
RADAR360°

SOP Document

This document explains the different controls present on the RADAR central Dashboard and how to use the options available to control and configure the Sensor at the Endpoint.

Prepared by: ColorTokens HYD-IRC Team

Date: 18-Sep-2018

Version: 3.0

Reviewed by: ColorTokens HYD-R&D Team

Contact: Chandra.reddy@colortokens.com

SUMMARY PAGE
1. LOGIN
2. DIFFERENT SECTIONS IN DASHBOARD
2.1 CHARTS
2.2 ALERTS
2.2.1 HIGH ALERTS
2.2.2 SUMMARY
2.2.3 LOGS
2.3.1 DIFFERENT TYPE OF FILTERS IN ALERTS
2.3.2 ACTIONS
2.3.3 LIVE
2.3.4 SEARCH
3. TICKETS
4. DEVICES
4.1 DEVICE TREE
4.2 DEVICES
4.2.1 RESTART RADAR
4.2.2 SENSOR MODES [KERNEL LEVEL]
4.2.2.1 NO-BLOCK MODE/SAFE MODE
4.2.2.2 WHITELIST MODE/FREEZE MODE
4.2.2.3 STEPS TO CONVERT A USER FROM SAFE MODE TO FREEZE MODE
4.2.2.4 CONVERTING YOUR SYSTEM FROM FREEZE TO EVENT MODE
4.2.2.5 CONVERTING YOUR SYSTEM FROM EVENT TO FREEZE MODE
4.2.2.6 BLACKLIST MODE
4.2.2.7 RULES EFFECT MODE [USER LEVEL]
4.2.2.8 CONVERTING YOUR SYSTEM FROM EVENT MODE TO TERMINATION MODE
4.2.2.9 ADD ALL RUNNING PROCESS TO WHITELIST
4.2.2.10 REFRESH ALL WHITELIST PATH MD5
4.2.2.11 CLEAR FINGERPRINT FOR ALL WHITELIST PATHS
4.2.2.12 PROCESS NOT IN WHITELIST [Ignore]
4.2.2.13 PROCESS NOT IN WHITELIST [Event]
4.2.2.14 PROCESS NOT IN WHITELIST [Kill]
4.2.2.15 PROCESS NOT IN WHITELIST [Kill-Tree]
4.2.2.16 ORPHAN PROCESS WITH NO NETWORK [Ignore]
4.2.2.17 ORPHAN PROCESS WITH NO NETWORK [Event]
4.2.2.18 ORPHAN PROCESS WITH NO NETWORK [Global Effect Mode]
4.2.2.19 MARK RADAR AS CRITICAL PROCESS
4.3 DEVICE EVENTS
4.4 ERROR DETAIL
5. PROC-TREE
6. RULE RINGS
6.1 ACTIONS
6.2 ACTIVE
6.3 INACTIVE
6.4 M-TRUST
6.5 P-TRUST
6.6 RULES SET
7 PROCESS PROTECT
7.1 PATH BASED WHITELIST
7.2 MD5 BASED WHITELIST
7.3 WHITELIST SETTINGS
7.4 SUPPRESSED EVENTS
7.5 BLACKLIST
7.6 BLACKLIST SETTINGS
8.0 NETWORK FIREWALL
9 FILE PROTECT
9.1 USB
10 USERS
10.1 MANAGE USER
11 DUMPS
12 SETTINGS
12.1 MISC. OPERATIONS
12.1.1 MD5 EDIT
12.1.2 TRUST OVERRIDE
12.1.3 REGISTRY
12.1.4 QUARANTINE FILE
12.1.5 DOWNLOAD FILE
12.2 LICENSE
12.2.1 FILE SCANNER
12.3 UPDATE SENSOR
12.3.1 RADAR BUILDS
12.3.2 RADAR WATCHDOG BUILDS
12.4 PROFILES
12.5 GOLDEN-RULES
12.6 GOLDEN-WHITELIST
12.7 SCHEMA SETTINGS
13 TRACKING
14 REPORTS

1. LOGIN:
Enter the dashboard URL in any browser; the RCS DASHBOARD loads and prompts for a login and password. [The same login page serves both User and Admin mode.]

After entering the USERNAME and PASSWORD you are logged into the RCS-DASHBOARD.
The homepage of the RCS-DASHBOARD is shown below.

2. DIFFERENT SECTIONS IN DASHBOARD:

2.1 CHARTS

The Charts page has the following fields:

ALERTS, ASSETS, RISK, SOURCE, THREAT, TICKETS.

ASSETS: Information about the endpoints that report to the dashboard, i.e. where RADAR360 is installed and running.

TICKETS: Whenever a suspicious process or malware is found, the analyst converts the alert into a ticket. [This is the dashboard's built-in, simple incident-management workflow.]

While converting an alert into a ticket, two categories must be filled in: Risk Level and Threat Type.

2.2 ALERTS:
The Alerts page has the sections High Alerts, Summary, Logs, Live and Search.

2.2.1 HIGH ALERTS:

RADAR360 proactively seeks out and analyzes suspicious behaviors and activities. If a process's behavior is suspicious, it is displayed under the High Alerts section.

2.2.2 SUMMARY:
The Summary section is divided into 5 columns:

Whitelist: The top 20 whitelist-related entries.

The '#' column is the number of times that particular event has occurred.

The time-period dropdown box restricts the summary to alerts from the chosen period.

Blacklist: The top 20 blacklist-related entries.

Process: The top 20 entries generated by rules of any kind.

P-Trust: The top 20 entries generated because of a bad process trust reason.

M-Trust: The top 20 entries generated because of a bad module trust reason.

2.2.3 LOGS:

Filename: The file name of the process that generated the alert.

IP Address: The IP address of the system that reported the alert.

VT Count: The VirusTotal count for the process [Trust Level], shown as X/Y:

0/0 => not found in the local DB.

X/0 => X AV engines analyzed the sample and none reported it.

X/Y => X AV vendors analyzed the sample and Y of them reported it as a bad sample.

Event type: There are different types of events: Process event, File event, Driver event and Module event. [These are the sources at the sensor where an alert is generated.]

PROCESS: Whenever a process attempts a network connection and is not already in the allowed RULE list, a process event is generated.

DRIVER: If a process is not in the whitelist (by any combination: Path + Hash, Hash only, Path only), a driver event is generated. These alerts are generated only when the system is in Whitelist mode.

MODULE: When a DLL is loaded into or injected into a process, a module event is generated according to the module trust settings for that system (Settings => Rule Settings => MODULE Trust Settings).

FILTER OPTION: Select only a particular type of alert (process, module, ...).

DROPDOWN: Select how many alerts to load (100, 250, 500, ...).

By default, the latest 100 alerts are loaded every time the Alerts page is refreshed.

To see the latest 2500, select the 2500 option in the dropdown box, select the ALL option in the filter tab, and click the refresh button. The same procedure applies to any other count or filter.

2.3.1 DIFFERENT TYPE OF FILTERS IN ALERTS PAGE:
HIGH: High alerts are processes that were blocked by the driver or terminated.

ALL: Loads all alerts.

DRIVER, PROCESS, MODULE: Explained above.

To see detailed information about an alert, click its expand button.

The detailed view of an alert is shown below. It includes the full path, reason, parent path, source and destination IP, etc.
2.3.2 ACTIONS:

The 1st button converts an event into a ticket. If the event is suspicious, click the 1st button; a dialog opens. Fill in the required information and click Convert; the ticket is created.

The 2nd button converts an event into a rule. Enter the reason in the comment box and click Convert; a new rule is created.

The 3rd button deletes/ignores the alert.

The 4th button updates the VT count.

The 5th button downloads the file.

The 6th button suppresses the alert: if an alert keeps recurring and you do not need it, choose this option and it no longer appears once suppressed.

2.3.3 LIVE:
The Live section has 5 categories:

File: Any file modification is recorded here automatically and can be tracked.
Hardware: When a hardware device such as a USB stick or pen drive is connected to the system, the Radar sensor records it here automatically.
IP Packet: The complete details of IP packets are displayed here.
Network: Traces the network traffic: from which IP a connection to which remote IP address was made, over which port numbers, with which protocol, and the connection status, e.g. ESTABLISHED, SYN-SENT or LAST-ACK.
URI Data: Shows which website the connection was made to.

2.3.4 SEARCH:
There are 5 search types: Source IP, Remote IP, Hash, Path and Event ID.

Source IP: Search by source IP address.

Remote IP: Search by remote IP address.

Hash: Search for an application by its MD5.

Path: Search by path; select the complete path first.

Event ID: Search for an alert by its ID.

3. TICKETS:

The Tickets section lists all raised tickets and lets you browse through them.
By clicking the Events button for a ticket you can view the specific alerts for which the ticket was raised.

4. DEVICES:
4.1 DEVICE TREE:
In this section you create a node by right-clicking the parent node and adding the information for that node.

A new device is added to a node by dragging and dropping it onto that node. The newly added device appears on the right side. [Only admins can see nodes and add devices to them.]

4.2 DEVICES:
In the device info section, a system's information can be viewed by expanding its entry: device UUID, IP address, Radar version, whether the system is live, the kernel mode [Whitelist (Event or Block), No-Block mode or Blacklist (Event or Block)], the rules effect mode (Event, Kill, Kill-Tree) and the node the device belongs to.

The device list can be exported to a CSV file by clicking the down-arrow button at the top.

4.2.1 RESTART RADAR:

To restart RADAR on any user's system, select the user from the All Users dropdown box and click the Restart button.

4.2.2 SENSOR MODES: [KERNEL LEVEL]
This is a very important section; it is used to put systems into FREEZE MODE and TERMINATION MODE. The options are:

WHITELIST BASED, BLACKLIST BASED, NO-BLOCK MODE

4.2.2.1 NO-BLOCK MODE:

SAFE MODE is the same as No-Block mode. After RADAR360 is installed on a system, the system is in No-Block mode [SAFE MODE], which means every process is allowed to run.

4.2.2.2 WHITELIST MODE/FREEZE MODE:

WHITELIST MODE allows only the applications whitelisted by the user.

USE of FREEZE MODE: only whitelisted applications run; every application that is not in the whitelist is blocked automatically.

4.2.2.3 STEPS TO CONVERT A USER FROM SAFE MODE TO FREEZE MODE:

1. Select a user from the All Users dropdown box.

2. Select the Add All Running Process to Whitelist option under Whitelist [THIS ADDS EVERY PROCESS CURRENTLY RUNNING ON THE SYSTEM TO THE WHITELIST].

3. Check which processes were added by clicking the Whitelist option under the Process Protect section. The image above shows the processes added to the whitelist. Make sure the VT count is updated for them, so that anything with a bad VT count is removed before the whitelist is enforced.

4. After adding all processes, move the system to whitelist mode [EVENT or BLOCK].

If you select Whitelist-Event, the system is in whitelist event mode [use this to check whether any needed applications are still missing from the whitelist].

WHITELIST-EVENT allows applications both in and not in the whitelist, and raises an event for the latter.

If you select Whitelist-Block, the system is in freeze mode [Whitelist Block Mode].

WHITELIST-BLOCK allows only whitelisted applications to run; everything not in the whitelist is blocked.

After converting the system to FREEZE MODE, confirm it by checking K-MODE in the Devices section:

If it shows block, the system is in FREEZE MODE.

If it shows event, the system is in EVENT MODE.

4.2.2.4 CONVERTING YOUR SYSTEM FROM FREEZE TO EVENT MODE:

1. Select the user from the All Users dropdown box.

2. Click Mode > select the Whitelist based - Event option. The system is now in event mode and new applications can be run.

4.2.2.5 CONVERTING YOUR SYSTEM FROM EVENT TO FREEZE MODE:

Select REFRESH ALL WHITELIST PATH MD5 first, so that the stored hashes match the binaries currently on disk (anything updated while in event mode would otherwise be blocked), then select WHITELIST MODE - BLOCK.

4.2.2.6 BLACKLIST MODE:

This is the opposite of WHITELIST MODE: only blacklisted applications are blocked and everything else is allowed to run.

4.2.2.7 RULES EFFECT MODE [USER LEVEL]:
The rules effect mode works entirely at user level: the user/enterprise chooses which processes may make network connections. The user-level options let you scrutinize a suspicious process more closely.

EVENT MODE: An event is generated when a process makes a network connection; no action is taken on the process.
KILL-P: An event is generated when a process makes a network connection and the process is killed.
KILL-P&T: An event is generated when a process makes a network connection and both the process and its parent are killed.

4.2.2.8 CONVERTING YOUR SYSTEM FROM EVENT MODE TO TERMINATION MODE:

1. Select the user from the All Users dropdown box.

2. Go to Devices > click the dropdown box > choose Convert rules effect mode - Kill.

The system is now in TERMINATION MODE. After converting, confirm it by looking at R-MODE in the Devices section: if it shows Kill-P, the system is in TERMINATION mode.

4.2.2.9 ADD ALL RUNNING PROCESS TO WHITELIST:

Clicking this option adds every process currently running on the system to the whitelist automatically.

4.2.2.10 REFRESH ALL WHITELIST PATH MD5:

This option recomputes the MD5 of every path entry in the whitelist, so that the stored hashes match the files currently on disk.

4.2.2.11 CLEAR FINGERPRINT FOR ALL WHITELIST PATHS:

This option clears all the fingerprints (MD5s) attached to the whitelist paths, leaving path-only entries. Note that a path-only entry is matched by path alone, so a binary replaced at the same path still passes the whitelist.

4.2.2.12 PROCESS NOT IN WHITELIST [Ignore]:
Applies to applications that are running while the system is in Blacklist or No-Block mode and are not in the whitelist. When the system is switched to WHITELIST MODE from any other mode, NO ACTION is taken on those already-running applications.

4.2.2.13 PROCESS NOT IN WHITELIST [Event]:

Same situation as above: when the system is switched to WHITELIST MODE, an EVENT is shown in ALERTS for each already-running application that is not in the whitelist.

4.2.2.14 PROCESS NOT IN WHITELIST [Kill]:

Same situation as above: when the system is switched to WHITELIST MODE, each already-running application that is not in the whitelist is killed.

4.2.2.15 PROCESS NOT IN WHITELIST [Kill-Tree]:
Same situation as above: when the system is switched to WHITELIST MODE, each already-running application that is not in the whitelist is killed together with its entire process tree.
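The following model, added here as an illustration and not part of the RADAR360 product or its code, puts sections 4.2.2.3, 4.2.2.5 and 4.2.2.12 to 4.2.2.15 together: a whitelist with the three entry kinds from 2.2.3 (Path + Hash, Hash only, Path only), the kernel-mode decision for a new process (No-Block, Whitelist-Event, Whitelist-Block), the Refresh All Whitelist Path MD5 step, and the Ignore/Event/Kill/Kill-Tree policy for processes already running when whitelist mode is applied. The disk contents, paths, process table and function names are all constructed for the example; the sensor's real data structures are not described on this page.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the endpoint's disk: image path -> file contents (not real binaries).
DISK_V1 = {
    r"C:\Windows\System32\svchost.exe": b"svchost build 1",
    r"C:\Program Files\App\app.exe": b"app build 1",
    r"C:\Users\u\Downloads\tool.exe": b"tool build 1",
}
# Constructed running-process table: pid -> (image path, parent pid).
PROCS = {
    4: (r"C:\Windows\System32\svchost.exe", 0),
    20: (r"C:\Program Files\App\app.exe", 4),
    31: (r"C:\Users\u\Downloads\tool.exe", 4),
    32: (r"C:\Program Files\App\app.exe", 31),   # app.exe launched by tool.exe
}

def md5_of(data):
    return hashlib.md5(data).hexdigest()

@dataclass
class Whitelist:
    paths: dict = field(default_factory=dict)   # path -> MD5, or None for a path-only entry
    hashes: set = field(default_factory=set)    # MD5-only entries (matched regardless of path)

    def add_running(self, procs, disk):
        """'Add all running process to whitelist': path + MD5 of every running image."""
        for path, _ppid in procs.values():
            self.paths[path] = md5_of(disk[path])

    def refresh_md5(self, disk):
        """'Refresh all whitelist path MD5': re-hash every path+MD5 entry from the current disk."""
        for path, stored in list(self.paths.items()):
            if stored is not None and path in disk:
                self.paths[path] = md5_of(disk[path])

    def matches(self, path, md5):
        """Path+MD5 needs both to match; path-only matches by path alone; MD5-only matches anywhere."""
        if md5 in self.hashes:
            return True
        if path not in self.paths:
            return False
        stored = self.paths[path]
        return stored is None or stored == md5

def decide_launch(mode, wl, path, data):
    """Kernel-mode decision for a process launch: returns (allow|block, driver_event_raised)."""
    if mode == "no-block":                        # SAFE MODE: everything runs, nothing checked
        return "allow", False
    if wl.matches(path, md5_of(data)):
        return "allow", False
    if mode == "whitelist-event":                 # EVENT MODE: still runs, but a driver event is raised
        return "allow", True
    if mode == "whitelist-block":                 # FREEZE MODE: blocked and reported
        return "block", True
    raise ValueError(f"unknown mode {mode!r}")

def descendants(procs, root):
    """All pids whose ancestor chain includes `root` (the process tree below it)."""
    found, frontier = set(), [root]
    while frontier:
        cur = frontier.pop()
        for pid, (_path, ppid) in procs.items():
            if ppid == cur and pid not in found:
                found.add(pid)
                frontier.append(pid)
    return found

def enter_whitelist_mode(procs, wl, disk, policy):
    """'Process not in whitelist' handling for processes already running when whitelist
    mode is applied. policy: ignore | event | kill | kill-tree. Returns {pid: action}."""
    actions = {}
    for pid, (path, _ppid) in procs.items():
        if wl.matches(path, md5_of(disk[path])):
            continue
        if policy == "kill-tree":
            for p in {pid} | descendants(procs, pid):
                actions[p] = "kill"
        else:
            actions[pid] = policy
    return actions

if __name__ == "__main__":
    wl = Whitelist()
    wl.add_running({4: PROCS[4], 20: PROCS[20]}, DISK_V1)   # tool.exe deliberately left out
    print(decide_launch("whitelist-block", wl, r"C:\Users\u\Downloads\tool.exe", b"tool build 1"))
    print(enter_whitelist_mode(PROCS, wl, DISK_V1, "kill-tree"))
```

Two points the model makes visible: a path+MD5 entry stops matching as soon as the file at that path changes, which is why Refresh All Whitelist Path MD5 comes before returning to block mode; and a path-only entry (or a cleared fingerprint) accepts any content at that path, so an attacker who can overwrite a whitelisted file keeps running under freeze mode.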

4.2.2.16 ORPHAN PROCESS WITH NO NETWORK [Ignore]:

When an orphan process (a process with no parent) runs without making any network connection, NO ACTION is taken on it.

4.2.2.17 ORPHAN PROCESS WITH NO NETWORK [Event]:

When an orphan process runs without making any network connection, an event for that process is shown in ALERTS.

4.2.2.18 ORPHAN PROCESS WITH NO NETWORK [Global Effect Mode]:

When an orphan process runs without making any network connection, the rule effect applied to it follows the GLOBAL EFFECT MODE.

4.2.2.19 MARK RADAR AS CRITICAL PROCESS:

Selecting this option prevents the Radar service from being stopped. If Radar is stopped forcibly while marked critical, the system may crash.
To undo this, use the “MARK RADAR AS NON-CRITICAL PROCESS” option.

4.3 DEVICE EVENTS:
If any Radar CONFIG file is corrupted, it is reported as an event in the Device Events section.

In such a case the system's mode may revert to No-Block mode or change in other ways, depending on which config files are affected.
For further assistance contact the COGNORE support team.

4.4 ERROR DETAIL:


This section displays errors regarding requests made to server or database.

5. PROC-TREE:
Proc-Tree displays all processes currently running on the system.

Click Proc-Tree -> Select User.
A) The Kill option kills the selected process. A process can be killed by PATH, by PID [PROCESS ID] or by MD5 [HASH].

B) The Whitelist option adds the selected process to the whitelist; allow the process by path, hash or both, as required.

Similarly, an unwanted process can be added to the blacklist.

C) The Rule option adds a rule for the selected process.

Select the application and click Rule -> Rule Action -> Rule Effect, enter the comments and click Convert.

6. RULE RINGS:

A rule is like a permission; all processes are governed by the rules we create.

The Rules view has 4 columns:

1) Active
2) In-Active
3) M-Trust
4) P-Trust

6.1 ACTIONS:
Every rule has Modify and Remove options.

Clicking Modify opens the dialog box below, where the Rule Effect mode can be changed, or the rule can be added to the Golden Rules and to any profile.

6.2 ACTIVE:
Click the Active option to view all active rules and their Rule Effect mode.

To delete the rule for an application, select the rule and click the delete icon.

The rule is removed from the Active column and no longer affects the application.

6.3 INACTIVE:

Any rule deleted from the Active column is shown under Inactive.

The rule can be re-activated by clicking the “Re-Active” button.

It can also be removed from the table entirely by clicking the “Delete” icon.

6.4 M-TRUST:

Based on module trust values, this is used either to kill applications or to create events; the action performed depends on the modes selected.

First, select a user.

When a Trust Set is given, select either Event or Kill as the Trust Set Effect Mode.

When Event is selected, the Trust Set Kill Mode is irrelevant (no process is killed).

When Kill is selected, the Trust Set Kill Mode chooses between “Kill the Process only” and “Kill the Process & Tree”.

The Min Trust Kill Value must also be entered: every application whose module trust value is equal to or greater than this value is killed.
The Min Trust Kill Effect Mode specifies whether to “Kill the Process only” or “Kill the Process & Tree”.
After entering all the fields, click Submit.

6.5 P-TRUST:

Based on process trust values, this is used either to kill applications or to create events; the action performed depends on the modes selected.

First, select a user.

When a Trust Set is given, select either Event or Kill as the Trust Set Effect Mode.

When Event is selected, the Trust Set Kill Mode is irrelevant (no process is killed).

When Kill is selected, the Trust Set Kill Mode chooses between “Kill the Process only” and “Kill the Process & Tree”.

The Min Trust Kill Value must also be entered: every application whose process trust value is equal to or greater than this value is killed.

The Min Trust Kill Effect Mode specifies whether to “Kill the Process only” or “Kill the Process & Tree”.

After entering all the fields, click Submit.

The LATEST button fetches the latest information from the sensor.

6.6 RULES SET:
A. PROTECT PROCESS FROM BO, ROP AND RCE EXPLOITS (buffer overflow, return-oriented programming and remote code execution):

This rule requires that any child spawned by the protected process has the same image as its parent [child & parent must be the same].

Ex: If Chrome is open, the parent process is chrome and any child process must also be chrome.

If they do not match, the child process is terminated and an event is generated.

B. PROTECT PROCESS FROM C&C EXPLOITS:

This rule applies when a child process, rather than the protected parent process itself, makes network connections; the child is either terminated or an event is generated, depending on the rule effect.

Ex: If Chrome is open and a child process instead of the parent chrome process attempts a network connection, the child process is terminated.

C. DENY PROCESS FROM NETWORK CONNECTION:

Add this rule for commonly abused processes such as rundll32, Wscript, Cscript, PowerShell, ...; whenever they attempt a network connection, the process is terminated.

D. ALLOW PROCESS FROM NETWORK CONNECTION:

This allows a process to make network connections.

E. ALLOW ORPHAN PROCESS WITH NETWORK CONNECTION:

An exclude rule, added for a process that has no parent and makes network connections. [NO PARENT, BUT THE PROCESS IS ALLOWED TO MAKE NETWORK CONNECTIONS]

F. ALLOW ORPHAN PROCESS WITHOUT NETWORK CONNECTION:

Added for a process that has no parent and does not make network connections. [NO PARENT AND THE PROCESS IS NOT ALLOWED TO MAKE NETWORK CONNECTIONS]

G. PROCESS RUN ONLY UNDER THIS PARENT:

A special rule for a particular process that may run only under a specific parent. [CHILD PROCESS RUNS UNDER THE SPECIFIED PARENT ONLY]

Ex: Rundll32.exe must run under SVCHOST.EXE only.
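The evaluator below, added as an illustration and not the product's own rule engine or rule syntax, plays the rule types A to G of this section and the effect modes of 4.2.2.7 (Event, Kill-P, Kill-P&T, with Kill-P&T taken as "process and its parent" as that section states) against constructed sensor events. Each event is a process start or a network-connection attempt with the child image and its parent image (None for an orphan); the rule list, image names and the dictionary format are assumptions for the example. The PROCESS event of 2.2.3 (a connection by a process with no allow rule) and the orphan-without-network setting of 4.2.2.16 to 4.2.2.18 are folded in as defaults.

```python
# Effect modes from 4.2.2.7 mapped to the action taken on the offending process.
EFFECT_ACTION = {"event": "event", "kill-p": "kill", "kill-p&t": "kill-and-parent"}

# Constructed rule set (example only). The 'type' mirrors one rule kind of 6.6; 'effect' is the
# per-rule Rule Effect and is omitted for the allow/exclude rules, which take no action.
RULES = [
    {"type": "protect_bo_rop_rce", "image": "chrome.exe", "effect": "kill-p"},      # A
    {"type": "protect_cc", "image": "chrome.exe", "effect": "kill-p"},              # B
    {"type": "deny_network", "image": "powershell.exe", "effect": "kill-p"},        # C
    {"type": "deny_network", "image": "rundll32.exe", "effect": "kill-p"},          # C
    {"type": "allow_network", "image": "chrome.exe"},                               # D
    {"type": "allow_orphan_with_network", "image": "updater.exe"},                  # E
    {"type": "allow_orphan_without_network", "image": "agent.exe"},                 # F
    {"type": "run_only_under", "image": "rundll32.exe", "parent": "svchost.exe",
     "effect": "kill-p&t"},                                                         # G
]

def action(effect):
    return EFFECT_ACTION[effect]

def evaluate(ev, rules=RULES, global_effect="event", orphan_no_net="global"):
    """Evaluate one constructed sensor event.
    ev = {"kind": "start"|"connect", "image": child image, "parent": parent image or None}
    global_effect: the R-MODE (event | kill-p | kill-p&t) used when no rule names an effect.
    orphan_no_net: the 4.2.2.16-18 setting for orphans that make no connection: ignore | event | global.
    Returns a list of (reason, action); an empty list means allowed without an alert."""
    img = ev["image"].lower()
    parent = ev["parent"].lower() if ev["parent"] else None
    own = lambda t: [r for r in rules if r["type"] == t and r["image"] == img]
    of_parent = lambda t: [r for r in rules if r["type"] == t and r["image"] == parent]
    findings = []
    if ev["kind"] == "start":
        for r in own("run_only_under"):                        # rule G
            if parent != r["parent"]:
                findings.append((f"{img} must run only under {r['parent']}", action(r["effect"])))
        for r in of_parent("protect_bo_rop_rce"):              # rule A: child image must equal parent image
            if img != parent:
                findings.append((f"{parent} spawned foreign child {img}", action(r["effect"])))
        if parent is None and not own("allow_orphan_without_network"):   # rule F, else 4.2.2.16-18
            if orphan_no_net == "event":
                findings.append(("orphan process without network", "event"))
            elif orphan_no_net == "global":
                findings.append(("orphan process without network", action(global_effect)))
        return findings
    # kind == "connect": a network-connection attempt by img
    for r in own("deny_network"):                              # rule C
        findings.append((f"{img} denied network connection", action(r["effect"])))
    for r in of_parent("protect_cc"):                          # rule B: only the parent itself may connect
        if img != parent:
            findings.append((f"child {img} of {parent} opened network connection", action(r["effect"])))
    if findings:
        return findings
    if parent is None:                                         # rule E, else treated like any PROCESS event
        return [] if own("allow_orphan_with_network") else [("orphan process with network", action(global_effect))]
    if own("allow_network"):                                   # rule D
        return []
    return [(f"{img} not in allowed rule list", action(global_effect))]   # PROCESS event of 2.2.3

if __name__ == "__main__":
    print(evaluate({"kind": "start", "image": "rundll32.exe", "parent": "winword.exe"}))
    print(evaluate({"kind": "connect", "image": "svchost.exe", "parent": "chrome.exe"}))
```

Deny and parent-protection rules are checked before any allow rule, so an explicit ALLOW for chrome does not let a process spawned by chrome connect; and a Chrome renderer (chrome.exe under chrome.exe) passes both rule A and rule B, which is the case the example in A describes.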

7 PROCESS PROTECT:

All applications added to the whitelist are displayed here.

Select a user first to view its applications.

7.1 PATH BASED WHITELIST:

All applications allowed by Path, or by Path & MD5, are displayed in the PATH BASED WHITELIST.
An application can be added to the whitelist by selecting the add option and filling in the required fields.

This adds the application to the whitelist directly, without waiting for an alert to arrive.
Single or multiple whitelisted processes can be deleted by selecting them and clicking the delete option.
DELETE ENTRY deletes the selected whitelisted process.
DELETE ALL PATH HASH ENTRIES deletes all whitelist path-fingerprint entries [only user-added fingerprints are deleted].
DELETE ALL PATH ONLY ENTRIES deletes all path-only whitelist entries.
REMOVE MD5 removes the MD5 of the selected whitelisted process.
ADD MD5 adds an MD5 to a whitelisted process that does not yet have one.

7.2 MD5 BASED WHITELIST:
All processes/applications allowed by MD5 only are displayed in the MD5 BASED WHITELIST.

Click the DELETE option to delete an allowed MD5 from the MD5 BASED WHITELIST column.

7.3 WHITELIST SETTINGS:

ADD ALL GOOD TRUST PROCESS TO WHITELIST
This option adds all good-trust processes running on the system to the whitelist.

7.4 SUPPRESSED EVENTS:

To stop receiving an alert, suppress the process from the Actions in the LOGS section; the event is then no longer displayed in the Alerts section.
All suppressed processes are listed in the SUPPRESSED EVENTS section.

7.5 BLACKLIST:
All applications added to the BLACKLIST are displayed in the Blacklist column.

A process can be added to the BLACKLIST by
A) Trust Override [Settings > Misc. Operations > Trust Override]
B) Selecting the column and filling in the data in the displayed options
C) Auto Add Bad Trust Process To Blacklist [Blacklist Settings > Auto add bad trust process to blacklist]

7.6 BLACKLIST SETTINGS:
This section is the counterpart of WHITELIST SETTINGS.
ADD ALL BAD TRUST PROCESS TO BLACKLIST
This option adds all bad-trust processes running on the system to the blacklist.

8.0 NETWORK FIREWALL:

The Process Firewall is an important section: it controls which processes/applications may make network connections.
Select a user first to view its applications.

By default there are 4 mandatory rules related to Radar.
To add a new rule, click the RULE option and provide the rule name, the direction (Outbound/Inbound) and the action (Allow/Block). [Specify the application path, protocol, and local and remote IP address if required.]
Allowed applications can be activated or deactivated (permitted or not permitted to make network connections) by selecting the rules and clicking the Activate or Deactivate option.
NOTE: Do not add a rule that blocks all applications; this may crash processes that are making network connections.
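As an added illustration of the rule fields just listed (this is not the product's firewall code, and the product's matching order and default action are not stated on this page), the matcher below treats a rule as active/inactive, matches direction, optional application path, protocol and local/remote address or CIDR, takes the first matching rule, and flags the "block all apps" rule the NOTE warns against. The rule names, paths and the fall-through default are constructed assumptions; the 4 mandatory Radar rules are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class FwRule:
    name: str
    direction: str                  # "outbound" or "inbound"
    action: str                     # "allow" or "block"
    app: Optional[str] = None       # application path; None matches any application
    protocol: Optional[str] = None  # "tcp" / "udp"; None matches any protocol
    local: Optional[str] = None     # local address or CIDR; None matches any
    remote: Optional[str] = None    # remote address or CIDR; None matches any
    active: bool = True             # Deactivate sets this to False; the rule is then skipped

@dataclass
class Conn:
    app: str
    direction: str
    protocol: str
    local_ip: str
    remote_ip: str

def _ip_in(ip, cidr):
    return cidr is None or ip_address(ip) in ip_network(cidr, strict=False)

def rule_matches(rule, conn):
    return (rule.active
            and rule.direction == conn.direction
            and (rule.app is None or rule.app.lower() == conn.app.lower())
            and (rule.protocol is None or rule.protocol == conn.protocol)
            and _ip_in(conn.local_ip, rule.local)
            and _ip_in(conn.remote_ip, rule.remote))

def decide(rules, conn, default="allow"):
    """First active matching rule wins. Assumption for the example: a connection that matches
    no rule falls through to `default`; the page does not state the product's default."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return default, None

def blanket_block_rules(rules):
    """Flag active block rules with no application, protocol or address restriction:
    the 'block all apps' rule the NOTE above warns against."""
    return [r.name for r in rules
            if r.active and r.action == "block"
            and r.app is None and r.protocol is None and r.local is None and r.remote is None]

# Constructed paths and rule set for the example (hypothetical names).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RULES = [
    FwRule("allow-chrome-out", "outbound", "allow", app=CHROME, protocol="tcp"),
    FwRule("block-powershell-out", "outbound", "block", app=POWERSHELL),
    FwRule("block-in-from-guest-lan", "inbound", "block", remote="192.168.50.0/24"),
    FwRule("block-all-out", "outbound", "block", active=False),   # deactivated; would be flagged if active
]

if __name__ == "__main__":
    print(decide(RULES, Conn(POWERSHELL, "outbound", "tcp", "10.0.0.12", "203.0.113.7")))
    print(blanket_block_rules(RULES))
```

Run blanket_block_rules over a rule set before activating rules in bulk: a block rule with every field left empty matches every connection in its direction, which is exactly the situation the NOTE describes.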

9. FILE PROTECT:
This section protects drivers, directories, applications, files, etc. It manages which applications may use which files, and vice versa.

Any number of rules can be added to manage the permissions of a particular application or file. A created rule can be disabled with the Deactivate option.

9.1 USB:
The USB option blocks access to external hard drives and USB devices; it is used to block all USB access.

10 USERS:
The total number of dashboard users and their details are shown in this section.

User details can be edited by clicking the Modify option in the Action column.
If a user enters invalid credentials on the login page 3 times in a row, the account is blocked [Active becomes Inactive].

10.1 MANAGE USER:

This section is used by the ADMIN to add or remove the roles of users and node admins.

11 DUMPS:
To dump information about a particular system, first select a user from the dropdown box at the upper right and then refresh the Dumps page. To dump the information for a particular setting, click that dump and view it after a short while.

12 SETTINGS:
The Settings tab has categories such as Profiles, Update Sensor, Golden Rules, Golden Whitelist, Golden File Protect, Golden Firewall, etc.

12.1 MISC. OPERATIONS:
12.1.1 MD5 EDIT:

Used to update and check the VT count for an MD5.

12.1.2 TRUST OVERRIDE:

Trust Override changes the trust value of a particular hash. Once the sensor has obtained the trust for a hash from the dashboard DB, it does not ask again for the same hash, so this feature is used whenever the value must be overwritten forcibly.
Select the "Based on MD5" option, enter the MD5 of the required application, enter the new trust value and click Submit.

12.1.3 REGISTRY:

A registry location belonging to a specific application can be added so that any changes to it are examined.

12.1.4 QUARANTINE FILE:
Quarantine isolates an infected file from the computer's hard disk.

To quarantine a file, enter its path in the field above and click Submit.

12.1.5 DOWNLOAD FILE:

To examine a process's file at a later time, choose the DOWNLOAD FILE option; the file is downloaded to the cloud storage associated with the dashboard and can be inspected whenever necessary.

12.2 LICENSE:

The License page shows details such as user count, device count, license created date, license end date, licenses bought, licenses used and licenses left.

12.2.1 FILE SCANNER:

If you need to know whether a file is infected but have no immediate access to a virus scanner, File Scanner can help: upload the suspect file and wait a few seconds for the scan result.

The File Scanner shows the complete details of the scanned file/application, such as version info, signer details, attributes and checksum.

12.3 UPDATE SENSOR:

To upgrade the sensor, use the Upgrade Sensor option. The Update Radar and Update Radar Watchdog options work similarly.
• Upgrading the sensor can be done for only 1 user at a time.
• Updating Radar & Radar Watchdog can be done at tree level.

To update Radar for a user:

• Select the user and click the Update Sensor option.
• To apply it to a group of users, select the required group.
• Click the Product Version dropdown list and choose the required version.
• Click Apply.
• Once the update is applied, "UPDATE SCHEDULED" is displayed in the Update Status column for those users.
• When the sensor picks up the update, the Update Status changes to "UPDATE IN PROGRESS".
• When the update is completed, "UPDATE SUCCESSFUL" is displayed in the Update Status.

12.3.1 RADAR BUILDS:

New Radar builds can be added by clicking the ADD BUILD option.
Any Radar build that is no longer required can be deleted by clicking the 'X' option.

12.3.2 RADAR WATCHDOG BUILDS:

New Radar Watchdog builds can be added by clicking the ADD BUILD option.
Any Radar Watchdog build that is no longer required can be deleted by clicking the 'X' option.

12.4 PROFILES:
A profile assigns a set of rules or whitelist entries to a user or group of users at once.

Clicking the option opens the dialog box shown below.

• After filling in the required details, click Save.
• A new empty profile with the given name is created, without any rules or whitelist entries.

To generate a profile from an existing user, first select the user and click the option; the user's entire set of rules and whitelist entries is generated as a new profile.
• To add a rule to the empty profile, select any rule from the G-Rules.
• Similarly, to add a whitelist entry to the empty profile, select any entry from the G-Whitelist.
• To view the added rules or whitelist entries, click the 3rd and 4th buttons in the Action column, as shown below.
• All selected rules are displayed as shown below.
• Similarly, all selected whitelist entries are displayed as shown below.

12.5 GOLDEN-RULES:
These are the rules that apply to all users.

The Rule Effect mode of a rule can be modified by clicking the Modify option next to that rule (as shown below).
To add a rule to a profile, select the profile from the top dropdown box, select the rule, click Modify and then Save.

Several rules can be deleted at once by selecting the unneeded rules and clicking "Delete".

12.6 GOLDEN-WHITELIST:
These are the whitelist applications that belong to all users.

The Operation Type of a whitelist entry can be modified by clicking the Modify option next to that entry.

After selecting the profile from the top dropdown box, select the required Operation Type, select the whitelist entry to add, click Modify and then Save.
Several entries can be deleted at once by selecting the unneeded whitelist entries and clicking "Delete".
Similarly, there are GOLDEN BLACKLIST, GOLDEN FIREWALL and GOLDEN FILE PROTECT sections, which contain the processes and rules of all users.

12.7 SCHEMA SETTINGS:
This section relates to the database: it lists the database tables and their sizes.

13 TRACKING:
Tracking records the actions performed by the user (regarding whitelist, rules, actions or anything else).
The section is divided into Whitelist, Action, Rules, Command and Others.
Each category has a Status filter with 3 options: Pending, Completed and All.

Pending: Shows only the entries that are still pending (not yet consumed by the sensor).

Completed: Shows the entries whose actions have been completed (consumed by the sensor).

All: Shows all pending and completed entries.

14 REPORTS:
To view a report for a user, select the user and click a Report Type.
The start and end dates must also be specified so that the report covers only that period.
