Offline mode

Server unavailable (offline, down)

The Agent communicates with the Appliance when available.

If the Appliance is unavailable, the Agent uses a local encrypted cache of hashes that have been checked previously. A computer that is used offline (a laptop or notebook) can therefore be used the same way as while the Appliance was available, as long as the hashes being checked have previously been allowed for this computer. Note that a hash is stored in the local encrypted cache only after the Agent has checked it on the whitelist, which only happens when a program is used or a device is connected.

Preparing for offline mode

The local cache only contains hashes that have previously been checked on the Appliance. You can fill the cache with all entries from the whitelist by clicking the menu item "prepare for offline mode" in the Agent's icon. Verify that the value "cachesize" in the Agent's setup.ini is large enough to store all hashes from your whitelist locally.

Unknown hashes while offline

In case the following conditions apply:

  • Agent is offline (Appliance unavailable)
  • Hash is unknown (e.g. user starts an application that's not in the cache)

then settings from the configuration option "offline mode" will be used.

The following options are available:

The user will be presented with a password dialog. Entering the correct password will allow the requested hash and add the hash to a second local "offline cache".

"don't ask password, allow everything":
The computer will not block any unknown hash and will add the hash to a second local "offline cache".

"challenge response method":
The user will be presented with a dialog containing a "challenge" (numbers) and a text field in which a response must be entered:

The user can now call the administrator on the phone and explain what they are doing. The administrator can create a "response" code (menu item Extra > challenge response) and give it to the user, who will then be able to use the hash.

Individual configuration options

Hashes that represent configuration options can be configured the same way as hashes that represent devices or programs.

In the example above, host "l1w7" is configured so that in offline mode no hash will be denied, while all other computers will ask for a password when unknown hashes are requested in offline mode.

Local offline "delta cache"

In case:
  • the Agent is offline and
  • the hash is not listed in the "offline cache" file and
  • the hash is authorized using one of the methods mentioned above,

the Agent will add the hash to a second local cache file ("delta cache"), which contains only hashes that were allowed in offline mode and were not listed in the first "offline cache".

As soon as the Agent reconnects to the Appliance, all entries from this "delta cache" will be checked on the whitelist. These hashes will be learned on the Appliance (while it is in learn mode) and listed in the logs. This way, the administrator will be notified if users (try to) start untrusted hashes while in offline mode.
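
The decision flow described on this page (cache lookup, offline mode option, delta cache, replay on reconnect) can be modelled in a few lines. This is an added example and not SecuLution code: the class, method and enum names are hypothetical, `authorize` stands in for the password or challenge/response check, and the hashes are constructed sample values.

```python
# Added model of the offline decision flow described above; not SecuLution code.
from enum import Enum

class OfflinePolicy(Enum):          # hypothetical names for the "offline mode" options
    PASSWORD = 1                    # password dialog
    ALLOW_ALL = 2                   # "don't ask password, allow everything"
    CHALLENGE_RESPONSE = 3          # challenge shown, administrator supplies response

class AgentModel:
    def __init__(self, whitelist, policy, authorize=lambda h: False):
        self.whitelist = set(whitelist)  # stands in for the Appliance's whitelist
        self.policy = policy
        self.authorize = authorize       # stands in for the password/response check
        self.online = True
        self.cache = set()               # hashes the Appliance has already allowed
        self.delta = []                  # hashes allowed only while offline

    def prepare_for_offline(self):       # models the "prepare for offline mode" item
        self.cache |= self.whitelist

    def check(self, h):
        if self.online:
            allowed = h in self.whitelist
            if allowed:
                self.cache.add(h)        # cached only once actually checked
            return allowed
        # Assumption: a hash already in the delta cache is not prompted for again.
        if h in self.cache or h in self.delta:
            return True
        if self.policy is OfflinePolicy.ALLOW_ALL or self.authorize(h):
            self.delta.append(h)
            return True
        return False

    def reconnect(self):
        # Replay the delta cache; return entries not on the whitelist for review.
        self.online = True
        unknown = [h for h in self.delta if h not in self.whitelist]
        self.cache.update(h for h in self.delta if h in self.whitelist)
        self.delta.clear()
        return unknown

def demo():
    agent = AgentModel({"hash-a", "hash-b"}, OfflinePolicy.ALLOW_ALL)  # constructed
    agent.check("hash-a")
    agent.online = False
    results = [agent.check(h) for h in ("hash-a", "hash-b", "hash-x")]
    return results, agent.reconnect()
```

With the "allow everything" option, `demo()` shows that an unknown hash runs offline and only surfaces for review when the delta cache is replayed on reconnect.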