Prevx CSI-E Server

CSI-E
Computer Security Investigator – Enterprise
Definitions:
• Agent – This is an individual machine with Prevx CSI installed.
• Prevx CSI-E Server – This is the central computer which analyses the Prevx CSI Agents.
• PX5 – This is the way Prevx uniquely identifies a file, similar to an MD5 hash.
• MDB – The Master Database (MDB) refers to the storage of data used by Prevx CSI-E Server.
• LDB – The Local Database (LDB) refers to the file which stores the Prevx CSI-E Agent's scan log and settings.
• Determination – This is the decision on whether a file is Good (clean), Bad (infected) or Unknown (undefined).
CSI-E Scan Flow Diagram
[Figure: flow chart with two lanes, CSI Agent and CSI-E Server; only the box labels survive extraction.]
CSI Agent lane: "Agent performs scan"; "Apply Agent configurations and/or remediation".
CSI-E Server lane: decision "Any Agents scanned recently?" (No loops back, Yes continues); "Verify Agent's scan information"; decision "Has scan been processed?"; "Set group configurations"; decision "Infection or blacklisted program found?"; "Set Agent configurations and remediation and execute alert rules".
CSI-E Architectural diagram
[Figure: component diagram; only the labels survive extraction.]
Components: Prevx CSI-E Server Software with its MDB; Prevx Community DB, reached over the Internet (port 80) and returning determinations; File Server hosting the CSI Shares; Prevx CSI-E Agent; Alerts (SMS, email, Windows Events...); Reports (customized HTML).
Flows shown: CSI-E Agent scan information sent to the CSI Shares; CSI-E Agent info picked up by the CSI-E Server; CSI-E Agent info processed and configuration set; CSI-E Agent scan results received plus additional configuration settings; scan performed / remediation enforced on the Prevx CSI-E Agent.
Prevx Community Database and Zero-Day Detection
• Utilising the Prevx Community database and advanced detection rules, we pride ourselves in finding malware before anyone else and consider ourselves as an incremental (value added) and a stand-alone solution.
Prevx CSI Detection Technology
• Based on the Prevx CSI detection software, Prevx CSI-E builds in additional functionality to allow for a truly dynamic, powerful detection program to work exactly how you specify it to operate, using remediation policies and alert rules.
Internet independent agents
• The Prevx CSI-E implementation does not require client machines to have an internet connection to get determinations, since the CSI-E server does all the internet communication on behalf of the agents, thus negating the need to open up ports for internet communications on every client machine.
• This is possible by having a central file share folder where the client machines transfer their scan logs and configurations (LDB) and await the verified scan results and additional configuration once the Prevx CSI-E server has processed the client's logs.
Overrides and Master Database
• Organisations may have in-house developed software which is unknown to the Prevx Community Database, or a standard desktop build where all the files are known to be good. By having the mechanism to import files, directories or even Windows Installer (MSI, MSP) installations (all the setup files can be analysed prior to installing) into the Prevx CSI-E Master Database (MDB), you can predefine these import determinations locally on the Prevx CSI-E server. This will increase performance, as if a file's PX5 has been stored in the MDB there will be no need to look online for a determination.
• The overrides feature can also be used to mark certain files associated with programs as “bad”, so you can disallow, or be alerted when, certain files on your network have been seen, despite the Prevx Community Database marking the files as “good”.
• The overrides can be grouped together, meaning that, for example, if after a scan a sales department machine has been seen running software which should only be used on a development team's machines, Prevx CSI-E alerts the administrator or runs a remediation policy.
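The share-based exchange and the override lookup described above, as an added Python example that is not part of the original Prevx material: the server reads a constructed agent LDB (JSON) from a share directory, resolves each file through group-scoped local MDB overrides before falling back to a stand-in community database, marks the log as processed, and writes back the determinations plus remediation and alert decisions. SHA-256 stands in for the proprietary PX5, and the JSON layout, file names and group names are assumptions.

```python
import hashlib, json
from pathlib import Path
from tempfile import TemporaryDirectory

GOOD, BAD, UNKNOWN = "Good", "Bad", "Unknown"

def file_id(data: bytes) -> str:
    # Stand-in for PX5 (proprietary); SHA-256 is an assumption of this example.
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the Prevx Community Database: id -> determination.
COMMUNITY_DB = {file_id(b"notepad"): GOOD, file_id(b"dropper"): BAD}
# Constructed MDB overrides: id -> (determination, agent groups it applies to; None = all).
MDB_OVERRIDES = {
    file_id(b"inhouse-tool"): (GOOD, None),     # in-house build imported into the MDB
    file_id(b"devdebugger"): (BAD, {"sales"}),  # developer-only tool, "bad" on sales PCs
}

def determine(fid: str, group: str) -> tuple:
    """MDB overrides win; the community DB is consulted only for files not covered locally."""
    if fid in MDB_OVERRIDES:
        verdict, groups = MDB_OVERRIDES[fid]
        if groups is None or group in groups:
            return verdict, "mdb"
    return COMMUNITY_DB.get(fid, UNKNOWN), "community"

def process_scan_log(share: Path, ldb_name: str):
    """Server side of the share exchange: read an agent's LDB once, write back results (None if already processed)."""
    ldb_path = share / ldb_name
    log = json.loads(ldb_path.read_text())
    if log.get("processed"):
        return None
    results = {f["path"]: determine(f["id"], log["group"])[0] for f in log["files"]}
    bad = sorted(p for p, v in results.items() if v == BAD)
    response = {"agent": log["agent"], "results": results,
                "remediation": "auto_cleanup" if bad else None,
                "alert": f"{log['agent']}: bad files {bad}" if bad else None}
    log["processed"] = True                       # so a re-read of the same LDB is skipped
    ldb_path.write_text(json.dumps(log))
    (share / f"{log['agent']}.results.json").write_text(json.dumps(response))
    return response

def demo():
    """Simulate one sales-department agent dropping its scan log on the share (constructed data)."""
    scanned = [("C:\\Windows\\notepad.exe", b"notepad"), ("C:\\Tools\\inhouse.exe", b"inhouse-tool"),
               ("C:\\Tools\\devdbg.exe", b"devdebugger"), ("C:\\Temp\\x.exe", b"unseen")]
    ldb = {"agent": "sales-pc01", "group": "sales", "processed": False,
           "files": [{"path": p, "id": file_id(d)} for p, d in scanned]}
    with TemporaryDirectory() as share:
        (Path(share) / "sales-pc01.ldb").write_text(json.dumps(ldb))
        return process_scan_log(Path(share), "sales-pc01.ldb")
```

The same developer-only tool resolves to Unknown on a "dev" group machine, because the group-scoped override does not apply and the community database has never seen the file.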
Remediation Policies
Once a client machine has been detected as being infected, Prevx CSI-E will enforce automatic remediation policies to perform immediate actions on the infected machine. These policies may include:
• Auto cleanup – Automatically clean up an infected machine before it spreads; the user will be alerted prior to this action as a reboot may be required.
• Network Access Control (NAC) – Automatically remove the infected machine from your network by disabling all network devices on the infected host.
• User notification – Advise the user that their machine is infected and present a customizable message.
• Shutdown/Reboot machine – The infected machine can be immediately shut down to prevent any further infections spreading.
• Server side script execution – Execute any type of script or program with any action by writing your own server side scripts.
Alert Rules
When a user's machine is infected you will more than likely not be watching the Prevx CSI-E Server console at that very moment, so we have implemented a messaging system to alert the administrator in numerous ways:
• Email notification via the Prevx Premium E-mail alert system
• SMS (Short Messaging Service) notification via the Prevx SMS Premium service
• Email notification via your own E-mail system
• Windows Event log, which works alongside the Microsoft Operations Manager (MOM) alert system
• Script Alert rule*
Script Alert Rules
• One of the most configurable features of Prevx CSI-E Server is the Script Alert feature. This allows the administrator to write any script or even program to launch under certain conditions, such as a client infection, a server or client failure, or even when a certain file has been seen in your organization, which is especially useful when you wish to control the use of applications such as MSN Messenger.
• Also, you can run advanced scripts to perform Active Directory tasks, so if a machine is seen to be infected you can move the machine into a remediation OU (organizational unit) or even remove the machine from the domain, therefore preventing further access to domain resources.
Reports
• Prevx CSI-E can generate reports on demand, customized exactly to an organization's needs. The reports are generated from HTML files which can be formatted by taking advantage of the Prevx CSI-E variables and placeholders. This is especially useful for organisations wishing to provide audit reports as part of compliance.
• Each client which communicates with Prevx CSI-E will have its scan history, infection history and a range of other useful information stored in the MDB ready for reporting.
• The standard reports include “Infected Report” and “Agent Reports” (individual or groups of agents).
Master Database (MDB)
• By not relying on external proprietary database technologies, Prevx CSI-E has an independent, super-efficient database that does not rely on having (for example) MS SQL. The MDB enforces data integrity and backup functionality to ensure your organisation's Prevx CSI-E data is secure.
• The MDB is pre-shipped with pre-determined PX5s of core operating system files to ensure that only new (unseen) files are verified; this increases the performance of Prevx CSI-E as there will be less need to communicate with the Prevx Community Database to get determinations. Over time Prevx can provide mass determinations in a single file format for administrators to import these pre-defined determinations en masse.