What is active content?
Active content (also called "mobile
code") is typically a self-contained program delivered
via the Internet that accesses your PC to perform tasks,
often without any approval from the user. Active content
enables Web sites to interact dynamically with visitors,
delivering animation, interactive applications and much
more. When you visit a Web site, small active
content "programs" are most likely downloaded automatically
and executed on your PC.

Active content includes: executables,
ActiveX, Visual Basic Script, JavaScript, Java and
plug-ins.

A common misconception about surfing
the Internet is that you are "going out" to
visit and view other Web sites. In reality, your Web
browser is bringing the site to you, downloading
and running all the content of the page you are viewing
on your local system. Computer users are exposed to
active content every day simply by browsing the Web
to perform research, communicating with associates or
friends, or otherwise accessing the Internet. The danger
with active content is that it runs automatically with
full rights and privileges and can take any action on
a PC. Thus, active content has become a useful technology
used by hackers to break into PCs.

What is malicious code?
There are many varying definitions
of malicious code types, but generally "malicious
code" as a category name consists of viruses, Trojan
horses and worms. These definitions are not mutually
exclusive, as specific attacks can be a combination
of these three types.

What are Viruses?
A virus is a computer program that
copies itself from file to file and typically performs
malicious or nuisance attacks on the infected computer.
Computer viruses are analogous to biological viruses.
A computer virus is a program that copies its code into
one or more larger host programs when it is activated.
When the infected programs are run, the viral code is
executed and the virus replicates.
The vast majority of computer viruses
also carry a payload. This is the damage that they will
do to computers after a designated period of time, and
can range from displaying annoying on-screen messages
to deleting files or erasing hard disks.

What are Worms?
A worm spreads from computer to computer.
It has the ability to replicate itself by sending out
large quantities of unwanted e-mails to contacts listed
in a user's e-mail address book (or by other methods).
In addition to damaging local systems, worms can cause
great problems for networks because of their ability
to send large quantities of e-mails that can overload
and crash servers.

What are Trojan Horses?
A Trojan horse is any program in which
malicious or harmful code is contained inside of what
appears to be a harmless program. Crackers use Trojan
horse programs to delete files, steal passwords, extort
individuals and corporations, or simply to spy on the
behavior of the victim and their PC. Trojan horse programs
are often executable files (.exe extension). Back Orifice
and SubSeven are two well-known Trojan horse remote
access tools that allow hackers to take remote control
of victims' PCs.

What is "First-Strike Security" and how does Finjan technology protect me?
Finjan's First-Strike Security represents
a new way to combat malicious code, including worms,
Trojan horses, malicious Visual Basic Script, JavaScript
and ActiveX programs. First-Strike Security is a proactive
approach that detects and prevents malicious attacks
before they cause damage. A "first strike"
is the first time a new malicious code attack is launched.
Finjan's products use real-time content inspection and
policy-based behavior-monitoring technology that does
not require database updates. Without signature databases
to update, Finjan products provide ongoing security
out of the box. Through its two product lines, SurfinGate
and SurfinShield Corporate, Finjan helps organizations
conduct e-business safely by providing best-of-breed
security tools with unique, patented technologies.

How do Finjan's products differ from traditional anti-virus software?
Traditional software security products
are reactive and rely on databases containing "signatures"
of known malicious code. They do not "actively
monitor" the behavior of programs. This means that
users are left completely vulnerable to new attacks
until a new "signature" is added to the product.
This model worked well for years until the explosion
of the Internet era, where worms can travel the globe
in hours and cause hundreds of millions of dollars in
damage, like the Nimda, SirCam, ILOVEYOU and ExploreZip
worms.

A new proactive approach is required
today to supplement current security products. Finjan
offers products that inspect the content of incoming
code, so even if a known virus is compressed or a new
variant is released, the code's behavior and its actions
are being monitored. This is especially beneficial in
the first few hours of a new attack when companies are
most vulnerable. Finjan monitors the behavior of incoming
files and blocks such actions as deleting files or opening
a network connection. Programs whose behavior during
installation may resemble that of a malicious program
can be "white-listed" and allowed to run.
Finjan's First-Strike Security is the answer to having
a protected system at all times.

Finjan products work well in combination
with anti-virus software as a first line of defense.
Finjan solutions monitor the behavior of new incoming
programs from the Internet and anti-virus products scan
computers for old, known malicious code.
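
The contrast drawn above, as an added illustration that is not Finjan's code or algorithm: a byte-pattern signature stops matching once a sample has been compressed, while a policy applied to observed actions still fires, and a whitelist lets an approved installer through. The sample bytes, signature name, program names, action names and trace are all constructed for this sketch.

```python
import zlib

# Constructed, harmless stand-in for an already-analysed sample (not real malware).
KNOWN_SAMPLE = b"MZ" + b"constructed demo filler " * 4 + b"DEMO_WIPE_ROUTINE_V1"

# Signature database: byte patterns taken from samples the vendor has seen.
SIGNATURES = {"Demo.Trojan.A": b"DEMO_WIPE_ROUTINE_V1"}

# Behaviour policy: the two actions the text names as blocked.
BLOCKED_ACTIONS = {"delete_file", "open_network_connection"}

# Hypothetical whitelist: an installer the administrator has approved.
WHITELIST = {"approved_setup.exe"}


def signature_scan(data: bytes):
    """Return the name of the first signature found in data, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def monitor(program: str, trace):
    """Apply the policy to a trace of (action, target) pairs.

    Returns (action, target, verdict) tuples. A whitelisted program may
    perform actions that would otherwise be blocked.
    """
    verdicts = []
    for action, target in trace:
        blocked = action in BLOCKED_ACTIONS and program not in WHITELIST
        verdicts.append((action, target, "block" if blocked else "allow"))
    return verdicts


def blocked_actions(verdicts):
    """List the actions the policy stopped, in order."""
    return [action for action, _, verdict in verdicts if verdict == "block"]


# The same sample after a compression tool has rewritten its bytes on disk.
PACKED_SAMPLE = zlib.compress(KNOWN_SAMPLE)

# Constructed trace: what the program does when run, however it was packed.
TRACE = [
    ("read_file", "C:\\Docs\\report.doc"),
    ("delete_file", "C:\\Docs\\report.doc"),
    ("open_network_connection", "192.0.2.10:80"),
]

if __name__ == "__main__":
    print("original sample:", signature_scan(KNOWN_SAMPLE))
    print("packed sample:  ", signature_scan(PACKED_SAMPLE))
    print("unknown program:", blocked_actions(monitor("download.exe", TRACE)))
    print("whitelisted:    ", blocked_actions(monitor("approved_setup.exe", TRACE)))
```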

Why do I need Finjan products if I have anti-virus software?
Anti-virus software is adequate at
catching viruses that are defined in its databases.
However, if a new Trojan horse or Internet worm attacks
a user's PC, they will not be protected by anti-virus
software. When a new virus is released it takes hours
for anti-virus companies to formulate a patch and distribute
it to customers. This "lag" time allows thousands
of PCs to be infected and harmed. Finjan proactive security
products can be used as a first line of defense in combination
with reactive anti-virus products to protect against
brand new malicious code attacks.

Can I use Finjan's products with my anti-virus software?
Yes, Finjan products are compatible
with anti-virus products. Finjan products can be deployed
together with anti-virus software, thereby providing
excellent multiple layers of defense from malicious
code attacks.
Because hackers regularly use compression
tools to change and hide known Trojan horses from anti-virus
software, proactive behavior monitoring is the most
effective way to catch and block these types of malicious
programs.

When a Finjan alert appears on my PC, why doesn't it show the name of the malicious code?
Finjan's products use a unique and
sophisticated procedure, known as behavior monitoring,
to block malicious behavior from new and/or unknown
programs. Anti-virus companies use signatures of known
viruses to detect malicious programs; therefore, anti-virus
products can only recognize viruses that have been pre-identified.
Since Finjan's products do not use a signature database
like anti-virus software, the user is alerted to suspicious
program behavior rather than to a specific malicious
program name. Because Finjan's products proactively
monitor behavior without a database of signatures, all
viruses are unknown when they are recognized.

Do Finjan products block all viruses and all forms of malicious code?
No. Finjan focuses on proactive security
for active Web content such as ActiveX, JavaScript,
VB Script, executable files (.exe), Java and other programs
that are downloaded from the Internet. Finjan offers
a very effective complement to existing anti-virus protection
and offers an excellent first line of defense against
new "first-strike" malicious code threats.
Finjan does not look for macro viruses and does not
scan or "clean" systems that are already infected.

Do Finjan products protect users against the latest worms?
Finjan's products do protect users
from Goner, Nimda, ILOVEYOU, Anna Kournikova and SirCam-type
worms, including all of the variants without having
to create a patch for users to download.

What is the real state of the anti-virus industry, in control or fire fighting?
The anti-virus industry is most definitely
in a reactive state. The anti-virus vendors themselves
admit this - their technology and product architecture
were simply not designed for an Internet-connected society
where worms can travel the globe in minutes. Anti-virus
vendors must wait for an attack to surface, spend time
analyzing the code and issue a patch, then hope that
every gateway and desktop product is updated before
any kind of containment can be achieved. In the
meantime, it is typical for unskilled "script kiddies"
to release new variants of the original attack that
slip through the scanning engines of recently updated
anti-virus products. Anti-virus companies are trying
to reduce the time it takes to get database patches
out, but they will always remain late in providing "antidotes"
to corporations and users.

Why doesn't desktop anti-virus software provide adequate protection from malicious Java applets?
Summary: Typical desktop anti-virus
programs are not aware of the Java environment. Rather,
they treat the entire Java environment (including all
applets running within it) as a single program.

Full Explanation: An anti-virus program
monitors the various components of your system and protects
them. The whole Java environment, being an interpreted
environment, looks like a single program to the anti-virus.
Harmful Java applets may take control of the Java environment,
pretend to be a program local to the system, and cause
damage by executing functions allowed for local executables
only. Such a scenario is beyond the detection capability
of the anti-virus, as it cannot properly identify
the source of the operations. An anti-virus program
may still protect the system from a few of the harmful
functions (e.g. it might block alterations to the system's
master boot record), but it will not prevent most of
them (e.g. it will permit copying, deleting, encoding
and transferring most files).

Why do I need Finjan software if I have a firewall?
Firewall software or hardware at a
network gateway protects private networks from network-based
attacks by allowing or blocking network transactions,
but firewalls do not perform content inspection or behavior
monitoring of code. Firewalls are a good line of defense
for networks, but malicious code attacks on PCs can
bypass firewalls very easily via the Web or e-mail.
Finjan products perform sophisticated behavior monitoring
of specific code types, such as ActiveX, JavaScript,
Visual Basic Script, Java and executable files. By monitoring
actual program behavior at the gateway or desktop, Finjan
products can prevent malicious attacks from occurring
on users' PCs.

Why does SurfinGate's setup program report that it cannot find license.txt ("Can not find license.txt")?
Summary: During installation,
an error may appear stating that license.txt cannot
be found. This may indicate that some of SurfinGate's
filenames have been shortened.

Full Explanation: If SurfinGate's
setup program reports that it cannot find the file
license.txt, it may be because some of SurfinGate's
long filenames have been shortened. Please verify that
the following three files can be found in the same folder
as setup.exe: license.txt, evalLicense.txt, and prodLicense.txt.
The license.txt error will appear if these files are
missing or their names have changed. If it appears that
any of the filenames have been altered (for example,
evalli~1.txt instead of evalLicense.txt), it may be
that SurfinGate's install files are on a partition that
does not support long filenames. This can also happen
when SurfinGate is uncompressed by a program that does
not support long filenames. Please make sure that SurfinGate
is located on a partition that supports long filenames
and that a program that supports long filenames (like
WinZip) was used to uncompress the SurfinGate archive.
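
The verification described above can be scripted. This is an added example, not part of SurfinGate's installer; the function names are illustrative, and it recognises only the basic short-name form shown in the text (the first six characters, `~`, a number, and a three-character extension).

```python
import os
import re
import sys

# The three files the text says must sit in the same folder as setup.exe.
EXPECTED = ("license.txt", "evalLicense.txt", "prodLicense.txt")


def short_name_pattern(long_name):
    """Regex for the shortened alias of long_name (e.g. evalli~1.txt).

    Returns None when the name already fits the 8.3 form and would not
    have been shortened (license.txt is such a name).
    """
    stem, ext = os.path.splitext(long_name)
    ext = ext.lstrip(".")
    if len(stem) <= 8 and len(ext) <= 3:
        return None
    suffix = r"\." + re.escape(ext[:3]) if ext else ""
    return re.compile(r"^%s~\d+%s$" % (re.escape(stem[:6]), suffix), re.IGNORECASE)


def check_install_folder(folder):
    """Return {expected name: status} for the folder holding setup.exe.

    Status is 'ok', 'missing', or 'shortened:<name found on disk>'.
    Names are compared case-insensitively, as Windows would.
    """
    present = sorted(os.listdir(folder))
    lowered = {name.lower() for name in present}
    report = {}
    for expected in EXPECTED:
        if expected.lower() in lowered:
            report[expected] = "ok"
            continue
        pattern = short_name_pattern(expected)
        alias = None
        if pattern is not None:
            alias = next((n for n in present if pattern.match(n)), None)
        report[expected] = "shortened:" + alias if alias else "missing"
    return report


if __name__ == "__main__":
    # Usage: python check_license_files.py <folder containing setup.exe>
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in check_install_folder(folder).items():
        print("%-18s %s" % (name, status))
```

A `shortened:` result points to the long-filename problem described above; `missing` means the file is absent under any recognisable name.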

Are there any SurfinGate settings which must be updated when changing the IP address of the server?
Summary: When changing a SurfinGate
server's IP address, it is necessary to update the SurfinGate.cfg
file and restart SurfinGate.

Full Explanation: When SurfinGate
is installed, it stores the server's IP address and
several other parameters in a text file called SurfinGate.cfg.
This file is located in SurfinGate's config directory.
If the server's IP is changed later, SurfinGate.cfg
should be edited to reflect this change.

Please follow the steps below before
changing the IP of a SurfinGate server:
1. From SurfinConsole's Devices Window, select the SurfinGate
   server host, and click the Remove button.
2. Close the Devices window, and exit SurfinConsole.
3. Stop SurfinGate.
   * With the Windows NT version of SurfinGate server, stop
     the Finjan SurfinGate Service from the Services applet
     in Control Panel.
   * With the UNIX version of SurfinGate server, run sfgstop.
4. Open SurfinGate.cfg with a text editor and change
   the value of the gate_ip_address parameter to the server's
   new IP address.
5. Using the appropriate method for your
   operating system, change the server's IP address.
6. Once the IP address change has taken effect at the operating
   system level, restart SurfinGate.
   * With the Windows NT version of SurfinGate server, start
     the Finjan SurfinGate Service from the Services applet
     in Control Panel.
   * With the UNIX version of SurfinGate server, run sfgstart.

What causes SurfinGate's uninstaller to abort with an error indicating that one of SurfinGate's components is running?
Summary: When SurfinGate's
uninstaller is activated while the SurfinGate service
is running, it will return an error message and abort
the uninstallation process. This can be remedied by
stopping the Finjan SurfinGate Server before running
the uninstaller.
Full Explanation: SurfinGate's uninstaller
will not function when the SurfinGate service is started.
Instead, it will return an error message indicating
that one of SurfinGate's components is running. This
is a safety feature to ensure that SurfinGate is not
accidentally uninstalled. To allow the uninstaller to
proceed normally, the SurfinGate service must be stopped.
This can be accomplished by opening Services inside
the Control Panel, highlighting the entry for Finjan
SurfinGate Server, and clicking on the Stop button.
Once the service has stopped, it will be possible to
run SurfinGate's uninstaller.

When running SurfinGate's installer, what causes the error which says, "SurfinGate server or one of its components is running!...(ERROR 407)"?
Summary: When installing a
new version of SurfinGate or when installing SurfinConsole
on the SurfinGate server, it is important to make sure
that the Finjan SurfinGate Server is not already started.
Full Explanation: When running SurfinGate's
setup program on a server where SurfinGate is already
installed (for example, when installing SurfinConsole
on the SurfinGate server), error 407 may appear, indicating
that SurfinGate components are already running on that
machine. This is a safety feature to prevent SurfinGate's
program files from being accidentally overwritten while
the server is running. The setup program will exit after
OK is selected in the error dialog box. To allow the
installer to proceed normally, the SurfinGate service
must be stopped. This can be accomplished by opening
Services inside the Control Panel, highlighting the
entry for Finjan SurfinGate Server, and clicking on
the Stop button. Once the service has stopped, it will
be possible to run SurfinGate's setup program.

Can SurfinGate be evaluated without a key?
Summary: During installation,
the registration window requests a key number. A key
is unnecessary for evaluations.
Full Explanation: SurfinGate can be
evaluated without a key. To evaluate SurfinGate, click
the Register Later button when the registration window
appears. When no key is present, SurfinGate will run
as a 30-day evaluation.

Why would a General Protection Fault occur while installing SurfinGate?
Summary: During installation,
a General Protection Fault warning may appear. This
can happen when old files in the TEMP folder cause conflicts.
Full Explanation: If a General Protection
Fault (GPF) error message appears shortly after starting
SurfinGate's setup program, it is likely that this is
due to conflicts with files left in the TEMP folder
by other software. SurfinGate's InstallShield setup
routine uses the TEMP directory for storage during the
installation process. If SurfinGate's installer encounters
files left behind by programs previously installed with
InstallShield, conflicts may arise and result in a GPF
message. To correct this problem, please restart the
computer and remove all files from the TEMP folder.
If any of these files are important, be sure to back
them up. Once the TEMP folder is empty, run SurfinGate's
setup program again. If the error persists, please try
installing SurfinGate on another computer. Finjan recommends
that SurfinGate be installed on a clean system with
Windows NT 4.0 and Service Pack 4.

Which "host name" should the user supply during SurfinConsole's installation?
Summary: During SurfinConsole's
installation, the user is prompted to enter the host
name of the Primary SurfinGate Server. The user should
supply the Primary SurfinGate Server's Microsoft Networking
computer name (as seen in Network Neighborhood).
Full Explanation: When SurfinConsole's
installer prompts the user for the host name of the
primary SurfinGate server, the user should supply the
SurfinGate server's Microsoft Networking computer name.
This is sometimes referred to as a "NetBIOS name". To
find out the computer name of the SurfinGate server,
please follow the steps below.
1. Log in to the NT machine that is running SurfinGate.
2. Click the Start button.
3. Select Settings.
4. Click on Control Panel.
5. Double-click on the Network icon in the Control
   Panel Window.
The computer name will be displayed on
the General tab of the Network window.

What is a primary SurfinGate server?
Summary: A primary SurfinGate
server is an installation of SurfinGate that also sets
up the database.
Full Explanation: During installation,
the administrator is asked if this installation of SurfinGate
is the primary SurfinGate server. When Yes is selected,
SurfinGate will also set up the database. SurfinGate
requires a database; therefore, the first copy of SurfinGate
installed on a network should always be a primary server.
When installing an additional SurfinGate that will use
a primary server's database, No should be selected when
asked if this is the primary SurfinGate server. After
selecting No, the hostname of the primary server must
be entered so that the secondary server can locate the
central database.

What is the procedure for changing the text and logo that appear in SurfinGate's HTML messages?
Summary: Text can be changed
by editing the HTML files in SurfinGate Server's Data
directory. In order to change the logo, the __Finjan_Substitute_Data_ARAGABALDDEBSS.gif
file in SurfinGate Server's Data directory must be replaced.

Full Explanation: How to replace the Finjan
logo and edit alert messages:
All the relevant files are located in SurfinGate Server's
Data directory.

Editing Messages
The files listed below contain the text of SurfinGate's
HTML messages. All of the plain text in these files
is editable. Please do not edit the placeholder variable
(%custom_message%) for the customized error message
written in the console > Policy management > Alert tab
text box.
* BLACK_LIST_URL_HTML.html
* CF_DENIED_URL.html
* EXECODE_BLOCKED_FOR_USER.html
* PROTOCOL_BLOCKED_FOR_USER.html
* VIRUS_INFECTION_HTML.html

Replacing the Finjan Logo
It is possible to change the image in the substitute
applet or HTML page that SurfinGate sends to the browser:
1. Remove or rename the original GIF file (__Finjan_Substitute_Data_ARAGABALDDEBSS.gif).
2. Place the new GIF in the directory. It must be a
   true GIF file, and it should be approximately the same
   size as the original image.
3. Since the original name
   is hard coded, rename the new GIF as the original one.
4. Restart the SurfinGate server service.
5. Make a request
   to a site where you know there is a violation and check
   if the new image appears.

How do I perform Database Management?
Summary: Finjan SurfinGate
has a DB maintenance tool which will check the integrity
of the database and reduce the number of log entries
in the SurfinGate file SFGDatabase.mdb. We suggest
running this procedure periodically to reduce DB size.
To do this:
1. Open the Console and from the Tools menu
   choose "Database Maintenance".
2. Click "Archive Log"
   to back up the existing log entries to a CSV file and
   clear them from the DB.
3. Stop the Finjan Server (leave
   the Console open).
4. Back on the Console's "Database
   Maintenance", click "General Database Maintenance" to
   check DB integrity and compact it.
5. Then restart
   the Finjan SurfinGate Server.