For example, while testing agents you may find that agents are recognizing the E-mail access signature. Under certain circumstances an event triggered by this signature is cause for alarm: hackers may install trojan applications that use TCP/IP port 25, the port normally reserved for e-mail (SMTP), and that activity is detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal e-mail traffic also matches this signature. When you see it, investigate the process that initiated the event. If the process is one not normally associated with e-mail, such as Notepad.exe, you can reasonably suspect that a trojan was planted. If the process that initiated the event is one that normally sends e-mail (Eudora, Netscape, Outlook), create an exception for that event.
You may also find, for example, that a number of agents are triggering the Startup programs signature, which indicates the modification or creation of a value under either of these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Because the values stored under these keys name programs that are started when the computer boots, recognition of this signature may indicate that someone is attempting to tamper with the system. Or it may indicate something as benign as one of your employees installing RealAudio: the RealAudio installer adds the value RealTray to the Run key.
To stop the agent from generating events every time someone installs authorized software, create exceptions for those events. The agent will then no longer generate events for that authorized installation. Scope each exception to the specific process or registry value you have verified rather than to the whole signature; an exception that covers the entire signature would also hide the tampering you want to see.
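The triage the two passages above describe, written out as an added example that is not the product's own code: events of the two signatures are checked against event-based exceptions, and only the events no exception covers are left for investigation. The event record layout, the field names (signature, process, key, value), the rule class and the sample events are all constructed for this example and are assumptions, not the agent's real event format or exception format.

```python
"""Triage of agent events against event-based exceptions (added example).

Assumptions: the Event and ExceptionRule layouts below are invented for
this example; the agent's real event and exception formats differ.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The two signatures discussed in the text.
SIG_SMTP = "TCP/IP Port 25 Activity (SMTP)"
SIG_STARTUP = "Startup programs"

# Registry keys whose values are run at boot (the two keys listed above),
# stored in normalised form so they compare correctly.
STARTUP_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}


def norm_key(key: Optional[str]) -> str:
    """Normalise a registry path: accept either slash style, ignore case."""
    return (key or "").replace("/", "\\").strip("\\").lower()


@dataclass(frozen=True)
class Event:
    host: str
    signature: str
    process: str                  # image name of the process that caused the event
    key: Optional[str] = None     # registry key (Startup programs events only)
    value: Optional[str] = None   # registry value name (Startup programs events only)


@dataclass(frozen=True)
class ExceptionRule:
    """An event-based exception: suppress events of one signature that match
    every field given here; a field left as None is a wildcard."""
    signature: str
    process: Optional[str] = None
    key: Optional[str] = None
    value: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        if ev.signature != self.signature:
            return False
        if self.process is not None and ev.process.lower() != self.process.lower():
            return False
        if self.key is not None and norm_key(ev.key) != norm_key(self.key):
            return False
        if self.value is not None and (ev.value or "").lower() != self.value.lower():
            return False
        return True


def triage(events: Iterable[Event], rules: Iterable[ExceptionRule]) -> List[Event]:
    """Return the events that no exception covers, i.e. the ones to investigate."""
    rules = list(rules)
    return [ev for ev in events if not any(r.matches(ev) for r in rules)]


def why(ev: Event) -> str:
    """Investigation hint for an event that survived triage."""
    if ev.signature == SIG_SMTP:
        return (f"{ev.process} used port 25 on {ev.host} but is not a known "
                f"mail client; check for a trojan")
    if ev.signature == SIG_STARTUP and norm_key(ev.key) in STARTUP_KEYS:
        return (f"{ev.process} wrote value '{ev.value}' under {ev.key} on "
                f"{ev.host}; confirm the installation was authorized")
    return f"unexpected {ev.signature} event on {ev.host} from {ev.process}"


# Exceptions an administrator would create after the investigations described
# above: the known mail clients on port 25, and RealTray under the Run key only.
RULES = [
    ExceptionRule(SIG_SMTP, process="outlook.exe"),
    ExceptionRule(SIG_SMTP, process="eudora.exe"),
    ExceptionRule(SIG_SMTP, process="netscape.exe"),
    ExceptionRule(SIG_STARTUP,
                  key=r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
                  value="RealTray"),
]

# Constructed sample events; not real agent output.
SAMPLE_EVENTS = [
    Event("ws-01", SIG_SMTP, "OUTLOOK.EXE"),
    Event("ws-02", SIG_SMTP, "notepad.exe"),
    Event("ws-03", SIG_STARTUP, "setup.exe",
          "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run", "RealTray"),
    Event("ws-03", SIG_STARTUP, "updater.exe",
          r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "RealTray"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS, RULES):
        print(why(ev))
```

Two of the four sample events survive: Notepad.exe on port 25 is not one of the excepted mail clients, and the RealTray value written under RunOnce is outside the Run-key exception, so the same value name in a different key still raises an event. Matching is case-insensitive and accepts either slash style, since the text itself writes the keys with forward slashes.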
To create an event-based exception:
A prefilled New Exception dialog box appears.
To create an event-based trusted application:
A prefilled New Trusted Application dialog box appears.