
Security

Table of Contents:

◊ Protection ◊ License ◊ Configure ◊ MS Exchange ◊ Security Alarms

Chapter 11 - Security, Sadjadi et al.

Introduction

One of the most critical advantages of today's networked computing environments is the ability to seamlessly exchange information with almost any networked computer via email, email attachments, the world-wide web, ftp, ssh, etc. This desired capability, however, places networked computers under constant threat of malicious programs (i.e., viruses, spyware, adware, etc.) entering the system and consequently causing undesired harm, including unauthorized access to sensitive data, system downtime, blocked network access, and so on. Clearly, while convenient network access is desirable, malicious programs must not be allowed to cause any harm. That is, the security of the system must be ensured without compromising remote access capabilities and the user's free access to the outside world. The security of the system within this context can only be guaranteed if 1) an up-to-date description of all malicious programs is available, 2) all data (e.g., files) entering the system are scanned to ensure that they do not contain malicious software, 3) if found, malicious software is removed or quarantined, and 4) access to sensitive parts of the system is monitored.

Kaseya Endpoint Security (KES), described in this chapter, provides all the facilities needed to maintain a secure environment. It provides for periodic scanning of the entire file system and the system registry for suspicious entries, cleaning or removing infected files, and monitoring access to sensitive parts of the system. In addition, depending on user-defined managed security profiles, KES can trigger alarms, send email notifications, run scripts, create job tickets, and log all security-sensitive activities. In summary, KES maintains the security of the managed network by

• Detecting malicious software through:
  • Scanning - Performs both on-access and on-demand scanning of the file system and registry:
    • Scans Email - Checks incoming and outgoing mail by using plug-ins designed for the most frequently used email programs.
    • On Access Protection - Files are scanned as they are copied, opened or saved. If a virus is discovered, file access is stopped and the virus is not allowed to activate itself. On Access Protection, loaded in the memory of the computer during system startup, also provides vital protection for the system areas of the computer.
    • On Demand Scans - Scans can be run on demand or scheduled to run periodically at convenient times.
  • Scanning MS Exchange Servers - Scans inbound and outbound e-mail messages and mailbox folders on MS Exchange Servers against virus/spyware/malware threats and deletes them immediately, before email recipients of the MS Exchange Server are infected.

The remainder of this chapter describes the details of KES operations and its customization.

11.1 Protection

11.1.1 Dashboard

The Dashboard page provides a dashboard view of the status of machines installed with Kaseya Endpoint Security.

• Endpoint Security Statistics
• License Status
• Top Machines with Threats
• Top Threats Discovered

Fig. 11.1 below shows the generic view of the Dashboard page. The options supported on this page are listed and explained below.

1. Endpoint Security Statistics

The Endpoint Security Statistics section provides various statistics about the security status of endpoints and the status of security definitions.

• Endpoints Need Reboot
• Signature versions older than '<version>'
• Endpoints with older version of KES
• Endpoints not having a scan completed this week
• Endpoints currently running a scan
• Endpoints with Resident Shield disabled

Click any of these hyperlinked statistics to see a tabbed dialog showing each member belonging to that statistic.

2. License Status: A pie chart displays the percentage of machines that have expired licenses or will have expired licenses in 30, 60, 90 or 91+ days. Click any slice of the pie chart or any label of the pie chart to display a list of individual machines belonging to that slice.

3. Top Machines with Threats: Lists the machines with the greatest number of current threats. The number of threats in the virus vault is also listed. Clicking a hyperlinked machine ID displays the threats belonging to that machine ID in the View Threats page.

4. Top Threats Discovered: A pie chart displays which threats have been found on the greatest percentage of machines. Click any slice of the pie chart or any label of the pie chart to display a list of individual machines belonging to that slice in the View Threats page.
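The dashboard statistics above are simple fleet-health predicates over per-endpoint status records. The following Python example, added here by the editor and not part of the KES manual or product, computes the six Endpoint Security Statistics and the License Status slices from a constructed sample fleet. The record layout, the dotted numeric version format and the reading of "this week" as the 7 days ending now are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def version_key(version: str):
    """Compare dotted numeric version strings such as '271.14.5' numerically.
    Assumed format; the page does not define how KES encodes versions."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class EndpointStatus:
    machine_id: str            # machine ID.group ID as shown in the VSA
    signature_version: str
    kes_client_version: str
    last_scan: Optional[datetime]
    scan_running: bool
    reboot_pending: bool
    resident_shield_on: bool
    license_expires: datetime


def endpoint_security_statistics(endpoints, now, current_signature, current_client):
    """Members behind each Endpoint Security Statistics hyperlink.
    'This week' is taken as the 7 days ending at `now` (assumption)."""
    week_ago = now - timedelta(days=7)
    stats = {
        "need_reboot": [],
        "signature_older_than_current": [],
        "older_kes_client": [],
        "no_scan_this_week": [],
        "scan_running": [],
        "resident_shield_disabled": [],
    }
    for ep in endpoints:
        if ep.reboot_pending:
            stats["need_reboot"].append(ep.machine_id)
        if version_key(ep.signature_version) < version_key(current_signature):
            stats["signature_older_than_current"].append(ep.machine_id)
        if version_key(ep.kes_client_version) < version_key(current_client):
            stats["older_kes_client"].append(ep.machine_id)
        if ep.last_scan is None or ep.last_scan < week_ago:
            stats["no_scan_this_week"].append(ep.machine_id)
        if ep.scan_running:
            stats["scan_running"].append(ep.machine_id)
        if not ep.resident_shield_on:
            stats["resident_shield_disabled"].append(ep.machine_id)
    return stats


def license_bucket(expires, now):
    """Slice of the License Status pie chart: expired, or expiring within 30, 60, 90 or 91+ days."""
    days = (expires - now).days
    if days < 0:
        return "expired"
    if days <= 30:
        return "30"
    if days <= 60:
        return "60"
    if days <= 90:
        return "90"
    return "91+"


def license_status(endpoints, now):
    """Machine IDs per slice, plus the percentage each slice represents."""
    slices = {"expired": [], "30": [], "60": [], "90": [], "91+": []}
    for ep in endpoints:
        slices[license_bucket(ep.license_expires, now)].append(ep.machine_id)
    total = len(endpoints) or 1
    percent = {k: round(100 * len(v) / total) for k, v in slices.items()}
    return slices, percent


# Constructed sample fleet (not real data)
NOW = datetime(2024, 3, 4, 9, 0)
CURRENT_SIGNATURE = "271.14.5"
CURRENT_CLIENT = "2.3.1"
FLEET = [
    EndpointStatus("ws01.sales", "271.14.5", "2.3.1", NOW - timedelta(days=1), False, False, True, NOW + timedelta(days=200)),
    EndpointStatus("ws02.sales", "271.13.9", "2.3.1", NOW - timedelta(days=10), False, True, True, NOW + timedelta(days=20)),
    EndpointStatus("srv01.eng", "271.14.5", "2.2.0", None, True, False, False, NOW - timedelta(days=3)),
    EndpointStatus("ws03.eng", "271.14.5", "2.3.1", NOW - timedelta(days=6), False, False, True, NOW + timedelta(days=75)),
]

if __name__ == "__main__":
    for name, members in endpoint_security_statistics(FLEET, NOW, CURRENT_SIGNATURE, CURRENT_CLIENT).items():
        print(f"{name}: {members}")
    print(license_status(FLEET, NOW))
```

Each statistic returns the member list rather than a count, which is what the tabbed dialog behind the hyperlink shows; an endpoint that has never scanned (last_scan is None) is deliberately counted as having no scan this week.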

Fig. 11.1: Dashboard page

11.1.2 Security Status

The Security Status page displays the current security status of each machine ID licensed to use Kaseya Endpoint Security. The list of machine IDs displayed depends on the Machine ID/Group ID filter and machine groups the administrator is authorized to see using System > Group Access. To display on this page, machine IDs must have Kaseya Endpoint Security client software installed on the managed machine using the Security > Install/Remove page.

Indicators include general security protection, file protection, mail protection, the number of threats detected, and the version of security protection installed on each machine ID.

Fig. 11.2 below shows the generic view of the Security Status page. The options available on this page are listed and explained below.

1. Current Available Signature Version: The latest version of security protection available. You can update one or more machine IDs with the Current Available Version using Security > Manual Updates.

2. Current Installer Version: The version number of the AVG installer to be used on new installations.

3. Enable Resident Shield: Click to enable resident memory anti-malware protection on selected machine IDs.

4. Disable Resident Shield: Click to disable resident memory anti-malware protection on selected machine IDs.

5. Enable Email: Click to enable email protection on selected machine IDs.

6. Disable Email: Click to disable email protection on selected machine IDs.

7. Empty Vault: Click to empty the virus vault of all quarantined malware on selected machine IDs.

8. Reboot Now: Reboots selected machine IDs. Some security updates require a reboot to install the update. If a reboot is pending, a reboot icon displays alongside the pre-update version number and the machine is still protected.

9. Machine.Group ID: The list of Machine ID.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the administrator is authorized to view.

Fig. 11.2: Security status


10. Profile Name: The security profile assigned to the machine ID.

11. Status: The current state of security protection for a machine ID is indicated by the set of status icons displayed in the Status column. Possible status icons include:

• Resident Shield On
• Resident Shield Off
• Resident Shield Partial
• Resident Shield Enable/Disable Pending
• Email Scanner On
• Email Scanner Off
• Email Scanner Partial
• Email Scanner Enable/Disable Pending
• Link Scanner On
• Link Scanner Off
• Link Scanner Partial
• Link Scanner Enable/Disable Pending
• Web Shield On
• Web Shield Off
• Web Shield Partial
• Web Shield Enable/Disable Pending

12. Threats: The number of unhealed threats detected on the machine ID. These are current threats that need user attention. You can click the hyperlinked number in any row to display these threats in the Current Threats tab of the View Threats page.

13. Virus Vault: The number of threats stored in the virus vault of the machine ID. These items are safely quarantined and will be automatically deleted, if profile settings apply. You can click the hyperlinked number in any row to display these threats in the Virus Vault tab of the View Threats page.

14. Version: The version of security protection currently used by this machine ID.

11.1.3 Manual Update

The Manual Updates page controls the updating of machine IDs licensed to use KES with the latest version of security protection available. Updates are scheduled automatically by default. You can disable and re-enable automatic updating by machine. Typically this function is only used to review the update status of agents or to force an immediate update check if needed.

The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.3 below shows the generic view of the Manual Update page. The options supported on this page are listed and explained below.

1. Current Available Version: The latest version of security protection available. Check the Version column on this page to determine if any machine IDs are missing the latest version of security protection or the latest KES client software available.

2. Current KES Client Version: The latest KES client software available.

3. Update: Click to schedule a virus definition update on selected machine IDs using the update options previously selected.

4. Cancel Update: Click to clear a scheduled update.

5. Enable Automatic Updates: Enables virus definition updates.

6. Disable Automatic Updates: Disables virus definition updates. This prevents virus definition updates from slowing down the network during peak working hours. In a future release you will be able to schedule when to update virus definitions. If automatic updates are disabled, then a red-cross icon displays in the Scheduled Time column, even if a manual update is scheduled.

7. Immediate: Check the Immediate box to begin the update as soon as Update is clicked.

8. Date/Time: Enter the year, month, day, hour, and minute to schedule this task.

9. Stagger by: You can distribute the load on your network by staggering this task. If you set this parameter to 5 minutes, then the task on each machine ID is staggered by 5 minutes.

Fig. 11.3: Manual Update

10. Skip if Machine Offline: Check to perform this task only at the scheduled time, within a 15 minute window. If the machine is offline, skip and run at the next scheduled period and time. Uncheck to perform this task as soon as the machine connects after the scheduled time.

11. Update from KServer (Override file source): If checked, updates are downloaded from the KServer. If blank, updates are downloaded using the method specified in Patch Management > File Source.

Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

12. Source: If a file source is defined using Patch Management > File Source, then updates are sourced from this location. Otherwise, updates are sourced from the internet.

If the option Download from Internet if machine is unable to connect to the file server is selected in Patch Management > File Source:

• During a KES v2.x endpoint install, if the file source is down or credentials invalid, the installer is downloaded from the KServer and completes the endpoint install.
• During a KES v2.x manual update, if the file source is down or credentials invalid, the update is downloaded from the internet.

In both cases above, the View Logs page displays an error message stating why the file source failed and that it is trying to download from the internet.

13. Last Update: This timestamp shows when a machine ID was last updated. When this date changes, a new update is available to use.

14. Version: The version of security protection currently used by this machine ID.

15. Scheduled Time: Timestamp showing the next scheduled update, if one is scheduled either manually or automatically.

11.1.4 Schedule Scan

The Schedule Scan page schedules security protection scans of selected machine IDs licensed to use Kaseya Endpoint Security. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.4 below shows the generic view of the Schedule Scan page. The options supported on this page are listed and explained below.

1. Scan: Click to schedule a scan of selected machine IDs using the scan options previously selected.

2. Cancel: Click to clear a scheduled scan.

3. Immediate: Check the Immediate box to begin the scan as soon as Scan is clicked.

4. Date/Time: Enter the year, month, day, hour, and minute to schedule this task.

5. Stagger by: You can distribute the load on your network by staggering this task. If you set this parameter to 5 minutes, then the task on each machine ID is staggered by 5 minutes. For example, machine 1 runs at 10:00, machine 2 runs at 10:05, machine 3 runs at 10:10, ...

6. Skip if Machine Offline: Check to perform this task only at the scheduled time, within a 15 minute window. If the machine is offline, skip and run at the next scheduled period and time. Uncheck to perform this task as soon as the machine connects after the scheduled time.

7. Every N Periods: Check the box to make this task a recurring task. Enter the number of periods to wait before running this task again.

8. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes.

9. Last Scan: This timestamp shows when the last scan occurred. When this date changes, new scan data is available to view.

10. Next Scan / Schedule: This timestamp shows the next scheduled scan. Overdue date/timestamps display as red text with yellow highlight. A green checkmark indicates the scan is recurring.
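The Stagger by, Skip if Machine Offline and Every N Periods options (the same three appear on the Manual Update page in 11.1.3) interact in a way that is easy to get wrong when planning a maintenance window: a staggered slot may fall while an endpoint is offline, and the offline rule then decides whether the task waits for the next check-in or the next period. The following Python example, added by the editor and not part of the KES manual or product, models that decision for a constructed fleet. The endpoint record, the online-interval representation and the 15-minute window taken from the page are assumptions about how the agent reports itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

OFFLINE_WINDOW = timedelta(minutes=15)   # "Skip if Machine Offline" waits this long past the slot


@dataclass
class Endpoint:
    machine_id: str
    online: List[Tuple[datetime, datetime]]   # [start, end) intervals when the agent is checked in

    def next_check_in(self, when: datetime) -> Optional[datetime]:
        """Earliest moment at or after `when` that the agent is online, or None."""
        candidates = [max(start, when) for start, end in self.online if end > when]
        return min(candidates) if candidates else None


def stagger_slots(base: datetime, endpoints, stagger_minutes: int):
    """Stagger by: machine 1 at base, machine 2 at base + N minutes, machine 3 at base + 2N, ..."""
    return {ep.machine_id: base + timedelta(minutes=stagger_minutes * i)
            for i, ep in enumerate(endpoints)}


def plan_task(base: datetime, endpoints, stagger_minutes: int = 0, skip_if_offline: bool = False):
    """Decide when each endpoint runs a scheduled scan or update.
    Returns machine_id -> run time, or None when the run is skipped until the next period."""
    slots = stagger_slots(base, endpoints, stagger_minutes)
    plan = {}
    for ep in endpoints:
        slot = slots[ep.machine_id]
        first_online = ep.next_check_in(slot)
        if skip_if_offline:
            # Run only inside the 15-minute window after the slot; otherwise skip this period.
            in_window = first_online is not None and first_online < slot + OFFLINE_WINDOW
            plan[ep.machine_id] = first_online if in_window else None
        else:
            # Run at the slot if online, else as soon as the agent connects after it.
            plan[ep.machine_id] = first_online
    return plan


def next_period(slot: datetime, every_n: int, period: timedelta) -> datetime:
    """Every N Periods: the next run of a recurring task, N periods after this slot."""
    return slot + every_n * period


# Constructed sample: a 10:00 scan staggered by 5 minutes across three machines
BASE = datetime(2024, 3, 4, 10, 0)
FLEET = [
    Endpoint("m1.corp", [(datetime(2024, 3, 4, 0, 0), datetime(2024, 3, 5, 0, 0))]),     # online all day
    Endpoint("m2.corp", [(datetime(2024, 3, 4, 10, 20), datetime(2024, 3, 4, 18, 0))]),  # connects at 10:20
    Endpoint("m3.corp", [(datetime(2024, 3, 4, 10, 12), datetime(2024, 3, 4, 18, 0))]),  # connects at 10:12
]

if __name__ == "__main__":
    print("skip if offline:", plan_task(BASE, FLEET, 5, skip_if_offline=True))
    print("run when connected:", plan_task(BASE, FLEET, 5, skip_if_offline=False))
```

With Skip if Machine Offline checked, m2.corp misses its 10:05 slot because it only connects at 10:20, after the 15-minute window closes, so it is skipped until the next period; with the box unchecked the same machine runs at 10:20, the moment it connects. m3.corp, whose slot is 10:10, runs at 10:12 under either setting.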

11.1.5 View Threats

The View Threats page displays threats you can take action on. Threats are grouped by their status on two different tabs:

• Current Threats - Lists discovered threats on machines that could not be automatically healed. Each unhealed threat remains unchanged on the machine, requiring user action. Deleting a threat on the Current Threats tab deletes the file immediately, without moving the file to the Virus Vault.

• Virus Vault - Threats are discovered by scan or resident shield. Healing the threat replaces the original file with a healed copy. The original, unhealed file is moved to a hidden partition on the computer hard drive called the Virus Vault. In effect, the Virus Vault acts as a kind of "recycle bin" for threats, allowing you to recover them before deleting them permanently from machines.

Fig. 11.4: Schedule Scan

Healing

Healing involves the following steps:

1. An attempt is made to clean the file.

2. If that fails, an attempt is made to move the file to the Virus Vault.

3. If that fails, an attempt is made to delete the file.

4. If that fails, the file remains unchanged on the machine and is listed in the Current Threats tab of the View Threats page.

MS Exchange Server Threats

Any malware detected by MS Exchange Server email protection is immediately deleted from the MS Exchange Server and displays only on the Virus Vault tab.
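The healing cascade and the Exchange special case above determine which tab a threat ends up on, and therefore whether anyone has to act on it. The following Python example, added by the editor and not part of the KES manual or product, implements the four-step cascade against a constructed stand-in for the endpoint file system whose per-file flags decide which step succeeds, so each branch can be exercised offline. The Threat and FakeDisk types, the sample paths and threat names, and the assumption that an automatically deleted file appears on neither tab are the editor's.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    HEALED = "healed"        # cleaned in place; the unhealed original is kept in the Virus Vault
    VAULTED = "vaulted"      # moved to the Virus Vault
    DELETED = "deleted"
    UNCHANGED = "unchanged"  # still on disk; needs user action on the Current Threats tab


@dataclass
class Threat:
    machine_id: str
    path: str
    name: str
    source: str   # "scan", "resident_shield" or "exchange"


@dataclass
class FakeDisk:
    """Constructed stand-in for the endpoint file system: per-file flags say which
    operations would succeed, so every branch of the cascade can be exercised offline."""
    files: Dict[str, Dict[str, bool]]
    vault: List[str] = field(default_factory=list)

    def clean(self, path: str) -> bool:
        if self.files.get(path, {}).get("cleanable"):
            self.vault.append(path)            # original, unhealed file goes to the vault
            self.files[path] = {"healed": True}  # healed copy replaces it on disk
            return True
        return False

    def quarantine(self, path: str) -> bool:
        if self.files.get(path, {}).get("movable"):
            self.vault.append(path)
            del self.files[path]
            return True
        return False

    def delete(self, path: str) -> bool:
        if self.files.get(path, {}).get("deletable"):
            del self.files[path]
            return True
        return False


def heal(threat: Threat, disk: FakeDisk) -> Tuple[Outcome, Optional[str]]:
    """The cascade from the page: clean, else vault, else delete, else leave unchanged.
    Returns the outcome and the View Threats tab the record shows on (None: no record)."""
    if threat.source == "exchange":
        # Exchange email protection deletes the item at once and lists it only under Virus Vault.
        disk.files.pop(threat.path, None)
        return Outcome.DELETED, "Virus Vault"
    if disk.clean(threat.path):
        return Outcome.HEALED, "Virus Vault"
    if disk.quarantine(threat.path):
        return Outcome.VAULTED, "Virus Vault"
    if disk.delete(threat.path):
        return Outcome.DELETED, None          # assumption: nothing left to act on, no tab entry
    return Outcome.UNCHANGED, "Current Threats"


def triage(threats: List[Threat], disk: FakeDisk):
    """Run the cascade over a batch and group the survivors by tab."""
    tabs = {"Current Threats": [], "Virus Vault": []}
    results = {}
    for t in threats:
        outcome, tab = heal(t, disk)
        results[t.path] = outcome
        if tab:
            tabs[tab].append(t.path)
    return results, tabs


def sample_disk() -> FakeDisk:
    """Constructed sample, one file per branch of the cascade."""
    return FakeDisk(files={
        r"C:\Users\bob\Downloads\setup.exe": {"cleanable": True, "movable": True, "deletable": True},
        r"C:\Temp\dropper.dll": {"cleanable": False, "movable": True, "deletable": True},
        r"C:\Windows\Temp\locked.sys": {"cleanable": False, "movable": False, "deletable": True},
        r"C:\pagefile.sys": {"cleanable": False, "movable": False, "deletable": False},
    })


def sample_threats() -> List[Threat]:
    """Constructed sample threats; names are placeholders, not real signatures."""
    return [
        Threat("ws01.sales", r"C:\Users\bob\Downloads\setup.exe", "Sample.Threat.A", "resident_shield"),
        Threat("ws01.sales", r"C:\Temp\dropper.dll", "Sample.Threat.B", "scan"),
        Threat("ws01.sales", r"C:\Windows\Temp\locked.sys", "Sample.Threat.C", "scan"),
        Threat("ws01.sales", r"C:\pagefile.sys", "Sample.Threat.D", "scan"),
        Threat("mail01.eng", "Mailbox/alice/Inbox/item-1234", "Sample.Threat.E", "exchange"),
    ]


if __name__ == "__main__":
    results, tabs = triage(sample_threats(), sample_disk())
    for path, outcome in results.items():
        print(f"{outcome.value:10} {path}")
    print(tabs)
```

Only the file that resists all three automatic steps lands on Current Threats; everything that was cleaned or vaulted keeps a recoverable copy, which is why Restore on the Virus Vault tab is possible for those and not for anything deleted.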

Fig. 11.5 below shows the generic view of the View Threats page. The options supported on this page are listed and explained below.

1. Current Threats: The Current Threats tab provides you with the following actions:

• Heal - Attempts to heal a file without deleting it. Healed threats are removed from the Current Threats tab and display in the Virus Vault tab.

• Delete - Attempts to delete a file. Deleted threats are deleted from the computer immediately.

• Remove from this List - Removes the threat from the View Threats page without performing any other action.

• Cancel Pending Operation - Cancels any of the other actions, if they have not yet been completed.

Fig. 11.5: View Threats

• Add to PUP Exclusion List - A threat is identified as a potentially unwanted program, or PUP, by displaying a (P) next to the name of the threat on the View Threats page. PUP threats can be added to the exclusion list for the profile assigned to the machine they were found on. Exclusion means the file is no longer scanned as a potential threat on all machines assigned this profile. Only perform this action if you're certain the file is safe to use. The entire PUP Exclusion List is maintained using the Define Profile > PUP Exclusions tab.

2. Virus Vault: The Virus Vault tab provides you with the following actions:

• Restore - Restores the original file identified as a threat. Only perform this action if you're certain the file is safe to use.

• Delete - Deletes the original file identified as a threat from the Virus Vault.

Note: Files deleted from the Virus Vault cannot be recovered.

• Remove from this List - Removes the threat from the View Threats page without performing any other action.

• Cancel Pending Operation - Cancels any of the other actions, if they have not yet been completed.

• Add to PUP Exclusion List - A threat is identified as a potentially unwanted program, or PUP, by displaying a (P) next to the name of the threat on the View Threats page. PUP threats can be added to the exclusion list for the profile assigned to the machine they were found on. Exclusion means the file is no longer scanned as a potential threat on all machines assigned this profile. Only perform this action if you're certain the file is safe to use. The entire PUP Exclusion List is maintained using the Define Profile > PUP Exclusions tab.

3. Apply Filter / Reset Filter: Click Apply Filter to filter the rows displayed by the text entered in the Machine.Group, Threat Path or Threat Name fields. Time filtering and Action sorting occur immediately. Click Reset Filter to display all rows of data.

4. Machine.Group: Filter by the machine ID.group ID of the managed machines reporting threats.

5. Threat Path: Filter by the pathname location of files on managed machines with reported threats.

6. Time: Filter by a range of dates and times the threats were last detected. Time filtering occurs immediately.

7. Threat Name: Filter by the name of the threat, as designated by the anti-malware definitions used to detect a threat.

8. Category: Filter by the type of threat reported. Select All OFF or All ON to enable or disable all categories.

9. Action: Filter by pending or completed actions taken against View Threats records. Select All OFF or All ON to enable or disable actions. Action sorting occurs immediately.

11.1.6 View Logs

The View Logs page displays the security protection event log of each machine ID licensed to use Kaseya Endpoint Security. The list of machine IDs displayed depends on the Machine ID/Group ID filter and machine groups the user is authorized to see using System > User Security > Scopes. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Click a machine ID.group ID to display an event log. Each event displays the Time, an event Code, and in most cases a Message containing additional information. Security protection event codes describe one of three types of log entry:

• Errors
• Events
• Commands

Fig. 11.6 below shows the generic view of the View Logs page. The options supported on this page are listed and explained below.

Filter Fields: Filter the display of log entries using text fields, a date range and/or drop-down lists. Include an asterisk (*) wildcard with the text you enter to match multiple records. Paging rows can be sorted by clicking column heading links.

1. Time, Min, Max: Filter by a range of dates and times.

2. Code: Filter by the category of log event reported. Select All OFF or All ON to enable or disable all categories.

3. Message: Filter by message text.

4. Apply Filter / Reset Filter: Click Apply Filter to filter the rows by the date range entered in the Time fields and/or the text entered in the Message field. Click Reset Filter to display all rows of data.
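When the console filter is not enough, for instance when correlating the file-source fallback errors from 11.1.3 across many machines, the same Time, Code and Message filter logic is easy to reproduce over an exported log. The following Python example is added by the editor and is not part of the KES manual or product: it parses a constructed event log in an assumed "time|code|message" layout (not real KES output), treats only the asterisk as a wildcard as the page describes, and reads a filter without an asterisk as a whole-message match, which is the editor's assumption.

```python
import re
from datetime import datetime
from typing import Optional, Set

# Constructed sample event log in an assumed "time|code|message" layout (not real KES output)
SAMPLE_LOG = r"""2024-03-04 08:55:10|Command|Update scheduled by admin (immediate)
2024-03-04 08:57:41|Event|Signature update completed: 271.14.5
2024-03-04 09:02:03|Error|File source \\fs01\kes unreachable, downloading update from the internet
2024-03-04 09:30:00|Event|Scheduled scan started
2024-03-04 10:12:47|Event|Resident Shield moved C:\Users\bob\Downloads\invoice.exe to the Virus Vault
2024-03-04 10:13:02|Error|Heal failed for C:\Temp\dropper.dll, listed under Current Threats"""

CODES = {"Error", "Event", "Command"}   # the three log entry types named on the page


def parse_log(text: str):
    """Split each line into time, code and message; reject codes outside the three types."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, code, message = line.split("|", 2)
        if code not in CODES:
            raise ValueError(f"unknown code {code!r}")
        events.append({
            "time": datetime.strptime(time_s, "%Y-%m-%d %H:%M:%S"),
            "code": code,
            "message": message,
        })
    return events


def wildcard(pattern: str) -> "re.Pattern":
    """Only '*' is special and matches any run of characters; everything else is literal.
    Without a '*' the filter text must match the whole message (assumption). Case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def filter_log(events, time_min: Optional[datetime] = None, time_max: Optional[datetime] = None,
               codes: Optional[Set[str]] = None, message: Optional[str] = None):
    """Apply Filter: Time Min/Max range, Code categories (None means All ON, an empty
    set means All OFF) and a Message wildcard."""
    rx = wildcard(message) if message else None
    out = []
    for ev in events:
        if time_min is not None and ev["time"] < time_min:
            continue
        if time_max is not None and ev["time"] > time_max:
            continue
        if codes is not None and ev["code"] not in codes:
            continue
        if rx is not None and not rx.match(ev["message"]):
            continue
        out.append(ev)
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in filter_log(events, codes={"Error"}, message="*update*"):
        print(ev["time"], ev["code"], ev["message"])
```

Because the wildcard is translated through re.escape, characters such as backslashes, dots and parentheses in a filter like `*\\fs01\kes*` are matched literally rather than interpreted as regular-expression syntax.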

Fig. 11.6: View Logs


11.2 License

11.2.1 Extend/Return

The Extend/Return page extends the annual license count for selected machine IDs or returns annual licenses from selected machine IDs. An annual license can be returned from one machine ID and be applied to another machine ID. Each machine ID can be allocated multiple years of security protection. KES licenses are allocated to group IDs using System > License Manager.

The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.7 below shows the generic view of the Extend/Return page. The options supported on this page are listed and explained below.

1. Extend: Extends the annual license count for selected machine IDs.

2. Return: Returns annual licenses from selected machine IDs.

3. Auto Extend: Enables automatic allocation of a new license the day the old license expires for selected machine IDs. Partial licenses are allocated first, then full licenses. If no additional licenses exist, allocation fails and security protection expires for the endpoint.

4. Remove Auto Extend: Disables auto extend for selected machine IDs. This option only displays for master role users.

5. Licenses Used: Displays the number of annual Kaseya Endpoint Security licenses used, returnable and partial. These counts are not affected by the machine ID.group ID filter.

• Used - A license is used if it has been assigned at least once to any machine ID. The used license count includes all returnable, partial and expired licenses.

Fig. 11.7: Extend/Return

• Returnable - The total number of returnable licenses available.

• Partial - The total number of partially used licenses available. Partially consumed licenses are made available when KES is uninstalled from a machine ID.

6. Show only licences expiring within 30 days: Limits the display of licenses in the paging area to those expiring within 30 days.

7. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

8. Returnable: The number of annual licenses returnable from a machine ID. A machine ID with only one annual license cannot return any additional annual licenses.

9. Expires On: The date a machine ID's security protection expires, based on the number of annual licenses it has.

10. Auto Extend: If checked, auto extend is enabled for this machine ID.

11. At Limit: If the maximum number of annual licenses available to a group ID are being used, then each licensed machine ID in that group ID displays a Yes in the At Limit column. This alerts the user that more annual licenses may be required for that group ID. KES licenses are allocated to group IDs using System > License Manager.
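The consequence of Auto Extend failing is an unprotected endpoint, so it is worth being precise about the allocation order (partial before full), the returnable rule (a machine keeps at least one license) and the At Limit signal. The following Python example, added by the editor and not part of the KES manual or product, models those rules over a constructed pool and fleet. The LicensePool and Machine types, the 365-day annual term, the assumption that a returned license is a full unused year, and the group limits are the editor's.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

ANNUAL_DAYS = 365   # a never-used annual license; partial licenses carry fewer days


@dataclass
class LicensePool:
    """Licenses allocated to a group ID (System > License Manager) but not applied to a machine."""
    partial: List[int] = field(default_factory=list)   # days left on partially consumed licenses
    full: int = 0                                      # never-used annual licenses

    def available(self) -> int:
        return len(self.partial) + self.full

    def take(self) -> Optional[int]:
        """Partial licenses are consumed before full ones; None when the pool is exhausted."""
        if self.partial:
            return self.partial.pop(0)
        if self.full > 0:
            self.full -= 1
            return ANNUAL_DAYS
        return None


@dataclass
class Machine:
    machine_id: str
    group_id: str
    expires_on: date
    licenses: int = 1             # annual licenses applied; at least one while KES is installed
    auto_extend: bool = False
    protected: bool = True

    def returnable(self) -> int:
        """A machine with only one annual license cannot return any."""
        return max(self.licenses - 1, 0)


def extend(machine: Machine, pool: LicensePool, today: date) -> bool:
    """Extend: apply one more license; the new term starts when the current one ends."""
    days = pool.take()
    if days is None:
        return False
    machine.expires_on = max(machine.expires_on, today) + timedelta(days=days)
    machine.licenses += 1
    machine.protected = True
    return True


def return_license(machine: Machine, pool: LicensePool) -> bool:
    """Return: give an unused annual license back so it can be applied to another machine
    (assumption: the returned license is a full, not yet started, year)."""
    if machine.returnable() == 0:
        return False
    machine.licenses -= 1
    machine.expires_on -= timedelta(days=ANNUAL_DAYS)
    pool.full += 1
    return True


def run_auto_extend(machines: List[Machine], pool: LicensePool, today: date) -> Dict[str, str]:
    """On the day a license expires, allocate a replacement for machines with Auto Extend on.
    If no license is left, allocation fails and protection expires for that endpoint."""
    status = {}
    for m in machines:
        if m.expires_on > today:
            status[m.machine_id] = "active"
        elif m.auto_extend and extend(m, pool, today):
            status[m.machine_id] = "extended"
        else:
            m.protected = False
            status[m.machine_id] = "expired"
    return status


def at_limit(machines: List[Machine], group_limits: Dict[str, int]) -> Dict[str, bool]:
    """At Limit: Yes for every licensed machine in a group whose allocation is fully used."""
    used: Dict[str, int] = {}
    for m in machines:
        used[m.group_id] = used.get(m.group_id, 0) + m.licenses
    return {m.machine_id: used[m.group_id] >= group_limits.get(m.group_id, 0) for m in machines}


def sample_fleet(today: date):
    """Constructed sample: one partial and one full license for three expiring machines."""
    pool = LicensePool(partial=[120], full=1)
    machines = [
        Machine("ws01.sales", "sales", today, auto_extend=True),
        Machine("ws02.sales", "sales", today, auto_extend=True),
        Machine("ws03.sales", "sales", today, auto_extend=True),
        Machine("ws04.eng", "eng", today + timedelta(days=10), licenses=2),
    ]
    return machines, pool


if __name__ == "__main__":
    today = date(2024, 3, 4)
    machines, pool = sample_fleet(today)
    print(run_auto_extend(machines, pool, today))
    print(at_limit(machines, {"sales": 4, "eng": 3}))
```

Three machines expire on the same day with two licenses in the pool: the first gets the 120-day partial license, the second the full year, and the third is left unprotected, which is exactly the situation the At Limit column and the Notify page in 11.2.2 exist to flag in advance.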

11.2.2 Notify

The Notify page provides automatic notification of the expiration of KES licenses. Customers, VSA users and machine users can be notified a specified number of days before KES licenses expire. KES licenses are allocated to group IDs using System > License Manager.

Fig. 11.8 below shows the generic view of the Notify page. The options supported on this page are listed and explained below.

Fig. 11.8: Notify


1. Send notification when license will expire in N days: Enter the number of days before the expiration date of a KES license to notify customers, VSA users and machine users.

2. Email Recipients (Comma separate multiple addresses): Specify email addresses to send notification messages to. Multiple email addresses must be separated by commas.

3. Apply: Click Apply to apply parameters to selected machine IDs. Confirm the parameters have been applied correctly in the machine ID list.

4. Clear: Click Clear to remove all parameter settings from selected machine IDs.

5. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

6. Days: Shows the number of days before the license expiration date that notification will be sent.

7. Email Address List: Lists the email addresses notifications will be sent to.

8. Notify: If checked, email recipients will be forewarned that this machine ID's security license is about to expire. If blank, notification will not be sent.

11.3 Configure

11.3.1 Install/Remove

The Install/Remove page installs or removes security protection for selected machine IDs. The list of machine IDs displayed depends on the Machine ID/Group ID filter and machine groups the user is authorized to see using System > User Security > Scopes. Installation requires a reboot of the managed machine.

Fig. 11.9 below shows the generic view of the Install/Remove page. The options selected on this page are listed and explained below.

Fig. 11.9: Install/Remove

1. Install: Install KES on selected machine IDs.

2. Verify Install: Displays only in Kaseya 2. Updates 5.x KES clients to K2 KES clients. Can also be used to install a K2 KES client when a standalone version of AVG is already installed on a managed machine.

3. Remove: Remove KES from selected machine IDs.

4. Cancel Pending Operation: Cancel either of the first two actions, if they have not yet been completed.

5. Edit User Prompts: Edit the warning prompt displayed to users, if a warning prompt is displayed. You can also specify the number of minutes the user is allowed to postpone installation. This option only displays for master role users.

6. Reboot Now: Reboots the selected computer. Periodically AVG releases an update that requires a reboot. Reboot required displays in the Version column.

7. Installation Options: Configure the following installation options. These options apply to any installation you subsequently perform. Installation options are defined by VSA user.

• User Name - If checked, enter a name associated with this install of KES.

• Company Name - If checked, enter the name of the company associated with this install of KES.

• Target Directory - If checked, enter a target directory. If blank, the default install directory is used.

• Kill all running applications that prevent installation - If checked, stops all running applications that might prevent successful installation.

• Disable Windows Defender - Running Windows Defender significantly degrades the performance of KES and should be disabled by default using this option.

• Reboot the computer after installation if needed

  • If checked, AVG reboots the computer after installation. Kaseya does not control this event. While the endpoint reboots, the Install Status column may display a Verifying Installation message. Once the endpoint checks in again, the installation completes and the Install Status column displays a green checkmark.

  • If blank, Kaseya controls the reboot. The Install Status column displays a Reboot Required button. The user can click the button to reboot the endpoint. Once the endpoint checks in again, the installation completes and the Install Status column displays a green checkmark.

• Enable end user directory scans - Adds a right-click option to Windows Explorer, enabling the user to scan an individual file or directory immediately.

• Hide AVG system tray icon - If checked, hides the AVG icon in the system tray. If unchecked, the AVG icon displays only after AVG is installed and the machine rebooted.

Script Options

• Script to run before install - Select an agent procedure.


• Script to run after install - Select an agent procedure.

Components

• Link Scanner - Blocks dangerous websites and checks links returned by the most popular search engines. Does not install to browsers running on Windows Server O/S.

• Active Safe Search - Scans a link displayed in a web page, before you click it.

• Search-Shield - Identifies the safety rating for a search link listed in Google, Yahoo and MSN search lists.

• Web-Shield - Scans downloaded files and files exchanged using instant messaging.

• MS Office 2000 - 2007 Add-in - Installs the AVG scanning plugin for Microsoft Office, versions 2000 through 2007.

• Email Scanner - If checked, installation detects the default email client on a machine and automatically installs the respective email scanning plug-in.

• ID Protection - If checked, AVG's Identity Protection option is enabled. Prevents targeted theft of passwords, bank account details, credit card numbers, and other digital valuables using "behavioral analysis" to spot suspicious activity on a machine.

• Firewall (Not managed by Kaseya) - If checked, AVG's firewall option is enabled. Blocks unauthorized access while permitting authorized communications.

• Exchange Server Plug-in (Setting ignored on non-Exchange machines) - If checked, installs KES email protection to MS Exchange Servers. This setting is ignored when the KES client is installed to a non-MS Exchange Server machine.

8. Immediate: Check the Immediate box to begin the install as soon as Install is clicked.

9. Date/Time: Enter the year, month, day, hour, and minute to schedule this task.

10. Stagger by: You can distribute the load on your network by staggering this task. If you set this parameter to 5 minutes, then the task on each machine ID is staggered by 5 minutes.

11. Skip if Machine Offline: Check to perform this task only at the scheduled time, within a 15 minute window. If the machine is offline, skip and run at the next scheduled period and time. Uncheck to perform this task as soon as the machine connects after the scheduled time.

12. Applied Licenses: Displays the number of annual KES licenses applied to machines.

13. License Pool: Displays the number of additional licenses available: partially-used KES licenses and never-used KES licenses. Partially-used licenses are always consumed first.

14. Install from KServer (override file source): If checked, installs are downloaded from the KServer. If blank, installs are downloaded using the method specified in Patch Management > File Source.

15. Select Profile: Selects the security profile to assign a machine ID when security protection is installed.

16. Prompt user before install / Force install without warning user: Installation requires a reboot of the managed machine. If Prompt user before install is selected, the user is given the option of postponing the installation for a specified number of minutes. Otherwise Force install without warning user causes the software to be installed at the scheduled time without warning the user.

17. Auto Refresh: Selecting this checkbox automatically updates the paging area every five seconds. This checkbox is automatically selected and activated whenever Install is clicked.

18. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

19. Install Status: If checked, KES client software is installed on the machine ID. If the agent software is earlier than 4.7.1, the message Requires Agent Update displays. If blank, KES client software is not installed on the machine ID.

20. Install Source: If a file source is defined using Patch Management > File Source, then installs are sourced from this location. Otherwise, installs are sourced from the internet.

21. Installed On: The date KES client software was installed on the machine ID.

22. Version: The version of security protection currently used by this machine ID.

11.3.2 Define Profile

The Define Profile page manages security profiles. Each security profile represents a different set of enabled or disabled security options. Changes to a security profile affect all machine IDs assigned that security profile. A security profile is assigned to machine IDs using Security > Assign Profile. Typically different types of machines or networks require different security profiles. A sample profile is provided for you. You can't change the sample profile, but you can save it under a new name and make changes to the copy.

Fig. 11.10 below shows the generic view of the Define Profile page. The options supported on this page are listed and explained below.

Fig. 11.10: Define Profile


1. Save: Saveschangestoasecurityprofile.

2. Save As:Createsanewsecurityprofilebysavingitusingadifferentname.

3. Delete:Deletesanexistingsecurityprofile.

4. Share:Sharesaprivatesecurityprofile.Otheruserscannotseeprivatesecurityprofiles.Sharingaprivatesecurityprofilemakesitapublicsecurityprofile.Sharerightsareassignedby object.Therearethreesharingcheckboxoptions.Thefirsttwocheckboxesaremutually exclusiveanddeterminewhatsharerightsareassigned.Ifneitherofthefirsttwocheckboxesarechecked,thesharedobjectcanonlybeseenbytheusersgivenshareaccess,buttheobjectcannotbeusednoredited.TheSharedandNot Sharedlistboxesandthethirdcheckboxdeterminewhocanseetheobject.

• Allow other administrators to modify:Ifchecked,sharerightstotheobjectincludesbeingabletouseit,viewitsdetailsandeditit.

• Other administrators may use but may not view or edit:Ifchecked,sharerightstotheobjectonlyallowsusingit.

• Make public (seen by all administrators):Ifchecked,ensuresthatallcurrentandfutureVSAuserscanseetheobject.Ifblank,onlyselecteduserrolesanduserscanseethesharedobject.Ifblank,andnewusersoruserrolesareaddedlater,youhavetoreturntothisdialogtoenablethemtoseethespecificobject.

5. Take Ownership:Takesownershipofanypublicsecurityprofile.Thisoptiononlydisplaysformas-terroleusers.

6. General: TherearethreesectionswhenGeneralisselected.Anexplanationofthesesectionsisprovidedbelow.

VirusVaultLimit Size of the Vault-Ifchecked,limitsthesizeofthevaultasspecifiedusingthefollowingoptions:

• Maximum Size of the Vault:<N>% of Local Disk-Enterthemaximumpercentageofdiskspacetoallocateforthestorageofquarantinedthreats.

• Minimum Available Space to Remain on Local Disk-Entertheminimumnumberofmegabytestoallocateonthedisktothestorageofquarantinedthreats.

Automatic File Deletion-Ifchecked,deletesfilesautomaticallyasspecifiedbythefollowingoptions:

• Delete Files Older than <N> Days-Enterthenumberofdaystostorequarantinedthreatsbeforetheyareautomaticallydeleted.

• Maximum Number of files to Store-Enterthemaximumnumberofquarantinedthreatstostore.

System Tray Notifications

• Display system tray notifications - If checked, the following system tray notifications can be optionally enabled. All notification messages display on the managed machine next to the system tray.


  • Display tray notifications about update - If checked, displays a notification message that the KES software is being updated.

  • Display tray notifications about scanning - If checked, displays a notification message that the machine is being scanned.

  • Display Resident Shield related tray notifications (automatic action) - If checked, displays a notification message that Resident Shield has taken action against a threat.

  • Display components state change notification - If checked, displays a notification message that the state of one of the KES components has changed.

  • Display Email Scanner related notifications - If checked, displays a notification message that email scanning has taken action against an email threat.

Agent Icon Menu

• Display option to Enable/Disable Resident Shield in Agent Icon Menu - If checked:

  • Enable Security and Cancel Scan options display in the agent task menu of the managed machine.

  • The user can click the Enable Security option on the agent menu to turn security protection on or off.

  • The user can click the Cancel Scan option on the agent menu to cancel an ongoing security protection scan.

7. Resident Shield

Resident Shield is a memory-resident feature.

• Enable Resident Shield - If checked, the following types of files are scanned as they are copied, opened or saved. If blank, no other Resident Shield options are evaluated.

File Types

• Scan all files - If selected, all files on the managed machine are scanned.

• Scan Infectible files and Selected Document Types - If selected, specifies the additional file extensions of programs and documents to include or exclude using the following options:

  • Exclude files with the following extensions from the scan - Specifies the file extensions of programs and documents to exclude from a scan. Excluded extensions have precedence over included extensions. Enter each extension separated by a semi-colon (;) character.

  • Always scan files with the following extensions - Specifies the file extensions of programs and documents to include in a scan. Enter each extension separated by a semi-colon (;) character. Resident Shield scans the following file extensions without you having to specify them: 386;ASP;BAT;BIN;BMP;BOO;CHM;CLA;CLASS;CMD;CNM;COM;CPL;DEV;DLL;DO*;DRV;EML;EXE;GIF;HLP;HT*;INI;JPEG*;JPG;JS*;LNK;MD*;MSG;NWS;OCX;OV*;PCX;PGM;PHP*;PIF;PL*;PNG;POT;PP*;SCR;SHS;SMM;SYS;TIF;VBE;VBS;VBX;VXD;WMF;XL*;XML;ZL*;


  • Scan files without an extension - If checked, the scan includes files without an extension.

Additional Options

• Scan for Tracking Cookies - If checked, the scan includes internet browser tracking cookies. Found tracking cookies are deleted immediately and not moved to the virus vault.

• Scan Potentially Unwanted Programs and Spyware threats - If checked, the scan detects executable applications or DLL libraries that could be potentially unwanted programs. Some programs, especially free ones, include adware and may be detected and reported by KES as a Potentially Unwanted Program.

• Scan files on close - If checked, files are scanned as they are closed.

• Scan boot sector of removable media - If checked, the scan includes the boot sector of removable media.

• Use Heuristics - If checked, scanning includes heuristic analysis. Heuristic analysis performs a dynamic emulation of a scanned object's instructions within a virtual computing environment.
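The File Types options above combine a built-in extension list (with * wildcards), a user-supplied include list, an exclude list that takes precedence, and a separate switch for files that have no extension. The Python example below is added here to make those decision rules concrete; it is not KES code. The ResidentShieldPolicy class is an assumption of this example, as is the rule that Scan all files bypasses the exclusion list (the page only says that all files are scanned when that option is selected).

```python
import fnmatch

# Built-in extension list quoted in the Resident Shield section above.
# A trailing "*" is a wildcard: DO* matches DOC, DOCX, DOT and so on.
DEFAULT_EXTENSIONS = (
    "386;ASP;BAT;BIN;BMP;BOO;CHM;CLA;CLASS;CMD;CNM;COM;CPL;DEV;DLL;DO*;DRV;"
    "EML;EXE;GIF;HLP;HT*;INI;JPEG*;JPG;JS*;LNK;MD*;MSG;NWS;OCX;OV*;PCX;PGM;"
    "PHP*;PIF;PL*;PNG;POT;PP*;SCR;SHS;SMM;SYS;TIF;VBE;VBS;VBX;VXD;WMF;XL*;XML;ZL*"
)


def parse_extension_list(text):
    """Split a semicolon-separated list such as 'LOG;TMP;' into upper-case patterns."""
    return [item.strip().upper() for item in text.split(";") if item.strip()]


def file_extension(path):
    """Upper-case extension of the last path component, or '' if there is none.

    Both '/' and '\\' are accepted as separators so Windows paths work on any host.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name[1:]:          # no dot, or only a leading dot (".profile")
        return ""
    return name.rsplit(".", 1)[1].upper()


def matches_any(ext, patterns):
    # fnmatchcase understands the '*' and '?' wildcards used in the page's lists
    return any(fnmatch.fnmatchcase(ext, pattern) for pattern in patterns)


class ResidentShieldPolicy:
    """Models the File Types options of a security profile (example class, not KES API)."""

    def __init__(self, scan_all=False, exclude="", always_scan="", scan_no_extension=False):
        self.scan_all = scan_all
        self.exclude = parse_extension_list(exclude)
        # user-entered 'Always scan' extensions are added on top of the built-in list
        self.include = parse_extension_list(always_scan) + parse_extension_list(DEFAULT_EXTENSIONS)
        self.scan_no_extension = scan_no_extension

    def should_scan(self, path):
        """Decide whether Resident Shield scans this file when it is copied, opened or saved."""
        if self.scan_all:
            return True                  # assumption: 'Scan all files' ignores the extension lists
        ext = file_extension(path)
        if ext == "":
            return self.scan_no_extension
        if matches_any(ext, self.exclude):
            return False                 # excluded extensions take precedence over included ones
        return matches_any(ext, self.include)


if __name__ == "__main__":
    policy = ResidentShieldPolicy(exclude="LOG;TMP", always_scan="PS1", scan_no_extension=True)
    for sample in (r"C:\Users\alice\report.docx", "tool.ps1", "debug.log", "Makefile", "notes.txt"):
        print(f"{sample:32} scan={policy.should_scan(sample)}")
```

Note that a plain .txt file is not scanned under the default list, which is why the page's own email-scanner section later singles out names such as ILOVEYOU.TXT.VBS: the decisive extension is the last one.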

8. Email Scanner

• Enable Email Scanner - If checked, inbound and outbound email and attachments are scanned for viruses. If blank, no other Email Protection options are evaluated.

Email Scanning

• Check Incoming Email - If checked, incoming email is scanned.

  • Do Not Certify Email - If selected, incoming email is not certified.

  • Certify all Email - If selected, all incoming email is certified.

  • Only Certify Email with Attachments - If selected, only incoming email with attachments is certified.

  • Incoming Email Certification - Certification text appended to incoming email.

• Check Outgoing Email - If checked, outgoing email is scanned.

  • Do Not Certify Email - If selected, outgoing email is not certified.

  • Certify all Email - If selected, all outgoing email is certified.

  • Only Certify Email with Attachments - If selected, only outgoing email with attachments is certified.

  • Outgoing Email Certification - Certification text appended to outgoing email.

• Modify Subject for Messages Marked as Virus - Adds prefix text to the subject of a message that contains a virus.


Scanning Properties

• Use Heuristics - Applies to an email message. If checked, scanning includes heuristic analysis. Heuristic analysis performs a dynamic emulation of a scanned object's instructions within a virtual computing environment.

• Scan Potentially Unwanted Programs and Spyware threats - If checked, email scanning includes scanning for spyware, adware, and potentially unwanted programs.

• Scan inside archives (RAR, RAR 3.0, ZIP, ARJ, CAB) - If checked, email archives are scanned.

Email Attachments Reporting (as a threat)

• Report Password Protected Archives - If checked, reports password-protected archive attachments (zip, rar, etc.) in email as threats.

• Report Password Protected Documents - If checked, reports password-protected document attachments in email as threats.

• Report Files containing macro - If checked, reports files containing macros attached to email as threats.

• Report hidden extensions - If checked, reports files that use a hidden extension. Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. The default Windows setting is to hide known extensions, so the file looks like ILOVEYOU.TXT. When you open it you do not open a .TXT text file but instead execute a .VBS procedure file.

• Move reported attachments to Virus Vault (incoming email only) - If checked, reported email attachments are moved to the virus vault. They display in the Virus Vault tab of the View Threats page instead of in the Current Threats tab.
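Two of the reporting options above can be checked from the attachment alone: a hidden (doubled) extension is visible in the file name, and a password-protected ZIP announces itself in the general-purpose flag of each local file header (bit 0 = encrypted). The Python example below is added here to show both checks on constructed sample attachments; it is not KES code. The set of extensions treated as executable, the classify_attachment function and the decision to flag only names with two or more extensions are assumptions of this example.

```python
import io
import struct
import zipfile

# Final extensions that make a doubled name such as ILOVEYOU.TXT.VBS dangerous.
# Drawn from the page's EXE-type list; the exact set KES uses is an assumption.
EXECUTABLE_EXTENSIONS = {
    "EXE", "COM", "SCR", "PIF", "BAT", "CMD", "VBS", "VBE", "JS", "JSE",
    "WSH", "HTA", "CPL", "LNK", "DLL", "SHS",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def has_hidden_extension(filename):
    """True for names with two or more extensions whose last one is executable."""
    parts = filename.split(".")
    return len(parts) >= 3 and parts[-1].upper() in EXECUTABLE_EXTENSIONS


def zip_has_encrypted_entry(data):
    """Walk the ZIP local file headers and report whether any entry is encrypted.

    Local header layout: signature(4) version(2) flags(2) method(2) time(2) date(2)
    crc(4) compressed(4) uncompressed(4) name_len(2) extra_len(2), then name, extra, data.
    Bit 0 of flags marks a password-protected entry.
    """
    offset = 0
    while data[offset:offset + 4] == ZIP_LOCAL_HEADER:
        (flags,) = struct.unpack_from("<H", data, offset + 6)
        if flags & 0x0001:
            return True
        (compressed_size,) = struct.unpack_from("<I", data, offset + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, offset + 26)
        offset += 30 + name_len + extra_len + compressed_size
    return False   # reached the central directory without an encrypted entry


def classify_attachment(filename, data):
    """Reasons an attachment would be reported under the options above ([] if none)."""
    reasons = []
    if has_hidden_extension(filename):
        reasons.append("hidden extension")
    if data[:4] == ZIP_LOCAL_HEADER and zip_has_encrypted_entry(data):
        reasons.append("password protected archive")
    return reasons


def build_sample_zip(encrypted):
    """Constructed sample: a one-entry ZIP. zipfile cannot write encrypted archives, so for
    encrypted=True the flag bit is set by hand, which is all the header check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", "hello")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x01
    return bytes(raw)


if __name__ == "__main__":
    samples = [
        ("ILOVEYOU.TXT.VBS", b"MsgBox 1"),
        ("report.pdf", b"%PDF-1.4"),
        ("docs.zip", build_sample_zip(encrypted=False)),
        ("secret.zip", build_sample_zip(encrypted=True)),
    ]
    for name, payload in samples:
        print(f"{name:18} -> {classify_attachment(name, payload) or 'not reported'}")
```

The archive check stops at the first encrypted entry, so a mixed archive with one protected member is still reported, which matches the conservative intent of the option.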

9. Full Scan

Scan Settings

• Scan Potentially Unwanted Programs and Spyware threats - If checked, the scan detects executable applications or DLL libraries that could be potentially unwanted programs. Some programs, especially free ones, include adware and may be detected and reported by KES as a Potentially Unwanted Program.

• Scan for Tracking Cookies - If checked, the scan includes internet browser tracking cookies. Found tracking cookies are deleted immediately and not moved to the virus vault.

• Scan Inside Archives - If checked, scanning includes archive files, such as ZIP and RAR files.

• Use Heuristics - If checked, scanning includes heuristic analysis. Heuristic analysis performs a dynamic emulation of a scanned object's instructions within a virtual computing environment.

• Scan system environment - If checked, system areas are scanned before the full scan is started.


• Scan infectible files only - If checked, "infectible" files are scanned based on their contents regardless of their file extensions. For example, an EXE file could be renamed but still be infected. The following types of files are considered "infectible" files:

  • EXE type - COM;DRV;EXE;OV?;PGM;SYS;BIN;CMD;DEV;386;SMM;VXD;DLL;OCX;BOO;SCR;ESL;CLA;CLASS;BAT;VBS;VBE;WSH;HTA;HTM;HTML;?HTML;CHM;INI;HTT;INF;JS;JSE;HLP;SHS;PRC;PDB;PIF;PHP;ZL?;ASP;LNK;EML;NWS;CPL;WMF

  • DOC type - DO?;XL?;VBX;RTF;PP?;POT;MDA;MDB;XML;DOC?;DOT?;XLS?;XLT?;XLAM;PPT?;POT?;PPS?;SLD?;PPAM;THMX

Performance

• Select System Priority for Scan - Defines how fast the scan runs and how much system resources the scan uses. You can set the scan to run as fast as possible while slowing down a computer noticeably, or you can choose that you wish the scan to run using as little system resources as possible, while prolonging the scan's run time.
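The point of the "infectible files" option is that the file's content, not its name, decides whether it is scanned, so a renamed executable is still treated as an EXE. The Python example below is added to show that classification on constructed sample headers, using the two extension lists above (with their ? wildcards) only as a fallback for formats that have no fixed header; it is not KES code. The page states only that classification is content-based, so the particular format signatures used here (MZ, OLE2, RTF, ZIP) and the classify_infectible function are assumptions of this example.

```python
import fnmatch

# Extension lists quoted under 'Scan infectible files only' above. '?' matches exactly one
# character, so OV? covers OVL and OVR and DOC? covers DOCX and DOCM.
EXE_TYPE = (
    "COM;DRV;EXE;OV?;PGM;SYS;BIN;CMD;DEV;386;SMM;VXD;DLL;OCX;BOO;SCR;ESL;CLA;CLASS;BAT;VBS;"
    "VBE;WSH;HTA;HTM;HTML;?HTML;CHM;INI;HTT;INF;JS;JSE;HLP;SHS;PRC;PDB;PIF;PHP;ZL?;ASP;LNK;"
    "EML;NWS;CPL;WMF"
).split(";")
DOC_TYPE = (
    "DO?;XL?;VBX;RTF;PP?;POT;MDA;MDB;XML;DOC?;DOT?;XLS?;XLT?;XLAM;PPT?;POT?;PPS?;SLD?;PPAM;THMX"
).split(";")

# Well-known format headers ("magic" bytes). That a scanner keys on exactly these is an
# assumption; the page only says the classification is content-based.
MAGIC_SIGNATURES = [
    (b"MZ", "EXE"),                                # DOS/Windows executable, also DLL, OCX, SCR, CPL
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "DOC"),  # OLE2 compound file: legacy DOC, XLS, PPT
    (b"{\\rtf", "DOC"),                            # Rich Text Format
    (b"PK\x03\x04", "DOC"),                        # ZIP container: DOCX/XLSX/PPTX (plain ZIPs too; errs toward scanning)
]


def extension_of(filename):
    """Upper-case extension of a file name, '' if it has none."""
    return filename.rsplit(".", 1)[1].upper() if "." in filename[1:] else ""


def type_by_extension(filename):
    """'EXE', 'DOC' or None according to the two wildcard lists."""
    ext = extension_of(filename)
    if any(fnmatch.fnmatchcase(ext, pattern) for pattern in EXE_TYPE):
        return "EXE"
    if any(fnmatch.fnmatchcase(ext, pattern) for pattern in DOC_TYPE):
        return "DOC"
    return None


def type_by_content(head):
    """'EXE', 'DOC' or None from the first bytes of the file."""
    for magic, kind in MAGIC_SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def classify_infectible(filename, head):
    """Content decides first, so a renamed EXE is still 'EXE'; the extension lists are the
    fallback for script and text formats (BAT, VBS, INI, HTML...) that have no fixed header."""
    return type_by_content(head) or type_by_extension(filename)


if __name__ == "__main__":
    # Constructed samples: only the leading bytes matter for the header check.
    samples = [
        ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),       # executable renamed to look like a picture
        ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("run.cmd", b"@echo off\r\n"),
        ("notes.txt", b"plain text"),
    ]
    for name, head in samples:
        print(f"{name:14} -> {classify_infectible(name, head)}")
```

The first sample is the page's own scenario: the extension says picture, the MZ header says executable, and the header wins.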

10. Exchange

• Enable AVG for Exchange Server - Enable or disable email scanning for assigned MS Exchange Servers.

• Mail Certification - Enable or disable adding a certification note to scanned email on MS Exchange Servers. Customize the certification note in the text field.

Performance

• Run scans in background - Enable or disable background scanning. Background scanning is one of the features of the VSAPI 2.0/2.5 application interface. It provides threaded scanning of the Exchange Messaging Databases. Whenever an item that has not been scanned before is encountered in users' mailbox folders, it is submitted to AVG for Exchange 2000/2003 Server to be scanned. Scanning and searching for unexamined objects run in parallel. A specific low priority thread is used for each database, which guarantees that other tasks, for example email message storage in the Microsoft Exchange database, are always carried out preferentially.

• Scan Proactively - Enable or disable VSAPI 2.0/2.5 proactive scanning. Proactive scanning involves dynamic priority management of items in the scanning queue. Lower priority items are not scanned unless all higher priority ones have been scanned. An item's priority rises if a client tries to use it, so an item's precedence changes dynamically according to user activity.

• Scan RTF Files - Specify whether RTF files should be scanned or not.

• Scanning Threads - The scanning process is threaded by default to increase the overall scanning performance by a certain level of parallelism. The default number of threads is computed as 2 times the 'number_of_processors' + 1.

• Scan Timeout - The maximum continuous interval, in seconds, for one thread to access the message that is being scanned.

11. Exclude Dirs

Exclude Directories

• Add new record - Adds directories excluded from a scan. Some directories may be threat-free but contain files that are erroneously interpreted as malware.

12. Exclude PUPs

Exclude Potentially Unwanted Programs

Use this tab to exclude potentially unwanted programs, or PUPs, manually. The View Threats page provides a quicker method of identifying and excluding PUPs.

• Add new record - Adds PUP files to exclude from a scan. Some files may be threat-free but be erroneously interpreted as potentially unwanted programs (PUPs). You need to identify the file name, its checksum value and its file size in bytes.

Click Add New Record, then enter the following:

  • Filename - Enter the name of the file.

  • Checksum - Enter the checksum value of the file. To determine the checksum value, open the AVG UI on a machine that contains the file. Select Tools > Advanced Settings. Select the PUP Exceptions property sheet. Click the Add exception button. Select the file by browsing the machine's local directory. The corresponding checksum value is displayed. Copy and paste the checksum value from the AVG UI into the Add new record dialog box of the Exclude Pups tab of Security > Define Profile.

  • File Size - Enter the file size in bytes. To determine the file size, right-click the file in Windows Explorer and check the Size value in bytes.

13. Updates

Use this tab to configure how AVG updates are downloaded.

Proxy Settings

Enables/disables using a proxy server to download AVG updates.

• Don't use proxy - Disables proxy settings.

• Use proxy - Enables proxy settings.

• Try connection using proxy, and if it fails, connect directly - Enables proxy settings. If the proxy fails, connects directly.

Manual - Sets proxy settings manually.

• Server - Enter a valid proxy server name or IP address.

• Port - Enter a port number.

• Use PROXY authentication - If checked, proxy authentication is required.

  • Username - If Use PROXY authentication is checked, enter a valid username.

  • Password - If Use PROXY authentication is checked, enter a valid password.


Auto - Sets proxy settings automatically.

• From browser - Select a default browser from the drop-down menu to set proxy settings.

• From script - Enter the full path of a script that specifies the proxy server address.

• Auto detect - Attempts to get the settings from the proxy server directly.

Update URL

AVG provides a default URL to download updates. You can preferentially download updates from a custom URL.

• Use Custom Update URL - Select this option to preferentially download updates from a custom URL.

  • Name - Enter the name of the custom update URL.

  • URL - Enter the URL.

11.3.3 Assign Profile

The Assign Profile page assigns security profiles to machine IDs licensed to use KES. Security profiles are defined using Security > Define Profile. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.11 below shows the generic view of the Assign Profile page. The options supported on this page are listed and explained below.

1. Apply Configuration: Click Apply Configuration to apply the security profile displayed in the Select Profile drop-down box to selected machine IDs.

2. Select Profile: Select a security profile to apply to selected machine IDs.

Fig. 11.11: Assign Profile


3. Only display machines with the selected profile: If checked, filters the paging area by the selected security profile.

4. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

5. Profile Name: Displays the security profile assigned to a machine ID. Displays the status of the machine ID if there is a problem.

11.3.4 Log Settings

The Log Settings page specifies the number of days to keep security protection log data for machine IDs licensed to use KES. Certain machines, such as web servers, may warrant maintaining a longer history of virus attacks than other types of machines. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.12 below shows the generic view of the Log Settings page. The options supported on this page are listed and explained below.

1. Apply Configuration: Click Apply Configuration to apply the number of days specified in the <N> days to keep log entries field to selected machine IDs.

2. <N> days to keep log entries: Enter the number of days to maintain security protection log data.

3. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

4. Log Days Before Expiration: Shows the number of days security protection log data is maintained for a machine ID.

Fig. 11.12: Log Settings


11.4 MS Exchange

11.4.1 Exchange Status

The Exchange Status page displays the status of email protection on MS Exchange servers that have KES installed on them. During the install of KES on a machine, if MS Exchange is detected, the plugin for MS Exchange email protection is automatically installed.

The list of machine IDs you can select depends on the machine ID/group ID filter. Also, the machine ID must have MS Exchange Server installed on the machine.

Fig. 11.13 below shows the generic view of the Exchange Status page. The options supported on this page are listed and explained below.

1. Mailboxes Protected / Mailbox Licenses: Displays both the number of Exchange Server mailboxes protected and the number of mailbox licenses used and available.

2. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

3. Install Status: If checked, KES client software is installed on the machine ID. If the agent software is earlier than 4.7.1, the message Requires Agent Update displays. If blank, KES client software is not installed on the machine ID.

4. Install Source: If a file source is defined using Patch Management > File Source, then installs are sourced from this location. Otherwise, installs are sourced from the internet.

If the option Download from Internet if machine is unable to connect to the file server is selected in Patch Management > File Source:

• During a KES v2.x endpoint install, if the file source is down or credentials are invalid, the installer is downloaded from the Kserver and completes the endpoint install.

• During a KES v2.x manual update, if the file source is down or credentials are invalid, the update is downloaded from the internet.

Fig. 11.13: Exchange Status


In both cases above, the View Logs page displays an error message stating why the file source failed and that it is trying to download from the internet.

5. Mailboxes: The number of email accounts on the MS Exchange Server.

6. Installed On: The date MS Exchange Server email protection was installed on the machine ID.

11.5 Security Alarms

11.5.1 Define Alarm Sets

The Define Alarm Sets page defines sets of alarm conditions used to trigger alerts using the Apply Alarm Sets page.

To Create a New Alarm Set

1. Select <No Alarm Sets Saved> in the Select Profile drop-down list. Alternatively you can select an existing alarm set and click Save As.

2. Check one or more alarm condition checkboxes.

3. Use the Ignore additional alarms for <N> <periods> field to specify the number of minutes to ignore the same set of alarm conditions. Set to 0 to trigger an alarm each time an alarm condition occurs.

4. Click Save to save the alarm set.

To Delete an Alarm Set

1. Select an alarm set from the Select Profile drop-down list.

2. Click Delete to delete the alarm set.

Fig. 11.14 below shows the generic view of the Define Alarm Sets page. The options supported on this page are listed and explained below.

Fig. 11.14: Define Alarm Sets


1. Save: Saves the alarm set.

2. Save As: Saves an alarm set under a new name.

3. Delete: Deletes an alarm set.

4. Share: Displays if you own the selected alarm set. Share this alarm set with users or user roles, or make it public for all users. Share rights are assigned by object. There are three sharing checkbox options. The first two checkboxes are mutually exclusive and determine what share rights are assigned. If neither of the first two checkboxes is checked, the shared object can only be seen by the users given share access, but the object cannot be used nor edited. The Shared and Not Shared list boxes and the third checkbox determine who can see the object.

  • Allow other administrators to modify - If checked, share rights to the object include being able to use it, view its details and edit it.

  • Other administrators may use but may not view or edit - If checked, share rights to the object only allow using it.

  • Make public (seen by all administrators) - If checked, ensures that all current and future VSA users can see the object. If blank, only selected user roles and users can see the shared object. If blank, and new users or user roles are added later, you have to return to this dialog to enable them to see the specific object.

5. Ignore additional alarms <N> <periods>: Specify the number of periods you want the same type of alarm to be ignored after the first alarm is triggered.

6. Alarm Conditions: Check any of the following types of alarm conditions to include them in a KES alarm set.

  • Threat Detected and Not Healed - A threat has been added to the Current Threats tab of the View Threats page that could not be automatically healed.

  • Protection Disabled - Security protection has been disabled.

  • Definition Updated - Security protection has been updated with the latest version of KES.

  • Scheduled Scan Completed - A security protection scan has been completed.

  • Reboot Required - A reboot is required.

  • Protection Enabled - Security protection has been enabled.

  • Service Error - The KES service has stopped.

  • Definition Not Updated in <N> Days - Security protection has not been updated for the specified number of days.

  • Scheduled Scan Did Not Complete - A scheduled security protection scan did not complete.

  • AVG Removed by User - A machine user has uninstalled the AVG client from the managed machine.


11.5.2 Apply Alarm Sets

The Apply Alarm Sets page creates alerts in response to security protection alarm conditions defined using Define Alarm Sets. The alarm sets are applied to selected machine IDs licensed to use KES. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

To Create an Alert

1. Check any of these checkboxes to perform their corresponding actions when an alarm condition is encountered:

  • Create Alarm

  • Create Ticket

  • Run Script

  • Email Recipients

2. Set additional email parameters.

3. Select an alarm set.

4. Check the machine IDs to apply the alarm set to.

5. Click Apply to assign the alarm set to selected machine IDs.

To Cancel an Alert

1. Select machine ID checkboxes.

2. Click Remove to remove the assigned alarm set from selected machine IDs.

Fig. 11.15 below shows the generic view of the Apply Alarm Sets page. The options supported on this page are listed and explained below.

Fig. 11.15: Apply Alarm Sets


1. Apply: Apply a selected alarm set to selected machine IDs.

2. Remove: Remove a selected alarm set from selected machine IDs.

3. Remove All: Remove all alarm sets assigned to selected machine IDs.

4. Format Email: Format the email sent to email recipients. This option only displays for master role users.

5. Create Alarm: If checked and an alarm condition is encountered, an alarm is created. Alarms are displayed in Monitor > Dashboard List, Monitor > Alarm Summary and Info Center > Reports > Logs > Alarm Log.

6. Create Ticket: If checked and an alarm condition is encountered, a ticket is created.

7. Run Script: If checked and an alarm condition is encountered, an agent procedure is run. You must click the select agent procedure link to choose an agent procedure to run. You can optionally direct the agent procedure to run on a specified range of machine IDs by clicking the this machine ID link. These specified machine IDs do not have to match the machine ID that encountered the alarm condition.

8. Email Recipients: If checked and an alarm condition is encountered, emails are sent to the specified email addresses.

  • Click Format Email to display the Format Alert Email popup window. This window enables you to format the display of emails generated by the system when an alarm is triggered.

  • Email is sent directly from the VSA to the email address specified in the alert. Set the From Address using System > Outbound Email.

9. Select an Alarm Set: Select an alarm set to apply to selected machine IDs.

10. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

11. Alarm Set: Lists the alarm sets assigned to each machine ID.

12. ATSE: The ATSE response code assigned to machine IDs or SNMP devices:

  • A = Create Alarm

  • T = Create Ticket

  • S = Run Agent Procedure

  • E = Email Recipients

13. Email Address: A comma separated list of email addresses where notifications are sent.
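Sections 11.5.1 and 11.5.2 together describe a small event-processing rule: an alarm set selects which conditions matter, the "Ignore additional alarms for <N> <periods>" setting suppresses repeats of the same condition for a window that starts at the first alarm (0 means fire every time), and the ATSE code decides which of the four actions are taken. The Python example below is added to run that rule over a constructed stream of events; it is not KES code. The period is taken to be minutes, the suppression window is tracked per machine ID and condition, and the AlarmSet and AlarmSetEvaluator classes are assumptions of this example.

```python
# Alarm conditions offered on the Define Alarm Sets page
ALARM_CONDITIONS = frozenset({
    "Threat Detected and Not Healed", "Protection Disabled", "Definition Updated",
    "Scheduled Scan Completed", "Reboot Required", "Protection Enabled",
    "Service Error", "Definition Not Updated in <N> Days",
    "Scheduled Scan Did Not Complete", "AVG Removed by User",
})

# ATSE response codes from the Apply Alarm Sets page
ATSE_ACTIONS = {
    "A": "Create Alarm",
    "T": "Create Ticket",
    "S": "Run Agent Procedure",
    "E": "Email Recipients",
}


class AlarmSet:
    """An alarm set: the checked conditions plus the 'Ignore additional alarms' window."""

    def __init__(self, name, conditions, ignore_minutes=0):
        unknown = set(conditions) - ALARM_CONDITIONS
        if unknown:
            raise ValueError(f"unknown alarm conditions: {sorted(unknown)}")
        self.name = name
        self.conditions = frozenset(conditions)
        self.ignore_minutes = ignore_minutes   # 0 = trigger every time; periods assumed to be minutes


class AlarmSetEvaluator:
    """Applies one alarm set with an ATSE response code to a stream of machine events.

    Suppression is tracked per (machine ID, condition) and the window starts at the first
    alarm that actually fired; suppressed repeats do not extend it (assumed behaviour).
    """

    def __init__(self, alarm_set, atse="ATSE"):
        bad = [code for code in atse if code not in ATSE_ACTIONS]
        if bad:
            raise ValueError(f"invalid ATSE code characters: {bad}")
        self.alarm_set = alarm_set
        self.atse = atse
        self._window_start = {}   # (machine_id, condition) -> minute the ignore window began

    def process(self, machine_id, condition, minute):
        """Return the actions taken for this event ([] if not in the set or suppressed)."""
        if condition not in self.alarm_set.conditions:
            return []
        key = (machine_id, condition)
        started = self._window_start.get(key)
        if started is not None and minute - started < self.alarm_set.ignore_minutes:
            return []                       # same alarm on the same machine inside the ignore window
        self._window_start[key] = minute
        return [ATSE_ACTIONS[code] for code in self.atse]


# Constructed sample stream: (minute, machine ID, condition)
SAMPLE_EVENTS = [
    (0, "web01.corp", "Protection Disabled"),
    (5, "web01.corp", "Protection Disabled"),     # repeat within the window: suppressed
    (5, "web02.corp", "Protection Disabled"),     # different machine: fires
    (6, "web01.corp", "Definition Updated"),      # not in the set: ignored
    (15, "web01.corp", "Protection Disabled"),    # window elapsed: fires again
]


def run_sample(ignore_minutes=15, atse="AE"):
    """Feed SAMPLE_EVENTS through one evaluator; returns (minute, machine, actions) for events that fired."""
    alarm_set = AlarmSet("servers", {"Protection Disabled", "Service Error"}, ignore_minutes)
    evaluator = AlarmSetEvaluator(alarm_set, atse)
    fired = []
    for minute, machine, condition in SAMPLE_EVENTS:
        actions = evaluator.process(machine, condition, minute)
        if actions:
            fired.append((minute, machine, actions))
    return fired


if __name__ == "__main__":
    for minute, machine, actions in run_sample():
        print(f"t+{minute:02d}m {machine:12} -> {', '.join(actions)}")
```

Running run_sample with ignore_minutes=0 shows the other documented behaviour: every matching event fires, which is what "Set to 0 to trigger an alarm each time an alarm condition occurs" describes.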
