Appendix B: Configuration Tabs
The Evidence Log Tab
Introduction

When your system is attacked, RealSecure Desktop Protector can capture evidence files that record network traffic from the intruding system. Evidence files record the specific packet that set off a protection response. This can be a good way to investigate intrusions without using a lot of disk space for records.
Evidence files

Evidence files are located in the installation directory folder. For example, if you installed Desktop Protector in the Program Files directory on the C: drive, the evidence files are in C:\Program Files\ISS\BlackICE. The file extension for all evidence log files is *.enc.

Note: If you upgraded to RealSecure Desktop Protector 3.5 from BlackICE Agent, your evidence log files are still stored in C:\Program Files\Network ICE\BlackICE.
Evidence files are encoded as trace files. To view the contents of these files, you must have a decoding application, such as Network Monitor (included with Windows NT Server and Windows 2000).
The Evidence Log tab controls the size and grouping of each evidence file set. For more information about tracking evidence of intrusions, see Collecting Evidence Files on page 52.

Note: Evidence files are not the same as packet logs. Packet logs are a capture of all inbound and outbound traffic on the system. An evidence file focuses only on the traffic associated with specific attacks.
Evidence Log settings

This table describes the available evidence log settings (Table 22). Each entry gives the setting, followed by its effect.

Logging enabled
    Instructs Desktop Protector to collect evidence files for suspicious events. If Desktop Protector is remotely installed from ICEcap, this option is disabled by default. If Desktop Protector is installed manually, this setting is enabled by default.

File prefix
    Specifies the prefix for the evidence file names. To place a date stamp (format YYYYMMDD) and a sequence number (NN) in the file name, enter %d after the selected prefix. For example, if you enter evd (the default file prefix), the file names look like this: evdYYYYMMDD-NN.enc. The date stamp is computed in Greenwich Mean Time (GMT), not local time, so a file's name may show a different day than the local clock.

Maximum size (in kilobytes)
    Controls how big each evidence file can get. For best results, keep this value under 2048 kilobytes (2 MB). To ensure that the file fits on a floppy disk, consider using a maximum size of 1400 kilobytes (the default).

Maximum number of files
    Limits the number of files Desktop Protector generates in the specified collection time period. For example, if the maximum number of files is 32 (the default value), Desktop Protector does not generate more than 32 evidence files in any 24-hour period. Attacks that occur after the limit is reached in that period produce no new evidence file, so a day that hits the limit should be treated as incompletely recorded.

Table 22: Evidence log tab settings
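The naming scheme and the two limits above are what an analyst has to reason about when collecting *.enc files from a host. The following Python script is an added example, not part of this manual or of the Desktop Protector product: it parses file names of the evdYYYYMMDD-NN.enc form, counts files per GMT day, flags days that reached the 32-file cap (evidence for later attacks that day is missing), flags files above the 2048 KB guidance, and predicts the next file name for a given day. The directory listing is constructed inline; the assumption that NN is a two-digit, zero-padded sequence starting at 00 is taken from the manual's example and is not documented behaviour of the product.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample directory listing (file name -> size in bytes).
# These are not real captures: names follow the evdYYYYMMDD-NN.enc layout
# described on the Evidence Log tab and the sizes are invented.
SAMPLE_LISTING = {
    "evd20030112-00.enc": 512_000,
    "evd20030112-01.enc": 1_433_600,    # exactly 1400 KB, the default limit
    "evd20030113-00.enc": 2_200_000,    # above the 2048 KB guidance
    "readme.txt": 120,                  # not an evidence file; ignored
    "log20030113-00.enc": 10,           # different prefix; ignored
}


def evidence_pattern(prefix="evd"):
    """Regex for <prefix>YYYYMMDD-NN.enc. Assumption: NN is zero-padded to
    two digits, as the manual's example suggests."""
    return re.compile(rf"^{re.escape(prefix)}(\d{{8}})-(\d{{2}})\.enc$")


def parse_evidence_name(name, prefix="evd"):
    """Return (yyyymmdd, sequence) for an evidence file name, or None if the
    name does not match the prefix and layout."""
    m = evidence_pattern(prefix).match(name)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def today_gmt():
    """Date stamp for 'now' in GMT, matching how the product names files."""
    return datetime.now(timezone.utc).strftime("%Y%m%d")


def inventory(listing, prefix="evd", max_size_kb=2048, max_files=32):
    """Summarise evidence files: count per GMT day, list days that reached the
    per-24-hour cap (later attacks that day left no evidence) and list files
    larger than the recommended maximum size."""
    per_day = Counter()
    oversize = []
    for name, size in sorted(listing.items()):
        parsed = parse_evidence_name(name, prefix)
        if parsed is None:
            continue                      # readme.txt, other prefixes, etc.
        day, _seq = parsed
        per_day[day] += 1
        if size / 1024 > max_size_kb:
            oversize.append(name)
    capped = sorted(day for day, n in per_day.items() if n >= max_files)
    return {"per_day": dict(per_day), "oversize": oversize, "capped_days": capped}


def next_evidence_name(listing, day, prefix="evd", max_files=32):
    """Predict the next file name for the given GMT day (YYYYMMDD), or None if
    the daily cap is already reached. This mirrors the documented naming
    scheme; the product's own sequence allocation is not documented."""
    used = set()
    for name in listing:
        parsed = parse_evidence_name(name, prefix)
        if parsed is not None and parsed[0] == day:
            used.add(parsed[1])
    if len(used) >= max_files:
        return None
    seq = next(i for i in range(max_files) if i not in used)
    return f"{prefix}{day}-{seq:02d}.enc"


if __name__ == "__main__":
    report = inventory(SAMPLE_LISTING)
    print("files per GMT day:", report["per_day"])
    print("over size guidance:", report["oversize"])
    print("days at the cap:", report["capped_days"])
    print("next name today:", next_evidence_name(SAMPLE_LISTING, today_gmt()))
```

To run this against a real host, replace SAMPLE_LISTING with a dictionary built from the installation directory (for example with os.scandir over C:\Program Files\ISS\BlackICE) and pass the prefix configured on the tab if it is not the default evd. A day listed under capped_days means the 32-file limit was hit and any further protection responses that day have no corresponding evidence file.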