How-to update the ZeroLock™ Management Console default lockdown rules to ensure hardening of endpoint security.
Many known exploits are covered with this “Recommended Rules” ruleset and are outlined in the rule's description.
This default ruleset is automatically added to the database when you first install the ZeroLock™ Management Console (ZMC). The ruleset is protected and may not be changed but may be copied, allowing you to create and modify a ruleset based on your organization’s particular requirements.
The Recommended Ruleset is of the Ordered Rule Type, meaning that Lockdown rules (File Access, Network Access, and Program Execution rules) are evaluated top-to-bottom, with rules on top resolving actions before moving on to later rules down the chain.
Similar to a firewall, if an action matches on a lockdown rule that is at the top of the list, it will take the actions specified for that rule and stop evaluating any rules below it. If it does not match, it will pass to the next rule in line until it matches. If no rules match, then the action is allowed.
For the provided default ruleset, the rules are written so they do not overlap in any way that is consequential to the order they are in, so the default order is sufficient.
Updating Default Ruleset
The rules contained in the Default Ruleset are versioned so determining if a rule in your ruleset is out of date is simply a matter of looking at the rule’s detail and comparing versions.
If a rule in your ruleset is out of date, you may download the latest ruleset json file from the support site to the folder you chose when you initially installed ZeroLock. On importing, the newer rule automatically replaces the older rule.
- Download the latest rule set from the Vali Cyber support site for your server release. Server versions will identify the compatible ruleset downloads. For example, if you are running server 1.4.32, the agreeing ruleset json will appear like 1.4.0.x.
- Navigate to the Control Policies | Rules page | Actions drop-down and select Upload New Rules.
- Open the ruleset json file you downloaded from the Vali Cyber Support site. Upon opening the file, the new ruleset will be uploaded to the ZMC, updating the changed rules.
- You can identify any revised rule by the version number on the Rules details page.