Network application monitoring tracks an application's behavior in the security log. If an application's content is modified too frequently, it is likely that a Trojan horse attacked the application and the client computer is not safe. If an application's content is modified on an infrequent basis, it is likely that a patch was installed and the client computer is safe. You can use this information to create a firewall rule that allows or blocks an application.
You can configure the client to detect and monitor any application that runs on the client computer and that is networked. Network applications send and receive traffic. The client detects whether an application's content changes.
If you suspect that a Trojan horse has attacked an application, you can use network application monitoring to configure the client to block the application. You can also configure the client to ask users whether to allow or block the application.
An application's content changes for the following reasons:
A Trojan horse attacked the application.
The application was updated with a new version or an update.
You can add applications to a list so that the client does not monitor them. You may want to exclude the applications that you think are safe from a Trojan horse attack, but that have frequent and automatic patch updates.
You may want to disable network application monitoring if you are confident that the client computers receive adequate protection from antivirus and antispyware protection. You may also want to minimize the number of notifications that ask users to allow or block a network application.
To block networked applications that might be under attack
In the console, click Clients.
Under Clients, select a group, and then click Policies.
On the Policies tab, under Location-independent Policies and Settings, click Network Application Monitoring.
In the Network Application Monitoring for group name dialog box, click Enable Network Application Monitoring.
In the When an application change is detected drop-down list, select the action that the firewall takes on the application that runs on the client as follows:
If you selected Ask, click Additional Text.
In the Additional Text dialog box, type the text that you want to appear under the standard message, and then click OK.
To exclude an application from being monitored, under Unmonitored Application List, do one of the following tasks:
Check the box beside the application to enable it; uncheck it to disable it.