Comodo Watch - Admin Guide

Date post: 21-Aug-2020
Comodo Watch
Software Version 1.0

Administrator Guide
Guide Version 1.0.082714

Comodo Security Solutions
1255 Broad Street, STE 100
Clifton, NJ 07013

Table of Contents

1. Introduction to Comodo Watch (page 3)
   1.1. Installation and Activation (page 4)
   1.2. Configuring cWatch System with Local Network for Monitoring Web Traffic (page 16)
   1.3. Configuring cWatch System and Mail Transfer Agent for Monitoring Email Traffic (page 17)
   1.4. Logging-in to the Administrative Console (page 19)
2. The cWatch Administrative Console (page 21)
   2.1. Configuring cWatch (page 21)
      2.1.1. Main Configuration (page 22)
      2.1.2. Sniffer Configuration (page 23)
      2.1.3. Content Analysis Rules (page 25)
      2.1.4. Configuring Email Notifications (page 26)
   2.2. Checking cWatch System Status (page 27)
   2.3. Reports (page 29)
      2.3.1. HTTP Analyser Reports (page 30)
      2.3.2. Email Analyser Reports (page 35)
   2.4. Changing Comodo Watch Administrative Console Password (page 39)
   2.5. Managing Your Account (page 40)
About Comodo (page 44)

Comodo Watch - Admin Guide | © 2014 Comodo Security Solutions Inc. | All rights reserved 2


1. Introduction to Comodo Watch

Today's network administrators face the unenviable task of keeping employees secure against an ever-rising tide of malware, hacking attacks, social engineering and phishing. It's an unpredictable and poisonous environment which confronts even the best prepared administrators with a unique challenge on a daily basis. Comodo Watch meets this challenge by providing immediate notification of, and visibility into, malware outbreaks across all network and mail traffic. After the application has been installed and configured on a local server, cWatch uses a proprietary combination of cloud-based and local virus scans, real-time behavior analysis, automatic file look-up and multiple blacklist checks to quickly and accurately identify known and unknown threats.

Once configured, all network traffic will be examined by the following cWatch technologies:

• Comodo Antivirus - Continuously updated antivirus scanner which provides dependable protection against known malicious files.

• Cloud-based file look-up service - File reputation service which instantly checks a file's signature against the very latest database to ascertain whether it is trusted, malicious or unknown.

• Comodo Automated Malware Analysis (CAMAS) - A cloud-based behavior analysis service which improves detection of zero-day threats by rigorously testing the run-time actions of unknown files.

• ClamAV - ClamAV is designed to scan mail gateways for malicious files and provides another layer of protection on top of Comodo Antivirus.

• Blacklist checking - Real-time checks of whether the domains, URLs and IP addresses visited by your users are flagged as malicious by major blacklisting services.

Guide Structure

This guide is intended to take you through the configuration and use of cWatch and is broken down into the following main sections.

• Introduction to Comodo Watch
  • Installation and Activation
  • Configuring cWatch System with Local Network for Monitoring Web Traffic
  • Configuring cWatch System and Mail Transfer Agent for Monitoring Email Traffic
  • Logging-in to the Administrative Console

• The cWatch Administrative Console
  • Configuring cWatch
  • Checking cWatch System Status
  • Reports
  • Changing cWatch Administrative Console Password
  • Managing Your Account

1.1. Installation and Activation

cWatch can be downloaded in ISO format from https://download.comodo.com/catp/cwatch.iso

Activation and use of cWatch is free during the beta-period, but you will need a Comodo Accounts Manager (CAM) account in order to obtain the key required to activate your license.

• If you do not yet have a CAM account, please create one by clicking the 'Sign Up to Comodo Watch Service' link at https://accounts.comodo.com/account/signup

• If you have a CAM account:
  • Login at https://accounts.comodo.com/account/login
  • Click 'My Account'
  • Click 'Sign Up to Comodo Watch'

You will be taken to the purchase page of Comodo Watch.

• Select the subscription package you want to use from the list displayed.


• Enter the User Details and Contact Information in the respective fields under 'Customer Information'.

• If you have already logged in, the contact details will be auto-populated.

• If you already have an account with Comodo, check the 'Yes' box. You will only need to enter your Email Address/Login ID, Password, and Contact Information.

Note: Fields marked with * are mandatory.


• Select the payment options and fill the credit card details.


• Select the checkbox in the 'Communication Options' section, if you want to be kept informed about special offers, Comodo products and upgrades.

• Read the Terms and Conditions and accept them by selecting the 'I accept the Terms and Conditions' check box.

• Click 'SIGN UP.'

You will receive a confirmation email and the license key at that email address. You can also get the license key from https://accounts.comodo.od.ua/capt/capt_subscriptions.

You can activate your cWatch product by applying the license key in the 'My Account' interface of the cWatch administrative console. Refer to the explanation of activating, upgrading and renewing your license under the chapter Managing Your Account for more details.

Minimum Hardware Requirements

• Processor - Dual core

• RAM - 4 GB RAM

• Hard Disk - 100 GB

• CD/DVD drive

Installation

The cWatch application runs on Ubuntu Linux and should be installed on a local server in your network. Once the .iso file is downloaded and burned to CD or DVD, please follow these installation instructions:

• Insert the installation disc into the CD/DVD drive of your cWatch server and boot the system from the disc.

• Click 'Install Ubuntu'


• Keep the 'Download updates while installing' checkbox unchecked.

• Click 'Continue'

• Proceed with partitioning as required. Make sure to have enough space for the /usr/local directory (>10 GB depending on traffic).

• Click 'Install Now'


Note: Make sure to set the time zone to UTC. If required, you can do this later using the following command in the terminal window:

sudo dpkg-reconfigure tzdata

• Select Etc and then select UTC

• Click 'Continue'.

• Select the language from the list and click 'Continue'.


• The installation progress will be displayed. When it completes, remove the installation disc and reboot the system.

• The customized Ubuntu desktop will appear.

• Login with the following credentials:
  • Logname: comodo
  • Password: cWatchproj

Note: The password must be changed after the first login.


• Enter the new UNIX password and confirm it.

The Ubuntu Desktop will be displayed.

• Click the Comodo Watch icon on the desktop. The Comodo Watch administrative interface will open in the Firefox browser.

When you launch the Comodo Watch administrative console for the first time, the browser will display a warning.


• Click 'I Understand the Risks' and then click 'Add Exception'. A confirmation dialog will be displayed.


• Click 'Confirm Security Exception'. The login screen for the administrative console will open.

• Login to the admin panel with the default credentials:
  • Username - admin
  • Password - cWatch_admin

From the next login attempt onward, you will not be asked to add the connection to the cWatch Administrative Console to the exceptions. You can change the login password in the admin panel in the 'Change Password' section.

Note: Make sure to set the timezone to UTC. If you didn't do this during installation, you can do so now using the following command in the terminal window:

sudo dpkg-reconfigure tzdata

• Select Etc and then select UTC

Next steps:

• Configuring cWatch System with Local Network for Monitoring Web Traffic

• Configuring cWatch System and Mail Transfer Agent for Monitoring Email Traffic

• Accessing the Administrative Console


1.2.Configuring cWatch System with Local Network for Monitoring Web Traffic

To be effective, cWatch must be able to monitor all network traffic. This can be done in multiple ways:

• Parallel Method

• Transparent Method

The parallel method assumes that the local network gateway sends a mirror of all inbound and outbound traffic to the cWatch server. The transparent method assumes the cWatch server receives the traffic itself by operating in bridged mode.

Note: There are several configuration methods and types available, and administrators can use whichever is convenient for them. The main objective is that the cWatch system should be able to see the web traffic of the clients on the network that the administrators want to monitor.

Parallel Method

Traffic can be mirrored to the cWatch server via hardware or software methods.

Hardware Solution

There are several possible solutions to mirror traffic at the hardware level:

• HUB - This requires no configuration at all; just plug the cWatch server into one of the hub's ports.

• Configure one SWITCH port to be a traffic mirror - This is a good and flexible solution. Many modern switches and hardware routers have the ability to dedicate one of their NICs for traffic mirroring. For more information about this method, please visit http://www.securitywizardry.com/index.php/tools/switch-port-mirroring.html

• Use special hardware (Network TAP) - This is the best solution for traffic mirroring. A network tap is a 'bump-in-the-wire device' designed only to copy traffic passing through it to a monitor port.

Software Solution

The method explained below shows how to configure a Linux-powered gateway to copy all traffic passing through it to the cWatch server. Other *NIX-like operating systems may have similar solutions; please refer to the corresponding manuals.

iptables has been the standard firewall toolkit in the *NIX world for years. It lets you apply NAT to traffic, rewrite the TTL, drop and/or log packets, and even duplicate interface traffic.

Setup example:

Gateway = 10.0.0.1
cWatch server = 10.0.0.2
LAN = 10.0.0.0/8

Run the following commands on the Gateway:

iptables -t mangle -I PREROUTING -p tcp -j TEE --gateway 10.0.0.2
iptables -t mangle -I POSTROUTING -p tcp -j TEE --gateway 10.0.0.2

Now all TCP traffic coming from LAN 10.0.0.0/8 will be *copied* to the cWatch server with IP 10.0.0.2.

Note: The cWatch server and the local gateway must belong to the same network.
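As an added example that is not part of the guide, the Python script below generates the two TEE rules above from the gateway and cWatch parameters, refuses the combination the note warns about (a cWatch server outside the gateway's network), and inserts the rules idempotently by checking with iptables -C first. The optional port restriction (multiport --ports, so that only web ports are mirrored rather than all TCP) and the check-before-insert step are additions of this example, not something the guide describes.

```python
"""Added example (not Comodo's code): build the TEE mirroring rules for the
parallel method and check the precondition the guide's note states, that the
cWatch server is on the gateway's own network."""
import ipaddress
import shlex
import subprocess


def build_tee_rules(gateway_cidr, cwatch_ip,
                    chains=("PREROUTING", "POSTROUTING"), ports=None):
    """Return the iptables commands (as argv lists) that copy TCP traffic to
    the cWatch server.

    gateway_cidr: gateway address with its prefix length, e.g. "10.0.0.1/8"
    cwatch_ip:    cWatch server address, e.g. "10.0.0.2"
    chains:       mangle chains to hook; the guide uses both
    ports:        optional TCP ports/ranges such as ["80", "8080:18000"] to
                  mirror only web traffic instead of all TCP (added option)
    """
    gw = ipaddress.ip_interface(gateway_cidr)
    target = ipaddress.ip_address(cwatch_ip)
    if target not in gw.network:
        # TEE hands the copy to the next hop at layer 2, so the target must be
        # directly reachable: this is the guide's "same network" note.
        raise ValueError(f"cWatch server {target} is not on {gw.network}")
    if target == gw.ip:
        raise ValueError("cWatch server address must differ from the gateway")
    match = ["-p", "tcp"]
    if ports:
        match += ["-m", "multiport", "--ports", ",".join(ports)]
    return [["iptables", "-t", "mangle", "-I", chain, *match,
             "-j", "TEE", "--gateway", str(target)] for chain in chains]


def as_shell(rule):
    """Render one argv list as the command line you would type on the gateway."""
    return " ".join(shlex.quote(arg) for arg in rule)


def apply_rules(rules, run=subprocess.run):
    """Insert each rule only if 'iptables -C' reports it absent, so re-running
    the script never stacks duplicate TEE rules (each duplicate would send one
    more copy of every packet). 'run' is injectable for dry runs and tests."""
    applied = []
    for rule in rules:
        check = ["-C" if arg == "-I" else arg for arg in rule]
        if run(check, capture_output=True).returncode != 0:
            run(rule, check=True)
            applied.append(rule)
    return applied


if __name__ == "__main__":
    # Prints the rule set for the guide's setup example (no root needed).
    for rule in build_tee_rules("10.0.0.1/8", "10.0.0.2"):
        print(as_shell(rule))
```

The TEE target needs the xt_TEE kernel module on the gateway. On a forwarding gateway a packet traverses both mangle PREROUTING and POSTROUTING, so the guide's two-rule form delivers two copies of every forwarded packet to the cWatch server; passing chains=("PREROUTING",) delivers one copy of each direction.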

Transparent Method - Bridge Solution

A bridge connects two Ethernet segments together in a protocol-independent way. Packets are forwarded based on Ethernet address rather than IP address (as a router does). Since forwarding is done at Layer 2, all protocols can pass transparently through a bridge.

The bridge solution requires the cWatch server to have two physical NICs. The cWatch server needs to be configured appropriately (i.e. NetworkManager should be disabled).

Administrators can use the script /etc/network/if-up.d/bridge. At least one option should be set:

...
# Set IP of bridge for ssh access
ifconfig br0 192.168.75.89 netmask 255.255.255.0 broadcast 192.168.75.255
...

Before running the script, make it executable and un-check the 'Enable Networking' box in NetworkManager. For more details about Linux bridging, please visit http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge

1.3.Configuring cWatch System and Mail Transfer Agent for Monitoring Email Traffic

Both cWatch and your Mail Transfer Agent (MTA) must be configured in order for the solution to monitor mail traffic.

Configuring cWatch

• Login to the Administrative Console.

• Click Configuration and then Main Configuration.

• Select the checkbox beside 'Enable SMTP analysis server'.


• Select the IP address that is used for network services, including the SMTP analysis service.

• Click the 'Update' button.

Configuring MTA

The company MTA must be configured to send a blind carbon copy (BCC) of email messages to cWatch.

Click the following for more details:

• Postfix

• Exim

• Sendmail

• Microsoft Exchange Server

• Windows MDaemon

Postfix

Edit the /etc/postfix/main.cf file and create a /etc/postfix/sender_bcc file. Make sure to take a backup of the files before editing, in case something goes wrong (cp /etc/postfix/main.cf /etc/postfix/main.cf.old).

• Edit the /etc/postfix/main.cf file and add the following line:

sender_bcc_maps = hash:/etc/postfix/sender_bcc

• Create the file /etc/postfix/sender_bcc with one entry per line: the sender address, followed by the BCC address:

# emails from        # BCC to
[email protected]    [email protected]

• You then need to run the following commands:

postmap /etc/postfix/sender_bcc
postfix reload

• The BCC address will look like the one below, where 192.168.75.89 is the address of the cWatch server:

ctp_bcc@[192.168.75.89]

For more details, please visit http://www.postfix.org/ADDRESS_REWRITING_README.html

Exim

• Edit /etc/exim4/exim4.conf and add the following lines near the top:

system_filter = /etc/exim4/mail.filter
system_filter_user = Debian-exim

• Restart Exim

• Edit /etc/exim4/mail.filter as per the documentation, creating something like:

# Exim filter
logfile /tmp/mail.log
logwrite "$tod_log $h_to $h_from $h_subject "
if $header_x-loop-systemfilter contains 'ok'
then
    logwrite "Mail loop?"
    finish
endif
headers add "X-Loop-SystemFilter: ok"
if $sender_address contains "@test.com" and $h_to contains "[email protected]"
then
    logwrite "$tod_log Mail to: $h_to from: $sender_address subject: $h_subject bcc'ed to [email protected]"
    unseen deliver [email protected]
endif

So, mail sent from someone matching @test.com to [email protected] will be bcc'ed to [email protected]. Changing [email protected] to just @example.org would obviously catch everything going to the example.org domain through the server.

Sendmail

For Sendmail, administrators have to use the 'mailforward' or 'mimedefang' filter.

Please visit https://www.milter.org/milter/62 or http://www.mimedefang.org/ for details on how to configure Sendmail.

Microsoft Exchange Server

Please visit http://www.google.com/support/enterprise/static/postini/docs/admin/en/arch_ex07_config/jrnl_ms_setup.html for more details.

Windows MDaemon

Please visit http://adminsavvy.blogspot.in/2013/06/create-bcc-of-incoming-and-outgoing.html for more details.

1.4. Logging-in to the Administrative Console

After logging in to cWatch, click the 'COMODO WATCH' icon in the left-hand menu or double-click the 'COMODO WATCH' icon on the Ubuntu desktop.


The cWatch admin console login interface will be displayed in the Mozilla Firefox browser.

• Enter the username and password in the respective fields and click the 'LOGIN' button.

If this is the first time you are logging-in to the interface, then enter the default credentials:

• Username: admin

• Password: cWatch_admin

The default credentials can be changed in the 'Change Password' screen. Refer to the section 'Changing cWatch Administrative Console Password' for more details.


2. The cWatch Administrative Console

The cWatch Administrative Console is the nerve center of the cWatch monitoring system, allowing administrators to configure and monitor web and email traffic on networked computers. cWatch monitors all incoming and outgoing web traffic, uses multiple detection technologies to identify malware and sends instant email notifications when suspicious events occur. The interface also features a constantly updated reports section which contains details on the name, location, time and severity of any malware outbreaks.

Main Areas:

• Configuration - Allows you to configure cWatch to monitor web and email traffic for unsafe content. Clicking on any of the configuration icons will open a dedicated settings screen. See Configuring cWatch for more details.

• System Monitoring - Enables you to view a summary of the overall operating health of the cWatch environment. Any faults will be displayed here and, if configured, you will also receive an email alert. Refer to the section Checking cWatch System Status for more details.

• Reports - View and export lists of discovered malware, suspicious files, unsafe domains and unsafe IPs. Refer to the section Reports for more details.

• My Account - Allows you to view license and update license details. You can also login to Comodo Accounts Manager (CAM) where you can view and modify account details. Refer to the section Managing Your Account for more details.

• Change Password - Allows administrators to change the current password to a new one. Refer to the section Changing cWatch Administrative Console Password for more details.

2.1. Configuring cWatch

The cWatch system configuration screen allows you to configure various monitoring settings such as the network IP address, enabling/disabling the SMTP analysis server, the client networks to be monitored, content analysis rules and email notifications.


Click the following links for more details on each configuration screen:

• Main Configuration

• Sniffer Configuration

• Content Analysis Rules

• Configuring Email Notifications

2.1.1. Main Configuration

In the Main Configuration screen, you can select the network IP address of the cWatch server as well as enable or disable the option to monitor emails.

To access the Main Configuration screen, click Configuration > Main Configuration


• Local IP - Select the network IP address of the cWatch server.

• Enable SMTP analysis server - Select this option to enable the cWatch monitoring system to analyze the email traffic that is sent to it as BCC. Refer to the section Configuring cWatch System and Mail Transfer Agent for Monitoring Email Traffic for more details.

• Enable web content checking - Select this option to enable the cWatch monitoring system to analyze the content of web pages visited by clients in the network. Refer to the section Sniffer Configuration for more details on specifying the network of clients to be monitored.

• Click the 'UPDATE' button.

2.1.2. Sniffer Configuration

In the Sniffer Configuration screen, you can enter the network of clients that are to be monitored. You can add multiple client networks in this screen and configure other sniffer settings. For the monitoring service to work, you should have configured the local network to send traffic to cWatch. Refer to the section Configuring cWatch System with Local Network for Monitoring Web Traffic for more details.

To access the Sniffer Configuration screen, click Configuration > Sniffer Configuration


Sniffer Configuration - Table of Parameters

Clients network - Enter the client network IP addresses or CIDR blocks that the cWatch server should monitor for web traffic. Multiple addresses can be entered here separated by commas. For example, 192.168.0.128/25,192.168.0.10

Listening network filter - Enter the TCP ports or port ranges that should be monitored for web traffic. Multiple ports can be entered separated by commas. For example, 80,8080-18000

Listening network interface - Choose the network interface that the cWatch server should listen on. The options available are eth0 and lo.

Debug level - Enter the debug level (0 - 10). The higher the value, the more extensive the log files that will be created (only useful for debugging the application). The default value is 1. You can view the log file in the 'cwatch' folder on the cWatch system.

Max number of dump files in the queue - cWatch extracts key information from web traffic and creates dump files which are then queued for malware analysis. Normally, malware analysis of web traffic takes place in real time, and dump files are queued only during peak load, when the analysis engine is busy. The value entered here determines how many dump files can be queued at a time. If the dump files are not analyzed within the time set in the next option, 'Interval of dumping files rotation (mins)', then the older files will be cleared without analysis and new ones will be added to the queue. Comodo recommends setting the value between 3 and 10. The default value is 10.

Interval of dumping files rotation (mins) - The value entered here determines how long dump files should be queued for analysis before they are discarded and replaced with new ones. The value you enter here will depend on the volume of web traffic and disk space. The value should be decreased if the network traffic is high, and vice versa. The default value is 5.

• Click the 'UPDATE' button.
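The two list-valued fields above ('Clients network' and 'Listening network filter') use a simple comma-separated syntax, but the guide shows no validation of what is typed in. As an added example that is not Comodo's code, the following Python parses and validates all four fields from the table and then decides whether a given client flow falls inside the monitored set, so that a configuration can be checked before it is pasted into the screen. The field names and sample values are the table's; the flow records are constructed.

```python
"""Added example (not Comodo's code): validate the Sniffer Configuration
fields and test which client flows they would cover."""
import ipaddress

VALID_INTERFACES = {"eth0", "lo"}   # the two options the screen offers


def parse_client_networks(text):
    """'Clients network': comma-separated host addresses or CIDR blocks."""
    networks = []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        # strict=False also accepts a host address written with a prefix length
        networks.append(ipaddress.ip_network(item, strict=False))
    if not networks:
        raise ValueError("at least one client network is required")
    return networks


def parse_port_filter(text):
    """'Listening network filter': comma-separated TCP ports or lo-hi ranges."""
    ranges = []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        low, high = int(lo), (int(hi) if hi else int(lo))
        if not 0 < low <= high <= 65535:      # rejects reversed or out-of-range
            raise ValueError(f"bad port entry {item!r}")
        ranges.append((low, high))
    if not ranges:
        raise ValueError("at least one port or range is required")
    return ranges


def parse_sniffer_config(fields):
    """Validate the whole screen; returns a dict ready for is_monitored()."""
    debug = int(fields.get("debug_level", 1))
    if not 0 <= debug <= 10:
        raise ValueError("debug level must be 0-10")
    iface = fields.get("interface", "eth0")
    if iface not in VALID_INTERFACES:
        raise ValueError(f"unknown interface {iface!r}")
    return {
        "networks": parse_client_networks(fields["clients_network"]),
        "ports": parse_port_filter(fields["listening_filter"]),
        "interface": iface,
        "debug_level": debug,
    }


def is_monitored(cfg, client_ip, port):
    """True when the client address lies inside a configured network and the
    TCP port inside a configured range, i.e. cWatch would analyse the flow."""
    ip = ipaddress.ip_address(client_ip)
    in_net = any(ip in net for net in cfg["networks"])
    in_ports = any(lo <= port <= hi for lo, hi in cfg["ports"])
    return in_net and in_ports


# Constructed flows: (client address, server port) as the sniffer would see them.
SAMPLE_FLOWS = [("192.168.0.200", 80), ("192.168.0.10", 9000),
                ("192.168.0.10", 443), ("192.168.0.5", 80)]

if __name__ == "__main__":
    cfg = parse_sniffer_config({"clients_network": "192.168.0.128/25,192.168.0.10",
                                "listening_filter": "80,8080-18000"})
    for ip, port in SAMPLE_FLOWS:
        print(ip, port, "monitored" if is_monitored(cfg, ip, port) else "ignored")
```

Note that the mirrored or bridged traffic arrives on the physical interface; choosing lo would only ever show the cWatch server's own loopback traffic.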

2.1.3. Content Analysis Rules

Content analysis rules determine the composition and configuration of the cWatch malware analysis engine. The more scanning components you enable, the better the analysis of traffic and detection of malware.

To access the Content Analysis Rules screen, click Configuration > Content Analysis Rules

Content Analysis Rules - Table of Parameters

Max number of analyser processes - Enter the maximum number of analyser processes that should run concurrently. The value entered here will depend on the amount of traffic being analyzed and on the hardware resources of the system on which cWatch is installed (CPU, memory etc). The default value is 20.

Analyser sleep timeout - Enter the time in seconds after which the analyser will enter sleep mode if no traffic is available for monitoring.

Debug level - Enter the debug level (0 - 10). The higher the value, the more verbose the log files that will be created (only useful for debugging the application). The default value is 1. You can view the log file in the cwatch folder on the cWatch system.

Perform a remote scan of files with Comodo Automated Malware Analysis - Comodo Automated Malware Analysis (CAMAS) is a cloud-based virus scanning and behavior monitoring system. Files with the security status 'unknown' are submitted to and tested on CAMAS to check whether they perform malicious actions when they are run or opened. By default this setting is enabled.

Comodo Automated Malware Analysis response waiting limit (sec.) - If there is no response from CAMAS within this limit, the cWatch analyser will stop the check. Enter the time in seconds after which cWatch will terminate the remote scan process. The default time is 450 seconds.

Perform a local scan with Comodo AV - Comodo Antivirus (CAV) is an industry-recognized virus scanner that, if enabled, will run a local virus scan on all files passing through your network. The CAV signature database is updated daily. This setting is enabled by default.

Comodo AV response waiting limit (sec.) - If there is no response from Comodo AV within this limit, the cWatch analyser will stop the check. Enter the time in seconds after which cWatch will terminate the local scan process. The default time is 60 seconds.

Perform a remote scan with ClamAV - ClamAV is an open source antivirus engine designed for detecting malware on mail gateways. By default this setting is enabled.

ClamAV response waiting limit (sec.) - If there is no response from ClamAV within this limit, the cWatch analyser will stop the check. Enter the time in seconds after which cWatch will terminate the remote scan process. The default time is 60 seconds.

Perform a remote scan with Comodo File Look-up - Comodo's File Look-up service contains the very latest database of known malware signatures. If enabled, cWatch will create signatures of unknown files on your network and check for their presence in this database in real time. By default this setting is enabled.

Comodo File Look-up response waiting limit (sec.) - If there is no response from the Comodo File Look-up server database within this limit, the cWatch analyser will stop the check. Enter the time in seconds after which cWatch will terminate the remote scan process.

Perform domains black-list checking - If enabled, cWatch will also pass external requests from your network through a locally-stored database of blacklisted domains, IP addresses and URLs. cWatch will regularly download updates to this database to ensure you receive the very latest protection. By default, all three settings are enabled.

Perform IPs black-list checking

Perform URLs black-list checking

• Click the 'UPDATE' button.
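To make the interplay of these settings concrete, here is an added Python model of the analysis pipeline (example code, not cWatch's own implementation): each enabled engine runs concurrently under its own response waiting limit, an engine that does not answer in time is abandoned rather than blocking the others, and the per-engine verdicts are combined into the Safe, Suspicious and High Risk categories used by the reports. The check at the end matches an outbound request against the domain, IP and URL blacklists, including parent domains. The engine stand-ins, the aggregation rule, the indicator data, the `wait_limits` values (scaled down from the defaults above so the example finishes quickly) and the function names are all assumptions made for the example.

```python
"""Model of a multi-engine content analyser with per-engine waiting limits.

Added illustration, not cWatch's own code: the engine stand-ins, verdict rules,
reputation data and shortened waiting limits are assumptions for this example.
"""
import hashlib
import ipaddress
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from urllib.parse import urlsplit

# Constructed reputation data for the example (not real indicators).
KNOWN_MALWARE_SHA1 = {hashlib.sha1(b"constructed-known-bad-sample").hexdigest()}
BLACKLISTED_DOMAINS = {"bad.example"}
BLACKLISTED_IPS = {"203.0.113.7"}
BLACKLISTED_URLS = {"http://cdn.example/payload/dropper.exe"}

# Waiting limits in seconds. The guide's defaults are 450 (CAMAS) and 60 (Comodo AV,
# ClamAV); they are scaled down here so that the example runs in well under a second.
WAIT_LIMITS = {"comodo_av": 0.5, "clamav": 0.5, "file_lookup": 0.5, "camas": 0.1}


# Stand-ins for the real engines. Each returns "malicious", "clean" or "unknown".
def comodo_av(data):
    return "malicious" if b"EVIL" in data else "clean"


def clamav(data):
    return "malicious" if b"EICAR" in data else "clean"


def file_lookup(data):
    # Hash-based look-up: only files already in the database receive a verdict.
    return "malicious" if hashlib.sha1(data).hexdigest() in KNOWN_MALWARE_SHA1 else "unknown"


def camas(data):
    time.sleep(0.5)  # sandbox detonation takes longer than its (scaled) waiting limit above
    return "clean"


ENGINES = {"comodo_av": comodo_av, "clamav": clamav, "file_lookup": file_lookup, "camas": camas}


def analyse_file(data, engines=ENGINES, wait_limits=WAIT_LIMITS):
    """Run every enabled engine concurrently; one that exceeds its limit is recorded as 'no response'."""
    executor = ThreadPoolExecutor(max_workers=len(engines))
    futures = {name: executor.submit(fn, data) for name, fn in engines.items()}
    results = {}
    for name, fut in futures.items():
        try:
            results[name] = fut.result(timeout=wait_limits[name])
        except FutureTimeout:
            results[name] = "no response"
    executor.shutdown(wait=False)  # do not block on an engine that is still running
    return results


def classify(results):
    """Assumed aggregation rule: any malicious hit is High Risk; an unknown file that the
    sandbox never cleared is Suspicious; everything else is Safe."""
    if "malicious" in results.values():
        return "High Risk"
    if results.get("file_lookup") == "unknown" and results.get("camas") != "clean":
        return "Suspicious"
    return "Safe"


def check_request(url, dest_ip):
    """Return which blacklists (domain, ip, url) an outbound request matches."""
    hits = []
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # Match the host and each parent domain, so listing "bad.example" also catches "cdn.bad.example".
    if any(".".join(labels[i:]) in BLACKLISTED_DOMAINS for i in range(len(labels))):
        hits.append("domain")
    if str(ipaddress.ip_address(dest_ip)) in BLACKLISTED_IPS:
        hits.append("ip")
    if url in BLACKLISTED_URLS:
        hits.append("url")
    return hits


if __name__ == "__main__":
    for sample in (b"constructed-known-bad-sample", b"hello world"):
        results = analyse_file(sample)
        print(hashlib.sha1(sample).hexdigest(), classify(results), results)
    print(check_request("http://cdn.bad.example/x", "198.51.100.1"))
```

Run as written, the known-bad sample is High Risk from the hash look-up alone even though the sandbox stand-in never answers, while the unknown file comes out Suspicious because its only remaining source of a verdict (the sandbox) exceeded its waiting limit; raising the CAMAS limit enough for the sandbox to finish turns that same file Safe. That is the trade-off the waiting limits encode: a short limit keeps the analyser moving under load, a long one gives slow engines a chance to clear unknown files.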

2.1.4. Configuring Email Notifications

cWatch will issue email alerts if suspicious events occur on your network or if any problem is found with the cWatch system configuration. Notifications are sent to the address configured in the 'Email Notifications' screen.

To access the Email Notifications screen, click Configuration > Email Notifications.


• Email address notifications sender - Enter the email address from which notifications should be sent.

• Email address to receive notifications - Enter the email address to which notifications should be sent.

• Sendmail - Select this option if the local Sendmail MTA is used to send mail.

• SMTP Server - Select this option to send notifications through an SMTP server. The fields for the SMTP details will then be displayed:

  • SMTP server address - Enter the address of the SMTP server through which the notifications will be sent.

  • SMTP server port - Enter the SMTP server port number.

  • SMTP client login - Enter the username of the account used to send notifications.

  • SMTP client password - Enter the password of that account. Use a dedicated mailbox for this purpose rather than an administrator's personal credentials, since the password is saved in the cWatch configuration.

• Click the 'UPDATE' button.

2.2. Checking cWatch System Status

The 'System Status' screen provides at-a-glance information about the status of hardware and software on the cWatch server. Clicking on any item reveals more details about the component in question. A notification will be sent to administrators if any errors are found. The recipient of these notifications is configured in the Email Notifications screen.

To access the 'System Status' screen, click 'System Monitoring'.

If all components are working normally then 'OK' will be displayed at the top of the screen. 'Warning' text is displayed next to any problems:

• Click the item with the warning to show more details:


In the example above, the main cWatch analyser daemon has stopped running and needs to be restarted.

2.3. Reports

cWatch generates comprehensive reports on the web and email traffic that it monitored and determined to be unsafe or malicious. The HTTP analyser reports give details of the host IPs from which the web traffic originated, the number of scanned sessions, the number of malicious files detected and so on. The Email analyser reports give details of where the unsafe mail was sent from, the date and time it was sent and so on.

Click the following links for more details on each report:

• HTTP analyser Report

• Email analyser Report


2.3.1. HTTP Analyser Reports

The HTTP Analyser report provides details of suspicious actions that have occurred on your network. This includes any malicious or untrusted files which have been downloaded and any blacklisted domains, URLs or IPs that have been visited by your users. Threats are color coded according to their severity category; for example, red indicates high risk.

To access the HTTP Analyser Report screen, click Reports > HTTP Analyser.

The reports screen for all scanned hosts will be displayed:

The Reports interface shows, as a summary at the top, the total number of hosts monitored, the number of hosts on which malicious or suspicious items were found and the number of new hosts monitored, followed by a table containing details of the monitoring results.


Scanned Hosts - Table of Parameters

• Host IP - The IP address of the system from which the web traffic originated.

• Risk - The risk category (Safe, Suspicious or High Risk) for the scanned sessions. The color code also indicates the risk category:

  • Safe - Green

  • Suspicious - Yellow

  • High Risk - Red

• Scanned Sessions - The total number of sessions scanned by cWatch.

• Malware Files - The total number of downloaded files that were categorized as High Risk. Click the number to display more details, such as the source IP address and port from which the file was downloaded. Refer to Viewing Report for Individual Host for more details.

• Suspicious Files - The total number of downloaded files that were categorized as Suspicious. Click the number to display more details, such as the source IP address and port from which the file was downloaded. Refer to Viewing Report for Individual Host for more details.

• Unsafe Domains - The total number of blacklisted domains visited. Click the number to display more details, such as the destination IP address and port where the site is hosted. Refer to Viewing Report for Individual Host for more details.

• Unsafe URLs - The total number of blacklisted URLs visited. Click the number to display more details, such as the destination IP address and port. Refer to Viewing Report for Individual Host for more details.

• Unsafe IPs - The total number of blacklisted IPs visited. Click the number to display more details, such as the destination IP address and port. Refer to Viewing Report for Individual Host for more details.

By default, the report is displayed for the current day. To change the date range, enter the dates directly in the fields or click a field and select from the calendar.

• After selecting the date range, click the 'Show' button.

You can filter the entries to display 'All entries', 'High Risk entries' or 'Suspicious entries' by clicking on the filter button on the right.


• After selecting the date and risk category filters, click the 'Show' button.

The report for the selected date range and risk category filter will be displayed:

Viewing Report for Individual Host

You can view the detailed report for an individual host by clicking on the number under any of the unsafe item columns, such as Malware Files or Suspicious Files.


Scanned Hosts: Detailed Report for Individual Hosts - Table of Parameters

• Risk - The risk category (Suspicious or High Risk) for the scanned sessions. The color code also indicates the risk category:

  • Suspicious - Yellow

  • High Risk - Red

• Destination - The destination IP address and port from which the file was downloaded, or the blacklisted domain, URL or IP that was visited.

• Detected At - The date and time at which the action was detected by cWatch.

• SHA1 - The SHA1 hash of the unsafe file detected by cWatch. The hash identifies the file itself, so it can be used to search other hosts or reputation services for the same file.

• Details - The URL of the unsafe file that was downloaded and the detection tools that categorized the file as high risk or suspicious.

• Click 'Return to IP List' link at the right to go back to main report page.

Export Report to CSV File

The log report can be exported to a comma separated value (CSV) file. Please note that the exported file lists the entries in the same order as the interface.

• Click the 'Export to CSV' button.

• In the ensuing dialog select 'Open' to view the file with an appropriate application or select 'Save file' to save the file to your computer.

• Click 'OK'.

The values in the log report are separated by commas, and the file can be opened with an appropriate application such as Excel or OpenOffice Calc for easy analysis.
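Because the export keeps the same columns as the detailed report table, it is straightforward to turn it into an indicator list for other tools. The following is an added Python example (not cWatch's own tooling) that reads such an export, validates the SHA1 values before they go into a blocklist, counts how many times each hash and destination IP appears across the rows, and tallies which detection component caught what. The header names follow the table above; the layout of the 'Details' column, the timestamp format, the function names and the sample rows are constructed assumptions.

```python
"""Parse a 'Scanned Hosts' detailed report exported to CSV and pull out the IOCs.

Added example, not cWatch's own tooling. The column names follow the detailed report
table in this guide (Risk, Destination, Detected At, SHA1, Details); the text layout of
the Details column, the timestamp format and the sample rows are assumptions.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample of what an export might look like (not real data).
SAMPLE_EXPORT = """\
Risk,Destination,Detected At,SHA1,Details
High Risk,203.0.113.7:80,2014-08-27 10:15:02,da39a3ee5e6b4b0d3255bfef95601890afd80709,http://cdn.example/setup.exe (Comodo AV; ClamAV)
Suspicious,198.51.100.9:443,2014-08-27 10:20:41,3b7d3f2c0e2e1a4d4a4f1c5a9f0b1d2e3c4a5b6c,http://files.example/tool.zip (CAMAS)
High Risk,203.0.113.7:80,2014-08-27 11:02:13,da39a3ee5e6b4b0d3255bfef95601890afd80709,http://cdn.example/setup.exe (Comodo AV; ClamAV)
High Risk,192.0.2.44:80,2014-08-27 11:30:00,not-a-hash,http://bad.example/ (Domain blacklist)
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumed layout: the detection tools are listed in parentheses at the end of Details.
ENGINES_RE = re.compile(r"\(([^)]*)\)\s*$")


def parse_export(text):
    """Return one dict per row, in the order the export preserves from the interface."""
    return list(csv.DictReader(io.StringIO(text)))


def extract_iocs(text):
    """Return validated SHA1s with hit counts, destination IPs and detections per engine."""
    hashes = Counter()
    destinations = Counter()
    engines = Counter()
    rejected = []
    for row in parse_export(text):
        sha1 = row["SHA1"].strip().lower()
        # Only well-formed SHA1 values go into an IOC list; anything else is set aside for review.
        if SHA1_RE.match(sha1):
            hashes[sha1] += 1
        else:
            rejected.append(sha1)
        # Destination is "ip:port"; rpartition keeps the IP even if it contained no port.
        destinations[row["Destination"].rpartition(":")[0] or row["Destination"]] += 1
        match = ENGINES_RE.search(row["Details"])
        if match:
            for engine in match.group(1).split(";"):
                engines[engine.strip()] += 1
    return {"sha1": hashes, "destinations": destinations, "engines": engines, "rejected": rejected}


def high_risk_only(text):
    """The rows an analyst would triage first."""
    return [row for row in parse_export(text) if row["Risk"] == "High Risk"]


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_EXPORT)
    for sha1, count in iocs["sha1"].most_common():
        print(f"{sha1}  seen {count}x")
    print("destinations:", dict(iocs["destinations"]))
    print("detections per engine:", dict(iocs["engines"]))
    print("rejected SHA1 values:", iocs["rejected"])
```

The repeated hash in the sample is the same download seen twice from the same destination, which the counts make visible immediately; the malformed SHA1 in the last row (a blacklisted domain visit has no file to hash) is reported rather than silently pushed into a blocklist.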

2.3.2. Email Analyser Reports

The Email Analyser report provides details of the unsafe emails detected, including the email addresses of senders and recipients. Threats are categorized as High Risk or Suspicious, with a different color code for each: red indicates high risk and yellow indicates suspicious mail.

To access the Email Analyser Reports screen, click Reports > Email Analyser.

The reports screen for Checked Emails will be displayed:

By default, the report is displayed for the current day. To change the date range, enter the dates directly in the fields or click a field and select from the calendar.


• After selecting the date range, click the 'Show' button.

You can filter the entries to display 'All entries', 'High Risk entries' or 'Suspicious entries' by clicking on the filter button on the right.

• After selecting the date and risk category filters, click the 'Show' button.

The report for the selected date range and risk category filter will be displayed:


Checked Emails - Table of Parameters

• Risk - The risk category (Suspicious or High Risk) for the scanned email. The color code also indicates the risk category:

  • Suspicious - Yellow

  • High Risk - Red

• From - The email address of the sender.

• To - The email address of the recipient.

• Proto - The protocol used for the mail transfer.

• Created At - The date and time at which the report entry was created for the checked email.

• Action - Click the 'Show details' link for an entry to display the full details, such as the message ID, the nature of the threat detected and which component(s) of the cWatch engine detected it. Refer to Viewing Report for an Individual Email for more details.

Viewing Report for an Individual Email

You can view the detailed report for an individual email by clicking the 'Show details' link under the 'Action' column. The individual report provides details such as the message ID, the email addresses of the sender and recipient, the category of risk, when the email was detected as a threat, the SHA1 hash of the attached malware file and which component(s) of cWatch detected it as a threat.


Checked Emails: Detailed Report for Individual Email - Table of Parameters

• Risk - The risk category (Suspicious or High Risk) for the checked email. The color code also indicates the risk category:

  • Suspicious - Yellow

  • High Risk - Red

• Detected At - The date and time at which cWatch detected the email as a threat.

• SHA1 - The SHA1 hash of the unsafe attachment detected by cWatch.

• Details - The detection components that categorized the attachment as high risk or suspicious.

• Click 'Return to E-Mail List' link at the right to go back to main report page.

Export Report to CSV

The log report can be exported to a comma separated value (CSV) file. Please note that the exported file lists the entries in the same order as the interface.

• Click the 'Export to CSV' button.


• In the ensuing dialog select 'Open' to view the file with an appropriate application or select 'Save file' to save the file to your computer.

• Click 'OK'

The values in the log report are separated by commas, and the file can be opened with an appropriate application such as Excel or OpenOffice Calc for easy analysis.
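An added Python example (not part of cWatch) that groups a 'Checked Emails' export by sender, so that a campaign hitting many recipients stands out from a one-off detection: it records the distinct recipients, the counts per risk level and the time window of each sender's messages, and flags senders that claim your own domain, which on a detected message is worth a second look (a spoofed address or a compromised account). Column names follow the table above; the timestamp format, the `internal_domain` parameter, the function names and the sample rows are assumptions.

```python
"""Summarise a 'Checked Emails' report exported to CSV by sender.

Added example, not cWatch's own tooling. The column names follow the Checked Emails
table in this guide (Risk, From, To, Proto, Created At); the timestamp format, the
internal-domain flag and the sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of what an export might look like (not real data).
SAMPLE_EXPORT = """\
Risk,From,To,Proto,Created At
High Risk,invoice@bad.example,alice@corp.example,smtp,2014-08-27 09:01:10
High Risk,invoice@bad.example,bob@corp.example,smtp,2014-08-27 09:01:12
Suspicious,newsletter@shop.example,alice@corp.example,smtp,2014-08-27 09:45:00
High Risk,hr@corp.example,carol@corp.example,smtp,2014-08-27 10:12:30
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed format of the 'Created At' column


def senders_summary(text, internal_domain=None):
    """Group detections by sender: recipients, counts per risk level, time window.

    If internal_domain is given, senders whose address claims that domain are flagged
    (assumed check): such a sender on a detected message is usually spoofed or compromised.
    """
    summary = {}
    for row in csv.DictReader(io.StringIO(text)):
        sender = row["From"].strip().lower()
        entry = summary.setdefault(sender, {
            "recipients": set(),
            "risk": defaultdict(int),
            "first": None,
            "last": None,
            "internal_sender": False,
        })
        entry["recipients"].add(row["To"].strip().lower())
        entry["risk"][row["Risk"]] += 1
        ts = datetime.strptime(row["Created At"], TIME_FMT)
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
        if internal_domain and sender.endswith("@" + internal_domain.lower()):
            entry["internal_sender"] = True
    return summary


def ranked(summary):
    """Senders ordered by High Risk count, then by number of distinct recipients."""
    return sorted(
        summary,
        key=lambda s: (summary[s]["risk"]["High Risk"], len(summary[s]["recipients"])),
        reverse=True,
    )


if __name__ == "__main__":
    summary = senders_summary(SAMPLE_EXPORT, internal_domain="corp.example")
    for sender in ranked(summary):
        e = summary[sender]
        flag = " [claims internal domain]" if e["internal_sender"] else ""
        print(f"{sender}{flag}: {dict(e['risk'])}, {len(e['recipients'])} recipient(s), "
              f"{e['first']} .. {e['last']}")
```

On the sample, the two High Risk messages from the same external sender two seconds apart to two recipients rank first, and the message claiming the internal domain is flagged even though it has only one recipient.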

2.4. Changing Comodo Watch Administrative Console Password

You can change your cWatch admin console password at any time from the Change Password screen. Use a strong password that is not shared with any other account, since this login controls the entire cWatch configuration.

To change your password, click 'Change Password' at the top:


• Enter your current password in the first text field.

• Enter the new password in the second text field and confirm it in the next text field.

• Click the 'UPDATE' button.

The message 'Password was successfully changed' will be displayed.

2.5. Managing Your Account

The 'My Account' interface displays your licenses and their validity and lets you upgrade or renew a license. You can also purchase new licenses from the interface for activation, upgrade or renewal.

The following sections provide more explanations on:

• Purchasing a new license for upgrade or renewal

• Activating, Upgrading or Renewing your license

To purchase a new license for upgrade or renewal

• Click 'Manage Account' in the My Account interface. You will be taken to the login page of Comodo Accounts Manager (CAM) at https://accounts.comodo.com/login.

• If you already have a CAM account, log in and click 'Sign Up to Comodo Watch' at the bottom of the page.

• If you are a new customer, click 'Create New Account' and then 'Sign Up to Comodo Watch Service'. You will be taken to the purchase page for Comodo cWatch.

• Select the subscription package you want from the list displayed.

• Enter the User Details and Contact Information in the respective fields under 'Customer Information'.

• If you are already logged in, the contact details will be auto-populated.

• If you already have an account with Comodo, check the 'Yes' box. You will then only need to enter your Email Address/Login ID, Password and Contact Information.

Note: Fields marked with * are mandatory.


• Select the payment option and fill in the credit card details.

• Select the checkbox in the 'Communication Options' section, if you want to be kept informed about special offers, Comodo products and upgrades.


• Read the Terms and Conditions and accept them by selecting the 'I accept the Terms and Conditions' check box.

• Click 'SIGN UP'.

You will receive a confirmation email containing the license key at the address you registered. You can also get the license key from https://accounts.comodo.od.ua/capt/capt_subscriptions.

To Activate, Upgrade or Renew your license

• Paste the license key from https://accounts.comodo.od.ua/capt/capt_subscriptions into the text field in the 'My Account' interface and click 'Update'.

The license key will be checked and, after successful validation, a confirmation message will be displayed.


About Comodo

The Comodo companies are leading global providers of Security, Identity and Trust Assurance services on the Internet. Comodo CA offers a comprehensive array of PKI Digital Certificates and Management Services, Identity and Content Authentication (Two-Factor - Multi-Factor) software, and Network Vulnerability Scanning and PCI compliance solutions. In addition, with over 10,000,000 installations of its threat prevention products, Comodo Security Solutions maintains an extensive suite of endpoint security software and services for businesses and consumers.

Continual innovation, a core competence in PKI and a commitment to reversing the growth of Internet crime distinguish the Comodo companies as vital players in the Internet's ongoing development. Comodo, with offices in the US, UK, China, India, Romania and Ukraine, secures and authenticates the online transactions and communications of over 200,000 business customers and millions of consumers, providing the intelligent security, authentication and assurance services necessary for trust in online transactions.

Comodo Security Solutions, Inc.

1255 Broad Street

STE 100

Clifton, NJ 07013

United States

Tel : +1.877.712.1309

Email: [email protected]

For additional information on Comodo - visit http://www.comodo.com.
