Path: Security - Intrusion Prevention System

The Threat Defender has an integrated intrusion prevention system (IPS) which carries out various network traffic checks (e.g. using byte and instruction sequences).

Using the analysis results of the IPS scanning engine, you can handle suspected intrusions in a more fine-grained manner than with a standard IPS.

The Threat Defender can be configured to use these results in simple rules (e.g. drop) or in complex scenarios (e.g. block the client for one hour after five IPS hits in 15 minutes, see the Block TCP Port Scanner advanced correlation scenario).

Each implemented IPS category (e.g. Trojans, web-specific apps) and the associated IPS rules (e.g. Eicar) carry a state setting which can be:

  • Enabled (default setting)
  • Muted, i.e. hits of rules in this IPS category are counted internally for statistics, but not reported as IPS hits.
  • Disabled, i.e. hits of rules in this IPS category are not counted at all and not reported.

The categories of the intrusion prevention system can be used in global rules or as a part of an advanced correlation scenario.
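The following Python model, added here as an illustration and not taken from the Threat Defender product itself, shows how the three category states interact with hit counting and reporting, and how reported hits can feed the kind of correlation scenario mentioned above (five hits within 15 minutes block the client for one hour). The category names, client addresses, rule name and timestamps are constructed sample data, and the sliding-window counter is an assumed interpretation of the scenario rather than the product's actual implementation.

```python
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class CategoryState(Enum):
    ENABLED = "enabled"    # hits are counted and reported
    MUTED = "muted"        # hits are counted for statistics only
    DISABLED = "disabled"  # hits are neither counted nor reported


@dataclass
class IpsModel:
    """Toy model of per-category IPS states plus a simple correlation rule.

    Assumed correlation scenario (not the product's algorithm): a client is
    blocked for block_seconds once it produces hits_to_block reported hits
    within a sliding window of window_seconds.
    """
    states: dict                      # category name -> CategoryState
    window_seconds: int = 15 * 60     # 15 minutes
    hits_to_block: int = 5
    block_seconds: int = 60 * 60      # one hour
    stats: dict = field(default_factory=dict)        # category -> internal count
    reported: list = field(default_factory=list)     # (ts, client, category, rule)
    hit_times: dict = field(default_factory=dict)    # client -> deque of timestamps
    blocked_until: dict = field(default_factory=dict)  # client -> unblock timestamp

    def process_hit(self, ts: int, client: str, category: str, rule: str) -> str:
        """Apply the category state to one engine hit; return what happened."""
        state = self.states.get(category, CategoryState.ENABLED)
        if state is CategoryState.DISABLED:
            return "ignored"                 # not counted, not reported
        self.stats[category] = self.stats.get(category, 0) + 1
        if state is CategoryState.MUTED:
            return "counted"                 # statistics only, no IPS hit
        self.reported.append((ts, client, category, rule))
        # Correlation step: keep only this client's hits inside the window.
        window = self.hit_times.setdefault(client, deque())
        window.append(ts)
        while window and ts - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.hits_to_block:
            self.blocked_until[client] = ts + self.block_seconds
            return "blocked"
        return "reported"

    def is_blocked(self, client: str, ts: int) -> bool:
        return self.blocked_until.get(client, -1) > ts


def run_demo() -> dict:
    """Feed constructed sample hits through the model and collect the outcomes."""
    ips = IpsModel(states={
        "trojans": CategoryState.ENABLED,
        "web-specific-apps": CategoryState.MUTED,
        "policy": CategoryState.DISABLED,
    })
    # Constructed events: (timestamp in seconds, client, category, rule)
    events = [
        (0,   "10.0.0.5", "trojans",           "Eicar"),
        (60,  "10.0.0.5", "web-specific-apps", "sample-web-rule"),
        (120, "10.0.0.5", "policy",            "sample-policy-rule"),
        (200, "10.0.0.5", "trojans",           "Eicar"),
        (300, "10.0.0.5", "trojans",           "Eicar"),
        (400, "10.0.0.5", "trojans",           "Eicar"),
        (50,  "10.0.0.9", "trojans",           "Eicar"),
        (800, "10.0.0.5", "trojans",           "Eicar"),  # fifth hit within 15 min
    ]
    outcomes = [ips.process_hit(*ev) for ev in events]
    return {
        "outcomes": outcomes,
        "stats": dict(ips.stats),
        "reported_hits": len(ips.reported),
        "blocked_at_801": ips.is_blocked("10.0.0.5", 801),
        "blocked_at_4400": ips.is_blocked("10.0.0.5", 800 + 60 * 60),
        "other_client_blocked": ips.is_blocked("10.0.0.9", 801),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note how the muted category contributes to `stats` but never to `reported`, and the disabled category leaves no trace at all, so a correlation scenario that counts IPS hits only ever sees hits from enabled categories.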