Reputation Checking

Privilege Manager analyzes applications in real time. This unique feature allows for reputation analysis of any unknown application, which mitigates endpoint attacks from ransomware, zero-day attacks, drive-by downloads, and other unknown malicious software.

The monitoring approach used here is that every application meeting a general condition (for example, executed from a specific directory or set of directories) is sent to VirusTotal for a reputation check. In this use case we perform real-time reputation analysis of unknown applications using VirusTotal.

Privilege Manager supports the following scan engines for use in reputation checking: Symantec, McAfee, TrendMicro, Sophos, and Kaspersky.

First, you will need to integrate Privilege Manager and VirusTotal by following the Integration steps listed in the Setting Up VirusTotal for Reputation Checking topic. That section walks you through how to do the following:

  1. Configure VirusTotal Ratings Provider
  2. Install VirusTotal in Privilege Manager
  3. Create a Security Rating Filter for VirusTotal

For information and setup steps to configure reputation checking using Cylance, see the Cylance Integration topic.

Creating Security Rating Filter

Next you have to create a Security Rating Filter for VirusTotal. Follow these steps:

  1. Navigate to Admin | Filters, then click Create Filter.

  2. Select a platform, then Security Rating Filter as a Filter Type. Name the policy and add a description.

  3. From the Security Rating System drop-down, select Virus Total Rating System.

    Creating the Security Rating Filter

  4. Click Create.

  5. Under Settings, change the Rating Level drop-down to specify Bad.

    Setting the Rating Level to Bad

    The rating level trigger should match what you want to accomplish with the policy that will use this filter. A rating level of Bad should be used for Deny policies, and Clean for applications or files that are part of the safe list. A rating level of Suspect can be used in justification and/or learning/discovery policies.

  6. Click Save Changes.

Creating User's Downloads Location, Temp Dir, and Collection Filters

  1. Navigate to Admin | Filters and search for Temp Directory File Specification Filter.


  2. Select the filter User's Temp Directory File Specifications Filter, click Duplicate.

  3. Name the new filter User's Download Directory File Specification Filter, provide a description and click Create.

  4. Change the regular expression in the Path field to the following: (c:\\users\\[^\\]+\\downloads).


  5. Click Save Changes.

  6. Finally, combine the two filters into a single filter that targets both directories.

    1. Click More | Duplicate.

    2. Enter the name for the new filter User's Directory Collection File Specification Filter, click Create.

    3. Clear the data in the Path field.

    4. Under Additional Filters, click Add File filters.

    5. Search for User's Download and add the User's Downloads Directory File Specification Filter.

    6. Search for User's Temp Directory and add User's Temp Directory File Specification Filter (this is a default filter).

    7. Click Update.


    8. Click Save Changes.

Creating a Policy

Next you have to create a Policy and add the filters for VirusTotal:

  1. Using the Policy Wizard, create a controlling policy that allows application execution on endpoints.

  2. Select Existing Filter.

  3. Search for and add the previously created VirusTotal Security Rating Filter.

  4. Click Update.

  5. Name the policy Allow Applications – VirusTotal Rating, and add a description Deny applications flagged by VirusTotal as bad, click Create Policy.

  6. Click Add Inclusions, search for and add the User's Directory Collection File Specification Filter.

  7. Click Update.


  8. Click Save Changes.

  9. Set the Inactive switch to Active.

This policy sends any application run from the user's Downloads or Temp directory to VirusTotal for a reputation check in real time. If VirusTotal rates the application as Bad, the application is denied.
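Added example (not part of the product documentation): a small Python model of what the finished policy does, using the Downloads path expression from step 4 above, an assumed stand-in for the default Temp directory pattern (which the page does not show), and a constructed hash-keyed rating table in place of the VirusTotal lookup. It also shows why the lowercase expression needs case-insensitive matching on Windows paths.

```python
import hashlib
import re
# Expression from step 4 of the Downloads filter above.
DOWNLOADS_RE = r"(c:\\users\\[^\\]+\\downloads)"
# ASSUMPTION: stand-in for the default User's Temp Directory filter pattern.
TEMP_RE = r"(c:\\users\\[^\\]+\\appdata\\local\\temp)"
# The collection filter targets both directories. Windows paths are
# case-insensitive, so match that way or "C:\Users\..." slips past.
COLLECTION_FILTER = re.compile(f"{DOWNLOADS_RE}|{TEMP_RE}", re.IGNORECASE)

# Rating level -> action, per the filter guidance: Bad for deny, Suspect
# for justification/learning, Clean for the safe list.
RATING_ACTION = {"Bad": "deny", "Suspect": "justify", "Clean": "allow"}

# Constructed sample files (path -> contents) and a constructed rating
# table keyed by SHA-256, the way a reputation service identifies a file.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\setup.exe": b"MZ...constructed bad sample",
    r"C:\Users\alice\AppData\Local\Temp\helper.exe": b"MZ...constructed suspect",
    r"C:\Users\alice\Downloads\notes.exe": b"MZ...never seen by VirusTotal",
    r"C:\Program Files\Vendor\app.exe": b"MZ...installed outside the scope",
}
SAMPLE_RATINGS = {
    hashlib.sha256(b"MZ...constructed bad sample").hexdigest(): "Bad",
    hashlib.sha256(b"MZ...constructed suspect").hexdigest(): "Suspect",
    # Rated Bad too, but the inclusion filter never sends it for a check.
    hashlib.sha256(b"MZ...installed outside the scope").hexdigest(): "Bad",
}

def in_scope(path: str) -> bool:
    """True when the path is under the user's Downloads or Temp directory."""
    return COLLECTION_FILTER.search(path) is not None

def evaluate(path: str, contents: bytes, ratings: dict) -> str:
    """Policy decision for one execution; `ratings` replaces the VirusTotal call."""
    if not in_scope(path):
        return "allow (out of scope)"
    rating = ratings.get(hashlib.sha256(contents).hexdigest())
    if rating is None:
        # ASSUMPTION: no verdict means the Bad filter cannot match, so the file runs.
        return "allow (unrated)"
    return RATING_ACTION.get(rating, "allow")

def run_samples() -> dict:
    """Evaluate every constructed sample; returns path -> decision."""
    return {p: evaluate(p, data, SAMPLE_RATINGS) for p, data in SAMPLE_FILES.items()}

if __name__ == "__main__":
    for path, decision in run_samples().items():
        print(f"{decision:22} {path}")
```

Note that the installed application outside Downloads and Temp is rated Bad in the sample table yet still runs, because the inclusion filter decides what gets checked at all.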

Viewing a File Security Ratings Report

To view a File Security Ratings report, search for File Security Rating Details Report. To see details of the applications in the report, click on the file name in the File column.