SecuLution Documentation
Individual learn mode

There can be multiple learn modes, each one learning from an individual IP address range or object:



In the above example, computers with an IP address in the range 172.16.5.0 - 172.16.5.255, as well as any user, group or computer object that's a member of the group "cert publishers" are in learn mode.

"Valid for"
Usually - and this is strongly encouraged - "valid for" should remain set to "0.0.0.0/0". The network range "0.0.0.0/0" includes all IP addresses and is therefore an alias for "all computers". This means that all new hashes added in learn mode will be allowed for everybody (the "Allow" rules are valid for "0.0.0.0/0").

You can, however, set "valid for" to something different. New hashes are then added to the whitelist in learn mode with "Allow" rules that are valid only for the object you selected here. This can effectively be used to create a blacklist, because a program that is already listed in the whitelist is not learned again when a learn mode is used later, so its restricted rule stays in place. If "valid for" is set to something invalid, the learned program will not be allowed for anybody, and it will also not be added when learn mode is turned on later. This is effectively a permanent blacklist.
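
The effect of "valid for" described above can be reproduced with a small model. This is an added example, not SecuLution code: the `Whitelist` class, its method names and the placeholder hashes are hypothetical, only IP ranges are modelled (no user or group objects), and an invalid "valid for" value is assumed to match no computer.

```python
import ipaddress

EVERYBODY = ipaddress.ip_network("0.0.0.0/0")

class Whitelist:
    """Simplified model: hash -> network its Allow rule is valid for (None = nobody)."""

    def __init__(self):
        self.rules = {}

    def learn(self, file_hash, valid_for="0.0.0.0/0"):
        """Learn a new hash; a hash that is already listed is not learned again."""
        if file_hash in self.rules:
            return False
        try:
            self.rules[file_hash] = ipaddress.ip_network(valid_for)
        except ValueError:
            # Assumption: an invalid "valid for" value matches no computer.
            self.rules[file_hash] = None
        return True

    def is_allowed(self, file_hash, client_ip):
        scope = self.rules.get(file_hash)
        return scope is not None and ipaddress.ip_address(client_ip) in scope

    def restricted(self):
        """Entries an audit should review: not valid for everybody."""
        return sorted(h for h, s in self.rules.items() if s != EVERYBODY)


def demo():
    wl = Whitelist()
    # Constructed placeholder hashes, not real file hashes.
    wl.learn("hash-office")                           # default "valid for"
    wl.learn("hash-admintool", "172.16.5.0/24")       # one range only
    wl.learn("hash-unwanted", "no-such-object")       # invalid "valid for"
    relearned = wl.learn("hash-unwanted")             # later learn mode, default scope
    return {
        "office_anywhere": wl.is_allowed("hash-office", "10.1.2.3"),
        "admintool_inside": wl.is_allowed("hash-admintool", "172.16.5.40"),
        "admintool_outside": wl.is_allowed("hash-admintool", "172.16.6.40"),
        "unwanted_relearned": relearned,
        "unwanted_allowed": wl.is_allowed("hash-unwanted", "172.16.5.40"),
        "restricted": wl.restricted(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `restricted()` listing is the part worth keeping as a habit: entries whose scope is not "0.0.0.0/0" behave differently from the rest of the whitelist and stay that way until someone changes or deletes them.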