HP BL20p G3 Dual NC370i ProLiant Essentials Intelligent Networking Pack Linux - Page 7

Using Virus Throttle, How Virus Throttle works


Using Virus Throttle 7
Using Virus Throttle

In this section
  How Virus Throttle works ................ 7
  Starting Virus Throttle ................. 7
  Configuring Virus Throttle parameters ... 8
  Monitoring Virus Throttle status ........ 8
  Stopping Virus Throttle ................. 9
  Restarting Virus Throttle ............... 9
  Log and Event File ...................... 10
How Virus Throttle works

Viruses typically spread by connecting to as many different machines as possible. Virus Throttle, a network packet-filtering feature, monitors all outbound connection requests and helps to stop the spread of viruses on your system by detecting abnormal ("virus-like") behavior in the requests. It slows down excessive connection requests to new hosts until you can determine if they are viral in nature and take action.

When you install Virus Throttle on your system, the Virus Throttle iptable_filter and ip_queue modules are loaded and a QUEUE target is created so all connection requests pass through it. The driver maintains a delay queue of connection requests and a list of known hosts that have established connections.

The driver examines all outbound connection requests and determines if the request is for a known host. If known, the request is passed down the protocol stack as a normal request. If the request is unknown, it is added to the delay queue. Periodically, the delay queue is examined, and the oldest request and all other connection requests to that same host are removed and passed down the protocol stack.

A high water mark and low water mark are maintained for the delay queue and are used to determine when "virus-like" behavior is occurring or has stopped.

• When the rate of connection requests exceeds the rate at which the driver removes them from the delay queue, the high water mark of the queue is exceeded, and the driver indicates "virus-like" activity.

• When the rate of connection requests slows so that the number of queue entries falls below the low water mark, the driver indicates that the "virus-like" activity has stopped.

When "virus-like" activity is detected or has stopped, Virus Throttle logs an event. If HP Management agents are installed and configured correctly, a Simple Network Management Protocol (SNMP) trap will be sent.
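The following Python model of the known-host list, delay queue and water-mark logic is added here as an illustration of the behavior described above; it is not HP's driver code, and the water-mark values, host names and request traces are constructed for the example.

```python
from collections import deque

class VirusThrottle:
    """Model of the delay-queue / water-mark scheme described above (constructed, not HP's driver)."""

    def __init__(self, high_water=10, low_water=3):
        self.known_hosts = set()          # hosts with an established connection
        self.delay_queue = deque()        # outbound requests to not-yet-known hosts
        self.high_water = high_water
        self.low_water = low_water
        self.throttling = False
        self.events = []                  # what the driver would log / send as SNMP traps

    def request(self, dst_host):
        """Known host: pass straight down the stack. Unknown host: hold in the delay queue."""
        if dst_host in self.known_hosts:
            return "pass"
        self.delay_queue.append(dst_host)
        if not self.throttling and len(self.delay_queue) > self.high_water:
            self.throttling = True
            self.events.append("virus-like activity detected")
        return "queued"

    def tick(self):
        """Periodic timer: release the oldest request plus every other queued request to that host."""
        if not self.delay_queue:
            return []
        host = self.delay_queue.popleft()
        released = [host] + [h for h in self.delay_queue if h == host]
        self.delay_queue = deque(h for h in self.delay_queue if h != host)
        self.known_hosts.add(host)        # the connection is now established
        if self.throttling and len(self.delay_queue) < self.low_water:
            self.throttling = False
            self.events.append("virus-like activity stopped")
        return released

def run_trace(trace, high_water=10, low_water=3):
    """Replay a trace of ('req', host) / ('tick',) steps; return (passed, queued, events)."""
    vt = VirusThrottle(high_water, low_water)
    passed = queued = 0
    for step in trace:
        if step[0] == "req":
            if vt.request(step[1]) == "pass":
                passed += 1
            else:
                queued += 1
        else:
            vt.tick()
    return passed, queued, vt.events

# Constructed traces: a user revisiting a few hosts vs. a scanner hitting 15 new hosts at once.
NORMAL = [("req", "web"), ("tick",), ("req", "mail"), ("tick",), ("req", "web"),
          ("req", "web"), ("req", "mail"), ("req", "dns"), ("tick",)]
SCAN = [("req", f"10.0.0.{i}") for i in range(1, 16)] + [("tick",)] * 15

if __name__ == "__main__":
    print("normal:", run_trace(NORMAL))
    print("scan:  ", run_trace(SCAN))
```

With these water marks the scan trace crosses the high water mark on the 11th new host and drops below the low water mark after 13 timer ticks, which is when the two events are logged.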
Starting Virus Throttle
By default, Virus Throttle is configured to start on system boot-up. To start Virus Throttle immediately after
installation, run the following command:
# /etc/init.d/hp-vt start