SecuLution Documentation

FAQ


I have a problem with SecuLution. How do I get help?

First of all, we recommend checking whether your questions are already answered in the product documentation. A full-text search through the documentation can easily be done through Google by limiting the search results to the site seculution.com (Google search for: "site:seculution.com search term").

In the case of a technical problem, first check whether the problem still exists with the latest version of SecuLution (Agent and AdminWizard).

For email inquiries to Technical Support, always provide the following information:

Exact description of the problem
  • What happened?
  • What did you expect to happen instead?
  • Please also provide time, date, username, hostname, hash and the name of the program with which you had issues so that we can find the incident in the logfiles.
  • Screenshots

Send the following files by email

  • Logfiles (Syslog) of the day and the day before the issue happened
  • latest ruleset backup, additionally a backup of the ruleset that was created one week ago (if applicable)
  • scripts (nightly.bat) that run per task scheduler
  • AdminWizard log files (if applicable)



Trouble installing the agent

It is mandatory to install the Agent by right-clicking autosetup.exe and choosing "Run as administrator", even if UAC is disabled or the user already has administrative rights. A simple double-click leads to an incorrect installation, which shows up as error messages. Before reinstalling the Agent, the faulty installation must first be removed by right-clicking autouninstaller.exe and choosing "Run as administrator". Only after the next reboot can the Agent be installed again, by right-clicking autosetup.exe and choosing "Run as administrator".


After installing the error "Agent not running" appears

When installing the SecuLution Agent, the installation routine checks for success and reports if the SecuLution Agent was not installed correctly. If the installation completed successfully but the Agent does not function properly after a reboot, the logged-in user is constantly shown the message "SecuLution Agent not running! Please report this error." In this case we recommend a manual uninstall and reinstall of the SecuLution Agent.


Message "Something was denied on the server. Server not in learn mode?" when installing the Agent.

Installing the Agent fails with the following message:

    Install failed : something which denied ( server not in learn mode? )

During installation, the Agent's setup program checks whether every program currently running on the computer (every hash) is listed in the whitelist, i.e. would be allowed by the Appliance. If any of those hashes is not allowed, setup terminates on purpose: if that program or driver were blocked after the reboot, the computer could not be relied on to work properly.

The solution is simple: look at the logs, find out which program or device was denied during setup, add it to the whitelist (or put the Appliance into learn mode), and run the setup again.

If you want to disable this check, add the following lines to the Agent's setup.ini:

    [ SecuSurf ]
    DontAbortSetupOnDeny = 1

This can be useful when performing updates while certain programs are deliberately configured to be denied. However, we do not recommend this setting: it lets the Agent go live on a computer whose running software would be blocked after the reboot.


Should I turn on DLL checking?

SecuLution can also check DLLs and other libraries (such as drivers). This allows for an extremely precise control over the executed code. Three configuration options are supported:

1. DLL Check off (DLLs are not checked)
2. Check RunDLL32 DLLs (DLLs started by rundll32.exe are checked)
3. Check DLL (all DLLs are checked)

We recommend the configuration "Check RunDLL32 DLLs" as a good compromise between the additional effort of maintaining DLL rules and the security gained. Turning on the full DLL check increases the number of rules by a factor of 8 to 15, while the gain in security is comparatively small, because SecuLution already offers a very high security level with the DLL check set to option one or two. Turning on the full DLL check raises the security level from perhaps 99.995% to 99.9995% (bearing in mind that 100% security can never be achieved).

Switching on the full DLL check is recommended for high-security environments and particularly exposed systems.

Switching on the DLL check (both "Check RunDLL32 DLLs" and "Check DLL") must be accompanied by a learn mode phase, since the DLLs are not yet part of the whitelist and would otherwise be blocked.

Using the command line switch "-wsus" does not do anything.

When you start the AdminWizard with the switch "-WSUS" for the first time, nothing visible happens. The purpose of -WSUS is to import all new Windows updates into SecuLution's whitelist. It assumes that the updates already present in your WSUS database have already been deployed to your computers and are therefore already part of the whitelist, so there is no need to import every existing update file from the WSUS; only future updates need to be added.

For this reason, the AdminWizard performs no import on the very first "-WSUS" run. Instead it stores the current timestamp in its database. On every later start with "-WSUS", the "WSUSContent" directory is searched for files newer than the stored timestamp; any new update files found are extracted and added to the whitelist.
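The following script is an added example and is not SecuLution code: it re-implements the "newer than the stored timestamp" logic described above, so you can preview which WSUSContent files the next -WSUS run would pick up and see why the very first run imports nothing. It assumes the timestamp is kept in a small JSON file (the AdminWizard keeps it in its own database) and identifies each new file by its SHA-256; the share name in the usage block is an assumption.

```python
# Added example (not SecuLution code): preview of the -WSUS import logic.
# Assumptions: timestamp state lives in a JSON file; new files are reported
# with their SHA-256.
import hashlib
import json
import time
from pathlib import Path


def load_timestamp(state_file: Path):
    """Return the stored timestamp, or None on the very first run."""
    if not state_file.exists():
        return None
    return json.loads(state_file.read_text())["last_import"]


def save_timestamp(state_file: Path, ts: float) -> None:
    state_file.write_text(json.dumps({"last_import": ts}))


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def wsus_import(content_dir: Path, state_file: Path, now=None):
    """Mimic one AdminWizard -WSUS run.

    First run: record the current time and import nothing (the existing
    WSUSContent is assumed to be whitelisted already).
    Later runs: return (path, sha256) for every file whose modification
    time is newer than the stored timestamp, then advance the timestamp.
    """
    # Take the new timestamp *before* scanning, so a file written while the
    # scan is running is picked up by the next run instead of being skipped.
    now = time.time() if now is None else now
    since = load_timestamp(state_file)
    if since is None:
        save_timestamp(state_file, now)
        return []
    new_files = []
    for path in sorted(Path(content_dir).rglob("*")):
        if path.is_file() and path.stat().st_mtime > since:
            new_files.append((path, sha256_of(path)))
    save_timestamp(state_file, now)
    return new_files


if __name__ == "__main__":
    # Usage: python wsus_preview.py (adjust both paths; the share is assumed)
    root = Path(r"\\wsus01\WSUS\WsusContent")
    state = Path("wsus_import_state.json")
    for path, digest in wsus_import(root, state):
        print(f"{digest}  {path}")
```

One caveat the logic makes visible: only the modification time decides what counts as "new". A file copied into WSUSContent with its original (older) timestamp preserved is never picked up, and a run that is interrupted after the timestamp was saved but before the files were added must be repeated with the previous timestamp restored.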


Importing new software: Which packers are supported?

The AdminWizard can unpack many file formats (e.g. .zip, .rar, .msi, .cab and many more, including self-extracting .exe installers). Some file formats are protected against unpacking, however, so this function will probably not add 100% of a software package.
Adding the remaining files in learn mode works reliably.


A program is denied but that incident is not shown in the logs.

This happens if the LogLevel is set to "4" (instead of the recommended "3") and the denied program is known to the whitelist but only allowed for other users, groups or computers. If a user for whom that program is not allowed tries to start it, the program is denied and the event is logged at LogLevel "3". If the server's log setting only records LL4 and higher, the event therefore does not appear in the logs.

Simple solution:

  • Set LogLevel to "3"
  • Reproduce issue
  • Reload Logs
  • Right click on alarm of denied program in logs
  • Click on "show program in treeview"
  • Change "Valid for" to a value that includes the user or computer
  • Press OK
  • Activate changes (Menu File/Activate)


Popup "Enter UNC path" appears when starting the AdminWizard.

The AdminWizard needs to know the folder/path from which you deploy the Agents (e.g. to determine the version number of the Agent you are using). This UNC path is a share on one of your servers, where you placed the installation files for deployment of the Agent. This message appears when not all files which are required to install and uninstall the agent are present in the UNC path. The following file structure must be present:


In folder "Install":

In folder "Uninstall":

You'll find the latest versions of RCM files in the subfolder "RCM" of your AdminWizard installation ("C:\Program Files (x86)\SecuLution\SecuSurf-Admin-Wizard\RCM") should you need them for updating.

When the AdminWizard detects updates of the Agent installer or uninstaller, you should unpack the downloaded .zip files and overwrite the existing files "autosetup.exe" or "autouninstaller.exe" in the folders mentioned above.


I have received a patch by mail. How do I activate it?

  • Create a backup of the current rule set (for emergencies).
  • Copy the entire contents, including the "-----BEGIN PGP MESSAGE-----" and "-----END PGP MESSAGE-----" lines, to the clipboard (Ctrl-A, Ctrl-C).
  • Start the AdminWizard and sign in.
  • Select the menu "Extra / Patch".
  • Paste the clipboard contents into the text box (Ctrl-V) and confirm with "OK".
  • The AdminWizard reports whether the patch was activated successfully and whether a restart is necessary (e.g. when the server code is updated, but not for configuration changes such as additional licenses). If you have multiple servers, the patch is replicated automatically among all of them; it is not necessary to apply it on each server.
  • If a restart of the server is necessary, select "Extra / Server / restart server" to restart it whenever you want, immediately or later.
  • The server should be back online within about 4 minutes after the restart.

I have a problem with the AdminWizard. How do I create debug logs?

Just like any other software, SecuLution may not be free of bugs. For debugging we need logs. To create them, follow these steps:

  • Open cmd.exe
  • In cmd.exe, type
    cd "\Program Files (x86)\SecuLution\SecuSurf-Admin-Wizard"
  • In cmd.exe, type
    SecuSurfAdminWizard.exe -turndebugmodeon

  • Start the AdminWizard. You'll see a popup. Copy the content into the clipboard by pressing CTRL-C.


  • Start an editor (notepad.exe) and paste the content of your clipboard into a new textfile.
  • Reproduce the issue in the AdminWizard.
  • Immediately after you have reproduced the issue, copy the logfile to a new location. You'll find its path in notepad.
  • Close the AdminWizard.
  • Turn debugging off by typing in cmd.exe:
    SecuSurfAdminWizard.exe -turndebugmodeoff


  • Zip the logfile and send it to info [at] seculution.com with a brief description of your problem and screenshots.


I have a problem with the SecuLution Agent. How do I create debug logs?

To debug a problem with the SecuLution Agent we need log files that have been created with a debug version of the Agent while the problem has been reproduced. To create these log files:

  • Uninstall the current Agent
  • Turn on Minidumps 
  • Install the latest debug version of the SecuLution Agent (contact support to get it)
  • Reproduce the problem
  • Reboot into safe mode
  • Zip the directory C:\SSLOGS
  • Uninstall the Agent using the normal Agent uninstaller
  • Send SSLOGS.zip to your support contact



Where in the Registry can I find the AdminWizards settings?

On 32-bit Windows systems the settings can be found under
HKEY_LOCAL_MACHINE\SOFTWARE\SecuLution\SecuSurf\Admin-Wizard

On 64-bit Windows systems the settings can be found under
HKEY_USERS\S-1-5-21-1050957569-136395086-4194942220-1106_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\SecuLution\SecuSurf\Admin-Wizard
The SID in the example above will differ on your system.


User settings can be found under
HKEY_CURRENT_USER\Software\SecuLution\SecuSurf\Admin-Wizard

What are the system requirements?

SecuLution Appliance:

  • native support for any VMware virtualization product (e.g. ESX(i), Workstation, Player)
  • other virtualization products have been reported to work as well

SecuLution Agent:

  • all versions of Microsoft Windows
  • for legacy versions of Windows (Windows NT4, Windows 2000 and Windows XP < SP3) a compatible version with limited features is available on request

SecuLution AdminWizard:

  • all versions of Microsoft Windows

SecuLution RCM Module:

  • all versions of Microsoft Windows >= Windows XP SP3

Some hash algorithms are now considered "broken". What impact does this have on the security of SecuLution?

Short answer:
The weaknesses found in the hash algorithms MD5 and SHA-1 have no effect on the security of SecuLution, since it is still not possible to generate malicious software with a predetermined hash: nobody can create a file that has the same hash as a program already contained in SecuLution's whitelist.


Detailed answer:
In the media, SHA-1 and MD5 are described as "broken" because it is possible to generate collisions. A "collision" means that you can create two different input files (file1 and file2) which produce the same hash. The attacker does not, however, get to choose what that shared hash is.
To attack the security offered by SecuLution, an attacker would have to create a file whose hash is already contained in SecuLution's whitelist (a "pre-image" attack; strictly a second pre-image, since the whitelisted file is known). A collision attack produces two different files with the same, not freely choosable hash; a pre-image attack produces a file with a specific, predefined hash. These are two completely different cryptographic tasks, and no practical pre-image attacks on SHA-1 or MD5 are known.


No restriction of SecuLution's security due to collisions:
If a hash algorithm is no longer collision-resistant, it is possible to create two different files with the same, not freely choosable hash: an attacker can create a benign and a malicious program that share one hash.
Since a hash maps an arbitrary amount of data to a small fixed-length value, every hash function has collisions. As soon as a collision can be produced in practice, the collision resistance of the algorithm is considered broken. The prerequisite for creating collisions with MD5 and SHA-1 is that both input files are created together, i.e. by one author from one source; the originator of file1 must also be the originator of file2. If an attacker can get a user to trust file1, he does not need a collision at all, because he has already achieved his goal: the user trusts his software. He can simply put his malicious code into file1 and has no need for a second file with the same hash. That the attacker could also create a file2 which does something different from file1 therefore plays no role in SecuLution's security.
Since a hash is the mapping of an arbitrary amount of data into a small fixed-length amount of data, all hashing procedures have collisions. As soon as the generation of a collision can be carried out practically, the property of the collision resistance of an algorithm is considered broken. The prerequisite for creating collisions with MD5 and SHA1 is that both input files are created together, that is, from one author and from one source. This means that the originator of file1 must also be the originator of file2. If an attacker can make a user trust File1, he does not have to worry about collision, because he has already achieved the goal that the user will trust his software file1. Thus the attacker can thus put his malicious code in file 1 and does not need to create a file that has the same hash as file1. The fact that the attacker can also create a file2 that potentially does something other than file1 does not play any role in SecuLution’s security.