Damage Cleanup Services

Table Of Contents

Damage Cleanup Services

About Damage Cleanup Services

Trojans

Grayware and Spyware

The Damage Cleanup Services Solution

Registering a DCS Server to a Cisco ICS Server

Specifying DCS Servers and Modifying DCS Settings

Cleaning Infected Hosts

Accessing a DCS Server

Removing a DCS Server

Damage Cleanup Services

This appendix explains how to use Damage Cleanup Services (DCS) to clean infected hosts. It contains the following sections:

• About Damage Cleanup Services

• Registering a DCS Server to a Cisco ICS Server

• Specifying DCS Servers and Modifying DCS Settings

• Cleaning Infected Hosts

• Accessing a DCS Server

• Removing a DCS Server

About Damage Cleanup Services

Cisco ICS uses Damage Cleanup Services (DCS) to help protect computers against Trojans and to rid hosts of potentially unwanted spyware and other types of grayware.

This section describes Trojans, spyware, grayware, and how DCS deals with them. It contains the following topics:

• Trojans

• Grayware and Spyware

• The Damage Cleanup Services Solution

Trojans

A Trojan is a malicious program that masquerades as a harmless application. Unlike viruses, Trojans do not replicate, but they can be just as destructive. An application that claims to rid computer of viruses when it actually introduces viruses onto a computer is an example of a Trojan. Traditional antivirus solutions can detect and remove viruses but not Trojans, especially those that are already running on the system.

Grayware and Spyware

Grayware refers to several types of files and applications that can be covertly installed on computers to track user web-surfing habits, display advertisements, log key strokes, change Internet settings, cause abnormal computer behavior, and even compromise system security. Spyware, the most commonly found type of grayware, monitors user behavior, logs key strokes, and sends the data it collects to another source.

The Damage Cleanup Services Solution

To address the threats and nuisances posed by Trojans and grayware, DCS does the following:

•Detects and removes live Trojans and active grayware applications.

•Kills processes that Trojans and grayware applications create.

•Repairs system files that Trojans and grayware modify.

•Deletes files and applications that Trojans and grayware drop.

To accomplish these tasks, DCS uses these components:

•Damage Cleanup engine—The engine that DCS uses to scan for and remove Trojans and Trojan processes.

•Damage Cleanup template—The file that the Damage Cleanup engine uses to help identify Trojan files and processes to be eliminated.

•Spyware pattern—The file that the Damage Cleanup engine uses to eliminate spyware and other grayware.

Registering a DCS Server to a Cisco ICS Server

The Cisco ICS server to DCS server relationship is a one-to-many relationship. A single Cisco ICS server can register many DCS servers to it, but a single DCS server can be registered to only one Cisco ICS server.

You cannot add DCS servers from the Cisco ICS web console. Before you can use DCS, you must register the Cisco ICS server with a DCS server from the DCS web console. See your DCS documentation for details.

A registered DCS server appears in the AV Software folder in the Directory pane of the device list tree. For more information, see Using the Device List Tree, page 3-3. After successful registration, Cisco ICS creates an event log entry. For more information, see Event Logs, page 10-5.

Specifying DCS Servers and Modifying DCS Settings

If more than one DCS server is registered to Cisco ICS, you can specify hosts to associate with certain DCS servers.

To specify DCS servers and modify the DCS settings, follow these steps:

Step 1 Choose Outbreak Management > Outbreak Settings > Monitored Network.

The Monitored Network window appears showing the Watch List tab.

Step 2 Click the Damage Cleanup Settings tab.

Step 3 Click Add.

The Add Hosts window appears.

Step 4 Click one of the following:

•IP address—Enter a single host IP address and the corresponding mask. The mask determines which IP address bits to include. Cisco ICS uses the exact value of the IP address bits that correspond to the 1 bits in the mask. For example, if you use the IP address 10.10.10.10 with the mask 255.255.0.0, Cisco ICS adds IP addresses 10.10.0.0 to 10.10.255.255.

•IP range—Enter a range of IP addresses to add multiple hosts or an entire segment of the network.

Step 5 Click Save.

Step 6 From the Associated Damage Cleanup Server list, select the DCS server that will clean the host.

Step 7 To modify DCS settings, check one or both of the following:

•Automatically clean hosts after Cisco ICS adds them to a watch list

•Automatically remove hosts from a watch list after DCS cleans them

Step 8 Click Save.

Cleaning Infected Hosts

On the Watch List window, you can use Damage Cleanup Services (DCS) on infected hosts.

To clean infected hosts, follow these steps:

Step 1 Choose Outbreak Management > Outbreak Management Summary.

Step 2 Click the name of an active task.

The summary window for that task appears.

Step 3 Click the link that represents the number of infected or cleaned hosts.

The Watch List window appears.

Step 4 If you are already on the Watch List window and need to confirm that you are viewing infected hosts, choose Infected hosts next to Display and click Go.

Step 5 Check the check boxes next to the hosts to clean or check the check box at the top to select all hosts.

Step 6 Click Cleanup.

Step 7 Verify that DCS successfully cleaned the hosts by confirming that the check mark icon appears under the Cleaned column.

Accessing a DCS Server

If a Damage Cleanup Services server is registered to Cisco ICS, you can access the DCS web console from the Cisco ICS web console. You cannot add DCS servers from the Cisco ICS web console. Before you can use DCS, you must register the Cisco ICS server with a DCS server from the DCS web console. See your DCS documentation for details.

To access a DCS server, follow these steps:

Step 1 Choose Devices > Device List.

Step 2 Click the AV Software folder in the Directory Tree pane.

Step 3 Click the DCS server in the Device List pane.

Step 4 Click Configure.

The DCS web console opens.

Removing a DCS Server

You can remove a DCS server from the Cisco ICS web console or unregister the Cisco ICS server from the DCS Management console. See your DCS documentation for instructions. After a successful unregistration, Cisco ICS creates an event log entry. For more information, see Event Logs, page 10-5.

To remove a DCS server, follow these steps:

Step 1 Choose Devices > Device List.

Step 2 Click the AV Software folder in the Directory Tree pane.

Step 3 Click the DCS server in the Device List pane.

Step 4 Click Delete.

A confirmation window appears.

Step 5 Click OK.