User Guide
OmniAccess SafeGuard OS Administration Guide
364
Chapter 10: Detecting and Isolating Malware Security Threats
Configuring Malware Controls
The enforcement action the system takes when malware is detected on a host or host
application is controlled by the malware action command. Use this Global Configuration
command to block or unblock traffic.
malware action [none] [block [host | hostapp]]
Syntax Description
host      Blocks the host traffic by IP address.
hostapp   Attempts to block the host application based on the type of service observed on
          the host. If the malware type is DoS or port scanning, or if an anomaly is detected
          on the host, the system blocks the entire host. The action taken is displayed in the
          show malware status command. When three or more application-related events are
          reported, the entire host is blocked.
none      (Default) Does not block traffic and takes no enforcement action. Even when
          malware is detected on a host, the traffic from the host is not dropped or denied
          access.
The malware action can be changed at run time and the changes take effect immediately.
However, if the action is set to none, the malware becomes unblocked but is not cleared.
To clear the malware, use the clear malware command, as described in Clearing Malware
Configurations on page 380.
The following example blocks malware at the application level:
(SafeGuardOS) #configure terminal
(SafeGuardOS) (config) #malware action block hostapp
(SafeGuardOS) (config) #exit
(SafeGuardOS) #
See the following sections to verify the configuration:
■ Displaying Configuration Information on page 114
■ Displaying Malware Actions on page 373
■ Displaying the Contents of the Malware White-List on page 379
Configuring a Malware Remediation Policy
When SafeGuard OS detects that the traffic is classified as malware, the global malware
controls determine whether the traffic is permitted or denied to a host or to the
application. If traffic is permitted, malware remediation policies are not used. If traffic is
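As an added illustration, not code from this guide or from SafeGuard OS, the following Python models the enforcement rules of the malware action command described above: the hostapp escalation to a whole-host block for DoS, port scanning and anomalies or after three application-related events, and the fact that setting the action to none stops blocking without clearing the detection. The malware type names, the per-host event counter and the returned decision strings are assumptions made for the model.

```python
from collections import defaultdict

# Detection classes that the guide says always escalate a 'block hostapp' action to a
# whole-host block. These names are assumptions, not SafeGuard OS identifiers.
HOST_LEVEL_TYPES = {"dos", "port_scan", "anomaly"}
APP_EVENT_THRESHOLD = 3   # "three or more application-related events" -> block the host
VALID_ACTIONS = ("none", "block host", "block hostapp")  # malware action [none] [block [host | hostapp]]


class MalwareEnforcer:
    """Illustrative model of the 'malware action' enforcement rules, not SafeGuard OS code."""

    def __init__(self, action="none"):
        self.app_events = defaultdict(int)  # host -> application-related events reported
        self.detected = set()               # hosts with uncleared malware state
        self.set_action(action)

    def set_action(self, action):
        # Runtime change; takes effect immediately for subsequent decisions.
        if action not in VALID_ACTIONS:
            raise ValueError(f"unsupported malware action: {action!r}")
        self.action = action

    def report(self, host, malware_type, app=None):
        """Record one detection on a host and return the enforcement the current action implies."""
        self.detected.add(host)
        if malware_type not in HOST_LEVEL_TYPES:
            self.app_events[host] += 1
        return self.enforcement(host, malware_type, app)

    def enforcement(self, host, malware_type, app=None):
        if self.action == "none":
            return "none"                    # traffic not dropped, but detection state is kept
        if self.action == "block host":
            return f"block host {host}"      # block the host by IP address
        # 'block hostapp': block only the offending application, except for host-level
        # malware classes or once the per-host application event count reaches three
        if malware_type in HOST_LEVEL_TYPES or self.app_events[host] >= APP_EVENT_THRESHOLD:
            return f"block host {host}"
        return f"block hostapp {host}:{app}"

    def clear(self, host):
        # Model of 'clear malware': only this removes the detection state;
        # setting the action to 'none' unblocks without clearing.
        self.detected.discard(host)
        self.app_events.pop(host, None)
```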