Many months ago when Intel AMT 3.0 computers were still in pre-production, a test group at Intel came over and dropped one of these prototypes in my lab. "Have a good time" the guy said. He smiles and walked away. At the time, my lab was only composed of AMT 1.0 and AMT 2.0 computers and so, I was very excited to get one of the first AMT 3.0 computers, before anyone else outside of INtel. 24 hours later, I had built heuristic filter support in Intel AMT Commander  and very quickly, Commander was the leading AMT 3.0 test tool within Intel. Later on, I also built Intel Net Traffic, a small tool to help test heuristic filters.



The heuristic filter feature of AMT 3.0 is an extension of the existing Intel AMT System Defense feature. It's a new and special type of filter that looks only at outgoing packets to see if the computer is attacking other computers. Just to be clear, heuristic filters don't protect the computer from attack; it's built to prevent the computer from attacking others. Using Intel AMT Commander, if you connect to an AMT 3.0 computer, you will see a heuristic folder in the "Network" filter of the computer. You can set the heuristic policy timeouts, what happens when it triggers and if the action is permanent or if after a while, the heuristic filter should be reset.



Testing heuristic filters is straight forward. Run "IntelNetTraffic.exe -advanced" on the AMT 3.0 computer and start a UDP packet sweep on a range of IP addresses. You can sweep at, say, 20 packets per second a given range and if you set the heuristic filter right, it will notice the sweep and block the traffic. One common mistake made when testing heuristic is that if you sweep a set of IP addresses within your own subnet, Microsoft Windows (SP2 or Vista) will block packets from being sent unless the target computer within the subnet responds to ARP requests. Unless you have a subnet with a lot of computers, most IP addresses in that sweep will not answer ARP requests and Microsoft Windows will block the packet, resulting in AMT never seeing that packet and heuristic never triggering. To fix this, just sweep a range of IP addresses located outside your own subnet.



By the way, I designed Intel Net Traffic to also allow testing of rate throttling network filters. This feature is almost never demonstrated, but it's been available since AMT 2.0. You just need to setup two Intel Net Traffic and have one send packets to the other. Then, add and activate an AMT network filter that limits the rate down. You will see the impact on the receiving Net Traffic immediately.



Ylian (Intel AMT Blog)