Hamlet SEP11 功能介绍.pptVIP

* * * The Symantec Intrusion Prevention Engine is able to do deep packet inspection and is able read the entire Ethernet packet and uses all parts of the packet, including the data portion. This engine supports a high performance signature definition, which is able to use regular expressions. In addition, the Intrusion Prevention Engine is able to apply signatures based on what application is sending or receiving the traffic, as different applications require different signatures. This signature library of known vulnerabilities in each application is maintained on Sygate’s online update server and is updated on a regular basis. Also, using the Sygate Policy Manager customers can create their own signatures or modify signatures created by Sygate. Updating all the Agent’s signature files is quite easy. The updated signature files can be downloaded to any Sygate Policy Manager and then automatically and transparently distributed to every Agent in the next heartbeat, no matter how many Agents are being managed. * * The Symantec Agent adapts its security policy to the type of network connection, such as wireless, Ethernet or VPN, plus the location of the network connection, such as home, an Internet café, or the office. Sygate eliminates rogues that expose the organization to hackers while automating the process, thus enhancing not only protection but also cost effectiveness. Support for the following triggers: - IP address (range or mask) - DNS Server - DHCP Server - WINS Server - Gateway Address - TMP Token Exists (hardware token) - DNS Name Resolves to IP - Policy Manager Connected - Network Connection (wireless, VPN, Ethernet, dialup) * * * Each Engine has two sets of detection modules: Pro-valid = evidence of valid application behavior Pro-malicious = evidence of malicious application behavior Each Detection Module has a weight The weight indicates the importance of the behavioral trait Each process gets 2 scores: Valid Score = measure of how valid the