Theory of Operation
Malware operates with the primary objective of establishing communication with external servers to receive instructions, updates, and data transmission directives. In earlier iterations, malware employed fixed IP addresses. However, contemporary malware employs advanced methodologies to create and sustain connections with external servers. Recognizing these behaviors becomes pivotal for detecting malware presence and preempting malicious activities.
Upon detecting irregularities in outgoing connection requests, the device shifts into a safeguarded operational mode for DNS queries. This mode effectively halts the malware’s interaction with its external server, thereby neutralizing its ability to inflict further harm. Simultaneously, this protective measure ensures the printer’s uninterrupted functionality.
In the event of persistent anomalous connection requests, the device enacts a system restart mechanism. This leverages the device’s Sure Start and Whitelisting capabilities to eliminate the malware. Concurrently, an IT security alert is initiated to highlight the potential attack.
HP Connection Inspector Configuration
Customizable parameters delineate the framework through which the feature identifies abnormal DNS behavior. The device can adopt one of two modes: DNS Protected Mode or Self-Healing Mode, where a system restart is executed. These adjustable parameters facilitate tailoring the detection methodology to suit varied customer environments, encompassing network behaviors and security considerations.
Configuration Interfaces:
- Embedded Web Server (EWS): Supports comprehensive configuration settings.
- HP Web Jetadmin (Version 10.4sr2 Feature Pack 6): Provides Enable/Disable capability.
- HP JetAdvantage Security Manager (Version 3.1): Accommodates all configuration settings.
Feature Enable/Disable
The HP Connection Inspector feature can be deactivated for diagnostic purposes. Disabling and re-enabling the feature resets Protected mode counters and monitoring statistics to their predefined values.
EWS Path: Networking Tab -> TCP/IP Menu -> Network Identification Page
Threshold and Duration Settings
DNS Failure Threshold (Default: 5, Range: 4 – 50)
- Represents the count of distinct unresolved DNS requests within the “Monitoring Window,” leading to the activation of DNS Protected Mode.
- Higher values extend detection accuracy but may result in decreased responsiveness and potential false positives.
Monitoring Window (Default: 80 mins, Range: 30 mins – 14400 mins)
- Defines the time span, in minutes, during which DNS resolution activities are tallied.
- Extending this window enhances detection of slower-executing connection request activities but could elevate potential false positives.
Protected Mode Duration (Default: 60 mins, Range: 40 mins – 120 mins)
- Specifies the minimum duration, in minutes, for which DNS Protected Mode remains active post-trigger.
- Higher values keep the block in place longer, which mitigates stealthy, slow-acting malware behavior.
Self-Healing (Remediation) Settings
Number of Times in Protected Mode (Default: 3, Range: 1 – 10)
- Indicates the count of DNS Protected Mode events required to initiate a system restart.
- Higher values prolong the interval prior to a system restart.
Cumulative Protected Mode Duration (Default: 80 mins, Range: 60 mins – 140 mins)
- Represents the overall duration of DNS Protected mode events in minutes since device startup, preceding a system restart.
- The Cumulative DNS Protected Mode setting governs the timing of system restarts.
White List Settings
The White List option permits inclusion of DNS addresses exempt from blocking and detection statistics. Instances of false positives generated by HP Connection Inspector can be resolved by adding the implicated DNS names or domains to the white list.
Restore Default Settings
This option restores HP Connection Inspector settings to factory defaults, simultaneously resetting Protected mode counters and monitoring statistics to their initial values.
Protected Mode
Activation of Protected Mode
The device transitions to Protected mode under the following condition:
- The set DNS Failure Threshold is exceeded by unique, unresolved, unknown DNS requests.
DNS Behavior in Protected Mode
DNS resolution is authorized for:
- Domains and associated domain suffixes present in a user-defined whitelist.
- Domains successfully resolved since system startup (History List).
- Destinations within the current domain and corresponding domain suffixes.
- Trusted domains (with Cross-Origin Resource Sharing enabled).
During Protected Mode, DNS requests not covered by the History List or Whitelist are prohibited.
Self-Healing Mode
The device initiates a system restart upon meeting any of the subsequent conditions:
- The count of DNS Protected Mode events surpasses the specified “Number of DNS Protected Mode Events.”
- Total DNS Protected Mode duration exceeds the designated “Cumulative DNS Protected Mode Duration.”
When a system restart remediation event is initiated, the device reboots automatically, unless Auto-recover is disabled or an apparent network anomaly recurs twice within 30 minutes. In that case the device still reboots but halts at the preboot menu to thwart potential malware exploits.
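The detection rules above, from the threshold and duration settings through the Protected Mode allow rules and the Self-Healing conditions, modelled as an added Python simulation; this is constructed for illustration here and is not HP firmware code. Assumptions: times are minutes since startup, reaching a configured value counts as the trigger (the text says both "exceeds" and "required to initiate"), and the CORS trusted-domain rule is omitted.

```python
def _under(name, domain):
    """True when name is domain itself or lies under it (domain-suffix match)."""
    return name == domain or name.endswith("." + domain)


class ConnectionInspectorSim:
    """Constructed model of the documented behaviour (not HP code). Times are minutes
    since startup; reaching a configured value is treated as the trigger (assumption)."""

    def __init__(self, current_domain, whitelist=(), threshold=5, window=80,
                 protected_duration=60, max_events=3, cumulative_limit=80):
        self.current_domain = current_domain.lower()
        self.whitelist = tuple(w.lower() for w in whitelist)
        self.threshold, self.window, self.protected_duration = threshold, window, protected_duration
        self.max_events, self.cumulative_limit = max_events, cumulative_limit
        self.history = set()        # names resolved since startup (History List)
        self.failures = {}          # unresolved name -> minute of its last failure
        self.protected_until = -1   # minute at which the current Protected Mode ends
        self.events = self.cumulative = 0
        self.restart_pending = False

    def whitelisted(self, name):
        return any(_under(name, w) for w in self.whitelist)

    def allowed_in_protected_mode(self, name):
        return (self.whitelisted(name) or name in self.history
                or _under(name, self.current_domain))

    def query(self, name, t, resolves):
        """Feed one DNS lookup at minute t; returns 'resolved', 'failed', 'blocked' or 'restart'."""
        name = name.lower()
        if self.restart_pending:
            return "restart"
        if t < self.protected_until and not self.allowed_in_protected_mode(name):
            return "blocked"
        if resolves:
            self.history.add(name)
            return "resolved"
        if not self.whitelisted(name):   # whitelisted names stay out of the statistics
            self.failures[name] = t
            # keep only distinct failures that fall inside the sliding Monitoring Window
            self.failures = {n: ft for n, ft in self.failures.items() if t - ft < self.window}
            if t >= self.protected_until and len(self.failures) >= self.threshold:
                self.protected_until = t + self.protected_duration
                self.events += 1
                self.cumulative += self.protected_duration
                self.failures.clear()
                if self.events >= self.max_events or self.cumulative >= self.cumulative_limit:
                    self.restart_pending = True   # Self-Healing: system restart
        return "failed"
```

Feeding constructed lookups (a burst of distinct names that never resolve, then ordinary intranet names) shows which requests are blocked once Protected Mode is active and when the restart condition is reached.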
Error and Status Messages
Event Log Messages
These messages indicate the product’s detection and recovery from a network anomaly self-healing event.
Event Log Error Code and Message
Cause: The printer detected and recovered from a potential network anomaly.
Recommended Action: If the number of Protected Mode events or the cumulative time in Protected Mode triggered a system reset, review the syslog messages for domain requests that may need to be added to the whitelist.
Control Panel Messages
A security alert is displayed on the control panel ahead of a system reset self-recovery event.
Jetdirect Configuration Page Status
The Jetdirect Configuration page reflects HP Connection Inspector’s Protected Mode status:
- Yes: Device is in protected mode.
- No: Device is not in protected mode.
- N/A: HP Connection Inspector is disabled.
Syslog Messages
Syslog messages report settings changes and events related to HP Connection Inspector configuration.