The ZeroLock® Management Console (ZMC) includes a set of default Lockdown rules to ensure security. Many known exploits are covered within this “Recommended Rules” ruleset and outlined in the rule's description.
This Recommended ruleset is automatically added to the database when the ZMC is installed. The ruleset is protected and may not be changed but may be copied, allowing you to create and modify a ruleset based on your organization’s particular requirements.
Order Matters
The Recommended Ruleset is of the Ordered Rule type, meaning that Lockdown rules (File Access, Network Access, and Program Execution) are evaluated top-to-bottom, with rules at the top resolving actions before moving on to rules farther down.
Like with a firewall, if an action matches a lockdown rule at the top of the list, it will take the actions specified for that rule and NOT evaluate any rules following. If the action does not match that rule, it will continue to the next rule in line until it matches a rule. If no rules match the action, then the action is allowed.
In the provided Recommended Ruleset, the rules are written so they do not overlap in any consequential way, so the default order is sufficient.
Updating the Recommended Ruleset
The rules contained in a Ruleset are versioned so determining if a rule in your ruleset is out of date is simply a matter of looking at the rule’s detail and comparing it to the versions which may be found in the Lockdown Rules Release Notes.
The release notes detail which rules have been updated or added. Not all “releases” contain new rules, but rules that have been rewritten for clarity or accuracy.
- To determine the version of a rule, navigate to the Control Policies | Policy Rules page, select the rule and its details will appear. The version number will be in the far-right corner.
- If a rule in your ruleset is outdated, you may download the latest ruleset JSON file from the Lockdown Rules Release Notes page to a folder on a system that has access to the ZMC portal.
- Navigate to the Control Policies | Rules page | Actions drop-down and select Upload New Rules.
- Open the ruleset json file you downloaded from the support site.
- The upload process may take up to 5 minutes. There is no activity indicator.
- Review the release notes to know which rules have been updated or added. Also, check that those rules reflect the changes. Ruleset additions will be at the bottom of the Policy Rules list.
- Selecting a rule will open its details and the new version number.
Adding Recommended Ruleset to a Policy
Instead of adding individual rules, only the Recommended Ruleset is required. This ensures that the rules are added to a policy in the correct order to protect the endpoint system. An easy way to add all Recommended rules to a policy is by the following steps:
- Create a Policy. Navigate to the Control Policies | Policies page. Once there select Add New Policy.
- Once the Name and Description sections are done, click Add Rules to add the recommended ruleset.
- On the Policy Rules menu, scroll down the list of rules to Recommended Rules. Select this ruleset then click the Add Selected button.
- The lockdown rules section will now include the Recommended Rules. Select CREATE to create the new policy.
- Once created, your new policy will appear in the Policies section.
Applying Policy to Configuration Profile
A policy must first be applied to a Configuration Profile before it is assigned to an endpoint.
- Navigate to the System Configuration | Config Profiles page and select Add New Profile.
- In the New Configuration Profile window, you can configure exactly what actions ZeroLock will take on each protection engine. Here, settings can be fine-tuned for Ransomware, Cryptojacking, Tampering protection, and all Hash Rules set to deny based on a SHA-256 hash (Blocking).
- To apply the policy created, navigate to the Default Control Policy drop-down menu, and select the preferred policy. Only one policy may be assigned to a Configuration Profile at a time. Once done, select the Create button at the bottom of the menu.
Applying Configuration Profile to an Endpoint
- Once a Configuration Profile has been created, it must be applied to an endpoint for the settings to take effect. Navigate to the Endpoints page.
- On the Endpoints page, select the endpoint or multiple endpoints you want to apply the new configuration profile to. Then, click the Actions drop-down menu and Set Endpoint Config.
- Once on the Set Endpoint Configs pop-up menu, select the configuration profile you created using the drop-down menu. Finally, select the Set Configs
- Your endpoint are now properly configured with the Recommended Ruleset.