I have a problem with SecuLution.
How do I get help?
First of all, we recommend checking whether your question is
already answered in the product documentation. A full-text search
of the documentation can easily be done through Google by restricting
the search results to the site seculution.com (Google search
for: "site:seculution.com search term").
In the case of a technical problem, first check whether the problem
still exists with the latest version of SecuLution (Agent and AdminWizard).
For email inquiries to Technical Support, always provide the following:
- An exact description of the problem:
  - What happened?
  - What did you expect to happen instead?
- The time, date, username, hostname, hash and the name of the
program with which you had issues, so that we can find the incident
in the logfiles.
Send the following files by email
- Logfiles (Syslog) of the day and the day before the issue
- latest ruleset backup, additionally a backup of the ruleset
that was created one week ago (if applicable)
- scripts (nightly.bat) that run per task scheduler
- AdminWizard log files (if
Trouble installing the
It is mandatory to install the Agent by right-clicking on
autosetup.exe -> "Run as administrator", even if UAC is off or the
user has administrative rights. A simple double-click leads to an
incorrect installation, indicated by error messages. Before
re-installing the Agent it is mandatory to first remove the faulty
installation by right-clicking on autouninstaller.exe ->
"Run as administrator". Only after the next reboot can the Agent be
installed by right-clicking on the autosetup.exe -> "Run as
After installing the
error "Agent not running" appears
the SecuLution Agent, the installation routine checks whether the
installation succeeded and reports if the SecuLution Agent was not
installed correctly. If the computer completed the installation of the
SecuLution Agent successfully but the SecuLution Agent does not function
properly after a reboot, the logged-in user is repeatedly shown the
message "SecuLution Agent not running! Please report this error.".
In this case we recommend a manual uninstall and reinstall of the
Message "Something was denied on the
server. Server not in learn mode?" when installing the Agent.
Installing the Agent fails with the following message:
failed : something which denied ( server not in learn mode?
During the installation of the Agent, the setup program checks whether
all the software currently running on the computer on which you are
about to install the Agent (all hashes) is listed in the whitelist,
i.e. will be allowed by the Appliance. If any of those hashes are not
allowed, the setup routine terminates intentionally, because it cannot
be assured that the computer will work properly
after rebooting, if the program or device in question will be
The solution is simple: Look at the logs and find out which program
or device was denied during setup.
If you want to turn off this action, you can insert the following
line in the setup.ini of the Agent:
[ SecuSurf ]
DontAbortSetupOnDeny = 1
This can be useful when performing updates while you have explicitly
configured certain programs to be denied. However, we don't recommend
this setting: a program or driver that is denied after the reboot can
leave the computer in a non-working state, which is exactly what the
check is there to prevent.
Should I turn on DLL checking?
SecuLution can also check DLLs and other libraries (such as
drivers). This allows for an extremely precise control over the
executed code. Three configuration options are supported:
1. DLL Check off (DLLs are not checked)
2. Check RunDLL32 DLLs (DLLs started by rundll32.exe are
3. Check DLL (all DLLs are checked)
We recommend the configuration "Check RunDLL32 DLLs", as this is a
good compromise between the additional effort required to maintain
DLL rules and the security gained. Turning on the full DLL check
increases the number of rules by a factor of 8 to 15, while the gain
in security is rather small, because SecuLution already offers a very
high security level with the DLL check set to option one or two.
Turning on full DLL checking raises the security level from perhaps
99.995% to 99.9995% (assuming that 100% security can never be achieved).
Switching on the full DLL check is recommended for high-security
environments and particularly exposed systems.
Switching on the DLL check (both "Check RunDLL32 DLLs" and "Check DLL")
must be accompanied by a learning phase, since the DLLs are not yet
part of the whitelist and would otherwise be blocked!
Using the command line switch
"-wsus" does not do anything.
When you start the AdminWizard with the switch "-WSUS" for the first
time, nothing seems to happen. The aim of the -WSUS function is to
import all new Windows updates into SecuLution's whitelist. It assumes
that the current contents of your WSUS database have already been
deployed to your computers and are therefore already part of the
whitelist, so it is not necessary to import all existing update files
from the WSUS into the whitelist; only future updates need to be
included. For this reason the AdminWizard performs no import when
"-WSUS" is used for the very first time. Instead it stores the current
timestamp in its database. From then on, each time the AdminWizard is
started with the "-WSUS" command line switch, the "WSUSContent"
directory is searched for files that are newer than the timestamp
retrieved from the database. Any new update files found are extracted
and their contents included in the whitelist.
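The timestamp logic described above, as an added Python example that is not part of the original page and not the AdminWizard's own code. It keeps the stamp in a small JSON file (the real AdminWizard keeps it in its database; the key name is an assumption), hashes each file with SHA-256 instead of unpacking it (the page does not state which hash SecuLution keys its whitelist on), and runs three passes over a constructed WSUSContent tree with explicitly set mtimes and clock values: the first pass only records the stamp, the second picks up a file written afterwards, the third finds nothing new.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

STATE_KEY = "wsus_import_timestamp"  # hypothetical name for the stored stamp


def file_hash(path: Path) -> str:
    """SHA-256 of the file contents, used as the whitelist key in this example.
    (The page does not state which hash SecuLution keys its whitelist on.)"""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def import_new_updates(content_dir: Path, state_file: Path, whitelist: set, now: float) -> list:
    """One '-WSUS' run.

    First run (no stored stamp): import nothing, only record `now`.
    Later runs: every regular file under content_dir whose mtime is newer than
    the stored stamp is hashed and added to the whitelist; the stamp is then
    moved forward to `now` (assumption: the real tool advances it the same way).
    Returns the relative paths imported in this run, sorted.
    """
    stamp = None
    if state_file.exists():
        stamp = json.loads(state_file.read_text()).get(STATE_KEY)

    imported = []
    if stamp is not None:
        for path in sorted(p for p in content_dir.rglob("*") if p.is_file()):
            if path.stat().st_mtime > stamp:
                # The real AdminWizard unpacks .cab/.msu containers first and
                # hashes the executables inside; here each file is hashed as-is.
                whitelist.add(file_hash(path))
                imported.append(path.relative_to(content_dir).as_posix())

    state_file.write_text(json.dumps({STATE_KEY: now}))
    return imported


def run_demo() -> dict:
    """Three consecutive runs over a constructed WSUSContent tree (dummy files,
    not real Windows updates), with mtimes and clock values set explicitly."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        content, state = root / "WSUSContent", root / "state.json"
        (content / "ab").mkdir(parents=True)

        # Deployed before SecuLution was introduced; assumed already whitelisted.
        old = content / "ab" / "old-update.cab"
        old.write_bytes(b"constructed: update deployed long ago")
        os.utime(old, (1_000, 1_000))
        whitelist = set()

        first = import_new_updates(content, state, whitelist, now=2_000.0)

        new = content / "ab" / "new-update.cab"  # arrives after the first run
        new.write_bytes(b"constructed: update approved later")
        os.utime(new, (3_000, 3_000))

        second = import_new_updates(content, state, whitelist, now=4_000.0)
        third = import_new_updates(content, state, whitelist, now=5_000.0)

        return {
            "first": first,
            "second": second,
            "third": third,
            "whitelist_size": len(whitelist),
            "new_hash_whitelisted": file_hash(new) in whitelist,
            "old_hash_whitelisted": file_hash(old) in whitelist,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

One consequence of the "newer than the stamp" rule is worth checking in practice: an update file whose modification time lies before the stored stamp (for example files copied into WSUSContent with their original timestamps preserved, or a stamp recorded while the clock was wrong) is never picked up by this scan, and has to be added another way, such as in learn mode.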
Importing new software:
Which packers are supported?
The AdminWizard can unpack various file formats (e.g. .zip, .rar,
.msi, .cab and many more, including self-extracting .exe installers).
However, some file formats are protected against unpacking, so this
function will probably not be able to add 100% of a software package's
files on its own. Adding the remaining files in learn mode works
perfectly.
A program is denied but that
incident is not shown in the logs.
This happens if the LogLevel is set to "4" (instead of "3", see
the denied program is known to the whitelist but only allowed for
other users, groups or computers. If a user for whom that particular
program is not allowed tries to start it, the program will be
denied and the event logged with LogLevel "3". If the server's log setting is set to
only log LL4 and higher, that event will not be listed in the
- Set LogLevel
- Reproduce issue
- Reload Logs
- Right click on alarm of denied program in logs
- Click on "show program in treeview"
- Change "Valid for" to a value that
includes the user or computer
- Press OK
- Activate changes (Menu File/Activate)
Popup "Enter UNC path" appears when
starting the AdminWizard.
The AdminWizard needs to know the folder/path from which you
deploy the Agents (e.g. to determine the version number of the
Agent you are using). This UNC path is a share on one of your
servers where you placed the installation files for deployment of
the Agent. This message appears when not all files required to
install and uninstall the Agent are present in the UNC path. The
following file structure must be present:
In folder "Install":
In folder "Uninstall":
You'll find the latest versions of the RCM files in the subfolder
"RCM" of your AdminWizard installation ("C:\Program Files
(x86)\SecuLution\SecuSurf-Admin-Wizard\RCM") should you need them.
When the AdminWizard detects updates of the Agent installer or
uninstaller, you should unpack the downloaded .zip files and
overwrite the existing files "autosetup.exe" or
"autouninstaller.exe" in the folders mentioned above.
I have received a patch by
mail. How do I activate it?
- Create a backup of the current rule set (for emergencies)
- Copy the entire contents (including the "---- BEGIN" and "END PGP
MESSAGE ---" lines) to the clipboard (Ctrl-A, Ctrl-C).
- Start the Admin Wizard and sign in.
- Select the menu "Extra / Patch".
- Paste the contents of the clipboard into the text box (Ctrl-v)
and then confirm with "OK".
- The Admin Wizard will inform you that the patch has been
successfully activated and whether a restart is necessary (e.g.
when updating the server code, but not for configuration changes
such as additional licenses). If you have multiple servers, the
patch is replicated automatically among all servers; it is
therefore not necessary to apply the patch on each server.
- If a restart of the server is necessary, select the menu
"Extra / Server / restart server" to restart the server whenever
you want, immediately or later.
- The server should be back online within about 4 minutes
after the restart.
I have a problem with the
AdminWizard. How do I create debug logs?
Just like any other software, SecuLution may not be free of
bugs. For debugging we need logs. To create them, follow these steps:
- Open cmd.exe
- In cmd.exe, type
cd "\Program Files
- In cmd.exe, type
- Start the AdminWizard. You'll see a popup. Copy the content
into the clipboard by pressing CTRL-C.
- Start an editor (notepad.exe) and paste the content of your
clipboard into a new textfile.
- Reproduce the issue in the AdminWizard.
- Immediately after you have reproduced the issue, copy the
logfile to a new location. You'll find its path in notepad.
- Close the AdminWizard.
- Turn debugging off by typing in cmd.exe:
- Zip the logfile and send it to info [at] seculution.com with a
brief description of your problem and screenshots.
I have a problem with the
SecuLution Agent. How do I create debug logs?
To debug a problem with the SecuLution Agent we need log files
that have been created with a debug version of the Agent while the
problem has been reproduced. To create these log files:
- Uninstall the current Agent
- Turn on Minidumps
- Install the latest debug version of the SecuLution Agent
(contact support to get it)
- Reproduce the problem
- Reboot into safe mode
- Zip the directory C:\SSLOGS
- Uninstall the Agent using the normal Agent uninstaller
- Send SSLOGS.zip to your support contact
Where in the Registry can I
find the AdminWizard's settings?
On 32 Bit Windows systems settings can be found under
On 64 Bit Windows systems settings can be found under
The SID of the above example may vary.
User settings can be found under
What are the system
- native support for any VMware virtualization product (e.g.
ESX(i), Workstation, Player)
- other virtualisation products have been reported to work
- all versions of Microsoft Windows
- for legacy versions of Windows (Windows NT4, Windows 2000 and
Windows XP < SP3) a compatible version with limited features is
available on request
- all versions of Microsoft Windows
SecuLution RCM Module:
- all versions of Microsoft Windows >= Windows XP SP3
algorithms are now considered "broken". What impact does this have
on the security of SecuLution?
The weaknesses found in the hash algorithms MD5 and SHA1 have no
effect on the security of SecuLution, since it is still not possible
to generate malicious software that has a predetermined hash. It
is not possible to create a file that has the same hash as software
already contained in SecuLution's whitelist.
In the media, SHA1 and MD5 are described as "broken" because
it is possible to generate collisions. A "collision" with respect
to hashes means that you can create two different input files
(file1 and file2) which, after passing through the hash algorithm,
result in the same hash. However, the attacker cannot choose what
that resulting hash will be.
To attack the security offered by SecuLution, an attacker would
have to create a file whose hash is already contained in SecuLution's
whitelist (a "pre-image" attack). A collision attack is about creating
two different files which have the same, not predetermined, hash;
a pre-image attack is about creating a file that has a specific,
predefined hash. These are two completely different cryptographic
tasks. No practical pre-image attacks are known against SHA1 or MD5
either.
No restriction of SecuLution's security due to collisions:
If a hash algorithm is no longer collision-resistant, it is
possible to create two different files with the same, not
predetermined, hash: an attacker can create a benign and a malicious
program that have the same hash.
Since a hash maps an arbitrary amount of data onto a small,
fixed-length value, every hash function has collisions. As soon as
generating a collision becomes practical, the collision resistance
of the algorithm is considered broken. The prerequisite for creating
collisions with MD5 and SHA1 is that both input files are created
together, i.e. by one author and from one source: the originator of
file1 must also be the originator of file2.
If an attacker can make a user trust file1, he does not need a
collision at all, because he has already achieved his goal: the user
trusts his software file1. The attacker can therefore put his
malicious code directly into file1 and does not need to create a
second file with the same hash as file1. The fact that the attacker
could also create a file2 that does something other than file1 plays
no role in SecuLution's security.
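To make the difference between the two tasks concrete, here is an added Python example (not part of the original page and not SecuLution code). It truncates SHA-256 to 32 bits as a stand-in for a hash whose collision resistance is within reach of brute force; with this toy hash a birthday search finds two attacker-made files with the same hash after tens of thousands of attempts, while a search for a file matching one specific whitelisted hash, given exactly the same effort, comes up empty. The whitelist entry, the file names and the bit width are constructed for the illustration.

```python
import hashlib

BITS = 32  # toy hash width: collision cost ~2**16 attempts, pre-image cost ~2**32


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """SHA-256 truncated to `bits` bits. A stand-in for a hash function weak
    enough to attack by brute force in seconds (constructed for this example)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int = BITS, budget: int = 1 << 19):
    """Collision (birthday) search: generate the attacker's *own* files until
    two of them share a hash. The attacker does not control which hash value
    the pair ends up with. Returns (file1, file2, attempts) or None."""
    seen = {}
    for i in range(budget):
        candidate = b"attacker-file-%d" % i
        h = toy_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate
    return None


def find_preimage(target: int, bits: int = BITS, budget: int = 1 << 19):
    """Pre-image search: produce a file whose hash equals one *specific*
    value that is already on the whitelist. For a sound hash there is no
    shortcut; the expected cost is 2**bits, the square of the collision cost.
    Returns (file, attempts) or None when the budget runs out."""
    for i in range(budget):
        candidate = b"malware-variant-%d" % i
        if toy_hash(candidate, bits) == target:
            return candidate, i + 1
    return None


def compare_attacks(bits: int = BITS) -> dict:
    """Run both searches against a constructed one-entry whitelist and give the
    pre-image search exactly the effort the collision search needed."""
    whitelist = {toy_hash(b"trusted-setup.exe", bits)}  # constructed entry
    target = next(iter(whitelist))

    collision = find_collision(bits)
    if collision is None:
        raise RuntimeError("collision budget exhausted (astronomically unlikely)")
    file1, file2, attempts = collision

    preimage = find_preimage(target, bits, budget=attempts)
    return {
        "collision_attempts": attempts,
        "collision_files_distinct": file1 != file2,
        "collision_hashes_equal": toy_hash(file1, bits) == toy_hash(file2, bits),
        "collision_matches_whitelist": toy_hash(file1, bits) in whitelist,
        "preimage_found_with_same_effort": preimage is not None,
    }


if __name__ == "__main__":
    for key, value in compare_attacks().items():
        print(f"{key}: {value}")
```

The colliding pair is always two files the attacker wrote himself, and their shared hash is not the whitelisted one; that is the situation the text above describes. Note that the argument holds as long as admitting a file to the whitelist is a decision about its author and source: if file1 were admitted after an inspection of its contents alone, a file2 prepared alongside it by the same author would inherit that trust, which is why the shared-authorship prerequisite matters.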