HP NC326m HP ProLiant Essentials Intelligent Networking Pack - Windows Edition - Page 12

Using Virus Throttle In this section How Virus Throttle works...12 Installing Virus Throttle for Windows...12 Monitoring Virus Throttle status ...13 Virus Throttle Status and Configuration Utility 16 How Virus Throttle works Viruses typically spread by connecting to as many different machines as possible. Virus Throttle is a network packet-filtering feature that monitors all outbound connection requests. Virus Throttle helps to stop the spread of viruses on your system by detecting abnormal "virus like" behavior in the requests. It slows down excessive connection requests to new hosts until you can determine if they are viral in nature and take action. Virus Throttle allows the network infrastructure to stay up and running by slowing traffic on systems that exhibit high connection rates and frequent connections to new hosts. When you install Virus Throttle on your system, the Virus Throttle network NDIS filter driver is inserted into all existing protocol-to-miniport bindings and all network traffic passes through it. Virus Throttle provides TCP and UDP support. The driver maintains a delay queue of connection requests for each instance of the network protocol stack and a list of known hosts that have established connections. The driver examines all outbound connection requests and determines if the request is for a known host. If known, the request is passed down the protocol stack as a normal request. If unknown, the request is added to the delay queue. Periodically, the delay queue is examined and the oldest request is removed and passed down the protocol stack. High and low water marks or pre-set thresholds are maintained for the delay queue and are used to determine when "virus-like" behavior is occurring or has stopped. • High water mark-When the rate of connection requests exceeds the rate of the driver removing them from the delay queue, a high water mark in the queue is exceeded and the driver indicates "virus-like" activity. • Low water mark-When the rate of connection requests drops so that the number of queue entries fall below a low water mark, the driver indicates that the "virus-like" activity has stopped. When "virus-like" activity is detected or has stopped, Virus Throttle sends a Windows Management Instrumentation (WMI) event notification to the administrator. If HP Management agents are installed and configured correctly, a Simple Network Management Protocol (SNMP) trap warning is also sent to the administrator. Installing Virus Throttle for Windows To install Virus Throttle for Windows using the HP component pack executable file: 1. Go to the HP website (http://www.hp.com). Using Virus Throttle 12