Behavior-Based Features
Email Anomaly Detection
This feature tracks outbound Email delivery behavior and
provides alerts if there is unusual outbound email activity.
The Email Anomaly Detection Engine is based on the specific
behavior of each computer's email activity over a period of
time called the 'Training Period'. This can be set to 7, 14,
or 28 days within the Settings Menu.
In order to initiate training, the 'Enable Detection' checkbox
must be selected. The Anomaly Detection Engine will start
immediately after the end of the training period. You can
also view the training statistics during or after the
training period (see screenshot).

Email Anomaly Detection Alerts
There are several different alerts that may be displayed
based on the type and amount of emails delivered within a
certain period of time. If there is an alert and the nature
of the unusual email activity is unknown, it may be prudent
to select the 'Block delivery' checkbox within the alerts to
make sure there are no worms or viruses causing the activity.
Once the nature of the activity has been determined to be
safe, the 'Block all outbound Email' option should be
deselected from the settings menu or from the Menu Toolbar
(see below).
Allow Delivery
Block Delivery
NOTE: Privatefirewall will display the Tray Alert for 30
seconds. If no action is taken, the alert will expire and
the activity will be Allowed.
Click 'Details/Options' in the Tray Alert to display an
expanded Alert (see below), which contains more detailed
information about the suspicious activity.

System Anomaly Detection
The System Anomaly Detection layer analyzes the normal use
patterns of running applications and generates alerts as it
detects unusual activity. The System Anomaly Detection Engine
applies a sophisticated algorithm to establish a baseline of
normal use based on several system variables such as CPU
utilization, thread count, and others. These variables are
monitored over a specific period of time, called the
'Training Period', which can be set to 7, 14, or 28 days
within the Main Menu (the default period is 7 days). The
'Enable Detection' checkbox must be selected for Training
to be active. Training is enabled by default and commences
immediately upon installation.
User determination regarding each event that generates an
alert is required when the "Require User Approval for Each
Alert" box is selected. An on-screen alert (see below) will
be displayed immediately as potential threats are detected.
The alert provides event details and threat management
options. Tray alerts will not be displayed when this option
is selected.
Sensitivity Threshold: The Privatefirewall System Anomaly
Detection layer generates alerts as it detects system
activity that deviates from normal. The sensitivity that
Privatefirewall applies to system anomaly detection can be
tuned by adjusting the Sensitivity Threshold. Decreasing the
threshold increases the sensitivity, meaning that smaller
deviations will generate alerts. Increasing the threshold
will allow greater variance from normal activity. By default,
the System Anomaly Detection Sensitivity Threshold is set to
60%. In simple terms, activity deviating more than 60% from
normal will generate an alert.
Selecting the Training Statistics button will display the
System behavior data collected during training. These may
be viewed during or after the Training period (see
screenshot).
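
The effect of the Sensitivity Threshold described above, as an added example that is not Privatefirewall's own code. The page does not document the product's algorithm, so the baseline is assumed here to be a plain mean of daily readings with deviation measured relative to it; the class, function and metric names and the sample readings are constructed for illustration.

```python
from statistics import mean

# Constructed sample data: seven daily readings for one application.
TRAINING = [{"cpu_pct": c, "threads": t} for c, t in
            [(4, 12), (5, 12), (6, 13), (5, 12), (4, 11), (6, 12), (5, 12)]]

class AnomalyBaseline:
    """Hypothetical per-application baseline (mean-based model is an assumption)."""

    def __init__(self, training_days=7, threshold_pct=60.0):
        if training_days not in (7, 14, 28):      # periods offered in the settings
            raise ValueError("training period must be 7, 14 or 28 days")
        self.training_days = training_days
        self.threshold_pct = threshold_pct
        self.samples = {}                         # metric -> list of daily values

    def train(self, day_metrics):
        for name, value in day_metrics.items():
            self.samples.setdefault(name, []).append(float(value))

    def trained(self):
        return bool(self.samples) and all(
            len(v) >= self.training_days for v in self.samples.values())

    def check(self, observed):
        """Return {metric: deviation %} for readings beyond the threshold."""
        if not self.trained():
            return {}                             # no alerts until training ends
        alerts = {}
        for name, value in observed.items():
            history = self.samples.get(name)
            if not history:
                continue                          # metric never seen in training
            base = mean(history)
            if base == 0:                         # avoid dividing by a zero baseline
                dev = 0.0 if value == 0 else float("inf")
            else:
                dev = abs(value - base) / base * 100.0
            if dev > self.threshold_pct:
                alerts[name] = round(dev, 1)
        return alerts

def evaluate(threshold_pct, observed, days=TRAINING):
    engine = AnomalyBaseline(training_days=7, threshold_pct=threshold_pct)
    for day in days:
        engine.train(day)
    return engine.check(observed)

if __name__ == "__main__":
    reading = {"cpu_pct": 7.5, "threads": 30}     # constructed observation
    print(evaluate(60, reading))                  # default threshold
    print(evaluate(40, reading))                  # lower threshold, more sensitive
```

At the default 60% threshold only the thread-count reading alerts; lowering the threshold to 40% also flags the CPU reading, which sits 50% above its baseline.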

The Anomaly Detection Engine will start immediately after the
end of the training period, and will generate an alert
whenever there is any activity that is not consistent with
system use patterns established during the training period.
If there is an alert and the nature of the activity is
unknown, it may be prudent to select 'Details/Options' on the
tray alert to see more detailed information.

NOTE: Privatefirewall will display a Tray Alert for 30
seconds. If no action is taken, the alert will expire and the
activity will be Allowed.
Click 'Details/Options' in the Tray Alert to display an
expanded Alert (see below), which contains more detailed
information about the suspicious activity and additional
threat management options. If the 'Require user approval for
each alert' box is checked in the settings menu, the expanded
Alert will appear automatically and no tray alerts will be
displayed. If the ‘Web Search’ link is selected, a search
containing the executable filename ('services.exe' in the
alert below) will be performed in your default browser.
