Microsoft and Windows are U.S. registered
trademarks of Microsoft Corporation.
Internet Explorer is either a registered
trademark or trademark of Microsoft
Corporation in the United States and/or other
countries.
Intel and Pentium are trademarks of Intel
Corporation in the U.S. and other countries.
The information contained herein is subject
to change without notice.
The only warranties for HP products and
services are set forth in the express warranty
statements accompanying such products
and services. Nothing herein should be
construed as constituting an additional
warranty. HP shall not be liable for technical
or editorial errors or omissions contained
herein.
Symantec™ Endpoint Protection for
Microsoft® Windows Embedded
Standard 2009 (WES) and Windows® XP
Embedded (XPe) User Guide
HP thin clients
Second Edition (March 2009)
First Edition (August 2008)
506030-002
About this book
The software described in this book is furnished under a license agreement and may be used only in
accordance with the terms of the agreement.
Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014,
Responding to application messages ................................................................................................. 12
Responding to Trojan horse warnings ................................................................................................ 13
Responding to blocked traffic messages ............................................................................................ 14
v
Responding to permission status messages ...................................................................................... 14
5 Monitoring and logging
About logs .......................................................................................................................................... 15
About the Security log ........................................................................................................ 16
About the Traffic log ........................................................................................................... 17
About the Packet log .......................................................................................................... 18
About the System log ......................................................................................................... 19
Stopping an active response .............................................................................................................. 22
6 Command Line Management
The command-line interface for the client service .............................................................................. 23
Typing a parameter if the agent is password-protected ..................................................................... 24
Index ................................................................................................................................................................... 26
vi
1System requirements
This chapter includes the following topics:
Hardware requirements on page 1
●
Software requirements on page 1
●
Hardware requirements
The agent requires the following minimum hardware:
®
Pentium® 133 MHz or equivalent
Intel
●
256 MB RAM
●
40 MB available hard disk space
●
One Ethernet adapter (with TCP/IP installed)
●
Software requirements
The agent requires the following software:
Windows Embedded Standard 2009 (WES) operating system or
●
Windows XP Embedded (XPe) operating system or
●
Windows Embedded Point of Service operating system
●
Windows Internet Explorer
●
TCP/IP Networking
●
COM Base
●
IP Security Services
●
NDIS & NDSI User-mode I/O Driver
●
OLE Dialog Interfaces
●
User Interface Core
●
®
6.0
Hardware requirements1
2Introducing the agent
This chapter includes the following topics:
About the Symantec Endpoint Protection for WES and XPe on page 2
●
About security policies on page 2
●
Key features of the agent on page 3
●
About the Symantec Endpoint Protection for WES and
XPe
The Symantec Endpoint Protection for WES and XPe (the agent) is security software that is installed
on embedded endpoints, such as ATMs, Point of Service systems, and thin clients, that run the WES,
XPe, or the XPe Point of Service operating system.
The agent provides a customizable firewall that protects the endpoint from intrusion and misuse, whether
malicious or unintentional. It detects and identifies known Trojan horses, port scans, and other common
attacks. In response, it selectively allows or blocks traffic, or various networking services, applications,
ports, and components.
About security policies
The agent uses security policies, which include firewall rules, and security settings. These policies
protect an individual endpoint from network traffic and the viruses that can cause harm. Firewall rules
determine whether your endpoint allows or blocks an incoming or outgoing application or service from
gaining access through your network connection. Firewall rules allow the agent to systematically allow
or block incoming or outgoing applications and traffic from or to specific IP addresses and ports. Security
settings detect and identify common attacks, send e-mail messages after an attack, display
customizable messages, and accomplish other related security tasks. The configuration of firewall rules
with other security and antivirus settings results in a security agent that protects your endpoint.
2Chapter 2 Introducing the agent
Key features of the agent
The agent can be used in the following networking environments:
Directly connected to the local area network or wireless network
●
Remotely connected using Virtual Private Network (VPN) or dial-up
●
Completely disconnected from any network
●
The agent does not support location awareness or host integrity. Host integrity will be supported in a
later release.
Key features of the agent3
3Agent basics
This chapter includes the following topics:
Opening the agent on page 4
●
Navigating the main window on page 4
●
Using the menus and the toolbar on page 5
●
About the notification area icon on page 8
●
Testing your endpoint on page 10
●
Opening the agent
The agent is designed to start automatically when you turn on your endpoint, protecting you immediately.
To configure your agent or review logs of potential attacks on your agent, you open the agent first.
To open the agent
1.On the Windows taskbar, click Start > Programs.
2.Click Symantec > Symantec Endpoint Protection for Windows XP Embedded agent.
Navigating the main window
Once you open the agent, you see the main screen. The main screen provides real-time network traffic
updates, online status, links to logs, and access to various advanced rules, security settings, and
antivirus settings.
The user interface changes depending on the different control modes of the agent, including user mode,
admin mode, or mixed mode. In addition, some icons may not appear, depending on how your system
administrator configured the agent.
The agent is resizable, so you can view it as a full-screen or part-screen image.
4Chapter 3 Agent basics
Using the menus and the toolbar
The top of the screen displays a standard menu and toolbar. The toolbar icons can be used to quickly
access logs, view the Help file, or test your system.
Some icons are either disabled or may not appear. This status depends on how the agent is configured
or which control mode the agent is in.
The toolbar icons that are located below the menus provide shortcuts. These shortcuts can be used to
do the following:
Block all applications
●
Change your security policy
●
Access the logs
●
Test the agent’s effectiveness
●
View the Help file
●
The File menu commands include Exit Symantec Endpoint Protection agent, which exits the agent and
turns off security on your endpoint.
The Location menu displays the default Office location.
The Tools menu commands include the following:
ApplicationsOpens the Applications List
OptionsOpens the Options dialog box, which contains many security options, including e-mail alerts, Network
Advanced RulesOpens the Advanced Rules dialog box, where you can set up firewall rules
LogsOpens the logs
Automatically Start
Service
Test Your System
Security
Not enabled for the agent
Opens a Web site so that you can scan and test the effectiveness of the agent
The View menu gives users the option to change the display of software programs in the Running
Applications field. The View menu commands include the following:
Large IconsDisplays 32x32 icons in the field. Each icon represents a software application or a system service
Small IconsDisplays 16x16 icons. Both the large and small icon displays provide the full name of the application
ListProvides small icon representations, with the icons displayed in a standard list
Applications DetailsProvides a list of all running applications and their version numbers and paths
Connection DetailsProvides further information on the type of connection that each application makes when accessing
the network adapter and other details
Using the menus and the toolbar5
Hide Windows
Services
Hide Broadcast TrafficToggles the display of broadcast traffic
Toggles the display of Windows Services
Viewing traffic history
You can view a real-time picture of the last two minutes of your traffic history in the main window. The
graphs reload new information every second, providing instant data, as measured in bytes, about your
incoming and outgoing network traffic.
The Traffic History graphs are broken down into three sections. The Incoming and Outgoing Traffic
History graphs are on the left side of the graphs section. These provide a visual assessment of the
current traffic that enters and leaves your endpoint through a network interface. This traffic includes the
traffic that is allowed and the traffic that is blocked. The green lines and bars indicate the traffic that is
allowed to pass through. The red coloring indicates the traffic that the agent has blocked traffic.
The Attack History graph on the right side of the screen provides information on attempted attacks
against your computer.
Displaying broadcast traffic
Broadcast traffic is the network traffic that is sent to every endpoint in a particular subnet. It is not directed
specifically to your endpoint. If you do not want to see this traffic, you can remove it from this graphical
view by checking Hide Broadcast Traffic. You then only see unicast traffic in this graph, which is the
traffic that is directed specifically to your endpoint. To redisplay broadcast traffic, uncheck Hide
Broadcast Traffic.
Viewing currently running applications and services
The Running Applications field provides a list of all applications and system services that currently run
on your system.
Permission status refers to the permissions that you allow an application. It shows whether it:
Can access your Internet connection or network
●
Is blocked from accessing the Internet or network altogether
●
Asks your permission before it accesses that connection
●
You can change the status of applications from the Running Applications field by right-clicking an
application’s icon and selecting the desired status.
Table 3-1 Running Applications field on page 6 displays how each application icon appears,
depending on the permission status.
Table 3-1 Running Applications field
StatusDescription
AllowIcon appears normal, with no marks. The icon displays a small blue dot on the lower left corner if it
AskIcon appears with a small, yellow question mark.
BlockIcon appears with a red circle and cross-out mark.
receives traffic. It displays a small blue dot on the lower right corner if it sends traffic.
6Chapter 3 Agent basics
There are a number of services running at any given time. Since they are often crucial to the operation
of your endpoint, you may want to allow them. You can show or hide them from the message console.
To hide system services
Click Hide Windows Services.
▲
To change the display of applications
Right-click the Running Applications field and select the desired view.
▲
To stop an application or service from running
In the Running Applications field, right-click the application and click Terminate.
▲
Displaying or hiding the message area
The message area is located at the bottom of the main screen. It provides a real-time update of the
server-agent communication status. This update includes when the latest security policy is downloaded
and the number of the policy serial numbers.
The message area is hidden by default.
To show or hide the message area
1.Below the Running Applications field, click Show Message Console. The message area
appears.
2.To hide the message area from view, click Hide Message Console. The message area collapses
and displays the Show Message Console icon.
Viewing current security policy and communication status
This section explains how to view current security policy and communication status.
To view the current policy information
On the bottom of the main screen, look for the status bar.
▲
You can view a real-time update of the agent’s communication with the server. If green, the light indicates
that the agent is online and communicating with the management server. If gray, the agent is not
connected to the management server.
To view the communication status
In the right-hand corner of the status bar, look for the status icon.
▲
Using the menus and the toolbar7
About the notification area icon
REDThe agent has blocked traffic.
GREENTraffic flows uninterrupted by the agent.
GRAYNo traffic flows in that direction. A green dot means that the agent is connected to the Symantec Policy
Manager.
About responding to the flashing icon
If you see a flashing icon, the endpoint may be responding to an attempted attack. When you rest your
mouse over the flashing icon, a tool tip appears telling you that you are under an attack.
To make the icon stop flashing, double-click the icon. The Security log opens, displaying a new log entry.
The icon stops flashing after one minute.
Displaying the shortcut menu
The agent has a notification area icon that is located in the lower-right corner of your desktop. Rightclick this icon to show frequently used commands.
Table 3-2 Notification area icon shortcut menu on page 8 displays the following notification area icon
shortcut menu and commands for the Server Control mode and Client Control mode. Commands on
the shortcut menu for the Power User mode vary depending on what options are set on the server.
Table 3-2 Notification area icon shortcut menu
Menu commandDescriptionServer Control modeClient Control mode
Symantec Protection AgentOpens the agent’s main
screen
NormalAllows network traffic to flow
as normal
Block AllBlocks all network trafficX
Applicationspens the Applications listXX
LogsOpens the agent logsXX
OptionsOpens the Options dialog box,
where you can configure the
settings for the agent
Advanced RulesOpens the Advanced Rules
dialog box, where you can
write specific rules for
allowing or blocking network
access
XX
X
X
X
Help TopicsOpens the online Help system XX
8Chapter 3 Agent basics
Table 3-2 Notification area icon shortcut menu (continued)
Menu commandDescriptionServer Control modeClient Control mode
AboutOpens the About dialog box,
providing information on your
version of the agent
Exit Symantec Protection
Agent
Stops the agent from running.
You need to restart the agent
to protect your system
NOTE: This option may
appear dimmed or not at all.
Disabling protection temporarily
You may need to disable security on the agent so that the agent does not block outbound traffic. You
disable security from the management server. You cannot do it from the agent. If you must disable
security from the agent, exit the agent.
To temporarily disable blocking
Exit the agent.
▲
Changing security levels
The agent supports two security levels: Normal and Block All.
To change your security level
XX
XX
1.Click Security.
2.Click Block All or Normal.
Enabling password protection
You can set your agent to require a password before you make any security changes or before you exit
the agent.
To enable password protection
1.Click the Tools > Options > General tab.
2.Click Set Password.
3.In the Password dialog box, type your new password in the New Password and Confirm New
Password fields. You can disable password protection by leaving both fields blank.
4.Click OK.
5.To have the agent prompt you for a password before you exit the agent, on the General tab,
click Ask password while exiting.
About the notification area icon9
Testing your endpoint
You can test the vulnerability of your system to outside threats by scanning your system. Assessing
your vulnerability to an attack is one of the most important steps that you can take. With what you learn
from the tests, you can more effectively set the various options on your agent to protect your endpoint
from attack.
To test your endpoint
1.Do one of the following:
On the toolbar, click Security Test.
●
On the Tools menu, click Test Your System Security.
●
The Symantec Security Check scans your endpoint and tries to determine your IP address,
operating system, Web browser, and other information about your system.
2.Choose one of the following scans:
Security Scan
●
Virus Detection
●
3.Click Start.
10Chapter 3 Agent basics
4Responding to messages and
warnings
This chapter includes the following topics:
About message types on page 11
●
Responding to application messages on page 12
●
Responding to Trojan horse warnings on page 13
●
Responding to blocked traffic messages on page 14
●
Responding to permission status messages on page 14
●
About message types
You may see several different types of messages on the endpoint. These messages usually describe
a situation and indicate how the agent tries to resolve the issue.
You may see the following types of messages:
Application messages
●
Changed application messages
●
Fast user switch messages
●
Application messages
An application-related message occurs for one of the following reasons:
An application that the agent has never seen before, or that has been assigned the status of Ask,
●
tries to access your network connection.
An application that normally accesses your network connection has changed, possibly because of
●
a product upgrade.
Your agent software is being updated.
●
Your agent has detected a Trojan horse on your endpoint.
●
For example, you may see the following type of message when an application or service tries to access
your endpoint, the port, and other information.
About message types11
Internet Explorer (IEXPLORE.EXE) is trying to connect to www.symantec.com
using remote port 80 (HTTP - World Wide Web). Do you want to allow this
program to access the network?
This message appears because the application has been opened, either directly or indirectly by you, or
by another application.
If you didn’t open any program or click any link and an application tries to access your network
connection, there may be a number of different reasons. However, if you cannot see any reason that
application should try to access your network connection, it is always safest to click No. This message
might indicate the presence of a Trojan horse on your endpoint, something that needs to be checked
immediately.
Changed application messages
Occasionally, you might see a message that indicates an application has changed.
Telnet Program has changed since the last time you opened it, this could
●
be because you have updated it recently. Do you want to allow it to
access the network?
The application that is listed on the message is trying to access your network connection. Although the
agent recognizes the name of the application, something about the application has changed since the
last time the agent encountered it.
This change could be because you have upgraded the product recently. The agent uses an MD5
checksum to determine the legitimacy of an application. An upgraded version might not pass the
checksum test because it may to have a different checksum value.
If you have not recently upgraded the application, your network may be under attack by a Trojan horse.
Responding to application messages
You can change the status of the application at any time, either in the Running Applications field or in
the Applications List.
To respond to application messages
1.Click Detail to view more information about the application, including the file name, version number,
and path name. The Detail section also displays whether the application tries to connect locally to
your endpoint or remotely to an outside destination. It shows the local and remote port numbers
and IP addresses.
2.If you want the agent to remember your choice for the next time this application tries to access your
network connection, click Remember my answer, and do not ask me again for this
application.
3.Do one of the following actions: Depending on whether you select or don’t select the Remember
my answer, and do not ask me again for this application option and click the Yes or No icons,
the application is assigned the following permission statuses.
To allow the application to access the network connection, click Yes.
●
To block the application from accessing the network connection, click No.
●
12Chapter 4 Responding to messages and warnings
Responding to Trojan horse warnings
If the agent detects a known Trojan horse on your endpoint, it blocks the Trojan horse from accessing
your system and displays a message such as the following:
“C:\WINNT\System32\UMGR32.EXE, a Trojan horse application has been
●
detected on your computer. It has been blocked by the Symantec
Protection Agent.”
This message means that a Trojan horse is present on your system and has been activated. Either you
tried to open the program that was identified as a Trojan horse, or it has been triggered by another
program on your endpoint. It is possible that the Trojan horse was on your endpoint when you installed
the agent. It is also possible that you have recently downloaded it through a legitimate application, such
as a Web browser. The Trojan horse tried to access your network connection, and has been blocked
by the agent.
To respond to a Trojan horse warning
1.Click OK.
2.Immediately notify your IT department. The agent blocks the Trojan horse from sending any
information out of or into your endpoint. However, it is still important to remove it from your system
as soon as possible. The agent terminates the Trojan horse process automatically, but removal
requires the assistance of your IT department.
Responding to Trojan horse warnings13
Responding to blocked traffic messages
Security messages display a message box when applications are blocked:
Blocked application messageAn application that has been launched from your computer has
been blocked in accordance with rules set by your system
administrator. For example, you may see the following text:
Application Internet Explorer has been
blocked, file name is IEXPLORE.EXE.
These messages indicate that your agent has blocked traffic
that you have specified as not trusted. If the agent is operating
under Block All mode, these messages appear quite often. If
you are operating in Allow All mode, these messages do not
appear.
If you or the system administrator configures the agent to display a message when either the agent
blocks the endpoint from accessing an application or when an attack is launched, a message appears
above the notification area.
To respond to security messages
In the message box, click Do not show this window again.
▲
Responding to permission status messages
If you or your system administrator have set an applications’ permission status to Ask or Block, a
message appears when an incoming application accesses your endpoint.
Table 4-1 Application permission status messages on page 14 displays how you can respond to an
application or permission status message.
Table 4-1 Application permission status messages
If you check Remember my answer
box?
YesYesAllows the application and won’t ask
NoYesAllows the application and ask you every
YesNoBlocks the application and ask you every
NoNoBlocks the application and won’t ask you
You can change an application’s permission status from the Applications List.
If you clickYour agent
again.
time.
time.
again.
14Chapter 4 Responding to messages and warnings
5Monitoring and logging
This chapter includes the following topics:
About logs on page 15
●
Viewing logs on page 19
●
Back tracing logged events on page 20
●
Exporting logs on page 21
●
Filtering logged events on page 21
●
Stopping an active response on page 22
●
About logs
The agent’s logs are an important method for tracking your endpoint’s activity and its interaction with
other endpoints and networks. The logs record information about the agent’s status and about the traffic
that tries to enter or exit your endpoint through your network connection.
The agent’s logs perform the following tasks:
Record information about the agent’s status and about the traffic that tries to enter or exit your
●
endpoint through your network connection.
Track your endpoint’s activity and interaction with other endpoints and networks.
●
Detect potentially threatening activity, such as port scanning.
●
Help you troubleshoot connectivity problems or possible network attacks.
●
Record the results of the management policies that are applied to your endpoint.
●
The agent includes the following types of logs:
SecurityRecords potentially threatening activity that is directed towards your endpoint, denial-of-service
attacks, port scans, executable file alterations, and Trojan horse attacks.
TrafficRecords every connection your endpoint makes through the network.
PacketCaptures every packet of data that enters or leaves a port on your endpoint.
SystemRecords all operational changes for the agent, such as starting and stopping services, detecting
network applications, and configuring software.
About logs15
About the Security log
The Security log records potentially threatening activity that is directed towards your endpoint, such as
port scanning, virus attacks, or denial-of-service attacks. The Security log is probably the most important
log in the agent.
The Security log records attacks in the following categories:
Critical attack
Major attack
Minor attack
Information
The Security log records the following information about each activity:
TimeThe exact date and time that the event was logged
Security TypeType of security alert, such as a DoS attack, executable file, Ping of Death, or virus attack
SeverityThe severity of the attack (either Critical, Major, Minor, or Information)
DirectionDirection that the traffic was traveling in (incoming, outgoing, or unknown)—Most attacks are
incoming, that is, they originate in another endpoint. Other attacks, like Trojan horses, are
programs that have been downloaded to your endpoint and therefore are already present; they
are considered outgoing. Still other attacks are unknown in direction; they include Active
Response or application executable changed.
ProtocolType of protocol—UDP, TCP, and ICMP
Remote HostIP address of the remote endpoint (only appears in Local View - this is the default)
Remote MACMAC address of the remote endpoint. If outside the subnet, it is the MAC address of the router.
Local HostIP address of the local endpoint (only appears in Local View - this is the default)
Local MACMAC address of the local endpoint (only appears in Local View - this is the default)
Application NameName of the application associated with the attack
User NameUser or endpoint that sent or received the traffic
DomainDomain of the user
OccurrencesNumber of occurrences of the attack method
(only appears in Local View - this is the default)
Begin TimeTime the attack began
End TimeTime the attack ended
16Chapter 5 Monitoring and logging
About the Traffic log
Whenever your endpoint makes a connection through the network, this transaction is recorded in the
Traffic log. The Traffic log includes information about incoming and outgoing traffic.
The Traffic log categorize different types of traffic as:
Incoming traffic; passed through the agent
Incoming traffic; blocked by the agent
Outgoing traffic; passed through the agent
Outgoing traffic; blocked by the agent
Traffic direction unknown; passed through the agent
Traffic direction unknown; blocked by the agent
The Traffic log records the following information about each activity:
TimeThe exact date and time that the event was logged
SeverityThe severity of the traffic
DirectionDirection that the traffic travels (incoming or outgoing)
ProtocolType of protocol - UDP, TCP, and ICMP
Remote HostIP address of the remote endpoint (only appears in Local View
- this is the default)
Remote MACMAC address of the remote endpoint. If outside the subnet, it
is the MAC address of the router. (only appears in Local View
- this is the default)
Remote PortPort on the remote endpoint (only appears in Local View - this
is the default)
Local HostIP address of the local endpoint (only appears in Local View -
this is the default)
Local MACMAC address of the local endpoint (only appears in Local View
- this is the default)
Local PortPort used on the endpoint (only appears in Local View - this is
the default)
Application NameName of the application that is associated with the attack
UserUser’s log on name
About logs17
DomainUser’s domain name
LocationThe Location (Normal or Block All) that was in effect at the time
of the attack
OccurrencesNumber of packets each piece of traffic sends between the
Begin TimeTime traffic starts matching the rule
End TimeTime traffic stops matching the rule
Rule NameThe rule that determined the passing or blockage of this traffic
About the Packet log
The Packet log captures every packet of data that enters or leaves a port on your endpoint. The Packet
log is disabled by default in the agent because of its potentially large size. You must enable the Packet
log before you can use it.
The Packet log uses the following icons to categorize data packets:
Full data packet captured
The Packet log records the following information about each data packet:
TimeThe exact date and time that the packet was logged
beginning and ending time
Remote HostName of the remote endpoint (only appears in Local View - this is the default)
Remote PortPort on the remote host that sent/received the traffic (only appears in Local View - this is the default)
Local HostIP Address of the local endpoint (only appears in Local View - this is the default)
Local PortPort used on the endpoint for this packet (only appears in Local View - this is the default)
Source HostName of the source endpoint (only appears in Source View)
Source PortPort on the source host that sent/received the traffic (only appears in Source View)
Destination HostIP Address of the destination endpoint (only appears in Source View)
Destination PortPort used on the destination endpoint for this packet (only appears in Source View)
DirectionDirection that the traffic was traveling in (incoming or outgoing)
ActionAction taken by the agent: Blocked or Allowed
Application NameName of the application that is associated with the packet
Below the Log Viewer are two additional data fields that provide further detail regarding the selected
event. The left field provides data on the type of packet logged. The right field displays the actual data
packet.
18Chapter 5 Monitoring and logging
About the System log
The System log records all operational changes, such as the starting and stopping of services, detection
of network applications, software configuration modifications, and software execution errors. It also logs
communication with the Symantec Policy Manager, including connection and downloads. All information
that is provided in the System log also appears in real time in the message area. The System log is
especially useful for troubleshooting the agent.
The System log records the following information about each system error:
TimeThe date and time that the event was logged
TypeType of event can be an error, warning, or information regarding the Symantec Policy Manager. An
IDID assigned to the event by the agent
SummaryDescription of the event
Viewing logs
The following procedure explains how to view logs.
To view logs
error indicates a problem with the source; a warning indicates a potential problem; and an information
point provides information about an event involving the agent.
1.Do one of the following:
Click Tools > Logs.
●
On the toolbar, click the drop-down arrow next to the Logs icon.
●
2.Click one of the log types. Each log opens the Log Viewer dialog box. The Log Viewer is a table
where each row represents a logged event and each column displays information regarding the
event.
3.In the Log Viewer dialog box, click the View menu and then click either Local View or Source
View. The fields in the log change depending on whether you choose the local view or source view.
4.To view a description of each event, select an event row
5.Click Refresh, or press F5 to update the log that you are viewing.
6.Click File > Exit.
Viewing logs19
Back tracing logged events
Back tracing enables you to pinpoint the source of data from a logged event. Back tracing shows the
exact steps, or hops, that incoming traffic has made before reaching your endpoint. A hop is a transition
point, usually a router, which a packet of information travels through on a public network. Back tracing
follows a data packet backwards; discovering which routers the data took to reach your endpoint.
Figure 5-1 Back tracing a packet on page 20 shows how the agent back traces a packet.
Figure 5-1 Back tracing a packet
For each log entry, you can trace a data packet that was used in an attack attempt. Each router that a
data packet passes through has an IP address. You can view the IP address and other details. The
information that appears does not guarantee that you have discovered who the hacker is. The final hop’s
IP address lists the owner of the router that the hackers connected through, and not necessarily the
hackers themselves.
You can back trace a logged event in the Security, Traffic, and System logs
To back trace a logged event
1.Open the log file and click an event so that the entire row is selected.
The agent begins back tracing the event.
2.Do one of the following:
Right-click and click BackTrace.
●
Click Action > BackTrace.
●
3.In the Back Trace Information dialog box, click Whois to view detailed information on each hop.
A drop panel displays detailed information about the owner of the IP address from which the traffic
event originated. You can cut and paste the information in the Detail information panel. Press Ctrl
+C to copy the information into the Clipboard. Then press (Ctrl+V) to paste it into an e-mail
message to your system administrator.
4.Click Whois again to hide the information.
5.Click OK.
6.Click OK.
20Chapter 5 Monitoring and logging
Exporting logs
You can save and export the contents of the logs to different locations. You may want to export logs to
save space or to perform a security review.
To export a log file
1.Open the log in the Log Viewer.
2.Click File > Export.
3.In the Save As dialog box, select the location and format type for the log file.
4.Click OK.
Filtering logged events
You can view the recorded events in the Log Viewer by the severity level of the attack and by a previous
period of time.
To filter log events by severity
1.In the Log Viewer dialog box, click the Filter menu.
2.Click File > Export > Severity.
3.Click Severity.
4.In the Save As dialog box, select the location and format type for the log file.
You can view more than one type of event at one time. The Log Viewer is automatically reloaded.
5.Click the severity level(s) so that a check mark appears to the left of the severity level name. You
have the following options:
Critical (Security log only)
●
Major
●
Minor
●
Error (System log only)
●
Warning (System log only)
●
Information
●
To filter log events by time period
1.In the Log Viewer dialog box, click the Filter menu.
2.Select the time period for which you want to view log events. For example, 2 Week Logs displays
the events that were recorded over the past 14 days.
Exporting logs21
Stopping an active response
If the agent detects an attack, it triggers an active response. The active response automatically blocks
the IP address of a known intruder for a specific amount of time (from 1 to 2,147,483,647 seconds). The
default amount of time is 10 minutes. If you don’t want to wait the default amount of time to unblock the
IP address, you can stop the active response immediately.
An active response can also be triggered by IPS signatures that are updated weekly and by denial of
service signatures that can be updated with new builds, port scans, and MAC spoofing. However, a
Trojan horse is not considered an attack because it is a program that runs on the same endpoint where
it was detected. It is considered a security alert rather than an attack.
You can stop active responses in the Security log only.
To stop an active response
1.Click Tools > Logs > Security.
2.Select the row for the application or service you want to unblock. Blocked traffic is specified as
Blocked in the Action column.
3.On the Action menu, click Stop Active Response to block the selected application, or click Stop
All Active Response if you want to unblock all blocked traffic.
4.When the Active Response dialog box appears, click OK.
22Chapter 5 Monitoring and logging
6Command Line Management
This chapter includes the following topics:
The command-line interface for the client service
●
Typing a parameter if the agent is password-protected
●
The command-line interface for the client service
You can manipulate the agent directly from the command line on the agent computer by using the smc
command for the client service. You may want to use this command in a script that runs the parameters
remotely. For example, if you need to stop the agent to install an application on multiple agents, you
can stop and restart each client service.
With the exception of smc -start, the client service must run to use the command-line parameters.
The command-line parameters are not case sensitive.
Table 6-1 Parameters that administrators can use
ParameterDescription
smc -importadvruleReplaces the imported firewall rules to the agent's list of existing firewall rules.
These rules overwrite the existing rules. The client service must run to import the
profile file's contents.
To import firewall rules, you import a .sar file. For example, you can type the following
command:
To import firewall rules, you import a .sar file. For example, you can type the following
command:
smc -importadvrule
C:\config\AllowExplorerRule.sar
An entry is added to the System log after you import the rules.
smc –appendadvruleAdds the imported rules to the bottom of an existing advanced rules list. This
command does not overwrite existing Advanced rules.
To append firewall rules, you import a .sar file. For example, you can type the
following command:
smc –appendadvrule
C:\config\AllowExplorerRule.sar
An entry is added to the System log after you append the rules.
The command-line interface for the client service23
Table 6-1 Parameters that administrators can use (continued)
ParameterDescription
smc -exportadvruleExports the agent's firewall rules to a .sar file.
Agent rules are only exported from the agent when in Server Control mode.
You must specify the path name and file name. For example, you can type the
following command:
smc -exportadvrule
C:\config\AllowExplorerRule.sar
smc -importallconfigImports the server and client profiles to the agent. The source folder must contain
both serdef.xml and cltdef.xml.
This command replaces the current profile file's contents. Therefore, you can deploy
the most current profile file without having to remove out-of-date firewall rules,
antivirus scans, security settings, and user interface settings.
You must specify the path name and file name and extension. Any name or extension
is acceptable. For example, you can type the following command:
smc -importallconfig
C:\profile\source_folder\OfficeRules.xml
smc -exportallconfigExports the server and client profiles to file and folder of your choice.
Exports the server and client profiles to file and folder of your choice.
You must specify the path name and file name and extension.
Any name or extension is acceptable. For example, you can
type the following command:
C:\profile\dest_folder\OfficeRules.xml
smc -startStarts the client service.
smc -stopStops the client service.
When you import profile files and firewall rules, note that the following rules apply:
You cannot import profile files or firewall rule files directly from a mapped network drive.
●
The agent does not support UNC (universal naming convention) paths.
●
Typing a parameter if the agent is password-protected
You can password-protect the agent computer for the following parameters:
-stopThe agent asks for a password before you or the user stops the agent.
-importconfigThe agent asks for a password before you can import the profile file.
-exportconfigThe agent asks for a password before you can export the profile file.
NOTE:The password is limited to 15 characters or less.
24Chapter 6 Command Line Management
To type a parameter if the agent is password-protected, perform the following steps:
1.On the agent computer, on the taskbar, click Start > Run.
2.In the Run dialog box, type cmd.
3.In the Windows MS-DOS prompt, type either one of the following:
smc -parameter -p password
smc -p password -parameter
Where:
parameter is -stop, -importconfig, or -exportconfig.
password is the password you specified in the console.
For example, you can type either:
smc -exportallconfig c:\profile.xml -p password or
smc -p password -exportallconfig c:\profile.xml
4.Close the command prompt.
Typing a parameter if the agent is password-protected25