
CounterACT HPS Inspection Engine Plugin

Configuration Guide
Version 9.5.0 and Above
HPS Inspection Engine Plugin

Table of Contents
About the HPS-Inspection Engine Plugin
  Requirements
  Supported Windows Operating Systems
  Accessing Windows Endpoints
  Configuration at the Initial Setup Wizard
  Configuration per Appliance
Configuring the Plugin
  Domain Credentials
  SecureConnector Options
    Actions
    Detection
    Additional Options
  Windows Updates
    Scanning Using Windows Updates Settings
    WSUS Environment Settings
    Windows Update Default Settings
    Minimize Bandwidth during Vulnerability File Download
  Classification
    CounterACT Classification Versions
    Nmap Banner Scan
    Nmap Fingerprint Scan
  Tuning
    Specify Endpoint IP Addresses to Ignore
    Tune HPS-Inspection Engine Processes
    Automatic Tuning for Nmap Processes
    Run Script Method
    Send HTTP Actions on SecureConnector Connect and User Login
    HTTP Notification Action - Attempt to Open Browser at Endpoint
    User Name Resolve Priorities
  Testing and Verifying Connectivity
SecureConnector
  About SecureConnector
  SecureConnector Support – Microsoft Windows
  How SecureConnector Works
  Activating SecureConnector
  SecureConnector Details
  Running the SecureConnector Executable
  SecureConnector ID
  SecureConnector Installation Methods
    Download an Installation File from an Appliance
Configuring Appliances
  Apply the Configuration to All Appliances
  Apply a Configuration to a Single Appliance
  Apply the Configuration to Groups of Appliances
  Editing and Updating Configurations
Troubleshooting the HPS-Inspection Engine Plugin
  Operational Requirements
  Testing the Domain Credentials
    Testing the Credentials on a Desktop Using a Localhost Query
    Testing the Credentials on a Desktop Using Remote Query
    Port Setup Test
    NetBIOS over TCP/IP Setup Test
    Services Test
    Sharing Test
    Disable “Use simple file sharing”
Appendix A: Running Scripts for Remote Inspection
  fsprocsvc.exe Information
  Microsoft Task Scheduler vs. fsprocsvc.exe
  Task Scheduler Limitations
    Activating a Method
Appendix B: Executable Files Used by the Plugin


About the HPS Inspection Engine Plugin


The HPS Inspection Engine Plugin allows CounterACT to:
 Access Microsoft Windows endpoints
 Perform comprehensive, deep inspection for the purpose of resolving an
extensive range of endpoint information, such as operating system details,
Windows security, machine, services, application information and more.
 Activate a variety of CounterACT actions to manage, remediate or control
endpoints.
This document describes how to configure the plugin and provides other information
including supported operating systems, executables and processes generated by the plugin,
and troubleshooting issues.

 If you are working with Macintosh or Linux endpoints, use the Macintosh/Linux
Property Scanner Plugin.

Plugin Updates
The plugin is bundled with major CounterACT releases, but new plugin releases may become
available between major versions. The Plugin Updates icon appears on the status bar of the
Console when an update is available for the plugin.

Requirements
 CounterACT version 6.3.4.1 or higher

Supported Windows Operating Systems


The HPS Inspection Engine Plugin supports the following operating systems:
 Windows 2000
 Windows XP
 Windows Server 2000
 Windows Vista
 Windows 7
 Windows Server 2003
 Windows Server 2008
32-bit and 64-bit machines are supported.


Accessing Windows Endpoints


The following methods can be used to access endpoints and make them manageable. Once
they are manageable, deep inspection can be performed.
 Domain Credentials: Obtain the host domain credentials. Credentials are
defined when installing the CounterACT Console or in the plugin
configuration.
 SecureConnector: Use SecureConnector, a light footprint executable that
runs at the endpoint, if the endpoint is not accessible via domain credentials.
 Local endpoint credentials accessed via the HTTP Localhost Login action.
These credentials are saved by the plugin and used for remote inspection.
Refer to the Console User Manual for more information about this inspection
method.
The plugin must be configured regardless of the method used.

Configuration at the Initial Setup Wizard


Basic configuration (domain credentials) is usually performed when setting up the
CounterACT Console via the Console Initial Setup Wizard, Domain Credentials screen. The
Wizard automatically opens when first logging in to the Console.

Configuration per Appliance


By default, the settings defined for the HPS Inspection Engine Plugin are applied to all
Appliances. If required, you can create separate configurations for each Appliance or for
groups of Appliances. See Configuring Appliances for details.


Configuring the Plugin


You can configure the plugin to:
 Add or update Windows domain credentials
 Define global SecureConnector settings
 Define global options when working with the Start Windows Updates action
 Fine tune the Asset Classification mechanism
 Modify the default values used for various global parameters
 Specify test parameters and test connectivity
If you have configured the plugin but cannot access certain Windows endpoints or you see
that deep inspection is not being carried out properly, you may need to perform
troubleshooting procedures. See Troubleshooting the HPS-Inspection Engine Plugin for
details.

To configure the plugin:


1. Select Options from the Tools menu at the Console.
2. Select HPS Inspection Engine.

3. Configure as required. If you are logged into the Enterprise Manager but want to
configure all Appliances or a specific Appliance, make your selection from the
Appliances drop-down list.
The options available in each of the tabs are described in the following sections.
4. Click Apply to save your changes.

Domain Credentials
Domain credentials are domain-level administrator privileges used to connect to network
endpoints. Domain credentials are usually defined when setting up the Console via the
Console Initial Setup Wizard (see Configuration at the Initial Setup Wizard).


Use the Domain Credentials tab to add or modify domain credentials.

Select the Add button to define a new domain, or Edit to modify credentials for an existing
domain.

The following fields are available in the Add and Edit dialog boxes:

Domain Administrator
    The domain administrator account for the endpoints that are to be handled by the
    plugin. These must be endpoints within your internal network. You must enter at
    least one administrator.
Domain Name
    The domain name for the endpoints that are to be handled by the plugin. These must
    be endpoints within your internal network. You must enter at least one domain name.
Domain Password
    The domain administrator password for the endpoints that are to be handled by the
    plugin. These must be endpoints within your internal network.

Select the Authenticate using NTLMv2 checkbox to configure the plugin to use NTLM
version 2 for deep inspection in environments that support it. If the checkbox is cleared,
the plugin falls back to NTLM version 1, which is cryptographically weaker and is refused
by endpoints and domain controllers whose LAN Manager authentication level is set to
accept NTLMv2 only. Select the checkbox wherever the domain supports it.


SecureConnector Options
The following SecureConnector configuration and deployment options are available from the
HPS-Inspection Engine Plugin.
 Actions
 Detection
 Permanent SecureConnector Deployment Parameters
 Additional Options

 SecureConnector is a light footprint executable that can be run at the desktop to
manage unmanageable endpoints. For more information about how SecureConnector
works, see SecureConnector.

Actions
Disable External Device
The Disable External Device action can be used to disable external devices currently
connected to the endpoint. This feature is supported only when SecureConnector is installed
at the endpoint. Select the Automatically run SecureConnector when using the Disable
External Device action checkbox to automatically install SecureConnector when the Disable
External Device action is used.

Improve Kill Process Actions Frequency


The Kill Process, Kill Instant Messaging and Kill Peer-to-peer actions halt Windows
processes related to these features. If the endpoint has SecureConnector installed the process
is killed once a second; if not, the process is killed once a minute. Select the Automatically
run SecureConnector on Windows endpoints to increase frequency of Kill Process, Kill
IM and P2P actions checkbox to automatically install SecureConnector and increase
Windows kill process frequency (recommended).

Balloon Notification Control


Select the Show balloon messages at desktop checkbox to display balloon messages
generated by SecureConnector.


SecureConnector sends a desktop balloon message when the Disable External Devices, Kill
Process, Kill Instant Messaging and Kill Peer-to-peer actions are performed. The message
indicates which processes were killed.

Detection
Learning MAC Addresses
Select the Use SecureConnector to learn MAC address from local ARP tables checkbox
to instruct CounterACT to learn MAC addresses from the endpoint ARP table when the
endpoint is managed by SecureConnector. This enables detection of endpoints that may
otherwise be unreachable. When the checkbox is cleared, other methods of MAC learning are
used, for example from the Switch Plugin. This option is not available if SecureConnector
is located behind a NAT address, because the addresses in such an ARP table are not
reachable from the Appliance.
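What learning MAC addresses from the endpoint ARP table amounts to on a Windows host, as an added example (not ForeScout code and not how SecureConnector is implemented): parse the output of arp -a into IP/MAC pairs and drop the broadcast and multicast rows that are not neighbours. The sample table below is constructed for the example; calling Get-ArpNeighbors without -Text reads the live table of the machine it runs on.

```powershell
# Added example, not ForeScout code. Parses Windows "arp -a" output.
function ConvertFrom-ArpTable {
    param([string[]]$Lines)
    $iface = $null
    foreach ($line in $Lines) {
        # "Interface: 10.0.0.15 --- 0xb" starts a per-adapter block.
        if ($line -match '^Interface:\s+(\S+)') { $iface = $Matches[1]; continue }
        # Rows look like "  10.0.0.1    00-11-22-33-44-55    dynamic".
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            $mac = $Matches[2].ToLower()
            # ff-ff-ff-ff-ff-ff is broadcast and 01-00-5e-* is IPv4 multicast:
            # neither identifies an endpoint, so they are not learned.
            if ($mac -eq 'ff-ff-ff-ff-ff-ff' -or $mac -like '01-00-5e-*') { continue }
            New-Object PSObject -Property @{
                Interface  = $iface
                IPAddress  = $Matches[1]
                MacAddress = $mac
                Type       = $Matches[3]      # dynamic or static
            }
        }
    }
}

function Get-ArpNeighbors {
    param([string]$Text)   # captured arp -a output; omit to read the live table
    if (-not $Text) { $Text = (& arp.exe -a) -join "`n" }
    ConvertFrom-ArpTable -Lines ($Text -split "`r?`n")
}

# Constructed sample in the format arp -a prints on Windows XP/7 (not real data).
$sample = @'
Interface: 10.0.0.15 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-1a-2b-3c-4d-5e     dynamic
  10.0.0.22             08-00-27-aa-bb-cc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@
Get-ArpNeighbors -Text $sample | Format-Table Interface, IPAddress, MacAddress, Type -AutoSize
```

On the sample only the two dynamic rows survive. The NAT restriction in the text follows directly from what is learned: the IP addresses in the table belong to the endpoint's own segment, so when that segment sits behind a NAT device the Appliance cannot reach any of them.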

Permanent SecureConnector Deployment Parameters


This section describes options available when working with the permanent SecureConnector
deployment options. Define how SecureConnector is deployed in the Deployment Type
drop-down list in the Parameters tab of the Start SecureConnector action. Refer to the
Console online Help for details about the action.
Run SecureConnector at Startup
Select Run SecureConnector before any other program to run SecureConnector before
any other desktop program is launched. It is recommended to launch SecureConnector before
other programs to prevent other services or applications from blocking SecureConnector.
This option is applicable if you select Install Permanent As Application in the Deployment
Type drop-down list.
SecureConnector Password Protection
CounterACT administrators can prevent users from uninstalling, exiting or stopping
SecureConnector at the desktop by enforcing password access to these options. Type the
password in the SecureConnector Password Protection field. The password is limited to
24 characters.


Additional Options
This section of the SecureConnector tab includes other options for use with SecureConnector.

SSL version for use with SecureConnector


Select the SSL or TLS version to be used with SecureConnector from the SSL options drop-
down list.
Federal Information Processing Standard (FIPS)
CounterACT is delivered to meet FIPS requirements. If you have enabled FIPS compliance
and want to remain FIPS compliant when working with SecureConnector, select
Tools>Options>HPS Inspection Engine>SecureConnector tab. In the SSL options drop-
down list, select TLS version1 (FIPS).

Additional Appliance Connections


Select additional Appliances to maintain SecureConnector connection with endpoints. For
example, allow laptops connecting from outside the organizational network to be managed by
SecureConnector via an additional Appliance.

Windows Updates
Specify parameters to use when scanning for vulnerabilities and installing missing updates.
These parameters are used when working with the Microsoft Vulnerabilities and Microsoft
Vulnerabilities Fine-tuned properties, and the Start Windows Updates action.

Scanning Using Windows Updates Settings


Enter a range of endpoint IP addresses that will be instructed to use their local Windows
Updates settings (Microsoft Website or WSUS) when scanning for vulnerabilities.
This may be useful for hosts that are connected to your network via a VPN and are physically
located at a distance from the Appliance. In such cases, it may be faster for the endpoint to
connect to the Microsoft Website or to WSUS.

If you do not enter any ranges, the hosts are scanned by CounterACT using the HPS
Vulnerability DB plugin. Select Tools>Options>Plugins>HPS-Vulnerability DB>Help for
more information about this plugin. Vulnerability scanning is activated when you create a
policy that includes either the Windows Security > Microsoft Vulnerabilities or the
Microsoft Vulnerabilities Fine-tuned property.


WSUS Environment Settings


For vulnerabilities on endpoints to be remediated by a WSUS server, you must:
 Configure the WSUS server.
 Configure the WSUS environment parameters used by endpoints to connect
to the server:
− HTTP(S) URL of WSUS server
− HTTP(S) URL of report server
You can test connection with the server by selecting the Test button.
 Create a policy that uses the Windows Self Remediation action to remediate
the desired endpoints. For more information about this action, refer to the
Console User Manual (Working with Actions>Remediate Actions>Windows
Self Remediation).
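The two URLs above are the same ones Windows Update itself reads from its policy registry values on the endpoint. The following added example (not ForeScout code) reports what a given endpoint is currently told about WSUS and whether those servers answer on their port, which is the first thing to check when self remediation or a local-settings scan stalls. It assumes it is run on the endpoint (or through PSRemoting) with rights to read HKLM policy keys; the registry value names are the standard Windows Update policy values, and the plugin's own UI fields are configured separately.

```powershell
# Added example, not ForeScout code. Reads the endpoint's WSUS client policy.
function Test-WsusUrl {
    param([string]$Url)
    if (-not $Url) { return $null }            # value not set
    $uri = [System.Uri]$Url
    # Port defaults to 80/443 unless the URL names one (WSUS commonly uses 8530/8531).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected)
    } catch { return $false } finally { $tcp.Close() }
}

function Get-WsusClientConfig {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = "$policy\AU"
    $cfg = New-Object PSObject -Property @{
        UseWUServer             = $false   # 1 in the AU key = use the intranet server
        WUServer                = $null    # HTTP(S) URL of the WSUS server
        WUStatusServer          = $null    # HTTP(S) URL of the report server
        WUServerReachable       = $null
        WUStatusServerReachable = $null
    }
    if (Test-Path $policy) {
        $p = Get-ItemProperty -Path $policy
        $cfg.WUServer       = $p.WUServer
        $cfg.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $au) {
        $cfg.UseWUServer = ((Get-ItemProperty -Path $au).UseWUServer -eq 1)
    }
    $cfg.WUServerReachable       = Test-WsusUrl $cfg.WUServer
    $cfg.WUStatusServerReachable = Test-WsusUrl $cfg.WUStatusServer
    $cfg
}

Get-WsusClientConfig | Format-List
```

A result with UseWUServer set and WUServerReachable false means the endpoint will try the intranet server and fail rather than fall back to the Microsoft site; an endpoint whose report server URL is plain HTTP sends its update status unencrypted, so prefer the HTTPS form of both URLs when the WSUS server supports it.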

Windows Update Default Settings


The following parameters can be configured in this section:
 Update method
 Reboot method
 Maximum Concurrent Vulnerability DB File HTTP Uploads

Minimize Bandwidth during Vulnerability File Download


The HPS-Vulnerability DB Plugin provides Microsoft vulnerability updates to CounterACT
Appliances. The plugin pushes Microsoft vulnerability update information to the HPS
Inspection Engine Plugin installed on CounterACT Appliances. These updates are used when
working with vulnerability policies. The HPS-Inspection Engine Plugin instructs endpoints to
download this information when the Windows Security >Microsoft Vulnerabilities/
Microsoft Vulnerabilities fine-tuned properties are used.


You can minimize bandwidth usage during Microsoft vulnerability file download processes
by limiting the number of concurrent HTTP downloads to endpoints. The default is 20
endpoints simultaneously. Define a value in the Maximum Concurrent Vulnerability DB
File HTTP uploads field.

Classification
The HPS Inspection Engine Plugin powers CounterACT tools used for classifying assets.
These tools include the Asset Classification template, Mobile Classification template, the
Classification action and Classification/Advanced Classification properties.
Use these tools to classify network assets into the following categories:
 Windows devices
 Mobile devices
 Linux desktop/servers
 Unix servers/workstations
 VoIP devices
 Network Address Translation (NAT) devices
 Apple MAC/OSX
 Printers
 CounterACT devices
 Servers
 Network devices such as switches
 Terminal Servers
 Unclassified devices
 And more
In addition, classification techniques are also used when resolving services, application
versions, operating system details and related information.
The HPS Inspection Engine Plugin uses several methods for retrieving this information, for
example: Nmap tools; domain credentials; passive fingerprinting via the Appliance;
information resolved on devices managed by SecureConnector; or switches configured to
work with CounterACT. Nmap tools are used if other mechanisms could not resolve the
endpoint classification.


CounterACT Classification Versions


There are two CounterACT classification versions.
 Classification version 1 is part of CounterACT versions earlier than 6.3.4.0.
 Classification version 2, which delivers more accurate results, is included as
part of CounterACT version 6.3.4.0 and higher.
It is recommended that users upgrading to version 6.3.4.0 or higher should also upgrade to
CounterACT classification version 2.

Classification Version 1
Classification version 1 uses Nmap engine version 3.48 and database version 4.01.
 Nmap Banner Scan: not available for classification when using version 1.
 Nmap Fingerprint Scan: used to resolve operating system class and network
functionality.

Classification Version 2
Classification version 2 methods include:
 Nmap 5 – to actively fingerprint the devices in the network and identify their
network functionality
 HTTP and SMB banners – to parse protocols
 New banner-based classification – based on portal HTTP traffic
Classification version 2 uses Nmap engine version 5.21 and database version 5.35.
 Nmap Banner Scan: classification version 2 uses the Nmap banner scanning utility.
This improves resolution of device services, application versions and other operating
system details. This information is used by CounterACT to classify devices.
 Nmap Fingerprint Scan: used to resolve operating system class and network
functionality.

Who Should Upgrade


This section describes which users should upgrade to CounterACT classification version 2.
Users Upgrading to Version 6.3.4.0 or Higher


It is recommended that users upgrading from a previous CounterACT version to version
6.3.4.0 or higher migrate to CounterACT classification version 2. Run the Asset
Classification template before upgrading.
Before upgrading to version 2 it is highly recommended to run the Classification Migration
template, compare classification results and make any manual classification adjustments that
may be required. Refer to the Console Online Help for details about the Classification
Migration template.
Rolling back to classification version 1 is recommended only if the upgrade to version 2 was
not successful.
Users installing CounterACT Version 6.3.4.0 or Higher
If you are a new user, your system is already running with classification version 2. Do not roll
back to version 1.

Nmap Banner Scan


(CounterACT classification version 2 only) Select the Use Nmap Banner Scan checkbox to
use Nmap banner scan to improve the resolution of device services, application versions and
other operating system details.

Nmap Fingerprint Scan


Select the Use Nmap Fingerprint Scan checkbox to use Nmap fingerprint scan to resolve
operating system class and network functionality.

Tuning
Modify the default values used for various global parameters.

The following options are available:
 Specify Endpoint IP Addresses to Ignore
 Tune HPS-Inspection Engine Processes
 Automatic Tuning for Nmap Processes
 Run Script Method
 Send HTTP Actions on SecureConnector Connect and User Login
 HTTP Notification Action - Attempt to Open Browser at Endpoint
− Open as Explorer Dialog Box
− Customize notification popup height / width (in % of screen size)
 User Name Resolve Priorities
− Learning endpoint user name from HTTP login
− Use HTTP Login name when Sign In page is closed
− Remember name for (hours)

Specify Endpoint IP Addresses to Ignore


Specify endpoint IP addresses to ignore when calculating the Number of IP Addresses
property.

Add the addresses to the Define addresses to ignore when using Number of IP
Addresses property table.


Tune HPS- Inspection Engine Processes


You can define tuning parameters for HPS-Inspection Engine Processes that handle numerous
policy properties, for example:
 Antivirus information
 Banner information
 Network functions
 Open ports
 Registry values and keys
 SNMP OID value and MIB values
 User-defined OS fingerprint
 Windows file date, size, OS and services
 Hotfix information
Enable automatic tuning or customize tuning.

To enable automatic tuning:


1. Select the Automatic Tuning for HPS Inspection Engine Processes checkbox to
enable automatic tuning.
The default value depends on the CounterACT Appliance that you are working with. If you
fine-tune the settings at the Enterprise Manager, these settings are applied to each of the
connected Appliances.

Appliance Memory    Default Number of Processes
<1 GB               5
1-2 GB              10
2-4 GB              20
>4 GB               40

To customize tuning:
1. Deselect the Automatic Tuning for HPS Inspection Engine Processes checkbox.
2. Enter a value in the Concurrent HPS Inspection Engine Processes field. If you set
the value too high, you may overload your network and the Appliance.

Automatic Tuning for Nmap Processes


You can define tuning parameters for HPS-Inspection Engine Processes that handle the
following Nmap processes:
 Open ports
 Nmap OS class
 Nmap network function
Enable automatic tuning or customize tuning.

To enable automatic tuning:


1. Select the Automatic Tuning for Nmap Processes checkbox to enable automatic
tuning.
The default value depends on the CounterACT Appliance that you are working with. If you
fine-tune the settings at the Enterprise Manager, these settings are applied to each of the
connected Appliances.

Appliance Memory    Default Number of Processes
<1 GB               5
1-2 GB              10
2-4 GB              20
>4 GB               40

To customize tuning:
1. Deselect the Automatic Tuning for Nmap Processes checkbox.
2. Enter a value in the Concurrent Nmap Processes field. If you set the value too
high, you may overload your network and the Appliance.

Run Script Method


Choose a method to run scripts via remote inspection.
 ForeScout remote service
fsprocsvc.exe is used to run interactive and non-interactive scripts for several
CounterACT tasks.
 Task Scheduler
Task Scheduler is a component of Microsoft Windows that lets users schedule the
launch of programs or scripts at pre-defined times or after specified time intervals.


See Appendix A: Running Scripts for Remote Inspection for more information about these
methods.
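What the Task Scheduler method means in practice, as an added example (not ForeScout code and not the plugin's own implementation): create a one-time task on the remote endpoint with schtasks.exe, run it as SYSTEM, wait for it to finish, collect its output and delete the task. It assumes domain administrator credentials, an endpoint reachable over SMB/RPC, a script already copied to C:\Windows\Temp on the endpoint (paths without spaces), and the /Query /TN form of schtasks that ships with Windows Vista/Server 2008 and later; the task name and paths are illustrative.

```powershell
# Added example, not ForeScout code. Remote script execution via Task Scheduler.
function Invoke-RemoteScriptViaTask {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$User,       # DOMAIN\administrator
        [Parameter(Mandatory=$true)][string]$Password,   # omit /P below to be prompted instead
        [string]$ScriptPath = 'C:\Windows\Temp\inspect.cmd',   # illustrative
        [string]$OutPath    = 'C:\Windows\Temp\inspect.out',   # illustrative
        [string]$TaskName   = 'CA_Inspect_Once'                # illustrative
    )
    # /RU SYSTEM: non-interactive SYSTEM context, so the script never sees the user's desktop.
    # /SC ONCE /ST 00:00: a schedule that is never meant to fire on its own; /Run triggers it.
    & schtasks.exe /Create /S $ComputerName /U $User /P $Password /F `
        /RU SYSTEM /SC ONCE /ST 00:00 /TN $TaskName `
        /TR "cmd.exe /c $ScriptPath > $OutPath 2>&1"
    if ($LASTEXITCODE -ne 0) { throw "Task creation failed on $ComputerName" }

    try {
        & schtasks.exe /Run /S $ComputerName /U $User /P $Password /TN $TaskName
        if ($LASTEXITCODE -ne 0) { throw "Task start failed on $ComputerName" }

        # Poll the Status column until the task is no longer running (30 s cap).
        for ($i = 0; $i -lt 30; $i++) {
            Start-Sleep -Seconds 1
            $row = & schtasks.exe /Query /S $ComputerName /U $User /P $Password `
                       /TN $TaskName /FO CSV /V | ConvertFrom-Csv
            if ($row.Status -ne 'Running') { break }
        }
        # Output is read over the admin share with the calling session's own token.
        Get-Content ("\\$ComputerName\" + $OutPath.Replace(':', '$')) -ErrorAction SilentlyContinue
    } finally {
        # Leave nothing behind whether or not the script succeeded.
        & schtasks.exe /Delete /S $ComputerName /U $User /P $Password /TN $TaskName /F | Out-Null
    }
}
```

Two points a practitioner should keep in mind with this method: the password passed with /P is visible in the local process list while schtasks runs (leaving /P out makes schtasks prompt for it), and the task is non-interactive, which is exactly the limitation the text contrasts with the ForeScout remote service for interactive scripts.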

Send HTTP Actions on SecureConnector Connect and User Login


Start HTTP Login, HTTP Notification and HTTP Redirection to URL actions immediately
after SecureConnector connection or user login events.
These actions have an Attempt to open a browser at the detected endpoint option. If this
option is selected, the action tries to open a browser immediately, rather than waiting for the
endpoint user to browse.
If the Send http actions on SecureConnector connect and user login events option is
not selected and the user is not logged in at the time that the action is issued, the HTTP
message will not be displayed. With this option set, the message will be displayed when the
user logs in or connects via SecureConnector.

HTTP Notification Action - Attempt to Open Browser at Endpoint


These options apply if the Attempt to open a browser at the detected endpoint option is
selected in the Message tab of the HTTP Notification action.

Open as Explorer Dialog Box


Selecting this option causes the HTTP Notification action to open an Explorer dialog box
rather than the default Web browser.

Customize notification popup height / width (in % of screen size)


These options let you customize the appearance of redirected HTTP notification pages when
Open as Explorer Dialog Box is selected.

User Name Resolve Priorities


Several options are available for customizing the Device Information>User Name property
resolution.


Learning endpoint user name from HTTP login


Instruct CounterACT how to learn endpoint user names. Three options are available:
 Always use HTTP login name when available.
The name is obtained when working with the HTTP Login action.
 Only use HTTP login name when machine user name is not available
 Only use machine login name

Use HTTP Login name when Sign In page is closed


Use this option to instruct CounterACT to use the HTTP login name when the HTTP sign in
page is closed.

Remember name for (hours)


Use this option to instruct CounterACT for how long to remember the login name. This time
is calculated from the last successful login.

Testing and Verifying Connectivity


In the Test tab, specify parameters used for connectivity testing.

The following options are available:


Test Address
    A test IP address. Depending on the test type, the address can be used to verify:
     Connectivity to the domain name, administrator and password.
     Remote registry connection.
     CounterACT identifies a running Windows service.
    It is recommended to use an address that grants permissions and access to your
    entire network, for example the domain controller or the LDAP server.
Connectivity Test Type
    Specifies whether to test connectivity via SNMP or SMB/RPC. If you are testing via
    SNMP, you must enter the SNMP access parameters listed below.
OID (SNMP Test Parameters)
    The OID number to test.
Community (SNMP Test Parameters)
    The community name to test.
Extra Parameters (SNMP Test Parameters)
    This option controls the SNMP retry and timeout requests. You may need to use this
    to handle SNMP timeout problems. These problems may occur if the network is
    extremely busy.
    Timeout – The number of seconds to wait for a response. The default timeout is
    25 seconds.
    Retry – The number of times to retry sending an SNMP message. The default number
    of retries is 1. The upper limit is 20.
    For example, to indicate a timeout of five seconds and three retries, enter the
    following:
    -t 5 -r 3
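The three SMB/RPC checks the Test tab performs (domain credentials, remote registry connection, running Windows service), reproduced from a workstation as an added example that is not ForeScout code and is not how the plugin tests internally. It also reads the endpoint's LmCompatibilityLevel, which decides whether the NTLMv2 checkbox under Domain Credentials can be cleared safely. It assumes PowerShell 3.0 or later (for New-PSDrive with -Credential), a domain account that is a local administrator on the target, and that the SMB session created by mapping ADMIN$ is reused by the registry read; host name and service name are examples.

```powershell
# Added example, not ForeScout code. Reproduces the Test tab's SMB/RPC checks.
function Test-EndpointManageable {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
        [string]$ServiceName = 'RemoteRegistry'   # the service the registry check also needs
    )
    $r = New-Object PSObject -Property @{
        ComputerName = $ComputerName; Port445 = $false; Port139 = $false
        AdminShare = $false; ServiceRunning = $false
        RemoteRegistry = $false; LmCompatibilityLevel = $null
    }

    # 1. SMB transport: 445 (direct-hosted SMB) and 139 (NetBIOS session).
    foreach ($port in 445, 139) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $tcp.BeginConnect($ComputerName, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected) { $r."Port$port" = $true }
        } catch { } finally { $tcp.Close() }
    }

    # 2. Domain name, administrator and password: map ADMIN$ with the credential.
    #    The drive is kept until the end so the registry read can reuse this session.
    try {
        $null = New-PSDrive -Name CAtest -PSProvider FileSystem -Root "\\$ComputerName\ADMIN$" `
                            -Credential $Credential -ErrorAction Stop
        $r.AdminShare = Test-Path 'CAtest:\'
    } catch { }

    # 3. Running Windows service, enumerated over RPC/WMI with the same credential.
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                   -Credential $Credential -Filter "Name='$ServiceName'" -ErrorAction Stop
        $r.ServiceRunning = ($null -ne $svc -and $svc.State -eq 'Running')
    } catch { }

    # 4. Remote registry connection, and the endpoint's NTLM policy while we are there.
    #    LmCompatibilityLevel 3 and above: the host sends NTLMv2 only; 5: it also refuses
    #    NTLMv1 from clients. At 5, the plugin's NTLMv2 checkbox must be selected.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($lsa) {
            $r.RemoteRegistry = $true
            $r.LmCompatibilityLevel = $lsa.GetValue('LmCompatibilityLevel')   # $null = OS default
        }
    } catch { }

    Remove-PSDrive -Name CAtest -ErrorAction SilentlyContinue
    $r
}

# Usage (prompts for DOMAIN\administrator); host name is an example:
# Test-EndpointManageable -ComputerName 'ws01.corp.example' -Credential (Get-Credential) | Format-List
```

A host that passes step 2 but fails step 4 almost always has the Remote Registry service stopped, which is why the default service name above is RemoteRegistry; that is the case the plugin reports as an unmanageable endpoint even though the credentials are correct.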

SecureConnector
This section covers the following SecureConnector topics.
 About SecureConnector
 SecureConnector Support – Microsoft Windows
 How SecureConnector Works
 SecureConnector Details
 Running the SecureConnector Executable
 SecureConnector ID
 SecureConnector Installation Methods


About SecureConnector
CounterACT’s SecureConnector is a light footprint executable that runs at the endpoint for
the purpose of making endpoints manageable, and for performing or optimizing certain
actions. SecureConnector is a dissolvable client / agent.
SecureConnector is also available when working with Macintosh/Linux endpoints. Refer to
the Macintosh/Linux Property Scanner Plugin Configuration Guide for details.

Making Windows Endpoints Manageable


You can use SecureConnector to access unmanageable Windows endpoints and make them
manageable for deep inspection. In general, Windows endpoints are unmanageable if their
remote registry or file system cannot be accessed by CounterACT. This is typical for:
 Machines that are guests on the network
 Domain credentials that do not work or are not available
 Endpoints that are not part of the domain
 Machines that connect via VPN or wireless networks
Several policy properties are available for detecting unmanageable endpoints. Refer to the
Online Help page entitled Working with Conditions for details.
Performing or Optimizing Certain Actions
SecureConnector is required to perform the following actions on endpoints:
 Assign to VLAN on VoIP
 Disable External Device
 Send Balloon Notification
 Disable Dual Homed

 SecureConnector can be used to improve kill frequency when working with the
Kill Process, Kill Instant Messaging and Kill Peer-to-peer actions. These actions
detect and halt specific Windows processes. If the endpoint has SecureConnector
installed the actions run once per second; if not, the actions run once per minute.

SecureConnector Support – Microsoft Windows


SecureConnector can be activated on the following Windows systems:
 Windows 2000 SP4 or higher
 Windows XP
 Windows Server 2000 SP4
 Windows Server 2003
 Windows Vista
 Windows 7
 Windows Server 2008

32-bit and 64-bit machines are supported.

How SecureConnector Works


SecureConnector creates a secure (encrypted SSL) connection to the Appliance through port
10003. SecureConnector receives inspection and action requests and responds to them via this
connection; all CounterACT traffic between SecureConnector and the Appliance goes via the
secure connection.
SecureConnector can be configured to dissolve at reboot or disconnection from the network,
leaving no footprints, and then reopen at reconnection. Alternatively, it can be configured to
install permanently so that it remains at reboot or disconnection; in this case it can be
removed via the uninstall option in the Start > Programs menu.
When an endpoint assignment to an Appliance changes, the secure connection is seamlessly
re-created between the endpoint and the newly assigned Appliance.

Activating SecureConnector
SecureConnector is powered by the HPS-Inspection Engine Plugin, but activated from the
Console, Start SecureConnector action. Installation, visibility and other options can be
configured when defining the action. Navigate to the Working with Actions page in the online
Help for details.
In addition, you can distribute SecureConnector to endpoints by downloading an installation
file from an Appliance, and then distributing the file. See Download an Installation File
from an Appliance for details.
Several SecureConnector configuration options are available in this plugin. See
SecureConnector Options for details.

SecureConnector Details

Size on disk
    Approximately 920 KB
Endpoint memory utilization
    Process mode:
     Main process: 3 MB – 6 MB
     Watchdog process: 400 kB – 600 kB
    Service mode:
     Agent process: 3 MB – 5 MB
     Performer process: 4 MB – 6 MB
     Service: 3 MB – 5 MB
Deployment type
    Permanent or dissolvable. Defined in the Start SecureConnector action.
Visibility options
    Visible (icon in systray) or non-visible. Defined in the Start SecureConnector action.
Installation methods
     Remote inspection
     Browser – using HTTP redirection. Defined in the Start SecureConnector action.
     Browser – direct setup file download. Described in this guide. See Download an
      Installation File from an Appliance.
SecureConnector privilege level
    If possible, SecureConnector should be installed with Administrator (or SYSTEM)
    privileges on all endpoints. This ensures that it will run regardless of the privilege
    level of the logged-in user, and all SecureConnector related features will be available
    to any user logged on to the machine. Privilege levels are determined in part by the
    mode in which SecureConnector is installed. The mode is determined when configuring
    the Start SecureConnector action.
    Service Mode
    Install SecureConnector in service mode to ensure it runs with Administrator
    privileges even when the currently logged-in users are not administrators.
    Application Mode
    In application mode, privileges are determined by the status of the user currently
    logged in. The following actions will not work if an unprivileged user is logged in
    to a host running SecureConnector that was installed by an Administrator in
    application mode:
     Disable External Devices
     Kill Process (for processes that do not belong to the SecureConnector user)
     Disable Dual Homed
    UAC blocks installation to specific system-critical folders such as Program Files.
    However, SecureConnector can be installed to the user home folder and has all user
    privileges.
Installation folder when installed permanently
    %ProgramFiles% if setup runs with Administrator (or SYSTEM) privileges.
    %USERPROFILE%\Application Data if setup runs with non-Administrator privileges or
    setup is affected by UAC.
Folder used when deployed in dissolvable mode
    %Temp% if setup runs with Administrator (or SYSTEM) privileges.
    %USERPROFILE%\Local Settings\Temp if setup runs with non-Administrator privileges or
    setup is affected by UAC.

Running the SecureConnector Executable


SecureConnector.exe, activated by the HPS-Inspection Engine Plugin, runs on Windows
endpoints. Activation occurs when the Start SecureConnector action is chosen or when
SecureConnector is otherwise installed. See SecureConnector Installation Methods for
details.

Information about changes to the executable is announced in the HPS Inspection Engine
Plugin Release Notes when new HPS Inspection Engine Plugin versions are released.
SecureConnector can run as an application or as a service, depending on how it is installed.
Installation options are defined when running the Start SecureConnector action. When
installed as a service, the following SecureConnector.exe processes run and can be seen from
the endpoint Task Manager:

In the example shown above there are three SecureConnector.exe processes and one
fsprocsvc.exe process:
 One SecureConnector.exe process manages communication with the
CounterACT Appliance.
 One SecureConnector.exe process is responsible for the user interface (such
as Systray icon, View Compliance Center).
 One SecureConnector.exe process is the SecureConnector service. (If
SecureConnector is installed as an application then this process does not
appear and SecureConnector only uses two processes.)
 The fsprocsvc.exe process is used to install SecureConnector. It runs once
and then dissolves after two hours because it is no longer needed. If
SecureConnector is installed from an HTTP page, this service is used. (See
Appendix A: Running Scripts for Remote Inspection for more information
about fsprocsvc.exe)
When run as a service, the ForeScout SecureConnector service appears in the endpoint's
Computer Management window. The service is started in automatic mode.
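The process and service layout described above can be checked directly on an endpoint. The following PowerShell script is an added example written for this guide; it is not ForeScout code and not part of the plugin. It takes the process name (SecureConnector.exe), the service display name (ForeScout SecureConnector), the installer process (fsprocsvc.exe) and the candidate installation folders from this guide; the function name Get-SecureConnectorStatus and the mapping from process count to mode (three processes in service mode, two in application mode) are assumptions drawn from the description above.

```powershell
# Added example, not ForeScout code: inventory the SecureConnector footprint on a
# Windows endpoint. Names and folders come from the HPS Inspection Engine guide;
# the process-count-to-mode mapping follows the guide's description.

function Get-SecureConnectorStatus {
    $procs  = @(Get-Process -Name SecureConnector -ErrorAction SilentlyContinue)
    $fsproc = @(Get-Process -Name fsprocsvc -ErrorAction SilentlyContinue)
    # WMI returns state, start mode and image path in one query.
    $svc = Get-WmiObject Win32_Service -Filter 'DisplayName="ForeScout SecureConnector"'

    # Three SecureConnector.exe processes = service mode, two = application mode.
    $mode = switch ($procs.Count) {
        3       { 'service' }
        2       { 'application' }
        0       { 'not running' }
        default { "unexpected ($($procs.Count) SecureConnector.exe processes)" }
    }

    # The executable's folder indicates the deployment type (folders as listed in
    # the SecureConnector Details table). Reading .Path of a SYSTEM-owned process
    # needs an elevated shell; fall back to the service image path when present.
    $exePath = ($procs | Where-Object { $_.Path } | Select-Object -First 1).Path
    if (-not $exePath -and $svc -and $svc.PathName -match '^"?([^"]+\.exe)') {
        $exePath = $Matches[1]
    }

    $deploy = 'unknown (no readable path; run from an elevated shell)'
    if ($exePath) {
        $folder = Split-Path -Path $exePath -Parent
        # %APPDATA% is %USERPROFILE%\Application Data on XP, AppData\Roaming on Vista and later.
        if     ($folder -like "$env:ProgramFiles*") { $deploy = 'permanent, installed with Administrator/SYSTEM privileges' }
        elseif ($folder -like "$env:APPDATA*")      { $deploy = 'permanent, installed without Administrator privileges (or affected by UAC)' }
        elseif ($folder -like "$env:TEMP*" -or $folder -like "$env:SystemRoot\Temp*") { $deploy = 'dissolvable' }
        else   { $deploy = "unrecognised folder: $folder" }
    }

    New-Object PSObject -Property @{
        SecureConnectorProcesses = $procs.Count
        Mode                     = $mode
        Service                  = $(if ($svc) { "$($svc.State), start mode $($svc.StartMode)" } else { 'no service registered (application mode or not installed)' })
        Deployment               = $deploy
        InstallerServiceRunning  = ($fsproc.Count -gt 0)   # fsprocsvc.exe dissolves about two hours after its last command
    }
}

Get-SecureConnectorStatus | Format-List
```

Run it from an elevated PowerShell on the endpoint after deployment; a result of two processes with no registered service confirms application mode, and a Deployment value under %Temp% confirms a dissolvable installation that will not survive a reboot. This is a local spot check; the Windows Manageable (SecureConnector) policy property described later in this guide remains the way to verify deployment across all endpoints.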

SecureConnector ID
When SecureConnector connects to the CounterACT Appliance, it sends CounterACT a
unique ID. This ID is used as the endpoint’s identity and may cause CounterACT to perform
an identity change if one of the following events occurs:
 The current IP address was used by another machine – This occurs if another
SecureConnector ID was learned for this IP address. If another endpoint with
SecureConnector previously used the same IP address, then the system will
conclude this is a new machine, will delete all previous information and will
relearn the properties from the new machine.
 The current machine previously used another IP address – This occurs if this
SecureConnector ID was learned on another IP address. If this endpoint
previously used another IP address then all the information learned on the
older IP address will be moved to the new IP address (The old IP address will
be changed to the new one).
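The two identity-change rules above can be modelled as a small lookup table keyed by IP address. The following PowerShell function is an added illustration written for this guide, not ForeScout's implementation: the table layout (IP address to a record holding the SecureConnector ID and the learned properties), the function name Register-SecureConnector and the return strings are assumptions made for the example; the sample IP addresses and IDs in the walk-through are constructed.

```powershell
# Added illustration, not ForeScout code: a model of the SecureConnector ID rules.
# $Table maps IP address -> @{ Id = <SecureConnector ID>; Props = <learned properties> }.
function Register-SecureConnector {
    param(
        [hashtable]$Table,   # the Appliance's view of IP -> endpoint record (assumed layout)
        [string]$Ip,         # IP address the connection arrived from
        [string]$Id          # unique SecureConnector ID sent by the endpoint
    )

    # Rule 2: this ID was previously learned on a different IP address.
    # Everything learned on the old address moves to the new one. If the new
    # address was held by some other ID, that record is overwritten, which is
    # the same outcome as Rule 1 for that address.
    $oldIp = $null
    foreach ($k in @($Table.Keys)) {
        if ($Table[$k].Id -eq $Id -and $k -ne $Ip) { $oldIp = $k; break }
    }
    if ($oldIp) {
        $record = $Table[$oldIp]
        $Table.Remove($oldIp)
        $Table[$Ip] = $record
        return "moved:$oldIp->$Ip"
    }

    # Rule 1: the IP address is known, but with a different ID. Another machine
    # now owns this address: discard what was learned and relearn from scratch.
    if ($Table.ContainsKey($Ip)) {
        if ($Table[$Ip].Id -eq $Id) { return 'unchanged' }
        $Table[$Ip] = @{ Id = $Id; Props = @{} }
        return 'replaced'
    }

    # Neither the IP nor the ID has been seen: start a fresh record.
    $Table[$Ip] = @{ Id = $Id; Props = @{} }
    return 'new'
}

# Constructed walk-through (sample addresses and IDs, not real values)
$t = @{}
Register-SecureConnector -Table $t -Ip '10.0.0.5' -Id 'SC-AAA'   # new
$t['10.0.0.5'].Props['OS'] = 'Windows 7'
Register-SecureConnector -Table $t -Ip '10.0.0.5' -Id 'SC-AAA'   # unchanged
Register-SecureConnector -Table $t -Ip '10.0.0.9' -Id 'SC-AAA'   # moved:10.0.0.5->10.0.0.9 (OS property travels with it)
Register-SecureConnector -Table $t -Ip '10.0.0.9' -Id 'SC-BBB'   # replaced (properties for 10.0.0.9 discarded)
$t
```

The point of the model is the direction of trust: the SecureConnector ID, not the IP address, is what identifies the endpoint, so a change of address carries the learned properties along, while a change of ID on a known address wipes them. When reading inventory after a DHCP lease change or a VPN reconnect, this explains why a machine's history appears under its new address and why a reused address shows no history at all.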

SecureConnector Installation Methods


In general, three methods are available for installing SecureConnector:
 Install using a Web redirection page. (Use the Start SecureConnector
action.)
 Install remotely using domain credentials on manageable machines. (Use the
Start SecureConnector action.)
 Install using standard file distribution methods, described below.

Download an Installation File from an Appliance


You can distribute SecureConnector to endpoints by downloading an installation file from an
Appliance, and then distributing the file via:
 Wide, automatic distribution via Windows login script or domain group policy – an
advantage to this method is that installation is silent.
 Distribution to specific endpoints via a link in email.
 Distribution to specific endpoints via a file on a USB stick.
 Any third-party distribution tool.
You can also obtain a link from an Appliance and send that via email or another method to
specific endpoints; when a user clicks the link, a SecureConnector installation file is
automatically downloaded to the endpoint.
It does not matter from which Appliance you obtain the installation file or link, because each
endpoint automatically connects to the Appliance to which it is assigned.
After distribution, it is recommended to set up a policy to verify that SecureConnector
installation was successful at the intended endpoints.

To distribute SecureConnector via file or link to endpoints:

1. Browse to the following location. Use your CounterACT username and password to
access the URL.
http://<Appliance_IP_address>/sc
The SecureConnector Configuration page opens.
2. Define SecureConnector settings (described above).
− Whether to place an icon on the endpoint systray.
− Whether to configure SecureConnector to dissolve at reboot or disconnection from
the network, leaving no footprints. Otherwise it is set to permanent configuration so
that it remains after reboot or disconnection; in this case it can be removed via the
uninstall option in the Start > Programs menu.
3. Select Submit.
4. Select the Download link to download the SecureConnector installation file, or copy
the link on the bottom of the window. Do not change the file name or the link path.
5. Send the file or link to desired endpoints via login script, email or any other method.
If the file method is used, instruct the user to double-click the file to install.
If the link method is used, instruct the user to click the Run button when prompted so
that the installation file will automatically download and run.
6. Create a policy that checks all target endpoints to see if SecureConnector is installed.
Do this using the Windows Manageable (SecureConnector) property as the policy condition.

Configuring Appliances
You can configure the HPS Inspection Engine Plugin and apply the configuration as follows:
 Apply the configuration to all Appliances
 Apply a configuration to a single Appliance
 Apply a configuration to groups of Appliances. Group assignments enable
smooth, streamlined HPS Inspection Engine Plugin configurations.

Apply the Configuration to All Appliances


By default the configuration is applied to all Appliances. This configuration is displayed
in the Default tab of the pane.

Apply a Configuration to a Single Appliance


Apply a particular configuration to an Appliance. You can later edit or delete the
configuration for the Appliance. When you delete the configuration defined for the
Appliance, the Enterprise Manager settings are applied to it. These settings appear in the
Default tab.

To create a separate configuration for an Appliance:

1. Select the Plus-sign tab. The Select Appliances to Configure dialog box opens.

2. Select an Appliance and select OK. The pane appears with a tab for the Appliance
you selected.

Apply the Configuration to Groups of Appliances


You can later edit or delete the configuration for the Appliance. When you delete the
configuration defined for the Appliance, the Enterprise Manager settings are applied to it.
These settings appear in the Default tab.

To create configuration assignment groups:

1. Select the Plus-sign tab. The Select Appliances to Configure dialog box opens.

2. Select the required Appliances and type a name in the Name (Optional) field.
3. Select OK. The pane appears with a tab for the Appliances you selected and the
configuration assignment name.

Editing and Updating Configurations


Use the Edit and Delete buttons to update this configuration. When you delete
the configuration defined for the Appliance, the Enterprise Manager settings are applied to it.
These settings appear in the Default tab.

Troubleshooting the HPS-Inspection Engine Plugin


This section describes troubleshooting procedures if the HPS Inspection Engine Plugin test
fails. The following categories are available:
 Operational Requirements
 Testing the Domain Credentials
 Testing the Credentials on a Desktop Using a Localhost Query
 Testing the Credentials on a Desktop Using Remote Query

Operational Requirements
If the HPS Inspection Engine Plugin is not operating effectively, you should verify that the
following requirements are met:
1. Endpoints are running Windows 2000, Windows XP, Windows Vista, Windows
Server 2003, Windows Server 2008 or Windows 7.
2. The following services are enabled: Remote Procedure Call, Server Service, and
Remote Registry Service.
3. File and Print Sharing for Microsoft Networks (connection properties) is installed.
CounterACT can access C$ on the endpoint.
4. You have domain-level administrator privileges on each computer being scanned or it
is a member of the Domain Admins group. This group allows writing to the file
system but not to the registry.
5. If your network includes endpoints that run under Windows XP SP2, you changed
the Windows Firewall Settings so that CounterACT can perform remote inspection
on these machines. This means that you should have access to port 139 or 445 TCP.
Allowing access means CounterACT can retrieve Windows-related information. By
default, these ports are open on Windows 2000 machines.
6. CounterACT has access to the endpoint's remote registry and file system. Refer to
the CounterACT User Manual for more information about verifying this information.
7. (For XP systems only) You have deselected the Use Simple File Sharing option for the
endpoint.

To deselect Simple File Sharing on Windows XP:
− Double-click the My Computer icon on your desktop.
− Select Folder Options from the Tools menu.
− Select the View tab.
− Deselect the Use Simple File Sharing option and select OK.

Testing the Domain Credentials


Perform the following steps to test the domain credentials.
1. Log onto a desktop machine using the CounterACT username and password. If this
fails, check the counteract user settings on the Domain Controller.
2. Check that the desktop machine is a member of the Domain and is authenticating
against the Domain Controller.
3. Check that the login is using the Domain, rather than localhost credentials.

Testing the Credentials on a Desktop Using a Localhost Query


This test ensures that a query can be performed using the domain credentials.
1. Log on to a desktop machine using any credentials other than the counteract user.
This desktop should be a member of the domain.
2. Open a command window (Start>Run>“cmd”).
3. Run the command net use \\127.0.0.1\C$ /USER:DOMAIN\counteract,
where DOMAIN is the fully qualified domain of the network.
The command should return the following:
Local name
Remote name \\127.0.0.1\C$
Resource type Disk
Status OK
# Opens 0
# Connections 1
The command completed successfully.
If this test fails:
1. Check the domain syntax. Perhaps it needs to be more fully qualified. For example
DOMAIN, DOMAIN.COM or HQ.DOMAIN.COM
2. Check the credentials on the Domain Controller.

Testing the Credentials on a Desktop Using Remote Query


1. Log onto another desktop machine that is also a member of the domain.
2. Open a command window (Start>Run>“cmd”).
3. Run the command:
net use \\IPADDRESS\c$ password /user:DOMAIN\counteract
where IPADDRESS is the IP address of the target machine and ‘password’ is the
password for the counteract user.
If this fails, check the following:
 Domain Configuration Test
 TCP/IP Configuration Test
 Port Setup Test
 NetBIOS over TCP/IP Setup Test
 Services Test
 Sharing Test
 Disable “Use simple file sharing”

Domain Configuration Test

To perform a domain configuration test:


1. Open the System dialog box. Select Start>Control Panel>System. See the domain
configuration – in the Computer Name tab, select Change. Verify that the machine is
a member of the domain and that the domain is spelled correctly.

2. Verify that the NetBIOS domain name is identical to the one configured in the Host
Properties Scanner Plugin configuration screen. This is done by running ‘nbtstat –n’,
see the following output.

TCP/IP Configuration Test


Open the properties dialog box of the relevant network connection.

To open the dialog box:


1. Select Start>Settings>Control Panel>Network Connections.
2. Right-click the network connection and select Properties. The following
components should be installed (marked in red in the figure below):
− Client for Microsoft Networks
− File and Printer Sharing for Microsoft Networks
− Internet Protocol (TCP/IP)

3. Client for Microsoft Networks should be configured as follows:

Port Setup Test


CounterACT should have access to one of the following ports: 139/TCP, 445/TCP.

Group Policy Test


In a Windows XP group policy, the domain can be configured to set the end-system’s
Windows Firewall settings. Refer to Appendix 3: Remote Access to Network Hosts>Working
with Windows XP SP2 Machines in the Console User Manual for more information.

Local Configuration of Windows Firewall

To allow incoming network connections:


1. Select Start>Settings>Control Panel>Windows Firewall>Exceptions>File and
Printer sharing. Ports TCP 139 and TCP 445 should be selected.
2. Choose Change Scope for each port and in the Custom List add the CounterACT IP
address.

Disabling Windows Firewall


For testing purposes Windows Firewall can be disabled.

To disable Windows Firewall:


1. Select the General tab.
2. Disable Windows Firewall by choosing the following option:

NetBIOS over TCP/IP Setup Test


NetBIOS over TCP/IP should be enabled either directly or from the DHCP server. One of the
options in red below should be enabled:

Services Test
Verify the following services (circled in red in the figure) are running.

To verify:
1. Open the services view by selecting Start>Control Panel>Administrative Tools>Services.
Verify that the following services are running:
− Remote Procedure Call (RPC).
− Remote Registry Service.
− Server

2. If any of them is not running, start it (right-click and select Start).

Sharing Test
Verify the default C$ share exists.

To verify:
1. From My computer, right-click drive C and select Properties.
2. In the Sharing tab, the following should be configured:

Disable “Use simple file sharing”


In some rare incidents, this option prevented the system from performing remote inquiries.

To disable simple file sharing:


1. From My computer>Tools>Folder Options, select the View tab, disable the Use
simple file sharing option.
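The endpoint-side tests in this troubleshooting section (Domain Configuration, Port Setup, NetBIOS over TCP/IP, Services, Sharing and simple file sharing) can be collected into one read-only script that runs on the endpoint under test. The following PowerShell is an added example written for this guide, not ForeScout code: the function name Test-RemoteInspectionReadiness and the result layout are assumptions; the service names (RpcSs, RemoteRegistry, LanmanServer), the WMI classes and the Lsa\ForceGuest registry value (the setting behind the Use simple file sharing checkbox on Windows XP Professional) are standard Windows identifiers. Nothing is modified by the script.

```powershell
# Added example, not ForeScout code: read-only check of the endpoint requirements
# for HPS remote inspection, mirroring the manual tests in the troubleshooting
# section. Run on the endpoint; an elevated shell is not required for most checks.

function Test-RemoteInspectionReadiness {
    $checks = @()

    # Services Test: Remote Procedure Call, Remote Registry and Server must be running.
    foreach ($name in 'RpcSs', 'RemoteRegistry', 'LanmanServer') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $checks += New-Object PSObject -Property @{
            Check  = "Service $name running"
            Pass   = ($svc -ne $null -and $svc.Status -eq 'Running')
            Detail = $(if ($svc) { "$($svc.Status)" } else { 'service not found' })
        }
    }

    # Sharing Test: the administrative C$ share must exist.
    $share = Get-WmiObject Win32_Share -Filter 'Name="C$"'
    $checks += New-Object PSObject -Property @{
        Check  = 'C$ administrative share present'
        Pass   = ($share -ne $null)
        Detail = $(if ($share) { $share.Path } else { 'missing' })
    }

    # Port Setup Test: SMB must be listening on 445/TCP or 139/TCP.
    $listening = @(netstat -an | Where-Object { $_ -match ':(445|139)\s.*LISTENING' })
    $checks += New-Object PSObject -Property @{
        Check  = 'SMB listening on 139/TCP or 445/TCP'
        Pass   = ($listening.Count -gt 0)
        Detail = $(if ($listening.Count) { ($listening | ForEach-Object { $_.Trim() }) -join '; ' } else { 'no listener' })
    }

    # NetBIOS over TCP/IP Setup Test: TcpipNetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $nbtOk = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    $checks += New-Object PSObject -Property @{
        Check  = 'NetBIOS over TCP/IP not disabled on an active adapter'
        Pass   = ($nbtOk.Count -gt 0)
        Detail = ($nics | ForEach-Object { "$($_.Description): $($_.TcpipNetbiosOptions)" }) -join '; '
    }

    # Disable "Use simple file sharing": on Windows XP Professional this checkbox
    # is stored as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest (0 = disabled).
    $forceGuest = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    $checks += New-Object PSObject -Property @{
        Check  = 'Simple file sharing disabled (Lsa\ForceGuest = 0)'
        Pass   = ($forceGuest -eq $null -or $forceGuest -eq 0)
        Detail = $(if ($forceGuest -eq $null) { 'value absent (not applicable on this OS)' } else { "ForceGuest=$forceGuest" })
    }

    # Domain Configuration Test: the machine must be a domain member.
    $cs = Get-WmiObject Win32_ComputerSystem
    $checks += New-Object PSObject -Property @{
        Check  = 'Machine is joined to a domain'
        Pass   = [bool]$cs.PartOfDomain
        Detail = $(if ($cs.PartOfDomain) { $cs.Domain } else { "workgroup $($cs.Workgroup)" })
    }

    $checks
}

Test-RemoteInspectionReadiness | Format-Table Check, Pass, Detail -AutoSize
```

A listener on 445/TCP does not prove that Windows Firewall admits the Appliance; the firewall scope described under Local Configuration of Windows Firewall is only confirmed end to end by running the net use command from the Testing the Credentials on a Desktop Using Remote Query section on a second domain member. The script reports rather than repairs, so a failing row points at the corresponding manual test above.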

Appendix A: Running Scripts for Remote Inspection


The fsprocsvc.exe service, installed on endpoints by the HPS-Inspection Engine Plugin,
is used to run interactive scripts for several CounterACT tasks. It is similar to Microsoft's
PsTools (part of Windows Sysinternals tools:
http://technet.microsoft.com/en-us/sysinternals/default.aspx).
The service does not open any new network connection or generate traffic. Communication is
carried out over Microsoft's SMB/RPC (139/TCP or 445/TCP) and the authentication is
performed with the domain credentials. If there is no request to run a new command within
two hours, the service dissolves automatically.

fsprocsvc.exe Information

Footprint
     Size on disk: Approximately 250 KB
     Memory acquired during runtime: 2 MB
     Runs under: System
     Start type: Automatic
     After 2 hours the service removes itself
Properties requiring the service (with remote inspection, i.e. not via SecureConnector)
     Expected Script Result
     Device Interfaces
     Number of IP Addresses
     External Devices
     File MD5 Signature
     Is Behind NAT
     Microsoft Vulnerabilities
Actions requiring the service (with remote inspection, i.e. not via SecureConnector)
     Run Script On Windows
     HTTP Redirection to URL (if Attempt to open a browser at the detected endpoint
      is selected)
     Start SecureConnector
     Set Registry Key
     Start Antivirus
     Update Antivirus
     Start Windows Updates
     Kill Process on Windows, Kill Instant Messaging, Kill Peer-to-peer
Controlling the location where the service executable and scripts are copied to
    fsprocsvc.exe runs from the system temp folder.
    The scripts are run as follows: the following configuration property sets the directory
    to use:
    config.script_run_folder.value
    For example:
    config.script_run_folder.value = "C:\Program Files\Forescout\"
    If the property is not defined (it is not defined by default), then the directory to use
    is determined as follows: if a user is logged into the endpoint, then the logged-in
    user temp folder is used.

Microsoft Task Scheduler vs. fsprocsvc.exe


An option is available to work with Microsoft Task Scheduler, rather than with
fsprocsvc.exe.
Task Scheduler is a component of Microsoft Windows that lets users schedule the launch of
programs or scripts at pre-defined times or after specified time intervals. This utility can be
used to run CounterACT scripts.

Task Scheduler Limitations


 Requires the relevant service to be started on the endpoint.
 Interactive tasks do not work on Windows Vista and Windows 7 if the
remote process is triggered from Task Scheduler.
 The Update Antivirus action does not work on Windows Vista and
Windows 7 if the HPS remote inspection is configured to work as a
"Scheduled Task".
 Opening a browser window does not work on Windows Vista and
Windows 7 if the HPS remote inspection is configured to work as a
"Scheduled Task". When redirected with this option checked, the
browser does not open automatically and relies on the packet engine
seeing this traffic.
 On Windows Vista and Windows 7 configurations, SecureConnector via
remote inspection is invisibly installed if the HPS remote inspection is
configured to work as a Scheduled Task and SecureConnector is set to be
visible.

Activating a Method
To run scripts in remote inspection using Task Scheduler:
1. Open the following file on the Appliance
/usr/local/forescout/plugin/va/local.properties
2. Add the line: config.run_script_fsnet.value=false
3. This should be done for each Appliance.

Appendix B: Executable Files Used by the Plugin

The following executable files are installed on endpoints by the HPS-Inspection Engine
Plugin. Refer to HPS Inspection Engine Release Notes for information regarding changes
made to these files.

EXE files

fsprocsvc.exe
    fsprocsvc.exe is used to run scripts for several CounterACT tasks. The service is similar
    to Microsoft's PsTools (part of Windows Sysinternals tools:
    http://technet.microsoft.com/en-us/sysinternals/default.aspx). The service does not open
    any new network connection or generate traffic. Communication is carried out over
    Microsoft's SMB/RPC (139/TCP or 445/TCP) and the authentication is performed with the
    domain credentials. If there is no request to run a new command within two hours, the
    service dissolves automatically.
SecureConnector.exe
    The SecureConnector executable.
fs_DeviceControl.exe
    Used to resolve the External Devices property (remote inspection).
fs_md5.exe
    Used to resolve the File MD5 Signature property.

Additional Files

fs_kill_proc.vbs
    Used to perform the following actions:
     Kill Process on Windows (remote inspection)
     Kill Instant Messaging (remote inspection)
     Kill Peer-to-peer (remote inspection)
fs_sched_task_rm.vbs
    Utility for running scripts with Task Scheduler (remote inspection). Not used when
    working with fsprocsvc.exe.
fs_wmi.vbs
    Used to resolve the Windows Security Center Antivirus Status property.
fs_kb.vbs
    Used to resolve the Microsoft Security > Vulnerabilities property.
fs_http_upload.vbs
    Used to resolve the Microsoft Security > Vulnerabilities property.
fs_host_ips.vbs
    Used to resolve the Number of IP Addresses property.
fs_av_update.vbs
    Used to perform the Update Antivirus action.
fs_av_start.vbs
    Used to perform the Start Antivirus action.
fs_wua_full.vbs
    Used to perform the Start Windows Updates action.
fs_nat_active.vbs
    Used to resolve the Is Behind NAT property.
fs_reg_edit.vbs
    Used to perform the Set Registry Key action.
fs_workgroup.vbs
    Used to resolve the Device Information > User property (on Vista on WORKGROUP).
fs_wua_search.vbs
    Used for Microsoft Security > Vulnerabilities properties.

Legal Notice
Copyright © ForeScout Technologies, 2000-2012. All rights reserved.
The copyright and proprietary rights in the guide belong to ForeScout Technologies. It is strictly forbidden
to copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior consent
of ForeScout Technologies.
This product is based on software developed by ForeScout Technologies. The products described in this
document are protected by U.S. patent # 6,363,489 issued March 2002 and may be protected by other U.S.
Patents and foreign patents.
Redistribution and use in source and binary forms are permitted, provided that the above copyright notice
and this paragraph are duplicated in all such forms and that any documentation, advertising materials and
other materials related to such distribution and use, acknowledge that the software was developed by
ForeScout Technologies.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
All other trademarks used in this document are the property of their respective owners.
Send comments and questions regarding documentation to: documentation@forescout.com
11/5/12
