Integrate Vipre Business Antivirus with EventTracker Enterprise

Publication Date: June 2, 2016
EventTracker, 8815 Centre Park Drive, Columbia MD 21045, www.eventtracker.com

Abstract

This guide provides instructions to configure Vipre Business Antivirus to send its logs to EventTracker Enterprise.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise and Vipre Business Antivirus 9.3.

Target Audience

Vipre Business Antivirus users who wish to forward logs to EventTracker Manager.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2016 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Scope
Target Audience
Overview
Pre-requisite
Configuration for sending logs to EventTracker
Configure log file monitor (LFM) for monitoring Vipre business antivirus log files
Exception for ETagent in Vipre Antivirus Firewall
EventTracker Knowledge Pack (KP)
    Category
    Reports
    Alerts
Import Vipre Business Antivirus Knowledge Pack into EventTracker
    Category
    Alerts
    Reports
Verify Knowledge Pack in EventTracker
    Categories
    Alerts
    Reports
Create Dashboards in EventTracker
    Schedule Reports
    Create Dashlets
Sample Dashboards

Overview

VIPRE is a scalable endpoint solution that protects your networked machines from all types of malware and viruses and includes a firewall (Premium only). Its Bad URL blocking feature under web filtering prevents end users from accidentally opening known bad websites (Premium only). VIPRE Business can be installed at more than one physical location and still be centrally managed. Its policy-based architecture allows administrators to create multiple policies based on user and machine types.

EventTracker collects and analyses these events and informs the administrator about threat detections, policy changes and changes on protected systems.

Pre-requisite

EventTracker Enterprise v7.x is sufficient for reports and alerts only; EventTracker Enterprise v8.x is required to configure reports, alerts and the Flex dashboard.
Vipre Business Antivirus should be installed.
The EventTracker agent should be installed on the Vipre Business Antivirus manager system.
The EventTracker agent should be added as an exception in the Vipre Business Antivirus firewall.
Any firewall between the EventTracker manager and the Vipre Business Antivirus manager system should be off, or an exception made for port 14505.

Configuration for sending logs to EventTracker

Following are the steps to integrate Vipre antivirus and send its logs to the EventTracker manager. Because there is no direct way to send Vipre antivirus logs to a remote logging server, the following script has to be set up on the Vipre antivirus manager machine:

1. Download the knowledge pack zip file for Vipre antivirus and extract it.
2. After extraction, copy the Vipre AV folder and paste it in any location on the Vipre antivirus manager machine.
3. Edit log fetcher.ps1 in the Vipre AV folder with PowerShell ISE or Notepad.

Figure 1

4. In the first line, change $inspackpath to the path where you copied the Vipre AV folder.

Figure 2

5. Now create a scheduled task that runs the script automatically every 15 minutes.
6. For this, open Task Scheduler and create a new task for running the script automatically.

Figure 3

7. Create a new task. Name it and set your security options. Check "Run with highest privileges", as the script needs to run as an administrator. The script also needs to run without your account being signed in to the machine, so select the "Run whether user is logged on or not" radio button.

Figure 4

8. Click the Triggers tab and set the schedule or event that will trigger the Vipre log fetcher script. After creating the trigger, click the OK button.

Figure 5

Figure 6

Figure 7

9. Click the Actions tab and click New.
   Action: Start a program
   Program/script: Powershell.exe
10. Add Argument. First you need to set the ExecutionPolicy. We want to set the execution policy on a per-script basis so that only this script is allowed to run: the policy applies only to the script being launched and does not relax security otherwise. So we use the following argument:
    -ExecutionPolicy Bypass -File D:\product\VipreAV\Vipre integration pack\log fetcher.ps1
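The Task Scheduler steps 5 through 10 above can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the Vipre AV knowledge pack or of this guide; the task name and service account are placeholders, the script path is the one from step 10, and the path is quoted inside the argument because it contains spaces (the unquoted form would be split at the first space).

```powershell
# Added example: registers the "log fetcher.ps1" scheduled task from PowerShell
# instead of the Task Scheduler GUI (steps 5-10 above). The task name and the
# account below are assumed placeholders; replace them with your own values.
$ScriptPath = 'D:\product\VipreAV\Vipre integration pack\log fetcher.ps1'  # path from step 10
$TaskName   = 'Vipre AV log fetcher'                                         # assumed name
$RunAs      = 'DOMAIN\svc_vipre_logs'                                        # assumed account

function Register-VipreLogFetcherTask {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Script not found: $ScriptPath"
    }

    # Step 10: per-script execution policy. The path contains spaces, so it is
    # quoted; -NoProfile/-NonInteractive keep the unattended run predictable.
    $arguments = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments `
        -WorkingDirectory (Split-Path -Parent $ScriptPath)

    # Step 5: repeat every 15 minutes. RepetitionDuration is given explicitly
    # because older Windows versions reject an open-ended repetition.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
        -RepetitionInterval (New-TimeSpan -Minutes 15) `
        -RepetitionDuration (New-TimeSpan -Days 3650)

    # Do not let a hung fetch accumulate overlapping instances.
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
        -MultipleInstances IgnoreNew -StartWhenAvailable

    # Step 7: -User/-Password store the credential so the task runs whether or
    # not the account is logged on; -RunLevel Highest is "Run with highest privileges".
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password -RunLevel Highest -Force
}

function Test-VipreLogFetcherTask {
    param([Parameter(Mandatory)] [string] $TaskName)
    # Step 11 ("Test"): run the task once and report the last result (0 = success).
    Start-ScheduledTask -TaskName $TaskName
    Start-Sleep -Seconds 15
    $info = Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task        = $TaskName
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult
        NextRunTime = $info.NextRunTime
    }
}

$cred = Get-Credential -UserName $RunAs -Message 'Account that will run the Vipre log fetcher'
Register-VipreLogFetcherTask -ScriptPath $ScriptPath -TaskName $TaskName -Credential $cred
Test-VipreLogFetcherTask -TaskName $TaskName
```

A non-zero LastResult means the fetcher did not complete; check that the account can read the Vipre log location and write to the folder set in $inspackpath before looking elsewhere.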

Figure 8

11. Save and test.

Configure log file monitor (LFM) for monitoring Vipre business antivirus log files

Before configuring LFM, deploy the EventTracker agent on the Vipre Business Antivirus manager machine; refer to the EventTracker Agent installation guide. After installing the agent, follow the steps below to configure LFM.

1. Click the Start button, select Prism Microsystems, and then select EventTracker Control Panel.

2. Click the EventTracker Agent Configuration icon.

Figure 9

3. Click the Add File Name button, select the .csv file that has been generated, and then click OK.

Figure 10

4. Select the Get All Existing Log Files option.
5. In the Select Log File Type drop-down, select the CSV option.
6. Enter the path of the Vipre Business Antivirus logs.
7. Click the OK button.
8. Now click the Search String button.

Figure 11

9. Select Add String.

Figure 12

Figure 13

10. Select the string that needs to be searched for in the selected logs. If any of the strings matches, an event is generated.
11. Click Save.

Figure 14

Because we are generating alerts for Vipre Business Antivirus, Event ID 3230 has to be added as a filter exception.

12. Select the Event Filters tab.
13. Select the Filter Exception option. The Filter Exception window is displayed.
14. Click the New option. The Event Details window is displayed.

Figure 15

Figure 16

15. Enter the Event ID (3230) in the Event ID field, EventTracker in Match in Source, and (keyword: (policy protected system quarantined detail scan detail threat detected)) in Match in Event Descr, and then click the OK button.

Figure 17

16. Event ID 3230 is now added as an exception and is listed in the Filter Exception window.

Figure 18

17. Close the Filter Exception window and save the changes.

Figure 19

The logs will now be sent to EventTracker Enterprise.

Exception for ETagent in Vipre Antivirus Firewall

The Vipre antivirus firewall will block ETagent, which then cannot send logs to the ET manager. So an exception for ETagent has to be added in the Vipre antivirus firewall. Following are the steps to configure the exception in the Vipre firewall:

1. Open VIPRE.
2. Click the Manage tab > Firewall.
3. Scroll down until you see Firewall Protection and click the Manage Rules button.

Figure 20

4. Click the Add App Rule button to add an exception and enter the path you identified from the target field.

Figure 21

5. Select Allow for Trusted Inbound and Outbound. You can do the same for Public Inbound and Outbound.
6. If necessary, continue by making port exceptions: click the Ports tab and click Add.
7. Enter a name for the rule.
8. Click Browse and navigate to the executable, or paste the path to the executable in the Application field.
9. Select the Port drop-down and enter the port.
10. Select the Protocol (TCP or UDP).
11. Click OK.

EventTracker Knowledge Pack (KP)

Once logs are received in EventTracker, reports and alerts can be configured in EventTracker. The following Knowledge Packs are available in EventTracker Enterprise to support Vipre Business Antivirus.

Category

Vipre AV-Policy management: This category provides information related to policy management, i.e. when a policy was created or updated on a particular system, along with the hostname.

Vipre AV-Protected systems: This category provides information related to protection of the system by the agents for the applied policy.

Vipre AV-Quarantined details: This category provides information related to quarantine details, where a malicious virus has been detected and categorized based on its threat level.

Vipre AV-Scan details: This category provides information related to scan details, i.e. the following counters when a system is scanned: Scanned Archives, Scanned Cookies, Scanned Files, Scanned Memory, Scanned Registry, Scanned Rootkit, Found Archives, Found Cookies, Found Files, Found Memory, Found Registry, Found Rootkit, Found Threats, Deleted, Ignored and Quarantined.

Vipre AV-Threat detection: This category provides information related to threat detection, i.e. when a malicious virus has been detected.

Reports

Vipre AV-Policy management: This report provides information related to policy management, i.e. when a policy was created or updated on a particular system, along with the hostname.

Figure 22

Vipre AV-Protected systems: This report provides information related to protection of the system by the agents for the applied policy.

Figure 23

Vipre AV-Quarantined details: This report provides information related to quarantine details, where a malicious virus has been detected and categorized based on its threat level.

Figure 24

Vipre AV-Scan details: This report provides information related to group scan details, i.e. the following counters when a system is scanned: Scanned Archives, Scanned Cookies, Scanned Files, Scanned Memory, Scanned Registry, Scanned Rootkit, Found Archives, Found Cookies, Found Files, Found Memory, Found Registry, Found Rootkit, Found Threats, Deleted, Ignored and Quarantined.

Figure 25

Vipre AV-Threat detection: This report provides information related to threat detection, i.e. when a malicious virus has been detected.

Figure 26

Alerts

Vipre AV: Threat detection - This alert is generated when a malicious virus has been detected.

Vipre AV: Policy management - This alert is generated when a policy is created or updated on a particular system, along with the hostname.

Import Vipre Business Antivirus Knowledge Pack into EventTracker

1. Launch EventTracker Control Panel.
2. Double-click the Import Export Utility icon, and then click the Import tab.

Import the Category, Alert and Reports as given below.

Category

1. Click the Category option, and then click the browse button.
2. Locate the .iscat file, and then click the Open button.
3. Click the Import button to import the categories. EventTracker displays a success message.

Figure 27

4. Click the OK button and then click the Close button.

Alerts

1. Click the Alert option, and then click the browse button.
2. Locate the .isalt file, and then click the Open button.
3. Click the Import button to import the alerts. EventTracker displays a success message.

Figure 28

4. Click the OK button and then click the Close button.

Reports

1. Click the Report option, and then click the browse button.
2. Locate the .issch file, and then click the Open button.
3. Click the Import button to import the reports. EventTracker displays a success message.

Figure 29

4. Click the OK button, and then click the Close button.

Verify Knowledge Pack in EventTracker

Categories

1. Log on to EventTracker Enterprise.
2. Click the Admin drop-down, and select Category.
3. In the Category Tree, expand the Vipre AV group folder to see the imported categories.

Figure 30

Alerts

1. Log on to EventTracker Enterprise.
2. Click the Admin drop-down, and then click Alerts.
3. In the Search field, enter Vipre business antivirus, and then click the Go button. The Alert Management page displays all the imported Vipre Business Antivirus alerts.

Figure 31

4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays a message box.

Figure 32

5. Click the OK button, and then click the Activate now button.

NOTE: You can select alert notifications such as Beep, Email, Message, etc. For this, select the respective checkbox on the Alert Management page, and then click the Activate Now button.

Reports

1. Log on to EventTracker Enterprise.
2. Click the Reports menu, and then Configuration.
3. Select Defined in the report type.
4. To view the imported scheduled reports in the Report Groups tree, scroll down and click the Vipre business antivirus group folder. The reports are displayed in the Reports configuration pane.

Figure 33

Create Dashboards in EventTracker

Schedule Reports

1. Open EventTracker in a browser and log on.
2. Navigate to Reports > Configuration.

Figure 34

Figure 35

3. Select Vipre business antivirus in the report groups. Check the Defined option.
4. Click Schedule to plan a report for later execution.

Figure 36

5. Choose an appropriate time for report execution and, in Step 8, check the Persist data in EventVault Explorer box.

Figure 37

6. Check the column names to persist using the PERSIST checkboxes beside them. Choose a suitable retention period.
7. Proceed to the next step and click the Schedule button.
8. Wait for the scheduled time, or generate the report manually.

Create Dashlets

1. EventTracker 8 is required to configure the Flex dashboard.
2. Open EventTracker in a browser and log on.

Figure 38

3. Navigate to Dashboard > Flex. The Flex Dashboard pane is shown.

Figure 39

4. Click the add icon to add a new dashboard. The Flex Dashboard configuration pane is shown.

Figure 40

5. Fill in a fitting title and description and click the Save button.
6. Click the configure icon to configure a new flex dashlet. The Widget configuration pane is shown.

Figure 41

7. Locate the earlier scheduled report in the Data Source drop-down.
8. Select the Chart Type from the drop-down.
9. Select the extent of data to be displayed in the Duration drop-down.
10. Select the computation type in the Value Field Setting drop-down.
11. Select the evaluation duration in the As Of drop-down.
12. Select comparable values in X Axis with a suitable label.
13. Select numeric values in Y Axis with a suitable label.
14. Select a comparable sequence in Legend.
15. Click the Test button to evaluate. The evaluated chart is shown.

Figure 42

16. If satisfied, click the Configure button.

Figure 43

17. Click Customize to locate and choose the created dashlet.
18. Click the add icon to add the dashlet to the earlier created dashboard.

Sample Dashboards

1. Vipre AV-Scan details
2. Vipre AV-Quarantined details

Figure 44

Figure 45