The ZeroLock™ Management Console (ZMC) includes a set of default Lockdown rules to ensure security. Many known exploits are covered within this “Recommended Rules” ruleset and outlined in the rule's description.
This Recommended ruleset is automatically added to the database when you first install the ZMC. The ruleset is protected and may not be changed but may be copied, allowing you to create and modify a ruleset based on your organization’s particular requirements.
The Recommended Ruleset is of the Ordered Rule type, meaning that Lockdown rules (File Access, Network Access, and Program Execution) are evaluated top-to-bottom, with rules on top resolving actions before moving on to later rules down the chain.
Similar to a firewall, if an action matches a lockdown rule that is at the top of the list, it will take the actions specified for that rule and NOT evaluate any rules below it. If the action does not match that rule, it will continue to the next rule in line until it matches a rule. If no rules match the action, then the action is allowed.
For the provided Recommended Ruleset, the rules are written so they do not overlap in any way that is consequential to the order they are in, so the default order is sufficient.
Updating the Recommended Ruleset
The rules contained in the Recommended Ruleset are versioned so determining if a rule in your ruleset is out of date is simply a matter of looking at the rule’s detail and comparing versions. If a rule in your ruleset is out of date, you may download the latest ruleset json from the support site and import the newer rule which will automatically replace the out of date rule.
This is done in the following manner:
- Download the latest rule set from the Vali Cyber support site for your server release. Server versions will identify the compatible ruleset downloads. For example, if you are running server 1.4.34, the agreeing ruleset json will appear like 1.4.1.x.
- Navigate to the Control Policies | Rules page | Actions drop-down and select Upload New Rules.
- Open the ruleset json file you downloaded from the support site.
- On opening the file, the new ruleset will be uploaded to the ZMC, updating the changed rules. You can identify any revised rule by the version number located on the upper right of the Policy Rule details page.
Note: The details page for a rule is accessed by clicking on the rule.
Adding Recommended Ruleset to a Policy
Instead of adding individual rules, only the Recommended Ruleset is required. This ensures that the rules are added to a policy in the correct order to properly protect the endpoint system. An easy way to add all Recommended rules to a policy is by the following steps:
- Create a Policy. Navigate to the Control Policies | Policies page. Once there select Add New Policy.
- On the New Policy pop-up menu, give your new policy a name and description. To add the recommended ruleset, click the Add Rules button.
- On the Policy Rules menu, scroll down the list of rules to Recommended Rules. Select this ruleset then click the Add Selected button.
- On the screen that follows, your lockdown rules section will now include the Recommended Rules. Select CREATE on that screen.
- Once created, your new policy will appear in the Policies section.
Applying Policy to Configuration Profile
- In order to apply a policy to an endpoint, the policy must first be applied to a Configuration Profile. Navigate to the System Configuration | Config Profiles page then select Add New Profile.
- On the New Configuration Profile pop-up menu, you can configure exactly what actions ZeroLock will take for each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, and Tampering protection, as well as settings for all Hash Rules set to deny based on a SHA-256 hash.
- In order to apply the policy that was created, navigate to the Default Control Policy drop-down menu, and select the preferred policy. Only one policy may be applied to a Configuration Profile at a time. Once complete, select the Create button at the bottom of the menu.
Applying Configuration Profile to an Endpoint
- Once a Configuration Profile has been created, it must be applied to an endpoint for the settings to take effect. Navigate to the Endpoints page.
- On the Endpoints page, select the endpoint or multiple endpoints that you want to apply the new configuration profile to. Then, click the Actions drop-down menu and select Set Endpoint Config.
- On the Set Endpoint Configs pop-up menu, select the created configuration profile from the drop-down menu. Then select the Set Configs button.
- Your endpoint are now properly configured with the Recommended Ruleset.