There are six essential steps for the quick deployment of Cisco® Security Agent:
1. Install the Cisco Security Agent Management Center. The Cisco Security Agent Management Center will create predefined groups and policies after the initial installation. Administrative tasks such as event monitoring, reporting, group and policy Assignment, and agent-kit creation are also performed using the Cisco Security Agent Management Console. See Section 4, Phase 1: Installing the Cisco Security Agent Management Center.
2. Update Cisco Security Agent Management Console license information. Licenses are required for Cisco Security Agent for desktops and servers. A separate license is required for data loss prevention (DLP). The license files are imported to the Cisco Security Agent Management Console. See Section 4.5, Installing the Product License Key.
3. Choose your policies for rapid deployment. Decide which security protections or acceptable use controls you need. For example, antivirus and personal firewall programs are security protections, and USB control and Payment Card Industry (PCI) compliance are acceptable use controls. Note that different options take different amounts of time for tuning (Table 1). These policies are categorized based on business requirements and can be selected individually. See Section 5, Phase 2: Planning Deployment and Choosing Policies.
4. Assign your selected policies to the default desktop group. You can have more than one group of agents. See Section 6.1, Assigning Targeted Hosts Security Policy to Default Desktop Group.
5. Deploy the agents. See Section 6.2, Deploying Windows Agent.
6. Tune the system. See Section 7, Phase 4: Tuning the System.
Table 1. Acceptable Usage Policies
Initial Configuration Level
Time Estimated for Deployment
Acceptable Usage Policies
Require VPN Hosts on Insecure Networks
Block Wireless Bridging
Block Writing Files to USB Devices
Audit System Integrity
More than 1 week
Data Loss Prevention for Desktops
More than 1 week
Protection from Zero-Day, Direct, and Indirect Attacks
Quarantine Compromised Applications
Quarantine Compromised Hosts
Welcome to the Cisco Security Agent 6.0 rapid deployment guide for desktops. The rapid deployment methodology is designed to enable you to get agents deployed on desktops quickly, with targeted functions and limited tuning.
This guide aims to reduce the time needed to deploy Cisco Security Agent by having the implementer choose a subset of functions required for the initial deployment. The result is a reduction in the amount of resources and time required to complete the initial deployment. Other security policies can be added over time to reflect changes in the organization's security policy. These additional security policies can be configured for Audit mode (nonblocking mode), so they do not affect the policies in production.
3. Getting Started
You will need the software and hardware listed here during deployment. You will also need the Cisco Security Agent documentation and some systems to run a pilot deployment.
3.1. Software and Hardware
• Management Center for Cisco Security Agents 6.0: This software is available on CD or by download from Cisco.com (http://www.cisco.com).
• Software license key for desktop protection from Cisco: Please note that the DLP content scanning function requires a separate license. If you do not have a license key, you can request one from Cisco.com (http://www.cisco.com/go/license).
The following are required for testing:
• Computer on which to install the Management Center for Cisco Security Agents software: Management Center for Cisco Security Agents is supported on Microsoft Windows 2003 Release 2, Standard and Enterprise Editions.
• System on which an agent can be installed: For this test, it is recommended that Microsoft Windows desktop or server computers be used (Windows Vista 32-bit, Windows XP, Windows 2003, or Windows 2000).
• IP communication between these systems: Communication between agents and servers uses TCP ports 80, 443, 5401, and 5402. Access to the Internet is helpful for downloading or reviewing online documentation.
• Installing Management Center for Cisco Security Agents 6.0
• Using Management Center for Cisco Security Agents 6.0
All documentation can be found online at http://www.cisco.com/go/csa as well as in the Documentations folder after unzipping the Cisco Security Agent 6.0 software package.
4. Phase 1: Installing the Cisco Security Agent Management Center
The Cisco Security Agent contains two components:
• Management Center for Cisco Security Agents, installed on a server that includes a web server, a configuration database, and a web-based interface: A Cisco Security Agent agent is automatically installed on the Cisco Security Agent Management Center system to protect it. Note that it is not necessary to tune the security for this agent.
• Cisco Security Agent, installed on desktops and servers across your enterprise, enforcing security policies on those systems: This guide focuses exclusively on deployment of Cisco Security Agent to desktop systems.
The Management Center for Cisco Security Agents must be installed first because it generates the agent installation packages (agent kits) you will need to install agents on your end systems. The Management Center for Cisco Security Agents also delivers security policies to agents, provides a management interface, receives events from agents, generates alerts, and performs a number of other functions.
4.1. Installing the Management Center
• Install Management Center for Cisco Security Agents.
• Update the licenses for Desktop and DLP.
• Check the Things To-Do list and eliminate warnings.
Estimated time to complete this task is 30 minutes.
1. Verify that the machine meets the minimum installation requirements listed in the document Installing Management Center for Cisco Security Agents 6.0.
2. Make sure that the machine is running Windows 2003 Release 2, Standard or Enterprise Edition, with all critical services installed.
Note: If you do not have Release 2 of Windows 2003, the Cisco Security Agent Management Console software will still install. You will see a message indicating that this is not a supported configuration. You should not run this configuration operationally, but this may be appropriate for demonstration and evaluation.
3. The system should have a static or fixed Dynamic Host Configuration Protocol (DHCP) IP address.
4. Verify that no other Web servers are running. If Internet Information Services (IIS) is running, remove the World Wide Web Publishing service.
5. Internet Explorer 6.0 or Firefox 1.5 or later should be installed.
6. Make sure that no other databases are installed.
7. The Management Center for Cisco Security Agents host name must be resolvable using Domain Name System (DNS) or Windows Internet Naming Service (WINS).
8. You must be logged in as administrator before you start the installation.
4.1.3. Task Steps
1. To install the Cisco Security Agent 6.0 software, run SETUP.EXE.
2. You will be asked to select a database. Select Local Database unless you are using a database on a separate server.
3. Follow the prompts until the installation is complete.
Note: Remember the user name and administrative password you select during the installation.
4. Reboot the system.
5. To access the Management Center for Cisco Security Agents, open your Internet browser and browse to https://<Management Center for Cisco Security Agents host name>/.
6. Log in with the user name and password you selected during the installation.
4.1.4 .Expected Outcome
You should be able to access the Management Center for Cisco Security Agents, as shown here.
4.2. Installing the Product License Key
1. Click Maintenance and choose Update License Information > License Information.
2. Click Browse and select the license file (*.lic extension) and upload the license.
Note: The DLP content scanning function requires a separate license. The Cisco Security Agent Evaluation license contains a license key enabling the DLP function.
4.2.1. Expected Outcome
You should see that the installed licenses listed as valid.
4.3. Changing the Default Admin to View Hidden Objects and Modify Read-Only Objects
2. Enable all the options under Advanced and Save.
4.4. Checking the Things To-Do List and Eliminating Warnings
The Things To Do area provides links to information and to administrative tasks that need your attention. There are three levels of tasks: red, yellow, and green. The red tasks are the most urgent, followed by the yellow tasks; the green items are informational. Although this list of tasks is prioritized, the Management Center for Cisco Security Agents does not force you to perform them in any particular order.
Clicking the link in the task row launches a pop-up window from which you can perform the entire task. If you need help performing a task, many pop-up windows display help when you right-click the background of the pop-up window and then click Help in the shortcut menu.
The following example shows the workflow for the Scheduled Backups task. Notice the appearance of the Scheduled Backup menu and the context-sensitive help description.
5. Phase 2: Planning Deployment and Choosing Policies
5.1. Desktop Security Policy Summary
The first task in using the rapid deployment methodology is to choose the security protections within Cisco Security Agent that you want to implement as part of the initial installation. Table 2 can assist in determining which Cisco Security Agent policies could be implemented.
The Initial Configuration Level column provides an approximation of the amount of effort needed to initially roll out the policy. Values reflect the amount of initial configuration information required prior to assigning the policies to the group. A setting of Low represents no configuration required. A setting of Medium indicates that some information is required and the policy may need some customization. A setting of High indicates that more information is required, perhaps requiring meeting with other business departments to discuss corporate security policies, policy customization, and rule creation.
The Tuning Overhead column provides an estimation of the amount of ongoing support needed for the policy as new applications are deployed on the network. Values represent the amount of tuning required to tune false positives. Notice that zero-day policies have a tuning overhead level of Medium. In Cisco Security Agent 6.0, zero-day policy functionality has been optimized to reduce the amount of tuning compared to earlier versions of Cisco Security Agent.
The Time Estimated for Deployment column shows the approximate amount of time needed for the policy to reach Protect mode. Values represent the amount of time spent tuning to eliminate false positives before cutting over to production. This time also depends on the number of users; this document assumes a 20 users. Some policy implementations are as simple as
Block Writing Files to USB Devices, which prevents files from being written to USB devices. Other policies, such as Anti-Spyware policy, may require a week of tuning in Audit mode (previously Test mode) to make exceptions for legitimate applications.
Some policies, such as Data Loss Prevention for Desktops and PCI Compliance policies, take a long time because meetings with appropriate personnel are needed to discuss corporate data security policy and obtain other detailed information regarding PCI compliance. These policies are not discussed further in this document.
A recommended approach is to deploy policies in Audit mode and then come back a week later and tune the observed behavior of the Cisco Security Agent alerts. This approach optimizes the number of person-hours spent.
Cisco Security Agent has an excellent record of preventing zero-day attacks. These policies are defined by Anti-Virus-Behavior Based, Anti-Spyware, Anti-Rootkit, Quarantine Compromised Applications, and Quarantine Compromised Hosts. More granular policies can be applied for further protection, such as Firewall-Centrally Managed and Firewall-User Managed policies (see "Protection from Zero-Day, Direct, and Indirect Attacks" in Table 2)
Zero-day policies are usually implemented first, though not always; organizations may choose to implement acceptable usage policies (AUPs) first, based on their business requirements (see "Acceptable Usage Policies" in Table 2)
Note: Anti-Virus-Signature Based policy controls the integrated Clam AntiVirus (ClamAV) scanning function and is enabled by assigning the policy at the group level.
Table 2. Policy Deployment Summary
Initial Configuration Level
Time Estimated for Deployment (based on 20 users)
Acceptable Usage Policies
Require VPN Hosts on Insecure Networks
Block Wireless Bridging
Block Writing Files to USB Devices
Audit System Integrity
Protection from Day-Zero, Direct, and Indirect Attacks
Quarantine Compromised Applications
Quarantine Compromised Hosts
5.2. Policy Descriptions
Table 3 provides brief descriptions of security policies. The policies are described in the following subsections.
Requires hosts on insecure networks to establish a VPN connection
Use the Anti-Rootkit policy to detect rootkits. Specifically, this policy watches for the loading of unauthorized kernel drivers. If you want to isolate systems with rootkits from the network, you should use this policy in conjunction with the Quarantine Compromised Hosts policy.
Deployment time is approximately 1 week, assuming a total of 20 users selected from different groups. As more agents are added, you may need to perform some incremental tuning.
Assign the policy to 20 users selected from a combination of groups, initially in Audit mode. If rootkit drivers are discovered on a system, the system will appear on the Cisco Security Agent Management Console dashboard in the Host Status Alerts section.
Low-level tuning is required. Drivers loaded dynamically as Windows drivers or drivers that modify kernel functions will be classified as rootkits. All network connections to and from the system are denied. Certain antivirus vendors such as Symantec and Trend may violate this rule, as may some video and mouse drivers; exceptions for these legitimate applications can be made using the wizard.
In the example shown here, Pecomm, known as the Storm Trojan, installs a wincom32.sys driver.
If you have the Quarantine Compromised Hosts policy assigned, this will deny all incoming and outgoing network connections and isolate the host from the network.
You can reset the agent security settings locally to allow normal network connections, or the agent can be reset them from the Cisco Security Agent Management Console under the Hosts tab.
To create exceptions from the Cisco Security Agent Management Console, you use the wizard.
Use the wizard to set the kernel driver as trusted. When using the wizard, you must enter justifications. The first step is to classify the trusted kernel module.
The second step is to create an exception rule to authorize the kernel module triggering this event; enter the justification.
The third step is to take into account all similar events.
The final step is to apply the kernel module exception rule to the associated Anti-Rootkit policy.
Exceptions are stored globally with the associated policy. Click Generate Rules; then click Generate.
Use the Anti-Sniffer policy to detect unknown packet sniffers. Sniffers detected on non-IT systems may be used for malicious purposes, such as to find passwords sent in clear text.
In the example shown here, Wireshark was run on xpclient. Notice the unauthorized component, PacketDriver, registering with the system.
Use the Anti-Spyware policy to detect and prevent the installation of spyware and malware-like applications. These applications may try to steal user data, ,create rogue services and accounts, trap keystrokes, and modify system configuration settings.
In the example shown here, the Deny rules represent the more severe events and should be looked at first.
In the example shown here, no tuning is required; the malicious action was denied and prevented. This is an example of a good alert. Usually spyware alerts will be triggered when downloaded or untrusted content writes to browser resources: for instance, when code is inserted into other processes.
Use the wizard if you believe the action to be a false positive and want to change browser settings. The wizard allows you to make an exception to the rule. You can also add the application to the white list (see Section 7, Phase 4: Tuning the System).
The alerts listed in the following example may or may not require tuning. Notice alerts provide visibility into what is happening on your system; these alerts merely log actions. Mouse, VMware, and video applications, for instance, may not be of interest, and you can tune these out using the wizard or add them to the white list.
5.2.4. Anti-Virus-Behavior Based
Use Anti-Virus-Behavior Based policy to prevent zero-day attacks and protect against direct and indirect attacks for which there are no known signatures. Note that this service is complementary to (and not a substitute for) Anti-Virus-Signature Based protection.
Not all Cisco Security Agent Management Console events require tuning. Expect to see events that have been denied due to suspected malicious actions, such as downloaded or untrusted applications that invoke command shells, or multiple violations that occur within the rule modules of the policy, such as untrusted applications or downloaded content that causes buffer overflow or traps keystrokes.
End users who install or download software for the first time will be queried to provide justification for downloading the software. This behavior may be acceptable, depending on the organization's security policy. Having the user manually enter justification from the keyboard helps prevent automated downloads that occur without the user's knowledge or consent.
Notice Query/Notify event appearing, which was triggered by the Anti-Virus-Behavior Based policy.
In the following example, WinZip was downloaded from http://www.winzip.com/index.htm.The end-user provided justification as to why the software was downloaded. These are good alerts and require no tuning.
The following example shows denied events, with no tuning is required. Cisco Security Agent is working as expected and prevents the malicious code. In the example, the user was asked to justify Zotob; Cisco Security Agent Anti-Virus-Behavior Based policy prevents the potentially malicious action, without enforcement of Anti-Virus-Signature Based policy.
The suspected file is quarantined by the Cisco Security Agent Anti-Virus-Behavior Based policy.
5.2.5. Anti-Virus-Signature Based
Use the Anti-Virus-Signature Based policy when the ClamAV function is used and you want to control the way that ClamAV scans for viruses.
A common problem with antivirus programs is reporting of false positives. Cisco Security Agent offers a centralized approach to tuning directly from the central management console, using the AntiVirus wizard.
Tune ClamAV false positives as shown in this example. The example uses the Eicar Test file to demonstrate false-positive tuning. Using the AntiVirus wizard will tune out the Eicar Test file so that it will not be scanned by ClamAV.
In the Cisco Security Agent Management Console, under Event Log, notice that ClamAV detected the Eicar virus, and Eicar.com was quarantined.
Click Wizard and select "Only this file"; you want to exclude eicar.com. Enter a justification for the exception. Notice that justifications are required.
Click Finish, then Generate Rules, and then Generate. These antivirus scan exceptions are enforced globally for all groups and are visible from the Configure > Global Settings > Antivirus Exceptions menu.
5.2.6. Audit System Integrity
Use Audit System Integrity policy to detect suspicious behavior on hosts as well as system configuration changes which may affect system integrity. By default, all suspicious behavior accessing the system configuration will be monitored, with no end-user interaction.
The wizard allows you to tune out false positives such as mouse and video drivers and other applications that may not be of interest.
The following example uses the wizard to tune out cmd.exe monitor alerts; notice that this tuning places cmd.exe on the white list.
Click through the wizard to create the exception.
The final step places the application cmd.exe on the white list.
Note: When filenames are placed on the grey list, the firewall policies prevent incoming requests. This topic is covered in more detail in the discussions of the firewall policies later in this document.
5.2.7. Block Wireless Bridging
Use Block Wireless Bridging policy to block wireless traffic when the system is connected to the corporate LAN.
Some configuration may be required for additional security, such as to implement wireless encryption settings and service set identifiers (SSIDs). Deployment time should be minimal (approximately 1 day).
Note: Wireless interfaces are active and will associate with access points, even when TCP and User Datagram Protocol (UDP) traffic is blocked. This behavior enables instant failover when the user undocks a laptop computer; the computer already has up-to-date IP addressing and routing information for the wireless interface.
5.2.8. Block Writing Files to USB Devices
The Block Writing Files to USB Devices policy prevents files from being written to USB devices and other removable media. End-users will be prevented from writing to USB devices, as dictated by the corporate security policy. If they try to write to such a device, the following message appears:
Notice the Deny rules triggered by the policy.
The operation was denied, and the notification rule that the end-user received is displayed.
5.2.9. Firewall-Centrally Managed
Use Firewall-Centrally Managed policy to provide a centrally managed distributed firewall for desktop systems. Outgoing connections are allowed, and incoming connections to fixed or well-known server ports are denied. Protection from network-based attacks is also provided, including protection against buffer overflows and IP packet-based exploits.
Use the wizard to create exception based on application, network services, etc. for incoming server or ephemeral connections.
Little end-user interaction should be needed; all outgoing connections are allowed by default.
Note: You should use only one of the Firewall policies: either centrally administered or user-administered. You will not get extra functions if you run both policies.
In the following example, netcat was run on XPCLIENT. Initially, the incoming process was denied. The wizard was then used to create an exception.
Note: This example is for demonstration purposes only. Also, with the port opened, the zero-day policies will prevent the remote execution of the command shell.
The action was prevented on the client system.
Notice the denied actions that were triggered by the Firewall-Centrally Managed desktop policy. This policy does not contain any query rules.
Events from netcat are prevented from accepting incoming connections.
Use the wizard to allow the connection. A justification must be provided.
Select Allow Operation and provide a justification.
Click Next and select "Take into account all similar events"; otherwise, you will have to create an exception for each application.
Click Next to apply the changes.
Click Next; a summary of the exception rule is displayed.
Click Next; the application class will be created.
Click Next to complete the exception rule creation.
Click Finish to complete the exception rule.
5.2.10. Firewall-User Managed
Use Firewall-User Managed policy to provide a personal firewall for desktop systems. The end user can selectively allow or deny network connectivity on a per-application basis. Protection from network-based attacks is also provided, including protection against buffer overflows and IP packet-based exploits.
A medium level of tuning is required. Initially, you should select Local Learn Mode, so that local applications and associated network connections can be learned. Run for a week in Audit mode. Then disable the Local Learn Mode option and select Enable.
You can also protect local directories and files from network access.
After the Enable option is selected, the end user will be prompted when an application other than those learned using Local Learn Mode tries to establish a connection. An associated permissions key will appear next to the application:
In the following example, IEXPLORE.EXE has HTTP network permissions, OUTLOOK.EXE has email network permissions, and pidgin.exe cannot make network connections.
Tuning is mostly performed locally; the end user can add and remove applications.
Note: This policy cannot make your policies less restrictive.
5.2.11. Quarantine Compromised Applications
Use Quarantine Compromised Applications policy to quarantine compromised applications (for example, applications subject to a buffer overflow attack) and prevent them from harming the system or other applications.
5.2.12. Quarantine Compromised Hosts
Use Quarantine Compromised Hosts policy to quarantine systems in which a rootkit was observed.
Note: This policy should be used in conjunction with Anti-Rootkit policy.
Assign the policy to 20 users selected from a combination of groups, initially in Audit mode.
Warning: Do not enable this policy in Protect mode until the Anti-Rootkit policy has been tuned. A false positive will cause the system to be isolated from the network.
5.2.13. Require VPN Hosts on Insecure Networks
Use Require VPN Hosts on Insecure Networks policy to require that remote users always connect to the corporate network over VPN. For example, use this policy when the organization employs Internet protections such as website reputational filtering that must be used at all times. The Cisco IronPort® web filter is an example of this type of protection. Remote users do not get the benefit of this protection when they are out of the office; connecting over VPN makes the user logically appear to be in the office for the purposes of this protection.
No configuration is required other than enabling this policy. Minimal tuning is required; you may need to create exceptions if you have specific applications that require access before VPN access is required.
End users will be prompted with a notification message when they are out of the office.
Audit mode is recommended initially.
Note: If you use this policy, you will need to specify some configuration options: the organization's DNS name, wireless SSIDs, etc.
6. Phase 3: Deploying Agents
6.1. Assigning Targeted Host Security Policy to Default Desktop Group
Management Center for Cisco Security Agents includes a set of predefined organizational units to help you manage agent policies. There are three basic organizational units:
• Group module: A collection of hosts used to streamline the process of assigning security policies to hosts at once, such as the following:
– Servers: All types
– Desktops: All types
– Servers: Apache Web Servers
– Servers: Boxborough
– Desktops: San Jose
Note: A host can be a member of multiple groups. For example, you may have an admin group, which allows query rules, and a nonadmin group, which has no user interaction rules.
• Host security policy (HSP) module: A collection of rule modules, attached to a group or groups, that have a similar purpose or depend on each other to work properly, such as the following:
– Require VPN Hosts on Insecure Networks
• Rule module: A collection of rules, attached to a policy or policies, that that serve the same purpose, such as the following:
– Protect file integrity
– Prevent music downloading
– Provide web server sample security
Note: You will need to switch to the Cisco Security Agent Management Console Advanced mode to see rule modules and rules. Unless you are creating rules or performing specialized modifications, use of Advanced mode is discouraged.
• Using the default Desktop Group, select the targeted host security policy and enable Audit mode.
• Assign your targeted host security policy to the default Desktop Group. In this example, the Block Writing Files to USB Devices policy was used.
Estimated time to complete this task is 10 minutes.
1. Log into Management Center for Cisco Security Agents.
2. Verify that you are in Simple mode as shown here.
6.1.3. Task Steps
1. Under Security Settings, click Host Security.
2. Choose Desktops for Windows.
3. Choose your host security policies. In the following example, Block Writing Files to USB Devices was selected.
4. Click Save and close the dialog box.
5. Click Generate Rules, and then click Generate. This action will also update the desktop agent kit.
Note: When the initial installation warning message appears, select the defaults and click Save.
6.1.4. Expected Outcome
The window will close, with no error message reported.
6.2. Deploying Windows Agent
In Section 6.1, you updated the desktop agent kit. Agent kits contain the agent binary files, support files, and setup files. They also contain the encryption certificate, the initial set of policies, and the group to which the host that is running the agent kit should belong. After installing a kit on a host, the agent starts enforcing its policy immediately and registers with the Management Center for Cisco Security Agents to check for newer policies.
Install the desktop Windows agent on an evaluation host.
Estimated time to complete this task is 5 minutes per host.
No setup is required. Note that local administrative rights are required to install the Cisco Security Agent agent kit.
6.2.3 Task Steps
1. On the machines on which you want to install the agent, enter the agent kit URL in a browser: https://<Management Center for Cisco Security Agents host name>/csamc60/kits.
Tip: If you are installing agents on multiple machines, you can use a software distribution tool to distribute the agent, or you can email the link to the agent kit to each user and have the users perform the installation.
2. Click the Desktops link, shown here.
3. Save the installation binary file to disk.
4. Double-click the installation binary file.
5. Follow the prompts (accept the defaults) until the installation is complete.
6. Reboot the system.
Note: Regardless of whether the system is rebooted, the agent service starts immediately and the system is protected. If the system is not rebooted, some functions are not immediately available. See the Installation Guide for more information.
7. Repeat this process for any other machines on which you want the agent installed.
6.2.4. Expected Outcome
The agent should register with the Cisco Security Agent Management Console.
6.3. Setting Up Agent Communication and Registration
When an agent is installed on a system, it starts protecting the system immediately. Shortly after it starts, it attempts to register with the Management Center for Cisco Security Agents. During registration, the agent connects to the Management Center for Cisco Security Agents, checks for updated policies, and delivers any events that it generated before registration.
Help ensure that your agents can register and communicate with Management Center for Cisco Security Agents.
Estimated time to complete this task is 5 minutes.
Go to a system where Cisco Security Agent is installed.
6.3.3. Task Steps
1. Double-click the Cisco Security Agent icon in the system tray to open the agent user interface.
2. Under Status, you should see the information that was generated when the agent registered with the Management Center for Cisco Security Agents. Click Poll.
Tip: If you get an error message saying that the fast poll was unsuccessful or the agent has not registered with the Management Center for Cisco Security Agents, make sure you can ping the management center by the name listed in the Management Center for Cisco Security Agents section of the Agent Status page. If the ping fails, you may have a problem with name resolution. Be sure that the name of the Management Center for Cisco Security Agents can be resolved.
3. Log into the Management Center for Cisco Security Agents.
4. Choose Systems > Hosts.
5. Check that all the systems that have an agent installed appear in the list.
6.3.4. Expected Outcome
The agents should be registered with the Management Center for Cisco Security Agents and be able to poll for new settings.
7. Phase 4: Tuning the System
Cisco Security Agent 6.0 introduces new ways of tuning the system. One method uses the new Simple view, which is used for managing the day-to-day operations of Cisco Security Agent. For experienced Cisco Security Agent administrators, the Advanced view is available; this view is similar to the view in previous versions of Cisco Security Agent.
The Simple view enables the Cisco Security Agent administrator to tune the system in these ways:
1. Enter applications on the white list: Use this option for system tuning when you have scripting applications or applications that must run on the system unhindered.
2. Use the Event wizard from the Cisco Security Agent alerts in the Cisco Security Agent Management Console: Use this option for system tuning when you need to create specific exceptions for applications, such as exceptions for accessing the application's resources. Note that you can use the wizard to create exceptions for Query, Deny, Terminate Process, and Set rules only. For High-Priority Deny and Monitor rules exceptions, you can create exceptions to the rule directly by defining the application and including it in the "But not in any of the selected classes" field.
3. Create localized policies from alerts generated by Cisco Security Agent: Use this option for system tuning when you notice that you are viewing many alerts in the Cisco Security Agent event log and it would be easier to create these exceptions in a localized group exceptions policy. This policy can then be reevaluated to determine whether it should be renamed as a specific function policy and distributed to the other groups.
4. Add nonrecommended applications to the black list: Use this option for applications that are not allowed to run on the basis of the company's security policy.
Tune the system using these techniques:
• Enter applications on the white list.
• Use the Event wizard.
• Add nonrecommended applications to the black list.
This task requires endpoint acceptance testing so the time to implement it will vary.
7.2. Task Steps
7.2.1. Entering Applications on the White List
In this example, the host security policy Block Writing Files to USB Devices prevents the application Launchpad.exe from accessing lpgdb.xml. Notice that these alerts appear in Audit mode (previously called Test mode).
1. Choose the Simple view, click Home, and check under Events by Policy for any alerts next to your policy.
2. If a policy has alerts, expand the alerts. In the example shown here, the Block Writing File to USB Devices policy alert has been expanded.
Note: Terminate and Deny alerts are usually are more severe than Query/Notify alerts.
3. In interpreting the received alerts, keep in mind that not all Deny alerts are bad. They can point to malicious attempts that are prevented by zero-update policies or to end users who are not in compliance. In the example here, Launchpad.exe is trying to access f:\..\lpgdb.xml. We will add the application launchpad.exe to the white list.
4. Click Home and choose Application Trust Levels > New. Enter Launchpad.exe as the filename, select White List as the trust level, and Windows as the selected OS. Enter the justification and click Save.
5. Click Generate Rules and then Generate.
7.2.2. Using the Event Wizard
In this example, a Notepad_FACL host security policy prevents file and write access to the Notepad_FACL folder. We will use the Event wizard to allow the application notepad.exe access to these files.
1. Choose the Simple view and click Home. Under Events by Policy, check whether any alerts appear next to the Notepad_FACL Test policy.
2. If alerts appear, expand the alerts. In the example shown here, the Notepad_FACL Test policy alert has been expanded.
3. Note: Terminate and Deny alerts are usually are more severe than Query/Notify alerts.
4. Beneath the event, click Wizard. You should see the following:
• Classify Application provides the Cisco Security Agent administrator with more information regarding the application.
• Allow Operation allows you to create an exception for the application, in this case notepad.exe, and take into account all similar events that were triggered by this rule.
• Analyze Operation allows the process to be analyzed. Windows and UNIX platforms are supported, and no separate licenses are required for behavior-based reporting. After the application is analyzed, the reports are comprehensive in that you will see all the resources that this application is using. If you suspect that this application may be malicious, you can analyze its operation.
• Stop Logging This Event prevents the process from logging events to the Cisco Security Agent Management Console.
• Suppress Similar Events allows the process to log events to the Cisco Security Agent Management Console and suppress events of the same type.
• Purge Similar Events allows you to purge similar events created by the process from the Cisco Security Agent Management Console. This option is helpful when you are tuning out false positives on the Cisco Security Agent Management Console and you do not want to see the events again in the Cisco Security Agent Management Console.
5. Enter your justification under Classify the Application and click Finish.
6. Enter your justification under Allow the Application and click Next.
7. Select "Take into account all similar events" and then click Finish.
You should see the Notepad exception under Notepad_FACL_Test. Note that the exception is global and affects all groups.
7.2.3. Adding Nonrecommended Applications to the Black List
This example adds Wireshark to the black list. Customers may have a list of nonrecommended applications, for instance, BitTorrent applications, that they want to add to the black list.
1. Choose the Simple view and click Home. Under Security Settings, choose Application Trust Levels > New. You should see the following:
2. Enter an application that you want to be prohibited (added to the black list of untrusted applications).
This guide describes the installation of Cisco Security Agent 6.0 and zero-day and acceptable usage policies in a limited deployment scenario.