Using virus throttle, How virus throttle works, Installing virus throttle for windows – HP ProLiant Essentials Intelligent Networking Pack Windows Edition User Manual


Using Virus Throttle

In this section

How Virus Throttle works
Installing Virus Throttle for Windows
Monitoring Virus Throttle status
Virus Throttle Status and Configuration Utility

How Virus Throttle works

Viruses typically spread by connecting to as many different machines as possible. Virus Throttle is a
network packet-filtering feature that monitors all outbound connection requests. Virus Throttle helps to stop
the spread of viruses on your system by detecting abnormal "virus like" behavior in the requests. It slows
down excessive connection requests to new hosts until you can determine if they are viral in nature and
take action.

Virus Throttle allows the network infrastructure to stay up and running by slowing traffic on systems that
exhibit high connection rates and frequent connections to new hosts.

When you install Virus Throttle on your system, the Virus Throttle network NDIS filter driver is inserted into
all existing protocol-to-miniport bindings and all network traffic passes through it. Virus Throttle provides
TCP and UDP support. The driver maintains a delay queue of connection requests for each instance of the
network protocol stack and a list of known hosts that have established connections.

The driver examines all outbound connection requests and determines if the request is for a known host. If
known, the request is passed down the protocol stack as a normal request. If unknown, the request is
added to the delay queue. Periodically, the delay queue is examined and the oldest request is removed
and passed down the protocol stack.

High and low water marks, or pre-set thresholds, are maintained for the delay queue and are used to
determine when "virus-like" behavior is occurring or has stopped.

High water mark—When the rate of connection requests exceeds the rate of the driver removing
them from the delay queue, a high water mark in the queue is exceeded and the driver indicates
"virus-like" activity.

Low water mark—When the rate of connection requests drops so that the number of queue entries
falls below a low water mark, the driver indicates that the "virus-like" activity has stopped.

When "virus-like" activity is detected or has stopped, Virus Throttle sends a Windows Management
Instrumentation (WMI) event notification to the administrator. If HP Management agents are installed and
configured correctly, a Simple Network Management Protocol (SNMP) trap warning is also sent to the
administrator.

Installing Virus Throttle for Windows

To install Virus Throttle for Windows using the HP component pack executable file:

1. Go to the HP website (http://www.hp.com).
