Internet Security Systems Security Systems 3.5, Desktop Protector User Manual
TM
Desktop Protector
User Guide
Version 3.5
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net
© Internet Security Systems, Inc. 1999-2002. All rights reserved worldwide. Customers may make reasonable numbers of copies
of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any
other person or entity without the express prior written consent of Internet Security Systems, Inc.
Patents pending.
Internet Security Systems, the Internet Security Systems logo, Internet Scanner, System Scanner, Database Scanner, Wireless
Scanner, Online Scanner, SiteProtector, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner,
SecureU, X-Force, and X-Press Update are trademarks and service marks, and SAFEsuite and RealSecure registered trademarks,
of Internet Security Systems, Inc. Network ICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed
trademark, and ICEcap a registered trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security
Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of
Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check
Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its
affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks
of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. Intel and Pentium are registered
trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are
either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are
trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software,
and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology,
Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, Sun
Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks
or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL
Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems
Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company,
Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of
infringement. Specifications are subject to change without notice.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if
you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an
“AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force
disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular
purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental,
consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental
damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems,
Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems,
Inc., and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet
prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference
contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or
inappropriate link, please send an email with the topic name, link, and its behavior to
June 2002
support@iss.net
.
Contents
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Conventions Used in this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Getting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Chapter 1: Introduction to RealSecure Desktop Protector. . . . . . . . . . . . . . . . . . . 1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Protection Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Adaptive Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
The Desktop Protector Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Application Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Application Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Communications Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Desktop Protector Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Collecting Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Filtering Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 2: Using RealSecure Desktop Protector with ICEcap Manager . . . . . 13
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
How ICEcap Manager Works With RealSecure Desktop Protector . . . . . . . . . . . . . . . . . . . . . . . . . . 14
How ICEcap Manager Handles Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Transmitting Data to ICEcap Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Installing Desktop Protector Remotely. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Using ICEcap Manager to Control RealSecure Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3: Setting Up RealSecure Desktop Protector . . . . . . . . . . . . . . . . . . . . . . 21
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Installing RealSecure Desktop Protector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Stopping Desktop Protector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Restarting Desktop Protector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Uninstalling Desktop Protector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Chapter 4: Configuring RealSecure Desktop Protector . . . . . . . . . . . . . . . . . . . . . 31
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Connecting to ICEcap Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Setting Your Protection Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Using Adaptive Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Blocking Intrusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Trusting Intruders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Ignoring Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Working with the Application Protection Baseline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuring Communications Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Controlling Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Back Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Collecting Evidence Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Collecting Packet Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Responding to Application Protection Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Exporting Desktop Protector Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
iii
Contents
Appendix A: Operating Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
The Events Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
The Intruders Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
The History Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Appendix B: Configuration Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
The Firewall Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
The Packet Log Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
The Evidence Log Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
The Back Trace Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
The Intrusion Detection Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The ICEcap Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
The Notifications Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
The Prompts Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
The Application Control Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
The Communications Control Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Appendix C: Advanced Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
The Firewall Rules Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
The Local Adaptive Protection Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
The Remote Adaptive Protection Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
The Add Firewall Entry Dialog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
The Modify Firewall Entry Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Appendix D: Advanced Application Protection Settings . . . . . . . . . . . . . . . . . . . . . 99
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
The Known Applications Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
The Baseline Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
The Checksum Extensions Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Appendix E: The Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
The File Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
The Edit Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
The View Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
The Tools Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
The Help Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
The System Tray Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
iv
Preface
Overview
Introduction This guide is designed to help you use RealSecure Desktop Protector to protect your local
system and your network from unwanted intrusions.
Scope This guide describes the features of RealSecure Desktop Protector and shows you how to
use them.
● Chapter 1 explains how Desktop Protector protects your local system from attacks
and unwanted intrusions.
● Chapter 2 provides information about using Desktop Protector to help ICEcap
Manager manage network-wide security.
● Chapter 3 provides instructions for installing and configuring Desktop Protector on
your computer.
● Chapter 4 provides detailed procedures for configuring Desktop Protector for your
particular circumstances.
● Appendixes A through E describe the screens and dialog boxes you can use to control
RealSecure Desktop Protector.
Audience This guide is intended for network administrators responsible for installing and
maintaining software on corporate systems.
What’s new in this guide
Using this guide Use this guide to help you configure and work with RealSecure Desktop Protector. To get
This guide replaces the BlackICE Agent 3.0 User Guide. This guide includes information
about a new layer of safety for your desktop, called Application Protection. Application
Protection consists of two features:
● Application Control. Desktop Protector prevents unauthorized applications from
running on your local system. This helps to keep potentially harmful software from
compromising your security, even the software has been successfully installed on
your computer.
● Communications Control. Desktop Protector blocks applications from contacting the
Internet without your authorization. This prevents harmful Trojans from working
even if they have been successfully installed on your local system.
the most effective protection possible, you can follow the steps provided in Chapter 3 to
configure Desktop Protector. The instructions are designed to be followed in the order
given, but you can skip any step without endangering your system.
v
Preface
Related publications The following documents are available for download from the Internet Security Systems
Web sit e at
● For information about working with RealSecure Desktop Protector on a corporate
www.iss.net
.
network, see the RealSecure ICEcap Manager User Guide.
● For answers to questions about Desktop Protector, see RealSecure Desktop Protector
Frequently Asked Questions.
● For system requirements for Desktop Protector, see System Requirements.
● For general information about Desktop Protector’s features, see the Product Spec Sheet.
vi
Conventions Used in this Guide
Conventions Used in this Guide
Introduction This topic explains the typographic conventions used in this guide to make information in
procedures and commands easier to recognize.
In procedures The typographic conventions used in procedures are shown in the following table:
Convention What it Indicates Examples
Bold
SMALL CAPS
Constant
width
Constant
width
italic
Æ
Tabl e 1: Typographic conventions for procedures
An element on the graphical
user interface.
A key on the keyboard.
A file name, folder name,
path name, or other
information that you must
type exactly as shown.
A file name, folder name,
path name, or other
information that you must
supply.
A sequence of commands
from the taskbar or menu bar.
Type the computer’s
address in the IP Address
box.
Select the Print check box.
Click OK.
Press ENTER.
Press the
Save the
the
Type
PLUS SIGN (+).
User.txt
Addresses
IUSR__SMA
file in
folder.
in the
Username box.
Type
Version number
in
the Identification
information box.
From the taskbar, select
Start
ÆRun.
On the File menu, select
Utilities
ÆCompare
Documents.
Command conventions
The typographic conventions used for command lines are shown in the following table:
Convention What it Indicates Examples
Constant
width bold
Italic
[ ]
|
{ }
Tabl e 2: Typographic conventions for commands
Information to type in exactly
as shown.
Information that varies
according to your
circumstances.
Optional information.
Two mutually exclusive
choices.
A set of choices from which
you must choose one.
md ISS
md your_folder_name
dir [drive:][path]
[filename][/P][/W]
[/D]
verify [ON|OFF]
% chmod {ugo
a}=[r][w][x] file
vii
Preface
Getting Technical Support
Introduction ISS provides technical support through its Web site and by email or telephone.
The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (
support/
) provides direct access to much of the information you need. You can find
http://www.iss.net/
frequently asked questions (FAQs), white papers, online documentation, current versions
listings, detailed product literature, and the Technical Support Knowledgebase (
www.iss.net/support/knowledgebase/
).
http://
Hours of support The following table provides hours for Technical Support at the Americas and other
locations:
Location Hours
Americas 24 hours a day
All other locations Monday through Friday, 9:00 A.M. to 6:00 P.M. during
their local time, excluding ISS published holidays
Note: If your local support office is located outside the
Americas, you may call or email the Americas office for
help during off-hours.
Tabl e 3: Hours for technical support
Contact information The following table provides email addresses and telephone numbers for technical
support requests:
Regional Office Email Address Telephone Number
North America and
Latin America
Europe, Middle
East, and Africa
Asia-Pacific and
Philippines
Japan
Tabl e 4: Contact information for technical support
support@iss.net
support@iss.net
asiasupport@iss.net
support@isskk.co.jp
(1) (888) 447-4861 (toll
free)
(1) (404) 236-2700
(44) (118) 959-3900
(63) (2) 886-6014
Domestic: (81) (3) 57404065
Overseas (APAC): (81) (3)
5740-4066
viii
Chapter 1
Introduction to RealSecure Desktop
Protector
Overview
Introduction RealSecure Desktop Protector is a comprehensive security solution that helps you protect
your system and your network from the following:
● theft of passwords, credit card information, personal files and more
● computer downtime and system crashes
● hackers using your system to start attacks against other systems
This chapter describes the basic concepts of RealSecure Desktop Protector.
In this chapter This chapter contains the following topics:
Topic Page
Protection Levels 3
Adaptive Protection 4
The Desktop Protector Firewall 5
Application Protection 6
Application Control 7
Communications Control 8
Desktop Protector Alerts 9
Collecting Information 11
Filtering Information 12
ICEcap integration RealSecure Desktop Protector integrates with ICEcap Manager management and
reporting console. Desktop Protector forwards information about the events it detects to a
server running ICEcap Manager for enterprise-wide security reporting and analysis.
ICEcap Manager can in turn install and update Desktop Protector remotely.
Firewall capabilities RealSecure Desktop Protector provides powerful firewall capabilities, and provides much
more than traditional firewall functionality. The Desktop Protector firewall inspects all
1
Chapter 1: Introduction to RealSecure Desktop Protector
inbound and outbound traffic on your system for suspicious activity. Desktop Protector
blocks unauthorized activity without affecting normal traffic.
Intrusion detection RealSecure Desktop Protector contains an intrusion detection system that alerts you to
attacks and blocks threats to your system. Desktop Protector captures information about
the attacker and logs suspicious activity, which preserves evidence of the attack.
Application protection
RealSecure Desktop Protector prevents unauthorized applications from harming your
system or other computers on a network. Application protection consists of two features:
● Application Control: Helps you prevent unknown and possibly destructive
applications from damaging your system. When you suspect an application may have
been modified, Application Control lets you decide whether to let it start. RealSecure
Desktop Protector goes beyond the capabilities of other products by preventing
unauthorized applications from starting other applications or services.
● Communications Control: Helps you prevent unauthorized applications from
communicating on the Internet. This can even prevent intruders from using your
system to start attacks against other systems. It does this by letting you control which
applications have access to a local network or the Internet.
2
Protection Levels
Protection Levels
Introduction Protection levels are pre-designed sets of security settings developed for different types of
Web use. You can choose to have Desktop Protector block all communications with your
system, some communications with your system, or no communications with your
system. You can change protection levels at any time.
How protection levels work
Protection level definitions
How protection levels affect applications
Protection levels modify your firewall by closing some of the software links, or ports, that
your system uses to receive communications from other computers. The more restrictive
the protection level, the more ports are blocked.
Paranoid: Desktop Protector blocks all unsolicited inbound traffic. Very restrictive, but
useful if your system faces frequent or repeated attacks. This setting may restrict some
Web browsing and interactive content.
Nervous: Desktop Protector blocks all unsolicited inbound traffic except for some
interactive content on Web sites (such as streaming media and other application-specific
uses of the Internet). Preferable if you are experiencing frequent intrusions.
Cautious: Desktop Protector blocks unsolicited network traffic that accesses operating
system and networking services. Good for regular use of the Internet.
Trusting: All ports are open and unblocked and all inbound traffic is allowed. Acceptable
if you have a minimal threat of intrusions. This is the default protection level setting. If
your local agent is not centrally controlled by ICEcap Manager, you should consider
customizing your protection level immediately after installing Desktop Protector.
This table shows how the protection levels affect some representative applications:
Level Blocked Configurable Not Blocked
Paranoid IRC file transfer (DCC)
NetMeeting
PC Anywhere
ICQ
Nervous IRC file transfer (DCC)
NetMeeting
Cautious Unsolicited traffic that
accesses operating
system and networking
services
Trusting None None All inbound traffic
Note: To use an application that is blocked under a selected protection level, use the
Quake (II/III)
Internet Phone
Net2Phone
ICQ
Internet Phone
Net2Phone
None All of the above, plus IRC
FTP file transfers
Sending/receiving email
Real Audio
IRC Chat
All of the above, plus PC
Anywhere, Quake (II,III)
file transfer (DCC)
NetMeeting
Advanced Firewall Settings feature to open the ports the application uses. For more
information on opening ports, see “Blocking Intrusions” on page 37.
3
Chapter 1: Introduction to RealSecure Desktop Protector
Adaptive Protection
Introduction Adaptive Protection automatically adapts each agent's security level according to the
type of network connection it is using. For example, you can set Adaptive Protection to
use a more restrictive security level when users are logged on over a VPN, and a less
restrictive security level when users are logged directly onto the network.
When to use adaptive protection
You may need to connect to your corporate network from inside your corporate
headquarters, from your home office, or from the floor of a trade show. For example:
● Inside your corporate office, your firewall is automatically set to the Trusting
protection level.
● At your home office, your firewall is set to Cautious for most communications. It
switches to Trusting when you connect to your corporate network over a VPN, and
switches back to Cautious when the VPN connection closes.
● At a trade show, your firewall automatically switches to Paranoid when you plug into
the conference network. It switches to Trusting when you connect to your corporate
VPN, and then switches back to Paranoid when the VPN connection closes.
Note: Adaptive protection settings are usually sent down to a local agent from ICEcap
Manager. Use these instructions on your local agent only if your ICEcap administrator
recommends it. Your ICEcap administrator may also provide you with the correct IP
addresses to use.
For information about configuring Desktop Protector to switch protection levels
dynamically, see “Using Adaptive Protection” on page 35.
For detailed information about setting your protection preferences, see “The Firewall Tab”
on page 70.
4
The Desktop Protector Firewall
The Desktop Protector Firewall
Introduction Desktop Protector automatically stops most intrusions according to the protection level
you have chosen, but you still may notice activity that isn't explicitly blocked. You can
configure the Desktop Protector firewall to increase your protection. You can block
intrusions from a particular address, or you can block intrusions that use a particular
protocol.
Protocol analysis The Desktop Protector firewall works by recognizing the special languages computers use
to communicate. For example, your browser receives messages encoded in Hypertext
Transfer Protocol (HTTP) from the Web. These information packets are usually received
through port 80. When Desktop Protector detects traffic coming in through port 80 that is
not correctly encoded in HTTP packets, there may be cause for suspicion.
Dynamic Firewall Your firewall uses information from the BlackICE intrusion detection engine to
reconfigure itself in response to intrusions. The intrusion detection component analyzes
unusual packets and, if they are dangerous, instantly configures the firewall to block them
before they can have any effect on your system.
Blocking an intruder You can block any intruder listed on your events list by adding an IP address to your
firewall. When you do this, no traffic from that intruder's IP address can enter your
system. For information about blocking IP addresses, see “Blocking an IP address” on
page 37.
Blocking a port If you don't have an intruder in mind but you are concerned about intrusion attempts
using a specific internet protocol, you can block the port (or ports) that protocol uses.
Adding a port entry to your firewall ensures that no traffic from any IP address can enter
your system using that port. For information about blocking ports, see “Ignoring Events”
on page 40.
Ignoring events To help reduce the amount of information you have to deal with, you can choose to ignore
events that don't pose any threat to your system. For example, your company’s
Information Services department may carry out routine port scans for network
management purposes. When such a scan appears on your events list, you can right-click
the event and select Ignore. For information about ignoring events, see “Ignoring Events”
on page 40.
Trusting an address When you know a particular IP address is safe, you can choose to ignore all events from
that address. This is called trusting an address. For example, when another computer on
your internal network accesses files on your system, it can appear as an intrusion on your
events list. You can right-click these events and select Tr u s t and Accept to tell Desktop
Protector not to record any events from that computer. For information about trusting and
accepting, see “Trusting Intruders” on page 39.
5
Chapter 1: Introduction to RealSecure Desktop Protector
Application Protection
Introduction BlackICE protects your computer from unknown applications and from applications
connecting to a network, such as the Internet.
How the baseline works
Turning of f Application Protection
Adding new or upgraded applications to your computer
Avoiding alert messages when you install software
First, BlackICE creates a baseline record (also known as a checksum) of the applications
installed on your computer. Then it compares that baseline with any application that
attempts to launch or to communicate with a network. If the application does not match
the baseline, then BlackICE asks you if you want to stop the application or let it continue.
Note: You must update the baseline whenever you make changes to your system, such as
upgrading an application or installing a new application.
To turn off the Application Protection component:
1. Click Tools
2. Select either the Application Control tab or the Communications Control tab.
3. Clear the Enable Application Protection check box.
Whenever you upgrade an application or install a new application on your computer, the
application does not match the Application Protection baseline, so BlackICE regards it as
an unknown application. This protects you from someone maliciously updating
applications with or replacing them with other files that may be harmful.
You can avoid warning messages during upgrade or installation by clicking Install Mode
Options
Application Protection. Click Continue on the periodic messages until the upgrade or
installation ends. Be sure to disable install mode when you are finished.
ÆEdit BlackICE Settings.
Æ Enable Install Mode on the first message you see. This temporarily disables
Note: After you install or upgrade an application, you must add it to the baseline. For
information about updating your baseline to include your new or upgraded software, see
“Managing your authorized applications” on page 44.
6
Application Control
Application Control
Introduction RealSecure Desktop Protector lets you control which applications and related processes
can run on your system. Sometimes a program may be installed on your system without
your knowledge. Many of these programs are useful or harmless. However, some of these
programs can present security risks. They may allow an intruder to locate password
information, make the system more vulnerable to future entry, or destroy programs or
data on the hard disk.
How Application Control works
Example: spyware For example, some installation programs install a separate application on your system to
Application control is not virus detection
When Application Protection is enabled on your system, it creates a list of currently
installed applications.Whenever the computer begins to start an application, Desktop
Protector checks that the application is one of these known applications. You can control
this default behavior by changing the settings on the Application Control tab.
track your Web site visits (commonly known as spyware). Desktop Protector detects the
application when it starts, and checks to see if you have authorized the application to run.
If not, Desktop Protector can close the program automatically or alert you, depending on
the Application Control options you have set.
Application control is not the same as virus detection. Desktop Protector does not search
your system for harmful applications. Instead, Desktop Protector watches for new
applications that may have been installed on your system since the last time Application
Protection searched for new or altered applications, and alerts you when they start. For
example, if you install Desktop Protector after a Trojan application has been installed on
your computer, Desktop Protector assumes the application is known to you and does not
block it from starting or contacting a network.
Important: To get the full benefit of Application control, scan your system for viruses with
an anti-virus program to make sure it is free of dangerous applications before you install
Desktop Protector or have Desktop Protector search for new or modified applications. It is
a good idea to run your anti-virus scan in both normal and safe mode.
More information For instructions, see “Working with the Application Protection Baseline” on page 42.
7
Chapter 1: Introduction to RealSecure Desktop Protector
Communications Control
Introduction To reduce security risks from potential “Tro jan h orse ” applications on your system,
RealSecure Desktop Protector lets you choose which applications or processes can access a
network, such as the Internet or a local area network.
How Communications Control works
Desktop Protector tracks all the applications (and related processes) that you authorize to
access a network from your system. If any software installed on your system attempts to
access a network without your authorization, Desktop Protector detects its outbound
transmissions and asks you what to do:
● If you recognize the application, you can allow it to continue or you can block it.
● If you block it, you can have Desktop Protector automatically block the application in
the future.
Example: autoupdate
For example, some applications include a feature that automatically checks the
application provider’s Web site for software updates. The first time a newly installed or
modified program tries to do this, Desktop Protector asks if you want this application to
access the network. You can control this behavior by altering the settings on the
Communications Control tab.
More information For instructions, see “Configuring Communications Control” on page 46.
8
Desktop Protector Alerts
Desktop Protector Alerts
Introduction Your dynamic firewall handles most alerts for you, but you can take additional steps to
make its responses even more effective. The information in this topic may help you
determine which events merit your attention.
Severity levels Some network events are more dangerous than others. Desktop Protector assigns each
event a numerical rank that reflects the event’s potential risk level, and reports that rank
with an icon on the Events tab. The following table lists the severity levels Desktop
Protector uses:
Icon Rank Description
7-10 Critical. These are deliberate attacks on your system for the purpose of
damaging data, extracting data, or crashing the system. Critical events
always trigger protection measures.
4-6 Serious. These are deliberate attempts to access information on your
system without directly damaging anything. Some serious events trigger
protection measures.
1-3 Suspicious. These are network activities that are not immediately
threatening, but may indicate that someone is attempting to locate
security vulnerabilities in your system. For example, intruders may scan
the available ports or services on a system before attacking it. Suspicious
events do not trigger protection measures.
0 Informational. These are network events that are not threatening but
worth noting. Informational events do not trigger protection measures.
Tabl e 5: Desktop Protector severity icons
9
Chapter 1: Introduction to RealSecure Desktop Protector
Response levels Desktop Protector reports how it responded to each event by showing a symbol. The
symbol for a response can appear two ways:
● as an icon beside the event
● as a mark over the severity level icon
This table describes Desktop Protector response level icons and overlays:
Icon Overlay Description
Attack Blocked: Desktop Protector successfully blocked the attack.
Depending on the severity of the event, Desktop Protector may also have
blocked the attacking system. To see if Desktop Protector is currently
blocking the intruder, double-click the event.
Attack Unsuccessful: Other defenses of your system, such as the
operating system, successfully blocked the intrusion. Therefore, Desktop
Protector did not need to block the event. The event did not compromise
the system.
Attack Status Unknown: Desktop Protector triggered protection
measures as soon as it identified the attack, but some attacking packets
may have made it through to the computer. It is unlikely that the event
compromised the system.
Attack Possible: Desktop Protector triggered protection measures as
soon as it identified the intrusion. However, some attacking packets were
able to get into the computer. The event may have compromised the
system.
Attack Successful: Desktop Protector detected abnormal traffic entering
or exiting the system as a result of the intrusion. However, the Desktop
Protector protection measures could not block the intrusion. The event
has compromised the system.
Tabl e 6: Desktop Protector response icons and overlays and what they mean
10
Collecting Information
Collecting Information
Introduction When an intruder attempts to break into your system, RealSecure Desktop Protector can
track the intruder’s activities. You can use this information to determine what an intruder
did to your computer. This section explains how to gather and use this information.
Back Tracing Desktop Protector can back trace each intrusion to determine where it originated. You can
tell Desktop Protector to seek information from the originating computer itself or from
points the packets passed through on the way to your computer.
When Desktop Protector back traces an intruder, it attempts to gather the IP address, DNS
name, NetBIOS name, Node, Group name, and MAC address. Skilled intruders will often
block Desktop Protector from acquiring this information.
To set up back tracing, see “Introduction” on page 50 and “The Back Trace Tab” on
page 76.
Evidence files RealSecure Desktop Protector can capture network traffic attributed to an intrusion and
place that information into an evidence file. Desktop Protector captures and decodes each
packet coming into the system, so it can generate files that contain detailed information
about the intruder's network traffic.
To an experienced network engineer, evidence files show exactly what the intruder did or
attempted to do. Because evidence files provide proof of the attacker's activities, this can
be very useful to law enforcement or legal counsel in tracking criminal intruders.
For information about setting up evidence gathering, see “Collecting Evidence Files” on
page 52.
Packet log files Packet logging records all the packets that enter your system. This can be useful if you
need more detailed information than evidence logs contain. Packet logs can become very
large and use considerable hard disk space. However, if you are experiencing repeated
intrusions on a system, packet logging can help gather additional information about
activity on the system.
For information about setting up packet logging, see “Collecting Packet Logs” on page 54.
11
Chapter 1: Introduction to RealSecure Desktop Protector
Filtering Information
Introduction You probably won't need to inspect all the information RealSecure Desktop Protector
gathers about the Internet traffic that reaches your system. You can use the configuration
tabs to control how much information appears on the information tabs and how often
Desktop Protector alerts you to potential risks.
You can instruct Desktop Protector to show only events that present risks over a given
level. For example, Desktop Protector determines port scans from your ISP to be of only
informational interest. You can omit those events from the Events tab. For information on
how to do this, see “Filtering the Events List” on page 48.
Severity levels Desktop Protector assigns a severity level to every event, to indicate how dangerous the
event may be to your system. The severity level appears as an icon beside the event on the
Events tab.
Freezing events Sometimes events are recorded so quickly that it can be difficult to keep track of them as
they appear on the Events tab. When this happens, you can freeze the Events tab and
respond to the events at your convenience. For information on freezing the Events list, see
“Freezing the Events list” on page 49.
Deleting events Even if you are filtering out events that are not very risky, your events list can grow very
long. You can delete individual events from the Events tab, or you can delete the whole
events list. For information about deleting events, see “Clearing the Events list” on
page 48.
Event alerts Desktop Protector can alert you to events by making a sound or by showing an alert icon
in your system tray. The alert icons are coded to match the seriousness of the event. You
can tell Desktop Protector to alert you only to events of a particular severity. For
information about setting your alarm preferences, see “Setting alarm preferences” on
page 48.
Customizing event and intruder information
You can configure the Events and Intruders tabs to show only the columns that contain
the information you are most interested in. For example, if you find that multiple attacks
on your system use the same protocol, you can include the Protocol column in the Events
tab. For information on choosing columns to view, see “Showing and hiding columns” on
page 49.
12
Chapter 2
Using RealSecure Desktop Protector with ICEcap
Manager
Overview
Introduction RealSecure Desktop Protector interacts with the ICEcap management and reporting
console to provide enterprise-wide security monitoring and management. This chapter
provides the background knowledge required for setting up connections between
Desktop Protector and ICEcap Manager from your system.
For more detailed information about using RealSecure Desktop Protector with ICEcap
Manager, see the RealSecure ICEcap Manager User Guide.
In this chapter This chapter contains the following topics:
Topic Page
How ICEcap Manager Works With RealSecure Desktop
Protector
Using ICEcap Manager to Control RealSecure Agents 19
14
13
Chapter 2: Using RealSecure Desktop Protector with ICEcap Manager
How ICEcap Manager Works With RealSecure Desktop Protector
Introduction ICEcap Manager interacts with agents in two ways:
● Collecting and managing information. As each RealSecure agent detects events, it
forwards information about those events to the ICEcap server. ICEcap Manager stores
and logs the events for enterprise-wide security reporting and analysis.
● Installing, updating and controlling remote agents. ICEcap administrators can use
ICEcap Manager to control the configuration of all RealSecure agents on the network.
This provides a central platform for standardizing security settings across the
enterprise.
Independent operation
ICEcap Manager and RealSecure Desktop Protector work independently from one
another. If either the agent or ICEcap Manager is offline or unavailable, the other system
continues working without interruption. RealSecure Desktop Protector and ICEcap
Manager interact only when an event or a configuration issue occurs.
This table identifies the possible interactions between RealSecure Desktop Protector and
ICEcap Manager:
Interaction Description Initiated by:
Event Reporting When configured to report to an ICEcap
Manager, Desktop Protector reports information
about each event.
Configuration Updates ICEcap Manager issues instructions to Desktop
Protector to update security settings.
Note: Only ICEcap Manager can issue
configuration updates. While end-users may be
able to configure their local installation of
Desktop Protector, this configuration
information is stored locally. It is not transmitted
to ICEcap Manager.
Software Updates ICEcap Manager installs files on the remote
agent to add RealSecure functionality.
Note: Only ICEcap Manager can distribute
software updates. Local RealSecure agents
cannot update other systems.
Desktop Protector
ICEcap Manager
ICEcap Manager
Tabl e 7: Interactions between ICEcap Manager and the agent
Control levels By default, ICEcap Manager has total control over all agents, allowing modification only
to display and event notification preferences. However, ICEcap administrators can
configure groups to allow agents partial local control or almost complete local control.
The control level can be set only from ICEcap Manager, as part of a policy applied to an
ICEcap group and pushed to the remote agents in the group. An end user cannot choose a
control level from the local Desktop Protector interface.
Note: RealSecure agents that include the Local Console can have any level of
configuration sharing, whether they are remotely installed from ICEcap Manager or
14
How ICEcap Manager Works With RealSecure Desktop Protector
locally installed. Silent Desktop Protector installations are always completely ICEcapcontrolled. For more information about silent agent installations, see the RealSecure ICEcap
Manager User Guide.
This table summarizes the levels of control ICEcap Manager can exert over an agent.
Control Level Result
Total ICEcap Control ICEcap Manager has complete control over these agents. If the
local host has the Local Console installed, the end user can
modify the display and alarm preferences but not the blackice.ini
or firewall.ini files. Configuration settings are disabled.
Shared ICEcap Control The local system has partial control over configuration settings,
and can alter any parameters that ICEcap Manager has not
explicitly set. For example, the user can trust an address that
ICEcap Manager does not trust. However, the user cannot
unblock an ICEcap-blocked address or change the protection
level ICEcap Manager enforces.
Shared Local Control The local system has control over all configuration settings.
Although ICEcap Manager distributes configuration settings to
all agents in the group, the end user can override any of those
configuration settings.
What level of control is in effect?
Tabl e 8: Levels of local or remote control of the local agent
The ICEcap control level determines what you can do with the firewall and Application
Protection components of Desktop Protector on your computer.
To see what level of control ICEcap Manager has over Desktop Protector on your
computer:
1. From the Main Menu, select To o l s
ÆEdit BlackICE Settings.
2. Is the Enable local configuration editing checkbox visible?
■ If yes, you have some degree of control over Desktop Protector on your system.
■ If no, ICEcap Manager has total control of the agent on your system.
3. Which option is selected under Configuration Priority?
■ Remote: the local agent is under shared ICEcap Control. You can alter any
parameters that ICEcap Manager has not explicitly set.
■ Local: the agent is under shared local control. You can override any parameters
ICEcap Manager has set.
15
Chapter 2: Using RealSecure Desktop Protector with ICEcap Manager
How ICEcap Manager Handles Information
Introduction To help organize information, ICEcap Manager categorizes agents and the events they
report into accounts and groups. To report an event, a RealSecure agent must be assigned to
a group within an ICEcap account.
Accounts Accounts represent significant divisions or organizational elements within the company.
For example:
● A manufacturing company’s sales division might constitute one account while its
factory operations might constitute another.
● A European corporation might establish one account for its facilities in France and
another for its British operations.
● A financial services company might create one account for its trading floor and a
separate account for its back-office processing operations.
For more information about creating and using accounts, see the RealSecure ICEcap
Manager User Guide.
Groups Groups are logical collections of systems (also known as hosts) organized for modular
reporting and configuration. Each account consists of one or more groups. For example, a
single account might include a group for all the servers on a network and a group for all
the end-user workstations. Each group belongs to only one account. An agent can report
into only one group.
Assigning an agent to a group
ICEcap Manager is solely responsible for assigning agents to groups. Although agents can
report a group name, ICEcap Manager must authorize that name and make the
appropriate assignment.
The first time an agent reports an event, ICEcap Manager assigns the agent to a group by
IP address assignment or by group name assignment. For more information about this
authorization process, see the RealSecure ICEcap Manager User Guide.
Changing groups Agents cannot alter their group assignment.You can change the group name on the
ICEcap tab in the BlackICE Settings, but the change takes effect only if ICEcap Manager
authorizes the change. This prevents intruders from reassigning an agent to a group with
less restrictive settings. Consult the RealSecure ICEcap Manager User Guide for more
information about change agent group assignments.
Working with VPN
VPN and dial-up users present unique challenges for managing remote agent software.
and dial-up users
● Some VPN users cannot be reliably grouped by IP address because they have
dynamic IP addresses. Desktop Protector may report the remote user’s ISP- assigned
IP address and not the local network address.
● Mobile computers that are connected to the internal network while in the office, but
dial into the network while on the road, can have many different IP addresses.
To handle this situation, it is a good idea to create a group exclusively for dial-up or VPN
users in the appropriate account, using group name precedence. For information on how
to create a remote users’ group, see the RealSecure ICEcap Manager User Guide.
16
Transmitting Data to ICEcap Manager
Transmitting Data to ICEcap Manager
Introduction Desktop Protector must be able to transmit data across your network to the ICEcap server.
Agents can report to the ICEcap server by one of three methods:
● over the Internet
● over a Virtual Private Network
● through a proxy server
Reporting over the Internet
Reporting over a VPN
Reporting through a proxy server
Reporting over the Internet is safe, but not without risks. Communications from
RealSecure agents are encrypted, and ICEcap Manager requires an account name and
password to submit data.
VPN connections using the point-to-point tunneling protocol encrypt packets sent over
the Internet, adding an additional layer of security between remote systems and ICEcap
Manager.
RealSecure agents can also be configured to report events through a proxy server.
17
Chapter 2: Using RealSecure Desktop Protector with ICEcap Manager
Installing Desktop Protector Remotely
Introduction In addition to managing event information, ICEcap Manager can install Desktop Protector
software on remote systems. This can include systems with the Local Console or “silent”
installations that include only the monitoring and protection engine.
Remote installations of Desktop Protector must be carried out from ICEcap Manager. For
additional information about setting up and executing remote installations, see the
RealSecure ICEcap Manager User Guide.
Note: If a Desktop Protector version already exists on a target system, ICEcap Manager
does not reinstall Desktop Protector when a remote installation is executed. To reinstall
Desktop Protector, the software must be manually or remotely removed first and then
reinstalled.
18
Using ICEcap Manager to Control RealSecure Agents
Using ICEcap Manager to Control RealSecure Agents
Introduction ICEcap Manager manages agents by applying policies to groups of agents. Any
configuration change made to a group is distributed to all the members of that group. This
reduces the effort required to support remotely installed systems.
Pushing to agents To modify the configuration of agents on the network, you can make the changes on the
ICEcap server and have ICEcap Manager push those changes to all agents in one or more
groups. This ensures that all members of a group share the same configuration.
How ICEcap Manager communicates with agents
Criteria for ICEcap control
ICEcap Manager and Desktop Protector communicate with each other using encrypted
HTTP packets. Both Desktop Protector and ICEcap Manager can transmit these packets
through a proxy server.
Although ICEcap Manager initiates configuration updates and software updates, the local
agents actually download the files from ICEcap Manager. This prevents intruders from
“pushing” unauthorized security settings to agents.
Note: ICEcap Manager does not maintain a link to all the agents on the network. Each
individual system reports events to the ICEcap server.
For ICEcap Manager to assume total or partial control of an agent, the agent must meet
these criteria:
● The remote system must belong to one ICEcap group.
● A policy must be associated with that group.
If a system belongs to a group, but that group does not have a policy associated with it,
ICEcap Manager cannot make any configuration changes on the remote system. Software
updates are distributed to the agents, but configuration settings are not.
Important: ISS recommends that each group have a properly configured policy. This
ensures that configuration settings are standardized on ICEcap Manager.
19
Chapter 2: Using RealSecure Desktop Protector with ICEcap Manager
20
Chapter 3
Setting Up RealSecure Desktop
Protector
Overview
Introduction This chapter provides instructions for installing and configuring RealSecure Desktop
Protector locally. For information about installing Desktop Protector from ICEcap
Manager, see the RealSecure ICEcap Manager User Guide.
In this chapter This chapter contains the following topics:
Topic Page
Installing RealSecure Desktop Protector 22
Stopping Desktop Protector 24
Restarting Desktop Protector 26
Uninstalling Desktop Protector 28
21
Chapter 3: Setting Up RealSecure Desktop Protector
Installing RealSecure Desktop Protector
Introduction This topic gives instructions for installing Desktop Protector.
Local or remote installation
You can install RealSecure Desktop Protector locally at your agent computer or remotely
from RealSecure ICEcap Manager. In most cases, you should distribute Desktop Protector
to network systems from ICEcap Manager. This allows centralized control of
configuration. However, in some cases it may be quicker to install an agent manually.
For information about installing remotely with RealSecure ICEcap Manager, see the
RealSecure ICEcap Manager User Guide.
Manual ICEcap configuration
When Desktop Protector is installed directly on an agent computer, you must manually
configure the ICEcap settings. When Desktop Protector reports to ICEcap Manager, any
configuration and protection settings attributed to the agent’s account and group are
distributed to the agent.
Note: Manual installations of RealSecure Desktop Protector always include the local user
interface. Only ICEcap Manager can create and distribute agents without the local user
interface, known as “silent” agents. For information about installing silent agents, see the
RealSecure ICEcap Manager User Guide.
Prerequisites Before you install RealSecure Desktop Protector, you must do the following:
● Scan your system for viruses.
● Disable the real-time scanning function of any anti-virus detection software on your
system to avoid unwanted interactions during the installation.
Procedure To install RealSecure Desktop Protector, follow these steps:
4. Are you installing Desktop Protector from the CD?
■ If yes, go to Step 5.
■ If no, locate the directory to which you downloaded Desktop Protector, and then go
to Step 6.
If you have lost your original copy of the software, you can download a new copy
from the Internet Security Systems Web site at
www.iss.net
5. Insert the CD in the CD-ROM drive.
6. Double-click
RSDPSetup.exe
.
7. In the Install Wizard, click Next.
If the setup program detects an existing version of Desktop Protector, the program
prompts you to uninstall or upgrade the existing version.
■ To update Desktop Protector, click Next.
■ To remove Desktop Protector from your hard drive, follow the instructions in
“Uninstalling Desktop Protector” on page 28.
.
22
Loading...