Network application monitoring tracks an application's behavior in the security log. If an application's content is modified too frequently, it is likely that a Trojan horse attacked the application and the client computer is not safe. If an application's content is modified on an infrequent basis, it is likely that a patch was installed and the client computer is safe. You can use this information to create a firewall rule that allows or blocks an application.
You can configure the client to detect and monitor any application that runs on the client computer and that is networked. Network applications send and receive traffic. The client detects whether an application's content changes.
If you suspect that a Trojan horse has attacked an application, you can use network application monitoring to configure the client to block the application. You can also configure the client to ask users whether to allow or block the application.
An application's content changes for the following reasons:
A Trojan horse attacked the application.
The application was updated with a new version or an update.
You can add applications to a list so that the client does not monitor them. You may want to exclude the applications that you think are safe from a Trojan horse attack, but that have frequent and automatic patch updates.
You may also want to minimize the number of notifications that ask users to allow or block a network application.
To block networked applications that might be under attack
In the console, click Clients.
Under Clients, select a group, and then click Policies.
On the Policies tab, under Location-independent Policies and Settings, click Network Application Monitoring.
In the Network Application Monitoring for group name dialog box, click Enable Network Application Monitoring.
In the When an application change is detected drop-down list, select the action that the firewall takes on the application that runs on the client as follows:
Asks the user to allow or block the application.
Block the traffic
Blocks the application from running.
Allow and Log
Allows the application to run and records the information in the security log.
The firewall takes this action on the applications that have been modified only.
If you selected Ask, click Additional Text.
In the Additional Text dialog box, type the text that you want to appear under the standard message, and then click OK.
To exclude an application from being monitored, under Unmonitored Application List, do one of the following tasks:
To define an application manually
Click Add, fill out one or more fields, and then click OK.
To define an application from a learned applications list
Click Add From.
The learned applications list monitors both networked and non-networked applications. You must select networked applications only from the learned applications list. After you have added applications to the Unmonitored Applications List, you can enable, disable, edit, or delete them.
Check the box beside the application to enable it; uncheck it to disable it.