Using Endpoint Security Console
- Managed Network
(Note: Active Directory is required for all features involving Users and Groups.)
The
Managed Network section lists all
active workstations running the
Endpoint Security Service. The
computer name and Active Directory
User Name (if applicable) are
displayed. The Managed Network is
where the primary configuration of
Endpoint Security Console takes
place, including Application
Security, Process Detection and
Monitoring, and System/Email Anomaly
Detection.
Applications
The Applications screen lists all of the Application and Process Monitor rules that Endpoint Security Console enforces for the applications shown. The Process Monitor filters processes for potentially malicious system API calls, the calls that programmers (and attackers) use to launch executables. For each entry the screen shows the application and executable file name, the version number, the number of rules being enforced, and the rule 'Mode', which can be set to Allow, Deny, or Filter incoming and outgoing traffic.

The top window displays all 'Allowed/Filtered' or 'Denied' applications, and the bottom window displays a 'Queue List' containing all Application/Process Monitor activity from Computers/Users/Groups that requires approval from the Administrator. The Administrator can view the proposed rules for each Queue List item by right-clicking the item and selecting 'View Suggested Rules' (see below).

The Mode decides whether those rules are consulted at all. When the Mode is 'Filter', every rule set for the application is applied. When the Mode is 'Allow', all rules are disabled and all activity related to the application is permitted, so switching a filtered application to 'Allow' removes its restrictions rather than relaxing them. When the Mode is 'Deny' ('Block'), no activity is allowed.

Process Monitor
Endpoint Security Console maintains a list of processes that are filtered for potentially malicious system API calls, the calls that programmers (and attackers) use to launch executables. The process list is kept in the Applications node, and a separate list of Process Monitor rules is maintained alongside it. As the screenshot above shows, each process-related function listed can be set to Allow, Deny, or Ask the administrator. A set of default processes belonging to commonly used applications, such as Internet Explorer, is set to 'Allow'. Non-default processes detected by Endpoint Security Console are set to 'Filter' if allowed or 'Deny' if not allowed.

Behavioral Settings
Email Anomaly Detection
This feature tracks outbound email delivery behavior and raises alerts when outbound email activity is unusual in the type or number of emails delivered within a given period of time. The Email Anomaly Detection Engine is based on each workstation's own email activity over a period called the 'Training Period', which can be set to 7, 14, or 28 days. Training only begins once the 'Enable Detection' checkbox is selected, and the Anomaly Detection Engine starts immediately after the training period ends. Whatever the workstation sends during training is what the engine learns as normal, so the training period should be one in which the workstation is known to be behaving normally. Training statistics can be viewed during or after the training period (see screenshot).

System Anomaly Detection
The System Anomaly Detection layer analyzes the normal usage patterns of running applications and generates alerts when it detects unusual activity. The System Anomaly Detection Engine establishes a baseline of normal use from several system variables, such as CPU utilization and thread count. These variables are monitored over a 'Training Period', which can be set to 7, 14, or 28 days from the Main Menu (the default is 7 days). The 'Enable Detection' checkbox must be selected for training to be active; it is enabled by default, so training commences immediately upon installation.
Sensitivity Threshold - The Privatefirewall System Anomaly Detection layer generates alerts when system activity deviates from the trained baseline. How sensitive that comparison is can be tuned with the Sensitivity Threshold. Decreasing the threshold increases the sensitivity, meaning that smaller deviations generate alerts; increasing it allows greater variance from normal activity before an alert is raised. By default the System Anomaly Detection Sensitivity Threshold is 60%, which in simple terms means that activity deviating by more than 60% from normal generates an alert.
Selecting the Training Statistics
button will display the System
behavior data collected during
training. These may be viewed
during or after the Training period
(see screenshot).

The Anomaly Detection Engine starts immediately after the end of the training period and writes an alert to the Activity Log whenever activity is not consistent with the system use patterns established during training. Additional event details are in the 'Reason' column of the Activity Log.
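The Email and System Anomaly Detection layers above share one mechanism: collect samples for a training period, reduce them to a baseline of 'normal', and alert once a later sample deviates from that baseline by more than the sensitivity threshold. The Python below is an added example of that mechanism and is not Privacyware's code. The page does not say how the baseline is computed, so this example assumes the baseline is the mean of the training samples, that deviation is measured as a fraction of that mean (so the 60% default fires on a sample more than 60% above or below it), and that a metric with no training history at all is itself reported. The metric names, timestamps and sample values are constructed for the demonstration.

```python
from __future__ import annotations

from datetime import datetime, timedelta
from statistics import mean


class AnomalyDetector:
    """Train a per-metric baseline for a fixed period, then alert on deviation.

    Metric names are free-form strings chosen by the caller, for example
    'mail:outbound_per_hour' (email layer) or 'sys:outlook.exe:threads'
    (system layer). Both names are constructed for this example.
    """

    TRAINING_CHOICES = (7, 14, 28)  # the training periods the console offers

    def __init__(self, training_days: int = 7, threshold: float = 0.60) -> None:
        if training_days not in self.TRAINING_CHOICES:
            raise ValueError(f"training period must be one of {self.TRAINING_CHOICES}")
        self.training = timedelta(days=training_days)
        self.threshold = threshold            # 0.60 mirrors the 60% default
        self.started: datetime | None = None  # None until 'Enable Detection'
        self._samples: dict[str, list[float]] = {}
        self.baselines: dict[str, float] = {}
        self.alerts: list[tuple[datetime, str, str]] = []  # (when, metric, reason)

    def enable(self, now: datetime) -> None:
        """'Enable Detection': training starts now and runs for the full period."""
        self.started = now
        self._samples.clear()
        self.baselines.clear()

    def in_training(self, now: datetime) -> bool:
        return self.started is not None and now < self.started + self.training

    def training_statistics(self) -> dict[str, dict[str, float]]:
        """Per-metric summary of what training collected ('Training Statistics')."""
        return {
            m: {"samples": len(v), "mean": mean(v), "min": min(v), "max": max(v)}
            for m, v in self._samples.items()
        }

    def observe(self, now: datetime, metric: str, value: float) -> str | None:
        """Record one sample. After training, return the alert 'Reason' or None."""
        if self.started is None:
            return None                       # detection disabled: nothing recorded
        if self.in_training(now):
            self._samples.setdefault(metric, []).append(value)
            return None
        if metric not in self.baselines:
            history = self._samples.get(metric)
            if not history:
                # Assumption: a metric never seen during training has no 'normal'
                # to compare against, so its first appearance is reported.
                return self._alert(now, metric, f"no training baseline (value {value})")
            self.baselines[metric] = mean(history)
        base = self.baselines[metric]
        if base == 0:                         # silent during training: any activity deviates
            deviation = float("inf") if value else 0.0
        else:
            deviation = abs(value - base) / base
        if deviation > self.threshold:        # strictly more than the threshold
            return self._alert(
                now, metric,
                f"{value} deviates {deviation:.0%} from training mean {base:.1f} "
                f"(threshold {self.threshold:.0%})",
            )
        return None

    def _alert(self, now: datetime, metric: str, reason: str) -> str:
        reason = f"{metric}: {reason}"
        self.alerts.append((now, metric, reason))
        return reason


def run_samples(training: list[float], later: list[float],
                threshold: float = 0.60) -> list[str | None]:
    """Feed up to seven daily training values, then evaluate each later value."""
    t0 = datetime(2024, 1, 1)
    det = AnomalyDetector(training_days=7, threshold=threshold)
    det.enable(t0)
    for day, v in enumerate(training):
        det.observe(t0 + timedelta(days=day), "metric", v)
    return [det.observe(t0 + timedelta(days=7), "metric", v) for v in later]


def demo() -> list[str]:
    """Constructed data: seven quiet training days, then three post-training samples."""
    t0 = datetime(2024, 3, 1, 9, 0)
    det = AnomalyDetector(training_days=7)
    det.enable(t0)
    for day in range(7):
        when = t0 + timedelta(days=day)
        det.observe(when, "mail:outbound_per_hour", 10)             # steady mail volume
        det.observe(when, "sys:outlook.exe:threads", 40 + day % 2)  # 40 or 41 threads
    after = t0 + timedelta(days=7, hours=1)                         # training has ended
    results = [
        det.observe(after, "mail:outbound_per_hour", 12),   # +20%: within tolerance
        det.observe(after, "mail:outbound_per_hour", 25),   # +150%: mass-mailing burst
        det.observe(after, "sys:outlook.exe:threads", 90),  # +123%: thread explosion
    ]
    return [r for r in results if r is not None]
```

Two details matter in practice: samples taken before 'Enable Detection' are discarded rather than trained on, and a sample exactly at the threshold does not alert, only one strictly beyond it, which is the reading of "deviating more than 60%" used here.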
Process Detection
The Process Detection feature records all processes launched during the 'Training Period', which can be set to 1, 3, or 7 days. Training is enabled by default and commences immediately upon installation, for a period of 7 days. Every process detected during the Training Period is added to the trusted process list, so any unwanted program already running on the workstation during those days is learned as trusted; the training period should therefore be one in which the workstation is known to be clean. After the training period, a Tray Alert is generated whenever a process attempts to run that was not recorded during training. If the process belongs to known, trusted activity, it should be allowed.

The top window displays all Trusted (allowed) processes, and the bottom window displays a 'Queue List' containing all detected processes from Computers/Users/Groups that require review by the Administrator. The Administrator can right-click each item in the Queue List to Allow or Deny the process.
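The trusted-process list described above is a learned allowlist: record everything that runs during training, then queue anything unfamiliar for the Administrator to Allow or Deny. The Python below is an added example of that workflow and is not Privacyware's code. It goes one step beyond the page's text by identifying a process by its image path and the file's hash rather than by name alone, so a replaced binary at a trusted path is still queued; the page does not say whether the product hashes images, and the computer names, user names, paths and placeholder hashes are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessLaunch:
    when: datetime
    computer: str
    user: str
    image: str    # full path of the executable that was launched
    sha256: str   # hash of that file; assumed available to the agent (not stated on the page)


class ProcessDetection:
    """Learn a trusted-process list during training, then queue anything new."""

    TRAINING_CHOICES = (1, 3, 7)  # the training periods the console offers

    def __init__(self, installed: datetime, training_days: int = 7) -> None:
        if training_days not in self.TRAINING_CHOICES:
            raise ValueError(f"training period must be one of {self.TRAINING_CHOICES}")
        self.training_end = installed + timedelta(days=training_days)  # training starts at install
        self.trusted: dict[str, set[str]] = {}        # image path -> hashes allowed at that path
        self.denied: set[tuple[str, str]] = set()
        self.queue: dict[tuple[str, str], dict] = {}  # (path, hash) -> record awaiting review
        self.tray_alerts: list[str] = []

    @staticmethod
    def _key(image: str, sha256: str) -> tuple[str, str]:
        return image.lower(), sha256.lower()          # Windows paths are case-insensitive

    def observe(self, launch: ProcessLaunch) -> str:
        """Return 'trusted', 'denied' or 'queued' for one process launch."""
        image, digest = self._key(launch.image, launch.sha256)
        if launch.when < self.training_end:
            # Training: everything that runs is recorded as trusted. This is the
            # window in which pre-existing malware would be learned as normal.
            self.trusted.setdefault(image, set()).add(digest)
            return "trusted"
        if (image, digest) in self.denied:
            return "denied"
        if digest in self.trusted.get(image, ()):
            return "trusted"
        # Path and hash must both match; a known path with a new hash is a
        # modified or replaced binary and is reported as such.
        reason = ("known path, different binary" if image in self.trusted
                  else "not seen during training")
        record = self.queue.setdefault(
            (image, digest), {"image": launch.image, "reason": reason, "seen": []})
        record["seen"].append((launch.when, launch.computer, launch.user))
        self.tray_alerts.append(f"{launch.computer}/{launch.user}: {launch.image} ({reason})")
        return "queued"

    def allow(self, image: str, sha256: str) -> None:
        """Administrator right-click -> Allow on a Queue List item."""
        path, digest = self._key(image, sha256)
        self.trusted.setdefault(path, set()).add(digest)
        self.denied.discard((path, digest))
        self.queue.pop((path, digest), None)

    def deny(self, image: str, sha256: str) -> None:
        """Administrator right-click -> Deny on a Queue List item."""
        path, digest = self._key(image, sha256)
        self.denied.add((path, digest))
        self.queue.pop((path, digest), None)


def demo() -> tuple[ProcessDetection, list[str]]:
    """Constructed launches: a one-day training period, then activity on day two."""
    installed = datetime(2024, 3, 1, 8, 0)
    pd = ProcessDetection(installed, training_days=1)
    day1 = installed + timedelta(hours=1)
    day2 = installed + timedelta(days=1, hours=1)
    # Placeholder hashes; a real agent would hash the image file on disk.
    for path, h in [(r"C:\Windows\explorer.exe", "h-explorer"),
                    (r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE", "h-outlook"),
                    (r"C:\Windows\System32\notepad.exe", "h-notepad")]:
        pd.observe(ProcessLaunch(day1, "WS-01", "CORP\\alice", path, h))
    dropper = r"C:\Users\bob\AppData\Local\Temp\update.exe"
    outcomes = [
        pd.observe(ProcessLaunch(day2, "WS-01", "CORP\\alice",
                                 r"C:\Windows\System32\NOTEPAD.EXE", "h-notepad")),  # same file
        pd.observe(ProcessLaunch(day2, "WS-01", "CORP\\alice",
                                 r"C:\Windows\System32\notepad.exe", "h-tampered")),  # replaced
        pd.observe(ProcessLaunch(day2, "WS-02", "CORP\\bob", dropper, "h-dropper")),  # brand new
    ]
    pd.deny(dropper, "h-dropper")                         # Administrator reviews the queue
    outcomes.append(pd.observe(ProcessLaunch(day2, "WS-02", "CORP\\bob", dropper, "h-dropper")))
    return pd, outcomes
```

Running demo() yields one trusted launch, two queued launches (the tampered notepad and the dropper), and, once the Administrator has denied it, a 'denied' result for the dropper's second attempt; the tampered notepad remains in the queue until it is reviewed.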
Port Tracking
The Port Tracking report monitors all system ports and protects them against unauthorized entry. In most cases Endpoint Security Console goes one step further and makes the system's ports invisible to intruders ("Stealth" mode): an unsolicited probe gets no reply at all, rather than the reset or error message that would confirm a host is present. The report includes the following details:
Application Name
- Any application that may
have access to the Internet or
outside networks.
Process ID - The unique
number assigned to every running
process within the Windows
environment.
Protocol - The Network Protocol,
or type of network connection used
to send the packet.
Local Address - Your system's
IP address.
Remote Address - The Internet
address from where incoming packets
are originating. This will display
either a specific IP, or if one is
not currently detected, it will give
a status (such as "Listening for
packets/connections").
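The practical test of "Stealth" mode is what a scanner on the other side of the firewall sees: an open port completes the handshake, a closed-but-visible port answers a probe with a TCP reset (the connection is refused), and a stealthed port answers nothing, so the probe simply times out. The Python below is an added example of that check and is not Privacyware's code; it needs no privileges because it uses ordinary connect() attempts rather than raw packets. Run probe() from a second machine against the workstation's address: any 'closed' result means the host is answering probes and is not stealthed. The demo() function is constructed to show the 'open' and 'closed' outcomes on loopback, where 'stealth' cannot occur.

```python
from __future__ import annotations

import socket
from contextlib import closing


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a scanner on the remote side would see it.

    'open'        the handshake completed, so a service is answering
    'closed'      the host replied with a TCP reset (connection refused): the
                  port is closed, but the host has just confirmed it exists
    'stealth'     nothing came back before the timeout: the probe was dropped,
                  which is the behaviour a firewall in Stealth mode produces
    'unreachable' the local stack or an intermediate router returned an error
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:       # must precede OSError: it is a subclass
            return "closed"
        except socket.timeout:               # alias of TimeoutError on Python 3.10+
            return "stealth"
        except OSError:
            return "unreachable"
        return "open"


def probe(host: str, ports: list[int], timeout: float = 1.0) -> dict[int, str]:
    """Probe several ports; a 'closed' result anywhere means the host is not stealthed."""
    return {port: classify_port(host, port, timeout) for port in ports}


def demo() -> tuple[str, str]:
    """Bind a throwaway listener on loopback so 'open' and 'closed' can be seen offline."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = classify_port("127.0.0.1", port)
    after_close = classify_port("127.0.0.1", port)   # no listener: the kernel answers with RST
    return while_listening, after_close
```

Keep the timeout short when scanning many ports, since every stealthed port costs the full timeout; and remember that a 'stealth' result only says the probe was dropped somewhere on the path, so test from inside the same network segment to attribute it to the endpoint firewall rather than an upstream device.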

Log Reports
Firewall log records can be sorted by type and time of occurrence, and each report can be limited to the last 1 Hour, 1 Day, or 1 Week. Separate reports are maintained for Web Traffic, Mail Traffic, System Traffic, and Processes detected. The following details are included:
Time/Date - When the packet was detected.
Local IP - The address of this computer, the local end of the connection.
Local Port - The port on the local computer involved in the access attempt.
Remote IP - The address of the other end of the connection: where an inbound packet came from, or where an outbound packet was going.
Remote Port - The port on the remote computer involved in the access attempt.
Protocol - The network protocol, or type of network connection, used to send the packet.
Application (if applicable) - The name of the local application that sent the packet or to which it was addressed (if any).
