ZeroLock Overview
Built for zero trust environments and requiring minimal system overhead, ZeroLock provides protection that stops zero-day, file-based, and fileless attacks. Our advanced technology provides low-impact monitoring which, coupled with proof-based AI/ML-driven detection, not only stops attacks at machine speed but also provides automatic remediation and restoration for Linux systems. ZeroLock supports both containerization (e.g., Docker) and virtualization (e.g., VMware) of any Linux version and any variant (e.g., Red Hat, Ubuntu) running on kernel version 3.5 or later.
Architecture: Fast System Call Intercept vs. Kernel Module
ZeroLock uses a patent-pending method to capture system calls. This method creates a "micro-perimeter" that allows us to monitor the system calls – network access, file access, and privileged process access – used by all applications, including those with malicious intent. Our approach is to focus on monitoring the processes and system calls that matter. Though CPU overhead may momentarily increase as much as 10-20% during an attack, it will generally be less than 1%.
The ZeroLock approach does not modify the kernel, so the overall stability of the defended system is maintained. On a protected system, our approach focuses on monitoring vulnerable processes and "attack surface" processes that can create malicious processes. ZeroLock also monitors processes spawned by the attack surface to catch elusive malware that abuses process creation methods. Our unique methodology allows us to monitor and protect the original process we discover and all child processes created by it, whether through regular process forking or with malicious intent. This approach allows us to minimize the footprint and overhead required to protect a system and reduces the potential for malicious code to interfere with or obfuscate our detection algorithms.
Unlike generic solutions that try to be all things to all threats, ZeroLock is focused on protecting against the specific threats of ransomware, cryptojacking, and unauthorized data exfiltration. This threat-specific approach gives us an advantage in understanding the techniques employed and reduces the monitoring overhead required to protect systems against these specific threats.
Distributed AI & Machine Learning Architecture
ZeroLock's detection and protection methodologies are architected to be highly efficient with real-time effectiveness, yet able to continually learn and adapt from our ever-expanding malware analysis ecosystem.
Our team of programmers and advisors specializing in AI and machine learning has built a system based on the analysis of millions of attacks. Additionally, this system is continually trained on new tactics, techniques, and procedures used in file-based and fileless attacks. We have consolidated those capabilities into a continuously learning algorithm that operates in real time on the host. It receives updates as new training sets are completed and compiled into ZeroLock update modules. We look at advanced behavioral markers of processes on a protected system to determine if an attack is active.
Benefits of using an algorithm as opposed to a traditional vendor's data file include:
- Faster detection,
- Lower overhead on the protected system,
- Fewer false positive/false negative determinations, and
- Increased difficulty in circumvention using deceptive techniques.
An additional benefit is that as deployments grow, opt-in partners will expand the ability to profile behaviors that will add to the AI-based training.
Having learned the types of behavior and actions exhibited by ransomware during an attack, i.e., searching for files, reading files, creating encrypted copies, and deleting files, our proprietary algorithm is able to provide highly effective and efficient protection against ransomware. By understanding the behavior of ransomware through extensive research, iterative development, and extensive testing, we can determine if a process is operating within the system as it is supposed to be and not a compromised process executing an attack.
Remediation
Threats are constantly evolving, with threat actors continuously improving and refining their attacks. Because of this, no solution is complete without the ability to remediate damage when a threat is not stopped immediately. To protect against the unknowns, ZeroLock copies all deleted or written files (encryption is considered a write operation) to a protected cache area while the suspect actions and process(es) involved are evaluated. This approach allows us to automatically restore files that have been compromised, deleted, or encrypted by malicious code.
To ensure that the file copies are protected and not altered, no process we are monitoring can access the folders where the copies are stored.
Self-Protection
The ZeroLock Agent has self-protection functionality that prevents malicious code from disabling/removing the agent from the system. Some of the protections the agent utilizes are:
- The agent is loaded early in system startup so that it can monitor processes as they start.
- The agent prevents monitored processes from killing critical security processes.
Additional protections include restricting access to the cache folder so that no monitored process can access the cache area, and a heartbeat sent to the management console that gives near real-time health status of the agent on any given protected system.
ZeroLock provides a fast, effective, scalable, fully automated solution to protect organizations from the growing threat of ransomware. Using a targeted solution without kernel modules, ZeroLock provides the same high level of security across an organization's entire Linux infrastructure without the worry of version-specific testing and certification. By using our proprietary, behavior-based, machine learning algorithms, ZeroLock's solution is faster, less resource-intensive, more effective, and produces fewer false positives than our competitors. We are the only solution on Linux that provides seamless, automated recovery of any compromised files during an attack, minimizing the chances of an extended outage.
ZeroLock Management Console Set-up
ZeroLock Management Console (ZMC) is the backend component of the ZeroLock security suite. The ZMC performs command and control for ZeroLock Agent software on protected endpoints.
The ZMC comprises several components, including ux-server, collector, and database. These components run in a containerized environment on various host operating systems. The Installer prepares the host operating system (starting with a fresh installation) to run the ZMC. The Installer identifies the most recent previously installed version of the ZMC, optionally backs it up, copies the database, and then migrates the copied database to the latest schema.
Minimum System Requirements
Before proceeding with installing the server you should verify that the target system meets the minimum requirements as outlined in the Minimum System Requirements support document.
Port Requirements
Communications to the ZMC require two ports: 7443 and 443.
The ZMC console uses port 7443 to reach the UX-Server container, and the agent communicates on port 443 (HTTP) with the collector container. The local firewall must allow those ports/protocols inbound.
Docker Set Up
Download and install the latest Docker. Ensure the user launching the ZMC containers is a member of the docker group; the user must be able to launch containers without sudo access.
Install Docker Engine on Ubuntu | Docker Documentation
Install Docker Engine on CentOS | Docker Documentation
ZeroLock Management Console Download
ZeroLock Containers Installation
The ZeroLock Management Console (ZMC) ships as a tgz (compressed tar) file, named zerolock-server-<version number>.tgz.
- Determine where the ZMC files will be installed. The ZMC should run as a regular (non-root) user. We recommend installing the ZMC in the distribution’s default user home directory (e.g., /home/ubuntu, /home/ec2-user, etc.), or else in the home directory of a user created specifically to run ZMC (e.g., /home/zerolock).
- Move the ZMC tgz file to the home directory.
- Extract the file with tar xzf zerolock-server-<version number>.tgz; this creates the subdirectory zerolock-server-<version number>.
- Change to the new directory: cd zerolock-server-<version number>
- Run the installer: bash install-zerolock-server.sh. Command line options are outlined below.
- Enter y to confirm and continue with installation.
- The newly installed ZMC is symlinked: zerolock-server -> zerolock-server-<version number> to identify the latest installation’s subdirectory.
Command line options
The new optional switches [-a] and [-d] only work with the Download installers: Self-Extracting and TAR.
Usage: ./installer [-h] [-n] [-v] [-x] [-p] [-a] [-d]

| Optional switch | Description |
| --- | --- |
| -h | Print this help message and exit. |
| -n | Perform a dry run, where no installation or changes are made. Useful for testing and debugging. |
| -v | Output more information during installation. Useful for debugging and troubleshooting. |
| -x | Perform troubleshooting steps for diagnosing problems. |
| -p | Update the AppArmor or SELinux security profile or policy if additional permissions are required. |
| -a | Requires SELinux to be enabled. Prerequisites must be manually installed and verified before proceeding with the installation. For hosts with no internet connectivity to the package repository. |
| -d | Requires SELinux to be disabled. No prerequisite verification is performed on the system. |
ZeroLock Management Console Startup
Starting Service Container
To start the service containers, enter the following commands:
Change to the installation folder: ~/zerolock-server
Command: ./start-zerolock-server.sh -d
Note: The -d has the services run as a daemon.
Container Status Check
To check the status of the containers: docker ps.
Type exit to end the terminal session.
Note: There should be five containers running: collector, uxserver, binwatch, mariadb and registry.
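The two checks above (the inbound ports from the Port Requirements section and the five expected containers) can be scripted. This is an added example, not part of the ZeroLock distribution; it assumes the running container names contain the five names listed here (compose tools add prefixes and suffixes) and that ss is available on the host:

```shell
#!/bin/sh
# Added example (not ZeroLock's own tooling): post-start health check for a
# ZMC host. Compares the names reported by `docker ps` against the five
# containers the page expects and checks that the two inbound ports
# (7443 for UX-Server, 443 for the collector) have a listener.
# Run as `sh zmc-check.sh --live` on the ZMC host; without --live it only
# defines the functions, which take captured command output as arguments.

EXPECTED_CONTAINERS="collector uxserver binwatch mariadb registry"
EXPECTED_PORTS="7443 443"

# missing_containers NAMES: NAMES is the output of
# `docker ps --format '{{.Names}}'`. Prints each expected container for
# which no running container name contains it (assumed naming scheme).
missing_containers() {
    for c in $EXPECTED_CONTAINERS; do
        found=0
        for n in $1; do
            case "$n" in *"$c"*) found=1 ;; esac
        done
        [ "$found" -eq 1 ] || echo "$c"
    done
}

# missing_ports LISTENERS: LISTENERS is the output of `ss -Hltn` (one
# listening TCP socket per line, local address:port in column 4).
# Prints each expected port that has no listener.
missing_ports() {
    for p in $EXPECTED_PORTS; do
        if ! printf '%s\n' "$1" | awk '{print $4}' | grep -q ":$p\$"; then
            echo "$p"
        fi
    done
}

# Live check against the current host; returns 1 if anything is missing.
check_zmc_host() {
    mc=$(missing_containers "$(docker ps --format '{{.Names}}')")
    mp=$(missing_ports "$(ss -Hltn)")
    [ -z "$mc" ] || printf 'missing containers: %s\n' "$mc"
    [ -z "$mp" ] || printf 'ports without a listener: %s\n' "$mp"
    [ -z "$mc$mp" ]
}

if [ "${1:-}" = "--live" ]; then
    check_zmc_host
fi
```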
Stopping Containers
Change to the installation folder: ~/zerolock-server
Command: ./shutdown-backend.sh
Server Logs
Server logs are located in ~/zerolock-server/logs:
collector.txt = endpoint connection and threat information
uxserver.txt = ZeroLock Management Console connection and information
Test ZeroLock Management Console Connectivity
URL: https://localhost
User: superuser
Password: S3cureLinux! (You will be forced to change on initial login)
We are currently using a self-signed certificate. You will have to click Advanced and then Accept the Risk and Continue to use the ZeroLock Management Console.
Once logged into the ZeroLock Management Console, you can verify the ZeroLock version at the bottom of any of the primary console screens.