User Guide
OmniAccess SafeGuard OS Administration Guide
363
Chapter 10: Detecting and Isolating Malware Security Threats
The system uses the following malware algorithms:
■ High Connection Attempts Rate (HCAR) to detect fast worms
■ High Connection Attempts Failures (HCAF) to detect blind worms
■ HCAR/HCAF combination to detect fast and blind worms
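The three heuristics above are described only at a high level, so the following is an added example (not SafeGuard OS code, and not the vendor's algorithm) that models them on a small set of constructed connection records: HCAR counts connection attempts per source host in a sliding window, HCAF counts failed attempts in the same window, and the combination fires when both cross their thresholds. The window length, the two thresholds, the host addresses and the records themselves are all assumptions chosen for illustration.

```python
# Added example: simplified HCAR / HCAF worm heuristics over constructed
# connection-attempt records. Thresholds and window size are assumptions.
from collections import defaultdict

WINDOW_S = 10          # assumed sliding window length in seconds
HCAR_THRESHOLD = 50    # assumed: attempts per window that flags a "fast" worm
HCAF_THRESHOLD = 30    # assumed: failures per window that flags a "blind" worm


def _burst(src, n_attempts, n_fail, t0=0.0, spread_s=8.0):
    """Constructed burst of connection attempts from one source host.

    Produces n_attempts records spread evenly over spread_s seconds, one
    distinct destination each; the first n_fail of them are marked "fail"
    (RST or timeout), the rest "ok" (completed handshake).
    """
    step = spread_s / max(n_attempts - 1, 1)
    return [
        (t0 + i * step, src, f"192.0.2.{i % 256}", 445, "fail" if i < n_fail else "ok")
        for i in range(n_attempts)
    ]


# Constructed sample: (timestamp_s, src_host, dst_ip, dst_port, outcome)
SAMPLE_ATTEMPTS = (
    _burst("10.0.0.5", 60, 10)   # many attempts, mostly succeed: fast worm
    + _burst("10.0.0.6", 40, 35)  # moderate rate, almost all fail: blind worm
    + _burst("10.0.0.7", 80, 70)  # high rate and high failures: both
    + _burst("10.0.0.8", 5, 1)    # ordinary client
)


def window_peaks(events, window_s):
    """Return (max_attempts, max_failures) seen in any sliding window.

    events is a list of (timestamp_s, outcome) for one source host.
    Two-pointer sweep: the window is [t - window_s, t] for each event t.
    """
    events = sorted(events)
    max_att = max_fail = 0
    start = 0
    fails = 0
    for end, (t, outcome) in enumerate(events):
        if outcome == "fail":
            fails += 1
        # Drop events that have fallen out of the window ending at t.
        while events[start][0] < t - window_s:
            if events[start][1] == "fail":
                fails -= 1
            start += 1
        max_att = max(max_att, end - start + 1)
        max_fail = max(max_fail, fails)
    return max_att, max_fail


def classify(max_attempts, max_failures):
    """Map window peaks onto the HCAR / HCAF / combined verdicts."""
    hcar = max_attempts >= HCAR_THRESHOLD
    hcaf = max_failures >= HCAF_THRESHOLD
    if hcar and hcaf:
        return "fast-and-blind worm (HCAR+HCAF)"
    if hcar:
        return "fast worm (HCAR)"
    if hcaf:
        return "blind worm (HCAF)"
    return "clean"


def detect_malware(attempts, window_s=WINDOW_S):
    """Group records by source host and return {host: verdict}."""
    per_host = defaultdict(list)
    for t, src, _dst, _port, outcome in attempts:
        per_host[src].append((t, outcome))
    return {host: classify(*window_peaks(ev, window_s)) for host, ev in per_host.items()}


if __name__ == "__main__":
    for host, verdict in sorted(detect_malware(SAMPLE_ATTEMPTS).items()):
        print(f"{host:<10} {verdict}")
```

On the constructed sample, 10.0.0.5 trips HCAR only, 10.0.0.6 trips HCAF only, 10.0.0.7 trips both, and 10.0.0.8 stays clean. A real deployment would tune the thresholds to the host role (a mail relay legitimately opens many connections) and feed the verdict to policy enforcement, which is what the chapter describes the SafeGuard device doing.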
After malware is detected on the host or host application, the system reports the event to
the policy component for enforcement action. Depending on how the malware policy is
constructed, the system enforces whether the user or application is permitted or blocked.
This chapter provides an overview of the malware detection process and gives
procedures for the commands used to detect and remediate malware.
Configuring Malware Detection
Basic configuration of the malware detection feature on the SafeGuard device requires:
1 Enabling and Disabling Global Malware Detection
2 Configuring Malware Controls
3 Configuring a Malware Remediation Policy
Enabling and Disabling Global Malware Detection
Malware is disabled by default. To enable the malware detection feature, use the Global
Configuration malware detection command:
malware detection [enable | disable]
For example, the following command enables malware detection:
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #malware detection enable
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
To validate the setting, see Displaying the Malware Detection State on page 373.
Syntax Description
enable     Enables malware detection in the SafeGuard device. Detection includes
           malware reporting, logging, and visualization.
disable    (Default) Disables malware detection in the SafeGuard device. Malware
           processing is bypassed.