Rules
      Back to home
      1. Vali Cyber Knowledge Base
      2. ZeroLock®
      3. Rules

      Recommended Ruleset: Applying and Updating

      The ZeroLock® Management Console (ZMC) includes a set of default Lockdown rules to ensure security.  Many known exploits are covered within this “Recommended Rules” ruleset and outlined in the rule's description.

        The Recommended ruleset is automatically added to the database when the ZMC is installed.  The ruleset is protected and may not be changed but may be copied, allowing you to create and modify a ruleset based on your organization’s particular requirements.  

        Order Matters

        The Recommended Ruleset is of the Ordered Rule type, meaning that Lockdown rules (File Access, Network Access, and Program Execution) are evaluated top-to-bottom, with rules at the top resolving actions before moving on to rules farther down.

        Like with a firewall, if an action matches a lockdown rule at the top of the list, it will take the actions specified for that rule and NOT evaluate any rules following. If the action does not match that rule, it will continue to the next rule in line until it matches a rule. If no rules match the action, then the action is allowed.

        In the provided Recommended Ruleset, the rules are written so they do not overlap in any consequential way, so the default order is sufficient.

        Updating the Recommended Ruleset

        The rules contained in a Ruleset are versioned so determining if a rule in your ruleset is out of date is simply a matter of looking at the rule’s detail and comparing it to the versions which may be found in the Lockdown Rules Release Notes.

        The release notes detail which rules have been updated or added. Not all “releases” contain new rules, but rules that have been rewritten for clarity or accuracy.

        1. To determine the version of a rule, navigate to the Control Policies | Policy Rules page, select the rule and its details will appear. The version number will be in the far-right corner.Step_1_Policy Rules v1.4.15-1
        2. If a rule in your ruleset is outdated, you may download the latest ruleset JSON file from the Lockdown Rules Release Notes page to a folder on a system that has access to the ZMC portal.
        3. Navigate to the Control Policies | Rules page | Actions drop-down and select Upload New   Rules. 
          Step_3_Upload Rules
        4. Open the ruleset json file you downloaded from the support site.Step_4_Downloads_json file-3
        5. The upload process may take up to 5 minutes. There is no activity indicator.
        6. Review the release notes to know which rules have been updated or added. Also, check that those rules reflect the changes. Ruleset additions will be at the bottom of the Policy Rules list.Step_6_Compare Versions-2
        7. Selecting a rule will open its details and the new version number.Step_7_Updated Rule-1


        Adding Recommended Ruleset to a Policy

        Instead of adding individual rules, only the Recommended Ruleset is required.  This ensures that the rules are added to a policy in the correct order to protect the endpoint system. An easy way to add all Recommended rules to a policy is by the following steps:

        1. Create a Policy. Navigate to the Control Policies | Policies page.  Once there select Add New Policy.
          Step_1_Policies screen-1
        2.  Once the Name and Description sections are done, click Add Rules to add the recommended ruleset. 
          Step_2_New Policy window Add Rules-1
        3. On the Policy Rules menu, scroll down the list of rules to Recommended Rules. Select this ruleset then click the Add Selected button.  
          Step_3_Select Lockdown Rules-1
        4.  The lockdown rules section will now include the Recommended Rules. Select CREATE to create the new policy. 
          Step_4_Create New Policy-2
        5. Once created, your new policy will appear in the Policies section.  
          Step_5_Policies Window with Recommended Ruleset-2

        Applying Policy to Configuration Profile

        A policy must first be applied to a Configuration Profile before it is assigned to an endpoint.

        1. Navigate to the System Configuration | Config Profiles page and select Add New Profile.

          Step_1_Add New Profile-Aug-29-2024-02-41-27-1648-PM

        2. In the New Configuration Profile window, you can configure exactly what actions ZeroLock will take on each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, Tampering protection, and all Hash Rules set to deny based on a SHA-256 hash (Blocking).
          Step_2_New Config Profile window-1
        3. To apply the policy created, navigate to the Default Control Policy drop-down menu, and select the preferred policy. Only one policy may be assigned to a Configuration Profile at a time. Once done, select the Create button at the bottom of the menu.  Step_3_Select Default Control Policy-Aug-29-2024-02-44-52-1937-PM

        Applying Configuration Profile to an Endpoint

        1. Once a Configuration Profile has been created, it must be applied to an endpoint for the settings to take effect. Navigate to the Endpoints page.
          Step_1_Endpoints-1
        2. On the Endpoints page, select the endpoint or multiple endpoints you want to apply the new configuration profile to. Then, click the Actions drop-down menu and Set Endpoint Config.
          Step_2_Set Endpoint Config-2
        3. Once on the Set Endpoint Configs pop-up menu, select the configuration profile you created using the drop-down menu. Finally, select the Set Configs

          Step_3_Set Configs Box-1
        4. Your endpoint are now properly configured with the Recommended Ruleset.Step_4_Ruleset Applied