Using virus throttle, How virus throttle works, Starting virus throttle – HP NC370F PCI-X Multifunction Gigabit Server Adapter User Manual


Using Virus Throttle

In this section

How Virus Throttle works
Starting Virus Throttle
Configuring Virus Throttle parameters
Monitoring Virus Throttle status
Stopping Virus Throttle
Restarting Virus Throttle
Log and Event File

How Virus Throttle works

Viruses typically spread by connecting to as many different machines as possible. Virus Throttle, a network packet-filtering feature, monitors all outbound connection requests and helps to stop the spread of viruses on your system by detecting abnormal ("virus like") behavior in the requests. It slows down excessive connection requests to new hosts until you can determine if they are viral in nature and take action.

When you install Virus Throttle on your system, the Virus Throttle iptable_filter and ip_queue modules are loaded and a QUEUE target is created so all connection requests pass through it. The driver maintains a delay queue of connection requests and a list of known hosts that have established connections.

The driver examines all outbound connection requests and determines if the request is for a known host. If known, the request is passed down the protocol stack as a normal request. If the request is unknown, it is added to the delay queue. Periodically, the delay queue is examined, and the oldest request and all other connection requests to that same host are removed and passed down the protocol stack.

A high water mark and low water mark are maintained for the delay queue and are used to determine when "virus-like" behavior is occurring or has stopped.

When the rate of connection requests exceeds the rate of the driver removing them from the delay queue, a high water mark in the queue is exceeded, and the driver indicates "virus-like" activity.

When the rate of connection requests slows so that the number of queue entries falls below a low water mark, the driver indicates that the "virus-like" activity has stopped.

When "virus-like" activity is detected or has stopped, Virus Throttle logs an event. If HP Management agents are installed and configured correctly, a Simple Network Management Protocol (SNMP) trap will be sent.
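The delay-queue and water-mark behavior described above can be modeled in a few lines. This is an added example, not code from the HP driver or manual; the class and function names, the water mark values (5 and 2), the 192.0.2.x addresses, and the rule that a released host joins the known-host list are assumptions made for illustration.

```python
from collections import OrderedDict

class ThrottleModel:
    """Toy model of the delay queue described above (not HP's driver code)."""

    def __init__(self, high_water=5, low_water=2):  # assumed values
        self.known = set()            # hosts with established connections
        self.delay = OrderedDict()    # host -> pending request count, oldest first
        self.high, self.low = high_water, low_water
        self.alarm = False
        self.events = []              # stands in for the log entry / SNMP trap

    def pending(self):
        return sum(self.delay.values())

    def request(self, host):
        """Handle one outbound connection request."""
        if host in self.known:
            return "pass"             # known host: straight down the stack
        self.delay[host] = self.delay.get(host, 0) + 1
        self._check_marks()
        return "delayed"

    def tick(self):
        """Periodic scan: release the oldest request and all others to that host."""
        if not self.delay:
            return 0
        host, count = self.delay.popitem(last=False)
        self.known.add(host)          # assumption: a released host becomes known
        self._check_marks()
        return count

    def _check_marks(self):
        n = self.pending()
        if not self.alarm and n > self.high:
            self.alarm = True
            self.events.append("virus-like activity detected")
        elif self.alarm and n < self.low:
            self.alarm = False
            self.events.append("virus-like activity stopped")

def simulate_scan(new_hosts=8):
    """Constructed workload: a burst to many new hosts, then the queue drains."""
    m = ThrottleModel()
    for i in range(new_hosts):
        m.request(f"192.0.2.{i + 1}")
    peak, ticks = m.pending(), 0
    while m.alarm:
        m.tick()
        ticks += 1
    return peak, ticks, m.events
```

A burst that stays at or below the high water mark never raises the event, which is why ordinary traffic to a handful of new hosts is only delayed by one release interval.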

Starting Virus Throttle

By default, Virus Throttle is configured to start on system boot-up. To start Virus Throttle immediately after
installation, run the following command:

# /etc/init.d/hp-vt start
