Configure anti-evasion settings

Anti-evasion settings control how the network engine handles abnormal packets that may be attempting to evade analysis. Anti-evasion settings are configured in a policy or on an individual computer. The Security Posture setting controls how rigorously intrusion prevention analyzes packets, and can be set to one of the following values:

  • Normal: Prevents the evasion of intrusion prevention rules without false positives. This is the default value.
  • Strict: Performs more stringent checking than Normal mode but can produce some false-positive results. Strict mode is useful for penetration testing but should not be enabled under normal circumstances.
  • Custom: If you select Custom, additional settings are available that enable you to specify how Deep Security will handle issues with packets. For these settings (with the exception of TCP Timestamp PAWS Window), the options are Allow (Deep Security sends the packet through to the system), Deny (Deep Security drops the packet and logs an event), or Deny Silent (same behavior as Deny, but no event is logged).

    If you changed the posture to Custom in Deep Security 10.1 or earlier, all default values for the anti-evasion settings were set to Deny, which caused a dramatic increase in block events. The default custom values changed in Deep Security 10.2, as shown in the table below: from 10.2 on, the Custom defaults match the Normal values, so selecting Custom changes nothing until you change an individual setting.

| Setting | Description | Normal value | Strict value | Default custom value (pre-10.2) | Default custom value (10.2 or later) |
|---|---|---|---|---|---|
| Invalid TCP Timestamps | Action to take when a TCP timestamp is too old | Ignore (same function as Allow) | Deny | Deny | Ignore (same function as Allow) |
| TCP Timestamp PAWS Window | Packets can carry timestamps; a timestamp earlier than the previous packet's is suspicious. The tolerated difference depends on the operating system: select 0 for Windows (accept only packets with a timestamp equal to or newer than the previous packet) and 1 for Linux (accept packets with a timestamp up to one second earlier than the previous packet). | 1 for Linux agents, otherwise 0 | 1 for Linux agents, otherwise 0 | 0 | 1 for Linux agents, otherwise 0 |
| Timestamp PAWS Zero Allowed | Action to take when a TCP timestamp is zero | Deny for Linux agents or NDIS5, otherwise Allow | Deny for Linux agents or NDIS5, otherwise Allow | Deny | Deny for Linux agents or NDIS5, otherwise Allow |
| Fragmented Packets | Action to take when a packet is fragmented | Allow | Allow | Deny | Allow |
| TCP Zero Flags | Action to take when a packet has zero flags set | Deny | Deny | Deny | Deny |
| TCP Congestion Flags | Action to take when a packet has congestion flags set | Allow | Allow | Deny | Allow |
| TCP Urgent Flags | Action to take when a packet has urgent flags set | Allow | Deny | Deny | Allow |
| TCP Syn Fin Flags | Action to take when a packet has both SYN and FIN flags set | Deny | Deny | Deny | Deny |
| TCP Syn Rst Flags | Action to take when a packet has both SYN and RST flags set | Deny | Deny | Deny | Deny |
| TCP Rst Fin Flags | Action to take when a packet has both RST and FIN flags set | Deny | Deny | Deny | Deny |
| TCP Syn with Data | Action to take when a packet has the SYN flag set and also contains data | Deny | Deny | Deny | Deny |
| TCP Split Handshake | Action to take when a SYN is received instead of a SYN/ACK as the reply to a SYN | Deny | Deny | Deny | Deny |
| RST Packet Out of Connection | Action to take for a RST packet without a known connection | Allow | Deny | Deny | Allow |
| FIN Packet Out of Connection | Action to take for a FIN packet without a known connection | Allow | Deny | Deny | Allow |
| OUT Packet Out of Connection | Action to take for an outgoing packet without a known connection | Allow | Deny | Deny | Allow |
| Evasive Retransmit | Action to take for a packet with duplicated or overlapping data | Allow | Deny | Deny | Allow |
| TCP Checksum | Action to take for a packet with an invalid checksum | Allow | Deny | Deny | Allow |
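To make the table concrete, the following is an added example, written for this page rather than taken from Deep Security's own code or API, that models the checks as a small packet-inspection engine in Python and runs one constructed TCP trace under the Normal, Strict and Custom postures. The connection keys, sequence numbers and timestamps are constructed, and the connection tracking, split-handshake, out-of-connection, PAWS and overlapping-retransmit logic are simplified assumptions about how such checks behave, not a description of the real engine.

```python
"""Worked model of the anti-evasion checks and posture tables above, run over
constructed TCP segments. Added illustration, not Deep Security's engine."""
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "Allow"              # "Ignore" in the table behaves the same way
    DENY = "Deny"                # drop the packet and log an event
    DENY_SILENT = "Deny Silent"  # drop the packet, log nothing

# From the table: Deny in every posture / Deny only in Strict (Allow or Ignore elsewhere)
_FIXED_DENY = ["TCP Zero Flags", "TCP Syn Fin Flags", "TCP Syn Rst Flags",
               "TCP Rst Fin Flags", "TCP Syn with Data", "TCP Split Handshake"]
_STRICT_DENY = ["Invalid TCP Timestamps", "TCP Urgent Flags",
                "RST Packet Out of Connection", "FIN Packet Out of Connection",
                "OUT Packet Out of Connection", "Evasive Retransmit", "TCP Checksum"]

def posture(name, linux=True, ndis5=False, overrides=None):
    # (setting -> Action, PAWS window) for "Normal", "Strict" or "Custom" with 10.2+ defaults
    settings = {"Fragmented Packets": Action.ALLOW, "TCP Congestion Flags": Action.ALLOW}
    settings.update({s: Action.DENY for s in _FIXED_DENY})
    settings.update({s: Action.DENY if name == "Strict" else Action.ALLOW for s in _STRICT_DENY})
    settings["Timestamp PAWS Zero Allowed"] = Action.DENY if (linux or ndis5) else Action.ALLOW
    settings.update(overrides or {})  # Custom posture: the administrator's per-setting choices
    return settings, (1 if linux else 0)

@dataclass
class Segment:
    conn: str                       # constructed connection key
    flags: frozenset                # subset of {"SYN","ACK","FIN","RST","URG","ECE","CWR"}
    outgoing: bool = False          # True when the protected host is the sender
    seq: int = 0
    payload: int = 0                # payload length in bytes
    timestamp: "int | None" = None  # TSval; None when the option is absent
    checksum_ok: bool = True
    fragmented: bool = False

class AntiEvasionEngine:
    # Applies the table's checks in order; the first non-Allow verdict drops the segment.
    def __init__(self, settings, paws_window):
        self.settings, self.paws_window = settings, paws_window
        self.state = {}    # conn -> ("SYN", syn_was_outgoing) or ("EST", None)
        self.last_ts = {}  # conn -> last accepted TSval (simplified: one value per connection)
        self.seen = {}     # conn -> [(seq, end)] byte ranges already accepted
        self.events = []   # settings that produced a logged (Deny) event

    def _checks(self, p):
        f, known = p.flags, p.conn in self.state
        if not p.checksum_ok: yield "TCP Checksum"
        if p.fragmented: yield "Fragmented Packets"
        if not f: yield "TCP Zero Flags"
        if {"SYN", "FIN"} <= f: yield "TCP Syn Fin Flags"
        if {"SYN", "RST"} <= f: yield "TCP Syn Rst Flags"
        if {"RST", "FIN"} <= f: yield "TCP Rst Fin Flags"
        if "SYN" in f and p.payload: yield "TCP Syn with Data"
        if f & {"ECE", "CWR"}: yield "TCP Congestion Flags"
        if "URG" in f: yield "TCP Urgent Flags"
        # a bare SYN coming back from the peer we sent a SYN to, instead of a SYN/ACK
        if f == {"SYN"} and self.state.get(p.conn) == ("SYN", not p.outgoing): yield "TCP Split Handshake"
        if "RST" in f and not known: yield "RST Packet Out of Connection"
        if "FIN" in f and not known: yield "FIN Packet Out of Connection"
        if p.outgoing and not known and "SYN" not in f: yield "OUT Packet Out of Connection"
        if p.timestamp is not None:
            if p.timestamp == 0: yield "Timestamp PAWS Zero Allowed"
            elif p.timestamp < self.last_ts.get(p.conn, 0) - self.paws_window: yield "Invalid TCP Timestamps"
        if p.payload and any(p.seq < e and p.seq + p.payload > s for s, e in self.seen.get(p.conn, [])):
            yield "Evasive Retransmit"

    def inspect(self, p):
        # returns (Action, triggering setting or None); connection state is updated only on Allow
        for setting in self._checks(p):
            action = self.settings[setting]
            if action is not Action.ALLOW:
                if action is Action.DENY: self.events.append(setting)
                return action, setting
        if p.flags == {"SYN"}: self.state.setdefault(p.conn, ("SYN", p.outgoing))
        elif {"SYN", "ACK"} <= p.flags and p.conn in self.state: self.state[p.conn] = ("EST", None)
        if p.timestamp is not None: self.last_ts[p.conn] = p.timestamp
        if p.payload: self.seen.setdefault(p.conn, []).append((p.seq, p.seq + p.payload))
        return Action.ALLOW, None

def S(*flags): return frozenset(flags)

# Constructed trace: one client connection plus a stray RST on another 5-tuple
CONN, OTHER = "10.0.0.5:40000->10.0.0.9:443", "10.0.0.7:5555->10.0.0.9:22"
TRACE = [
    Segment(CONN, S("SYN"), outgoing=True, seq=1000, timestamp=100),
    Segment(CONN, S("SYN"), timestamp=100),         # SYN answered with a SYN: split handshake
    Segment(CONN, S("SYN", "ACK"), timestamp=101),  # the proper SYN/ACK
    Segment(CONN, S("ACK"), outgoing=True, seq=1001, payload=10, timestamp=102),
    Segment(CONN, S("ACK"), outgoing=True, seq=1005, payload=10, timestamp=103),  # overlaps 1005-1010
    Segment(CONN, S("ACK"), timestamp=90),          # TSval went backwards by more than the window
    Segment(CONN, S("ACK"), timestamp=0),           # zero timestamp
    Segment(OTHER, S("RST")),                       # RST for a connection never seen
    Segment(CONN, S("SYN", "FIN")),                 # illegal flag combination
]

def run_posture(name, linux=True, overrides=None):
    # run TRACE under one posture: ([(action value, setting)], logged events)
    engine = AntiEvasionEngine(*posture(name, linux=linux, overrides=overrides))
    return [(a.value, s) for a, s in (engine.inspect(p) for p in TRACE)], engine.events
```

Calling run_posture("Normal") and run_posture("Strict") shows the split in the table: the split handshake, the zero timestamp (on a Linux agent) and the SYN+FIN segment are dropped under every posture, while the overlapping retransmit, the backwards timestamp and the stray RST pass under Normal and are dropped under Strict. Passing overrides to the Custom posture, for example Deny Silent for RST Packet Out of Connection, drops that segment without recording an event, which is the whole difference between Deny and Deny Silent; with no overrides the Custom posture reproduces the Normal values exactly, as the 10.2 column of the table says.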