
Learn mode

Turning learn mode on

To add software and devices that are used in your network to your whitelist, you can use an automatic learn mode.

A learn mode is a configuration option that instructs the Appliance not to deny hashes that are missing from the whitelist, but to allow them and add them to the whitelist. The idea is to allow and "learn" these hashes. You can have multiple learn modes, which is useful if you want to choose individual objects to learn from.

Turn on the learn mode by selecting the "Server config" tab, then the "Learn mode" tab:

[Screenshot: "Learn mode" tab]

During a learn mode, the Appliance only learns new (unknown) hashes that are checked by an Agent. Hashes that are already in the whitelist are not learned, since they are already known. This holds even if a hash has no "allow" policy associated with it, in which case the program remains effectively blocked.

Classification

Use the classification string to define what exactly you expect to be learning. This will help you keep track of the software that you add to the whitelist.

A semicolon can be used as a separator:
"SecuLution;AdminWizard" will result in:

[Image: resulting classification tree]

There is no limit to the depth; for example, you can use "Software;SecuLution;AdminWizard;V0.16.120".

For your initial learn mode you can use "added in learn mode".
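
The learn-mode decision and the semicolon-separated classification described above, modelled as an added example (not SecuLution code). All function names, the dictionary layout and the sample hashes are constructed, and the example assumes that a learned entry receives an "allow" policy.

```python
# Model of the learn-mode behaviour described above. Illustration only,
# not SecuLution code; all names and sample hashes are constructed.

def split_classification(classification):
    """Split "A;B;C" into the path ["A", "B", "C"] (semicolon = separator)."""
    return [part.strip() for part in classification.split(";") if part.strip()]


def check_hash(whitelist, file_hash, learn_classification=None):
    """Return the decision for one hash checked by an Agent.

    whitelist maps hash -> {"allow": bool, "classification": [path parts]}.
    learn_classification is the classification string of an active learn
    mode, or None when no learn mode is active.
    """
    entry = whitelist.get(file_hash)
    if entry is not None:
        # Known hashes are never re-learned; their existing policy decides,
        # so an entry without an "allow" policy stays blocked in learn mode.
        return "allow" if entry["allow"] else "deny"
    if learn_classification is None:
        return "deny"  # unknown hash, no learn mode: normal whitelisting
    # Unknown hash during learn mode: allow it and add it to the whitelist.
    # Assumption: the learned entry gets an "allow" policy.
    whitelist[file_hash] = {
        "allow": True,
        "classification": split_classification(learn_classification),
    }
    return "learned"


def classification_tree(whitelist):
    """Build the nested tree that the classification strings produce."""
    tree = {}
    for file_hash, entry in sorted(whitelist.items()):
        node = tree
        for part in entry["classification"]:
            node = node.setdefault(part, {})
        node.setdefault("_hashes", []).append(file_hash)
    return tree


if __name__ == "__main__":
    wl = {"aa11": {"allow": False, "classification": ["Legacy"]}}  # constructed
    for h in ("aa11", "bb22", "bb22"):
        print(h, check_hash(wl, h, "Software;SecuLution;AdminWizard"))
    print(classification_tree(wl))
```

The first check shows the case from the text: "aa11" is already known without an "allow" policy, so it stays denied even while the learn mode is active.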

Turning learn mode off

To turn off a learn mode, click the trashcan icon of the learn mode you want to delete:

[Image: trashcan icon]