet host names (for example, www.example.com) to the IP addresses (for example, 64.236.16.116) that Internet programs actually use to access sites online. Changes to the HOSTS file could prevent a user from reaching legitimate Web sites or redirect users to malicious Web sites.
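As an added example (not part of Shavlik Protect or this help page), the following Python script performs the kind of comparison the Internet Host Names monitor describes: it diffs a known-good HOSTS snapshot against the current one and classifies each new mapping as a block (loopback or 0.0.0.0 sinkhole) or a redirect to another address. The hostnames and addresses in the two snapshots are constructed sample data.

```python
# Added example (not Shavlik Protect code): the kind of check the Internet Host
# Names monitor performs, run on constructed sample text rather than the real
# C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.
import ipaddress

def parse_hosts(text):
    """Return the set of (hostname, ip) pairs in HOSTS text, ignoring comments."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            ip, *names = line.split()
            entries.update((name.lower(), ip) for name in names)
    return entries

def classify(ip):
    """Effect of mapping a host to ip: 'block' (sinkhole), 'redirect', or 'invalid'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "block" if addr.is_loopback or addr.is_unspecified else "redirect"

def hosts_changes(baseline_text, current_text):
    """List (kind, hostname, ip, effect) differences between two HOSTS snapshots."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    base_names = {name for name, _ in base}
    cur_names = {name for name, _ in cur}
    findings = []
    for name, ip in sorted(cur - base):        # new or re-pointed mappings
        kind = "changed" if name in base_names else "added"
        findings.append((kind, name, ip, classify(ip)))
    for name, ip in sorted(base - cur):        # mappings that disappeared entirely
        if name not in cur_names:
            findings.append(("removed", name, ip, "none"))
    return findings

# Constructed sample snapshots (documentation and private address ranges only).
BASELINE = """# baseline captured at policy rollout
127.0.0.1\tlocalhost
::1\tlocalhost
10.0.0.5\tintranet.corp.example
10.0.0.6\tprintserver.corp.example
"""
CURRENT = """127.0.0.1\tlocalhost
::1\tlocalhost
198.51.100.23\tintranet.corp.example    # re-pointed to an outside address
0.0.0.0\twindowsupdate.microsoft.com   # sinkholed: Windows Update unreachable
"""
```

Calling hosts_changes(BASELINE, CURRENT) reports the re-pointed intranet entry as a redirect, the sinkholed Windows Update entry as a block, and the missing print server entry as removed.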

Trojan (Disguised) Files: This monitor watches for the presence of Trojans that attempt to disguise themselves as legitimate Windows system files or that replace legitimate Windows system files with illegitimate versions.

Running Programs: Use with caution! This monitor watches for unknown processes or programs that are attempting to run on your computer. It checks any request to execute a program or load a library onto the machine and compares it against the threat engine database to determine whether it is a known good, a known bad, or an unknown component. It then takes the appropriate action based on the specified preferences. This monitor does not affect programs that are already running when Active Protection is started.

For typical computer use, it's best to have this set to Allow. If you want users to aggressively monitor everything that runs on their computers, set this to Prompt User For Action. But note that users may receive frequent prompts, depending on which programs are installed on their computer.

Save and update Agents

Saves all changes to the policy file and stores it on the console. Also updates any agent machines that are currently assigned this policy as follows:

  • If an agent machine is online and configured to listen for policy updates, the updated policy will be pushed out to that machine immediately.

  • If an agent machine is online but is not configured to listen for policy updates, the updated policy will be pushed out the next time the agent checks in with the console.

  • If an agent machine is not currently online, the updated policy will be pushed out the next time the agent checks in with the console.

The Agent Policy Editor will be closed.

Cancel

Indicates you want to exit the Agent Policy Editor without saving your most recent changes. A "Do you want to save your changes?" prompt will appear that gives you a second chance to save your changes. If you click Yes the policy will be saved and the associated agents updated (the same as Save and Update Agents). If you click No the Agent Policy Editor will be closed without saving your changes.