SecuLution Documentation

Test setup in 30 minutes

Quick Start: Installing and configuring a test environment in 30 minutes



Start Appliance

Your Appliance is delivered preconfigured for your network. If you received a physical device, plug it in and boot it. After about 2 minutes you should be able to ping the Appliance.

If you have a virtual appliance (VM):
  • copy the directory "SecuLution VM" from your CD to your ESX(i) datastore,
  • choose "Add to inventory" on the .vmx file.


Change the machine's configuration:

  • remove "network adapter 1", add a new E1000 network adapter, select the appropriate network connection, set the MAC address to "static" and fill in the remaining digits with values that are unique on your network,
  • configure RAM: at least 512 MB, 2 GB is better,
  • configure CPU: at least 1 CPU, the more the better.
Power on your SecuLution VM.


Install AdminWizard

Installing the AdminWizard is straightforward. Just run setup.exe from the AdminWizard directory of your SecuLution install CD.

The initial login password is "password". This is a published default; do not keep it beyond the test setup.

When started for the first time, the AdminWizard will guide you through the mandatory configuration tasks. It will also ask for the path where the agent installation files are stored in your network. We'll configure that later. For now just click cancel.

[Screenshot: AgentInstallPath]
Internet access is required for VM activation.


Import pattern files

The key to a good whitelist is importing pattern files from a computer you trust. For this test setup we assume that your computer runs only trustworthy software. Because this might not actually be true, we will recreate the whitelist from scratch when we set up SecuLution for a production environment later.

To import trusted applications, select menu item Extra > Hashes > Generate hashes from directory:

[Screenshot: MenuImportFromFiles]

Double-click on "C:\" and click "List":
[Screenshot: ImportFromDir]

Note the field "Classification". Enter text that describes what you are importing. Use a semicolon to separate levels (for example "Test;Workstation;C-drive"). Click "Import". The AdminWizard will now create a hash (fingerprint) of every file on this computer and import it into the whitelist of trusted applications. Each hash is marked with the given classification.

Done. You have generated an initial whitelist for testing purposes.
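The import described above, as an added example that is not SecuLution's own code: it walks a directory, fingerprints every regular file and tags each hash with a semicolon-separated classification. It assumes SHA-256 as the fingerprint (the page does not name the algorithm) and uses a small constructed file tree in place of drive "C:\"; the function and constant names are this example's own.

```python
"""Added example, not SecuLution's own code: build a hash whitelist from a
directory the way "Generate hashes from directory" does.  Assumptions: SHA-256
as the fingerprint (the page does not name the algorithm) and a classification
string whose levels are separated by semicolons.  The sample tree is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# constructed file contents standing in for real binaries
APP_BYTES = b"MZ app binary (constructed)"
DLL_BYTES = b"MZ helper dll (constructed)"


def content_hash(data: bytes) -> str:
    """Hex SHA-256 of in-memory bytes (used to look up entries by known content)."""
    return hashlib.sha256(data).hexdigest()


def file_hash(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def split_classification(classification: str) -> list:
    """'SecuLution;Agent;V1' -> ['SecuLution', 'Agent', 'V1']; empty levels are dropped."""
    return [level.strip() for level in classification.split(";") if level.strip()]


def generate_hashes(root: Path, classification: str) -> dict:
    """Hash every regular file below root and tag each hash with the classification.

    Returns {hash: {"classification": str, "levels": [...], "first_path": str}}.
    Identical content at two paths yields one entry: a hash whitelist trusts content, not locations.
    """
    levels = split_classification(classification)
    if not levels:
        raise ValueError("classification must not be empty")
    whitelist = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # links and special files carry no content of their own
            try:
                digest = file_hash(path)
            except OSError:
                continue  # locked or unreadable: cannot be fingerprinted, so not whitelisted
            whitelist.setdefault(digest, {
                "classification": ";".join(levels),
                "levels": list(levels),
                "first_path": str(path),
            })
    return whitelist


def build_demo_tree(root: Path) -> None:
    """A constructed stand-in for the drive you import from."""
    app_dir = root / "Program Files" / "App"
    app_dir.mkdir(parents=True)
    (app_dir / "app.exe").write_bytes(APP_BYTES)
    (app_dir / "helper.dll").write_bytes(DLL_BYTES)
    copy_dir = root / "Users" / "tmp"
    copy_dir.mkdir(parents=True)
    (copy_dir / "app_copy.exe").write_bytes(APP_BYTES)  # same content, second path


def demo(classification: str = "Test;Workstation;C-drive") -> dict:
    """Build the demo tree in a temporary directory and import it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return generate_hashes(root, classification)


if __name__ == "__main__":
    for digest, entry in demo().items():
        print(digest[:16], entry["classification"], entry["first_path"])
```

The three constructed files produce two whitelist entries, because the copy under "Users" has the same content as the original; that is the property you rely on when a program is later started from a different path.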


Base configuration

Configuration settings for the Appliance are set in the "Server config" tab. Select the "Default response for unknown programs" tab and enter the message that will be shown to users when they try to run a program whose hash is unknown. We'll configure logging later.
[Screenshot: setDefaultDeny]

Agent configuration values are part of the whitelist. Choose "Rules by program" (menu item View > Rules > by Program, or the leftmost radio button under the Rules tab), scroll upwards and double-click "Agent config":
[Screenshot: AgentConfig]

Go through each config option and configure the following settings. (If need be, click into the empty line to create a new rule.)
  • device-check -> set to "check devices"
  • disable-password -> set a disable-password 
  • dll-check -> set to "do not check dlls"
  • hideicon -> set to "show Agent icon"
  • offline-mode -> set to "don't ask password"
Finally, activate your changes and upload your whitelist to the Appliance by pressing the up arrow:
[Screenshot: activate]

Important: Any change to the whitelist will remain in the AdminWizard's memory only and will not be active on the Appliance until you press the up arrow! Imagine the arrow as a command to push the current whitelist to the Appliance.


Set learn mode

After importing patterns from trusted files you might expect every program (every hash) to be present in the whitelist. In most cases the whitelist is still incomplete: hashes of programs started from a remote UNC path, devices, and even the Agent itself (which we will install next) have not been added yet, because so far we have only imported hashes of files on drive "C:\". To add the other hashes used on this computer to the whitelist, we now configure a learn mode.

A learn mode is a configuration option that instructs the Appliance NOT to deny hashes that are unknown to the whitelist, but to allow them and add them to the whitelist instead. The idea is to "learn" these hashes. The learn mode's "Classification" is attached to every program learned this way, so you can find and audit them afterwards. Note that anything executed while the learn mode is active is allowed and whitelisted, including malware; that is why the learned entries are audited once the learn mode is off.

Turn on the learn mode by selecting the "Server config" tab, then the "Learn mode" tab:

[Screenshot: learn mode]
Type "Delta" in "Classification", select a "Duration" of "32 d" (32 days) and click "Learn mode on".

During a learn mode the Appliance only learns a new, currently unknown hash if the program or device it represents is actually started or used on a machine where the Agent is installed. So next we install the Agent.


Install Agent

CAUTION: Following the next step will cause a forced reboot without asking for confirmation. Close your applications and save your work now!

Go to the directory "Client-Installer" on your SecuLution install CD, right-click on "autosetup.exe" and choose "Run as administrator". The Agent will be installed and your computer will reboot.

Log in and wait until your computer has started the autostart programs. Sometimes a computer keeps starting further programs after you have logged in (e.g. NETLOGON, GPOs). Once you think your computer is up and ready for normal use, you can start the AdminWizard again.



Turn learning mode off

To turn off the learn mode click on the trashcan icon:

[Screenshot: turnofflm]

Now your SecuLution system is protecting your computer. We are ready for testing.


Testing

You have successfully secured your computer. Let's start some trustworthy programs to verify that the computer works normally. You should be able to run any software you find on "C:\", since we have imported all of those files already. Does your computer behave normally? Good! That's what we want.

Now let's try to start a program which is not (yet) in your whitelist. You can do that by downloading software, inserting a CD or starting a program stored on a server (a UNC path, which we have not imported). Don't use a USB stick yet: USB devices are managed by SecuLution too, and your stick is not yet an allowed device.

Any attempt to start a program that is not yet in your whitelist is blocked, and you will see a popup with the DENY message you configured earlier:

[Screenshot: denypopup]

That's it! Only software whose hash is in the whitelist, i.e. software classified as trustworthy, can be started.


Audit learned programs

Remember that we turned on a learn mode to "learn" additional software and devices that were not imported during the "import pattern files" step. Now it's time to look over the hashes (programs and devices) that were added during this learn mode, in order to either delete unwanted hashes from the whitelist or classify them correctly. Since you don't want to go through the thousands of hashes that may now be in your whitelist, we want to see only those hashes that were added during the learn mode. To do so, select menu item "View/Rules/by classification" (or click the 4th radio button in the "Rules" tab treeview):

[Screenshot: tbclassification]

Double-click "Delta". You will find hashes here that have been "learned" during the learn mode because they were not (yet) included in the whitelist at the time they were checked by the Agent. So they have been learned and classified with the classification string "Delta" you entered when turning on the learn mode. In the example above, these three programs are part of the Agent, and the Agent had not been installed on this computer at the time we were importing patterns from drive "C:\".
Mark all the programs whose classification you want to change by holding the Ctrl key while clicking on them. Then right-click and choose "change classification". Enter "SecuLution;Agent;Vx.y.z", where x, y and z are the Agent's version number (see the program properties).

After that, you should have successfully classified these hashes (press F5 to refresh view).
[Screenshot: classified]

Now do the same for your devices:
[Screenshot: classified]


Unknown hashes

What if you're not sure about what you find during your audit of learned hashes?
Right-click the hash and search Google:
[Screenshot: sgoogle]
Most of the time you'll find interesting additional information about the hash.

You can also request additional information from our webservice "Managed Whitelist" by clicking on "Check program online". You'll be presented with information regarding this hash, in this case:
[Screenshot: virusfound]
The information presented to you here is based on more than 50 different antivirus tools and a list of trusted applications which we (the company SecuLution) manage and update on a daily basis.

You definitely want to block the software in this example. To block this software, just remove it from the list of trusted applications by pressing the "delete entry" button:
[Screenshot: deleteentry]

That's it.
(It is still a good idea to examine the computer on which this known malware was first executed. The remark rule "first checked by user username on host hostname with IP address on date-time" tells you which user, host and address ran it first.)
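The learn mode, the default-deny decision and the audit steps on learned entries (view by classification, reclassify, delete), as an added example that is not SecuLution's own code. It models the Appliance's decision for one hash reported by an Agent; the hashes, user, host, IP address, clock values and deny text are all constructed, the learned-entry remark mirrors the "first checked by ..." remark rule mentioned above, and the reclassification uses "SecuLution;Agent" without a version suffix because the version is not known here.

```python
"""Added example, not SecuLution's own code: a minimal model of the Appliance's
decision for one hash, including learn mode with a duration, and the audit
steps on learned entries (view by classification, reclassify, delete).  The
hashes, users, hosts, addresses, times and the deny text are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

DENY_MESSAGE = "Program not on the whitelist. Contact IT."  # assumed text for the DENY popup


@dataclass
class Entry:
    classification: str
    remark: str  # models the "first checked by user ... on host ... with IP ... on ..." remark rule


@dataclass
class LearnMode:
    classification: str
    until: datetime  # learn mode expires on its own after the chosen duration


class Appliance:
    def __init__(self, imported: Dict[str, str]):
        # initial whitelist from the directory import: hash -> classification
        self.entries: Dict[str, Entry] = {h: Entry(c, "imported") for h, c in imported.items()}
        self.learn: Optional[LearnMode] = None

    def learn_mode_on(self, classification: str, days: int, now: datetime) -> None:
        self.learn = LearnMode(classification, now + timedelta(days=days))

    def learn_mode_off(self) -> None:  # the trashcan icon
        self.learn = None

    def check(self, digest: str, user: str, host: str, ip: str, now: datetime) -> Tuple[str, str]:
        """Decide for one hash reported by an Agent. Returns (verdict, detail)."""
        entry = self.entries.get(digest)
        if entry is not None:
            return "allow", entry.classification
        if self.learn is not None and now < self.learn.until:
            # learn mode: allow AND add, tagged with the learn classification and where it was first seen
            remark = f"first checked by user {user} on host {host} with IP {ip} on {now.isoformat()}"
            self.entries[digest] = Entry(self.learn.classification, remark)
            return "allow", f"learned as {self.learn.classification}"
        return "deny", DENY_MESSAGE  # default deny: unknown hash, no active learn mode

    def by_classification(self, classification: str) -> List[str]:
        """The 'Rules by classification' view: hashes at this level or any level below it."""
        return sorted(h for h, e in self.entries.items()
                      if e.classification == classification
                      or e.classification.startswith(classification + ";"))

    def reclassify(self, digests: Iterable[str], new_classification: str) -> None:
        for h in digests:
            self.entries[h].classification = new_classification

    def delete(self, digest: str) -> str:
        """Remove a hash (for example known malware found in the audit); returns its remark
        so the host that first ran it can be examined."""
        return self.entries.pop(digest).remark


def run_scenario() -> dict:
    """Walk through the page's procedure: import, deny, learn, expire, audit, reclassify, delete."""
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed clock
    who = dict(user="alice", host="PC01", ip="10.0.0.5")  # constructed Agent identity
    app = Appliance({"sha256:aaaa": "Test;Workstation;C-drive"})
    r = {}
    r["known"] = app.check("sha256:aaaa", now=t0, **who)
    r["unknown_no_learn"] = app.check("sha256:bbbb", now=t0, **who)
    app.learn_mode_on("Delta", days=32, now=t0)
    r["agent_learned"] = app.check("sha256:agent1", now=t0 + timedelta(minutes=5), **who)
    r["malware_learned"] = app.check("sha256:evil", now=t0 + timedelta(minutes=6), **who)
    r["after_expiry"] = app.check("sha256:cccc", now=t0 + timedelta(days=33), **who)
    app.learn_mode_off()
    r["delta_view"] = app.by_classification("Delta")
    app.reclassify(["sha256:agent1"], "SecuLution;Agent")  # version suffix omitted: constructed data
    r["seculution_view"] = app.by_classification("SecuLution")
    r["deleted_remark"] = app.delete("sha256:evil")
    r["evil_after_delete"] = app.check("sha256:evil", now=t0 + timedelta(hours=2), **who)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:18} {value}")
```

Two points the scenario makes explicit: a hash first seen while learn mode is active is allowed and whitelisted whether it is the Agent or malware, so the "Delta" view is the audit list; and once the learn mode has been turned off (or its duration has expired) the same unknown hash gets the DENY message, which is also what the deleted malware hash gets afterwards.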