Integrate Vipre business antivirus
EventTracker Enterprise
Publication Date: June 2, 2016
EventTracker
8815 Centre Park Drive
Columbia MD 21045
www.eventtracker.com
Abstract
This guide provides instructions to configure Vipre business antivirus to send its logs to EventTracker Enterprise.

Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise and Vipre business antivirus 9.3.

Target Audience
Vipre business antivirus users who wish to forward logs to EventTracker Manager.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2016 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Abstract ... 1
Scope ... 1
Target Audience ... 1
Overview ... 3
Pre-requisite ... 3
Configuration for sending logs to EventTracker ... 3
Configure log file monitor (LFM) for monitoring Vipre business antivirus log files ... 8
Exception for ETagent in Vipre Antivirus Firewall ... 16
EventTracker Knowledge Pack (KP) ... 17
Category ... 18
Reports ... 18
Alerts ... 20
Import Vipre Business Antivirus Knowledge Pack into EventTracker ... 20
Category ... 20
Alerts ... 21
Reports ... 21
Verify Knowledge Pack in EventTracker ... 22
Categories ... 22
Alerts ... 23
Reports ... 24
Create Dashboards in EventTracker ... 25
Schedule Reports ... 25
Create Dashlets ... 28
Sample Dashboards ... 32
Overview
VIPRE is a scalable endpoint solution that protects your networked machines from all types of malware and viruses and includes a firewall (Premium only). Its Bad URL blocking feature under web filtering prevents end users from accidentally opening known bad websites (Premium only). VIPRE Business can be installed at more than one physical location and still be centrally managed. Its policy-based architecture allows administrators to create multiple policies based on user and machine types.

EventTracker collects and analyses these events and informs the administrator about threat detections, policy changes and the state of protected systems.

Pre-requisite
EventTracker Enterprise v7.x is sufficient for reports and alerts; EventTracker Enterprise v8.x is required to also configure flex dashboards.
Vipre business antivirus should be installed.
The EventTracker agent should be installed on the Vipre business antivirus manager system.
The EventTracker agent should be added as an exception in the Vipre business antivirus firewall.
Any firewall between the EventTracker manager and the Vipre business antivirus manager system should be off or have an exception for port 14505.

Configuration for sending logs to EventTracker
Following are the steps to integrate Vipre antivirus and send its logs to the EventTracker manager. As there is no direct way to send Vipre antivirus logs to a remote logging server, the following script has to be set up on the Vipre antivirus manager machine:
1. Download the knowledge pack zip file for Vipre antivirus and extract it.
2. After extraction, copy the Vipre AV folder and paste it in any location on the Vipre antivirus manager machine.
3. Edit log fetcher.ps1 in the Vipre AV folder with PowerShell ISE or Notepad.
Figure 1
4. In the first line, set $inspackpath to the path where you copied the Vipre AV folder.
Figure 2
5. Next, create a scheduled task that runs the script automatically every 15 minutes.
6. Open Task Scheduler and create a new task for running the script automatically.
Figure 3
7. Create a new task. Name it and set the security options. Check "Run with highest privileges", as the script needs to run as an administrator. The script must run without your account being signed in to the machine, so select the "Run whether user is logged on or not" radio button.
Figure 4
8. Click the Triggers tab and set the schedule or event that will trigger your Vipre log fetcher script. After creating the trigger, click the OK button.
Figure 5
Figure 6
Figure 7
9. Click the Actions tab and click New.
Action: Start a program
Program/script: Powershell.exe
10. Add the arguments. The execution policy has to be set so that the script is allowed to run. The -ExecutionPolicy Bypass switch applies only to this powershell.exe process; the machine-wide execution policy is unchanged. Note that the execution policy only prevents scripts from being run accidentally and is not a security boundary: because the task runs with highest privileges, write access to the script folder should be restricted to administrators. The argument is (quoted, because the path contains spaces):
-ExecutionPolicy Bypass -File "D:\product\VipreAV\Vipre integration pack\log fetcher.ps1"
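The following is an added example, not part of the Vipre knowledge pack or the EventTracker documentation: it performs steps 5 to 10 above from PowerShell instead of the Task Scheduler GUI, adds the write-permission check that a task running with highest privileges warrants, and triggers a first run. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module (Windows 8 / Server 2012 onwards), and the script path below is a placeholder for wherever you copied the Vipre AV folder.

```powershell
# Added example: register the "log fetcher.ps1" scheduled task from PowerShell.
# Assumptions: Windows PowerShell 5.1+, ScheduledTasks module available,
# $ScriptPath is wherever you copied the Vipre AV folder (placeholder below).

$ScriptPath = 'D:\product\VipreAV\Vipre integration pack\log fetcher.ps1'  # placeholder path
$TaskName   = 'Vipre AV log fetcher'

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# The task runs with highest privileges, so anyone who can modify the script or
# its folder inherits those privileges. Warn about Allow ACEs that grant write
# rights to identities other than SYSTEM, Administrators and CREATOR OWNER.
function Test-ScriptFolderAcl {
    param([string]$Path)
    $folder = Split-Path -Parent $Path
    $risky = @((Get-Acl -LiteralPath $folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
        $_.IdentityReference.Value -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER)$'
    })
    foreach ($ace in $risky) {
        Write-Warning ('{0} can modify {1} ({2})' -f $ace.IdentityReference, $folder, $ace.FileSystemRights)
    }
    return ($risky.Count -eq 0)
}

# -ExecutionPolicy Bypass is scoped to this powershell.exe process; the machine-wide
# policy is untouched. The script path is quoted because it contains spaces.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument ('-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{0}"' -f $ScriptPath)

# Start now and repeat every 15 minutes, as the guide specifies (step 5).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)

# Do not stack instances if a run hangs, and kill any run longer than 10 minutes.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -StartWhenAvailable

# "Run whether user is logged on or not" needs a stored credential; prompt for it
# rather than hard-coding a password in this script.
$Cred = Get-Credential -Message 'Account that will run the Vipre log fetcher task'

Test-ScriptFolderAcl -Path $ScriptPath | Out-Null

# -RunLevel Highest corresponds to "Run with highest privileges" (step 7).
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null

# First run and result check (LastTaskResult 0 means the last run exited cleanly).
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object TaskName, LastRunTime, LastTaskResult
```

Run this in an elevated PowerShell session on the Vipre manager. If Test-ScriptFolderAcl prints a warning, tighten the folder ACL before leaving the task in place; a writable script folder combined with a highest-privilege task is a local privilege escalation path.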
Figure 8
11. Save and test.

Configure log file monitor (LFM) for monitoring Vipre business antivirus log files
Before configuring LFM, deploy the EventTracker agent on the Vipre business antivirus manager machine; refer to the EventTracker Agent installation guide. After installing the agent, follow the steps below to configure LFM.
1. Click the Start button, select Prism Microsystems, and then select EventTracker Control Panel.
2. Click the EventTracker Agent Configuration icon.
Figure 9
3. Click the Add File Name button, select the .csv file that the script generates, and then click OK.
Figure 10
4. Select the Get All Existing Log Files option.
5. In the Select Log File Type drop-down, select CSV.
6. Enter the path of the Vipre business antivirus logs.
7. Click the OK button.
8. Now click the Search String button.
Figure 11
9. Select Add String.
Figure 12
Figure 13
10. Enter the string that needs to be searched for in the selected logs. If any of the strings matches, an event is generated.
11. Click Save.
Figure 14
Because alerts are generated for Vipre business antivirus, Event ID 3230 needs to be added as a filter exception.
12. Select the Event Filters tab.
13. Select the Filter Exception option. The Filter Exception window is displayed.
14. Click the New option. The Event Details window is displayed.
Figure 15
Figure 16
15. Enter the Event ID (3230) in the Event ID field, EventTracker in the Match in Source field and (keyword: (policy protected system quarantined detail scan detail threat detected)) in the Match in Event Descr field, then click the OK button.
Figure 17
16. Event ID 3230 is now added as an exception and is listed in the Filter Exception window.
Figure 18
17. Close the Filter Exception window and save the changes.
Figure 19
The logs will now be sent to EventTracker Enterprise.
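The following added example is not part of the knowledge pack or the EventTracker product; it is a set of local checks on the Vipre manager that support the LFM configuration above and the firewall exception that follows: it confirms the fetcher is writing CSV files that contain the strings LFM is configured to search for, reports the path of the EventTracker agent executable that the Vipre firewall rule needs, and tests that TCP port 14505 to the EventTracker manager (the port named in the prerequisites) is reachable. Assumptions: $LogFolder is the $inspackpath you set in the script, the agent process is named "etagent" (the guide only says "ETagent"), and the manager hostname is a placeholder.

```powershell
# Added example: pre-checks on the Vipre manager before relying on LFM and the
# Vipre firewall exception. Assumptions: $LogFolder equals $inspackpath, the agent
# process name is "etagent", and $ETManager is a placeholder hostname.

$LogFolder = 'D:\product\VipreAV\Vipre integration pack'   # assumed; set to your $inspackpath
$Keywords  = 'policy', 'protected system', 'quarantined detail', 'scan detail', 'threat detected'
$ETManager = 'eventtracker.example.internal'                # placeholder hostname
$ETPort    = 14505                                          # port from the prerequisites

# One row per CSV: line count, whether the file is stale (fetcher not running),
# and how many lines contain each search string (literal, case-insensitive match).
function Get-VipreCsvStatus {
    param([string]$Folder, [string[]]$Strings, [int]$MaxAgeMinutes = 30)
    $files = @(Get-ChildItem -LiteralPath $Folder -Filter '*.csv' -File)
    if ($files.Count -eq 0) {
        Write-Warning "No CSV files in $Folder; check that the scheduled task is running"
        return
    }
    foreach ($f in $files) {
        $row = [ordered]@{
            File  = $f.Name
            Lines = @(Get-Content -LiteralPath $f.FullName).Count
            Stale = $f.LastWriteTime -lt (Get-Date).AddMinutes(-$MaxAgeMinutes)
        }
        foreach ($s in $Strings) {
            $row[$s] = @(Select-String -LiteralPath $f.FullName -SimpleMatch -Pattern $s).Count
        }
        [pscustomobject]$row
    }
}

# Full path of the running agent executable, for the Application field of the
# Vipre firewall rule. Process name is an assumption; run elevated to read Path.
function Get-ETAgentPath {
    $p = Get-Process -Name 'etagent' -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -eq $p) {
        Write-Warning 'EventTracker agent process not found; is the agent installed and running?'
        return $null
    }
    return $p.Path
}

# TCP reachability of the manager port. Test-NetConnection exists on Windows 8.1 /
# Server 2012 R2 and later; older systems fall back to a raw TcpClient connect.
function Test-ETManagerPort {
    param([string]$ComputerName, [int]$Port)
    if (Get-Command Test-NetConnection -ErrorAction SilentlyContinue) {
        return (Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Get-VipreCsvStatus -Folder $LogFolder -Strings $Keywords | Format-Table -AutoSize
"ETagent path for the firewall rule: $(Get-ETAgentPath)"
"TCP $ETPort to $ETManager reachable: $(Test-ETManagerPort -ComputerName $ETManager -Port $ETPort)"
```

A CSV with zero matches for every string means LFM will never raise event 3230 for that file, so fix the search strings (or the fetcher output) before going further. A false result from Test-ETManagerPort points at the firewall between the two managers, the Vipre firewall rule of the next section, or the manager not listening on 14505; rerun the check after the exception is in place.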
Exception for ETagent in Vipre Antivirus Firewall
The Vipre antivirus firewall will block ETagent, so it will not be able to send logs to the ET manager. An exception for ETagent must therefore be added in the Vipre antivirus firewall. Following are the steps to configure the exception in the Vipre firewall:
1. Open VIPRE.
2. Click the Manage tab > Firewall.
3. Scroll down to Firewall Protection and click the Manage Rules button.
Figure 20
4. Click the Add App Rule button to add exceptions and enter the path you identified from the target field.
Figure 21
5. Select Allow for Trusted Inbound and Outbound. You can do the same for Public Inbound and Outbound.
6. Continue to make port exceptions if necessary by clicking the Ports tab and clicking Add.
7. Enter a name for the rule.
8. Click Browse and navigate to the executable, or paste the path to the executable in the Application field.
9. Select the Port drop-down and enter the port.
10. Select the Protocol (TCP or UDP).
11. Click OK.

EventTracker Knowledge Pack (KP)
Once logs are received in EventTracker, reports and alerts can be configured. The following Knowledge Packs are available in EventTracker Enterprise to support Vipre business antivirus.
Category
Vipre AV-Policy management: This category provides information related to policy management, i.e. when a policy was created or updated on a particular system, along with the hostname.
Vipre AV-Protected systems: This category provides information related to the protection of systems by the agents for the applied policy.
Vipre AV-Quarantined details: This category provides information related to quarantine details, where a malicious virus has been detected and categorized based on its threat level.
Vipre AV-Scan details: This category provides information related to scan details, i.e. when a system scans, for the following: Scanned Archives, Scanned Cookies, Scanned Files, Scanned Memory, Scanned Registry, Scanned Rootkit, Found Archives, Found Cookies, Found Files, Found Memory, Found Registry, Found Rootkit, Found Threats, Deleted, Ignored and Quarantined.
Vipre AV-Threat detection: This category provides information related to threat detection, i.e. when a malicious virus has been detected.

Reports
Vipre AV-Policy management: This report provides information related to policy management, i.e. when a policy was created or updated on a particular system, along with the hostname.
Figure 22
Vipre AV-Protected systems: This report provides information related to the protection of systems by the agents for the applied policy.
Figure 23
Vipre AV-Quarantined details: This report provides information related to quarantine details, where a malicious virus has been detected and categorized based on its threat level.
Figure 24
Vipre AV-Scan details: This report provides information related to group scan details, i.e. when a system scans, for the following: Scanned Archives, Scanned Cookies, Scanned Files, Scanned Memory, Scanned Registry, Scanned Rootkit, Found Archives, Found Cookies, Found Files, Found Memory, Found Registry, Found Rootkit, Found Threats, Deleted, Ignored and Quarantined.
Figure 25
Vipre AV-Threat detection: This report provides information related to threat detection, i.e. when a malicious virus has been detected.
Figure 26

Alerts
Vipre AV: Threat detection - This alert is generated when a malicious virus has been detected.
Vipre AV: Policy management - This alert is generated when a policy is created or updated on a particular system, along with the hostname.

Import Vipre Business Antivirus Knowledge Pack into EventTracker
1. Launch EventTracker Control Panel.
2. Double-click the Import Export Utility icon, and then click the Import tab.
Import Category, Alert and Reports as given below.

Category
1. Click the Category option, and then click the browse button.
2. Locate the .iscat file, and then click the Open button.
3. Click the Import button to import the categories. EventTracker displays a success message.
Figure 27
4. Click the OK button and then click the Close button.

Alerts
1. Click the Alert option, and then click the browse button.
2. Locate the .isalt file, and then click the Open button.
3. Click the Import button to import the alerts. EventTracker displays a success message.
Figure 28
4. Click the OK button and then click the Close button.

Reports
1. Click the Report option, and then click the browse button.
2. Locate the .issch file, and then click the Open button.
3. Click the Import button to import the reports. EventTracker displays a success message.
Figure 29
4. Click the OK button, and then click the Close button.

Verify Knowledge Pack in EventTracker
Categories
1. Log on to EventTracker Enterprise.
2. Click the Admin drop-down, and select Category.
3. In the Category Tree, expand the Vipre AV group folder to see the imported categories.
Figure 30
Alerts
1. Log on to EventTracker Enterprise.
2. Click the Admin drop-down, and then click Alerts.
3. In the Search field, enter Vipre business antivirus, and then click the Go button. The Alert Management page displays all the imported Vipre business antivirus alerts.
Figure 31
4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays a message box.
Figure 32
5. Click the OK button, and then click the Activate now button.
NOTE: You can select alert notifications such as Beep, Email and Message. To do so, select the respective checkbox on the Alert Management page, and then click the Activate Now button.

Reports
1. Log on to EventTracker Enterprise.
2. Click the Reports menu, and then Configuration.
3. Select Defined as the report type.
4. In the Report Groups tree, scroll down and click the Vipre business antivirus group folder to view the imported scheduled reports.
Reports are displayed in the Reports configuration pane.
Figure 33

Create Dashboards in EventTracker
Schedule Reports
1. Open EventTracker in a browser and log on.
2. Navigate to Reports > Configuration.
Figure 34
Figure 35
3. Select Vipre business antivirus in the report groups. Check the Defined option.
4. Click Schedule to plan a report for later execution.
Figure 36
5. Choose an appropriate time for report execution and, in Step 8, check the Persist data in EventVault Explorer box.
Figure 37
6. Check the column names to persist using the PERSIST checkboxes beside them. Choose a suitable retention period.
7. Proceed to the next step and click the Schedule button.
8. Wait for the scheduled time or generate the report manually.

Create Dashlets
1. EventTracker 8 is required to configure flex dashboards.
2. Open EventTracker in a browser and log on.
Figure 38
3. Navigate to Dashboard > Flex. The Flex Dashboard pane is shown.
Figure 39
4. Click the add icon to add a new dashboard. The Flex Dashboard configuration pane is shown.
Figure 40
5. Enter a suitable title and description and click the Save button.
6. Click the add icon to configure a new flex dashlet. The Widget configuration pane is shown.
Figure 41
7. Locate the earlier scheduled report in the Data Source drop-down.
8. Select the Chart Type from the drop-down.
9. Select the extent of data to be displayed in the Duration drop-down.
10. Select the computation type in the Value Field Setting drop-down.
11. Select the evaluation duration in the As Of drop-down.
12. Select comparable values for the X Axis with a suitable label.
13. Select numeric values for the Y Axis with a suitable label.
14. Select a comparable sequence in Legend.
15. Click the Test button to evaluate. The evaluated chart is shown.
Figure 42
16. If satisfied, click the Configure button.
Figure 43
17. Click Customize to locate and choose the created dashlet.
18. Click the add icon to add the dashlet to the dashboard created earlier.

Sample Dashboards
1. Vipre AV-Scan details
2. Vipre AV-Quarantined details
Figure 44
Figure 45