Brian Conklin

Configuring Kernel-Only Protection for an Application

Note

The steps below configure kernel-only protection. Once the rules are generated, the configuration is saved and is downloaded by the applicable agents the next time they poll in. If you need the agent(s) to download the rules immediately, open the Agent Panel (UI) on the host(s) themselves and perform a fast poll by clicking the 'Poll' button.

Configure

1. Launch the CSA MC, and ensure the view is set to 'Advanced Mode' (top-right, third from right icon).
2. Create an "Outlook" Application Class:

  • Navigate to Configuration > Applications > Application Classes
  • Click 'New' button.
  • Configure the new Application Class with the following parameters:
      Name: Outlook App Class
      Description: Outlook App Class
      OS: <Windows>
  • Add process to application class when created from one of the following executables:
      **\outlook.exe
  • Click 'Save' button.

3. Create an “Outlook” Rule Module:

  • Navigate to Configuration > Rule Modules
  • Click 'New' button.
  • Configure the new Rule Module with the following parameters:
      Name: Outlook Rule Module
      Description: Outlook Rule Module
      OS: <Windows>
  • Click 'Save' button.

4. Add a new Application Control Rule to the “Outlook Rule Module”:

  • Click 'Add \/' button (while still editing Rule Module).
  • Click/choose 'Application control'
  • Configure the new Rule with the following parameters:
      Description: Outlook Application Control Rule
      Take the following action: "Add New Process to Application Class"
      Dynamic Application Class: "<*Processes requiring Kernel Only Protection>" and when
      Current applications in any of the following selected classes: "<All Applications>",
      But not in any of the following selected classes: "<none>", attempt to run
      New applications in any of the following selected classes: "Outlook App Class",
      But not in any of the following selected classes: "<none>"
  • Click 'Save' button.

5. Create an "Outlook" Policy:

  • Navigate to Configuration > Policies
  • Click 'New' button.
  • Configure the new Policy with the following parameters:
      Name: Outlook Policy
      Description: Outlook Policy
      Properties, OS: Check the “Windows” check-box.
  • Click 'Save' button.

6. Attach the new Rule Module to the Policy:

  • On that same page, click the 'Modify rule module associations' link (right-side).
  • On the left-side, select (highlight) "Outlook Rule Module", click 'Add>>' button.
  • Click 'Save' button.

7. Create an "Outlook" Group:

  • Navigate to Systems > Groups
  • Click 'New' button.
  • Configure with the following parameters:
      Name: Outlook Group
      Description: Outlook Group
  • Click 'Save' button.

8. Associate the Policy to the Group:

  • On that same page, click the 'Modify policy associations' link (right-side).
  • On the left-side, select (highlight) "Outlook Policy", click 'Add>>' button.
  • Click 'Save' button.

9. Add the affected host(s) to the new Group:

  • On that same page, click the 'Modify host membership' link (right-side).
  • On the left-side, locate the hosts that are/were experiencing the issue and select them, and click 'Add>>' button.
  • Click 'Save' button.

10. Generate the Rules:

  • Click 'Generate rules' link (near center, bottom of MC interface).
  • Click 'Generate' button.