Paladin Network Administrators Guide
Network Administrator's guide for enterprise-level anti-spyware software offering.

Transcript

  • 1. Table of Contents
    Welcome
      Understanding Paladin
        Paladin Server
        Client
      System Requirements
        Paladin Server System Requirements
        Client workstation System Requirements
    Using The Admin Console
      About the Admin Console
      Toolbar
      Menu bar
        File menu
        View menu
        Policy menu
        Help menu
      Admin Control Panel
    Installing Paladin
      Installation Overview
      Installing Paladin
        Running Paladin with SQL
        Running Paladin with MSDE
    Configuring System Setup
      About System Setup
      Registration
        License Information and Status
      Configuration
        E-mail Server Settings
        Proxy Server Settings
        Communication Prototype
        Database Cleanup
        Server/Client Port Settings
        File Transfer Protocol
      Updates
        Server
        Clients/Definitions
    Setting Up Policies
      About Policies
        Policy View
        Configuration Utility
      Creating and Managing Policies
        Create a Policy
        Delete a Policy
        Rename a Policy
        Copy a Policy
      Configuring Policies
  • 2.
      Client Tab
        Configure Client Settings
        Deploy Client Software Updates
        Deploy Client Database Updates
        Set E-mail Alerts
        Add an Alert to a Policy
        Remove an Alert from a Policy
      Scan Tab
      Schedule Tab
      Item Actions Tab
        Assign Actions to Items
        View Spyware Items By Action
        Item Action Details
      Preventions Tab
        Enable Internet Preventions
        Restricted IP Ranges
        Restricted Zones
        Enable System Preventions
        ADS
    Managing Clients and Items
      Client Management
        Adding and Deploying Clients
        About Firewalls
        Client Firewalls
        Manually Deploying Clients
        Client Actions Deployment
      Removing and Reassigning Clients
        Removing Clients from Policies
        Removing Clients from Client Lists
        Reassigning Clients
      Scanning Client Workstations
      Starting, Stopping and Refreshing Clients
        Refresh Status
        Start Service
        Stop Service
      Item Management
      Quarantining Items
        Quarantining Items - By Item
        Quarantining Items - By Client
      Unquarantining Items
        Unquarantining Items - By Item
        Unquarantining Items - By Client
      Deleting Items
        Delete Items - By Item
        Delete Items - By Client
      Spyware Library
  • 3.
        Viewing Spyware Library Details
      Viewing Events
      Viewing Events By Client
        Client List
        Client List Details
      Viewing Events By Item
        Items List
        Items List Details
    Monitoring Network Activity
      About Reports
        Report Options
      Exporting Reports
      Network Activity
      Spyware Activity
      Infected Machines - Summary
      Infected Machines - Detail
      Top Ten Machines – Spyware Detected
      Machine History
      Threats Found - Summary
      Threats Found - Detail
      Executive Summary
  • 4. Welcome

    Reliable and robust, Paladin is Aluria’s answer to dangerous and destructive spyware that infiltrates network security. With Paladin you can scan your network for the latest threats, create and assign policy controls, view detailed reports of all found threats, receive automatic or manual updates, and much more.

    Understanding Paladin

    How Paladin Works

    Unlike competitor products, Paladin offers true no-hassle server-side installation and updates. Paladin’s custom communication technology side-steps Windows compatibility issues and avoids the time loss common to corporate solutions that depend on Microsoft Management Console (MMC) technology. The Paladin client/server architecture is shown below:

    Product Components

    There are two major components included in the Paladin product that you will install on your computers:

    – Paladin Server
    – Client

    Note: This version of Paladin automatically installs the Active Defense Shield (ADS) driver. ADS is a kernel-level driver, so repeatedly installing and uninstalling the Paladin Server and Client is inadvisable.
  • 5. Paladin Server

    Before you can run Paladin, you must install its server. The Paladin Server provides centralized management for all computers in your company. Its components are as follows:

    Service | Executable | Description
    --- | --- | ---
    AluriaIP | AluriaIP.exe | Controls the communication between Clients and the Database. Also communicates with the Admin Console.
    Admin Console | Paladin.exe | Provides a graphical user interface (GUI) to manage Paladin in your company.
    Database/Service | Sqlmanager.exe | Stores settings, statistics, Client configurations, etc.
    ADS | ADSService.exe | Module that actively prevents spyware files from installing on the server. ADS is also installed on all Client PCs.
  • 6. Client

    A Client is a service that communicates with the Paladin Server to scan and remove spyware. The Client is installed on an end user’s PC, allowing for spyware scanning and removal even when the user is not logged in. The service runs with administrative rights, providing the Client permission to remove all spyware on a PC. The service has no end-user interaction. This lowers the risk of end-user errors, which often cause spyware to go undetected. The Client service components are as follows:

    Service | Executable | Description
    --- | --- | ---
    AEliminator | AEliminator.exe | Runs as a system service on each client workstation to scan and remove spyware. Communicates results to the Server. Also communicates modifications to Client settings back to the Server.
    AManager | AManager.exe | Provides a limited-functionality graphical user interface (GUI) to manage Paladin client-side.
    ADS | ADSService.exe | Module that actively prevents spyware files from installing on the server. ADS is also installed on all Client machines.

    Note: AEliminator runs as an NT service on Windows XP Professional SP1/SP2, Windows 2000 Professional SP2/SP3/SP4, and Windows NT Workstation 4.0 SP6 machines. On a Windows 98 SE machine, AEliminator will run as a Windows hidden application.
  • 7. System Requirements

    The following are Paladin's Server and Client system requirements.

    Note: Although support is slated for a future release, dual live network adapters are currently not a supported configuration in Paladin.

    Paladin Server System Requirements

    – Operating System: Windows 2003 Server, Windows 2000 Server SP3/SP4, Windows 2000 Advanced Server, Windows NT Server 4.0 SP6a, Windows XP Professional SP1/SP2.
    – Processor: Recommended double Pentium IV 2.79 GHz processor.
    – Disk Space: Recommended 4 GB free.
    – Memory: Recommended 1 GB RAM.
    – Monitor: Minimum resolution of 1024 x 768.
    – Internet Connection: Required.

    Client workstation System Requirements

    – Operating System: Windows XP Professional SP1/SP2, Windows 2000 Professional SP2/SP3/SP4, Windows NT Workstation 4.0 SP6a, and Windows 98 SE.
    – Processor: Recommended Pentium III.
    – Disk Space: Recommended 20 MB free.
    – Memory: Recommended 256 MB RAM.
    – .NET Framework: Required.
  • 8. Using The Admin Console

    About the Admin Console

    Paladin's Admin Console is a convenient tool, providing centralized management for administrators to easily detect and remove spyware from groups throughout their network. By using a central configuration, the Admin Console decreases the amount of time you will need to learn the product. From the Admin Console you can configure and assign security policies, deploy Client and software updates, control scan scheduling, assign actions to found threats, access comprehensive threat analysis reports to identify problem points within your network, and much more.

    The components that provide functionality options within the Admin Console include the toolbar, menu bar and the Admin Control panel with its three modules.

    Figure: Admin Console
  • 9. Toolbar

    The Paladin toolbar provides fast access to frequently used features. The toolbar includes the following buttons:

    – Setup. Opens tab-based system setup.
    – Create Policy. Creates a new policy that you can configure and add clients to as desired.
    – Updates. Opens system setup updates screen.
    – Help. Launches product help files to resolve Paladin issues or questions.
    – Spyware Library. Displays the details of every spyware item in the Aluria spyware database.

    Menu bar

    Like the toolbar, the menu bar provides easy access to commonly used features. The menu bar includes the following four drop-down menus:

    – File menu
    – View menu
    – Policy menu
    – Help menu

    File menu

    File menu options include:

    – Setup. Opens system setup.
    – Exit. Closes the Admin Console.

    View menu

    View menu options allow you to view information from the Policies, Events and Reports modules. View menu options include:

    – Registration. Displays the Registration screen.
    – Configuration. Displays the Configuration screen.
    – Updates. Displays the Updates screen.
    – By Client. Displays events sorted by client.
    – By Item. Displays events sorted by spyware item.
  • 10.
    – Activity Log. Displays activity log.
    – Error Log. Displays error log.
    – Server Log. Displays server log.
    – Updater Log. Displays updater log.

    Policy menu

    Policy menu options include features related to policies, client management, and client deployment. Policy menu options include:

    – Create Policy. Creates a new policy that you can configure and add clients to as desired.
    – Delete Policy. Deletes a policy that you created, but want removed.
    – Rename Policy. Allows you to give a preexisting policy a new, unique name.
    – Copy Policy. Duplicates a policy currently in existence, so that you may use the preexisting configurations for a new policy.
    – Scan Computers. Scans all computers in a policy that you have selected.
    – Add Computers. Adds client workstations to a policy that you have selected. Once added, the Client is pushed down and automatically installed on the workstations.
    – Remove Computers. Removes computers from a policy that you have selected.
    – Deploy Client(s). Deploys Client software onto selected workstations.

    Help menu

    Help menu options include:

    – Product Help. Launches product help files to resolve issues or questions.
    – Resources. Directs you to the Aluria Spyware Research Lab.
    – Online Support. Launches the Aluria Software support page.
    – About Paladin. Launches version details.

    Admin Control Panel

    The Paladin Admin Control panel is located on the left-hand side of the Admin Console. This panel contains the following three collapsible/expandable modules:

    – Policies. Allows you to create custom security policies to be deployed on client workstations assigned to those policies.
  • 11.
    – Events. Allows you to get detailed analysis of client and item activity.
    – Reports. Allows you to view detailed and summary threat analysis reports.
  • 12. Installing Paladin

    Installation Overview

    There are two major components that must be installed in order to run Paladin. First, you must have installed a server. You can run Paladin with an MS SQL Server, or, if you don’t have a SQL Server, Paladin will install a Microsoft Data Engine (MSDE) Server for you. This database will hold a maximum of 2 GB of data. Once you have installed the Server, the second component you will install will be the Paladin application.

    Note: Even if you have an MSDE Server already installed, Paladin will reinstall MSDE and create another instance named “Paladin.”

    Installing Paladin

    The Paladin application can be installed on any Windows 2000 Server or Windows 2003 Server. To install Paladin on your server/network you must at least have Domain Administrator (for Active Directory networks) or Administrator (for Workgroups) privileges.

    During the installation you must enter all information requested. Your installation instructions differ depending on whether you already have SQL Server installed and choose to use it with Paladin. Please choose the instructions below that apply to you:

    Note: If you do not have a SQL Server currently installed, or if you have a SQL Server installed, but would like to run Paladin with MSDE, please follow the “Running Paladin with MSDE" instructions.

    Running Paladin with SQL

    To install Paladin with the SQL Server:

    1. Start the installation process by double-clicking Setup.exe.
    2. Click Next.
  • 13.
    3. Select I accept the license agreement and click Next.
    4. Enter and select your information, and then click Next.
  • 14.
    5. Click Next.
       – You can install the application to another destination by clicking Browse.
    6. Click Next.
  • 15.
    7. Click Finish.
    8. Click Next.
  • 16.
    9. Enter the server computer name and available server port number, and then click Next.
       – You must enter the requested information into these fields. If you do not properly enter the server computer name and available server port number, Paladin will not function on your system.
       – We recommend ports 1 to 1023 not be used, as they are reserved for use by the IANA. We also recommend that ports 49152 to 65535 be avoided, because they are dynamic ports that operating systems use randomly. If you choose one of these ports, you risk a potential conflict.
    10. Select SQL and click Next.
       – Select SQL Server ONLY if you have a SQL Server currently installed. If you select SQL Server, you will need to create an instance name.
  • 17.
    11. Enter your information and click Next.
    12. Click Finish.
    13. Click Yes. (optional)
       – Although clicking "yes" is optional, Aluria highly recommends you choose this option. If you do not click "yes" to reboot, you may have some negative experiences. For example, it is possible that, without an immediate reboot, certain displays will not update correctly. Thus, if you choose to add a client to a policy, that policy's client list may not update to show the newly added client as "installed." This could be confusing for administrators trying to determine the status of a client installation.
  • 18.
    Once you have completed these steps, you are ready to configure Paladin to scan your company's workstations for spyware. Launch Paladin from your program menu, enter your information into the start-up screen, and then click log on. The System Setup will automatically launch. Use the Introduction, Registration, Configuration, and Updates tabs to get started.

    Running Paladin with MSDE

    1. Start the installation process by double-clicking Setup.exe.
    2. Click Next.
    3. Select I accept the license agreement and click Next.
  • 19.
    4. Enter and select your information, and then click Next.
    5. Click Next.
       – You can install the application to another destination by clicking Browse.
  • 20.
    6. Click Next.
    7. Click Finish.
  • 21.
    8. Click Next.
    9. Enter the server computer name and available server port number, and then click Next.
       – You must enter the requested information into these fields. If you do not properly enter the server computer name and available server port number, Paladin will not function on your system.
       – We recommend ports 1 to 1023 not be used, as they are reserved for use by the IANA. We also recommend that ports 49152 to 65535 be avoided, because they are dynamic ports that operating systems use randomly. If you choose one of these ports, you risk a potential conflict.
  • 22.
    10. From the Database list, select MSDE and click Next.
       – By selecting MSDE you are prompting the Paladin database wizard to install, or (if already installed) reinstall MSDE on your system.
    11. Click Finish.
    12. Click Yes. (optional)
  • 23.
       – Although clicking "yes" is optional, Aluria highly recommends you choose this option. If you do not click "yes" to reboot, you may have some negative experiences. For example, it is possible that, without a reboot, certain displays will not update correctly. Thus, if you choose to add a client to a policy, that policy's client list may not update to show the newly added client as "installed." This could be confusing for administrators trying to determine the status of a client installation.

    Once you have completed these steps, you are ready to configure Paladin to scan your company's workstations for spyware. Launch Paladin from your program menu, enter your information into the start-up screen, and then click log on. The System Setup will automatically launch. Use the Introduction, Registration, Configuration, and Updates tabs to get started.
  • 24. Configuring System Setup

    About System Setup

    Each time you log on to Paladin, the Setup screen will display. From the Introduction tab you can get a quick overview of what you will need to enter in the Registration, Configuration and Updates tabs. From Setup, you can register your product, configure e-mail and proxy server settings, choose a communication prototype, check for server and system updates, and schedule client software and definition file download frequencies.

    Registration

    Following your initial product installation, you will use the Registration screen to register your product. The registration key entered will determine if you have purchased the full version of Paladin or are running it in trial mode.

    To register Paladin:

    1. Enter your registration key in the provided field.
    2. Click Register.

    License Information and Status

    Once a valid registration key is entered and verified with Aluria’s servers, the license and status information for your Paladin software will be displayed. You can return to the Registration screen anytime to review your registration details. Under License Information & Status, you can view:

    – Licenses Expiration Date. Displays the year, month, and day that the Paladin license expires.
    – Client Licenses. Displays the number of licenses authorized by the registration.
    – Total Licenses Installed. Displays the number of Clients that have been assigned to policies and deployed.
    – Status. Displays the version of Paladin currently in use. If running a trial (evaluation) version, your status will show the number of days left before the trial expires.

    Note: By default, Paladin will allow for 10 client licenses during the 30-day trial period. Once the trial expires, all Clients will be disabled. To purchase Paladin, from the Registration screen, click Buy Now.

    Configuration

    The Configuration screen allows you to save five types of system settings:

    – E-mail Server Settings
    – Proxy Server Settings
  • 25. Communication Prototype
    Server/Client Port Settings
    File Sharing Protocol
    In addition to saving system settings, from the Configuration screen, you can also delete old scan history records.
    E-mail Server Settings
    E-mail settings allow you to receive notifications about found spyware, its location on your network, and its severity.
    To configure e-mail server settings:
    1. From the Admin Console toolbar, click Setup.
       – You may also access setup by clicking Setup from the File menu.
    2. Select the Configuration tab.
    3. Under E-mail Server Settings, in the fields provided, enter the e-mail server address, e-mail address from which notifications should be sent, and port.
       – If applicable, click Advanced. From the Advanced Options dialog, select Requires Authentication, and enter the domain, user name, and password in the fields provided. When you’re finished entering your information, click OK.
    4. Click Save.
    Once you have saved your e-mail server settings you can test them by clicking Send Test E-mail.
    Proxy Server Settings
    If you use a proxy server to access the Internet, you will need to enable it to communicate with Aluria's servers. Allowing connection through a proxy will assure that your company receives software updates and new definition files as they become available.
    To configure proxy server settings:
    1. From the Admin Console toolbar, click Setup.
       – You may also access setup by clicking Setup from the File menu.
    2. Select the Configuration tab.
    3. Under Proxy Server, select Enable Proxy Server.
    4. In the fields provided, enter the address and select the port for the proxy.
  • 26.    – If applicable, click Advanced. From the Advanced Options dialog, select Requires Authentication, and enter the domain, user name, and password in the fields provided. When you’re finished entering your information, click OK.
    5. Click Save.
    Communication Prototype
    By default, Paladin's communication prototype is set to TCP, the de facto standard for the Internet.
    Note Although it’s slated for future release, we currently do not offer UDP communication functionality; only TCP is available for communications between the Server and the Client.
    Database Cleanup
    To keep your database from reaching maximum capacity, you can perform a scan history cleanup to remove specified records. Deleted scan history is removed permanently.
    To perform a database cleanup:
    1. From the Admin Console toolbar, click Setup.
       – You may also access setup by clicking Setup from the File menu.
    2. Under Database Cleanup, click Manual.
    3. From the displayed dialog, specify the dates of records you want removed.
    4. Click Delete.
    5. Click Yes.
    Server/Client Port Settings
    By default, during installation Paladin selects port 2001 for your Server and Clients. If necessary, you can change the port during installation, or afterwards on the Configuration screen.
    To change the port for the Server and all Clients:
    1. From the Admin Console toolbar, click Setup.
       – You may also access setup by clicking Setup from the File menu.
    2. Under Server/Client Port Settings, in the New Port field, select or enter your desired port.
    3. Click Change.
  • 27. Note Although it is not recommended, if an error occurs and a particular Client did not get assigned to the same port as the Server, you can change the Client port by expanding the Policy module, and selecting Client Actions and then Change Port from the displayed context menu. Updated Clients will be displayed in the Policy View.
    File Transfer Protocol
    By default, File & Printer sharing is enabled; this allows Paladin to effectively deploy Clients. You can also enable Paladin sockets so that files can be transferred between the Server and Client without having the Server logged into remote workstations.
    Updates
    The two major Paladin components that need to be regularly updated are:
    Server
    Clients/Definitions
    Routinely, the Paladin Server will check Aluria’s server for updates to be downloaded. If an update exists for the Paladin Server, the file will be downloaded, and the update will be run by the administrator. If an update exists for the Client or Definition files, these files will be downloaded awaiting a push by the Server to client workstations. To check Aluria’s servers for the latest updates, click Check for Updates.
    Server
    On the Updates screen, under Server, you can view the version of the server you currently have installed. If a server update is available, next to Available Version, the number displayed will be one higher than that shown for Installed Version. For example, if the Installed Version is 1 and the Available Version is 2, then an update is available.
    To update the Server:
    1. From the Admin Console toolbar, click Setup.
       – You may also access setup by clicking Setup from the File menu.
    2. Select the Updates tab.
    3. Under Server, click Update Now.
    Clients/Definitions
    The frequency of updates for Clients and definitions is the same. On the Updates screen, you can view installed and available versions of the client application and DAT files. To view installed versions by client, click View by Client.
    To schedule Client updates:
    1. From the Admin Console toolbar, click Setup.
       – You may also access setup by clicking Setup from the File menu.
    2. Select the Updates tab.
  • 28. 3. Under Clients, in the Download Frequency list, select the frequency with which you would like Paladin to check for and download available updates.
    4. Click Save.
    Note Policy-specific updates may be invoked by two methods. You can configure policy settings to automatically check for and install Client updates, or you can use push-button updating to update software and definition files for a policy.
  • 29. Setting Up Policies
    About Policies
    Once the Paladin Server is installed, you have the opportunity to create custom security policies. These policies can be applied to designated client groupings on your network, and will determine how Paladin finds, prevents, and manages spyware on client workstations. Once policies have been created, the Client service is pushed down to all selected PCs on the network. This process uses IP technology for communication, providing a channel for support of WANs, LANs, and VPNs.
    Policy View
    Every time you add a policy or update its settings, you can view those changes on the Policy screen. To view your policy settings, from the Admin Control panel, expand the Policies module and click on the policy whose details you want to review. The policy view displays the following:
    Domain. Displays the domain a client workstation belongs to.
    Client Name. Displays the computer name associated with the client workstation.
    Status. Displays the Client status, whether Installed or Not Installed.
    Last Scan. Displays the date and time of the last workstation scan.
    Client Ver. Displays the version of the client software that is installed on the workstation.
    Last Software Update. Displays the date and time of the last Paladin software update.
    Definition Ver. Displays the version of the threat definition file that resides on the client workstation.
    Last Definition Update. Displays the last date and time that the threat definitions were updated.
    Client Port. Displays the port that the client workstation is assigned to.
    Policy Ver. Displays the incremental number associated with the Client's policy.
    Configuration Utility
    Paladin includes a comprehensive, tab-based configuration utility for creating policies. This allows administrators to specify, according to client group, which spyware to detect and what resultant actions should be taken.
    With the configuration utility, administrators configure settings on the Client, Scan, Schedule, Item Actions, and Prevention tabs to suit network needs.
    Client. Allows administrators to define client updates, downloads and accessibility.
    Scan. Allows administrators to set options for full, quick, or custom scanning.
  • 30. Schedule. Allows administrators to schedule default or custom scans to be invoked for all client workstations in a given policy.
    Item Actions. Allows administrators to view and assign actions to a comprehensive list of all spyware items included in the Paladin Spyware Library.
    Preventions. Allows administrators to set IP, ActiveX, and zone blocking prevention settings.
    Creating and Managing Policies
    To accommodate administrator needs for flexibility and customization, Paladin offers several options that can be applied when creating and managing policies. From within the Policy screen you can:
    Create a Policy
    Delete a Policy
    Rename a Policy
    Copy a Policy
    Note It is highly recommended that servers be assigned their own, uniquely-configured policies separate from those created for workstations. Creating separate policies will provide flexibility in managing system preventions and scheduling workload-sensitive scan times.
    Create a Policy
    Before creating a client group, you will need to create the policy for that group.
    To create a policy:
    1. From the Admin Console toolbar, click Create Policy.
       – You can also, from the Policy menu, select Create Policy.
    2. Enter a unique, client-specific name for the new policy.
    Delete a Policy
    To free up licenses, you may decide to delete a policy. Deleting a policy uninstalls client software from all client workstations assigned to that policy. You can delete any policies that you created; however, the Paladin Default policy cannot be removed.
    To delete a policy:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be deleted.
    2. On the Policy menu, click Delete Policy.
    3. From the displayed dialog, confirm that you want to delete the policy by clicking Delete.
  • 31.    – You can also select Reassign. Choosing this option adds all clients from the selected policy to another policy of your choosing.
    Rename a Policy
    Rename an existing policy when you wish to change the unique name of a policy, but still retain your configured preferences and assigned client list.
    To rename a policy:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be renamed.
    2. On the Policy menu, click Rename Policy.
    3. Enter a new, unique policy name into the provided field.
    4. Accept the new policy name by clicking OK.
    Copy a Policy
    Copying a policy allows you to derive what you have already created in a preexisting policy, and apply it to a new policy. Once you have copied a policy, the new policy is added to the Policies module, and the configuration can be adjusted as desired.
    To copy a policy:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be copied.
    2. On the Policy menu, click Copy Policy.
    3. Enter a new, unique policy name into the provided field.
    4. Click OK.
    Configuring Policies
    Client Tab
    Configure settings on the Client tab to determine how Paladin will interact on client workstations in a policy. Client tab settings will determine the frequency with which the server checks for and downloads updates. Additionally, Client tab settings may be configured to send e-mail alerts when spyware is detected on a workstation. From the Client tab, you may:
    Configure Client Settings
    Deploy Client Software Updates
    Deploy Client Database Updates
    Set E-mail Alerts
  • 32. Configure Client Settings
    To configure Client settings:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Client tab.
    3. Select each Client setting you want applied to the policy.
    Options and descriptions:
    Enable Client UI. Displays the Paladin taskbar icon on client workstations to notify users that the program is running on their PC.
    Allow user to start and stop scan. Gives users at client workstations the ability to start and stop scans.
    Detection notifications. Provides users with a list of found spyware and related information, i.e. spyware name, action, etc.
    Automatic Updates. Allows administrator to specify that automatic updates should occur.
    Definitions. Automatically pushes DAT file updates to the client computer from the server, as specified during the system set up.
       – Choose Update Now to manually deploy updates to Client databases.
    Client Software. Automatically pushes updates to the client software from the server, as specified during the system set up.
       – Choose Update Now to manually deploy client software updates to all clients in the policy. By selecting this option, the server automatically pushes the latest client setup file to all Clients in the selected policy, and executes a silent update install.
  • 33. Configure E-mail Alerts. Allows administrators to send e-mail notifications when spyware of a certain severity is detected on a client workstation.
    4. Click Save.
    Note When you click Save, your specified settings are applied to every Client in the policy. The incremental number associated with those changes is displayed in the Policy view under the Policy Ver column. If a Client's Policy Ver number is lower than the other Clients in the policy, it needs to be updated. To manually update the client settings for an individual Client, expand the Policies module, right-click the Client that needs to be updated, and from the context menu select Client Actions and then Update Policy.
    Deploy Client Software Updates
    To manually update Client software:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Client tab.
    3. Select Updates.
    4. Select Client Software.
    5. Click Update All.
       – By selecting this option, the server automatically pushes the latest Client setup file to all Clients in the selected policy, and executes a silent update install.
    Deploy Client Database Updates
    To manually update the Client database:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Client tab.
    3. Select Updates.
    4. Select Definitions.
    5. Click Update All.
       – By selecting this option, the server automatically pushes definition file updates to all Clients in the selected policy.
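The Policy Ver rule in the note above (a Client whose number is lower than its peers needs Update Policy) can be checked across a whole client list. This is an added example, not part of Paladin or of Aluria's guide; it assumes the rows were copied by hand from the Policy view into CSV, and the client names and version numbers are constructed.

```python
import csv
import io

# Constructed sample: rows copied by hand from one policy's client list.
# Column names follow the Policy view fields described in this guide;
# the CSV layout itself is an assumption, not a Paladin export format.
SAMPLE_POLICY_VIEW = """\
Client Name,Status,Policy Ver,Definition Ver
WS-ACCT-01,Installed,7,412
WS-ACCT-02,Installed,6,412
WS-ACCT-03,Not Installed,,
WS-ACCT-04,Installed,7,409
"""

VERSION_COLUMNS = ("Policy Ver", "Definition Ver")


def load_rows(text):
    """Parse the CSV text; version columns become int, or None when blank."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for column in VERSION_COLUMNS:
            value = (row.get(column) or "").strip()
            row[column] = int(value) if value else None
        rows.append(row)
    return rows


def audit_policy(rows):
    """Return the clients that need attention, grouped by reason.

    not_installed      - deployment did not complete (Status column)
    policy_behind      - Policy Ver lower than the newest in the policy
    definitions_behind - Definition Ver lower than the newest in the policy
    """
    installed = [r for r in rows if r["Status"] == "Installed"]
    report = {
        "not_installed": [r["Client Name"] for r in rows
                          if r["Status"] != "Installed"],
        "policy_behind": [],
        "definitions_behind": [],
    }
    for column, key in (("Policy Ver", "policy_behind"),
                        ("Definition Ver", "definitions_behind")):
        known = [r[column] for r in installed if r[column] is not None]
        if not known:
            continue  # nothing to compare against
        newest = max(known)
        # An installed client with a blank version is treated as behind.
        report[key] = [r["Client Name"] for r in installed
                       if r[column] is None or r[column] < newest]
    return report


if __name__ == "__main__":
    for reason, clients in audit_policy(load_rows(SAMPLE_POLICY_VIEW)).items():
        print(f"{reason}: {', '.join(clients) or 'none'}")
```

Clients listed under policy_behind are the ones to right-click for Client Actions and then Update Policy.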
  • 34. Set E-mail Alerts
    E-mail alerts provide notification that a spyware threat of a certain severity has been found. For each severity-specific spyware found, a single e-mail is generated. The e-mail alert is sent to all e-mail addresses listed in a policy’s E-mail Alert dialogue box, and uses the SMTP E-mail Server specified during system set up. From the E-mail Alert dialogue box you can:
    Add An Alert To a Policy
    Remove An Alert From a Policy
    Add an Alert to a Policy
    To accommodate administrator needs for flexibility, Paladin offers several options for e-mail alerts. For administrators, the Consumerware – And Greater option is recommended, because it provides alerts for every item of spyware found on the network, from the benign to the severe. For persons whose job functions do not require extensive knowledge about threats on the network – for example, business executives who need only know when more severe threats infiltrate the network – you can set their alerts to an applicable setting, such as High – And Greater, or Severe – And Greater.
    To add an alert to a policy:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Client tab.
    3. Click Configure E-mail Alerts.
    4. In the field provided, enter the e-mail address of the Client you want alerted.
    5. From the Severity drop-down, select a severity.
    Options and descriptions:
    Consumerware - And Greater. Consumerware is a term that describes advertising or marketing-supported software that meets and exceeds Aluria’s strict guidelines for Spyware SAFE Certification. These useful applications, often given away free, provide value to the end-user, pose no spyware risk, and are easily and completely removed through Add and Remove Programs.
    Low - And Greater. Low severity indicates minor adware. There are no real tracking issues or system stability issues for low level threats.
  • 35. Guarded - And Greater. Guarded severity indicates BHOs and adware. There are some minor aggregate tracking issues. There are no or very minimal security concerns, such as causing lockups or crashes on isolated workstations or unique environments.
    Elevated - And Greater. Elevated severity indicates a high level of Web and usage tracking for aggregate and other purposes. Security risks are increased, and include the silent installation of unsafe code.
       – Elevated is the default severity.
    High - And Greater. High severity indicates the possibility of personally identifiable tracking and system compromising security concerns, including code that can crash or expose a browser or system to other risks. High severity spyware may also take advantage of current security exploits, if present.
    Severe - And Greater. Severe threats include keyloggers and remote administration tools. Severe spyware carries a very high risk of personal information being captured and compromised, including passwords, credit card numbers, and social security numbers.
    6. Click Add.
    Note When you select a severity, you will receive e-mails for items included in that severity level, and you will also receive e-mails for all items of a greater severity than the selected level. For example, if you select "Elevated - And Greater" you will receive alerts for elevated, high, and severe items.
    Remove an Alert from a Policy
    To remove an alert from a policy:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Client tab.
    3. Click Configure E-mail Alerts.
    4. From the E-mail Address list, select the e-mail you want removed.
    5. Click Remove.
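The "And Greater" thresholds described above decide who hears about which detection, and a policy whose recipients all use high thresholds leaves the lower levels unreported. The following is an added example, not Paladin code: it models the six severity levels from the guide, routes one e-mail per detection per qualifying address, and lists detections nobody would be told about. Addresses, workstation names and item names are constructed.

```python
from dataclasses import dataclass

# Severity levels in ascending order, as listed in the guide's Severity drop-down.
SEVERITIES = ["Consumerware", "Low", "Guarded", "Elevated", "High", "Severe"]
RANK = {name: position for position, name in enumerate(SEVERITIES)}


@dataclass(frozen=True)
class Detection:
    client: str    # workstation name (constructed)
    item: str      # spyware item name (constructed)
    severity: str  # one of SEVERITIES


def covered_levels(threshold):
    """Levels reported by a '<threshold> - And Greater' alert."""
    if threshold not in RANK:
        raise ValueError(f"unknown severity: {threshold!r}")
    return SEVERITIES[RANK[threshold]:]


def route_alerts(recipients, detections):
    """Map each address to the detections it is e-mailed about.

    recipients is {address: threshold}. One e-mail is counted per detection
    per address, following the guide's one e-mail per item found.
    """
    inbox = {address: [] for address in recipients}
    for detection in detections:
        if detection.severity not in RANK:
            raise ValueError(f"unknown severity: {detection.severity!r}")
        for address, threshold in recipients.items():
            if detection.severity in covered_levels(threshold):
                inbox[address].append(detection)
    return inbox


def unalerted(recipients, detections):
    """Detections below every recipient's threshold, so nobody is e-mailed."""
    if not recipients:
        return list(detections)
    lowest = min(RANK[covered_levels(t)[0]] for t in recipients.values())
    return [d for d in detections if RANK[d.severity] < lowest]


# Constructed sample data for one policy.
RECIPIENTS = {"secops@example.test": "Consumerware", "cio@example.test": "High"}
DETECTIONS = [
    Detection("WS-01", "sample-adware", "Low"),
    Detection("WS-02", "sample-bho", "Guarded"),
    Detection("WS-02", "sample-tracker", "Elevated"),
    Detection("WS-03", "sample-keylogger", "Severe"),
]

if __name__ == "__main__":
    for address, items in route_alerts(RECIPIENTS, DETECTIONS).items():
        print(address, [d.item for d in items])
    print("unreported:", [d.item for d in unalerted(RECIPIENTS, DETECTIONS)])
```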
  • 36. Scan Tab
    From the Scan tab, you can choose Full, Quick or Custom, to dictate how Paladin scans client workstations in a policy. These settings will be invoked at the time specified under the policy configuration utility’s Schedule tab, and will also be active when you perform a manual scan of one or more client workstations assigned to that policy.
    To configure scan settings:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Scan tab.
    3. Select each scan option you want applied to the policy.
    Options and descriptions:
    Full Scan. Scans memory, registry, known spyware hot spots, and (all fixed) disk drives.
    Quick Scan. Scans known spyware hot spots such as memory, registry, services, windows directory, program files, and cookies.
    Scan Priority. Select this option to specify how fast to run a scan on client workstations.
       – The default is Normal, but you may choose from Lowest, Below Normal, Normal, Above Normal, Highest, and Time Critical.
    4. Click Save.
    Schedule Tab
    From the Schedule tab, to ensure precision in scanning, you can schedule policy-specific scan times. By specifying the frequency, day, and time of a scan, all clients assigned to a policy will automatically be invoked to scan for spyware at a predetermined time.
    To schedule scan times:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Schedule tab.
    3. Select each option you want applied to the scheduling of the policy.
  • 37. Options and descriptions:
    Frequency. Select Daily, Weekly, or Monthly.
    Day. Select one day a week to scan, or select multiple. Days available include Monday through Sunday.
    Time. Type or select the hour and minute.
    Scan at Startup. Prompts an arbitrary scan any time the client computer reboots.
    4. Click Save.
    Item Actions Tab
    From the Item Actions tab, you can view a comprehensive list of all spyware items included in the Paladin Spyware Library. For each item, there is an associated action that can be modified to reflect administrator preferences. From the Item Actions tab you can:
    Assign Actions to Items
    View Spyware Items By Action
    Assign Actions to Items
    By default all items in the Paladin Spyware Library are set to Quarantine, and will be detected during scans. Some items Paladin detects as spyware might actually be legitimate tools routinely used by your organization. For example, useful remote access tools like PCanywhere, AdminMagic and RealVNC are detected because they have spyware-like behaviors associated with them. To prevent those useful items, needed within your organization, from being detected in scans, you must trust them. Conversely, items that are patently malicious in nature can be assigned to automatically delete, bypassing the quarantine stage altogether.
    To assign actions to Items:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Item Actions tab.
    3. From the displayed list of spyware item detections, select the items you wish to assign actions to.
  • 38. 4. Use the Quarantine, Delete and Trust buttons to assign actions to the spyware.
    Options and descriptions:
    Quarantine. Removes spyware from its found location and stores it in a quarantine where it can no longer harm the client computer.
    Delete. Deletes specified items at the moment of detection, directly from the client computer.
       – Please be advised, if you choose Delete, any found spyware that is associated with this action will be immediately and automatically deleted, and its files cannot be restored.
    Trust. Prevents an item from being detected during a scan. This option dictates that no action will be taken.
    5. Click Save.
    View Spyware Items By Action
    Once you've specified whether items Paladin detects should be quarantined, deleted, or trusted, you can view sorted lists of these items according to their action.
    To view spyware items by action:
    1. From the Admin Control panel, expand the Policies module, and then select the policy whose item actions you want to review.
    2. In the policy configuration utility, click the Item Actions tab.
    3. In the Show ___ Items list, select Quarantined, Deleted, Trusted, or All.
    Item Action Details
    Under the Item Actions tab, the list displays the following:
    Spyware Name. Displays the spyware name. (Gator, About:Blank, BonziBuddy, etc.)
    Severity. Displays the severity of the spyware. (Consumerware, Low, Elevated, etc.)
    Category. Displays the category to which the spyware belongs. (Adware, Trojan, Keylogger, etc.)
    Action. Displays the associated action. (Quarantine, Delete, or Trust.)
  • 39. Preventions Tab
    Paladin’s Internet prevention features provide unparalleled, real-time protection for clients in your network. These features notify end users about Web sites that are malicious in nature, and prevent spyware installation on your network by proactively monitoring the file system and registry for activity. From the Preventions tab you can:
    Enable Internet Preventions
    Enable System Preventions
    Enable Internet Preventions
    When Internet Preventions are enabled, if a user browses a site that Paladin has tagged as restricted, the Internet Explorer Restricted sites icon will display in the user’s task tray. Any actions outside of tagging are based on the user’s Internet Explorer security configurations. For example, if a user wishes to disallow ActiveX applications, this cannot be done through Paladin; it must be specified through the Internet Explorer security settings.
    Note Paladin’s Internet preventions (including restricted IP ranges and restricted zones) only work with Internet Explorer.
    To enable Internet preventions:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Preventions tab.
    3. Select the Internet Preventions check box.
    Once you have enabled Internet Preventions, you can further modify your settings by editing restricted IP ranges and restricted zones.
    Restricted IP Ranges
    There are many Web sites that secretly host spyware, and while client users may not visit them intentionally, they may be unwillingly redirected by scripts running in the background, misleading textual references, or deceptive pop-ups. Visiting malicious Web sites compromises your network security by allowing client workstations to be attacked by spyware. To prevent spyware infection, Aluria has created a list of Web sites known to engage in malicious activity. As an administrator, you can choose to block any or all of these sites.
    To block IP ranges:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Preventions tab.
    3. Select the Internet Preventions check box.
    4. Click Edit Restricted List.
  • 40. 5. Under the Restricted IP Ranges tab, from the Available IP list, select the IP(s) that you want blocked.
       – You may select the entire list by clicking Select All.
    6. Click Add.
    7. Click Apply.
       – Once added, IPs you’ve selected for blocking will appear in the Restricted IP list. To unblock any IPs in the Restricted IP list, select the IPs you no longer want blocked, press Remove, and then press Apply.
    Restricted Zones
    Some Web sites provide beneficial content, but run unnecessary, malicious scripts in the background, set unwanted cookies, or put forward harmful ActiveX controls. Aluria has created a list of these Web sites so administrators may block their restricted zones, allowing end users the ability to visit listed Web sites without risking infection.
    To block restricted zones:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Preventions tab.
    3. Select the Internet Preventions check box.
    4. Click Edit Restricted List.
    5. Under the Restricted Zones tab, from the Restricted Zones list, select the URLs that you want blocked.
       – You may select the entire list by clicking Select All.
    6. Click Add.
    7. Click Apply.
       – You may also block a URL that is not on Paladin's pre-populated list of zones by typing the URL into the provided field, clicking Add, and then Apply.
       – Once added, zones you have selected for blocking will appear in the Restricted Zones list. To unblock any zones in the Restricted Zones list, select the zones you no longer want blocked, click Remove, and then Apply.
  • 41. Enable System Preventions
    To enable system preventions:
    1. From the Admin Control panel, expand the Policies module, and then select the policy to be configured.
    2. In the policy configuration utility, click the Preventions tab.
    3. Select the System Preventions check box.
    Once you have enabled Internet Preventions, you can further modify your settings by enabling ADS.
    ADS
    ADS is a kernel-level driver that proactively protects the system from spyware. By including ADS in a policy, the Client will notify you before the spyware is installed, and then automatically quarantine or delete the spyware, depending on your policy settings.
    Note Some items ADS detects as spyware might actually be legitimate tools routinely used by your organization.
  • 42. Managing Clients and Items
    Client Management
    Adding and Deploying Clients
    Once you have created a policy, you can assign workstations to it. After you have assigned workstations to a policy, the Client service is automatically pushed down to those computers where it will install all necessary files needed to run the service. Pending a successful install, the server will send the latest syg.dat definition file to client workstations. Aluria recommends that you configure all policy settings before adding and deploying Clients. This will ensure that all client workstations have properly configured policy settings at the time of deployment.
    Note File and printer ports must be enabled for successful deployment. Windows XP SP2 users who have the Windows Firewall turned on do not have these ports automatically enabled. You will need to manually enable them in Windows before deploying in Paladin.
    To manually enable file and print sharing (XP SP2 users):
    1. From the Windows taskbar, select Start and then Control Panel.
    2. From the Control Panel, click Windows Firewall, and then select Off.
    3. On the displayed dialog, click the Exceptions tab.
    4. Select File and Printer Sharing.
    5. Click OK.
    About Firewalls
    To successfully run Paladin, you need to allow traffic to go through the ports you specified during the installation of the Paladin Server. If you have a firewall on your server, you must make the port number associated with the server an "exception" to the firewall, to allow inbound communication. You must also allow both TCP and UDP communication prototypes.
    Client Firewalls
    Paladin uses port 2001 on the Client to communicate with the Server. In order for the Client to send messages to the Server, the firewall on the Client system must allow traffic to pass through. The port will be an "exception" to the firewall. You must also allow both TCP and UDP communication prototypes.
    To add Clients to a policy:
    1. From the Admin Control panel, expand the Policies module, and then select the policy you want the Client added to.
    2. From the Policy screen, click Add.
       – You may also, from the Policy menu, select Add Computers.
  • 43. 3. Using the Network Browser, select the computers you wish to add to the policy.
       – If you cannot find a specific computer in the displayed list, you can search for it by entering the computer’s Domain and IP address into the provided fields, and then click Add.
    4. Click OK.
    Manually Deploying Clients
    If the automatic Client deployment fails, you can manually deploy the Client. If you want to deploy a client on a machine running Windows 98 SE, your only option for installation is manual. There are two options for manual deployment:
    Client Actions Deployment
    Create Install Files Deployment
    Note You can use a policy’s client list to determine if the client install was successful by observing the Status column. If Client software has been successfully deployed on a computer, the status will be “Installed.” If a workstation was added to the policy, but the Client install was unsuccessful, the status will be “Not Installed.”
    Client Actions Deployment
    Choose this option for your first attempt at manual deployment. Note that this type of deployment will not work for Windows 98. You will need to use the Create Install Files deployment instead.
    To manually deploy a Client using Client Actions:
    1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the workstation that needs client deployment.
    2. From the Policy client list, right-click the Client whose status is “Not Installed.”
    3. From the context menu, select Client Actions, and then Deploy.
       – You may also, from the Policy menu, select Deploy Clients. Use the Network Browser to select the workstations you want clients deployed to.
       – If you cannot find a workstation in the displayed list, you can search for it by entering its Domain and IP address into the provided fields, and then click Add.
    4. Click OK.
    Create Install Files Deployment
    Choose this option if your Client Actions Deployment fails and/or if you are running Windows 98.
  • 44. To manually deploy a Client using Create Install Files:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the workstation that needs the Client deployment.
2. From the policy's client list, right-click the Client whose status is “Not Installed.”
3. From the context menu, select Create Install Files.
4. Click Create, Append or Overwrite.

Options | Descriptions
Create | Choose this option if the installer file you want to deploy does not exist.
Append | Choose this option if there is an existing ClientConfig.ini file and you want to add new clients to it.
Overwrite | Choose this option if there is an existing ClientConfig.ini file that you do not want appended; this option creates a new file.

5. Copy ClientSetup.exe and ClientConfig.ini from C:\<paladin server installation directory>\Installer\“name of policy” to a network share that is accessible to the uninstalled computer.
   – You can, on the Manual Installer dialog, click the hotlink to take you to the installer directory.
6. Run ClientSetup.exe from each client computer.
   – Client.ini and ClientSetup.exe must be in the same directory for the manual install to complete.
   – Upon successful installation, a message will be sent to the server indicating that the client install has completed.

Removing and Reassigning Clients

As an administrator, you have the option to delete Clients from policies. You may also reassign Clients from one policy to another.

Removing Clients from Policies

To remove Clients from a policy:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the Client you want removed.
  • 45. 2. From the policy’s client list, select the Client for removal.
3. From the Policy screen, click Remove.
   – You may also, from the Policy menu, select Remove Computers, or you can right-click on a client and then from the context menu, select Remove and then Uninstall Client.
4. Click OK.

Note: You should choose Remove only for Clients that were successfully deployed. If the deployment was successful, the Client Status will display "Installed."

Removing Clients from Client Lists

If a workstation was added to the policy, but the Client install was unsuccessful, the status will be “Not Installed.” Removing Clients whose status is "Not Installed" will remove the Client from the policy's client list, thereby freeing up licenses.

To remove Clients from a client list:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the Client you want removed.
2. From the policy’s client list, right-click the Client for removal.
3. From the context menu, select Remove and then Remove From List.
4. Click OK.

Note: You should choose Remove From List only for clients whose status is "Not Installed." Additionally, because this version of Paladin automatically installs the ADS kernel-level driver, it is not recommended that you repeatedly uninstall Clients.

Reassigning Clients

To reassign a Client to another policy:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the Client you want reassigned.
2. From the policy’s client list, select the Client to be reassigned.
3. From the Policy screen, click Reassign.
   – You may also right-click on a client and from the context menu, select Client Actions and then Reassign.
4. In the Policy Reassign dialog, select the policy you want the Client reassigned to.
5. Click OK.
  • 46. Scanning Client Workstations

A policy’s Scan and Schedule tab settings dictate the extent and frequency of the scans performed on all workstations in that policy. You can also scan one or more workstations in a policy by performing a manual scan.

To manually scan client workstations for spyware:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the client(s) you want scanned.
2. From the policy’s client list, select the client workstation(s) to be scanned.
3. From the Policy screen, click Scan.
   – You may also, from the Policy menu, select Scan Computers, or you can right-click on the workstation(s) and from the context menu, select Client Actions and then Scan.
4. Select either Quick Scan or Full Scan.
5. Click OK.

Starting, Stopping and Refreshing Clients

Once you have created a policy and assigned workstations to it, you can perform some miscellaneous troubleshooting-type functions to help administer your Clients. With Client Actions you can:
Refresh Status
Start Service
Stop Service

Refresh Status

If you want to see the latest status of a particular Client, use Refresh Status. Refresh Status sends a message to the Client service (Aeliminator) to get the most current status, whether Installed or Uninstalled. This information is displayed in the Policy View under the Status column.

To refresh status:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the Client that needs to be refreshed.
2. From the policy view, right-click the Client.
3. From the context menu, select Client Actions and then Refresh Service.
4. Click OK.
  • 47. Start Service

Occasionally a Client service may stop running. You can run Start Service to remotely start the anti-spyware service (Aeliminator) on the selected client(s).

To start service:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the Client that needs to be started.
2. From the policy view, right-click the Client.
3. From the context menu, select Client Actions and then Start Service.
4. Click OK.

Stop Service

From time to time you may decide to stop the Client service (Aeliminator) from running. You can run Stop Service to remotely stop Aeliminator from running on the selected client(s).

To stop service:
1. From the Admin Control panel, expand the Policies module, and then select the policy that contains the Client that needs to be stopped.
2. From the policy view, right-click the Client.
3. From the context menu, select Client Actions and then Stop Service.
4. Click OK.

Item Management

Quarantining Items

By default, all items included in the Paladin Spyware Library are set to Quarantine. You can choose not to quarantine selected items by setting actions under the policy configuration utility's Item Actions tab. For your convenience, items you have elected not to quarantine may be reset to quarantine, for further review, at any time.

Quarantining Items - By Item

To quarantine items on an item-by-item basis:
1. From the Admin Control panel, expand the Events module, and then select By Item.
2. From the Items screen, select the item you want to manage.
3. From under the Trusted tab, select Quarantine.

Quarantining Items - By Client

To quarantine items on a client-by-client basis:
  • 48. 1. From the Admin Control panel, expand the Events module, and then select By Client.
2. From the Items screen, select the item you want to manage.
3. From under the Trusted tab, select Quarantine.

Unquarantining Items

Paladin allows Administrators to manage quarantined items by providing options to unquarantine those items you want detected in future scans. Depending on your preferences, you may want to unquarantine items on an item-by-item or client-by-client basis.

Unquarantining Items - By Item

To manage quarantined items on an item-by-item basis:
1. From the Admin Control panel, expand the Events module, and then select By Item.
2. From the Items screen, select the item you want to manage.
3. From under the Quarantined tab, select Unquarantine.

Unquarantining Items - By Client

To manage quarantined items on a client-by-client basis:
1. From the Admin Control panel, expand the Events module, and then select By Client.
2. From the Clients screen, select the item you want to manage.
3. From under the Quarantined tab, select Unquarantine.

Deleting Items

Because quality identification and safe removal of deep-rooted, dangerous spyware is critical to network security, you can review and choose to delete malicious items on either an item-by-item or client-by-client basis.

Delete Items - By Item

To delete items on an item-by-item basis:
1. From the Admin Control panel, expand the Events module, and then select By Item.
2. From the Items screen, select the item you want to manage.
3. From under the Quarantined tab, click Delete.
   – You can also, for items that aren't in quarantine, from under the Trusted tab, click Delete.
  • 49. Delete Items - By Client

To delete items on a client-by-client basis:
1. From the Admin Control panel, expand the Events module, and then select By Client.
2. From the Clients screen, select the item you want to manage.
3. From under the Quarantined tab, click Delete.
   – You can also, for items that aren't in quarantine, from under the Trusted tab, click Delete.

Spyware Library

Aluria's massive spyware database is constantly updated to provide administrators with the most up-to-date spyware signatures and profiles. Paladin's Spyware Library provides a quick reference for thousands of spyware detections. For each item listed in the Spyware Library, its associated details are also displayed.

The Spyware Library screen displays the following:
Spyware Item. Displays the spyware name. (Gator, About:Blank, BonziBuddy, etc.)
Category. Displays the category to which the spyware belongs. (Adware, Trojan, Keylogger, etc.)
Publisher. Displays the publisher of the spyware.
URL. Displays the URL that is associated with the spyware.

Note: The Spyware Library's Profile tab includes additional information to help you distinguish a spyware item's category, severity, recommended actions, publisher and URL.

Viewing Spyware Library Details

To view items in the Spyware Library:
1. From the Admin Console toolbar, select Spyware Library.
2. From the Items screen, select the spyware whose details you want to view.
3. Review details associated with the spyware by clicking the Profile, Quarantined, Deleted and Trusted Item tabs.

Viewing Events

Viewing Events By Client

Paladin provides several options for viewing spyware activity on your network. From the Client list, you can view all Clients and policies and their associated scan results history. To view the Client list, from the Admin Control panel, expand the Events module and then select By Client.
  • 50. Client List

The Client list overview displays the following:
Policy. Displays the policy the client workstation belongs to.
Domain. Displays the domain a client workstation belongs to.
Client Name. Displays the computer name associated with the client workstation.
Status. Displays the Client status, whether Installed or Not Installed.
Last Found. Displays the date and time of the last item found.
Client Ver. Displays the version of the client software that is installed on the workstation.
Definition Ver. Displays the version of the DAT file that resides on the client workstation.

Client List Details

To view items found by Client:
1. From the Admin Control panel, expand the Events module, and then select By Client.
2. From the Client list, select the client whose scan results you want to view.
3. Review details associated with scan results by clicking the History, Quarantined, Deleted, Trusted and Exceptions tabs.

Tabs | Descriptions
History | Provides a scan history overview with displays for Scan Date, Spyware Item, Component(s), Category, and Action.
Quarantined | Displays Scan Date, Spyware Item, Component(s) and Category details for items that have been quarantined.
Deleted | Displays Scan Date, Spyware Item, Component(s) and Category details for items that have been deleted.
  • 51. Trusted | Displays Scan Date, Spyware Item, Component(s) and Category details for items that have been trusted.
Exceptions | Displays operational error information including the related Scan Date/Time, Spyware Item, Component, Path, and Possible Cause.

Note: In addition to viewing details, under the Quarantined and Trusted tabs, you can also unquarantine or delete found spyware on a client-by-client basis.

Viewing Events By Item

From the Items list you can view all found items and their associated scan results history (whether they were quarantined, deleted, trusted, etc.). To view the Items list, from the Admin Control panel, expand the Events module and then select By Item.

Items List

The Items list overview displays the following:
Spyware Item. Displays the spyware name. (Gator, About:Blank, BonziBuddy, etc.)
Category. Displays the category to which the spyware belongs. (Adware, Trojan, Keylogger, etc.)
Publisher. Displays the publisher of the spyware.
URL. Displays the URL that is associated with the spyware.

Items List Details

To view found items and their related details:
1. From the Admin Control panel, expand the Events module, and then select By Item.
2. From the Client list, select the item whose scan details you want to view.
3. Review details associated with the item by clicking the Profile, Quarantined, Deleted, Trusted and Other tabs.

Tabs | Descriptions
Profile | Provides an item overview with Category, Severity, Recommended Action, Publisher and URL details.
  • 52. Quarantined | Displays Scan Date, Client Name, Component(s) and Category details for items that have been quarantined.
Deleted | Displays Scan Date, Client Name, Component(s) and Category details for items that have been deleted.
Trusted | Displays Scan Date, Client Name, Component(s) and Category details for items that have been trusted.
Other | Displays operational error information including the related Scan Date/Time, Client Name, Component, Path, and Possible Cause.
  • 53. Monitoring Network Activity

About Reports

With Paladin reporting tools, administrators can easily identify spyware patterns and address specific infection points across a network. Because all Paladin configurations, definitions, and logs are stored on the central server, administrators have the convenience of monitoring spyware threats on the network in real time. The Paladin Server has the functionality to view log files in many formats, and offers administrators the flexibility to manipulate data to provide custom reports based on specific criteria.

Leveraging Active Reports, Paladin provides seven pre-formatted reports including:
Network Activity. Provides a list view of machines and includes displays for Scan Type, Start Time, End Time, and Items Found.
Spyware Activity. Provides a list view of threats found on the network, and includes displays for Spyware Item, # Components, Date Detected, and Action.
Infected Machines - Summary. Provides a list view of all infected machines, and includes displays for Client Name and # Unique Spyware Items.
Infected Machines - Detail. Provides a list view of all infected machines, and includes displays for Spyware Item and # Components.
Top Ten Machines - Spyware Detected. Provides a list view of the top infected machines, and includes displays for Client Name and # Unique Spyware Items.
Machine History. Provides a list view of threats by workstation, and includes displays for Spyware Item, Category, # Components, Date Detected, and Action.
Threats Found - Summary. Provides a list view of all found threats, and includes displays for Spyware Item, # Components, and Severity.
Threats Found - Detail. Provides a list view of all found threats, and includes displays for Spyware Item, Client Name, # Components, and Severity.
Executive Summary. Displays Infected vs. Uninfected, Severity of Spyware Items Found, Number of Spyware Items by Category, Top Ten Spyware Items Found, and Top Ten Infected Clients.
Note: For every report that you generate, you must specify a date range to run the report against. To specify a date range, from a report screen, select your desired dates in the From and To fields.
  • 54. Report Options

The Reports screen toolbar offers functionality options that you can use when reviewing your reports. The toolbar includes the following:

Options | Descriptions
Table of Contents | Provides a point of reference for navigating a report.
Print | Prints the active report.
Copy | Creates a duplicate copy of the active report.
Find | Searches the active report.
Single Page View | Displays the active report in a single page view.
Multiple Page View | Displays multiple pages all at once in the active report.
Zoom Out | Decreases the display of a report to show more of the document.
Zoom In | Increases the display of a report for closer examination.
Zoom drop-down | Modifies the display of the report to either increase or decrease the view as selected.
Previous Page | Navigates back one page.
  • 55. Next Page | Navigates forward to the next page.
Current Page Number | Displays the number of the current page.
Backward | Navigates back one page.
Forward | Navigates forward to the next page.

Exporting Reports

Reports help administrators analyze activity on their network. Paladin makes exporting these reports simple.

To export a report:
1. From the Admin Control panel, expand the Reports module, and then select the report you wish to export.
2. Specify the date range for the report you wish to view in the From and To fields.
3. Click View.
4. Once the report has displayed, click Export.
5. In the Save As dialog, navigate to the location where you want the report saved.
6. Enter a file name in the provided field.
7. Select a file format type.
   – You can select from Microsoft Excel (.xls), Rich Text Format (.rtf), TIFF (.tiff), Microsoft Excel Data Only (.xls), and Adobe Acrobat (.pdf).
8. Click Save.
  • 56. Network Activity

The Network Activity report provides a list of threats found on the network. The information displayed includes Scan Type, Start Time, End Time, and Items Found.

To view a Network Activity report:
1. From the Admin Control panel, expand the Reports module, and then select Network Activity.
2. Specify a date range in the From and To fields.
3. Click View.

Spyware Activity

The Spyware Activity report provides a list of threats found on the network. The information displayed includes Spyware Item, # Components, Date Detected, and Action.

To view a Spyware Activity report:
1. From the Admin Control panel, expand the Reports module, and then select Spyware Activity.
2. Specify a date range in the From and To fields.
3. Click View.

Infected Machines - Summary

The Infected Machines - Summary report provides a list of all infected machines in a policy. The information displayed includes Client Name and # Unique Spyware Items.

To view an Infected Machines - Summary report:
1. From the Admin Control panel, expand the Reports module, and then select Infected Machines - Summary.
2. Specify a date range in the From and To fields.
3. Click View.

Infected Machines - Detail

The Infected Machines - Detail report provides a list of all infected machines within a policy. The information in this report is more detailed than in the Infected Machines Summary report. The information displayed includes Spyware Item and # Components.

To view an Infected Machines - Detail report:
1. From the Admin Control panel, expand the Reports module, and then select Infected Machines - Detail.
2. Specify a date range in the From and To fields.
  • 57. 3. Click View.

Top Ten Machines – Spyware Detected

The Top Ten Machines - Spyware Detected report provides a list of all the top infected machines in a policy. The information displayed includes Client Name and # Unique Spyware Items.

To view a Top Ten Machines – Spyware Detected report:
1. From the Admin Control panel, expand the Reports module, and then select Top Ten Machines – Spyware Detected.
2. Specify a date range in the From and To fields.
3. Click View.

Machine History

The Machine History report provides a list of threats by workstation. The information displayed includes Spyware Item, Category, # Components, Date Detected, and Action.

To view a Machine History report:
1. From the Admin Control panel, expand the Reports module, and then select Machine History.
2. Specify a date range in the From and To fields.
3. Click View.

Threats Found - Summary

The Threats Found - Summary report provides a list of all found threats within a policy. The information displayed includes Spyware Item, # Components, and Severity.

To view a Threats Found - Summary report:
1. From the Admin Control panel, expand the Reports module, and then select Threats Found - Summary.
2. Specify a date range in the From and To fields.
3. Click View.

Threats Found - Detail

The Threats Found - Detail report provides a list of all found threats within a policy. The information in this report is more detailed than in the Threats Found - Summary report. The information displayed in this report includes Spyware Item, Client Name, # Components, and Severity.

To view a Threats Found - Detail report:
1. From the Admin Control panel, expand the Reports module, and then select Threats Found - Detail.
  • 58. 2. Specify a date range in the From and To fields.
3. Click View.

Executive Summary

The Executive Summary provides a high-level overview of spyware activity on your network. The information displayed includes Severity of Threats Found, Infected vs. Uninfected, Spyware Items by Category, Top Ten Spyware Items, and Top Ten Infected Clients Per Spyware Item.

To view an Executive Summary report:
1. From the Admin Control panel, expand the Reports module, and then select Executive Summary.
2. Specify a date range in the From and To fields.
3. Click View.