How to Perform Queries for Endpoint Visibility Using Saner Endpoint Security Solution 3.0.2

2019-01-17

Query Management with Saner Endpoint Security Solution

Contents

Query Management with Saner Endpoint Security Solution
Create a Custom Query
Create a Query to List Windows Startup Programs Present in the Endpoints
Create a Query to List Windows Visual Effects Settings Value
Create a Query to List Unwanted Programs
Create a Query to List Unwanted Processes
Create a Query to List Threats Present in the Endpoints


Query Management with Saner Endpoint Security Solution

A query is a request for information from a database, or for live data from endpoints where the Saner agent is installed.

SecPod Saner Business supports natural language-based queries related to processes, services, users, registry, network, and device configurations on the endpoint. The Saner platform's metadata model makes it easy to search using unstructured natural language-based queries. This is the only platform that is fully compliant with well-established standards such as SCAP and STIX/TAXII.

Query results are fetched in microseconds, to help make quick decisions around endpoint activities. Complex queries can be created, or multiple queries can be cascaded with AND and OR combinations. The scalable architecture of Saner allows responses to IoCs in seconds without impacting the network or systems.

Queries are categorized into two types:

1) Default Queries - The Saner solution provides default queries that can fetch information such as anti-virus information, hosts that have disabled the firewall, hosts that have disabled BitLocker protection, etc.

2) Custom Queries - Users can create custom queries.

• Select an account you want to manage. The menu expands. Click Queries on the menu.

Figure 1 highlights the Queries pane on the dashboard. To create a custom query, click the question mark icon on the menu. A query contains two options:

i) Add Rule, to select supported probes. Multiple rules can be selected with AND or OR operations.

ii) Add Group, to join rules based on conditions. Multiple rules can be joined into one group.

Fig.1


Fig.2

The Run option displays the query results fetched from the database. The Edit and Delete buttons allow you to edit or delete the queries.

Fig.3

The ( ) icon lists possible values of the selected attributes.

The ( ) icon lists attributes of a file probe.

The ( ) icon indicates that the probe will take time to execute and collect response from the agents.


In figure 3, the probe is File. File Path is a mandatory attribute for the file probe. The query is sent to the agent systems.

The Define a Scope option restricts the query to a particular group. When an administrator clicks the Submit button, the query is sent only to the selected groups.

Total number of supported probes in Viser, by operating system:

OS        Total No. of Probes   Special Probes
Windows   60                    13
Linux     58                    10
MAC       54                    16

Note: When a query with mandatory attributes is created with a special probe, it is automatically broadcast to the agents. For a typical query, you must click the Submit button.


Create a Custom Query:

1. Specify the Name, Category, Severity and Operating System Family details.

2. Select the AND operation.

3. Select the Registry Key Effective Rights probe and specify Hive and Key as the parameters.

4. Click Add Rule. Add a rule with the file probe and specify the file path.

5. Click Create.

Fig.4

Figure 4 displays a query with multiple rules to check for Locky malware. Once the query is created or updated, it displays the result in real time. Figure 5 displays details of the host infected with Locky malware.


Fig.5

Fig.6


Create a Query to List Windows Startup Programs Present in the Endpoints:

1. Click Queries > Create Query.

2. Specify the details:
   Select the registry probe.
   Specify the registry key that lists all the startup programs present in the system.

3. Click Update.

Fig.7

Figure 7 displays a query for listing the Windows startup programs present in the endpoints.

Fig.8

Figure 8 displays the result of the above query.


Create a Query to List Windows Visual Effects Settings Value:

This query lists each endpoint's Visual Effects Settings value, which is an assessment parameter for system performance.

To create this query:

1. Click Queries > Create Query.

2. Create 2 groups, one with the AND operation and one with the OR operation, each containing 2 rules.
   The group with the AND operation contains 2 rules with the registry probe, specifying the path for the 'Key' attribute and the value for the 'Name' attribute.
   The group with the OR operation contains 2 rules with the HIVE attribute. This query searches in HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE.

3. Click Create.
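To make the rule/group model concrete (Add Rule, Add Group with AND or OR, Define a Scope, the mandatory File Path of the file probe, and the two-group Visual Effects query just described), here is an added Python example. It is illustration code written for this page, not SecPod's implementation, and it evaluates queries over a constructed in-memory inventory rather than live agent data. Assumptions: the two groups of the Visual Effects query are joined with AND at the top level; the registry location queried is the standard Windows one, `HKCU`/`HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects` with the `VisualFXSetting` value, which the document does not print; the file path in the sample is a placeholder, not an indicator.

```python
"""Added example: a minimal evaluator for the rule/group query model described
in this document. Illustration code, not SecPod's implementation; runs over a
constructed inventory instead of live agent data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass
class Rule:
    probe: str              # "registry" or "file" (the two probes the document uses)
    attrs: Dict[str, str]   # attribute -> expected value, e.g. {"Hive": "HKEY_CURRENT_USER"}


@dataclass
class Group:
    op: str                              # "AND" or "OR"
    members: List[Union[Rule, "Group"]]  # rules, or nested groups


# Assumption: the standard key/value Windows stores the Visual Effects setting in;
# the document shows the query but does not print the path it uses.
VISUAL_FX_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects"
VISUAL_FX_NAME = "VisualFXSetting"
VISUAL_FX_LABELS = {  # meanings of the values as given in the document
    0: "Let Windows choose what's best for my computer",
    1: "Adjust for best appearance",
    2: "Adjust for best performance",
}

# Constructed sample inventory. registry: (hive, key, name) -> value; files: set of paths.
# The file path below is a placeholder for the example, not a real indicator.
ENDPOINTS = {
    "ws-01": {"registry": {("HKEY_CURRENT_USER", VISUAL_FX_KEY, VISUAL_FX_NAME): 1}, "files": set()},
    "ws-02": {"registry": {("HKEY_LOCAL_MACHINE", VISUAL_FX_KEY, VISUAL_FX_NAME): 2}, "files": set()},
    "ws-03": {"registry": {}, "files": {r"C:\ProgramData\example\suspect.exe"}},
    "ws-04": {"registry": {("HKEY_CURRENT_USER", VISUAL_FX_KEY, VISUAL_FX_NAME): 0}, "files": set()},
}


def rule_matches(rule: Rule, endpoint: dict) -> bool:
    """A registry rule matches if any registry entry on the endpoint satisfies every
    attribute the rule specifies; a file rule requires its mandatory File Path."""
    if rule.probe == "registry":
        for (hive, key, name), value in endpoint["registry"].items():
            entry = {"Hive": hive, "Key": key, "Name": name, "Value": str(value)}
            if all(entry.get(a) == v for a, v in rule.attrs.items()):
                return True
        return False
    if rule.probe == "file":
        if "File Path" not in rule.attrs:
            raise ValueError("File Path is mandatory for the file probe")
        return rule.attrs["File Path"] in endpoint["files"]
    raise ValueError(f"unsupported probe: {rule.probe!r}")


def evaluate(node: Union[Rule, Group], endpoint: dict) -> bool:
    """Recursively evaluate a rule or group: AND needs every member, OR needs any."""
    if isinstance(node, Rule):
        return rule_matches(node, endpoint)
    results = [evaluate(m, endpoint) for m in node.members]
    return all(results) if node.op == "AND" else any(results)


def run_query(query, endpoints, scope: Optional[Set[str]] = None) -> List[str]:
    """Names of matching endpoints. `scope` mirrors Define a Scope: only the
    named hosts receive the query."""
    targets = {n: e for n, e in endpoints.items() if scope is None or n in scope}
    return sorted(n for n, e in targets.items() if evaluate(query, e))


# The Visual Effects query from the text: an AND group (Key + Name) and an OR group
# (either hive), joined at the top level with AND (assumption).
VISUAL_FX_QUERY = Group("AND", [
    Group("AND", [Rule("registry", {"Key": VISUAL_FX_KEY}),
                  Rule("registry", {"Name": VISUAL_FX_NAME})]),
    Group("OR", [Rule("registry", {"Hive": "HKEY_CURRENT_USER"}),
                 Rule("registry", {"Hive": "HKEY_LOCAL_MACHINE"})]),
])

# A file-probe rule carrying its mandatory File Path (constructed placeholder path).
SUSPECT_FILE_QUERY = Rule("file", {"File Path": r"C:\ProgramData\example\suspect.exe"})


def visual_fx_report(endpoints) -> Dict[str, Tuple[int, str]]:
    """Per matching host, the setting value and its meaning. Hosts at 1 are the ones
    the document says to move to 2 via CMD & Ctrl > Registry > Modify Registry."""
    report = {}
    for name in run_query(VISUAL_FX_QUERY, endpoints):
        for (_hive, key, vname), value in endpoints[name]["registry"].items():
            if key == VISUAL_FX_KEY and vname == VISUAL_FX_NAME:
                report[name] = (value, VISUAL_FX_LABELS.get(value, "custom or unknown"))
    return report


if __name__ == "__main__":
    for host, (value, label) in visual_fx_report(ENDPOINTS).items():
        print(f"{host}: VisualFXSetting={value} ({label})")
    print("file rule matched on:", run_query(SUSPECT_FILE_QUERY, ENDPOINTS))
```

Each rule is matched independently against the endpoint's data, and the groups combine those booleans; this is why the OR group on HIVE alone would match any host with a registry entry under either hive, and it only becomes useful when joined with the AND group that pins the Key and Name. The scope check shows why a query with a mandatory attribute on a special probe is broadcast only to the selected groups.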

Fig.9

Figure 9 shows a query to list Windows Visual Effects Settings.

Fig.10

Figure 10 shows the query results. To know more about the instances, click More.


Fig.11

Figure 11 shows the query result in detail. The value of the field 'value' is '1', which indicates the setting for best appearance. The values can range from 0 to 2:

The default value of 0 is Let Windows choose what's best for my computer.

Change the value to 1 for Adjust for best appearance.

Change the value to 2 for Adjust for best performance.

Note: If the host has a value of '1', the administrator needs to change the value to 2 for best performance by using the CMD & Ctrl action:

CMD & Ctrl > Registry > Modify Registry > With the value '2'


Create a Query to List Unwanted Programs:

1. Click Queries > Create Query.

2. Specify the details:
   Select the registry probe.
   Specify the registry key that lists all the unwanted programs present in the system.

3. Click Update.

Fig.12

Figure 12 displays a query for listing unwanted programs.

Fig.13


The table in figure 13 lists the names of the unwanted programs present in the endpoints with the number of affected instances. IT administrators can use this query to list the unwanted programs that consume a lot of memory.

Note: To delete or block a listed unwanted program, go to

CMD & Ctrl > Software Deployment > Application Management > Uninstall and select the unwanted program name

OR

CMD & Ctrl > Application Control > Application Block and select the unwanted program name from the list.


Create a Query to List Unwanted Processes:

1. Click Queries > Create Query.

2. Specify the details:
   Select the registry probe.
   Specify the registry key that lists all the unwanted processes present in the system.

3. Click Update.

Fig.14

Figure 14 displays a query for listing unwanted processes, for example:

armsvc.exe - This process stands for Adobe Acrobat Update Service.

jusched.exe - This process stands for Java Update Scheduler.

NeroCheck.exe - This is a process from hardware manufacturers that searches for drivers that could trigger conflicts with Nero Express, Nero, and NeroVision Express.

OSPPSVC.exe - This is a software process that comes with Microsoft Office 2010.

winampa.exe - This is a software process that places Winamp at the bottom right of the taskbar and ensures that no other programs with media content are linked.

Sidebar.exe - This is a Windows process that consumes a lot of memory.

These processes consume a lot of system memory and are better stopped or removed.

Fig.15


The table in figure 15 lists the names of the unwanted processes present in the endpoints with the number of affected instances. IT administrators can use this query to list the unwanted processes that consume a lot of memory.

Note: To delete or block the unwanted processes, go to

CMD & Ctrl > Process > Process Block or Stop Process by Name and select the unwanted process name from the list.
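The "affected instances" column of the table in figure 15 is a count of endpoints per unwanted process name. The following added Python example, not code from the document or from SecPod, produces that table from a constructed per-endpoint process list using the process names the document lists. One detail worth getting right in any such tally: Windows process names are case-insensitive, so a host reporting `JUSCHED.EXE` must count against `jusched.exe`, and a host running several copies of one process is still one affected instance.

```python
"""Added example: tally unwanted processes across endpoints into a
'process name -> number of affected endpoints' table like figure 15.
Illustration code; the inventory below is constructed sample data."""
from collections import Counter
from typing import Dict, Iterable, List

# Process names the document lists as unwanted.
UNWANTED_PROCESSES = {"armsvc.exe", "jusched.exe", "NeroCheck.exe",
                      "OSPPSVC.exe", "winampa.exe", "Sidebar.exe"}

# Constructed sample: process names reported by each endpoint's agent.
SAMPLE_PROCESS_INVENTORY: Dict[str, List[str]] = {
    "ws-01": ["explorer.exe", "jusched.exe", "armsvc.exe"],
    "ws-02": ["explorer.exe", "JUSCHED.EXE", "sidebar.exe", "sidebar.exe"],
    "ws-03": ["explorer.exe", "svchost.exe"],
}


def affected_instances(inventory: Dict[str, List[str]],
                       unwanted: Iterable[str] = UNWANTED_PROCESSES) -> Dict[str, int]:
    """Count, per unwanted process, how many endpoints run it. Names are compared
    case-insensitively (Windows semantics) but reported with the spelling from the
    unwanted list; several copies on one host count as one affected instance.
    Result is ordered by count descending, then name."""
    canonical = {name.lower(): name for name in unwanted}
    counts: Counter = Counter()
    for _host, procs in inventory.items():
        seen = {p.lower() for p in procs}            # de-duplicate per host
        for lowered in seen & canonical.keys():
            counts[canonical[lowered]] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def hosts_running(inventory: Dict[str, List[str]], process_name: str) -> List[str]:
    """Endpoints running the given process, for targeting a Stop Process by Name action."""
    wanted = process_name.lower()
    return sorted(h for h, procs in inventory.items()
                  if any(p.lower() == wanted for p in procs))


if __name__ == "__main__":
    for name, count in affected_instances(SAMPLE_PROCESS_INVENTORY).items():
        print(f"{name:<14} {count} affected instance(s): "
              f"{', '.join(hosts_running(SAMPLE_PROCESS_INVENTORY, name))}")
```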


Create a Query to List Threats Present in the Endpoints:

1. Click Queries > Create Query.

2. Specify the details:
   Select the registry probe.
   Specify the registry key that lists the malware present in the system.

3. Click Update.

Fig.16

Figure 16 displays a query for detecting the presence of the Cryptoshield malware in the endpoints. This query contains four groups with AND and OR operators that search for a particular string present in a file and for a registry entry with the specified keys. In the registry, it searches for the name Windows SmartScreen.


Fig.17

The table in figure 17 lists the path of the malware file and the registry entry.

Note: To delete the malware, go to

CMD & Ctrl > Security > Quarantine and specify the path of the malware file. Remove the listed registry entry by going to CMD & Ctrl > Registry > Delete Registry.

About Us

SecPod Technologies creates cutting-edge products to ensure endpoint security. Founded in 2008 and headquartered in Bangalore with operations in the USA, the company provides computer security software for proactively managing risks and threats to endpoint computers.

Contact Us

Web: www.secpod.com Tel: +91-80-4121 4020

Email: [email protected] +1-918-625-3023

© SecPod Technologies

