Testing ZeroLock® Agent ESXi Protection

The following exercises demonstrate how a ZeroLock Agent provides an ESXi Hypervisor with protection against malicious activity.

Anti-Tampering 

The first exercise attempts to kill the ZeroLock Agent.

1.  ssh to the ESXi system   

Note: An SSH-MFA alert is generated.

AntiTampering Image 1

 

2.  Attempt to kill ZeroLock:  pkill -9 zerolock  

AntiTampering Image 2

Test result:     

  • ssh session is closed.   
  • Tampering alert is generated.  

The Tampering Protection is controlled by the Configuration Profile assigned to the endpoint.  By default, the response type is set to Kill.

AntiTampering Test Result Image 3

Program Filter   

Program filtering is part of the layered protection provided by the ZeroLock Agent.  Program filtering stops any executable from being launched if it was installed after the ZeroLock Agent.

1.  ssh to the ESXi system

Note: An SSH-MFA alert is generated.

Program Filter Image 1

2.  Create a simple script to create a new directory and add 30 text files:

        a.  vi createfiles.sh

            #!/bin/sh
            rm -rf ./test_files
            mkdir -p ./test_files
            for i in `seq 1 30`
            do
                echo "ABCDEFGHIJKLMNOPABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ" > ./test_files/$i.tx
            done

        b.  Make the script executable:  chmod +x createfiles.sh

        c.  Execute the script:  ./createfiles.sh

Program Filter Image 2

Test result:

  • ssh session is closed.
  • BLOCK alert is generated.  
  • Click the Remediation button on the ZMC.  Notice that the createfiles.sh file is deleted. The file is deleted because remediation rolls back all actions performed during the networked session. Since the file was created within the same session as the execution, all of those actions are reverted.

  

The Program Filtering is controlled by the Configuration Profile assigned to the endpoint. By default, the Enable Program Filter option is checked (green), meaning it is active.  Disabling the Program Filter allows new processes to be executed after the ZeroLock Agent has been installed and activated.

Program Filter Image 3 CP-1

OpenSSL Ransomware Attack  

  1. Turn off Program Filtering to allow the creation of the test directory and files.

          a.  Login to the ZeroLock Management Console.

          b.  Click on System Configuration | Config Profiles | Default | Edit

Ransomware Image 1

          c.  On the Edit Configuration Profile screen, go to the ESXi block and click on the Enable Program Filter option.  This will change the color of the block from green to red.

          d.  Lastly, click the Update button.

Ransomware Image 2  

NOTE: Wait a minimum of 60 seconds to allow the endpoint to get the configuration change.

2.  Create a simple script to create a new directory and add 30 text files:

        a.  vi createfiles.sh

            #!/bin/sh
            rm -rf ./test_files
            mkdir -p ./test_files
            for i in `seq 1 30`
            do
                echo "ABCDEFGHIJKLMNOPABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ" > ./test_files/$i.tx
            done

        b.  Make the script executable:  chmod +x createfiles.sh

        c.  Execute the script:  ./createfiles.sh

3.  Exit the ssh session

4.  ssh to the ESXi system 

Note: an SSH-MFA alert is generated

Ransomware Image 3

5.  Run the ransomware attack targeting the newly created directory and files by executing the following command: 

 grep -r '/test_files' -e "" -l | xargs -P 10 sh -c 'for arg do openssl enc -aes-256-cbc -md sha256 -salt -pass pass:$PASS_DEC -in "$arg" -out "$arg".☢; rm "$arg"; done'  

Ransomware Image 4

Test results:  

  • Ransomware alert is generated.  
  • Under ACTIONS, the user has the option to Kill or Release the alert.
  • Select Kill from the drop-down to kill the attacking process and close the ssh session.

Ransomware Test Results Image 1

  • Then click Remediate to restore the system back to the status before the attack.

Ransomware Test Results Image 2-1
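To confirm that Remediate really returned the test directory to its pre-attack state, the following check can be run in the ESXi shell after remediation. It is an added helper written for this guide, not ZeroLock code; it assumes the layout produced by createfiles.sh above (test_files/1.tx through 30.tx, each holding the same marker line) and reports any original that is missing or altered, and any extra file (such as an encrypted copy with the attack's extension) that remediation left behind.

```shell
#!/bin/sh
# Added verification helper, not part of the ZeroLock guide or product.
# Assumes the layout produced by the guide's createfiles.sh: test_files/1.tx
# through 30.tx, each holding the same single marker line.

EXPECTED_LINE="ABCDEFGHIJKLMNOPABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ"
EXPECTED_COUNT=30

# verify_restored DIR: print a summary and return 0 only when every original
# file is present with its original content and nothing else is left behind.
verify_restored() {
    dir=$1
    missing=0; corrupt=0; leftover=0

    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }

    # Pass 1: every original N.tx must exist and still hold the marker line.
    i=1
    while [ "$i" -le "$EXPECTED_COUNT" ]; do
        f="$dir/$i.tx"
        if [ ! -f "$f" ]; then
            missing=$((missing + 1))
        elif [ "$(cat "$f")" != "$EXPECTED_LINE" ]; then
            corrupt=$((corrupt + 1))
        fi
        i=$((i + 1))
    done

    # Pass 2: anything that is not one of the originals (for example an
    # encrypted copy carrying the attack's extension) means remediation
    # did not fully roll the directory back.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        name=${f##*/}
        num=${name%.tx}
        case "$num" in
            ""|*[!0-9]*) leftover=$((leftover + 1)); continue ;;
        esac
        if [ "$name" = "$num" ] || [ "$num" -lt 1 ] || [ "$num" -gt "$EXPECTED_COUNT" ]; then
            leftover=$((leftover + 1))
        fi
    done

    echo "missing=$missing corrupt=$corrupt leftover=$leftover"
    [ "$missing" -eq 0 ] && [ "$corrupt" -eq 0 ] && [ "$leftover" -eq 0 ]
}

# Run against the directory given on the command line, e.g. ./test_files
if [ $# -gt 0 ]; then verify_restored "$1"; fi
```

A clean remediation prints missing=0 corrupt=0 leftover=0 and exits 0; any non-zero counter points at what was not rolled back.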

You have successfully completed testing ZeroLock® Agent ESXi Protection.