Configuration Profile Creation

Configuration Profiles allow ZeroLock™ Management Console (ZMC) administrators to control ZeroLock Agent behavior on protected Endpoints.

    A Configuration Profile greatly simplifies ensuring that, for an endpoint, the desired protections are enabled or disabled and that the Lockdown rule policies, the logging and cache options, and the secure shell configuration are as you intended.

    Additionally, Configuration Profiles let ZMC administrators fine-tune settings for Ransomware, Cryptojacking, and Tampering protection, as well as settings that ensure SSH-MFA two-factor authentication is used. These profiles can also manage Hash Rules: alert level, response type, whether to send email alerts, and auto-quarantine settings.

    To create a Configuration Profile, use the following steps.

    Navigate to the System Configuration | Config Profile page, then select Add New Profile.
    [Screenshot: Config Profiles Main Page 2.0.1]

    Once on the New Configuration Profile pop-up screen, you are presented with eleven (11) editable sections followed by Cancel and Create buttons.
    [Screenshot: New Config Profile, full view]
    1. Name/Description – consists of the name and description of the new configuration profile.
    2. Ransomware Protection – Has six (6) fields:
      1. Enabled - If this protection is active, the block is green; if inactive, the block is red.
      2. Sensitivity - Low, Medium, and High. The higher the sensitivity, the fewer files it takes for ZeroLock to react.
      3. Alert Level - Low, Medium, and High.
      4. Send Email Alerts - Whether emails with alert information are sent to others. If active, the checkbox will be white.
      5. Response Type – Refers to how ZeroLock will respond. Options are Do Nothing, Suspend, Kill, and Remediate.
      6. Auto Quarantine – If the checkbox is white, the endpoint will be auto quarantined in the event of an alert.
    3. Cryptojacking Protection – Has the same six (6) fields as Ransomware Protection.
    4. Tampering Protection – Has the same fields as Ransomware Protection, except that Sensitivity has been removed.
    5. Hash Rules – Has four (4) fields: Alert Level, Send Email Alerts, Response Type, and Auto Quarantine.
    6. SSH Multifactor Auth – Has three (3) fields: Enabled, Alert Level, and Send Email Alerts.
    7. Default Control Policy – Using the Policy drop down menu, select the desired policy.
    8. Endpoint Logging – Used for setting the size of the Baldur and Tyr logs for the ZeroLock Agent on the endpoint.
    9. Remote Shell – A remote shell is a tool for executing commands on a device through a command-line shell. Fields are Enabled and Default User. A green checkbox means that this feature is enabled and commands can be run remotely from the ZeroLock Management Console (ZMC) on the endpoints. The Default User is ‘nobody’, a placeholder with no permissions.

      Note:  The ONLY system that can access this feature on the endpoint is the configured collector system defined in the Agents configuration.
    10. Precision Mode Settings* –  By default, an agent does not monitor any processes.  Process monitoring settings are set here, in the Configuration Profile, or in the server query functionality.  Regardless of where it is set, it may take up to 60 seconds for an agent to start monitoring SSH and other processes when it is initially applied.
      This section contains five (5) fields:
        1. Enable – If selected, Precision Mode is on.
        2. Monitor cron – Directs ZeroLock to monitor cron jobs. Cron, Anacron, and/or Crond must be present in the Process Scan Regex for this setting to work.
        3. Monitor systemd – Directs ZeroLock to monitor systemd and any services restarted or started by a periodic job.
        4. Monitor containerd – Directs ZeroLock to monitor containers. Containerd must be present in the Process Scan Regex for this setting to work.
        5. Process scan regex – A regex that a process must match for ZeroLock to monitor it when it does sweeps of the system.
      Note:  When disabling monitor options, the agent must be disabled and then re-enabled to stop monitoring already running processes.  For example, if you are monitoring cron jobs and then disable that option on the server, you have to deactivate and reactivate the agent so that it stops monitoring this type of process.
      *Available in ZeroLock Management Console v2.0.7 and later.
    11. Cache Settings – Contains four (4) fields:
        1. Location – Path to where the cache is located.
        2. Max Size – Maximum size of the cache in megabytes (MB).
        3. Max Cache File Age – In seconds.
        4. Max Cache File Size – In bytes (B).
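
The Precision Mode dependencies in section 10 (Monitor cron and Monitor containerd only work when the matching process names are in the Process Scan Regex) can be checked before a profile is created. The following is an added example, not ZeroLock code: the dictionary keys are hypothetical stand-ins for the form fields, and it assumes the regex is compatible with Python's `re` syntax and that "present in the regex" means the regex matches the process name.

```python
import re

# Process names each monitor option depends on, taken from the Precision Mode
# field descriptions above. Matching any one name in a tuple is enough.
REQUIRED_NAMES = {
    "monitor_cron": ("cron", "anacron", "crond"),
    "monitor_containerd": ("containerd",),
}

def check_precision_mode(settings):
    """Return a list of problems in a Precision Mode settings dict.

    The dict keys are hypothetical stand-ins for the five fields in the
    profile form; they are not a ZeroLock API or export format.
    """
    if not settings.get("enable"):
        return []  # Precision Mode off: the regex dependencies do not apply
    pattern = settings.get("process_scan_regex", "")
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return [f"process_scan_regex does not compile: {exc}"]
    problems = []
    for option, names in REQUIRED_NAMES.items():
        # Assumption: "present in the regex" means the regex matches the
        # process name. fullmatch is the strict reading; a pattern that
        # passes it also passes a substring search.
        if settings.get(option) and not any(rx.fullmatch(n) for n in names):
            problems.append(
                f"{option} is on but the regex matches none of: {', '.join(names)}")
    return problems

def selected(pattern, process_names):
    """Names from a sample process list that the regex would select."""
    rx = re.compile(pattern)
    return [n for n in process_names if rx.fullmatch(n)]

# Constructed sample data, not taken from a real endpoint or profile.
SAMPLE_PROCESSES = ["sshd", "crond", "containerd", "nginx", "systemd"]
DRAFT = {"enable": True, "monitor_cron": True, "monitor_systemd": True,
         "monitor_containerd": True, "process_scan_regex": "sshd|cron"}
FIXED = dict(DRAFT, process_scan_regex="sshd|crond|containerd")

if __name__ == "__main__":
    for name, profile in (("draft", DRAFT), ("fixed", FIXED)):
        print(name, check_precision_mode(profile) or "ok",
              selected(profile["process_scan_regex"], SAMPLE_PROCESSES))
```

The draft profile is flagged because Monitor containerd is selected while the regex covers only sshd and cron; the fixed profile passes and selects sshd, crond, and containerd from the sample list.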

    Edit an Existing Configuration Profile

    If you need to make changes to a saved profile, the simplest way is to click once on the profile name, which opens a partial view of the Profiles screen, as seen below.

    Selecting Edit will open the screen fully as previously seen in step 2.
    [Screenshot: How to Open Edit Screen 2.0.1]

    When done editing, click Update to return to the previous screen.

    [Screenshot: Edited Config Profile, full view]

    You have successfully created a new Configuration Profile.