How to Create a Hash Rule

One of the most challenging tasks in system administration is restricting the usage of specific applications. The ZeroLock® Management Console (ZMC) makes this task efficient and easy by providing two (2) methods with which to create rules and apply them in policies. Using either method, you can block or allow applications or executables and then apply the restrictions to particular endpoints.

    Hash Rule Creation via Alerts

    1. On the ZeroLock Management Console (ZMC) go to Alerts and select an alert you want to create a hash rule for.
      Alert Selection v3.0.2

    2. Double click the selected alert to bring up the Alert Detail screen then select Processes.  The Tree view is the default.
      Tree and Processes v3.0.2

    3. From here there are two (2) ways to add a new hash rule.
      • TREE View - in this view (see above), click on a red process box which brings up the following screen.  Double click the BLOCK button. The first click selects and the second confirms the action.  This adds the rule to all existing policies.
        Process Info BLOCK v3.0.2

      • LIST View - This method accomplishes the same thing as the Tree view, though it displays less information.  Select the List View under the Processes tab, then select BLOCK on the process, or processes, you wish to create a Hash rule for.  Again, double click the BLOCK button. The first click selects and the second confirms.
        List View BLOCK v3.0.2
    4. On double clicking BLOCK, a message screen appears letting you know it was successful and that this Block rule has been added to all policies.


    5. To verify, go to Control Policies | Policies and click the Default Policy.
      Verify Hash Rule Added 2.0.1


    Hash Rule Creation via Policy Rules


    1. To create a Hash rule, first navigate to the Control Policies | Rules page. 
      Control Policies Rules screen 2.0.1

    2. On the Rules page, click the Actions drop-down menu and select the Add New Rule.
      Policy Rules Add Rule 2.0.1

    3. On the New Policy Rule pop-up, the Rule Type defaults to SSH-MFA rules. Select HASH from the drop-down menu.
      New Policy Rule HASH 2.0.1
        
    4. Using the variety of features offered for this Rule Type, craft a rule that fits the exact File access control action you want ZeroLock to monitor.


    5. Each field of the Hash Rule screen is described below:
      • Name (1): The name of the rule as it will appear on your Rules page as well as when adding it to a policy.
      • Description (2): The description of the rule as it will appear on your Rules page as well as when adding it to a policy, useful for explaining the purpose of the rule.
      • Rule Type (3): Selects what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This can only be changed during initial rule creation. Once the rule is created, this is the only field that can no longer be edited.
      • SHA-256 Hash (4): Enter only the exact SHA-256 hash that the rule will either block or allow.
      • Action (5): Designate whether to block or allow the specified hash.
    6. Once the Hash Rule is properly configured, click the Create button at the bottom of the New Policy Rule pop-up menu.
      Hash Rule v3.0.2

    7. Before a rule can be implemented on an endpoint, it must first be applied to a policy. Navigate to the Control Policies | Policies page.  Then select the Add New Policy button.
      Add New Policy 2.0.1-1

    8. On the New Policy pop-up menu, give your new policy a name and description. There is one default rule in place for any new policy, an SSH-MFA rule that simply creates an alert any time an SSH connection is established but does not take any actions. This rule can be left in place or deleted from the new policy based on your preferred configuration.

      To add the new Hash rule, click the Add Rules button.
      Policies Method New Policy Add Rules 2.0.1

    9. On the Policy Rules menu, select any rules you want to add to the new policy. When all are selected, hit the Add Selected button at the bottom.
      Hash Rule Policy v3.0.2
       
    10. When all preferred rules have been added to the policy, you can configure the order in which your lockdown rules will be evaluated. Lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom, with rules on top resolving actions before moving on to later rules down the chain.

      Similar to a firewall, if an action matches on a lockdown rule that is at the top of the list, it will take the actions specified for that rule and stop evaluating any rules below it. If it does not match, it will pass to the next rule in line until it matches. If no rules match, then the action is allowed.
      New Hash Rule Policy v3.0.2

    11. In order to apply a policy to an endpoint, the policy must first be applied to a Config Profile. Navigate to the System Configuration | Config Profiles page.  Once there, select Add New Profile.
      Config Profiles Add New Profile 2.0.1


    12. On the New Configuration Profile pop-up menu you can configure exactly what actions ZeroLock will take for each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, as well as settings for all Hash Rules set to deny based on a SHA-256 hash.

      In order to apply the policy that was created, navigate to the Default Control Policy drop-down menu, insert the name and description for the policy, and then select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. Once complete, select the Create button at the bottom of the menu.
      Hash Blocking Profile v3.0.2

    13. Once a Configuration Profile has been created, it must be applied to an endpoint so the settings can take effect. Navigate to the Endpoints page.
      Endpoint Page for Hash Rule 2.0.1
       
    14. On the Endpoints page, select the endpoint or multiple endpoints that you want to apply the new configuration profile to. Then, click the Actions drop-down menu and select Set Endpoint Config.
      Endpoint Action Hash Set Config 2.0.1

    15. On the Set Endpoint Configs pop-up menu, select the created configuration profile from the drop-down menu, then select the Set Configs button.
      Set Endpoint Config Box 2.0.1

    16. You have successfully created and applied a Hash rule to the endpoint(s).
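The SHA-256 Hash field in step 5 takes only the bare digest, and a hash rule identifies one exact file content. The following added example (not ZeroLock code) computes the digest of a file, checks a pasted value before it goes into the field, and shows that two constructed builds differing by one byte do not share a rule. The file names and sample bytes are constructed, and normalizing to lowercase is a choice made here, not a documented ZMC requirement.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_rule_hash(value):
    """Return the bare lowercase digest, or raise ValueError.

    Rejects anything that is not exactly 64 hex characters, such as an MD5 or
    SHA-1 digest, or a whole `sha256sum` output line that includes a file name.
    """
    candidate = value.strip().lower()
    if not SHA256_RE.fullmatch(candidate):
        raise ValueError(f"not a bare SHA-256 digest ({len(candidate)} chars)")
    return candidate


def demo():
    # Constructed sample: two "builds" of one tool that differ by a single byte.
    with tempfile.TemporaryDirectory() as tmp:
        build_a = Path(tmp, "tool-build-a")
        build_b = Path(tmp, "tool-build-b")
        build_a.write_bytes(b"\x7fELF constructed sample build A")
        build_b.write_bytes(b"\x7fELF constructed sample build B")
        hash_a, hash_b = sha256_file(build_a), sha256_file(build_b)
    # Value as it might be pasted: upper case with stray whitespace.
    rule_value = normalize_rule_hash("  " + hash_a.upper() + "\n")
    return {
        "rule_value": rule_value,
        "matches_build_a": rule_value == hash_a,
        "matches_build_b": rule_value == hash_b,
    }


if __name__ == "__main__":
    print(demo())
```

A rule built from build A's digest does not match build B, so each version or rebuild of an executable needs its own hash rule.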
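Step 10 describes firewall-style evaluation for lockdown rules: top-to-bottom, first match wins, and no match means allow. The following added example is a small model of that behaviour, not ZeroLock's implementation; the `Rule` fields, the glob matching and the sample paths are hypothetical and constructed for illustration. It shows how a broad rule placed above a specific one shadows it.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str  # hypothetical glob on a path, for illustration only
    action: str   # "block" or "allow"


def evaluate(rules, path):
    """Top-to-bottom, first match wins; if nothing matches, the action is allowed."""
    for rule in rules:
        if fnmatchcase(path, rule.pattern):
            return rule.action, rule.name
    return "allow", None


def shadowed_rules(rules, sample_paths):
    """Rules that match some sample but never decide one, because an earlier rule wins."""
    deciding = {evaluate(rules, p)[1] for p in sample_paths}
    return [
        r.name
        for r in rules
        if r.name not in deciding
        and any(fnmatchcase(p, r.pattern) for p in sample_paths)
    ]


# Constructed policy: the same two rules in two different orders.
BROAD_FIRST = [
    Rule("allow-opt", "/opt/*", "allow"),
    Rule("block-tool", "/opt/tools/scanner", "block"),
]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))
SAMPLES = ["/opt/tools/scanner", "/opt/tools/backup", "/usr/bin/ls"]

if __name__ == "__main__":
    for label, policy in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, [evaluate(policy, p) for p in SAMPLES], shadowed_rules(policy, SAMPLES))
```

With the broad allow on top, the block rule never takes effect; moving the specific rule above it restores the block while unmatched paths still fall through to allow.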