Real Time Integrity Monitoring

    General information: Real-time integrity monitoring (RTIM) is a generic technique for stopping PE virus attacks in their tracks. It works by detecting virus-induced integrity changes and by preventing the opening of a program whose integrity has been compromised by a virus.

    RTIM is based on the InVircible offline (on-demand) integrity monitoring technology, first introduced in 1990 by NetZ Computing. Real-time integrity monitoring is implemented through IV Interceptor, and runs concurrently with the other techniques implemented in the IV real-time module. RTIM is supported only under NT-based operating systems, i.e. NT4, W2K, 2003 Server, and XP.

    RTIM is especially effective for the containment of PE virus attacks, whether known or entirely new, where other AV methods fail. As demonstrated many times, a great deal of the damage caused by new viruses occurs in the first hours and days after their release in the wild, until AV producers succeed in producing new virus definitions for their products. This is especially true for viruses that propagate through sharing, as these attain worldwide distribution within hours of release, while AV updates become available within days, at best. InVircible’s RTIM is the only solution that stops such outbreaks in their tracks, without requiring any software updates.

    In the enterprise / network environment, RTIM provides timely alerting on the onset of a PE virus attack, and prevents it from developing into a full-scale infection and crisis. RTIM messages are routed to IV Administrator, where they are treated as highest-priority alerts.

    Operation and use: RTIM uses the integrity database that exists on every IV-protected PC. The integrity database is automatically created and managed by the daily run of the Audit & Integrity Expert System (installation default). When a file is accessed by Windows, IV Interceptor first checks it to determine whether it is safe to let Windows continue and open it. If the file type is contained in the IV secured files list (executables, by default) and the file has an integrity “signature” in the IV database, then the file's current integrity signature is compared against the last one recorded in the database, to assure that no viral changes were made to it.

    The InVircible integrity monitoring technique is unique in its ability to distinguish between legitimate changes, such as the replacement of a file by an upgraded version, and changes made by a viral process or by a Trojan.

    No user action is needed to set up and configure RTIM. The Audit & Integrity expert system takes care of creating the database for RTIM and manages the integrity signature files on a daily basis through the scheduled run of the A&I expert system.

    Proceed as follows to check if A&I is scheduled properly:

    • Click IV on the taskbar, select ‘IV Scheduler’, and press the A&I 'schedule' button

    • Verify that A&I is scheduled to run daily (every day), at 1:00 PM, with the following settings

      • The start directory should be 'All local drives'

      • Tick the 'run unattended’ box, if clear

      • Select 'check only' mode

    You may change the time of the daily A&I run if required (e.g. the computer is off at 13:00, as would be the case for home computers), or change the scheduling to 'every 12 hours’.

    When set properly, the scheduled A&I will keep the integrity database up to date by adding integrity signatures for newly added programs, and by automatically renewing the signatures of files that were upgraded or changed by a non-viral process.

    In the enterprise network environment, system administrators are advised to verify that A&I is scheduled to run daily, in check-only and unattended mode, on their client machines. This can be done from the ‘Configuration’ panel of IV Administrator, by selecting the ‘Scheduler’ tab.

    The following is an example of the message displayed when Interceptor detects a file with compromised integrity:



    If you are not sure whether the file is infected, choose 'rename'. Renaming renders the file inert (it won’t execute even if double-clicked) by replacing the last character of its extension with a tilde (~). Use 'delete’ only if you are absolutely sure that the file is infected and you prefer replacing it rather than disinfecting it.

    A suspicious file may be submitted for online inspection and identification of the virus (if it is known, not new). You'll need to momentarily deactivate RTIM (click the IV icon, select 'options' and clear the 'check file integrity' box) in order to submit the flagged file without renaming it.

    Re-securing a benign file: On rare occasions, IV may not detect that a file changed for a non-viral cause. In that case the file may be re-secured in order to stop the RTIM alert.

    Here is how to re-secure a selected file:

    • Click the IV icon and select Audit & Integrity

    • In the A&I window, select the directory where the scan should start (the same directory where the file to re-secure is stored) and start the scan

    • When the scan has finished, right-click the file in the list and choose 're-secure' from the menu
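The mechanics described above (an integrity database of recorded signatures, the check made before a secured file is opened, the audit that adds signatures for new programs, the rename-to-tilde containment step, and re-securing a benign file) can be shown end to end in a small script. The following is an added illustration written for this page; it is not InVircible's or NetZ Computing's code and makes no claim about the real IV signature format. It assumes a plain SHA-256 digest as the "signature", a hypothetical list of secured extensions, and a JSON-style dictionary as the database. It does not attempt IV's distinction between legitimate and viral changes: the audit here only adds new files and reports changed ones, and a recorded signature is renewed only through an explicit re-secure call.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical "secured files" list (the page's default is executables).
SECURED_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}


def integrity_signature(path):
    """Constructed stand-in for an integrity signature: SHA-256 of the file contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_secured_type(path):
    return Path(path).suffix.lower() in SECURED_EXTENSIONS


def audit(db, start_dir):
    """Offline audit over a directory tree (the A&I role in this illustration):
    record signatures for secured files not yet in the database, report files
    whose current signature differs from the recorded one, never overwrite."""
    report = {"added": [], "changed": [], "ok": []}
    for root, _dirs, files in os.walk(start_dir):
        for name in files:
            p = os.path.join(root, name)
            if not is_secured_type(p):
                continue
            key = os.path.abspath(p)
            sig = integrity_signature(p)
            if key not in db:
                db[key] = sig
                report["added"].append(key)
            elif db[key] != sig:
                report["changed"].append(key)
            else:
                report["ok"].append(key)
    return report


def check_on_open(db, path):
    """Real-time check (the Interceptor role): decide before a file is opened."""
    if not is_secured_type(path):
        return "allow"  # not a secured file type, so nothing to check
    key = os.path.abspath(path)
    if key not in db:
        return "allow"  # no recorded signature yet; the next audit will add one
    if integrity_signature(path) == db[key]:
        return "allow"
    return "block"  # signature mismatch: file integrity is compromised


def rename_inert(path):
    """Containment step from the page: replace the last extension character with '~'."""
    p = Path(path)
    if not p.suffix:
        raise ValueError("file has no extension to alter")
    inert = p.with_suffix(p.suffix[:-1] + "~")
    os.replace(p, inert)
    return str(inert)


def resecure(db, path):
    """Re-secure a benign file: replace its recorded signature with the current one."""
    key = os.path.abspath(path)
    db[key] = integrity_signature(path)
    return db[key]


def demo():
    """Walk through the whole lifecycle on a constructed sample file in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "tool.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ constructed sample program body")  # constructed content
        db = {}
        first = audit(db, d)                 # first audit records the signature
        before = check_on_open(db, exe)      # unchanged file is allowed to open
        with open(exe, "ab") as f:
            f.write(b"\x90" * 16)            # constructed post-audit modification
        after = check_on_open(db, exe)       # now blocked
        second = audit(db, d)                # audit reports it, does not overwrite
        resecure(db, exe)                    # operator decided the change is benign
        after_resecure = check_on_open(db, exe)
        inert = rename_inert(exe)            # alternatively, render the file inert
        return {
            "added_first": len(first["added"]),
            "open_before_change": before,
            "open_after_change": after,
            "audit_flags_changed": len(second["changed"]),
            "open_after_resecure": after_resecure,
            "inert_name": os.path.basename(inert),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the outcome of each stage: the first audit adds one signature, the untouched file is allowed, the modified file is blocked, the second audit reports one changed file without renewing its signature, the file is allowed again only after re-securing, and the renamed copy ends in `.ex~`.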

    A general method for disinfecting from PE viruses is provided at this link.

    Last modified: 29 Apr 2006
