
Import trustworthy software


Set up computers where only trustworthy software is installed

Write down a list of the operating systems (OS) your users work with and that you will later secure with the Agent. Distinguish between service packs and between architectures: Windows 8 and Windows 8.1 are two items on your list, and if you run both x86 and x64, that makes four. For each item on the list, create a "sample computer": a machine that is set up and fully patched. Then install a good selection of the software that runs on computers in your network, for each architecture (x86 and x64) you use. This does not have to be all the software used in your network; later you will let SecuLution learn automatically any program that is not yet in your whitelist. Every learned hash has to be audited manually afterwards, so the more hashes you import into the whitelist from a computer you can trust, the fewer hashes are left to audit.


Import an empty whitelist

You may already have hashes in your whitelist from previous tests. To start from scratch, import a new, empty whitelist: choose File > Open from the main menu and navigate to the AdminWizard install directory (usually "C:\Program Files (x86)\SecuLution\SecuSurf-Admin-Wizard"). Enter the directory "RuleSets" and double-click the file "leer.ssf". This imports a new, empty whitelist. All rules and Agent configuration settings are now gone, so scroll up and reconfigure the Agent settings.


Import software from trusted computers

The easiest way to import trustworthy hashes from a sample computer is to install the AdminWizard on the sample computer, and then import all files from the local "C:\" filesystem by selecting menu item Extra > Hashes > Generate hashes from directory:
[Screenshot: menu Extra > Hashes > Generate hashes from directory]

Double-click on "C:\" and click "List":
[Screenshot: import from directory dialog]

Note the field "Classification". Enter text here that describes what you are importing, using a semicolon to separate levels. In this example we used the string "sample computers;Windows8;x64;SP1". Click on "Import". The AdminWizard now creates a hash for every program on this computer and imports that hash into the whitelist. Each hash is marked with the classification you entered.

Import additional trustworthy software

You can also add trustworthy software by importing their hashes from a UNC path. Navigate to the path in Windows Explorer and copy/paste the path:

[Screenshot: import from a UNC path]

Selecting the "unpack each file" option expands files like setup.exe and adds their contents as well. However, some setup files cannot be expanded, so this function will probably not add 100% of the software. Choosing "unpack each file" also takes much longer. Remember to use a good classification string.

This function can be used as often as you like. Programs already listed in the whitelist will not be changed, so you won't have double entries.
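The two import steps above (hash every program below a directory, tag each hash with a semicolon-separated classification, and leave hashes that are already in the whitelist untouched so repeated imports never create double entries) as an added Python example, not SecuLution's own code. The hash algorithm (SHA-256), the in-memory whitelist format and the set of file suffixes treated as "programs" are assumptions, since the page does not state them; the sample directory tree is constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path
# Assumption: SecuLution's hash algorithm, whitelist format and notion of "program"
# are not stated on the page; SHA-256, a dict and this suffix set stand in for them.
PROGRAM_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr"}

def hash_file(path: Path) -> str:
    digest = hashlib.sha256()  # read in 1 MiB chunks so large binaries fit in memory
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_classification(text: str) -> tuple[str, ...]:
    """Split "sample computers;Windows8;x64;SP1" into its semicolon-separated levels."""
    return tuple(level.strip() for level in text.split(";") if level.strip())

def import_from_directory(root: Path, classification: str, whitelist: dict) -> dict:
    """Hash every program file below root; add unseen hashes, leave known ones untouched."""
    levels = parse_classification(classification)
    stats = {"added": 0, "skipped": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PROGRAM_SUFFIXES:
            continue  # not a program file
        digest = hash_file(path)
        if digest in whitelist:
            stats["skipped"] += 1  # same bytes already whitelisted: no duplicate entry
            continue
        whitelist[digest] = {"classification": levels, "first_seen_as": path.name}
        stats["added"] += 1
    return stats

def build_sample_tree(base: Path) -> None:
    """Constructed sample data: two programs, a byte-identical copy of one, a text file."""
    (base / "Program Files" / "App").mkdir(parents=True)
    (base / "Program Files" / "App" / "app.exe").write_bytes(b"MZ constructed app")
    (base / "Program Files" / "App" / "helper.dll").write_bytes(b"MZ constructed dll")
    (base / "Windows").mkdir()
    (base / "Windows" / "app_copy.exe").write_bytes(b"MZ constructed app")
    (base / "Windows" / "readme.txt").write_bytes(b"not a program")

def demo() -> tuple[dict, dict, dict]:
    """Import the constructed tree twice; the second run must add nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        whitelist, classification = {}, "sample computers;Windows8;x64;SP1"
        runs = [import_from_directory(Path(tmp), classification, whitelist) for _ in range(2)]
        return whitelist, runs[0], runs[1]
```

The first run adds two hashes and skips the byte-identical copy; the second run adds nothing, which is the "no double entries" behaviour the import relies on.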

Limit the execution of administrative software

A small number of programs can dynamically run code inside their own process (for example PowerShell.exe, or Web Helper.exe, which ships with the Nvidia driver). Whitelisting such a program's hash does not control the code it then executes, so limit the execution of these applications to administrators.