Installation of components
Initial configuration tasks
Initial whitelist generation
Add entries to whitelist
Test setup in 30 minutes
Quick Start: Installing and configuring a test environment in
Your Appliance will be delivered preconfigured for your network. If
you received a physical device, just plug it in and boot it up.
After 2 minutes you should be able to ping the Appliance.
If you have a virtual appliance (VM),
- copy the directory "SecuLution VM" from your CD to your ESX(i)
- choose "Add to inventory" on the .vmx file
Change the machine's configuration:
Power on your SecuLution VM.
- remove "network adapter 1", add a new E1000 network
adapter, select the appropriate network connection, change the MAC
address to "static" and complete it with some random values.
- configure RAM settings, min 512 MB, 2 GB is better
- configure CPU settings, min 1 CPU, the more the better
Installing the AdminWizard is straightforward. Just run
setup.exe from the AdminWizard directory of your SecuLution install
The initial login password is "password".
When started for the first time, the AdminWizard will guide you
through the mandatory configuration tasks. It will also ask for the
path where the agent installation files are stored in your network.
We'll configure that later. For now just click cancel.
Internet access is required for VM activation.
The key to a good whitelist is importing pattern files from a
computer you trust. For our test setup we'll now assume that your
computer is running only trustworthy software. Because this might
not really be true, we'll recreate a new whitelist from scratch
when we set up SecuLution for a production environment later.
To import trusted applications, select menu item Extra
> Hashes > Generate hashes from directory:
Double-click on "C:\" and click "List":
Note the field "Classification". Enter text that describes what you
are importing here. Use a semicolon to separate levels. Click on
"Import". The AdminWizard will now create a hash (fingerprint) for
every file on this computer and import that hash into the whitelist
of trusted applications. Each hash will be marked with the given
Done. You have generated an initial whitelist for testing
Configuration settings for the Appliance are set in the "Server
config" tab. Select the "Default response for unknown programs"
tab, enter a message that will be shown to users when they try to
use an unknown hash. We'll configure logging later.
Agent configuration values are part of the whitelist. Choose "Rules
by program" (menu item View > Rules > by
Program, or the leftmost radio button under the Rules
tab), scroll upwards and double-click "Agent config":
Go through each config option and configure the following settings.
(If need be, click into the empty line to create a new rule.)
- device-check -> set to "check devices"
- disable-password -> set a disable-password
- dll-check -> set to "do not check dlls"
- hideicon -> set to "show Agent icon"
- offline-mode -> set to "don't ask password"
Finally, activate your changes and upload your whitelist to the
Appliance by pressing the up arrow:
Important: Any change to the whitelist will remain in the
AdminWizard's memory only and will not be active on the Appliance
until you press the up arrow! Imagine the arrow as a command to
push the current whitelist to the Appliance.
After you have imported patterns from trusted files, you might
expect that any and all software (their hashes) will be present in
the whitelist. But in most cases our whitelist is still not
complete. For example, hashes of programs that start from a remote
UNC path, devices, even the Agent itself (which we will install
next) have not yet been added to our whitelist, because so far
we've only imported hashes that were already on drive "C:\". To add
all the other hashes that are used on this computer to our
whitelist, we'll now configure a learn mode.
A learn mode is a configuration option that instructs the
Appliance to NOT deny hashes that are not known in the whitelist,
but to allow them instead and also to add them to the whitelist.
The idea is to "learn" these hashes. The "Classification" will be
added to each program processed in learn mode.
Turn on the learn mode by selecting the "Server config" tab,
then the "Learn mode" tab:
Type "Delta" in "Classification", select "Duration" of "32 d[ays]"
and click "Learn mode on".
During a learn mode the Appliance will only learn new and currently
unknown hashes if the programs or devices represented by the hash
are actually started or used on a machine where the Agent is
installed. So next we need to install the Agent.
CAUTION: Following the next step will cause a forced reboot
without asking for confirmation. Close your applications and save
your work now!
Go to the directory "Client-Installer" on your SecuLution
install CD, right-click on "autosetup.exe" and choose "Run as
administrator". The Agent will be installed and your computer will
Log in and wait until your computer starts the autostart
programs. Sometimes a computer keeps on starting different programs
after you have logged in (e.g. NETLOGON, GPOs). After you think your
computer is up and ready for normal usage, you can turn the learn
mode off.
To turn off the learn mode click on the trashcan icon:
Now your SecuLution system is protecting your computer. We are
ready for testing.
You have successfully secured your computer. Let's start some
trustworthy programs to verify that the computer works normally.
You should be able to run any software that you can find on "C:\"
since we've imported all these files already. Does your computer
behave normally? Good! That's what we want!
Now let's try to start a program which is not (yet) in your
whitelist. You can do that by downloading software, inserting a CD
or starting programs that are stored on a server (a UNC path, which
we haven't imported before). Don't use a USB stick yet: USB
devices are managed by SecuLution, too, but your stick is not
yet an allowed device.
Any attempt to start a program that is not yet in your whitelist
is blocked, and you will see a popup with the DENY message you
That's it! Your computer is secure! Only software that is
classified as trustworthy can be started.
Audit learned programs
Remember that we turned on a learn mode to "learn" additional
software and devices that were not imported during the "import
pattern files" step? Now it's time to look over the hashes
(programs and devices) that were added during this learn mode,
in order to either delete unwanted hashes from our whitelist or to
classify them correctly. Since you don't want to go through all the
thousands of hashes that might now be in your whitelist, we'd like
to see only those hashes that were added during the learn
mode. To do so, select menu item View > Rules > by classification (or
just click the 4th radio button in the "Rules" tab treeview):
Double-click "Delta". You will find hashes here that have been
"learned" during the learn mode because they were not (yet)
included in the whitelist at the time they were checked by the
Agent. So they have been learned and classified with the
classification string "Delta" you entered when turning on the learn
mode. In the example above, these three programs are part of the
Agent, and the Agent had not been installed on this computer at the
time we were importing patterns from drive "C:\".
Mark all the programs for which you want to change the
classification by holding the Ctrl key when clicking on
the program. Then right-click and choose "change classification".
Enter "SecuLution;Agent;Vx.y.z" where x,y and z are the version
number (see program properties).
After that, you should have successfully classified these hashes
(press F5 to refresh view).
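As an added illustration (not SecuLution's own code), a small Python model of the sequence this guide walks through: generating hashes from a directory under a semicolon-separated classification, the Appliance's deny-by-default check with learn mode on and off, and the audit and reclassification of "Delta" entries. The hash algorithm (SHA-256), the function names and the sample files are assumptions; the product's internals are not described on this page.

```python
import hashlib
import tempfile
from pathlib import Path
# Whitelist model: hash -> "level;level" classification. SHA-256 is an assumption.
Whitelist = dict[str, str]

def file_hash(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def generate_from_directory(root: Path, classification: str, wl: Whitelist) -> None:
    """Extra > Hashes > Generate hashes from directory: hash every file, tag it."""
    for p in root.rglob("*"):
        if p.is_file():
            wl.setdefault(file_hash(p), classification)  # keep an existing entry's class

class Appliance:
    """Deny by default; in learn mode unknown hashes are allowed and learned."""
    def __init__(self, wl: Whitelist, deny_message: str) -> None:
        self.wl, self.deny_message = wl, deny_message
        self.learn_classification = None  # classification string while learning, else None

    def check(self, digest: str) -> str:
        if digest not in self.wl:
            if self.learn_classification is None:
                return "DENY: " + self.deny_message  # the popup the user sees
            self.wl[digest] = self.learn_classification  # learned and tagged
        return "ALLOW"

def by_classification(wl: Whitelist, top_level: str) -> Whitelist:
    """View > Rules > by classification: entries whose first level matches."""
    return {h: c for h, c in wl.items() if c.split(";")[0] == top_level}

def demo() -> dict:
    """Run the guide's sequence on constructed files and return the outcomes."""
    wl: Whitelist = {}
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "trusted.exe").write_bytes(b"constructed trusted program")
        generate_from_directory(Path(d), "Test;Initial", wl)
        known = file_hash(Path(d) / "trusted.exe")
    agent = hashlib.sha256(b"constructed Agent binary").hexdigest()
    unknown = hashlib.sha256(b"constructed unknown download").hexdigest()
    app = Appliance(wl, "This program is not allowed on this computer.")
    app.learn_classification = "Delta"  # "Learn mode on"
    r_known, r_learned = app.check(known), app.check(agent)
    app.learn_classification = None  # trashcan icon: learn mode off
    r_denied = app.check(unknown)
    for h in by_classification(wl, "Delta"):  # audit: "change classification"
        wl[h] = "SecuLution;Agent;Vx.y.z"
    return {"known": r_known, "learned": r_learned, "denied": r_denied,
            "agent_class": wl[agent], "delta_left": len(by_classification(wl, "Delta"))}
```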
Now do the same for your devices:
What if you're not sure about what you find during your audit of
Right-click the hash and search Google:
Most of the time you'll find interesting additional information
about the hash.
You can also request additional information from our webservice
"Managed Whitelist" by clicking on
"Check program online". You'll be presented with information
regarding this hash, in this case:
The information presented to you here is based on more than 50
different antivirus tools and a list of trusted applications which
we (the company SecuLution) manage and update on a daily basis.
You definitely want to block the software in this example. To block
this software, just remove it from the list of trusted applications
by pressing the "delete entry" button:
(However, it still might be a good idea to examine the computer on
which this known malware was initially executed. See remark rule
"first checked by user username on host hostname with IP address on