Chapter 11 - Security (Sadjadi et al.)
Introduction

One of the most critical advantages of today's networked computing environments is the ability to seamlessly exchange information with almost any networked computer via email, email attachments, world-wide web, ftp, ssh, etc. This desired capability, however, places networked computers under constant threat of malicious programs (i.e., viruses, spyware, adware, etc.) entering the system and consequently causing undesired harm, including unauthorized access to sensitive data, system downtime, blocked network access, and so on. Clearly, while convenient network access is desirable, malicious programs must not be allowed to cause any harm. That is, the security of the system must be ensured without compromising remote access capabilities and the user's free access to the outside world. The security of the system within this context can only be guaranteed if 1) an up-to-date description of all malicious programs is available, 2) all data (e.g., files) entering the system are scanned to ensure that they do not contain malicious software, 3) if found, malicious software is removed or quarantined, and 4) access to sensitive parts of the system is monitored.
Kaseya Endpoint Security (KES), described in this chapter, provides all the facilities needed to maintain a secure environment. It provides for periodic scanning of the entire file system and the system registry for suspicious entries, cleaning or removing infected files, and monitoring access to sensitive parts of the system. In addition, depending on user-defined managed security profiles, KES can trigger alarms, send email notifications, run scripts, create job tickets, and log all security-sensitive activities. In summary, KES maintains the security of the managed network by

• Detecting malicious software through:
  • Scanning - Performs both on-access and on-demand scanning of the file system and registry:
    • Scans Email - Checks incoming and outgoing mail by using plug-ins designed for the most frequently used email programs.
    • On Access Protection - Files are scanned as they are copied, opened or saved. If a virus is discovered, file access is stopped and the virus is not allowed to activate itself. On Access Protection, loaded in the memory of the computer during system startup, also provides vital protection for the system areas of the computer.
    • On Demand Scans - Scans can be run on-demand or scheduled to run periodically at convenient times.
  • Scanning MS Exchange Servers - Scans inbound and outbound e-mail messages and mailbox folders on MS Exchange Servers against virus/spyware/malware threats and deletes them immediately, before email recipients of the MS Exchange Server are infected.

The remainder of this chapter describes the details of KES operations and its customization.
11.1 Protection

11.1.1 Dashboard

The Dashboard page provides a dashboard view of the status of machines installed with Kaseya Endpoint Security.

• Endpoint Security Statistics
• License Status
• Top Machines with Threats
• Top Threats Discovered

Fig. 11.1 below shows the generic view of the Dashboard page. The options supported on this page are listed and explained below.
1. Endpoint Security Statistics: The Endpoint Security Statistics section provides various statistics about the security status of endpoints and the status of security definitions.

• Endpoints Need Reboot
• Signature versions older than '<version>'
• Endpoints with older version of KES
• Endpoints not having a scan completed this week
• Endpoints currently running a scan
• Endpoints with Resident Shield disabled

Click any of these hyperlinked statistics to see a tabbed dialog showing each member belonging to that statistic.

2. License Status: A pie chart displays the percentage of machines that have expired licenses or will have expired licenses in 30, 60, 90 or 91+ days. Click any slice of the pie chart or any label of the pie chart to display a list of individual machines belonging to that slice.

3. Top Machines with Threats: Lists the machines with the greatest number of current threats. The number of threats in the virus vault is also listed. Clicking a hyperlinked machine ID displays the threats belonging to that machine ID in the View Threats page.

4. Top Threats Discovered: A pie chart displays which threats have been found on the greatest percentage of machines. Click any slice of the pie chart or any label of the pie chart to display a list of individual machines belonging to that slice in the View Threats page.
Fig. 11.1: Dashboard page
11.1.2 Security Status

The Security Status page displays the current security status of each machine ID licensed to use Kaseya Endpoint Security. The list of machine IDs displayed depends on the Machine ID/Group ID filter and machine groups the administrator is authorized to see using System > Group Access. To display on this page, machine IDs must have Kaseya Endpoint Security client software installed on the managed machine using the Security > Install/Remove page.

Indicators include general security protection, file protection, mail protection, the number of threats detected, and the version of security protection installed on each machine ID.

Fig. 11.2 below shows the generic view of the Security Status page. The options available on this page are listed and explained below.

1. Current Available Signature Version: The latest version of security protection available. You can update one or more machine IDs with the Current Available Version using Security > Manual Updates.

2. Current Installer Version: The version number of the AVG installer to be used on new installations.

3. Enable Resident Shield: Click to enable resident memory anti-malware protection on selected machine IDs.

4. Disable Resident Shield: Click to disable resident memory anti-malware protection on selected machine IDs.

5. Enable Email: Click to enable email protection on selected machine IDs.

6. Disable Email: Click to disable email protection on selected machine IDs.

7. Empty Vault: Click to empty the virus vault of all quarantined malware IDs.

8. Reboot Now: Reboots selected machine IDs. Some security updates require a reboot to install the update. If a reboot is pending, a reboot icon displays alongside the pre-update version number and the machine is still protected.

9. Machine.Group ID: The list of Machine ID.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the administrator is authorized to view.
Fig. 11.2: Security status
10. Profile Name: The security profile assigned to the machine ID.

11. Status: The current state of security protection for a machine ID is indicated by the set of status icons displayed in the Status column. Possible status icons include:

• Resident Shield On
• Resident Shield Off
• Resident Shield Partial
• Resident Shield Enable/Disable Pending
• Email Scanner On
• Email Scanner Off
• Email Scanner Partial
• Email Scanner Enable/Disable Pending
• Link Scanner On
• Link Scanner Off
• Link Scanner Partial
• Link Scanner Enable/Disable Pending
• Web Shield On
• Web Shield Off
• Web Shield Partial
• Web Shield Enable/Disable Pending

12. Threats: The number of unhealed threats detected on the machine ID. These are current threats that need user attention. You can click the hyperlinked number in any row to display these threats in the Current Threats tab of the View Threats page.

13. Virus Vault: The number of threats stored in the virus vault of the machine ID. These items are safely quarantined and will be automatically deleted, if profile settings apply. You can click the hyperlinked number in any row to display these threats in the Virus Vault tab of the View Threats page.

14. Version: The version of security protection currently used by this machine ID.
11.1.3 Manual Update

The Manual Updates page controls the updating of machine IDs licensed to use KES with the latest version of security protection available. Updates are scheduled automatically by default. You can disable and re-enable automatic updating by machine. Typically this function is only used to review the update status of agents or to force an immediate update check if needed.

The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.3 below shows the generic view of the Manual Update page. The options supported on this page are listed and explained below.

1. Current Available Version: The latest version of security protection available. Check the Version column on this page to determine if any machine IDs are missing the latest version of security protection or the latest KES client software available.

2. Current KES Client Version: The latest KES client software available.

3. Update: Click to schedule a virus definition update on selected machine IDs using the update options previously selected.

4. Cancel Update: Click to clear a scheduled update.

5. Enable Automatic Updates: Enables virus definition updates.

6. Disable Automatic Updates: Disables virus definition updates. This prevents virus definition updates from slowing down the network during peak working hours. In a future release you will be able to schedule when to update virus definitions. If automatic updates are disabled, then a red-cross icon displays in the Scheduled Time column, even if a manual update is scheduled.

7. Immediate: Check the Immediate box to begin the update as soon as Update is clicked.

8. Date/Time: Enter the year, month, day, hour, and minute to schedule this task.
9. Stagger by: You can distribute the load on your network by staggering this task. If you set this parameter to 5 minutes, then the task on each machine ID is staggered by 5 minutes.

Fig. 11.3: Manual Update
10. Skip if Machine Offline: Check to perform this task only at the scheduled time, within a 15 minute window. If the machine is offline, skip and run the next scheduled period and time. Uncheck to perform this task as soon as the machine connects after the scheduled time.

11. Update from KServer (Override file source): If checked, updates are downloaded from the KServer. If blank, updates are downloaded using the method specified in Patch Management > File Source.

Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

12. Source: If a file source is defined using Patch Management > File Source, then updates are sourced from this location. Otherwise, updates are sourced from the internet.

If the option Download from Internet if machine is unable to connect to the file server is selected in Patch Management > File Source:

• During a KES v2.x endpoint install, if the file source is down or credentials invalid, the installer is downloaded from the KServer and completes the endpoint install.
• During a KES v2.x manual update, if the file source is down or credentials invalid, the update is downloaded from the internet.

In both cases above, the View Logs page displays an error message stating why the file source failed and that it is trying to download from the internet.

13. Last Update: This timestamp shows when a machine ID was last updated. When this date changes, a new update is available to use.

14. Version: The version of security protection currently used by this machine ID.

15. Scheduled Time: Timestamp showing the next scheduled update, if one is scheduled either manually or automatically.
11.1.4 Schedule Scan

The Schedule Scan page schedules security protection scans of selected machine IDs licensed to use Kaseya Endpoint Security. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.4 below shows the generic view of the Schedule Scan page. The options supported on this page are listed and explained below.
1. Scan: Click to schedule a scan of selected machine IDs using the scan options previously selected.

2. Cancel: Click to clear a scheduled scan.

3. Immediate: Check the Immediate box to begin the scan as soon as Scan is clicked.

4. Date/Time: Enter the year, month, day, hour, and minute to schedule this task.

5. Stagger by: You can distribute the load on your network by staggering this task. If you set this parameter to 5 minutes, then the task on each machine ID is staggered by 5 minutes. For example, machine 1 runs at 10:00, machine 2 runs at 10:05, machine 3 runs at 10:10, ...

6. Skip if Machine Offline: Check to perform this task only at the scheduled time, within a 15 minute window. If the machine is offline, skip and run the next scheduled period and time. Uncheck to perform this task as soon as the machine connects after the scheduled time.

7. Every N Periods: Check the box to make this task a recurring task. Enter the number of periods to wait before running this task again.

8. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes.

9. Last Scan: This timestamp shows when the last scan occurred. When this date changes, new scan data is available to view.

10. Next Scan / Schedule: This timestamp shows the next scheduled scan. Overdue date/time stamps display as red text with yellow highlight. A green checkmark indicates the scan is recurring.

11.1.5 View Threats

The View Threats page displays threats you can take action on. Threats are grouped by their status on two different tabs:

• Current Threats - Lists discovered threats on machines that could not be automatically healed. Each unhealed threat remains unchanged on the machine, requiring user action. Deleting a threat on the Current Threats tab deletes the file immediately, without moving the file to the Virus Vault.
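The Stagger by, Skip if Machine Offline and Every N Periods options above (the same stagger and offline rules also appear on the Manual Update and Install/Remove pages) describe a small scheduling policy. The following Python is an added example, not code from the chapter or from Kaseya, that works the policy through on constructed timestamps: the 15 minute window is the chapter's; the assumption that an offline machine which reconnects inside the window runs immediately, and that one "period" is a day, are this example's own.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The chapter's "Skip if Machine Offline" window.
OFFLINE_WINDOW = timedelta(minutes=15)


def at(hour: int, minute: int, day: int = 8) -> datetime:
    """Constructed timestamps for the sample run (8 Jan 2024)."""
    return datetime(2024, 1, day, hour, minute)


def staggered_schedule(start: datetime, machine_ids: List[str],
                       stagger_minutes: int) -> Dict[str, datetime]:
    """'Stagger by': machine i starts stagger_minutes * i after `start`
    (10:00, 10:05, 10:10, ... for a 5 minute stagger)."""
    return {m: start + timedelta(minutes=stagger_minutes * i)
            for i, m in enumerate(machine_ids)}


def run_time(scheduled: datetime, first_online: Optional[datetime],
             skip_if_offline: bool) -> Optional[datetime]:
    """When does one occurrence of the task actually run on a machine?

    first_online is the earliest moment at or after `scheduled` that the agent is
    connected (None if it never reconnects). Returns the run time, or None when
    this occurrence is skipped and left to the next scheduled period."""
    if first_online is None:
        return None
    if first_online <= scheduled + OFFLINE_WINDOW:
        # Online at the scheduled time, or back within the window: run now.
        return max(scheduled, first_online)
    # Missed the window: skip (box checked) or run as soon as it connects (box blank).
    return None if skip_if_offline else first_online


def next_occurrence(scheduled: datetime, every_n_periods: Optional[int],
                    period: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """'Every N Periods': None when the box is unchecked (task is not recurring).
    The chapter does not define the period length; one day is assumed here."""
    if not every_n_periods:
        return None
    return scheduled + every_n_periods * period


if __name__ == "__main__":
    plan = staggered_schedule(at(10, 0), ["m1", "m2", "m3"], 5)
    for machine, when in plan.items():
        print(machine, when.time(), "->", run_time(when, when, True))
```

Calling `run_time` with the machine's own scheduled time as `first_online` models a machine that is online when its slot arrives; passing a later time models the reconnect cases the chapter distinguishes.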
• Virus Vault - Threats are discovered by scan or resident shield. Healing the threat replaces the original file with a healed copy. The original, unhealed file is moved to a hidden partition on the computer hard drive called the Virus Vault. In effect, the Virus Vault acts as a kind of "recycle bin" for threats, allowing you to recover them before deleting them permanently from machines.

Fig. 11.4: Schedule Scan
Healing

Healing involves the following steps:

1. An attempt is made to clean the file.

2. If that fails, an attempt is made to move the file to the Virus Vault.

3. If that fails, an attempt is made to delete the file.

4. If that fails, the file remains unchanged on the machine and is listed in the Current Threats tab of the View Threats page.
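The four healing steps form a fixed fallback chain, and the tab a threat ends up on depends on which step first succeeds. The following Python is an added example (not code from the chapter or from Kaseya) that models that chain on a constructed endpoint; the `Endpoint` class, the failure-injection sets and the file names are this example's own. A successful step 1 both keeps the original in the vault and leaves a healed copy in place, as the Virus Vault description above states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Outcomes of the healing sequence described in the chapter.
HEALED = "healed"    # step 1 succeeded: healed copy in place, original in the Virus Vault
VAULTED = "vaulted"  # step 2 succeeded: original moved to the Virus Vault
DELETED = "deleted"  # step 3 succeeded: file deleted outright
CURRENT = "current"  # all three failed: file untouched, listed on the Current Threats tab


@dataclass
class Endpoint:
    """Constructed stand-in for a managed machine; not KES's own data model."""
    files: Dict[str, str]                                   # path -> contents
    vault: Dict[str, str] = field(default_factory=dict)     # Virus Vault: path -> original
    current_threats: List[str] = field(default_factory=list)
    # Hypothetical failure injection: paths the corresponding step cannot handle
    # (for instance a locked file or a file on read-only media).
    uncleanable: Set[str] = field(default_factory=set)
    unmovable: Set[str] = field(default_factory=set)
    undeletable: Set[str] = field(default_factory=set)


def try_clean(ep: Endpoint, path: str) -> bool:
    """Step 1: keep the original in the vault and replace the file with a healed copy."""
    if path in ep.uncleanable:
        return False
    ep.vault[path] = ep.files[path]
    ep.files[path] = "<healed copy of %s>" % path
    return True


def try_vault(ep: Endpoint, path: str) -> bool:
    """Step 2: move the unhealed file into the Virus Vault."""
    if path in ep.unmovable:
        return False
    ep.vault[path] = ep.files.pop(path)
    return True


def try_delete(ep: Endpoint, path: str) -> bool:
    """Step 3: delete the file; nothing can be recovered afterwards."""
    if path in ep.undeletable:
        return False
    del ep.files[path]
    return True


def heal(ep: Endpoint, path: str) -> str:
    """Run the chapter's four steps in order and report where the threat ended up."""
    if try_clean(ep, path):
        return HEALED
    if try_vault(ep, path):
        return VAULTED
    if try_delete(ep, path):
        return DELETED
    ep.current_threats.append(path)  # step 4: needs user action on View Threats
    return CURRENT


def heal_all(ep: Endpoint, detected: List[str]) -> Dict[str, str]:
    return {path: heal(ep, path) for path in detected}


def sample_endpoint() -> Endpoint:
    """Constructed endpoint with one detected file per possible outcome."""
    return Endpoint(
        files={p: "<infected>" for p in ("a.exe", "b.dll", "c.scr", "d.sys")},
        uncleanable={"b.dll", "c.scr", "d.sys"},
        unmovable={"c.scr", "d.sys"},
        undeletable={"d.sys"},
    )


if __name__ == "__main__":
    ep = sample_endpoint()
    print(heal_all(ep, ["a.exe", "b.dll", "c.scr", "d.sys"]))
    print("vault:", sorted(ep.vault), "current threats:", ep.current_threats)
```

The model makes the operational consequence of each outcome visible: only `HEALED` and `VAULTED` leave a copy that the Virus Vault tab's Restore action could bring back, `DELETED` does not, and `CURRENT` is the only outcome that still exposes the original file on the machine.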
MS Exchange Server Threats

Any malware detected by MS Exchange Server email protection is immediately deleted from the MS Exchange Server and displays only on the Virus Vault tab.

Fig. 11.5 below shows the generic view of the View Threats page. The options supported on this page are listed and explained below.

1. Current Threats: The Current Threats tab provides you with the following actions:

• Heal - Attempts to heal a file without deleting it. Healed threats are removed from the Current Threats tab and display in the Virus Vault tab.
• Delete - Attempts to delete a file. Deleted threats are deleted from the computer immediately.
• Remove from this List - Removes the threat from the View Threats page without performing any other action.
• Cancel Pending Operation - Cancels any of the other actions, if they have not yet been completed.
Fig. 11.5: View Threats
• Add to PUP Exclusion List - A threat is identified as a potential unwanted program, or PUP, by displaying a (P) next to the name of the threat on the View Threats page. PUP threats can be added to the exclusion list for the profile assigned to the machine they were found on. Exclusion means the file is no longer scanned as a potential threat on all machines assigned this profile. Only perform this action if you're certain the file is safe to use. The entire PUP Exclusion List is maintained using the Define Profile > PUP Exclusions tab.

2. Virus Vault: The Virus Vault tab provides you with the following actions:

• Restore - Restores the original file identified as a threat. Only perform this action if you're certain the file is safe to use.
• Delete - Deletes the original file identified as a threat from the Virus Vault.

Note: Files deleted from the Virus Vault cannot be recovered.

• Remove from this List - Removes the threat from the View Threats page without performing any other action.
• Cancel Pending Operation - Cancels any of the other actions, if they have not yet been completed.
• Add to PUP Exclusion List - A threat is identified as a potential unwanted program, or PUP, by displaying a (P) next to the name of the threat on the View Threats page. PUP threats can be added to the exclusion list for the profile assigned to the machine they were found on. Exclusion means the file is no longer scanned as a potential threat on all machines assigned this profile. Only perform this action if you're certain the file is safe to use. The entire PUP Exclusion List is maintained using the Define Profile > PUP Exclusions tab.

3. Apply Filter / Reset Filter: Click Apply Filter to filter the rows displayed by the text entered in the Machine.Group, Threat Path or Threat Name fields. Time filtering and Action sorting occur immediately. Click Reset Filter to display all rows of data.

4. Machine.Group: Filter by the machine ID.group ID of the managed machines reporting threats.

5. Threat Path: Filter by pathname location of files on managed machines with reported threats.

6. Time: Filter by a range of dates and times the threats were last detected. Time filtering occurs immediately.

7. Threat Name: Filter by the name of the threat, as designated by the anti-malware definitions used to detect a threat.

8. Category: Filter by the type of threat reported. Select All OFF or All ON to enable or disable all categories.

9. Action: Filter by pending or completed actions taken against view threat records. Select All OFF or All ON to enable or disable actions. Action sorting occurs immediately.
11.1.6 View Logs

The View Logs page displays the security protection event log of each machine ID licensed to use Kaseya Endpoint Security. The list of machine IDs displayed depends on the Machine ID/Group ID filter and machine groups the user is authorized to see using System > User Security > Scopes. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.
Click a machine ID.group ID to display an event log. Each event displays the Time, an event Code, and in most cases a Message containing additional information. Security protection event codes describe one of three types of log entry:
• Errors
• Events
• Commands
Fig. 11.6 below shows the generic view of the View Logs page. The options supported on this page are listed and explained below.

Filter Fields: Filter the display of threats using text fields, a date range and/or drop-down lists. Include an asterisk (*) wildcard with the text you enter to match multiple records. Paging rows can be sorted by clicking column heading links.

1. Time, Min, Max: Filter by a range of dates and times.

2. Code: Filter by the category of log event reported. Select All OFF or All ON to enable or disable all categories.

3. Message: Filter by message text.

4. Apply Filter / Reset Filter: Click Apply Filter to filter the rows by the date range entered in the Time fields and/or the text entered in the Message field. Click Reset Filter to display all rows of data.
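The View Logs filter combines a time range, a Code category selection with All ON/All OFF, and a Message text with `*` as the wildcard. The following Python is an added example, not code from the chapter or from Kaseya, that applies those filter fields to a constructed event log; the `LogEvent` class, the sample messages and the reading that a pattern without `*` must match the whole message (the page only says `*` widens the match) are this example's own.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class LogEvent:
    time: datetime
    code: str      # one of the three entry types: "Error", "Event" or "Command"
    message: str


# Constructed sample log; the message wording is illustrative, not KES output.
SAMPLE_LOG = [
    LogEvent(datetime(2024, 1, 8, 9, 0), "Command", "Manual update scheduled by VSA user"),
    LogEvent(datetime(2024, 1, 8, 9, 5), "Event", "Definition update completed"),
    LogEvent(datetime(2024, 1, 8, 9, 30), "Error",
             "File source unreachable; trying download from the internet"),
    LogEvent(datetime(2024, 1, 9, 2, 0), "Event", "Scheduled scan completed"),
    LogEvent(datetime(2024, 1, 9, 2, 1), "Event", "Resident Shield moved a file to the Virus Vault"),
]


def filter_log(events: Iterable[LogEvent],
               time_min: Optional[datetime] = None,
               time_max: Optional[datetime] = None,
               codes: Optional[Set[str]] = None,
               message: Optional[str] = None) -> List[LogEvent]:
    """Apply the View Logs filter fields.

    codes=None stands for 'All ON'; an empty set for 'All OFF'.
    message is matched case-insensitively with '*' as the wildcard, so '*update*'
    matches any message containing 'update'."""
    kept = []
    for e in events:
        if time_min is not None and e.time < time_min:
            continue
        if time_max is not None and e.time > time_max:
            continue
        if codes is not None and e.code not in codes:
            continue
        if message and not fnmatch.fnmatchcase(e.message.lower(), message.lower()):
            continue
        kept.append(e)
    return kept


def sort_by(events: Iterable[LogEvent], column: str, descending: bool = False) -> List[LogEvent]:
    """Column-heading sort on Time, Code or Message."""
    return sorted(events, key=lambda e: getattr(e, column.lower()), reverse=descending)


if __name__ == "__main__":
    for e in sort_by(filter_log(SAMPLE_LOG, codes={"Error"}), "Time", descending=True):
        print(e.time, e.code, e.message)
```

Filtering on `codes={"Error"}` is the quickest way to surface the file-source failure message that the Manual Update section says the View Logs page records when a download falls back to the internet.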
Fig. 11.6: View Logs
11.2 License

11.2.1 Extend/Return

The Extend/Return page extends the annual license count for selected machine IDs or returns annual licenses from selected machine IDs. An annual license can be returned from one machine ID and be applied to another machine ID. Each machine ID can be allocated multiple years of security protection. KES licenses are allocated to group IDs using System > License Manager.

The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.

Fig. 11.7 below shows the generic view of the Extend/Return page. The options supported on this page are listed and explained below.

1. Extend: Extends the annual license count for selected machine IDs.

2. Return: Returns annual licenses from selected machine IDs.

3. Auto Extend: Enables automatic allocation of a new license the day the old license expires for selected machine IDs. Partial licenses are allocated first, then full licenses. If no additional licenses exist, allocation fails and security protection expires for the endpoint.

4. Remove Auto Extend: Disables auto extend for selected machine IDs. This option only displays for master role users.

5. Licenses Used: Displays the number of annual Kaseya Endpoint Security licenses used, returnable and partial. These counts are not affected by the machine ID.group ID filter.

• Used - A license is used if it has been assigned at least once to any machine ID. The used license count includes all returnable, partial and expired licenses.
Fig. 11.7:Extend/Return
• Returnable - The total number of returnable licenses available.
• Partial - The total number of partially used licenses available. Partially consumed licenses are made available when KES is uninstalled from a machine ID.

6. Show only licenses expiring within 30 days: Limits the display of licenses in the paging area to those expiring within 30 days.

7. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

8. Returnable: The number of annual licenses returnable from a machine ID. A machine ID with only one annual license cannot return any additional annual licenses.

9. Expires On: The date a machine ID's security protection expires, based on the number of annual licenses it has.

10. Auto Extend: If checked, auto extend is enabled for this machine ID.

11. At Limit: If the maximum number of annual licenses available to a group ID are being used, then each licensed machine ID in that group ID displays a Yes in the At Limit column. This alerts the user that more annual licenses may be required for that group ID. KES licenses are allocated to group IDs using System > License Manager.

11.2.2 Notify

The Notify page provides automatic notification of the expiration of KES licenses. Customers, VSA users and machine users can be notified a specified number of days before KES licenses expire. KES licenses are allocated to group IDs using System > License Manager.

Fig. 11.8 below shows the generic view of the Notify page. The options supported on this page are listed and explained below.
Fig. 11.8: Notify
1. Send notification when license will expire in N days: Enter the number of days before the expiration date of a KES license to notify customers, VSA users and machine users.

2. Email Recipients (Comma separate multiple addresses): Specify email addresses to send notification messages to. Multiple email addresses must be separated by commas.

3. Apply: Click Apply to apply parameters to selected machine IDs. Confirm the parameters have been applied correctly in the machine ID list.

4. Clear: Click Clear to remove all parameter settings from selected machine IDs.

5. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

6. Days: Shows the number of days before the license expiration date that notification will be sent.

7. Email Address List: Lists the email addresses notifications will be sent to.

8. Notify: If checked, email recipients will be forewarned that this machine ID's security license is about to expire. If blank, notification will not be sent.
11.3 Configure

11.3.1 Install/Remove

The Install/Remove page installs or removes security protection for selected machine IDs. The list of machine IDs displayed depends on the Machine ID/Group ID filter and machine groups the user is authorized to see using System > User Security > Scopes. Installation requires a reboot of the managed machine.

Fig. 11.9 below shows the generic view of the Install/Remove page. The options selected on this page are listed and explained below.
Fig. 11.9: Install/Remove
1. Install: Install KES on selected machine IDs.

2. Verify Install: Displays only in Kaseya 2. Updates 5.x KES clients to K2 KES clients. Can also be used to install a K2 KES client when a standalone version of AVG is already installed on a managed machine.

3. Remove: Remove KES on selected machine IDs.

4. Cancel Pending Operation: Cancel either of the first two actions, if they have not yet been completed.

5. Edit User Prompts: Edit the warning prompt displayed to users, if a warning prompt is displayed. You can also specify the number of minutes the user is allowed to postpone installation. This option only displays for master role users.

6. Reboot Now: Reboots the selected computer. Periodically AVG releases an update that requires a reboot. Reboot required displays in the Version column.

7. Installation Options: Configure the following installation options. These options apply to any installation you subsequently perform. Installation options are defined by VSA user.

• User Name - If checked, enter a name associated with this install of KES.
• Company Name - If checked, enter the name of the company associated with this install of KES.
• Target Directory - If checked, enter a target directory. If blank, the default install directory is used.
• Kill all running applications that prevent installation - If checked, stops all running applications that might prevent successful installation.
• Disable Windows Defender - Running Windows Defender significantly degrades the performance of KES and should be disabled by default using this option.
• Reboot the computer after installation if needed
  • If checked, AVG reboots the computer after installation. Kaseya does not control this event. While the endpoint reboots, the Install Status column may display a Verifying Installation message. Once the endpoint checks in again, the installation completes and the Install Status column displays a green checkmark.
  • If blank, Kaseya controls the reboot. The Install Status column displays a Reboot Required button. The user can click the button to reboot the endpoint. Once the endpoint checks in again, the installation completes and the Install Status column displays a green checkmark.
• Enable end user directory scans - Adds a right-click option to Windows Explorer, enabling the user to scan an individual file or directory immediately.
• Hide AVG system tray icon - If checked, hides the AVG icon in the system tray. If unchecked, the AVG icon displays only after AVG is installed and the machine rebooted.

Script Options

• Script to run before install - Select an agent procedure.
• Script to run after install - Select an agent procedure.

Components

• Link Scanner - Blocks dangerous websites and checks links returned by the most popular search engines. Does not install to browsers running on Windows Server O/S.
• Active Safe Search - Scans a link displayed in a web page, before you click it.
• Search-Shield - Identifies the safety rating for a search link listed in Google, Yahoo and MSN search lists.
• Web-Shield - Scans downloaded files and files exchanged using instant messaging.
• MS Office 2000 - 2007 Add-in - Installs the AVG scanning plugin for Microsoft Office, versions 2000 through 2007.
• Email Scanner - If checked, installation detects the default email client on a machine and automatically installs the respective email scanning plug-in.
• ID Protection - If checked, AVG's Identity Protection option is enabled. Prevents targeted theft of passwords, bank account details, credit card numbers, and other digital valuables using "behavioral analysis" to spot suspicious activity on a machine.
• Firewall (Not managed by Kaseya) - If checked, AVG's firewall option is enabled. Blocks unauthorized access while permitting authorized communications.
• Exchange Server Plug-in (Setting ignored on non-Exchange machines) - If checked, installs KES email protection to MS Exchange Servers. This setting is ignored when the KES client is installed to a non-MS Exchange Server machine.

8. Immediate: Check the Immediate box to begin the install as soon as Install is clicked.

9. Date/Time: Enter the year, month, day, hour, and minute to schedule this task.

10. Stagger by: You can distribute the load on your network by staggering this task. If you set this parameter to 5 minutes, then the task on each machine ID is staggered by 5 minutes.

11. Skip if Machine Offline: Check to perform this task only at the scheduled time, within a 15 minute window. If the machine is offline, skip and run the next scheduled period and time. Uncheck to perform this task as soon as the machine connects after the scheduled time.

12. Applied Licenses: Displays the number of annual KES licenses applied to machines.

13. License Pool: Displays the number of additional licenses available: partially-used KES licenses and never-used KES licenses. Partially-used licenses are always consumed first.

14. Install from KServer (override file source): If checked, installs are downloaded from the KServer. If blank, installs are downloaded using the method specified in Patch Management > File Source.

15. Select Profile: Selects the security profile to assign a machine ID when security protection is installed.
16. Prompt user before install / Force install without warning user: Installation requires a reboot of the managed machine. If Prompt user before install is selected, the user is given the option of postponing the installation for a specified number of minutes. Otherwise Force install without warning user causes the software to be installed at the scheduled time without warning the user.
17. Auto Refresh: Selecting this checkbox automatically updates the paging area every five seconds. This checkbox is automatically selected and activated whenever Install is clicked.

18. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.

19. Install Status: If checked, KES client software is installed on the machine ID. If the agent software is earlier than 4.7.1, the message Requires Agent Update displays. If blank, KES client software is not installed on the machine ID.

20. Install Source: If a file source is defined using Patch Management > File Source, then installs are sourced from this location. Otherwise, installs are sourced from the internet.

21. Installed On: The date KES client software was installed on the machine ID.

22. Version: The version of security protection currently used by this machine ID.

11.3.2 Define Profile

The Define Profile page manages security profiles. Each security profile represents a different set of enabled or disabled security options. Changes to a security profile affect all machine IDs assigned that security profile. A security profile is assigned to machine IDs using Security > Assign Profile. Typically different types of machines or networks require different security profiles. A sample profile is provided for you. You can't change the sample profile, but you can save it under a new name and make changes to the copy.

Fig. 11.10 below shows the generic view of the Define Profile page. The options supported on this page are listed and explained below.
Fig. 11.10: Define Profile
1. Save: Saves changes to a security profile.

2. Save As: Creates a new security profile by saving it using a different name.

3. Delete: Deletes an existing security profile.

4. Share: Shares a private security profile. Other users cannot see private security profiles. Sharing a private security profile makes it a public security profile. Share rights are assigned by object. There are three sharing checkbox options. The first two checkboxes are mutually exclusive and determine what share rights are assigned. If neither of the first two checkboxes is checked, the shared object can only be seen by the users given share access, but the object cannot be used nor edited. The Shared and Not Shared list boxes and the third checkbox determine who can see the object.

• Allow other administrators to modify: If checked, share rights to the object include being able to use it, view its details and edit it.
• Other administrators may use but may not view or edit: If checked, share rights to the object only allow using it.
• Make public (seen by all administrators): If checked, ensures that all current and future VSA users can see the object. If blank, only selected user roles and users can see the shared object. If blank, and new users or user roles are added later, you have to return to this dialog to enable them to see the specific object.

5. Take Ownership: Takes ownership of any public security profile. This option only displays for master role users.

6. General: There are three sections when General is selected. An explanation of these sections is provided below.

Virus Vault

Limit Size of the Vault - If checked, limits the size of the vault as specified using the following options:

• Maximum Size of the Vault: <N>% of Local Disk - Enter the maximum percentage of disk space to allocate for the storage of quarantined threats.
• Minimum Available Space to Remain on Local Disk - Enter the minimum number of megabytes to allocate on the disk to the storage of quarantined threats.

Automatic File Deletion - If checked, deletes files automatically as specified by the following options:

• Delete Files Older than <N> Days - Enter the number of days to store quarantined threats before they are automatically deleted.
• Maximum Number of Files to Store - Enter the maximum number of quarantined threats to store.

System Tray Notifications

• Display system tray notifications - If checked, the following system tray notifications can be optionally enabled. All notification messages display on the managed machine next to the system tray.
  • Display tray notifications about update - If checked, displays a notification message that the KES software is being updated.
  • Display tray notifications about scanning - If checked, displays a notification message that the machine is being scanned.
  • Display Resident Shield related tray notifications (automatic action) - If checked, displays a notification message that Resident Shield has taken action against a threat.
  • Display components state change notification - If checked, displays a notification message that the state of one of the KES components has changed.
  • Display Email Scanner related notifications - If checked, displays a notification message that email scanning has taken action against an email threat.

Agent Icon Menu

Display option to Enable/Disable Resident Shield in Agent Icon Menu - If checked:

• Enable Security and Cancel Scan options display in the agent task menu of the managed machine.
• The user can click the Enable Security option on the agent menu to turn security protection on or off.
• The user can click the Cancel Scan option on the agent menu to cancel an ongoing security protection scan.

7. Resident Shield: Resident Shield is a memory-resident feature.

• Enable Resident Shield - If checked, the following types of files are scanned as they are copied, opened or saved. If blank, no other Resident Shield options are evaluated.

File Types

• Scan all files - If selected, all files on the managed machine are scanned.
• Scan Infectible Files and Selected Document Types - If selected, specifies the additional file extensions of programs and documents to include or exclude using the following options:
  • Exclude files with the following extensions from the scan - Specifies the file extensions of programs and documents to exclude from a scan. Excluded extensions have precedence over included extensions. Enter each extension separated by a semi-colon (;) character.
  • Always scan files with the following extensions - Specifies the file extensions of programs and documents to include in a scan. Enter each extension separated by a semi-colon (;) character. Resident Shield scans the following file extensions without you having to specify them: 386;ASP;BAT;BIN;BMP;BOO;CHM;CLA;CLASS;CMD;CNM;COM;CPL;DEV;DLL;DO*;DRV;EML;EXE;GIF;HLP;HT*;INI;JPEG*;JPG;JS*;LNK;MD*;MSG;NWS;OCX;OV*;PCX;PGM;PHP*;PIF;PL*;PNG;POT;PP*;SCR;SHS;SMM;SYS;TIF;VBE;VBS;VBX;VXD;WMF;XL*;XML;ZL*;
• Scan files without an extension - If checked, the scan includes files without an extension.
Additional Options
• Scan for Tracking Cookies - If checked, the scan includes internet browser tracking cookies. Found tracking cookies are deleted immediately and not moved to the virus vault.
• Scan Potentially Unwanted Programs and Spyware threats - If checked, the scan detects executable applications or DLL libraries that could be potentially unwanted programs. Some programs, especially free ones, include adware and may be detected and reported by KES as a Potentially Unwanted Program.
• Scan files on close - If checked, files are scanned as they are closed.
• Scan boot sector of removable media - If checked, the scan includes the boot sector of removable media.
• Use Heuristics - If checked, scanning includes heuristic analysis. Heuristic analysis performs a dynamic emulation of a scanned object's instructions within a virtual computing environment.
8. Email Scanner
• Enable Email Scanner - If checked, inbound and outbound email and attachments are scanned for viruses. If blank, no other Email Protection options are evaluated.
Email Scanning
• Check Incoming Email - If checked, incoming email is scanned.
• Do Not Certify Email - If selected, incoming email is not certified.
• Certify all Email - If selected, all incoming email is certified.
• Only Certify Email with Attachments - If selected, only incoming email with attachments is certified.
• Incoming Email Certification - Certification text appended to incoming email.
• Check Outgoing Email - If checked, outgoing email is scanned.
• Do Not Certify Email - If selected, outgoing email is not certified.
• Certify all Email - If selected, all outgoing email is certified.
• Only Certify Email with Attachments - If selected, only outgoing email with attachments is certified.
• Outgoing Email Certification - Certification text appended to outgoing email.
• Modify Subject for Messages Marked as Virus - Adds prefix text to the subject of a message that contains a virus.
Scanning Properties
• Use Heuristics - Applies to an email message. If checked, scanning includes heuristic analysis. Heuristic analysis performs a dynamic emulation of a scanned object's instructions within a virtual computing environment.
• Scan Potentially Unwanted Programs and Spyware threats - If checked, email scanning includes scanning for spyware, adware, and potentially unwanted programs.
• Scan inside archives (RAR, RAR 3.0, ZIP, ARJ, CAB) - If checked, email archives are scanned.
Email Attachments Reporting (as a threat)
• Report Password Protected Archives - If checked, reports password-protected archive attachments (zip, rar, etc.) in email as threats.
• Report Password Protected Documents - If checked, reports password-protected document attachments in email as threats.
• Report Files containing macro - If checked, reports files containing macros attached to email as threats.
• Report hidden extensions - If checked, reports files that use a hidden extension. Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. The default Windows setting is to hide known extensions, so the file looks like ILOVEYOU.TXT. When you open it you do not open a .TXT text file but instead execute a .VBS procedure file.
• Move reported attachments to Virus Vault (incoming email only) - If checked, reported email attachments are moved to the virus vault. They display in the Virus Vault tab of the View Threats page instead of in the Current Threats tab.
9. Full Scan
Scan Settings
• Scan Potentially Unwanted Programs and Spyware threats - If checked, the scan detects executable applications or DLL libraries that could be potentially unwanted programs. Some programs, especially free ones, include adware and may be detected and reported by KES as a Potentially Unwanted Program.
• Scan for Tracking Cookies - If checked, the scan includes internet browser tracking cookies. Found tracking cookies are deleted immediately and not moved to the virus vault.
• Scan Inside Archives - If checked, scanning includes archive files, such as ZIP and RAR files.
• Use Heuristics - If checked, scanning includes heuristic analysis. Heuristic analysis performs a dynamic emulation of a scanned object's instructions within a virtual computing environment.
• Scan system environment - If checked, system areas are scanned before the full scan is started.
• Scan infectible files only - If checked, "infectible" files are scanned based on their contents regardless of their file extensions. For example, an EXE file could be renamed but still be infected. The following types of files are considered "infectible" files:
• EXE type - COM;DRV;EXE;OV?;PGM;SYS;BIN;CMD;DEV;386;SMM;VXD;DLL;OCX;BOO;SCR;ESL;CLA;CLASS;BAT;VBS;VBE;WSH;HTA;HTM;HTML;?HTML;CHM;INI;HTT;INF;JS;JSE;HLP;SHS;PRC;PDB;PIF;PHP;ZL?;ASP;LNK;EML;NWS;CPL;WMF
• DOC type - DO?;XL?;VBX;RTF;PP?;POT;MDA;MDB;XML;DOC?;DOT?;XLS?;XLT?;XLAM;PPT?;POT?;PPS?;SLD?;PPAM;THMX
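The extension-list rules described in the Resident Shield section (include/exclude lists with exclude precedence), the Email Scanner's hidden-extension report (the ILOVEYOU.TXT.VBS case) and the Full Scan infectible-type lists above, modelled as an added example that is not Kaseya or AVG code. The lists are copied from this chapter; the classification is by file name only, whereas the text states the product also inspects file contents, and the rule that only a doubled name with an infectible true extension is reported is an assumption.

```python
# Added example, not Kaseya or AVG code: a model of the extension-list rules
# this chapter describes (Resident Shield include/exclude lists, the Full Scan
# "infectible" type lists and the Email Scanner hidden-extension report).
# It decides by file name only; the real product also inspects file contents.
from fnmatch import fnmatchcase

# Lists copied from the chapter. ';' separates entries; '*' and '?' are wildcards.
RESIDENT_SHIELD_DEFAULTS = ("386;ASP;BAT;BIN;BMP;BOO;CHM;CLA;CLASS;CMD;CNM;COM;CPL;DEV;"
    "DLL;DO*;DRV;EML;EXE;GIF;HLP;HT*;INI;JPEG*;JPG;JS*;LNK;MD*;MSG;NWS;OCX;OV*;PCX;"
    "PGM;PHP*;PIF;PL*;PNG;POT;PP*;SCR;SHS;SMM;SYS;TIF;VBE;VBS;VBX;VXD;WMF;XL*;XML;ZL*")
EXE_TYPE = ("COM;DRV;EXE;OV?;PGM;SYS;BIN;CMD;DEV;386;SMM;VXD;DLL;OCX;BOO;SCR;ESL;CLA;"
    "CLASS;BAT;VBS;VBE;WSH;HTA;HTM;HTML;?HTML;CHM;INI;HTT;INF;JS;JSE;HLP;SHS;PRC;PDB;"
    "PIF;PHP;ZL?;ASP;LNK;EML;NWS;CPL;WMF")
DOC_TYPE = ("DO?;XL?;VBX;RTF;PP?;POT;MDA;MDB;XML;DOC?;DOT?;XLS?;XLT?;XLAM;PPT?;POT?;"
    "PPS?;SLD?;PPAM;THMX")


def parse_ext_list(text):
    """Split a semicolon-separated extension list into upper-case patterns."""
    return [p.strip().upper() for p in text.split(";") if p.strip()]


def extensions(filename):
    """All extensions of a name, outermost last: 'a.txt.vbs' -> ['TXT', 'VBS']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.upper() for p in base.split(".")[1:] if p]


def matches(ext, patterns):
    """Case-insensitive wildcard match of one extension against a pattern list."""
    return any(fnmatchcase(ext.upper(), pat) for pat in patterns)


def resident_shield_scans(filename, scan_all=False, include="", exclude="",
                          scan_no_extension=False):
    """Would Resident Shield scan this file on copy/open/save? Excluded
    extensions take precedence over included ones, as the chapter states,
    and the built-in default list is always included."""
    if scan_all:
        return True
    exts = extensions(filename)
    if not exts:
        return scan_no_extension
    if matches(exts[-1], parse_ext_list(exclude)):
        return False
    wanted = parse_ext_list(include) + parse_ext_list(RESIDENT_SHIELD_DEFAULTS)
    return matches(exts[-1], wanted)


def infectible_type(filename):
    """Classify by the true (last) extension: 'EXE', 'DOC' or None."""
    exts = extensions(filename)
    if not exts:
        return None
    if matches(exts[-1], parse_ext_list(EXE_TYPE)):
        return "EXE"
    if matches(exts[-1], parse_ext_list(DOC_TYPE)):
        return "DOC"
    return None


def hidden_extension(filename):
    """Report a doubled extension that Windows' hide-known-extensions setting
    would disguise (ILOVEYOU.TXT.VBS is shown as ILOVEYOU.TXT). Returns the
    name as the user would see it, or None when there is nothing to report.
    Assumption: only doubled names whose true extension is infectible count."""
    exts = extensions(filename)
    if len(exts) < 2 or infectible_type(filename) is None:
        return None
    return filename[: -(len(exts[-1]) + 1)]
```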
Performance
• Select System Priority for Scan - Defines how fast the scan runs and how much system resources the scan uses. You can set the scan to run as fast as possible while slowing down a computer noticeably, or you can choose that you wish the scan to run using as little system resources as possible, while prolonging the scan's run time.
10. Exchange
• Enable AVG for Exchange Server - Enable or disable email scanning for assigned MS Exchange Servers.
• Mail Certification - Enable or disable adding a certification note to scanned email on MS Exchange Servers. Customize the certification note in the text field.
Performance
• Run scans in background - Enable or disable background scanning. Background scanning is one of the features of the VSAPI 2.0/2.5 application interface. It provides threaded scanning of the Exchange Messaging Databases. Whenever an item that has not been scanned before is encountered in users' mailbox folders, it is submitted to AVG for Exchange 2000/2003 Server to be scanned. Scanning and searching for unexamined objects run in parallel. A specific low-priority thread is used for each database, which guarantees other tasks, for example email message storage in the Microsoft Exchange database, are always carried out preferentially.
• Scan Proactively - Enable or disable VSAPI 2.0/2.5 proactive scanning. Proactive scanning involves dynamic priority management of items in the scanning queue. Lower priority items are not scanned unless all higher priority ones have been scanned. An item's priority rises if a client tries to use it, so an item's precedence changes dynamically according to user activity.
• Scan RTF Files - Specify whether RTF files should be scanned or not.
• Scanning Threads - The scanning process is threaded by default to increase the overall scanning performance by a certain level of parallelism. The default number of threads is computed as 2 times the 'number_of_processors' + 1.
• Scan Timeout - The maximum continuous interval, in seconds, for one thread to access the message that is being scanned.
11. Exclude Dirs
Exclude Directories
• Add new record - Adds directories excluded from a scan. Some directories may be threat-free but contain files that are erroneously interpreted as malware.
12. Exclude PUPs
Exclude Potentially Unwanted Programs
Use this tab to exclude potentially unwanted programs, or PUPs, manually. The View Threats page provides a quicker method of identifying and excluding PUPs.
• Add new record - Adds PUP files to exclude from a scan. Some files may be threat-free but be erroneously interpreted as potentially unwanted programs (PUPs). You need to identify the filename, its checksum value and its file size in bytes.
Click Add New Record then enter the following:
• Filename - Enter the name of the file.
• Checksum - Enter the checksum value of the file. To determine the checksum value, open the AVG UI on a machine that contains the file. Select Tools > Advanced Settings. Select the PUP Exceptions property sheet. Click the Add exception button. Select the file by browsing the machine's local directory. The corresponding checksum value is displayed. Copy and paste the checksum value from the AVG UI into the Add new record dialog box of the Exclude Pups tab of Security > Define Profile.
• File Size - Enter the file size in bytes. To determine the file size, right-click the file in Windows Explorer and check the Size value in bytes.
13. Updates
Use this tab to configure how AVG updates are downloaded.
Proxy Settings
Enables/disables using a proxy server to download AVG updates.
• Don't use proxy - Disables proxy settings.
• Use proxy - Enables proxy settings.
• Try connection using proxy, and if it fails, connect directly - Enables proxy settings. If proxy fails, connects directly.
Manual - Sets proxy settings manually.
• Server - Enter a valid proxy server name or IP address.
• Port - Enter a port number.
• Use PROXY authentication - If checked, proxy authentication is required.
• Username - If Use PROXY authentication is checked, enter a valid username.
• Password - If Use PROXY authentication is checked, enter a valid password.
Auto - Sets proxy settings automatically.
• From browser - Select a default browser from the drop-down menu to set proxy settings.
• From script - Enter the full path of a script that specifies the proxy server address.
• Auto detect - Attempts to get the settings from the proxy server directly.
Update URL
AVG provides a default URL to download updates. You can preferentially download updates from a custom URL.
• Use Custom Update URL - Select this option to preferentially download updates from a custom URL.
• Name - Enter the name of the custom update URL.
• URL - Enter the URL.
11.3.3 Assign Profile
The Assign Profile page assigns security profiles to machine IDs licensed to use KES. Security profiles are defined using Security > Define Profile. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.
Fig. 11.11 below shows the generic view of the Assign Profile page. The options supported on this page are listed and explained below.
1. Apply Configuration: Click Apply Configuration to apply the security profile displayed in the Select Profile drop-down box to selected machine IDs.
2. Select Profile: Select a security profile to apply to selected machine IDs.
Fig. 11.11: Assign Profile
3. Only display machines with the selected profile: If checked, filters the paging area by the selected security profile.
4. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.
5. Profile Name: Displays the security profile assigned to a machine ID. Displays the status of the machine ID if there is a problem.
11.3.4 Log Settings
The Log Settings page specifies the number of days to keep security protection log data for machine IDs licensed to use KES. Certain machines, such as web servers, may warrant maintaining a longer history of virus attacks than other types of machines. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.
Fig. 11.12 below shows the generic view of the Log Settings page. The options supported on this page are listed and explained below.
1. Apply Configuration: Click Apply Configuration to apply the number of days specified in the <N> days to keep log entries field to selected machine IDs.
2. <N> days to keep log entries: Enter the number of days to maintain security protection log data.
3. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.
4. Log Days Before Expiration: Shows the number of days security protection log data is maintained for a machine ID.
Fig. 11.12: Log Settings
11.4 MS Exchange
11.4.1 Exchange Status
The Exchange Status page displays the status of email protection on MS Exchange servers that have KES installed on them. During the install of KES on a machine, if MS Exchange is detected, the plugin for MS Exchange email protection is automatically installed.
The list of machine IDs you can select depends on the machine ID/group ID filter. Also, the machine ID must have MS Exchange Server installed on the machine.
Fig. 11.13 below shows the generic view of the Exchange Status page. The options supported on this page are listed and explained below.
1. Mailboxes Protected / Mailbox Licenses: Displays both the number of Exchange Server mailboxes protected and the number of mailbox licenses used and available.
2. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.
3. Install Status: If checked, KES client software is installed on the machine ID. If the agent software is earlier than 4.7.1, the message Requires Agent Update displays. If blank, KES client software is not installed on the machine ID.
4. Install Source: If a file source is defined using Patch Management > File Source, then installs are sourced from this location. Otherwise, installs are sourced from the internet.
If the option Download from Internet if machine is unable to connect to the file server is selected in Patch Management > File Source:
• During a KES v2.x endpoint install, if the file source is down or credentials invalid, the installer is downloaded from the Kserver and completes the endpoint install.
• During a KES v2.x manual update, if the file source is down or credentials invalid, the update is downloaded from the internet.
Fig. 11.13: Exchange Status
In both cases above, the View Logs page displays an error message stating why the file source failed and that it is trying to download from the internet.
5. Mailboxes: The number of email accounts on the MS Exchange Server.
6. Installed On: The date MS Exchange Server email protection was installed on the machine ID.
11.5 Security Alarms
11.5.1 Define Alarm Sets
The Define Alarm Sets page defines sets of alarm conditions used to trigger alerts using the Apply Alarm Sets page.
To Create a New Alarm Set
1. Select <No Alarm Sets Saved> in the Select Profile drop-down list. Alternatively you can select an existing alarm set and click Save As.
2. Check one or more alarm condition checkboxes.
3. Use the Ignore additional alarms for <N> <periods> to specify the number of minutes to ignore the same set of alarm conditions. Set to 0 to trigger an alarm each time an alarm condition occurs.
4. Click Save to save the alarm set.
To Delete an Alarm Set
1. Select an alarm set from the Select Profile drop-down list.
2. Click Delete to delete the alarm set.
Fig. 11.14 below shows the generic view of the Define Alarm Sets page. The options supported on this page are listed and explained below.
Fig. 11.14: Define Alarm Sets
1. Save: Save the alarm set.
2. Save As: Save an alarm set to a new name.
3. Delete: Delete an alarm set.
4. Share: Displays if you own a selected alarm set. Share this alarm set with users or user roles, or make it public for all users. Share rights are assigned by object. There are three sharing checkbox options. The first two checkboxes are mutually exclusive and determine what share rights are assigned. If neither of the first two checkboxes is checked, the shared object can only be seen by the users given share access, but the object cannot be used nor edited. The Shared and Not Shared list boxes and the third checkbox determine who can see the object.
• Allow other administrators to modify - If checked, share rights to the object include being able to use it, view its details and edit it.
• Other administrators may use but may not view or edit - If checked, share rights to the object only allow using it.
• Make public (seen by all administrators) - If checked, ensures that all current and future VSA users can see the object. If blank, only selected user roles and users can see the shared object. If blank, and new users or user roles are added later, you have to return to this dialog to enable them to see the specific object.
5. Ignore additional alarms <N> <periods>: Specify the number of periods you want the same type of alarm to be ignored after the first alarm is triggered.
6. Alarm Conditions: Check any of the following types of alarm conditions to include it in a KES alarm set.
• Threat Detected and Not Healed - A threat has been added to the Current Threats tab of the View Threats page that could not be automatically healed.
• Protection Disabled - Security protection has been disabled.
• Definition Updated - Security protection has been updated with the latest version of KES.
• Scheduled Scan Completed - A security protection scan has been completed.
• Reboot Required - A reboot is required.
• Protection Enabled - Security protection has been enabled.
• Service Error - The KES service has stopped.
• Definition Not Updated in <N> Days - Security protection has not been updated for the specified number of days.
• Scheduled Scan Did Not Complete - A scheduled security protection scan did not complete.
• AVG Removed by User - A machine user has uninstalled the AVG client from the managed machine.
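How an alarm set with the "Ignore additional alarms for <N> <periods>" setting thins out a stream of the alarm conditions listed above, as an added example that is not Kaseya code. The condition identifiers and the event timeline are constructed, and anchoring the ignore window at the last alert that was actually raised for a condition is an assumption about the product's behaviour.

```python
# Added example, not Kaseya code: applies a KES-style alarm set to a stream of
# security protection events, honouring the "Ignore additional alarms for <N>
# <periods>" setting. Condition names and the event timeline are constructed.
from collections import namedtuple

Event = namedtuple("Event", "minute condition")  # minute: offset from start

# One constructed identifier per checkbox in the Alarm Conditions list.
ALL_CONDITIONS = frozenset({
    "threat_not_healed", "protection_disabled", "definition_updated",
    "scheduled_scan_completed", "reboot_required", "protection_enabled",
    "service_error", "definition_not_updated", "scan_did_not_complete",
    "avg_removed_by_user"})


def apply_alarm_set(events, enabled, ignore_minutes):
    """Return the events that raise an alert under this alarm set.
    - conditions not checked in the set never alert;
    - after an alert, the same condition is ignored for ignore_minutes
      (assumption: the window is anchored at the last raised alert);
    - ignore_minutes == 0 alerts on every occurrence, as the chapter states."""
    unknown = set(enabled) - ALL_CONDITIONS
    if unknown:
        raise ValueError(f"not a KES alarm condition: {sorted(unknown)}")
    last_alert = {}
    raised = []
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.condition not in enabled:
            continue
        prev = last_alert.get(ev.condition)
        if prev is not None and ignore_minutes and ev.minute - prev < ignore_minutes:
            continue  # inside the ignore window for this condition type
        last_alert[ev.condition] = ev.minute
        raised.append(ev)
    return raised


# Constructed timeline: a noisy endpoint during one hour.
SAMPLE_EVENTS = [
    Event(0, "protection_disabled"),
    Event(2, "threat_not_healed"),
    Event(5, "threat_not_healed"),     # repeat inside a 15-minute window
    Event(12, "definition_updated"),   # not checked in the sample set below
    Event(20, "threat_not_healed"),    # window expired: alerts again
    Event(21, "protection_disabled"),  # 21 minutes after the first: alerts
]

if __name__ == "__main__":
    chosen = {"threat_not_healed", "protection_disabled", "service_error"}
    for ev in apply_alarm_set(SAMPLE_EVENTS, chosen, ignore_minutes=15):
        print(f"alert at minute {ev.minute:>2}: {ev.condition}")
```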
11.5.2 Apply Alarm Sets
The Apply Alarm Sets page creates alerts in response to security protection alarm conditions defined using Define Alarm Sets. The alarm sets are applied to selected machine IDs licensed to use KES. The list of machine IDs you can select depends on the machine ID/group ID filter. To display on this page, machine IDs must have the KES client software installed on the managed machine using the Security > Install/Remove page.
To Create an Alert
1. Check any of these checkboxes to perform their corresponding actions when an alarm condition is encountered:
• Create Alarm
• Create Ticket
• Run Script
• Email Recipients
2. Set additional email parameters.
3. Select an alarm set.
4. Check the machine IDs to apply the alarm set to.
5. Click Apply to assign the alarm set to selected machine IDs.
To Cancel an Alert
1. Select machine ID checkboxes.
2. Click Remove to remove the assigned alarm set from selected machine IDs.
Fig. 11.15 below shows the generic view of the Apply Alarm Sets page. The options supported on this page are listed and explained below.
Fig. 11.15: Apply Alarm Sets
1. Apply: Apply a selected alarm set to selected machine IDs.
2. Remove: Remove a selected alarm set from selected machine IDs.
3. Remove All: Remove all alarm sets assigned to selected machine IDs.
4. Format Email: Format the email sent to email recipients. This option only displays for master role users.
5. Create Alarm: If checked and an alarm condition is encountered, an alarm is created. Alarms are displayed in Monitor > Dashboard List, Monitor > Alarm Summary and Info Center > Reports > Logs > Alarm Log.
6. Create Ticket: If checked and an alarm condition is encountered, a ticket is created.
7. Run Script: If checked and an alarm condition is encountered, an agent procedure is run. You must click the select agent procedure link to choose an agent procedure to run. You can optionally direct the agent procedure to run on a specified range of machine IDs by clicking the this machine ID link. These specified machine IDs do not have to match the machine ID that encountered the alarm condition.
8. Email Recipients: If checked and an alarm condition is encountered, emails are sent to the specified email addresses.
• Click Format Email to display the Format Alert Email popup window. This window enables you to format the display of emails generated by the system when an alarm is triggered.
• Email is sent directly from the VSA to the email address specified in the alert. Set the From Address using System > Outbound Email.
9. Select an Alarm Set: Select an alarm set to apply to selected machine IDs.
10. Machine.Group ID: The list of Machine.Group IDs displayed is based on the Machine ID/Group ID filter and the machine groups the user is authorized to view.
11. Alarm Set: Lists the alarm sets assigned to each machine ID.
12. ATSE: The ATSE response code assigned to machine IDs or SNMP devices:
• A = Create Alarm
• T = Create Ticket
• S = Run Agent Procedure
• E = Email Recipients
13. Email Address: A comma separated list of email addresses where notifications are sent.