
Verification of trustworthiness of software.


Managed Whitelist service (online database)

The "Managed Whitelist" is a service which provides access to an online database with information about the trustworthiness of software. SecuLution calculates an individual trust level for every hash. Using this feature can reduce the effort of auditing your whitelist to a few mouse clicks.

Subscribers to this service can make an unlimited number of database requests. 5 requests per day are provided for free to every SecuLution customer.


Trust level

The trust level is a value on a scale from 0 (= clearly not trustworthy) to 10 (= clearly goodware). When importing hashes from reliable sources, the trust level will be applied automatically:

  • Hashes imported into the whitelist using the command line "-wsus" are set to trust level 7.
  • Hashes imported into the whitelist using drag&drop, menu "extra > generate rules from files and import" or using the command line "-importdir", "-importexpandfile", "-importexpand" or "-importifchanged" are set to trust level 6.
  • Hashes which are not listed in the database are set to trust level 3. The trustworthiness of these hashes should be verified separately by checking the source they are from.

Hashes with trust level 0 are known malicious software and should be removed from the whitelist.


How does SecuLution calculate a trust level in the Managed Whitelist service?

The Managed Whitelist service is provided and maintained by the company SecuLution GmbH in Germany. By partnering with other companies, a pool of data sources was created, which is used to calculate the trust level of software (represented by its hash). This trust level is based on:
  • Is the hash known as trustworthy (e.g. part of an OS)?
  • Is the hash signed by publishers?
  • Is the signature from a trustworthy publisher?
  • Is this hash a part of a bundle with other trustworthy software?
  • Is this hash well spread, i.e. it is being used by many customers?
  • Is this hash not classified as being malicious software by antivirus software?
  • Is this hash being manually classified as trustworthy by users?
  • Has this hash been audited by SecuLution and classified as trustworthy?

The more of the above criteria are true, the higher the trust level will be. The higher the level, the more likely it is that the software is desirable and necessary. We recommend the following procedure:

 
Trust Level 0:
  • Usually, this is known malicious software. Verify this manually.
  • Change the "Allow" rule to a "Deny" rule.
  • Check the log files to find all computers on which these hashes have been denied. These computers should be reinstalled from scratch.
  • Delete these hashes afterwards.

Trust Level 1:
  • Usually, these are known unwanted software products (adware, advertising). Verify this manually.
  • Change the "Allow" rule to "Deny - Delete file from HD".
  • Delete the hash afterwards.

Trust Level 2:
  • Usually, this is software that cannot be classified clearly as being trustworthy (e.g. keygens, crackers). Verify this manually.
  • Change the "Allow" rule to "Deny - Delete file from HD".
  • Delete the hash afterwards.

Trust Level 3:
  • Usually, this is software that is not known to the SecuLution Managed Whitelist service, for example in-house software. Verify this manually.
  • After examination, set a manual trust level or delete the hash.
  • We recommend not keeping entries at trust level 3. Either set a manual trust level or delete those hashes.

Trust Level 4-10:
  • Indicators of good software were found. The higher the number, the stronger the indicators.




Refreshing the trust level of a single hash

When you select a hash in the AdminWizard's tree view, a blue "i" button on the right side of the hash is enabled. Click it to get further information about that single hash from the Managed Whitelist service.

Clicking "Add program to list" applies the trust level to the hash.


Refreshing the trust level of multiple hashes

SecuLution also makes it possible to update the trust level of all hashes in the whitelist with a single mouse click:
Select the menu "View / Rules / by Trustlevel" (or press CTRL-8, or select the 8th radio button above the Rules tree view):

Right click "unknown" and select "Check trust level online":

The hashes are sent to the Managed Whitelist service and the trust level of each hash is determined.



Check and remove untrusted hashes

After the trust level of all hashes has been determined, hashes that have been classified with trust level 0 to 3 should be examined manually and considered for removal.

The higher the level, the more likely it is that the software is desirable and necessary. We recommend the following procedure:

Trust Level 0:
  • Usually, this is known malicious software. Verify this manually.
  • Change the "Allow" rule to a "Deny" rule.
  • Check the log files to find all computers on which these hashes have been denied. These computers should be reinstalled from scratch.
  • Delete these hashes afterwards.

Trust Level 1:
  • Usually, these are known unwanted software products (adware, advertising). Verify this manually.
  • Change the "Allow" rule to "Deny - Delete file from HD".
  • Delete the hash afterwards.

Trust Level 2:
  • Usually, this is software that cannot be classified clearly as being trustworthy (e.g. keygens, crackers). Verify this manually.
  • Change the "Allow" rule to "Deny - Delete file from HD".
  • Delete the hash afterwards.

Trust Level 3:
  • Usually, this is software that is not known to the SecuLution Managed Whitelist service, for example in-house software. Verify this manually.
  • After examination, set a manual trust level or delete the hash.
  • We recommend not keeping entries at trust level 3. Either set a manual trust level or delete those hashes.

Trust Level 4-10:
  • Usually, this is desirable and trustworthy software which does not require further examination.
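
The triage procedure above, sketched as an added example (not SecuLution code): it sorts whitelist entries with trust level 0 to 3 into a review queue and lists the computers that have deny log entries for trust level 0 hashes. The CSV columns, the log line layout, the hashes and the host names are constructed for illustration and are not SecuLution formats.

```python
import csv
import io
import re

# Constructed sample data; column names and log layout are assumptions, not SecuLution formats.
WHITELIST_CSV = """hash,name,trust_level
aaaa1111,updater.exe,0
bbbb2222,toolbar.exe,1
cccc3333,keygen.exe,2
dddd4444,inhouse-erp.exe,3
eeee5555,winword.exe,9
"""
LOG_LINES = [
    "2024-05-02T08:14:11 host=PC-017 action=deny hash=aaaa1111",
    "2024-05-02T08:15:40 host=PC-042 action=allow hash=eeee5555",
    "2024-05-02T09:01:03 host=PC-023 action=deny hash=aaaa1111",
    "2024-05-02T09:30:00 host=PC-017 action=deny hash=cccc3333",
]

def action_for(level):
    """Map a trust level to the handling recommended in the procedure."""
    if level == 0:
        return "verify manually; change Allow to Deny; find hosts in logs; delete hash"
    if level in (1, 2):
        return 'verify manually; change Allow to "Deny - Delete file from HD"; delete hash'
    if level == 3:
        return "verify manually; set manual trust level or delete hash"
    if 4 <= level <= 10:
        return "keep"
    raise ValueError(f"trust level out of range: {level}")

def triage(csv_text):
    """Return {trust_level: [hash, ...]} for entries that need manual review (0-3)."""
    queue = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = int(row["trust_level"])
        if action_for(level) != "keep":
            queue.setdefault(level, []).append(row["hash"])
    return queue

def hosts_to_reinstall(log_lines, level0_hashes):
    """Computers with a deny log entry for a trust level 0 hash."""
    pat = re.compile(r"host=(\S+) action=deny hash=(\S+)")
    return sorted({h for h, x in pat.findall("\n".join(log_lines)) if x in level0_hashes})

if __name__ == "__main__":
    queue = triage(WHITELIST_CSV)
    for level in sorted(queue):
        print(level, queue[level], "->", action_for(level))
    print("reinstall:", hosts_to_reinstall(LOG_LINES, queue.get(0, [])))
```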


Unlimited database access

5 requests to the Managed Whitelist service per day are available to all customers free of charge. An unlimited number of requests is available with a subscription service.