RealSecure Desktop Protector User Guide, Version 3.
Internet Security Systems, Inc.
6303 Barfield Road, Atlanta, Georgia 30328-4233, United States
(404) 236-2600
http://www.iss.net

© Internet Security Systems, Inc. 1999-2002. All rights reserved worldwide. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc. Patents pending.
Contents

Preface . . . . . v
  Overview . . . . . v
  Conventions Used in this Guide . . . . . vii
  Getting Technical Support . . . . .
Appendix A: Operating Tabs . . . . . 61
  Overview . . . . . 61
  The Events Tab . . . . . 62
  The Intruders Tab . . . . . 65
  The History Tab . . . . . 67
Appendix B: Configuration Tabs . . . . .
Preface

Overview

Introduction
This guide is designed to help you use RealSecure Desktop Protector to protect your local system and your network from unwanted intrusions.

Scope
This guide describes the features of RealSecure Desktop Protector and shows you how to use them.
● Chapter 1 explains how Desktop Protector protects your local system from attacks and unwanted intrusions.
● Chapter 2 provides information about using Desktop Protector to help ICEcap Manager manage network-wide security.
Related publications
The following documents are available for download from the Internet Security Systems Web site at www.iss.net.
● For information about working with RealSecure Desktop Protector on a corporate network, see the RealSecure ICEcap Manager User Guide.
● For answers to questions about Desktop Protector, see RealSecure Desktop Protector Frequently Asked Questions.
● For system requirements for Desktop Protector, see System Requirements.
Conventions Used in this Guide

Introduction
This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize.

In procedures
The typographic conventions used in procedures are shown in the following table:
Convention: Bold
What it indicates: An element on the graphical user interface.
Examples: Type the computer's address in the IP Address box. Select the Print check box. Click OK.
Getting Technical Support

Introduction
ISS provides technical support through its Web site and by email or telephone.

The ISS Web site
The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to much of the information you need. You can find frequently asked questions (FAQs), white papers, online documentation, current versions listings, detailed product literature, and the Technical Support Knowledgebase (http://www.iss.
Chapter 1: Introduction to RealSecure Desktop Protector

Overview

Introduction
RealSecure Desktop Protector is a comprehensive security solution that helps you protect your system and your network from the following:
● theft of passwords, credit card information, personal files and more
● computer downtime and system crashes
● hackers using your system to start attacks against other systems
This chapter describes the basic concepts of RealSecure Desktop Protector.
inbound and outbound traffic on your system for suspicious activity. Desktop Protector blocks unauthorized activity without affecting normal traffic.

Intrusion detection
RealSecure Desktop Protector contains an intrusion detection system that alerts you to attacks and blocks threats to your system. Desktop Protector captures information about the attacker and logs suspicious activity, which preserves evidence of the attack.
Protection Levels

Introduction
Protection levels are pre-designed sets of security settings developed for different types of Web use. You can choose to have Desktop Protector block all communications with your system, some communications with your system, or no communications with your system. You can change protection levels at any time.
Adaptive Protection

Introduction
Adaptive Protection automatically adapts each agent's security level according to the type of network connection it is using. For example, you can set Adaptive Protection to use a more restrictive security level when users are logged on over a VPN, and a less restrictive security level when users are logged directly onto the network.
The Desktop Protector Firewall

Introduction
Desktop Protector automatically stops most intrusions according to the protection level you have chosen, but you may still notice activity that isn't explicitly blocked. You can configure the Desktop Protector firewall to increase your protection. You can block intrusions from a particular address, or you can block intrusions that use a particular protocol.
Application Protection

Introduction
BlackICE protects your computer from unknown applications and from applications connecting to a network, such as the Internet.

How the baseline works
First, BlackICE creates a baseline record (also known as a checksum) of the applications installed on your computer. Then it compares that baseline with any application that attempts to launch or to communicate with a network.
Application Control

Introduction
RealSecure Desktop Protector lets you control which applications and related processes can run on your system. Sometimes a program may be installed on your system without your knowledge. Many of these programs are useful or harmless. However, some of these programs can present security risks. They may allow an intruder to locate password information, make the system more vulnerable to future entry, or destroy programs or data on the hard disk.
Communications Control

Introduction
To reduce security risks from potential “Trojan horse” applications on your system, RealSecure Desktop Protector lets you choose which applications or processes can access a network, such as the Internet or a local area network.

How Communications Control works
Desktop Protector tracks all the applications (and related processes) that you authorize to access a network from your system.
Desktop Protector Alerts

Introduction
Your dynamic firewall handles most alerts for you, but you can take additional steps to make its responses even more effective. The information in this topic may help you determine which events merit your attention.

Severity levels
Some network events are more dangerous than others. Desktop Protector assigns each event a numerical rank that reflects the event’s potential risk level, and reports that rank with an icon on the Events tab.
Response levels
Desktop Protector reports how it responded to each event by showing a symbol. The symbol for a response can appear two ways:
● as an icon beside the event
● as a mark over the severity level icon
This table describes Desktop Protector response level icons and overlays:
Icon / Overlay / Description
Attack Blocked: Desktop Protector successfully blocked the attack.
Collecting Information

Introduction
When an intruder attempts to break into your system, RealSecure Desktop Protector can track the intruder’s activities. You can use this information to determine what an intruder did to your computer. This section explains how to gather and use this information.

Back Tracing
Desktop Protector can back trace each intrusion to determine where it originated.
Filtering Information

Introduction
You probably won't need to inspect all the information RealSecure Desktop Protector gathers about the Internet traffic that reaches your system. You can use the configuration tabs to control how much information appears on the information tabs and how often Desktop Protector alerts you to potential risks. You can instruct Desktop Protector to show only events that present risks over a given level.
Chapter 2: Using RealSecure Desktop Protector with ICEcap Manager

Overview

Introduction
RealSecure Desktop Protector interacts with the ICEcap management and reporting console to provide enterprise-wide security monitoring and management. This chapter provides the background knowledge required for setting up connections between Desktop Protector and ICEcap Manager from your system.
How ICEcap Manager Works With RealSecure Desktop Protector

Introduction

Independent operation
ICEcap Manager interacts with agents in two ways:
● Collecting and managing information. As each RealSecure agent detects events, it forwards information about those events to the ICEcap server. ICEcap Manager stores and logs the events for enterprise-wide security reporting and analysis.
● Installing, updating and controlling remote agents.
locally installed. Silent Desktop Protector installations are always completely ICEcap-controlled. For more information about silent agent installations, see the RealSecure ICEcap Manager User Guide. This table summarizes the levels of control ICEcap Manager can exert over an agent.
Control Level / Result
Total ICEcap Control: ICEcap Manager has complete control over these agents.
How ICEcap Manager Handles Information

Introduction
To help organize information, ICEcap Manager categorizes agents and the events they report into accounts and groups. To report an event, a RealSecure agent must be assigned to a group within an ICEcap account.

Accounts
Accounts represent significant divisions or organizational elements within the company.
Transmitting Data to ICEcap Manager

Introduction
Desktop Protector must be able to transmit data across your network to the ICEcap server. Agents can report to the ICEcap server by one of three methods:
● over the Internet
● over a Virtual Private Network
● through a proxy server

Reporting over the Internet
Reporting over the Internet is safe, but not without risks.
Installing Desktop Protector Remotely

Introduction
In addition to managing event information, ICEcap Manager can install Desktop Protector software on remote systems. This can include systems with the Local Console or “silent” installations that include only the monitoring and protection engine. Remote installations of Desktop Protector must be carried out from ICEcap Manager.
Using ICEcap Manager to Control RealSecure Agents

Introduction
ICEcap Manager manages agents by applying policies to groups of agents. Any configuration change made to a group is distributed to all the members of that group. This reduces the effort required to support remotely installed systems.
Chapter 3: Setting Up RealSecure Desktop Protector

Overview

Introduction
This chapter provides instructions for installing and configuring RealSecure Desktop Protector locally. For information about installing Desktop Protector from ICEcap Manager, see the RealSecure ICEcap Manager User Guide.
Installing RealSecure Desktop Protector

Introduction
This topic gives instructions for installing Desktop Protector.

Local or remote installation
You can install RealSecure Desktop Protector locally at your agent computer or remotely from RealSecure ICEcap Manager. In most cases, you should distribute Desktop Protector to network systems from ICEcap Manager. This allows centralized control of configuration.
8. Read the End User License Agreement.
   ■ If you accept the End User License Agreement, click I Accept, and then go to Step 9.
   ■ If you do not accept the End User License Agreement, click I Decline. The setup program exits.
9. Enter the license key provided by your ICEcap administrator. Each agent must have a license key installed. Depending on your ICEcap Manager purchase agreement, you may need to update this key to ensure that the software continues to run.
Stopping Desktop Protector

Introduction
When you quit the Desktop Protector application, Desktop Protector does not stop monitoring your system. To stop Desktop Protector from monitoring for intrusions and to stop protecting your system against unknown or modified applications, you must stop the BlackICE intrusion detection and application protection features.
Note: Stopping Desktop Protector is not the same as removing it.
Stopping Desktop Protector from the control panel (Windows 2000)
To stop Desktop Protector from the Windows 2000 control panel:
1. Click Start → Settings → Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services. The Services window appears.
4. In the right pane, right-click BlackICE, and then select Stop. Desktop Protector stops monitoring incoming traffic and a red line appears over the Desktop Protector icon.
5.
Restarting Desktop Protector

Introduction
You can restart RealSecure Desktop Protector after you have stopped it, or you can let Desktop Protector restart automatically when you restart your computer.
Note: Opening the Desktop Protector window does not make Desktop Protector resume monitoring your system. To restart intrusion protection after stopping it manually, you must follow one of the following procedures or restart your computer.
3. Double-click Services. The Services window appears.
4. In the right pane, right-click BlackICE, and then select Start. Desktop Protector resumes monitoring incoming traffic. The red line disappears from the Desktop Protector icon.
5. In the right pane, right-click RapApp, and then select Start. Desktop Protector resumes monitoring your system for unauthorized applications and outgoing transmissions.
Uninstalling Desktop Protector

Introduction
You can remove Desktop Protector from your computer using the Windows Add/Remove Programs utility or the BlackICE Agentremove utility.
Important: Use the agentremove.exe utility only if you are unable to remove Desktop Protector through the Windows Add/Remove utility. This utility removes the user interface component (blackice.exe), the application protection component (rapapp.
7. Do you want to remove the remaining intrusion files and delete the directory?
   ■ If yes, click Yes.
   ■ If no, click No.
8. Click Finish. The system removes Desktop Protector from your system.

Uninstalling Desktop Protector using the agentremove.exe utility
To remove Desktop Protector using the agentremove utility:
1. Locate the agentremove.exe file on the ISS CD or in the BlackICE folder on your system drive.
2. Double-click agentremove.exe.
Chapter 4: Configuring RealSecure Desktop Protector

Overview

Introduction
This chapter provides the procedures to configure RealSecure Desktop Protector for your specific conditions. These procedures are designed to be performed in sequence.
Connecting to ICEcap Manager

Introduction
RealSecure Desktop Protector interacts with the ICEcap Manager management and reporting console to provide enterprise-wide security monitoring and management. If the ICEcap Manager application has granted local control, you can use the ICEcap tab to manually configure how Desktop Protector reports intrusion information to an ICEcap server.
Local or remote precedence?
■ OK: The local RealSecure agent is successfully exchanging information with ICEcap Manager.
■ Authentication Failure: The agent may have an incorrect account name or password. Re-enter the account, group, and password values and test again. If this error persists, check with your ICEcap administrator that you are using the correct account name, password, and group.
■ Abort: The last attempt to communicate was cut off before it was complete.
Setting Your Protection Level

Introduction
Protection levels are predesigned sets of security settings developed for different types of Web use. You can choose to have Desktop Protector block all communications with your system, some communications with your system, or no communications with your system.
Using Adaptive Protection
You can set up your firewall to switch protection levels automatically when it detects a connection with a remote computer. To do this, choose one of the procedures in this topic.

Setting adaptive protection from inside the corporate network
To switch to the Trusting protection level when your computer connects from inside your corporate network:
1. Click Tools → Advanced Firewall Settings. The Advanced Firewall Settings window appears.
2.
Note: This can be a single static IP address or a set of addresses that the conference host provides.
6. Click OK. Your firewall is configured to switch to Cautious when you connect to your corporate network from your remote location.
Blocking Intrusions

Introduction
Desktop Protector identifies and stops most intrusions according to your preset protection level, but you may still notice activity that isn't explicitly blocked. This topic explains how to handle intrusions from a particular address or intrusions that use a particular protocol.
Caution: Do not block port scans from your own internal network. This may interfere with normal network management procedures.
Blocking a Port
If you don't have a specific intruder in mind but you are concerned about intrusion attempts using a particular Internet protocol, you can block the port that protocol uses. Adding a port entry to your firewall ensures that no traffic from any IP address can enter your system using that port.
To block a port:
1. From the Tools menu, select Advanced Firewall Settings.
2. Click Add. The Add Firewall Entry window appears.
3.
Trusting Intruders

Introduction
When an address is trusted, Desktop Protector assumes all communication from that address is authorized and excludes the address from any intrusion detection. Trusting ensures that Desktop Protector does not block systems whose intrusions may be useful to you. You can choose to trust a system that has already intruded on your computer, or you can identify a potential intruder to trust ahead of time.
Ignoring Events
You can configure RealSecure Desktop Protector to ignore events that are not a threat to your system.
Note: Ignoring an event is different from trusting an intruder. Ignoring disregards certain kinds of events. When an event type is ignored, Desktop Protector does not log any information about events of that type. Trusting excludes an address from intrusion detection. Intrusions from that address are not shown on the Events tab.
For more information, see “The Prompts Tab” on page 83.
Working with the Application Protection Baseline

Introduction
When you install RealSecure Desktop Protector, it creates a baseline record (also known as a checksum) of the applications installed on your computer. Desktop Protector uses this information to prevent any unauthorized applications from running. When Desktop Protector alerts you that an unknown application is starting, you can stop the application or let it run.
3. Repeat for every warning message that appears. The number of messages you see depends on how many files the application runs. BlackICE will not display the warning messages again unless the application changes.

Building your baseline over time
Desktop Protector can learn your application protection preferences as you work. You can have Desktop Protector ask you for a decision on each program as it launches.
To update your baseline as you work:
1.
Adding file types to the baseline
If you know of application files on your system that have different extensions, you can add those extensions before creating your baseline.
To search for additional file types:
1. On the Desktop Protector Tools menu, select Advanced Application Protection Settings.
2. On the Advanced Application Protection Settings window Tools menu, select Checksum Extensions. The Checksum Extensions window appears.
3.
Disabling Application Protection
To permanently prevent Desktop Protector from monitoring your system for unauthorized applications, follow this procedure:
1. On the Tools menu, select Edit BlackICE Settings, and then select the Application Control tab.
2. Clear Enable Application Protection. Desktop Protector disables the Application Protection feature. You must manually enable Application Protection to resume the service.
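The baseline mechanism described in this topic (a checksum record of installed applications, compared against each launch, with a learn-as-you-work mode and a configurable list of checksum extensions) can be modelled in a few dozen lines. The code below is an added example, not ISS code; the extension set, the file names and the file contents are constructed for the demonstration, and the real product's on-disk format is not assumed.

```python
"""Model of an application-protection baseline (added example, not ISS code).

A baseline maps each application file to a checksum. A launch is compared
against it and classified as known (matching checksum), modified (same path,
different checksum) or unknown (not in the baseline). The learn step mirrors
"building your baseline over time": an accepted program is added.
"""
import hashlib
import os
import tempfile

# Assumed default set of "checksum extensions"; the guide says the list can be
# extended before the baseline is built, so the function takes it as a parameter.
DEFAULT_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}


def file_checksum(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, extensions=DEFAULT_EXTENSIONS):
    """Walk root and record a checksum for every file with a listed extension."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in extensions:
                path = os.path.join(dirpath, name)
                baseline[os.path.normcase(path)] = file_checksum(path)
    return baseline


def check_launch(baseline, path):
    """Classify a launch attempt against the baseline."""
    key = os.path.normcase(path)
    if key not in baseline:
        return "unknown"
    if baseline[key] != file_checksum(path):
        return "modified"
    return "known"


def decide(baseline, path, allow_unknown=False):
    """Apply the policy: a known program runs; an unknown or modified one runs
    only if the user accepts it (allow_unknown), and then the baseline learns it.
    Returns (verdict, allowed)."""
    verdict = check_launch(baseline, path)
    if verdict == "known":
        return verdict, True
    if allow_unknown:
        baseline[os.path.normcase(path)] = file_checksum(path)
        return verdict, True
    return verdict, False


def demo():
    """Constructed scenario in a temp dir: take a baseline, then replace one
    binary in place and drop in a program that was never baselined."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "notepad.exe")   # constructed sample files
        lib = os.path.join(root, "helper.dll")
        with open(app, "wb") as f:
            f.write(b"MZ original notepad bytes")
        with open(lib, "wb") as f:
            f.write(b"MZ helper library")
        baseline = build_baseline(root)
        results = {"app_before": check_launch(baseline, app)}
        with open(app, "wb") as f:                # same path, new contents
            f.write(b"MZ replaced notepad bytes")
        results["app_after"] = check_launch(baseline, app)
        new = os.path.join(root, "newtool.exe")   # not present at baseline time
        with open(new, "wb") as f:
            f.write(b"MZ new program")
        results["new_blocked"] = decide(baseline, new)
        results["new_learned"] = decide(baseline, new, allow_unknown=True)
        results["new_after_learn"] = check_launch(baseline, new)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```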
Configuring Communications Control

Introduction
When you set your communications control preferences, you establish a rule for RealSecure Desktop Protector to follow whenever an application tries to access a network without your approval. You have the option of terminating the application or letting it run. If you choose to let it run, you can block its network access or allow it to reach the network.
For more information about setting your Communications Control preferences, see “The Communications Control Tab” on page 86.
Controlling Event Notification

Introduction

Filtering the Events list
You may find that you want regular access to more or less information than RealSecure Desktop Protector shows by default. You can use the Desktop Protector configuration tabs to control the following:
● how much information appears on the Desktop Protector information tabs
● how frequently Desktop Protector alerts you to potential risks
To filter events:
1.
4. Click OK. For more information about setting your notification preferences, see “The Notifications Tab” on page 81.

Freezing the Events list
Freezing the Events list stops Desktop Protector from refreshing the tab information until you unfreeze it. However, freezing does not stop the monitoring, detection, and protection features of Desktop Protector.
Note: Remember to unfreeze the application after viewing the list so that Desktop Protector can display new attacks.
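The three filters the guide describes in “Trusting Intruders”, “Ignoring Events” and this topic behave differently: a trusted address is excluded from detection altogether, an ignored event type (or event/intruder combination) is never logged, and the severity threshold only controls what the Events tab shows. The following added example (not ISS code) models those rules over a constructed event list; it goes slightly beyond the text by accepting CIDR blocks as well as single addresses in the trusted list, and it assumes that below-threshold events are still logged.

```python
"""Model of trusted / ignored / severity filtering (added example, not ISS code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    time: str
    kind: str        # event type, e.g. "TCP port probe"
    severity: int    # numerical risk rank; higher is more dangerous
    intruder: str    # source IP address


@dataclass
class Policy:
    trusted: list = field(default_factory=list)        # addresses or CIDR blocks
    ignored_kinds: set = field(default_factory=set)    # event types ignored everywhere
    ignored_pairs: set = field(default_factory=set)    # (kind, intruder) combinations
    min_severity: int = 0                              # show only events at/above this


def is_trusted(policy, address):
    """True when the address falls inside any trusted address or network."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in policy.trusted)


def classify(policy, ev):
    """Return what happens to one event:
    'trusted' - address excluded from intrusion detection, not detected at all
    'ignored' - event type disregarded, nothing logged
    'hidden'  - logged, but below the display threshold (assumption of this model)
    'shown'   - logged and displayed on the Events tab
    """
    if is_trusted(policy, ev.intruder):
        return "trusted"
    if ev.kind in policy.ignored_kinds or (ev.kind, ev.intruder) in policy.ignored_pairs:
        return "ignored"
    if ev.severity < policy.min_severity:
        return "hidden"
    return "shown"


def apply_policy(policy, events):
    """Split events into what the log keeps and what the tab shows."""
    log, shown = [], []
    for ev in events:
        verdict = classify(policy, ev)
        if verdict in ("hidden", "shown"):
            log.append(ev)
        if verdict == "shown":
            shown.append(ev)
    return log, shown


# Constructed sample events (documentation/example addresses, not real traffic)
SAMPLE_EVENTS = [
    Event("09:00:01", "TCP port probe", 3, "10.0.0.5"),
    Event("09:00:07", "ICMP echo", 1, "203.0.113.7"),
    Event("09:01:12", "TCP port probe", 3, "198.51.100.9"),
    Event("09:01:13", "SMB share probe", 5, "198.51.100.9"),
    Event("09:02:40", "NetBIOS name query", 2, "192.0.2.44"),
]

SAMPLE_POLICY = Policy(
    trusted=["10.0.0.0/24"],                            # internal management subnet
    ignored_kinds={"ICMP echo"},                        # routine pings from the ISP
    ignored_pairs={("TCP port probe", "198.51.100.9")},  # one event/intruder combination
    min_severity=3,
)


def demo():
    """Return the event kinds that are logged and the kinds that are shown."""
    log, shown = apply_policy(SAMPLE_POLICY, SAMPLE_EVENTS)
    return [e.kind for e in log], [e.kind for e in shown]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.time} {ev.intruder:15} {ev.kind:20} -> {classify(SAMPLE_POLICY, ev)}")
```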
Back Tracing

Introduction
RealSecure Desktop Protector can track an intruder’s activities to help you determine what an intruder did to your computer. This topic explains how to gather and use this information.

How does back tracing work?
Back tracing is the process of tracing a network connection to its origin. When somebody connects to your system over a network such as the Internet, your system and the intruder's system exchange packets.
want as much information about the intruder as possible. However, intruders can detect and block a direct trace.

Where is the back tracing information?
Back tracing information appears in two places:
● in the information pane of the Intruder tab
● in standard text files in the Hosts folder in the directory where Desktop Protector is installed. Each file is prefixed with the intruder's IP address.
Collecting Evidence Files

Introduction
RealSecure Desktop Protector can capture network traffic attributed to an intrusion and place that information into an evidence file. Desktop Protector captures and decodes each packet coming into the system, so it can generate files that contain detailed information about the intruder's network traffic.

Where are my evidence files?
Desktop Protector evidence files are stored in the installation directory folder.
3. Click OK. For more information about setting your evidence logging preferences, see “The Evidence Log Tab” on page 74.
Collecting Packet Logs

Introduction
Packet logging records all the packets that enter your system. This can be useful if you need more detailed information than evidence logs contain.

Where are my packet log files?
Desktop Protector packet log files are stored in the installation directory folder.
For more information about choosing your packet logging settings, see “The Packet Log Tab” on page 72.
Responding to Application Protection Alerts

Introduction
Programs can start without your knowledge. The Application Protection component may be triggered when you start a new program through the Start menu or by clicking a shortcut, but it may also be triggered by a program that starts without giving any onscreen indication.
Exporting Desktop Protector Data

Introduction
You may want to export RealSecure Desktop Protector data into a spreadsheet program or word processor to look at the intrusion activity on your system.

Procedure
To export data:
1. Copy or cut the selected information to place it on the clipboard.
2. Paste the information into any application that accepts text input.
Appendixes
Appendix A: Operating Tabs

Overview

Introduction
This appendix describes the operating tabs. RealSecure Desktop Protector gathers information and presents it on the Events tab, the Intruders tab and the History tab.
The Events Tab

Introduction
The Events tab summarizes all intrusion and system events on your computer. The tab columns show the time, type, and severity of an event; the intruder's name and IP address; how Desktop Protector has responded to the event; and other information.

Customizing information
To customize the information on the Events tab, right-click a column header and select Columns. A window appears in which you can add, hide, show, resize, or rearrange columns.
Optional columns on the Events tab
This table describes optional columns that you can add to the Events tab. To add an optional column, right-click any column heading and select Columns...
This column... / Contains this information...
TCP Flags: Data in the packet header specifying the intended treatment of the packet, such as R (reset), P (push), or U (urgent).
Parameter(s): When an intruder is scanning a particular port, this column displays the port numbers scanned.
Shortcut commands on the Events tab
This table describes the commands available by right-clicking an item on the Events tab:
This command... / Has this effect...
Ignore Event: To ignore an event, right-click an event/intruder combination, and then select Ignore Event. Ignoring event types is a useful way to stop Desktop Protector from reporting routine scans from ISPs and network probes.
The Intruders Tab

Introduction
The Intruders tab displays all the information RealSecure Desktop Protector has collected about all the intruders who have initiated events on your system. This information helps you determine the severity and location of each intruder.

Sorting
By default, the intruder list is sorted first in alphabetical order by intruder and then in descending order of severity. Click a column header to sort the list by that column.
This command... / Has this effect...
Find: To search for an intruder in the list, right-click any intruder, and then select Find.
Print: To print the entire contents of the Intruders list, right-click any intruder, and then select Print.
Table 14: Intruders tab right-click commands

Optional columns on the Intruders tab
This table describes the optional columns you can add to the Intruders tab.
The History Tab

Introduction
The History tab graphs network and intrusion activity on your system.
Note: For detailed information about activity on the Events graph, click the graph near the marker that shows the time you are interested in. The Events tab appears, with the intrusion closest to that time highlighted.

History tab options
This table describes the options available on the History tab:
This option... / Has this effect...
Interval
History tab buttons
This table describes the buttons on the History tab:
This button... / Has this effect...
Close: Closes the main Desktop Protector window. The detection and protection engine remains active.
Help: Displays the Help.
Appendix B: Configuration Tabs

Overview

Introduction
You can control some aspects of the way RealSecure Desktop Protector works by changing the settings on the configuration tabs.
The Firewall Tab

Introduction
Use the Firewall tab to choose how tightly Desktop Protector controls access to your system.
Note: If your computer is reporting intrusion events to ICEcap Manager and local configuration editing has been disabled, you cannot set any options on the Firewall tab from the local system.

Protection level settings
You can choose one of these four protection levels:
Level / Description
Paranoid: All ports are blocked to incoming traffic.
Desktop Protector rejects or blocks communications on port 139. On Windows 2000, this setting also affects port 445.
Allow NetBIOS Neighborhood: Select this option to allow your system to appear in the Network Neighborhood of other computers. Clear this option to hide a computer from the Network Neighborhood. Hiding your system does not disable file sharing, but users must locate the computer manually using its IP address.
The Packet Log Tab

Introduction
The Packet Log tab allows you to configure the RealSecure Desktop Protector packet logging features. When packet logging is enabled, Desktop Protector records all the network traffic that passes through your system.

Packet logs or evidence logs?
Because they contain a record of all network traffic, packet logs can grow very large and occupy a lot of disk space.
Packet Log tab buttons
This table describes the buttons that appear on the Packet Log tab.
This button... / Has this effect...
OK: Click to save your changes and return to the main Desktop Protector window.
Cancel: Click to discard your changes and return to the Desktop Protector window.
Apply: Click to save your changes and keep the current tab open.
Help: Displays the online Help for this tab.
The Evidence Log Tab

Introduction
When your system is attacked, RealSecure Desktop Protector can capture evidence files that record network traffic from the intruding system. Evidence files record the specific packet that set off a protection response. This can be a good way to investigate intrusions without using a lot of disk space for records.

Evidence files
Evidence files are located in the installation directory folder.
Evidence Log tab buttons
This table describes the buttons that appear on the Evidence Log tab.

  OK       Click to save your changes and return to the main Desktop Protector window.
  Cancel   Click to discard your changes and return to the Desktop Protector window.
  Apply    Click to save your changes and keep the current tab open.
  Help     Displays the online Help for this tab.
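The difference between the two logs described on the Packet Log and Evidence Log tabs, shown as an added example that is not code from the guide or from Desktop Protector: a toy monitor runs one detection rule over a constructed packet stream and fills both a packet log (every packet) and an evidence log (only the packet that triggered a protection response). The rule (a port sweep: one source touching several distinct local ports within a short window), its threshold and the sample packets are assumptions made for the illustration.

```python
"""Added example: why an evidence log stays small while a packet log grows.

The monitor below is illustrative; the sweep rule and threshold are assumed,
not Desktop Protector's detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src: str        # remote IP address
    dport: int      # local destination port
    payload: bytes


# Constructed sample traffic: ordinary web/mail traffic from 10.0.0.5 and a
# port sweep from 192.0.2.10 (documentation address used as the "intruder").
SAMPLE = [
    Packet(0.0, "10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),
    Packet(0.4, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet(1.0, "192.0.2.10", 21, b""),
    Packet(1.1, "192.0.2.10", 23, b""),
    Packet(1.2, "192.0.2.10", 25, b""),
    Packet(1.3, "192.0.2.10", 80, b""),
    Packet(1.4, "192.0.2.10", 139, b""),
    Packet(2.0, "10.0.0.5", 25, b"HELO example.test\r\n"),
]

SWEEP_PORTS = 5      # distinct ports from one source ...
SWEEP_WINDOW = 2.0   # ... within this many seconds (assumed threshold)


class Monitor:
    def __init__(self, log_packets: bool = True):
        self.log_packets = log_packets
        self.packet_log: list = []        # everything, when packet logging is on
        self.evidence_log: list = []      # (reason, triggering packet) only
        self.blocked: set = set()
        self._seen = defaultdict(list)    # src -> [(ts, dport), ...]

    def inspect(self, pkt: Packet) -> None:
        if self.log_packets:
            self.packet_log.append(pkt)
        if pkt.src in self.blocked:
            return
        hits = self._seen[pkt.src]
        hits.append((pkt.ts, pkt.dport))
        # Forget hits that have fallen out of the sliding window.
        hits[:] = [(t, p) for t, p in hits if pkt.ts - t <= SWEEP_WINDOW]
        if len({p for _, p in hits}) >= SWEEP_PORTS:
            # Protection response: block the source and keep only the packet
            # that set the response off as evidence.
            self.blocked.add(pkt.src)
            self.evidence_log.append(("port sweep", pkt))


def run(packets, log_packets: bool = True) -> Monitor:
    mon = Monitor(log_packets)
    for pkt in packets:
        mon.inspect(pkt)
    return mon


if __name__ == "__main__":
    m = run(SAMPLE)
    print(f"packet log:   {len(m.packet_log)} packets")
    print(f"evidence log: {len(m.evidence_log)} packet(s)")
    for reason, pkt in m.evidence_log:
        print(f"  {reason}: {pkt.src} -> port {pkt.dport} at t={pkt.ts}")
```

With packet logging on, every packet is retained regardless of whether anything was detected; the evidence log holds one entry, the packet on which the sweep threshold was crossed, which is enough to identify the source and the port that tipped it.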
The Back Trace Tab

Introduction
Back tracing is the process of tracing a network connection to its origin. When somebody connects to your system over a network such as the Internet, your system and the intruder's system exchange packets. Before an intruder's packets reach your system, they travel through several routers. RealSecure Desktop Protector can read information from these packets and identify each router the intruder's packets had to travel through. The trace follows the source address carried in the packets; if that address is forged, as it often is in scans and flooding attacks, the route leads to the forged address rather than to the attacker.
The Intrusion Detection Tab

Introduction
The Intrusion Detection tab allows you to control the IP addresses or intrusions the Desktop Protector engine trusts or ignores. For information about trusting and ignoring, see “Trusting Intruders” on page 39 and “Ignoring Events” on page 40.

Intrusion Detection tab columns
This table describes the information that appears in the columns on the Intrusion Detection tab.
The ICEcap Tab

Introduction
The ICEcap tab allows you to manually control how RealSecure Desktop Protector reports intrusion information to an ICEcap server. When ICEcap reporting is enabled, all events are reported to an ICEcap server for enterprise-wide reporting and analysis. For more information, see “Connecting to ICEcap Manager” on page 32.

ICEcap tab features
This table describes the settings you can configure on the ICEcap tab.
  Last Status   Shows the result of RealSecure Desktop Protector’s last attempt to check in with the ICEcap server, at the time displayed in the Time field. One of these results appears:
    • OK: Your computer is communicating normally with ICEcap Manager.
    • Authentication Failure: The agent was unable to prove its authenticity with the ICEcap server.
    • Abort: The last attempt to communicate was cut off before it was complete.
ICEcap tab buttons
This table describes the buttons that appear on the ICEcap tab.

  OK       Click to save your changes and return to the main Desktop Protector window.
  Cancel   Click to discard your changes and return to the Desktop Protector window.
  Apply    Click to save your changes and keep the current tab open.
  Help     Displays the online Help for this tab.
The Notifications Tab

Introduction
The Notifications tab allows you to control some interface and notification functions.

Notification settings
This table describes the settings you can configure on the Notifications tab:

  Event Notification   Desktop Protector alarm preferences control how and when the application notifies you of an event.
  Visible Indicator    Enables the Desktop Protector System Tray icon to flash when an event is reported.
Notifications tab buttons
This table describes the buttons that appear on the Notifications tab.

  OK       Click to save your changes and return to the main Desktop Protector window.
  Cancel   Click to discard your changes and return to the Desktop Protector window.
  Apply    Click to save your changes and keep the current tab open.
  Help     Displays the online Help for this tab.
The Prompts Tab

Introduction
The Prompts tab enables you to choose the level of feedback you want from the RealSecure Desktop Protector user interface.

Prompts tab settings
This table describes the settings on the Prompts tab:

  Show Confirm Dialogs   Select this option to have Desktop Protector prompt for confirmation when you delete items, clear the event list, and make other significant changes to Desktop Protector.
The Application Control Tab

Introduction
Use the Application Control tab to prevent unauthorized applications from starting on your system.

Enable Application Protection
When Enable Application Protection is selected, Desktop Protector monitors your system for unauthorized applications. This option is cleared by default.

Note: Enabling or disabling this feature also enables or disables the Communications Control feature. See “The Communications Control Tab” on page 86.
Application Control tab buttons
This table describes the buttons that appear on the Application Control tab.

  OK       Click to save your changes and return to the main Desktop Protector window.
  Cancel   Click to discard your changes and return to the Desktop Protector window.
  Apply    Click to save your changes and keep the current tab open.
  Help     Displays the online Help for this tab.
The Communications Control Tab

Introduction
Use the Communications Control tab to prevent programs on your system from contacting a network without your knowledge.

Enable Application Protection
When Enable Application Protection is selected, the RealSecure Desktop Protector Application Protection component is running. This option is cleared by default.

Note: Enabling or disabling this feature also enables or disables the Application Control feature.
  Cancel   Click to discard your changes and return to the Desktop Protector window.
  Apply    Click to save your changes and keep the current tab open.
  Help     Displays the online Help for this tab.
Appendix C: Advanced Firewall Settings

Overview

Introduction
You can use the Advanced Firewall Settings window to block intruders or ports or to configure Desktop Protector to dynamically switch protection levels.

In this Appendix
● When you block an intruder, RealSecure Desktop Protector creates an IP address entry in your firewall that prevents all traffic from that IP address from entering your system.
The Firewall Rules Tab

Introduction
Use the IP Address tab to create, modify and delete firewall settings for IP addresses and ports. Add and remove addresses or ports from the firewall list as necessary to modify and protect your system.

Caution: This firewall editor is intended only for users with advanced computer networking experience.

Sorting
Click a column header to sort the list by that column. Click the column header again to reverse the sort order.
Buttons
The following table describes the buttons on the IP Address tab:

  Options   To be notified when Desktop Protector is about to stop blocking an IP address, select Warn Before Block Expires.
  Add       To manually add a new IP address filter or a new port configuration, click Add. The Add Firewall Entry window appears. For information on managing individual IP addresses, see “Blocking Intrusions” on page 37.
The Local Adaptive Protection Tab
Use this tab to configure your firewall to switch protection levels dynamically. When your firewall detects a connection, and your computer is using one of the IP addresses specified on this tab, your firewall automatically switches to the appropriate protection level.
The Remote Adaptive Protection Tab
When your firewall detects a connection with a remote system that is using one of the IP addresses specified on this tab, your firewall automatically switches to the appropriate protection level.
The Add Firewall Entry Dialog

Introduction
Use this dialog to create or change firewall settings that block or accept IP addresses.

Add Firewall Entry dialog settings
The Add Firewall Entry dialog features these fields:

  Name   The descriptive name for the filter. It is a good idea to use the name of the potential intruder or of the protocol or software using the port, such as “SMTP” or “Quake.
Add Firewall Entry dialog buttons
The Add Firewall Entry dialog has these buttons:

  Add      Click to create the firewall entry.
  Cancel   Closes the window without saving the setting.
The Modify Firewall Entry Dialog

Introduction
Use this dialog to change a firewall setting that you have set up previously.

Modify Firewall Entry dialog settings
The Modify Firewall Entry dialog features these fields:

  Name   The descriptive name for the filter. It is a good idea to use the name of the potential intruder or of the protocol or software using the port, such as “SMTP” or “Quake.
Modify Firewall Entry dialog buttons
The Modify Firewall Entry dialog has these buttons:

  Add      Click to create the firewall entry.
  Cancel   Closes the window without saving the setting.
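The behaviour this appendix describes for the firewall list, adaptive protection and the Add/Modify Firewall Entry dialogs, worked through as an added example (not code from the guide or from Desktop Protector): entries that block or accept an IP address or a port, an optional expiry so the "Warn Before Block Expires" option has something to warn about, and a level selector that switches protection according to the local address in use. Only the Paranoid level (all inbound ports blocked) comes from the guide; the "Trusting" level name, the precedence of address entries over port entries, the rule that an explicit accept entry is honoured even under Paranoid, and the network-to-level table are assumptions made for the illustration.

```python
"""Added example: a rule evaluator modelled on the Advanced Firewall Settings.

Illustrative only; level names other than Paranoid, precedence and the
adaptive table are assumptions, not Desktop Protector's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Entry:
    name: str                        # e.g. the intruder, or "SMTP" / "Quake"
    action: str                      # "block" or "accept"
    ip: Optional[str] = None         # address entry (intruder or trusted host)
    port: Optional[int] = None       # port entry (service port)
    expires: Optional[float] = None  # epoch seconds; None = permanent


PARANOID = "Paranoid"   # from the Firewall tab: all inbound ports blocked
TRUSTING = "Trusting"   # assumed name for a permissive level

# Local adaptive protection: the local network the host is on -> level.
# Assumed table: a corporate LAN gets the permissive level, anywhere else
# (dial-up, hotel, home) gets Paranoid.
ADAPTIVE = {
    ip_network("10.0.0.0/8"): TRUSTING,
    ip_network("0.0.0.0/0"): PARANOID,
}


def select_level(local_ip: str) -> str:
    """Pick the protection level for the local address currently in use."""
    addr = ip_address(local_ip)
    # Most specific network wins, so the catch-all /0 is tried last.
    for net, level in sorted(ADAPTIVE.items(), key=lambda kv: -kv[0].prefixlen):
        if addr in net:
            return level
    return PARANOID


def active(entry: Entry, now: float) -> bool:
    return entry.expires is None or entry.expires > now


def expiring_soon(entries, now: float, warn: float = 300.0) -> list:
    """Entries whose block is about to lapse (the Warn Before Block Expires case)."""
    return [e for e in entries
            if e.expires is not None and 0 < e.expires - now <= warn]


def decide(entries, level: str, src_ip: str, dport: int, now: float) -> str:
    """Return 'block' or 'accept' for one inbound packet."""
    src = ip_address(src_ip)
    # 1. Address entries: blocking an intruder stops all traffic from that IP,
    #    whatever the port (assumed to take precedence over port entries).
    for e in entries:
        if active(e, now) and e.ip is not None and src == ip_address(e.ip):
            return e.action
    # 2. Port entries apply to every source.
    for e in entries:
        if active(e, now) and e.port is not None and e.port == dport:
            return e.action
    # 3. No explicit entry: fall back to the protection level.
    return "block" if level == PARANOID else "accept"


if __name__ == "__main__":
    now = 500.0
    rules = [
        Entry("intruder", "block", ip="192.0.2.10", expires=1000.0),  # placeholder IP
        Entry("SMTP", "accept", port=25),
        Entry("Quake", "block", port=27960),
    ]
    level = select_level("10.1.2.3")
    print("level on this network:", level)
    for src, port in [("192.0.2.10", 80), ("198.51.100.7", 25), ("198.51.100.7", 80)]:
        print(f"{src}:{port} -> {decide(rules, level, src, port, now)}")
    print("about to expire:", [e.name for e in expiring_soon(rules, 800.0)])
```

The practitioner's caveat this makes visible: a blocked intruder entry with an expiry silently lapses, so traffic from that address is accepted again once `now` passes `expires`; the warning option exists so that lapse is not a surprise.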
Appendix D: Advanced Application Protection Settings

Overview

Introduction
The Advanced Application Settings window lets you control which applications can start on your system and which applications can connect to a network, such as the Internet.

In this Appendix
● For information about controlling applications on your system, see “Working with the Application Protection Baseline” on page 42 and “The Application Control Tab” on page 84.
Advanced Application Settings window menu commands
The Advanced Application Protection Settings window features these menus:

File menu
  Run Baseline   Executes the choices you have made on the Baseline tab.
  Save Changes   Records the settings you have made on the Known Applications tab.
  Exit           Closes the Advanced Application Protection Settings window without saving any changes.
The Known Applications Tab

Introduction
The Known Applications tab shows the application files Desktop Protector has detected on your system. If an application not on this list attempts to start, Desktop Protector alerts you or automatically closes the application, depending on the options you selected on the Application Control tab.
The Baseline Tab

Introduction
The Baseline tab allows you to control how RealSecure Desktop Protector inspects your system for application files.

The system tree pane
The system tree pane shows the drives and directories RealSecure Desktop Protector has found on your system. To see the application files in a directory, check the box next to the directory name. To view all the application files on a drive, check the box next to the drive name.
The Checksum Extensions Dialog

Introduction
The Checksum Extensions dialog enables you to customize the application file types that RealSecure Desktop Protector lists when it inspects your system. Desktop Protector determines which files are included in the baseline from the file name's extension (the characters after the last period, such as exe). Because the selection is by extension only, an executable renamed to an extension outside this list is not checksummed.
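The baseline mechanism described on the Known Applications, Baseline and Checksum Extensions tabs, worked through as an added example (not the guide's or Desktop Protector's own code): walk the chosen directories, checksum every file whose extension is in the checksum set, and later judge a program that tries to start by whether its path and checksum match the baseline. The extension set, the use of SHA-256, the temporary directory layout and the alert-versus-close policy are assumptions made for the demonstration.

```python
"""Added example: build an application baseline by extension and checksum,
then check a starting program against it. Illustrative only.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed default checksum-extension set; the dialog lets the user edit it.
CHECKSUM_EXTENSIONS = {"exe", "dll", "com", "sys"}


def extension(path: Path) -> str:
    """Characters after the last period, lower-cased; '' if there is none."""
    return path.suffix.lstrip(".").lower()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots, extensions=CHECKSUM_EXTENSIONS) -> dict:
    """Map resolved path -> digest for every application file under roots."""
    baseline = {}
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and extension(p) in extensions:
                baseline[str(p.resolve())] = sha256_file(p)
    return baseline


def check_start(baseline: dict, path, auto_close: bool = False) -> tuple:
    """Verdict for a program that attempts to start.

    Returns ('allow' | 'alert' | 'close', reason). Unknown and modified files
    are treated the same way; auto_close models the Application Control tab
    option that closes the program instead of only alerting.
    """
    p = Path(path)
    known = baseline.get(str(p.resolve()))
    if known is None:
        return ("close" if auto_close else "alert"), "not in baseline"
    if sha256_file(p) != known:
        return ("close" if auto_close else "alert"), "checksum changed"
    return "allow", "matches baseline"


def demo() -> dict:
    """Constructed scenario in a temporary directory; returns the verdicts."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d) / "bin"
        bin_dir.mkdir()
        app = bin_dir / "app.exe"
        app.write_bytes(b"MZ\x90\x00original build")          # constructed "program"
        (bin_dir / "readme.txt").write_bytes(b"not an application")

        baseline = build_baseline([d])                          # Run Baseline
        out["baseline_size"] = len(baseline)                    # readme.txt is skipped
        out["known"] = check_start(baseline, app)[0]

        dropper = bin_dir / "dropper.exe"                       # appears after the baseline
        dropper.write_bytes(b"MZ\x90\x00arrived later")
        out["unknown"] = check_start(baseline, dropper)[0]
        out["unknown_autoclose"] = check_start(baseline, dropper, auto_close=True)[0]

        app.write_bytes(b"MZ\x90\x00patched in place")         # same path, new content
        out["tampered"] = check_start(baseline, app)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Re-running the baseline after installing software is what turns an "alert" into an "allow"; doing so while an unwanted program is already present would also whitelist it, which is why the baseline should be taken on a clean system.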
Appendix E: The Main Menu

Overview

Introduction
The Main Menu appears above the information tabs. This Appendix explains how to use the menu options to control the appearance and operation of Desktop Protector features.
The File Menu

Introduction
Use the File menu to control the essential operations of RealSecure Desktop Protector.

Print...
Print sends information from Desktop Protector to your default printer. To print information about an event or intruder:
1. On the Events or Intruders tab, select an event or intruder.
2. Click Print.
3. In the Print window, choose a printer and the desired number of copies, and then click OK.
The Edit Menu

Introduction
Use the Edit menu to manipulate the intrusion records that RealSecure Desktop Protector gathers. For more information about ways you can use Desktop Protector data, see “Back Tracing” on page 50.

Cut
To cut an event or intruder:
● On the Events or Intruders tab, click an event or intruder, and then select Cut from the Edit menu.
  ■ Desktop Protector removes the entry from the list.

Copy
The View Menu

Introduction
Use the View menu to choose what items are displayed, and how, on the Events and Intruders lists.

Freeze
Stops Desktop Protector from refreshing the tab information. For more information, see “Freezing the Events list” on page 49.

Filter by Event Severity
Filters the types of attacks that are displayed. To filter the types of attacks that are displayed:
1. On the Events or Intruders tab, select Filter by Event Severity from the View menu.
2.
The Tools Menu

Introduction
The Tools menu enables you to configure the application by editing the settings; edit the Advanced Firewall settings; start or stop the BlackICE engine; clear the event list; or change other preferences.

Edit BlackICE Settings...
Displays the configuration tabs that control the operation of the Desktop Protector engine. For more information, see “Configuration Tabs” on page 69.

Stop BlackICE Engine
Turns off the Desktop Protector intrusion detection engine.
The Help Menu

Introduction
The Help menu offers links to the Help, the ISS Web site, and information about Desktop Protector.

BlackICE Help Topics
Displays the Desktop Protector online Help.

Online Support
Starts your Web browser and points it to a collection of frequently asked questions (FAQ) about Desktop Protector on the ISS Web site.

WWW.ISS.NET
Starts your Web browser and points it to the ISS Web site, www.iss.
The System Tray Menu

Introduction
The system tray menu provides a quick way to access some key Desktop Protector functions. You can see this menu by right-clicking the Desktop Protector icon in the lower right corner of your screen.

View BlackICE Events
Opens the Desktop Protector user interface to the Events list, which displays information about recent intrusions. For more information, see “The Events Tab” on page 62.

Edit BlackICE Settings...
Internet Security Systems, Inc. Software License Agreement

THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING THIS SOFTWARE, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE.
13. No High Risk Use - Licensee acknowledges that the Software is not fault tolerant and is not designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Licensed Software could lead to death or personal injury, or severe physical or property damage.