Defeating malware infections with Intel system defense part 3 – automation

The third and last part of the video series on making use of the vPro System Defense capabilities the easy way is out. This video shows an example of how your existing security server can implement network quarantine using System Defense on provisioned devices without having to know a thing about AMT.

The video follows on from the second video, which showed an example of using System Defense through the Microsoft SCOM GUI, and shows a proof-of-concept implementation that only requires the security server to write an event into the local Windows event log, which is easy to do from almost any programming or scripting language. Behind the scenes, the SCOM agent installed on the security server picks up this event and sends a notification to the SCOM server; as a result, the SCOM server applies the blocking policy to the offending host.
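As an added example (not code from the post, the video or the SCOM/vPro products), the piece the security server has to supply is shown below in Windows PowerShell: it writes a structured event into the local Application log, which is the hand-off point the SCOM agent watches. The event source name, the two event IDs (one to quarantine, one to release after remediation) and the key=value message layout are assumptions made here for illustration; the SCOM rule that drives System Defense has to be configured to match whatever values are actually chosen.

```powershell
# Added example, not code from the original post or from Intel/SCOM.
# Assumptions (not taken from the post): the source name 'SecurityServer',
# event IDs 9001 (quarantine) / 9002 (release) and the key=value message
# format are placeholders that the matching SCOM rule must be configured for.
# Requires Windows PowerShell (Write-EventLog is a Windows-only cmdlet) and,
# the first time only, an elevated prompt to register the event source.

$LogName        = 'Application'
$Source         = 'SecurityServer'   # assumed source name
$EventIdBlock   = 9001               # assumed: SCOM rule applies the System Defense policy
$EventIdRelease = 9002               # assumed: SCOM rule removes the policy after remediation

function Register-QuarantineEventSource {
    # Registering a source is a one-time, admin-only step. Write-EventLog fails
    # on an unregistered source, so check up front rather than at quarantine time.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Send-QuarantineEvent {
    param(
        [Parameter(Mandatory)] [string] $HostAddress,
        [Parameter(Mandatory)] [string] $Reason,
        [switch] $Release
    )
    # Validate the address so a malformed or attacker-influenced value coming
    # out of the detection pipeline never reaches the rule that builds the block.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($HostAddress, [ref]$parsed)) {
        throw "Not a valid IP address: '$HostAddress'"
    }
    # The reason is free text from the detector; flatten newlines so one event
    # cannot be crafted to look like several key=value records.
    $cleanReason = ($Reason -replace '[\r\n]+', ' ').Trim()

    $eventId = if ($Release) { $EventIdRelease } else { $EventIdBlock }
    $action  = if ($Release) { 'RELEASE' } else { 'QUARANTINE' }
    # Assumed message layout; the SCOM rule is expected to parse host= out of it.
    $message = "action=$action host=$($parsed.IPAddressToString) reason=$cleanReason origin=$env:COMPUTERNAME"

    Write-EventLog -LogName $LogName -Source $Source -EventId $eventId `
                   -EntryType Warning -Message $message
    return $message
}

# Usage: the security server's correlation logic calls this when it decides to
# isolate a host, and again with -Release once remediation has been verified.
# The host address and reason below are constructed sample input.
Register-QuarantineEventSource
Send-QuarantineEvent -HostAddress '10.0.0.25' -Reason 'AV alert: trojan detected'
# ... remediate the host ...
Send-QuarantineEvent -HostAddress '10.0.0.25' -Reason 'Cleaned and rescanned' -Release
```

One caveat worth keeping in mind with this design: the event log itself authenticates nothing, so any process on the security server that can write to the Application log under this source name can trigger (or lift) a quarantine. The security server therefore needs to be treated as a trusted host, and a dedicated log with a tighter ACL is preferable to the shared Application log if other software runs on the same box.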

<br>
Video (part 3 of 3): <a href="http://www.podtech.net/home/5355/isolation-of-infected-pcs-and-remediation-with-intel-vpro-technology-part-3-of-3">http://www.podtech.net/home/5355/isolation-of-infected-pcs-and-remediation-with-intel-vpro-technology-part-3-of-3</a>
<br>
<br>

The beauty of this is that you can now choose any server to collect and correlate your security events and take quarantine decisions, without that server having to be an AMT management server. The existing AMT manager (SCOM in this example) does the hard work for you.

<br>

As before, I hope you find this useful. I would love to hear comments and answer any questions.

Cheers

<br>

Omer.