Administration Guide
r12
This documentation and any related computer software help programs (hereinafter referred to as the
"Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part,
without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may
not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and
CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation,
you may print a reasonable number of copies of the Documentation for internal use by you and your employees in
connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print copies of the Documentation is limited to the period during which the applicable license for such
software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify
in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER
OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION,
INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR
LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and
is not modified in any way by the terms of this notice.
Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2010 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein
belong to their respective companies.
CA Product References
This document references the following CA products:
■ CA Total Defense
■ CA Total Defense for Unified Network Control
Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the
information you need for your Home Office, Small Business, and Enterprise CA
products. At http://ca.com/support, you can access the following:
■ Online and telephone contact information for technical assistance and
customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Contents
Chapter 1: Introduction 13
Types of Protection ............................................................................. 13
Anti-Malware ............................................................................... 13
Proactive Protection ......................................................................... 13
Groupware ................................................................................. 14
CA Gateway Security ........................................................................ 14
CA Total Defense for Unified Network Control ................................................ 15
Product Infrastructure .......................................................................... 15
Client-Server Communication ................................................................... 15
Phone Home ................................................................................ 15
Internet Information Services (IIS) .......................................................... 16
Data Flow between Endpoints and Servers ................................................... 18
Data Flow Using Proxies ..................................................................... 20
The Management Console ....................................................................... 21
Management Console Navigation ............................................................ 22
Filter and Find Tools ........................................................................ 23
Ease of Use Features ........................................................................ 24
Open the Management Console .............................................................. 25
Install the CA Security Certificate ............................................................ 25
Viewing Events ............................................................................. 38
Events Statistics ............................................................................ 39
Record Deletion and Archival ................................................................ 39
Events and User Roles ...................................................................... 41
High Severity Events ........................................................................ 42
Event Insight ............................................................................... 43
Events Flow Diagram ........................................................................ 44
License Expiration .......................................................................... 73
Renewals and Migration ..................................................................... 74
New License Keys ........................................................................... 74
License Reassignment ....................................................................... 75
Proxy or Server Component License Assignment ............................................. 75
Offline License Synchronization .............................................................. 76
Management Server Proxy Implementation ...................................................... 77
Activating a Proxy in a DMZ ................................................................. 78
Endpoint Discovery ............................................................................. 79
How Endpoint Discovery Works .............................................................. 79
Discovery Scanning Methods ................................................................ 82
Operating System Detection Methods ........................................................ 84
Endpoint Discovery Network Map ............................................................ 85
Unknown Host Found ....................................................................... 85
Differences between Full and Incremental Discovery .......................................... 86
IP Address Exclusion List .................................................................... 86
Timeout, Delay and Retry Ranges ........................................................... 87
Optimizing Endpoint Discovery Configuration ................................................. 88
Viewing Endpoint Discovery Scan Engines Performance Statistics ............................. 89
View Service Logs During a Scan ............................................................ 89
Revert to Older Signatures ...................................................................... 89
Directory Services .............................................................................. 90
Conditions for Using Active Directory ........................................................ 91
Server Database Management................................................................... 92
Management Server Database ............................................................... 92
Event Server Database ...................................................................... 94
Endpoint Discovery Database ................................................................ 96
User Role Management ......................................................................... 96
Assigning User Roles ........................................................................ 96
User Role Authentication .................................................................... 97
Group Inheritance .......................................................................... 98
Global and Partition-Specific Roles ........................................................... 98
User Role Descriptions ...................................................................... 98
View the Endpoints Panel................................................................... 107
View the Malware Panel .................................................................... 108
View the CA Global Advisor Panel ........................................................... 109
View the Server Monitor Panel .............................................................. 110
Reports ....................................................................................... 112
View Report Filters ......................................................................... 112
Create Report Filters ....................................................................... 112
Manage Report Filters ...................................................................... 114
View Reports .............................................................................. 115
Report Configuration ....................................................................... 116
View Scheduled Tasks ...................................................................... 150
Create Scheduled Tasks .................................................................... 151
Manage Scheduled Tasks ................................................................... 151
View Run History .......................................................................... 152
Customize Report Scheme ................................................................. 153
Maintain Report Storage ................................................................... 154
Set Reporter Permissions ................................................................... 154
Events ........................................................................................ 156
View Events ............................................................................... 156
Delete Events .............................................................................. 157
View Event Filters .......................................................................... 157
Create Event Filters ........................................................................ 159
View Statistics ............................................................................. 160
Event Notification Configuration ............................................................ 160
Endpoints ..................................................................................... 168
View Endpoints ............................................................................ 168
Filter the Endpoint View .................................................................... 170
View Managed Endpoint Details ............................................................. 174
Manage Centralized Deployments ........................................................... 176
Create New Installation Packages ........................................................... 179
Save an Installation Package to Disk ........................................................ 180
Deploy Installation Packages to Endpoints .................................................. 181
Delete Endpoints ........................................................................... 183
Review Deployment Jobs ................................................................... 183
Filter Deployment Job Records.............................................................. 185
Purge Deployment Job Records ............................................................. 186
Partition Assignment Tree ...................................................................... 187
View the Partition Assignment Tree ......................................................... 187
View Partition Branch Details ............................................................... 189
Lock the Partition Assignment Tree ......................................................... 191
Create or Edit a Partition Branch ............................................................ 192
Subdivide Partition Branches ............................................................... 194
Using the Branch Subdivision Page ......................................................... 196
Using the Branch Properties Page ........................................................... 198
Manage Partition Branches ................................................................. 200
Policy Assignment Tree ........................................................................ 201
Lock the Policy Assignment Tree ............................................................ 201
Assign Policies ............................................................................. 202
Manage Policy Assignment Branches ........................................................ 203
Common Tree Procedures ...................................................................... 206
Manage Server Change History ............................................................. 206
Set Change History Parameters............................................................. 207
View Partition Assignment Tree Change History ............................................. 207
View Policy Assignment Tree Change History ................................................ 209
View Policies Change History ............................................................... 213
View Advanced Policy Components Change History .......................................... 216
Manage Locked Trees ...................................................................... 218
View Change History Details ................................................................ 221
Policies ........................................................................................ 222
Manage Policies ............................................................................ 222
Create General Policies ..................................................................... 224
Create Anti-Malware Policies ................................................................ 250
Create Proactive Protection Policies ......................................................... 279
Manage Proactive Protection Advanced Configuration ........................................ 309
Create Groupware Policies .................................................................. 479
Licensing ...................................................................................... 526
Manage License Status ..................................................................... 526
Licensing Messages ........................................................................ 527
Complete the Licensing Registration Process ................................................ 528
Product Subscription Management Tool ..................................................... 529
View Endpoint Details .......................................................................... 529
Filter the Endpoint List ..................................................................... 530
Reassign Licenses .......................................................................... 530
Unassign Licenses ......................................................................... 531
View Product Information ...................................................................... 531
Edit Contact Details ........................................................................ 533
Link an Order to Your Account .............................................................. 534
View Support Contact Details ............................................................... 534
Manage License Requests ...................................................................... 535
Renew or Upgrade a License ............................................................... 537
Migrate a License .......................................................................... 538
Endpoint Discovery ............................................................................ 539
Manage Endpoint Discovery ................................................................ 540
Configure Endpoint Discovery .............................................................. 543
Schedule Endpoint Discovery ............................................................... 544
Specify Endpoint Discovery Methods ........................................................ 546
Enter Authentication Credentials ............................................................ 547
Specify IP Range Exclusions ................................................................ 548
Specify Port Scanning Parameters .......................................................... 549
Specify Advanced Parameters .............................................................. 551
Specify Endpoint Discovery Logging Options ................................................ 553
Management Server Proxy ..................................................................... 554
Manage Proxy Servers ..................................................................... 554
Add Management Proxy Servers ............................................................ 557
Configure Management Proxy Servers ...................................................... 559
Active Directory ............................................................................... 560
Using Active Directory Servers ............................................................. 560
Add Active Directory Servers ............................................................... 561
Manage Active Directory Servers ........................................................... 563
Server Databases .............................................................................. 564
Configure Management Server Databases ................................................... 565
Event Server .............................................................................. 566
Set Database Storage Connection .......................................................... 567
Set Storage Preferences.................................................................... 568
Maintain the Event Server .................................................................. 569
Schedule Event Server Maintenance ........................................................ 570
View Event Server History .................................................................. 572
Archive the Event Server ................................................................... 573
View Archive History ....................................................................... 575
View Archived Databases ................................................................... 576
User Roles ..................................................................................... 577
Manage User Roles ......................................................................... 577
View the User Role Details ................................................................. 579
Add or Remove Users from User Roles ...................................................... 580
Revert to Older Signatures ..................................................................... 582
Microsoft SQL Server Connection ............................................................... 589
Database Connectivity ..................................................................... 590
Management Console Connection ............................................................... 590
Active Directory Server Configuration ........................................................... 591
Discovery or Remote Deployment Issue ........................................................ 591
Log Shows “Service creation failed with retCode [50029]” ....................................... 591
Endpoint Discovery Does Not Start ............................................................. 592
Endpoint Discovery Failed to Locate Endpoints .................................................. 592
Endpoint Discovery Runs for a Prolonged Time .................................................. 593
An Endpoint is Listed without an IP Address ..................................................... 593
Turn on Management Server Logging ........................................................... 594
Generate a Diagnostic Report .................................................................. 594
Diagnose a Report Failure ...................................................................... 595
Chapter 1: Introduction
This section contains the following topics:
Types of Protection
CA Total Defense provides multiple layers of protection to safeguard your
network against malicious programs, viruses, spyware, and other threats. The
following sections provide a brief overview of Total Defense protection policies.
Anti-Malware
Proactive Protection
Controls network traffic between the endpoint and other computers and
networks. Performs stateful packet inspection so that it can identify and
permit only traffic that matches known legitimate connection behavior.
Application Controls
Keeps track of authorized applications and stops non-authorized applications
from executing on the endpoint.
OS Security
Intrusion Protection
Inspects inbound and outbound network traffic from multiple sources to
identify suspicious patterns that can indicate a network attack. The intrusion
policy is based on sets of rules that identify such traffic; when an anomalous
event is detected, the policy generates alerts and determines what action is
taken.
Vulnerability Assessment
Assesses endpoint vulnerability by examining account and password settings
and reports whether an endpoint is out of compliance.
Groupware
CA Gateway Security
Product Infrastructure
CA Total Defense for Unified Network Control ensures that every endpoint
connected to your corporate network complies with your established security
policies. If an endpoint is not compliant, CA Total Defense for Unified Network
Control puts the device into network quarantine, which limits its access to
network resources. A device in network quarantine can access only those
remediation servers that bring the device back into compliance.
For more information, refer to the product documentation located in the CA
Total Defense for Unified Network Control Docs directory or on the CA Support
website.
Product Infrastructure
For detailed information about the CA Total Defense product architecture, see
the Product Infrastructure section in the CA Total Defense Implementation Guide
for Distributed Installations.
Client-Server Communication
This section describes the communications that occur between endpoints and CA
Total Defense server components.
Phone Home
To modify the default settings of the Phone Home policy, you can copy and paste
the default policy and create a customized policy for your environment. For
example, you can adjust the phone home settings to stagger them so that
different groups of endpoints contact the server at different times to avoid peaks
of heavy network traffic. You might also choose to designate a secondary server
as a backup in case the primary server is unavailable, or have certain endpoints
contact a Management Server Proxy instead of the Master Management Server.
To modify the Phone Home policy, you use the Policy Editor from within the
Management Console.
Note: Any time that you modify the name of the primary or secondary server,
you must use the server's fully qualified domain name.
More Information
The following table shows the CA Total Defense components that use IIS:
Component | Description in Computer Management Window | Port
To view IIS
1. Log onto the computer hosting the Management Server and go to the Control
Panel
For more information on IIS, refer to the official Microsoft IIS website at
www.iis.net.
The following diagram shows the data flow between unmanaged, managed and
mobile endpoints and CA Total Defense server components. This example
represents a Distributed Installation in an organization's main IT department.
The data flow is the same in a Standalone installation except that all of the server
components are installed on a single host machine.
The following diagram shows the communication and data flow when proxies are
used at a remote office:
The Management Console
The main functional areas of the Management Console (the numbered sections in
the following illustration) provide access to the following features, functions, and
information:
1. The Navigation Pane, on the left of the console, helps you quickly move from
one area of the console to another. The following section in this guide
provides additional information about the Navigation Pane.
2. The Toolbar, at the top of the main panel in the console display, provides
task-oriented buttons and drop-down menus that perform actions related to
the content displayed in the Work Area. The items on the Toolbar vary
depending on the task you are performing or the content you are viewing.
3. The Work Area, located just below the Toolbar, displays information or
configuration options that you can set. When you select an item in the
Navigation Pane, this area of the console displays the appropriate content.
4. The Link Menu, in the top right corner, lets you refresh the console data, set
personal preferences, view product version information, and access the
online help procedures.
When you first log into the Management Console, the Dashboard page appears.
The navigation pane, on the left side of the page, provides quick and easy access
to different functional areas in which you perform specific management tasks.
The functional areas group similar tasks together and include the following
categories:
Overview
Provides access to the Dashboard, which displays an instant assessment of
CA Total Defense and the endpoints in your organization. Check the
Dashboard at the beginning of each day for a view of the overall status of
your network's health.
Monitor
Provides access to the event viewing and reporting areas. Use these areas of
the console regularly to review high-priority events and to view, schedule,
and generate reports.
Maintain
Provides access to policies, partitions, endpoints, and endpoint deployment.
In most cases, you will use this area of the console primarily during product
implementation, and only periodically after implementation to adjust
policies, deploy the product to new endpoints, or add new product features
to endpoints.
Configure
To access the functions in the categories, expand the headings to navigate to the
area you want to access. A down arrow indicates the heading is fully expanded.
A right arrow indicates that you can drill down further into a functional area.
The Management Console provides a Filter tool and a Find tool to help you
quickly locate and work with specific items or information.
These tools appear on pages that can potentially display long lists of data. To use
these tools, click the down arrow to the left of the tool's label to expand the pane
and display the options available for filtering or searching. The options available
vary, based upon the content of the page.
The Find tool finds the first item that matches criteria you specify and highlights
that item in the list, keeping all non-matching items on the page for your
reference. You can use the Next and Previous buttons to move to the next or
previous occurrence of the item. This allows you to view or work with a selected
item and still refer to other items on the page.
The Filter tool allows you to display only the items that match the specified filter
criteria and removes all other data from the page. This allows you to view or
work with only a subset of the data.
The Filter tool also provides the Retrieve New List option to help you to view an
updated list from the Management Server before you perform any filtering
operations. When you select the Retrieve New List option and click Submit, the
Management Console retrieves the new list and applies the specified filter
options to display only the items that match your criteria.
You can use the Filter tool on the Managed Endpoints and Unmanaged Endpoints
pages to enter a character or text string into the Endpoint Name option, to view
only the items with the matching character or text string.
You can use the * wildcard to represent one or more characters, or the ? to
represent a single character. For example, to find all endpoints with names
beginning with XP, enter XP* in the Endpoint Name field. The filter displays all
endpoint names beginning with XP, regardless of the length of the name. If you
enter XP? in the Endpoint Name field, the filter displays only those endpoints
named XPA, XPB, XPC, and so on.
When working in the Management Console, consider using the following features
for easy access to functions and to personalize your workspace:
■ Hover your cursor over buttons, drop-down menus, and links to view tool
tips.
■ Use right-click pop-up menus, rather than Toolbar buttons or drop-down
menus, to access functions in the Work Area.
■ Hover your cursor over table data to view additional text descriptions.
Some tables provide multiple column sorting. If so, you will see a number
displayed in the column heading. Specify a primary and secondary column,
and so on, before sorting the columns.
■ Drag and drop columns in tables to place them in a different order.
You can open the Management Console on the computer that hosts the
Management Server or from a remote computer using a web browser.
To open the console from the Start menu on the computer hosting the
Management Server
Note: The Domain field is only required if the user account you are logging
in as is not a user on the local system.
3. Click Login.
The Management Console appears and displays the default Dashboard
panels.
1. Enter one of the following URLs in the address bar of the browser, and then
click Go:
■ https://<servername>/catd
■ https://<servername>:CA Portal/catd
Where:
The first time you open the Management Console, a Security Alert Dialog may
appear. To avoid this dialog in the future, click View Certificate, Install
Certificate, and follow the prompts in the wizard.
Chapter 2: Monitoring Your Network's Health
This section contains the following topics:
Dashboard (see page 27)
Reports (see page 29)
Events (see page 37)
Dashboard
The Dashboard provides information that helps you monitor the health of the
endpoints on your network. Check it at the beginning of your day to see the
activity of the last 24 hours. You may also want to view the Dashboard
periodically for updates as data is refreshed or to view the activity of the last
7-day period.
When you first log into the Management Console, it displays four default
Dashboard panels, in a side-by-side layout. The default panels include the
following information:
■ Signature status
Lets you review the latest signature version and download date, and the
number of endpoints that have valid or out-of-date signatures.
■ Malware status
Shows you the number of endpoints that require attention because they are
currently infected or require a reboot to complete the cleaning process. You
can also see the number of endpoints that are clean or on which an infection
was disarmed.
■ Endpoint Status
Shows you the number of managed and unmanaged endpoints, as well as
the number of unsuccessful deployments of the CA Total Defense
Agent/Client. Managed endpoints are workstations, desktops, laptops, or
servers in your organization that are running the Client and that have
phoned home to the Management Server. Unmanaged endpoints do not
have the Agent/Client installed and are at risk.
■ CA Global Advisor
Gives you immediate access to the latest research and blogs from the CA
Security Advisor website. Click a link to view an article or go directly to the
CA Global Security Advisor website.
An additional panel, the Server Monitor, is also available, but not part of the
default Dashboard. This panel provides basic operating, hardware, and
networking information on the system running the Management Server. You can
view this panel by expanding Panels in the Navigation Pane and then selecting
the Server Monitor.
Custom Dashboards
The Management Console lets you create a custom Dashboard that contains the
information that you find most useful. To create a custom Dashboard, you can
click the New button and set the options in the Create Custom Dashboard dialog
to choose the panels to include and the panel layout to use. You can choose
panels by selecting them from a dialog or by dragging and dropping them into a
new, blank Dashboard.
You can also specify whether this custom Dashboard should be the new default
Dashboard. If you save your custom Dashboard as the new default Dashboard,
the Management Console displays it automatically each time you log in.
Once you have created a custom Dashboard, it appears in the Navigation Pane
on the left side of the Management Console, just beneath the Dashboards item.
To view a custom Dashboard that is not the new default Dashboard, click the
Dashboard's name in the Navigation pane. You can also edit or delete custom
Dashboards.
If you have created multiple partitions to allow other users, or groups of users, to
manage specific endpoints, these users can view partition-specific information
for the Signatures and Malware panels. To view partition-specific information,
you select the appropriate partition from the Partition drop-down menu. The
Dashboard then displays information for the selected partition only in these two
panels. The Endpoints panel does not support partition-specific views.
If you have assigned User Roles within your organization, certain roles may or
may not have privileges to view the data presented in the Dashboard. The
Partition drop-down menu presents only the partitions that a user has the
rights to view. If the user does not have any partition privileges, the
partition-specific panels display a message stating that the information is
unavailable for this user.
For example, a User Manager cannot view the Signatures or Malware panels. If a
User Manager attempts to view these panels, they display a message stating
that the user does not have the privileges to view the information. However,
the User Manager can view the Global Security Advisor panel.
Reports
CA Total Defense provides numerous out-of-the-box reports for all product
components, as well as easy-to-use templates that let you create fully
customized reports. You can also choose from several output formats and
viewing options.
The Report Server gathers data from several different resources when
generating reports. Depending on the type of report, the report data comes from
one of the following resources:
■ The Events database provides information about endpoint events related to
CA Total Defense product components, such as Anti-Malware, Proactive
Protection, and Groupware Option.
■ The CA Total Defense Management Server database provides information for
reports that provide information regarding policies and endpoints.
■ The CA Total Defense for Unified Network Control Management Server
database provides information for reports related to CA Total Defense for
Unified Network Control.
All reports are saved locally on the Report Server. You can view all reports using
the Management Console or any of the additional methods described in this
section.
Report Generation
You can manually generate reports at any time, or schedule report generation to
occur automatically at a specific time or at regular intervals.
You can manually generate reports using one of the following three methods:
■ From Configure Reports, select a product component, then one or more
reports, and click Generate.
■ From View Reports, select a report and click Regenerate.
■ From Scheduled Tasks, select the task and click Go.
When you schedule reports, you can set all time-related fields, including the
report generation time, to match the time zone of the person who receives
the report. The time zone option lets you send the most current information
available to recipients in time zones that are different from your own.
The Report Server provides different viewing methods and actions that allow
you to use the data in a variety of ways. When you configure reports, you
specify the viewing method or action of your choice. When the report is
successfully generated, the Report Server notifies you that it is ready for
viewing.
Report Viewer
Displays reports directly from the Management Console. Use predefined or
custom filters to display only the reports you want to view. The Report
Server provides several predefined Report Filters and easy-to-use templates
that help you create custom filters.
Note: The web browser you use to view reports must have the pop-up
blocker disabled for the Total Defense Management Console URL. If pop-ups
are blocked, any report you attempt to view from the View Reports page in
the Management Console is either blocked or opens in a new page that
replaces the console's current page.
Note: Do not use this report action when you expect reports to be large.
Email
Sends emails that include HTML links to the generated reports to a list of
recipients. Click the links to view the reports through your web browser.
RSS Reader
Delivers generated reports to an RSS feed. When a report generation
completes, the Report RSS server is notified with a user-configurable
message. You must also point your RSS reader application at the Report RSS
feed. In addition, you can have the RSS message include a link to the Report
Catalog. The catalog displays all reports that were generated in this task,
with the size and the report type. When you click the link, you can view the
report through the web interface.
Print
Sends generated reports to a printer. The user initiating the report must
have permission to access the printer. Additionally, to print reports the
Report Server machine must have the following:
■ A valid printer configured on the Report Server machine.
Upload
Uploads reports to an external folder located on the Report Server. The user
initiating the report must have permission to access the designated folder.
Run
Sends the report to an external application. The user initiating the report
must have permission to start and run the specified application. Because
this action starts an external program with the initiating user's privileges,
limit which users are allowed to configure it.
Predefined Reports
The View Reports page in the Management Console provides quick and easy
access to dozens of out-of-the-box reports that require no user configuration.
These reports are available once your product implementation is complete.
■ Groupware reports
■ Security information reports, including reports concerning disabled
accounts, locked accounts, and accounts with expired passwords
■ Gateway Security reports for SMTP and HTTP
By default, predefined reports contain data for the previous seven days, but you
can customize the reporting period. You can also choose to run reports against
the current database or archived databases. These options are available when
you configure a new report or edit an existing report.
If you are using CA Total Defense for Unified Network Control, you can generate
and view certain UNC reports using the CA Total Defense Management Console.
To generate the reports, the Report Server queries the CA Total Defense for
Unified Network Control Management Server for the necessary report data.
Before this communication between products can occur, you must specify the
location of the CA Total Defense for Unified Network Control Management
Server.
1. On the computer hosting the Report Server, open the following file in a
text editor:
<Install_dir>\Program Files\CA\TotalDefense\EventSettingManager\SettMngr_EventSettingManager_exe\Topology.XML
2. Add the following entries to the file, replacing UNC_Server_Location
with the host name of the CA Total Defense for Unified Network Control
Management Server at your site (the closing tag is included here so that
the fragment is well formed):
<TopologyNode Type="EverestReporter">
<HostDNS>UNC_Server_Location</HostDNS>
<HostWCFURL>https://UNC_Server_Location:34443/UNCWS/management.asmx</HostWCFURL>
</TopologyNode>
3. Save the file and restart the "CA Total Defense Setting Manager" service.
Custom Reports
The Report Server provides a powerful report customization feature that lets you
create your own reports that include only the data you need. You can filter report
data down to the smallest detail of an event.
With the report template open, you can specify the content for the report. Once
you have saved the report, click Generate to submit the report for generation.
You can include your company logo on your reports, and modify the header and
footer information to customize the look and feel of your reports.
You can replace the CA logo that appears in both default and custom reports with
your company logo.
To fit properly in the logo space of the report, the logo image you use must fit
within the following guidelines:
■ Width up to 145 pixels
■ Height up to 45 pixels
■ Background color: RGB 0x2D3133 (decimal values: Red = 45, Green = 49,
Blue = 51)
For more information on the size and background color requirements, use an
image editor to view the default image properties on the Report server at
<installation_directory>\GeneratedData\Images.
When creating reports, you can choose from the following output formats:
■ HTML
Note: We do not recommend using the HTML format for large amounts of
data.
■ PDF
■ Microsoft Word
■ CSV (comma separated values)
Note: The CSV report output uses UTF-8 encoding and should be used for
importing data to other applications and not for report viewing.
Note: To print reports in Microsoft Word format, the user account issuing the
print command must have Administrator permissions. You can set up the
account and the appropriate privileges once the print command is issued from
the Management Console. If necessary, you can create an account for an
existing, active user with the appropriate print permissions and a non-expiring
password. To set up this user in the Management Console, go to the Reports,
Settings, Reporter Permissions page. Because this account combines
Administrator permissions with a password that never expires, treat it as a
service account: use it only for report printing and restrict who can obtain
its credentials.
The layout of the report depends on the report data type. For example, certain
types of data display better in a given format. The following report layouts are
available:
■ Table
■ Pie chart
■ Bar chart
Report Maintenance
By default, the maintenance process automatically purges any reports older than
seven days. When reports are purged, they are permanently deleted from the
Report Server. However, you can exclude a report from purge so it is not deleted.
To change this setting, you can modify the purge date on your reports from the
Monitor, Reports, Settings, Maintenance page.
You can also use Report Filters to help you remove a group of older reports you
no longer need. To do this, you create a custom Report Filter specifying criteria
that matches the reports you want to delete. Apply the filter by selecting it on the
View Reports page, and, when the matching reports appear, select the entire
group using the Shift or Control keys and click Delete. The reports are
permanently deleted.
Note: The following information is only applicable if you are using multiple
partitions to manage endpoints.
The Report Server enforces partition assignments for the Reporter user role in
the following scenarios:
When reports are viewed through the Reports, View Reports page
Only events generated from partitions the user is assigned to appear in the
reports that the user views in the Management Console. If the requested
report includes data from partitions the user is not assigned to, the
request to view the report is denied.
Note: Partition enforcement does not apply to CA Total Defense for Unified
Network Control reports.
The following user roles can view, delete, create, modify, and schedule reports
regardless of their partition assignments:
■ Administrator
■ Global Policy Manager
Once they generate a report, the data presented in the report is filtered to
include only events from the partitions they are entitled to manage based on
their role assignment.
Events
An event is any CA Total Defense related action or condition that occurs on an
endpoint running the Client or any of the server or proxy components. The
following product components generate events:
■ Anti-Malware
■ Proactive Protection (Firewall, Intrusion Detection, Application Control, and
OS Security)
■ Vulnerability Assessment
■ Groupware Option
■ CA Gateway Security
■ CA Total Defense Server
■ CA Total Defense Agent
■ CA Total Defense for Unified Network Control
Events are categorized as High, Medium, or Low severity, allowing you to filter
the events you want to monitor.
Event Management
The Event Management policy controls the type of information sent to the Event
Server. If you do nothing, the endpoints in your organization receive the
CA-recommended Event Management policy when you deploy the Client to them.
The policy also controls how many times an endpoint retries forwarding an
event, and the total number of attempts it makes, when the initial attempt to
forward the event fails.
The default CA-recommended policy specifies that events are forwarded directly
to the Event Server. You can modify the policy to change the types of events that
are forwarded, how frequently they are forwarded, and whether they are
forwarded directly to the Event Server or to an Event Server Proxy.
If you are in a large enterprise organization, or have offices that are widely
dispersed, CA recommends forwarding events to a set of Event Proxy Servers.
The proxies then forward all events directly to the central Event Server located in
your organization's IT headquarters. Smaller organizations can choose to
forward events directly to the Event Server.
Viewing Events
Once events are stored in the Event Server database, you can view and analyze
the content of the events using the Event Viewer. The Event Viewer provides
default event filters that help you filter the events to display only the events you
are interested in viewing. You can create your own event filters to display the
specific information from the events database.
Best Practice Tip! The larger your organization, the larger your Events
database will be. We recommend creating filters that use a two-week time
interval (or less). Such a filter has a reasonable execution time and returns
a reasonable amount of data. If you need data from a longer period, we
recommend scheduling a report task to generate a report, and then analyzing
the requested data using the report.
Events Statistics
The Statistics page helps you view the status of the Events database. It shows
the current amount of disk space that the database is using. When the used disk
space becomes too large, you can perform immediate maintenance by going to
Configure, Environment, Maintenance, Run Now. You can also specify that upon
archiving the database, the Event Server switches into a new database.
You can also use the Statistics page to review all events by their producer and by
their severity type. Based on your selection, the page displays the information in
graphical bar charts, percentage tables, and numerical tables.
Over time the Events database grows and can become quite large. A large
database increases event filter execution time and slows down other database
operations. You can perform the following procedures to maintain and control
the size of the database:
Maintenance
Delete old records or delete records that match a custom filter you create to
find the records you want to delete. You can choose to delete older records
from the database manually, using the Run now option, or automatically
using the Scheduler option.
If the database is quite large it may take a long time to delete the records. If
you do not want to engage the database and use up CPU cycles on the record
deletion task, you can specify that the deletion not run longer than a set
period of time. Upon reaching the allotted period of time, the current
deletion operation will stop at its first available opportunity. Note that using
this option may prevent the deletion of some of the older data in the
database.
Additionally you can delete records using an event filter. For example, go to
Monitor, Events, Events Viewer, Filter Events in the Management Console.
Then click New to create a new filter based on a type of event, such as all Low
severity events for the Anti-Malware component. Once the filter is created,
go to the Events Viewer, select the new filter you created and click Delete
Events.
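The two deletion procedures above (a time-limited purge of old records, and deletion by a custom filter) as an added example; this is not CA Total Defense code. It uses an in-memory SQLite table standing in for the Events database, the table layout and column names are assumptions, and the sample rows are constructed. The purge deletes in small batches and stops at the next batch boundary once its time budget is spent, which is why some older data can survive a single run, exactly the caveat the guide gives. Remember that purged rows are permanently deleted; archive first if you might need them.

```python
"""Batched, time-budgeted purge of an events table plus deletion by filter.
Added example, not CA Total Defense code; schema and names are assumptions."""
import itertools
import sqlite3
import time
from datetime import datetime, timedelta


def make_events_db(now: datetime, n_days: int = 60) -> sqlite3.Connection:
    """Constructed sample data: one event per day per producer and severity."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, producer TEXT, "
                "severity TEXT, ts TEXT)")
    rows = []
    for day in range(n_days):
        ts = (now - timedelta(days=day)).isoformat()
        for producer in ("Anti-Malware", "Agent"):
            for severity in ("High", "Medium", "Low"):
                rows.append((producer, severity, ts))
    con.executemany("INSERT INTO events (producer, severity, ts) VALUES (?, ?, ?)", rows)
    con.commit()
    return con


def purge_older_than(con: sqlite3.Connection, cutoff: datetime, budget_seconds: float,
                     batch_size: int = 100, clock=time.monotonic) -> dict:
    """Delete rows with ts < cutoff in batches so no single statement holds the
    table for long. Stop at the first batch boundary after the time budget is
    exhausted (the 'do not run longer than' option); report what is left."""
    deadline = clock() + budget_seconds
    deleted = 0
    while clock() < deadline:
        cur = con.execute(
            "DELETE FROM events WHERE id IN "
            "(SELECT id FROM events WHERE ts < ? ORDER BY ts LIMIT ?)",
            (cutoff.isoformat(), batch_size))
        con.commit()
        if cur.rowcount == 0:
            break                      # nothing old left
        deleted += cur.rowcount
    remaining = con.execute("SELECT COUNT(*) FROM events WHERE ts < ?",
                            (cutoff.isoformat(),)).fetchone()[0]
    return {"deleted": deleted, "remaining_old": remaining}


def delete_by_filter(con: sqlite3.Connection, producer: str, severity: str) -> int:
    """Delete records matching a custom filter, e.g. all Low events for Anti-Malware."""
    cur = con.execute("DELETE FROM events WHERE producer = ? AND severity = ?",
                      (producer, severity))
    con.commit()
    return cur.rowcount


def demo() -> dict:
    """Constructed scenario: 60 days of events, 30-day retention, and a fake clock
    that advances one tick per call so the budget is exhausted after one batch."""
    now = datetime(2024, 1, 31)
    con = make_events_db(now)
    cutoff = now - timedelta(days=30)
    ticks = itertools.count()
    first = purge_older_than(con, cutoff, budget_seconds=1.5, clock=lambda: next(ticks))
    second = purge_older_than(con, cutoff, budget_seconds=10, clock=lambda: next(ticks))
    low_am = delete_by_filter(con, "Anti-Malware", "Low")
    return {"first": first, "second": second, "low_am_deleted": low_am}


if __name__ == "__main__":
    print(demo())
```

The first run deletes one batch of 100 rows and stops with 74 old rows remaining; a second run with a larger budget removes the rest, and the filter-based deletion then removes the 31 remaining Anti-Malware Low events.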
Archiving
Note: The following information only applies to your environment if you have
assigned CA Total Defense User Roles to specific users or groups of users. If you
have not assigned User Roles, you can ignore this section.
CA Total Defense User Roles enforce user permissions when viewing events on
the Event Viewer page. The following list describes the permissions for each role:
Administrator
Views and deletes events generated from all partitions, including the
Unassigned partition.
Global Policy Manager
Views and deletes events generated from all partitions, including the
Unassigned partition.
Global Reporter
Views and deletes events generated from all partitions, including the
Unassigned partition.
Partition Reporter
Views events generated only from the partitions for which the user is
assigned the Reporter role.
Note: If you filter events against partitions that you are not entitled to view, no
events will be displayed in the Event Viewer.
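The partition rules above (for the Event Viewer) and the report-access rules described under Report Maintenance, as an added example rather than CA Total Defense code. The role names and the Unassigned partition follow the guide; the data model, function names and sample events are assumptions, and unknown roles are denied by default.

```python
"""Partition enforcement for event viewing and report access.
Added example, not CA Total Defense code; data model is an assumption."""
from dataclasses import dataclass

UNASSIGNED = "Unassigned"
# Roles that see, and may delete, events from every partition including Unassigned.
GLOBAL_ROLES = frozenset({"Administrator", "Global Policy Manager", "Global Reporter"})


@dataclass(frozen=True)
class User:
    name: str
    role: str
    partitions: frozenset = frozenset()   # meaningful only for Partition Reporter


@dataclass(frozen=True)
class Event:
    id: int
    partition: str
    severity: str   # High, Medium or Low


def visible_partitions(user: User, all_partitions) -> set:
    """Partitions whose events the user is entitled to see (deny by default)."""
    if user.role in GLOBAL_ROLES:
        return set(all_partitions) | {UNASSIGNED}
    if user.role == "Partition Reporter":
        return set(user.partitions)
    return set()


def filter_events(user: User, events, requested_partitions=None) -> list:
    """Event Viewer behaviour: only events the user may see. Filtering against
    partitions the user is not entitled to view yields no events at all."""
    allowed = visible_partitions(user, {e.partition for e in events})
    if requested_partitions is not None:
        allowed &= set(requested_partitions)
    return [e for e in events if e.partition in allowed]


def can_delete_events(user: User) -> bool:
    return user.role in GLOBAL_ROLES


def can_view_report(user: User, report_partitions) -> bool:
    """Report Server rule: the whole report is denied if it contains data from
    any partition the user is not assigned to."""
    return set(report_partitions) <= visible_partitions(user, report_partitions)


# Constructed sample data, not real events.
SAMPLE_EVENTS = [
    Event(1, "Desktops", "High"),
    Event(2, "Database Servers", "Medium"),
    Event(3, UNASSIGNED, "Low"),
    Event(4, "Desktops", "Low"),
]
ADMIN = User("alice", "Administrator")
DESKTOP_REPORTER = User("bob", "Partition Reporter", frozenset({"Desktops"}))

if __name__ == "__main__":
    print([e.id for e in filter_events(DESKTOP_REPORTER, SAMPLE_EVENTS)])
    print(can_view_report(DESKTOP_REPORTER, {"Desktops", "Database Servers"}))
```

The Partition Reporter sees only the Desktops events, never the Unassigned partition, and a report that mixes Desktops with Database Servers is refused outright rather than partially shown.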
Unassigned Partition
If you have endpoints in your organization that have not yet phoned home to the
Management Server, and therefore have not yet been assigned to a partition,
the events for those endpoints are placed in the Unassigned Partition. This
partition lets you view the events for those endpoints that do not yet belong to a
specific partition. When the endpoint eventually phones home and is placed into
a partition, its events will no longer appear in the Unassigned Partition.
Sends high-severity events when malware items rated High or Critical risk
are detected.
Agent
Sends high-severity events when an accepted real-time policy fails to be
applied to the client.
Event Insight
Event Insight is a subcomponent of the Event Layer that monitors the event
stream and generates email notifications with a statistical summary when
certain conditions are met. The statistical information includes the following:
■ Total events matching the Event Insight filter
■ Measurement time interval
■ First event occurrence
■ Last event occurrence
The Event Insight module does not have a graphical user interface. For
information on tuning and setting Event Insight, contact CA Support.
Events from endpoints and Event Server Proxies are posted from the event bus
to the IIS Event site over HTTPS or HTTP, depending on your configuration. Use
HTTPS unless the network path to the Event site is otherwise protected: over
plain HTTP, event data can be read and altered in transit.
On the IIS Event site, the events are captured and forwarded to the Event Server
using an MSMQ channel and stored in a local storage queue (MSMQ queue).
The database server pulls the stored events from the Event Server using the
MSMQ channel and stores them on the Microsoft SQL Server database (or
Microsoft SQL Server Express).
Requests from the Management Console are handled by the TD R12 site on the
IIS machine.
The site hosts the Event layer client component that acts as a proxy between the
Management Console and the Event Management components. Communication
between the client proxy and the Event Management is implemented by a WCF
channel.
Settings Manager
Report Server
Provides access to the client proxy to manage any operation related to
Reports and Event filters, such as create, delete, view, or generate.
Notification Processor
Provides access to the client proxy to manage any operation related to
Notification management, such as view, edit, delete, or generate.
When you install the Management Server, a default Partition Assignment Tree
and default Policy Assignment Trees for each policy type are automatically
created for you. These default trees are set up so that all endpoints are initially
accounted for and receive the default CA-recommended policies. You can use all
of the default trees as initially installed or you can modify some or all of the trees
to meet specific management requirements within your organization.
Best Practice Tip! We recommend that you carefully read and fully understand
how these trees work before making any modifications to them.
Each tree has a root branch that is automatically created when you install the
Management Server.
The root branch of each Policy Assignment Tree is called Policy Tree Root. You
cannot change this name.
The root branch of the Partition Assignment Tree is called Managed Endpoints.
You can change the name of the root branch of the Partition Assignment Tree to
something that is more meaningful to your organization or you can use the
default name.
1. Open the Partition Assignment Tree page, and select Managed Endpoints.
3. Click Edit.
4. On the Branch Properties page, enter a new name in the Name field.
Policy and Partition Tree Concepts
To achieve specific management goals, you can subdivide the root branch of the
tree structures and create additional branches. These branches can also have
sub-branches, forming a parent and child relationship. The child branches can
also have child branches, and so on.
You create a new branch by subdividing the root branch or a previously created
branch. Each branch can be subdivided according to one of five different
dimensions, or criteria. When you subdivide a branch for the first time, you must
select one of the five branch subdivision options. You can only subdivide a
specific branch using one subdivision option. Sibling branches (branches at the
same level of the tree with the same parent) can only be added using the same
subdivision option as the initial child branch. However, you can use other
options to subdivide any of the child branches. That is, the method you choose
to subdivide one branch does not affect the choices available for subdividing
its child branches. This gives you complete flexibility when creating trees.
The following diagram shows a root branch subdivided initially by the IP Address.
Its sibling branch must also be based on the IP Address option. However, the
child branches are defined using the Platform option.
Note: You must assign each branch in the Partition Assignment Tree a unique
name. Duplicate names are not allowed in this tree. However, duplicate names
are permitted in the Policy Assignment Tree, as long as they are not both
children of the same parent branch.
Each time you initially subdivide a specific branch, the Management Server
creates an additional branch for all endpoints that do not fall into the new
branch. In Policy Assignment Trees, the name of this branch is always “Other
Endpoints.” In the Partition Assignment Tree, the name of the additional branch
is Other Endpoints or Other Endpoints (n) where n is an incremented integer
starting at 1. The integer is incremented for each new branch, as partition names
in the Partition Assignment Tree must be unique.
For example, if you subdivide the root branch of the Partition Assignment Tree by
platform type and specify Windows 2000, all endpoints with this operating
system are assigned to this partition when they phone home. Endpoints with a
different operating system are assigned to the Other Endpoints partition.
Best Practice Tip! We recommend that you change the name of the Other
Endpoints branch when the Management Console prompts you to do so. The
branch name should have some meaning that fits within your organization.
The following list describes the options available for subdividing branches:
IP Address
Subdivides the branch by IP address. A branch can be defined by a single IP
address string or by a list of addresses. In addition, each string can point to
a single address, or, using wild cards or other notations, to a range of
addresses. This option supports trailing wild cards, Classless Inter-Domain
Routing (CIDR) notation, address and netmask notation, and IPv6 notation
to specify a subnet range.
Endpoint Name
Subdivides the branch using the names of the managed endpoints. You can
use an asterisk (*) wild-card to represent multiple characters, or a question
mark (?) to represent a single character. For example, an organization based
in Australia might use "AUS" at the beginning of each endpoint name.
Entering AUS* places all endpoints located in Australia into this branch.
Platform
Subdivides the branch based on operating system type. Using this category
you can create a partition for all endpoints running one or more specific
operating systems. For example if you chose Windows 2008 Server, you
could create a partition for all the servers in your organization running this
operating system.
Active Directory
Subdivides the branch using your existing Active Directory structure. If you
are currently using Active Directory to manage the endpoints in your
organization, you can select any of the existing Active Directory structures
and use them to create one or more partitions in the Partition Assignment
Tree or branches in a Policy Assignment Tree. When you use this option, the
Management Console displays a representation of your Active Directory tree.
You only need to select the objects to use. You must first specify your Active
Directory instance using the Directory Services page under Configure,
Environment.
Custom Variable
Subdivides the branch based on a CA-provided variable or a custom variable
that you define on your endpoint.
For example, if you create a variable named ORACLE and set its value to 1,
and you then define a branch with the custom variable ORACLE and value of
1, then all endpoints with this variable and value would be placed into this
branch.
If more than one custom variable is defined for a branch, an endpoint only
needs to match one of the custom variables to be assigned to the branch.
Adding a new entry under this key with a specific value defines a custom
variable with the same name and value as the registry entry.
Note: When you save a newly created branch, the Management Server scans the
new branch's subdivision rules and compares them to your existing tree
structure. If the new branch's subdivision options are a subset of the parent
branch, or overlap a range of the parent branch, an invalid tree structure
message is returned. Review the existing tree structure and correct the values
specified in the subdivision option.
The partition and branch assignment process follows the subdivision rules until
an endpoint falls into an undivided branch or partition whose attributes match
those of the endpoint. The endpoint is then assigned to that branch or partition.
The following steps describe how endpoints are assigned to partitions and
branches:
The Policy Assignment Tree lets you create and assign policies to branches that
house groups of endpoints that you want to manage the same way. Each policy
type has its own Policy Assignment Tree. This provides you complete flexibility in
creating policies based on an endpoint's role or function.
Note: Each branch is assigned a single policy in each Policy Assignment Tree.
While a different policy can be assigned to each branch, a specific policy can also
be assigned to more than one branch. A branch can also have NO policy assigned
to it, which means that the endpoint users can set their own values for the
settings defined in this policy type.
For example, you could create three different Anti-Malware policies to protect
endpoints with the following functional roles:
■ Research & Development
■ Critical Application Servers
■ Desktops
Each Anti-Malware policy would have specific settings based on its general
function. To implement this policy coverage, you would create two sibling
branches (branches at the same level of the tree) in the Anti-Malware Policy
Assignment Tree. Suppose your organization uses a standard endpoint naming
scheme, so you decide to use the Endpoint Name subdivision option. The
Management Server creates the third branch automatically for all other
endpoints. All endpoints that do not fall into the first two branches will fall into
this branch.
As endpoints phone home to the Management Server, they fall into the matching
branch and pull the policy assigned to that branch. An endpoint from Research
and Development named RDdoe picks up the policy from the Research and
Development branch. An endpoint named CASsqldb picks up its Anti-Malware
policy from the Critical Application Servers branch. An endpoint named OTjane
picks up the policy from the Other Endpoints branch.
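The subdivision options and the assignment walk described above, including the Anti-Malware example with RDdoe, CASsqldb and OTjane, as an added example; this is not CA Total Defense code. It enforces that siblings share one subdivision option, creates the automatic Other Endpoints branch, lets a child level use a different option (here, an IP range under Research & Development), and follows the rules until an endpoint reaches an undivided branch. The endpoint attribute names, rule encodings and policy names are assumptions; the wildcard semantics (asterisk for any run of characters, question mark for exactly one) and the IP notations are the ones the guide lists.

```python
"""Partition/Policy Assignment Tree matching and endpoint assignment.
Added example, not CA Total Defense code; attribute and rule encodings are assumptions."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    ip: str
    platform: str
    ad_path: str = ""                                 # assumed form: "OU=Sales,DC=example,DC=com"
    variables: dict = field(default_factory=dict)     # custom variables, name -> value


def ip_matches(pattern: str, ip: str) -> bool:
    """Trailing wild card (10.1.*), CIDR (10.1.0.0/16), address and netmask
    (10.1.0.0/255.255.0.0) and IPv6 (2001:db8:1::/48). A bare address is a /32 or /128."""
    if pattern.endswith("*"):
        return ip.startswith(pattern[:-1])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


# One matcher per subdivision option. A rule is the list (or dict) of criteria for one branch;
# for Custom Variable, matching any single variable is enough, as the guide states.
MATCHERS = {
    "IP Address":       lambda rule, ep: any(ip_matches(p, ep.ip) for p in rule),
    "Endpoint Name":    lambda rule, ep: any(fnmatch.fnmatchcase(ep.name, p) for p in rule),
    "Platform":         lambda rule, ep: ep.platform in rule,
    "Active Directory": lambda rule, ep: any(ep.ad_path.endswith(p) for p in rule),
    "Custom Variable":  lambda rule, ep: any(ep.variables.get(k) == v for k, v in rule.items()),
}


@dataclass
class Branch:
    name: str
    rule: object = None                               # criteria selecting this branch; None = catch-all
    policy: str = None                                # a branch may have no policy at all
    option: str = None                                # subdivision option used for its children
    children: list = field(default_factory=list)


def add_child(parent: Branch, name: str, option: str, rule, policy: str = None) -> Branch:
    """Subdivide a branch. The first subdivision fixes the option for all siblings
    and creates the automatic 'Other Endpoints' branch, which is always kept last."""
    if parent.option is None:
        parent.option = option
        parent.children.append(Branch("Other Endpoints"))
    elif parent.option != option:
        raise ValueError(f"siblings under {parent.name!r} must use {parent.option!r}, not {option!r}")
    child = Branch(name, rule=rule, policy=policy)
    parent.children.insert(len(parent.children) - 1, child)
    return child


def assign(root: Branch, ep: Endpoint) -> Branch:
    """Follow the subdivision rules from the root until an undivided branch is reached."""
    node = root
    while node.children:
        match = MATCHERS[node.option]
        node = next((c for c in node.children if c.rule is not None and match(c.rule, ep)),
                    node.children[-1])                # nothing matched: Other Endpoints
    return node


def build_example_tree() -> Branch:
    """The guide's three-way Anti-Malware split, plus an IP-based child level under R&D."""
    root = Branch("Policy Tree Root")
    rnd = add_child(root, "Research & Development", "Endpoint Name", ["RD*"], policy="AM-RnD")
    add_child(root, "Critical Application Servers", "Endpoint Name", ["CAS*"], policy="AM-Servers")
    root.children[-1].policy = "AM-Desktops"          # policy for the automatic Other Endpoints branch
    add_child(rnd, "R&D Lab", "IP Address", ["10.1.0.0/16", "2001:db8:1::/48"], policy="AM-RnD-Lab")
    rnd.children[-1].policy = "AM-RnD"
    return root


if __name__ == "__main__":
    tree = build_example_tree()
    for ep in (Endpoint("RDdoe", "10.1.5.9", "Windows 7"),
               Endpoint("CASsqldb", "10.2.0.3", "Windows 2008 Server"),
               Endpoint("OTjane", "10.3.0.3", "Windows XP")):
        b = assign(tree, ep)
        print(ep.name, "->", b.name, b.policy)
```

RDdoe at 10.1.5.9 lands in R&D Lab, an RD endpoint outside that range lands in R&D's own Other Endpoints branch, CASsqldb picks up the servers policy, and OTjane falls through to the root's Other Endpoints; trying to add a root-level sibling with a different option is rejected.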
For organizations that have a single user or a single group of users responsible
for managing all of the organization's endpoints, there is no need to create
additional partitions beyond the default partition, Managed Endpoints. When you
use the default partition, all endpoints are managed by a single user or group.
Note that you can still assign different, customized policies to various endpoints
even though all endpoints are assigned to the same partition. To achieve this,
you use the Policy Assignment Tree.
The only reason to modify the Partition Assignment Tree is if different users or
groups of users manage specific groups of endpoints. For example, an IT
department may have a group responsible for managing database servers and
another group responsible for managing all desktops. As the CA Total Defense
Administrator, you can create a partition for the database servers and another
one for the desktops. You can then assign certain individuals, or the entire
group, the appropriate user roles to manage the endpoints.
Each Policy Assignment Tree and the Partition Assignment Tree can easily
function using its root branch alone. If necessary, however, you can subdivide
the root branch of a tree to create additional partitions or branches and child
branches.
The only reason to modify the Partition Assignment Tree is if you have different
groups of users that are required to manage certain sets of endpoints. If you
have a small number of IT Administrators or a single Administrators group that
will manage all endpoints in the organization, you do not need to modify the
Partition Assignment Tree. Subdividing the Partition Assignment Tree adds
management overhead and is not recommended unless it is necessary to satisfy
your IT management organization.
Will the policies you need have different settings based on the types of
endpoints they protect?
The only reason to modify a Policy Assignment Tree is if you need to assign
specific policy settings to different groups of endpoints for a given policy type.
For example if you need an Anti-Malware Real-time policy for servers and a
different Anti-Malware Real-time policy for other endpoints, you should
subdivide the root partition to support this implementation.
The following steps provide a general outline for designing a tree structure:
3. With your tree structure visually laid out, use the Management Console to
lock the default tree to avoid potential collisions with other users.
4. Create the new branches and sub-branches, as needed, by referring to your
diagrammed notes.
5. Review the changes and then save the new tree structure.
Tree Operations
The following sections describe behavior when common operations are
performed on the tree structures.
Locking Trees
Before you can modify a tree, you must first lock it by clicking the Lock button.
Locking the tree avoids collisions with other users who might also be attempting
to modify the same tree at the same time. Unless the tree is locked you cannot
make modifications to it. When you are finished modifying the tree, you then
click the Apply button to save your changes to the tree. Your changes are
committed to the Management Server database and the tree is unlocked.
Note: If a user accidentally leaves a tree locked and does not return to unlock it,
other users will be unable to modify the locked tree. However, a user with the
Administrator or Global Policy Manager role can use the Locked Trees page to
unlock a tree.
Tree Modifications
As you modify a tree structure, the Management Console retains your changes
until you are ready to finalize them and displays information about any branches
that have been added or modified in italic font. Before you save the changes,
verify that the tree structure satisfies your needs, and then click Apply. Once you
save the changes to the database, the Management Console displays the new
tree structure in normal, non-italic font.
Branch Deletion
If you have modified the default tree structures by adding additional branches to
the Policy Assignment Tree, or additional partitions to the Partition Assignment
Tree, you can delete a branch or partition at any time. When a branch or partition
is deleted, each endpoint in the deleted branch will receive a new branch
assignment the next time the endpoint phones home to the Management Server.
Before you delete a branch or partition, you can determine the endpoint's new
branch assignment by viewing the remaining partitions or branches subdivision
options and determining where each endpoint will land. In most cases, the
endpoint will fall into the Other Endpoints branch at the same level of the deleted
branch.
Note: If you are deleting a partition from the Partition Assignment Tree that has
child-partitions, you must first delete all of the lower level child partitions before
you can delete the parent partition. However, you can delete a branch in the
Policy Assignment Tree that contains child-branches.
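The branch matching described earlier in this section (an endpoint falls into the first sibling branch whose Endpoint Name subdivision matches it, otherwise into the automatically created Other Endpoints branch) and the branch-deletion behaviour described just above (endpoints in a deleted branch land in a remaining branch at their next phone-home), shown together as an added Python example. This is illustration code written for this guide, not CA Total Defense code; the prefix-based name matching, the branch and policy names, and the demo() helper are assumptions chosen to mirror the RDdoe, CASsqldb and OTjane example in the text.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Added illustration of Policy Assignment Tree behaviour; not CA Total Defense
# code. Branch names, policy names and the "leading characters of the endpoint
# name" matching rule are assumptions made for the example.

OTHER = "Other Endpoints"  # branch the Management Server creates automatically


@dataclass
class Branch:
    name: str
    policy: str                   # policy assigned to this branch
    prefix: Optional[str] = None  # Endpoint Name subdivision; None = catch-all
    children: list = field(default_factory=list)

    def matches(self, endpoint_name: str) -> bool:
        # The Other Endpoints branch has no prefix and claims whatever its
        # sibling branches did not.
        return self.prefix is None or endpoint_name.startswith(self.prefix)


class PolicyAssignmentTree:
    def __init__(self, root_policy: str):
        # The root branch carries the CA-recommended default policy.
        self.root = Branch("Managed Endpoints", root_policy)

    def subdivide(self, parent: Branch, name: str, prefix: str, policy: str) -> Branch:
        """Add a sibling branch under parent. The Other Endpoints branch is
        created alongside the first subdivision and inherits the parent policy."""
        if not any(c.prefix is None for c in parent.children):
            parent.children.append(Branch(OTHER, parent.policy))
        branch = Branch(name, policy, prefix)
        # Explicit branches are checked before the catch-all branch.
        parent.children.insert(len(parent.children) - 1, branch)
        return branch

    def resolve(self, endpoint_name: str) -> tuple[str, str]:
        """Walk the tree the way an endpoint does when it phones home and
        return (branch name, policy) for that endpoint."""
        node = self.root
        while node.children:
            node = next(c for c in node.children if c.matches(endpoint_name))
        return node.name, node.policy

    def delete_branch(self, parent: Branch, name: str) -> None:
        # A policy branch can be deleted even if it has child branches; the
        # endpoints simply resolve elsewhere at their next phone-home.
        parent.children = [c for c in parent.children if c.name != name]


def demo() -> dict:
    """Reproduce the Anti-Malware example: two sibling branches plus the
    automatic third one, then delete a branch and re-resolve."""
    tree = PolicyAssignmentTree("Anti-Malware Real-time (CA default)")
    tree.subdivide(tree.root, "Research and Development", "RD", "AM Real-time - R&D")
    tree.subdivide(tree.root, "Critical Application Servers", "CAS", "AM Real-time - servers")
    names = ("RDdoe", "CASsqldb", "OTjane")
    before = {n: tree.resolve(n) for n in names}
    tree.delete_branch(tree.root, "Critical Application Servers")
    after = {n: tree.resolve(n) for n in names}   # CASsqldb now lands in Other Endpoints
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

Before you delete a real branch, run the same exercise against your own subdivision rules: the endpoints that drop into Other Endpoints inherit whatever policy that branch carries, which is usually the less restrictive default.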
Only specific CA Total Defense user roles can modify the Partition Assignment
Tree or Policy Assignment Trees. The following list describes each user's
permissions related to the tree structures:
Administrator X X X
Global Reporter X
User Manager X
Audit Archivist X
Policy Concepts
This section contains a description of the three policy categories that are
available in CA Total Defense Endpoint Protection:
■ CA-recommended Default Policies
■ Global Policies
■ Partition Policies
CA Total Defense provides a default policy with preset options, based on best
practice experience, for each policy type. The recommended policies are
automatically assigned to the root branch of each Policy Assignment Tree and
provide immediate, "out of the box" protection. If you install the Management
Server and make no changes to policies or the Policy Assignment Trees, the
endpoints in your organization pull the default policies when they phone home to
the server.
The default settings for each policy are used as the default values any time you
create a new policy. However, you can always change the default values to
settings that work for your particular environment. You can then specify that the
newly modified policy should be the new default policy. Each time you create a
policy of that type in the future, it will contain your site-specific values.
Note: You can easily recognize the default policy as it appears in bold font in the
Management Console.
Default policies are also automatically placed into each new Remote Installation
package that you create. For example, if you install the Anti-Malware product
component, the default policies associated with this policy type include:
Real-time, Scheduled Jobs, Scheduled Scan Options, and Malware Submission. A
default policy exists for each of these policies and is automatically included in
your installation package. To use the default policies you do not need to do
anything but select the product component you want to deploy. If you want to
create a policy with different settings, you can remove the default policy and
include your modified policy instead.
This greatly reduces the overhead of endpoint deployment and provides you with
immediate protection. Some organizations may choose to use the default
policies for all endpoints, while other organizations may choose to modify some
policies.
Best Practices Tip! To create custom policies, use the default policies as a
starting point. Make a copy of the CA-recommended policy and use the copy as
the basis for the custom policy. While the CA-recommended policy is the current
default policy, it cannot be deleted. If you create a custom policy and make it
the new default policy, you can then delete the CA-recommended policy. We
recommend that you do not delete it, but keep a copy of the original before you
make any modifications.
Policy Assignment
You can assign a policy to one or more branches of the Policy Assignment Tree
for a specific policy type. Policies can be assigned to a branch in one of the
following ways:
■ A single policy is assigned to a single branch of the tree
The policy contains settings that are specific to the endpoints in the branch it
is assigned to, settings that you do not want to apply to the endpoints in
other branches of the tree.
Global Policies
Global policies are available to all Partition Policy Managers to use in the
partitions they manage. If you are using multiple partitions to delegate
management tasks for specific endpoints to other users in your organization, you
may consider creating global policies.
The Management Console displays a globe icon to the left of a global policy name
in policy lists.
Administrators and Global Policy Managers are the only users with permission to
create, edit, or delete global policies.
Partition Policies
Partition-specific policies are only available for use in a specific partition. Users
that are assigned the Partition Policy Manager role create and manage partition
policies.
Best Practice Tip! We recommend that you only use partition policies if you
have created multiple partitions in the Partition Assignment Tree, or intend to do
so in the future.
If you are a CA Total Defense Administrator or Global Policy Manager, you can
promote policies that are created within a single partition to become global
policies for general availability across all partitions.
Endpoint Management
The Maintain Endpoints page provides a view of all managed and unmanaged
endpoints on your network. Managed endpoints have the CA Total Defense
Agent/Client installed. Unmanaged endpoints have been discovered by the
Endpoint Discovery tool, but do not have the CA Total Defense Agent/Client
installed. You can also deploy the CA Total Defense client and review the status
of deployment jobs from this page.
Viewing Endpoints
Both the Managed and Unmanaged endpoint lists provide general information
about each endpoint:
■ The Unmanaged list displays the endpoint's name, IP address, platform, and
when the endpoint was discovered.
■ The Managed list provides the same information, plus the name of the
partition the endpoint belongs to in the Partition Assignment Tree, and the
CA Total Defense Endpoint Protection products currently installed.
If the list of managed or unmanaged endpoints fills more than one page, you can
use the navigational aids at the bottom of the page to go to a specific page
number, move to the next or previous page, or jump to the first or last page.
In addition, you can quickly locate a specific endpoint using the Filter tool.
Note: The Filter panel is collapsed when you open the View Endpoints page.
■ Alternatively, you can use multiple criteria to narrow your search. For
example, to find all endpoints using Windows XP that begin with the
name "aus," enter "aus" in the Endpoint Name field and select Windows
XP from the Platform drop-down menu.
For detailed information about a managed endpoint, select the endpoint from the
Managed list and click the Details button. For information about a group of
endpoints, you can select them using the Shift or Control keys.
The Details button opens the Endpoint Details page, with four tabs of detailed
information:
General
Displays detailed information about an endpoint's system information and
interfaces. From this tab you can quickly determine the partition the
endpoint belongs to and the last time it phoned home to the Management
Server.
Products
Displays the product components installed on the endpoint and indicates
whether they are up to date with the latest version available. Use this tab to
check if an endpoint's product components are up to date, and if necessary,
initiate a content update request.
Policies
Displays the policies assigned to an endpoint, and the branch to which the
endpoint belongs. Use this page to check if an endpoint has downloaded the
latest policies.
Custom Variables
Displays any custom variables and the associated values assigned to the
endpoint.
If you selected multiple endpoints from the Managed Endpoints list, the Endpoint
Details page lists each endpoint in the Endpoint Name list on the left. Click an
endpoint name to view detailed information for that endpoint.
The Content Update policy specifies the settings that endpoints use to contact a
Redistribution Server for content updates that include new signature files,
product updates, and patches. The Content Update policy specifies when the
update action occurs.
The View Endpoints, Details page displays whether the product components for a
particular endpoint are up to date. To access the Details page, select an
endpoint, and click the Details button. If a component is up to date, the Up to
Date? field displays a green check mark. If an endpoint is not up to date with the
latest component updates, the Up to Date? column displays a red "X."
If an endpoint does not have the latest version of one or more product
components, you can click the Update button to send an update request to the
endpoint that lists a series of tasks to perform. When the endpoint phones home
to the Management Server (at its regularly scheduled time), it picks up the
Update request and gets the latest component from the update source specified
in the Content Update policy.
Remote Deployments
The Centralized Deployment page lets you perform new product deployments of
the CA Total Defense Agent/Client and policies to any unmanaged endpoints in
your organization. You can also add product components to endpoints that
already have the CA Total Defense Agent/Client installed.
When the package has been assigned, use the Set Up drop-down menu to enter
the administrative credentials necessary to access each endpoint. You can also
test the login credentials before you start the deployment. The Set Up
drop-down menu provides several other options, but only the login credentials
are required before you can start the deployment. The other options include
specifying an alternate target directory for the installation, specifying the
endpoint's locale, setting a reboot option for the endpoint, and running the
competitive uninstaller to remove any third-party anti-malware programs from
the endpoint.
Chapter 4: Configuring Your Environment
Use the Configure, Environment pages to configure the following aspects of the
CA Total Defense environment:
■ Licensing Management
■ Endpoint Discovery
■ Directory Services
License Management
The Product Subscription Management (PSM) tool lets you proactively manage
your CA Total Defense licenses. Using PSM you can easily do the following:
■ Assign, unassign, and reassign specific endpoints to licenses in your license
pool
Your license pool contains the total number of available licenses for a
given license key. For example, if your company purchases a license for 100
endpoints, the license pool initially contains 100 licenses. If 75 endpoints are
using licenses, 25 licenses are still available in the license pool.
■ See a consolidated view of all Assigned Endpoints and Unassigned Endpoints
An assigned endpoint is currently using one license from the license pool and
can actively run the CA Total Defense products that the license entitles it to
run. An unassigned endpoint is not using a license and cannot run any of the
CA Total Defense products.
Note: The PSM tool resides on the CA Entitlement Management System (EMS).
To access the PSM tool you must have an active Internet connection.
The following sections describe the concepts and tasks associated with licensing
your CA Total Defense products.
■ The EMS verifies the products you are entitled to install based on the
products your company purchased and displays those applications in the
Installation Wizard's product selection menus.
■ The EMS sends you an email with a license activation link within 24 hours
of your installation.
If you do not have an Internet connection, or the license is not found, you can
continue the installation and complete the license activation later using the
CA Total Defense Offline Licensing tool. The product runs in a 30-day trial
mode with full functionality until you register and activate your license.
5. When you receive the license activation email, you must click the link in the
email to activate your license.
6. After activating your license, you must then click the Synchronize button
located in the Management Console to immediately end the trial period. This
causes the Management Server to immediately generate a unique Node-id.
The PSM sends the node-id to the EMS.
7. The EMS creates a license pool and assigns it to the node-id of the
Management Server.
8. After the Client/Agent is deployed to your endpoints, each endpoint checks
for an entitlements.xml file before it starts running the CA Total Defense
products.
The following illustration shows the communication flow between the managed
endpoints running the CA Total Defense Client or CA Total Defense for Unified
Network Control Agent and the CA Entitlement Management System.
The PSM tool collects information from each endpoint to create a unique node-id
for every endpoint. This information is used to create an organization chart that
provides ease of management as it displays all the Assigned Endpoints and
Unassigned Endpoints in your organization with the PSM graphical user interface.
The following list describes the properties that are collected from every
endpoint:
SID
Host-Name
The endpoint's name as registered in the operating system.
Hardware Architecture
MAC Address
The Media Access Control address, which uniquely identifies the endpoint's
network interface card.
With Assigned Endpoints selected, the lower right side of the page displays the
endpoints that are currently assigned a license from your license pool:
Because the PSM resides on the CA Entitlement Management System, you must
have an active Internet connection when you launch the tool. The PSM uses
several security mechanisms to protect all communications between the PSM
and the Entitlement Management System. These security mechanisms include:
■ User authentication when logging in to the Management Console
■ Encryption of data
■ HTTPS/SSL over a designated port
To launch the PSM, click the Manage Licenses button in your CA Total Defense or
CA Total Defense for Unified Network Control Management Console. The PSM
opens in a separate web browser window. The following snapshot shows the PSM
populated with artificial, "test" data:
You can then perform your licensing tasks as necessary. When you are finished
with all licensing tasks, close the browser window to close the PSM. Return to the
Management Console and click the Manual Synchronization button to
immediately send all changes to the Entitlement Management System.
Synchronization
Every 24 hours the PSM automatically transmits the entire organization structure
to the Entitlement Management System, which maintains a current copy of the
organization as well as additional historical copies. You can configure the time
at which this synchronization occurs on the Manage Licenses page in the
Management Console. Because the Entitlement Management System keeps several
historical copies, it compares the current organization chart from the PSM
against the historical charts and resolves any discrepancies.
License Expiration
The Management Console begins to display alerts when you log into the console
and in the banner area of the main console page beginning 90 days prior to the
license expiration date. It displays additional alerts at 60 and 30 days. This
allows you time to evaluate your licensing needs and purchase additional
licenses or renew your existing licenses. If your license expires and you choose
not to renew it, the following actions occur for each installed product:
■ 90 days before the license expires, each user logging into the Management
Console receives a message about the coming expiration. This message
appears once, the first time the user logs in after the 90-day point has been
reached.
■ 60 days before the license expires, the same notification is sent to each user
logging into the Management Console. Again, the message appears only
once when the user logs into the console after the 60-day point has been
reached. In addition, a similar message appears at the top of the
Management Console (in the “Logged in as” line) for the duration.
■ Starting on the expiration day, and continuing for the next 15 days, a
message with a yellow background appears and remains in the same
location within the Management Console.
■ Starting at 15 days after expiration, and continuing until the 30-day point is
reached, the same message appears with a red background and remains in
the same location in the Management Console.
■ At 30 days after expiration, you can no longer log into the Management
Console. Instead, a pop-up window appears and allows you to access the
Product Subscription Management tool. With the tool, you can request a new
license key and upgrade your license.
Every unique purchase of this product comes with a specific subscription length
of 1, 2, or 3 years. CA provides a 30-day grace period at the end of the
subscription to allow time for product renewal. Prior to the end of the grace
period, you must purchase a new license for an additional period of 1, 2, or 3
years. When you renew the product, the CA Entitlement Management System
sends you a new license for the additional period and deducts the number of
grace days (if any were used) from the current subscription.
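The expiration-alert schedule and the 30-day grace period described above, as an added Python example so the state for a given date can be checked rather than read off the list. This is illustration code written for this guide, not CA code. The state labels are my own, and the renewal arithmetic is my reading of "deducts the number of grace days used": the new term is counted from the old expiry date rather than from the day you renewed.

```python
from __future__ import annotations
from datetime import date

# Added example; not CA Total Defense code. Encodes the alert timeline and
# grace period described in this guide. State names are labels chosen here.

GRACE_DAYS = 30


def alert_state(today: date, expiry: date) -> str:
    """Which Management Console notice applies on `today` for a license
    that expires on `expiry`."""
    days_left = (expiry - today).days
    if days_left > 90:
        return "none"
    if days_left > 60:
        return "login-notice-90"          # shown once, at the first login after the 90-day point
    if days_left > 0:
        return "login-notice-60+banner"   # shown once at login, plus a banner for the duration
    overdue = -days_left
    if overdue < 15:
        return "expired-yellow"           # expiry day through day 14 after expiry
    if overdue < GRACE_DAYS:
        return "expired-red"              # day 15 through day 29 after expiry
    return "locked-out"                   # console login refused; only the PSM pop-up remains


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                    # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def renewed_expiry(old_expiry: date, renewal_date: date, term_years: int) -> date:
    """Expiry date after a renewal bought on `renewal_date`.

    Grace days already consumed are deducted from the new term, so the term is
    counted from the old expiry date. Raises if the term is not one that is
    sold or if the grace period has already lapsed (assumption: once locked
    out, a renewal no longer applies and a new key is required)."""
    if term_years not in (1, 2, 3):
        raise ValueError("subscriptions run for 1, 2 or 3 years")
    grace_used = max(0, (renewal_date - old_expiry).days)
    if grace_used >= GRACE_DAYS:
        raise ValueError("the 30-day grace period has ended; request a new license key")
    # Counting the term from renewal_date and subtracting grace_used gives the
    # same date as counting it from old_expiry.
    return _add_years(old_expiry, term_years)


if __name__ == "__main__":
    expiry = date(2024, 6, 1)
    for d in (date(2024, 1, 1), date(2024, 3, 3), date(2024, 5, 1),
              date(2024, 6, 1), date(2024, 6, 16), date(2024, 7, 1)):
        print(d, alert_state(d, expiry))
    print("renewed:", renewed_expiry(expiry, date(2024, 6, 20), 1))
```

The practical point is the last band: 30 days after expiry you lose console access entirely, so any external monitoring you build on this schedule should page well before the red band, not at it.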
If after your initial purchase of this product, you decide to add additional
components, you can use the PSM to request a migration to a product with
additional features. If you purchase additional components, CA sends you a new
license key with the additional products. The same is true for upgrading your
product to a higher version.
If you decide to reduce the number of licenses during a renewal period, the
Product Subscription Management tool transfers some endpoints to key-less trial
mode. During the 30-day period of the key-less trial mode, you must unassign a
license from a few non-critical endpoints and reassign the licenses to protect the
most critical endpoints in your organization. This allows you to stay within the
new license count.
If you add more endpoints, renew, migrate, or upgrade your CA Total Defense or
CA Total Defense for Unified Network Control product, the OLP sends you a new
license key. If you are renewing, upgrading or migrating your existing product
and not adding new components, you can simply enter the new license key using
the Link Order tab in the Product Subscription Management tool. You access this
tab by clicking Product Information on the left side of the Product Subscription
Management page.
When the Link Order page opens, you enter the order number and the new
license key number from the email or hard-copy certificate you received from
CA, and then click Submit. After you submit the information, close the Product
Subscription Management tool and return to the Management Console. At the
next regularly scheduled synchronization time, the Product Subscription
Management tool sends the information to the CA Entitlement System and
associates the new key with the server's node-id. To send the information
immediately, click the Synchronize Licenses button on the Management
Console's License Management page.
If you are migrating to new product components, install the components from
your product DVD and, when prompted by the Installation Wizard, enter the new
license key number. The Installation Wizard sends the key to the CA Entitlement
Management System, which associates the node-id of the system where you are
installing the component with the license key.
License Reassignment
The PSM application lets you easily manage the assignment, unassignment, and
reassignment of endpoints to and from your license pool.
To reassign licenses, you first unassign the license from one or more currently
licensed endpoints and then assign the freed licenses to the new endpoints.
The new endpoints are identified by their unique node-id, and the changes to
your licensing are sent to the Entitlement Management System during the next
synchronization.
If you have reached the maximum number of licenses available in the license
pool and need to license a new proxy or server, you can unassign a license from
an existing server component and reassign it to the new one. After assigning
the license to the new proxy or server, you can designate that component as the
primary point of contact for Clients/Agents.
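The license pool from the License Management overview (a fixed number of licenses per key, with assigned and unassigned endpoints) and the assign, unassign and reassign operations described above, as an added Python example. This is illustration code written for this guide, not the PSM or any CA code. Deriving the node-id as a SHA-256 over the four collected properties (SID, host name, hardware architecture, MAC address) is an assumption; the guide says only that those properties are collected to build a unique node-id. The sample SIDs and MAC addresses are constructed.

```python
from __future__ import annotations
import hashlib

# Added example; not CA Total Defense code. Models the PSM license pool and
# its assign/unassign/reassign operations. The node-id construction below is
# an assumption, not the PSM's actual algorithm.


def node_id(sid: str, hostname: str, arch: str, mac: str) -> str:
    """Stable identifier derived from the properties the PSM collects.
    Canonicalising case and MAC separators keeps the id stable across the
    differing ways operating systems report them."""
    canonical = "|".join([sid, hostname.lower(), arch.lower(),
                          mac.lower().replace("-", ":")])
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class LicensePool:
    def __init__(self, license_key: str, size: int):
        self.license_key = license_key
        self.size = size
        self.assigned: dict[str, str] = {}           # node-id -> hostname
        self.pending_sync: list[tuple[str, str]] = []  # sent to the EMS at next synchronization

    @property
    def available(self) -> int:
        return self.size - len(self.assigned)

    def assign(self, nid: str, hostname: str) -> bool:
        if nid in self.assigned:
            return True                  # already licensed; nothing to do
        if self.available == 0:
            return False                 # pool exhausted: unassign something first
        self.assigned[nid] = hostname
        self.pending_sync.append(("assign", nid))
        return True

    def unassign(self, nid: str) -> bool:
        if self.assigned.pop(nid, None) is None:
            return False
        self.pending_sync.append(("unassign", nid))
        return True

    def reassign(self, from_nid: str, to_nid: str, to_hostname: str) -> bool:
        """Free a license from one endpoint and hand it to another."""
        if from_nid not in self.assigned:
            return False
        self.unassign(from_nid)
        return self.assign(to_nid, to_hostname)

    def synchronize(self) -> list[tuple[str, str]]:
        """Return and clear the change set that goes to the EMS."""
        changes, self.pending_sync = self.pending_sync, []
        return changes


def demo() -> dict:
    # Constructed sample endpoints; SIDs and MACs are not real.
    pool = LicensePool("KEY-TEST", size=2)
    a = node_id("S-1-5-21-1-1-1", "RDdoe", "x64", "00:11:22:33:44:55")
    b = node_id("S-1-5-21-2-2-2", "OTjane", "x86", "00-11-22-33-44-66")
    c = node_id("S-1-5-21-3-3-3", "CASsqldb", "x64", "00:11:22:33:44:77")
    ok_a = pool.assign(a, "RDdoe")
    ok_b = pool.assign(b, "OTjane")
    refused = pool.assign(c, "CASsqldb")        # pool is full
    moved = pool.reassign(b, c, "CASsqldb")     # protect the critical server instead
    return {"ok_a": ok_a, "ok_b": ok_b, "refused": refused, "moved": moved,
            "available": pool.available, "changes": len(pool.synchronize())}


if __name__ == "__main__":
    print(demo())
```

Note that an unassigned endpoint cannot run any CA Total Defense product, so in a real reassignment the order matters: keep the freed license unused for as short a time as possible, and synchronize immediately afterwards rather than waiting for the 24-hour cycle.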
If you did not activate the license for your CA Total Defense product, the
Management Console displays the following message:
This message appears if you did not activate your license when you installed the
product. You must activate your license within 30 days or the product will no
longer work.
Note: Only a user with Administrator privileges on the Management Console can
complete the registration process.
There are two options for completing the licensing registration process and
activating your license, online license activation and offline license activation.
Online license activation
Online license activation requires Internet access for the Management
Server and the license activation email. The CA Entitlement Management
System sends you this email after you have entered a valid license key
during installation. The email should arrive quickly, but at most within 24
hours. If you cannot find the activation email, contact your sales
representative or visit the CA Support website and click the Licensing link.
Offline license activation
For offline license activation, you must download and install the CA Total
Defense Licensing Utility, then follow the instructions provided in the help for
that utility. Visit this site https://ems.ca.com/synctool to download the
utility.
4. Click Licensing.
The Licensing page opens, listing the days remaining until your license
expires and when the next synchronization occurs.
5. Click Synchronize Licenses.
Note: You must have an active Internet connection during the license activation
and manual synchronization steps.
Management Server Proxy Implementation
The following steps describe the process for implementing a Management Server
Proxy in your environment:
1. Determine where in your organization you should install a Management
Server Proxy.
3. Install the Management Server Proxy component from the CA Total Defense
DVD.
5. Modify the Phone Home policy to add the name of the proxy as either the
primary or secondary server for endpoints to contact.
The next time the endpoints phone home to the Master Management Server,
they retrieve the modified Phone Home policy that tells them which
Management Server Proxy to contact in the future.
From that point forward, the endpoint phones home to the designated
Management Server Proxy instead of the Master Management Server.
When you install a Management Server Proxy, the Installation Wizard generates
a certificate that allows the proxy to communicate with the Master Management
Server. However, if you install the Management Server Proxy in a DMZ, the
proxy cannot contact the Master Management Server to synchronize policy or
endpoint information.
Note: You must ensure that a copy of the security certificate is accessible from
the Management Console.
1. Click Environment.
2. Click Management Proxy Servers.
The Management Proxy Servers page opens.
3. Click Add.
The Add Installed Proxy page opens.
4. Enter the proxy name and click Browse to upload the certificate that was
created during the proxy installation.
6. Click Add.
The server is added to the proxy server list.
Note: Click Discard to remove any changes you made and stay on this page, or
click Cancel to discard your changes and return to the Management Proxy
Servers page.
Endpoint Discovery
Endpoint Discovery finds all unmanaged endpoints on your network and runs in
the following two modes:
Full Discovery
After you have installed the Management Server and you are ready to deploy
the Agent/Client to the endpoints in your network, you use Endpoint
Discovery and perform a Full Discovery to find all of the unmanaged
endpoints. You can then deploy the Agent/Client using the Management
Console's remote installation feature.
Incremental Discovery
After you have fully deployed and implemented CA Total Defense, new
endpoints may have joined the network. To find any unmanaged endpoints
after a Full Discovery has already been performed, you can run an
Incremental Discovery. You can choose to run an Incremental Discovery
every day. Endpoints that were previously discovered are ignored and only
newly detected endpoints are reported.
Endpoint Discovery remembers and reuses the discovery method that was
successful in contacting each endpoint. This greatly reduces the overhead of
an incremental discovery and avoids a "hit or miss" trial discovery of each
endpoint. However, if the discovery method for a specific endpoint should
change due to changing dynamics of your network, the newer successful
method for that endpoint is remembered and reused in subsequent scans.
For this reason performing an incremental discovery is more efficient than
performing a full discovery.
Duplicate endpoints are ignored and the final results are stored in the locally
hosted Endpoint Discovery database. They are also written to an XML file named
Discovery-<Timestamp>.xml in the /CA/Results directory.
After discovering unmanaged endpoints, you can view a list of the endpoints by
selecting the Maintain Endpoints, Unmanaged Endpoints in the Management
Console. From this page you can easily select the endpoints to manage and click
the Install button to perform a remote installation of the CA Total Defense
Agent/Client.
The following illustration shows the process for finding unmanaged endpoints
using the Management Console:
The following lists describe the benefits and constraints of using the DNS
discovery method:
Benefits
■ Widely used, operating system-independent protocol
■ Detects endpoints in domains and subdomains
■ If DNS zone transfers are enabled, can detect endpoints in a highly secure
network behind a firewall
Constraints
■ Cannot detect endpoints in a local workgroup
■ Cannot detect the endpoint's operating system
■ This protocol may be blocked in a highly secure network behind a firewall
Note: A zone transfer hands out your complete host inventory to whoever
requests it. If you enable zone transfers for discovery, restrict them on the
DNS server to the address of the system that runs Endpoint Discovery rather
than allowing them from any host.
The following lists describe the benefits and constraints of using this discovery
method:
Benefits
■ Commonly used by network scanning and system management software
■ May be allowed to reach some isolated workgroups behind firewalls
■ Operating system-independent
■ Uses fewer packets than a TCP ping scan when network traffic is a concern
Constraints
■ This protocol may be completely blocked by a firewall in a highly secure zone
■ Can detect other infrastructure devices, such as printers or routers, making
operating system detection mandatory to determine if the detected device is
a valid endpoint
The following lists describe the benefits and constraints of using this discovery
method:
Benefits
■ Specific TCP ports used by CA Total Defense can be specified during
configuration, thereby increasing endpoint detection
■ TCP stack is available on all endpoints
Constraints
■ Can detect other infrastructure devices, such as printers or routers, making
operating system detection mandatory to determine if the detected device is
a valid endpoint
■ Can be flagged as suspicious activity by an intrusion detection system,
resulting in false positives
Note: You can avoid false positives from your intrusion detection system by
adding CA Total Defense to the system's list of whitelisted applications.
If the initial scanning methods are unable to determine the endpoint's operating
system, Endpoint Discovery uses one of the following tools or methods to detect
the operating system:
■ Windows Management Instrumentation
■ Windows Remote Management
■ Active fingerprinting
The benefits and constraints of each configurable method are listed in the
following sections.
The following lists describe the benefits and constraints of using WMI and
WinRM to determine an endpoint's operating system:
Benefits
■ Commonly used in system management software
■ WinRM is HTTP-based, so it can work across firewalls
■ Highly reliable method for detecting operating system information on
Windows endpoints
■ Uses the system administration credentials already required for system
management
Constraints
■ A small unmanaged network may not have WMI or WinRM enabled
■ In a highly secure network these protocols may be blocked
If WMI and WinRM could not determine a detected endpoint's operating system,
Endpoint Discovery uses Active Fingerprinting to determine it.
The following lists describe the benefits and constraints of using this method for
determining an endpoint's operating system:
Benefits
■ TCP stack is available on all endpoints
■ Specific TCP ports used by CA Total Defense can be specified during
configuration, allowing the retrieval of operating system information
84 Administration Guide
Endpoint Discovery
Constraints
■ Can be flagged as suspicious activity by an intrusion detection system,
resulting in false positives
Note: You can avoid a false positive detection from your intrusion detection
system by adding CA Total Defense to your whitelisted applications.
The SMB and DNS discovery methods obtain the hostname and IP address of
detected endpoints. During this process, Endpoint Discovery observes the nature
of IP assignments on the network and formulates an approximate map of your
network. This map is flexible enough to account for certain IP boundaries that
are not yet identified by the current scan.
Because some IP addresses may not be assigned or may not be live during the
discovery scan, a response may not be received from a large number of IP
addresses from within the network map. However, any unresponsive IP
addresses that were detected in a previous discovery, or that are part of the
network map, are removed from the list of unresponsive IPs.
Unresponsive Endpoints
If a previously detected endpoint does not respond during a discovery scan, its
Maximum Inactivity Count value is set to 1. Each time it fails to respond to a
scan, this variable is incremented by 1. When the Maximum Inactivity Count
value exceeds the number you specify in your discovery configuration, the
endpoint is removed from the database. If a previously unresponsive endpoint
does respond during a scan, and it has not exceeded the Maximum Inactivity
Count, its value is reset to 0.
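The Maximum Inactivity Count rule above is easy to get wrong at the boundary (the count must exceed the configured value, not merely reach it, and a single response resets it). The following Python model is an added example written for this guide, not CA Total Defense code; the endpoint names and scan results are constructed sample data.

```python
"""Added example, not CA Total Defense code: a model of the Maximum
Inactivity Count rule for endpoints that stop responding to discovery
scans.  The endpoint names and scan results are constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class DiscoveryDatabase:
    """Previously detected endpoints and how many consecutive scans each
    has missed.  `max_inactivity` is the value from the discovery
    configuration that the count must exceed before removal."""
    max_inactivity: int
    inactivity: dict = field(default_factory=dict)   # endpoint -> consecutive misses
    removed: list = field(default_factory=list)      # endpoints purged, in order

    def add_endpoint(self, endpoint):
        self.inactivity.setdefault(endpoint, 0)

    def record_scan(self, responders):
        """Apply one discovery scan; `responders` is the set of known
        endpoints that answered it."""
        for endpoint in list(self.inactivity):
            if endpoint in responders:
                # A response resets the count, so only consecutive misses
                # accumulate.
                self.inactivity[endpoint] = 0
                continue
            # The first miss sets the count to 1; each further miss adds 1.
            self.inactivity[endpoint] += 1
            if self.inactivity[endpoint] > self.max_inactivity:
                # Removal happens when the count *exceeds* the configured
                # value; merely reaching it leaves one more scan of grace.
                del self.inactivity[endpoint]
                self.removed.append(endpoint)


def simulate(max_inactivity, scans, endpoints=("ws-01", "ws-02", "printer-3")):
    """Run a sequence of scans (each a set of responders) and return
    (current inactivity counts, endpoints removed)."""
    db = DiscoveryDatabase(max_inactivity)
    for endpoint in endpoints:
        db.add_endpoint(endpoint)
    for responders in scans:
        db.record_scan(responders)
    return dict(db.inactivity), list(db.removed)


if __name__ == "__main__":
    # Constructed results: ws-02 misses two scans, answers once, then
    # misses three in a row; printer-3 never answers after the first scan.
    scans = [
        {"ws-01", "ws-02", "printer-3"},
        {"ws-01"},
        {"ws-01"},
        {"ws-01", "ws-02"},
        {"ws-01"},
        {"ws-01"},
        {"ws-01"},
    ]
    print(simulate(2, scans))
```

With the configured value set to 2, printer-3 is removed on the fourth scan (its count reaches 3), while ws-02 survives its first two misses because the response in scan four resets it to 0.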
Endpoint Discovery provides an IP range exclusion option that lets you exclude a
subset of your network from the discovery scan. The exclusion applies to all scan
engines, alongside the other engine-specific configuration options. Exclusion
ranges can be written in the following forms:
■ An explicit range with a fixed CIDR suffix on the starting and ending
IP address, for example: 1.2.3.12/24-1.2.3.252/24.
■ An explicit range of full (not abbreviated) IPv6 addresses; CIDR-style
prefix masking is also supported.
The Endpoint Discovery tool validates the IP address of discovered endpoints and
any IPs that fall in the exclusion range are discarded. For cases where the host
name to IP address resolution does not yield a result, Endpoint Discovery detects
the endpoint, but provides an error code that states IP address resolution could
not be performed and the endpoint may belong to the exclusion range.
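To make the exclusion syntax and the validation behaviour concrete, here is an added Python example (not CA Total Defense code) that parses entries in the forms listed above and applies them to discovered endpoints, including the unresolved-host case. The function names, the error code string and the sample endpoints are constructed for illustration.

```python
"""Added example, not CA Total Defense code: a parser for discovery
exclusion ranges in the forms described above, plus the validation step
that discards discovered endpoints inside an excluded range.  The
function names, the error code and the sample endpoints are constructed."""

import ipaddress

# Constructed error code standing in for the product's "IP address
# resolution could not be performed" error.
UNRESOLVED = "E_IP_RESOLUTION_FAILED"


def _address(text):
    """Parse one address that may carry a /n suffix.  Returns (address,
    prefix or None).  IPv6 must be written in full, eight groups, as the
    exclusion syntax requires; abbreviated forms are rejected."""
    addr_text, _, suffix = text.partition("/")
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr_text.lower() != addr.exploded:
        raise ValueError(f"IPv6 address must not be abbreviated: {addr_text}")
    if not suffix:
        return addr, None
    prefix = int(suffix)
    if not 0 <= prefix <= addr.max_prefixlen:
        raise ValueError(f"bad prefix length /{suffix} for {addr_text}")
    return addr, prefix


def parse_exclusion(text):
    """Return the (first, last) addresses covered by one exclusion entry.

    Accepted forms:
      1.2.3.12/24-1.2.3.252/24   explicit range, same CIDR suffix at both ends
      192.0.2.0/29               CIDR prefix mask
      2001:0db8:0000:0000:0000:0000:0000:0010-2001:0db8:...:00ff  full IPv6 range
    """
    text = text.strip()
    if "-" in text:
        start_text, end_text = text.split("-", 1)
        start, start_prefix = _address(start_text)
        end, end_prefix = _address(end_text)
        if start_prefix != end_prefix:
            raise ValueError(f"range ends must carry the same suffix: {text}")
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {text}")
        return start, end
    addr, prefix = _address(text)
    if prefix is None:
        return addr, addr                       # a single host
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return net[0], net[-1]


def is_valid_exclusion(text):
    try:
        parse_exclusion(text)
        return True
    except ValueError:
        return False


def validate_endpoint(resolved_ip, exclusions):
    """Decide what discovery does with one detected endpoint.

    `exclusions` is a list of (first, last) pairs from parse_exclusion();
    `resolved_ip` is the endpoint's address, or None when host name
    resolution failed.  Returns ("discarded", None) for an excluded
    address, ("detected", None) for a kept one, and ("detected",
    UNRESOLVED) when the check could not be made: the endpoint is still
    recorded, with an error code, because it may be in an excluded range."""
    if resolved_ip is None:
        return "detected", UNRESOLVED
    ip = ipaddress.ip_address(resolved_ip)
    for first, last in exclusions:
        if ip.version == first.version and first <= ip <= last:
            return "discarded", None
    return "detected", None


if __name__ == "__main__":
    rules = [parse_exclusion(entry) for entry in (
        "1.2.3.12/24-1.2.3.252/24",
        "192.0.2.0/29",
        "2001:0db8:0000:0000:0000:0000:0000:0010-"
        "2001:0db8:0000:0000:0000:0000:0000:00ff",
    )]
    # Constructed discovery results: (host name, resolved address or None).
    for host, ip in (("ws-01", "1.2.3.100"), ("ws-02", "1.2.3.253"),
                     ("ws-03", "2001:db8::20"), ("ws-04", None)):
        print(host, validate_endpoint(ip, rules))
```

Note that the parser rejects abbreviated IPv6 entries and mismatched suffixes outright; an exclusion that silently fails to parse would leave hosts you intended to skip inside the scan.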
The following table shows the default, minimum, and maximum values for
timeout, delays, and retries for the various protocol operations. Use the
information in this table to help you configure the most suitable times for
discovery scans on your network.
Note: If your network is generally reliable and it is not rate limiting or prone to
delays, CA recommends using the default packet rate, retries and timeout
values.

Protocol operation                      Default   Minimum   Maximum   Notes
ICMP Sweep Scan Timeout                 0.1 sec   0.1 sec   5 sec     One decimal place is allowed
Active Fingerprinting-based Remote OS   1         0         2
  Detection Scan, Number of Retries
DNS Lookup Timeout                      0.5 sec   0.5 sec   60 sec    One decimal place is allowed
■ For enterprise networks that are not reliable and where delays and drops are
frequent, use an increased number of retries and increased time-out values
to ensure minimum required coverage and accuracy. Increasing the
maximum scan threads can also provide a relatively better result.
■ For entry level server grade systems, use the default value of maximum scan
threads. If the system's specification is better than an entry level server
grade system, you can increase the maximum number of scan threads if the
overall processing requirements of the system are not too high during the
time the discovery/rediscovery process will run.
Ideally, the best configuration is to run discovery with all the scan engines
enabled and with maximum threads, leaving other settings as default. In some
cases, depending on network settings, the configuration should be altered to
optimize discovery performance. The following are some optimization options:
■ If ICMP is blocked on the network, the ICMP engine cannot discover
anything; turn it off to save scan time.
■ Enable port scanning mode and add the ports known to be open across your
network as the preferred ports.
Revert to Older Signatures
3. Select Roll back signatures to, and click the calendar icon to select the date
to which to roll back.
4. Click Apply.
Your request is submitted. If you have the proper permissions and there are
no pending actions blocking the rollback, the signatures roll back to the
version from the date you specified.
After all conflicts are resolved, you must resume signature updates.
Your request is submitted. If you have the proper permissions and there are
no pending actions blocking this action, the signature updates resume.
Directory Services
If you are using Active Directory to manage your network infrastructure, you can
take advantage of the existing framework and feed it directly into the
Management Server. This can greatly reduce the amount of time you spend
implementing CA Total Defense.
To use your Active Directory framework with CA Total Defense, you must specify
the server name and port number (the default is 389) where Active Directory is
hosted, the Active Directory tree name, and whether you want to connect
anonymously or use a secure connection. You access these options by selecting
Configure Environment, Directory Services.
The following conditions apply when using Active Directory on Windows 2000:
■ The Domain password policy must have the Store passwords using reversible
encryption setting enabled. The setting only affects passwords set after it
takes effect, so if you change it, the account used to connect must change
its password afterward. Be aware that reversible encryption stores passwords
in a recoverable form for every account the policy covers, which weakens the
whole domain's credential protection; use it only where this Windows 2000
configuration is unavoidable, and never with a privileged account.
■ Use the fully qualified Domain name of the Active Directory server. For
example,
Use: adserver.travis.ourcompany.com
Do not use: adserver
■ Use Domain information when specifying the user. For example,
Use: travis\jdoe
Do not use: jdoe
■ Subauthentication must be enabled (the default setting).
■ Do not specify a Domain Administrator.
The following conditions apply when using Active Directory on Windows 2003
and later:
■ Use the fully qualified Domain name of the Active Directory server. For
example,
Use: adserver.travis.ourcompany.com
If at any point you need to modify the information you supplied during
installation, you can do so using the Configure Environment, Server Databases
page. The following sections describe the management tasks associated with
each database.
The database also stores additional, underlying data that is not visible through
the Management Console.
Server Database Management
If you move your database from one server machine to another, or make any
other changes that affect the database location, name, or user login credentials,
you must specify those changes in the Management Console. You initially specify
this information when you first install the Management Server or Event Server.
However, you can modify the information at any time after your installation.
Using the Manage Environment page, you can modify the server name that hosts
the database, name of the database instance, port number, and database login
credentials.
Note: If you modify the information for the Management Server, the web service
must be restarted and any users that are currently logged in are automatically
logged off.
The Management Server utilizes many automated clean-up tasks that are built
into the server, requiring no user interaction. It removes duplicate records and
those that are obsolete. It also performs database compaction on a regular
basis. You can also use the Microsoft SQL built-in maintenance features,
including the backup and restore commands, to perform basic maintenance tasks.
Events database
Stores the events that occur on all managed endpoints and CA Total Defense
server components and proxies. It also stores additional, underlying data
that is not visible through the Management Console.
Reports database
Stores all reports templates, reports, and the configuration settings for all
report management activities and Event filters.
Notifications database
A Microsoft SQL Server hosts all three databases in a single instance and uses
the same port number and user access credentials. If you change to any of these
settings, the change affects all three databases. You can modify your initial
settings (made during installation) using the Configure Environment, Server
Databases, Event Server pages. You may find it necessary to periodically
synchronize these settings against your SQL Server.
If you suspect that you have a connection problem, use the Test Connection
button located on the Connection page to test your connections. This feature
displays a message in the Management Console if the connection to all three
databases is successful or if any issues are detected.
You can specify your preferences for the amount of storage that Events database
needs. Most organizations can use the Normal (Light) storage option, which
stores the most common event information and uses less disk space. To store all
events data, choose the Comprehensive (Full) option. Because some events
contain a large amount of data, choosing the Comprehensive (Full) option
requires a much larger amount of available disk space for database storage.
You can choose to delete all database records or only records beyond a specific
date. If the database is quite large it can take a long time to delete the records.
If you do not want to use up CPU cycles on the record deletion task, you can
specify a maximum amount of time that the deletion can run.
As part of regular database maintenance, you should perform archiving when the
database reaches a certain size or at a regularly scheduled interval.
Over time the Events database grows and can become quite large. A large
database increases event filter execution time and slows down other database
operations. You can perform the following procedures to maintain and control
the size of the database:
Maintenance
Delete old records or delete records that match a custom filter you create to
find the records you want to delete. You can choose to delete older records
from the database manually, using the Run now option, or automatically
using the Scheduler option.
If the database is quite large it may take a long time to delete the records. If
you do not want to engage the database and use up CPU cycles on the record
deletion task, you can specify that the deletion not run longer than a set
period of time. Upon reaching the allotted period of time, the current
deletion operation will stop at its first available opportunity. Note that using
this option may prevent the deletion of some of the older data in the
database.
Additionally you can delete records using an event filter. For example, go to
Monitor, Events, Events Viewer, Filter Events in the Management Console.
Then click New to create a new filter based on a type of event, such as all Low
severity events for the Anti-Malware component. Once the filter is created,
go to the Events Viewer, select the new filter you created and click Delete
Events.
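The time-limited deletion described above stops at a batch boundary, which is why some of the oldest data may survive a run. The following Python example, added here and not CA Total Defense code, shows that pattern against an in-memory SQLite database with a constructed events table; the product's real schema, batch size and clock handling are not documented on this page and are assumptions.

```python
"""Added example, not CA Total Defense code: deleting old event records
in small batches under a time budget, the behaviour described for the
Maintenance option above.  It runs against an in-memory SQLite database
with a constructed events table; the product's schema, batch size and
clock handling are not documented here and are assumptions."""

import sqlite3
import time


def seed_events(conn, count):
    """Create a constructed events table: `count` rows, one per hour,
    the oldest `count` hours before a fixed 'now'.  Returns that 'now'."""
    conn.execute("CREATE TABLE events ("
                 "id INTEGER PRIMARY KEY, severity TEXT, logged_at INTEGER)")
    now = 1_700_000_000                 # fixed epoch seconds, reproducible
    rows = [(i, "Low" if i % 3 else "High", now - (count - i) * 3600)
            for i in range(count)]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", rows)
    conn.commit()
    return now


def delete_older_than(conn, cutoff, *, budget_seconds,
                      batch_size=100, clock=time.monotonic):
    """Delete rows with logged_at < cutoff, oldest first, in batches of
    `batch_size`.  After each batch the clock is checked; once the budget
    is spent the loop stops at that batch boundary, which is why some of
    the oldest data may survive a time-limited run.  Returns
    (rows deleted, matching rows still present)."""
    deadline = clock() + budget_seconds
    deleted = 0
    while True:
        cur = conn.execute(
            "DELETE FROM events WHERE id IN ("
            "  SELECT id FROM events WHERE logged_at < ?"
            "  ORDER BY logged_at LIMIT ?)",
            (cutoff, batch_size))
        conn.commit()                   # short transactions keep lock time low
        deleted += cur.rowcount
        if cur.rowcount < batch_size:   # nothing older than the cutoff remains
            break
        if clock() >= deadline:         # budget spent: stop at this boundary
            break
    remaining = conn.execute(
        "SELECT COUNT(*) FROM events WHERE logged_at < ?", (cutoff,)).fetchone()[0]
    return deleted, remaining


class StepClock:
    """Constructed clock that advances one second per reading, so tests
    exhaust the budget deterministically instead of depending on speed."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        self.now += 1.0
        return self.now


def run_maintenance(total_rows, keep_hours, budget_seconds, clock=time.monotonic):
    """Seed `total_rows` events and delete those older than `keep_hours`."""
    conn = sqlite3.connect(":memory:")
    now = seed_events(conn, total_rows)
    cutoff = now - keep_hours * 3600
    return delete_older_than(conn, cutoff, budget_seconds=budget_seconds, clock=clock)


if __name__ == "__main__":
    print(run_maintenance(1000, 300, 60))                    # all 700 old rows go
    print(run_maintenance(1000, 300, 1, clock=StepClock()))  # one batch, 600 left
```

Deleting oldest-first means that whatever a time-limited run leaves behind is the newest of the expired data, and committing per batch keeps the lock on the events table short so event filters keep running alongside maintenance.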
Archiving
Note: If you selected Microsoft SQL Server Express Edition during the
installation of CA Total Defense, archiving is critical, because that edition
limits the database size to 4 GB. Once that limit is reached, new data cannot
be inserted into the database. Configure archiving to occur when the database
reaches 3.5 GB to avoid operational errors.
Best Practice Tip! We recommend that you schedule maintenance to occur
on a regular basis to improve event filtering performance.
The Endpoint Discovery database utilizes many automated clean-up tasks that
are built into the server, requiring no user interaction. It removes duplicate
records and those that are obsolete. It also performs database compaction on a
regular basis. You can also use the Microsoft SQL built-in maintenance features,
including the backup and restore commands, to perform basic maintenance tasks.
User Role Management
Different users can perform specific tasks, such as partition and policy
management, reporting, and auditing, as required by your organization's
internal practices.
■ Avoids the need to create specific per-object permissions
CA Total Defense user roles are simple to use in small organizations with few
endpoints, yet flexible enough to handle the administration of a large, diverse
organization with different users or groups handling different functions from
within the Management Console.
For example, a small organization could have an Administrator with full access to
all areas of the Management Console, and may choose to assign at least one
Audit Archivist role to an individual who is responsible for changes to auditing
settings.
While a user is logged into the Management Console, the rights associated with
their user role remain valid for the entire session. Changes made during the
session, including changes to any groups of which the user is a member, do not
take effect until the user logs out and logs back in. Consequently, removing a
role or a group membership does not revoke access until the affected user's
current session ends; treat the revocation as incomplete until then.
Group Inheritance
The User Roles page shows whether users have inherited permissions through
group membership when you hover your mouse over them.
The Management Server grants the CA Total Defense Administrator user role to
the local system's Administrators group during the installation of the
Management Server. This ensures that at least one user has the Administrative
role in the product. This is true on domain controllers, member servers, and
standalone (non-domain) servers.
Note: If you do not want everyone in the local Administrators group to have an
Administrator role in CA Total Defense, use the Configure User Roles page in the
Management Console to first assign yourself the CA Total Defense Administrator
role, and then remove the role from the Administrator group. You must perform
these steps in that order.
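The ordering in the note matters because removing the Administrator role from the local Administrators group before granting it to yourself leaves nobody able to administer the console. The following Python example, added here and not CA Total Defense code, models role inheritance through group membership and adds the guard a practitioner would want: a revocation that would leave no Administrator is rolled back and refused. The product, as the note describes it, does not refuse the removal; the principal and group names are constructed, and nested group membership is an assumption of this model rather than something the page states.

```python
"""Added example, not CA Total Defense code: resolving a user's effective
role through group membership and refusing a removal that would leave no
Administrator, the reason for the ordering in the note above.  Principal
and group names are constructed; nested group membership is an assumption
of this model, not something the page states."""

ADMIN = "Administrator"


class RoleStore:
    def __init__(self):
        self.direct = {}     # principal (user or group) -> set of roles
        self.members = {}    # group -> set of member principals

    def grant(self, principal, role):
        self.direct.setdefault(principal, set()).add(role)

    def add_member(self, group, principal):
        self.members.setdefault(group, set()).add(principal)

    def groups_of(self, principal):
        """Every group the principal belongs to, following nesting."""
        found, stack = set(), [principal]
        while stack:
            current = stack.pop()
            for group, members in self.members.items():
                if current in members and group not in found:
                    found.add(group)
                    stack.append(group)
        return found

    def effective_roles(self, principal):
        """Direct roles plus those inherited through group membership."""
        roles = set(self.direct.get(principal, ()))
        for group in self.groups_of(principal):
            roles |= self.direct.get(group, set())
        return roles

    def users(self):
        """Principals that are not groups."""
        everyone = set(self.direct)
        for members in self.members.values():
            everyone |= members
        return everyone - set(self.members)

    def holders(self, role):
        return {u for u in self.users() if role in self.effective_roles(u)}

    def revoke(self, principal, role):
        """Remove a direct role.  A removal that would leave no user with
        the Administrator role is rolled back and refused, so the console
        cannot end up with nobody able to administer it."""
        if role not in self.direct.get(principal, ()):
            return False
        self.direct[principal].discard(role)
        if role == ADMIN and not self.holders(ADMIN):
            self.direct[principal].add(role)
            raise PermissionError("refusing to remove the last Administrator grant")
        return True


def install_default():
    """Constructed post-installation state: the local Administrators group
    holds the Administrator role and two accounts are members of it."""
    store = RoleStore()
    store.grant("BUILTIN\\Administrators", ADMIN)
    store.add_member("BUILTIN\\Administrators", "CORP\\jdoe")
    store.add_member("BUILTIN\\Administrators", "CORP\\svc-backup")
    return store


def narrow_admin_role(assign_self_first):
    """Try the note's procedure in the stated order (True) or reversed
    (False).  Returns (outcome, users who hold Administrator afterwards)."""
    store = install_default()
    if assign_self_first:
        store.grant("CORP\\jdoe", ADMIN)
    try:
        store.revoke("BUILTIN\\Administrators", ADMIN)
    except PermissionError:
        return "refused", sorted(store.holders(ADMIN))
    return "removed", sorted(store.holders(ADMIN))


if __name__ == "__main__":
    print(narrow_admin_role(True))    # ('removed', ['CORP\\jdoe'])
    print(narrow_admin_role(False))   # ('refused', ['CORP\\jdoe', 'CORP\\svc-backup'])
```

In the stated order the group grant is removed and only the explicitly assigned user keeps the role; in the reversed order the guard detects that no user would retain Administrator and restores the grant.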
If you are using a single partition to manage the endpoints in your organization,
all user roles are global and all actions taken by users in these roles apply
globally, to the entire organization.
Management Console
The General Preferences let you set the inactivity timeout interval, refresh
interval, and display settings for the Management Console.
■ On displays the Steps to Create Policy pane when you create a policy.
■ Off removes the Steps to Create Policy pane when creating a policy.
3. Enter a refresh interval for the Dashboard in the Dashboard section. The
Dashboard displays will update using the interval you specify.
4. Enter the timeout duration in the Security section. If you do not use the
Management Console before this interval expires, the console logs you out
and you must log back in.
5. Click OK to save the settings and close the window.
The changes take effect immediately.
The Locale Preferences let you set the language and the time and display format
used throughout the Management Console.
3. Use the Language drop-down menu to select the language for the
Management Console.
Hour
Specify whether to display the hour as a one or two digit number.
Show AM/PM
Show Seconds
Enable this option to have the seconds appear in the time display.
Time Zone
Select your time zone.
Month
Select one of the following to specify how to display the month:
Show day
Enable this option to add the day of the week to the date display.
Day of Month
Specify whether to display the day as a one or two digit number.
Day of Week
Specify whether to display either a three letter abbreviation or the full
name of the day of the week.
Date Order
Specify the month, day, and year order in the date display.
6. Click Save to save the settings and close the window.
By default, the Management Console updates the Dashboard panels every ten
minutes. You can refresh the Dashboard contents immediately or you can set an
option to refresh the content more frequently.
2. Select the General tab and set the Refresh Interval option.
The content of the Dashboard will refresh itself based on the new frequency.
Manage Dashboards
You can add panels, edit, delete, and change the layout of all custom Dashboards
you create.
1. Click Dashboard.
2. Expand the Dashboard list and select the Dashboard to which to add a panel.
Note: You cannot add a panel to the default CA Total Defense Dashboard.
5. Click Add.
The new panel is added to the Dashboard view.
To edit a Dashboard
1. Click Dashboard.
2. Expand the Dashboard list and select the Dashboard to edit.
Note: You cannot edit the default CA Total Defense Dashboard.
3. Click Edit.
The Edit Dashboard page opens. This page is the same as the Create
Dashboard page.
■ To remove a panel, select the panel in the left table and click Remove.
5. Once you are finished, click Apply to save your changes.
To delete a Dashboard
1. Click Dashboard.
2. Expand the Dashboard list and select the Dashboard to delete.
3. Click Delete.
A confirmation window opens.
4. Click Yes.
The selected Dashboard is deleted.
3. Use the Layout drop-down menu to select how the panels of the Dashboard
are tiled.
You can select one of the following options:
Tiled Layout
Display the panels as a series of tiled squares.
Manual Layout
You can create a custom Dashboard to display the information that is most
important to you.
1. Click Dashboard.
2. Click New.
The Create New Dashboard window opens.
4. (Optional) Select the Make Default Dashboard option to see this Dashboard
when you log into the Management Console.
5. In the Layout section, specify how the panels of the Dashboard are tiled. You
can select one of the following options:
Side by Side Layout
Manual Layout
Select this option to be able to manually move and resize the panels to fit
your needs.
6. Click Assign Panels to save the Dashboard and open the Edit Dashboard pane
to assign panels to the Dashboard.
To create the Dashboard without panels, click Create Empty Dashboard. You
can later add panels by dragging them from the navigation pane to the
Dashboard or by selecting a panel using the Add to Dashboards button.
7. (Optional) If you clicked Assign Panels, select a panel in the Available Panels
table and click Add to add the panel to the Dashboard. Alternatively, you can
click and drag a panel from the Available Panels to the Dashboard.
To remove a panel, select the panel in the Selected Panels table and click
Remove.
The Signatures panel displays the signature status for all endpoints in the
selected partition.
1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Signature Update Status.
The Signatures panel contains a thermometer graph that displays the signature
status of endpoints. The top of the panel shows the version number of the last
signature update and when the update occurred. The graph displays how many
endpoints in the selected partition are using the current signature, how many
have an out of date signature, and how many have not contacted the
Management Server with this information.
The Endpoints panel displays statistics for all discovered endpoints. This panel
displays a holistic view of the endpoints in your organization. It is not
partition-specific.
1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Endpoints.
The Endpoints panel appears and displays the following information:
Last Discovery
Lists the time and date of the last endpoint discovery.
Chart
The Malware panel displays the number of endpoints that have reported back to
the Management Server as clean or infected. It also displays the number of
endpoints that have not phoned home to the Management Server. You can view
this information for the last 24 hour period or for the last 7-day period. The
information displayed is based on the currently selected partition.
1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Malware.
You can view information for the following periods by clicking the appropriate
link:
Last 24 Hours
Displays malware information for the last 24 hours. Information older than
24 hours is omitted.
Last Week
Infected
The number of endpoints that are currently infected.
Not Reporting
The number of endpoints that have not reported back on malware found.
The CA Security Advisor panel displays the latest information from the CA
Security Advisor website. This information provides alerts for the latest malware
information and vulnerability threats, as well as CA Research blogs.
1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click CA Global Security Advisor.
You can use the drop-down menu to view the following information:
Latest Malware
Displays the latest malware news reported by CA. This information may
include specific ways to remove the malware, and information about the
signature updates used to detect and clean the latest malware is also
provided in this feed.
Latest Vulnerabilities
Displays the latest information on newly discovered software vulnerabilities.
This information may include information about the availability of patches
that eliminate vulnerabilities.
CA Research Blog
Displays blogs created by the CA Research team.
The Server Monitor panel displays statistics for the system hosting the
Management Server.
1. Click Dashboard.
2. Click Panel to expand the panel list.
3. Click Server Monitor.
The Server Monitor panel is divided into five tabs. The Server Monitor panel
displays the following information:
General
Server IP Address
The IP address used by the server.
CPU
This tab displays information about the CPU usage on the server. The graph
displays the CPU usage on the server over the past 5 hour period of time. You
can mouse over a point on the graph to view the time and CPU use
percentage at that moment.
CPU Usage
The percentage of CPU cycles used by the overall CPU activity of the
entire server.
Handles
Threads
Memory
This tab displays the total memory used and the free memory available on
the server machine in a pie chart.
Disk
This tab displays the total disk space used and the disk space available on
the selected drive of the server machine in a pie chart. You can select
alternate drives using the drop-down menu at the bottom of the display.
Network
This tab displays the network usage information for the server. You can
mouse over a point on the graph to view the time and network use
percentage at that moment.
Packets In
The total number of incoming packets.
Packets Out
The total number of packets sent.
Bytes Received
Reports
This section contains procedures related to reports.
Report filters help you quickly locate specific types of reports. You create a report
filter by selecting specific filter criteria. When you select the new filter, the
Management Console displays only the reports that match the filter.
Edit
Modifies an existing filter.
Duplicate
Creates a copy of the filter and appends a number to the filter name.
Delete
Report filters let you filter the report information that is displayed on the View
Reports page. You can create report filters that let you view only those reports
that meet your needs.
The Report Filters page opens, populated with the available filters.
3. Click New.
The New Output Filter page opens.
4. Enter a unique name and description for this report filter in the Name and
Description fields.
5. To create the filters, select a filter option, then specify the details for that
option. Select from the following filter options:
Note: You can select multiple filter options.
Time Frame
Filter reports based on a range of time, such as all reports generated
since last week.
Use the drop-down menu to select the time range. You can select any of
the given options, or customize the time range.
To choose a custom range, select the Custom option, configure the time
zone, and enter the start and stop times for the range.
Component
Filter reports based on the component to which the report applies.
For example, select Firewall to view reports that relate only to the
Firewall.
Status
Filter reports based on the status of the report.
For example, to find all failed reports, you can create a filter using the
Failed status option.
Partition
Filter reports based on the partition providing the information for the
report.
Report
Task
Filter reports based on the scheduled task that generated the report.
Initiated By
Filter reports based on text that you supply.
Enter text in the Enter an Initiator field, and click Add to add that text.
The filter displays only reports containing the entered text string.
Action
Filter reports based on the action taken after the report is generated.
For example, to find all reports that are sent to a recipient by email after
generation, select Email.
6. Click OK.
The filter is saved and now appears on the View Reports filter list.
You can edit, delete, and duplicate report filters from the Report Filters page.
■ Edit a report filter to change or modify the existing settings.
■ Duplicate a report filter to create an identical copy of the filter. The copied
filter has the same name as the original, with a number appended to the
name.
■ Delete a report filter to remove it from the list.
View Reports
You can use the View Reports page to view generated reports, refresh the
information they contain, send reports to other users, and delete reports.
Note: The web browser you use to view reports must have its pop-up blocker
disabled for the Total Defense Management Console URL. Otherwise, reports that
you attempt to view from the View Reports page in the Management Console are
blocked, or open in a new page that replaces the console's current page.
The View Reports page lists the following information about each report:
Name
Lists the name of the report.
Component
Lists the components of the CA Total Defense system that the report
concerns.
Format
Lists the format used by the report.
Note: The CSV report output uses UTF-8 encoding and should be used for
importing data to other applications and not for report viewing.
Initiated By
Lists the user who created the report.
Status
Lists the status of the report.
Maintenance
Displays a check box indicating if the report is purged during Report
Maintenance. A check mark indicates the report is purged. To prevent a
report from being purged, uncheck this box.
Start Time
Lists the time the report period started.
End Time
You can view all reports, a filtered list of reports, or the contents of a specific
report.
3. Select a filter from the filter drop-down menu to filter the displayed reports.
The View Reports page updates to display only those reports that match the
filter criteria.
4. Select a report and perform one of the following actions:
Report Configuration
The following procedures describe how to configure reports for CA Total Defense.
For instructions on how to configure reports for CA Total Defense for Unified
Network Control, see the CA Total Defense for Unified Network Control
Administrator Guide or the online help.
From the Report page, you can generate reports, duplicate an existing report, or
delete reports. You can generate a report immediately. You may want to
generate an immediate report if you need up to date information or if you want
to run the report only once. Duplicating an existing report creates a copy of the
report that you can edit. You can create a duplicate if you want to make a new
report with only minor changes from the original report. You may also delete
reports to remove those reports you no longer need.
To generate reports
The report page opens, displaying a list of available reports for that
subcategory.
4. Click Generate.
The Generate Report page opens.
5. Select the file format for the report. You may select from the following:
PDF
Select this option to produce the report in Portable Document Format
(PDF). If you do not have Acrobat Reader installed on the server, you
may not be able to print this report.
HTML
Word Document
6. Click the Region tab and specify the time zone and culture for the report.
7. (Optional) On the Action tab, specify any actions for the report. You may
specify the following actions:
Email
Use this action to email the report to others. You must specify the
recipients. You may also edit the subject and message body of the email.
You may also specify if the report is included in the email as an
attachment or a compressed attachment.
Print
Use this action to print the report. You must specify the printer, the
number of copies, and the account used for printing the report. To print
PDF and Word document reports, the appropriate application must be
installed on the server.
Run
Use this action to run the report through another application. You must
specify the application's full path; the generated reports drop folder is
passed to this application as a parameter. You must also specify the
account used for this action. Because this action executes whatever program
is at that path under the specified account, use a least-privilege account,
keep the executable in a location that only administrators can write to, and
restrict who may configure report actions.
Save
Use this action to save the report to the local disk or a network drive. You
must specify the save location. You must also specify the account used
for this action.
RSS
Select this action to generate an RSS message feed for this report. You
must specify the title, category, and description for the feed. Use the
drop-down arrows next to each field to add variables to the field.
8. Click OK.
The report is generated. You may view generated reports on the View
Generated Reports page.
■ Click Delete to remove the selected report. You are prompted to confirm
the deletion. Click Yes to complete the deletion.
The report is deleted from the reports list.
The options on the Endpoint page help you to configure Anti-Malware Endpoint
reports. You can create and edit Anti-Malware reports, to specify the settings and
the filters to use in the reports, using the options available on the Endpoint page.
In addition, you can generate, duplicate, or delete reports for the Anti-Malware
Endpoint component from this page.
You can select from the following available filter options for Anti-Malware
component reports:
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Layout Type
Specify the type of layout (pie chart, bar chart, or table) for your report.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
Policy State
Filter output based on the policy status. You can filter policies with On or Off
configurations.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Account
Filter output based on user accounts you specify to include or exclude.
Domain
Malware Name
Malware Risk
Filter output based on the level of malware risk you specify.
Malware Status
Filter output based on the malware status you specify.
Malware Detection
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
You can select from the following available filter options for Anti-Malware
Groupware component reports:
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Layout Type
Specify the type of layout (pie chart, bar chart, or table) for your report.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Sender
Service
Filter output based on the type of Groupware service. You can specify
Exchange, Lotus Notes, NetApp, or SharePoint.
Recipient
Filter output based on recipient accounts you specify to include or exclude.
Domain
Filter output based on domains you specify to include or exclude.
Malware Name
Malware Risk
Filter output based on the level of malware risk you specify.
Malware Status
Filter output based on the malware status you specify.
Malware Detection
Filter output based on the malware detection type you specify.
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
The options on the Firewall page help you to configure Firewall reports. You can
create and edit Firewall reports, to specify the settings and the filters to use in
the reports, using the options available on the Firewall page. In addition, you can
generate, duplicate, or delete reports for the Firewall component from this page.
You can select from the following available filter options for Firewall component
reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
Direction
Action
Filter output based on the action applied by the firewall. You can filter by
monitored events, or by events prevented by the firewall.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Remote IP
Filter output based on a single remote IP address, remote IP address range,
or remote subnet you specify to include or exclude.
Local Port
Filter output based on a single port, or port range you specify to include or
exclude.
Remote Port
Filter output based on a single remote port, or remote port range you specify
to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
App Name
Filter output based on the name of an application you specify to include or
exclude.
App Path
Filter output based on the path of an application you specify to include or
exclude.
App Status
Filter output based on the status of the application. You can filter by Known
or Unknown status.
Policy State
Filter output based on the policy status. You can filter policies with On or Off
configurations.
Domain
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
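An added example (not CA product code) of how the Firewall filter options listed above combine when a report is run: the IP and Remote IP filters take a single address, an address range, or a subnet as an include or an exclude, the Local Port and Remote Port filters take a port or a port range, Events Severity and Action narrow the event set, and Output Count trims the tabulated result to the N most frequent items. The event fields, the AND-across-filters semantics and the sample events are assumptions of this example, not the product's internal representation.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class FirewallEvent:
    """Constructed firewall event; field names are assumptions of this example."""
    severity: str      # "High", "Medium" or "Low"  (Events Severity filter)
    action: str        # "monitored" or "prevented" (Action filter)
    local_ip: str      # IP filter
    remote_ip: str     # Remote IP filter
    local_port: int    # Local Port filter
    remote_port: int   # Remote Port filter
    app_name: str      # App Name (used here as the tabulation key)


class IPFilter:
    """IP / Remote IP filter: a single address, a 'lo-hi' range, or a CIDR
    subnet, applied as an include (keep matches) or an exclude (drop matches)."""

    def __init__(self, spec: str, include: bool = True) -> None:
        self.include = include
        if "/" in spec:
            self.kind, self.value = "subnet", ip_network(spec, strict=False)
        elif "-" in spec:
            lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad IP range: {spec}")
            self.kind, self.value = "range", (lo, hi)
        else:
            self.kind, self.value = "single", ip_address(spec)

    def contains(self, addr: str) -> bool:
        a = ip_address(addr)
        if self.kind == "subnet":
            return a in self.value            # False for a mismatched IP version
        if self.kind == "range":
            lo, hi = self.value
            return a.version == lo.version and lo <= a <= hi
        return a == self.value

    def keep(self, addr: str) -> bool:
        # include: keep only matches; exclude: keep only non-matches
        return self.contains(addr) == self.include


class PortFilter:
    """Local Port / Remote Port filter: a single port or a 'lo-hi' range."""

    def __init__(self, spec: str, include: bool = True) -> None:
        self.include = include
        parts = [int(p) for p in spec.split("-", 1)]
        self.lo, self.hi = parts[0], parts[-1]
        if not 0 <= self.lo <= self.hi <= 65535:
            raise ValueError(f"bad port spec: {spec}")

    def keep(self, port: int) -> bool:
        return (self.lo <= port <= self.hi) == self.include


@dataclass
class FirewallReportFilter:
    """One report's selected filters; an unset filter places no restriction."""
    severities: Optional[Set[str]] = None                         # Events Severity
    action: Optional[str] = None                                  # Action
    local_ip: List[IPFilter] = field(default_factory=list)        # IP
    remote_ip: List[IPFilter] = field(default_factory=list)       # Remote IP
    local_port: List[PortFilter] = field(default_factory=list)    # Local Port
    remote_port: List[PortFilter] = field(default_factory=list)   # Remote Port
    output_count: Optional[int] = None                            # Output Count

    def accepts(self, ev: FirewallEvent) -> bool:
        if self.severities and ev.severity not in self.severities:
            return False
        if self.action and ev.action != self.action:
            return False
        # Every configured filter must agree (AND semantics, an assumption here).
        return (all(f.keep(ev.local_ip) for f in self.local_ip)
                and all(f.keep(ev.remote_ip) for f in self.remote_ip)
                and all(f.keep(ev.local_port) for f in self.local_port)
                and all(f.keep(ev.remote_port) for f in self.remote_port))


def run_report(events: List[FirewallEvent],
               flt: FirewallReportFilter) -> List[Tuple[str, int]]:
    """Apply the filter set and tabulate events per application; Output Count
    limits the table to the N most frequent rows (most_common(None) keeps all)."""
    counts = Counter(ev.app_name for ev in events if flt.accepts(ev))
    return counts.most_common(flt.output_count)


# Constructed sample events (documentation ranges, not real hosts).
SAMPLE_EVENTS = [
    FirewallEvent("High", "prevented", "10.0.1.10", "203.0.113.5", 3389, 51000, "svchost.exe"),
    FirewallEvent("High", "prevented", "10.0.1.11", "203.0.113.7", 445, 51001, "System"),
    FirewallEvent("Medium", "monitored", "10.0.1.10", "198.51.100.20", 49152, 443, "chrome.exe"),
    FirewallEvent("Low", "monitored", "10.0.2.5", "10.0.2.1", 49153, 53, "dns-client.exe"),
    FirewallEvent("High", "prevented", "10.0.1.12", "203.0.113.9", 3389, 51002, "svchost.exe"),
    FirewallEvent("Medium", "prevented", "192.168.5.4", "203.0.113.5", 135, 51003, "System"),
]


def blocked_rdp_from_outside() -> List[Tuple[str, int]]:
    """Report: High-severity prevented events on 10.0.1.0/24 endpoints, local
    port 3389, with the 10.0.0.0/8 remote side excluded (external peers only)."""
    flt = FirewallReportFilter(
        severities={"High"}, action="prevented",
        local_ip=[IPFilter("10.0.1.0/24")],
        remote_ip=[IPFilter("10.0.0.0-10.255.255.255", include=False)],
        local_port=[PortFilter("3389")], output_count=2)
    return run_report(SAMPLE_EVENTS, flt)


if __name__ == "__main__":
    print(blocked_rdp_from_outside())   # [('svchost.exe', 2)]
```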
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
The options on the Application Control page help you to configure Application
Control reports. You can create and edit Application Control reports, to specify
the settings and the filters to use in the reports, using the options available on
the Application Control page. In addition, you can generate, duplicate, or delete
reports for the Application Control component from this page.
You can select from the following available filter options for Application Control
component reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Domain
Filter output based on domains you specify to include or exclude.
App Name
Filter output based on the name of an application you specify to include or
exclude.
App Path
App Spawning
Filter output based on the type of application spawning. You can filter
applications that were spawned, applications that run a child application
under their own identity, or applications that run a child application under
their own level of integrity.
Filter output based on the application discovery type. You can filter by
applications that were found and enrolled, applications that were found but
not enrolled due to a no enrolling rule, or applications that were not found.
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
The Application Control page appears populated with the Application Control
reports.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
The options on the OS Security page help you to configure OS Security reports.
You can create and edit OS Security reports, to specify the settings and the filters
to use in the reports, using the options available on the OS Security page. In
addition, you can generate, duplicate, or delete reports for the OS Security
component from this page.
You can select from the following available filter options for OS Security
component reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Domain
Action
Filter output based on the action applied by the firewall. You can filter by
monitored events, or by events prevented by the firewall.
App Name
Filter output based on the name of an application you specify to include or
exclude.
App Path
Filter output based on the path of an application you specify to include or
exclude.
Policy State
Filter output based on the policy status. You can filter policies with On or Off
configurations.
Object Access
Filter output based on the type of object access. Use the drop-down menu
and checkboxes to filter by the following objects:
■ File
■ Registry
■ DLL
■ Device
■ Service
■ Com Object
■ System Privileges
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
4. Click New.
The Create Report page appears.
5. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
6. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
7. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
8. Click Finish.
Your report appears in the list of reports.
5. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
6. Click OK to return to the reports list.
The options on the Intrusion Protection page help you to configure Intrusion
Protection reports. You can create and edit Intrusion Protection reports, to
specify the settings and the filters to use in the reports, using the options
available on the Intrusion Protection page. In addition, you can generate,
duplicate, or delete reports for the Intrusion Protection component from this
page.
You can select from the following available filter options for Intrusion Protection
component reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
Action
Filter output based on the action applied by the firewall. You can filter by
monitored events, or by events prevented by the firewall.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Remote IP
Filter output based on a single remote IP address, remote IP address range,
or remote subnet you specify to include or exclude.
Local Port
Filter output based on a single port, or port range you specify to include or
exclude.
Remote Port
Filter output based on a single remote port, or remote port range you specify
to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Domain
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
The options on the Vulnerability Assessment page help you to configure reports
for the Vulnerability Assessment component. You can create and edit
Vulnerability Assessment reports, to specify the settings and the filters to use in
the reports, using the options available on the Vulnerability Assessment page. In
addition, you can generate, duplicate, or delete reports for the Vulnerability
Assessment component from this page.
You can select from the following available filter options for Vulnerability
Assessment component reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Last In Time
Filter output based on a time frame. Enter the number of days in the field
provided.
Share Settings
Filter the output based on the settings of shared resources. You can filter by
open connections, unlimited connections, or writable connections.
IP
Filter output based on a single IP address, IP address range, or subnet you
specify to include or exclude.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Account
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Domain
Filter output based on domains you specify to include or exclude.
Intrusion Name
Filter the output based on an intrusion name. You can choose to include or
exclude specified intrusion names.
Account State
Filter the output based on the state of the account. You can choose to include
or exclude specified account states.
Password State
Filter the output based on the state of the password. You can choose to
include or exclude specified password states.
Account Lockout
Filter the output based on the lockout status of the account. You can choose
to include or exclude specified lockout states.
Password Property
Filter the output based on the password properties. You can choose to
include or exclude specified password properties.
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
5. Click OK to return to the reports list.
The options on the SMTP page help you to configure reports for the Gateway
Security SMTP component. You can create and edit SMTP reports, to specify the
settings and the filters to use in the reports, using the options available on the
SMTP page. In addition, you can generate, duplicate, or delete reports for the
Gateway Security SMTP component from this page.
You can select from the following available filter options for Gateway Security
SMTP component reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Source IP
Filter output based on a single source IP address, source IP address range, or
source subnet you specify to include or exclude.
Target IP
Filter output based on a single target IP address, target IP address range, or
target subnet you specify to include or exclude.
Offending Source IP
Filter output based on offending source IPs you specify to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Source Domain
Filter output based on source domains you specify to include or exclude.
Target Domain
Filter output based on target domains you specify to include or exclude.
Policy Rule
Filter output based on the policy rules you specify.
Policy Filter
Policy Category
Filter output based on the policy categories you specify.
Policy Action
Filter output based on the policy actions you specify.
Policy Direction
Filter output based on a policy direction. You can filter policies in incoming or
outgoing directions.
Sender
Recipient
Filter output based on recipient accounts you specify to include or exclude.
Malware Name
Filter output based on a malware name you specify to include or exclude.
URL Categories
Filter output based on URL categories. Use the checkboxes to specify the URL
categories to filter.
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
5. Click OK to return to the reports list.
The options on the HTTP page help you to configure reports for the Gateway
Security HTTP component. You can create and edit HTTP reports, to specify the
settings and the filters to use in the reports, using the options available on the
HTTP page. In addition, you can generate, duplicate, or delete reports for the
Gateway Security HTTP component from this page.
You can select from the following available filter options for Gateway Security
HTTP component reports:
Events Severity
Filter output based on the severity of the event. You can choose High,
Medium, or Low severity.
Output Count
Filter output to display only a specified number of items. You can also choose
the layout type (pie chart, bar chart, or table) for your output.
Time Frame
Filter output based on a range of time. Use the drop-down menu to select a
time range, or select the Custom option, and configure the time zone and the
start and stop times for the range to customize the range.
Source IP
Filter output based on a single source IP address, source IP address range, or
source subnet you specify to include or exclude.
Target IP
Filter output based on a single target IP address, target IP address range, or
target subnet you specify to include or exclude.
Endpoint
Filter output based on a list of endpoints you specify to include or exclude.
Account
Source Domain
Filter output based on source domains you specify to include or exclude.
Target Domain
Filter output based on target domains you specify to include or exclude.
Policy Rule
Policy Filter
Filter output based on the policy filters you specify.
Policy Category
Filter output based on the policy categories you specify.
Policy Action
Filter output based on the policy actions you specify.
Policy Direction
Filter output based on a policy direction. You can filter policies in incoming or
outgoing directions.
URL Categories
Filter output based on URL categories. Use the checkboxes to specify the URL
categories to filter.
Malware Name
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
5. Click OK to return to the reports list.
The options on the Unified Network Control page help you to configure Unified
Network Control reports. You can create and edit Unified Network Control
reports, to specify the settings to use in the reports, using the options available
on the Unified Network Control page. In addition, you can generate, duplicate, or
delete reports for the Unified Network Control component from this page.
The Unified Network Control page appears populated with the Unified
Network Control reports.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify whether to use the Time Frame filter option, to filter the report
output based on a specific time period.
Use the drop-down menu to select a time range, or select the Custom option,
and configure the time zone and the start and stop times for the range to
customize the range.
6. Click Finish.
Your report appears in the list of reports.
The Unified Network Control page appears populated with the Unified
Network Control reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report,
or choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was initiated
or modified, and lets you exclude the report from maintenance so that it is
not routinely deleted after a period of time.
5. Click OK to return to the reports list.
The options on the Scorecard page help you to configure reports for the Product
Scorecard. The Product Scorecard contains summary information of the product
activities. You can create and edit reports, to specify the settings to use in the
reports, using the options available on the Scorecard page. In addition, you can
generate, duplicate, or delete reports for the Product Scorecard from this page.
3. Click New.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report, or choose to resolve the user's partition assignment when the report
is created, and click Next.
6. Specify whether to use the Score Card filter option to filter the report output
based on the source of the Scorecard.
You can choose either Endpoint or Server Scorecard.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report
and choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was
initiated or modified, and lets you exclude the report from maintenance so
that it is not routinely deleted after a period of time.
More information:
The options on the Endpoint page help you configure Endpoint reports. Using
the options on the Endpoint page, you can create and edit Endpoint reports and
specify the settings and filters they use. You can also generate, duplicate, or
delete Endpoint reports from this page.
You can select from the following available filter options for Endpoint component
reports:
IP
Platform
Filter the output based on the operating system platform.
Product
Filter the output based on the product. Use the checkboxes to specify the
products to filter.
Version
Filter the output based on the product and signature versions you specify.
Note: The filter options displayed depend on the template you have chosen. You
can select multiple filter options.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.
6. Click the checkboxes next to the appropriate filters to select the filters for
your report.
Use the Add, Remove, and Modify buttons, or the checkboxes and radio
buttons provided to configure your filters.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report
and choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was
initiated or modified, and lets you exclude the report from maintenance so
that it is not routinely deleted after a period of time.
More information:
The options on the Policies page help you configure Policy reports. Using the
options on the Policies page, you can create and edit Policy reports and specify
the settings and filters they use. You can also generate, duplicate, or delete
Policy reports from this page.
3. Click New.
The Create Report page appears.
4. Enter a name and description for the report in the fields provided, select a
template for your report from the list of templates, and click Next.
5. Specify partition options for your report. Select the partitions to include in
the report or specify to resolve the user's partition assignment during the
report creation, and click Next.
6. Specify whether to use the Policy Information filter option to filter the report
output based on the policy information.
Use the checkboxes to select the partition name and the policy textual
description.
Note: The filter options displayed depend on the template you have chosen.
You can select multiple filter options.
7. Click Finish.
Your report appears in the list of reports.
4. Edit the name or description of the report in the Name and Description fields,
and use the Partition, Customization, or General tabs to edit the settings for
the report:
■ The Partition tab lets you specify the partitions to include in the report
and choose to resolve the user's partition assignment when the report is
created.
■ The Customization tab lets you edit the filter options for your report and
configure the filters.
■ The General tab lets you view when, and by whom, the report was
initiated or modified, and lets you exclude the report from maintenance so
that it is not routinely deleted after a period of time.
5. Click OK to return to the reports list.
More information:
Use the Scheduled Tasks page to view, edit, or delete an existing task. You can
also create a new task or select an existing task and duplicate it.
This page also lets you submit a Scheduled Task for generation.
The Scheduled Tasks page displays the following information for each scheduled
task:
Name
Format
The format used by the scheduled task.
Scheduler
The occurrence of the scheduled task. The task can be scheduled one time
only, daily, weekly, or monthly.
Description
You can view existing Scheduled Tasks, create a new Scheduled Task, and then
run the task immediately if necessary.
Scheduled Tasks let you schedule when reports are generated. You can create
tasks that generate reports on a recurring basis or only once.
You can also run any task later, when you need it, using the Go button on the
View Scheduled Tasks page.
3. Click New.
The Create Scheduled Task page opens.
4. Enter a unique name and description for this scheduled task in the Name and
Description fields.
5. Select the reports you want this scheduled task to generate and click Next.
The Select File Format page opens.
6. Select the file format generated by the reports and click Next.
7. Specify the output method and provide details for that output as necessary
and click Next.
8. Specify how frequently this task should occur and the time for the scheduled
task to run.
9. Click Finish.
The Scheduled Task is created and added to the Scheduled Task list.
From the Scheduled Tasks page, you can manage the tasks you have scheduled.
You can edit a scheduled task to modify the settings, duplicate a task to copy it,
run a scheduled task immediately, or delete the task to remove it from the
schedule.
3. Select the appropriate scheduled task and click one of the following:
■ To run the task immediately, click Go.
The Management Console runs the scheduled task, and the resulting
reports are available on the View Reports page as soon as the task
finishes.
You are prompted to confirm the deletion. Click Yes to complete the
deletion.
The Management Console deletes the scheduled task.
The Run History page lets you view all scheduled tasks that have run in the
past and have not been deleted.
The Run History page displays the following information for each scheduled task:
Name
Format
The format used by the scheduled task.
Type
Status
The status of the scheduled task.
Start Time
The time the scheduled task began.
End Time
The time the scheduled task finished.
From this page, you can delete the Run History records if necessary.
More information:
Customizing the report scheme lets you determine the look and feel of generated
reports. You can create a custom header and footer, and include a logo graphic
on your report.
The logo must be a valid image file type, with the following width and height
requirements:
■ Image width: up to 145 pixels
4. To add a header or footer, select the Font Name, Font size, and enter the text
in the Header or Footer text fields.
5. (Optional) Click Preview and specify an output format to see a preview of the
scheme.
The preview opens in a pop-up window. You must enable pop-ups to see the
preview. Close the pop-up window to exit the preview.
Reports are stored on the hard drive of the Event Server. If you do not
periodically maintain report storage space, you may encounter size limitations.
Report Maintenance lets you limit the length of time that reports are stored.
2. Click Maintenance.
The Report Management Settings page opens.
3. Enter the maximum number of days for which reports are stored.
Certain actions that reporters perform may require specific permissions to run
successfully. The Reporter Permissions page lets you add active users with the
permissions necessary to run report-specific actions. The most common access
rights include:
■ Access to the printer to perform the print action
■ Access to a specific application to perform the run action
■ Write access to the upload folder to perform the upload action
You may want to create a specific user account with these privileges and a
non-expiring password.
The Reporter Permissions page opens and displays all known reporter
permissions.
This page lists the user's domain name and the description entered when
creating reporter permissions.
3. Click Add.
The User Credentials window opens.
4. Enter the Domain, User name, and Password for the reporter.
6. (Optional) Click Validate to ensure the information entered is valid. Once you
click this button, the Management Console attempts to access the domain
using the reporter credentials provided. Any errors are reported.
7. Click OK to save your changes and return to the Reporter Permissions page.
4. Edit the Domain, User name, and Password for the reporter.
6. (Optional) Click Validate to ensure the information entered is valid. Once you
click this button, the Management Console attempts to access the domain
using the reporter credentials provided. Any errors are reported.
7. Click OK to save your changes and return to the Reporter Permissions page.
Events
This section contains procedures related to events.
View Events
The View Events page lets you review all the events that occur on your network.
When viewing events, you must first select a filter.
To view events
1. Select Events, and select View Events.
The View Events page opens, displaying either a blank tab or the last filter
results you selected.
The View Events page creates a new tab, displaying events that match the
filter criteria.
From this page you can view more details about an event or delete an event.
3. Click Go.
The View Events page creates a new tab, displaying events that match the
filter criteria.
4. Select an event.
5. Click View Event.
The event information is displayed in a new pane on the right side of the
page. Click Hide Event to close this pane.
Delete Events
To delete an event
1. Select Events, and on the Events Viewer page, select View Events.
The View Events page opens, displaying either a blank tab, or the last filter
results you selected.
2. Select a filter from the drop-down menu.
3. Click Go.
The View Events page creates a new tab, displaying events that match the
filter criteria.
Event Filters let you limit the events displayed to only those that match your
filter criteria. Using the Event Filters lets you focus on your tasks at hand instead
of sorting through all the events manually.
The Filter Events page opens, displaying a list of Event Filters available.
From the Filter Events page you can create, edit, duplicate, and delete Event
Filters. Additionally you can delete all filtered events from this page.
The Filter Events page opens, displaying a list of Event Filters available.
4. Click Edit.
The Event Filter Properties page for that filter opens.
6. Click OK.
The changes are saved and you are returned to the Filter Events page.
The Filter Events page opens, displaying a list of Event Filters available.
4. Click Delete.
4. Click Duplicate.
A duplicate of the filter is created, with a number appended to the end of the
name.
The events are deleted and you are returned to the Filter Events page.
Creating an Event Filter lets you specify the filtering criteria that apply with that
filter.
2. Click New.
The New Event Filter page opens.
4. Specify the components to which the filter applies, and click Next.
You must select at least one component.
5. Specify the Database to which the filter applies and click Next. You may
specify the current Database. You may skip this page if you have no
backed-up databases.
6. Specify the partitions to which the filter applies, or specify that the partitions
are resolved when the filter is executed, and click Next.
7. Select and specify any additional custom filter information and click Next.
9. Click Finish.
The filter is created, and you are returned to the Filter Events page.
View Statistics
The Statistics page displays information on the size of the Event Database, and
lists the number of events by severity.
The Statistics page is divided into two panes, Database Sizing and Events by
Severity. The Database Sizing pane displays the following information:
Database file size
The Events by Severity pane displays the following information:
High Severity Events
The total number of High severity events found in the Event Database.
Medium Severity Events
The total number of Medium severity events found in the Event Database.
Low Severity Events
The total number of Low severity events found in the Event Database.
The General configurations for event notification let you specify the SMTP and
RSS provider information used when sending out notifications.
3. Click General.
The General page opens.
4. Select the type of provider. You can specify SMTP Provider or RSS Provider.
The settings for your SMTP Provider or RSS Provider appear.
– Title Name: The title name used for this RSS feed.
– Title Description: The title description used for this RSS feed.
6. If you selected SMTP Provider and your SMTP Server uses authentication,
select Enable SMTP Server Authentication and provide the user name and
password used to access the SMTP Server.
7. Click Apply to save your settings.
You can send event notifications through email, RSS feed, or as Windows NT
Events. The event notification settings control how often a notification attempt is
made, and what actions are taken if the notification fails. The settings are the
same for all types of notifications, but you can specify different values for each
type of notification. For example, you could have email notification attempted
every 10 minutes and RSS feeds attempted every 5 minutes. When configuring
notification settings, you first specify the notification format, then the settings
for that format.
3. Click Settings.
The Settings page opens.
Enter the number of attempts allowed before the Event Server declares
that the notification failed to send.
7. (Optional) In the storage pane, you may enable the following settings:
You can view Email Event Notifications that have been generated by CA Total
Defense from the Email page. In addition, you can send certain notifications, or
delete a notification from the list.
Note: The Management Console prevents you from sending notifications with a
status of Sent or Data Error.
To
The recipient's email address
Subject
Date
The date the Email Event Notification was generated
Attempt
The number of attempts made to send the notification
Status
Whether the notification has been successfully sent
3. Select the appropriate Email Event Notification and perform one of the
following:
■ To view the properties for that notification, click Properties.
■ To send that notification, click Send Now.
For more information about Email Event Notification Properties, see Set
Email Event Notification Properties.
You can set Email Event Notification Properties to customize the recipients of the
notification emails.
The Email Event Notification Properties displays the following information for
each notification listed:
Created
Last Attempt
The date of the last attempt to send the Email Event Notification
Priority
Attempts
The number of attempts made to send the Email Event Notification
Status
Whether the Email Event Notification has been successfully sent
Using the Email Event Notification Properties list, you can add, edit, or remove
recipients from the notification.
■ Select a recipient and click Edit to edit that recipient. Make any
necessary changes, and then press Enter to save those changes.
■ Enter an email address and click Add to add a new email recipient for this
notification.
■ Select a recipient and click Remove to remove an email recipient from
this notification.
5. Click OK.
Your changes are saved.
To exit the page without saving your changes, click Discard.
You can view RSS Event Notifications that have been generated by CA Total
Defense from the RSS page. In addition, you can send certain notifications, or
delete a notification from the list.
Note: The Management Console prevents you from sending notifications with a
status of Sent or Data Error.
Subject
Attempt
The number of attempts made to send the notification
Status
Whether the notification has been successfully sent
3. Select the appropriate RSS Event Notification and perform one of the
following:
■ To view the properties for that notification, click Properties.
■ To send that notification, click Send Now.
The RSS Event Notification properties are displayed. For more information
about RSS Event Notification Properties, see RSS Event Notification
Properties.
You can view RSS Event Notification properties to review detailed information
about RSS Event Notifications.
The RSS Event Notification list displays the following information for each
notification:
RSS Info
Link
If a hyperlink is included in the RSS Event Notification, it is displayed here
Source
The source of the RSS Event Notification
Category
The information section displays the following information for the RSS Event
Notification:
Created
The date the RSS Event Notification was created
Modified
Last Attempt
The date of the last attempt to send the RSS Event Notification
Priority
The priority of the RSS Event Notification
Attempts
The number of attempts to send the RSS Event Notification
Status
You can view Windows NT Event Notifications that have been generated by the
CA Total Defense product from the Windows NT Events page. In addition, you can
send certain notifications, or delete a notification from the list.
Note: The Management Console prevents you from sending notifications with a
status of Sent or Data Error.
Source
The source of the Windows NT Event Notification
Type
The type of event. This can be an Error Event, an Information Event, or
a Warning Event
Date
The date the Windows NT Event Notification was generated
Attempt
The number of attempts made to send the notification
Status
Whether the notification has been successfully sent
3. Select the appropriate Windows NT Event Notification and perform one of the
following:
■ To view the properties for that notification, click Properties.
■ To send that notification, click Send Now.
The Windows NT Event Notification list displays the following information for
each notification:
Subject
Source
The source of the Windows NT Event Notification.
Type
The information section displays the following information for each Windows NT
Event Notification:
Created
The date the Windows NT Event Notification was created
Modified
Last Attempt
The date of the last attempt to send the Windows NT Event Notification
Priority
The priority of the Windows NT Event Notification
Attempts
The number of attempts made to send the Windows NT Event Notification
Status
Endpoints
The following sections provide procedures related to managing endpoints.
View Endpoints
The View Endpoints page lets you see either the managed or unmanaged
endpoints. If an endpoint appears on the managed list, it has successfully
phoned home. If an endpoint appears on the unmanaged list, the endpoint has
been discovered but has not successfully phoned home.
You can navigate through the list of endpoints using either the page drop-down
menu, or the navigation arrows located in the lower right section of the page.
You can also filter the endpoint lists.
Endpoint Name
The name of the endpoint.
IP Address
The IP addresses of the endpoint.
Platform
Partition
The partition to which the endpoint has been assigned. This information is
only shown for managed endpoints.
Products
The CA Total Defense products that are installed on the endpoint. This
information is only shown for managed endpoints.
First Discovered
The date the endpoint was first detected during a discovery process. This
information is only shown for unmanaged endpoints.
Filter
Open the Filter pane to filter the list of endpoints displayed.
Install
Delete
Delete the selected endpoint from the list. This button does not appear if you
are viewing unmanaged endpoints. Unmanaged endpoints are removed from
the list by the Discovery process once they are no longer found.
Details
View detailed information about a specific endpoint. Select the endpoint and
click Details to view the information.
More information:
When you first access the View Endpoints page, the Management Console
retrieves the full endpoint list from the database. Filtering lets you narrow down
the endpoints the Management Console displays. When filtering the View
Endpoints page, you can select one of the following Filter options:
If you enter filtering criteria, then click Clear, the Management Console
returns to displaying the entire list of endpoints stored in its memory.
If another user or process changes the endpoint list stored in the database
after you open this page but before you click Submit, this filter option
displays those changes in the filtered results. If changes are made after you
click Submit, you can update the display by clicking the Refresh button or
filtering again with the same criteria.
You can filter both the managed endpoint list and the unmanaged list. The
criteria you can use depend on which list you select to filter.
Note: All filtering criteria are optional. We recommend that you only use the
options you need.
As you enter the information, the list narrows as you type, displaying only
those endpoints that match your selection. You can use the following criteria:
Endpoint Name
Enter an endpoint name to locate that endpoint. Enter a partial name or
a string of characters to see only endpoints matching that string or
partial name. This filter criterion is available for both the managed
endpoint list and the unmanaged endpoint list.
IP Address
Enter an IP address to locate the endpoint with that address. You can enter
a partial address or a string of characters to find all endpoints matching
that string or partial address. This filter criterion is available for both the
managed endpoint list and the unmanaged endpoint list.
Platform
Select a platform from the drop-down menu to filter endpoints based on
the operating system installed on the endpoint. This filter criterion is
available for both the managed endpoint list and the unmanaged
endpoint list.
Note: In some cases, the Discovery process cannot precisely identify the
operating system version running on an endpoint. For these endpoints, the
Platform shown in the Unmanaged Endpoints display is a list of the possible
OS versions, such as Windows 2003/Windows XP, rather than a specific
version. The Platform drop-down menu includes both the specific OS
version choices and all pairs of possible ambiguous choices. The filter
matches the exact choice from the drop-down: selecting one of the
ambiguous OS items shows only endpoints with that specific combination of
OS possibilities, and selecting one of the unambiguous OS items shows only
those endpoints that exactly match that OS.
Partition
Product
Select a product from the drop-down menu to filter endpoints based on
the products installed on the endpoint. This filter criterion is only
available for the managed endpoint list.
This filter criterion is only available for the unmanaged endpoint list.
To clear the list, click Clear. The page displays the unfiltered endpoint list.
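The matching rules described above (substring matching for Endpoint Name and IP Address, exact drop-down value for Platform including the ambiguous pairs, and Partition and Product only on the managed list) modelled in Python as an added example; this is not CA Total Defense code, the sample inventory is constructed, and case-insensitive matching is an assumption the page does not state. It also shows why a partial IP string is a text match, not a network-range match, and how a CIDR check differs.

```python
"""Model of the View Endpoints filter rules (added example, not product code).

Assumptions not stated on the page: name/IP matching is case-insensitive
substring matching, and criteria that the page says are only available for
the managed list are rejected when used against the unmanaged list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Endpoint:
    name: str
    ip_addresses: List[str]          # an endpoint may report several addresses
    platform: str                    # exact drop-down string, possibly ambiguous
    managed: bool
    partition: Optional[str] = None  # shown for managed endpoints only
    products: List[str] = field(default_factory=list)  # managed only


# Constructed sample inventory (not real hosts or addresses).
ENDPOINTS = [
    Endpoint("fin-ws-01", ["10.0.1.20"], "Windows XP", True, "Finance", ["Anti-Malware"]),
    Endpoint("fin-ws-02", ["10.0.10.5"], "Windows 2003", True, "Finance",
             ["Anti-Malware", "Firewall"]),
    Endpoint("lab-srv-07", ["10.0.1.200", "192.168.5.7"], "Windows 2003/Windows XP", False),
    Endpoint("HR-WS-03", ["172.16.4.9"], "Windows XP", False),
]


def filter_endpoints(endpoints, managed, name=None, ip=None, platform=None,
                     partition=None, product=None):
    """Return the names of endpoints on the chosen list that match all criteria.

    name / ip: substring match (as the page describes for partial values).
    platform:  exact match against the drop-down string, so an ambiguous
               value such as "Windows 2003/Windows XP" matches only endpoints
               reported with exactly that combination.
    partition / product: managed list only.
    """
    if not managed and (partition is not None or product is not None):
        raise ValueError("Partition and Product criteria apply to the managed list only")
    matches = []
    for ep in endpoints:
        if ep.managed != managed:
            continue
        if name is not None and name.lower() not in ep.name.lower():
            continue
        if ip is not None and not any(ip.lower() in a.lower() for a in ep.ip_addresses):
            continue
        if platform is not None and ep.platform != platform:
            continue
        if partition is not None and ep.partition != partition:
            continue
        if product is not None and product not in ep.products:
            continue
        matches.append(ep.name)
    return matches


def filter_by_network(endpoints, managed, cidr):
    """Contrast: a real network-range check, which the page's filter does not offer.

    "10.0.1" as a substring also matches 10.0.10.5; 10.0.1.0/24 does not.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return [ep.name for ep in endpoints
            if ep.managed == managed
            and any(ipaddress.ip_address(a) in net for a in ep.ip_addresses)]


if __name__ == "__main__":
    print("substring 10.0.1 :", filter_endpoints(ENDPOINTS, True, ip="10.0.1"))
    print("CIDR 10.0.1.0/24  :", filter_by_network(ENDPOINTS, True, "10.0.1.0/24"))
    print("ambiguous platform:", filter_endpoints(ENDPOINTS, False,
                                                  platform="Windows 2003/Windows XP"))
```

Running the block shows that the partial-string IP filter returns both 10.0.1.20 and 10.0.10.5, while the CIDR check returns only the /24 member; when an inventory review depends on a network range, verify results against the full address rather than relying on a prefix string.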
Alternatively, you may want to retrieve and filter the endpoints listed in the
database. When filtering endpoints in this manner, you must click Submit to view
the filtered list.
4. Select and enter your filter criteria. You may use the following filter criteria:
Endpoint Name
This filter criterion is available for both the managed endpoint list and
the unmanaged endpoint list.
IP Address
This filter criterion is available for both the managed endpoint list and
the unmanaged endpoint list.
Platform
Filter endpoints based on the operating system installed on the endpoint.
This filter criterion is available for both the managed endpoint list and
the unmanaged endpoint list.
Partition
Filter endpoints based on the partition to which the endpoint is assigned.
This filter criterion is only available for the managed endpoint list.
Product
Filter endpoints based on the products installed on the endpoint. This
filter criterion is only available for the managed endpoint list.
This filter criterion is only available for the unmanaged endpoint list.
5. Click Submit.
The endpoint list shows only those endpoints that match your filtering
criteria.
To clear any options you've entered and see the unfiltered list, click Clear, then
Submit.
The Endpoint Details page provides additional information for each managed
endpoint. You can only view details for managed endpoints.
Click the tabs of the Endpoint Details page to navigate through the information
on the page. The tabs provide the following information:
General
The General tab provides general information for the endpoint, including the
partition to which the endpoint is assigned, the last time the endpoint
phoned home to the Server for policy updates, the operating system, version
and service pack used on the endpoint, whether the endpoint uses a 32-bit
or 64-bit architecture, and the time zone and locale of the endpoint.
In addition, it provides a table with information about the network interfaces
found on the endpoint, including the name, type, and description for the
interface, the MAC address and IP address, and the status of the interface on
the endpoint.
Note: The Last Phone Home Time field displays the last time the endpoint
phoned home and exchanged information with the Management Server.
Because of the Phone Home feature's automatic optimizations, not all phone
home attempts result in an information exchange. If there is no information
exchange, the Last Phone Home Time does not change. An information
exchange is unnecessary when there are no changes on the Management
Server or endpoint.
If a long interval has passed since the last phone home time listed for the
endpoint, and the Policy tab shows that the policies are not up to date on the
endpoint, you should verify that the endpoint can phone home.
Products
The Products tab lists the name and version of the CA Total Defense products
installed on the endpoint. In addition, this page provides a table with
information about the components installed on the endpoint that make up
each product, including the name and installed version of the component,
the latest version of the component available for distribution, and whether
the component is up to date or requires updating.
If a component requires updating, you can click the Update button on this
tab to run a full update job, to update all components specified in the
Content Update configuration on the endpoint.
Policies
The Policies tab lists policy information for the endpoint, including the policy
types assigned to the endpoint, the name of the specific policy assigned for
that policy type, and the branch to which the endpoint is assigned.
In addition, the Policies tab indicates the last time the policy was updated on
the Server, the last time the policy was updated on the endpoint, and
whether the policy is up to date on the endpoint.
Custom Variables
Branches can be divided based on a CA-provided variable or a custom
variable that you define. The Custom Variables field lists any custom
variables assigned to the endpoint:
Custom Variable Name
The value assigned to the custom variable. The Custom Variable Value
can be any character except '!', '=', or ','.
Use the Total Defense r12 Centralized Deployment page to assign installation
packages to endpoints. Installation packages contain CA Total Defense products
you want to install and their corresponding policies. When you create a package,
you can specify the applicable policies to include in the package and then assign
packages to both unmanaged and managed endpoints.
1. Select the endpoints, either managed or unmanaged, and view the Manage
Centralized Deployments page for those endpoints.
2. Create or edit the installation packages (see page 179).
The Total Defense r12 Centralized Deployment page displays the installation
packages available and lets you specify the details, such as the installation
directory or locale, to use when setting up an installation package for an
endpoint. From this page, you can also access the Configuration for New Package
page, to create new deployment packages.
Important! If you click Close or navigate away from this page using the
Navigation pane, the changes you make are not saved.
Note: Use the endpoint drop-down menu to switch the view to the
unmanaged endpoints, if necessary.
3. Select the endpoint or endpoints whose deployment page you want to view
and click Install.
The Total Defense r12 Centralized Deployment page opens, displaying the
following information:
Endpoint Name
The name of the endpoint.
Package
Target Directory
The target directory for the installation package. When you deploy a
package and you do not specify a Target Directory, the default directory
is used.
NA appears in this field on the managed endpoints list because the
directory has already been specified for managed endpoints.
Locale
NA appears in this field on the managed endpoints list because the locale
has already been specified for managed endpoints.
Reboot
Indicates whether you have specified a reboot after the CA Total Defense
products are installed.
Comp. Uninstall
Indicates whether the installation package will attempt to uninstall other
anti-malware products before installing CA Total Defense products.
Login
The login credentials provided for this installation package.
Setup
Use the Setup drop-down menu to specify additional details when
installing a package to an unmanaged endpoint.
See the Deploy Installation Packages to Endpoints (see page 181) help
page for more information.
Add
Click Add, enter the name of a new endpoint, and click OK to add a new
endpoint to the list. Endpoints must be added by name.
If you click Close or navigate away from this page using the Navigation
pane, the changes you make are not saved. The Add button allows you
to add additional endpoints without navigating away from the page.
Remove
Select an endpoint and click Remove to remove the endpoint from the
list.
Assign Package
Click Assign Package to assign a package to the endpoint.
Unassign Package
Click Unassign Package to remove the package from the endpoint.
Details
Select an endpoint from the list and click Details to view the Endpoint
Details page for the selected endpoint.
New
Click New to create new install packages.
Edit
Select an installation package from the list and click Edit to edit the
selected package.
Delete
Select an installation package from the list and click Delete to delete the
selected package.
More information:
You must use an installation package to install the CA Total Defense products on
the endpoints in your system using the remote install feature. When you create
an installation package, you can select the components to install and the policies
you want to associate with those specific components.
An installation package includes a policy for each policy type required by the
components selected for that package. The package is initialized with the default
policy of each policy type, but you can change the policy selection when creating
the package.
3. Select the endpoint or endpoints whose deployment page you want to view and
click Install.
The Total Defense r12 Centralized Deployment page opens.
4. Click New.
The Configuration for New Package page opens.
5. Enter a name and a unique description for this package in the Package Name
and Package Description fields.
6. Use the Select Products drop-down menu to select the products installed by
this package.
The package contains a policy for each of the policy types associated with all
of the products in the package.
7. (Optional) Specify the policies to associate with this package.
The Available Policies list for the selected Policy Type shows the policies
you can choose from.
■ Click Save to save the installation package. You can then assign the
package to endpoints for remote installation.
■ Click Save to Disk to open the Save Package to Disk window and save the
package to a specific location on the server. You can then copy the
package to a CD or DVD for direct installation onto an endpoint.
The deployment package is created and appears in the Package list or is
saved to the specified location.
The Save Package to Disk window lets you specify the path and folder name used
when creating an installation package. The path can be anyplace on the
Management Console. The Management Console uses the name to create a
folder that contains the files for this specific package under the path you
specified. For example, if you specify C:\packages\03_10_2010 as the path, and
"this_one" as the name, then the files for this package are located in
C:\packages\03_10_2010\this_one. The name must be a valid Windows folder
name. If the target location already exists, the Management Console asks if you
want to replace this folder.
Name
Specify the name of the folder. The Management Console uses the name
to create a folder that contains the files for this specific package under
the path you specified. The name must be a valid Windows folder name.
2. Click OK.
The installation package is saved to the folder created in the path you
specified.
Important! If you click Close or navigate away from this page using the
Navigation pane, the changes you make are not saved. You must then restart the
deployment procedure.
Use the endpoint drop-down menu to switch the view to display unmanaged
endpoints.
Click a single endpoint to select it. To select multiple endpoints, hold down
the Ctrl key and click each endpoint. To select a range of endpoints, select
the first endpoint in the range, hold down the Shift key and select the last
endpoint in the range.
4. Click Install.
The Total Defense r12 Centralized Deployment page opens and displays the
View Endpoints table, populated with the selected endpoints.
6. Select the installation package to deploy to the selected endpoints from the
Package List and select Assign from the Assign drop-down menu.
Alternatively, drag the packages from the Package List to each endpoint.
The installation packages are assigned to the endpoints.
Specify Locale
Specify the language used by the CA Total Defense product installed on
the endpoint.
When issuing a reboot command, ensure that end users have enough
time to save any tasks before rebooting or allow them to delay the
reboot to a more convenient time.
Run Competitive Uninstaller
8. Click Deploy.
Delete Endpoints
You can remove managed endpoints from your list by deleting the endpoint. You
cannot delete unmanaged endpoints. Unmanaged endpoints are removed from
the list by the Discovery process once they are no longer found.
To delete an endpoint
4. Click Delete.
You can review your deployment jobs using the Review Deployment Jobs page.
You can also view details for each deployment job record.
The Review Deployment Jobs page opens and displays the following
information:
Target Endpoint
Time Started
The time when the deployment was started.
Status
The status of the deployment job.
Last Status Update
Select a record and click Details to view the following detailed information
about the selected record:
Target Endpoint
The target of this job.
Assigned Package
The package assigned to the endpoint.
Target Directory
Locale
The locale specified for the deployment job.
Force Reboot
Whether the deployment job forces a reboot of the endpoint after
deployment.
Reboot Delay
Whether a forced reboot can be delayed by the endpoint user.
If a forced reboot is not specified, NA appears in this field.
Login ID
The Login ID used by the deployment job.
More information:
As you view your deployment job records, you can use the filter options to
narrow down the list. Narrowing down the list lets you see only those jobs that
match your filter criteria. When filtering the deployment job records, you can
select one of the following Filter options:
Note: All filtering criteria are optional. It is recommended that you only use the
options you need.
3. Click the double arrows next to Filter to expand the filter options.
Alternatively, you may only want to filter all endpoints in the database. When
filtering all endpoints in this manner, you must click Submit to view the filtered
list.
3. Click the double arrows next to Filter to expand the filter options.
The list shows only those deployment job records that match your filtering
criteria.
To reset the list, click Clear, then click Submit again to refresh the list.
You can purge deployment job records to make maintaining your records an
easier task. You have two options when purging records: you can perform an
active purge of either selected records or all records prior to a specified date, or
you can set up an automatic purge.
Select a record or set of records, then choose this option to purge only
the selected records.
Select this option then specify a date to purge all records prior to that
date.
4. Click OK.
When any record becomes older than this limit, it is automatically purged.
5. Click OK.
Records that exceed the limit are purged.
The Partition Assignment Tree page lets you create new branches, subdivide
existing branches, and view detailed information for each branch. You perform
these actions when you want to modify the default Partition Assignment Tree.
Note: Before you modify the Partition Assignment Tree, read the About the
Partition Assignment Tree section in the CA Total Defense Administration Guide.
To view the Partition Assignment Tree page, click Maintain, Policies, Policies and
Partitions.
The Partition Assignment Tree page displays the following information about
each partition:
Partition Name
Lists the name assigned to the partition.
Description
Note: The procedures for these buttons are covered on subsequent help pages.
Lock/Unlock
Locks and unlocks the tree. Locking the Partition Assignment Tree prevents
another user from changing partitions while you work on them. You must
lock the tree before you can edit, delete, or subdivide partition branches.
New
Creates new partitions or subdivides an existing branch. If you click New
without selecting a partition, you create a new partition. If you select a
partition or branch and then click New, you subdivide that partition or branch.
Edit
Edits the selected partition or branch.
Delete
Deletes the selected partition or branch.
Details
Provides detailed information for the selected partition or branch.
Manage Policies
Displays the Policy Assignment Tree for the selected policy type.
Additionally, you can use the buttons found under Policy Categories to change
the list of available Policy Types. To change the list, simply click a Policy
Category.
You can find and select a particular partition using the Find tool.
To find a partition
The Partition Details page provides additional information about a partition. This
information includes which users are assigned the Partition Policy Manager and
Partition Reporter roles for the partition, as well as the policies in place on the
selected partition.
In the Branch Information pane, the Partition Details page displays the following
information about each partition or branch:
Branch Name
Parent Branch
Lists the parent partition or branch of the selected branch. This field only
appears if you select a branch.
Definition of Branch
Lists the value used to divide this branch. This field only appears if you select
a branch.
The remaining tables on the page display information about the users and
policies assigned to this partition. These tables display the following information:
Policy Managers
This table displays information about the policy managers assigned to this
partition. The table displays the following information:
User Name
Lists the user name for this specific user.
Global
Partition
Indicates whether the manager is a Partition Policy Manager.
Reporters
User Name
Partition
Indicates whether the Reporter is assigned to only the partition level.
Policies
This table displays information about the policies assigned to this partition.
The table displays the following information:
Policy Type
Lists the policy type. Expand the list to show the individual
policies beneath it.
Usage Count
Lists the total number of times the policy is used.
# Endpoints
Lists the total number of endpoints that this policy is assigned to on this
partition.
When you work on the Partition Assignment Tree, you must lock the tree before
you can create new partitions, subdivide branches, edit existing partitions and
branches, or delete existing partitions or branches. Only one user can lock the
Partition Assignment Tree at a time. This locking prevents other users from
making changes to the Partition Assignment Tree that would conflict with your
changes.
The Partition Assignment Tree is locked until you click Unlock or apply
changes.
Once you have locked the Partition Assignment Tree, only you can make changes
until you unlock the tree or a user with the appropriate privileges unlocks the
tree from the Locked Tree Assignment page.
More information:
Partition branches let you divide the Managed Endpoints root of the Partition
Assignment Tree into smaller groups. You can subdivide branches using the
following methods:
By IP Address
You can specify a single IP address, a list of addresses, or a range of
addresses using a trailing wildcard, CIDR notation, or an address and netmask.
By Endpoint Name
You can specify the exact name of the endpoint, or enter a range of
endpoints using a wildcard.
By Platform
You can divide the branch based on the operating system found on the
endpoint.
By Custom Variable
You must specify the name, operator, and value used for the custom
variable. Branches can be divided based on a CA-provided variable or a
custom variable that you define. For example, using regedit you might
create a registry value named Oracle and set it to 1. You would then define
a custom variable criterion with a name of Oracle, an Operator of =, and a
value of 1. All endpoints with this variable and value are placed into this
partition. You can use either = or != as the Operator.
To create a custom variable, use regedit to modify the following registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables
Custom Variable Name
The Custom Variable Name is case-insensitive, and must be a-z, 0-9, '-',
'_', or '.' .
Custom Variable Value
The Custom Variable Value can be any character except '!', '=', or ','.
Creating a partition branch divides the Managed Endpoints root into smaller
groups of endpoints. You can only create new partition branches by subdividing
the Managed Endpoints root branch. If you select a child branch and click New,
you instead subdivide that child branch.
Note: You must lock the Partition Assignment Tree to create a partition
branch.
5. Choose one of the branch subdivision options and provide the subdivision
details.
6. Click Save.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.
8. Once you have created and adjusted all the branches, click Apply.
The new branches are created. Your lock is removed and the changes are
saved.
Editing a partition branch lets you rename the branch, change the description of
the branch, or change the subdivision details. You cannot switch how a branch is
subdivided.
2. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to edit a
branch.
4. Edit the details as necessary. You cannot switch how a branch is subdivided.
5. Click Save.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.
6. Click Apply.
Your changes are saved and your lock is removed.
After creating a partition branch, you may want to subdivide that branch into
smaller branches. Branches can be subdivided based on IP address, endpoint
name, the endpoint's operating system platform, your Active Directory tree, or
a custom variable you assign. Once you have subdivided a branch based on a
selected criterion, all further subdivisions of that branch must use the same
criterion.
For example, you could create three new branches for a partition branch all
based on endpoint names. However, you could not subdivide a partition branch
into two branches based on platform and one branch based on endpoint name.
The advantage of this is that once you have subdivided a branch, creating further
branches is simplified.
When subdividing a new partition branch, you always create two new branches,
one branch based on the criterion you entered, the other covering all endpoints
that do not match the criterion you entered. After creating this initial split, you
can edit either branch as necessary or subdivide the branch further, creating new
branches.
3. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to subdivide a
partition branch.
Note: The New button performs different functions depending on the branch
you select. The only way to subdivide a partition branch is to first select that
partition branch, then click New.
6. Click Next.
The Branch Properties page opens.
7. Enter a name and description for this new subdivision and enter the
subdivision criteria.
The values you enter depend on the method of subdivision you selected.
8. Click Next.
The Branch Properties page changes, letting you now enter the details for
the second subdivision.
9. (Optional) Enter the name and description for the second subdivision.
Alternatively, you can leave this information as is and edit this information
later.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.
The new branch partition is created. Your lock is lost and must be reapplied
to make additional changes.
3. Click Lock.
Note: You must lock the Partition Assignment Tree to be able to subdivide a
partition branch.
Note: The New button performs different functions depending on the branch
you select. The only way to subdivide a partition branch is to first select that
partition branch, then click New.
5. Enter a name and description for this new subdivision and enter the
subdivision criteria.
6. The values you enter depend on the method of subdivision you selected for
the first subdivision you created for this partition branch.
7. Click Save.
The Branch Properties page closes, returning you to the Partition Assignment
Tree.
8. Click Apply.
The new branch partition is created. Your lock is lost and must be reapplied
to make additional changes.
The Branch Subdivision page lets you specify how a branch from either the
Partition Assignment Tree or Policy Assignment tree is divided. You can access
this page when either dividing one of those branches or editing one of those
branches. This page displays the branch name and description of the branch that
is subdivided.
IP Address
Subdivides the branch by IP address. A branch can be defined by a single IP
address string or by a list of addresses. In addition, each string can point to
a single address, or, using wild cards or other notations, to a range of
addresses. This option supports trailing wild cards, Classless Inter-Domain
Routing (CIDR) notation, address and netmask notation, and IPv6 notation
to specify a subnet range.
Endpoint Name
Subdivides the branch using the names of the managed endpoints. You can
use an asterisk (*) wild-card to represent multiple characters, or a question
mark (?) to represent a single character. For example, an organization based
in Australia might use "AUS" at the beginning of each endpoint name.
Entering AUS* places all endpoints located in Australia into this branch.
Platform
Subdivides the branch based on operating system type. Using this category
you can create a partition for all endpoints running one or more specific
operating systems. For example if you chose Windows 2008 Server, you
could create a partition for all the servers in your organization running this
operating system.
Active Directory
Subdivides the branch using your existing Active Directory structure. If you
are currently using Active Directory to manage the endpoints in your
organization, you can select any of the existing Active Directory structures
and use them to create one or more partitions in the Partition Assignment
Tree or branches in a Policy Assignment Tree. When you use this option, the
Management Console displays a representation of your Active Directory tree.
You only need to select the objects to use. You must first specify your Active
Directory instance using the Directory Services page under Configure,
Environment.
Custom Variable
Subdivides the branch based on a CA-provided variable or a custom variable
that you define on your endpoint.
For example, if you create a variable named ORACLE and set its value to 1,
and you then define a branch with the custom variable ORACLE and value of
1, then all endpoints with this variable and value would be placed into this
branch.
If more than one custom variable is defined for a branch, an endpoint only
needs to match one of the custom variables to be assigned to the branch.
Adding a new entry under the HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables
registry key on the endpoint with a specific value defines a custom variable
with the same name and value as the registry entry.
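The following Python script is an added example, not code from CA or from the Management Console, that puts the matching rules described above (and in the earlier Custom Variable and partition subdivision sections) into runnable form: it validates custom variable names and values against the character rules given for the CustomVariables registry key, evaluates IP Address, Endpoint Name, Platform and Custom Variable criteria, and performs the criterion/remainder split that creating a branch produces. The endpoint inventory is constructed for the example. The guide lists the IP notations but gives no sample strings, so the spellings used here (10.1.*, 10.1.0.0/16, 10.1.0.0/255.255.0.0, 2001:db8::/32) are assumptions, as are the case-insensitive endpoint name comparison and the treatment of != as requiring the variable to be present with a different value.

```python
import fnmatch
import ipaddress
import re

# Constructed endpoint inventory for the example (not real console data). "vars" stands in
# for the entries an endpoint carries under HKEY_LOCAL_MACHINE\SOFTWARE\CA\TD\CustomVariables.
ENDPOINTS = [
    {"name": "AUS-SYD-01", "ip": "10.1.4.20",      "platform": "Windows 7",           "vars": {"Oracle": "1"}},
    {"name": "AUS-MEL-02", "ip": "10.1.9.7",       "platform": "Windows 2008 Server", "vars": {}},
    {"name": "NYC-FS-01",  "ip": "10.2.0.15",      "platform": "Windows 2008 Server", "vars": {"oracle": "1"}},
    {"name": "NYC-WS-07",  "ip": "192.168.50.3",   "platform": "Windows XP",          "vars": {"Oracle": "0"}},
    {"name": "LAB-V6-01",  "ip": "2001:db8:1::25", "platform": "Windows 7",           "vars": {}},
]

# Custom Variable Name: case-insensitive a-z, 0-9, '-', '_' or '.'. Value: anything but '!', '=' or ','.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def valid_custom_variable(name: str, value: str) -> bool:
    """Check a (name, value) pair against the rules the guide states for custom variables."""
    return bool(_NAME_RE.match(name)) and not any(c in value for c in "!=,")


def ip_matches(ip: str, spec: str) -> bool:
    """One IP Address criterion. Spellings are assumed: '10.1.*' (trailing wildcard),
    '10.1.0.0/16' (CIDR), '10.1.0.0/255.255.0.0' (address and netmask), '2001:db8::/32'
    (IPv6), or a single address."""
    if spec.endswith("*"):
        # A trailing wildcard is a textual prefix match; the kept trailing dot in '10.1.'
        # is what stops it from also covering 10.10.x.x.
        return ip.startswith(spec[:-1])
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        # ip_network() accepts a prefix length or a dotted netmask after the slash;
        # strict=False tolerates host bits in the network part. An IPv4 address is never
        # "in" an IPv6 network (or vice versa), so mixed lists are safe.
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def branch_matches(endpoint: dict, method: str, criteria) -> bool:
    """Evaluate one branch definition. 'criteria' is a list of strings for ip, name and
    platform, and a list of (name, operator, value) tuples for custom."""
    if method == "ip":
        return any(ip_matches(endpoint["ip"], spec) for spec in criteria)
    if method == "name":
        # '*' and '?' wildcards as described; ignoring case is an assumption.
        return any(fnmatch.fnmatchcase(endpoint["name"].lower(), pat.lower()) for pat in criteria)
    if method == "platform":
        return endpoint["platform"] in criteria
    if method == "custom":
        # Names are case-insensitive, and with several variables listed an endpoint needs to
        # satisfy only one of them. Reading '!=' as "present with a different value" (not also
        # matching endpoints that lack the variable) is an assumption.
        present = {k.lower(): v for k, v in endpoint["vars"].items()}
        for name, op, value in criteria:
            if op not in ("=", "!="):
                raise ValueError(f"operator must be = or !=, got {op!r}")
            actual = present.get(name.lower())
            if op == "=" and actual == value:
                return True
            if op == "!=" and actual is not None and actual != value:
                return True
        return False
    raise ValueError(f"unknown subdivision method {method!r}")


def subdivide(endpoints, method, criteria):
    """The initial split the guide describes: one branch holding the endpoints that match
    the criterion and a second branch holding every endpoint that does not."""
    matched, remainder = [], []
    for e in endpoints:
        (matched if branch_matches(e, method, criteria) else remainder).append(e)
    return [e["name"] for e in matched], [e["name"] for e in remainder]


if __name__ == "__main__":
    print(subdivide(ENDPOINTS, "name", ["AUS*"]))
    print(subdivide(ENDPOINTS, "ip", ["10.1.*", "192.168.50.0/24"]))
    print(subdivide(ENDPOINTS, "custom", [("oracle", "=", "1")]))
```

One point worth keeping in mind when you rely on Custom Variable branches: the variable lives under HKEY_LOCAL_MACHINE on the endpoint, so anyone with administrative rights on that machine can set or change it, and with it the branch the endpoint lands in and the policies that branch receives. Use custom variables to group endpoints for convenience, not to decide whether an endpoint is exempt from a stricter policy.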
More information:
The Branch Properties page lets you enter the name, description, and details of
how a branch is subdivided. You access this page after selecting how the branch
is subdivided when creating or editing branches from either the Partition
Assignment Tree or Policy Assignment Tree.
Depending on how you subdivide branches, you must enter the following:
The criteria for each subdivision method (IP Address, Endpoint Name, Platform,
Active Directory, and Custom Variable) are the same as those described above for
the Branch Subdivision page.
More information:
In addition to creating and editing partition branches, you can delete branches.
More information:
When you work on a Policy Assignment Tree, you must first lock the tree before
you can create new branches, edit or delete existing branches, or assign policies.
Only one user can lock the Policy Assignment Tree at a time. This lock prevents
other users from making changes to the tree that would conflict with your
changes. Once you have locked the Policy Assignment Tree, only you can make
changes until you unlock the tree or a user with the appropriate privileges
unlocks the tree from the Locked Tree Assignment page.
4. Select the policy whose assignment tree you want to view.
6. Click Lock.
The Policy Assignment Tree is locked until you click Unlock or Apply to save
your changes.
More information:
Assign Policies
To assign a policy
You must explicitly select a partition, even if it is the Managed Endpoints root
partition.
3. Select the Policy Category followed by the policy to assign, and then click
Manage Policies.
The Policy Assignment Tree window opens for that specific policy type for
that partition.
4. Click Lock.
The Policy Assignment Tree is locked until you click Unlock or Apply.
Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.
5. Select the branch to which you want the policy assigned, select the policy to
assign, and click Assign.
Alternatively, you can drag a policy from the Policy List and drop it onto the
target branch.
6. Click Apply.
You are prompted to confirm the operation.
Policy Assignment Tree branches let you assign separate policies to different
groups of endpoints. You can create new branches, edit existing branches, and
delete branches as necessary.
3. Specify the Policy Category, select the policy to manage, and click Manage
Policies.
The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.
4. Click Lock.
The Policy Assignment Tree is locked. The lock remains in place until you
click Unlock or apply your changes.
Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.
5. Click Branch and select New Branch from the drop-down menu.
The Branch Subdivision page opens.
6. Select the method used to subdivide the branch, and click Next.
Note: The method you select impacts the values you enter on the next page.
The Branch Properties page opens.
7. Enter a name and description for the new branch, and enter the subdivision
criteria.
The values you enter depend on the method of subdivision you selected.
8. Click Save.
The Branch Properties page closes, returning you to the Policy Assignment
Tree.
9. Click Apply.
You are prompted to confirm your changes.
3. Specify the Policy Category, select the policy to manage, and click Manage
Policies.
The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.
4. Click Lock.
The Policy Assignment Tree is locked. The lock remains in place until you
click Unlock or apply your changes.
Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.
Note: You can only edit the name and description of the last branch which
holds the endpoints that are not in any other specified category.
8. Click Apply.
You are prompted to confirm your changes.
3. Specify the Policy Category, select the policy to manage, and click Manage
Policies.
The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.
4. Click Lock.
The Policy Assignment Tree is locked. The lock remains in place until you
click Unlock or apply your changes.
Note: You must lock the Policy Assignment Tree before you can assign
policies. Locking the tree prevents other users from making changes to the
tree that would conflict with your changes.
The changes you made are saved and the lock is removed.
More information:
The Management Server records any changes to the Partition Assignment Tree,
Policy Assignment Trees, policies, and Advanced Policy Components. These
records are referred to as the Change History, which you can view at any time. If
you see incorrect behavior on one of your endpoints, such as the incorrect
treatment of a detected infection, you can review all policy changes. You can also
review the Change History to ensure other users are not making unnecessary or
unplanned changes. If you hold the Administrator or Audit Archivist role, you can
specify how long the Change History is kept.
Policies
Displays changes made to the policies such as when an existing policy is
modified or when a new policy is created.
Advanced Policy Components
Displays changes made to the Advanced Policy Components, which are used
to build all of the Proactive Protection policies.
The Change History has one parameter, which controls how long change history
records are retained. Any record older than the specified value is deleted.
Setting a high value keeps a longer record of changes but increases the storage
required for these records. By default, change history records are kept for
30 days. The lowest value you can set is 8 days, meaning that at a minimum records
are retained for 8 days. Because records older than the limit are deleted, choose
a retention period long enough to cover the time it typically takes you to notice
and investigate an unexpected policy change.
3. Enter the number of days to retain change history records in the Number of
Days to Retain Change History Records field.
4. Click Apply.
The setting is saved.
To discard changes you made before clicking Apply, click Discard. Discard
restores the settings currently saved in the database.
If you make changes, click Apply, then make additional changes, the Discard
function only removes the additional changes, not those you already applied.
The Partition Assignment Tree Change History page lets you see all the past
saved changes for the various partitions.
The Change History link expands, displaying links to each specific change
history page.
The Partition Assignment Tree Change History page opens, displaying the
latest changes first.
The Change History table for Partition Assignment Trees displays the following
information:
Time
Lists the time when this change history record was created.
User
Lists the user who made the change resulting in the change history record.
Partition
Lists the partition affected by this change.
Action
Lists the type of change that was made.
Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.
Note: You may only view details on changes with an action of Update.
1. Expand any row in the change history table that has an Action of Update.
2. Select an item.
3. Click Details.
The details window opens displaying what change was made to the item.
2. Specify the filtering criteria. You can select from the following options:
Partition
Select this option and specify the partition to display only those change
history records for that partition.
Date
Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:
a. Click the field to be cleared to bring up the calendar.
b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.
User
Select this option and specify a user name to list only those changes
made by that user.
Action
Select this option, then specify one of the following actions to only find
change records matching that action:
■ Create: Lists all change records where a partition was created.
■ Update: Lists all change records where a partition was updated.
3. Click Submit.
The change history table only displays those records that match the filter
criteria.
You can navigate through the listing of change history records using the
arrows at the bottom of the page.
The Policy Assignment Tree Change History page lets you see all the past saved
changes for the various policy assignment trees.
The Change History link expands, displaying links to each specific change
history page.
3. Click Policy Assignment Tree.
The Policy Assignment Tree Change History page opens, displaying the latest
changes first.
The Change History table for Policy Assignment Trees displays the following
information:
Time
Lists the time when this change history record was created.
User
Lists the user who made the change resulting in the change history record.
Partition
Lists the partition affected by this change.
Policy Type
Lists the policy type affected by this change.
Branch
Lists the branch that holds the particular policy.
Action
Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.
Note: You may only view details on changes with an action of Update.
1. Expand any row in the change history table that has an Action of Update.
2. Select an item.
3. Click Details.
The details window opens displaying what change was made to the item.
2. Specify the filter criteria by selecting Filter next to a filter category and
specifying the filter criteria. You can select from the following filter
categories:
Partition
Enable Filter for this category and select the partition from the
drop-down menu to view only those change history records for that
partition.
Policy Type
Enable Filter for this category and select the policy type from the
drop-down menu to view only those change history records for that
policy type.
Date
Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:
a. Click the field to be cleared to bring up the calendar.
b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.
Branch
Enable Filter for this category and enter the name of the branch to view
all change history records for that branch. You may use wildcards to find
all change history records for branches whose name contains the string
you entered. Capitalization does not matter.
User
Enable Filter for this category and enter the user name to view all change
history records for changes made by that user. You must enter the full
username; you cannot use wildcards. Capitalization does not matter.
Action
Enable Filter for this category, then use the drop-down menu to select
one of the following actions to find change history records matching that
action:
■ Create: Lists all change records where a tree or branch was created.
■ Lock: Lists all change records where a tree or branch was locked.
■ Unlock: Lists all change records where a tree or branch was
unlocked.
3. Click Submit.
The change history table only displays those records that match the filter
criteria. When specifying the filter criteria, you can use as many of the filter
categories as you need. The Management Console displays only the results that
match all the filter criteria you enter. So if you specify both a date range and
an action, the Management Console displays only those change history
records for that action that occur during the date range.
To stop filtering based on a category, set that category to All and click Submit.
You can navigate through the listing of change history records using the arrows
at the bottom of the page.
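As an added example (not part of the guide or of the console), the following Python code applies the filter categories above to a constructed set of change history records, using the semantics the page spells out: categories combine with AND, Branch accepts wildcards or a contained string, User must be the full name, the Date range may be open at either end, and results appear latest first. It also adds a check the page does not describe, a scan for Lock records with no later Unlock for the same partition and policy type, which is one practical way to use the history to find a tree that someone left locked. That check assumes a lock released by Apply is also recorded as an Unlock action, which the page does not state.

```python
import fnmatch
from datetime import datetime

# Constructed sample records for the example, not real console output. Keys follow the
# columns of the Policy Assignment Tree Change History table.
RECORDS = [
    {"time": datetime(2010, 3, 8, 9, 15), "user": "jsmith", "partition": "Managed Endpoints",
     "policy_type": "Firewall", "branch": "AUS Servers", "action": "Lock"},
    {"time": datetime(2010, 3, 8, 9, 20), "user": "jsmith", "partition": "Managed Endpoints",
     "policy_type": "Firewall", "branch": "AUS Servers", "action": "Update"},
    {"time": datetime(2010, 3, 8, 9, 21), "user": "jsmith", "partition": "Managed Endpoints",
     "policy_type": "Firewall", "branch": "AUS Servers", "action": "Unlock"},
    {"time": datetime(2010, 3, 9, 14, 2), "user": "Admin", "partition": "Finance",
     "policy_type": "Anti-Malware", "branch": "Finance Workstations", "action": "Create"},
    {"time": datetime(2010, 3, 12, 8, 30), "user": "admin", "partition": "Finance",
     "policy_type": "Firewall", "branch": "Everything Else", "action": "Lock"},
    {"time": datetime(2010, 3, 12, 8, 35), "user": "admin", "partition": "Finance",
     "policy_type": "Firewall", "branch": "Everything Else", "action": "Update"},
]


def _name_match(text: str, value: str) -> bool:
    """Branch and Policy filters: capitalization does not matter; with * or ? the text is a
    wildcard pattern, otherwise any name containing the text matches."""
    t, v = text.lower(), value.lower()
    return fnmatch.fnmatchcase(v, t) if any(c in t for c in "*?") else t in v


def filter_history(records, partition=None, policy_type=None, date_from=None, date_to=None,
                   branch=None, user=None, action=None):
    """Filter the way the page describes. A category left at None (the console's 'All') is
    ignored; every category that is set must match; the Date range may be open at either
    end; User must equal the full user name, ignoring case. Results come back latest first."""
    hits = []
    for r in records:
        if partition is not None and r["partition"] != partition:
            continue
        if policy_type is not None and r["policy_type"] != policy_type:
            continue
        if date_from is not None and r["time"] < date_from:
            continue
        if date_to is not None and r["time"] > date_to:
            continue
        if branch is not None and not _name_match(branch, r["branch"]):
            continue
        if user is not None and r["user"].lower() != user.lower():
            continue
        if action is not None and r["action"] != action:
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r["time"], reverse=True)


def dangling_locks(records):
    """Lock records with no later Unlock for the same partition and policy type. While a lock
    is held nobody else can change that tree until the holder releases it or a user with the
    right privileges clears it from the Locked Tree Assignment page. Assumes a lock released
    by Apply also shows up as an Unlock action, which the guide does not state."""
    held = {}
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["partition"], r["policy_type"])
        if r["action"] == "Lock":
            held[key] = r["user"]
        elif r["action"] == "Unlock":
            held.pop(key, None)
    return sorted((p, t, u) for (p, t), u in held.items())


if __name__ == "__main__":
    for rec in filter_history(RECORDS, user="ADMIN", date_from=datetime(2010, 3, 9)):
        print(rec["time"], rec["user"], rec["branch"], rec["action"])
    print("still locked:", dangling_locks(RECORDS))
```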
The Policies Change History page lets you see all the past saved changes for the
policies.
The Change History link expands, displaying links to each specific change
history page.
3. Click Policies.
The Policies Change History page opens, displaying the latest changes first.
The Change History table for Policies displays the following information:
Time
Lists the time when this change history record was created.
User
Lists the user who made the change resulting in the change history record.
Partition
Lists the partition affected by this change.
Policy Type
Lists the policy affected by this change.
Policy
Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.
Note: You may only view details on changes with an action of Update.
1. Expand any row in the change history table that has an Action of Update.
2. Select an item.
3. Click Details.
The details window opens displaying what change was made to the item.
Policy Type
Enable Filter for this category and select the policy type from the
drop-down menu to view only those change history records for that
policy type.
Date
Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:
a. Click the field to be cleared to bring up the calendar.
b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.
Policy
Enable Filter for this category and enter the name of the policy to view all
change history records for that policy. You may use wildcards to find all
change history records for policies whose name contains the string you
entered. Capitalization does not matter.
User
Enable Filter for this category and enter the user name to view all change
history records for that user. You must enter the full username; you
cannot use wildcards. Capitalization does not matter.
Action
Enable Filter for this category, then use the drop-down menu to select
one of the following actions to find change history records matching that
action:
3. Click Submit.
The change history table only displays those records that match the filter
criteria. When specifying the filter criteria, you can use as many of the filter
categories as you need. The Management Console displays the results that
match all the filter criteria you enter. So if you specify both a date range and
an action, the Management Console displays only those change history
records for that action that occur during the date range.
To stop filtering based on a category, set that category to All and click Submit.
You can navigate through the listing of change history records using the arrows
at the bottom of the page.
The Advanced Policy Component Change History page lets you see all the past
saved changes for the various policy components used to build proactive
protection policies.
The Change History table for the policy components displays the following
information:
Time
Lists the time when this change history record was created.
User
Lists the user who made the change resulting in the change history record.
Partition
Lists the partition affected by this change.
Component Type
Action
Lists the type of change that was made.
Additionally, from this page you can view further details concerning some of the
changes, filter the change history view to limit the information displayed to suit
your needs, and navigate through the pages of change history for this area.
Note: You may only view details on changes with an action of Update.
1. Expand any row in the change history table that has an Action of Update.
2. Select an item.
3. Click Details.
The details window opens displaying what change was made to the item.
Component Type
Enable Filter for this category and select the component type from the
drop-down menu to view only those change history records for that
component type.
Date
Select this option and specify a date range to display only those change
history records from within that date range. Enter only a To date to
display all records created before that date. Enter only a From date to
display all records created after that date. Use the following procedure to
clear a date field:
a. Click the field to be cleared to bring up the calendar.
b. Hold down the Ctrl key and click the currently selected date in the
calendar to clear the date field.
Component
Enable Filter for this category and enter the name of the component to
view all change history records for that component. You may use
wildcards to find all change history records for components whose name
contains the string you entered. Capitalization does not matter.
User
Enable Filter for this category and enter the user name to view all change
history records for that user. You must enter the full username; you
cannot use wildcards. Capitalization does not matter.
Action
Enable Filter for this category, then use the drop-down menu to select
one of the following actions to find change history records matching that
action:
3. Click Submit.
The change history table only displays those records that match the filter
criteria. When specifying the filter criteria, you can use as many of the filter
categories as you need. The Management Console displays the results that
match all the filter criteria you enter. So if you specify both a date range and
an action, the Management Console displays only those change history
records for that action that occur during the date range.
To stop filtering based on a category, set that category to All and click Submit.
You can navigate through the listing of change history records using the arrows
at the bottom of the page.
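The filter rules described for the Tree, Policy and Component change history pages share one set of semantics: every enabled category must match, name fields accept wildcards and ignore case, the User field requires the full username, and a one-sided date range is open on the other side. The following Python is an added example written for this guide, not code from the product or from CA; the records, partition names and usernames are constructed sample data, and the treatment of a pattern without wildcard characters as a "contains" match is an assumption drawn from the wording above.

```python
from dataclasses import dataclass
from datetime import date, datetime
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(frozen=True)
class ChangeRecord:
    """One row of a Change History table."""
    time: datetime
    user: str
    partition: str
    name: str    # tree/branch, policy or component name, depending on the page
    action: str  # Create, Lock, Unlock, Update, ...


# Constructed sample rows; these are not records from a real console.
SAMPLE_RECORDS = [
    ChangeRecord(datetime(2024, 3, 1, 9, 0), "jsmith", "Global", "Finance Servers", "Create"),
    ChangeRecord(datetime(2024, 3, 2, 10, 30), "JSMITH", "Global", "Finance Servers", "Lock"),
    ChangeRecord(datetime(2024, 3, 3, 11, 0), "adoe", "Global", "Finance Servers", "Unlock"),
    ChangeRecord(datetime(2024, 3, 5, 8, 15), "adoe", "EMEA", "Sales Laptops", "Lock"),
    ChangeRecord(datetime(2024, 3, 9, 16, 45), "mlee", "EMEA", "Sales Laptops", "Unlock"),
]


def name_matches(value: str, pattern: str) -> bool:
    """Case-insensitive name filter. A pattern without wildcard characters matches
    any name that contains it (assumption); '*' and '?' are honoured as wildcards."""
    value, pattern = value.lower(), pattern.lower()
    if not any(c in pattern for c in "*?"):
        return pattern in value
    return fnmatchcase(value, pattern)


def filter_history(records, *, date_from: Optional[date] = None, date_to: Optional[date] = None,
                   name: Optional[str] = None, user: Optional[str] = None,
                   action: Optional[str] = None) -> List[ChangeRecord]:
    """Apply every enabled filter (a None argument means the category is set to All).
    A record must satisfy all of them; the result lists the latest change first."""
    kept: List[ChangeRecord] = []
    for rec in records:
        day = rec.time.date()
        if date_from is not None and day < date_from:   # only From: records from that date on
            continue
        if date_to is not None and day > date_to:       # only To: records up to that date
            continue
        if name is not None and not name_matches(rec.name, name):
            continue
        if user is not None and rec.user.lower() != user.lower():  # full username, no wildcards
            continue
        if action is not None and rec.action != action:
            continue
        kept.append(rec)
    return sorted(kept, key=lambda r: r.time, reverse=True)
```

Calling `filter_history(SAMPLE_RECORDS, date_from=date(2024, 3, 2), date_to=date(2024, 3, 5), action="Lock")` returns only the two Lock records inside that range, latest first, which is the combined date-plus-action behaviour the text describes; `user="*smith"` returns nothing because the User category does not honour wildcards.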
You must lock the Partition Assignment Tree or Policy Assignment Tree to ensure
that your changes do not conflict with changes made by another user. However,
a situation may occur in which a user has already locked a tree that is needed by
another user, and the current holder of the lock cannot return to unlock that tree
in a reasonable time frame. The Locked Trees page lets you review all the
currently locked trees and, if you have the necessary permission, unlock these
trees to make them available for work by another user.
Note: Only users assigned the Administrator or Group Policy Manager role can
unlock trees using this page.
Click Refresh if you think someone locked a tree after you opened this page,
and you want to see the updated list of locked trees.
The Partition Assignment Tree table shows the lock status of the Partition
Assignment Tree. This table displays the following information:
User Name
Last Updated
Lists the time when the tree was last updated or changed.
The Policy Assignment Tree table lists the currently locked policy trees. You can
view this table by user name or partition. To change this view, simply select
either User Name or Partition in the View By field. Additionally, you can change
the sort order for the table based on User, Partition, and Policy Type.
User Name/Partition/Policy
Lists the user who has locked this policy tree, followed by the partition where
the policy is located, and finally the specific Policy Assignment Tree. If you
switch the sorting order, this list changes to display the partition first,
followed by the user name.
Locked At
Sorting the Policy Assignment Tree table lets you set the sort order for the trees
displayed. For example, you could sort locked trees based on user name in
alphabetical order, and Policy Types in reverse alphabetical order so you could
easily find who has the Vulnerability Assessment Policy Assignment Tree locked.
You can use the Locked Trees page to unlock trees if you are an Administrator or
Global Policy Manager.
2. Click Unlock.
The tree is unlocked if you have the necessary permissions.
You can also use the Locked Trees page to navigate to the locked assignment
trees.
To go to a locked tree
More information:
If a Change History record contains an actual value change, you can view the
details of this change. The details list which value was changed, the old value and
the new value. The details
The Change History details page for that change opens, displaying the
changed value.
In addition to all the information provided in the Change History table for the
record, the Change History Details page displays the following:
Item
Old Value
Lists the original value of the item prior to the change.
New Value
Lists the new value of the item.
More information:
Policies
This section contains procedures related to global and partition-specific policies.
Manage Policies
When you select any Global Policy Definitions page, a list of pre-configured
policies created for that policy type appears. The following information is
displayed:
Policy Name
Lists the name given to the policy.
Description
Lists the date and time when the policy was last updated, expressed in the
local time of the machine running the Management Server.
# of Assignments
Lists the number of Policy Assignment Tree branches to which the policy has
been assigned.
You can create a new policy, edit an existing policy, copy and paste a policy,
delete a policy from the Global Policy Definitions page, or find a policy. The
procedure for creating a new policy is unique to each policy and described in the
help for that policy page.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.
5. (Optional) Browse to the location where you want to copy the new policy.
This step only applies if you are copying the policy from the Configuration
page for that policy and branch.
6. Click Paste.
A copy of the policy is added to the list of existing policies. The name of the
policy is appended with a number to indicate the copy.
To delete a policy
2. Click the policy category containing the policy you want to delete.
The policy category opens, containing the list of policies.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.
To find a policy
2. Click the policy category containing the policy you want to find.
The policy category opens, containing the list of policies.
4. Select an existing policy by clicking on the policy, and click the double arrow
next to Find.
5. Use the drop-down menu to specify the field you want to use for the
search. If you wish to search all fields, leave the option as All Fields.
General Policies let you control how and when the Client contacts the
Management Console for updates, manage event notification, and set
Client-specific options. The General Policies include the following:
More information:
The Phone Home Policy controls when the Client contacts the Management
Server for policy and component updates.
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
4. Click New.
The Name and General Settings page for the policy opens.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Phone Home Settings let you specify which Management Server or
Management Server Proxy the endpoint contacts when phoning home and the
time and frequency the endpoints phone home.
1. Open the Phone Home Settings page by either clicking Next on the Name and
General Settings page of the Phone Home Policy, or by clicking the Phone
Home Settings link in the Steps to Create Policy pane.
2. Select the primary server using the drop-down menu in the Primary server
field. The primary server is the initial server contacted when the endpoint
phones home.
Note: The servers displayed in the drop-down menu are drawn from the list
containing the known Master Management Server plus all Management
Proxy Servers.
3. Select any secondary server using the drop-down menu in the Secondary
server field.
You can reorder the list of servers, from highest to lowest priority, by
selecting a server and using the up and down arrows to move the server up
and down the list. The endpoint contacts the secondary servers starting from
the top server in the list and continues down the list until it successfully
phones home.
4. Specify the duration between phone home attempts in the Phone home
every field.
You can change the units for this field using the drop-down menu next to the
field. For example, to have the Clients phone home every day, enter 24 and
select Hours for the units.
You must specify the time in minutes or hours.
5. (Optional) Enable at least one of the following options to specify when the
Client phones home:
At system start-up
Enable this option to have the Client attempt to phone home each time
the Client starts after the phone home interval has expired.
When system wakes up
Enable this option to have the Client attempt to phone home each time
the client wakes from standby mode after the phone home interval has
expired.
More information:
The Content Update Policy controls when and where the endpoints in your
organization check for content updates.
These settings let you configure the proxy server's settings if the endpoints
need to use a proxy to access the Internet.
These settings let you specify the components to check for any available
updates.
6. Configure the Redistribution Settings. (see page 238)
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Update Schedule options for the Content Update policy lets you schedule
when the endpoints in your organization check for updates and how long past
signatures are kept in case a signature rollback is required.
1. Open the Update Schedule page by either clicking Next on the General Policy
Settings page of the Content Update Policy, or by clicking the Update
Schedule link in the Steps to Create Policy pane.
The endpoint checks for and downloads updates each time it starts.
Perform update according to schedule below
The endpoint checks for and downloads updates according to a schedule
you specify. You can specify to run the update once, or to have the
update repeated regularly. If the client is not running at the scheduled
time for an update, the client performs the update the next time it starts.
3. Specify the number of days signatures are saved in the Number of Days to
Save Signatures for Rollback field.
Signatures older than this limit are deleted to save space and you cannot
revert to them.
4. Click Next.
The Server List page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
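Two client-side decisions in this chapter follow the same shape: the Phone Home Policy's "At system start-up" option only fires once the phone home interval has expired, and the Content Update schedule is caught up at the next start if the client was not running at the scheduled time; the rollback setting then prunes past signatures older than the configured number of days. The Python below is an added example written for this guide, not product code; the signature ids, timestamps and schedule are constructed, and keeping the current signature out of the pruning (it is not a "past" signature) is the assumption made here.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


def interval_expired(last_success: Optional[datetime], interval: timedelta, now: datetime) -> bool:
    """True when the configured interval has elapsed since the last successful contact
    (a client that has never succeeded is always due)."""
    return last_success is None or now - last_success >= interval


def phone_home_due_at_startup(option_enabled: bool, last_success: Optional[datetime],
                              interval: timedelta, now: datetime) -> bool:
    """'At system start-up' only triggers when the phone home interval has already expired."""
    return option_enabled and interval_expired(last_success, interval, now)


def update_due_at_startup(last_update: Optional[datetime], schedule: Iterable[datetime],
                          now: datetime) -> bool:
    """A scheduled update time that passed while the client was not running is
    caught up the next time the client starts."""
    return any(when <= now and (last_update is None or when > last_update) for when in schedule)


def prune_rollback_signatures(downloaded: Dict[str, datetime], days_to_keep: int,
                              now: datetime) -> Tuple[List[str], List[str]]:
    """Keep the current signature (assumption) and any past signature downloaded within
    the limit. Returns (kept, deleted) in download order; deleted versions cannot be
    rolled back to."""
    if not downloaded:
        return [], []
    current = max(downloaded, key=downloaded.__getitem__)
    cutoff = now - timedelta(days=days_to_keep)
    kept: List[str] = []
    deleted: List[str] = []
    for version, when in sorted(downloaded.items(), key=lambda item: item[1]):
        (kept if version == current or when >= cutoff else deleted).append(version)
    return kept, deleted


def can_roll_back_to(version: str, downloaded: Dict[str, datetime], days_to_keep: int,
                     now: datetime) -> bool:
    """Rollback is only possible to a past signature that survived pruning."""
    kept, _ = prune_rollback_signatures(downloaded, days_to_keep, now)
    current = max(downloaded, key=downloaded.__getitem__) if downloaded else None
    return version in kept and version != current


# Constructed example data (not real signature ids or timestamps).
NOW = datetime(2024, 3, 10, 8, 0)
SIGNATURES = {
    "sig-3101": datetime(2024, 2, 20, 4, 0),
    "sig-3150": datetime(2024, 3, 2, 4, 0),
    "sig-3188": datetime(2024, 3, 9, 4, 0),
}
```

With the constructed data, a 10-day rollback window keeps `sig-3150` as a rollback target while a 3-day window deletes it, which is the operational trade-off behind the Number of Days to Save Signatures for Rollback field: too short a window and a bad signature cannot be backed out.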
More information:
The Server List of the Content Update policy lets you specify the resources that
endpoints use to gather content updates and the order in which they are
contacted. These resources include:
■ CA Content Update Server at etrustdownloads.ca.com (the default resource)
■ An internal Redistribution Server using HTTP
■ An internal network share using UNC format, such as
\\ComputerName\SharedFolder\ContentUpdate. The system IP address can
be used instead of the host name.
The order of the specified resources is very important. When checking for
updates, the endpoints check the first resource on the list. If it is unavailable, the
endpoints continue trying to contact each resource on the list in turn, until a
successful download occurs. Each attempt is noted in the ccupdate log file on the
endpoint. If none of the resources can be reached, the endpoint attempts the
download process again at the next scheduled interval, or when the user
manually starts the update using the Download Now button in the Client user
interface.
1. Open the Server List page by either clicking Next on the Update Schedule
page of the Content Update Policy, or by clicking the Server List link in the
Steps to Create Policy pane.
The Server List page appears. By default, the CA Content Update Server
appears.
2. To add other resources, click Add and select either the HTTP or UNC protocol.
■ If you selected HTTP, specify the Redistribution Server name and port,
and click Save.
The UNC can use either the IP address or host name of your network share.
For example:
\\ComputerName\SharedFolder\ContentUpdate or
\\IPaddress\SharedFolder\ContentUpdate
■ To modify a server, select the server and click Modify. Edit the server
settings as necessary and click Save.
■ To delete a server, select the server and click Delete.
3. Select a resource and use the arrows to reposition the resource in the list.
4. Click Next.
More information:
If your network requires that endpoints access a proxy server to reach the
Internet, you must specify that server in the Proxy Server options for your
Content Update policy to download and install updates.
Proxy servers stand between endpoints and the Internet to provide an additional
layer of privacy and security for your system. You can configure your policy to
automatically detect your proxy settings or to connect through a specific proxy
server to obtain updates. In addition, if your proxy server requires
authentication, you can configure the policy to automatically supply your
credentials to allow you to connect to the Internet.
Alternatively, you can specify that a proxy server should not be used to connect
to the Internet.
Using a proxy server is optional, and if your network does not use a proxy server,
you do not have to enter information here.
3. Select the Proxy server requires authentication option if your proxy server
requires you to enter credentials, and specify the name and password to use
in the appropriate fields.
4. Click Next.
More information:
The Components for Updating page of a Content Update policy lets you specify
which components to download when checking for newer component versions.
1. Open the Components for Updating page by either clicking Next on the Proxy
Server page of the Content Update Policy, or by clicking the Components for
Updating link in the Steps to Create Policy pane.
The Components for Updating page appears.
2. In the Components list, select the components you want to have updated in
this policy.
3. Click Next.
The Redistribution Settings page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
You can select from the following components:
Client User Interface
Select this component to allow updates to the GUI for the Client.
More information:
The Content Update policy Redistribution Settings only apply to systems that
have a Redistribution Server installed. If an endpoint that receives this policy
does not have a Redistribution Server installed, these settings are ignored.
3. Specify the length of time in minutes between the time the updates are
downloaded and when they are made available to other endpoints or other
Redistribution Servers if you are using a tiered implementation.
4. Select the components you want to make available to other endpoints in the
Redistribution Components table.
5. Click Save to save your settings, close the wizard, and return to the Global
Policy Definitions page.
Alternatively, you can click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the policy.
More information:
The Event Management Policy controls how the Client communicates events to
the event server. You can use these settings to identify the event servers,
configure the type and severity of events you want reported, specify the
transmission intervals, and set a range of other options.
These settings let you specify the primary and any secondary event servers
and the protocol used to communicate with these servers.
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Event Server Settings of an Event Management policy specify the servers to
which Clients forward information about events. You can identify a primary
server, a secondary server, and additional back-up servers, if necessary. In
addition, you can specify the protocol used for communication between the
endpoints and the Event Server.
A primary server is the first Event Server endpoints contact when forwarding an
event. If the endpoint cannot reach the primary server, it tries to contact the
secondary server. If the endpoint cannot reach the secondary server, it tries to
contact the other listed back-up servers.
2. Select the primary Event Server for this policy using the drop-down menu in
the Primary Server field.
The primary Event Server is the first server the Client contacts when
forwarding events.
Note: If you cannot find the primary server in the list, select Other, enter the
name of the server, and click Save.
3. Select a secondary Event Server for this policy using the drop-down menu in
the Secondary Server field.
The secondary Event Server is a back-up server that the Client contacts if it
is unable to contact the primary server.
Note: If you cannot find the server in the list, select Other, enter the name
of the server, and click Save.
To remove a server from the list, click the trash can icon next to the server's
name.
4. Select one of the following protocols and specify the associated port to
identify the protocol to use for communication between endpoints and Event
Servers:
HTTP
Use Hypertext Transfer Protocol (HTTP) for the transmission protocol
when the Client sends events to the Event Server.
HTTPS
Use Hypertext Transfer Protocol Secure (HTTPS) for the transmission
protocol. HTTPS is a combination of the Hypertext Transfer Protocol and
a cryptographic protocol. This option better ensures the security of your
network, but can slow down traffic.
6. Click Next.
The Event Management Filter Options page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
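The Phone Home server list, the Content Update Server List and the Event Server settings all use the same ordered-failover rule: contact the first entry, fall through to the next on failure, stop at the first success, log every attempt, and otherwise wait for the next interval. The Python below is an added example written for this guide, not code from the product or from CA; the redistribution server hostname, the share address, the protocol assumed for the CA server entry and the simulated outage are all constructed, and the UNC check is a sanity check of the `\\Host\Share\Folder` form shown above.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    """One entry in an ordered server or resource list."""
    kind: str     # "http", "https" or "unc"
    address: str  # host[:port] for HTTP/HTTPS, or a UNC path for a network share


# A UNC entry must look like \\Host\Share[\Folder...]; Host may be a name or an IP address.
_UNC_RE = re.compile(r'^\\\\[A-Za-z0-9._-]+(\\[^\\/:*?"<>|\r\n]+)+$')


def is_valid_unc(path: str) -> bool:
    """Sanity check for a UNC resource before it goes into the list."""
    return _UNC_RE.match(path) is not None


@dataclass
class AttemptLog:
    """Stands in for the per-attempt log kept on the endpoint (the ccupdate log for content updates)."""
    lines: List[str] = field(default_factory=list)

    def note(self, message: str) -> None:
        self.lines.append(message)


def contact_in_order(servers: List[Server], reachable: Callable[[Server], bool],
                     log: AttemptLog) -> Optional[Server]:
    """Try the list top to bottom and stop at the first server that answers.
    Every attempt is logged; if nothing answers, the caller retries at the next interval."""
    for srv in servers:
        ok = reachable(srv)
        log.note(f"{'OK' if ok else 'FAIL'} {srv.kind} {srv.address}")
        if ok:
            return srv
    log.note("no server reachable; retry at next scheduled interval or on Download Now")
    return None


def move_entry(servers: List[Server], index: int, up: bool) -> List[Server]:
    """The console's up/down arrows: swap an entry with its neighbour to change priority."""
    reordered = list(servers)
    other = index - 1 if up else index + 1
    if 0 <= other < len(reordered):
        reordered[index], reordered[other] = reordered[other], reordered[index]
    return reordered


# Constructed list for the demonstration: the default CA server first (protocol assumed),
# then an internal redistribution server (hostname and port assumed) and an internal share.
SERVER_LIST = [
    Server("http", "etrustdownloads.ca.com"),
    Server("http", "redist01.example.internal:80"),
    Server("unc", r"\\10.0.0.25\ContentUpdate"),
]


def demo_reachability(srv: Server) -> bool:
    """Constructed outage: only the internal share answers."""
    return srv.kind == "unc"


def demo_failover() -> Tuple[Optional[Server], List[str]]:
    """Run the failover against the constructed outage; returns (chosen server, log lines)."""
    log = AttemptLog()
    chosen = contact_in_order(SERVER_LIST, demo_reachability, log)
    return chosen, log.lines
```

Because the order is the whole policy, `move_entry` is the operation to audit when reviewing a Server List: an internal share promoted above the CA server means endpoints will take content from that share whenever it answers, so the share's write permissions deserve the same scrutiny as the update server itself.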
More information:
2. In the Filter by Severity pane, select the level of event severity you want
reported.
You can have events flagged as High, Medium, or Low severity reported by the
Client to the Event Server.
3. In the Filter by Source pane, select the components you want to be able to
report events to the event server:
Anti-Malware Client
Intrusion Protection
Enable this option to have the Intrusion Protection events reported.
Vulnerability Assessment
Reports all Vulnerability Assessment events.
Groupware
Reports Groupware events, including events generated from the
Groupware scanner when scanning email servers.
More information:
Alternatively, you can click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the policy.
More information:
The Client Options Policy controls logging parameters on the Client, the Client
license synchronization, and the level of access and control end users have on
the Client.
These settings let you specify log parameters for the Client, schedule the
synchronization of the Client with the license server, and specify the control
end users have on the Client.
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.
4. Click New.
The Name and General Settings page for the policy opens.
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.
Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation process.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
Client Options policy settings let you specify log options and access options on
endpoints, and schedule when the Client synchronizes with the license server.
■ Log options allow you to specify whether to allow end users to delete logs on
the endpoints. Disabling this option preserves log files and ensures that
users are not able to delete important information. Enabling this option
allows users to control the size and growth of logs on the endpoints.
If you enable this option, the Local Log Retention Period and Local Log Size
Limit fields become active. Use these fields to set the following options:
– Identify how long the Client retains log files on the endpoint
– Specify how large logs can become before being overwritten. This option
can help to conserve space on the Client and to ensure that logs do not
become very large.
– Allow end users to stop or start Total Defense services on the Client.
Enable this option if you think end users might run services that could
conflict with Total Defense services.
– Allow the Client to appear in the Add or Remove Programs dialog from
the Control Panel. You can use this feature to allow or block end users
from removing the Client from endpoints. While this option allows users
to remove the Client if it conflicts with other programs, it can leave
systems vulnerable to infection if end users remove the Client without
installing other malware protection.
– Let endpoint users access the Client UI. While this option allows end
users to run malware scans on demand for greater protection, you
should ensure that end users are not able to change critical or necessary
options. Enabling this option is best if you have a good grasp on your
policies or feel that your end users can benefit from accessing the Client
UI.
2. Specify whether to delete client logs using the Never delete logs option.
If you specify to delete logs, the Local Log Retention Period and Local Log
Size Limit fields are enabled.
If you select the Never delete logs option, these fields do not apply and are
not enabled.
3. Specify how long you want the Client to retain logs, if applicable, in the Local
Log Retention Period field.
4. Specify the maximum size limit of the Client logs, if applicable, in the Local
Log Size Limit field.
When a log exceeds this size, the oldest items in the logs are overwritten.
The Client synchronizes with the license server when this interval expires.
6. Enable the Allow stopping and starting of Total Defense services option to let
end users start and stop the services related to the Total Defense system.
This option allows end users to start and stop Total Defense services on the
Client if they conflict with other services running on the endpoint. Keep in
mind that a user who can stop the services can also leave the endpoint without
real-time protection until the services are started again.
7. Specify whether to allow the Client to appear in the Add or Remove Programs
dialog using the Show Total Defense Client in Add or Remove Programs
option.
This option allows users to remove the Client if they detect conflict with other
programs running on the endpoint.
Note: Use this option with caution. If end users remove the Client without
installing other malware protection, they can leave their systems vulnerable
to infection.
8. Enable the Allow endpoint user to access client UI option to allow end users
to use endpoints to run malware scans on demand and perform other
operations using the Client UI.
You should ensure that end users are not able to change critical or necessary
options.
9. Click Save to save your changes and return to the Global Policy Definitions
page.
Alternatively, click Back to return to the previous page, click Discard to clear
any changes you made, or click Close to close the policy without saving your
changes.
Real-time Policies
Real-time policies control the options and settings for the Client's real-time
anti-malware scanner. These options include the action the Client takes
when it finds an infection, how the Client treats archived files, and any
allowed exclusions to the scan.
The Anti-Malware Real-time policy controls the options and settings for the
Client's real-time anti-malware scanner. These options include the actions the
Client takes when it finds infections, how the Client treats archived files,
and any allowed exclusions from the scan.
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
These settings let you control the scanner and scanning methods of the
real-time anti-malware scanner.
These settings let you control the targets the real-time scanner checks. You
can specify whether the scanner checks incoming email or floppy drives, and
whether to exempt any file extensions from scanning.
These settings let you exclude specific objects from scans. The real-time
scanner ignores the specified objects when scanning the endpoint.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Options and Actions settings of a Real-time policy let you enable the
real-time protection for the Client. You can then set the options and cleaning
actions taken by the Real-time scanner on the Client. For example, you can
specify whether the Client should delete infected items or attempt to clean them.
1. Open the Options and Actions page by either clicking Next on the General
Policy Settings page of the Real-time Policy, or by clicking the Options and
Actions link in the Steps to Create Policy pane.
The Options and Actions page appears.
2. Select Enable Real-time Protection.
3. Use the Perform a Scan on drop-down menu in the Options pane to specify
the endpoint user actions that trigger a scan. You can specify the following
options:
■ All File Access: The scanner checks when any file is accessed in any
manner.
■ Read or Execute: The scanner checks only when a file is read or run by
the endpoint user. Writing to a file or performing another action does not
activate the scanner.
4. Specify the scan mode to be used by the endpoint in the Scan Mode field. You
can specify either Normal or Deep mode.
5. Specify the action you want the Client to take when an infection is detected
in the Infection Treatment field. You can select the following options:
6. Specify whether you want the Client to clean detected boot sector infections
or to report the detected boot sector infection without attempting to remove
it.
7. Enter a maximum time limit for scans to run in the Scan Timeout field.
If the real-time scanner reaches the time limit, it reports a failure due to
timeout.
8. Use the options in the Scan fail timeout action field and the Scan fail error
action field to specify whether to Allow or Prevent access to files if a scan
failed because it timed out or failed due to an error.
If a scan fails, either because of an error or because it reached the maximum
time limit, these options determine whether end users can access the file on
which the scan failed. Allow fails open: the user receives a file that was
never fully scanned. Prevent fails closed: the file stays inaccessible until a
scan succeeds, which is safer but can block legitimate work if scans time out
often.
9. In the Auto clean Actions pane, specify the action to take if the Real-time
scanner cannot clean an infected file. You can specify the following actions:
■ Rename: The Client renames infected files it cannot clean, changing the
file extension to try to prevent the infected file from being opened.
10. Enable the Copy to quarantine before cleaning option to have any infected
files copied to the Quarantine folder before the Client attempts to clean the
original file.
This allows you to retrieve the original, uncleaned file from the Quarantine if
necessary.
11. Select the Enable System Repair option to have the Client attempt system
cures when an infection is found.
Running a system cure ensures that the system is protected, but can limit
the availability of the computer while the scan is running.
Note: You can only set the Auto Clean Actions if you set the Infection
Treatment to Clean. Otherwise, these options are unavailable.
12. In the Macro Virus Treatment pane, specify the actions that the real-time
scanner takes when it detects, but cannot clean, macro viruses.
You can configure the policy to remove only infected macros when a macro
virus is detected but cannot be cleaned, or you can remove all macros.
■ Removing only the infected macros saves users' custom macros, but can
make the endpoints vulnerable to infection.
■ Removing all macros eliminates the threat, but removes all custom
macros from endpoints.
The Advanced Real-time Settings of a Real-time policy let you set the advanced
options, such as whether to use heuristic scanning or whether to scan removable
media when the endpoint powers down.
1. Open the Advanced Real-time Settings page by either clicking Next on the
Options and Actions page of the Real-time Policy, or by clicking the Advanced
Real-time Settings link in the Steps to Create Policy pane.
3. Select the Use advance heuristic scanning option to enable the advanced
Heuristic Scanning.
4. Select the Scan alternate data streams (NTFS) option to allow the Client to
scan the Alternate Data Streams attached to files on an NTFS file system.
6. Use the Do not scan during backup option to prevent the Client from
scanning files when they are accessed for saving to a backup, allowing the
backup operation to proceed faster.
7. Use the Use already-scanned cache option to allow the scanner to record
files that it scans, to avoid scanning those files if it can detect that no
changes have been made.
8. Specify the Maximum cache size, if you enabled the Use already-scanned
cache option, to specify the maximum size of the cache.
If adding a file name to the cache causes the cache to exceed the size limit,
the earliest entry is replaced.
9. Click Next.
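The access-triggered scan of step 3, the Scan Timeout and fail actions of steps 7 and 8 in the Options and Actions procedure, and the already-scanned cache of steps 7 and 8 above can be seen working together in the following Python model of a real-time scanner's access decision. It is an added example written for readers of this guide, not CA code; RealtimePolicy, on_access, ScannedCache, the constructed marker string and the three stand-in scanner functions are this example's own assumptions, and the cache is bounded by entry count where the product bounds it by size.

```python
import concurrent.futures
import hashlib
import time
from collections import OrderedDict
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"


class FailAction(Enum):
    ALLOW = "allow"      # fail open: the user gets a file that was never fully scanned
    PREVENT = "prevent"  # fail closed: access is denied until a scan succeeds


@dataclass
class RealtimePolicy:
    """Assumed field names mirroring the Options and Actions / Advanced settings."""
    perform_scan_on: str = "all"                          # "all" or "read_execute"
    scan_timeout_s: float = 2.0                           # Scan Timeout
    fail_timeout_action: FailAction = FailAction.PREVENT  # Scan fail timeout action
    fail_error_action: FailAction = FailAction.PREVENT    # Scan fail error action
    use_scanned_cache: bool = True                        # Use already-scanned cache


@dataclass
class Decision:
    allow: bool
    reason: str


class ScannedCache:
    """FIFO cache of content already found clean. The key folds in the content hash
    and the signature version, so a changed file or a new signature set forces a rescan."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._entries = OrderedDict()

    @staticmethod
    def key(data, signature_version):
        return hashlib.sha256(data).hexdigest() + ":" + str(signature_version)

    def is_clean(self, data, signature_version):
        return self.key(data, signature_version) in self._entries

    def mark_clean(self, data, signature_version):
        self._entries[self.key(data, signature_version)] = True
        if len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # the earliest entry is replaced


# Stand-in scanner engines; MARKER is a constructed string, not a real signature.
MARKER = b"X-TEST-MALWARE-MARKER"


def marker_scanner(data):
    return MARKER in data


def slow_scanner(data):
    time.sleep(0.5)  # simulates a scan that outlives the Scan Timeout
    return False


def crashing_scanner(data):
    raise RuntimeError("engine fault")


def on_access(access, data, policy, scanner, cache=None, signature_version=1):
    """Decide whether a file access proceeds: apply the scan trigger, consult the
    cache, run the scan under the timeout, and map failures to the fail actions."""
    if policy.perform_scan_on == "read_execute" and access is Access.WRITE:
        # Under Read or Execute a write is not scanned; a dropped file is only
        # caught when something later reads or runs it.
        return Decision(True, "not scanned (write under Read or Execute)")
    use_cache = cache is not None and policy.use_scanned_cache
    if use_cache and cache.is_clean(data, signature_version):
        return Decision(True, "clean (cached)")
    executor = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = executor.submit(scanner, data)
    try:
        infected = future.result(timeout=policy.scan_timeout_s)
    except concurrent.futures.TimeoutError:
        return Decision(policy.fail_timeout_action is FailAction.ALLOW, "scan timed out")
    except Exception as exc:
        return Decision(policy.fail_error_action is FailAction.ALLOW, f"scan error: {exc}")
    finally:
        executor.shutdown(wait=False)  # never block the caller on a hung scan
    if infected:
        return Decision(False, "infection detected")
    if use_cache:
        cache.mark_clean(data, signature_version)
    return Decision(True, "clean")
```

With Scan fail timeout action set to Allow, a scan that exceeds the timeout returns an allowed access with the reason "scan timed out": the user gets the file unscanned, which is the fail-open case step 8 describes. With Prevent the same event is a denial. Because the cache key includes the signature version, a new signature set forces a rescan of files the cache had already marked clean, and the FIFO eviction matches the "earliest entry is replaced" behaviour of the Maximum cache size setting.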
The Real-time Targets settings of a Real-time policy let you specify the items
protected by real-time scanning. You can specify hardware, including floppy
drives or storage devices such as USB devices, to protect, and you can extend
the real-time protection to incoming email attachments. In addition, you can
identify specific types of files to exclude from real-time scanning.
Note: You must enable a Protected Area to have the Client scan files found in
that area when they are accessed. For example, if you enable USB, the Client
scans a file on the USB device for malware every time the endpoint accesses
that file.
1. Open the Real-time Targets page by either clicking Next on the Advanced
Real-time Settings page of the Real-time Policy, or by clicking the Real-time
Targets link in the Steps to Create Policy pane.
3. If you enabled email protection, enter the POP3 port number used to connect
with your email server, and the SMTP Port number used by your email
server, and, in the E-mail Action field, specify the action for the Client to take
when it detects an infection.
You can configure the Client to either remove the infected attachment or
attempt to clean it. If you enable the Clean option and the cleaning operation
is successful, you can access the attachment.
4. Specify the files to include or exclude from scanning using the File extensions
to scan option.
You can configure the scanner to scan all extensions, or specific file
extensions only, using the following options:
All extensions
The Client scans all files, regardless of the extension.
■ To remove an extension from the list, select the file extension and click
Remove.
If you protect your CD and DVD drives, the scanner checks inserted disks for
malware. If malware is found, access to the file is denied. You cannot clean
CDs or DVDs of malware.
7. Click Next.
The Archive Settings of a Real-time policy let you specify how the Real-time
scanner treats Archive files.
1. Open the Archive Settings page by either clicking Next on the Real-time
Targets page of the Real-time Policy, or by clicking the Archive Settings link
in the Steps to Create Policy pane.
2. Enable Scan Archives.
Note: You must enable the Scan Archives option to set the parameters for
the Archive Settings.
3. Enter a value in the Maximum Nested Level field in the Settings pane to
identify the maximum number of nested levels the Client scans.
Any archive nested deeper than the level you set is skipped and treated as
clean; archives nested at that level or less deeply are scanned.
A nested archive is an archive file stored within another archive file. For
example, if you added an archive file called example.zip to an existing
archive, example.zip would be nested at level one. If you stored another
archive file in example.zip, that file would be nested at level two. If you set
the Maximum Nested Level to zero, the Client would not scan example.zip or its
contents, and anything inside it would pass as clean.
4. Enter a value in the Maximum Compression Ratio field to indicate the highest
compression ratio a file can have and still be scanned.
The compression ratio is the ratio of the original size of the file to its
compressed size; for ZIP archives it can be read from the archive's own
headers before any data is extracted. Allowing higher ratios gives better
protection, because fewer members are skipped. However, malware sometimes
hides in files with a very large compression ratio, and extracting such a file
for scanning (a decompression bomb) can slow down or freeze the computer.
Members above the limit are skipped without being extracted.
The Client does not scan any file in an archive that, when extracted, is larger
than the maximum uncompressed size limit.
Setting a low limit prevents the Client from scanning archived files that
would expand too much and slow down or freeze the computer. However, the
skipped archives could still contain malware and leave the endpoint
vulnerable.
6. Enable the Stop scanning on first infection option to have the Client stop
scanning an archive file if an infection is found.
This option stops the Client from spending time scanning archives that are
known to be infected, but the Client cannot detect any additional infections
present in an archive file.
If you choose not to enable this option, the Client continues to scan archives
after finding an infected item.
You should enable this option if you automatically delete infected files. If you
clean infected files, scan the entire archive to find all possible infections.
7. In the Archive Type pane, enable the archive types you want the Client to
scan.
For example, if you want the Client to scan zip files, you would enable the ZIP
archive row.
8. Click Next.
The Real-time Exclusions page appears.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Real-time Exclusions of a Real-time policy let you specify the objects you
want to exclude from real-time scans. Exclusion lists let you exclude applications
you use, or specific files or folders that you know to be malware-free, from
real-time scanning. Keep the list as narrow as possible: anything placed in an
excluded folder, or matching an excluded object type, is never checked by the
real-time scanner.
You create an exclusion by first selecting the type of object to exclude in the
Filter pane, then specifying the object in the Exclude pane.
■ To remove an object from the list, select the object and click Remove.
■ For the Exclude Malware from Scan by Category list, unselect any
category to configure the real-time scanner not to search for those
categories of malware.
4. Click Save to save your changes and return to the Global Policy Definitions
page.
The Scheduled Scan Options policy controls the options for scheduled scans.
When the Client runs a scheduled scan, it uses the options provided by this
policy. If, for example, you have this policy set to remove all macros when an
infected macro is found, then if a scheduled scan encounters a macro virus, all
related macros are deleted on that machine.
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
These options let you configure the scan mode used, any file extensions the
scan ignores, and whether the scanner only detects infections on the boot
sector, or attempts to clean such infections.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.
4. Click New.
The Name and General Settings page for the policy opens.
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Scan Options settings of a Schedule Scan Options policy let you specify the
options for scheduled scans. These options include setting the scan mode, what
files are exempt from scanning, and whether the boot sector is scanned or not.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the Schedule Scan Options Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. In the Options pane, select the scan mode used by the endpoint. You can
select one of the following options:
Normal
Select this option to run the scanner in the normal, default mode.
Deep
Select this option to detect malware that is inactive or has been
deliberately modified, such as in a testing laboratory. Use this mode if
you suspect you have an infection that was not detected by the Normal
mode. Deep mode runs significantly slower than Normal mode.
3. For the File extensions to scan option, select one of the following:
All extensions
Select this option to have the Client scan all files, regardless of the
extension.
Select this option to have the Client scan all files except the ones you
specify. Use this option when you want the Client to ignore only a small
number of file extensions, so that you do not have to list every extension
you want included.
■ To remove a file from the list, select the file extension and click Remove.
5. For the Boot Sector field, set whether you want the Client to report boot
sector infections or to attempt to clean the boot sector infection. You can
choose from the following options:
Report only
Select this option to report boot sector infections. The Client does not
attempt to remove the infection.
The Scan Actions settings of a Schedule Scan Options policy let you specify the
actions taken by scheduled scans. These actions include whether the scan
attempts to clean infections and how the scan treats macro viruses.
1. Open the Scan Actions page by either clicking Next on the Scan Options page
of the Schedule Scan Options Policy, or by clicking the Scan Actions link in
the Steps to Create Policy pane.
2. In the Infection Treatment pane, select what action you want the Client to
take when an infection is detected. You can select the following options:
Clean file
Select this option to have the Client attempt to clean the infected file.
Delete file
Select this option to have the Client attempt to delete the infected file.
Leave file
Select this option to have the Client leave the infected file as is. The file
remains infected and can still cause problems.
Rename file
Select this option to have the Client attempt to rename the infected file.
When renaming, the Client attempts to change the file extension to try
to prevent the infected file from being opened.
■ Delete: Select this option to have the Client delete an infected file if
it cannot clean the file.
■ Leave: Select this option to have the Client leave the infected file
intact if a cleaning attempt fails. The file will remain infected and
could still cause potential problems.
■ Rename: Select this option to have the Client rename the infected
file if it could not clean the file. When renaming, the Client attempts
to change the file extension to try to prevent the infected file from
being opened.
4. In the Macro Virus Treatment pane, specify how you want the scanner to
treat macro viruses. You can select one of the following options:
5. In the System Repair pane, set the Enable System Repair option.
Enable this option to have the Client attempt system cures when an infection
is found. Running a system cure ensures the system is protected but could
limit the availability of the computer while the scan is running.
6. Click Next to continue creating the Scheduled Scan Option policy.
The Archive Settings of a Schedule Scan Options let you specify how the
scheduled scans treat Archive files.
Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit.
Setting a low limit prevents the Client from scanning archived files
that would expand too much and slow down or freeze your computer.
However, the skipped archives could still contain malware and leave the
endpoint vulnerable.
Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this, the Client continues to scan
the archive after finding an infected item. Enabling this option stops the
Client from spending time scanning a known infection, but the Client will
not find any additional infections in the file if they are present.
You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.
5. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, to have the Client scan .zip files, enable the ZIP archive
row.
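The archive limits described in the Real-time Archive Settings and again in the Scheduled Scan Archive Settings above (Maximum Nested Level, Maximum Compression Ratio, maximum uncompressed size and Stop scanning on first infection) are illustrated by the following Python scanner over in-memory ZIP files. It is an added example, not CA's code; ArchivePolicy, scan_archive, the constructed marker string standing in for a real signature, and the constructed sample archive are this example's own assumptions. The nesting levels follow the example.zip explanation above: the archive handed to the scanner is level zero, an archive inside it is level one.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Constructed stand-in for a signature match; not a real malware signature.
MARKER = b"X-TEST-MALWARE-MARKER"


@dataclass
class ArchivePolicy:
    """Assumed names mirroring the Archive Settings fields."""
    max_nested_level: int = 2               # Maximum Nested Level (outer archive is level 0)
    max_compression_ratio: float = 100      # Maximum Compression Ratio (uncompressed : compressed)
    max_uncompressed_size: int = 1_000_000  # maximum uncompressed size of a member, in bytes
    stop_on_first_infection: bool = True    # Stop scanning on first infection


@dataclass
class ScanResult:
    infected: list = field(default_factory=list)  # member paths that matched
    skipped: list = field(default_factory=list)   # (member path, reason) never scanned


def _read_bounded(zf, info, limit):
    """Inflate a member while counting output bytes rather than trusting the header
    alone. zipfile also caps reads at the declared size and verifies the CRC, so a
    header that understates its size surfaces here or as BadZipFile."""
    out = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(65536):
            out += chunk
            if len(out) > limit:
                return None
    return bytes(out)


def scan_archive(data, policy, result=None, depth=0, prefix=""):
    """Scan a ZIP held in memory; depth is this archive's nesting level."""
    if result is None:
        result = ScanResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = prefix + info.filename
            if info.is_dir():
                continue
            # Both limits come from the central directory, before any byte is inflated.
            if info.file_size > policy.max_uncompressed_size:
                result.skipped.append((member, "exceeds maximum uncompressed size"))
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > policy.max_compression_ratio:
                result.skipped.append((member, f"compression ratio {ratio:.0f}:1 exceeds limit"))
                continue
            try:
                content = _read_bounded(zf, info, policy.max_uncompressed_size)
            except zipfile.BadZipFile as exc:
                result.skipped.append((member, f"corrupt member: {exc}"))
                continue
            if content is None:
                result.skipped.append((member, "inflated past the declared size"))
                continue
            if zipfile.is_zipfile(io.BytesIO(content)):
                if depth + 1 > policy.max_nested_level:
                    # Treated as clean without being opened: this is the blind spot.
                    result.skipped.append((member, "nested deeper than maximum nested level"))
                    continue
                scan_archive(content, policy, result, depth + 1, member + "/")
            elif MARKER in content:
                result.infected.append(member)
            if policy.stop_on_first_infection and result.infected:
                return result
    return result


def _zip(members):
    """Build an in-memory ZIP from {name: bytes}, preserving insertion order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_archive():
    """Constructed input: a clean file, a highly compressible 'bomb', an oversized
    member, and an archive nested two levels deep with a marker at each level."""
    deep = _zip({"deeper.txt": b"level two " + MARKER})
    inner = _zip({"payload.bin": MARKER + b" level one", "deep.zip": deep})
    return _zip({
        "readme.txt": b"nothing to see here",
        "bomb.bin": b"\x00" * 500_000,  # roughly 1000:1 under deflate, under the size limit
        "big.bin": b"A" * 1_500_000,    # over the uncompressed size limit
        "inner.zip": inner,
    })


def scan_sample(policy=None):
    return scan_archive(build_sample_archive(), policy or ArchivePolicy())


if __name__ == "__main__":
    for label, pol in [("default", ArchivePolicy()),
                       ("scan whole archive", ArchivePolicy(stop_on_first_infection=False)),
                       ("no nested archives", ArchivePolicy(max_nested_level=0))]:
        r = scan_sample(pol)
        print(label, "infected:", r.infected, "skipped:", r.skipped)
```

With the default policy the bomb and the oversized member are skipped from their headers alone, the first marker inside inner.zip is reported, and Stop scanning on first infection ends the scan before the deeper archive is opened. Turning that option off also reports the marker two levels down; setting Maximum Nested Level to zero reports nothing, because inner.zip is treated as clean without being opened.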
The Advanced Protection options of a Scheduled Scan Options policy let you set
the advanced options, such as if heuristic scanning is used or all accounts on the
endpoint are scanned.
1. Open the Advanced Protection page by either clicking Next on the Archive
Settings page of the Scheduled Scan Options Policy, or by clicking the
Advanced Protection link in the Steps to Create Policy pane.
2. In the Advanced Protection pane, you can set the following options:
Scan all user accounts
Select this option to have the scheduled scan check all user accounts on
the endpoint, not just the user currently logged on to the endpoint.
Note: This option applies only to scheduled Quick Scans.
Select this option to prevent the scanner from checking any file
transferred to an external storage device. If you scan information moved
to external devices, the scan could take longer to complete.
Select this option to allow the Client to scan the Alternate Data Streams
attached to files on an NTFS file system.
Enable this option to allow the scanner to record files that it scans,
allowing it to avoid scanning those files if it can detect that no changes
have been made.
3. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
The Scheduled Jobs policy lets you schedule when the Client runs a scan. The
end user can still perform manual scanning outside of the Scheduled Jobs policy.
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
These settings let you add scheduled scan jobs, specifying when each scan is
to take place.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Scan Job Schedule settings of a Scan Jobs policy let you specify scheduled
scan jobs that will occur on the endpoints which receive the policy. Setting a
schedule scan job ensures that your endpoints are scanned for malware on a
regular basis.
A Scan Job Policy can consist of any number of individual jobs. Each job has its
own schedule, target or targets, and other parameters. This allows you to have
different areas of the machine scanned at different times or with different
settings.
1. Open the Scan Job Schedule settings page by either clicking Next on the
Name and General Settings page of the Scan Job Policy, or by clicking the
Scan Job Schedule link in the Steps to Create Policy pane.
The Scan Job Definition page opens. If you are editing a policy, a listing of
the existing scheduled jobs is displayed.
Scan type
Select a type of scan for this scheduled scan. You can select one of the
following options:
4. (Optional) If you selected Custom for the Scan type, you must specify the
directories you want scanned.
■ To add a directory, enter the path and click Add. The directory is added
to the List of folders.
■ To remove a directory, select the directory from the list and click
Remove.
■ To edit a directory, select the directory, click edit, make any necessary
changes, and click Update.
5. In the Schedule Scan pane, set the time when you want the scan to start.
You must set the date and the time when you want the scan to start.
6. (Optional) To repeat this scan on a regular basis, set the Repeat Every
interval. Enter the number of hours and minutes between each run of the
scan job.
7. Use the CPU Priority drop-down menu to set the amount of CPU cycles the
scanner uses when running the scheduled scan. You can select from one of
the following options:
■ High: Runs the scan with the highest priority, taking CPU cycles
away from other uses.
■ Medium: Runs the scan with the same priority as other running
programs.
■ Low: Runs the scan with a lower priority, letting other processes use
more of the CPU cycles.
■ Idle: Runs the scan only when the CPU is not in use.
To limit the duration of the scan, enable this option and set the number
of minutes the scan is allowed to run.
Finish Scan By
To have the scan end by a scheduled time, enable this option and set the
time when you want the scan to finish by.
The Scan Jobs Definition pane displays the list of jobs included with this
policy. The scan is added to the list.
■ To delete a scan job, select the job and click Delete Job.
■ To edit an existing job, select a job and click Edit Job.
Note: Click Discard to cancel the changes and not add the new job.
10. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
When the Client finds a new virus or potential threat, it can submit that malware
to CA. CA has a research team that gathers malware and attempts to quickly find
ways to cure it and prevent it from spreading. The Malware Submission policy lets
you control the email template used to contact CA when new malware is found.
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.
4. Click New.
The Name and General Settings page for the policy opens.
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Submission Settings of a Malware Submission policy let you specify the reply
email address and customer site ID used when submitting malware information
to CA.
1. Open the Submission Settings page by either clicking Next on the Name and
General Settings page of the Malware Submission Policy, or by clicking the
Submission Settings link in the Steps to Create Policy pane.
3. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
The Proactive Protection policies help ensure the protection of your network.
These policies control network and application access, protect the system files of
the endpoints, and help you locate vulnerabilities in your network. Proactive
Protection policies are built using rules, Rule Sets, and definitions you specify in
the Advanced Configuration options. You can also use the default Advanced
Configuration objects.
Firewall Policies
The Firewall Policies control the Firewall portion of the Management Console.
You can specify which applications have Internet access, and the websites
such applications can access.
The Intrusion Protection policies let you protect your network and endpoints
from any unwanted intrusion.
The firewall rules let you specify whether an application is allowed to access
particular ports and protocols when communicating with certain IP addresses. They
also let you specify the network zone in which each network interface is placed.
These options let you select the Firewall rule sets that apply to this policy.
These options let you control the firewall itself, including options such as how
the firewall reacts to port use.
You can review the rule applied by each Rule Set and see the order in which
the rules are applied.
Use the General Policy Settings to specify the name and description for the
policy. You can also lock the policy to prevent end users from making local
modifications to the policy, and specify whether it is the default policy for all
other firewall policies and automatically included in future installation packages.
4. Click New.
The Name and General Policy Settings page for the policy opens.
Provide a unique name for the policy. Names are limited to 128
characters in length.
Description
Provide a unique description for the policy. Descriptions should help
explain the nature or use of the policy. Descriptions are limited to 128
characters in length.
Protection Mode
Select this option to enforce all aspects of the policy. When selected, if
you create rules that prevent certain actions, these rules are enforced.
Monitor Mode
Select this option to apply the policy with all rules enforced as defined
except those which prevent access. If a rule prevents access, the rule is
treated as allowing access, but events are still generated to allow
monitoring of the access.
7. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users of the Client to be able to
change the settings of this policy.
Note: If an end user has a valid reason for needing to change these settings,
you must change the policy and redeploy it.
8. In the Default Policy pane, specify whether to enable or disable the Would
you like to make this policy the default for this policy type option.
Enable this option to use the policy you are creating or editing as the default
policy for this policy type. The default policies are automatically applied
when a new Client is installed on an endpoint.
9. Click Next to continue creating the policy.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
When creating any Proactive Protection policy, you must select the Rule Sets
that contain the rules applied by that policy. You can use predefined Rule Sets or
create your own rules and Rule Sets using the Advanced Configuration option.
The Firewall Policies control which applications have Internet access and the
websites applications can visit.
1. Open the Rule Sets page by either clicking Next on the General Policy
Settings page of the Firewall Policy, or by clicking the Rule Sets link in the
Steps to Create Policy pane.
2. In the Select Baseline Rule Sets pane, select the baseline Rule Set used for
this Firewall policy.
3. In the Select Add-On Firewall Rule Sets pane, specify any additional Rule
Sets you want applied with this policy.
Use the double arrows to move Add-on Rule Sets between the available Rule
Set list and the selected Rule Set list.
4. Click Next to continue creating the Firewall policy.
The User-Specific Add-on Rule Sets page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
When creating a Firewall policy, you can add Rule Sets that only apply to a
specific set of users as you create the policy. Rules specified on the Firewall
Policy Rule Sets page are applied to all users, but the rules specified on the
User-Specific Add-on Rule Sets page are applied to only the users in the selected
user list.
1. Open the User-Specific Add-on Rule Sets page by either clicking Next on the
Rule Sets page of the Firewall Policy, or by clicking the User-Specific Add-on
Rule Sets link in the Steps to Create Policy pane.
2. In the Manage User Lists pane, select a user list.
User lists identify the users to which add-on Rule Sets apply.
Alternatively, you can click New User List to create a new user list or click
Delete User List to remove a user list from the pane.
3. In the Define User List pane, select the user type in the User Type field, enter
a name, and click Add to specify the users.
Alternatively, you can perform the following:
■ To modify an existing user, select the user and click Modify. Once you
have made the necessary changes, click Update.
4. In the Define User List pane, specify any additional rule sets you want
applied with this user list.
Use the double arrows to move add-on Rule Sets between the available Rule
Set list and the selected Rule Set list.
The Policy Options of a Firewall policy let you specify options that control your
firewall policy, including stealth settings and port scan detection. You can also
set the audit level for Port Scan access, to define when an event is sent to the
event server.
4. Specify the audit level for invalid network packets in the Audit Invalid
Network Packets pane, and the audit level for the Firewall Engine in the Audit
Firewall Engine Status pane.
5. In the Stealth Setting pane, set the audit level for the stealth settings, and
enable the following monitoring options:
After adding all the Rule Sets and specifying the policy options for a Firewall
policy, you should review the rule order.
The order of the rules is important as it is possible to negate rules if the order is
incorrect. Reviewing the rule order also lets you make sure that you have
included only the rules you want in the policy. Once you have reviewed the rules,
you can save and deploy the policy.
1. Open the Review Rule Order page by either clicking Next on the Policy
Options page of the Firewall Policy, or by clicking the Review Rule Order link
in the Steps to Create Policy pane.
2. Select a User list to display the rules that apply to that list.
Rules are listed in order, from top to bottom.
#
The order number for the rule.
Rule Name
By enabling Show Details, the Rule list displays the following additional
information:
Access
Application
Applications to which the rule applies.
Transport
The transport protocols that apply to the rule.
Direction
Remote IP
Any remote IP address to which the rule applies.
Routed Rule
Whether the rule applies to IP addresses that have been routed to a
different address.
Local IP
Any local IP address to which the rule applies.
Zone
The zone to which the rule applies.
Time Frame
Application Control Policies control which applications are enrolled in the known
application groups. These policies also control which applications are allowed to
spawn other applications and identify the applications for which an integrity
check is needed. You can also use these policies to specify the action to take if an
integrity check fails.
Unlike Firewall and OS Security policies, where the order of rules can determine
the successful application of a policy, rule order is not important in Application
Control policies, so you need not review it once you have created the policy.
These options let you specify the Application Control Rule Sets in use by this
policy.
Use the General Policy Settings to specify the name and description for the
policy. You can also lock the policy to prevent changes on the Client and specify
whether it is the default policy, installed on all Clients at installation.
2. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.
4. Click New.
The Name and General Settings page for the policy opens.
Provide a unique name for the policy. Names are limited to 128
characters in length.
Description
Protection Mode
Select this option to enforce all aspects of the policy. When selected, if
you create rules that prevent certain actions, these rules are enforced.
Monitor Mode
Select this option to apply the policy with all rules enforced as defined
except those which prevent access. If a rule prevents access, the rule is
treated as allowing access, but events are still generated to allow
monitoring of the access.
7. In the Lock Settings pane, specify whether to enable the Lock settings when
applying this policy option to ensure that the policy is not changed by end
users.
Enable this option if you do not want end users of the Client to be able to
change the settings of this policy.
Note: If an end user has a valid reason for needing to change these settings,
you must change the policy and redeploy it.
8. In the Default Policy pane, specify whether to enable the Would you like to
make this policy the default for this policy type option to indicate that this is
the default policy for this policy type.
When creating any Proactive Protection policy, you must select the Rule Sets,
containing the rules applied by that policy. You can use predefined Rule Sets, or
create your own rules and Rule Sets using the Advanced Configuration option.
The Application Control Policies control which applications can be installed and
run on the endpoint.
1. Open the Rule Sets page by either clicking Next on the General Policy
Settings page of the Application Control Policy, or by clicking the Rule Sets
link in the Steps to Create Policy pane.
2. In the Select Baseline Rule Sets pane, select the baseline Rule Set used for
this Application Control policy. You must select Rule Sets for the following
categories:
Known Applications Use Rule Set
Specify the Rule Set to use to govern the known applications on the
endpoint.
Integrity Check Rule Set
Specify the Rule Set to use to control integrity checks on the endpoint.
This Rule Set is optional. You must enable the Rule Set to use this
feature.
3. In the Select Add-On Application Spawning Rule Sets pane, specify any
additional rule sets you want applied with this policy.
Use the double arrows to move Rule Sets between the available Rule Set list
and the selected Rule Set list.
4. Click Next to continue creating the Application Control policy.
The Policy Options of an Application Control policy let you specify whether to use
the known application database and identify the audit levels for the Application
Control policy. The audit level defines when an event is sent to the event server.
When specifying audit levels, a High setting sends the event immediately, whereas
the Low and Medium settings send events based on the triggers defined in the
event policy. To ignore events, set the audit level to Ignore.
1. Open the Policy Options page by either clicking Next on the User-Specific
Add-on Rule Sets page of the Application Control Policy, or by clicking the
Policy Options link in the Steps to Create Policy pane.
2. Enable the Use Known Applications Database option to specify that the
Known Application Use Rules use this database to enroll applications in one
of the application groups as per the rule.
You must ensure that all applications used by your endpoints are properly
enrolled or you could encounter issues.
3. In the Action and Audits Levels pane, set the following options:
The OS System Security policy controls which applications have access to the
endpoint's system files and settings. Using OS System Security policies lets you
protect COM ports, devices, hidden files and directories, and other system-critical
components.
These options let you select the OS System Security Rule Sets that apply to
this policy.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent changes on the Client and
specify whether it is the default policy, installed on all Clients at installation.
2. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.
4. Click New.
The Name and General Settings page for the policy opens.
Provide a unique name for the policy. Names are limited to 128
characters in length.
Description
Protection Mode
Select this option to enforce all aspects of the policy. When selected, if
you create rules that prevent certain actions, these rules are enforced.
Monitor Mode
Select this option to apply the policy with all rules enforced as defined
except those which prevent access. If a rule prevents access, the rule is
treated as allowing access, but events are still generated to allow
monitoring of the access.
7. In the Lock Settings pane, specify whether to enable the Lock settings when
applying this policy option to ensure that the policy is not changed by end
users.
Enable this option if you do not want end users of the Client to be able to
change the settings of this policy.
Note: If an end user has a valid reason for needing to change these settings,
you must change the policy and redeploy it.
8. In the Default Policy pane, specify whether to enable the Would you like to
make this policy the default for this policy type option to indicate that this is
the default policy for this policy type.
When creating any Proactive Protection policy, you must select the Rule Sets
applied by that policy. Rule sets contain multiple rules to be applied by the policy.
You can use predefined Rule Sets, or create your own rules and Rule Sets using
the Advanced Configuration option. The OS Security Policies control which
applications can impact your operating system.
1. Open the Rule Sets page by either clicking Next on the General Policy
Settings page of the OS Security Policy, or by clicking the Rule Sets link in
the Steps to Create Policy pane.
2. In the Select Baseline Rule Sets pane, select the baseline Rule Set used for
this OS Security policy. You must select Rule Sets for the following
categories:
Baseline OS Security Rule Set
Specify which Rule Set forms the baseline for this OS Security policy. The
baseline rule forms the foundation of your OS Security policy.
Baseline OS Security Guard Rule Set
Select the OS Security Guard Rule Set. The Guard rules can be used to
turn on or off OS security rules such as file access or device access rules
for a specific application or application group. The OS security rules are
applied only if the Guard rule is set to on.
3. In the Select Add-On OS Security Rule Sets pane, specify any additional rule
sets you want applied with this policy. Use the double arrows to move Rule
Sets between the available Rule Set and the selected Rule Set list.
4. Click Next to continue creating the OS Security policy.
The User-Specific Add-on Rule Sets page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
When creating an OS Security policy, you can add Rule Sets as you create the
policy. You can use these user-specific add-on Rule Sets to limit access to certain
applications without going through the Advanced Configuration options.
1. Open the User-Specific Add-on Rule Sets page by either clicking Next on the
Rule Sets page of the OS Security Policy, or by clicking the User-Specific
Add-on Rule Sets link in the Steps to Create Policy pane.
■ To specify a user, select the user type in the User Type field, enter a
name, and click Add.
■ To modify an existing user, select the user and click Modify. Once you
have made the necessary changes, click Update.
4. In the Define User List pane, specify any additional Rule Sets you want
applied with this user list.
Use the double arrows to move add-on Rule Sets between the available Rule
Set list and the selected Rule Set list.
The Policy Options of an OS Security policy let you specify options that control
interactions with endpoint operating systems. You can opt to bypass user-mode
hooks or DLL code injections. You can also set the audit level for the OS security
engine. The audit level defines when an event is sent to the event server. When
specifying audit levels, a High setting sends the event immediately, whereas the
Low and Medium settings send events based on the triggers defined in the event
policy. To ignore events, set the audit level to Ignore.
1. Open the Policy Options page by either clicking Next on the User-Specific
Add-on Rule Sets page of the OS Security Policy, or by clicking the Policy
Options link in the Steps to Create Policy pane.
Specify the audit level for the OS Security engine. The audit level defines
when an event is sent to the event server. When specifying audit levels,
a High setting sends the event immediately, whereas the Low and Medium
settings send events based on the triggers defined in the event policy. To
ignore events, set the audit level to Ignore.
After adding all the Rule Sets and specifying the policy options for an OS System
Security policy, you should review the rule order. The order of the rules is
important as it is possible to negate rules if the order is incorrect. Reviewing the
rule order also lets you make sure that you have included only the rules you want
in the policy. Once you have reviewed the rules, you can save and deploy the
policy.
1. Open the Review Rule Order page by either clicking Next on the Policy
Options page of the OS System Security Policy, or by clicking the Review
Rule Order link in the Steps to Create Policy pane.
2. Select a Rule Type to display the rules that apply to that type.
By enabling Show Details, the Rule list displays the following additional
information:
Application
Protected Object
The object or object groups protected by this rule. The object listed
depends on the Rule Type selected. This column does not appear if you
select a type of System Privilege, DLL Loading, or Remote Process
Control.
Target Application
The application targeted by this rule. This column only appears for the
Remote Process Control Rule Type.
Read
Whether the rule allows read access, and whether that access is audited.
This category only applies to file and registry objects.
Create
Whether the rule allows file or registry creation access, and whether that
access is audited. This category only applies to file and registry objects.
Write
Whether the rule allows write access, and whether that access is
audited. This category only applies to file and registry objects.
Delete
Whether the rule allows deletion, and whether that access is audited.
This category only applies to file and registry objects.
In-Process Creation
Whether the rule allows COM object creation during a process, and
whether that access is audited. This category only applies to COM
objects.
Out-of-Process Creation
Whether the rule allows COM object creation outside of an existing
process, and whether that access is audited. This category only applies
to COM objects.
Remote Creation
Whether the rule allows COM object to be remotely created, and whether
that access is audited. This category only applies to COM objects.
Whether the rule allows a review of the status of an open service, and
whether that access is audited. This category only applies to service
objects.
Install Service
Whether the rule allows installation of a service, and whether that access
is audited. This category only applies to service objects.
Control Service
Whether the rule allows control of a service, and whether that access is
audited. This category only applies to service objects.
Delete Service
Whether the rule allows deletion of a service, and whether that access is
audited. This category only applies to service objects.
Query Service
Whether the rule allows queries for service information, and whether
that access is audited. This category only applies to service objects.
Start Service
Whether the rule allows a service to be started, and whether that access
is audited. This category only applies to service objects.
Stop Service
Whether the rule allows a service to be stopped, and whether that access
is audited. This category only applies to service objects.
Access Device
Whether the rule allows a device to be accessed, and whether that
access is audited. This category only applies to device objects.
Clipboard Access
Whether the rule allows clipboard access, and whether that access is
audited. This category only applies to system privilege.
System Shutdown
Whether the rule allows shutting down the system, and whether that
access is audited. This category only applies to system privilege.
Load DLL
Whether the rule allows loading of a DLL, and whether that access is
audited. This category only applies to DLL Loading.
Whether the rule allows remote injection of code into memory, and
whether that access is audited. This category only applies to Remote
Control Access objects.
Inject DLL
Whether the rule allows remote injection of a DLL, and whether that
access is audited. This category only applies to Remote Control Access
objects.
Whether the rule allows remote injection of UI activity, and whether that
access is audited. This category only applies to Remote Control Access
objects.
Time Frame
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
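Both the Firewall and the OS System Security Review Rule Order pages above warn that a rule can be negated if it sits below a broader rule. The following Python is an added example, not CA Total Defense code, that flags such rules; it assumes top-to-bottom, first-match evaluation (which the guide does not state) and uses constructed rules and a constructed event keyed by the column names shown on the Review Rule Order pages.

```python
"""Rule-order review helper: flags rules that an earlier rule makes unreachable.

Added example, not code from CA Total Defense. Assumption (the guide does not
state the engine's matching model): rules are evaluated top to bottom and the
first rule whose criteria all match decides the access, so a later rule whose
criteria are entirely covered by an earlier one can never fire.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network

ANY = "*"  # wildcard for a criterion the rule does not restrict
_NETWORKS = (IPv4Network, IPv6Network)


@dataclass
class Rule:
    number: int      # the "#" column: position in the rule list
    name: str
    access: str      # "Allow" or "Deny"
    criteria: dict   # column name -> ANY, frozenset of values, or ip_network(...)


def covers(outer, inner):
    """True if every value matched by `inner` is also matched by `outer`."""
    if isinstance(outer, str) and outer == ANY:
        return True
    if isinstance(inner, str) and inner == ANY:
        return False
    if isinstance(outer, _NETWORKS) and isinstance(inner, _NETWORKS):
        return outer.version == inner.version and inner.subnet_of(outer)
    if isinstance(outer, _NETWORKS) or isinstance(inner, _NETWORKS):
        return False
    return frozenset(inner) <= frozenset(outer)


def shadows(earlier, later):
    """True if `earlier` matches everything `later` would match."""
    keys = set(earlier.criteria) | set(later.criteria)
    return all(covers(earlier.criteria.get(k, ANY), later.criteria.get(k, ANY))
               for k in keys)


def find_shadowed(rules):
    """Return (shadowed #, shadowing #, kind) for each rule that can never fire.

    kind is "negated" when the two rules disagree on access (the case the guide
    warns about) and "redundant" when they agree.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadows(earlier, later):
                kind = "negated" if earlier.access != later.access else "redundant"
                findings.append((later.number, earlier.number, kind))
                break  # reporting the first shadowing rule is enough
    return findings


def matches(rule, event):
    """True if a concrete event (column -> value) satisfies all rule criteria."""
    for key, wanted in rule.criteria.items():
        if isinstance(wanted, str) and wanted == ANY:
            continue
        actual = event.get(key)
        if actual is None:
            return False
        if isinstance(wanted, _NETWORKS):
            try:
                if ip_address(actual) not in wanted:
                    return False
            except ValueError:
                return False
        elif actual not in wanted:
            return False
    return True


def decide(rules, event):
    """First-match decision: (number, access) of the deciding rule, or None."""
    for rule in rules:
        if matches(rule, event):
            return rule.number, rule.access
    return None


# Constructed firewall rules, in the order a Review Rule Order page would list them.
FIREWALL_RULES = [
    Rule(1, "Browser may go out anywhere", "Allow",
         {"Application": frozenset({"browser.exe"}), "Direction": frozenset({"Outbound"})}),
    Rule(2, "Block browser to quarantined subnet", "Deny",
         {"Application": frozenset({"browser.exe"}), "Transport": frozenset({"TCP"}),
          "Direction": frozenset({"Outbound"}), "Remote IP": ip_network("192.0.2.0/24")}),
    Rule(3, "Block inbound to browser", "Deny",
         {"Application": frozenset({"browser.exe"}), "Direction": frozenset({"Inbound"})}),
]

# Constructed OS Security rules: the same check with that page's columns.
OS_RULES = [
    Rule(1, "Editor may touch any file", "Allow", {"Application": frozenset({"editor.exe"})}),
    Rule(2, "Editor may not alter hosts file", "Deny",
         {"Application": frozenset({"editor.exe"}),
          "Protected Object": frozenset({r"C:\Windows\System32\drivers\etc\hosts"}),
          "Operation": frozenset({"Write", "Delete"})}),
]

# Constructed event that rule 2 was meant to block.
BROWSER_TO_QUARANTINE = {"Application": "browser.exe", "Transport": "TCP",
                         "Direction": "Outbound", "Remote IP": "192.0.2.10"}

if __name__ == "__main__":
    print(find_shadowed(FIREWALL_RULES))                  # [(2, 1, 'negated')]
    print(decide(FIREWALL_RULES, BROWSER_TO_QUARANTINE))  # (1, 'Allow')
    fixed = [FIREWALL_RULES[1], FIREWALL_RULES[0], FIREWALL_RULES[2]]
    print(find_shadowed(fixed))                           # []
    print(decide(fixed, BROWSER_TO_QUARANTINE))           # (2, 'Deny')
    print(find_shadowed(OS_RULES))                        # [(2, 1, 'negated')]
```

Moving the narrower Deny rule above the broad Allow clears the finding and changes the decision for the constructed event from Allow to Deny, which is exactly the kind of ordering mistake the review step is meant to catch.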
The Intrusion Protection policy lets you protect your network and the endpoints
from any unwanted intrusion.
These options let you select the Intrusion Protection Rule Sets that apply to
this policy.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
When creating any Proactive Protection policy, you must select the Rule Set
groups applied by that policy. Rule set groups contain collections of Rule Sets.
You can use predefined Rule Set groups, or create your own using the Advanced
Configuration option.
1. Open the Select Rule Set Group page by either clicking Next on the General
Policy Settings page of the Intrusion Protection Policy, or by clicking the
Select Rule Set Group link in the Steps to Create Policy pane.
2. In the Available Rule Set Group table, select the Rule Set group to add to this
policy.
Use the arrows to move Rule Set groups between the Available Rule Set
Groups list and the Selected Rule Set Groups list.
3. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
Description
Select this option to search the Description column. This column lists the
descriptions for the Rule Set groups.
# of Rule Sets
Select this option to search in only the # of Rule Sets column. This
column lists the number of Rule Sets in the groups.
# of Rules
Select this option to search the Total # of Rules column. This column lists
the total number of rules in the group.
4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.
The Select Rule Set Groups and Available Rule Set Groups tables contain the
following fields:
+/-
Expand or collapse the Rule Set group to display the Rule Sets in each group.
If you mouse over a Rule Set, you can see the details for that set.
Writable
Indicates whether you can edit the Rule Set group. If not checked, the Rule
Set group is read-only.
Built-In
Indicates whether the Rule Set group is built-in to the CA Total Defense
Server.
The total number of rules in the Rule Set group. This total is the sum of all
the rules in each Rule Set.
The Vulnerability Assessment policy lets you check to see if there are any
network vulnerabilities. You can specify controls such as how many login
attempts are allowed before a user is locked out, the minimum password length,
local shared directory restrictions, and other features that let you protect your
network.
These options let you schedule when the vulnerability assessment scan
occurs.
These options let you specify what you consider to be vulnerable passwords
or user settings.
4. Configure the Local Share Settings. (see page 308)
These options let you check on local shared drives, letting you prevent
network vulnerabilities associated with open shares.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
When creating a Vulnerability Assessment policy, you must specify when the
vulnerability assessment scan must take place. Generally, you can set the scan
to recur as often as needed. It is recommended that you run the scan at least once
a month. You can also create a one-time scan to run the scan only once, or to
run the scan before the next scheduled scan is due.
1. Open the Scan Schedule page by either clicking Next on the General Policy
Settings page of the Vulnerability Assessment policy, or by clicking the Scan
Schedule link in the Steps to Create Policy pane.
The Account and Password settings of a Vulnerability Assessment policy let you
view information on how accounts and passwords are maintained on your
network. You can see information on all the passwords that are under or over a
specified length, how long since a password was last updated, and more. You can
also specify the account lock out settings.
1. Open the Account and Password Settings page by either clicking Next on the
Scan Schedule page of the Vulnerability Assessment Policy, or by clicking the
Account and Password Settings link in the Steps to Create Policy pane.
2. In the Account and Password Settings pane, you can enable the following
settings:
Disabled Accounts
Allow the Management Console to review all disabled accounts.
Locked Accounts
Report all users logged off due to inactivity for longer than the time
specified. You must specify a number of minutes.
3. In the Account Lockout Settings pane, you can enable the following options:
The duration a user must wait before being able to be manually removed
from lockout. You must specify the length of time.
4. Click Next to continue creating the Vulnerability Assessment policy.
When performing the vulnerability assessment, you can have the Management
Console report on the open shared network drives in your network domain. You
can set the options for checking these shares on the Local Share Settings page of
the Vulnerability Assessment Policy.
This section describes the Advanced Configuration, found under the Proactive
Protection policies. These configurations are similar to the Building Blocks used
to create policies in the HIPS r8.0 and 8.1 releases. The CA Total Defense product
includes some built-in Proactive Protection policy components, which you can
customize to your needs. You can also create your own components if you find
the built-in components do not cover the areas you need to protect. Components
include definitions, rules, Rule Sets, and Rule Set groups.
Definitions are the basic building blocks, and can be as simple as a defined time
frame when a rule applies or a range of IP addresses that a rule allows or blocks.
Definitions are specific and are not combined into groups or sets. You can,
however, have multiple types of a similar definition. For example, to have some
rules that apply during business hours and other rules that apply after business
hours, you could have two Timeframe definitions, one defining when business
hours are, and one defining non-business hours. Definitions can also be used
across all Proactive Protection Policies. You would only need to create one
Timeframe definition for business hours if those same hours applied to both
Firewall and OS Security policies.
Rules govern the specific behavior that is either allowed or prevented. Rules are
specific to the type of policy you are creating. A Firewall rule could not be used to
build an Intrusion Protection policy as the specifics of the rule do not apply.
Rule sets are simply collections of rules. You can use Rule Sets to group specific
rules together, allowing you to organize your rules as you need. For example,
you could have a Rule Set that applies only to outbound traffic on laptops and
another Rule Set that applies to inbound traffic on laptops.
Rule set groups are collections of Rule Sets. For example, you could have a Rule
Set group that covers all Rule Sets that apply to laptop machines and one Rule
Set group that applies to all desktop machines.
You can access Advanced Configuration pages from either the Global Policy
Definitions or the Policies and Partitions menus.
Note: If you access an Advanced Configuration page from the Global Policies
area, the components you create are Global Policy Components. If you access an
Advanced Configuration page from a specific partition area, you create Partition
Specific Policy Components.
The Global Policy Definitions page for that policy type opens.
3. Click Advanced Configuration and select Built-in Policy Components or All
Advanced Policy Components from the drop-down menu.
5. Select the policy whose Advanced Configuration you want to access and click
Manage Policies.
The Policy Assignment Tree window opens for that specific policy type of that
partition or branch.
Note: If you access an Advanced Configuration page from the Global Policies
area, the components you create are Global Policy Components. If you access an
Advanced Configuration page from a specific partition area, you create Partition
Specific Policy Components.
White List
The CA Total Defense White list, a list of the applications allowed to run on
your network. You can enroll applications to this list.
Black List
The CA Total Defense Black list, a list of the applications not permitted to run
on your network. You can enroll applications to this list.
Installations List
The CA Total Defense Installations list, a list of the applications allowed to act
as installers for other applications. You can enroll applications to this list.
Access Controls
Access permissions for system devices and drives.
Hidden Directories for Restricted Applications
This section describes the process of setting the Firewall Advanced configuration
options. The Built-in Policy Components for the Firewall include:
How your network treats the security zones defined on the Internet.
Monitoring of Port Listening
How CA Total Defense product monitors port listening attempts.
The other Advanced configuration options accessible from the Firewall policies
include Firewall Rules and Rule Sets, Firewall Zone Rules and Rule Sets, and the
basic definitions used by the Firewall policies. These definitions include
Transport, IP Address, and Time Frame definitions.
Applications accepting network connections are those that you would expect
others to access over your network. An example could be a timesheet application
or other service that resides on a server and is accessed remotely. You must
include these applications in the Applications Accepting Network Connections
list.
This application group is used in a built-in firewall rule which allows Internet
access to the applications enrolled in this group. This built-in rule is used in a
built-in policy. If you are using this built-in policy then you can manage the
applications accepting network connections from this page.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.
Description
Search the Description field.
New
Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
This table lists the definition, file name, and description of the applications
enrolled in the selected group.
You must include all applications to which you want to give Internet access on
the Applications with Internet Access list. By default, certain instant messenger
service applications and web browser applications are pre-populated to this list.
Still, you can add or remove some of these applications, as necessary. You can
also add other software that requires activation or licensing transfers across the
Internet. This page lets you enroll or remove applications from the Applications
with Internet Access list.
This application group is used in a built-in firewall rule which allows Internet
access to the applications enrolled in this group. This built-in rule is used in a
built-in policy. If you are using this built-in policy then you can manage the
applications having Internet access from this page.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Definition
Search the Definition field. The definition is typically the filename of the
application only.
Filename
Search the Filename field. The filename field typically includes both the
path and the application filename.
Description
You can enter any number of characters and the search looks for that string
of characters. Do not use wildcards as these are treated as characters, not
wildcards.
4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.
New
Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
This table lists the definition, file name, and description of the applications
enrolled in the selected group.
The built-in Internal Network Definition page lets you define the intranet IP
address for your network. From this page, click the Add/Remove IP Addresses
button to update the intranet definition for your network.
To add an IP address
2. Click Save.
The changes are saved and you are returned to the Open System Ports page.
To remove an IP address
1. Select the IP address to remove from the list and click Remove.
The address is removed from the table.
2. Click Save.
The changes are saved and you are returned to the Open System Ports page.
To modify an IP address
1. Select the IP address to modify from the list and click Modify.
2. Change the IP address.
Alternatively, use the Clear button to clear the IP Address field, if necessary.
3. Click Update.
The address is updated to the new value.
4. Click Save.
The changes are saved and you are returned to the Open System Ports page.
The built-in Open System Ports page lets you define the allowed open ports on
your network. From this page, click the Add/Remove Ports button to update the
open port list for your network.
Use this page to add, edit, or remove open ports. You can also specify whether to
negate source or destination ports.
The manner of specifying ports depends on the protocol you use. For most
protocols, you can choose a single port, a range of ports, or all ports.
When specifying a single port or range of ports, you must also supply the
required values. For the ICMP protocol you must specify a function.
3. Click Add.
The ports are added to the table.
4. Click Save.
The changes are saved and you are returned to the Open System Ports page.
To remove a port
1. Select the port to remove from the list and click Remove.
The port is removed from the table.
2. Click Save.
The changes are saved and you are returned to the Open System Ports page.
To modify a port
1. Select the port to modify from the list and click Modify.
2. Change the protocol and destination port.
3. Click Update.
Negating source or destination ports applies to all ports in the list. Negating a
group of ports means that every port except those listed is available to use.
The Custom Firewall Rules page lets you add or remove rules used by the built-in
Firewall Rule set. This Rule Set forms the basis for the Firewall policies.
New
Click this button to create a new Firewall Rule. Once the rule is created, the
rule is added to the rules table and can be used in the Custom Firewall Rule
Set.
Edit
Select a rule and click Edit to edit the rule. Some definitions are read-only
and cannot be edited.
Delete
Select a rule and click Delete to delete the rule. Deleting the rule removes
the rule from the Management Server. You should only delete rules if you do
not plan to use them again.
To simply remove a rule from the Rule Set, use the Remove Rule button.
Some definitions are read-only and cannot be deleted.
Add Rule
Select a rule and click Add Rule to add the rule to the Custom Firewall Rule
Set.
Remove Rule
Select a rule and click Remove Rule to remove the rule from the Custom
Firewall Rule Set, but not delete the rule completely.
Priority
Select a rule and use the Priority arrows to move the rule up and down the
listing. The rules are prioritized from highest to lowest. Higher priority rules
are applied first.
Note: The rules can be enabled or disabled by selecting the check box in the
Selected Rule list.
3. Specify the remote and local IP addresses associated with this Rule Set (see
page 323).
4. Specify the access permissions, audit levels, Firewall zones and time frame
for this Rule Set (see page 323).
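As an added example (not CA's code or configuration), the following Python models the Firewall building blocks this section describes: Transport, IP Address and Time Frame definitions, rules that apply to exactly one direction and carry the Selected Rule check box, and a Rule Set evaluated from highest priority down, first match wins. It also models the Open System Ports negation option from the previous section, where negating the list means every port except those listed. The class names, sample rules, addresses and time frame are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortSpec:
    """() means all ports; negate is the Open System Ports option (all except listed)."""
    ranges: Tuple[Tuple[int, int], ...] = ()
    negate: bool = False

    def matches(self, port: int) -> bool:
        listed = any(lo <= port <= hi for lo, hi in self.ranges)
        return True if not self.ranges else (not listed if self.negate else listed)


@dataclass(frozen=True)
class Transport:                         # Transport definition
    protocol: str                        # "TCP", "UDP" or "ICMP"
    ports: PortSpec = PortSpec()
    icmp_function: Optional[int] = None  # ICMP takes a function, not a port

    def matches(self, pkt: "Packet") -> bool:
        if pkt.protocol != self.protocol:
            return False
        if self.protocol == "ICMP":
            return self.icmp_function in (None, pkt.icmp_function)
        return self.ports.matches(pkt.dst_port)


@dataclass(frozen=True)
class IPAddressDef:                      # IP Address definition
    networks: Tuple[str, ...] = ()       # () means any address

    def matches(self, addr: str) -> bool:
        return not self.networks or any(ip_address(addr) in ip_network(n) for n in self.networks)


@dataclass(frozen=True)
class TimeFrame:                         # Time Frame definition
    start: time
    end: time                            # an end before the start wraps past midnight

    def matches(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str                       # "inbound" or "outbound"
    remote_ip: str
    dst_port: int = 0
    icmp_function: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    direction: str                       # exactly one direction, as the page notes
    transport: Transport
    remote: IPAddressDef = IPAddressDef()
    timeframe: Optional[TimeFrame] = None
    enabled: bool = True                 # the Selected Rule check box

    def matches(self, pkt: Packet, when: datetime) -> bool:
        return (self.enabled and pkt.direction == self.direction
                and self.transport.matches(pkt)
                and self.remote.matches(pkt.remote_ip)
                and (self.timeframe is None or self.timeframe.matches(when)))


class RuleSet:
    """Rules are kept highest priority first; the first match decides."""
    def __init__(self, rules, default: str = "block"):
        self.rules = list(rules)
        self.default = default

    def evaluate(self, pkt: Packet, when: datetime) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(pkt, when):
                return rule.action, rule.name
        return self.default, "default"


# Constructed sample definitions and Rule Set (not from the product).
BUSINESS_HOURS = TimeFrame(time(9, 0), time(17, 0))
INTRANET = IPAddressDef(("10.0.0.0/8",))
RDP = Transport("TCP", PortSpec(((3389, 3389),)))
SAMPLE_RULES = RuleSet([
    Rule("Allow intranet RDP in business hours", "allow", "inbound", RDP,
         INTRANET, BUSINESS_HOURS),
    Rule("Block inbound RDP", "block", "inbound", RDP),
    Rule("Allow outbound web", "allow", "outbound",
         Transport("TCP", PortSpec(((80, 80), (443, 443))))),
])


def decide(pkt: Packet, hour: int, rule_set: RuleSet = SAMPLE_RULES):
    # Evaluate at a constructed date, varying only the hour of day.
    return rule_set.evaluate(pkt, datetime(2024, 1, 15, hour, 0))
```

Reordering the two RDP rules reverses the outcome for intranet hosts during business hours, which is why the Priority arrows matter more than the rule count.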
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
From this page, you can specify the applications or application groups to which a
rule applies:
1. Specify whether you want this rule to apply to all applications, a group of
applications, or a specific application.
2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
This page lets you specify the communications protocol and the directions of
communication in the built-in custom Firewall Rule Set.
If you want the rule to apply to two protocols, create the rule for one
protocol, copy and paste the rule, then edit the copy and change the
protocol.
You can specify inbound or outbound, but you cannot select both.
To create the same rule for both traffic directions, create the rule, copy and
paste the rule, then edit the copy and change the direction.
3. Click Next.
The Remote and Local IP Address pane opens.
Alternatively, click Save to save your changes.
Your changes are saved, and the page closes. Click Back to return to the previous
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.
This page lets you specify the remote and local IP address used in the built-in
custom Firewall Rule Sets.
3. Click Next.
The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.
Alternatively, click Save to save your changes.
Your changes are saved, and the page closes. Click Back to return to the previous
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.
Specify Access Permissions, Audit Levels, Firewall Zones, and Time Frames
This page lets you specify the access permissions, audit levels, Firewall zones,
and time frames in the built-in custom Firewall Rule Sets.
The Firewall Zone Assignment page lets you define the rules used by the built-in
Firewall Zone Rule set. This Rule Set forms the basis for the Firewall Zone
policies. This is a built-in Firewall zone assignment Rule set which is referenced
in built-in policies. This page lets you modify this Rule Set.
Select a rule and click Edit to edit the rule. Some definitions are read-only
and cannot be edited.
Delete
Select a rule and click Delete to delete the rule. Deleting the rule removes
the rule from the Management Server. Only delete rules if you do not plan to
use them again.
To simply remove a rule from the Rule Set, use the Remove Rule button.
Some definitions are read-only and cannot be deleted.
Add Rule
Select a rule and click Add Rule to add the rule to the Built-in Firewall Rule
Set.
Remove Rule
Select a rule and click Remove Rule to remove the rule from the Built-in
Firewall Rule Set, but not delete the rule completely.
Priority
Select a rule and use the Priority arrows to move the rule up and down the
listing. The rules are prioritized from highest to lowest. Higher priority rules
are applied first.
Firewall Zone rules are used to make up your Firewall Zone policy and control
settings for different network zones.
2. Enter the name and description for the rule and click Next.
The Interface Identification pane opens, replacing the Name and General
Settings pane.
3. In the Identify Interface By pane, use one of the radio button options to
specify how a network interface is identified.
4. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.
5. Click Save to save your changes.
Your changes are saved, and the pages close. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
This page lets you configure the interface identifications for selected zones.
1. In the Identify Interface By pane, specify how you would like to identify the
zone and provide the corresponding address information.
2. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.
This page lets you monitor all the applications which can open a port. On this
page, you can enroll applications into the group or subgroups that are not
monitored. On this page, you can specify the following options:
Audit Level for Selected Applications
Select an application or application group and specify the audit level using
this option. When any application in this group opens a port, an event is
raised based on this audit level. The audit level defines when an event is sent
to the event server. When specifying audit levels, a high setting sends the
event immediately, while low and medium settings send events based on the
triggers defined in the event policy. To ignore events, set the audit level to
Ignore. You can choose from the following audit levels:
High
All details are sent immediately to the event server.
Medium
Event details are sent to the event server based on triggers defined in
the event policy.
Low
Event details are sent to the event server based on triggers defined in
the event policy.
Ignore
All events are ignored.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Description
Search the Description field.
New
Clicking this button opens a drop-down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Click this button to enroll groups of applications all identified in the same
manner at one time. For example, if you are adding a list of applications
based on file names, use this option to enroll all the applications at one time
instead of enrolling each application as a new one.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
This table lists the definition, file name, and description of the applications
enrolled in the selected group.
The Application Control Advanced Configuration lets you create building blocks
used in Application Control Policies. The built-in policy components include:
Application White List
The Application White list should contain those applications allowed to run on
your network. If you limit the applications available to your end users, or
need very strong protection for your network, you may use the Application
White list heavily. For example, you could add the instant messenger
application your company uses to the White list, which would block all
others, preventing unwanted work distractions or access.
Installations List
The Installations list contains all the applications that are allowed to be
installed on your network. If, for example, certain application upgrades do
not meet your security standards, you could keep the older versions of the
application on the list, but remove the newest release from the list until you
feel all security issues have been resolved.
In addition to the pre-defined application lists, you can create your own
application lists, enroll applications in that list and create DLL lists, and enroll
DLLs into that list. You can also create rules governing the Known Application
Database, Integrity Checks, and Application Spawning. You can also add
Certificate definitions.
The Configure Application White List page lets you add applications and
application groups to the Application White lists. Use this list to allow the running
of only those applications on the list.
The Application White lists let you enroll applications and sub groups in a group
named Trusted. This application group is referenced in many different types of
rules, such as the application spawning rule "Allow trusted applications". This
group is also used in many OS security rules which allow access to registries and
files for these applications.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Description
Search the Description field.
New
Clicking this button opens a drop down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
The Configure Application Black List page lets you add applications and
application groups to the Application Black Lists.
The Application Black lists are used in an application spawning rule called "Block
BlackList Applications" which prevents spawning of these applications by any
other application.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Description
Search the Description field.
New
Clicking this button opens a drop down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
The Configure Installations List page lets you add applications and application
groups to the Installations lists. The Installations list is used in the Known
Application Use rule "Installations". This rule enrolls applications marked as
installers in this group. This list is also used in the Application Spawning rule
"Allow Installers". This rule lets you specify applications that can be spawned and
used as installers.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Description
Search the Description field.
New
Clicking this button opens a drop down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
This page includes a Find function. You can use this function to help you find
specific applications. When using this function, specify the name or characters to
find, then use the next and previous buttons to move to the next or previous
corresponding entry.
Do not use wildcards as this is a character matching search and looks for those
specific characters when searching.
Description
Search the Description field.
New
Clicking this button opens a drop down menu with two options, Enroll New
Application and Enroll New Application Subgroup. Enrolling a new application
lets you add the application to one of the various application lists. Enrolling
new application subgroups lets you create ways to organize your
applications to help you better manage your work. More information on the
enrollment process is covered in other sections.
Edit
Select a group or application and click this button to edit that object. Editing
is the same as creating a new object; you are just changing the existing
values.
Delete
Select a group or application and click this button to remove that group or
application from the list.
Application Group
This table lists the available application groups. The top group can contain
subgroups of applications.
The Enroll DLL Modules and DLL Module Groups Advanced Configuration lets you
create DLL related building blocks for use in Application Control or OS Security
policies. You can use these DLL Modules and groups to limit or allow DLL actions,
ensuring the protection of your network from unwanted actions.
You can enroll a single DLL as a DLL module, or enroll several DLLs as DLL
modules and then combine those modules into a DLL module group. You can also add
DLL modules as subgroups to a DLL module group.
This page includes the Find tool. You can use this tool to help you find specific
DLLs. When using this tool, specify the name or characters to find, then use the
Next and Previous buttons to move to the next or previous corresponding entry.
Do not use wildcards as this is a character search and the search looks for those
characters in the search area.
Definition
Select this option to search the Definition field. Usually the definition is
the filename of the DLL only.
Filename
Select this option to search the Filename field. Usually the filename field
includes both the path and the DLL filename.
Description
3. Enter the search string. You can enter any number of characters and the
search looks for that string of characters. Do not use wildcards as these are
treated as characters, not wildcards.
4. Click Next to move to the next matching entry in the list. Click Prev to move
to the previous entry in the list.
New
Clicking this button opens a drop-down menu with two options, Enroll New
DLL Module and Enroll New DLL Module Group. Enrolling a new DLL lets you
add the DLL for use in policies. Enrolling new DLL module groups lets you
create ways to organize your DLL modules to help you better manage your
work. More information on the enrollment process is covered in other
sections.
Edit
Select a group or DLL and click this button to edit that object. Editing is the
same as creating a new object; you are just changing the existing values.
Delete
Select a group or DLL and click this button to remove that group or DLL from
the list.
Enrolling a DLL into a DLL Module lets you create rules that allow or restrict that
DLL. You can also enroll the DLL modules into a group, allowing you to create
rules that govern a set of DLLs.
1. Configure the name and general setting for the DLL module (see page 321).
2. Specify the DLL for the DLL module (see page 339).
3. Specify any Identity Redirections that apply to the DLL (see page 341).
4. Add the DLL module to a DLL module group (see page 341).
Configure Names and General Settings
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.
Specify DLL Module Identification
To enroll a DLL into a new DLL module, you must specify the DLL module
identification.
2. Select one of the following options to identify the DLL, and provide the
details for that option where applicable:
Path
Identify the DLL by its full path. Use this option if you know the path will
be constant.
Filename
Identify the DLL by its filename alone. Any file with that name matches,
regardless of where it is located or what it contains, so use this method
only if you are not concerned that malware could masquerade as the DLL by
using the same filename.
Checksum
Enroll the DLL based on its checksum. You must copy the DLL to the
WebServices\CheckSum folder where the Management Console is installed; the
checksum is calculated from that copy. You can add multiple checksums as
necessary, for example one for each version of the DLL in use. Because the
checksum changes whenever the file changes, re-enroll the DLL after it is
updated or patched.
Alternatively, click Save to save your changes and return to the Enroll DLL
Modules and DLL Module Groups page.
Specify Identity Redirections
Some applications serve as surrogates for other code. The purpose of Identity
Redirection is to correctly handle situations where one executable interprets
other files.
For example, without Identity Redirection all *.msi installation packages would
be treated the same, because the msiexec.exe application installs them all, and
all *.vbs and *.js script files would be treated the same, because the
wscript.exe process interprets them.
The Identity Redirections page lets you specify whether an application is run
through one of the identity redirections.
1. Highlight any applicable Identity Redirection and use the double arrows to
move the redirection to the correct list.
2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
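As an added illustration (example code written for this rewrite, not part of the CA product or this guide), the following Python resolves the identity a policy should use when an interpreter hosts another file. The interpreter table, the helper names effective_identity and policy_decision, and the sample command lines are constructed for the example; the only mappings taken from the text above are msiexec.exe for *.msi and wscript.exe for *.vbs and *.js.

```python
import ntpath
import shlex
from typing import Dict, List, Set

# Assumed table for this example: interpreter image name -> extensions of the
# files it hosts.  The page names msiexec.exe (*.msi) and wscript.exe
# (*.vbs, *.js); the dictionary itself is not product data.
IDENTITY_REDIRECTIONS: Dict[str, Set[str]] = {
    "msiexec.exe": {".msi"},
    "wscript.exe": {".vbs", ".js"},
}


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping backslashes and dropping quotes."""
    # posix=False stops shlex from treating backslashes as escape characters.
    return [part.strip('"') for part in shlex.split(cmdline, posix=False)]


def effective_identity(image_path: str, cmdline: str) -> str:
    """Return the file that policy should treat as the running identity.

    For a plain executable this is the image itself.  For an interpreter listed
    in IDENTITY_REDIRECTIONS it is the first hosted file on the command line,
    so two .msi packages no longer look like the same msiexec.exe process.
    """
    hosted = IDENTITY_REDIRECTIONS.get(ntpath.basename(image_path).lower())
    if not hosted:
        return image_path
    for arg in split_windows_cmdline(cmdline)[1:]:
        if arg.startswith(("/", "-")):
            continue  # switches such as /i or /quiet are never the hosted file
        if ntpath.splitext(arg)[1].lower() in hosted:
            return arg
    return image_path  # interpreter started without a hosted file


def policy_decision(denied_filenames: Set[str], image_path: str,
                    cmdline: str, redirect: bool = True) -> str:
    """Filename-based allow/deny check, with or without Identity Redirection."""
    identity = effective_identity(image_path, cmdline) if redirect else image_path
    name = ntpath.basename(identity).lower()
    return "deny" if name in {d.lower() for d in denied_filenames} else "allow"


if __name__ == "__main__":
    # Constructed sample: an installer package launched through msiexec.exe.
    image = r"C:\Windows\System32\msiexec.exe"
    cmd = r'msiexec.exe /i "C:\Temp\untrusted tool.msi" /quiet'
    print(effective_identity(image, cmd))                                   # C:\Temp\untrusted tool.msi
    print(policy_decision({"untrusted tool.msi"}, image, cmd))              # deny
    print(policy_decision({"untrusted tool.msi"}, image, cmd, redirect=False))  # allow
```

Without redirection every package is judged as msiexec.exe, so a rule naming the package can never fire; with redirection the package's own name is what the rule sees.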
You can also enroll a DLL module into a DLL module group.
1. Open the Add DLL Module to DLL Module Groups page by either clicking Next
on the Specify Identity Redirections page, or by clicking the Add DLL Module
to DLL Module Groups link in the Steps to Create Policy pane.
In addition to enrolling DLL modules, you can create and enroll DLL module
groups. DLL module groups are a way to group similar DLLs so that you can
create policies for that set of DLLs.
You can also add DLL module groups to other groups. For example, you could
create a DLL module group for all DLLs related to a single application, and add
that group as a subgroup of a DLL module group you create for all application
DLLs.
1. Configure the name and general settings of the DLL module group (see
page 321).
2. Add DLL modules to the DLL module group (see page 343).
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
After specifying the name and general settings for the DLL module group, you
must specify the DLLs contained in the group. You must first enroll the DLLs in
order to add the DLLs to a DLL module group.
1. Open the Add DLL Modules to DLL Module Groups page by either clicking
Next on the Name and General settings page of the Enroll DLL Module Group,
or by clicking the Add DLL Modules to DLL Module Groups link in the Steps to
Create Policy pane.
2. Highlight the DLLs to add to the group and use the double arrows to move
the DLLs to the correct list.
3. Click Next to continue to the Add DLL Module Groups as Subgroups page.
Alternatively, click Save to save your changes and return to the Enroll DLL
Modules and DLL Module Groups page.
You may wish to combine several DLL module groups into a large group. For
example, you may have DLL module groups for each application. You may want
to create a DLL module group that contains each application DLL module group
you create. You can then use the larger group in rules so you do not have to
create the same rule for each smaller group.
2. Highlight any DLL Module Subgroups to add to the group and use the double
arrows to move the subgroup to the correct list.
3. Click Save to save your changes and return to the Enroll DLL Modules and
DLL Module Groups page.
Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the policy.
If necessary, you can enroll multiple DLL modules at one time. When enrolling
multiple modules, ensure that all the modules share the same identification
method, then select the DLL modules and add the modules to groups.
Note: When using checksum validation, you must copy the DLL modules to the
WebServices\CheckSum folder.
2. Add the DLL modules to the DLL module group. (see page 345)
Select Multiple DLL Modules to Enroll
When enrolling multiple modules, all the modules must share the same
identification method. You can choose to enroll DLL modules based on path, file
name, checksum, those signed by a specific certificate or a combination of these
options.
Note: When using checksum validation, you must copy the DLL modules to the
WebServices\CheckSum folder.
2. Select one of the following options to identify the DLL modules, and
provide the details for that option where applicable:
Path
Identify the DLL modules by their full paths. Use this option if you know
the paths will be constant.
Filename
Identify the DLL modules by filename alone. Any file with a matching name
matches, regardless of location or contents, so use this method only if
you are not concerned that malware could masquerade as one of the DLL
modules by using the same filename.
Checksum
Enroll DLL modules based on their checksum. You must copy the DLL modules
to the WebServices\CheckSum folder; the MD5 checksum is then calculated
from those copies. You can add multiple checksums as necessary. A checksum
identifies one exact file, so re-enroll a module after it is updated or
patched. Note that MD5 is no longer collision resistant, so treat a
checksum match as recognition of a known file rather than as proof of
integrity against a deliberate attacker.
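The following Python is an added example (not the Management Console's code) that models the three identification methods above and nested DLL module groups, and shows why the filename method is the weakest: a malicious file renamed to the enrolled name passes a filename match but not a path or checksum match. The DllModule and DllModuleGroup classes, the helper names, the temporary files and their contents are constructed for the example; MD5 is used because the page states that the checksum calculated is MD5.

```python
import hashlib
import ntpath
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union


@dataclass
class DllModule:
    """One enrolled DLL module; method is "path", "filename" or "checksum"."""
    name: str
    method: str
    value: str  # full path, bare filename, or hex MD5 digest


@dataclass
class DllModuleGroup:
    """A DLL module group whose members are modules or subgroups."""
    name: str
    members: List[Union[DllModule, "DllModuleGroup"]] = field(default_factory=list)


def md5_of_file(path: str) -> str:
    """MD5 of a file, the digest the page says is calculated for checksum enrollment."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def enroll_by_checksum(name: str, staged_path: str) -> DllModule:
    """Enroll from a staged copy, as the console does from WebServices\\CheckSum."""
    return DllModule(name, "checksum", md5_of_file(staged_path))


def module_matches(module: DllModule, loaded_path: str) -> bool:
    """Does a DLL loaded from loaded_path satisfy this module's identification?"""
    if module.method == "path":
        return ntpath.normcase(loaded_path) == ntpath.normcase(module.value)
    if module.method == "filename":
        # Weakest method: any file with this name matches, wherever it lives.
        return ntpath.basename(loaded_path).lower() == module.value.lower()
    if module.method == "checksum":
        return md5_of_file(loaded_path) == module.value.lower()
    raise ValueError(f"unknown identification method {module.method!r}")


def flatten(group: DllModuleGroup, seen: Optional[Set[str]] = None) -> List[DllModule]:
    """All modules reachable through a group and its subgroups, cycle-safe."""
    seen = set() if seen is None else seen
    if group.name in seen:
        return []
    seen.add(group.name)
    modules: List[DllModule] = []
    for member in group.members:
        if isinstance(member, DllModuleGroup):
            modules.extend(flatten(member, seen))
        else:
            modules.append(member)
    return modules


def group_matches(group: DllModuleGroup, loaded_path: str) -> bool:
    return any(module_matches(m, loaded_path) for m in flatten(group))


def demo() -> Dict[str, bool]:
    """Constructed scenario: a vendor DLL and a malicious file with the same name."""
    root = tempfile.mkdtemp()
    real = os.path.join(root, "app", "helper.dll")
    fake = os.path.join(root, "downloads", "helper.dll")
    for path, body in ((real, b"constructed vendor DLL body"), (fake, b"constructed malicious body")):
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as handle:
            handle.write(b"MZ" + b"\x00" * 62 + body)  # placeholder bytes, not a real PE image
    by_path = DllModule("helper by path", "path", real)
    by_name = DllModule("helper by filename", "filename", "helper.dll")
    by_sum = enroll_by_checksum("helper by checksum", real)
    app_group = DllModuleGroup("App DLLs", [by_path, by_sum])
    all_apps = DllModuleGroup("All application DLLs", [app_group])
    app_group.members.append(all_apps)  # a cycle the flattener must survive
    return {
        "path_real": module_matches(by_path, real),      # True
        "path_fake": module_matches(by_path, fake),      # False
        "filename_real": module_matches(by_name, real),  # True
        "filename_fake": module_matches(by_name, fake),  # True: the masquerade succeeds
        "checksum_real": module_matches(by_sum, real),   # True
        "checksum_fake": module_matches(by_sum, fake),   # False
        "group_real": group_matches(all_apps, real),     # True, via the subgroup
        "group_fake": group_matches(all_apps, fake),     # False
    }
```

The group built only from path and checksum modules rejects the renamed file; adding the filename module to it would make the whole group accept it, which is the trade-off to keep in mind when mixing identification methods in one group.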
After selecting the DLL modules to enroll, you must add the modules to the
available module groups. This lets you group modules for easier use.
1. Open the Add DLL Modules to DLL Module Groups page by either clicking
Next on the Select Multiple DLL Modules to Enroll page, or by clicking the Add
DLL Modules to DLL Module Groups link in the Steps to Create Policy pane.
2. Highlight the modules to add to the group and use the double arrows to
move the modules to the correct list.
3. Click Save to save your changes.
Your changes are saved, and the page closes. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.
The OS Security Advanced Configuration lets you modify the built-in policy
components used in the built-in OS Security Policies. The built-in policy
components include:
Access Controls
Access Controls let you specify device access permissions for the built-in OS
Security policies.
Directories
The directories built-in policy components let you specify which directories
can be accessed by the restricted applications and by end users.
Registry Keys
The registry key built-in policy components let you specify which registry
keys can be accessed by the restricted applications and by end users when
using the built-in OS Security policies.
Services
The built-in services policy components let you specify which services can be
accessed by the restricted applications and by end users when using the
built-in OS Security policies.
COM Objects
The built-in COM Policy components let you specify which COM objects can
be accessed by the restricted applications and by end users when using the
built-in OS Security policies.
In addition, under the Other Advanced Configuration options, you can create OS
Security rules and Rule Sets and Guard rules and Rule Sets. You can also create
definitions for File, Registry, COM, Service, Device, and Time Frame objects.
The OS Security Access Controls page lets you set the access controls for built-in
OS Security policies and Rule Sets. These settings are only for built-in policies or
the policies using built-in Rule Sets. You must create your own Rule Sets for
custom policies.
When specifying access controls, you can select from the following options:
No Access
No access is permitted at all. You can select this option for both storage
devices and miscellaneous ones.
Read-Only Access
Data can be read from the device, but cannot be written to the device. This
option only applies to storage devices. You can use this option to allow
access to removable media, but to prevent files from being copied to such
removable media.
Full Access
Full read and write access is allowed for the given device. This can apply to
both storage and miscellaneous devices.
1. Set the access controls for all the available options to suit your needs.
2. Click Apply.
The access settings are saved, and all policies now use the new access
settings.
The Hidden Directories for Restricted Applications page lets you specify
directories which are hidden from restricted applications. There is a built-in rule
which allows full access to all files by any application, so you can use this page to
hide some files or directories from restricted applications.
3. Click Add.
The directory is added to the list.
4. Click Save
Your changes are saved and the Configure Hidden Directories for Restricted
Application pane closes.
3. Click Save
Your changes are saved and the Configure Hidden Directories for Restricted
Application pane closes.
3. Enter the new path in the Item field and click Modify.
The directory is updated to match the new path.
4. Click Save
Your changes are saved and the Configure Hidden Directories for Restricted
Application pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Read-only Directories for Restricted Applications page lets you specify which
directories are read-only for restricted applications.
3. Click Add.
The directory is added to the list.
4. Click Save
Your changes are saved and the Configure Read-only Directories for
Restricted Application pane closes.
3. Click Save
Your changes are saved and the Configure Read-only Directories for
Restricted Application pane closes.
3. Enter the new path in the Item field and click Modify.
The directory is updated to match the new path.
4. Click Save
Your changes are saved and the Configure Read-only Directories for
Restricted Application pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Hidden Directories for Users page lets you specify all directories that are
hidden from users on the endpoints. If you do not specify a directory, no
directories are hidden and users can access all directories.
3. Click Add.
The directory is added to the list.
4. Click Save
Your changes are saved and the Configure Hidden Directories for Users pane
closes.
3. Enter the new path in the Item field and click Modify.
The directory is updated to match the new path.
4. Click Save
Your changes are saved and the Configure Hidden Directories for Users pane
closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Read-only Directories for Users page lets you specify all directories that are
read-only to users. If you do not specify a directory, users have read and write
permissions for all directories.
3. Click Add.
The directory is added to the list.
4. Click Save
Your changes are saved and the Configure Read-only Directories for Users
pane closes.
3. Click Save
Your changes are saved and the Configure Read-only Directories for Users
pane closes.
3. Enter the new path in the Item field and click Modify.
The directory is updated to match the new path.
4. Click Save
Your changes are saved and the Configure Read-only Directories for Users
pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Hidden Registry Keys for Users page lets you specify registry keys that are
hidden from the users. If you do not specify a hidden registry key, users can
access any registry keys. The values you enter for the hidden registry keys
should start with HKCR, HKCU, HKLM, HKU or HKCC.
2. In the Item field, enter the value of the hidden registry key.
3. Click Add.
4. Click Save
Your changes are saved and the Configure Hidden Registry Keys for Users
pane closes.
3. Click Save
Your changes are saved and the Configure Hidden Registry Keys for Users
pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Hidden Custom Registry Keys for Restricted Applications page lets you
specify registry keys that are hidden to applications on the restricted applications
list. The values you enter for the hidden registry keys should start with HKCR,
HKCU, HKLM, HKU or HKCC.
3. Click Add.
The registry key is added to the list.
4. Click Save
Your changes are saved and the Configure Hidden Custom Registry Keys for
Restricted Applications pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Read-only Custom Registry Keys for Restricted Applications page lets you
specify which custom registry keys are read-only to the restricted application
list. If you do not specify any read-only registry keys, restricted applications
have read and write access to all non-hidden registry keys.
2. In the Item field, enter the value of the read-only registry key.
3. Click Add.
The registry key is added to the list.
4. Click Save
Your changes are saved and the Configure Read-only Custom Registry Keys
for Restricted Applications pane closes.
4. Click Save
Your changes are saved and the Configure Read-only Custom Registry Keys
for Restricted Applications pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Read-only Registry Keys for Users page lets you specify which registry keys
are read-only to the users on the endpoint. If you do not specify any read-only
registry keys, users have read and write access to all non-hidden registry keys.
2. In the Item field, enter the value of the read-only registry key.
3. Click Add.
The registry key is added to the list.
4. Click Save
Your changes are saved and the Configure Read-only Registry Keys for Users
pane closes.
4. Click Save
Your changes are saved and the Configure Read-only Registry Keys for Users
pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Protected Custom Services for Restricted Applications page lets you specify
which services are protected from any attempts at running or changing the
services for restricted applications. You specify which services the restricted
applications cannot modify. If you do not specify any protected services,
restricted applications can modify or access all services.
3. Click Add.
The service is added to the list.
4. Click Save
Your changes are saved and the Configure Protected Custom Services for
Restricted Applications pane closes.
4. Click Save
Your changes are saved and the Configure Protected Custom Services for
Restricted Applications pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Protected Services for Users page lets you specify which services are
protected from any attempts at running or changing the services by users on the
endpoint. If you do not specify any protected services, users can modify or
access all services.
3. Click Add.
The protected service is added to the list.
4. Click Save
Your changes are saved and the Configure Protected Services for Users pane
closes.
4. Click Save
Your changes are saved and the Configure Protected Services for Users pane
closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Protected Custom COM Objects for Restricted Applications page lets you
specify which COM objects restricted applications cannot create. If you do not
specify any protected COM objects, restricted applications can create all COM
objects. The values should be in valid CLSID format, for example,
0CD7A5C0-9F37-11CE-AE65-08002B2E1262
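Before entering a batch of Item values, a quick script check catches the two problems these pages describe: a registry key that does not start with HKCR, HKCU, HKLM, HKU or HKCC (this page and the earlier Hidden and Read-only Registry Keys pages), and a COM object that is not in CLSID format. The following Python is an added example, not the console's own validation; the hive-abbreviation table, the function names and the sample items are constructed for it, and braces around a CLSID are stripped to match the unbraced form shown above.

```python
import re
from typing import List, Tuple

# Full hive names mapped to the abbreviations the page requires as prefixes.
HIVE_ABBREVIATIONS = {
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}
VALID_PREFIXES = set(HIVE_ABBREVIATIONS.values())

# CLSID: 8-4-4-4-12 hex digits; surrounding braces are accepted and removed so
# the result matches the unbraced form shown on the page.
_CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?$"
)


def normalize_registry_item(item: str) -> str:
    """Return the key with its hive abbreviated, or raise ValueError."""
    cleaned = item.strip().replace("/", "\\").rstrip("\\")
    hive, sep, rest = cleaned.partition("\\")
    prefix = HIVE_ABBREVIATIONS.get(hive.upper(), hive.upper())
    if prefix not in VALID_PREFIXES:
        raise ValueError(f"must start with HKCR, HKCU, HKLM, HKU or HKCC: {item!r}")
    return prefix + sep + rest


def normalize_clsid_item(item: str) -> str:
    """Return the CLSID in upper-case unbraced form, or raise ValueError."""
    match = _CLSID_RE.match(item.strip())
    if not match:
        raise ValueError(f"not a CLSID: {item!r}")
    return match.group(1).upper()


def check_items(items: List[str], kind: str) -> Tuple[List[str], List[str]]:
    """Split a batch into (accepted values, rejection reasons) before entering it."""
    normalize = normalize_registry_item if kind == "registry" else normalize_clsid_item
    accepted, rejected = [], []
    for item in items:
        try:
            accepted.append(normalize(item))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batches for this example.
    keys = ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor\\Agent", "hkcu\\Software\\Vendor\\",
            "HKEY_DYN_DATA\\Config"]
    clsids = ["{0cd7a5c0-9f37-11ce-ae65-08002b2e1262}",
              "0CD7A5C0-9F37-11CE-AE65-08002B2E1262", "not-a-clsid"]
    print(check_items(keys, "registry"))
    print(check_items(clsids, "clsid"))
```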
2. In the Item field, enter the value of the protected COM object.
3. Click Add.
The protected COM object is added to the list.
4. Click Save
Your changes are saved and the Configure Protected Custom COM Objects
for Restricted Applications pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
The Protected COM Objects for Users page lets you specify which COM objects
users on the endpoint cannot create. If you do not specify any protected COM
objects, users can modify or access all COM objects.
2. In the Item field, enter the value of the protected COM object.
3. Click Add.
The protected COM object is added to the list.
4. Click Save
Your changes are saved and the Configure Protected COM Objects for Users
pane closes.
3. Click Save
Your changes are saved and the Configure Protected COM Objects for Users
pane closes.
You can also clear the item field by clicking Clear. To discard any changes you
made and not save them, click Discard.
When populating a Rule Set with rules, you can copy rules from one Rule Set and
paste them into another Rule Set using the copy and paste feature. The pasted
copy uses the original rule's name with a number appended to the end.
Rule Set Groups let you organize your Rule Sets into groups. You can then use
these groups when creating policies. This lets you easily create policies by only
selecting one Rule Set group that applies instead of having to pick the Rule Sets
each time you create a policy.
Note: Some Rule Set groups are read-only. You can view the details of these
Rule Set groups, but you cannot edit those details. If you select a read-only Rule
Set group, the Edit button changes to the View button.
New
Click this button to create a new Rule Set group.
Edit
Select a Rule Set group and click this button to edit that object. Editing is the
same as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set group and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set group.
Delete
Select a Rule Set group and click this button to remove that group from the
list.
View
This button only appears if you select a read-only Rule Set group. Click this
button to view the details of the Rule Sets group. You cannot edit the details
of the Rule Set group.
1. Click New.
The Create Intrusion Protection Rule Set Group window opens to the Name
and General Settings pane.
2. Enter the name and description for the Rule Set group and click Next.
The Select Rule Sets pane opens.
3. Select the Rule Set to add from the Available Rule Sets table and use the Up
arrow to move the Rule Set to the Selected Rules table.
The Name and General Settings page lets you specify the name and a description
for the rule set group you are creating.
Note: If you access this page from the Global Policy Definition menu, you will
create a global rule set group that can be used across all partitions. If you access
this page from within a specific partition, you will create a rule set group that can
only be used in that partition.
When creating a Rule Set group, you must add the Rule Sets to the group. You
add the Rule Sets on the Select Rule Sets page for that rule group.
1. Select the Rule Set to add from the Available Rule Sets table.
2. Use the Up arrow to move the Rule Set to the Selected Rules table.
3. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Additionally, you can remove a Rule Set from the Selected Rule Sets table by
selecting it and using the Down arrow button to move it back to the Available
Rule Sets table.
Rule Sets contain rules that can be used in Rule Set groups or in policies. From
this page you can create new Rule Sets or view existing Rule Sets.
Note: Some Rule Sets are read-only. You can view the details of these Rule Sets,
but you cannot edit those details. If you select a read-only Rule Set, the Edit
button changes to the View button.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that set from the list.
View
This button only appears if you select a read-only Rule Set. Click this button
to view the details of the Rule Set. You cannot edit the details of the Rule Set.
1. Click New.
The Create Intrusion Protection Rule Set window opens to the Name and General
Settings pane.
2. Enter the name and description for the Rule Set and click Save.
Your changes are saved and you are returned to the Rule Set page.
The Name and General Settings page lets you specify the name and a description
for the rule set you are creating. This page is common to almost all Advanced
Configuration policy component objects.
Note: If you access this page from the Global Policy Definition menu, you will
create a global rule set that can be used across all partitions. If you access this
page from within a specific partition, you will create a rule set that can only be
used in that partition.
You can view the rules included in a Rule Set from the View Included Rules page.
3. Click Next.
The View Included Rules page opens, displaying the rules found in the Rule
Set.
Note: Rules are added to the Rule Set from the Configure Intrusion Protection
Rules page.
Intrusion Protection rules are used to make Intrusion Protection policies. These
rules let you specify expected packet content and other information using
tokens. You can create rules with one or multiple tokens, depending on your
needs for that rule. When creating an Intrusion Protection rule, you can create
the tokens in the order suggested and later reorder the tokens as necessary.
Alternatively, you can jump around, creating the tokens in the order you need.
However, the process described here follows the order suggested by the
Intrusion Protection Rule editor.
When viewing rules, the page only displays the rules for the Rule Set you select.
Use the Select Rule Set drop-down menu to pick the Rule Set to view.
Important! You cannot add rules to the built-in Rule Sets. If you attempt to
create a rule without first creating a user-defined Rule Set, the Management
Console displays an error when you try to save the rule.
4. Set the Access Permission and Audit Level. (see page 370)
Specify whether this rule prevents or monitors access. You must also specify
the audit level for this rule.
Specify the details for any PCRE tokens related to this rule. PCRE tokens
match packet content against a regular expression written in the syntax of
the Perl Compatible Regular Expressions (PCRE) C library, which implements
Perl-style regular expressions.
15. Reorder the Tokens. (see page 393)
Review the order of the tokens. Tokens are applied in the order listed on this
page and might need to be adjusted to ensure the rule behaves properly.
The Name and General Settings page lets you specify the name and a description
for the rule you are creating. This page is common to almost all Advanced
Configuration policy component objects.
Note: If you access this page from the Global Policy Definition menu, the rules
you create are global, and can be used across all partitions. If you access this
page from within a specific partition, you create rules that can only be used in
that partition.
2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
The Transport Settings page lets you specify the protocol and port or set of ports
to which this rule applies. You can select from a list of existing transports, or
specify your own private transport settings. Specifying your own settings lets
you create rules that apply to only certain source or destination ports, limiting
the scope of the rule to match your needs.
To add a new transport for use with multiple rules, create the transport using the
Transport Definitions found under Configure Other Intrusion Protection
Advanced Policy Components.
Use Private Transport
Select this option to specify your own transport setting, unique to this
rule. If you use this option, you must add the additional protocol
information. A private transport cannot be reused in other rules; if you
wish to reuse the protocol, create a Transport Definition for it instead.
3. (Optional) If you selected Use Private Transport, enable Negate Source Ports
to prevent this rule from applying to incoming traffic.
5. (Optional) If you selected Use Private Transport, you must add information
to describe the one or more protocols.
Configure IP Addresses
You can create Intrusion Protection rules that apply only to traffic between two
sites. When configuring such rules, you must specify the remote IP address, the
local IP address, and which traffic you want blocked or monitored.
You can only specify inbound or outbound traffic per rule. To block both types of
traffic, you must create two rules, one blocking inbound, the other blocking
outbound traffic.
When specifying an address, you must select the address from a drop-down
menu of IP addresses that have already been defined. To define an IP Address,
use the IP Address Definitions editor found under Configure Other Intrusion
Protection Advanced Policy Components.
The Access Permission and Audit Level page lets you specify if the Intrusion
Protection rule prevents access or simply monitors access.
You can also specify the audit level of the rule. Every time the endpoint applies
this rule, the endpoint generates an event based on the level you specify on this
page. The Event Management Policy in force on the endpoint controls whether
the event is reported to the Event Server.
1. Open the Access Permission and Audit Level page by either clicking Next on
the IP Address Settings page of the Create Intrusion Protection Rule, or by
clicking the Access Permission and Audit Level link in the Steps to Create
Rule pane.
2. Specify whether you want this rule to prevent access or simply to monitor
access, and specify the audit level for this rule.
3. Click Next.
The Select Rule Set Used page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
The Select Rule Set Used page lets you specify which Rule Set should contain the
rule you are creating. You can use this page to create a rule in a Rule Set other
than the one you selected in the Select Rule Set drop-down menu.
You can only select a user-defined Rule Set. You cannot add a rule to a built-in
Rule Set. If you try to save the rule you created to a built-in Rule Set, the
Management Console displays an error message.
By default, if you did not select a Rule Set from the Select Rule Set drop-down
list, or you selected a built-in Rule Set, the Management Console places the rule
in the first Rule Set listed on this page.
Use Flow tokens to allow rules to apply only to certain directions of traffic flow.
You can specify if the rule applies from Client to Server or from Server to Client.
You can also specify if the rule applies to established connections or to rebuilt
packet streams.
Client to Server
Select this option to have this rule apply to packets going from the
endpoint to a server, in the reassembled TCP stream, when the endpoint is
the client in relation to that server.
Server to Client
Select this option to have this rule apply to packets going from the
endpoint to a client, in the reassembled TCP stream, when the endpoint
acts as the server in relation to that client.
Both Directions
Select this option to have this rule apply to both directions of
communication.
3. Specify the Connection State. You can choose one of the following options:
Select this option to have this rule apply regardless of the state of the
connection.
Stateless
Select this option to have this rule apply only to stateless connections.
Established
Select this option to have this rule apply only to established TCP
connections.
4. Specify the Stream Type. You can choose one of the following options:
Any Stream
Select this option to have this rule apply regardless of the stream state.
No Stream
Select this option to have this rule apply only to packets that were not
reassembled from a stream.
Stream Only
Select this option to have this rule apply only on rebuilt stream packets.
Use this option if you suspect an outside source is altering the stream
packets.
5. Click Add.
The token is added to the list.
6. Click Next.
The Configure IP Fragmentation Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
Use IP Fragmentation tokens to have the rule apply to packets with certain IP
fragmentation bits set or unset. For example, you can create a rule that
detects packets with only the Reserved bit set, or packets with both the
Reserved bit and the Do Not Fragment bit not set.
MF Bit
Enable to have the rule check the More Fragment bit.
DF Bit
Enable to have the rule check the Do Not Fragment bit.
Res Bit
3. Select the appropriate Flag Set Modifiers. You can select from the following
options:
4. Click Add.
The token is added to the list.
5. Click Next.
The Configure TCP Flag Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
Use TCP Flag tokens to have the rule apply only if specific TCP flag bits are
present in the packet.
1. Open the Configure TCP Flag Tokens page by either clicking Next on the
Configure IP Fragmentation Token page of the Create Intrusion Protection
Rule, or by clicking the Configure TCP Flag Tokens link in the Steps to Create
Rule pane.
FIN
Select this option to check the FIN flag. The FIN flag is set if the sender
is not transmitting any more data.
SYN
Select this option to check the SYN flag.
PUSH
Select this option to check if the Push flag is set.
ACK
Select this option to check the ACK flag.
3. Select the appropriate Modifier Flags. You can select from the following
options:
4. Click Add.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
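The following Python program is an added example and is not part of this guide or of the CA product. It builds a constructed IPv4 header and TCP header, extracts the fragmentation bits that the IP Fragmentation tokens examine and the flag byte that the TCP Flag tokens examine, and applies a token with a modifier. The modifier set (exact match, plus, any, not) is an assumption modelled on the Snort fragbits and flags options, which this page does not list; the addresses, ports and flag combinations are constructed for the example.

```python
"""IP Fragmentation and TCP Flag token checks on raw headers.

Added example, not code from the CA product: it builds a minimal IPv4+TCP
header pair (constructed sample, checksums left at zero), extracts the IP
flag bits and the TCP flag byte, and evaluates them the way the fragmentation
and flag tokens do. The modifier semantics ('' exact, '+', '*', '!') are an
assumption modelled on the Snort fragbits/flags options.
"""
import struct

# IPv4 flags live in the top three bits of the flags/fragment-offset halfword.
RB, DF, MF = 0x8000, 0x4000, 0x2000          # Reserved, Don't Fragment, More Fragments
IP_FLAG_MASK = RB | DF | MF

# TCP flag bits in the 14th byte (index 13) of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(ip_flags=0, tcp_flags=0, frag_offset=0):
    """Return a constructed 40-byte packet: 20-byte IPv4 header + 20-byte TCP header."""
    flags_frag = (ip_flags & IP_FLAG_MASK) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def extract_flags(pkt):
    """Return (ip_flag_bits, tcp_flag_byte) from a packet that starts at the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length in bytes
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    tcp_flags = pkt[ihl + 13]                        # flags byte of the TCP header
    return flags_frag & IP_FLAG_MASK, tcp_flags


def bits_match(actual, wanted, modifier=""):
    """Compare a flag field against the bits named in a token (assumed modifier semantics).

    ''  : exactly the wanted bits are set and no others
    '+' : all wanted bits are set, others may be set too
    '*' : at least one of the wanted bits is set
    '!' : none of the wanted bits is set
    """
    if modifier == "":
        return actual == wanted
    if modifier == "+":
        return (actual & wanted) == wanted
    if modifier == "*":
        return (actual & wanted) != 0
    if modifier == "!":
        return (actual & wanted) == 0
    raise ValueError("unknown modifier %r" % modifier)


def rule_matches(pkt, ip_bits=None, ip_mod="", tcp_bits=None, tcp_mod=""):
    """Apply an IP Fragmentation token and/or a TCP Flag token to one packet."""
    ip_flags, tcp_flags = extract_flags(pkt)
    if ip_bits is not None and not bits_match(ip_flags, ip_bits, ip_mod):
        return False
    if tcp_bits is not None and not bits_match(tcp_flags, tcp_bits, tcp_mod):
        return False
    return True


if __name__ == "__main__":
    # Reserved bit set by itself, the case given on this page (never legitimate).
    print(rule_matches(build_ipv4_tcp(ip_flags=RB), ip_bits=RB))
    # Xmas scan: FIN, PSH and URG set with nothing else.
    print(rule_matches(build_ipv4_tcp(tcp_flags=FIN | PSH | URG), tcp_bits=FIN | PSH | URG))
    # SYN+ACK does not match an exact SYN token, but does match SYN with '+'.
    print(rule_matches(build_ipv4_tcp(tcp_flags=SYN | ACK), tcp_bits=SYN))
    print(rule_matches(build_ipv4_tcp(tcp_flags=SYN | ACK), tcp_bits=SYN, tcp_mod="+"))
```

The exact-match form is the one to use for the Reserved-bit and Xmas-scan cases, because those combinations should never occur in legitimate traffic; the plus form is what you want for a SYN token that should also match SYN+ACK.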
Use Content tokens to create rules that search for specific content in a packet
payload. During the check, if Intrusion Protection finds data that exactly matches
the argument data string within the packet's payload, it applies the rule to this
communication.
Note: Checking the packet payload is CPU intensive and can degrade the
computer's performance. Where you can, limit the bytes searched with Offset
and Depth (or Distance and Within) rather than searching the whole payload.
When creating Content tokens, you define a string or binary sequence using
C notation. This is the data that Intrusion Protection searches for in the
payload. By default the match is case sensitive; enable No Case to ignore case.
1. Open the Configure Content Tokens page by either clicking Next on the
Configure TCP Flag Token page of the Create Intrusion Protection Rule, or by
clicking the Configure Content Tokens link in the Steps to Create Rule pane.
You must specify the value for each Content token. The value is the string or
binary sequence for which the Intrusion Protection is searching.
3. Specify the Offset if you are not enabling the Relative Offset option in the
Search Flags. The Offset is the number of bytes from the start of the payload
at which the search begins.
4. Specify the Depth if you are not enabling the Relative Depth option in the
Search Flags. The Depth is the number of bytes, counted from the Offset,
within which the value must be found.
5. Set the Within value, if necessary. To set this value, enable Relative Depth
in the Additional Search Flags column, then enter the Within value.
You must enable Relative Depth to identify content by Within.
6. Set the Distance value, if necessary. To set this value, enable Relative Offset
in the Additional Search Flags column, then enter the Distance.
Negation/Complement
Apply the rule to all packets not containing the value you set.
URI Content
Restrict the search to only the normalized request URI field. URI
normalization is the process by which URIs are modified and
standardized in a consistent manner. Normalization helps you determine
if two syntactically different URIs are equivalent.
No Case
Have Intrusion Protection search for the data, regardless of case. For
example, if you are searching for the value "Too" and enable this option,
Intrusion Protection would apply this rule if the payload contained "too",
"Too", or even "tOO".
RegExp
Treat the value as a Perl-compatible regular expression. The rule applies
only if the expression matches the data in the packet.
Relative Depth
Have the rule search a window measured from the end of the previous
content match rather than from the start of the payload. If you enable
this option, you must specify the size of that window in the Within field.
Relative Offset
Have the rule start its search at a distance from the end of the previous
content match rather than at an absolute offset. If you enable this option,
you must specify that distance in the Distance field.
8. Click Add.
The token is added to the list.
9. Click Next.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
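The following Python program is an added example and is not part of this guide or of the CA product. It evaluates a chain of Content tokens against one payload with the Offset, Depth, Distance, Within, No Case, RegExp and Negation options described above: each successful match moves a cursor to the end of the matched bytes, and the relative options are measured from that cursor. The HTTP request, the token values and the window sizes are constructed for the example; the windowing semantics are the Snort content-modifier semantics these tokens mirror, which is an assumption.

```python
"""Content-token evaluation with Offset, Depth, Distance, Within, No Case and RegExp.

Added example (not CA code): a small matcher that evaluates a chain of Content
tokens against one payload. Each successful match moves a cursor to the end of
the matched bytes; Relative Offset (Distance) and Relative Depth (Within) are
measured from that cursor. The sample HTTP request is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ContentToken:
    value: bytes
    offset: int = 0                 # absolute start of the search window
    depth: Optional[int] = None     # absolute window length, counted from offset
    distance: Optional[int] = None  # Relative Offset: skip this many bytes after the last match
    within: Optional[int] = None    # Relative Depth: window length, counted from cursor + distance
    nocase: bool = False            # No Case
    regexp: bool = False            # RegExp: value is a regular expression
    negate: bool = False            # Negation: token passes only if the value is NOT found


def _search(payload, tok, start, end):
    """Return the index just past the match inside payload[start:end], or None."""
    window = payload[start:end]
    if tok.regexp:
        flags = re.IGNORECASE if tok.nocase else 0
        m = re.search(tok.value, window, flags)
        return start + m.end() if m else None
    hay, needle = (window.lower(), tok.value.lower()) if tok.nocase else (window, tok.value)
    idx = hay.find(needle)
    return start + idx + len(needle) if idx != -1 else None


def match_token(payload, tok, cursor):
    """Evaluate one token; return the new cursor, or None if the token fails."""
    relative = tok.distance is not None or tok.within is not None
    start = (cursor + (tok.distance or 0)) if relative else tok.offset
    if tok.within is not None:
        end = start + tok.within
    elif tok.depth is not None:
        end = start + tok.depth
    else:
        end = len(payload)
    end_of_match = _search(payload, tok, start, end)
    if tok.negate:
        return cursor if end_of_match is None else None   # cursor does not move on a negated token
    return end_of_match


def evaluate(payload: bytes, tokens: List[ContentToken]) -> bool:
    """The rule applies only if every token, taken in order, succeeds."""
    cursor = 0
    for tok in tokens:
        cursor = match_token(payload, tok, cursor)
        if cursor is None:
            return False
    return True


# Constructed sample request.
REQUEST = b"GET /cgi-bin/login.php?user=admin HTTP/1.1\r\nHost: example\r\n\r\n"

RULE = [
    ContentToken(b"GET ", offset=0, depth=4),            # must be at the very start
    ContentToken(b"/cgi-bin/", distance=0, within=12),   # immediately after the method
    ContentToken(b"ADMIN", distance=0, within=40, nocase=True),
    ContentToken(rb"HTTP/1\.[01]", distance=0, regexp=True),
    ContentToken(b"Content-Length", negate=True),        # no body expected on a GET
]

if __name__ == "__main__":
    print(evaluate(REQUEST, RULE))
    print(evaluate(REQUEST, [ContentToken(b"ADMIN")]))   # case sensitive without No Case
    print(evaluate(REQUEST, [ContentToken(b"GET ", depth=4),
                             ContentToken(b"admin", distance=0, within=10)]))  # outside the window
```

Anchoring the first token with Offset 0 and Depth 4 means the engine inspects four bytes instead of the whole payload, which is the cost saving the performance note above is about; the later tokens then search only a short window after the previous match.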
Use General tokens to compare a protocol field of the analyzed packet with an
exact value. The rule applies only if the field named by the token stands in the
specified relation (equal to, not equal to, greater than, or less than) to the
value you assign.
1. Open the Configure General Tokens page by either clicking Next on the
Configure Content Token page of the Create Intrusion Protection Rule, or by
clicking the Configure General Tokens link in the Steps to Create Rule pane.
The Configure General Tokens page opens.
2. Specify the token identifier to be checked in the Token ID field.
D Size
Use this token to test the packet payload size. You can set a high value
to check for abnormally sized packets, which can be useful for detecting
buffer overflow attempts.
Is Data At
Use this token to check whether the packet payload has data at a
specified location. Unlike other tokens, this token has a special Relation
setting. Leave the Relation blank to check for data at a specific location.
Select Relative to check for data at a location relative to the end of the
last content match.
Same Address
Use this token to check if the source IP address is the same as the
destination IP address. For this token, do not specify a Relation or Value.
IP TTL
Use this token to check the IP time-to-live value. For example, use it to
detect traceroute attempts, which send packets with deliberately low TTL
values.
IP TOS
Use this token to check the IP TOS field for the value you specify.
IP Opt
Use this token to check if a specific IP option is present. All of these
options are defined in the Internet Protocol documentation found at
http://www.iana.org/, under IP Option Numbers. You can check for the
following options:
Note: You can only have one IP Opt token per rule.
■ End of List: Checks if the End of List option is present. If this option
is present, there should be no additional IP options listed after this
value.
■ Any IP Options are Set: Use this value to check if any IP options are
set in the packet.
IP Protocol
Use this token to check the IP protocol header for the protocol you
specify.
TCP Seq
Use this token to check for a specific TCP sequence number.
TCP Ack
Use this token to check for a specific TCP acknowledgment number.
ICMP Type
Use this token to check for a specific ICMP type value.
ICMP Code
Use this token to check for a specific ICMP code value.
Echo Id
Use this token to check for a specific ICMP echo identifier value. Some
covert channel programs use static ICMP fields when communicating. If
you know the field value, you can use this token to check for it.
Echo Seq
Use this token to check for a specific ICMP echo sequence value. Some
covert channel programs use static ICMP fields when communicating. If
you know the field value, you can use this token to check for it.
TCP Window
Use this token to check for a specific TCP window size.
To create a range, you must create two tokens, one for each boundary of the
range. For example, you could set one D Size token to greater than 10 and
another to less than 100 to create a rule that applies when the packet payload
size is between 10 and 100.
For the Is Data At token, select Absolute to look for data at a specific point in
the payload, or select Relative to look for data at a point relative to the end of
the last content match.
For Same Address there is no Relation to specify.
5. Click Add.
The token is added to the list.
6. Click Next.
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
Use Flow Bits tokens to control a temporary state variable in the Intrusion
Protection engine that rules can check, set, or unset. For example, you can use
this token to record that a specific packet was seen, so that later rules can
act on that fact. This token lets rules track state across a transport protocol
session.
There are seven operations associated with the Flow Bits token. For these
operations you must specify a name for the state being checked. The name may
be any alphanumeric string; periods, dashes, and underscores are also allowed.
1. Open the Configure Flow Bits Tokens page by either clicking Next on the
Configure General Token page of the Create Intrusion Protection Rule, or by
clicking the Configure Flow Bits Tokens link in the Steps to Create Rule pane.
Set
Set the specified state for the current flow.
Unset
Unset the specified state for the current flow.
Toggle
Toggle the specified state. If the state is set, it becomes unset; if the
state is unset, it becomes set.
Isset
Check whether the specified state is set.
Isnotset
Check whether the specified state is not set.
Noalert
Specify that the rule should not generate an alert, regardless of the rest
of the detection options specified for the rule. Use this with Set to
record state silently for later rules to check.
Reset
Reset the state on the current flow, clearing it so that a later Isset check
for it fails.
4. Click Add.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
Use the Byte Test token to test a byte field in the packet against a specific
value. The field can be read as a binary number, or, when it holds a number
written as text, converted to its numeric value before the test.
1. Open the Configure Byte Test Tokens page by either clicking Next on the
Configure Flow Bits Token page of the Create Intrusion Protection Rule, or by
clicking the Configure Byte Test Tokens link in the Steps to Create Rule pane.
Value
Specify the value that the byte test token checks against.
Offset
Specify any offset value for this token. If you specify an offset, the token
jumps this distance ahead in the packet before reading the field.
Size
Specify the number of bytes examined when checking values.
Little Endian
Select this option to process the contents data as little-endian.
Big Endian
Select this option to process the contents data as big-endian.
Auto
Select this option to let the Intrusion Protection determine the best
processing option.
Like C
Select this option to read the field as a number written in string (text)
form rather than as a binary value. The Hex and Dec options then specify
the base in which the string is interpreted.
Hex
Select this option to interpret the string data as hexadecimal notation.
Dec
Select this option to interpret the string data as decimal notation.
Equal
Select this option to have the rule apply if the value read from the packet
equals the value specified.
Xor
Select this option to have the rule apply if the bitwise exclusive OR of
the value read from the packet and the value specified is non-zero (a bit
is set in one or the other, but not both).
Greater
Select this option to have the rule apply if the value read from the packet
is greater than the value specified.
Less
Select this option to have the rule apply if the value read from the packet
is less than the value specified.
And
Select this option to have the rule apply if the bitwise AND of the value
read from the packet and the value specified is non-zero (a bit is set in
both).
Or
Select this option to have the rule apply if the bitwise OR of the value
read from the packet and the value specified is non-zero (a bit is set in
one or both).
6. Click Add.
The token is added to the list.
7. Click Next.
The Configure Byte Jump Tokens page opens.
Alternatively, click Save to save your changes and return to the Intrusion
Protection Rules page, click Back to return to the previous page, click Discard
to remove any changes you made, or click Close to close the page without
saving changes.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
Use the Byte Jump token to read a length from the packet, skip ahead that
distance in the packet and check the packet contents at the new location. Use
these tokens to skip over specific portions of length-encoded protocols and
perform detection in very specific locations. When creating Byte Jump tokens,
you specify the extracted number information, data type, and search flags.
1. Open the Configure Byte Jump Tokens page by either clicking Next on the
Configure Byte Test Token page of the Create Intrusion Protection Rule, or
by clicking the Configure Byte Jump Tokens link in the Steps to Create Rule
pane.
Size
Specify the number of bytes to read from the packet as the length value.
Little Endian
Select this option to process the contents data as little-endian.
Big Endian
Select this option to process the contents data as big-endian.
Auto
Select this option to let the Intrusion Protection determine the best
processing option.
Like C
Select this option to read the length as a number written in string (text)
form in the packet rather than as a binary value. The Hex, Dec, and Oct
options then specify the base in which the string is interpreted.
Hex
Select this option to interpret the string data as hexadecimal notation.
Dec
Select this option to interpret the string data as decimal notation.
Oct
Select this option to interpret the string data as octal notation.
4. (Optional) In the Search Flags column, enable flags that control how the
search behaves.
Select this option to round the number of converted bytes up to the next
32-bit boundary.
Relative
Select this option to read the length at an offset relative to the last
pattern match.
From Beginning
Select this option to skip forward from the beginning of the packet
payload instead of from the current position in the packet.
5. Click Add.
The token is added to the list.
6. Click Next.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
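The following Python program is an added example and is not part of this guide or of the CA product. It serves both the Byte Test and the Byte Jump sections: over a constructed length-encoded message (a 2-byte big-endian name length, the name, then a 4-byte little-endian flags word) a Byte Jump reads the length and moves the cursor past the name, and a Byte Test reads the flags word at the new position. The option names (endianness, Like C string mode with a base, align, Relative, From Beginning) follow this page; their exact arithmetic is modelled on the Snort byte_test and byte_jump options, which is an assumption, and the message layout and rule names are constructed.

```python
"""Byte Test and Byte Jump over a length-encoded message.

Added example (not CA code). The message layout, the rule names and the
numeric semantics of the options are assumptions; see the lead-in above.
"""
import struct


def read_number(buf, pos, size, endian="big", string=False, base=10):
    """Read `size` bytes at `pos` as a number, binary or (Like C) as a numeric string."""
    chunk = buf[pos:pos + size]
    if len(chunk) < size:
        raise ValueError("field at %d runs past the end of the payload" % pos)
    if string:
        return int(chunk.decode("ascii"), base)
    return int.from_bytes(chunk, "little" if endian == "little" else "big")


def byte_jump(buf, cursor, size, offset=0, relative=False, endian="big",
              string=False, base=10, align=False, from_beginning=False):
    """Return the new cursor after skipping the length read from the packet."""
    pos = (cursor if relative else 0) + offset
    length = read_number(buf, pos, size, endian, string, base)
    if align:                                   # round up to the next 32-bit boundary
        length = (length + 3) & ~3
    if from_beginning:
        return length                           # skip counted from the start of the payload
    return pos + size + length                  # skip counted from just past the length field


OPERATORS = {
    "=": lambda packet, value: packet == value,
    "!": lambda packet, value: packet != value,
    ">": lambda packet, value: packet > value,          # value read from the packet is greater
    "<": lambda packet, value: packet < value,
    "&": lambda packet, value: (packet & value) != 0,   # bitwise AND
    "^": lambda packet, value: (packet ^ value) != 0,   # bitwise XOR
}


def byte_test(buf, cursor, size, op, value, offset=0, relative=False,
              endian="big", string=False, base=10):
    """True if the number read from the packet satisfies `op` against `value`."""
    pos = (cursor if relative else 0) + offset
    return OPERATORS[op](read_number(buf, pos, size, endian, string, base), value)


def build_message(name, flags):
    """Constructed sample: version byte, 2-byte BE name length, name, 4-byte LE flags."""
    return b"\x01" + struct.pack(">H", len(name)) + name + struct.pack("<I", flags)


def admin_flag_set(msg):
    """Rule: jump over the variable-length name, then test the top bit of the flags word."""
    cursor = byte_jump(msg, 0, size=2, offset=1, endian="big")
    return byte_test(msg, cursor, size=4, op="&", value=0x80000000,
                     offset=0, relative=True, endian="little")


def name_too_long(msg, limit=64):
    """Rule: flag a declared name length above `limit` without reading the name itself."""
    return byte_test(msg, 0, size=2, op=">", value=limit, offset=1, endian="big")


if __name__ == "__main__":
    print(admin_flag_set(build_message(b"alice", 0x80000001)))
    print(admin_flag_set(build_message(b"alice", 0x00000001)))
    print(name_too_long(build_message(b"A" * 300, 0)))
    # Like C mode: the four ASCII characters "00ff" read in base 16 give 255.
    print(read_number(b"00ff", 0, 4, string=True, base=16))
```

The second rule is the typical use of Greater: it reads only the length field and alerts when a sender declares a field larger than the protocol's limit, which is the shape of many buffer-overflow triggers, without the cost of a content search over the whole payload.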
Use Perl Compatible Regular Expressions (PCRE) tokens to create rules using a
regular expression library whose syntax and semantics follow Perl's. For more
detail on what you can do with a PCRE regular expression, see the PCRE web
site at http://www.pcre.org. When creating PCRE tokens, you provide an
expression string. By default, the expression string is treated as one single
line of characters: ^ and $ match at the beginning and the end of the string
respectively.
<expression>
This is the PCRE compatible string of characters
<modifiers>
This is a modifier or list of modifiers. You can use any of the following
modifiers:
■ i: Use this modifier if you want the expression to be matched regardless
of case.
2. In the Value field, enter the expression for the token. The PCRE expression
format is:
=/<expression>/<modifiers>
3. Click Add.
Add
Specify the token information and click this button to add the token. This
button only appears if you have no tokens selected.
Update
Select a token in the list, change any value, and click this button to update
the token to the new values. This button is only visible if you select a token.
Delete
Select a token in the list and click this button to delete it. This button is active
if you have a token selected.
Clear
Click this button to clear all data you entered, resetting the values to the
default state. This button is active if you have no token selected.
De-Select Grid Item
To add a new item, you cannot have any of the items in the list selected. Use
this button to de-select the current item, so that you can add a new token.
This button is active if you have a token selected.
Initially the tokens are added to this list in the order in which you created them.
If, for example, you create the tokens in the same order as the pages of the Rule
editor, you would have created your Flow tokens before any Content or General
tokens. If this does not meet your needs, especially with more complicated
tokens, you can use the Reorder the Tokens page to change the order of the
tokens to ensure that they are used in the correct order.
For example, if you want to detect a value using Flow Bits tokens and you follow
the steps, you create a Content token first, then Flow Bits tokens. However, the
Flow Bits order always depends on the operation, and, for the operation "ISSET",
the Flow Bits token must come before the Content token. In this case, you would
have to reorder the tokens so that the Flow Bits token is applied first.
For another example, if a rule contains several Content and PCRE tokens, these
tokens must be arranged in sequential order,
<Content1><PCRE1><Content2><PCRE2>, etc. One method to create this
sequence is to add all the Content tokens first, then add all the PCRE tokens. You
would then rearrange the tokens on this page to match the order you need.
Note: You do not have to create tokens in the order presented by the editor. You
can go to the needed page using the Back and Next buttons, or click the link to
the page in the Steps to Create pane. The tokens are added in the order you
create them. However, the Reorder the Tokens page is the only place where you
can see all the tokens entered, in their current order.
1. Open the Reorder Tokens page by either clicking Next on the Configure PCRE
Token page of the Create Intrusion Protection Rule, or by clicking the
Reorder Tokens link in the Steps to Create Rule pane.
3. Use the priority arrows to move the token up or down in the priority list.
The higher the token is in the list, the earlier in the Intrusion Protection
process the token is used. You can also drag-and-drop tokens to change
their position.
4. Click Save.
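The following Python program is an added example and is not part of this guide or of the CA product. It serves both the Flow Bits section and the token-ordering discussion above: a toy rule engine keeps Flow Bits state per connection and evaluates tokens in list order, so one rule can Set a state silently (Noalert) on an anonymous FTP login and a second rule can Isset that state before matching a later file request. The rule names, the FTP traffic and the addresses and ports are constructed; the engine itself is an assumption, not the product's implementation.

```python
"""Flow Bits state across packets, and why token order matters.

Added example (not CA code). The flow key is built from both endpoints so
that packets in either direction share the same state.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    @property
    def flow_key(self):
        # Direction-independent key: both sides of one TCP connection map to the same entry.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


@dataclass
class Rule:
    name: str
    tokens: List[Tuple]   # ("content", bytes) or ("flowbits", (operation, state_name))


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.flows = {}   # flow_key -> set of state names that are currently set

    def _evaluate(self, rule, payload, states):
        """Tokens are applied in list order; the first failing token stops the rule."""
        alert = True
        for kind, arg in rule.tokens:
            if kind == "content":
                if arg not in payload:
                    return False
                continue
            op, name = arg
            if op == "set":
                states.add(name)
            elif op == "unset":
                states.discard(name)
            elif op == "toggle":
                states.symmetric_difference_update({name})
            elif op == "isset":
                if name not in states:
                    return False
            elif op == "isnotset":
                if name in states:
                    return False
            elif op == "noalert":
                alert = False          # state changes still happen, but no alert is raised
            elif op == "reset":
                states.clear()
            else:
                raise ValueError("unknown Flow Bits operation %r" % op)
        return alert

    def process(self, pkt):
        """Return the names of the rules that alert on this packet."""
        states = self.flows.setdefault(pkt.flow_key, set())
        return [r.name for r in self.rules if self._evaluate(r, pkt.payload, states)]


def build_rules(misordered=False):
    # Rule 1 marks the flow as an anonymous FTP login without alerting.
    login_tokens = [("content", b"USER anonymous"),
                    ("flowbits", ("set", "ftp.anon")),
                    ("flowbits", ("noalert", None))]
    if misordered:
        # Set placed before the content check: the state is set on every packet of every flow.
        login_tokens = [login_tokens[1], login_tokens[0], login_tokens[2]]
    # Rule 2 fires only on flows already marked; Isset comes first, as the Reorder page requires.
    retr_tokens = [("flowbits", ("isset", "ftp.anon")),
                   ("content", b"RETR /etc/passwd")]
    return [Rule("ftp-anon-login", login_tokens), Rule("ftp-anon-retr-passwd", retr_tokens)]


# Constructed traffic: one anonymous session, then an unrelated client on a second flow.
PACKETS = [
    Packet("10.0.0.5", 40000, "10.0.0.9", 21, b"USER anonymous\r\n"),
    Packet("10.0.0.9", 21, "10.0.0.5", 40000, b"331 Please specify the password.\r\n"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 21, b"RETR /etc/passwd\r\n"),
    Packet("10.0.0.7", 40001, "10.0.0.9", 21, b"RETR /etc/passwd\r\n"),   # never logged in anonymously
]


def run_scenario(misordered=False):
    """Return, per packet, the list of rules that alerted."""
    engine = Engine(build_rules(misordered))
    return [engine.process(p) for p in PACKETS]


if __name__ == "__main__":
    print(run_scenario())                  # only the third packet alerts
    print(run_scenario(misordered=True))   # the fourth packet now alerts as well
```

With the tokens in the correct order the fourth packet stays quiet, because its flow never saw the login. With Set moved ahead of the Content token, the login rule marks every flow it touches before the content check fails, and the second rule then fires on a client that never authenticated: that is the false positive the Reorder the Tokens page exists to prevent.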
The All Advanced Policy Components option lets you create definitions, rules, and
Rule Sets for Proactive Protection policies. The rules and Rule Sets are specific to
the policy type. Definitions can be used across policies and rules.
Firewall Rule Sets contain a collection of Firewall Rules. Use the Rule Sets when
creating Firewall policies. This page lets you create, edit, and delete Rule Sets.
You can also reorder the Rule Set as necessary and disable or enable selected
rules within the Rule Set.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.
The Global Firewall Policy Definitions page opens.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to copy it to the clipboard.
Paste
Click this button to paste a copy of the Rule Set.
1. Click New.
The Create New Firewall Rule Set window opens to the Name and General
Settings pane.
2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.
3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
4. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move it up or down the list.
3. Select the Rule Set whose order you want to change and use the Priority
arrows to move it up or down the list.
The Rule Set with the highest priority is at the top of the list.
If there is a check mark in the box, the rule is enabled. If there is no check
mark, the rule is disabled.
Rule Sets can be ordered as necessary. Ordering the Rule Sets lets you ensure
the rules which are most important to you have the highest priority.
When viewing the Rule Sets order, the Rule Set at the top of the list has the
highest priority.
3. Select a Rule Set, then change the position of the Rule Set using the up and
down Priority arrows. The higher the Rule Set is on the list, the higher the
priority.
Changes are saved as soon as you move a Rule Set.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.
3. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Select Rules
When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.
1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
You can manage Firewall rules from the Firewall Rules tab. These rules control
access to and from your network. You can create, edit, or delete rules from this
page. You can also copy and paste rules as necessary.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.
The Global Firewall Policy Definitions page opens.
Firewall rules are used to make up your Firewall policy and control access to and
from your network.
1. Click New.
The Create Firewall Rule page opens to the Name and General Settings pane.
2. Enter the name and description for the rule and click Next.
The Application or Application Group pane opens, replacing the Name and
General Settings pane.
If you want the rule to apply to two protocols, create the rule for one
protocol, copy and paste the rule, then edit the copy and change the
protocol.
6. Click Next.
The Remote and Local IP Address pane opens, replacing the
Communications Protocol and Direction pane.
8. (Optional) Enable Routed Traffic, and specify any local IP address to which
this rule applies.
9. Click Next.
The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.
10. Specify the Access Permission and Audit level for this rule.
11. Specify the Firewall Zone for this rule, and specify the time frame during
which this rule applies.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
This page lets you specify the communications protocol and the directions of
communication in the built-in custom Firewall Rule Set.
To create the same rule for both traffic directions, create the rule, copy and
paste the rule, then edit the copy and change the direction.
3. Click Next.
This page lets you specify the remote and local IP address used in the built-in
custom Firewall Rule Sets.
3. Click Next.
The Access Permission, Audit Level, Firewall Zone, and Time Frame pane
opens.
Specify Access Permissions, Audit Levels, Firewall Zones, and Time Frames
This page lets you specify the access permissions, audit levels, Firewall zones,
and time frames in the built-in custom Firewall Rule Sets.
1. Specify the Access Permission and Audit level for this rule.
2. Specify the Firewall Zone for this rule.
Firewall Zone Rule Sets contain a collection of Firewall Zone Rules. Use the Rule
Sets when creating Firewall policies. This page lets you create, edit, and delete
Rule Sets.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.
Copy
Select a Rule Set and click this button to copy it to the clipboard.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click New.
The Create New Firewall Zone Rule Set window opens to the Name and
General Settings pane.
2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.
3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the ground work of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Select Rules
When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.
1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
You can manage Firewall Zone rules from the Firewall Zone Rules tab. These
rules control zone access and communication. You can create, edit, or delete
rules from this page. You can also copy and paste rules as necessary.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Firewall.
The Global Firewall Policy Definitions page opens.
Firewall Zone rules are used to make up your Firewall Zone policy and control
settings for different network zones.
2. Enter the name and description for the rule and click Next.
The Interface Identification pane opens, replacing the Name and General
Settings pane.
3. In the Identify Interface By pane, use one of the radio button options to
specify how a network interface is identified.
4. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.
5. Click Save to save your changes.
Your changes are saved, and the page closes. Click Back to return to the
previous page. Click Discard to remove any changes you made. Click Close
to close the page without saving changes.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
This page lets you configure how the network interfaces that belong to the
selected zones are identified.
1. In the Identify Interface By pane, specify how the network interface is
identified and provide the corresponding address information.
2. In the Specify Firewall Zone and Audit Level pane, select the Firewall Zone,
then select the audit level for this rule.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Application Control.
5. Click the Known Application Database Rules and Rule Sets tab.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click New.
The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.
2. Enter the name and description for the Rule Set and click Next.
3. Select the rule to add from the Available Rules table, and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
4. (Optional) You can disable or enable rules within the rules set.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, make sure the check mark is present.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the groundwork of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Select Rules
When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.
1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
This option may not apply to all Rule Sets.
3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, ensure that the check mark is present.
Known Applications Database Use Rules are used to populate application groups
on the endpoints using the Known Application Database.
1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, expand the Proactive Protection item, and click Application Control.
The Global Application Control Policy Definitions page opens.
4. Click the Known Application Database Rules and Rule Sets tab.
5. Click the Known Application Database Use Rules sub tab.
The Known Application Database Use Rules page opens.
Copy
Select a rule and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the rule.
Delete
Select a rule and click this button to remove that rule from the list.
2. Enter the name and description for the rule and click Next.
The Specify Application Group and Enrollment Options pane opens.
3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.
6. Click Next.
7. Select all of the necessary Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group, and click Next.
8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.
Known Application Database Rules are used to build Application Control policies.
The Create New Known Application Database Rule Set window opens to the
Name and General Settings pane.
2. Enter the name and description for the rule and click Next.
3. Specify the Application group for the rule and indicate whether the rule
should allow applications to be enrolled in the group or prevented from
enrolling.
5. Specify how the application is identified and click Next. You can select as
many options as necessary.
6. Select all of the applicable Usage Expression Flags that must be true for an
application to qualify for the enrollment in the group.
You can select as many as necessary.
7. Click Next.
The Specify Special Access Flags pane opens.
8. Select all of the applicable Special Access Flags that must be true for an
application to qualify for the enrollment in the group.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Integrity Check Rule Sets contain a collection of Integrity Check Rules. Use the
Rule Sets when creating Application Control policies. This page lets you create,
edit, and delete Rule Sets.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click Application Control.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
1. Click New.
The Create New Integrity Check Rule Set window opens to the Name and
General Settings pane.
2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.
3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the groundwork of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Select Rules
When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.
1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
You can manage Integrity Check rules from the Integrity Check Rules tab. These
rules let you specify whether an application is allowed to run, or is prevented
from running, when its integrity check fails.
Use these rules when creating Integrity Check Rule Sets and Application Control
policies.
You can create, edit, or delete rules from this page. You can also copy and paste
rules as necessary.
5. Click the Integrity Check Database Rules and Rule Sets tab.
6. Click the Integrity Check Rules sub tab.
The Integrity Check Rules page opens.
New
Copy
Select a rule and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the rule.
Delete
Select a rule and click this button to remove that rule from the list.
1. Click New.
The Create New Integrity Check Rule Set window opens to the Name and
General Settings pane.
2. Enter the name and description for the rule and click Next.
The Specify Application, Module, or Group pane opens.
3. In the Check Integrity Of section, specify the object to have its integrity
checked by selecting the category and using the drop-down menu to pick the
object.
You can only select one category and one object.
4. In the Access Result and Audit Level section, specify the access result.
■ To allow the application to run if the integrity check succeeds, select
Allow.
5. In the Access Result and Audit Level section, specify the Audit Level for this
rule.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
Use the Specify Application, Module, or Group page to indicate which object has
its integrity verified by this rule.
2. In the Access Result and Audit Level section, specify the action to take based
on the result of the integrity check:
■ To allow the application to run if the integrity check succeeds, select
Allow.
3. In the Access Result and Audit Level section, specify the Audit Level for this
rule.
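The following is an added illustration of how an Integrity Check rule of the kind described above can be modelled and evaluated. It is not CA's code and does not reflect the product's internal data structures: the rule fields, the assumed audit levels ("None", "Low", "High"), the decision table (run on success, apply the rule's access result on failure) and the sample image bytes are all constructed for the example.

```python
"""Toy model of an Integrity Check rule: an added illustration, not CA's code.
Rule fields, audit levels and the decision table are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class IntegrityCheckRule:
    name: str
    target: str            # the one object whose integrity this rule checks
    expected_sha256: str   # digest recorded when the rule was created
    on_failure: str        # access result when the check fails: "Allow" or "Prevent"
    audit_level: str       # "None", "Low" or "High" (assumed levels)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(rule: IntegrityCheckRule, image: bytes) -> dict:
    """Return the access decision for one image plus an audit record when the
    rule's audit level asks for one. The audit record is what a SOC collects
    to detect tampering rather than only block it."""
    actual = sha256_hex(image)
    # Constant-time comparison so the check does not leak how much of the
    # digest matched.
    ok = hmac.compare_digest(actual, rule.expected_sha256)
    decision = "Allow" if ok else rule.on_failure
    result = {"rule": rule.name, "target": rule.target,
              "integrity_ok": ok, "decision": decision, "audit": None}
    # Low: record failures only. High: record every evaluation.
    if rule.audit_level != "None" and (not ok or rule.audit_level == "High"):
        result["audit"] = (f"[{rule.audit_level}] {rule.name}: {rule.target} "
                           f"integrity {'OK' if ok else 'FAILED'} -> {decision} "
                           f"(expected {rule.expected_sha256[:12]}..., "
                           f"got {actual[:12]}...)")
    return result


# Constructed sample images: a fake executable and a one-byte-patched copy.
GOOD_IMAGE = b"MZ\x90\x00constructed-sample-binary"
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"!"

AGENT_RULE = IntegrityCheckRule(
    name="Block modified agent binary",
    target=r"C:\Program Files\Example\agent.exe",   # placeholder path
    expected_sha256=sha256_hex(GOOD_IMAGE),
    on_failure="Prevent",
    audit_level="High",
)


def demo() -> dict:
    """Evaluate the rule against the intact and the tampered image."""
    return {"intact": evaluate(AGENT_RULE, GOOD_IMAGE),
            "tampered": evaluate(AGENT_RULE, TAMPERED_IMAGE)}


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r["decision"], r["audit"] or "")
```

The point of the audit record is that a Prevent decision on its own is silent; setting a non-zero audit level on integrity rules for sensitive binaries is what makes a tampered image visible to whoever reviews the logs.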
1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.
2. Click Application Control.
The Global Application Control Policy Definitions page opens.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click New.
The Create New Application Spawning Rule Set window opens to the Name
and General Settings pane.
2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.
3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the groundwork of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Select Rules
When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.
1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
3. You can disable or enable rules within the rules set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.
2. Click Application Control.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click New.
The Create New Application Spawning Rule window opens to the Name and
General Settings pane.
2. Enter the name and description for the rule and click Next.
The Target and Spawned Applications pane opens.
3. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.
4. In the Select Which Application is Spawned section, specify whether this rule
allows all applications, an application group, or a specific application to
spawn.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.
5. Click Next.
The Specify Rule Actions and Time Frame pane opens.
6. In the Allow or Prevent Action and Audit Level section, specify the following
settings and the audit level for each of them:
Start Application
Whether the application is allowed to start other applications.
Use Security
Whether you want the application to allow use of the default integrity
level or whether it is prevented from doing so.
7. In the Select Time Frame section, specify the time frame during which this
rule applies.
If you do not specify a time frame, the rule always applies.
8. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.
This page lets you specify the target and spawned applications allowed by the
Application Spawning rule.
1. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.
2. In the Select Which Application is Spawned section, specify whether this rule
allows all applications, an application group, or a specific application to
spawn.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.
3. Click Next.
This page lets you specify the rule actions and when the rule applies.
1. In the Allow or Prevent Action and Audit Level section, specify the following
settings and the audit level for each of them:
Start Application
Whether the application is allowed to start other applications.
Use Security
Whether spawned applications use their own security setting (Child) or
that of the application which spawned them (Parent).
Whether you want the application to allow use of the default integrity
level or whether it is prevented from doing so.
2. In the Select Time Frame section, specify the time frame during which this
rule applies.
If you do not specify a time frame, the rule always applies.
3. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
OS Security Rule Sets contain a collection of OS Security Rules. Use the Rule
Sets when creating OS Security policies. This page lets you create, edit, and
delete Rule Sets. You can also reorder the Rule Sets as necessary.
1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, expand the Proactive Protection item, and click OS Security.
The OS Security Policy Definitions page opens.
3. Select the OS Security Rules and Rule Sets tab and select the OS Security
Rule Sets sub tab.
The OS Security Rule Sets page opens.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click New.
The Create New OS Security Rule Set window opens to the Name and
General Settings pane.
2. Enter the name and description for the Rule Set and click Next.
The File Access Rules pane opens.
3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
4. Click Next.
Rule Sets can be ordered as necessary. Ordering the Rule Sets lets you ensure
the rules which are most important to you have the highest priority.
When viewing the Rule Sets order, the Rule Set at the top of the list has the
highest priority.
3. Select a Rule Set, then change the position of the Rule Set using the up and
down Priority arrows. The higher the Rule Set is on the list, the higher the
priority.
Changes are saved once you move a rule.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule sets, this page includes an
additional option letting you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the groundwork of a policy, whereas
add-on Rule Sets are additional rules that can be optionally added to policies.
3. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.
3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.
Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.
From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.
3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.
4. Click Next to continue to the next page if applicable.
5. Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.
From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.
2. Use the double arrows to move the rule to the Selected Rules table.
3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.
From this page, you can select the rules that make up the OS Security Rule set.
For OS Security Rule sets, there are several rule categories from which you can
select the rules. Each category has its own page to better organize the rules.
3. (Optional) Change the rule order as necessary by selecting a rule and using
the up and down arrows to move the rule up or down the list.
5. Alternatively, click Save to save your changes, click Discard to remove any
changes you made but keep the page open, or click Close to close the page
without saving changes.
OS Security Rules let you protect certain objects from applications. Use the rules
when creating OS Security policies and Rule Sets. This page lets you create, edit,
and delete rules for the objects. This page is divided into several tabs, one for
each object type you can protect. All tabs function in the same manner, but only
display rules related to objects of that type.
1. In the Navigation pane, click Policies, expand Global Policy Definitions, and
expand Proactive Protection.
2. Click OS Security.
The OS Security Policy Definitions page opens.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click the tab of the object type you want to protect and click New.
The Create New OS Security Rule window opens to the Name and General
Settings pane.
2. Enter the name and description for the rule and click Next.
The Target Application and Protected object pane opens.
3. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.
4. In the bottom section, specify whether this rule protects against all objects
of this type or a specific object.
If you select a specific object, you must specify the object in the drop-down
menu. The objects available vary depending on the type of object you
selected for this rule.
5. Click Next.
6. In the Allow or Prevent Action and Audit Level section, specify which actions
are allowed or prevented and the audit level for each of these actions.
7. In the Select Time Frame section, specify the time frame during which this
rule applies.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
This page lets you specify the target application and any applicable protected
objects.
1. In the Apply this Rule to section, specify whether this rule applies to all
applications, an application group, or a specific application.
If you select Application Group or Application, you must specify the group or
application using the drop-down menus.
This page lets you specify the rule actions and when the rule applies.
1. In the Allow or Prevent Action and Audit Level section, specify which actions
are allowed or prevented and the audit level for each of these actions.
2. In the Select Time Frame section, specify the time frame during which this
rule applies.
The Guard Rule Sets contain a collection of Guard Rules. Guard rules let you
specify which of the OS Security rules are applied for the selected application or
group.
For example, application file access rules are applicable only if the file guard is
active for that application in the guard rule. Use the Rule Sets when creating OS
Security policies.
This page lets you create, edit, and delete Rule Sets.
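To make the interaction between Rule Set priority (the Rule Set at the top of the list wins), the fields of an OS Security rule (target application or group, protected object, allowed or prevented actions, audit level, optional time frame) and guard gating (a file access rule only applies if the file guard is active for that application) concrete, here is an added first-match evaluator. It is an illustration written for this page, not CA's engine: the evaluation order, the "NoRule" result when nothing applies, the guard representation, the sample application names, the hosts file path and the rule sets are all assumptions constructed for the example.

```python
"""Toy first-match evaluator for ordered OS Security rule sets with guard
gating. Added illustration, not CA's implementation; evaluation order, the
default result and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class TimeFrame:
    start: time
    end: time

    def contains(self, at: datetime) -> bool:
        t = at.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end   # window crossing midnight


@dataclass(frozen=True)
class OSSecurityRule:
    name: str
    object_type: str                  # "File", "Registry", ... (one tab per type)
    target: str                       # "All", "Group:<name>" or "App:<exe>"
    protected: str                    # "All" or one specific object
    actions: dict                     # action -> "Allow" | "Prevent"
    audit_level: str
    time_frame: Optional[TimeFrame] = None   # None: the rule always applies


@dataclass(frozen=True)
class RuleSet:
    name: str
    rules: tuple                      # rule order inside the set matters too


def target_matches(rule: OSSecurityRule, app: str, groups: dict) -> bool:
    if rule.target == "All":
        return True
    kind, _, value = rule.target.partition(":")
    if kind == "Group":
        return app in groups.get(value, ())
    return kind == "App" and value.lower() == app.lower()


def evaluate(rule_sets, guards, groups, app, object_type, obj, action, at):
    """Walk rule sets from highest priority (first) to lowest; the first rule
    that applies decides. Rules for an object type are skipped entirely when
    that guard is not active for the application (guard gating)."""
    if object_type not in guards.get(app, set()):
        return "NoRule", None
    for rule_set in rule_sets:
        for rule in rule_set.rules:
            if rule.object_type != object_type:
                continue
            if not target_matches(rule, app, groups):
                continue
            if rule.protected != "All" and rule.protected.lower() != obj.lower():
                continue
            if action not in rule.actions:          # rule says nothing about it
                continue
            if rule.time_frame and not rule.time_frame.contains(at):
                continue
            return rule.actions[action], f"{rule_set.name}/{rule.name}"
    return "NoRule", None


# Constructed sample policy: a maintenance exception placed ABOVE the baseline.
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"      # sample protected object
SAMPLE_RULE_SETS = (
    RuleSet("Maintenance exceptions", (
        OSSecurityRule("Updater may edit hosts at night", "File",
                       "App:updater.exe", HOSTS, {"Write": "Allow"}, "Low",
                       TimeFrame(time(2, 0), time(4, 0))),
    )),
    RuleSet("Hardening baseline", (
        OSSecurityRule("Hosts file read-only", "File", "All", HOSTS,
                       {"Write": "Prevent", "Read": "Allow"}, "High"),
    )),
)
SAMPLE_GUARDS = {"updater.exe": {"File", "Registry"},   # active guards per app
                 "notepad.exe": {"File"},
                 "legacy.exe": set()}                   # no file guard at all
SAMPLE_GROUPS = {"Editors": {"notepad.exe"}}
NIGHT = datetime(2024, 1, 1, 3, 0)
NOON = datetime(2024, 1, 1, 12, 0)


def demo() -> dict:
    cases = {"updater_night_write": ("updater.exe", "Write", NIGHT),
             "updater_noon_write": ("updater.exe", "Write", NOON),
             "notepad_night_write": ("notepad.exe", "Write", NIGHT),
             "notepad_read": ("notepad.exe", "Read", NOON),
             "legacy_write_no_guard": ("legacy.exe", "Write", NOON)}
    return {label: evaluate(SAMPLE_RULE_SETS, SAMPLE_GUARDS, SAMPLE_GROUPS,
                            app, "File", HOSTS, action, at)[0]
            for label, (app, action, at) in cases.items()}


def reversed_order_demo() -> str:
    """Same policy with the baseline moved to the top: the exception is now
    shadowed and never fires, which is why Rule Set order must be reviewed."""
    return evaluate(tuple(reversed(SAMPLE_RULE_SETS)), SAMPLE_GUARDS,
                    SAMPLE_GROUPS, "updater.exe", "File", HOSTS, "Write", NIGHT)[0]


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
    print("exception shadowed by baseline:", reversed_order_demo())
```

Two things the evaluator makes visible that the click-through steps do not: an exception Rule Set only works if it sits above the baseline that it relaxes (reversed_order_demo shows the exception silently shadowed), and an application with no active file guard is not covered by any file rule at all, so a Prevent rule in a Rule Set gives no protection for applications whose guard rule leaves that guard off.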
2. Click OS Security.
The Global OS Security Policy Definitions page opens.
New
Click this button to create a new Rule Set.
Edit
Select a Rule Set and click this button to edit that object. Editing is the same
as creating a new object; you are just changing the existing values.
Copy
Select a Rule Set and click this button to add a copy to the memory.
Paste
Click this button to paste a copy of the Rule Set.
Delete
Select a Rule Set and click this button to remove that Rule Set from the list.
1. Click New.
The Create New Guard Rule Set window opens to the Name and General
Settings pane.
2. Enter the name and description for the Rule Set and click Next.
The Select Rules pane opens.
3. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
The Name and General Settings page lets you specify the name and a description
for the Policy Component you are creating. For Rule Sets, this page includes an
additional option that lets you set whether a Rule Set is a baseline Rule Set or an
add-on Rule Set. Baseline Rule Sets form the groundwork of a policy, whereas
add-on Rule Sets are additional rules that can optionally be added to policies.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Select Rules
When creating a Rule Set, you must add the rules to the set. You add the rules on
the Select Rules page for that Rule Set.
1. Select the rule to add from the Available Rules table and use the double
arrows to move the rule to the Selected Rules table.
Note: Alternatively, you can remove a rule from the Selected Rules table by
selecting the rule and using the double arrow button to move the rule to the
Available Rules table.
2. Change the rule order, if necessary, by selecting a rule and using the up and
down arrows to move the rule up or down the list.
3. You can disable or enable rules within the Rule Set, if necessary.
■ To disable a rule, remove the check mark in the Enable field of that rule.
■ To enable a rule, select the check box in the Enable field of that rule.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
The Guard Rules let you protect your applications from unwanted access.
1. In the Navigation pane, click Policies, expand the Global Policy Definitions
item, and expand the Proactive Protection item.
2. Click OS Security.
The Global OS Security Policy Definitions page opens.
1. Click New.
The Create New Guard Rule Set window opens to the Name and General
Settings pane.
2. Enter the name and description for the rule and click Next.
3. Specify whether you want this rule to apply to all applications, a group of
applications, or a specific application, and click Next.
4. In the Active Guard Settings section, enable each object that you want to
have protected by the active guard.
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.
From this page, you can specify the applications or application groups to which a
rule applies:
1. Specify whether you want this rule to apply to all applications, a group of
applications, or a specific application.
2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
From this page, you can specify the Active Guard settings for this rule:
1. In the Active Guard Settings section, enable each object that you want to
have protected by the active guard.
Certificate definitions let you specify certificate details for use in Application
Control policies. Each definition covers one certificate. If you have multiple
certificates, you must create a definition for each. When creating certificate
definitions, follow this process:
New
Click this button to create a new definition of this type. Once clicked, the
page shifts to the Name and General Settings pane for this type of definition.
Edit
Select a definition and click this button to edit that definition. Editing a
definition is the same as creating a new definition, except that you are
changing the existing values.
Copy
Select a definition and click this button to copy the definition. The new copy
is stored in memory until pasted.
Paste
Click this button to paste a copied definition. The pasted copy's name is
appended with a number to indicate it is a copy. You cannot paste without
first copying a definition.
Delete
Select a definition and click this button to delete the definition. There is no
confirmation screen, so be careful when deleting definitions.
The Certificate Details page lets you specify the details of a certificate for a
certificate definition. Each definition applies to only one certificate.
1. In the Public Key field, enter the value of the public key for this certificate.
This field is required.
2. In the Issued To field, enter to whom the certificate has been issued.
This field is optional. You can use this field if the certificate was issued by a
third party and you want to ensure only certificates issued by that third party
are valid.
3. In the Valid From and Valid To fields, enter the date range for which the
certificate is valid.
These fields are optional.
4. Click Save to save your changes.
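As an added example (not the guide's or the product's code), the Python below evaluates certificate definitions built from this page's fields against a signing certificate: Public Key is required, Issued To and Valid From / Valid To are optional. It assumes each optional field is an extra constraint that must hold when set and that Issued To is compared with the certificate's subject name; all keys and names are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Union

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO string such as '2009-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def normalize_key(key: str) -> str:
    """Canonicalize a hex-encoded public key: case, spaces and colons are
    display artifacts and must not cause a pinned key to miss."""
    return "".join(ch for ch in key.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class CertificateDefinition:
    """One certificate definition, mirroring the Certificate Details page."""
    public_key: str                    # required
    issued_to: Optional[str] = None    # optional: constrain the subject name
    valid_from: Optional[date] = None  # optional: start of the accepted window
    valid_to: Optional[date] = None    # optional: end of the accepted window

    def __post_init__(self) -> None:
        if not normalize_key(self.public_key):
            raise ValueError("Public Key is required")
        if self.valid_from and self.valid_to and self.valid_from > self.valid_to:
            raise ValueError("Valid From must not be later than Valid To")


@dataclass(frozen=True)
class ObservedCertificate:
    """Fields read from the certificate that signed an executable (constructed)."""
    public_key: str
    subject: str
    not_before: date
    not_after: date


def definition_matches(defn: CertificateDefinition, cert: ObservedCertificate,
                       on: DateLike) -> bool:
    """True when `cert` satisfies every populated field of `defn` on date `on`."""
    day = _as_date(on)
    # Pin on the key itself; a subject name alone can be reused under another key.
    if normalize_key(defn.public_key) != normalize_key(cert.public_key):
        return False
    if defn.issued_to is not None and defn.issued_to.casefold() != cert.subject.casefold():
        return False
    if defn.valid_from is not None and day < defn.valid_from:
        return False
    if defn.valid_to is not None and day > defn.valid_to:
        return False
    # The certificate must also be inside its own validity period.
    return cert.not_before <= day <= cert.not_after


def matching_definitions(definitions: Iterable[CertificateDefinition],
                         cert: ObservedCertificate, on: DateLike) -> List[CertificateDefinition]:
    """Each definition covers exactly one certificate, so trusting several
    signers takes several definitions; return those this certificate satisfies."""
    return [d for d in definitions if definition_matches(d, cert, on)]


# Constructed sample data; these are not real keys or organisations.
VENDOR_KEY = "3059301306072A8648CE3D020106082A8648CE3D03010703420004AABBCCDD"
OTHER_KEY = "3059301306072a8648ce3d020106082a8648ce3d030107034200041122334455"

DEFINITIONS = [
    CertificateDefinition(public_key=VENDOR_KEY, issued_to="Example Vendor Ltd",
                          valid_from=date(2008, 1, 1), valid_to=date(2010, 12, 31)),
    CertificateDefinition(public_key=OTHER_KEY),   # key only, no subject or date limits
]

# Same key as VENDOR_KEY, presented with the colon-separated formatting some tools display.
VENDOR_CERT = ObservedCertificate(
    public_key="30:59:30:13:06:07:2a:86:48:ce:3d:02:01:06:08:2a:86:48:ce:3d:03:01:07:03:42:00:04:aa:bb:cc:dd",
    subject="Example Vendor Ltd", not_before=date(2008, 1, 1), not_after=date(2011, 1, 1))
# Same key but a different subject: the Issued To constraint rejects it.
MISNAMED_CERT = ObservedCertificate(VENDOR_KEY, "Someone Else", date(2008, 1, 1), date(2011, 1, 1))
# For the key-only definition, subject and dates are unconstrained; certificate validity still applies.
OTHER_CERT = ObservedCertificate(OTHER_KEY.upper(), "Anyone", date(2000, 1, 1), date(2030, 1, 1))

if __name__ == "__main__":
    print([d.issued_to for d in matching_definitions(DEFINITIONS, VENDOR_CERT, "2009-06-01")])
```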
File definitions define a group of files or folders for use in OS Security. When
creating file definitions, follow this process:
The file definition page lets you add file definitions for OS Security rules and
policies.
2. Click Add.
The file is added to the list.
To change an existing entry, click Update.
3. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Registry definitions define a group of registry keys for use in OS Security. When
creating registry definitions, follow this process:
1. Specify the name and general setting (see page 321).
2. Specify the registry items (see page 445).
The registry definition page lets you add registry definitions for OS Security rules
and policies. The values you enter for the registry keys should start with HKCR,
HKCU, HKLM, HKU or HKCC.
1. In the Item field, enter the value of the registry item and click Add.
The registry item is added to the list.
3. Click Update.
The registry item is updated to match the new details.
5. Click Save.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
COM definitions define a group of OLE or COM objects for use in OS Security.
When creating COM definitions, follow this process:
The OLE/COM definition page lets you add OLE or COM definitions for OS Security
rules and policies.
1. In the Item field, enter the CLSID (class ID) of the COM component in a valid
format and click Add.
The OLE/COM item is added to the list.
3. Click Update.
The OLE/COM item is updated to match the new details.
4. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
The service definition page lets you add service definitions for OS Security rules
and policies. The items you are defining are service names. A service is identified
by its registry key name found under
HKLM\System\CurrentControlSet\Services.
3. Click Update.
The service item is updated to match the new details.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
The device definition page lets you add device definitions for OS Security rules
and policies. For devices, there is a strict pattern you must follow for specifying
the path.
You can use wildcards to define the path. For example, you can specify the
following path using wildcards:
Tcpip\DevN\*\RawIp *\Link\Modem\*
1. In the Item field, enter the value of the device item and click Add.
The device item is added to the list.
3. Click Update.
The device item is updated to match the new details.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
Transport definitions define a group of open ports and protocols that can be used
in various rules. One transport definition can contain any number of protocols
over any ports. When creating a transport definition, follow this procedure:
1. Specify the name and general setting (see page 321).
Use this page to add, edit, or remove open ports. You can also specify whether to
negate source or destination ports.
When specifying a single port or a range of ports, you must also supply the
required values. For the ICMP protocol, you must specify a function.
3. Click Add.
To remove a port
1. Select the port to remove from the list and click Remove.
To modify a port
1. Select the port to modify from the list and click Modify.
3. Click Update.
The port is updated to the new value.
4. Click Save.
The changes are saved and you are returned to the Open System Ports page.
Negating source or destination ports applies to all ports in the list. Negating a
group of ports means that all ports except those listed are available to use.
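An added example, not the product's code, of how a Transport definition with negated ports can be evaluated against observed flows. It assumes each entry has a protocol with a source and a destination port or range, that ICMP entries carry a function instead of ports, and that the negate flags invert the whole list as described above; the sample definitions are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY_PORT: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class PortEntry:
    """One row of the Open System Ports page: a protocol with a single port
    (first == last) or a range on each side. ICMP has no ports; it needs a function."""
    protocol: str                          # "tcp", "udp" or "icmp"
    source: Tuple[int, int] = ANY_PORT
    destination: Tuple[int, int] = ANY_PORT
    icmp_function: Optional[str] = None    # e.g. "echo-request"; required for icmp

    def __post_init__(self) -> None:
        if self.protocol not in ("tcp", "udp", "icmp"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if self.protocol == "icmp" and not self.icmp_function:
            raise ValueError("ICMP entries must specify a function")
        for first, last in (self.source, self.destination):
            if not 0 <= first <= last <= 65535:
                raise ValueError(f"invalid port range {first}-{last}")


@dataclass
class TransportDefinition:
    name: str
    entries: List[PortEntry] = field(default_factory=list)
    negate_source: bool = False        # applies to every source port in the list
    negate_destination: bool = False   # applies to every destination port in the list

    def _listed(self, protocol: str, port: int, side: str) -> bool:
        """Is `port` covered by any same-protocol entry's `side` range?"""
        for e in self.entries:
            if e.protocol != protocol:
                continue
            first, last = getattr(e, side)
            if first <= port <= last:
                return True
        return False

    def matches(self, protocol: str, sport: int = 0, dport: int = 0,
                icmp_function: Optional[str] = None) -> bool:
        """Decide whether one observed flow falls under this definition."""
        if protocol == "icmp":
            # Negation is about ports, so ICMP entries match on their function only.
            return any(e.protocol == "icmp" and e.icmp_function == icmp_function
                       for e in self.entries)
        # Negating a side inverts the listed/unlisted result for that side. Note the
        # edge case: negating a side whose entries are all ANY_PORT matches nothing.
        src_ok = self._listed(protocol, sport, "source") != self.negate_source
        dst_ok = self._listed(protocol, dport, "destination") != self.negate_destination
        return src_ok and dst_ok


# Constructed sample: web and DNS traffic plus ICMP echo requests.
WEB_AND_DNS = TransportDefinition("web-and-dns", [
    PortEntry("tcp", destination=(443, 443)),
    PortEntry("tcp", destination=(8000, 8099)),
    PortEntry("udp", destination=(53, 53)),
    PortEntry("icmp", icmp_function="echo-request"),
])
# The same list with destination ports negated: every TCP/UDP destination except those.
EVERYTHING_BUT_WEB = TransportDefinition("all-but-web-and-dns", list(WEB_AND_DNS.entries),
                                         negate_destination=True)

if __name__ == "__main__":
    for d in (WEB_AND_DNS, EVERYTHING_BUT_WEB):
        print(d.name, d.matches("tcp", 51000, 443), d.matches("tcp", 51000, 22))
```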
Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.
To add an IP address
2. Click Save.
The changes are saved and you are returned to the Open System Ports page.
To remove an IP address
1. Select the IP address to remove from the list and click Remove.
To modify an IP address
1. Select the IP address to modify from the list and click Modify.
3. Click Update.
Time Frame definitions define an interval or intervals of time that can be used in
rules. When creating a Time Frame definition, follow this procedure:
1. Specify the name and general setting (see page 457).
2. Specify the time periods for the Time Frame definition (see page 457).
3. Alternatively, click Save to save your changes and close the page, click
Discard to remove any changes you made but keep the page open, or click
Close to close the page without saving changes.
Use this page to add time intervals to, or remove them from, your time frame definition.
2. Enter the start time in the Time From field and the ending time in the Time To
field to identify the time interval and click Add.
The time interval is added to the table.
3. Click Update.
Additionally, you can use the Clear button to clear the data fields instead of
adding the time interval.
When using checksums, the checksum-related options are used for integrity
check rules. To use an integrity check on an application, you must enroll the
application using one of the checksum options. When using checksums, you
must copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can also add multiple
checksums, as necessary. This must be done if there are multiple versions of
the same file, since each version has a different checksum.
1. Click New, and select Enroll New Application from the drop-down menu.
The Enroll New Application window opens to the Name and General Settings
pane.
2. Enter the name and description for the application and click Next.
The Application Identification pane opens.
3. Select how the application is identified:
Path
Use this option to specify the path to the application executable. Use this
option if you know the path is constant.
Filename
Use this option to specify the filename of the application.
Checksum
Use this option to enroll applications based on their checksum. You must
copy the file to the Management Console server in the directory
WebServices\Checksum, then calculate the checksum. You can add
multiple checksums if you have multiple versions of the same file, since each
version has a different checksum.
Signed by Certificate and Path
Use this option to enroll the application based on both certificate and
path.
Signed by Known Certificate and Path
Use this option to enroll the application based on a Known Certificate and
path.
Signed by Known Certificate and Filename
Use this option to enroll the application based on a Known Certificate and
filename.
4. Click Next.
5. Specify any associated groups for the application.
You can use Associated Groups if the application you enroll creates another
application. The Associated Group specifies an application group in which the
created application is enrolled.
These groups are especially useful in installations, since you can have any
files installed by an installer enrolled in the associated group.
6. Click Next.
The Identity Redirection pane opens.
7. Highlight any applicable Identity Redirection, use the double arrows to move
the redirection to the correct list, and click Next.
The Add Application to Application Groups pane opens.
8. Highlight any applicable application group and use the double arrows to
move the group to the correct list.
Your changes are saved, and the Enroll New Application page closes.
Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the page without
saving changes.
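The checksum enrollment and integrity-check flow described above, as an added example that is not part of the guide or the product: one enrolled application holds a checksum per version, staged files are hashed the way a copy placed in WebServices\Checksum would be, and an integrity check passes only for a byte-for-byte known version. The product's hash algorithm is not stated on this page, so SHA-256 is assumed; the sample executables are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Set

CHUNK_SIZE = 1 << 16


def checksum_bytes(data: bytes) -> str:
    """SHA-256 is assumed here; the guide does not name the algorithm."""
    return hashlib.sha256(data).hexdigest()


def checksum_file(path: Path) -> str:
    """Hash a staged copy in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class EnrolledApplication:
    name: str
    checksums: Set[str] = field(default_factory=set)   # one entry per known version

    def enroll_bytes(self, data: bytes) -> str:
        """Enroll one version of the file and return its checksum."""
        digest = checksum_bytes(data)
        self.checksums.add(digest)
        return digest

    def enroll_staging_dir(self, staging_dir: Path) -> int:
        """Enroll every file copied into the staging directory (the role that
        WebServices\\Checksum plays on the Management Console server)."""
        count = 0
        for p in sorted(staging_dir.iterdir()):
            if p.is_file():
                self.checksums.add(checksum_file(p))
                count += 1
        return count

    def integrity_check(self, data: bytes) -> bool:
        """An integrity check rule passes only for a byte-for-byte known version;
        a patched, trojaned or simply unenrolled build fails closed."""
        return checksum_bytes(data) in self.checksums


# Constructed stand-ins for two released versions and a tampered copy of one.
VERSION_1 = b"MZ\x90\x00" + b"example-app v1.0 " + bytes(range(64))
VERSION_2 = b"MZ\x90\x00" + b"example-app v1.1 " + bytes(range(64))
TAMPERED = VERSION_2[:-1] + b"\xff"   # a single changed byte is enough to fail


def demo() -> Dict[str, object]:
    """Enroll both versions, then run the integrity check on each candidate."""
    app = EnrolledApplication("example-app")
    app.enroll_bytes(VERSION_1)
    app.enroll_bytes(VERSION_2)   # second version needs its own checksum
    return {
        "v1": app.integrity_check(VERSION_1),
        "v2": app.integrity_check(VERSION_2),
        "tampered": app.integrity_check(TAMPERED),
        "versions": len(app.checksums),
    }


if __name__ == "__main__":
    print(demo())
```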
Some applications serve as surrogates for other code. The purpose of Identity
Redirection is to correctly handle situations where one executable interprets
other files.
For example, without Identity Redirection all *.msi installation packages would
be treated the same because the msiexec.exe application is installing them all.
All *.vbs and *.js script files are treated the same as they are interpreted by the
wscript.exe process.
The Identity Redirections page lets you specify whether an application is run
through one of the identity redirections.
1. Highlight any applicable Identity Redirection and use the double arrows to
move the redirection to the correct list.
2. Click Next to move to the next page. Click Save to save your changes.
Your changes are saved, and the page closes. Click Discard to remove any
changes you made but keep the page open. Click Close to close the page
without saving changes.
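To make the msiexec.exe and wscript.exe cases above concrete, here is an added Python example (not the product's code) that resolves the identity a rule should be evaluated against: a surrogate takes the identity of the file it interprets, and Windows path comparison is case-insensitive. The cscript.exe entry and the sample command lines are assumptions made for this example.

```python
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Sequence, Tuple

# Host executable (lower-case file name) -> extensions of the files it interprets.
REDIRECTIONS: Dict[str, Tuple[str, ...]] = {
    "msiexec.exe": (".msi",),
    "wscript.exe": (".vbs", ".js"),
    "cscript.exe": (".vbs", ".js"),   # assumed; not named on the page
}


def _is_switch(arg: str) -> bool:
    """msiexec uses /i, /x, /qn ...; wscript uses //B, //Nologo ..."""
    return arg.startswith("/") or arg.startswith("-")


def resolve_identity(exe_path: str, argv: Sequence[str],
                     redirections: Dict[str, Tuple[str, ...]] = REDIRECTIONS) -> str:
    """Return the path the application rules should be evaluated against.

    A non-surrogate keeps its own identity. A surrogate takes the identity of
    the first argument that is one of the file types it interprets; if none is
    present (e.g. `msiexec /unregister`) the host itself is the identity."""
    host = PureWindowsPath(exe_path).name.lower()
    interpreted = redirections.get(host)
    if not interpreted:
        return exe_path
    for arg in argv:
        if _is_switch(arg):
            continue
        candidate = arg.strip('"')
        if PureWindowsPath(candidate).suffix.lower() in interpreted:
            return candidate
    return exe_path


def is_enrolled(identity: str, enrolled_paths: Iterable[str]) -> bool:
    """Windows paths are case-insensitive; compare normalized forms so that
    C:\\Temp\\Setup.MSI and c:\\temp\\setup.msi are the same enrolled file."""
    norm = str(PureWindowsPath(identity)).lower()
    return any(str(PureWindowsPath(p)).lower() == norm for p in enrolled_paths)


def decide(exe_path: str, argv: Sequence[str],
           enrolled_paths: Iterable[str]) -> Tuple[str, str]:
    """Resolve the identity and report whether an application rule keyed on an
    enrolled path would apply to this launch."""
    identity = resolve_identity(exe_path, argv)
    return identity, ("enrolled" if is_enrolled(identity, enrolled_paths) else "unknown")


# Constructed launches: without redirection all msiexec runs would look identical.
ENROLLED = [r"C:\Deploy\approved-setup.msi", r"C:\Scripts\logon.vbs"]
LAUNCHES = [
    (r"C:\Windows\System32\msiexec.exe", ["/i", r"C:\Deploy\approved-setup.msi", "/qn"]),
    (r"C:\Windows\System32\msiexec.exe", ["/i", r"C:\Users\Public\Downloads\unknown.msi"]),
    (r"C:\Windows\System32\msiexec.exe", ["/unregister"]),
    (r"C:\Windows\System32\wscript.exe", ["//B", r"c:\scripts\LOGON.VBS"]),
    (r"C:\Windows\notepad.exe", [r"C:\Scripts\logon.vbs"]),   # not a surrogate
]

if __name__ == "__main__":
    for exe, argv in LAUNCHES:
        print(decide(exe, argv, ENROLLED))
```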
For example, you can create an application group for instant messenger
applications. You can then limit these applications using certain rules without
adding a new rule for each new instant messenger application. Simply create one
rule for the instant messenger application group and add applications to that
group as necessary.
1. Click New and select Enroll New Application Group from the drop-down
menu.
The Enroll New Application Group window opens to the Name and General
Settings pane.
2. Enter the name and description for the application group and click Next.
3. Highlight the applications to add to the group and use the double arrows to
move the application to the correct list.
4. Click Next.
The Add Application Groups as Subgroups pane opens.
Note: Not all Enroll New Application Groups pages include the Add
Application Groups as Subgroups pane.
5. Highlight the application subgroup to add to the group and use the double
arrows to move the application subgroup to the correct list.
6. Click Save to save your changes and close the Enroll New Application Group
page.
Alternatively, click Back to return to the previous page, click Discard to
remove any changes you made, or click Close to close the page without
saving changes.
The Name and General Settings page lets you specify the name and a description
for the policy component you are creating. This page is common to almost all
Advanced Configuration policy component objects.
Note: If you access this page from the Global Policies area, the components you
create are Global Policy Components. If you access this page from a specific
partition area, you create Partition Specific Policy Components.
When creating an application group you must add applications to that group. The
Add Applications to Application Group page lets you add these applications to the
group.
1. Highlight the applications to add to the group and use the double arrows to
move the application to the correct list.
2. Click Save to save your changes.
Your changes are saved, and the Enroll New Application Group pages close.
Click Back to return to the previous page. Click Next to move to the next
page. Click Discard to remove any changes you made. Click Close to close
the page without saving changes.
Filename
Identify the application based on the application filename.
Checksum
3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.
4. Click Next.
The Add Applications to Application Groups pane opens.
Checksum
Identify the application based on its checksum.
3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.
4. Click Next.
The Add Applications to Application Groups pane opens.
6. Click Save to save your changes and close the Enroll Unknown Applications
page.
Alternatively, click Back to return to the previous page, click Discard to remove
any changes you made, or click Close to close the page without saving changes.
Filename
Identify the application based on the application filename.
Checksum
3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.
4. Click Next.
The Add Applications to Application Groups pane opens.
Alternatively, click Back to return to the previous page, click Discard to remove
any changes you made, or click Close to close the page without saving changes.
If necessary, you can enroll multiple applications at one time. When enrolling
multiple applications, all the applications must share the same identification
method.
Path
Identify applications by the path to the applications.
Filename
4. Click Add, browse to the location of the applications, select the applications,
and click Open to add them to the list of applications to enroll.
If you are selecting applications based on checksum, the files must reside on
the server so the proper checksum can be calculated.
6. Highlight the groups in which to enroll the applications selected on the first
page and use the double arrows to move the group to the correct list.
If necessary, you can enroll multiple applications at one time. When enrolling
multiple applications, all the applications must share the same identification
method.
Checksum
Identify applications based on their checksum.
You must provide the path if you are identifying the applications by path in
any manner. Otherwise, you can leave this field blank.
4. Click Add, browse to the location of the applications, select the applications,
and click Open to add them to the list of applications to enroll.
If you are selecting applications based on checksum, the files must reside on
the server so the proper checksum can be calculated.
6. Highlight the groups in which to enroll the applications selected on the first
page and use the double arrows to move the group to the correct list.
7. Click Save to save your changes.
Your changes are saved, and the Enroll Multiple Applications page closes. Click
Back to return to the previous page. Click Discard to remove any changes you
made. Click Close to close the page without saving changes.
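The identification methods used for single and multiple enrollment above (Path, Filename and Checksum), applied to constructed files, as an added example that is not the Management Console's own code: the EnrolledApplication record is hypothetical and SHA-256 is assumed as the checksum algorithm, since the page names neither.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class EnrolledApplication:
    """Hypothetical enrollment record; the console's real schema is not on the page."""
    name: str
    method: str                       # "path", "filename" or "checksum"
    path: str = ""
    filename: str = ""
    checksums: set = field(default_factory=set)


def file_checksum(file_path: str) -> str:
    """Hex digest of a file, read in chunks. SHA-256 is an assumption; the page
    does not name the algorithm the console uses."""
    digest = hashlib.sha256()
    with open(file_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def enroll_by_checksum(name: str, version_paths) -> EnrolledApplication:
    """One record holding one checksum per shipped version, as the page describes."""
    return EnrolledApplication(name, "checksum",
                               checksums={file_checksum(p) for p in version_paths})


def identify(app: EnrolledApplication, candidate_path: str) -> bool:
    """Decide whether candidate_path is the enrolled application under app.method."""
    if app.method == "path":
        # Constant-path identification: only that exact location matches.
        return (os.path.normcase(os.path.abspath(candidate_path))
                == os.path.normcase(os.path.abspath(app.path)))
    if app.method == "filename":
        # Name-only identification: any file with that name matches, wherever it is.
        return os.path.basename(candidate_path).lower() == app.filename.lower()
    if app.method == "checksum":
        # Content identification: only the enrolled versions match, byte for byte.
        return file_checksum(candidate_path) in app.checksums
    raise ValueError(f"unknown identification method: {app.method!r}")


def demo() -> dict:
    """Constructed scenario: two released versions of tool.exe and a modified
    copy that kept the file name. Returns the identification results."""
    with tempfile.TemporaryDirectory() as root:
        v1 = os.path.join(root, "bin", "tool.exe")
        v2 = os.path.join(root, "bin", "v2", "tool.exe")
        modified = os.path.join(root, "downloads", "tool.exe")
        for target, body in ((v1, b"tool v1"), (v2, b"tool v2"),
                             (modified, b"tool v1 plus unexpected bytes")):
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(body)

        by_checksum = enroll_by_checksum("tool", [v1, v2])
        by_filename = EnrolledApplication("tool", "filename", filename="tool.exe")
        by_path = EnrolledApplication("tool", "path", path=v1)
        return {
            "checksums_enrolled": len(by_checksum.checksums),
            "checksum_v1": identify(by_checksum, v1),
            "checksum_v2": identify(by_checksum, v2),
            "checksum_modified": identify(by_checksum, modified),   # False: content changed
            "filename_modified": identify(by_filename, modified),   # True: name alone matches
            "path_v1": identify(by_path, v1),
            "path_v2": identify(by_path, v2),                       # False: different location
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The modified copy passes filename identification but not checksum identification, which is why the page recommends one checksum per version rather than a name when the content must be trusted.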
Filename
Identify the application based on the application filename.
Checksum
3. Highlight the available unknown applications to enroll and use the double
arrows to move the application to the correct list.
4. Click Next.
The Add Applications to Application Groups pane opens.
Alternatively, click Back to return to the previous page, click Discard to remove
any changes you made, or click Close to close the page without saving changes.
The Groupware policies let you control the Client Groupware scanner. The
Groupware scanner is placed on your email or groupware servers and is
responsible for checking groupware for malware. You do not need to use all of
the Groupware policies. For example, if your company does not use a NetApp
server, you do not need to configure a NetApp Real-time policy. Groupware
policies include the following:
The Lotus Domino Schedule Scan policies let you schedule when the Client
scans the email server. You can schedule when the scans occur, if the scans
are reoccurring, what is scanned, and any time limitations on the scan.
The MS SharePoint Real-time policies let you control the settings of the MS
SharePoint real-time Groupware scanner. This scanner protects your MS
SharePoint content management server.
The NetApp Real-time policies let you control the settings of the NetApp
real-time Groupware scanner. This scanner protects your NetApp Filer.
The MS Exchange Real-time policy lets you control the settings of the MS
Exchange real-time Groupware scanner. This scanner protects your email MS
Exchange server.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
The Global Policy Definition window for that specific policy opens and
displays a list of available policies.
4. Click New.
The Name and General Settings page for the policy opens.
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Scan Options settings of an MS Exchange Real-time policy let you specify the
options for the MS Exchange Real-time Groupware scanner. These options
include specifying the secondary cleaning action, whether the Quarantine is
enabled, and how many threads are devoted to scanning.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the MS Exchange Real-time Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. Select the Enable Protection option. You must select this option if you want
real-time protection for your MS Exchange server.
Quarantine
Enable or disable the quarantine for the email Exchange server. Enabling
the quarantine means that infected emails are first moved to the
quarantine before any cleaning attempts are made.
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Scanning Threads
Specify the number of threads in the global thread pool. Note that when
you increase the number of scanning threads, you can adversely affect
the performance of your system.
The Scan Filters settings of an MS Exchange Real-time policy let you specify the
files you want included or excluded from the email scan. When you set these
filters, you must first specify whether to include or exclude the file, then list the
file.
Select this option to edit the inclusion list. Any file found in the inclusion
list is always scanned even if the scanner would normally ignore the file
because of other options.
Select this option to edit the exclusion list. Any file found in the exclusion
list is always skipped during scanning. You can exclude a file if you know
that file is accessed or shared often, but poses no security risk, such as
a known signature image.
3. Specify the files for the list you selected and specify the action to take:
■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.
The Mail Options settings of an MS Exchange Real-time policy let you determine
whether the scanner checks the body of emails for malware, set the scan timeout
duration, and indicate whether to use proactive scanning.
1. Open the Mail Options page by either clicking Next on the Scan Filter page of
the MS Exchange Real-time Policy, or by clicking the Mail Options link in the
Steps to Create Policy pane.
2. Enable Scan Message Bodies if you want the email scanner to actively scan
the bodies of emails for any malware.
3. In the Scanning Options pane, you can enable the following options:
Proactive Scanning
Select this option to allow the email Exchange scanner to proactively
scan all emails. This proactive scanning means the emails are scanned
before reaching their intended target. This ensures better protection, but
requires more processing cycles.
Specify the timeout duration for any scanned email. If the scanner takes
longer than the specified time when scanning an email, the scanner
reports a failure due to timeout and uses the Scan Error Action you
specified in the Scan Options page of this policy.
The Notification settings of an MS Exchange Real-time policy let you specify who
is notified when malware is found on the Exchange server. When malware is
found, a notification email is sent out to specific recipients, depending on the
options you select on this page.
3. If you enabled Notify System Administrators, you must specify the email
address for each administrator in the Administrators pane. Enter the email
address and click Add.
To remove an email address from the list, select the address and click
Remove.
The return address used when sending out notification emails. All replies
to the notification email are sent to the return address.
Subject
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Pre-Scan Filter of an MS Exchange Real-time policy lets you configure the
pre-scan filters that let you block unwanted attachments and other content from
your network. You can use any combination of these filters. For example, you
can use the Extension Block filter to block all .zip files, but create an
exception allowing the file update.zip in the Extension Block Exemption list.
2. In the Pre-Scan Block pane, select a filter. You can choose from the following
options:
Extension Blocks
Use this list to block files based on the file extension. For example, you
can block all .zip files from being sent.
Use this list to create exemptions to the Extension Block list. For
example, to block all .txt attachments, but allow the file update.txt, add
.txt to the Extension Block list and add the file update.txt to the
Extension Block Exemption list.
MIME Blocks
Use this list to block specific MIME types. For example, you can block
jpeg files from your email Exchange by blocking the jpeg MIME type.
Folder Exemptions
Use this list to block emails from being transferred to certain folders or
locations.
3. Specify the objects for the list you selected and select the action to take.
■ To add an object to the list, enter the object name and click Add.
■ To remove an object from the list, select the object and click Remove.
■ To edit an object name, select the object name and click Edit.
4. Click Next to continue creating the MS Exchange Real-time policy.
The Archive Options of an MS Exchange Real-time policy lets you configure how
the scan handles archives such as .zip and .rar files.
1. Open the Archive Options page by either clicking Next on the Pre-Scan Filter
page of the MS Exchange Real-time Policy, or by clicking the Archive Options
link in the Steps to Create Policy pane.
2. Enable the Scan Archives option.
You must enable this option to customize this feature in the policy.
3. In the Archive Type pane, enable the archive types you want the Client to
scan.
For example, if you want the Client to scan zip files, enable the ZIP archive
row.
Enable this option to have the scanner remove all encrypted archived
files. Encrypted archive files cannot be scanned and can pose a danger to
your network.
Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file.
For example, if you added the file example.zip to an existing archive, the
file example.zip would be nested at level one. If you set the Maximum
nested level to zero, the Client would not scan the example.zip file or its
contents. Any file in the archive nested at a level higher than the value
you set is ignored and viewed as clean. All files nested at levels lower
than the level you set are scanned.
6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
The MS Exchange Schedule Scan policy lets you schedule when the Client scans
the email server. You can schedule when the scans occur, specify whether the
scans are reoccurring, identify what is scanned, and set any time limitations on
the scan.
These settings include naming and describing the policy and indicating
whether this is the default policy.
Use the Name and General Policy Settings to specify the name and description
for the policy.
You can also specify the policy as a default policy. A default policy is included in
the Remote Installation package that includes this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are used to initialize fields when a new policy of this type is being
created.
3. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.
5. Click New.
The Name and General Settings page for the policy opens.
Provide a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
7. In the Default Policy pane, enable or disable the Make this policy the default
for this policy type option.
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
9. Click Next to move to the next page in the policy creation. Alternatively, click
Save to save your changes and return to the Global Policy Definitions page.
The Job Schedule settings of an MS Exchange Scheduled Scan policy let you
schedule when the scan occurs and if the scan is a reoccurring job.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the MS Exchange Scheduled Scan Policy, or by clicking the
Job Schedule link in the Steps to Create Policy pane.
2. Enable Perform Scheduled Scan.
Note: You must enable this option to include a scheduled scan in the policy.
If you do not want to include a scheduled scan, do not enable this option.
Job Name
Provide a name for this scheduled scan.
Job Description
4. Using the Start Time fields, specify the date and time when the scheduled
scan should start.
5. Using the Repeat Every fields, specify if and when you want the schedule to
reoccur.
If you do not want the scheduled scan to reoccur, leave the fields set to zero.
6. Click Next to continue creating the MS Exchange Scheduled Jobs Policy.
The Scan Options page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Scan Options of an MS Exchange Scheduled Scan policy let you set whether
the scan checks all email messages or ignores messages which have been
previously scanned. You can also limit the amount of time the scan is allowed to
run.
1. Open the Scan Options page by either clicking Next on the Job Schedule
page of the MS Exchange Scheduled Scan Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
If this is the first time the scanner is checking this Exchange server, all
messages are scanned.
Scan Messages Dated After
Select this option and specify a date to scan all emails that arrived after
the specified date. Only those emails received after this date are
scanned.
3. In the Scan Run Time pane, specify the time limit of the scan.
If the scan exceeds this time limit, the scan stops. If this is a reoccurring
scan, the scan begins where it left off at the next occurrence.
4. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
The Lotus Domino Real-time policy lets you control the settings of the Lotus
Domino real-time groupware scanner. This scanner protects your Lotus Domino
email server.
These options let you control how the scanner functions. You can set options
such as whether the quarantine is enabled, or the action to take if the
scanner cannot clean an infection.
These options let you control how the groupware scanner handles archived
files.
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Scan Options settings of a Lotus Domino Real-time policy let you specify the
options for the Lotus Domino real-time groupware scanner. These options
include specifying the secondary cleaning action, indicating whether the
Quarantine is enabled, and setting the number of threads devoted to scanning.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the Lotus Domino Real-time Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. Select the Enable Protection option.
You must select this option if you want real-time protection for your Lotus
Domino server.
Enable or disable the quarantine for the email server. Enabling the
quarantine means that infected emails are first moved to the quarantine
before any cleaning attempts are made.
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
email scanner search for infections using alternative methods in addition
to the regular scanning methods. These alternative methods require
more time for the scan to complete, but help to ensure that all infections
are located. Disabling Heuristic Scanning speeds up the scanning
process, but might not catch all infections.
Scanning Threads
Specify the number of threads in the global thread pool.
Note that when you increase the number of scanning threads, you can
adversely affect the performance of your system.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Scan Filters settings of a Lotus Domino Real-time policy let you specify the
files you want included or excluded from the email scan. When you set these
filters, you must first specify whether to include or exclude the file, then list the
file.
1. Open the Scan Filters page by either clicking Next on the Scan Options page
of the Lotus Domino Real-time Policy, or by clicking the Scan Filter link in the
Steps to Create Policy pane.
2. For the Filter, select one of the following:
3. Specify the files for the list you selected and select an action.
■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.
4. Click Next to continue creating the Lotus Domino Real-time policy.
The Mail Options settings of a Lotus Domino Real-time policy let you determine
whether the scanner checks the body of emails for malware.
1. Open the Mail Options page by either clicking Next on the Scan Filter page of
the Lotus Domino Real-time Policy, or by clicking the Mail Options link in the
Steps to Create Policy pane.
2. Enable Scan Message Bodies if you want the email scanner to actively scan
the bodies of emails for malware.
3. Click Next to continue creating the Lotus Domino Real-time policy.
The Notifications page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Notification settings of a Lotus Domino Real-time policy let you specify who
is notified when malware is found on the email server. When malware is found,
a notification email is sent out to specified recipients based on the options you
select on this page.
Enable this option to have the notification email sent to the mailbox
owner.
Notify Message Sender
Enable this option to have the sender of the infected message receive
the notification email.
3. If you enabled Notify System Administrators, you must specify the email
address for each administrator in the Administrators pane.
■ To add an email address to the list, enter the email address and click
Add.
■ To remove an email address from the list, select the address and click
Remove.
Specify the return address used when sending out notification emails. All
replies to the notification email are sent to the return address.
Subject
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
The Pre-Scan Filter of a Lotus Domino Real-time policy lets you configure
pre-scan filters that let you block unwanted attachments and other content from
your network. You can use any combination of these filters. For example, you
could use the Extension Block filter to block all .zip files, but create an exception
allowing the file update.zip with the Extension Block Exemption list.
2. In the Pre-Scan Block pane, select a filter. You can choose from the following
options:
Extension Blocks
Use this list to block files based on the file extension. For example, you
can block all .zip files from being sent.
Use this list to create exemptions to the Extension Block list. For
example, to block all .txt attachments, but allow the file update.txt, you
would add .txt to the Extension Block list and add the file update.txt to
the Extension Block Exemption list.
■ To edit an object name, select the object name and click Edit.
4. Click Next to continue creating the Lotus Domino Real-time policy.
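The Pre-Scan Block lists described for the MS Exchange and Lotus Domino Real-time policies, applied to sample attachments, as an added example that is not the product's code: the PreScanFilter record, the precedence between the Extension Block, Extension Block Exemption and MIME Block lists, and the sample names are assumptions.

```python
import os
from dataclasses import dataclass, field


def _norm_ext(ext: str) -> str:
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


@dataclass
class PreScanFilter:
    """Hypothetical in-memory form of the Pre-Scan Block lists described above."""
    extension_blocks: set = field(default_factory=set)      # e.g. {".zip", ".txt"}
    extension_exemptions: set = field(default_factory=set)  # file names, e.g. {"update.txt"}
    mime_blocks: set = field(default_factory=set)           # e.g. {"image/jpeg"}

    def __post_init__(self):
        # Normalise once so ".ZIP", "zip" and ".zip" all mean the same entry.
        self.extension_blocks = {_norm_ext(e) for e in self.extension_blocks}
        self.extension_exemptions = {e.strip().lower() for e in self.extension_exemptions}
        self.mime_blocks = {m.strip().lower() for m in self.mime_blocks}


def evaluate_attachment(flt: PreScanFilter, filename: str, mime_type: str) -> tuple:
    """Return ("block", reason) or ("scan", reason) for one attachment.

    Assumed precedence (the page does not state it): an exemption lifts only the
    extension block for that exact file name; a MIME block still applies.
    """
    # Attachment names may carry directory parts; only the bare name is matched.
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    ext = os.path.splitext(name)[1]
    # Drop parameters such as "; charset=utf-8" before matching the MIME type.
    mime = mime_type.split(";")[0].strip().lower()

    if ext in flt.extension_blocks and name not in flt.extension_exemptions:
        return ("block", f"extension {ext} is in the Extension Block list")
    if mime in flt.mime_blocks:
        return ("block", f"MIME type {mime} is in the MIME Block list")
    if ext in flt.extension_blocks:
        return ("scan", f"{name} is in the Extension Block Exemption list")
    return ("scan", "no pre-scan block matched; handed to the malware scanner")


# Constructed lists that mirror the page's own examples (.zip/.txt, update.*, jpeg).
EXAMPLE_FILTER = PreScanFilter(
    extension_blocks={".zip", "txt"},
    extension_exemptions={"update.zip", "update.txt"},
    mime_blocks={"image/jpeg"},
)

if __name__ == "__main__":
    samples = [("archive.zip", "application/zip"), ("update.zip", "application/zip"),
               ("C:\\tmp\\notes.txt", "text/plain; charset=utf-8"),
               ("photo.jpg", "IMAGE/JPEG"), ("report.pdf", "application/pdf")]
    for fname, mime in samples:
        print(fname, "->", evaluate_attachment(EXAMPLE_FILTER, fname, mime))
```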
The Archive Options of a Lotus Domino Real-time policy lets you configure how
the scan handles archives such as .zip and .rar files.
3. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, if you want the Client to scan zip files, you would enable
the ZIP archive row.
Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this, the Client continues to scan
the archive after finding an infected item. Enabling this option stops the
Client from spending time scanning a known infection, but the Client
cannot find any additional infections in the file if they are present.
You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.
Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file. For example,
if you added example.zip to an existing archive, that example.zip would
be nested at level one. If you set the Maximum nested level to zero, the
Client would not scan the example.zip file or its contents. Any file in the
archive nested at levels higher than the value you set is ignored and viewed
as clean. All files nested at levels lower than the level you set are scanned.
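The nesting rule described here and in the MS Exchange Archive Options above, as an added example that is not the product's code: it walks a constructed nested ZIP attachment, applies a maximum nested level and the stop-on-first-infection option, and flags encrypted entries as unscannable. The level counting (a member of the scanned attachment is level one, as in the page's example) and the INFECTION_MARKER stand-in for a signature hit are assumptions.

```python
import io
import zipfile

# Constructed stand-in for a signature hit; a real scanner calls its engine here.
INFECTION_MARKER = b"CONSTRUCTED-INFECTION-MARKER"


def scan_archive(data: bytes, max_nested_level: int,
                 stop_on_first_infection: bool) -> list:
    """Walk a ZIP attachment and return (member path, nesting level, verdict) tuples.

    Level convention follows the page's example: the attachment itself is level 0,
    so an archive added to it sits at level 1 and that archive's members at level 2.
    Members deeper than max_nested_level are not opened and are reported as
    'ignored', which the policy treats as clean. How the console itself counts
    levels is an assumption made here.
    """
    report = []
    state = {"stopped": False}

    def walk(blob: bytes, level: int, prefix: str) -> None:
        member_level = level + 1
        if member_level > max_nested_level:
            report.append((prefix + "*", member_level, "ignored"))
            return
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if state["stopped"]:
                    return            # stop on first infection: abandon the rest
                if info.is_dir():
                    continue
                path = prefix + info.filename
                if info.flag_bits & 0x1:            # general-purpose bit 0: encrypted
                    report.append((path, member_level, "encrypted"))  # cannot be scanned
                    continue
                content = zf.read(info)             # a production scanner caps this size
                if zipfile.is_zipfile(io.BytesIO(content)):
                    report.append((path, member_level, "archive"))
                    walk(content, member_level, path + "/")
                elif INFECTION_MARKER in content:
                    report.append((path, member_level, "infected"))
                    if stop_on_first_infection:
                        state["stopped"] = True
                        return
                else:
                    report.append((path, member_level, "clean"))

    walk(data, 0, "")
    return report


def _make_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed attachment: outer -> readme.txt, inner.zip (-> payload.bin,
    deep.zip (-> note.txt)), trailing.txt. Only payload.bin carries the marker."""
    deep = _make_zip([("note.txt", b"nested three levels down")])
    inner = _make_zip([("payload.bin", b"\x00\x01" + INFECTION_MARKER),
                       ("deep.zip", deep)])
    return _make_zip([("readme.txt", b"clean text"),
                      ("inner.zip", inner),
                      ("trailing.txt", b"also clean")])


if __name__ == "__main__":
    for max_level in (0, 1, 2, 3):
        print(f"max nested level {max_level}:")
        for path, level, verdict in scan_archive(build_sample(), max_level, False):
            print(f"  L{level} {verdict:9s} {path}")
```

With the level set to 0 nothing inside the attachment is opened, and with stop-on-first-infection enabled the walk ends at payload.bin, so deep.zip and trailing.txt are never examined, which is the trade-off the page describes.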
The Lotus Domino Schedule Scan policy lets you schedule when the Client scans
the email server. You can schedule when the scans occur, if the scans are
reoccurring, what is scanned, and any time limitations on the scan.
These options let you schedule when the scan occurs and if the scan is a
reoccurring job.
These options let you set whether the scan checks all email messages or
ignores messages which have been previously scanned. You can also limit the
amount of time the scan is allowed to run.
Configure Lotus Domino Scheduled Scan Policy Name and General Settings
Use the Name and General Policy Settings to specify the name and description
for the policy.
You can also specify the policy as a default policy. A default policy is included in
the Remote Installation package that includes this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are used to initialize fields when a new policy of this type is being
created.
3. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.
5. Click New.
The Name and General Settings page for the policy opens.
Description
Provide a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
7. In the Default Policy pane, enable or disable the Make this policy the default
for this policy type option.
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Select this option to limit the policy to only this partition. The policy will
not appear in the list of available policies in other partitions.
Share this Policy with all Partitions
Select this option to make the policy available across all partitions.
9. Click Next to move to the next page in the policy creation. Alternatively, click
Save to save your changes and return to the Global Policy Definitions page.
The Job Schedule settings of a Lotus Domino Scheduled Scan policy let you
schedule when the scan occurs and specify whether the scan is a reoccurring job.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the Lotus Domino Scheduled Scan Policy, or by clicking the
Job Schedule link in the Steps to Create Policy pane.
2. Enable Perform Scheduled Scan.
Note: You must enable this option to include a scheduled scan in the policy.
If you do not want to include a scheduled scan, do not enable this option.
3. In the Job Settings pane, provide a name and a description for this scheduled
scan.
4. Specify the date and time when the scheduled scan should start in the Start
Time fields.
5. Specify when you want the schedule to reoccur in the Repeat Every fields.
If you do not want the scheduled scan to reoccur, leave the fields set to zero.
6. Click Next to continue creating the Lotus Domino Scheduled Jobs Policy.
More information:
The Scan Options of a Lotus Domino Scheduled Scan policy let you set whether
the scan checks all email messages or ignores messages that have been
previously scanned. You can also limit the amount of time the scan is allowed to
run.
Select this option to scan all emails that arrived after a specified date.
After selecting this option, you must provide a date. Only those emails
received after this date are scanned.
3. In the Scan Run Time pane, specify the time limit of the scan. If the scan
exceeds this time limit, the scan stops. If this is a reoccurring scan, the scan
begins wherever it left off at the next occurrence.
4. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
More information:
The MS SharePoint Real-time policy lets you control the settings of the MS
SharePoint real-time groupware scanner. This scanner protects your MS
SharePoint content management server.
These options let you control how the scanner functions. You can set options
such as whether the quarantine is enabled, or if an item should be deleted if
the scanner cannot clean an infection.
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Scan Options settings of a MS SharePoint Real-time policy let you specify the
options for the MS SharePoint real-time groupware scanner. These options
include specifying the secondary cleaning action, if the Quarantine is enabled,
and how many threads are devoted to scanning.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the MS SharePoint Real-time Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. Select the Enable Protection option. You must select this option if you want
real-time protection for your MS SharePoint server.
Enable or disable the quarantine for the server. Enabling the quarantine
means that infected files are first moved to the quarantine before any
cleaning attempts are made.
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
scanner search for infections using alternative methods in addition to the
regular scanning methods. These alternative methods require more time
for the scan to complete, but help ensure all infections are located.
Disabling Heuristic Scanning speeds up the scanning process, but might
not catch all infections.
Scanning Threads
Specify the number of threads in the global thread pool. Note that when
you increase the number of scanning threads, you can adversely affect
the performance of your system.
5. Click Next to continue creating the MS SharePoint Real-time policy.
The Scan Filter page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Scan Filter settings of an MS SharePoint Real-time policy let you specify the
files you want included or excluded from the scan. When specifying a filter, you
must first select whether to include or exclude the file, then list the file.
1. Open the Scan Filter page by either clicking Next on the Scan Options page
of the MS SharePoint Real-time Policy, or by clicking the Scan Filter link in
the Steps to Create Policy pane.
2. For the Filter, select one of the following:
■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.
More information:
The Archive Options of an MS SharePoint Real-time policy lets you configure how
the scan handles archives such as .zip and .rar files.
1. Open the Archive Options page by either clicking Next on the Scan Filter
page of the MS SharePoint Real-time Policy, or by clicking the Archive
Options link in the Steps to Create Policy pane.
2. Enable the Scan Archives option. You must enable this option to customize
this feature in the policy.
3. In the Archive Type pane, enable the archive types you want the Client to
scan. For example, if you want the Client to scan zip files, you would enable
the ZIP archive row.
Enable this option to have the scanner remove all encrypted archived
files. Encrypted archive files cannot be scanned and can pose a danger to
your network.
Enable this option to have the Client stop scanning an archive file if an
infection is found. If you do not enable this, the Client continues to scan
the archive after finding an infected item. Enabling this option stops the
Client from spending time scanning a known infection, but the Client
cannot find any additional infections in the file if they are present.
You should enable this option if you automatically delete infected files. If
you clean infected files, you may want to scan the entire archive to find
all possible infections.
Enter the maximum number of nested levels the Client scans. A nested
archive is an archive file stored within another archive file.
For example, if you added the file example.zip to an existing archive, the
file example.zip would be nested at level one. If you set the Maximum
nested level to zero, the Client would not scan the example.zip file or its
contents. Any file in the archive nested at a level higher than the value
you set is ignored and viewed as clean. All files nested at levels lower
than the level you set are scanned.
Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit.
Setting a high value prevents the Client from scanning archived files that
expand too much and slow down or freeze your computer. However,
these large archives can still contain malware and lead to vulnerability.
6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
More information:
The MS SharePoint Schedule Scan policy lets you schedule when the Client scans
the MS SharePoint server. You can schedule when the scans occur, whether the
scans are reoccurring, what is scanned, and any time limitations on the scan.
These settings include naming and describing the policy and indicating
whether this is the default policy.
These options let you set whether the scan checks all files or ignores files
that have been previously scanned. You can also limit the amount of time
the scan is allowed to run.
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy.
You can also specify the policy as a default policy. A default policy is included in
the Remote Installation package that includes this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are used to initialize fields when a new policy of this type is being
created.
3. Click the policy category containing the policy you want to create.
The policy category opens, containing the list of policies.
The Global Policy Definition window for that specific policy opens, displaying
a list of available policies.
5. Click New.
The Name and General Settings page for the policy opens.
Name
Provide a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provide a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
7. In the Default Policy pane, enable or disable the Make this policy the default
for this policy type option.
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
More information:
The Job Schedule settings of an MS SharePoint Scheduled Scan policy let you
schedule when the scan occurs and indicate whether the scan is a reoccurring
job.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the MS SharePoint Scheduled Scan Policy, or by clicking the
Job Schedule link in the Steps to Create Policy pane.
Note: You must enable this option to include a scheduled scan in the policy.
If you do not want to include a scheduled scan, do not enable this option.
3. In the Job Settings pane, enter a name and description for this scheduled
scan.
4. Specify the date and time when the scheduled scan should start in the Start
Time fields.
5. Specify if and when you want the schedule to reoccur in the Repeat Every
fields.
If you do not want the scheduled scan to reoccur, leave the fields set to zero.
6. Click Next to continue creating the MS SharePoint Scheduled Jobs Policy.
The Scan Options page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Scan Options of an MS SharePoint Scheduled Scan policy let you set whether
the scan checks the files in all folders or ignores files in folders which have been
previously scanned. You can also limit the amount of time the scan is allowed to
run.
1. Open the Scan Options page by either clicking Next on the Job Schedule
page of the MS SharePoint Scheduled Scan Policy, or by clicking the Scan
Options link in the Steps to Create Policy pane.
2. In the Scan Selection pane, select one of the following options:
Scan All Folders
Select this option to scan all folders created or added after a specified
date. After selecting this option, you must provide a date. Only those files
found in folders created or added after this date are scanned.
3. In the Scan Run Time pane, specify the time limit of the scan. If the scan
exceeds this time limit, the scan stops. If this is a reoccurring scan, the scan
begins wherever it left off at the next occurrence.
4. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
More information:
The NetApp Real-time policy lets you control the settings of the NetApp real-time
groupware scanner. This scanner protects your NetApp Filer.
These settings include naming and describing the policy, locking the policy
settings, and indicating whether this is the default policy.
2. Configure the Scan Options. (see page 522)
These options let you control how the scanner functions. You can set options
such as whether the quarantine is enabled, or if an item should be deleted if
the scanner cannot clean an infection.
These options let you control how the groupware scanner handles archived
files.
More information:
Use the Name and General Policy Settings to specify the name and description
for the policy. You can also lock the policy to prevent end users from making any
changes to your policy settings.
You can also specify the policy as the new, default policy for that policy type, in
place of the CA-recommended policy. The default policy is included in any
Remote Installation packages that include this policy type. However, you can
change the default policy selection when creating a package. The values in the
default policy are also used to initialize fields when you create a new policy of this
type.
2. Click the policy category containing the policy you want to create.
The policy category opens and displays the list of policies.
4. Click New.
The Name and General Settings page for the policy opens.
Name
Specifies a name for the policy. Names are limited to 128 characters in
length. Policy names can be duplicated across policy types. The names
of partition-specific policies can be duplicated within the same policy
type across different partitions.
Description
Provides a description for the policy. Descriptions should help explain the
nature or use of the policy. Descriptions are limited to 128 characters in
length.
6. In the Lock Settings pane, specify whether to enable or disable the Lock
settings when applying this policy option.
Enable this option if you do not want end users to change the settings of this
policy.
Note: If an end user has a valid reason for needing to change a policy's
settings, and the policy is locked, you must create and deploy a new policy
with that user's specific settings.
7. In the Default Policy pane, choose to enable or disable the following option:
Make this policy the default for this policy type
Enable this option if you want the policy you are creating or editing to be
used as the default policy for this policy type. The default policies are
automatically included when creating a Remote Installation package.
However, you can change the default policy selection when creating a
package.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Scan Options settings of a NetApp Real-time policy let you specify the
options for the NetApp real-time groupware scanner. These options include
specifying the secondary cleaning action, if the Quarantine is enabled, and the
number of threads devoted to scanning.
1. Open the Scan Options page by either clicking Next on the General Policy
Settings page of the NetApp Real-time Policy, or by clicking the Scan Options
link in the Steps to Create Policy pane.
2. Select the Enable Protection option. You must select this option if you want
real-time protection for your NetApp server.
Enable or disable the quarantine for the NetApp Filer. Enabling the
quarantine means that infected files are first moved to the quarantine
before any cleaning attempts are made.
Use the drop-down menu to select one of the following scan mode
options:
■ Normal: Select this option to run the scanner in the normal, default
mode.
4. In the Advanced Protection pane, you can set the following options:
Heuristic Scanning
Enable or disable heuristic scanning. Enabling heuristic scanning lets the
email scanner search for infections using alternative methods in addition
to the regular scanning methods. These alternative methods require
more time for the scan to complete, but help ensure all infections are
located. Disabling Heuristic Scanning speeds up the scanning process,
but might not catch all infections.
Scanning Threads
Specify the number of threads in the global thread pool. Note that when
you increase the number of scanning threads, you can adversely affect
the performance of your system.
5. Click Next to continue creating the NetApp Real-time policy.
The Scan Filter page opens.
Alternatively, click Save to save your changes and return to the Global Policy
Definitions page.
More information:
The Scan Filters settings of a NetApp Real-time policy let you specify the files you
want included or excluded from the email scan. When specifying a filter, you must
first select whether to include or exclude the file, then list the file.
1. Open the Scan Filters page by either clicking Next on the Scan Options page
of the NetApp Real-time Policy, or by clicking the Scan Filter link in the Steps
to Create Policy pane.
2. For the Filter, select one of the following:
■ To add a file to the list, enter the file name and click Add.
■ To remove a file from the list, select the file and click Remove.
■ To edit a file name, select the file name and click Edit.
More information:
The Archive Options of a NetApp Real-time policy lets you configure how the scan
handles archives such as .zip and .rar files.
1. Open the Archive Options page by either clicking Next on the Pre-Scan Filter
page of the NetApp Real-time Policy, or by clicking the Archive Options link in
the Steps to Create Policy pane.
2. Enable the Scan Archives option. You must enable this option to customize
this feature in the policy.
3. In the Archive Type pane, enable the archive types you want the Client to
scan.
For example, if you want the Client to scan zip files, you would enable the ZIP
archive row.
Enter the maximum uncompressed size of a file. The Client does not scan
any file in an archive that, when extracted, is larger than this limit. Setting
a high value prevents the Client from scanning some archived files that
expand too much and slow down or freeze your computer. However,
these large archives could still contain malware and lead to vulnerability.
6. Click Save to save your changes and return to the Global Policy Definitions
page.
Click Back to return to the previous page. Click Discard to remove any
changes you made. Click Close to close the policy.
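The archive-handling rules described in the Archive Options pages of the MS SharePoint Real-time and NetApp Real-time policies (Scan Archives, the Archive Type pane, removal of encrypted archives, stopping at the first infection, Maximum nested level and the maximum uncompressed size), as an added Python model that is not CA's code: it walks a constructed archive tree and reports what a client applying a given policy would scan, skip as clean, or delete. The class and field names, the sample archive, and the nesting convention (top-level archive at level 0, an archive stored inside it at level 1) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

@dataclass
class Entry:
    name: str
    uncompressed_size: int = 0
    encrypted: bool = False
    infected: bool = False                 # ground truth a scanner would find
    archive_type: Optional[str] = None     # "ZIP", "RAR", ...; None for a plain file
    children: List["Entry"] = field(default_factory=list)

@dataclass(frozen=True)
class ArchivePolicy:
    """The Archive Options page as a value object (field names are assumptions)."""
    scan_archives: bool = True
    archive_types: FrozenSet[str] = frozenset({"ZIP", "RAR"})
    delete_encrypted: bool = False
    stop_on_first_infection: bool = False
    max_nested_level: int = 1
    max_uncompressed_size: int = 50 * 1024 * 1024   # bytes

@dataclass
class Verdict:
    scanned: List[str] = field(default_factory=list)
    infections: List[str] = field(default_factory=list)
    ignored_as_clean: List[str] = field(default_factory=list)  # never inspected
    deleted: List[str] = field(default_factory=list)           # encrypted archives removed

def _all_paths(entry: Entry, prefix: str) -> List[str]:
    """Every path at or below entry; reports what an unopened archive hides."""
    path = f"{prefix}/{entry.name}"
    out = [path]
    for child in entry.children:
        out.extend(_all_paths(child, path))
    return out

def evaluate(root: Entry, policy: ArchivePolicy) -> Verdict:
    """Decide what the client scans for the top-level archive `root`.
    Assumed nesting: the top-level archive is level 0, an archive inside it level 1;
    an archive at level L is opened only when L <= max_nested_level, and whatever
    sits inside an archive that is not opened is ignored and viewed as clean."""
    if root.archive_type is None:
        raise ValueError("root must be an archive")
    verdict = Verdict()
    if not policy.scan_archives:
        verdict.ignored_as_clean.extend(_all_paths(root, ""))
        return verdict
    _walk(root, "", 0, policy, verdict)
    return verdict

def _walk(archive: Entry, prefix: str, level: int,
          policy: ArchivePolicy, verdict: Verdict) -> None:
    path = f"{prefix}/{archive.name}"
    if archive.encrypted:
        # Encrypted archives cannot be inspected: remove them or let them through.
        if policy.delete_encrypted:
            verdict.deleted.append(path)
        else:
            verdict.ignored_as_clean.extend(_all_paths(archive, prefix))
        return
    if (archive.archive_type not in policy.archive_types
            or level > policy.max_nested_level):
        verdict.ignored_as_clean.extend(_all_paths(archive, prefix))  # not opened
        return
    verdict.scanned.append(path)
    for child in archive.children:
        if policy.stop_on_first_infection and any(
                i.startswith(path + "/") for i in verdict.infections):
            # An infection was already found in this archive: stop scanning it.
            verdict.ignored_as_clean.extend(_all_paths(child, path))
            continue
        if child.archive_type is not None:
            _walk(child, path, level + 1, policy, verdict)
            continue
        child_path = f"{path}/{child.name}"
        if child.uncompressed_size > policy.max_uncompressed_size:
            verdict.ignored_as_clean.append(child_path)  # too large once extracted
            continue
        verdict.scanned.append(child_path)
        if child.infected:
            verdict.infections.append(child_path)

# Constructed sample: outer.zip holds a document, a file that inflates to 2 GB,
# an encrypted RAR, and example.zip nested at level one with an infected file.
SAMPLE = Entry("outer.zip", archive_type="ZIP", children=[
    Entry("report.docx", uncompressed_size=200_000),
    Entry("dump.bin", uncompressed_size=2_000_000_000),
    Entry("secret.rar", archive_type="RAR", encrypted=True,
          children=[Entry("unknown.exe", uncompressed_size=1_000)]),
    Entry("example.zip", archive_type="ZIP", children=[
        Entry("invoice.pdf", uncompressed_size=50_000),
        Entry("dropper.exe", uncompressed_size=80_000, infected=True),
        Entry("readme.txt", uncompressed_size=100),
    ]),
])
```

Calling `evaluate(SAMPLE, ArchivePolicy(max_nested_level=0))` leaves the nested example.zip unopened and reports no infection, while `ArchivePolicy(max_nested_level=2, delete_encrypted=True, stop_on_first_infection=True)` deletes secret.rar, finds dropper.exe and skips readme.txt after it.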
Licensing
This section contains procedures related to licensing.
The License Management page lets you perform the following actions:
■ Access the Product Subscription Management tool
■ Manually synchronize the licenses
■ Set when automatic synchronization occurs
The PSM tool lets you proactively manage your CA Total Defense licenses.
The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.
Your system automatically synchronizes with the licensing servers every
twenty-four hours. You can specify the time when this occurs.
Licensing Messages
Depending on the status of your license, you may see a message in the banner
area of the Management Console. The banner appears near the top of the
console, just below the product name. It also contains "Logged in as:" and the
date and time.
If you have not activated your license, the banner displays the following
message:
Your license registration is not complete. Click here for help.
Note: Only a user with Administrator privileges on the Management Console can
complete the registration process.
If your license is within 90, 60, or 30 days of expiration, the banner displays the
following message:
At 90 days and 60 days, you only see the message displayed the first time you
log in to the Management Console. Thirty days prior to license expiration, the
Management Console always displays this message.
If the license is past the expiration date and within the grace period, the banner
displays the following message:
CA Total Defense License has expired. Grace period will end in <#> days.
CA provides a 30-day grace period at the end of the license subscription to allow
time for product renewal. You must purchase a new license prior to the end of the
grace period.
If you did not activate the license for your CA Total Defense product, the
Management Console displays the following message:
This message appears if you did not activate your license when you installed the
product. You must activate your license within 30 days or the product will no
longer work.
Note: Only a user with Administrator privileges on the Management Console can
complete the registration process.
There are two options for completing the licensing registration process and
activating your license: online license activation and offline license activation.
Online license activation
For offline license activation, you must download and install the CA Total
Defense Licensing Utility, then follow the instructions provided in the help for
that utility. Visit this site https://ems.ca.com/synctool to download the
utility.
4. Click Licensing.
The Licensing page opens, listing the days remaining until your license
expires and when the synchronization occurs.
5. Click Synchronize Licenses.
The following sections contain procedures for the Product Subscription Licensing
tool.
2. In the Filter Endpoints section, enter your filter criteria. You can filter the list
using the following criteria:
Note: You cannot use wildcard characters when filtering the endpoint lists.
Domain Name
The list displays only those endpoints that match your criteria.
Reassign Licenses
3. Click Reassign.
A warning message appears.
4. Click OK.
A list of available Entitlement Keys replaces the list of endpoints.
5. Select the Entitlement Key for the license you want to assign to the endpoint.
6. Click Reassign.
The endpoint is reassigned to the license you specified. If the endpoint was
listed as unassigned, it moves to the Assigned Endpoint list.
Unassign Licenses
Unassigning licenses allows you to recover licenses from endpoints that are no
longer in use, so that you can reassign those licenses to other endpoints.
1. Select the server or proxy that contains the endpoint from which you
want to unassign a license.
The Assigned Endpoints page opens, displaying the server or proxy details.
2. Filter the endpoints as needed and select one or more endpoints from which
to unassign licenses.
3. Click Unassign.
A warning message appears.
4. Click OK.
The licenses are unassigned from the endpoints and ready to be reassigned
as necessary. The endpoints now appear in the Unassigned Endpoints list. They
will remain there in case you decide to reassign a license to them at a later
time.
To view the Product Information page, click Product Information. The Product
Information page opens, displaying the details of your current product.
Expiration Date
The license expiration date for your product. If you have not renewed your
product by this date, your system enters the thirty-day grace period. Once
that grace period expires, you must request a product upgrade instead of
renewing your license.
The Product Information has a table listing the features included in your product.
This table displays the following information:
Serial Number
The serial number assigned to the feature.
Feature Name
The name of the feature.
Version
The current version number of the feature installed.
Customer Details
This tab displays the customer details for your purchase, including the
purchasing contact and the technical contact in your company for this
product. You can edit these details from this tab.
Order Details
This tab displays the order details for your purchased products. Use this tab
to link new orders to your existing product listings. You may need to link
orders if you purchase a new product or additional endpoints.
Reseller Details
This tab contains the reseller details included with your product, if you are
reselling the product as part of your own applications.
Editing the contact details lets you update the contact information for both your
purchase contact details and technical contact details.
2. Select the Customer Details tab and click the Edit Contact button next to the
contact to edit.
The tab displays the edit fields for the selected contact.
If your company has purchased several orders over a period of time, you can link
each order to your account to ease the management of your licenses. When linking
an order to your account you need the Order Number and the associated license
key.
You can view the support contact details for a variety of regions.
3. Use the drop-down menu to view contact information for other regions.
To view the License Request page, click License Request. The License Request
page opens, displaying the details of your current product license.
Expiration Date
The license expiration date for your product. If you have not renewed your
product by this date, your system enters the thirty-day limited-function grace
period. Once that grace period expires, you must repurchase your product
license instead of renewing your license.
Use this tab when requesting an active license renewal. If your license and
the grace period have expired, this tab changes to Upgrade and you have to
request a product upgrade instead. The procedure for upgrading is the same
as renewing.
Migrate to
Use this tab to request a product migration. Migrating your product allows
you to carry your existing license over to a new product suite, increasing the
features you can access.
Use the Renew tab when requesting a renewal of an active license. If your license
and the grace period have expired, this tab changes to Upgrade and you have to
request a product upgrade instead. The procedure for upgrading is the same as
renewing.
4. Enter the number of endpoints you want included with this renewal.
5. Click Send Request.
After you submit a request, the reseller or partner will contact you to proceed
with the renewal, migration, or upgrade procedure. You will then receive a new
license key. If performing a migration, you enter the new license key during
installation. If renewing or upgrading the product, you add the new license key
with the PSM tool.
The Product Information page opens and displays the details of your current
product.
2. If renewing a product:
a. Click the Order Details tab.
The Order Details tab opens and displays the order information for your
product purchases.
b. Click Link Order.
5. Click Submit.
At the next regularly scheduled synchronization time, the PSM sends the
information to the CA Entitlement System and associates the new key with
the server's node-id. If renewing a product, you can use the Synchronize
Licenses button in the Management Console to send the information
immediately.
Migrate a License
Use the Migrate tab to request a migration of your product. Migrating your
product allows you to carry your existing license over to a new product suite,
increasing the features you can access. The Migrate tab only captures the sales
request. After submitting a request, the reseller or partner completes the
migration process and sends you a new license key, which is used for the
migration.
The License Request page opens, displaying the details of your current
product license.
2. Click the Migrate tab.
Endpoint Discovery
Endpoint Discovery searches your network and collects a list of all unmanaged
endpoints. By default, this feature runs every 24 hours to ensure that all
endpoints are accounted for, including laptops or other endpoints that may be
disconnected from the network on a regular basis. You can change this schedule
depending on how often you expect endpoints to be disconnected from and
reconnected to your network. You can also configure the time of day when
Endpoint Discovery runs. You can also manually run Endpoint Discovery. This is
advantageous if you have installed a large number of endpoints and you want to
discover these machines quickly instead of waiting for the scheduled interval.
The Results of the Most Recent Discovery displays the following information:
Discovery Type
The type of last discovery, Full or Incremental.
Start Time
Completion Time
The time when the last discovery ended.
Completion Status
The completion status for the last discovery. The status may either be
SUCCESS or FAILED. If the status is FAILED, the Management Console lists
the possible reason.
Job Initiation
Whether the job was Manual or Scheduled. A manual job was started by a
user, whereas a scheduled job is planned and run by the Management
Server.
The total number of endpoints found during the last discovery process. This
count includes both known and new endpoints.
The total number of new endpoints found during the last discovery process.
This count only includes new endpoints, and excludes previously discovered
endpoints.
Endpoints Removed
Lists the number of endpoints that were previously in the list of discovered
endpoints, but were not found when this discovery process ran. If you run a full
discovery, then any previously discovered endpoint that is not found is
removed. If you run an incremental discovery, the Maximum Missed Discoveries
parameter determines when an endpoint is removed from the list of discovered
endpoints. During incremental discovery, the Management Server records the
number of times an endpoint is not found. Once this number matches the
Maximum Missed Discoveries parameter, the Management Server removes the
endpoint from the list. If the Management Server finds the endpoint during an
incremental discovery, this count is reset.
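The Endpoints Removed rule above, as an added Python model that is not CA's code: a full discovery drops every known endpoint it does not find, while an incremental discovery counts misses per endpoint, removes the endpoint once the count reaches Maximum Missed Discoveries, and resets the count when the endpoint is found again. The class and field names and the sample host names are assumptions; the replayed runs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class DiscoveryResult:
    """The Results of the Most Recent Discovery fields this model can fill in."""
    discovery_type: str       # "Full" or "Incremental"
    endpoints_found: int      # known and new endpoints seen in this run
    new_endpoints: int        # seen for the first time in this run
    endpoints_removed: int
    removed: Set[str]


@dataclass
class DiscoveryState:
    """Discovered-endpoint list plus per-endpoint miss counters (names assumed)."""
    max_missed_discoveries: int = 3
    known: Set[str] = field(default_factory=set)
    missed: Dict[str, int] = field(default_factory=dict)

    def run(self, discovery_type: str, seen: Iterable[str]) -> DiscoveryResult:
        """Apply one discovery run and return what the console would report."""
        seen = set(seen)
        new = seen - self.known
        not_found = self.known - seen
        if discovery_type == "Full":
            # A full discovery removes every known endpoint it did not find.
            removed = set(not_found)
            self.missed.clear()   # every survivor was found, so every counter resets
        elif discovery_type == "Incremental":
            # An incremental discovery only counts the miss; removal happens once
            # the count reaches Maximum Missed Discoveries.
            removed = set()
            for ep in not_found:
                self.missed[ep] = self.missed.get(ep, 0) + 1
                if self.missed[ep] >= self.max_missed_discoveries:
                    removed.add(ep)
            for ep in seen:
                self.missed.pop(ep, None)   # found again: the count is reset
        else:
            raise ValueError(f"unknown discovery type: {discovery_type!r}")
        for ep in removed:
            self.known.discard(ep)
            self.missed.pop(ep, None)
        self.known |= seen
        return DiscoveryResult(discovery_type, len(seen), len(new), len(removed), removed)


def replay(runs: List[Tuple[str, List[str]]], max_missed: int) -> List[DiscoveryResult]:
    """Replay a sequence of (type, endpoints seen) runs against a fresh state."""
    state = DiscoveryState(max_missed_discoveries=max_missed)
    return [state.run(kind, seen) for kind, seen in runs]


# Constructed runs: laptop-07 is off the network intermittently, pc-02 is retired.
SAMPLE_RUNS: List[Tuple[str, List[str]]] = [
    ("Full",        ["pc-01", "pc-02", "laptop-07"]),
    ("Incremental", ["pc-01", "pc-02"]),                       # laptop-07 missed once
    ("Incremental", ["pc-01", "pc-02", "laptop-07", "pc-03"]), # laptop-07 back, reset
    ("Incremental", ["pc-01", "pc-03"]),                       # pc-02, laptop-07 missed once
    ("Incremental", ["pc-01", "pc-03"]),                       # missed twice: removed
    ("Full",        ["pc-01"]),                                # full sweep drops pc-03
]

if __name__ == "__main__":
    for r in replay(SAMPLE_RUNS, max_missed=2):
        print(f"{r.discovery_type:<11} found={r.endpoints_found} "
              f"new={r.new_endpoints} removed={sorted(r.removed)}")
```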
The Results of the Most Recent Discovery displays the following information:
Discovery Type
Completion Time
The time when the last discovery ended.
Completion Status
The completion status for the last discovery. The status may either be
SUCCESS or FAILED. If the status is FAILED, the Management Console lists
the possible reason.
Job Initiation
Whether the job was Manual or Scheduled. A manual job was started by a
user, whereas a scheduled job is planned and run by the Management
Server.
Endpoints Removed
The total number of endpoints the discovery process did not find during the
last discovery. The Management Console keeps track of the total number of
endpoints found prior to running the discovery process. When the discovery
process is run, if this number exceeds the total number of endpoints found,
the difference is listed here as the number of endpoints removed.
You can also run Endpoint Discovery manually. Manually running Endpoint
Discovery can be advantageous if you installed a large number of machines and
want the Management Console to discover these machines quickly, rather than
waiting for the scheduled interval.
You can run the Endpoint Discovery in either Full Discovery mode or Incremental
Discovery mode. When you run Endpoint Discovery in Full Discovery mode, your
entire network is scanned for new endpoints. This process is slower than running
an Incremental Discovery, but ensures that no endpoints are missed.
The process runs until completion unless you click Stop Discovery or
Endpoint Discovery encounters an error.
The process runs until completion unless you click Stop or the Endpoint
Discovery encounters an error.
You must configure the Endpoint Discovery process to ensure the Management
Console can properly discover each endpoint. The configurations you set include
the scheduled interval for the Endpoint Discovery. When you run a manual
Endpoint Discovery, it uses whatever configuration values you last set. Use the
following process when configuring the Endpoint Discovery:
4. Specify the IP range exclusions for the Discovery process. (see page 544)
Excluding certain IP address ranges lets you skip network devices such as
printers, allowing for a faster Endpoint Discovery process.
5. (Optional) Specify the Port Scanning parameters for the Discovery process.
(see page 549)
You must set the ports the Management Console will use if you are using the
TCP sweep to scan for endpoints or are using Active Fingerprinting scanning
to determine the OS of the endpoint. If these methods are enabled, the
performance of the system greatly depends on how well you configure the
port scanning parameters.
6. Specify any advanced parameters for the Discovery process. (see page 551)
Setting the Advanced parameters lets you determine the timeouts and
number of retries allowed for the various Endpoint Discovery methods. You
can also specify the maximum number of packets or threads used when the
Management Console runs the Endpoint Discovery.
7. Specify the logging options for the Endpoint Discovery log. (see page 553)
Setting the logging option ensures that the Endpoint Discovery records all
transactions that are of interest to you.
Note: At any point, you can click Save to save all the changes you have made.
Click Back or Next to save any changes you make and move to a different page.
To restore the settings to the previously saved state, click Restore Previous
Settings. You can also jump to a specific page by clicking the page link in the
Steps for Configuring Discovery pane.
Scheduling the Endpoint Discovery allows this process to take place at regularly
scheduled times and intervals. This ensures that your list of endpoints remains
up to date, and allows for proper protection for your network. To run Endpoint
Discovery at the scheduled times, you must enable the Schedule Discovery Jobs
option. If you do not enable this option, you must manually run the Endpoint
Discovery to locate new endpoints.
You should schedule Endpoint Discovery if you believe that endpoints can be
added or removed from your network without your knowledge. This may happen
in a large organization with distributed IT Departments handling the addition of
endpoints to the network. If you have a small network and know when endpoints
are added or removed, you may opt to manually run Endpoint Discovery only
when you add or remove endpoints.
The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.
3. Click Configure.
The Configure Discovery window opens on the Schedule Discovery page.
Note: You must enable the Schedule Discovery Jobs option to run Endpoint
Discovery at a scheduled time. If you do not enable this option, you must
periodically run Endpoint Discovery manually to locate new endpoints.
Enter the date on which you want the Endpoint Discovery process to
begin.
Note: Do not pick a date that has already passed unless you plan to
have the Endpoint Discovery process repeat at a specified interval. If you
do set the date and time to a past day and do not set the Repeat Every
interval, the scheduled Endpoint Discovery process will not run.
Time
Enter the time at which you want the Endpoint Discovery process to
begin.
Repeat Every
Enter the interval between each Endpoint Discovery. For example, to run
the Discovery every day, enter either 1 in the Days field or 24 in the
Hours field.
6. In the Select Rediscovery method pane, select one of the following options:
Full Discovery
When you run Endpoint Discovery in Full Discovery mode, the
Management Console checks the entire visible network for new
endpoints. This process is slower than running an Incremental
Discovery, but ensures no endpoints are missed.
Incremental Discovery
7. In the Options pane, enter a value in the Maximum Missed Discoveries field
to specify the maximum number of attempts the Management Console
makes before declaring an endpoint as inactive.
One attempt is made for each scan. If an endpoint is not active for the
specified number of attempts, the endpoint is considered inactive and
removed from the list of active endpoints.
8. Click Save.
Your changes are saved.
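The following Python example, added here and not part of the CA Total Defense product, models the Maximum Missed Discoveries rule described at the start of this section and in step 7: each known endpoint carries a count of consecutive incremental discoveries in which it did not answer, a single hit resets the count, and the endpoint is dropped from the active list once the count reaches the configured limit. Endpoint names and sweep results are constructed sample data; class and function names are the example's own.

```python
from typing import Dict, Iterable, List, Set


class DiscoveryState:
    """Tracks the endpoint list kept between incremental discovery sweeps.

    Added illustration of the Maximum Missed Discoveries rule, not product
    code. The only state is, per endpoint, the number of consecutive sweeps
    in which it did not answer.
    """

    def __init__(self, max_missed: int) -> None:
        if max_missed < 1:
            raise ValueError("Maximum Missed Discoveries must be at least 1")
        self.max_missed = max_missed
        self.missed: Dict[str, int] = {}  # endpoint -> consecutive misses

    def apply_incremental(self, found: Iterable[str]) -> Dict[str, List[str]]:
        """Apply one incremental discovery and report what changed.

        Endpoints seen for the first time are added with a zero count; known
        endpoints that answered have their count reset; known endpoints that
        did not answer are incremented and removed once the limit is reached.
        """
        seen: Set[str] = set(found)
        added = sorted(seen - set(self.missed))
        removed: List[str] = []
        for endpoint in list(self.missed):
            if endpoint in seen:
                self.missed[endpoint] = 0          # one hit resets the count
            else:
                self.missed[endpoint] += 1
                if self.missed[endpoint] >= self.max_missed:
                    removed.append(endpoint)       # declared inactive
                    del self.missed[endpoint]
        for endpoint in added:
            self.missed[endpoint] = 0
        return {
            "added": added,
            "removed": sorted(removed),
            "active": sorted(self.missed),
        }


def simulate(max_missed: int, sweeps: List[Set[str]]) -> List[Dict[str, List[str]]]:
    """Run a sequence of (constructed) sweep results through DiscoveryState."""
    state = DiscoveryState(max_missed)
    return [state.apply_incremental(sweep) for sweep in sweeps]


if __name__ == "__main__":
    # Constructed sample: host "b" misses one sweep, answers once (which
    # resets its count), then misses two in a row; "c" appears at the end.
    sample = [{"a", "b"}, {"a"}, {"a", "b"}, {"a"}, {"a", "c"}]
    for number, result in enumerate(simulate(2, sample), start=1):
        print(f"sweep {number}: {result}")
```

With a limit of 2, host "b" survives the first miss because it answers the next sweep; it is only removed after two consecutive misses. Setting the limit too low therefore evicts hosts that are merely slow to respond, while setting it too high keeps stale entries in the list for longer.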
The Endpoint Discovery must have Administrative access to properly find all
endpoints.
3. Click Configure.
The Configure Discovery window opens on the Schedule Discovery page.
Select this option to enable the DNS Scan discovery method. Using the
DNS method, the Management Console searches for endpoints based on
the domain names used.
The Endpoint Discovery must have Administrative access to properly find all
endpoints. Enter these credentials on the Discovery Authentication Credentials
page.
The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.
3. Click Configure.
You must enter a username and password or the Endpoint Discovery does
not function.
6. Click Save.
When running an Endpoint Discovery, you can exclude certain IP address ranges
using the IP Range Exclusion list. The Exclusion list lets you exempt a range of IP
addresses from the Endpoint Discovery. For example, if you know that the IP
addresses in a range are all assigned to printers or other devices that you do not
want to discover, you can exclude the IP address range.
3. Click Configure.
The Configure Discovery window opens on the Schedule Discovery page.
5. Enter an IP address in the IP address field in the Exclude Ranges pane and
click Add to add an address to the IP Range Exclusion list.
■ Explicit range support with fixed CIDR suffix for the starting and ending
IP address, for example: 1.2.3.12/24-1.2.3.252/24.
■ Explicit range support for full IPv6 addresses (not abbreviated) and use
of CIDR type prefix masking is also supported.
6. Click Clear to reset the IP address field. You can also modify or remove
addresses from the list.
■ To remove an IP address from the list, select the address and click
Remove.
7. Click Save.
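The following Python example, added here and not part of the product, parses the exclusion entry formats listed above (a single IPv4 or IPv6 address, a CIDR block, an explicit start-end range, and an explicit range with a fixed CIDR suffix on both ends such as 1.2.3.12/24-1.2.3.252/24) and filters a candidate list before a sweep. The page does not define the semantics of the suffixed range form; the example assumes both ends must fall inside the same prefix and that the rule covers the addresses between them inclusive. All addresses below are constructed sample data, and the function names are the example's own.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _split_suffix(text: str) -> Tuple[IPAddress, Optional[IPNetwork]]:
    """Split '1.2.3.12/24' into (host address, enclosing /24 network).

    An entry without a suffix returns (address, None).
    """
    if "/" in text:
        host, _ = text.split("/", 1)
        return ipaddress.ip_address(host), ipaddress.ip_network(text, strict=False)
    return ipaddress.ip_address(text), None


def parse_exclusion(entry: str) -> Tuple:
    """Parse one IP Range Exclusion entry into a rule tuple.

    Forms: 'host' (single address), 'net' (CIDR block), and 'range'
    (start-end, optionally with the same CIDR suffix on both ends).
    Assumption for the suffixed form: both ends lie in one prefix and the
    rule covers start..end inclusive. Bad input raises ValueError.
    """
    entry = entry.strip()
    if "-" in entry:
        start_text, end_text = (part.strip() for part in entry.split("-", 1))
        start, start_net = _split_suffix(start_text)
        end, end_net = _split_suffix(end_text)
        if start.version != end.version:
            raise ValueError(f"mixed IP versions in range: {entry}")
        if start_net != end_net:  # also catches a suffix on only one end
            raise ValueError(f"range ends are not in the same prefix: {entry}")
        if start > end:
            raise ValueError(f"range start is after range end: {entry}")
        return ("range", start, end)
    if "/" in entry:
        return ("net", ipaddress.ip_network(entry, strict=False))
    return ("host", ipaddress.ip_address(entry))


def parse_exclusions(entries: Iterable[str]) -> List[Tuple]:
    """Parse every non-blank entry of the exclusion list."""
    return [parse_exclusion(entry) for entry in entries if entry.strip()]


def exclusion_error(entry: str) -> Optional[str]:
    """Return the validation message for a bad entry, or None if accepted."""
    try:
        parse_exclusion(entry)
    except ValueError as exc:
        return str(exc)
    return None


def is_excluded(address: str, rules: List[Tuple]) -> bool:
    """True if the discovery sweep must skip this address."""
    ip = ipaddress.ip_address(address)
    for rule in rules:
        kind = rule[0]
        if kind == "host" and ip == rule[1]:
            return True
        if kind == "net" and ip.version == rule[1].version and ip in rule[1]:
            return True
        if kind == "range" and ip.version == rule[1].version and rule[1] <= ip <= rule[2]:
            return True
    return False


def hosts_to_scan(candidates: Iterable[str], rules: List[Tuple]) -> List[str]:
    """Drop excluded candidates before handing the list to the scanner."""
    return [host for host in candidates if not is_excluded(host, rules)]


if __name__ == "__main__":
    # Constructed exclusion list: printer subnet, a management range, a
    # suffixed range, and one full (unabbreviated) IPv6 address.
    rules = parse_exclusions([
        "10.0.5.0/24",
        "192.168.1.10-192.168.1.20",
        "1.2.3.12/24-1.2.3.252/24",
        "2001:0db8:0000:0000:0000:0000:0000:0001",
    ])
    print(hosts_to_scan(["10.0.5.7", "10.0.6.7", "1.2.3.100", "2001:db8::2"], rules))
```

Because the parser normalises with the ipaddress module, the abbreviated form 2001:db8::1 matches an exclusion entered in full, and a typo such as a range whose start is after its end is rejected at save time rather than silently excluding nothing.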
You can set the ports the Management Console uses for the discovery process by
configuring the port scanning parameters.
The Endpoint Discovery pane opens and displays the results from the last
time the discovery process ran.
3. Click Configure.
The Management Console scans for endpoints using the Preferred Ports
that are defined after this option. You can use both configured ports and
open ports when scanning.
Note: These options are only available if you enabled Port Scanning.
7. Use the Preferred Ports pane to add or delete preferred ports used when you
enable Port Scanning and Use Configured Ports.
These preferred ports are the first ports the Management Console uses when
attempting to locate endpoints through Port Scanning.
■ To add a port, enter the port number in the Add Port to Preferred List
field and click Add. You can have a maximum of 10 preferred ports.
■ To remove a port, select the port in the List of Preferred Ports to Scan
table and click Remove. The port is removed from the list.
8. Click Save.
Your changes are saved. Click Close to close the page, or go back and make
any additional changes using the Back button.
Set the Advanced parameters to determine the timeouts and number of retries
allowed for the various Endpoint Discovery methods. You can also specify the
maximum number of packets or threads used when the Management Console
runs the Endpoint Discovery.
3. Click Configure.
The Configure Discovery window opens on the Schedule Discovery page.
5. In the Timeouts and Retries pane, configure the time the Management
Console waits before it declares an address is invalid due to timeout, and the
number of retries the Management Console attempts before declaring an
address as invalid. Set the following values:
Enter the maximum packet rate for the Management Console. The
Management Console does not exceed this maximum. A higher value lets the
Management Console complete the scan faster, but consumes more network
bandwidth; an aggressive rate can also trigger intrusion detection alerts and
disrupt devices that handle bursts of probes poorly, so raise it gradually.
Specify the logging options to ensure that the Endpoint Discovery records all
transactions that are of interest to you.
Note: At any point, click Save to save the changes you have made. Click Back or
Next to save changes and move to a different page. To restore the settings to the
previously-saved state, click Restore Previous Settings. You can also jump to a
specific page by clicking the page link in the Steps for Configuring Discovery
pane.
1. Click Configure, Environment.
The Navigation Pane expands to show configuration options for the
Management Server.
3. Click Configure.
The Configure Discovery window opens to the Schedule Discovery page.
5. In the Options pane, set the Log Level to one of the following values:
Critical
This option logs only critical events that cause the Endpoint Discovery
process to terminate unexpectedly.
Error
This option logs only critical events and other errors. Warning and
informational messages are not logged.
Warning
This option logs all warnings, errors, and critical events. Only
informational events are not logged.
Informational
This option logs all events. Selecting this option can result in your log
reaching its size limit very quickly.
Debug
This setting records the maximum amount of information, but should not
be used unless you are instructed to by CA support personnel. Using this
option greatly increases the amount of information logged, and quickly
causes your log to reach its maximum size.
When the log exceeds this size, the Management Console either overwrites
or rotates the log, depending on the next option you set.
7. Specify one of the following options in the Action When Maximum Log Size is
Reached section:
Overwrite
The log overwrites its oldest data when it reaches its size limit, so the
earliest entries are lost.
Rotate
The log is rotated out and a new log is started when the log reaches its
size limit.
8. Click Save.
Your changes are saved.
9. Click Close to close the page, or click Back to return and make any additional
changes.
The Management Proxy Servers page opens, displaying the name and status of
each proxy with following information:
Endpoints Managed
CPU
Lists the percentage of CPU in use on the proxy server across all applications.
This is the same percentage you see in use on the server if you looked at the
Windows Task Manager.
Disk
List the percentage of total disk space in use on the proxy server.
Click the arrow to expand the information. The page displays the following
additional information for that proxy:
Last Endpoint Synchronization
When the proxy server last synchronized with the primary management
server.
Synchronization Interval
How often the proxy attempts to synchronize with the Management Server.
The Management Proxy Servers page also provides the following features:
Add
Opens the Add Installed Proxy page where you can manually add a proxy
server. You should only have to add a proxy manually if the proxy cannot
automatically communicate with the Master Management Server. A proxy
may not be able to communicate if the proxy is located in a DMZ or another
location with limited network access.
Configure
Opens the Configure Proxy Settings page for the selected proxy
Disable
Disables the selected proxy server. If a proxy server is disabled, endpoints
can no longer communicate with it. An endpoint does not attempt to
communicate with another proxy server unless the endpoint's Phone Home
policy lists another proxy.
Enable
Remove
Removes the selected proxy server. The proxy is completely removed from
the proxy database and that server can no longer act as a proxy. Do not
remove a proxy unless the proxy software has been uninstalled from the
machine or the machine has been permanently removed from your network.
Activate
Activates the selected inactive proxy server. If a new proxy server can
communicate with the Master Management Server, the proxy is
automatically added to the proxy list. However, if the proxy is inactive you
must activate the proxy. If you add a proxy server using the Add button, you
do not need to activate the proxy.
You can narrow down the number of proxy servers displayed at one time using
the View by Status drop-down list. To narrow down the list, select one of the
following statuses from the View by Status drop-down menu:
Show All
Displays all proxy servers.
Active
Displays only currently active proxy servers.
Inactive
Out of Date
Displays all proxy servers that are not currently synchronized with the
management server.
Enabled
Displays only currently enabled proxy servers.
Disabled
Displays only currently disabled proxy servers.
To find a proxy, enter the exact name of the proxy in the Find field and click Go.
The Management Console highlights the proxy whose name you entered. The
server reports an error if it cannot find the proxy by name.
There are two methods you can use when adding a management proxy server.
Under most circumstances, you can simply install the proxy server and the
server shows up in the Management Proxy Server list. In this case, you simply
need to activate the server to finish the installation and start using the proxy.
Activation requires user interaction so that someone who has obtained a copy
of your security certificate cannot masquerade as a proxy and infiltrate your
network.
If your proxy is in a DMZ or an isolated environment, you may have to add the
proxy server manually. In this case, you must add the proxy and provide the
correct security certificate.
4. Click Add.
The Add Installed Proxy page opens.
5. Enter a name for the server in the Server Name field. This name must
exactly match the server name on the certificate.
Note: If you plan to use the default port of 44346, you only need to enter the
server name.
If you are not using the default port, you must enter the server name and
port as:
Servername:port
For example, to use port 33433 on the Example server, you would enter
Example:33433.
6. Click Upload Certificate, locate the security certificate for the proxy, and
click Open to upload the certificate.
Note: The default location for the certificate on the proxy is C:\Program
Files\CA\TotalDefense\ManagementServer\WebServices\CertFile.
7. To make the file available, either copy it to the machine on which you view
the Management Console or map a drive to the proxy so you can select the
certificate directly.
9. Select a value for the Time Interval for Endpoint Synchronization, the time
the Management Console waits before attempting to synchronize with the
endpoints.
10. Click Add.
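The following Python example, added here and not part of the product, models the two enrolment paths described above: a proxy that reaches the Master Management Server on its own is listed but stays inactive until an administrator activates it, while a proxy added manually with its certificate is trusted at once, and only proxies that are both active and enabled are offered to endpoints. It also parses the Servername:port form with the default port 44346 and enforces the rule that the entered name must exactly match the name on the certificate. The registry class, the helper names and the host names other than "Example" are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

DEFAULT_PROXY_PORT = 44346  # default proxy port named on this page


def parse_server_field(text: str) -> Tuple[str, int]:
    """Parse the Server Name field: 'Example' or 'Example:33433'.

    Host names only; the default port applies when none is given. An empty
    name, whitespace in the name, or a port outside 1-65535 is rejected.
    """
    text = text.strip()
    name, sep, port_text = text.partition(":")
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"invalid server name: {text!r}")
    if not sep:
        return name, DEFAULT_PROXY_PORT
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port in {text!r}")
    return name, int(port_text)


@dataclass
class Proxy:
    name: str
    port: int
    cert_name: str   # server name carried by the proxy's certificate
    active: bool     # False until an administrator has vouched for it
    enabled: bool = True


class ProxyRegistry:
    """Hypothetical model of the Management Proxy Servers list (added example,
    not product code). Endpoints are steered only to active, enabled proxies."""

    def __init__(self) -> None:
        self.proxies: Dict[str, Proxy] = {}

    def auto_register(self, name: str, port: int, cert_name: str) -> None:
        # Reached the Master Management Server on its own: listed, but a human
        # must activate it, so a stolen certificate alone attracts no traffic.
        self.proxies[name] = Proxy(name, port, cert_name, active=False)

    def add_installed(self, server_field: str, cert_name: str) -> Proxy:
        # Manual add (DMZ or isolated proxy): the administrator supplies the
        # certificate, and the name entered must exactly match its name.
        name, port = parse_server_field(server_field)
        if name != cert_name:
            raise ValueError(f"server name {name!r} does not match certificate name {cert_name!r}")
        proxy = Proxy(name, port, cert_name, active=True)
        self.proxies[name] = proxy
        return proxy

    def activate(self, name: str) -> None:
        self.proxies[name].active = True

    def disable(self, name: str) -> None:
        self.proxies[name].enabled = False

    def enable(self, name: str) -> None:
        self.proxies[name].enabled = True

    def remove(self, name: str) -> None:
        del self.proxies[name]

    def usable(self) -> List[str]:
        """Proxies endpoints may phone home to: active and enabled only."""
        return sorted(p.name for p in self.proxies.values() if p.active and p.enabled)

    def by_status(self, status: str) -> List[str]:
        """Filter like the View by Status list (Active, Inactive, Enabled, Disabled)."""
        checks: Dict[str, Callable[[Proxy], bool]] = {
            "Active": lambda p: p.active,
            "Inactive": lambda p: not p.active,
            "Enabled": lambda p: p.enabled,
            "Disabled": lambda p: not p.enabled,
        }
        return sorted(p.name for p in self.proxies.values() if checks[status](p))


if __name__ == "__main__":
    registry = ProxyRegistry()
    registry.auto_register("dmzproxy", DEFAULT_PROXY_PORT, "dmzproxy")  # constructed
    print("before activation:", registry.usable())
    registry.activate("dmzproxy")
    registry.add_installed("Example:33433", "Example")
    print("after activation and manual add:", registry.usable())
```

The point of the model is the gap between "listed" and "usable": auto-registration proves only that something holding the certificate can talk to the server, so the activation click is the step where an administrator confirms the host is one they installed.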
You can configure the time interval a proxy server waits before polling the
associated endpoints. You can also specify proxy server database configuration
options, such as the database access credentials, and whether the proxy server
uses an Active Directory server for the proxy's directory information.
When selecting an Active Directory Server, you should select a server that has
the shortest path to the proxy for network optimization purposes.
Server Name
If you are not using the default port, you must enter the server name
and port as:
Servername:port
For example to use port 33433 on the Example server, you would enter
Example:33433.
Database Instance
The name of the database instance on the server used by the proxy.
User Name
The user name associated with the database. The user you assign must
have administrative access to the Microsoft SQL Server database the
proxy server uses.
Password
6. Click Apply.
The proxy's configuration is updated.
Click Discard to remove any changes you made, but stay on this page. Click
Cancel to stop the process and return to the Management Proxy Server page.
Active Directory
This section contains procedures related to Active Directory.
You can configure the Management Server to use your organization's existing
Active Directory implementation.
To view Active Directory servers, click Configure, then click Environment, and
Directory Services.
The Active Directory Configuration page displays the available Active Directory
servers and lists the following information about each available directory:
Server Name
The name of the Active Directory server.
Server Port
The port used to contact the Active Directory server.
Authentication
Use SSL
Whether the Active Directory server uses the Secure Sockets Layer protocol.
User Name
Lists the user name used to connect to the Active Directory server. This user
name must have the Schema Administrator privilege on the Active Directory
server. Because that privilege is among the most powerful in the forest, use a
dedicated account for this connection and protect its credentials accordingly.
Add
Select an Active Directory server and click this button to edit this server.
Delete
Select an Active Directory server and click this button to delete this server.
You can add a new Active Directory server, as necessary. You must have the
access information for that server, including the user name and password used
to connect with that server.
The following conditions apply when using Active Directory on Windows 2000:
■ The password policy must specify reversible encryption for the Domain. If
this setting is changed, the user account used to connect must also change its
password after the password policy has changed for the setting to take effect.
Note that reversible encryption stores passwords in a recoverable form, which
weakens the whole domain; keep the requirement as narrowly scoped as your
environment allows and treat the connecting account as highly sensitive.
■ Use the fully qualified Domain name of the Active Directory server. For
example,
Use: adserver.travis.ourcompany.com
The following conditions apply when using Active Directory on Windows 2003
and later:
■ Use the fully qualified Domain name of the Active Directory server. For
example,
Use: adserver.travis.ourcompany.com
The Active Directory Configuration page opens, populated with the available
Active Directory servers.
3. Click Add.
4. Enter the name of the Active Directory server in the Server Name field.
The contents of the Server Port field, indicating the port used to contact this
server, and the Active Directory Tree Name field, indicating the Active
Directory tree name used by this server, are determined automatically.
6. Enable the Use SSL option to use the Secure Sockets Layer protocol, so that
the directory connection, including the credentials entered in the next step, is
encrypted in transit.
This option is only enabled if you select Secured Connection for the
Authentication Method.
7. Enter the user name and password used to access the Active Directory
server in the appropriate fields.
8. Click Save to save your changes.
You can edit or delete Active Directory servers from the Active Directory
Configuration page. You can also show or hide the Alternate Active Directory
Server pane.
The Active Directory Configuration page opens, populated with the available
Active directory servers.
3. Click Show/Hide Alternate Servers.
Server Databases
The CA Total Defense product includes multiple databases. The Management
Server and Endpoint Discovery feature share a common database. The Events
Server uses a different database.
From the Management Server page, you can modify the connection string for the
Management Server and Endpoint Discovery if you need to relocate a database
after installation. You can use the Event Server Database, Connections page to
modify the connection string for the Event Server.
You must periodically perform maintenance on the Event Server database. Use
the options found under Event Server, Maintenance to schedule maintenance on
a regular basis or to perform immediate maintenance. Additionally, you can
review the maintenance history for the Event Server database.
The Event Server database includes archive options that allow you to save
events. Use these options to specify when and under what condition the Events
database is archived. You can also view the archive history and the archived
databases.
The Management Server page lets you configure the Management server
settings and specify the Discovery server access information. You can also set
the Topology and Certificate Distribution password from this page.
User Name
Enter the user name used to access the Management server's database.
Password
Enter the password associated with that user name.
5. Click Apply.
Note: Do not include curly braces, { or }, in the Login name field; they are
not supported because they act as quoting characters in the database
connection string.
4. Enter the user name and password to use to access the Discovery database.
5. Click Apply.
To discard any changes you make to the fields on this page, click the appropriate
Discard button.
Event Server
Events collected by the Management Console are stored in the Event Database.
This database is stored on a server. This server may be part of the Management
Console, or may be a separate machine depending on your setup. When
managing the Event server, you can configure the Database options, perform
maintenance on the server, and view the archive settings and history for the
Event server.
The Storage Connection page lets you specify the Microsoft SQL Server,
authentication information, and instance name for the Event Server. You can
also specify the user name and password credentials.
The Event Server option expands, displaying the various subsections you
can select.
4. Click Database.
The Database option expands, letting you select Connection or Preferences.
5. Click Connection.
The Storage Connection page opens, displaying the configuration for the
connection.
Password
Enter the password associated with that user name.
Instance
The Storage Preference page lets you specify how much detail for each event is
saved. The more information saved, the more space is required for the event
database.
The Event Server option expands, displaying the various subsections you
can select.
4. Click Database.
The Database option expands, letting you select Connection or Preferences.
5. Click Preferences.
The Storage Preference page opens, displaying the storage option.
6. Using the Storage Type drop-down menu, select one of the following
options:
Normal (Light)
Select this option to store only the minimal number of event fields. This
option should suffice for most reporting and event viewing needs.
Comprehensive (Full)
You must maintain the Event Server to ensure that it does not run out of room to
store incoming events. The Run Now page lets you perform immediate
maintenance on your Event database if, for example, your database has
exceeded its size limitations.
The Event Server option expands, displaying the various subsections you
can select.
4. Click Maintenance.
Select this option and enter a number of days to delete any records older
than the specified number of days.
7. (Optional) Limit the time the record purge operation runs by selecting Limit
Run Time and specifying the maximum length of time, in hours and minutes,
you want the purge to run.
8. Click Go.
You are prompted to confirm the deletion.
9. Click Yes.
The selected records are deleted, clearing storage space for new events.
The Scheduled Maintenance page lets you specify when routine maintenance
occurs on the Event database. You can also specify the parameters for the
routine maintenance.
You must maintain the Event Server to ensure the server does not run out of
room to store incoming events. By performing scheduled maintenance, you
lower the risk of needing to perform immediate maintenance of the database.
To schedule maintenance
4. Click Maintenance.
The Maintenance option expands, providing the Run Now, Schedule, or
History features.
5. Click Schedule.
The Schedule Maintenance page opens, displaying the scheduling options.
8. (Optional) Limit the time the record purge operation runs by selecting Limit
Run Time and specifying the maximum length of time, in hours and minutes,
you want the purge to run.
9. Select one of the options in the Scheduler pane to specify when the
maintenance occurs:
Daily
Perform daily maintenance at the time you specify. You must provide the
time zone, start time, and date for this maintenance, and specify
whether the task is performed every day, only on weekdays, or at a
specified interval.
Weekly
Perform weekly maintenance. You must provide the time zone and start
time for this maintenance, specify how often the maintenance is
performed, and identify the days of the week on which to perform the
maintenance.
Monthly
Perform monthly maintenance. You must provide the time zone
and start time for this maintenance. You must also specify when this
maintenance occurs by either specifying a specific date each month or,
for a more flexible option, specifying a day each month, such as the first
Monday of every month, on which the maintenance is performed. You
can also specify the months in which maintenance is performed.
10. Click Apply.
The Maintenance History page lets you view when maintenance was performed
on the Event database. You can also clear history, if necessary.
4. Click Maintenance.
The Maintenance option expands, providing the Run Now, Schedule, and
History features.
5. Click History.
The Maintenance History page opens, displaying the maintenance history.
Initiated By
The user who started this maintenance run.
Type
Description
Start Time
End Time
The time the maintenance ended.
Status
The status of the maintenance attempt.
Records Deleted
The Event Server option expands, displaying the various subsections you
can select.
4. Click Maintenance.
The Maintenance option expands, providing the Run Now, Schedule, and
History features.
5. Click History.
The Maintenance History page opens, displaying the maintenance history.
7. Click Yes.
The history is cleared.
The Archiving page lets you specify when, and under what conditions, the event
database is archived.
Archiving the event database lets you save space on the event server without
deleting past events. The archives still take up space, but not as much as the full
records.
The Event Server option expands, displaying the various subsections you
can select.
4. Click Archiving.
The Archiving option expands, providing the Archiving, History, and
Databases options.
6. Enable the Conditional option to archive the event database when the
database exceeds a specified size limit.
If you enable this option, you must specify the size limitation.
7. Enable the Scheduled option to specify when to run the archiving operation.
You must enable this option to set a schedule for archiving.
8. Select one of the following options to specify when the archiving occurs:
Daily
Perform daily archiving at the time you specify. You must provide the
time zone, start time, and date for this archiving, and specify if the task
is performed every day, only on weekdays, or at specified intervals.
Weekly
Perform weekly archiving. You must provide the time zone and start time
for this archiving, specify how often the archiving is performed, and
identify the days of the week on which to perform the archiving.
Monthly
Perform monthly archiving. You must provide the time zone and start
time for this archiving. You must also specify when this archiving occurs
by either specifying a specific date each month or, for a more flexible
option, specifying a particular day, such as the first Monday of each
month, on which the archiving occurs. You can also specify the months
during which archiving is performed.
9. Click Apply.
Your changes are saved and the archiving is scheduled.
If you no longer want to perform scheduled archiving, open the Archiving page,
disable the Conditional and Scheduled options, and click Apply.
The Archiving History page lets you view when archiving was performed on the
Event database. You can also clear the history, if necessary.
4. Click Archiving.
The Archiving option expands, providing the Archiving, History, and
Databases features.
5. Click History.
The Archiving History page opens, displaying the archiving history.
Initiated By
The user who started this archiving run.
Type
Created on
The date on which the data stored in the archive was first created.
Archived on
Database
The name of the database that was archived.
Details
Additional information about the archiving that occurred.
The Event Server option expands, displaying the various subsections you
can select.
4. Click Archiving.
5. Click History.
The Archiving History page opens, displaying the archiving history.
7. Click Yes.
The history is cleared.
The Archived Databases page displays the archived copies of the event database
that were created and lists when the archive was created, when it was last
updated, and which database was archived.
4. Click Archiving.
The Archiving option expands, providing the Archiving, History, and
Databases features.
5. Click Databases.
The Archived Databases page opens, displaying the archived databases.
Created on
The date on which the information in the archive was first created.
Archived on
The date on which the archive was created.
Database
The name of the database archived.
User Roles
This section contains procedures related to User Roles.
User Roles lets you specify which users have which privileges or permissions in
the Total Defense product. You manage user roles using the User Roles page.
The User Roles page lists the users and the roles they have been assigned. Each
role grants certain permission to that user.
When adding users, you can add them individually or add a user group
defined on a domain. Any user in a user group inherits the same roles as the user
group, and shows up in the user list with the inherited roles included.
Note: The Administrator or User Manager can modify the role assignments for
any user. However these users may not remove their own ability to manage
roles.
To view the user roles, in the Navigation Pane, click User Roles under Configure.
The User Roles page displays the assigned user roles, and displays the following
information:
Name
Lists the user accounts and user groups. Expand a user group to show all
users within that group.
Domain
Lists the domain of the user account.
Global Roles
Additionally, if you move your mouse over one of the User Role icons, a pop-up
lists the domain and user name of the user, the role, if the role is assigned
directly to the user, and if the role is inherited from a group.
Add
Allows you to add new users who do not have assigned roles.
Remove All Roles From User
Details
Legend
Displays the User Roles legend, indicating which icon matches which user
role.
The User Roles page lets you filter the view using the following drop-down
menus:
View By Roles
Domain
Displays only those users from the specified domain. You can also enter
only part of the name to find all the users with a domain matching the
string you enter.
As you enter characters into either of the filter fields, the display
immediately shows the users that match the characters you entered. For
example, if you enter "a" in User Name, then only users with "a" in their
name are shown. If you enter "ab," only users with "ab" are shown.
In addition to filtering the user list, you can use the list to add or remove roles
from users. You can add or remove user roles from an existing user or user
group. You cannot, however, remove a user from a user group or add new users
or groups to the list. For this, you have to use the Add Users page accessed by
clicking the Add button.
The role is added or removed from the user. If the role was inherited from a
group, a pop-up appears, informing you of the inheritance. To change a role
that is inherited from a group, you must either change the group's roles or
remove the user from the group.
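The following Python example, added here and not part of the product, models the role behaviour described in this section: a role is either assigned directly to a user or inherited from a domain group, an inherited role cannot be removed from the user (the group's roles must change or the user must leave the group), and an Administrator or User Manager may not remove their own last role-managing role. The store class, the group and user names, and the role names other than Administrator and User Manager are constructed for the illustration.

```python
from typing import Dict, Set

# Roles that carry the ability to manage role assignments (per the note above).
ROLE_MANAGING_ROLES = {"Administrator", "User Manager"}


class RoleStore:
    """Hypothetical model of the User Roles page (added example, not product code)."""

    def __init__(self) -> None:
        self.direct: Dict[str, Set[str]] = {}   # principal (user or group) -> roles
        self.members: Dict[str, Set[str]] = {}  # group -> member users

    def assign(self, principal: str, role: str) -> None:
        """Assign a role directly to a user or to a group."""
        self.direct.setdefault(principal, set()).add(role)

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def effective_roles(self, user: str) -> Dict[str, str]:
        """Map each effective role to its source: 'direct' or 'inherited from <group>'.

        A role held both directly and through a group is reported as direct,
        which is what the mouse-over pop-up needs to distinguish.
        """
        result: Dict[str, str] = {}
        for group, users in sorted(self.members.items()):
            if user in users:
                for role in self.direct.get(group, set()):
                    result.setdefault(role, f"inherited from {group}")
        for role in self.direct.get(user, set()):
            result[role] = "direct"
        return result

    def remove_role(self, actor: str, user: str, role: str) -> None:
        """Remove a directly assigned role; refuse inherited roles and self-lockout."""
        roles = self.effective_roles(user)
        if role not in roles:
            raise KeyError(f"{user} does not hold {role}")
        if roles[role] != "direct":
            # Mirrors the pop-up: change the group's roles or remove the member.
            raise ValueError(f"{role} is {roles[role]}; change the group's roles "
                             f"or remove {user} from the group")
        self.direct[user].discard(role)
        still_managing = set(self.effective_roles(user)) & ROLE_MANAGING_ROLES
        if actor == user and role in ROLE_MANAGING_ROLES and not still_managing:
            self.direct[user].add(role)  # roll back: no role-managing role would remain
            raise PermissionError("a user may not remove their own ability to manage roles")


def remove_role_outcome(store: RoleStore, actor: str, user: str, role: str) -> str:
    """Return 'removed' or the name of the refusal raised (for callers and tests)."""
    try:
        store.remove_role(actor, user, role)
    except (KeyError, ValueError, PermissionError) as exc:
        return type(exc).__name__
    return "removed"


if __name__ == "__main__":
    store = RoleStore()                       # constructed sample data follows
    store.add_member("CORP\\SecOps", "alice")
    store.add_member("CORP\\SecOps", "bob")
    store.assign("CORP\\SecOps", "Auditor")
    store.assign("alice", "Administrator")
    print(store.effective_roles("alice"))
    print(remove_role_outcome(store, "carol", "bob", "Auditor"))        # inherited
    print(remove_role_outcome(store, "alice", "alice", "Administrator"))  # self-lockout
```

The self-lockout check is evaluated on the effective roles after the removal, so an Administrator who also holds User Manager can drop the Administrator role, and a role that is also inherited through a group keeps the user able to manage roles even after the direct assignment is removed.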
The Role Assignment Details page provides detailed information about the roles
assigned to a selected user.
Type
Lists how the role was assigned to the user. Some roles may be inherited
from user groups, others are assigned directly.
The list of users to whom you can assign user roles is drawn from the local users
on the Management Server and the set of domain users. From the Add Users
page you can add a user or a user group to the selected user role. You may also
add users to a user role on the User Roles page, but you may not add user
groups.
4. Click Add.
5. In the Name field under Available Users, enter the name of the user.
You can also enter a partial name or use wild cards to find a selection of
users.
6. In the Domain field, select the domain where the user is located or where
you want to search.
7. Click Go.
The Management Console searches for users that match the criteria you
selected. All matching users are added to the user list.
8. Select the user or user group to add to the role and click the arrow to move
the user to the Assigned Users list for the role.
You can also use this page to remove a user or user group from the CA Total
Defense user list.
2. Select a User Role that is assigned to the user you want to remove, using the
View by Roles drop-down menu.
3. Click Add.
4. In the Assigned Users table, select the user or group to remove from the
role, and click the arrow to remove the user or group from the role.
To discard the changes click Discard. When finished, or to exit the page
without making any changes, click Close.
3. Select Roll back signatures to, and click the calendar icon to select the date
to which to roll back.
4. Click Apply.
Your request is submitted. If you have the proper permissions and there are
no pending actions blocking the rollback, the signatures roll back to the
version from the date you specified.
After all conflicts are resolved, you must resume the signature updates.
Your request is submitted. If you have the proper permissions and there are
no pending actions blocking this action, the signature updates resume.
caamscanner.exe
/fullscan
Performs an Anti-malware full scan.
/customscan
Performs a scan on a list of provided paths, including all files and subfolders
found in that location. The syntax for this parameter is:
/customscan PathName
All command line parameters use the currently defined Anti-Malware policy for
any additional scan settings.
The command line scan writes output to a log text file, caamdebuglog.log,
located at:
%ALLUSERSPROFILE%\Application Data\CA\TDClient\AM
ProgramData\CA\TDClient\AM
If you later deploy the full version of Microsoft SQL Server 2005, you can move
your Total Defense database to your new SQL Server installation without loss of
data.
Note: You can also use this procedure to copy the Total Defense database to
another database.
2. From the Start, Programs menu, select Microsoft SQL Server 2005, and
select SQL Server Management Studio Express.
Microsoft SQL Server Management Studio appears.
4. Right-click the itmdb item and select Tasks, and then select Back Up from
the pop-up menu.
5. Ensure that the Backup type is set to Full, make a note of the path in the
Destination field, and click OK.
The backup begins. You are prompted when the backup is complete.
6. Copy the backup file you created, itmdb.bak, to the new database server.
7. Launch the SQL Server Management Studio on the new database server and
log in.
8. Right-click the Database tree node and select Restore Database from the
pop-up menu.
9. Enter itmdb in the To database field in the Destination for restore section of
the Restore dialog.
10. Select the From device option in the Source for restore section, and select
the itmdb.bak file you copied from the SQL Express server.
11. Ensure that the full database is selected in the list of backup sets to restore
and click OK to restore the database.
The database is restored and you are prompted when the restore operation
is complete.
Important! When the database has been restored, you must point the
Management Server to the new database to complete the migration.
You can migrate your databases to a new SQL Server database or you can import
your existing databases to a new location.
Note: You must ensure that your new SQL Server database is properly
configured to work with CA Total Defense. Before you migrate, review the
pre-installation tasks outlined in the CA Total Defense Quick Install Guide to
ensure that you have properly configured your database.
3. Note the names of the Events, Reports, and Notifications databases listed in
the Database names section.
where
– de - German
– en - English
– es - Spanish
– fr - French
– it - Italian
– ja - Japanese
– ko - Korean
– pt - Brazilian Portuguese
– zh - Simplified Chinese
– zh - Traditional Chinese
For example, to create an Events database using localhost as the Host name,
SQLEXPRESS as the SQL Server instance, Admin as the user name, Pass123
as the password, EventsDB as the new database name, and English as the
language, enter the following:
EventTool.exe -createeventsdb localhost SQLEXPRESS Admin Pass123 EventsDB en
5. If you are importing full databases to a new location, open SQL Server
Management Studio, log in to the new SQL Server, and perform the following
procedure.
Note: If you are migrating to a new SQL Server database, skip this step.
a. Right-click any of the databases and select Tasks, and then select Import
Data from the pop-up menu.
The SQL Server Import and Export Wizard opens. Follow the prompts to
complete the wizard:
b. Enter information about the old database on the old SQL Server in the
Data Source details, and click Next.
c. Enter information about your new database in the Destination fields, and
click Next.
d. Select Copy data from one or more tables or views, and click Next.
e. In the Select Source Tables and Views dialog, select all tables and click
Edit Mappings.
f. In the Transfer Settings dialog, ensure that the Drop and recreate new
destination tables option is not selected, select the Delete rows in
existing destination tables option and the Enable identity insert options,
and click OK.
g. Click Next in the SQL Server Import and Export Wizard, select the Run
immediately option and click Finish.
8. Configure your new server connection settings and test the connection using
the Test Connection button.
9. Click Apply to apply your server connection settings.
Note: When you have moved to the new SQL Server, Archived databases on the
original database location are no longer accessible.
If you are already using Microsoft SQL Server and plan to use it with CA Total
Defense, verify that the following items are configured before you install CA Total
Defense:
■ You are using Windows and SQL authentication (mixed mode authentication)
■ You have enabled the TCP/IP protocol and assigned the port
If you choose to install Microsoft SQL Server Express during installation, these
items are installed with all necessary settings configured.
Database Connectivity
■ You specify both the domain name and the user name (for example,
mydomain\myuser).
■ You use the correct case when entering the user name. User names are
case-sensitive.
For example, in a domain called LAB.LOCAL, the credentials should look like
LAB\Administrator.
Error 50029 signifies that an invalid user name was entered during installation.
During installation, the user name must be supplied in one of the following
formats:
■ If the user name is a domain user, specify the user as:
domain\UserName
■ If the user name is part of a built-in domain, specify the user as:
.\UserName or LocalMachine\UserName
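A pre-install check for the account formats listed above, added here as an example and not part of the guide or the installer: it accepts domain\UserName, .\UserName and LocalMachine\UserName, rejects the UPN and DNS-style forms that lead to an invalid user name, and preserves the case the user typed. The name check_install_account and the machine_name parameter are assumptions for this example.

```python
import re
from typing import Optional, Tuple

# Account formats the installer accepts, per the guide:
#   domain\UserName          domain user (NetBIOS domain name, e.g. LAB, not LAB.LOCAL)
#   .\UserName               built-in account on the local machine
#   LocalMachine\UserName    built-in account, machine name spelled out
# Domain part: a lone "." or a NetBIOS/host name; user part: no backslash, slash
# or other characters Windows rejects in account names. Case is preserved as typed.
_DOMAIN = r"(?:\.|[A-Za-z0-9][A-Za-z0-9.-]*)"
_USER = r"[^\\/\[\]:;|=,+*?<>\"@\s][^\\/\[\]:;|=,+*?<>\"@]*"
_ACCOUNT_RE = re.compile(rf"^(?P<domain>{_DOMAIN})\\(?P<user>{_USER})$")


def check_install_account(account: str, machine_name: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, detail). ok is False for the shapes the guide associates with
    an invalid user name (Error 50029); detail names the accepted form or the problem."""
    if "@" in account and "\\" not in account:
        return False, "UPN form (user@domain) is not accepted; use domain\\UserName"
    m = _ACCOUNT_RE.match(account)
    if m is None:
        if "\\" not in account:
            return False, "missing domain: specify domain\\UserName or .\\UserName"
        return False, "malformed account name"
    domain, user = m.group("domain"), m.group("user")
    if domain == ".":
        return True, "built-in (local) account"
    # Machine names are compared case-insensitively; the user part is left as typed.
    if machine_name is not None and domain.lower() == machine_name.lower():
        return True, "built-in (local) account via machine name"
    if "." in domain:
        # The guide's example: domain LAB.LOCAL is entered as LAB\Administrator.
        return False, f"use the NetBIOS domain name, e.g. {domain.split('.')[0]}\\{user}, not {domain}"
    return True, "domain account"
```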
The SMB scan engine and DNS scan engine results form the basis for the search
performed by the rest of the scan engines. However, if these scans fail to find
any endpoints, the subsequent scan engines cannot run.
For the SMB scan engine to work, the following services must be started by the
operating system at system boot-up on the machine from which Endpoint
Discovery is launched:
■ Server service
■ Workstation service
For the DNS scan engine, DNS zone transfer must be enabled so that the engine
can receive a list of hosts and IP addresses. Zone transfer must be configured
manually on the DNS server, and should be permitted only to the host that runs
Endpoint Discovery rather than to any address.
Check the following list for reasons why Endpoint Discovery is prolonged:
■ The maximum number of scan threads is set too low while the network to
discover is extremely large. If possible, try to increase the maximum number
of scan threads.
■ You have the Active Fingerprinting engine enabled, port scan mode enabled,
and the maximum port value set high while the maximum scan thread count is
set too low. Try increasing the maximum scan thread number, or enable the
known ports option and specify the known ports.
■ You have the Active Fingerprinting engine enabled and port scan mode
enabled, the maximum scan thread count is set too low, and the specified
preferred ports are not actually open across the network, or you did not
specify any preferred ports. Make sure the preferred ports are configured
properly and that the ports are open across your network.
■ You have the ICMP, TCP or Active Fingerprinting timeouts set to a high value
and the maximum scan thread count is too low. Try increasing the maximum
scan threads or choose lower timeout values.
The Endpoint Discovery SMB engine attempts to get all primary domains on the
network and determine the hosts in each domain using the SMB protocol. The
result is a list of hostnames and their operating system. Endpoint Discovery then
tries to resolve the hostname to an IP address using the DNS server (as
"nslookup" does). Some hostnames are not resolved to an IP address. In this
case, the Unmanaged Endpoints list only displays the hostname and operating
system.
2. Select all categories for Total Defense Logging and click Apply.
There is no need to recycle anything.
Change this value to any number besides 0 to generate a Diagnostic report (even
if there is no error).
Note: You must restart the Report Service for this change to take effect.
This report contains three layers of information that can help diagnose the
problem:
First layer: General Information
This section contains several general items such as the name of the report,
report ID, database connection string, the account that implemented the
report, its layout, language, time zone, the physical location (known as the
drop folder), and which .NET object implemented the report.
Note: The most important item in this section is the database connection
string. Most report failures occur because of an improper configuration of the
SQL Server or network access issues to the SQL Server.