SOP Document
Date: 18-Sep-2018
Version: 3.0
Contact: Chandra.reddy@colortokens.com
SUMMARY PAGE
1. LOGIN 06
2.1. CHARTS 07
2.2 ALERTS 08
2.2.2 SUMMARY 08
2.2.3 LOGS 10
2.3.2 ACTIONS 12
2.3.3 LIVE 13
2.3.4 SEARCH 14
3. TICKETS 16
4. DEVICES 16
4.2 DEVICES 17
4.2.2.8 CONVERTING YOUR SYSTEM FROM EVENT MODE TO TERMINATION MODE 20
5. PROC TREE 22
6. RULE RINGS 24
6.1 ACTIONS 24
6.2 ACTIVE 25
6.3 INACTIVE 25
6.4 MODULE-TRUST 25
6.5 PROCESS-TRUST 26
7 PROCESS PROTECT 28
7.5 BLACKLIST 29
9 FILE PROTECT 31
9.1 USB 32
10 USERS 32
12. SETTINGS 33
12.1.3 REGISTRY 34
12.2 LICENSE 35
12.3.1 RADAR BUILDS 37
12.4 PROFILES 38
12.5 GOLDEN-RULES 40
12.6 GOLDEN-WHITELIST 41
14. REPORTS 43
1. LOGIN:
Enter the dashboard URL in any browser; the RCS DASHBOARD loads and prompts for a login and password. [This is the same login for User and Admin mode.]
After entering the USERNAME and PASSWORD you are logged into the RCS-DASHBOARD.
Below is the homepage of the RCS-DASHBOARD.
2. DIFFERENT SECTIONS IN DASHBOARD:
2.1 CHARTS
In the Charts page we have different fields like:
ASSETS: Gives information about the endpoints that are reporting to the dashboard, i.e. where RADAR360 is installed and running.
2.2 ALERTS:
The Alerts page has different sections: High Alerts, Summary, Logs, Live and Search.
RADAR 360 proactively seeks out and analyzes suspicious behaviors and activities. If the behavior of any process is suspicious, it is displayed under the High Alerts section.
2.2.2 SUMMARY:
The Summary section is categorized into 5 columns.
The '#' represents the number of times that particular event has occurred.
We can also monitor the alerts by time period through the time period dropdown box.
Blacklist: This column shows the Top 20 blacklist entries.
Process: This column shows the Top 20 entries that were generated by any kind of rule.
P-Trust: This column shows the Top 20 entries that were generated because of a bad process Trust reason.
M-Trust: This column shows the Top 20 entries that were generated because of bad module Trust reasons.
2.2.3 LOGS:
Filename: The process that generated the alert is shown as the filename.
VT Count: VirusTotal count for the particular process [Trust Level].
X/0 => X AV vendors analyzed the sample and none reported it.
X/Y => X AV vendors analyzed the sample and Y of them reported it as a bad sample according to their analysis.
Event type: There are different types of events: Process event, File event, Driver event and Module event. [These are essentially the sources at the sensor where the alert is generated.]
PROCESS: Whenever a process attempts a network connection (and that process is not already in the allowed RULE list), a process event is generated.
DRIVER: If a particular process is not added to the whitelist (with any combination: Path + Hash, Hash, or Path only), a driver event is generated. These alerts are generated only when the system is in Whitelist mode.
MODULE: When DLL files are injected into a particular process, a module event is generated according to the Module Trust settings for that system
(Settings => Rule Settings => MODULE Trust Settings).
By default, the latest 100 alerts are loaded every time the alerts page is refreshed.
If you want the latest 2500 instead, select the 2500 option in the dropdown box, select the ALL option in the select filter tab, and then click the refresh button.
2.3.1 DIFFERENT TYPES OF FILTERS IN THE ALERTS PAGE:
HIGH: High alerts are the processes that were Driver Blocked and the Terminated processes.
To see detailed information about an alert, click the expand button.
This shows information such as the full path, reason, parent path, source and destination IP, etc.
2.3.2 ACTIONS:
The 1st button converts an event into a ticket: if the event is suspicious, we can convert it into a ticket.
Click the 1st button and a dialog page opens.
Fill in all the required information and click the Convert button; the ticket is now created.
The 2nd button converts an event into a rule.
Fill in the reason in the comment box and click the Convert button; a new rule is now created.
The 6th button suppresses the alert: if you receive the same alert a number of times but do not need it, choose this option and the alert no longer appears after being suppressed.
2.3.3 LIVE:
The Live section has 5 categories. They are:
File: Any file modification is automatically recorded as an entry and can be tracked here.
Hardware: When any hardware device such as a USB device or pen drive is connected to the system, the radar sensor automatically updates it here.
IP Packet: The complete details of IP packets are displayed here.
Network: The Network section traces the network traffic: from which IP the connection to the remote IP address was made, through which port numbers, with which protocol, and the connection status such as ESTABLISHED, SYN-SENT or LAST-ACK.
URI Data: The URI data shows which website the connection was made to.
2.3.4 SEARCH:
There are 5 search types: Source IP, Remote IP, Hash, Path, and Event ID.
Hash: We can also search for any application by its MD5.
Path: Path-based search is also possible here. First, select the complete path.
3. TICKETS:
In the Tickets section you can see all raised tickets and browse through them.
By clicking the Events button for a ticket you can view the specific alerts for which that ticket was raised.
4. DEVICES:
4.1 DEVICE TREE:
In this section you can create a node by right-clicking on the parent node and then adding the particular information about that node.
A new device can be added to a specific node by dragging and dropping it onto that node.
The new user appears on the right side. [Only admins can see and add devices to the nodes.]
4.2 DEVICES:
In the Device Info section, system information can be obtained by expanding an entry to view more info such as the device UUID, IP address, Radar version, whether the system is live or not, the mode [Whitelist (Event or Block), NO Block mode or Blacklist (Event or Block)] along with the Rules Effect mode (Event, Kill, Kill Tree mode), and the node the device belongs to.
The device list can also be exported to a CSV file by clicking the down-arrow button at the top.
If you want to restart RADAR for any user, you can do it from here.
Before restarting, select the user from the All Users dropdown box and then click the Restart button.
4.2.2 SENSOR MODES: [KERNEL LEVEL]
This is a very important section; it is used for converting systems into FREEZE MODE and TERMINATION MODE. We have different options like:
USE OF FREEZE MODE: Only the whitelisted applications will run; the remaining applications that are not in the whitelist are blocked automatically.
After selecting a user, select the Add All Running Process to Whitelist option under Whitelist [THIS WILL ADD ALL RUNNING PROCESSES ON THE SYSTEM TO THE WHITELIST].
We can check which processes were added to the whitelist by clicking the Whitelist option under the Process Protect section.
The above image shows the processes added to the whitelist; make sure the VT count is updated.
After adding all processes, we can move the system to whitelist [EVENT/BLOCK MODE].
If we select Whitelist Event, the system is in whitelist event mode [we select this option to check whether any application that should be whitelisted has not been added to the whitelist].
WHITELIST-EVENT allows applications that are in the whitelist and also those that are not.
If we select Whitelist Block, the system is in freeze mode [Whitelist Block Mode].
WHITELIST-BLOCK allows only the whitelisted applications to run; the remaining applications that are not in the whitelist are blocked.
After converting your system into FREEZE MODE, you can verify it by checking K-MODE in the Devices section.
2. Click on Mode > select the whitelist based–event option; now your system is in event mode.
4.2.2.7 RULES EFFECT MODE [USER LEVEL]:
Rules effect mode is completely based on the user level: the user/enterprise can choose which processes may make network connections. To learn more about a suspicious process, we can scrutinize it with the help of the user-level options.
EVENT MODE: An event is generated if any process makes a network connection, without any effect on that process.
KILL-P: An event is generated if any process makes a network connection, and the process is killed.
KILL-P&T: An event is generated if any process makes a network connection, and the process and its parent are killed.
2. Go to Devices > click on the dropdown box > choose Convert Rules Effect Mode - Kill.
Now your system is in TERMINATION MODE. After converting your system into TERMINATION mode, you can verify it by looking at R-MODE in the Devices section.
4.2.2.12 PROCESS NOT IN WHITELIST [Ignore]:
For any applications that are not present in the Whitelist and are already running while the system is in Blacklist or No Block mode, NO ACTION is taken on those applications when the system enters WHITELIST MODE from any other mode and this option is applied.
Based on this rule, when any orphan process runs without making network connections, the Rule effect takes place based on the GLOBAL EFFECT MODE.
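The two mode levels described above, as an added example that is not part of this SOP or of the RADAR360 product code: a Python model of the decisions a sensor makes for a process launch under each K-MODE and for a network connection under each R-MODE, including the already-running exception of 4.2.2.12. The class, the mode strings and the sample paths are assumptions constructed for the illustration.

```python
"""Decision model for the sensor modes described in 4.2.2 through 4.2.2.12:
the kernel-level K-MODE decides whether a process may start, the user-level
R-MODE decides what happens when a process opens a network connection.
Added illustration, not ColorTokens code."""
from dataclasses import dataclass, field

# K-MODE values (section 4.2.2) and R-MODE values (section 4.2.2.7);
# the string spellings are assumptions made for this example
WHITELIST_EVENT, WHITELIST_BLOCK = "whitelist-event", "whitelist-block"
BLACKLIST_EVENT, BLACKLIST_BLOCK = "blacklist-event", "blacklist-block"
NO_BLOCK = "no-block"
EVENT, KILL_P, KILL_PT = "event", "kill-p", "kill-p&t"


@dataclass
class Sensor:
    k_mode: str = NO_BLOCK
    r_mode: str = EVENT
    whitelist: set = field(default_factory=set)      # whitelisted process paths
    blacklist: set = field(default_factory=set)      # blacklisted process paths
    allowed_rules: set = field(default_factory=set)  # paths a rule allows to connect

    def on_process_start(self, path, already_running=False):
        """Apply K-MODE to a process launch; returns (action, event-or-None)."""
        if self.k_mode in (WHITELIST_EVENT, WHITELIST_BLOCK):
            if path in self.whitelist:
                return "allow", None
            if already_running:
                # 4.2.2.12: a process that was running before the switch to
                # whitelist mode gets no action (PROCESS NOT IN WHITELIST [Ignore])
                return "allow", None
            if self.k_mode == WHITELIST_BLOCK:   # freeze mode
                return "block", "driver-event"
            return "allow", "driver-event"       # runs, but the whitelist gap is reported
        if self.k_mode in (BLACKLIST_EVENT, BLACKLIST_BLOCK):
            if path not in self.blacklist:
                return "allow", None
            if self.k_mode == BLACKLIST_BLOCK:
                return "block", "blacklist-event"
            return "allow", "blacklist-event"
        return "allow", None                      # no-block mode: nothing enforced

    def on_net_connect(self, path):
        """Apply R-MODE to a network connection; returns (action, event-or-None)."""
        if path in self.allowed_rules:           # a rule already allows it: no event
            return "allow", None
        if self.r_mode == KILL_P:
            return "kill-process", "process-event"
        if self.r_mode == KILL_PT:
            return "kill-process-and-parent", "process-event"
        return "allow", "process-event"          # event mode: report only


if __name__ == "__main__":
    # constructed sample: freeze mode on the kernel side, KILL-P on the user side
    s = Sensor(k_mode=WHITELIST_BLOCK, r_mode=KILL_P,
               whitelist={"C:/Windows/explorer.exe"},
               allowed_rules={"C:/Program Files/chrome.exe"})
    print(s.on_process_start("C:/tmp/unknown.exe"))   # ('block', 'driver-event')
    print(s.on_net_connect("C:/tmp/unknown.exe"))     # ('kill-process', 'process-event')
```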
4.3 DEVICE EVENTS:
In the Device Events section, if any CONFIG file of Radar is corrupted it is reported as an event.
In such a case the mode of that system might revert to NO Block Mode and so on, depending on the config files.
For further assistance contact the COGNORE support team.
5. PROC-TREE:
Proc-Tree displays all currently running processes on the system.
Click on Proc-Tree -> Select User.
A) The Kill option kills the selected process.
We can kill a process PATH BASED, PID BASED [PROCESS ID] or MD5 BASED [HASH].
6. RULE RINGS:
A rule is like a permission; all processes work based on the rules we create.
6.1 ACTIONS:
In Rules, we have Modify and Remove options for every rule.
Clicking Modify displays the dialog box below, where we can modify the Rule Effect mode, or add the rule to the Golden Rules and to any profile.
6.2 ACTIVE:
To view all the Active rules and their Rule Effect Mode, click the Active option.
To delete a rule for any application, select the rule and click the delete icon.
The rule for that application is then removed from the Active column and the application is no longer affected by that rule.
6.3 INACTIVE:
Any rule deleted from the Active column is displayed in the Inactive column.
The rule for an application can be activated again by clicking the “Re-Active” button.
The rule can also be deleted from the entire table by clicking the “Delete” icon.
6.4 M-TRUST:
Based on the Module Trust values, this is used either to kill applications or to create events.
When a Trust Set is given, we must select either Event or Kill from the Trust Set Effect Mode option.
When Event is selected, it does not matter which Trust Set Kill Mode is selected.
When Kill is selected, the Trust Set Kill Mode gives the option to either “Kill the Process only” or “Kill the Process & Tree”.
The Min Trust Kill Value must also be entered; it kills all applications whose module trust value is equal to or greater than the given value.
The Min Trust Kill Effect Mode specifies whether to “Kill the Process only” or “Kill the Process & Tree”.
After entering all the fields, click Submit.
6.5 P-TRUST:
Based on the Rule Based Trust values, this is used either to kill applications or to create events.
When a Trust Set is given, we must select either Event or Kill from the Trust Set Effect Mode option.
When Event is selected, it does not matter which Trust Set Kill Mode is selected.
When Kill is selected, the Trust Set Kill Mode gives the option to either “Kill the Process only” or “Kill the Process & Tree”.
The Min Trust Kill Value must also be entered; it kills all applications whose process trust value is equal to or greater than the given value.
The Min Trust Kill Effect Mode specifies whether to “Kill the Process only” or “Kill the Process & Tree”.
The LATEST button fetches the latest info from the sensor.
6.6 RULES SET:
A. PROTECT PROCESS FROM BO, ROP and RCE EXPLOITS:
This rule is added to make sure that the child and parent process are the same [child & parent should be the same].
Ex: If you have opened Chrome, then the parent process should be chrome and the child process should also be chrome.
If they do not match, the process is terminated and an event is generated.
This rule is added to make sure that, if any child process other than the parent process is making network connections, the process is either terminated or an event is generated.
Ex: If you have opened Chrome and a child process, instead of the parent process, tries to make a network connection, the process is terminated.
We add this rule for suspicious processes like rundll32, Wscript, Cscript, PowerShell, ...; whenever they try to make a network connection, the process is terminated.
This is an exclude rule: we add it for a process that has no parent and is trying to make a network connection. [NO PARENT BUT CHILD ALLOWED FOR NETWORK CONNECTION]
We add this rule for a process that has no parent and is not trying to make network connections. [NO PARENT BUT CHILD NOT ALLOWED FOR NETWORK CONNECTION]
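The rule types listed above, as an added example that is not part of this SOP or of the product: a Python evaluator that applies the parent/child match rule, the child network-connection rule, the suspicious-process rule and the two orphan rules to constructed process events. The Rule and ProcEvent records, their field names and the sample rule set are assumptions; the decisions follow the section text.

```python
"""Evaluator for the rule types listed under 6.6 RULES SET.
Added illustration, not ColorTokens code: the record layouts and the sample
rule set are assumptions; the rule semantics follow the section text."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    name: str                  # image name of the process the sensor saw
    parent: Optional[str]      # parent image name; None for an orphan process
    net_connect: bool = False  # True when the event is a network-connection attempt


@dataclass
class Rule:
    process: str
    effect: str = "terminate"          # what to do on a hit: "terminate" or "event"
    same_parent: bool = False          # child image must match the parent image
    child_no_net: bool = False         # children of this app must not connect out
    block_net: bool = False            # this process itself may never connect (rundll32, ...)
    orphan_net: Optional[bool] = None  # orphan of this name may (True) / may not (False) connect


def evaluate(ev: ProcEvent, rules: list) -> tuple:
    """Return (action, reason); action is 'allow', 'terminate' or 'event'."""
    by_name = {r.process.lower(): r for r in rules}
    if ev.parent is None:
        rule = by_name.get(ev.name.lower())
        if rule is not None and rule.orphan_net is not None and ev.net_connect:
            if rule.orphan_net:
                return "allow", "exclude rule: orphan allowed to connect"
            return rule.effect, "orphan process not allowed to connect"
        return "allow", "orphan; no exclude rule matched (global effect mode applies)"
    parent_rule = by_name.get(ev.parent.lower())
    if parent_rule is not None and ev.name.lower() != ev.parent.lower():
        if parent_rule.same_parent:
            return parent_rule.effect, "child image differs from parent image"
        if parent_rule.child_no_net and ev.net_connect:
            return parent_rule.effect, "child process opened a network connection"
    own_rule = by_name.get(ev.name.lower())
    if own_rule is not None and own_rule.block_net and ev.net_connect:
        return own_rule.effect, "suspicious process attempted a network connection"
    return "allow", "no rule matched"


RULES = [  # constructed rule set mirroring the examples given in 6.6
    Rule("chrome.exe", same_parent=True),                   # parent/child must match
    Rule("firefox.exe", child_no_net=True),                 # children may not connect
    Rule("rundll32.exe", block_net=True),                   # suspicious process, terminate
    Rule("powershell.exe", block_net=True, effect="event"), # suspicious process, report only
    Rule("updater.exe", orphan_net=True),                   # exclude rule: orphan may connect
    Rule("helper.exe", orphan_net=False),                   # orphan may not connect
]

if __name__ == "__main__":
    print(evaluate(ProcEvent("cmd.exe", "chrome.exe"), RULES))
    print(evaluate(ProcEvent("rundll32.exe", "explorer.exe", True), RULES))
```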
7 PROCESS PROTECT:
All the applications that are allowed based on Path and on Path & MD5 are displayed in the PATH BASED WHITELIST.
We can add any application to the Whitelist by selecting the option and providing the details in the required fields.
This option is helpful for adding an application to the whitelist directly, without waiting for the alert to arrive.
We can delete single/multiple allowed Whitelist processes by selecting the processes and clicking the option.
DELETE ENTRY deletes the selected whitelisted process.
DELETE ALL PATH HASH ENTRIES deletes all Whitelist path fingerprint entries [only user-added fingerprints are deleted].
DELETE ALL PATH ONLY ENTRIES deletes all whitelist path-only entries.
REMOVE MD5 removes the MD5 of the selected whitelisted process.
ADD MD5 adds the MD5 to a process that is in the whitelist and does not have an MD5.
7.2 MD5 BASED WHITELIST:
All the processes/applications that are allowed based on path only are displayed in the MD5 BASED WHITELIST.
Click the DELETE option to delete an allowed MD5 in the MD5 BASED WHITELIST column.
7.5 BLACKLIST:
All the applications that are added to the BLACKLIST are displayed in the Blacklist column.
We can add unwanted processes to the BLACKLIST by:
A) Trust Overriding [Settings > Misc. Operations > Trust Override]
B) Selecting the column and providing the data in the displayed options.
C) Auto Add Bad Trust Process To Blacklist
By default, we have 4 mandatory rules related to Radar.
To add a new rule, click the RULE option and provide the rule name, the Outbound/Inbound direction and the action to Allow/Block the connections.
[Specify the application path, protocol, and local & remote IP address if required.]
We can easily activate/deactivate whether the allowed applications may make network connections by selecting the allowed rules and clicking the Activate or Deactivate option.
NOTE: Do not add a rule that blocks all apps; this may crash the processes that are making network connections.
9. FILE PROTECT:
This section is useful for protecting drivers, directories, apps, files, etc.
We can manage which apps can use which files and vice versa.
We can add as many rules as needed to manage the permissions for a particular app or file to be opened.
A created rule can be disabled with the help of the Deactivate option.
9.1 USB:
This USB option does not permit access to the hard drive or USB. It is useful for blocking USB access completely.
10 USERS:
The total number of users and the user details can be found in this section.
User details can be edited by clicking the Modify option under the Action column.
If a user enters invalid credentials on the login page 3 times in a row, the account is blocked [Active becomes Inactive].
11 DUMPS:
To dump multiple kinds of info about a particular system, first select a user from the dropdown box at the upper right and then refresh the Dump page. To dump the info for a particular setting, click on that dump and view it after some time.
12 SETTINGS:
The Settings tab has different categories: Profiles, Update Sensor, Golden Rules, Golden Whitelist, Golden File Protect, Golden Firewall, etc.
12.1 MISC. OPERATIONS:
12.1.1 MD5 EDIT:
To change the Trust value for a particular hash we use Trust Override (once the sensor gets the trust value from the Dashboard DB, it will not ask again for the same hash, so this feature is used whenever we want to overwrite it forcefully).
This is done by first selecting the "Based on MD5" option and entering the MD5 of the required application.
Now the new Trust Set can be entered; then click Submit.
12.1.3 REGISTRY:
We can add the registry location of a specific application to examine whether any changes have been made to it.
12.1.4 QUARANTINE FILE:
Quarantine isolates infected files from the computer's hard disk.
To quarantine, specify the path to be quarantined in the space above and click Submit.
To examine it at a later time, choose the DOWNLOAD FILE option so that it is downloaded to our related cloud, where we can look at it whenever necessary.
12.2 LICENSE:
License specifies details like User count, Device count, License Created Date, License End Date, License Bought, License Used and License Left.
The File Scanner shows the complete details of the file/application you have scanned, such as version info, signer details, attributes & checksum of the file/application, etc.
12.3 UPDATE SENSOR:
• When the update is completed, "UPDATE SUCCESFULL" is displayed in the Update Status.
We can add new builds for Radar by clicking the ADD BUILD option.
We can also delete any Radar build that is not required by clicking the 'X' option.
12.4 PROFILES:
To assign a set of rules or a set of whitelists to any user or group of users at once, we can create a profile.
To generate a new profile, first select a user and click on the option; all the rules and whitelist entries of that user are then automatically generated as a new profile.
• To add any rule to the empty profile, select the rule from the G-Rules.
• Similarly, to add any whitelist entry to the empty profile, select the entry from the G-Whitelist.
• To view the added rules or whitelist entries, click the 3rd and 4th buttons in the Action column as shown below.
• Similarly, all the selected whitelist entries are displayed as shown below.
12.5 GOLDEN-RULES:
These are the rules that apply to all users.
The Rule Effect mode of a rule can be modified by clicking the Modify option corresponding to each rule (as shown below).
Select the profile from the top dropdown box, select the rule to be added to it, click the Modify option and then the Save option.
We can also delete several rules at a time by selecting the unneeded rules and clicking the "Delete" option.
12.6 GOLDEN-WHITELIST:
This is the set of whitelisted applications belonging to all users.
The Operation Type of a whitelist entry can also be modified by clicking the Modify option corresponding to each entry.
After selecting the profile from the top dropdown box, select the required Operation Type, select the whitelist entry to be added to it, click the Modify option and then the Save option.
We can also delete several entries at a time by selecting the unneeded whitelist entries and clicking the "Delete" option.
Similarly, we have GOLDEN BLACKLIST, GOLDEN FIREWALL and GOLDEN FILE PROTECT, which contain the processes and rules of all users.
12.7 SCHEMA SETTINGS:
This section is related to the database; it gives the details of the different database tables and their sizes.
13 TRACKING:
Tracking is a section where we can track the actions performed by the user (regarding anything like Whitelist, Rules or Actions).
This section is further segregated into Whitelist, Action, Rules, Command and Others.
In every category we have a Status filter with 3 options: Pending, Completed and All.
Pending: Displays only those applications that are still pending (i.e. not yet consumed by the sensor).
Completed: Displays those applications for which the respective action given by the user is completed (i.e. consumed by the sensor).
14 REPORTS:
To view a report for any user, select the user and click on any of the report types.
The start date and end date must also be specified so that it displays the particular report type between the specified dates.