If you followed the "best practice" chapter, you have been
adding hashes to your whitelist in two steps:
1. Import trustworthy software from sample computers and other
sources using certain classification strings (e.g. "sample
2. Add any software that is running on computers in your network
that differ from what you imported in step 1 in learn mode, using a
different classification string (e.g. "added in learn mode").
At this point you only know that all hashes imported in step one are trustworthy. However, it's quite likely that users, even without administrative rights, have been running software that you don't want or that might even be malware. Therefore we should manually audit the hashes learned in step two. To minimize the work, we audit only those hashes which were added in learn mode. Select View > Rules > by Classification from the menu (or press keys CTRL-4, or select the fourth radio button above the rules
Let's assume you have imported trustworthy software (step one)
using classification strings like "sample
computers;Windows8;x64;SP1" and added additional software in learn
mode using the classification string "added in learn mode". Then
your whitelist will look like this:
Now double-click "sample computers":
As you can see, you will find all the hashes you imported from your
sample computers and other sources that you found to be trustworthy
in step one. There's no need to look through these hashes. We can
completely ignore these hashes, no matter how many there are.
Let's open the classification "added in learn mode":
This is the software and hardware that we need to audit. Continue
with device classification.
First, let's classify all devices. Select View > Rules
> by Path from the menu (or press keys CTRL-2, or
select the second radio button above the rules treeview):
You'll find the group "device":
Select all devices by double-clicking "devices", selecting the first entry, holding down the SHIFT key and clicking on the last
Then right-click, select "change classification", and enter
Do these steps with the sub folders as well.
Select View > Rules > by Classification from
the menu (or press keys CTRL-4, or select the fourth radio button
above the rules treeview):
You can classify devices the same way you classify software, using a semicolon as the separator:
You can delete hashes that represent devices from the whitelist at any time. Devices that have been deleted from your whitelist will no longer be usable after the user disconnects and reconnects the device, reboots their computer, or selects "recheck devices" from the
Audit software using feature "Managed whitelist"
SecuLution provides an online database service (Managed Whitelist) with information about the trustworthiness (trust level) of software, identified by its hash. By clicking on "Check program online" the hash is transmitted to the SecuLution Managed Whitelist and the trustworthiness of the hash is
This allows customers to check the trustworthiness of all hashes
with a simple mouse click:
Select menu "View / Rules / by Trust Level" (or press keys CTRL-8, or select the eighth radio button above the rules treeview):
Right-click "unknown" and select "Check trust level online":
The hashes are sent to the Managed Whitelist service and the trust level of every hash is determined.
Check and remove untrusted hashes
After the trust level of all hashes has been determined, hashes that have been classified with trust level 0 to 3 should be manually examined and removal should be considered.
How does SecuLution calculate a trust level in the Managed Whitelist service?
Unlimited database access
Five requests to the Managed Whitelist service per day are available to all customers free of charge. An unlimited number of requests is available with a subscription service.
Audit software without feature "managed whitelist"
Next we need to look through the hashes that represent software
that was added in learn mode. Until today, the main component of
your endpoint security solution was probably an antivirus product,
which reported that during the last scan no malware was found in
your network. But is that really true?
Let's go through the list, one by one, and find out if you really
want to approve all the software that's being used in your network.
To find out if a particular hash is really trustworthy, we've got
some indications that we can use:
In this example, the program
"1033dotnetfx.exe" was started from
"g:\alle-lesen\cad\install-agievision\", which in this case is a
mapped network drive of a UNC path on a server where only
administrators have write access. There is strong evidence that
this is a good program, since it must have been written to this
path by an administrator. You know your paths. You will recognize
where software is coming from.
The filename "1033dotnetfx.exe" is
a hint but since unwanted software can have any name, this is not
proof that "1033dotnetfx.exe" is really what it claims to be.
"52456ac39bbb4640930d155c15160556" is a reliable key to find out if
this is good or bad software. Right-click on the hash.
- "Google search". In this case Google will immediately show about 1,000 pages that contain this hash, most of them telling you that this is DotNet 1.1. This is still not 100% proof, but it's now very unlikely that the program is actually something different from what it claims to be.
- "Open file properties". You can show the file's properties and look for digital signatures. However, this works by accessing the admin share of the host where the program was started and reads the file live. In case the computer is unavailable (off) or the admin share is closed, file properties will be
- "Check program online". This is the Managed Whitelist service SecuLution offers to its customers.
In this particular case, this is really Microsoft's installer
for DotNet Framework 1.1, which we will regard as trustworthy. So
we should reclassify this program by changing the classification
string from "added in learn mode" to for example
You should now continue to audit and reclassify or delete all
software that was "added in learn mode".
A few hints:
I don't know this software! Is
Don't panic. Potentially malicious or unwanted software may have
already been running for ages now without anyone noticing. Yes, you
should take care of that as soon as possible, but no need to panic
now! You can assign a special classification to everything that
you're not sure about, so that you will be able to take a closer
look at that as soon as you have the time. As soon as you turn off
the learn mode, SecuLution makes sure that your network security
cannot be further compromised, even if you couldn't audit all
I found something that I definitely don't want!
Remove obvious unwanted software immediately by clicking on "delete
entry". Users will get used to not being able to run their favorite
games anymore, so there's probably no need to call them and
complain about their misuse!
I found a dozen versions of the
You will probably find software that exists in various versions.
This happens when there hasn't been much effort put into updating
installed software. The various hashes usually each represent an
individual version of a product. There's even one more version of
that software, namely the one that was installed on the sample
computer from which you imported trustworthy software, which
doesn't show up here because it's already classified as
trustworthy! Assuming that your sample computer had the latest
version of all tools installed, this means that all the other
hashes in this list are mostly outdated and probably have known
Take a step back and think again about what you found here: in your network there were various software products with security issues which you were not aware of! Now that has changed! Don't reclassify them here; instead make sure you update all outdated and insecure versions and then delete the entries here so that they cannot be used anymore! This way SecuLution offers an easy way of keeping track of all the versions of all software that is running in your network. It may be a bit of work to get to that point, but you should not blame SecuLution for that: this important work must be done to keep your software versions updated.
But how do I know on which computers the software is being used?
You can change the loglevel of the log entry that is written every time a program is started. If you want to know where this old version of Adobe Reader is being used, just edit the "Allow" rule of that program and set its loglevel to, for example, "5":
Loglevel 5 is greater than the threshold you configured for logging, so from now on you'll find entries in the logs which tell you which computer started this program. Update those computers, then delete this program from your whitelist.