Overview

SanerNow is a platform for endpoint security and management – a platform that hosts numerous tools to cover various endpoint security and management requirements. SanerNow queries your systems to find aberrations, and helps your systems retain normality.

SanerNow is provided as Software as a Service (SaaS). With no capital expenditure, a pay-as-you-go model allows payment for only services used, based on the number of endpoints being serviced. Having tools to address multiple use cases within one platform helps reduce up to 60% of the investment in endpoint security and management.

The following concepts are embodied within the SanerNow platform and tools.

• Self-provision tools from the cloud, as needed, for specific use cases
• Pay for actual usage and avoid lengthy product procurement process
• Eliminate risk, try out tools to ensure they meet requirements
• Be usable, without the need for training or massive product documentation
• Effectively address endpoint security and management tasks

SanerNow Use Cases

SanerNow addresses the following business cases:

• Vulnerability Management – Continuously assess risks, automated to a daily routine.
• Patch Management – Apply operating system and third-party application patches for Windows, Linux and Mac OS X.
• Compliance Management – Comply with regulatory standards benchmarks and achieve continuous compliance (PCI, HIPAA, NIST 800-53, NIST 800-171).
• Asset Management – Discover and manage assets.
• Endpoint Management – Manage endpoints and ensure their well-being.
• Endpoint Threat Detection and Response – Detect and Respond to Indicators of Attack (IoA) and Indicators of Compromise (IoC).

Getting Started With SanerNow

Introduction

SanerNow^TM is a platform and tools for managing and securing your endpoints. The platform is designed as a SaaS model and provides security and IT management tools on demand.

Please refer to the SanerNow website https://sanernow.com or click on the above

Getting started with SanerNow

There are only a few simple steps to get started with SanerNow.

• Sign Up
  • Select a Plan
  • Provision Tools
  • Update Profile
• Open SanerNow Platform
  • Create Account
  • Create User
  • Deploy Agents
• Use SanerNow Tools

Sign up

On the SanerNow web page https://www.sanernow.com, click “Sign Up” or “Try for free” at the top right.

The first and last name must contain alphanumeric characters. The password needs to have at least one number, one upper case, one lower case and a special character. It must be at least seven characters and no more than 20 characters. The password should only contain these special characters ~ ! @ $ ^ & * ( ) – = _

Click Sign Up to complete registration.

To sign up, enter a valid email address, your name, and password. The email address will be the username for your login.

Note: If you are unable to register, please check your email address to ensure it is valid and that it hasn’t been previously registered.

An email will be sent to you to verify your registration email.

Note: If you don’t receive the email within a few minutes, please check your email spam folder.

Click on the link in the email to finish the verification process. Within a few minutes you should receive a confirmation web page.

You will be redirected to a web page as shown below after email verification. Click Sign In with your email address and password.

Note: Please contact support@secpod.com if you did not receive the registration email or if the Sign Up Confirmation isn’t displayed after clicking the email link. It may take a few minutes for the confirmation to display.

On the SanerNow web page (https://sanernow.com), click Sign In at the top right.

Select Plan (This step is not required if you clicked “Try for free”)

After signing in to SanerNow, you can select a free evaluation or monthly plan.

The Free SanerNow Evaluation plan lets you try out SanerNow tools for up to a month on up to ten endpoints. You can switch to a monthly plan at any time.

The SanerNow Monthly plan includes monthly billing based on tools provisioned and number of endpoints managed. An invoice will be generated after the end of each month, which will be sent to the account registration email address. Please contact support@secpod.com if you will be managing more than 5,000 endpoints.

If you clicked “Try for free”, plan selection is not required. You’ll be taken to “Provision Tools” step.

Select the desired plan and click Next.

Click on next to proceed.

Provision Tools

Select the tools you would like to provision. For the Free Evaluation Plan, you will most likely want to provision all tools. With the Monthly Plan you can then provision specific tools for each account you create. Accounts allow you to segregate endpoints by site and to control user access.

Select the tools to provision and click Next.

Update Profile

Enter billing details to complete the sign up process. Enter your address, state, country, zip code and preferred currency. A valid phone number is required. This information will be used for generating invoices.

Click Save.

Open Saner Platform

Click Open Saner Platform at the top right. You will then be redirected to saner.secpod.com.

Create Account

Create an account or site with a name, organization, valid email address (that will be used for reports and alerts), number of subscriptions and tools to be provisioned.

Once an account or site is created, SanerNow agents will be built. The agents are built specifically for each account or site.

Note: This process takes several minutes. Please be patient.

Note: Later you can create additional accounts or sites by clicking the gear icon at the upper right.

Deploy Agents

SanerNow agents can be deployed to endpoints by using the links on this page. Select the appropriate agent for the endpoint operating system. When using SanerNow, you can also go to Manage > Devices > Deployment and use a URL for downloading agents.

Use SanerNow Tools

Click the icon at the top left corner of the screen to select an account or site to manage.

tools for more detail.

Click Manage > Devices to see device information after agents have been deployed

click on  at the top center to select SanerNow tools.

Note: If you are unable to view all tools by clicking , this could be because some of the tools were not provisioned for this account.

Note: Refer to the SanerNow User Guides in the Documentation section of the SanerNow website for detailed information (www.sanernow.com/documentation).

Note: If you have any issues, please contact Technical Support at support@secpod.com.

Guides

User Guides

• General Settings
• Vulnerability Management
• Asset Management
• Patch Management
• Compliance Management
• Endpoint Detection and Response
• Endpoint Management

Technical Guides

• Saner 4.1.1.0 Websocket
• Saner 4.1.1.0 Software Deployment
• Saner 4.2.1.0 Custom Reports

Release Notes

Release Notes SanerNow 4.6.0.0

July 28, 2020

SanerNow 4.6.0.0 comes out with several enhancements to enrich the product usage experience. . This maintenance release also includes  bug fixes to enhance the performance of the SanerNow platform. 

Release Summary

Patch Management (PM) module improved with new enhancements

1. Enhanced visibility in the Patch Management (PM) Dashboard to understand risks, patches, and the impact of patching at any given time.
2. Added search functionality in PM Dashboard, supporting granular searches on all patch metadata.
3. Ability to view the impact of patching while creating patching tasks. 
4. Added search filters in the PM job status page
5. Added a new policy to automatically delete inactive devices based on specific criteria.

Others:

1. New support introduced to audit SQL based Database Servers

Several bugs have been addressed improving the reliability, performance, and security of the SanerNow platform. 

We hope SecPod SanerNow 4.6.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@secpod.com for any feature request or enhancements you expect in the product.

Release Notes SanerNow 4.5.0.0

May 17, 2020

SanerNow 4.5.0.0 brings several enhancements to the Patch Management (PM) module along with a few product performance improvements. This maintenance release also consists of fixes to bugs, security issues, and enhancements to REST API coverage.

Release Summary

Performance Improvements – Enhanced product performance for better usage

1. Access SanerNow Dashboards more efficiently now: Significant user experience and performance improvements are made to load the dashboard elements faster.
2. Enhanced management for transient devices: Improved support for transient devices changing locations frequently.
3. Introducing custom templates for reports: Ability to create a custom template for reports, which can then be applied to all other Customer Accounts or Sites.

Patch Management (PM) – Patch management improved with new functionalities

1. Included new filters for better visibility: Added filters to identify inactive devices and list devices by their operating system version and build number.
2. Introducing a single click filter: A single-click filter is introduced to list third-party application patches by the operating system family.
3. Test and deploy Firmware and non-security patches now: Firmware and non-security patches are included in the Test and Deploy feature. This would allow users to verify patches in a testbed and then approve for production rollout.
4. Enhancements to save bandwidth usage: The patching jobs are now sent only to the applicable devices in the selected group of devices significantly improving the performance and reducing network bandwidth utilization.

General enhancements and bug fixes

1. Fixed few security issues in the platform.
2. Inconsistency in the SanerNow agent upgrade is addressed considering a fail-over situation.
3. More indicaors are added to show the agent’s remediation progress.
4. Various bugs are resolved on dashboards, reports, and other tools.

We hope SecPod SanerNow 4.5.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@secpod.com for any feature request or enhancements you expect in the product.

Release Notes SanerNow 4.4.0.0

March 19, 2020

At SecPod, we strive towards delivering solution to enhance user experience. SanerNow 4.4.0.0 comes with a bundle of new additions, enhancements and bug fixes to increase efficient product usage. In this release we have brought several enhancements to Patch Management, Endpoint detection and response and Agent Deployment Tool, covering other general enhancements and bug fixes as well.

Patch Management (PM) – Enhancing patch management for better visibility

1. Introducing device view and patch view: A new dashboard element is added to represent a Device view, with the option to switch to Patch view. The Device view shows a list of all applicable patches per device, risks, patch-ability status, etc along with a single click option to create a remediation job.
2. Check patch repository reachability status and resolve issues: Patch repository reachability status added on the dashboard to diagnose issues related to patching.
3. Introducing all new device-based reports: Device-based Report APIs are added in Patch Management (PM) under Reports. The APIs such as Devices with Missing Security Patches, Missing Configuration, Most Critical Patches to give you better insight on effective patching, Patches for Paid-Products or licensed products, Missing Patches of Non-reachable devices.
4. Insightful error messages to resolve patching obstacles: Error codes and reasons are added to better understand Status on Patch Remediation and Automation tasks.
5. Show customized alerts on functional end-user systems before initiating remediation: Reboot alert messages can be provided on fixing missing patches, automation or rollback tasks that notifies logged-in users on endpoints to save their work and prepare for the reboot of endpoints. A similar notification can also be sent before remediation tasks, alerting the user about the scheduled activity.
6. Enhanced Saner agents to comply with Windows Update component: Saner agents are now intelligent to gather any inconsistency with the Windows Update component and resolve issues automatically.

Endpoint Detection and Response (EDR) – Optimizing Endpoint Detection and response for improved performance:

1. Increased scalability to view huge data: EDR performance enhanced to load data for a large number of devices, assisting with scalability.
2. Introducing filters to view only required details: Status filters are also added in EDR for viewing a subset of data from endpoints.

Agent Deployment – Enhanced agent deployment tool to increase efficiency

Analyse, act and deploy agents according to the requirements of end-user computer: Saner Agent Deployment Tool is now smarter to gather pre-requisites and deploy agents with ease. It also allows users to deploy agents with single-sign-on credentials.

General enhancements and bug fixes

1. Microsoft Operating system details are added with a specific release version wherever Operating System names are displayed across the platform.
2. Various bugs are resolved on dashboards, reports, and patch management tasks.
3. Mac OS X agent adheres to the Mac OS X application signing and notarization guidelines.

We hope SecPod SanerNow 4.4.0.0 will ease your endpoint security management to a greater extent. Please mail us at support@secpod.com for any feature request or enhancements you expect in the product.

Release Notes SanerNow 4.3.0.0

February 3, 2020

SanerNow 4.3.0.0 brings several enhancements to Patch Management (PM) tool. This maintenance release also includes fixes to major bugs, security issues and enhances Rest API coverage.

Release Summary

1. Operating System (OS) upgrade, a one-click OS version upgrade is introduced. This feature installs necessary Security KBs, and upgrades the system to the latest version.
2. Reboot Scheduler is introduced to schedule the reboots to a particular time. Reboot jobs are listed in the PM status page to track the reboot progress.
3. Added color scheme to charts in reports.
4. Inconsistency in the ‘Windows Update’ component is automatically resolved.
5. Superseded and older patches are suppressed and only the latest security patches are listed.
6. Non-Security patches are added to the individual device details page, in addition to the security patches.
7. Rest API coverage is enhanced to include newer APIs and improved security validations.
8. Inconsistencies while moving the device from one account to another account is addressed.
9. Upgraded 3rd party dependent libraries to the latest version.

Release Notes SanerNow 4.2.2.1

 June 28, 2019

SanerNow 4.2.2.1 enriches API coverage in custom reports and extends web service support for software deployment.

Introducing new Custom Report APIs for

1. Summary of Patch Aging
2. Detailed Information on Up-To-Date Assets
3. Listing assets without patch released by vendor
4. Vulnerability Metrics that is updated to show total number of vulnerabilities
5. Overall Remediation information
6. Vulnerability Statistics
7. Vulnerability Count of Active and Inactive Devices

Release Notes SanerNow 4.2.2.0

 June 14, 2019

SanerNow 4.2.2.0 provides more control over task scheduling, support for non-persistent desktop virtualization devices and minor bug fixes.

Task Scheduling

Extended the scheduler in PM Automation, EDR Detection and Response, EM Checks and Actions to have flexibility in scheduling patching and other tasks. Specifically, users can now choose selective months, weeks, days or any date to schedule tasks.

Non-Persistent Device Support

Support added for non-persistent desktop virtualized devices – agents are activated when such devices are initiated and are gracefully deactivated when shut down. This will ensure subscriptions are not locked down with an instance that is not running and are available for deploying on live systems.

Release Notes SanerNow 4.2.1.0

 May 06, 2019

SanerNow 4.2.1.0 introduces a unique, easy to use report generation tool with various data export APIs and report builder charts and tables. It also brings support for two new operating systems and further enhances AI driven search assistant.

Custom report generation

A unique and easy to use report generation and customization tool is introduced with 100s of pre-built data export APIs, report builder charts and tables. With this, users will have the facility to create custom reports, export, and schedule periodic backup of those reports. An intuitive user interface allows you to build custom dashboards, save and export these dashboards across SanerNow tools.

1. Create custom reports,
   • Predefined APIs for all SanerNow tools and their functions
   • An intuitive search interface to find or determine the right API
   • Apply filters to extract information of specific interest and plot them as data tables and charts
   • Export created report into PDF or send e-mail
   • Schedule backup of these reports for periodic export and sending e-mails
   • Export each data section into CSV
   • Build reports and set them as Default for periodic viewing
2. The current Default reports are made available as Canned Reports. With this release, you can also customize these reports.
3. The Reports tool is built for high performance.

New platform support

1. Alpine Linux – Alpine Linux is a Linux distribution based on musl and BusyBox, primarily designed for security, simplicity, and resource efficiency. The SanerNow agent is now available to deploy on this platform.
2. Windows Server 2019 – Microsoft Windows Server 2019 is the latest version of the Microsoft server operating system. The SanerNow agent is now available to deploy on this platform.

Enhancements to Plasma

Plasma is a Beta version of an intelligent machine learning based search assistant. This will be continuously enhanced to become smarter. New enhancements include,

• More search suggestions
• Filtering capability to reduce the scope of results
• Minor bug fixes

Other enhancements

1. Patch Management: Dates have been added to show when the remediation/patching task was performed on an individual device.
2. Endpoint Management:
   • USB Mass storage device and USB port blocking support is now supported on all Linux systems.
   • Blocking of devices by Device ID (device instance ID) is now supported in Windows and Linux.
3. Track EOL (End of Life) and EOS (End of Support) products across the platform. Such products are marked as Outdated.
4. Live system metrics on an individual device page (Click on the hostname under Manage -> Devices page to view this feature). This has a control to fetch system metrics only when refreshed, thus helps save network bandwidth.

Release Notes SanerNow 4.2.0.0

March 03, 2019

SanerNow 4.2.0.0 introduces Plasma, a beta version of a smart search assistant. New features are also introduced in Patch Management to further simplify endpoint patching.

Plasma

Plasma is a Beta version of an intelligent machine learning based search assistant. This marks the first release of Plasma which is intended to do smarter, AI (artificial intelligence) powered searches. This will be continuously enhanced to become smarter.

1. User Assist – Searches as you type across 1000+ documents to provide navigational help on the platform.
2. Discover – Search across platform’s rich endpoint data and indicators to discover meaningful information.

Patch Management

1. Test and Deploy – Test patches in a test environment before deployment. Administrators can create a test task and provide automation rules to deploy after validating results of the test task. This is useful to rollout patches in a production environment after testing in an identical test environment.
2. Batch Remediation – Administrators are able to include pre and post scripts to be bundled in a remediation job or rule. Pre-scripts are executed before the remediation task and post-scripts are executed once a remediation task completes. This feature is only available for security patches. Additionally, our content research team will add script-based patching to cover vulnerabilities that do not have vendor patches.
3. Firmware Patching – With an increasing number of attacks targeting the underlying hardware system, firmware patching has become a critical need. Firmware patches can now be applied on Microsoft Windows systems.
4. Reboot Control – Logged-in users are now able to postpone reboots until a specific time.
5. Retry Remediation – The Patch Management Status page now lets you re-attempt already created remediation tasks. A copy of the remediation job is created which can be edited and applied.
6. Detailed Remediation Status – Remediation status now includes Received, Initiated and Done to provide more visibility on tasks being performed.
7. Stop Ongoing Remediation Task – Ongoing remediation tasks can now be stopped to release devices that haven’t yet accepted the task. This will free devices for other remediation tasks.
8. Dashboard changes – A smart Patch Compliance calculator has been added to identify the number of patches required to patch a minimal number of devices to eliminate the maximum number of vulnerabilities. Patch compliance for devices and assets are also shown.
9. Bug Fixes and Performance – Various issues have been addressed.

Endpoint Management

1. Extended support to handle .bat, .sh, .reg, .deb, .rpm, .exe, .msp, .msi via zip file upload section under Software Deployment.

Device Management

1. Users can move Devices across accounts. This is useful when employees move to different locations or move to new projects, etc.
2. E-mail alerts are now provided when Saner agents are uninstalled.

Release Notes SanerNow 4.1.1.0

November 22, 2018

Software deployment

1. Deploy Software packages from array of pre-packaged list of Software applications to Saner enabled systems. We have 100’s of pre-bundled packages to choose from for Windows, Linux and Mac OS X.
2. Create rules to deploy Software packages for new devices while new systems are being provisioned. All your pre-selected Software packages are deployed at one go. This helps making your systems ready to use with all essential software.
3. Create your own deployer package and roll out across all Saner enabled endpoint systems. The deployer packages can be exe, MSI, archived files with script and other installers or it can even be a download URL.
4. Uninstall Software applications across endpoint systems to remove rogue applications, blacklisted applications, license violating applications or unauthorized software at one go across all affected systems.

Real-time communication

• Continuous, real-time visibility is a must for security operations. With new, web-socket based communication between the agents and the server, everything becomes instant. Sending a scan request, performing a query, monitoring system activities, scheduling an Action in response to a security event are all immediate.

Live system health

• System details now include trending graphs showing CPU, RAM, Network and Disk usage. Click on a device to witness live data from an endpoint, the most simple and sophisticated means to monitor system health.

Role based user access

• Introducing Role-based User Access – to delegate users to handle one or more Saner services across multiple accounts.

Password protect Saner agent service

• The Saner agent service is now password protected. Any unauthorized uninstallation of Saner agent is prevented unless configured password is supplied.

Others

1. Account administrators can alter device subscription limit for accounts and extend account expiry date
2. Improved Microsoft patching
3. Endpoint Protection Software displays devices without Anti-Virus software installed in addition to devices that are under risk
4. Performance improvements
5. Saner agent upgrade and scan optimization on agents
6. Bug and security fixes

Release Notes SanerNow 4.1

September 05, 2018

1. Patch Management Automation now supports security and non-security patches. A software patch can fix security vulnerabilities or improve the usability and performance. While creating an automation task, users can select from two options, either apply security patches only or apply both security and non-security patches.
2. Patch Rollback is now available for Linux and Mac operating systems. Saner tracks rollback point for a software asset while applying a patch. This helps revert changes and restores applications or operating systems to the last best-known version/configuration.
3. Saner users can prioritize patches based on severity. Patches are categorized as Critical, High, Medium and Low. A typical use-case would be to allow remediation tasks to qualify only critical patches for Software applications on various devices.
4. All scans now run in “Low” mode by default. This would ensure Saner agents consume minimal resources while a scan is run. A CPU threshold value can also be set to restrict resource utilization. This configuration can be altered using Settings.
5. Simplified Group and Device filtering.
6. Revamped patch automation and Remediation Status interface for better usability, with the ability to filter by Group/Devices and also by the family of Operating System.
7. Saner agents can now recover themselves in case of an abnormal shutdown of a system.
8. Other bugs and usability concerns are addressed.

Release Notes SanerNow 4.0.0.5

1. Updated Code Signing Certificate and signed all executables and binaries.

Release Notes SanerNow 4.0.0.4

1. Fixed cross-site scripting and remote code execution vulnerabilities that existed in update logo feature in Account Management that allows attackers to define potentially untrusted Javascript running within a web browser. Thanks to Sumit Birajdar helping us discover the vulnerability.
2. Integrated support for Fedora 28 operating system.
3. Patch Management supports MSI file format for remediating vulnerabilities in Windows Systems.
4. Fixed configuration file corruption issue on force shutdown/restart of devices using backup mechanism.
5. Minor bug fixes.

Release Notes SanerNow 4.0.0.3

1. Introduced device status on group-based view in Manage page.
2. Fixed Mail settings update for Administrators and Accounts/Sites.
3. Added persistence of task scheduling in Endpoint Management (EM) and Endpoint Detection and Response (EDR).
4. Minor bug fixes.

Release Notes SanerNow 4.0.0.2

1. Fixed host counters in Assets License Section in PDF reports. Fixed detection counters in IoC and IoA Sections under Endpoint Detection and Response (EDR) PDF reports.
2. Fixed Remediation action issues in Compliance Management (CM).
3. Other minor bug fixes.

Release Notes SanerNow 4.0.0.1

1. Fixed scheduling software deployment tasks in Endpoint Detection and Response (EDR).
2. Added hostnames of devices associated to a specific Software/Hardware License in in CSV report of Asset Management.
3. Fixed an update issue in Sensitive Data Detection detection scripts under Endpoint Management (EM) .
4. Fixed scheduler update issue in System Health detection scripts under Endpoint Management (EM) .

FAQ – Frequently Asked Questions

Technical FAQ

How to get started?

Sign Up on www.sanernow.com and select tools required. Go to “Open Console” to create accounts and deploy on agents. Within 10 minutes you should be able to set up 1000 machines and view their reports.

What measures can we take to secure our account?

You can set up a 2-step verification to add an extra layer of security to your account. See section How can we set up two-factor authentication for more details. Adminitrators and Account Administrators can enforce two-factor authentication for all other users.

How is my data secured?

Your data is isolated from others. Multiple techniques are used to ensure data integrity and request/response are verified. Our specialized team ensures that platform passes through multiple layers of security tests. These teams are up-to-date with latest attacks and threats and plays a major role in defining checks for products such as OpenVAS. Your data is secure with us.

How can we set up two-factor authentication?

When you enable two-factor authentication, you add an extra layer of security to your account. You sign in with something you know (your password) and something you have (a code sent to your phone).

To start with, click on ‘turn on’ against two-factor authentication. Open the Google Authenticator app and scan the QR code. You will be provided with 6 digit code in the app. Enter the code in the text box and press Enable button.

On every login, after entering username ans password, you will be promted to enter the code displayed by the Google Authenticator app. These two steps are verified for access to your account.

What is the average size of content downloaded or network utilization by agents from your server during scan?

Though security content download differs depending on the detection of vulnerabilities and configuration issues. An active agent may download an average of 4MB data (only when content requires update/if changed) on Windows machines. Our signatures release cycle is 2-3 times per week. We have devised mechanisms to optimize content download.

How system resources are utilized or how is the CPU performance during scan?

CPU averages at 20-30% in low mode scan. Whereas, in full throttle, scans are speedy and finish within minutes, CPU averages at 50-80% for a few seconds then goes back to 20-30%. Saner service priority is set to normal and operating systems handle it effectively. It will not interfere with your work.

What settings may be required to optimize network during remediation/patching?

Set up a local patch server or a WSUS server in your organization. Agents are designed to detect WSUS server settings and fetch patches from the same. In case, WSUS is not set up on your individual endpoints, you can use EDR section to set up Registry Response. For more details, follow the link, https://support.microsoft.com/en-in/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s

Third party products patches can also be served from a local HTTP/HTTPs/FTP server. Go to Manage> Create Settings > Remediate.

Select Third-party products patch server select Local, a new set of settings will open up to provide server URL. Contact info@secpod.com to get Remediation resource feed for a large setup.

Settings such as buffering patches with bandwidth usage restriction under Manage> Create Settings > Remediate also helps optimize remediation tasks.

How system resources are utilized or how is the CPU performance during remediation?

CPU average is very low during remediation. Patches are queued and taken up sequentially. A scan is performed after remediation job or rule is accomplished. Following graph shows remediation effect on operating system.

Can I configure a time period between which remediation should start and end?

Yes. While setting up remediation job or rule, you can provide remediation timeframe with start and end date-time. For example, in a typical organization, remediation can be set to end at 8:00 a.m in the morning when employees start their day at work. In case, if an automated remediation task is ongoing at 8:00, it will come to its logical end and any reboot and sequential tasks will be taken in the next time interval. However, short-term remediation tasks will end and result will be uploaded.

After configuring a time period between which remediation should start and end, can change it?

In case of remediation automation, we can change the timeframe which takes into effect in the next upcoming time. Short-term remediation tasks cannot be modified.

Can I install a customized patch for remediation or install other applications using Saner?

Yes. You could use Software Deployment in Response section of Endpoint Management. All applications and patches will be installed silently without interfering with users on the endpoints. It is advisable to test your installation and provide appropriate silent option if usual options such as /S is not used.

Can I install a non-security patch also with Saner?

Yes. You could use Software Deployment in Response section of Endpoint Management.

What should I do if a remediation patch is not available?

You could chose to block the application temporarily and unblock later. Go to EDR > Build your own Response > Application Block

How can I remediate commercial licensed products such as Adobe Acrobat or Oracle WebLogic Server?

You could use Software Deployment in Response section of Endpoint Management . Provide a vendor URL to download patch or upload the patch and provide silent option.

Can I find out since how long a vulnerability existed in an organization?

Yes. In VM dashboard, vulnerability patching graph provides insight on how long a vulnerability existed in an organization since its detection on our platform.

What are the next steps to vulnerability detection?

VM gives you a detailed information about existing loopholes making endpoints prone to malware attacks. Next steps would involve strategizing patching activity using PM and ensure endpoint-protection software are up-to-date using EM. Complementary to that, EDR will help realizing any ongoing attack to respond immediately and AM to check if such vulnerable software assets are in regular use or sparingly used.

How can I mitigate vulnerabilities effectively?

You can visualize vulnerability mitigation statistics to prioritze your patching activity. An insight on high fidelity attacks provide you information on tasks that require immediate attention because it is prone to malware attack. Statistics such as vulnerability based on severity scores also aid in determining next steps for vulnerability mitigation.

Can I find out since how long patch was available and not applied in an organization?

Yes. In PM dashboard, patch patching graph provides awareness on when a missing patch was released by vendor and not applied in the endpoints. Patching impact and Configuration Impact are powerful tools to visualize the affect of remediation.

Remediation and Software Patching is a long and tough activity. What if something goes wrong? Is rollback option available?

Our patches are tested by a dedicated team to ensure remediation is accurate and quick. Saner agent has also evolved as part of remediation to ensure speedy ways to achieve patching.

Under any circumstance, a Rollback feature is available for Windows, Linux and Mac operating system patches. Complaince roll back is also in place. Third-party products cannot be reverted but can be reinstalled with the previous version. Go to PM dashboard > click on PM in left panel > Rollback.

Please ensure that you have checked if rollback is possible for a patch before applying remediation because some vendor patches do not support rollback.

Can I know why a particular remediation failed?

Yes. In PM dashboard see ‘Reason for Failure’. You can also check individual remediation tasks status using ‘Job Status summary’ section on the dashboard. Click on expand to dig deep into status.

A patch is available and approved in my WSUS server but Saner remediation is failing. Why?

Each setup is different and some initiatives from your end can help speedy resolution of such issues. Consider checking (on one of the endpoints) if system is configured properly to your WSUS server. Click on Windows Update to see if patch appears in the system. If relevant patch appears in the system, then Saner should be able to fetch it. If not, either WUS is not configured properly or a pre-requisite patch may hinder remediation.

Please note: installing a patch may open up other patches in a software asset. Also, Windows Update software itself may require patching. Consider installing it before any other remediation task.

Please log your observations in the mail and contact info@secpod.com for resolving your case. We will be happy to help.

Can I identify software products which are out-of-life? What actions can be taken for out-of-life products.

Yes. Check AM dashboard > Outdated Applications. Consider installing upgrades using Software Deployment in Response section of Endpoint Management. You may also uninstall such applications using Application Management> uninstall option.

Does Saner provide tracking of software licenses?

Yes. In AM, you could track software licenses and cost incurred to an organization. You can also provide external feed to assess software licenses.

Can I blacklist or whitelist software applications?

Yes. In AM, import blacklisted or whitelisted applications feed (in CSV format) and go to dashboard to check violations if any. Currently, we do not automatically uninstall or block applications using this feed. This can be automated using EDR > Build your own Detection and Response to periodically run response script.

What possible response actions can be executed from Saner?

Response actions are widely categorized into Network, Process, Service, Software Deployment, System, Application and Devices, Security, File, Windows Registry, Tuneup, Startup Programs. Kindly check individual categories for more information. Each category in Response section has a set of actions.

Is it possible to automate reponses/actions on detection scripts?

Yes. In EM, it is possible to create actions based on a set of existing detection scripts.

Can we add more detection scripts in EM?

100+ detection scripts are already defined and ready to use. You could add more using EM > Tools section. In case of any issues or requirements, contact info@secpod.com and we will create it for you.

Can I know the system health of all my endpoints?

Yes. Go to EM > Detection > System Health. Click to get real time data. Visualize Disks space used reaching 90% and high CPU and RAM usage.

Can I command my endpoint to scan now or reboot now?

Yes. Go to Manage>Devices>Select device>Click on ‘Scan now’. For reboot, go to EDR/EM > Response> System and select reboot.

What are the common indicators of compromise/attack?

Endpoint protection software is disabled, applications with unknown publisher, firewall disabled, torrent-like downloads, new application in start up program, common operating system libraries having a different MD5sum, unknown processes running or multiple ports open, disk space running out, to name a few.

What are the existing Compliance benchmark supported by Saner?

SecPod Default Compliance, Vendor recommended (such as Microsoft) General Compliance, NIST-800-53, NIST 800-171, PCI, HIPPA, others such as ISO 27001, WMI, ports, process control, service control, device control, anti-virus compliance etc which can be designed as per user requirement.

Can I remove checks from an existing Compliance benchmark?

Yes, if it does not comply to your organization. Simply deselect the rule or category while creating/editing compliance.

Can I take remediation actions on customized Compliance checks?

Yes. Remediation scripts are automatically generated based on compliance created by users. Go to CM dashboard > Remediation actions to know more.

Why some of the compliance checks shows Not selected or Not checked status?

Some checks which are deselected by you will appear as ‘Not selected’ in the report. Compliance checks that require input from user are mostly ‘Not checked’ unless some data is provided by the user. If any issues, please contact info@secpod.com. Appropriate screenshots of reports/dashboard and agent audit logs will definitely help understand the case.

Can I apply rollback on customized Compliance benchmark?

Yes.

Can I see trending reports?

No. Currently you can back up reports using Reports from left panel that will be emailed automatically on scheduled intervals.

Can I export individual endpoint report?

Yes. Go to Manage > Devices > Click on hostname > Click on Export Device Report.

Can I be alerted on certain incidents on endpoints.

A variety of alerts can be issues to notify on any failed actions, incidents in endpoints, critical vulnerabilities issues, configuration issues, new detection on endpoints, etc. Click on Alerts from left panel to know more.

How long does a scan take?

A typical scan takes under 5 minutes in windows and 1-2 minutes in Linux and Mac Machines. Special mechanisms and algorithms on agents help achieve this.

My scan is prolonged. What can I do?

Contact info@secpod.com with endpoint’s audit log that can be received from Manage>Devices>Click on hostname> Click on Audit Logs. You can also change settings > Log to debug, scan and send spsaneragent.log from the endpoint system under SecPod Saner installation directory/log folder in Windows and /var/log/saner in unix based machines.

SanerNow Architecture

SanerNow’s platform-centric approach is designed on the same principles as that of an operating system. The core (‘kernel’) performs the analytical computations required to detect aberrations and deviations. The ‘shell’ provides the ability to query, monitor and make changes. The ‘user/application layer’ helps transform these computations to support various use cases.

SanerNow is built with these four primary concepts:

• Query the system to get visibility
• Monitor for changes and aberrations as they occur
• Analyze the system for risks and threats
• Respond to fix the issues

Key platform features include:

• Continuous monitoring: System controls
• Principle of Self-Healing: Detect and fix vulnerabilities, Identify unwanted/unused assets and uninstall them, Monitor the anti-virus program status, and start it if it is not running, Detect IoC/IoAs and respond to the threats.
• Speed: Deploy SanerNow in minutes, scan 1000s of endpoints in less than 5 minutes
• Scalability
• Multi-tenancy, multi-user and role-based access
• High-performance:Retrieve search results in less than a second
• Agents: Support for Windows, Linux and Mac OS X

SanerNow is a scalable analytics and correlation engine. It works with the SanerNow agent that resides on endpoint devices to collect and transmit data to the SanerNow server. SanerNow server correlates the data from agents on endpoint devices with compliance standards and best practices, and vulnerability and threat intelligence to provide real-time endpoint management and protection capabilities.

Platforms Supported

SanerNow Supported Operating Systems

• Microsoft Windows 7
• Microsoft Windows 8.1
• Microsoft Windows 10
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
• Microsoft Windows Server 2019
• Mac OS X 10.10
• Mac OS X 10.11
• Mac OS X 10.12
• Mac OS X 10.13
• Mac OS X 10.14
• Ubuntu 14.04
• Ubuntu 16.04
• Ubuntu 18.10
• Ubuntu 18.04
• Debian 7
• Debian 8
• Debian 9
• Amazon Linux
• Amazon Linux 2
• Redhat Enterprise Linux 5
• Redhat Enterprise Linux 6
• Redhat Enterprise Linux 7
• CentOS 5
• CentOS 6
• CentOS 7
• Oracle Linux 5
• Oracle Linux 6
• Oracle Linux 7
• Fedora 27
• Fedora 28
• Fedora 29
• Linux Mint 17
• Linux Mint 18
• Linux Mint 19
• Linux Mint Debian Edition 3 Cindy

SanerNow Feature Map

SanerNow addresses the following business cases:

• Vulnerability Management – Continuously assess risks, automated to a daily routine.
• Patch Management – Apply operating system and third-party application patches for Windows, Linux and Mac OS X.
• Compliance Management – Comply with regulatory standards benchmarks and achieve continuous compliance (PCI, HIPAA, NIST 800-53, NIST 800-171).
• Asset Management – Discover and manage assets.
• Endpoint Management – Manage endpoints and ensure their well-being.
• Endpoint Threat Detection and Response – Detect and Respond to Indicators of Attack (IoA) and Indicators of Compromise (IoC).

Security Content and Intelligence

The security intelligence hosted at our content repository feeding the SanerNow platform.

INDEX

1. SCAP Content Statistics
2. OVAL Definitions Platform Coverage
3. OVAL Definitions Class-wise Distribution
4. OVAL Definitions Family-wise Distribution
5. Application and OS Remediation Coverage
6. Compliance Benchmark Coverage
7. List of Vulnerability to Exploit/Malware Mapping covered in SanerNow
8. List of IoA (Indicators of Attack) covered in SanerNow

SCAP Content Statistics

OVAL Definitions Platform Coverage

OVAL Definitions Class-wise Distribution

OVAL Definitions Family-wise Distribution

Application and OS Remediation Coverage

Compliance Benchmark Coverage

List of Vulnerability to Exploit/Malware Mapping covered in SanerNow

List of IoA (Indicators of Attack) covered in SanerNow

Windows Probes

Access token

An access token used to check the properties of Windows access token as well as in idual privileges and rights associated with it.

Active directory

This is used to check information about specific entries in active directory.

Anti-virus information

This is used to collect information about an installed Antivirus applications.

ARP Cache

This is used to collect various information about address resolution protocol cache table.

Audit Event Policy

This is used to check different types of events the system should audit.

Audit Event Policy Subcategories

This is used to check the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, If Credential validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting.

Auto Logon Last Logon Last Reboot

This is used to collect auto login is enabled or not, last user logon time and last system restart time.

BIOS Information

This is used to collect various information about BIOS.

Bit Locker Information

This is used to collect bit-locker enabled device information.

Computer Information

This is used to collect various information about computer system.

`

Device information

This is used to collect information about plug and play devices.

DNS cache

DNS cache is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. The entries in the DNS cache can be collected using Microsoft’s DnsGetCacheDataTable() and DnsQuery() API calls.

Environment Variables

This is used to check an environment variable for the specified process, which is identified by its process ID, on the system .

Events

This is used to collect information about Security events, System events and Application events.

Family of Operating System

This is used to check the family a certain system belongs to. This test basically allows the high level system types (window, unix, ios, etc.) to be tested.

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

File Audit Permissions

This is used to check the audit permissions associated with Windows files. Note that the trustee’s audited permissions are the audit permissions that the SACL grants to the trustee or to any groups of which the trustee is a member. File path is mandatory for this query while submitting to agents.

File Effective Rights

This will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). File path is mandatory for this query while submitting to agents.

filehash58

This is used for a file hash of specific file(s). This only implies on regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. File path is mandatory for this query while submitting to agents.

Firewall

This is used to collect firewall status on private, public and domain profiles and inbound/outbound traffic information.

Group

This collects different users and subgroups that directly belong to specific groups (identified by name). When this collects the groups on the system, it only includes the local and built-in group accounts and not domain group accounts. However, it is important to note that domain group accounts can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If subgroups need to be resolved, it should be done using the SID query.

Group SID

This defines the specific group(s) identified by SID.

Installed Applications

This is used to collect information about installed application on the system.

Installed Patches

This is used to collect information about installed application on the system.

Network Interfaces

The interface test enumerate various attributes about the interfaces on a system.

Account Lockout Policy

The lockout policy test enumerates various attributes associated with lockout information for users and global groups in the security database.

Operating System Information

This is used to collect various information about installed operating system.

Password Policy

Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry and activedirectory are of no use. If this can be figured out, then the password policy is not needed.

Port/Network Connection

Information about open ports and network connections.

Printer Effective Rights

This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Process

Information about running processes.

Registry

The windows registry item specifies information that can be collected about a particular registry key. Hive, Key and Name are mandatory fields while submitting to agents.

Registry Key Audit Permissions

The windows registry item specifies information that can be collected about a particular registry key. Hive and Key are mandatory fields while submitting to agents.

Registry Key Effective Rights

This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api. Hive and Key are mandatory fields while submitting to agents.

Run command history

This is used to collect history of run command.

Scheduled Programs

This is used to collect various information about scheduled task.

Service Effective Rights

This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Services

This is used to collect different metadata associated with a windows service.

Shared Resources

This is used to collect different metadata associated with a windows service.

sharedresourceauditedpermissions

This is used to collect different metadata associated with a windows service.

Shared resource effective rights

This is used to collect different metadata associated with a windows service.

SID

This is used to check properties associated with any shared resource on the system.

SID SID

This is used to check properties associated with any shared resource on the system.

System Autorun

This is used to collect information about startup applications.

System DEP Policy

This is used to collect information about system Data Execution Prevention (DEP) status.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information.

System DNS Information

This is used to collect domain name and domain name system ip information.

System UAC Policy

This is used to collect information about system User Account Control (UAC) status.

Text File Content

This element looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.

User SID

This allows collection of different groups (identified by SID) that a user belongs to.

WMI

The wmi57 outlines information to be checked through Microsoft’s WMI interface. Namespace and Windows Query Language(WQL) are mandatory fields while submitting to agents.

WSUS SCCM Information

This is used to collect configuration details about Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).

WUA Update Searcher

This outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft’s WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. Search criteria is a mandatory field while submitting query to agents.

Volume

The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.

Wireless Information

This is used to collect various information about wireless connection (WLAN).

User

This is used to check information about Windows users. When this collects the users on the system, it only includes the local and built-in user accounts and not domain user accounts. However, it is important to note that domain user accounts can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A.

User SID

This is used to check information about Windows users. When this check collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A.

License

The entity is used to check the content of a particular entry in the Windows registry HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions key, ProductPolicy value. Access to this data is exposed by the functions NtQueryLicenseValue (and also, in version 6.0 and higher, ZwQueryLicenseValue) in NTDLL.DLL. Name is a mandatory field while submitting to agents.

NTUser

This element defines the different metadata associated with a ntuser.dat file. This includes the key, name, type, and value. Key and name are mandatory fields while submitting to agents.

System Metric

This is used to check the value of a particular Windows system metric. Access to this information is exposed by the GetSystemMetrics function in User32.dll.

User right

This entity is used to enumerate all of the trustees/SIDs that have been granted a specific user right/privilege.

Junction

This used to obtain canonical path information for junctions (reparse points) on Windows filesystems. Path is a mandatory filed while submitting to agents.

PE Header

This defines the different metadata associated with the header of a PE file. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures. File path is a mandatory field while submitting to agents.

User Access Control(UAC)

This element specifies the different settings that are available under User Access Control. A user access control test will reference a specific instance of this state that defines the exact settings that need to be evaluated.

XML File Content

This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.

Software Licenses

This is used to collect information of Software Licenses. It includes software name and license information.

Partition

This is used to check the information associated with partitions on the local system.

Missing Patches

This is used to investigate missing patches and security fixes in a computer system.

Linux Probes

ARP Cache

This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.

BIOS Information

This is used to collect various information about BIOS (basic input/output system). It includes bios name, version, manufacture, serial number, smbios version, and bios status.

Anti-virus information

This is used to collect information about an installed Antivirus applications.

Computer Information

This is used to collect various information about computer system. It includes CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial name etc.

Cron

This is used to collect various information about cron jobs. It includes user name, scheduled job and command.

Device information

This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.

DPKG Information

This is used to check information of a DPKG package.

Environment Variables

This is used to collect system environment variable information. It includes environment variable name, value and process id.

Hosts File(/etc/hosts)

This used to collect various information about hosts from /etc/hosts. It includes host IP address and host name.

Protocols File(/etc/protocols)

This is used to collect various information about protocol from /etc/protocols. It includes protocol name, protocol number and protocol aliases.

Services File(/etc/services)

This is used to collect various information about service from /etc/services. It includes service name, service port, service protocol and service aliases.

Family of Operating System

This is used to collect operating system family standard values being windows, unix or macos(Mac OS).

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Group

This is used to collect various information about the groups. It includes group name and group id.

Interface Listeners

This is used to check what applications such as packet sniffers that are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. Furthermore, only applications bound to an ethernet interface should be collected.

Inet-Listening Servers (Deprecated)

This is used to collect various information about listening ports. It includes protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.

Installed Applications

This is used to collect information about installed applications on the system. It includes application name, version, release, architecture, epoch value.

Network Interfaces

The interface test enumerate various attributes about the interfaces on a system.

IP forwarding status

This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.

IP tables rules

This is used to collect various information about IP table rules. It includes chain type, number packets matched to rule, packets size, action to be taken when rule matches (ACCEPT, DROP), pack flow direction, source ip address, destination ip address, rule desc etc.

Kernel Information

This is used to collect various information about loaded kernel. It includes kernel version, kernel image path, kernel on which device/volume and kernel arguments.

Kernel Modules

This is used to collect various information about modules loaded into the kernel. It includes kernel module name, kernel module depending on which module and module status.

Logged-in Users

This is used to collect various information about logged-in users. It includes user name, device tty, remote logged in host name, time when entry made, process id and record type.

Mount points

This is used to collect various information about mounted partitions. It includes disk filesystem name, file system type, disk size, disk space used, available disk space, disk use in terms of percentage and disk mounted path.

Partitions

This is used to check the information associated with partitions on the local system.

Password/User Information

This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.

Port/Network Connection

Information about open ports and network connections.

Process

Information about running processes.

RPC Map Information

This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.

RPC Network Connections

This is used to collect various information about RPC connection using rpcinfo. It includes remote procedure call(RPC) program name, program id, program version, transport protocol used, ip address and program owner.

RPM Information

This is used to check the RPM header information for a given RPM package.

RPM file verify

This is used to verify the integrity of the in idual files in installed RPMs. File path is mandatory for this query while submitting to agents.

RPM verify package

This is used to verify the integrity of installed RPMs.

Run level

This is used to check information about which run-level specified services are scheduled to exist at. For more information see the output generated by a chkconfig –list.

SE Linux Boolean

This is used to check the current and pending status of a SELinux boolean.

Services

This is used to collect information about services. It includes service name and status.

Shadow file(/etc/shadow)

This is used to check information from the /etc/shadow file for a specific user. This file contains user’s password, password ageing and lockout information.

Shell History

This is used to collect various information about shell history. It includes user name, used-id, history file path and command from history file.

Sudo Users

This is used to collect sudo users. It includes user name which has sudo access.

System Control

This is used to check the values associated with the kernel parameters that are used by the local system.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes DHCP enabled, DHCP server ip address, netmask, gateway ip address, interface type, lease time, lease renew/rebind time and interface description.

System DNS Information

This is used to collect domain name and domain name system ip information. It includes domain name and dns server ip address

System Executable shield status

Executable shield status gives information if data memory is executable/non-executable or/and program memory is writable/non-writable.

System Route Information

This is used to collect system route information. It includes destination, ip address, gateway, netmask, flags, metric and interface name.

System ASLR Status

This is used to collect address space layout randomization(ASLR) status. This technique give some protection against buffer overflow attacks by randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

Text File Content

This looks at the content of a text file (aka a configuration file) by looking at in idual lines. File path, pattern and instance are mandatory for this query while submitting to agents.

Unix name(uname)

This is used to collect various information about operating system. It includes hardware id, operating system name, version, release, processor type, time zone and locale.

Wireless Information

This is used to collect various information about wireless connection. It includes wireless name, state, mac address, SSID, interface description, network is infrastructure or ad hoc, frequency, receiving rate, transmission rate, signal quality and security enabled or disabled.

System unit dependency

This element is used to check the dependencies of the specific units.

Systemd unit property

This element is used to retrieve information about systemd units in form of properties. For more information see the output generated by systemctl show $unit.

App armor status

This is used to check properties representing the counts of profiles and processes as per the results of the “apparmor_status” or “aa-status” command.

Symlink

This is used to obtain canonical path information for symbolic links. File path is a mandatory field while submitting to agents.

Routing table

This is used to check information about the IPv4 and IPv6 routing table entries found in a system’s primary routing table. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the ‘-n’ option with route(8) or netstat(8). Destination is a mandatory field while submitting to agents.

File extended attribute

This is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. This will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). File path and attribute name are mandatory fields while submitting to agents.

GConf

This is used to check the attributes and value(s) associated with GConf preference keys. This can be used to define the preference keys to collect and the sources from which to collect the preference keys. Key and source are mandatory fields while submitting to agents

Virtual Memory Statistics (vmstat)

Virtual Memory Statistics (vmstat) reports information about processes, memory, paging, block IO, traps, and cpu activity.

System time

This is used to track the current date and time in the system.

SUID bin binary

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.

SUID bin file

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.

Grand Unified Bootloader (grub)

GRUB(Grand Unified Boot loader) is the default boot loader for many Linux distributions. Boot loader plays a major role in bring up the system into running state. Infact boot loader is the first program that runs when a computer is switched on. This helps in transferring control to an operating system kernel.

Boot priority policy

This defines the operating system boot priority policy. The Linux boot loader though (called Grub), usually defaults to booting Linux.

SUID bin binary

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin, /tmp in the target system that are setuid enabled.

XML File Content

This element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated will be identified with a complete File path. File path and XPath are mandatory fields while submitting to agents.

Missing Patches

This is used to investigate missing patches and security fixes in a computer system.

Mac Probes

Account Information

This is used to collect all users’ information. It includes user name, user ID, group ID, real name, home directory and login shell information.

ARP Cache

This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.

Authorization Database

This is used to check the properties of the plist-style XML output from the security authorizationdb read right-name command, for reading information about rights authorizations on MacOSX. Right name and XPath are mandatory to query the database.

Anti-virus information

This is used to collect information about an installed Antivirus applications.

BIOS Information

This is used to collect various information about BIOS (basic input/output system). It includes bios name, version, manufacture, serial number, smbios version, and bios status.

Computer Information

This is used to collect various information about computer system. It includes CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial name etc.

Core Storage

This is used to check the properties of the plist-style XML output from the “diskutil cs list -plist” command, for reading information about the CoreStorage setup on MacOSX. UUID and XPath are mandatory to query the database.

Cron

This is used to collect various information about cron jobs. It includes user name, scheduled job and command.

Device information

This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.

Disk Utility

This is used to collect various information to verify disks on a Mac OS system. File path and Device are mandatory for this query.

Gatekeeper

This is used to collect information to check the status of Gatekeeper and any unsigned applications that have been granted execute permission.

Hosts File(/etc/hosts)

This used to collect various information about hosts from /etc/hosts. It includes host IP address and host name.

Operating System Information

This is used to collect various information about installed operating system.

Protocols File(/etc/protocols)

This is used to collect various information about protocol from /etc/protocols. It includes protocol name, protocol number and protocol aliases.

Services File(/etc/services)

This is used to collect various information about service from /etc/services. It includes service name, service port, service protocol and service aliases.

Family of Operating System

This is used to collect operating system family standard values being windows, unix or macos(Mac OS).

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Group

This is used to collect various information about the groups. It includes group name and group id.

Inet-Listening Servers

This is used to collect various information about listening ports. It includes protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.

Installed Applications

This is used to collect information about installed applications on the system. It includes application name, version, architecture, path, developer and last used.

launchd (unified service-management)

This is used to collect information and status of daemons/agents, applications, processes and scripts running in a system.

Network Interfaces

The interface test enumerate various attributes about the interfaces on a system.

IP forwarding status

This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.

Packet filter control(pfctl)

This is used to collect various information about packet filter control. It includes action, direction, interface, protocol source, destination, flags and state information.

Kernel Information

This is used to collect various information about loaded kernel. It includes kernel version, kernel image path, kernel on which device/volume and kernel arguments.

Key chain

This is used to collect various information to check the properties of the plist-style XML output from the ‘security show-keychain-info keychain’ command. File path is mandatory for this query.

Logged-in Users

This is used to collect various information about logged-in users. It includes user name, device tty, remote logged in host name, time when entry made, process id and record type.

Mount points

This is used to collect various information about mounted partitions. It includes disk filesystem name, file system type, disk size, disk space used, available disk space, disk use in terms of percentage and disk mounted path.

Non-volatile random-access memory (NVRAM)

This is used to collect information about Non-volatile random-access memory (NVRAM). It pulls data from the ‘nvram -p’ output. It includes variable and value associated with it.

Partitions

The partition_test is used to check the information associated with partitions on the local system.

Password/User Information

This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.

Property List(plist)

Information associated with property list preference keys. File path, App ID and Key entities are mandatory for this query.

Port/Network Connection

Information about open ports and network connections.

Process

Information about running processes.

Resource Limit

This is used to collect information to check system resource limits for launchd.

RPC Map Information

This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.

RPC Network Connections

This is used to collect various information about RPC connection using rpcinfo. It includes remote procedure call(RPC) program name, program id, program version, transport protocol used, ip address and program owner.

Services

This is used to collect information about services. It includes service name and status.

Shell History

This is used to collect various information about shell history. It includes user name, used-id, history file path and command from history file.

Software Updates

This is used to used to access automatic software update information.

Sudo Users

This is used to collect sudo users. It includes user name which has sudo access.

System Control

This is used to check the values associated with the kernel parameters that are used by the local system.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes DHCP enabled, DHCP server ip address, netmask, gateway ip address, interface type, lease time and lease renew/rebind time.

System DNS Information

This is used to collect domain name and domain name system ip information. It includes domain name and dns server ip address

System Profiler

This is used to check the properties of the plist-style XML output from the system_profiler -xml datatype command, for reading information about system inventory data on MacOSX. Data type and XPath are mandatory to query the database.

System Route Information

This is used to collect system route information. It includes destination, ip address, gateway, netmask, flags, metric, MTU, type and interface name.