Configure anti-evasion settings
Anti-evasion settings control the network engine handling of abnormal packets that may be attempting to evade analysis. Anti evasion settings are configured in a policy or an individual computer. The Security Posture setting controls how rigorous intrusion prevention analyzes packets, and can be set to one of the following values:
- Normal: Prevents the evasion of intrusion prevention rules without false positives. This is the default value.
- Strict: Performs more stringent checking than Normal mode but can produce some false-positive results. Strict mode is useful for penetration testing but should not be enabled under normal circumstances.
- Custom: If you select Custom, additional settings are available that enable you to specify how Deep Security will handle issues with packets. For these settings (with the exception of TCP Timestamp PAWS Window), the options are Allow (Deep Security sends the packet through to the system), Log Only (same behavior as Allow, but an event is logged), Deny (Deep Security drops the packet and logs an event), or Deny Silent (same behavior as Deny, but no event is logged):
If you changed the posture to "Custom" in Deep Security 10.1 or earlier, all default values for the anti-evasion settings were set to "Deny". This led to a dramatic increase in block events. The default custom values have changed in Deep Security 10.2, as indicated in the table below.
Setting | Description | Normal value | Strict value | Default custom value (pre-10.2) | Default custom value (10.2 or later) |
---|---|---|---|---|---|
Invalid TCP Timestamps | Action to take when a TCP timestamp is too old | Ignore and Log (same function as Log Only) | Deny | Deny | Ignore and Log (same function as Log Only) |
TCP Timestamp PAWS Window | Packets can have timestamps. When a timestamp has an earlier timestamp than the one that came before it, it can be suspicious. The tolerance for the difference in timestamps depends on the operating system. For Windows systems, select 0 (the system will only accept packets with a timestamp that is equal to or newer than the previous packet). For Linux systems, select 1 (the system will accept packets with a timestamp that is a maximum of one second earlier than the previous packet). | 1 for Linux agents, otherwise 0 | 1 for Linux agents, otherwise 0 | 0 | 1 for Linux agents, otherwise 0 |
Timestamp PAWS Zero Allowed | Action to take when a TCP timestamp is zero | Deny for Linux agents or NDIS5, otherwise Allow | Deny for Linux agents or NDIS5, otherwise Allow | Deny | Deny for Linux agents or NDIS5, otherwise Allow |
Fragmented Packets | Action to take when a packet is fragmented | Allow | Allow | Deny | Allow |
TCP Zero Flags | Action to take when a packet has zero flags set | Deny | Deny | Deny | Deny |
TCP Congestion Flags | Action to take when a packet has congestion flags set | Allow | Allow | Deny | Allow |
TCP Urgent Flags | Action to take when a packet has urgent flags set | Allow | Deny | Deny | Allow |
TCP Syn Fin Flags | Action to take when a packet has both SYN and FIN flags set | Deny | Deny | Deny | Deny |
TCP Syn Rst Flags | Action to take when a packet has both SYN and RST flags set | Deny | Deny | Deny | Deny |
TCP Rst Fin Flags | Action to take when a packet has both RST and FIN flags set | Deny | Deny | Deny | Deny |
TCP Syn with Data | Action to take when a packet has a SYN flag set and also contains data | Deny | Deny | Deny | Deny |
TCP Split Handshake | Action to take when a SYN is received instead of SYN-ACK, as a reply to a SYN. | Deny | Deny | Deny | Deny |
RST Packet Out of Connection | Action to take for a RST packet without a known connection | Allow | Deny | Deny | Allow |
FIN Packet Out of Connection | Action to take for a FIN packet without a known connection | Allow | Deny | Deny | Allow |
OUT Packet Out of Connection | Action to take for an outgoing packet without a known connection | Allow | Deny | Deny | Allow |
Evasive Retransmit | Action to take for a packet with duplicated or overlapping data | Allow | Deny | Deny | Allow |
TCP Checksum | Action to take for a packet with an invalid checksum | Allow | Deny | Deny | Allow |