The ZeroLock® Management Console (ZMC) provides two (2) methods with which to create Hash rules and apply them in policies.
Restricting which applications may run is one of the more difficult tasks in system administration. In the ZMC, a Hash rule identifies an executable by the SHA-256 hash of its contents and either allows or blocks it. Hash rules may be created through Alerts or through Policy Rules; either method produces a rule that is then applied to endpoints through a policy.
Hash Rule Creation via Alerts
- On the ZeroLock Management Console (ZMC) go to Alerts and select an alert you want to create a hash rule for.
- Double-click the selected alert to bring up the Alert Detail screen, then select the PROCESSES tab. The Tree view is the default.
- From this point, there are two (2) ways to add a new hash rule.
- TREE View - in this view, click a red process box to bring up the PROCESS INFORMATION screen.
Clicking the BLOCK button brings up the CREATE RULE screen. Selecting CREATE RULE at the bottom of the screen adds the rule to all existing policies and returns you to the PROCESS INFORMATION screen. Click CLOSE to return to the individual alert screen from Step 2.
- LIST View - this view accomplishes the same thing as the Tree view but displays less information. Select List View under the PROCESSES tab, then select BLOCK on the process, or processes, you wish to create a Hash rule for.
Clicking the BLOCK button brings up the same CREATE RULE screen as in the Tree view. Selecting CREATE RULE at the bottom of the screen adds the rule to all existing policies and returns you to the individual alert screen.
- Once back on the individual alert screen, clicking BLOCK brings up the same CREATE RULE screen, but because the rule was already added in the previous step, clicking the Create Rule button now results in a message rather than a new rule.
- To verify, go to Control Policies | Policies and click the Default Policy. The rule you created is listed in the Details section under HASH Rules.
You have successfully created a Hash rule via the Alerts method.
Hash Rule Creation via Policy Rules
- To create a Hash rule, first navigate to the Control Policies | Rules page.
- On the Rules page, click the Actions drop-down menu and select the Add New Rule.
- On the New Policy Rule pop-up, the Rule Type defaults to SSH-MFA. Select HASH from the drop-down menu.
- Using the fields offered for this Rule Type, specify the exact executable (by its SHA-256 hash) that the rule should allow or block.
Each field of the Hash Rule screen is described below:
- Name: The name of the rule as it appears on the Rules page and when adding the rule to a policy.
- Description: The description of the rule as it appears on the Rules page and when adding the rule to a policy; useful for explaining the purpose of the rule.
- Rule Type: The type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This is the only field that cannot be edited once the rule has been created.
- SHA-256 Hash: The exact SHA-256 hash of the executable that the rule will block or allow. Enter only the hash itself in this field.
- Action: Whether to block or allow the specified hash.
- Once the Hash rule is configured, click the Create button at the bottom of the New Policy Rule pop-up menu.
Applying the Hash Rule to a Policy
- Before a rule can take effect on an endpoint, it must first be added to a policy. Navigate to the Control Policies | Policies page, then select the Add New Policy button.
- On the New Policy pop-up menu, give your new policy a name and description. There is one default rule in place for any new policy, an SSH-MFA rule that simply creates an alert any time an SSH connection is established but does not take any actions. This rule can be left in place or deleted from the new policy based on your preferred configuration.
To add the new Hash rule, click the Add Rules button.
- On the Policy Rules menu, select the rules you want to add to the new policy. When all are selected, click the Add Selected button at the bottom.
- When all preferred rules have been added to the policy, you can configure the order in which lockdown rules are evaluated. Lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom: a rule higher in the list resolves the action before any rule below it is considered.
As in a firewall, if an action matches a lockdown rule at the top of the list, the actions specified for that rule are taken and no rules below it are evaluated. If it does not match, evaluation passes to the next rule in line until a rule matches. If no rule matches, the action is allowed.
- To apply a policy to an endpoint, the policy must first be assigned to a Config Profile. Navigate to the System Configuration | Config Profiles page and select Add New Profile.
- On the New Configuration Profile pop-up menu you can configure exactly what actions ZeroLock takes for each protection engine. Settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, as well as for Hash rules that deny an executable based on its SHA-256 hash.
Enter a name and description, navigate to the Default Control Policy and, from the drop-down menu, select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. Once complete, select the Create button at the bottom of the menu.
- Once a Configuration Profile has been created, it must be applied to an endpoint so the settings can take effect. Navigate to the Endpoints page.
- On the Endpoints page, select the endpoint or multiple endpoints that you want to apply the new configuration profile to. Then, click the Actions drop-down menu and select Set Endpoint Config.
- On the Set Endpoint Configs pop-up menu, select the created configuration profile from the drop-down menu, then select the Set Configs button.
- On the Endpoints page you can see that the profile has been applied to the endpoint.
You have successfully created and applied a Hash rule to the endpoint.
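The first-match evaluation described in the "Applying the Hash Rule to a Policy" section has a practical consequence: the same set of lockdown rules can allow or block the same action depending on their order. The following added example (not ZeroLock code) models that evaluation for a constructed policy. The rule format used here, a path glob plus an action, is an assumption made for the illustration; the ZMC's real matching criteria are whatever the File Access, Network Access and Program Execution rule forms provide. What it shows is that a narrow allow placed above a broad block exempts one path, while the same two rules in the opposite order block it.

```python
"""First-match evaluation of lockdown rules, as described for ZeroLock policies.

Added illustration, not ZeroLock/Vali Cyber code. The rule format (a path
glob plus an action) is an assumption made for the example.
"""
import fnmatch

# Per the page: "If no rules match, then the action is allowed."
DEFAULT_ACTION = "allow"


def evaluate(rules, path):
    """Return (action, matched_rule_name) for the first rule whose glob matches.

    Rules are evaluated top-to-bottom; the first match decides the action and
    evaluation stops, like a first-match firewall chain. No match -> default.
    """
    for rule in rules:
        if fnmatch.fnmatchcase(path, rule["match"]):
            return rule["action"], rule["name"]
    return DEFAULT_ACTION, None


# Constructed sample policy: a narrow allow and a broad block over the same tree.
ALLOW_BACKUP = {"name": "allow-backup-tool", "match": "/opt/backup/*", "action": "allow"}
BLOCK_OPT = {"name": "block-opt", "match": "/opt/*", "action": "block"}


def order_matters(path="/opt/backup/agent"):
    """Evaluate the same two rules in both orders for one path."""
    narrow_first = evaluate([ALLOW_BACKUP, BLOCK_OPT], path)
    broad_first = evaluate([BLOCK_OPT, ALLOW_BACKUP], path)
    return narrow_first, broad_first


if __name__ == "__main__":
    print(order_matters())
    # The narrow allow above the broad block exempts the backup agent;
    # the broad block above the allow shadows it and the agent is blocked.
    print(evaluate([ALLOW_BACKUP, BLOCK_OPT], "/usr/bin/ls"))
    # Nothing under /usr matches either rule, so the default allow applies.
```

When you reorder rules in a policy, place the most specific allow or block entries above broader ones; a broad rule near the top shadows every more specific rule below it, and a policy with no matching rule falls through to allow.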