
v4.2.2_Endpoint Profiles Homepage on the ZeroLock® Management Console

Overview of the Endpoint Profiles homepage, permitting control of ZeroLock® Agent behavior on protected Endpoints.

Overview

An Endpoint Profile greatly simplifies ensuring that, for a specific endpoint, the desired protections are enabled or disabled and that the Lockdown rule policies, the logging and cache options, and the secure shell configuration are as you intended.

Additionally, using Endpoint Profiles enables ZMC administrators to fine-tune settings for Ransomware, Cryptojacking, and Tampering protection, and settings for ensuring SSH-MFA two-factor authentication usage.  These profiles can also be configured to manage HASH rules for setting alert levels, response type, whether to send email alerts, and auto-quarantine settings.

The following instructions will walk you through the layout of the Endpoint Profiles homepage followed by instructions on creating an Endpoint Profile.


Endpoint Profile Screen

Image_1_Homescreen_v4.2.2
  1. Export Data - Clicking either download option will download all the information on your screen in CSV format.
    1. If you wish to export only selected entries, hover the cursor to the left of the entry number and select the box that appears.
    2. Once you have selected the entries you want, use either download option.
  2. Add New Profile - Select this to create a new endpoint profile.
  3. Column Headings - The column headings are mostly self-explanatory. IDs are system-generated. “# of Endpoints” is the number of endpoints currently using that profile.
  4. Profiles - The names and descriptions of endpoint profiles existing in the environment.
  5. View - Provides a drop-down listing of the screen configurations, i.e., layouts or views, that are available. Initially, the only option in the VIEW drop-down list is All, which is the default and the only available layout or view. Once other layouts are created, they will appear on the list.
  6. Edit - Selecting the cog or gear symbol brings up the Edit View pop-up screen. This screen enables changing the layout (view) of the columns, such as moving columns or hiding columns altogether. The views you create may be saved under their own name for easy access from the VIEW tab.

    When the Edit View screen first appears, the default name ‘All’ is visible, and Save A Copy is the option.
    Image_2_Edit View_v4.2.2

    Selecting SAVE A COPY will bring up the Save View As screen where you may enter a name for the view. Selecting the Save As button will confirm the creation of the view.

    Image_3_Save View As_v4.2.2
    Moving any column will replace SAVE A COPY with MODIFIED, RESET, and SAVE AS.
    Image_4_Save Changes_v4.2.2
    1. Modified – is static and only shows that the ‘original’ layout (view) has been changed. The label goes away when it’s saved.
    2. Reset – erases your changes, returning the profile to its original configuration.
    3. Save As – allows you to name and save the view you created.

For the Demo view, the ID column was moved below the Description column. To save this layout as a different view, click SAVE AS; the Save View As screen appears, where you enter a name for the new view. Select Save As to return to the previous screen.

To save your changes to the current view, select SAVE CHANGES.

Clicking the Done button completes the process and opens the new Endpoint Profile View or layout.
Image_5_Demo View_v4.2.2-2


Creating a New Endpoint Profile

Navigate to the Manage Endpoints | Profiles page, then select Add New Profile.

Step_1_Endpoint Profiles_v4.2.2

Once on the New Endpoint Profile screen, there are twelve (12) editable sections followed by Cancel and Create buttons.

Step_2_New Endpoint Profile_v4.2.2
  1. Name/Description – consists of the name and description of the new endpoint profile.
  2. Ransomware Protection - concerns the agent’s ability to detect ransomware (malware that encrypts files on the system). For the agent to detect ransomware, the ransomware must be executed over a networked connection. There are six (6) fields:
    1. Enabled - The GREEN block means that ransomware protection is active. A RED block means that ransomware protection is disabled.
    2. Sensitivity - Low, Medium, and High.  The higher the sensitivity, the fewer files it takes for the ZeroLock AI engine to detect the ransomware attack and generate an alert.  Setting this value too high could cause false positive alerts. 
    3. Alert Level - Low, Medium, and High. This controls how the alert’s severity level will appear in the ZMC.   
    4. Send Email Alerts - This setting controls if emails are sent to all users when a ransomware alert is generated.  The email will contain detailed alert information.  If active, the checkbox will be white.  The email section under System Configuration | Integrations | Integration Settings must be enabled and configured.
    5. Response Type – refers to how ZeroLock will respond.  Options are Alert Only, Suspend, Kill, and Remediate.
      1. Alert Only - an alert is generated. The ZMC will take no action other than generating an alert that possible malware was detected. User intervention is required.
      2. Suspend – the identified network process that triggered the alert will be suspended.  The offending process and its children will be in a hung state.  A user response is required to unblock the process.
      3. Kill – the network process, and the children that triggered the alert will be terminated.  The user has the option to remediate the alert.
      4. Remediate – the ZeroLock Agent will automatically terminate the offending network process and the children that triggered the alert.  All files manipulated during the attack will be automatically restored to their original state. 
    6. Auto Quarantine – If the checkbox is white, in the event of an alert, the endpoint will be auto-quarantined.  Internet and network access to and from the quarantined endpoint will be blocked except for access to and from the ZMC server. 
  3. Cryptojacking Protection – This protection setting concerns the agent’s ability to detect a cryptojacking attack (malicious code that hijacks a machine’s resources to generate cryptocurrency).  It has the same six (6) fields as Ransomware Protection.
  4. Tampering Protection – This protection setting concerns the agent’s ability to protect itself from being disabled. Any attempt to modify, add, or delete files in the ZeroLock installation directory will result in a tampering alert. To protect the running ZeroLock service, the recommended ruleset must be enabled under the Control Policies | Policies section in ZMC. Except for Sensitivity, which has been removed, it has the same fields as Ransomware Protection.
  5. Hash Rules – This protection setting concerns the agent’s ability to allow or block executable files whose SHA-256 hash values have been added to a list. Hash values are added to this list by creating a new rule, or automatically by selecting BLOCK or ALLOW on the Process Information screen. There are five (5) fields: Alert Level, Send Email Alerts, Response Type, Auto Quarantine, and Enable Program Filter.
  6. SSH Multifactor Auth – This protection setting concerns the agent’s ability to allow, block, or authenticate SSH sessions from a particular user, IP address, or by setting a schedule of when the endpoint may accept SSH sessions.  There are three (3) fields:  Enabled, Alert Level, and Send Email Alerts.
  7. Default Control Policy – Select the desired policy using the Policy drop-down menu. The available policy list comes from Policies (Control Policies | Policies).
  8. Endpoint Logging – Used for setting the size of the Baldur and Tyr logs for the ZeroLock Agent on the endpoint.
  9. Remote Shell – A remote shell is a tool to execute commands on a device through a command-line shell. Fields are Enabled and Default User. A GREEN checkbox indicates the feature is enabled and that commands can be remotely run from the ZeroLock Management Console (ZMC) on the endpoints. The Default User is ‘nobody’, acting as a placeholder without any permissions.
     Step_9_Note-2
  10. Precision Mode Settings – ESXi systems do not use these settings. Once the ZeroLock agent identifies the operating system as ESXi, it uses the ESXi group box configuration options (see the next section).
      Step_10_Caution
      1. Enable – If selected, Precision Mode is on.
      2. Monitor cron – ZeroLock monitors cron jobs. For this setting to work, Cron, Anacron, and/or Crond must be present in the Process Scan Regex.
      3. Monitor systemd – ZeroLock monitors systemd and any services restarted or started by a periodic job.
      4. Monitor containerd - ZeroLock monitors containers. For this setting to work, Containerd must be present in the Process Scan Regex.
      5. Process Scan Regex – the regex that must be matched by the processes ZeroLock will monitor when it sweeps the system.
         Step_10_Note-1
  11. ESXi – Contains two (2) fields:
      1. Command Line Regex – lists the processes that are monitored on the ESXi endpoint. This regex can include or exclude specific processes. The default is the ‘inetd’ daemon.
      2. Enable Remediation - If the indicator is green, remediation is enabled; if red, it is not.
  12. Cache Settings – Contains four (4) fields:
    • Location
      The path the ZeroLock agent uses to store (cache) files that are identified as modified and needed for attack remediation. Speed of access is required for optimal system performance. The best practice is to use space on the local system drive. If a network location is required, throughput must be accounted for. The tampering detection functionality protects the cache location.
    • Max Size
      The maximum disk space the ZeroLock agent may use when backing up data for remediation. Configure the Max Size setting to ensure enough space is available, depending on the size and number of files modified on the system. The default is 1000 MB (megabytes).
    • Max Cache File Age
      The maximum time a backed-up file will be available in the cache for use in remediation. The default is 172,800 seconds (48 hours).
    • Max Cache File Size
      The maximum file size that the ZeroLock agent will attempt to back up for use in remediation. The value should be set larger than the largest essential files on the protected system. This setting must be verified when protecting ESXi systems. If a file is larger than this value, it will be ignored, which can cause remediation to fail if the system is attacked. The default is 104,857,600 B (100 MB).
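Two of the fields above lend themselves to a check before a profile is rolled out: the Precision Mode Process Scan Regex (which must match the cron/anacron/crond and containerd daemons for the Monitor cron and Monitor containerd options to do anything) and the Max Cache File Size (which must exceed the largest essential file, or the agent will skip it and remediation may fail). The script below is an added example and is not part of the ZeroLock documentation or product. It assumes the Process Scan Regex uses a dialect compatible with Python's `re` module, and both the process list and the directory tree it checks are constructed sample data.

```python
import os
import re
import shutil
import tempfile

# Constructed sample of process command lines, as a sweep of the system might
# list them. The agent's real process listing is not documented on the page.
SAMPLE_PROCESSES = [
    "/usr/sbin/cron -f",
    "/usr/sbin/anacron -s",
    "/usr/bin/containerd",
    "/usr/lib/systemd/systemd --system",
    "/usr/sbin/sshd -D",
    "/usr/bin/python3 /opt/app/worker.py",
]

# Daemons each Precision Mode option depends on, per the profile description.
OPTION_DAEMONS = {
    "cron": ("cron", "anacron", "crond"),
    "containerd": ("containerd",),
}

# Default Max Cache File Size quoted on the page: 104,857,600 B (100 MB).
DEFAULT_MAX_CACHE_FILE_SIZE = 104_857_600


def monitored_processes(scan_regex, processes=SAMPLE_PROCESSES):
    """Command lines that a Process Scan Regex would select for monitoring.
    Assumes a regex dialect compatible with Python's re module (unverified)."""
    pattern = re.compile(scan_regex)
    return [p for p in processes if pattern.search(p)]


def daemons_covered(scan_regex, option):
    """Names among the daemons `option` needs that the regex actually matches.
    An empty list means the option is switched on but will monitor nothing."""
    pattern = re.compile(scan_regex)
    return [name for name in OPTION_DAEMONS[option] if pattern.search(name)]


def oversized_files(root, max_size=DEFAULT_MAX_CACHE_FILE_SIZE):
    """(basename, size) for regular files under root larger than max_size,
    i.e. files the agent would skip when caching copies for remediation."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if size > max_size:
                found.append((name, size))
    return sorted(found)


def check_sample_tree(max_size):
    """Build a constructed tree with one file under and one just over max_size
    (the large one is sparse, so it costs no real disk space), run the check,
    and clean up. Returns the oversized (basename, size) pairs."""
    root = tempfile.mkdtemp(prefix="zl_cache_check_")
    try:
        with open(os.path.join(root, "config.db"), "wb") as f:
            f.write(b"x" * 1024)
        with open(os.path.join(root, "vm-disk.vmdk"), "wb") as f:
            f.seek(max_size)  # one byte past the limit
            f.write(b"\0")
        return oversized_files(root, max_size)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    regex = r"cron|containerd|systemd"
    print("Monitored:", monitored_processes(regex))
    for option in OPTION_DAEMONS:
        print(f"Monitor {option} covered by:", daemons_covered(regex, option))
    print("Would be skipped by the cache:", check_sample_tree(1_000_000))
```

To check a real system, call `oversized_files("/path/to/protected/data", DEFAULT_MAX_CACHE_FILE_SIZE)` against the directories whose files remediation must be able to restore; any entry returned needs either a larger Max Cache File Size or an explicit decision that the file is not essential.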


 


Edit an Existing Endpoint Profile

If you need to make changes to a saved profile, the simplest way is to click a single time on the profile name, which will open a partial view of the Profiles screen as seen below.  In the 'default' layout, only Duplicate is available.  For other layouts or views, the Edit and Delete options will be included.

Selecting Edit will open the screen fully as previously seen in step 2.

Image_6_Edit Profile_v4.2.2

When done editing, it's recommended that a descriptive name be assigned. Click Update to return to the  Endpoint Profiles homepage. 

Image_7_Endpoint Profile Update_v4.2.2

When done editing, click Update at the bottom of the screen to return to the Endpoint Profiles homepage.


Applying a Configuration Profile to an Endpoint

  1. Once an Endpoint Profile has been created, it must be applied to an endpoint for the settings to take effect. Navigate to the Endpoints page.
    Step_1_Endpoints Home screen_v4.2.2

  2. On the Endpoints page, select the endpoint or multiple endpoints you want to apply the new endpoint profile to. Then, click the Actions drop-down menu and then Set Endpoint Profile.
    Step_2_Set Endpoint Profile_v4.2.2

  3. In the Set Endpoint Profile box, select the created endpoint profile from the drop-down menu. Then select the Set Profile button.
    Step_3_Set Endpoint Profile modal_v4.2.2

  4. On clicking Set Profile, you are returned to the Endpoints homepage, where you can see the profile has been applied.
    Step_4_Profile Set_v4.2.2

You have successfully configured an endpoint with a new Endpoint Profile!