virtually take over a system across the network. Other Trojans may be set up to automatically send mail messages or other types of network traffic (including system passwords) while the system owner is unaware of what is occurring.
Note This rule type is not available for UNIX policies. Refer to the Buffer overflow rule information on page 5-16 for similar UNIX functionality.
When the Trojan detection rule is triggered on a system, a Query User pop-up box appears. This box provides text explaining the suspicious system action that is occurring and what the application in question is attempting to do. When prompted, the user must choose one of the following buttons (the button options available for each Trojan rule vary and may include any of the following):
• Yes: Allows the application access to the resource in question. (This option is not available if a password stealing Trojan is detected).
• Yes to all: Allows the application access to all related query user protected resources, with no further queries appearing.
• No: Denies the application access to the resource in question.
• Terminate: This stops the system action in question and terminates the application that triggered the Trojan rule, effectively killing the Trojan program.
Caution In some cases, a Trojan might hide itself in another application, such as Internet Explorer. The application then reported as the Trojan program (for example, Word or Internet Explorer) is a legitimate application on your system. Some Trojans have the ability to present themselves in this manner. Pressing the Terminate button in such cases will kill the legitimate program. However, this may be necessary.
It could be useful, especially in the case of server systems, to use a service restart rule in conjunction with a Trojan rule. This way, if you are forced to press the Terminate button when queried and you subsequently terminate the application in question, a service restart rule will cause the application to automatically restart.
Use the Trojan detection rule in a policy to detect and prevent Trojans from performing malicious acts on individual systems and networks. The included Trojan detection rule lets you enable several different types of Trojan detection.
• Trapping of keystrokes by network applications
(Detect applications that attempt to capture system keystrokes.) If the system in question is unattended, the default response of "No" is automatically taken.
• Injecting code into other applications
(Detect applications that have been marked as downloaded content attempting to write code to space owned by other applications, e.g., injecting a malicious .dll into a privileged process.)
If the system in question is unattended, the default response of "No" is automatically taken.
• Accessing memory owned by other applications
(Detect applications that attempt to interfere with the memory space of other applications or detect Trojans attempting to hide in another executable to escape detection and gain permissions to access other resources.)
If the system in question is unattended, the default response of "No" is automatically taken.
• Stealing local passwords
(Detect applications that attempt to steal local system passwords.) If the system in question is unattended, the default response of "No" is automatically taken.
• Downloading and invoking executable files
(Detect applications that download executables and immediately attempt to execute them. This could be downloaded code as a result of a buffer-overflow attack or an executable downloaded by an application such as an email client or web browser.)
If the system in question is unattended, the default response of "Terminate" is automatically taken.
• Downloading and invoking ActiveX controls
(Detect applications that download ActiveX controls and immediately attempt to execute them.)
If the system in question is unattended, the default response of "No" is automatically taken.
This functionality limits applications from downloading ActiveX controls (signed and unsigned). This type of behavior is generally typical of a web browser, and sites that require the downloading of ActiveX can trigger this rule. But the rule also covers a Trojan scenario in which a malicious application attempts to act like a web browser. Note that this rule may be unnecessary if system web browser settings are configured with a "High" security level that would restrict the downloading of ActiveX controls.
• Accessing system functions from code executing in data or stack space
(This behavior may be symptomatic of a buffer overflow attack and the agent prompts the user if this behavior is detected on the system.)
If the system in question is unattended, the default response of "Terminate" is automatically taken.
– Patterns to be excluded: Use the Wizard from the Event log message in question to exclude a particular pattern when you are seeing buffer overflow events you believe are harmless.
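The check behind the "code executing in data or stack space" detection is a memory-map lookup: does the address a system function was called from lie in a mapping that should never hold code? The following is an added example written for this section; it is not Cisco Security Agent code and the agent's real mechanism is not described on this page. It uses the Linux /proc/<pid>/maps format, and the sample mappings, addresses and function names are constructed for the example.

```python
"""Classify a call-site address by the memory mapping it falls in.

Added example, not product code. A host agent watching for system
functions called from data or stack space needs this test: the caller's
address should be inside an executable, non-writable mapping such as the
program image or a shared library. Stack, heap, .data/.bss and anonymous
buffers are flagged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str      # e.g. "r-xp"
    name: str       # pathname, "[stack]", "[heap]" or "" for anonymous


def parse_maps(text):
    """Parse /proc/<pid>/maps-style text into Mapping records."""
    maps = []
    for line in text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            continue                      # skip blank or malformed lines
        lo, hi = (int(x, 16) for x in fields[0].split("-"))
        name = fields[5] if len(fields) == 6 else ""
        maps.append(Mapping(lo, hi, fields[1], name))
    return maps


def find_mapping(maps, addr):
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None


def classify_call_site(maps, addr):
    """Return (verdict, reason) for the address a system call came from.

    'suspicious' means the caller is in memory that should never hold
    code (stack, heap, non-executable data) or in no mapping at all.
    'review' marks writable-and-executable pages, which are legal but
    unusual enough to deserve a look. 'ok' is a normal code mapping.
    """
    m = find_mapping(maps, addr)
    if m is None:
        return "suspicious", "address is not in any mapping"
    executable = "x" in m.perms
    writable = "w" in m.perms
    where = m.name or "anonymous"
    if m.name in ("[stack]", "[heap]") or not executable:
        return "suspicious", f"code executing from {where} ({m.perms})"
    if writable:
        return "review", f"writable and executable mapping {where}"
    return "ok", f"code in {where} ({m.perms})"


# Constructed sample: a small program with libc, one anonymous rwx page,
# heap and stack. Not captured from a real system.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/mailer
00651000-00652000 r--p 00051000 08:01 1234 /usr/bin/mailer
00652000-00655000 rw-p 00052000 08:01 1234 /usr/bin/mailer
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c3c0000-7f3a1c3c1000 rwxp 00000000 00:00 0
7ffd2e800000-7ffd2e821000 rw-p 00000000 00:00 0 [stack]
"""


def demo():
    """Classify a few constructed caller addresses against SAMPLE_MAPS."""
    maps = parse_maps(SAMPLE_MAPS)
    probes = (0x401000, 0x653000, 0xE10000, 0x7F3A1C3C0800, 0x7FFD2E810000, 0x12345678)
    return {hex(a): classify_call_site(maps, a) for a in probes}


if __name__ == "__main__":
    for addr, (verdict, reason) in demo().items():
        print(f"{addr:>16} {verdict:<10} {reason}")
```

In a real agent the address would come from the return address on the stack at the moment a protected system function is entered; the policy question of whether a "review" verdict should prompt, log or terminate is exactly what the rule options above configure.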
Note If an application is currently not enforcing any ActiveX download or Accessing system functions rules, that application must be restarted for any newly applied ActiveX download or Accessing system functions rules to take effect.
You also have the ability to select specific application classes to exclude from the various Trojan detection types you designate. For example, in some cases, debuggers may perform actions that can be misconstrued as Trojan behavior. Therefore, you would want to create an application class, and select it as an exclusion to one or more Trojan detection features.
Note If you have multiple similar Trojan detection rules, the application class exceptions are combined.
Note Additionally, if you distribute software updates over your network, you would want to exclude that application in the Downloading and invoking executable files Trojan detection rule.
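To make the interaction of the pieces above concrete (the Query User buttons, the "No" or "Terminate" default taken on an unattended system, and the note that application class exceptions of similar rules are combined), here is a small decision model. It is an added example written for this section, not Cisco Security Agent code: the detection type keys, class names, `TrojanRule`, `Event` and `Agent` are all assumptions, and only the defaults and combination behaviour are taken from the text.

```python
"""Toy model of how a Trojan detection rule resolves an action.

Added example, not product code. Unattended defaults and the rule that
class exceptions of similar rules are merged follow the documentation;
everything else (names, data layout) is assumed for illustration.
"""
from dataclasses import dataclass, field

# Response taken automatically when nobody is at the console (from the text).
UNATTENDED_DEFAULT = {
    "keystroke_trapping": "No",
    "code_injection": "No",
    "memory_access": "No",
    "password_stealing": "No",
    "download_invoke_executable": "Terminate",
    "download_invoke_activex": "No",
    "code_in_data_or_stack": "Terminate",
}

QUERY_BUTTONS = ("Yes", "Yes to all", "No", "Terminate")


@dataclass
class TrojanRule:
    detection_types: set                       # which behaviours this rule enables
    excluded_classes: set = field(default_factory=set)   # application class exceptions


@dataclass(frozen=True)
class Event:
    application: str
    detection_type: str
    app_classes: frozenset      # application classes the triggering process belongs to


class Agent:
    def __init__(self, rules, attended=True):
        self.rules = rules
        self.attended = attended
        # (application, detection_type) pairs the user answered "Yes to all" for;
        # no further queries are raised for those.
        self._yes_to_all = set()

    def combined_exclusions(self, detection_type):
        """Union of the class exceptions of every rule covering this type."""
        excluded = set()
        for rule in self.rules:
            if detection_type in rule.detection_types:
                excluded |= rule.excluded_classes
        return excluded

    def decide(self, event, user_response=None):
        """Resolve one triggered behaviour to Yes / No / Terminate.

        user_response is the Query User button pressed; it is ignored when
        the system is unattended, where the documented default applies.
        """
        if not any(event.detection_type in r.detection_types for r in self.rules):
            return "not monitored"
        if event.app_classes & self.combined_exclusions(event.detection_type):
            return "excluded"
        if (event.application, event.detection_type) in self._yes_to_all:
            return "Yes"
        if not self.attended:
            return UNATTENDED_DEFAULT[event.detection_type]
        if user_response not in QUERY_BUTTONS:
            raise ValueError(f"unknown response {user_response!r}")
        if user_response == "Yes" and event.detection_type == "password_stealing":
            raise ValueError("Yes is not offered for a password stealing Trojan")
        if user_response == "Yes to all":
            self._yes_to_all.add((event.application, event.detection_type))
            return "Yes"
        return user_response


if __name__ == "__main__":
    # Two similar rules: their debugger / backup-agent exceptions are merged.
    rules = [TrojanRule({"code_injection", "memory_access"}, {"debuggers"}),
             TrojanRule({"memory_access"}, {"backup_agents"})]
    server = Agent(rules, attended=False)
    print(server.combined_exclusions("memory_access"))
    print(server.decide(Event("mailer.exe", "memory_access", frozenset())))
```

The model shows why the combination note matters: a class excluded in any one of several overlapping rules is excluded for all of them, so an over-broad exception in one rule silently widens the others.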