-
Installation Guide for Cisco Security Manager 3.0.1
-
Preface
-
Overview
-
Requirements and Dependencies
-
Preparing a Server for Installation
-
Installing, Upgrading, Downgrading, Uninstalling, and Reinstalling Server Applications
-
Installing, Patching, and Uninstalling Security Manager Client
-
Post-installation Server Tasks
-
Preparing to Use Security Manager
-
Security Manager Server Installation GUI Reference
-
Troubleshooting
-
Cisco Security Agent: Standalone Agent Overview
-
Helpful Reference Information
-
Index
-
Table Of Contents
Cisco Security Agent: Standalone Agent Overview
Understanding and Managing Security Level Settings
Responding to Query Challenges
Uninstalling the Standalone Agent
Cisco Security Agent: Standalone Agent Overview
This appendix describes the standalone version of Cisco Security Agent 5.0.0.187 that is sometimes installed on a Security Manager server.
Note
•
•
This appendix contains the following major sections:
•
•
•
The Basics
If your target server is not protected by the full, commercial version of Cisco Security Agent when you start to install Security Manager, Security Manager installs a customized, standalone version of Cisco Security Agent, with predefined policies that you cannot change. See Cisco Security Agent, page 1-6.
Once installed, the standalone agent controls system operations with policies that allow or deny specific system actions. The agent checks whether an action is allowed or denied before any system resources are accessed and acted upon. The agent never interferes with your daily operations unless it detects what it considers to be a forbidden or unexpected system operation. Nonetheless, its rules are meant to protect your server from rootkits or similarly malicious software and are therefore very strict.
The standalone agent combines Security Manager-specific policies with baseline policies for Windows. To learn about the baseline policies for Windows, log in to your Cisco.com account, then go to http://www.cisco.com/pcgi-bin/Software/
Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/cw2000/csa/fcs-csamc-4.5.1.616-CSA-Policy-Descriptions.zip&app=Tablebuild&status=showC2A.
Note
Agent Log Files
Three log files for the standalone agent are stored in the C:\Program Files\Cisco Systems\CSAgent\log subdirectory:
CSAgent-Install.log
installation log file
csalog.txt
general log file
securitylog.txt
security events log file
Understanding and Managing Security Level Settings
You can right-click the agent icon in the server system tray to change the security level setting at any time. The security level setting determines whether the agent imposes high, medium, or low-security restrictions on your server, or if it imposes no restrictions. The default is medium. Every level that you might select provides a distinct balance between security and convenience.
If you set the agent security level to high, it prevents your server from accepting inbound connections on any UDP or TCP ports except the specific ports that Security Manager and Common Services use. In addition, if the level is high and if the agent detects an untrusted rootkit, all connections (inbound and outbound) are blocked.
Responding to Query Challenges
When you right-click the agent icon and select Security Level > Off to disable your standalone agent, it displays a kind of challenge-response prompt that is commonly called a CAPTCHA (which stands for "completely automated public Turing test to tell computers and humans apart").
Figure A-1 Challenge-Response Prompt
This method confirms that malicious software is not responsible for the request to disable your agent. To learn more, see Using Management Center for Cisco Security Agents 5.0.
Uninstalling the Standalone Agent
Caution
As a temporary alternative, you can right-click the agent icon in your server system tray, then select a lower security level setting or select the option that disables the standalone agent.
Another alternative is to reset the standalone agent, which clears its rootkit detection status. To reset the agent, select Start > Programs > Cisco Systems > Cisco Security Agent > Reset Cisco Security Agent.
To uninstall the standalone agent (even though we recommend that you do not uninstall it), select Start > Programs > Cisco Security Agent > Uninstall Cisco Security Agent.
You must reboot.
