Setting up network application monitoring

Article: HOWTO27062  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL: http://www.symantec.com/docs/HOWTO27062
Article Type: How To


You can configure the client to detect and monitor any application that runs on the client computer and that is networked. Network applications send and receive traffic. The client detects whether an application's content changes.

An application's content changes for the following reasons:

  • A Trojan horse attacked the application.

  • The application was updated with a new version or an update.

If you suspect that a Trojan horse has attacked an application, you can use network application monitoring to configure the client to block the application. You can also configure the client to ask users whether to allow or block the application.

Network application monitoring tracks an application's behavior in the Security Log. If an application's content is modified too frequently, it is likely that a Trojan horse attacked the application and the client computer is not safe. If an application's content is modified on an infrequent basis, it is likely that a patch was installed and the client computer is safe. You can use this information to create a firewall rule that allows or blocks an application.

You can add applications to a list so that the client does not monitor them. You may want to exclude the applications that you think are safe from a Trojan horse attack, but that have frequent and automatic patch updates.
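The frequency reasoning above can be applied to exported change records with a short script. This is an added example, not Symantec code: the record layout, the 7-day window, the threshold of two changes, and the verdict labels are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, application path, content fingerprint).
# This is NOT the product's Security Log format; map real exported fields to it.
SAMPLE_EVENTS = [
    ("2010-01-04T09:00:00", r"C:\Apps\mailer.exe", "aa11"),
    ("2010-01-04T13:30:00", r"C:\Apps\mailer.exe", "bb22"),
    ("2010-01-05T08:10:00", r"C:\Apps\mailer.exe", "cc33"),
    ("2010-01-06T17:45:00", r"C:\Apps\mailer.exe", "dd44"),
    ("2010-01-02T10:00:00", r"C:\Apps\browser.exe", "1111"),
    ("2010-01-12T10:00:00", r"C:\Apps\browser.exe", "2222"),
    ("2010-01-03T02:00:00", r"C:\Apps\updater.exe", "e1"),
    ("2010-01-04T02:00:00", r"C:\Apps\updater.exe", "e2"),
    ("2010-01-05T02:00:00", r"C:\Apps\updater.exe", "e3"),
    ("2010-01-06T02:00:00", r"C:\Apps\updater.exe", "e4"),
]

def triage(events, unmonitored=(), window=timedelta(days=7), max_changes=2):
    """Return {app: (peak_changes_in_window, verdict)}.

    window and max_changes are assumed thresholds; the article gives no numbers.
    unmonitored plays the role of the exclusion list for trusted auto-updaters.
    """
    skip = {p.lower() for p in unmonitored}   # Windows paths: compare case-insensitively
    seen = defaultdict(list)                  # app -> [(time, fingerprint)] in time order
    for ts, app, fp in sorted(events):
        if app.lower() in skip:
            continue
        seen[app].append((datetime.fromisoformat(ts), fp))
    result = {}
    for app, obs in seen.items():
        # The first observation is the baseline; a change is any later
        # observation whose fingerprint differs from the previous one.
        changes = [t for (t, fp), (_, prev) in zip(obs[1:], obs) if fp != prev]
        # Largest number of changes that fall inside one sliding window.
        peak = max((sum(1 for u in changes if t <= u < t + window)
                    for t in changes), default=0)
        verdict = "review-for-block" if peak > max_changes else "likely-patch"
        result[app] = (peak, verdict)
    return result

if __name__ == "__main__":
    for app, (peak, verdict) in triage(SAMPLE_EVENTS, [r"C:\Apps\updater.exe"]).items():
        print(f"{app}: {peak} change(s) in window -> {verdict}")
```

An application flagged `review-for-block` is a candidate for investigation before a blocking firewall rule is written; a trusted auto-updater that would otherwise trip the threshold belongs on the unmonitored list.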

You may want to disable network application monitoring if you are confident that the client computers receive adequate protection from Antivirus and Antispyware Protection. You may also want to minimize the number of notifications that ask users to allow or block a network application.

To set up network application monitoring

  1. In the console, click Clients.

  2. Under View Clients, select a group, and then click Policies.

  3. On the Policies tab, under Location-independent Policies and Settings, click Network Application Monitoring.

  4. In the Network Application Monitoring for group name dialog box, click Enable Network Application Monitoring.

  5. In the When an application change is detected drop-down list, select the action that the firewall takes on the application that runs on the client:

    • Ask

      Asks the user to allow or block the application.

    • Block the traffic

      Blocks the application from running.

    • Allow and Log

      Allows the application to run and records the information in the Security Log.

      The firewall takes this action only on the applications that have been modified.

  6. If you selected Ask, click Additional Text.

  7. In the Additional Text dialog box, type the text that you want to appear under the standard message, and then click OK.

  8. To exclude an application from being monitored, under Unmonitored Application List, do one of the following actions:

    The learned applications list monitors both networked and non-networked applications. You must select networked applications only from the learned applications list. After you have added applications to the Unmonitored Applications List, you can enable, disable, edit, or delete them.

  9. To enable or disable an application, check the check box in the Enabled column.

  10. Click OK.


Legacy ID: 349420
