Home    SecuLution Dokumentation back next
SecuLution technique and terminology
Quick start
Test setup in 30 minutes
Best practice in everyday use
Full setup and deployment in 5 hours
Installation of components
Install Appliance
AdminWizard installation
Agent installation
Syslog server installation
Initial configuration tasks
Configure basic settings
Agent configuration
Configure automated tasks
Manage whitelist
Initial whitelist generation
Import trustworthy software
Learn mode
Check deployment and learning progress
Add entries to whitelist
Individual lernmode
Import from directory
Log alarms
Cleanup whitelist
Manually delete unused entries
Delete entries using a pattern
Clean up classifications
Managed Whitelist
Managed Whitelist
Referring rules to objects
Offline mode
Offline mode
USB device management
USB device encryption
Agent deployment (RemoteClientManagement)

Check deployment

Check after 4 days

  • Check if deployment was successful on at least some of your machines. If you are using RCM to deploy your Agent's, click on the "RCM" tab and check if some of the hosts have already been moved to the column "These hosts are currently secured by SecuLution".
  • Check if software and devices have been added to the whitelist in learn mode. To do so, click on logs and set the filter in the second column to loglevel (LL) "4" and to "allow" in the rightmost "action" column. This will filter the logs to only show entries added in learn mode.
  • Check the number of learned programs.
Adding additional trustworthy software by importing from sample computers means fewer programs should have been added in learn mode. However, if you find a large number of entries (an exact number is hard to tell, but say you find more than 100 entries that have been added in learn mode), you may not have imported enough software from sample computers. For example, if you have only imported a Windows 8 sample computer, but you also deployed the Agent to a Windows 8.1 computer. This will result in a few hundred hashes that have been added in learn mode just because a large number of hashes for software on Windows 8.1 are different from the hashes of the same software on Windows 8. Consequently all these programs have been learned in learn mode. This is not invalid nor does it cause a real problem, but since you want to later audit all learned software, you want to keep the number of learned entries manageable. So you may want to either also import Windows 8.1, or to update all Windows 8.0 computers to Windows 8.1 and then rebuild your whitelist from scratch.

Check after 14 days

Make sure that the Agent was deployed to all computers. Also check the number of programs addded to the whitelist as described above.

Check after 21 days and later

About 21 days after Agent deployment has started, it's usually a good idea to look at the number of new programs that are added in learn mode every day. Click on the "Logs" tab and apply filters (LL:4, Action: "Allow") to see how many files have been added during the last 48 hours. Once the number of learned programs per day is small enough for you to handle those cases manually (users calling you because they cannot use a certain program), it's time to turn the learn mode off and bring SecuLution into production mode.