
Page 14


Intel® vPro™ and Intel® Centrino® Pro Processor Technology Quick Start Guide


Once Agent Presence (AP) starts on the client (by default 6 minutes after the client is powered on), an
AP alert is generated if the COLLECTOR.EXE process is killed or the LANDesk Management Agent service is
stopped. AP start and stop alerts are written to the LSM log, not to the Intel AMT Event Log.

Note: If the COLLECTOR.EXE process is killed, restart it by running RESTARTMON.EXE from the LDCLIENT
folder on the client system.

LANDesk Management Suite 8.8 can have Agent Presence trigger a System Defense policy that isolates the
client system from the network. To do this, create an Intel AMT Agent Presence alert in the LSM console
(under the Core Ruleset) with the action "Place in the Intel AMT Remediation Queue." With this alert
rule in place, stopping a monitored process on the client causes Intel AMT to generate an Agent Presence
alert and send it to the LANDesk core server. The core server then issues a System Defense policy to the
client that drops all network traffic except LANDesk management traffic, Intel AMT traffic, DNS traffic,
and DHCP traffic. The client is thus cut off from the network except for system management functions;
note that because DNS and DHCP remain permitted, the isolated client can still obtain an address and
resolve names, so this is a management-channel allowlist rather than a complete quarantine.

Using LANDesk* Out-of-Band Monitor (AMTMON) Features:

LANDesk 8.8 can also disable the network on the client at the OS level. This is not done through the
System Defense feature but through the LANDesk agents, which communicate via the Intel AMT non-volatile
memory (NVM) area. When you choose to disable or enable the network on a client, a flag is set in that
client's NVM; the LANDesk* Out-of-Band Monitor service (AMTMON.EXE) monitors the flag and disables or
enables the network according to its value. A further NVM flag tells AMTMON to run a vulnerability scan
on the client at the next restart. A message dialog is displayed on the client system whenever any of
these three operations (network disable, network enable, vulnerability scan) is performed.

Note: Do not ping the Intel AMT client to test whether the network is disabled. Intel AMT's network
stack runs in the management engine independently of the host operating system, so the client still
answers pings even when the OS-level network has been disabled. Test against a service provided by the
OS instead.

System Defense (SD):

System Defense (SD) does not require any agents to be installed on the Intel AMT client machine; the
filtering is applied by Intel AMT itself, below the operating system. SD policies may be configured on a
per-machine basis.

There are four pre-defined SD policies:

• An FTP access policy, which triggers SD if FTP access is made either to or from the Intel AMT client
machine.

• A UDP flood policy, which triggers SD if Intel AMT sees at least 20,000 UDP packets per second, and
monitors for a denial-of-service attack.

• A SYN flood policy, which triggers SD if Intel AMT sees at least 20,000 IP packets per second, and
monitors for a denial-of-service attack.
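As an added worked example, not taken from this guide, LANDesk or Intel, the following Python model shows both the isolation policy that the Agent Presence remediation pushes to the client (drop everything except LANDesk management, Intel AMT, DNS and DHCP traffic) and the three pre-defined trigger policies listed above. The rule shape, the Intel AMT and LANDesk port numbers, the whole-second rate bucketing, the decision to count only TCP SYNs for the SYN-flood trigger, and the sample packets are all assumptions of the example; a real SD policy is pushed to Intel AMT by the management console and enforced there.

```python
"""Simplified model of Intel AMT System Defense (SD) policies: an isolation
allowlist plus the pre-defined FTP / UDP-flood / SYN-flood triggers.

Added illustration only, not LANDesk or Intel code. The rule shape, the port
numbers and the packet records are assumptions for the example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed port sets for the isolation allowlist (not taken from the guide).
AMT_PORTS = frozenset({16992, 16993, 16994, 16995})   # Intel AMT web/SOAP and redirection
LANDESK_PORTS = frozenset({9535, 9593, 9594, 9595})   # placeholder LANDesk agent ports
DNS_PORTS = frozenset({53})
DHCP_PORTS = frozenset({67, 68})


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since trace start
    direction: str     # "tx" = leaving the client, "rx" = arriving at it
    proto: str         # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False  # TCP SYN flag set


@dataclass(frozen=True)
class Rule:
    """A filter; None / empty fields match anything."""
    name: str
    proto: Optional[str] = None
    ports: frozenset = frozenset()   # matches if either port is in the set
    syn_only: bool = False
    threshold_pps: int = 1           # packets per second needed to fire

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.syn_only and not p.syn:
            return False
        if self.ports and p.src_port not in self.ports and p.dst_port not in self.ports:
            return False
        return True


# Isolation policy from the Agent Presence remediation: everything is dropped
# except management, Intel AMT, DNS and DHCP traffic.
ISOLATION_PASS_RULES = (
    Rule("landesk-mgmt", proto="tcp", ports=LANDESK_PORTS),
    Rule("intel-amt", proto="tcp", ports=AMT_PORTS),
    Rule("dns", ports=DNS_PORTS),            # UDP or TCP port 53, any destination
    Rule("dhcp", proto="udp", ports=DHCP_PORTS),
)


def isolation_verdict(p: Packet) -> str:
    """First matching pass rule wins; the default action is drop."""
    for rule in ISOLATION_PASS_RULES:
        if rule.matches(p):
            return "pass:" + rule.name
    return "drop"


# The pre-defined trigger policies. The guide states the SYN-flood threshold
# in "IP packets per second"; counting only TCP SYNs is an assumption here.
TRIGGER_RULES = (
    Rule("ftp-access", proto="tcp", ports=frozenset({21}), threshold_pps=1),
    Rule("udp-flood", proto="udp", threshold_pps=20000),
    Rule("syn-flood", proto="tcp", syn_only=True, threshold_pps=20000),
)


def fired_triggers(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count matching packets per rule and per whole second; return
    {rule name: peak packets/second} for every rule whose peak reached
    its threshold in at least one one-second bucket."""
    per_second: Counter = Counter()
    for p in packets:
        for rule in TRIGGER_RULES:
            if rule.matches(p):
                per_second[(rule.name, int(p.ts))] += 1
    peak: Dict[str, int] = {}
    for (name, _sec), n in per_second.items():
        peak[name] = max(peak.get(name, 0), n)
    thresholds = {rule.name: rule.threshold_pps for rule in TRIGGER_RULES}
    return {name: pps for name, pps in peak.items() if pps >= thresholds[name]}


# Constructed sample traffic (not captured data).
def sample_isolated_traffic() -> List[Packet]:
    return [
        Packet(0.0, "tx", "udp", 68, 67),          # DHCP request
        Packet(0.1, "tx", "udp", 51000, 53),       # DNS query to any resolver
        Packet(0.2, "rx", "tcp", 44000, 16992),    # console talking to Intel AMT
        Packet(0.3, "tx", "tcp", 45000, 9595),     # agent to LANDesk core (assumed port)
        Packet(0.4, "tx", "tcp", 46000, 443),      # user's HTTPS browsing
        Packet(0.5, "rx", "tcp", 47000, 445),      # inbound SMB from a peer
    ]


def sample_flood(pps: int, proto: str, syn: bool = False) -> List[Packet]:
    """`pps` inbound packets spread evenly over a single one-second bucket."""
    return [Packet(10 + i / pps, "rx", proto, 40000, 80, syn=syn) for i in range(pps)]


if __name__ == "__main__":
    for p in sample_isolated_traffic():
        print(p.direction, p.proto, p.src_port, "->", p.dst_port, isolation_verdict(p))
    print(fired_triggers(sample_flood(20000, "udp")))             # {'udp-flood': 20000}
    print(fired_triggers(sample_flood(19999, "udp")))             # {}
    print(fired_triggers(sample_flood(20000, "tcp", syn=True)))   # {'syn-flood': 20000}
    print(fired_triggers([Packet(1.0, "tx", "tcp", 50000, 21)]))  # {'ftp-access': 1}
```

Two points the model makes visible: the isolation allowlist passes port-53 traffic to any destination, which is what the guide's list of permitted traffic implies, so an isolated client can still resolve names; and the flood triggers fire on a rate, so 19,999 UDP packets in a second stay below the 20,000 threshold while one FTP packet in either direction is enough for the FTP policy. A real implementation would use a sliding window rather than whole-second buckets, and the filtering runs inside Intel AMT below the OS, which is why no agent is needed.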
