Updating the ZeroLock Management Console Default Lockdown Rules

How to update the default Recommended Rules ruleset to keep endpoint hardening current.

Many known exploits are covered by the Vali Cyber "Recommended Rules" ruleset; each rule's description outlines what it covers.

This default ruleset is added to the database automatically when you first install the ZeroLock Management Console (ZMC). The ruleset is protected and cannot be changed, but it can be copied, so you can create and modify a ruleset based on your organization's particular requirements.

Order Matters

The Recommended Ruleset is of the Ordered rule type, meaning that lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom: a rule higher in the list resolves the action before any rule below it is considered.

Like a firewall, if an action matches a lockdown rule near the top of the list, the actions specified for that rule are taken and no rules below it are evaluated. If it does not match, evaluation passes to the next rule in line until a match is found. If no rule matches, the action is allowed.

In the provided default ruleset, the rules are written so they do not overlap in any way that makes their order consequential, so the default order is sufficient.
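To make the top-to-bottom, first-match behaviour concrete, here is an added illustration in Python. It is not ZeroLock code: the rule fields (rule_type, pattern, action), the glob matching, and the sample rules and events are assumptions constructed for this example, not the ZMC rule schema. It also includes a sample-based check for whether a custom ordering is order-sensitive, which is the property the page says the vendor default avoids.

```python
"""First-match evaluation of an ordered lockdown ruleset.

Added illustration of the top-to-bottom behaviour described under
'Order Matters'. Not ZeroLock code: rule fields, glob matching and the
sample data below are assumptions made for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# The three lockdown rule categories named on the page.
FILE_ACCESS = "File Access"
NETWORK_ACCESS = "Network Access"
PROGRAM_EXECUTION = "Program Execution"


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str   # one of the three categories above
    pattern: str     # glob compared against the event target (assumed field)
    action: str      # "allow" or "block"


@dataclass(frozen=True)
class Event:
    event_type: str  # same vocabulary as Rule.rule_type
    target: str      # file path, "host:port", or program path


def evaluate(ruleset: List[Rule], event: Event) -> Tuple[str, Optional[str]]:
    """Walk the rules top-to-bottom. The first rule whose type and pattern
    match decides the action and evaluation stops there; if nothing matches,
    the action is allowed, as the page states."""
    for rule in ruleset:
        if rule.rule_type == event.event_type and fnmatchcase(event.target, rule.pattern):
            return rule.action, rule.name
    return "allow", None


def order_sensitive(ruleset: List[Rule], events: List[Event]) -> List[Event]:
    """Return the sample events whose decision changes when the ruleset is
    evaluated in reverse order. An empty list means that, for these events,
    no overlap between rules makes their order consequential. This is a
    sample-based check, not a proof for every possible event."""
    reverse = list(reversed(ruleset))
    return [e for e in events if evaluate(ruleset, e)[0] != evaluate(reverse, e)[0]]


# Constructed ruleset (not the vendor default) in which order DOES matter:
# the narrow allow for /etc/hosts sits above the broad block on /etc/*.
ORDERED_RULES = [
    Rule("allow-etc-hosts", FILE_ACCESS, "/etc/hosts", "allow"),
    Rule("block-etc", FILE_ACCESS, "/etc/*", "block"),
    Rule("block-telnet", NETWORK_ACCESS, "*:23", "block"),
    Rule("block-exec-from-tmp", PROGRAM_EXECUTION, "/tmp/*", "block"),
]

# Constructed sample events.
SAMPLE_EVENTS = [
    Event(FILE_ACCESS, "/etc/hosts"),
    Event(FILE_ACCESS, "/etc/shadow"),
    Event(NETWORK_ACCESS, "10.0.0.5:23"),
    Event(NETWORK_ACCESS, "10.0.0.5:443"),
    Event(PROGRAM_EXECUTION, "/tmp/setup.sh"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_type, ev.target, "->", evaluate(ORDERED_RULES, ev))
    print("order-sensitive targets:",
          [e.target for e in order_sensitive(ORDERED_RULES, SAMPLE_EVENTS)])
```

Swapping the first two rules flips the decision for /etc/hosts from allow to block, which is exactly the kind of overlap to watch for when you reorder or extend a copied ruleset.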

Updating Default Ruleset

The rules in the Default Ruleset are versioned, so determining whether a rule in your ruleset is out of date is simply a matter of opening the rule's details and comparing versions.

If a rule in your ruleset is out of date, download the latest ruleset JSON file from the support site to the folder you chose when you initially installed ZeroLock. On import, the newer rule automatically replaces the older rule.

1. Download the latest ruleset from the Vali Cyber support site for your server release. Server versions identify the compatible ruleset downloads; for example, if you are running server 4.1.3, the matching ruleset JSON carries a version of the form 1.4.0.x.
2. Navigate to Control Policies | Rules, open the Actions drop-down, and select Upload New Rules.
   [Image: Upload New Rules]
3. Select the JSON ruleset file you downloaded from the Vali Cyber support site. The new ruleset is uploaded to the ZMC, updating the changed rules.
   [Image: JSON File Downloaded]
4. You can identify any revised rule by the version number on the Policy Rule details page.
   [Image: Updated Rules Version]
5. Review the release notes to learn which rules have been updated or added, then confirm that those rules reflect the changes as in Step 4. For additions of an entire ruleset, select Ordered Ruleset from the TYPE menu.
   [Image: Ordered Ruleset]
6. The last entry in the list is the most recent Ordered Ruleset.
   [Image: Ordered Ruleset Listed]
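The version comparison that steps 1 through 5 ask you to do by eye can also be scripted before an import, so you know in advance which rules the upload will replace, which it will add, and which local rules it leaves untouched. The following is an added example, not ZeroLock code: the JSON layout (a top-level "rules" list whose entries carry "name" and "version") is an assumption made for this illustration rather than the ZMC import format, and all rule names and version strings are constructed.

```python
"""Rule-version comparison between an installed ruleset and a downloaded
ruleset JSON, modelling the "newer rule replaces older rule" behaviour the
page describes. Added example, not ZeroLock code; the JSON layout and the
sample data are assumptions.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: what is currently in the ZMC database.
INSTALLED_JSON = """
{"rules": [
  {"name": "block-etc-writes",      "version": "1.4.0.2"},
  {"name": "block-outbound-telnet", "version": "1.4.0.9"},
  {"name": "block-cron-tamper",     "version": "1.4.1.0"},
  {"name": "local-custom-rule",     "version": "1.0.0.0"}
]}
"""

# Constructed sample: the ruleset file downloaded from the support site.
DOWNLOADED_JSON = """
{"rules": [
  {"name": "block-etc-writes",      "version": "1.4.0.3"},
  {"name": "block-outbound-telnet", "version": "1.4.0.10"},
  {"name": "block-cron-tamper",     "version": "1.4.0.5"},
  {"name": "block-shell-from-tmp",  "version": "1.4.0.1"}
]}
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '1.4.0.10' into (1, 4, 0, 10) so each component compares as a
    number; a plain string comparison would rank 1.4.0.10 below 1.4.0.9."""
    return tuple(int(part) for part in version.strip().split("."))


def load_rules(text: str) -> Dict[str, dict]:
    """Index a ruleset JSON document by rule name (assumed layout)."""
    return {rule["name"]: rule for rule in json.loads(text)["rules"]}


def diff_rulesets(installed: Dict[str, dict],
                  downloaded: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify every rule name seen in either ruleset."""
    report: Dict[str, List[str]] = {"updated": [], "added": [], "unchanged": [], "local_only": []}
    for name, new_rule in downloaded.items():
        old_rule = installed.get(name)
        if old_rule is None:
            report["added"].append(name)
        elif parse_version(new_rule["version"]) > parse_version(old_rule["version"]):
            report["updated"].append(name)
        else:
            report["unchanged"].append(name)  # same or older version: not out of date
    report["local_only"] = [name for name in installed if name not in downloaded]
    return {key: sorted(names) for key, names in report.items()}


def merge_rulesets(installed: Dict[str, dict],
                   downloaded: Dict[str, dict]) -> Dict[str, dict]:
    """Model the import: a newer downloaded rule replaces the older installed
    one; same-or-older versions and local-only rules are kept as they are."""
    merged = dict(installed)
    for name, new_rule in downloaded.items():
        old_rule = installed.get(name)
        if old_rule is None or parse_version(new_rule["version"]) > parse_version(old_rule["version"]):
            merged[name] = new_rule
    return merged


if __name__ == "__main__":
    installed = load_rules(INSTALLED_JSON)
    downloaded = load_rules(DOWNLOADED_JSON)
    print(json.dumps(diff_rulesets(installed, downloaded), indent=2))
    for name, rule in sorted(merge_rulesets(installed, downloaded).items()):
        print(f"{name:24s} {rule['version']}")
```

Running the script before an upload gives you the list to cross-check against the release notes in step 5; the "unchanged" bucket also catches a downloaded file that is older than what is installed, which should not replace anything.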