How to Perform Queries for Endpoint Visibility Using Saner Endpoint Security Solution 3.0.2

Transcription

1 How to Perform Queries for Endpoint Visibility Using Saner Endpoint Security Solution 3.0.2

2 Contents Title Page No Create a Custom Query:... 6 Create a Query to List Windows Startup Programs Present in the Endpoints:... 8 Create a Query to List Windows Visual Effects Settings Value:... 9 Create a Query to List Unwanted Programs: Create a Query to List Unwanted Processes: Create a Query to List Threats Present in the Endpoints:... 15

3 3 Query Management with Saner Endpoint Security Solution A query is a request for information from a database or live data from endpoints where the Saner agent is installed. SecPod Saner Business supports natural language-based queries, related to processes, services, users, registry, network, and device configurations on the endpoint. The Saner platform s metadata model makes it easy to search using unstructured natural language-based queries. This is the only platform that is fully compliant with wellestablished standards, such as SCAP, STIX/TAXII Query results are fetched in microseconds, to help make quick decisions around endpoint activities. Complex queries can be created or multiple queries can be cascaded with AND and OR combinations. The scalable architecture of Saner allows responses to IoCs in seconds without impacting the network or systems. Queries are categorized into two types: 1) Default Queries - The Saner solution provides default queries that can fetch information such as anti-virus information, hosts that have disabled the firewall, hosts that have disabled Bit locker protection, etc. 2) Custom Queries - Users can create custom queries. Select an account you want to manage. The menu expands. Click Queries on the menu. Figure 1 highlights the Queries pane on the dashboard. To create a custom query, click the question mark icon on the menu. A query contains two options: i) Add Rule, to select supported probes. Multiple rules can be selected with AND or OR operations. ii) Add Group, to join rules based on conditions. Multiple rules can be joined into one group. Fig.1

4 4 Fig.2 The Run option displays the query results fetched from the database. The Edit and Delete buttons allow you to edit or delete the queries. Fig.3 The ( ) icon lists possible values of the selected attributes. The ( ) icon lists attributes of a file probe. The ( ) icon indicates that the probe will take time to execute and collect response from the agents.

5 5 In figure 3, the probe is File. File Path is a mandatory field attribute for the file probe. It sends a query to the agent systems. Define a Scope restricts the query to a particular group. When an administrator clicks the submit button the query is sent only to the selected groups. Total number of supported probes in Viser based on the OS OS Total No. of Probes Special Probes Windows Linux MAC Note: When a query with mandatory attributes is created with a special probe, it is auto broadcast to the agents. For a typical query, you must click the Submit button.

6 6 Create a Custom Query: 1. Specify the Name, Category, Severity and Operating System Family details. 2. Select the AND operation. 3. Select Registry Key Effective Rights probe and specify Hive and Key as the parameters. 4. Click Add Rule. Add a rule and file and the file path. 5. Click Create. Figure 4 displays a query with multiple rules to check for Locky malware. Once the query is created or updated it displays the result in real-time. Figure 5 displays details of the host infected with Locky malware. Fig.4

7 7 Fig.5 Fig.6

8 8 Create a Query to List Windows Startup Programs Present in the Endpoints: 1. Click Queries > Create Query. 2. Specify the details - Select the registry probe. Specify the registry which lists all the startup programs present in the system. 3. Click Update. Fig.7 Figure 7 displays a query for listing the Windows startup programs present in the endpoints. Figure 8 displays the result of the above query. Fig.8

9 9 Create a Query to List Windows Visual Effects Settings Value: This query lists endpoints Visual Effects Settings Value which is an assessment parameter for the system performance. To create this query, 1. Click Queries > Create Query. 2. Create 2 groups with each group containing 2 rules, AND and OR. The group with AND operation contains 2 rules with registry probe specifying the path for Key and value for the Name attribute. The group with OR operation contains 2 rules with HIVE attribute. This query searches in HKEY CURRENT USER or HKEY LOCAL MACHINE. 3. Click Create. Fig.9 Figure 9 shows a query to list Windows Visual Effects Settings. Fig.10 Figure 10 shows the query results. To know more about the instances, click More.

10 10 Fig.11 Figure 11 shows the query result in detail. The value of the field value is 1 which indicates the result for best appearance. The values can range from 0 to 2. The default value of 0 is Let Windows choose what s best for my computer. Change the value to 1 for Adjust for best appearance. Change the value to 2 for Adjust for best performance. Note: If the host has a value 1, the administrator needs to change the value to 2 for best performance by using the CMD & Ctrl action: CMD & Ctrl > Registry > Modify Registry > With the value 2

11 11 Create a Query to List Unwanted Programs: 1. Click Queries > Create Query. 2. Specify the details - Select the registry probe - Specify the registry which lists all the unwanted programs present in the system. 3. Click Update. Figure 12 displays a query for listing unwanted programs. Fig.12 Fig.13

12 12 The table in figure 13 lists the name of the unwanted programs present in the endpoints with the number of affected instances. IT administrators can use this query to list the unwanted programs that consume a lot of memory. Note: To delete or block the listed unwanted program, go to CMD & Ctrl > Software Deployment > Application Management > Uninstall and select the unwanted program name OR CMD & Ctrl > Application Control > Application Block and select the unwanted program name from the list.

13 13 Create a Query to List Unwanted Processes: 1. Click Queries > Create Query. 2. Specify the details - Select the registry probe. Specify the registry which lists all the unwanted processes present in the system. 3. Click Update. Fig.14 Figure 14 displays a query for listing unwanted processes, for example, armsvc.exe - This process stands for Adobe Acrobat Update Service. jusched.exe - This process stands for Java Update Scheduler. NeroCheck.exe - This is a process from hardware manufacturers that searches for drivers that could trigger conflicts with Nero Express, Nero, and NeroVision Express. OSPPSVC.exe - This is a software process that comes with Microsoft Office winampa.exe - This is a software process that places Winamp to the right at the bottom of the taskbar and ensures that no other programs with media content are linked. Sidebar.exe - This is a Windows process that consumes a lot of memory. These processes consume a lot of system memory and are better stopped or removed. Fig.15

14 14 The table in figure 15 lists the name of the unwanted processes present in the endpoints with the number of affected instances. IT administrators can use this query to list the unwanted processes that consume a lot of memory. Note: To delete or block the unwanted processes, go to CMD & Ctrl > Process > Process Block or Stop Process by Name and select the unwanted process name from the list.

15 15 Create a Query to List Threats Present in the Endpoints: 1. Click Queries > Create Query. 2. Specify the details - Select the registry probe. Specify the registry which lists the malware present in the system. 3. Click Update. Fig.16 Figure 16 displays a query for detecting the presence of the Cryptoshield malware in the endpoints. This query contains four groups with AND OR operators that will search for a particular string present in a file and a registry entry with specified keys. In the registry, it searches for the name Windows SmartScreen.

16 16 Fig.17 The table in figure 17 lists the path of the malware file and the registry entry. Note: To delete the malware, go to CMD & Ctrl > Security > Quarantine and specify the path of malware file. Remove the listed registry by going CMD & Ctrl > Registry > Delete Registry.

17 About Us SecPod Technologies creates cutting edge products to ensure endpoint security. Founded in 2008 and headquartered in Bangalore with operations in USA, the company provides computer security software for proactively managing risks and threats to endpoint computers. Contact Us Web: Tel: SecPod Technologies