I am a newcomer to CSA. I have a few questions, as follows. Could you please clarify them for me?
1. If none of the rules match the event, what action will take place? Allow or deny?
2. If the answer to the first question is allow, how can it protect the system against a zero-day attack?
Thanks so much,
You are right that if no rules are triggered, CSA does not interfere with the application. But to answer the second half of your original question, CSA protects against zero-day attacks by monitoring behavior, rather than signatures. In other words, it doesn't matter what the attack code looks like, it matters what it does. For example, if you get attacked by a new virus, you may not have a signature for your antivirus software to detect it. But if it tries to install a copy on your computer, or attempts to install a rootkit, or opens a port for listening, or scans for other vulnerable hosts, CSA will detect those actions and block them.
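To make both points in the answer above concrete (the default when nothing matches, and matching on what a process does rather than what it is), here is a small added example in Python. It is a constructed illustration of a first-match, default-allow behavioral rule engine, not CSA code and not CSA's real rule format; the rule names, directories, threshold, process names and events are all made up for the demo.

```python
"""Toy behavior-based rule engine (constructed illustration, not CSA code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    process: str   # executable name; used only to track per-process state
    action: str    # file_write | driver_load | listen | connect
    target: str    # path, port, or remote host depending on the action


@dataclass
class Rule:
    name: str
    verdict: str   # "allow" or "deny"
    matches: Callable[["Engine", Event], bool]


class Engine:
    """First matching rule wins; if no rule matches, the default applies."""
    SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/etc/")   # hypothetical
    MODULE_DIR = "/lib/modules/"                          # hypothetical
    SCAN_THRESHOLD = 5   # distinct hosts one process may contact (hypothetical)

    def __init__(self, rules: List[Rule], default: str = "allow") -> None:
        self.rules = rules
        self.default = default
        # Per-process set of remote hosts contacted, for the scan rule.
        self.contacted: Dict[str, Set[str]] = defaultdict(set)

    def evaluate(self, ev: Event) -> Tuple[str, Optional[str]]:
        if ev.action == "connect":
            self.contacted[ev.process].add(ev.target)
        for rule in self.rules:
            if rule.matches(self, ev):
                return rule.verdict, rule.name
        return self.default, None   # question 1: no match -> default (allow)


# Rules key on the action and its target, never on the attacker's file name,
# so an unknown binary ("zz_novel.bin" below) is still caught by what it does.
RULES = [
    # An explicit allow placed first: a trusted updater may write system dirs.
    Rule("allow-package-manager", "allow",
         lambda eng, ev: ev.process == "pkg-manager" and ev.action == "file_write"),
    # "Install a copy on your computer": writing into a system directory.
    Rule("deny-write-system-dir", "deny",
         lambda eng, ev: ev.action == "file_write"
         and ev.target.startswith(Engine.SYSTEM_DIRS)),
    # "Install a rootkit": loading a kernel driver from outside the module dir.
    Rule("deny-driver-outside-module-dir", "deny",
         lambda eng, ev: ev.action == "driver_load"
         and not ev.target.startswith(Engine.MODULE_DIR)),
    # "Open a port for listening": only known servers may listen.
    Rule("deny-unexpected-listener", "deny",
         lambda eng, ev: ev.action == "listen"
         and ev.process not in ("sshd", "httpd")),
    # "Scan for other vulnerable hosts": too many distinct hosts contacted.
    Rule("deny-host-scan", "deny",
         lambda eng, ev: ev.action == "connect"
         and len(eng.contacted[ev.process]) > Engine.SCAN_THRESHOLD),
]


def run_demo() -> List[Tuple[str, Optional[str]]]:
    """Feed constructed events through the engine and return the verdicts."""
    eng = Engine(RULES)
    events = [
        Event("wordproc", "file_write", "/home/alice/report.odt"),   # benign
        Event("pkg-manager", "file_write", "/usr/bin/curl"),         # allowed
        Event("zz_novel.bin", "file_write", "/usr/bin/zz_novel.bin"),
        Event("zz_novel.bin", "driver_load", "/tmp/hide.ko"),
        Event("zz_novel.bin", "listen", "4444"),
    ] + [Event("zz_novel.bin", "connect", f"10.0.0.{i}") for i in range(1, 7)]
    return [eng.evaluate(ev) for ev in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first event hits no rule and falls through to the default, which is the "allow" in question 1. Every later event from the made-up "zz_novel.bin" is denied without the engine ever having seen that name, because the rules describe actions (writing to a system directory, loading a driver from an odd path, listening, fanning out to many hosts), which is the signature-independent point in the answer. The scan rule is the one stateful check: the first five connections are allowed and the sixth crosses the threshold.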