Audit


Sort rules by classification

If you followed the "best practice" chapter, you have been adding hashes to your whitelist in two steps:

1. Import trustworthy software from sample computers and other sources using certain classification strings (e.g. "sample computers;Windows8;x64;SP1").

2. Add any software that is running on computers in your network that differ from what you imported in step 1 in learn mode, using a different classification string (e.g. "added in learn mode").

At this point you only know that the hashes imported in step one are trustworthy. However, it's quite likely that users, even without administrative rights, have been running software that you don't want or that might even be malware. Therefore you should manually audit the hashes that were learned in step two. To minimize the work, audit only those hashes that were added in learn mode. Select View > Rules > by Classification from the menu (or press keys CTRL-4, or select the fourth radio button above the rules treeview):


Let's assume you have imported trustworthy software (step one) using classification strings like "sample computers;Windows8;x64;SP1" and added additional software in learn mode using the classification string "added in learn mode". Then your whitelist will look like this:


Now double-click "sample computers":
Here you find all the hashes you imported in step one from your sample computers and other sources that you found to be trustworthy. There's no need to look through them; they can be ignored completely, no matter how many there are.

Let's open the classification "added in learn mode":
This is the software and hardware that we need to audit. Continue with device classification.


Classify devices

First, let's classify all devices. Select View > Rules > by Path from the menu (or press keys CTRL-2, or select the second radio button above the rules treeview):


You'll find the group "device":


Select all devices by double-clicking "devices", selecting the first entry, holding down the SHIFT key and clicking on the last entry:


Then right-click, select "change classification", and enter "Devices".


Repeat these steps for the subfolders as well.

Select View > Rules > by Classification from the menu (or press keys CTRL-4, or select the fourth radio button above the rules treeview):


You can classify devices the same way you can classify software, using semicolon as the separator:
You can at any time delete hashes that represent devices from the whitelist. Devices that have been deleted from your whitelist will not be usable after the user disconnects and reconnects the device, reboots their computer, or selects "recheck devices" from the Agent's icon.



Audit software using feature "Managed whitelist"

SecuLution provides an online database service (Managed Whitelist) with information about the trustworthiness (Trustlevel) of software, identified by its hash. By clicking "Check program online", the hash is transmitted to the SecuLution Managed Whitelist, which determines the trustworthiness of that hash.


This allows customers to check the trustworthiness of all hashes with a simple mouse click. Select View > Rules > by Trust Level from the menu (or press keys CTRL-8, or select the eighth radio button above the rules treeview):


Right click "unknown" and select "Check trust level online":


The hashes are sent to the Managed Whitelist service and the trust level of every hash is determined.


Check and remove untrusted hashes

After the trust level of all hashes has been determined, hashes that received a trust level of 0 to 3 should be examined manually, and their removal should be considered. How does SecuLution calculate a trust level in the Managed Whitelist service?

Unlimited database access

5 requests to the Managed Whitelist service per day are available to all customers free of charge. An unlimited number of requests is available with a subscription service.



Audit software without feature "managed whitelist"

Next we need to look through the hashes that represent software that was added in learn mode. Until today, the main component of your endpoint security solution was probably an antivirus product, which reported that during the last scan no malware was found in your network. But is that really true?

Let's go through the list, one by one, and find out if you really want to approve all the software that's being used in your network. To find out whether a particular hash is really trustworthy, there are several indicators we can use:



Path:
In this example, the program "1033dotnetfx.exe" was started from "g:\alle-lesen\cad\install-agievision\", which in this case is a mapped network drive of a UNC path on a server where only administrators have write access. There is strong evidence that this is a good program, since it must have been written to this path by an administrator. You know your paths. You will recognize where software is coming from.
Filename:
The filename "1033dotnetfx.exe" is a hint but since unwanted software can have any name, this is not proof that "1033dotnetfx.exe" is really what it claims to be.

Hash:
The hash "52456ac39bbb4640930d155c15160556" is a reliable key to find out if this is good or bad software. Right-click on the hash.
  • "Google search". In this case Google will immediately show about 1,000 pages that contain this hash, most of them telling you that this is DotNet 1.1. This is still not 100% proof, but it's now very unlikely that the program is actually something other than what it claims to be.
  • "Open file properties". You can show the file's properties and look for digital signatures. However, this works by accessing the admin share of the host the program was started from and reading the file live. If that computer is unavailable (off) or the admin share is closed, file properties will be unavailable.
  • "Check program online". This queries the Managed Whitelist service that SecuLution offers to its customers.

In this particular case, this is really Microsoft's installer for DotNet Framework 1.1, which we will regard as trustworthy. So we should reclassify this program by changing the classification string from "added in learn mode" to for example "Software;MS;DotNet;Installer;1.1".


You should now continue to audit and reclassify or delete all software that was "added in learn mode".

A few hints:
I don't know this software! Is this malware?
Don't panic. Potentially malicious or unwanted software may have already been running for ages now without anyone noticing. Yes, you should take care of that as soon as possible, but no need to panic now! You can assign a special classification to everything that you're not sure about, so that you will be able to take a closer look at that as soon as you have the time. As soon as you turn off the learn mode, SecuLution makes sure that your network security cannot be further compromised, even if you couldn't audit all software immediately.

I found something that I definitely don't want!
Remove obvious unwanted software immediately by clicking on "delete entry". Users will get used to not being able to run their favorite games anymore, so there's probably no need to call them and complain about their misuse!


I found a dozen versions of the same software!
You will probably find software that exists in various versions. This happens when there hasn't been much effort put into updating installed software. The various hashes usually each represent an individual version of a product. There's even one more version of that software, namely the one that was installed on the sample computer from which you imported trustworthy software, which doesn't show up here because it's already classified as trustworthy! Assuming that your sample computer had the latest version of all tools installed, this means that all the other hashes in this list are mostly outdated and probably have known security issues!


Take a step back and think again about what you found here: in your network there were various software products with security issues that you were not aware of. Now that has changed! Don't reclassify them here; instead, make sure you update all outdated and insecure versions, and then delete the entries here so that they cannot be used anymore. This way SecuLution offers an easy way of keeping track of all the versions of all software that is running in your network. It may be a bit of work to get to that point, but you should not blame SecuLution for that; this important work must be done to keep your software versions up to date.
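As an added example (not SecuLution's own code or export format), the Python script below performs the same triage offline over a constructed whitelist export: it builds the classification tree from the semicolon-separated classification strings, lists filenames that exist under several hashes across all classifications (so the trusted sample-computer version appears next to the outdated learned ones), and flags entries whose online trust level is 0 to 3. The pipe-delimited column layout, the placeholder hashes and the Adobe Reader paths are assumptions; only the DotNet hash and path come from this page.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample export with a hypothetical column layout. The DotNet hash and
# path are the ones shown on the page; the other hashes are obvious placeholders.
SAMPLE_EXPORT = (
    "hash|path|classification|trustlevel\n"
    "52456ac39bbb4640930d155c15160556|g:\\alle-lesen\\cad\\install-agievision\\1033dotnetfx.exe|added in learn mode|\n"
    "00000000000000000000000000000001|c:\\program files\\adobe\\reader\\acrord32.exe|sample computers;Windows8;x64;SP1|9\n"
    "00000000000000000000000000000002|c:\\program files\\adobe\\reader\\acrord32.exe|added in learn mode|2\n"
    "00000000000000000000000000000003|c:\\users\\bob\\downloads\\acrord32.exe|added in learn mode|0\n"
    "00000000000000000000000000000004|c:\\users\\alice\\appdata\\local\\temp\\game.exe|added in learn mode|1\n"
)

def parse_export(text):
    """Parse the export into dicts; trustlevel is None when not yet checked online."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="|"):
        tl = row["trustlevel"].strip()
        row["trustlevel"] = int(tl) if tl else None
        row["classification"] = [p.strip() for p in row["classification"].split(";")]
        rows.append(row)
    return rows

def classification_tree(entries):
    """Nested dict mirroring View > Rules > by Classification; "_hashes" holds the leaves."""
    tree = {}
    for e in entries:
        node = tree
        for part in e["classification"]:
            node = node.setdefault(part, {})
        node.setdefault("_hashes", []).append(e["hash"])
    return tree

def multiple_versions(entries):
    """Filenames present under more than one hash, across ALL classifications, so the
    trusted sample-computer version is listed next to the learned (older) ones."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[ntpath.basename(e["path"]).lower()].append(e)
    return {name: group for name, group in by_name.items() if len(group) > 1}

def low_trust(entries, max_level=3):
    """Hashes whose online trust level is 0..3: examine manually and consider deleting."""
    return [e for e in entries if e["trustlevel"] is not None and e["trustlevel"] <= max_level]
```

The entries to audit are `classification_tree(rows)["added in learn mode"]["_hashes"]`, exactly the node you would double-click in the treeview.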

But how do I know on which computers the software is being used?
You can change the loglevel that's triggered every time a program is started. If you want to know where this old version of Adobe Reader is being used, just edit the "Allow" rule of that program and set the loglevel to, for example, "5":


Loglevel 5 is greater than the threshold you configured for logging, so from now on you'll find entries in the logs telling you which computer started this program. Update those computers, then delete the program from your whitelist.