Configuration Profile Creation

Configuration Profiles allow the ZeroLock® Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints.

    A Configuration Profile makes it much easier to ensure that the desired protections are enabled or disabled, and that the Lockdown rule policies, the logging and cache options, and the secure shell configuration are as you intended for an endpoint.

    Additionally, Configuration Profiles let ZMC administrators fine-tune the settings for Ransomware, Cryptojacking, and Tampering protection, and the settings that enforce SSH-MFA two-factor authentication. These profiles can also be configured to manage Hash rules: alert levels, response type, whether to send email alerts, and auto-quarantine settings.

    To create a Configuration Profile, use the following steps. 

    1. Navigate to the System Configuration | Config Profile page and select Add New Profile.
      (Screenshot: Add New Profile)
    2. On the New Configuration Profile screen, you are presented with twelve (12) editable sections followed by Cancel and Create buttons.

    (Screenshot: New Configuration Profile screen)

    1. Name/Description – the name and description of the new configuration profile.
    2. Ransomware Protection – This protection setting applies to the agent’s ability to detect ransomware (malware that encrypts files on the system). For the agent to detect ransomware, the ransomware must be executing over a network connection. There are six (6) fields:
      1. Enabled - The GREEN block means that ransomware protection is active.  A RED block represents that ransomware protection is disabled. 
      2. Sensitivity – Low, Medium, and High. The higher the sensitivity, the fewer files need to be affected before the ZeroLock AI engine detects the ransomware attack and generates an alert. Setting this value too high can cause false positive alerts.
      3. Alert Level - Low, Medium, and High. Controls how the alert’s severity level will appear in ZMC.   
      4. Send Email Alerts – This setting controls whether emails are sent to all users when a ransomware alert is generated. The email contains detailed alert information. If active, the checkbox will be white. The email section under System Settings must be enabled and configured.
      5. Response Type – refers to how ZeroLock will respond.  Options are Do Nothing, Suspend, Kill, and Remediate.
        1. Do Nothing – an alert will be generated. ZMC will not automatically take action on the alert; any action must be initiated by the user.
        2. Suspend – the identified network process that triggered the alert will be suspended. The offending process and its children will be in a hung state. A user response is required to unblock the process.
        3. Kill – the network process that triggered the alert, and its children, will be terminated. The user has the option to remediate the alert.
        4. Remediate – the ZeroLock Agent will automatically terminate the offending network process and the children that triggered the alert. All files manipulated during the attack will be automatically restored to their original state.
      6. Auto Quarantine – If the checkbox is white, the endpoint is automatically quarantined when an alert is generated. Internet and network access to and from the quarantined endpoint will be blocked, except for access to and from the ZMC server.
    3. Cryptojacking Protection – This protection setting concerns the agent’s ability to detect a cryptojacking attack (malicious code that hijacks a machine’s resources to generate cryptocurrency). It has the same six (6) fields as Ransomware Protection.
    4. Tampering Protection – This protection setting concerns the agent’s ability to protect itself from being disabled. Any attempt to modify, add, or delete files in the ZeroLock installation directory will result in a tampering alert. To protect the running ZeroLock service, the recommended ruleset must be enabled under the Policies section in ZMC. It has the same fields as Ransomware Protection, except that Sensitivity is not present.
    5. Hash Rules – This protection setting applies to the agent’s ability to protect the endpoint from executable files whose SHA-256 hash values have been added to an allow or block list. Hash values are added to this list by creating a new rule, or automatically by selecting BLOCK or ALLOW on the Process Information screen. There are five (5) fields: Alert Level, Send Email Alerts, Response Type, Auto Quarantine, and Enable Program Filter.
    6. SSH Multifactor Auth – This protection setting concerns the agent’s ability to allow, block, or authenticate SSH sessions from a particular user or IP address, or to set a schedule for when the endpoint may accept SSH sessions. There are three (3) fields: Enabled, Alert Level, and Send Email Alerts.
    7. Default Control Policy – Using the Policy drop-down menu, select a policy. The available policy list comes from Policies (Control Policies | Policies).
    8. Endpoint Logging – Used for setting the size of the Baldur and Tyr logs for the ZeroLock Agent on the endpoint.
    9. Remote Shell – A remote shell is used to execute commands on a device through a command-line shell.  Fields are Enabled and Default User.   A green checkbox indicates this feature is enabled, and commands can be remotely run from the ZeroLock Management Console (ZMC) on the endpoints.  The Default User is ‘nobody’, a placeholder with no permissions.

    10. Precision Mode Settings – ESXi systems do not use these settings. Once the ZeroLock agent identifies the operating system as ESXi, it uses the ESXi group box configuration options (see item 11 below).

      When enabled, the agent does not monitor any processes by default. The cron, systemd, and containerd options, together with the Process Scan Regex setting, allow a user to fine-tune the list of processes monitored by ZeroLock. When the settings are first applied, it may take up to 60 seconds for the agent to receive them and begin monitoring the listed processes. This section contains five (5) fields:
        1. Enable – If selected, Precision Mode is on.
        2. Monitor cron – ZeroLock monitors cron jobs. For the Process Scan Regex to work, cron, anacron, and/or crond must be present.
        3. Monitor systemd – ZeroLock monitors systemd and any services started or restarted by a periodic job.
        4. Monitor containerd – ZeroLock monitors containers. containerd must be in the Process Scan Regex for this setting to work.
        5. Process Scan Regex – a regular expression that a process must match for ZeroLock to monitor it during its sweeps of the system.
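      The Precision Mode fields above interact: the agent monitors only what the Process Scan Regex selects, and Monitor cron and Monitor containerd only take effect when their daemons are among the selected processes. The following Python pre-flight check is an added example, not ZeroLock code; the REQUIRED_BY_OPTION mapping, the sample process list, and the function names are this example's own assumptions, and it tests a candidate regex against a constructed process sweep before the profile is saved.

```python
import os
import re

# Daemon names that each Precision Mode option needs the Process Scan Regex to select
# (cron/anacron/crond for Monitor cron, containerd for Monitor containerd, as the profile
# notes state). The mapping itself is this example's assumption, not agent code.
REQUIRED_BY_OPTION = {
    "monitor_cron": ("cron", "anacron", "crond"),
    "monitor_containerd": ("containerd",),
}

# Constructed sample of command lines as a process sweep of an endpoint might list them.
SAMPLE_PROCESSES = [
    "/usr/sbin/cron -f",
    "/usr/sbin/anacron -s",
    "/usr/bin/containerd",
    "/usr/bin/containerd-shim-runc-v2 -namespace moby",
    "/lib/systemd/systemd --user",
    "/usr/sbin/sshd -D",
    "nginx: master process /usr/sbin/nginx",
]

def compile_scan_regex(pattern):
    """Compile the Process Scan Regex, turning a malformed pattern into a ValueError."""
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid Process Scan Regex {pattern!r}: {exc}") from exc

def daemon_name(cmdline):
    """Executable basename of a command line (its first whitespace-separated token)."""
    return os.path.basename(cmdline.split()[0])

def matched_processes(pattern, processes):
    """Command lines the regex would select for monitoring during a sweep."""
    rx = compile_scan_regex(pattern)
    return [p for p in processes if rx.search(p)]

def preflight(pattern, options, processes):
    """Problems with a Precision Mode block (an empty list means it is consistent).
    options: the profile's checkboxes, e.g. {"monitor_cron": True}. A regex that selects
    nothing is flagged (Precision Mode monitors only what the regex selects), as is an
    enabled option whose daemons are not among the selected processes."""
    selected = {daemon_name(p) for p in matched_processes(pattern, processes)}
    problems = []
    if not selected:
        problems.append("regex selects no processes, so Precision Mode would monitor nothing")
    for option, names in REQUIRED_BY_OPTION.items():
        if options.get(option) and not selected.intersection(names):
            problems.append(f"{option} is enabled but the regex selects none of {names}")
    return problems
```

Run preflight with the regex and checkbox values you intend to enter in the profile; any message it returns points at an option that would silently do nothing once the profile is applied.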
    11. ESXi – Contains two (2) fields:
        1. Command Line Regex – a regex that selects the processes monitored on the ESXi endpoint; it can include or exclude specific processes. The default is the ‘inetd’ daemon.
        2. Enable Remediation – If the indicator is green, remediation is enabled; if red, it is not.
    12. Cache Settings – Contains four (4) fields:
        1. Location
          The path where the ZeroLock agent stores (caches) files that have been identified as modified and are needed for attack remediation. Fast access is required for optimal system performance, so the best practice is to use space on the local system drive. If a network location is required, its throughput needs to be accounted for. The tampering detection functionality protects this location.
        2. Max Size
          The maximum disk space that the ZeroLock agent can use when backing up data for remediation. Configure the Max Size setting so that enough space is available for the size and number of files modified on the system. The default is 1000 MB (megabytes).

        3. Max Cache File Age
          The maximum time a backed-up file will be available in the cache and available for use in remediation.  The default is 172,800 seconds (48 hours). 
        4. Max Cache File Size

          The Max Cache File Size defines the maximum size of a single file that ZeroLock will attempt to cache. The Max Size setting refers to the total storage allocated for the entire cache location.

          By default, Max Cache File Size is set to 100 GB (107,374,182,400 bytes). If the largest file on your virtual machine is 100 GB or smaller, this setting does not need to be modified. However, if any single file exceeds 100 GB, you must update this setting accordingly and ensure the value is specified in bytes.

          For example, even if your VM requires 400 GB of total cache storage, if no individual file exceeds 100 GB, the default Max Cache File Size is sufficient. Files larger than the configured limit will be skipped during caching.


    Edit an Existing Configuration Profile

    If you need to change a saved profile, the simplest way is to click once on the profile name to open a partial view of the Profiles screen as seen below.

    Selecting Edit will open the screen fully, as previously seen in step 2.
    (Screenshot: Edit Config Profile)


    Update To Save Edits

    When done editing, clicking Update at the bottom of the screen will return you to the Configuration Profiles homepage. 

    Congratulations, you have successfully created a new Configuration Profile.