|Applies To||RSA ECAT 3.4|
RSA ECAT 3.5
|Issue||How to use whitelists and blacklists with RSA ECAT to manage suspect levels|
ECAT analyzes all modules running on the target machine (including drivers, DLLS, processes, hooks, files, etc) and assigns a number that is intended to serve as an indicator of potential risk. This number is referred to as the suspect level. A suspect level is assigned to each object on a machine and an overall number called the MSL(Machine Suspect Level) is compiled as well - the MSL is simply the sum of all suspicious activity on a system. In ECAT, you can build and maintain both a blacklist and a whitelist for files. By doing so, you will affect the suspect score for the file in question as well as the MSL for the machine the file was found on.
Whitelisting a module does not affect the suspect level of that module but the MSL will be affected.
Modules found to be infected are automatically added to the Blacklist with the reason "malware found". This will increase the suspect level of this file (and the MSL as a result of the suspect level increasing). Many ECAT administrators have extensive whitelists and blacklists and routinely back them up. Since corporate networks tends to be somewhat homogenous, these whitelists in particular help them control the suspect level. When a new piece of floating code shows up on a machine, the MSL of that machine will be much higher than the others. When you add a module to the blacklist you automatically cause the suspect level of both that module and the machine to go up. By managing suspect levels of the machines monitored by ECAT, it is possible to make a suspicious new module stand out rather than go unnoticed.
|Legacy Article ID||a66641|