
HDF ADMINISTRATOR ONLY

ABATIS

Hard Disk Firewall (HDF)


User Guide
Advanced Edition
For Microsoft Windows Servers (32 and 64 bits)

Doc Version: 2.4.8 January 2014

Abatis HDF ADMINISTRATOR ONLY



Document History

Version  Date        Author  QA  Remark
1.0      16/01/2008  WR      SL  First release
2.0      25/11/2010  WR      SL  64-bits release
2.1      27/12/2010  WR      SL  Add runtime and policy rules
2.2      12/01/2011  WR      SL  Add email alert notification; auto log archive
2.3      10/10/2011  WR      KD  WSUS support via policy
2.4      06/09/2012  WR      KD  Enhanced Policy support
2.4.6    02/10/2012  WR      KD  Format amendments, typos, etc.
2.4.7    22/11/2012  WR      KD  Add new Policy audit function
2.4.8    20/01/2014  WR      KD  Update install instruction
2.4.9    24/01/2014  WR      KD  Update HDF Policy features



Hard Disk Firewall HDF ADMINISTRATOR ONLY
(HDF) User Guide
Advanced Edition

Table of Contents
1 Introduction  8
2 Installation, Uninstall and Licence key  10
2.1 Install  10
2.1.1 Step 1: Disable User Access Control  10
2.1.2 Step 2: Install HDF application  12
2.1.3 Step 3: Follow installation wizard prompts  13
2.1.4 Step 4: Import licence key to Registry and reboot  13
2.1.5 Step 5: Resetting UAC control (If desired)  14
2.2 Uninstall - Please read before uninstallation  14
3 Using HDF  16
3.1 GUI Menu Options tray icon application  17
3.1.1 Software Install/Update  17
3.1.2 Start Protection  18
3.1.3 Settings  19
3.1.4 About  21
3.1.5 View Log File  21
3.1.6 Exit HDFMonitor  21
4 Features  22
4.1 Overview  22
4.2 Technical Features  23
4.3 Security Features  23
4.4 Deployment Platform & Environment  23
4.5 What HDF Is Not  23
5 Using HDF Advanced Edition  24
5.1 Overview  24
5.2 Operating Mode  24
5.3 Automated Approval for Authorized Write I/O  24
5.4 Runtime Write Control Rules  25
5.5 Syntax  26
5.6 Policy Rules  27
5.7 HDF Policy - How it works  28
5.8 Policy rules format - Policy.HDF  28
5.9 How to Define HDF Policy Rules  30
5.10 Automated WSUS support  31
5.11 Deploy HDF Policy Module in Corporate Environment  32
5.12 [Policy Definition]  32
5.13 [Policy Testing]  32
5.14 [Pre-Deployment QA]  33
5.15 [Production and Monitoring]  33
5.16 Access Control Decision Flow  34
5.17 Command Line Tool  34
5.18 Use of tool  35
5.19 Example use for software patching and system updates  35
6 Audit Logging  37
6.1 How HDF Performs Audit Logging  37
6.1.1 HDF Main Audit Log  37
6.1.2 HDF Policy Audit Log  37
6.2 Log file format  37
6.3 Log samples  38

2005-2012 Abatis HDF ADMINISTRATOR EYES ONLY Page 3/ 49



6.4 HDF Policy Audit Log  39
6.5 Additional audit log requirement  40
6.6 Automated Log Archive  40
6.7 Log archive settings  41
7 Email Alert Notification Services  43
7.1 Email Alert Configuration File  43
7.2 Email alert notification recipient list  43
7.3 Email source identifiers  43
7.4 Email Subject line text  43
7.5 I/O result to monitor and notify recipients  43
7.6 Email alert coverage time period  44
7.7 Occurrence frequency of I/O events for each email alert  44
7.8 Enable Email Alert Notification Services  44
7.9 Activate and Update Email Alert Options  44
7.10 Email Alert Notification Message Format  45
8 Configuration and Registry Settings  46
8.1 HDF kernel driver Registry Settings  46
8.2 HDFGate Registry Settings  46
8.3 HDFRemote Registry Settings  47
9 Troubleshooting  48
Annex A. List of Application Files  49
Table of HDF application files  49


The license agreement


END-USER LICENSE AGREEMENT FORM

END-USER LICENSE AGREEMENT FOR HARD DISK FIREWALL (HDF) SOFTWARE

IMPORTANT - READ CAREFULLY BEFORE OPENING, INSTALLING, USING, ACCESSING, OR MANIPULATING THE SOFTWARE:

This End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) ("you", "your", or "Licensee") and Abatis (UK) Ltd. ("Licensor") for the software product identified above, which includes computer software and may include associated media, printed materials, and "online" or electronic documentation ("SOFTWARE PRODUCT" or "SOFTWARE"). By installing, copying, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, you may not use the SOFTWARE PRODUCT.

SOFTWARE PRODUCT LICENSE

The SOFTWARE PRODUCT is protected by UK copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.

1. GRANT OF LICENSE.

You are permitted to install and use the SOFTWARE in machine-readable form only and solely on a single computer provided by you, solely for the purposes described in the applicable Licensor documentation. Any components of the SOFTWARE explicitly designed to reside and operate from a server may be installed on a single server solely on your premises, and any client component is to be installed on as many clients as user licenses purchased and described in the applicable Licensor documentation.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

You may not reverse engineer, decompile, translate, disassemble, or otherwise attempt to derive source code from the SOFTWARE PRODUCT, or authorize any third party to do any of the foregoing except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. The SOFTWARE PRODUCT is licensed as a single product. Its component parts may not be separated for use on more than one computer. You may not rent, lease, loan, or distribute the SOFTWARE PRODUCT or any part thereof.

Software Transfer. You may not transfer your license of the Software to a third party.

Termination. Without prejudice to any other rights, Licensor may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.

3. COPYRIGHT.

All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text, and "applets" incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT are owned by Licensor or its suppliers. The SOFTWARE PRODUCT is protected by copyright laws and international treaty provisions. Therefore, you must treat

the SOFTWARE PRODUCT like any other copyrighted material. You may not copy the printed materials accompanying the SOFTWARE PRODUCT.

Licensee agrees that some of the implementation methods used in the SOFTWARE PRODUCT are the intellectual property of Licensor.

4. DISCLAIMER OF WARRANTIES.

ANY USE OF THE SOFTWARE IS AT YOUR OWN RISK. THE SOFTWARE IS PROVIDED "AS IS," "WITH ALL FAULTS," WITHOUT WARRANTY OF ANY KIND. LICENSOR, ITS SUPPLIERS AND DISTRIBUTOR DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, TITLE, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. SOME JURISDICTIONS DO NOT ALLOW THE DISCLAIMER OF IMPLIED WARRANTIES, SO THE DISCLAIMER OF IMPLIED WARRANTIES ABOVE MAY NOT APPLY TO LICENSEE, IN WHICH CASE THE DURATION OF ANY SUCH IMPLIED WARRANTIES IS LIMITED TO sixty (60) DAYS FROM THE DATE LICENSEE FIRST INSTALLED THE SOFTWARE ON LICENSEE'S COMPUTER; PROVIDED, HOWEVER, THAT LICENSEE'S SOLE AND EXCLUSIVE REMEDY, AND LICENSOR'S SOLE OBLIGATION SHALL IN ANY CASE BE THAT LICENSOR WILL, AT ITS OPTION, REPAIR OR REPLACE LICENSEE'S COPY OF THE SOFTWARE, OR TERMINATE THIS LICENSE AGREEMENT AND REFUND AMOUNTS ALREADY PAID THEREFOR BY LICENSEE.

Some States, Provinces, or other jurisdictions do not allow for exclusions of implied warranties or limitations on how long an implied warranty lasts, so the above exclusion or limitation may not apply to Licensee. Licensee may have other rights which vary from state to state, Province to Province, or in other jurisdictions.

Licensor does not warrant that the functions contained in the Software will meet your requirements or that the operation of the Software will be uninterrupted or error-free. Any representation, other than the warranties set forth in this Agreement, will not bind the Licensor. You assume full responsibility for the selection of the Software to achieve your intended results, and for the buying or downloading, use and results obtained from the Software. Licensee also assumes the entire risk as it applies to the quality and performance of the Software.

5. LIMITATION OF LIABILITY.

REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, TO THE EXTENT PERMITTED BY THE LAW OF THE JURISDICTION IN WHICH LICENSEE OBTAINED THIS LICENSE, LICENSOR, ITS SUPPLIERS AND DISTRIBUTORS WILL NOT BE LIABLE FOR ANY INDIRECT, EXEMPLARY, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES OF ANY CHARACTER, INCLUDING BUT NOT LIMITED TO DAMAGES FOR COMPUTER MALFUNCTION, LOSS OF INFORMATION, LOST PROFITS AND BUSINESS INTERRUPTION, AND THE COST TO OBTAIN SUBSTITUTE SOFTWARE, ARISING IN ANY WAY OUT OF THIS AGREEMENT OR THE USE OF (OR INABILITY TO USE) THE SOFTWARE HOWEVER CAUSED AND WHETHER ARISING UNDER A THEORY OF CONTRACT, TORT OR ANY OTHER LEGAL THEORY, EVEN IF LICENSOR, ITS SUPPLIERS OR DISTRIBUTOR WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL LICENSOR'S, ITS SUPPLIERS' OR DISTRIBUTOR'S TOTAL LIABILITY TO LICENSEE RELATING TO THIS AGREEMENT OR THE USE (OR INABILITY TO USE) THE SOFTWARE EXCEED THE AMOUNT PAID BY LICENSEE TO LICENSOR OR LICENSOR'S DISTRIBUTOR FOR THIS LICENSE. SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO LICENSEE. LICENSOR, ITS SUPPLIERS AND DISTRIBUTORS SHALL NOT BE LIABLE FOR ANY CLAIMS OF THIRD PARTIES RELATING TO THE SOFTWARE. LICENSOR, ITS SUPPLIERS AND DISTRIBUTORS WOULD NOT PROVIDE


THE SOFTWARE TO LICENSEE IF LICENSEE DID NOT AGREE TO THE "DISCLAIMER OF WARRANTIES" AND "LIMITATION OF LIABILITY" PROVISIONS IN THIS AGREEMENT.

(c) Abatis (UK) Ltd. All rights reserved.

Protected by copyright and licenses restricting use, copying, distribution and decompilation. Abatis (UK) Ltd., Abatis and HDF are trademarks of Abatis in UK, Switzerland and other countries.

For questions concerning this Agreement, please contact Abatis (UK) Ltd. at:

info@abatis-hdf.com

6. Contacting Abatis

For the latest versions of our programs, please check our web site at www.abatis-hdf.com

Questions can be e-mailed to us at support@abatis-hdf.com. We always try to answer all emails as quickly as possible.

You can also contact us by post using the contact address at our home page:

http://www.abatis-hdf.com/about_us.html

Telephone support and further security consultancy advice is available.


1 Introduction
This document is an introductory guide to the Advanced Edition of Hard Disk Firewall (HDF) from Abatis (UK) Ltd. (Abatis). This guide will assist you with the installation of HDF, the major features of the technology and the procedure for de-installation should this be required. This guide is one of a series of guides for the family of Abatis products, which include the HDF Standard Edition, HDF Advanced Edition (this guide), HDF for Linux Advanced Edition and the Central Management Console (CMC).

HDF Advanced Edition is specifically designed to protect the system integrity of server computers running Microsoft Windows Server Operating Systems, from Windows NT 4, Windows Server 2000 and later (32 bits and 64 bits). It is also compatible with other consumer Microsoft Windows Operating Systems such as XP, Vista and Windows 7.

HDF is suitable for deployment on Windows servers performing a variety of server roles to safeguard against internal and external malicious intrusion and hacking attacks. It is particularly effective at protecting Internet facing servers, e.g. web servers, from security compromises such as website defacement, website hijacking by cyber criminals to host malicious contents, Botnet Command & Control (C&C) and other illegal purposes.

The HDF concept is simple: it can be described as a file I/O access security gate. Once the gate is closed, all unwanted write accesses to 'protected files' [1] are denied by default. Only authorized staff and the system owner can open the security gate, with authenticated access to the gate key. In the event of a successful intrusion attack, an attacker/hacker is blocked from uploading/modifying system and application files, and the hacking attempts are effectively foiled. HDF's unique and effective protection ensures system integrity is maintained without complex security policies and administrative overheads.

The system owner determines the application-specific files that require protection and HDF enforces robust integrity protection on these files (protected files). The safeguard protection is effective irrespective of the account privileges of the access requests. This means administrative staff can perform their duties but cannot change the protected files unless this has been allowed explicitly by the system owner/controller. Furthermore, administrative staff cannot install any executable which may contain malicious code without an authorised person opening the HDF gate. This simple approach ensures the security controls cannot be bypassed, with proven successful results of defeating real hacking attacks on business critical computers.

[1] 'Protected file' refers to all Windows executables (PE files) and user defined files for protection - full file names and file extensions are supported.


HDF starts blocking as soon as it is installed. This means HDF prevents any executable files and 'protected files' being written to the computer. All existing applications on the computer operate as normal without restriction.

HDF is a security tool that needs no daily maintenance, has no noticeable performance impact and is secure against most intrusion attacks. It empowers a system owner to enforce robust access control to any files on the system using a transparent and simple to manage approach. This makes regulatory compliance much easier as it is easy to demonstrate system integrity processes.

The main features include:

- Proactive prevention of malware infection, with no signature updates
- Protection against hackers' attempts to deface an organisation's website or install hacker tools to steal data and gain unauthorized backdoor access
- Prevents cyber criminals hijacking the company server for distributing malicious contents such as viruses and worms
- Prevents hackers taking over a web server as a Botnet Command and Control (C&C) and as a proxy computer for malicious purposes
- Prevents any unauthorized modification of system configuration files and helps maintain system integrity
- Transparent in operation: all existing applications execute as normal without white lists or further maintenance tasks
- Minimum performance impact
- Built-in audit logging
- Built-in near-real time alert function and rule-based response

All this in a file size of less than 100 Kbytes.


2 Installation, Uninstall and Licence key

2.1 Install
The installer package requires the user to have full administrator account privilege to install software. On Vista, Windows 7 and Windows Server 2008 and later platforms, it is necessary to disable User Account Control (UAC) before starting the installation process.
Installation is activated by running the installer MSI package either through the Windows file explorer or from a command line. Before the first reboot, it is necessary to import the supplied licence key with a licence file selection dialog box. Licence key information can also be supplied in a format suitable for direct import by centralized system management and software distribution tools. Please contact Abatis for further details.
Installing Hard Disk Firewall (HDF) Advanced version is a simple 3 step process which takes only a few minutes:
1. Run the installer;
2. Import the licence file, and
3. Restart the computer.
The installation wizard copies the application files to a user-selected folder (default: C:\Program Files\Abatis\HDF on 32 bits platform and C:\Program Files (x86)\Abatis\HDF on 64 bits platform) on a Windows Server computer, sets up default configurations (for an IIS web server as an example, see below) and finally reboots to load and run HDF. The only user action is to copy the provided licence key file to the computer and import it into the system.
The HDF engine is less than 100 Kbytes and has moderate system requirements, but it is recommended to have 2 Mbytes of free disk available for logging, etc. It supports Microsoft Windows Server operating systems from Microsoft Windows NT 4, Server 2000 and newer (32-bits and 64-bits systems). There is no specific requirement for patch level.
Step-by-step install procedures are given below.

2.1.1 Step 1: Disable User Access Control

A full administrator access token is required to perform the installation tasks.

This step applies to the following operating systems:

Windows Vista, Windows 7, Windows Server 2008, Windows Server 2010, Windows Server 2012 (various versions) and later operating systems.

UAC must be set to disabled; this can be performed via the Start Menu:

Click Start and type 'UAC' in the Search Box


Select the above setting for UAC and reboot the server; you must reboot before installing HDF.

Alternatively, if the logon user is a member of the local administrators group but not the built-in "Administrator" user, it is recommended to call up a command shell, e.g. 'cmd.exe', with the "Run as administrator" option and to execute the installer msi file on the command line from that command shell.


2.1.2 Step 2: Install HDF application

Execute the HDF installer MSI file; the installation wizard will guide the installation process.


2.1.3 Step 3: Follow installation wizard prompts

Follow the installation wizard prompts to select the HDF application folder.

Confirm the install folder location.

2.1.4 Step 4: Import licence key to Registry and reboot (only necessary if the licence key is not bundled in the package)

Navigate to the location of the licence key to import as directed by the installer. We recommend copying the HDF licence file to the Desktop before running the installer.


The installation takes a few minutes, and prompts for a reboot to complete the installation.

We suggest importing the supplied licence file at this time, before the final step of rebooting the system (if this has not been done in the previous step). HDF will not work without a valid licence key.

A reboot is necessary to load and run the HDF kernel module.

Note: If the licence has not been imported to the system after the first reboot, HDF's kernel module will not activate. In such a case, make sure the licence is imported by running the tool <HDFsetup.exe> in the HDF application folder. A reboot is necessary.

2.1.5 Step 5: Resetting UAC control (If desired).

UAC can be reset back to the original settings; however a reboot will be required.
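The five steps above can be driven from an elevated PowerShell session. The script below is an added example and is not part of the Abatis documentation or product: it verifies the full administrator token and the UAC state that Step 1 requires, stages the licence file on the Desktop as Step 4 recommends, runs the MSI with a verbose log so a failed install leaves evidence, and reminds the operator to reboot and then restore UAC (Step 5). The MSI and licence file paths are placeholders, and the `EnableLUA` registry value is the standard Windows UAC switch, not an HDF setting. The licence import itself is still performed through the installer dialog or HDFsetup.exe as described above, since the guide does not document the registry key the licence is written to.

```powershell
# Added example (not Abatis code): drive the HDF Advanced Edition install steps.
# Placeholders: adjust $MsiPath and $LicencePath for your environment.
param(
    [string]$MsiPath     = 'C:\Install\HDF-Advanced.msi',   # placeholder
    [string]$LicencePath = 'C:\Install\hdf-licence.key'     # placeholder
)

$ErrorActionPreference = 'Stop'

# Step 1 precondition: the installer needs a full administrator access token.
function Test-FullAdminToken {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Step 1: Windows stores the UAC state in EnableLUA (1 = on, 0 = off). The guide
# requires it to be off, and a reboot to have happened, before the MSI is run.
function Get-UacEnabled {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item  = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $true }          # value absent: treat UAC as on
    return ($item.EnableLUA -ne 0)
}

if (-not (Test-FullAdminToken)) {
    throw 'Start the shell with "Run as administrator" (guide section 2.1.1) and retry.'
}
if (Get-UacEnabled) {
    throw 'UAC is still enabled. Disable it and reboot before installing HDF (Step 1).'
}

# Step 4 recommendation: have the licence file on the Desktop before the installer
# asks for it. HDF will not run without a valid licence.
if (-not (Test-Path $LicencePath)) { throw "Licence file not found: $LicencePath" }
$desktop     = [Environment]::GetFolderPath('Desktop')
$desktopCopy = Join-Path $desktop (Split-Path $LicencePath -Leaf)
Copy-Item -Path $LicencePath -Destination $desktopCopy -Force
Write-Host "Licence file staged at $desktopCopy"

# Step 2: run the MSI with its normal wizard UI plus a verbose log (/l*v).
$log  = Join-Path $env:TEMP 'hdf-install.log'
$args = @('/i', "`"$MsiPath`"", '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
# 0 = success, 3010 = success but reboot required (standard msiexec codes).
if (@(0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}

# Steps 4 and 5: the reboot loads HDF.sys; if the licence was not imported, run
# HDFsetup.exe from the HDF application folder and reboot again; then restore UAC.
Write-Host 'Install finished. Reboot now to load the HDF kernel module.'
Write-Host 'After the reboot: confirm the licence is imported (HDFsetup.exe if not),'
Write-Host 'then re-enable UAC (Step 5) and reboot once more.'
```

The script deliberately refuses to continue while UAC is on rather than switching it off itself: toggling `EnableLUA` is a reboot-requiring security change that should be an explicit operator action, and the guide's Step 5 expects it to be reverted afterwards.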

2.2 Uninstall - Please read before uninstallation

It is necessary to reset HDF to FULLY DEACTIVATED before running the uninstall wizard because of HDF's self-protection features: the uninstaller creates executable files (blocked by HDF) prior to the uninstall procedures. We recommend running the command line tool:

HDFcontrol /C:9

prior to the uninstallation steps.


To uninstall HDF, run the uninstall wizard either from the HDF application menu at Start > All Programs > Abatis HDF > Uninstall HDF, or open the Control Panel > Add or Remove Programs and select HDF to remove.

The uninstall wizard removes all installed components and deletes the HDF registry entries and the HDF log file. We endeavour to restore the computer to its previous state and remove all entries generated by the HDF application, including clean-up of Registry entries. Remember to backup or make a copy of the log file if required.
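The uninstall sequence in this section (fully deactivate with the command line tool, preserve the log file the wizard will delete, then remove the package) can be scripted as follows. This is an added example, not Abatis code: the `/C:9` option is the one quoted above, `HDFControl.exe` is the command line tool named in section 3, and the 64-bit default folder is the one given in section 2.1. The MSI path is a placeholder, the assumption that the log file sits in the application folder with a `.log` extension is ours (the guide only says "log file"), and the exit code of HDFcontrol is not documented here, so it is reported rather than interpreted.

```powershell
# Added example (not Abatis code): deactivate HDF, keep the log, then uninstall.
param(
    [string]$HdfDir  = 'C:\Program Files (x86)\Abatis\HDF',  # 64-bit default from the guide
    [string]$MsiPath = 'C:\Install\HDF-Advanced.msi'          # placeholder: the original installer
)
$ErrorActionPreference = 'Stop'

# The uninstaller writes executable files, which a blocking HDF would deny, so the
# guide requires FULLY DEACTIVATED first: HDFcontrol /C:9.
$control = Join-Path $HdfDir 'HDFControl.exe'
if (-not (Test-Path $control)) { throw "HDFControl.exe not found in $HdfDir" }
$deactivate = Start-Process -FilePath $control -ArgumentList '/C:9' -Wait -PassThru -NoNewWindow
# Assumption: the tool's exit codes are not documented in this guide; report, do not interpret.
Write-Host "HDFcontrol /C:9 returned exit code $($deactivate.ExitCode)"

# The wizard deletes the HDF log file; keep a copy for the audit trail first.
# Assumption: the log lives in the application folder with a .log extension.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "hdf-logs-$stamp"
New-Item -ItemType Directory -Path $backup | Out-Null
$logs = @(Get-ChildItem -Path $HdfDir -Filter '*.log' -ErrorAction SilentlyContinue)
if ($logs.Count -eq 0) {
    Write-Warning "No *.log files found in $HdfDir; check the log location before continuing."
} else {
    $logs | Copy-Item -Destination $backup
    Write-Host "$($logs.Count) log file(s) copied to $backup"
}

# Remove the package: the msiexec equivalent of Control Panel > Add or Remove Programs.
$log  = Join-Path $env:TEMP 'hdf-uninstall.log'
$args = @('/x', "`"$MsiPath`"", '/qb', '/l*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
if (@(0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}
Write-Host 'HDF removed. Reboot to unload the kernel module.'
```

Running the deactivation step first is the whole point: if it is skipped, the MSI uninstall fails part-way because HDF blocks the executables the uninstaller drops, and the machine is left with a partially removed product that is still enforcing.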

WARNING: When first installed, HDF is configured to operate in 'blocking mode' (normal mode). While this setting secures the computer out-of-the-box, it may interfere with some 3rd party applications that write executable files to the computer (perhaps as part of a regular update). The result may be that the affected applications display a Windows or application failed-update error message. In this situation, we recommend that you set HDF to 'Learn mode' (ref. 3.1.3 below) so that HDF records the I/O behaviour of the affected applications.

With the information gathered in the log file during 'Learn mode', suitable policy rules can be defined in the policy file (ref. 5.6 below) to auto-allow these applications to write their updates to the computer. If you have any difficulties in defining policy rules please contact Abatis for support.


3 Using HDF
After installation and system reboot, HDF is fully functional without further configuration being necessary. HDF runs in the background without noticeable impact on system performance. No maintenance is needed on a daily use basis. HDF is essentially an install-and-forget application; no pattern file updates and patches are required. However, it will be necessary to suspend HDF for authorised software installation and updating.

On HDF Advanced Edition a policy can be implemented to automatically disable blocking, as described in the following sections. This policy allows for the implementation of a high security configuration.

The HDF application consists of two components: a kernel module, HDF.sys, and the user mode HDF controlling applications. The first, the GUI user mode application HDFmonitor.exe, is a system tray-icon application to manage protection by the kernel module; HDFControl.exe is the command line version, which has more configuration features and is intended for the system administrator.

The GUI application is accessible by right clicking on the system tray icon, for users to save protected files, such as to install and update software (e.g. anti-virus applications), view the log and edit configuration settings.

HDF Icon

SECURITY WARNING: The system tray GUI icon application <HDFMonitor.exe> is a supplementary component of HDF, and is only intended to provide a user interface for an end-user to control HDF operating parameters, i.e. turn HDF protection on and off. It is normally deployed on desktop and notebook computers but NOT on server computers, due to obvious security considerations.

On a security sensitive server, we strongly recommend that the full GUI application <HDFMonitor.exe> not be installed, in order to minimize the attack surface to bypass HDF protection. Instead, HDF should be controlled and managed by the command line tools.

If the GUI application is required to be installed on a server, we recommend enforcing an authentication scheme that restricts user access to options presented in the GUI context menus. There is a cut-down version of the GUI that allows only non-security sensitive operations. Please contact Abatis for details.

Note
HDF can run with full functionality on computers without the GUI component if company policy dictates that end users should have no knowledge of HDF's presence and blocking.
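The recommendation above (kernel module and command line tool present, GUI absent on servers) is easy to check against a fleet. The following script is an added example, not Abatis code or a documented HDF check: it reads the registered system drivers through the standard `Win32_SystemDriver` WMI class to find HDF.sys and its state, and looks for `HDFMonitor.exe` both on disk in the application folder and as a running process. The default folder is the 64-bit path from section 2.1; the driver's service name is not given in this guide, so the match is on the image file name rather than on a service name.

```powershell
# Added example (not Abatis code): confirm a server deployment follows the guide's
# advice that HDF.sys and HDFControl.exe are present and the HDFMonitor.exe GUI is not.
param([string]$HdfDir = 'C:\Program Files (x86)\Abatis\HDF')  # 64-bit default from the guide

function Get-HdfDeploymentState {
    param([string]$Dir)
    # Win32_SystemDriver lists registered kernel drivers with their image path and state.
    # Get-WmiObject is used so the check also works on the older servers the guide covers.
    $driver = Get-WmiObject -Class Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -and ($_.PathName -like '*\HDF.sys') } |
        Select-Object -First 1
    New-Object PSObject -Property @{
        DriverRegistered = [bool]$driver
        DriverState      = if ($driver) { $driver.State } else { 'not found' }
        GuiFilePresent   = Test-Path (Join-Path $Dir 'HDFMonitor.exe')
        GuiProcess       = [bool](Get-Process -Name 'HDFMonitor' -ErrorAction SilentlyContinue)
        CliPresent       = Test-Path (Join-Path $Dir 'HDFControl.exe')
    }
}

function Test-HdfServerHardening {
    param($State)
    $findings = @()
    if (-not $State.DriverRegistered) {
        $findings += 'HDF.sys is not registered: HDF is not protecting this host'
    } elseif ($State.DriverState -ne 'Running') {
        $findings += "HDF.sys state is '$($State.DriverState)', expected 'Running'"
    }
    if ($State.GuiFilePresent) {
        $findings += 'HDFMonitor.exe is installed; the guide recommends omitting the GUI on servers'
    }
    if ($State.GuiProcess) {
        $findings += 'HDFMonitor.exe is running and exposes the protection on/off menu'
    }
    if (-not $State.CliPresent) {
        $findings += 'HDFControl.exe is missing: no command line management path'
    }
    return $findings
}

$state    = Get-HdfDeploymentState -Dir $HdfDir
$state | Format-List DriverRegistered, DriverState, GuiFilePresent, GuiProcess, CliPresent
$findings = @(Test-HdfServerHardening -State $state)
if ($findings.Count -eq 0) {
    Write-Host 'OK: kernel module running, GUI absent, command line tool present.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A finding of "GUI installed" on a server is worth treating as a configuration drift alert rather than a cosmetic issue: the tray menu is exactly the path by which protection is switched off interactively, which is why the guide keeps it off servers.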

Note: The terms 'non-block mode' and 'monitor mode' are used interchangeably to refer to HDF allowing write I/Os, while 'blocking mode' and 'protection/normal mode' indicate HDF is enforcing blocking protection.


3.1 GUI Menu Options tray icon application


3.1.1 Software Install/Update

Allows a user to temporarily turn off HDF blocking protection to allow software installation, system patching or application updates, e.g. anti-virus software updates.

The first time this option is selected, the following dialog is displayed. It is possible to hide it by checking the box "Do not remind me again".

While HDF's protection is turned off (non-blocking), the application tray icon animates (RED X) to indicate that it is in monitor mode.

After a pre-set time delay, HDF will remind you that it is operating in non-blocking monitor mode with no protection (default: 30 seconds, see the Settings option). HDF remains in non-blocking mode (no protection) until a user selects an option and clicks on a button.

The dialog is shown below.


Response:
Yes: enable HDF protection immediately. Default option if the user presses the <enter> key.

No: dismiss the dialog box and continue in non-blocking mode. The dialog reappears after the defined lapse time expires, e.g. default 30 seconds.

Cancel: dismiss the dialog box; HDF remains in non-blocking mode until the next restart or until protection is re-enabled manually using the Start Protection context menu option, described below (only available to users with administrative rights).

When HDF is running in non-blocking mode, all executable files that are saved and installed on the computer are recorded in the log file.

If HDF is turned off via the GUI, a security feature re-enables HDF after one hour running in monitor mode, as a safeguard in case the user forgets to turn protection on again. This feature is not available to the command line tool, HDFControl.exe.

Note
The HDF log is a useful tool to audit and track what files are actually installed on the system by any application, and is useful to troubleshoot post-install problems.

3.1.2 Start Protection

Any time HDF is suspended and before the reminder dialog appears, the Start Protection option immediately enables blocking protection. It is useful when the software install/update action is completed and the user wants to turn on protection without waiting for the reminder dialog.


3.1.3 Settings

An administrator can define various settings to control user privilege use. Please note that if UAC is enabled on the platforms that support it, such as Vista, Windows Server 2008 and Windows 7, the logged-on administrator account runs with standard user privilege, and all settings must be modified under true administrator privilege; refer to 2.1.1 for further information. Please note: these settings are only available to trusted administrators.

Options available are:
Show reminder dialog when software install/update option is selected:
Either displays or hides the reminder window that HDF is about to be suspended when the software install/update option is selected from the menu.


Option to turn on auto-archive of the audit log file, HDF.log:
Default setting is 2 Mbytes in file size; the archive log file name is HDF_yyyymmdd.log. It is also possible to archive the log file manually at any time as needed. Option to disable the archive operation error message dialog box.
Software install/update option: time delay for HDF protection auto re-activation prompt (in seconds):
Set the period in seconds for a prompt dialog window to re-start HDF.
Time delay to activate HDF protection after a user logs on (in seconds, default 0 seconds):
Set the delay period (in seconds) after a user logs on to the computer until HDF activates protection of the system. This option is for system administrators to download executable and batch files when a user logs on. This period should be set low unless there is a valid reason to delay the protection of HDF.
SW install/update option for admin only:
Hide the Software install/update context menu option from non-administrator users. An option to ensure only administrator users have the option to turn off HDF (normal users will not see the menu).
Exit HDFmonitor option for admin only:
Hide the Exit HDFmonitor context menu option from non-administrator users. An option to ensure only an administrator user has the option to exit the HDFMonitor tray icon application (has no effect on the protection/blocking functionality, which is performed by the HDF driver).
Show menu option to deactivate HDF (turns off all HDF functionality - bypass mode):
Adds a menu option to allow complete bypass of HDF protection (only for troubleshooting; not recommended for normal use).
Operation mode:
1. Normal mode: full protection mode with logging.
2. Learn mode: used to check the I/O write operation parameters for the purpose of preparing an allow-list for the HDF policy file. Default setting when first installed. Common use is to find legitimate writing of executables for auto-allow purposes, e.g. anti-virus programs. In this mode, blocking is OFF with logging ON.
3. Audit mode: non-block mode with extensive logging of all write operations, including not only executables but all files written to the disk. Caution: logging all file writes of the system will take up a lot of disk space quickly, so use only if necessary.


3.1.4 About

Displays HDF application versioning information that is useful when contacting Abatis for support.

3.1.5 View Log File

Activates the system default text file viewer to display log entries. Please see section 6.2 below for details.

3.1.6 Exit HDFMonitor

This option is hidden from normal users but not from administrator users (configurable via the Settings menu option). Exiting the HDF monitor does NOT terminate HDF protection.


4 Features
4.1 Overview
Experience has shown that complex security implementations often hinder the proper use of a security tool. HDF's design philosophy is simple management, transparent operation and focus on one security objective: effective system integrity protection.

HDF's unique approach is that an administrator user needs only to determine what application files require protection - these files are referred to as 'protected files' - and, optionally, define simple policy rules to automate authorized write and modification accesses to the protected files.

HDF can be seen as a write I/O security gate. Only a legitimate user who has the gate key to open the gate can write/edit protected files. To prevent high privilege account abuses, e.g. buffer overflow compromises, an administrator user has no default access right when the gate is closed. In the current version, the gate key is a command line tool and the system tray icon GUI, which are used to unlock the gate, further complemented by user defined rules. Since the gate key is the guardian of HDF's security, authenticated access to the gate key is paramount.

Whilst HDF protects write I/O and can be configured, once HDF is installed no executable code can be installed without opening the gate during protective mode; HDF comes with this feature out of the box!

HDF is simple to administer with minimum maintenance effort. Once it is configured according to the security requirement, no regular maintenance or update is required for day-to-day operation.

With built-in extensive audit log capability, HDF offers the user an overview as well as control of the file write I/O activities on the protected systems. It can be used as a monitoring tool or as a proactive security tool against malware and intrusion hacking; the protection is robust even when the attacker has unlawfully obtained admin privilege, that is, the attacker cannot bypass HDF protection.

HDF's main functionalities are:

1. To audit log write access of all executables (default) and user-defined files. Record the write I/O operations to a text log file, which can be forwarded to a remote log server. It also supports near-real time alerts by email messages to authorized admin users.

2. Optionally to deny I/O access detected at 1. above irrespective of the process and user account privilege, e.g. local and domain administrator users and other high privilege accounts are subject to the same level of control as standard users. Unlike Microsoft's User Account Control (UAC) implementation, HDF does not affect an administrator's default account privilege in performing system tasks, except writing/modifying protected files on the system. An admin user requires additional authenticated access to write and modify protected files. The authentication mechanism is fully controlled by the system owner according to security needs.


The HDF application consists of a kernel driver application and supporting user-mode NT Services and applications.

4.2 Technical Features


A robust and stable kernel module to monitor and access control write I/O operations on Windows executable and regular files
Denies unwanted write and edit access to protected files even when the requesting process has high system privilege, e.g. as a result of a buffer overflow attack or application vulnerability exploitation
Existing applications on the protected server computer execute as normal, without the need for maintaining a separate white list
Automated approval for authenticated clients to upload content without a manual process: policy rule based and runtime rules by scripted control
Audit logs all denied and allowed I/Os
Optionally, forwarding of audit logs to remote log servers
Rule-based near real time intrusion email alert notification services
Implemented by proven techniques (documented and approved by Microsoft) to achieve minimum system performance impact
Has been deployed in production computers since 2005

4.3 Security Features


Effective protection when a hostile process has high system privilege, e.g. Administrator and Local System
Prevents bypass of the write I/O control
HDF kernel application files are resilient against deletion and modification
Windows kernel protection against unauthorized unload of the HDF kernel module

4.4 Deployment Platform & Environment


This version is designed for the following platform and OS environment:

Microsoft Windows Server platforms including Windows Server 2000, 2003 and 2008, and Windows XP, Vista and Windows 7. All service patch levels are supported. 32 bits and 64 bits.

4.5 What HDF Is Not


HDF helps protect the integrity of a Windows server computer using robust and documented techniques. Specifically, HDF enforces write I/O access control to files to prevent unauthorized modifications. System integrity is ensured when an attacker is prevented from writing malicious executable files and changing the protected files.

HDF is not intended for other security services such as Confidentiality, Availability and Accountability. Please contact Abatis if additional security protections are required.


5 Using HDF Advanced Edition


5.1 Overview
HDF provides audit and write access control to executable and user-defined files to enforce integrity on a system. It blocks unauthorized write access and modification to protected files.

HDF operates on the security principle of Default Deny when it is running in blocking mode. This means that if a protected file is not explicitly allowed to be modified/written, then write/change access to the file will be denied irrespective of the requester's account privilege. In addition, a write approval must be sent to HDF before the write I/O operation occurs; i.e. only pre-authorized write actions are possible. The approach has been proven most effective at defeating malware and hacking attacks on live production systems for years.

5.2 Operating Mode


HDF's operating modes control how HDF handles write I/O requests. They are intended to meet different operational requirements, e.g. using HDF as an integrity protection security tool or as an audit/monitoring tool.

HDF operates in one of three modes: Blocking mode (which enforces the security policy), Monitor mode (non-blocking), which is used to test a configuration before putting the system into Blocking mode, and Audit mode (also non-blocking), which records all system I/O activity in addition to protected files. These modes are configurable via start-up configuration settings and at runtime.

Blocking mode: denies Write access to executable and user defined files unless it is allowed by runtime approval or policy rules.

Audit mode (non-blocking): permits Write access to executable and user defined protected files that it would otherwise deny, i.e. HDF permits the Write I/Os to complete as normal. This setting is for passive audit/monitoring purposes and will not affect/protect the running system in any manner.

Monitor mode (non-blocking): similar to Audit mode except that the HDF module processes the runtime and policy rules in the same way as in Blocking mode, with the exception that it always allows a Write operation to complete. It is a special mode for the user to identify files that require integrity protection, and to validate applicable access rules prior to deployment on production systems.

5.3 Automated Approval for Authorized Write I/O


When it is necessary to write/update the protected files during the course of system maintenance, HDF blocking must be temporarily stopped in order to open the gate to allow authorized/authenticated write accesses to the protected files.


HDF provides several mechanisms to automate authorized write access to executable and protected files. To maintain a high level of security, it is preferable to grant write permission as close as possible to when the authorized write operation occurs. The automated approval scheme is focused on security against abuses and simple rule definition.

The three supported mechanisms are not mutually exclusive and they are applicable according to the operational scenarios. Available methods and tools include:

1. Runtime control to automate write access approval to protected files at the point when the write event occurs. This method provides high security when it is necessary to allow writing/modifying of protected files. Details at 5.4 below.
2. Policy rules for situations when the file names/destination paths are pre-defined, and when the runtime control approach is not the most suitable method, e.g. regular application maintenance. Details at 5.6 below.
3. Command line tool: this is also a runtime access approval scheme with similar security to Runtime control above. A command line program is for either script-based or manual control to enable and disable HDF blocking immediately before the write operation occurs. Details at 5.17 below.

5.4 Runtime Write Control Rules


To facilitate secure file upload functionality on a web server computer, HDF provides a mechanism for a trusted application, e.g. a Content Management System (CMS), to perform file uploads without significant change to the application. The only requirement is for the trusted upload script to communicate the file name to HDF prior to the upload operation, otherwise the upload is blocked by HDF. This approach is suitable for file uploads when the file name is not known until runtime and it is desirable to grant write approval at runtime.

HDF's access rule processing module <HDFGate.exe> allows a user application to pass authorized write requests, and it maintains a list of approved Write I/Os. A trusted application, e.g. an Upload.ASP script, is required to pass the file details to the access rule processing module immediately prior to uploading protected files. As the application is responsible for the actual file upload function, it updates HDF when the upload completes. This ensures the highest level of security; from that point onwards further write access to the target file is denied.

When the application uploads the target file, the upload operation is detected by the HDF kernel, which forwards the details to the access control module; this then performs a matching check against the runtime list. If a match is found it returns an Allow decision to the HDF kernel, otherwise it continues to check against the policy rules, if they exist (refer to 5.6 below).


5.5 Syntax
The syntax for passing a file name to the HDF access control module <HDFGate.exe> follows the standard COM calling convention; the HDF COM server is <HDF.Gate>. Please contact Abatis for a sample script <sample.asp> [2].

The following sample shows a classic ASP script passing a filename to HDF at runtime with two lines (the standard HTML tags are skipped for clarity):

Syntax:
<%
Set HDFGate = Server.CreateObject("HDF.Gate")
HDFGate.ShowMessage Control_code, "File Path", "Caller_id"
%>
Where:
HDF.Gate - the HDF COM server
Control_code - 0 to instruct HDF to allow a file, 1 to deny further Write I/O to the file when the upload completes
File Path - file name and path information on the target computer
Caller_id - an identifier for auditing purposes

The following example enables writing a protected file <index.asp> to C:\inetpub\wwwroot\MySite\index.asp:

1. Initiate communication with the HDF.Gate COM server and instruct HDF to allow a file upload, passing (a) a control code, (b) file path/file name, and (c) the caller ID:
   Set HDFGate = Server.CreateObject("HDF.Gate")
   HDFGate.ShowMessage 0, "C:\inetpub\wwwroot\MySite\index.asp", "Sample.asp"
2. The application uploads the file <index.asp> to the destination path using the application's normal method, e.g.
   My_CMC.Uploader("C:\inetpub\wwwroot\MySite\index.asp")
   The upload will be allowed automatically.

3. Update HDFGate when the file upload is completed and close the session:
   HDFGate.ShowMessage 1, "C:\inetpub\wwwroot\MySite\index.asp", "Sample.asp"
   Set HDFGate = Nothing

[2] Runtime access control is particularly suitable for Web sites that allow users to upload files to the server, where the Web master gains control to decide what files are allowed to be written to the system. Other samples can be provided as required, e.g. a C++ sample.


From this point on the file "C:\inetpub\wwwroot\MySite\index.asp" is protected from modification and overwrite.
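The approve/upload/close sequence of 5.4 and 5.5, as an added offline model that is not part of this guide or of Abatis' code: nothing here touches the real HDF.Gate COM server; the model replays the documented contract (ShowMessage 0 approves the named file, 1 denies further writes once the upload completes) against an in-memory approved list. It assumes case-insensitive path comparison and treats a write with no runtime match as Deny (the policy-rule fallback of 5.6 is not modelled); HdfGateModel, upload_with_gate and the audit strings are this example's own names.

```python
"""Offline model of the HDF.Gate runtime approval window (sections 5.4 and 5.5).

Added example, not Abatis code. Assumptions: paths compare case-insensitively,
and a write with no runtime approval is denied (policy fallback not modelled).
"""
from typing import Callable, Dict, List

ALLOW_FILE = 0   # Control_code 0: approve the coming write to this file
CLOSE_FILE = 1   # Control_code 1: upload complete, deny further writes


class HdfGateModel:
    """Keeps the runtime list of approved Write I/Os and an audit trail."""

    def __init__(self) -> None:
        self.approved: Dict[str, str] = {}   # normalised path -> Caller_id
        self.audit: List[str] = []

    @staticmethod
    def _key(file_path: str) -> str:
        return file_path.strip().lower()     # assumption: Windows case-insensitive paths

    def show_message(self, control_code: int, file_path: str, caller_id: str) -> None:
        """The call a trusted upload script makes (HDFGate.ShowMessage in 5.5)."""
        key = self._key(file_path)
        if control_code == ALLOW_FILE:
            self.approved[key] = caller_id
            self.audit.append("APPROVE %s %s" % (caller_id, file_path))
        elif control_code == CLOSE_FILE:
            self.approved.pop(key, None)
            self.audit.append("CLOSE %s %s" % (caller_id, file_path))
        else:
            raise ValueError("Control_code must be 0 or 1")

    def on_write(self, file_path: str) -> str:
        """Decision handed back to the kernel for a write to a protected file."""
        key = self._key(file_path)
        if key in self.approved:
            self.audit.append("ALLOW %s %s" % (self.approved[key], file_path))
            return "Allow"
        self.audit.append("DENY %s" % file_path)   # default deny
        return "Deny"


def upload_with_gate(gate: HdfGateModel, file_path: str, caller_id: str,
                     uploader: Callable[[str], str]) -> str:
    """The three-step sequence of 5.5, closing the gate even if the upload fails.

    The guide's sample closes the gate only after a successful upload; the
    try/finally is this example's addition, so a failed upload cannot leave the
    target file approved for writing until the HDFGate service restarts.
    """
    gate.show_message(ALLOW_FILE, file_path, caller_id)
    try:
        return uploader(file_path)           # the application's own upload method
    finally:
        gate.show_message(CLOSE_FILE, file_path, caller_id)
```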

5.6 Policy Rules


From a security perspective, it is preferable to use the runtime access approval scheme whenever possible. In situations where the runtime approval scheme is not suitable, HDF policy is one of several methods to automate the approval of Write operations on protected files without manual interaction. It is suitable in situations where the Write requests are initiated by authorized applications, e.g. 3rd party application updates such as Microsoft Office, Microsoft Windows Update (WSUS) and security software updates.

The policy rule format is specifically designed to be simple and flexible, to meet anticipated requirements in a corporate environment. The current implementation should meet most security needs; please contact Abatis if a particular requirement is not covered or you have questions on policy rule definition (instructions at 5.9 below).

Policy rules are used to enable fine-grained control to allow writing and editing of protected files, and the rules are maintained in a master policy file <MasterPolicy.HDF>. The Policy engine supports multilevel sub-policies to provide a simple, structured and hierarchical organization of policy rules. An administrator can define a master policy file for a department and sub-policy rules for different business functional units and groups within the department. This flexibility allows the administrator to define separate policies for different user groups, business functions and application domains.

Take an example of an imaginary software engineering department which has a number of sub-teams: software architecture, UI graphic design, system programming team, UI programming team, Web application team and QA sub-teams. The policy rule structure may be organized so that <MasterPolicy.HDF> defines the rules for the common applications used by the whole department, and level-2 policies for each of the teams. A further level-3 policy may define rules for specific applications used only on the computers of the QA sub-teams, etc.

Each rule line controls the write access of one protected file to the destination path (wildcard file names are supported). Sample policy files are included in the package.

The policy engine generates two audit log files in the HDF application log folder when in operation. The first log file records the I/O decisions of the policy engine as defined in the rule files, and the second policy audit log file tracks the policy rules in use as well as reporting any policy file and rule errors. Further details at 6.4 below.

Because the policy rule file is essentially a way to open the gate automatically, the administrator user is strongly advised to review the rules before deployment on production systems. It is recommended to run HDF in monitor mode first to validate the rules and to ensure sufficient rules are defined to meet security and operational requirements.


5.7 HDF Policy - How it works


When a write operation on a protected file occurs, HDF's policy engine performs a search of the policy rules. If the write operation matches the exact 'allow conditions' of a policy rule, the write I/O is allowed, otherwise a Deny code is returned to the HDF kernel.

Once HDF is in protection mode, it will not allow any executable to be written to disk unless it has been allowed within the policy. This prevents executable code getting onto a computer system without the knowledge of the owner, i.e. known or unknown hacker tools or malicious code, thus maintaining system integrity.

The policy file can be located on any accessible path and is loaded automatically when the HDF policy module service <HDFGate> starts up. When changes are made to the policy file it is necessary to restart the HDFGate Service for the updated policy rules to take effect. This does not require a reboot of the machine. All policy files are protected by HDF from unauthorized modification. Therefore, it is necessary to turn off HDF blocking before saving a policy file. Since the default location of the policy file is in the HDF application directory, which is system protected, the admin user must also have the Windows 'write access' privilege to the HDF application directory.

The administrator can define policy rule files with any filename (which must have a *.HDF extension) except the master policy file <MasterPolicy.HDF>. A built-in security measure is that additional policy files must be declared and added through the master policy file <MasterPolicy.HDF>; therefore the administrator is always clear about what policy files are in operation, and no unauthorized policy rules can be introduced to the system via a back door.

5.8 Policy rules format - Policy.HDF


A policy rule is flexible and simple to define. Each policy rule entry refers to one individual file. For added security, it can restrict writing of a specific file to only the named system/application process. For example, it is possible to define a rule that only MyApp.exe can write a file MyApp.conf to a specific folder, while all other write attempts to the same file are denied, irrespective of the requester's account privileges. This is a secure, robust approach to enforce system and application file integrity.

A rule begins with a marker = followed by the file specification (file path/file name). The current version supports five variations of policy rules (in order of descending security):
1) Allow a specific named process (the only process) to write a specific file to the specific destination path (most secure: all 3 conditions must be met)
   =process_name.exe&=n:\destination_path\file_name.ext
2) Allow any process to write a specific file to the specific destination path (2 conditions)
   =n:\destination_path\file_name.ext
3) Allow any process to write any protected file to the specific destination path (1 condition)
   =n:\destination_path\ or =n:\destination_path\*.*


4) Allow any arbitrary process to write a specific file to any path (1 condition)
   =\file_name.ext
5) Allow a specific process to write any protected file to any path (1 condition)
   =process_name.exe (refer to the security implications below)

Syntax Note:
A valid rule entry begins with a '=' marker. A line that does not begin with the = marker is treated as a comment line.
A separator marker '\' is used for:
Path name - must begin and end with a '\' marker, e.g. =n:\destination_path\ (same as =n:\destination_path\*.*)
File_Name - must begin with a '\' marker but without an ending '\', e.g. =n:\destination_path\file_name.ext and =\file_name.ext
Process_name - without the '\' marker, e.g. =process_name.exe

Wildcards '*' and '*.*' are supported, e.g. *.HTM, MyApp.* and *.*.

From Version 3, the HDF policy engine supports special instruction tags (directives):
"POLICYFILE=" - this directive instructs the HDF policy engine to add a sub-level policy file. Advanced Edition supports up to 5 levels deep and 50 policy files. Syntax:
POLICYFILE=<absolute_path_to_sub-level_policy_file.HDF>
e.g. POLICYFILE=C:\Program Files (x86)\Abatis\HDF\WindowsUpdates.hdf
The above rule adds <WindowsUpdates.hdf> as a second level policy.

And:
"INSTALLER=" - this special directive causes the policy engine to treat the allowed I/O as 'trusted', with a <4> code in the policy log file, and the executables downloaded by the trusted process also become 'trusted processes'. Syntax:
e.g. INSTALLER=services.exe&=\WINDOWS\SOFTWAREDISTRIBUTION\*.*
The rule instructs the policy engine to treat any executable written by the system process <services.exe> to the folder and sub-folders of \WINDOWS\SOFTWAREDISTRIBUTION\ as a trusted process.

"MODE=ALLOW_IO_AND_RECORD" - this directive must be activated in <MasterPolicy.HDF>. It is specifically for recording the computer's I/O pattern for HDF policy definition.

When HDF operates in protection mode (block), this instructs the HDF policy engine to allow write I/Os of protected files that would otherwise be blocked, and to capture/record the applications' I/O pattern for the purpose of policy definition, i.e. HDF is effectively running in non-block mode. When running in this mode, it is not necessary to configure HDF to non-block mode to capture I/O.

Security Note: This directive must be commented out or removed on production systems, otherwise HDF is in 'simulated' non-block mode with no protection.

When the instruction is active, the HDF policy log file and audit log file indicate that HDF is in non-block mode.


Security Note: There are a number of system processes that are common targets of malware and hacker attacks (typically buffer overflow) because they run under a high privileged account, e.g. Local_System. Under no circumstance should these processes be defined in the 5th rule variation above (unrestricted write). Some of these system processes are Svchost.exe, Winlogon, Csrss.exe, Dwm.exe, RunDLL32.exe, Spoolsv.exe, Cmd.exe, Msiexec.exe and others.

As a rule of thumb, we recommend not using the 5th rule variation - this rule effectively defines the process as a 'trusted process' with unrestricted access to the whole system. The same rule applies to applications that are commonly targeted by malware writers and hackers, e.g. Internet browsers, multimedia players, decoders and PDF readers.

By default the HDF Policy engine rejects defining these common high risk system processes and vulnerable application processes, e.g. iexplore.exe, firefox.exe and chrome.exe, as 'trusted processes'. These processes should be restricted to write only to the intended folders/files.

In most deployment scenarios there is normally no requirement to grant unrestricted write access to the system. From a security consideration it is preferable to use the restrictive 1st rule variation format, e.g. the named process can only write to a specific file instead of having unrestricted write access, or, as appropriate, the other less restrictive forms.

Because the list of vulnerable applications is changing all the time, it is impossible to provide a complete listing; please consult Abatis if security consultancy advice is required.

It is important to note that the very nature of an exception list inevitably creates a potential security gap in HDF protection. We strongly recommend that the administrator critically review the use of policy as an automated I/O approval scheme. While this is a suitable approach to facilitate the automatic update needs of security tools, in other scenarios a more secure approach is usually possible. Please contact Abatis if help is required in this area.

Note: This manual may not include the latest enhancements to HDF policy; please refer to the MasterPolicy.HDF for the latest features.

5.9 How to Def ine HDF Policy Rules


The HDF policy engine makes a 'Deny' or 'Allow' decision based on examining three elements of a Write operation, i.e.

1) The process that initiates the Write operation on a protected file;
2) The destination path of the write I/O, and
3) The target file name, i.e. the protected file.

T ake the follow ing actual HDF log line as an example;

2012/0 9/23 20:13:37 <0> 0340:Smc.exe S -1-5-18


C : \WINDOWS\SYSTEM32\WPSHELPER.SYS

1) "S mc.exe" is the S ymantec end point pr otection update pr ocess

2) "C: \WINDOWS \S YS T EM32\" is the tar get dir ector y of the Wr ite tar get, and
lastly

3) "WPSHELPER.SYS" is the filename.

HDF, being part of the OS kernel, always records the I/O details in <HDF.log>
and the HDF policy decision in <HDFPolicy__computer_name.log>. From the log, an
administrator has the necessary information to define secure policy rules
according to operational needs.

It is recommended that the admin user considers all three of the above I/O
components when defining the allow-write criteria of a protected file. HDF
policy allows you to define any combination of the 3 elements as conditions
(criteria) to auto-allow an I/O. For example, you can control (1) which process
is allowed to write, (2) to which directory, and (3) that the file must be as
defined (all 3 criteria must be met for an allowed write I/O).

In situations where the 3 write elements cannot be predetermined, you can
define a valid policy rule with a combination of any of the 3 I/O components,
e.g.

=svchost.exe&=C:\WINDOWS\SOFTWAREDISTRIBUTION\*.DLL

The above policy rule restricts 'svchost.exe' to writing DLL files to the
Windows WSUS directory and nowhere else. While this rule allows the writing of
any DLL file, more restrictive rules can be defined in some circumstances by
referencing the actual filenames from HDF's logs. This rule will not allow
svchost.exe to save a *.EXE file.

Note: Many applications, including Windows Update, save files with random
filenames to the computer; we recommend using a wildcard filename to handle
such situations.

5.10 Automated WSUS support

With the default policy rules, HDF supports Windows Server Update Services
(WSUS) and Microsoft Security Essentials anti-malware scanner updates
automatically, without the need to 'open the gate' manually.

The current WSUS client initiates the Windows update process by downloading the
patches to a specific directory, e.g.
C:\Windows\SoftwareDistribution\Download\patch_id. When the patching files and
tools are downloaded, the WSUS process installs the patches as required;
sometimes a reboot is necessary to complete the process. This document does not
discuss WSUS details, which are available from Microsoft and other user
community forums.

To support automated patching by WSUS, HDF allows the WSUS processes to write
update files destined for the Windows patching directories. To indicate to HDF
that the WSUS write requests should be allowed to pass through, it is necessary
to define rules to that effect in the policy file. A special rule marker,
INSTALLER=, is used to prefix a standard policy rule line.
To identify the system processes of WSUS and the location of the patching
directories on a client computer, it is recommended to first run HDF in monitor
mode (non-blocking) to record such information. The following rules are
applicable to the current WSUS process:

INSTALLER=svchost.exe&=C:\WINDOWS\SOFTWAREDISTRIBUTION\
INSTALLER=update.exe&=C:\WINDOWS\$NTUNINSTALL\

Two sample policy files, <MasterPolicy.HDF> and <WindowsUpdates.HDF>, are
included in the installer package. These policy files can be used as templates
for additional rules as necessary.
When the WSUS process is changed and updated, it is necessary to update the
patching rules in the policy file. Abatis will provide an updated version of
<WindowsUpdates.HDF> if required. As discussed before, the <WindowsUpdates.HDF>
policy must be activated through the master policy <MasterPolicy.HDF>.

5.11 Deploy HDF Policy Module in Corporate Environment

HDF's policy module is designed as a secure automated 'open-gate' feature to
support authorized file writes. It is totally different from Application
Whitelisting software, which controls what application programs/processes are
allowed to execute on a computer and does not control what these 'whitelisted'
processes write to the computer. There is a potential security exposure when a
'whitelisted' process is hijacked to write a malware payload after a hacking
compromise, which Application Whitelisting cannot protect against. HDF
blocking is effective even when a highly privileged system process is hijacked
to write to the computer.

Since HDF blocks write I/O of protected files out of the box (i.e. existing or
new executable and user-defined files), a policy is used to automate the
approval of expected/required file downloads without a user's manual
interaction. It can be viewed as an exception list: the protected files in the
list are allowed to be written/updated on the computer when the runtime
conditions meet the criteria defined in the policy rules.

There are four recommended steps to deploy HDF policy in a corporate
environment:

5.12 [Policy Definition]

The admin user will discover and define the files that are required to be
written to disk automatically. This step is done either by defining
"MODE=ALLOW_IO_AND_RECORD" in <MasterPolicy.HDF> if HDF is in protection mode
(refer to 5.8 above) or by setting HDF to Monitor Mode (non-block), and then
exercising the business applications on the computer as in normal daily
operation. HDF will not interfere with the business applications' I/O activity,
and it records the Write I/O of 'protected files' in an I/O policy log file,
<HDFPolicy__computer_name.log>.

Once the applications' I/O pattern is captured, it is a straightforward
exercise for the admin user to review and define the I/Os suitable for
automated write approval. The expected Write activities are entered in a policy
file (a plain text file) according to the desired security requirements; refer
to 5.9 above.

5.13 [Policy Testing]

When a policy has been defined in the above step, the next step is to exercise
and test the policy to validate that the defined rules meet the requirement, by
running the applications of step 1 with HDF in protection (blocking) mode.

This step validates that the policy will not interfere with the standard
functionality of the business applications.

Typically, the first two steps are performed in a testing environment, where
many corporations perform standard application software and compatibility
testing. Step 1 and step 2 may be repeated to discover the business
applications' Write patterns.

5.14 [Pre-Deployment QA]

Prior to roll-out on the production computers, it is recommended to deploy the
HDF policy either in the "MODE=ALLOW_IO_AND_RECORD" configuration or with HDF
configured in 'monitor mode' (non-block) as a quality assurance validation
check. When HDF runs in non-block mode the HDF policy engine records the I/O
result of each policy rule, but no Write I/O is blocked, therefore the business
production computers are not affected in any way.

The policy audit log clearly identifies any rule omission; in effect, a
particular I/O that would have been blocked in enforcement mode is allowed
during 'monitor mode'. The policy under examination can then be adjusted
accordingly if necessary. When HDF is in non-block mode, the HDF policy log
adds a tag [NON_BLOCK_MODE] to the end of the log line to indicate that the I/O
would have been blocked if HDF were in protection/blocking mode.

The time period to run 'monitor mode' varies according to the system's core
functionality and configuration. If a system operates in a stable configuration
with few anticipated system changes, running HDF in 'monitor mode' for one to
two weeks is adequate. For systems experiencing regular changes, it is likely
that one to two months running in 'monitor mode' will capture any expected
Write I/O of 'protected files'.

In the unlikely situation that a system is compromised during 'monitor mode',
the HDF audit logs provide an invaluable tool to aid forensic investigation and
speedy system recovery: the logs reveal all malware payloads, including kernel
rootkit attacks, which very often are 'hidden' from other security tools.
Hacking compromises and backdoor tools are equally clearly revealed in the HDF
log files.

5.15 [Production and Monitoring]

With the successful validation of step 3, HDF can be activated to run in
enforcement (protection) mode. After HDF goes live to protect systems in an
organization and business, it is necessary to have a 24x7 overview of any
threats to system integrity, e.g. where and when a malware infection spreads or
how an intruder attempts to compromise security. With extensive file system
activity audit logs, HDF has a number of monitoring and notification/alert
functions to ensure the admin user has continuous control and a status
overview of the HDF-protected systems in the environment.

For a corporate environment, HDF has an extra optional module called the
Central Management Console (CMC). HDF CMC is a monitoring and management tool
for HDF-protected computers within the company/organization. It is a web-based
application with a combination of functionality such as log collection, log
analysis, log query (report), real-time monitoring and management.

IT admins can view real-time HDF log information through a web browser, showing
the status of HDF clients and security alarms, and can interrogate the HDF
operating parameters as well as system and hardware information.

The CMC supports sending runtime commands to clients, such as turning protect
mode on/off, setting the allowed processes etc. Full details of the CMC product
are contained in the CMC User Guide. For further information please contact
Abatis.

5.16 Access Control Decision Flow

HDF handles file Write I/O operations differently depending on the active
operating mode, i.e. blocking or non-blocking mode. When HDF is running in
Monitor mode or Audit mode, the Write I/O is always allowed. If it is in
blocking mode, HDF's access rule processing module consults the user-defined
runtime and policy rules, when they exist and are activated, as follows:
1 The I/O request is checked against the runtime rules. If a matching rule is
found an Allow decision is made (the decision is final);
2 If no applicable rule is found, the Write request is further checked against
the policy rules in <MasterPolicy.HDF> and any sub-policy rules. If a matching
rule is found an Allow or Deny decision is made accordingly (the decision is
final);
3 If there is no matching rule, HDF denies the Write I/O. This means no
executable code can be written to disk regardless of file extension;
4 The I/O decision is recorded in a log file and, optionally, a policy
processing audit log;
5 (Optionally) The I/O details are sent by email alert message to named
administrator users.
Note: When HDF is running in monitor mode, the email alert message indicates
that the Write I/O is blocked when in fact HDF has not blocked the I/O. This is
intended and expected behaviour. Monitor mode is intended only for testing and
rule evaluation purposes. The raw log file <HDF.log>, however, records the I/O
as allowed, reflecting that the file write I/O was allowed.

5.17 Command Line Tool

The HDF command line program <HDFControl.exe> enables an administrator user to
control the active operating parameters of HDF dynamically at runtime. It can
also be integrated into a system management framework or customised system
management scripts. <HDFControl.exe> is an optional tool intended for system
administrators.

The common use of the command line tool is to control HDF centrally for
automated system patching and software distribution. To provide the greatest
flexibility, the tool supports a number of runtime switches for secure and
flexible system patching and software distribution tasks.

The tool requires a configuration file <HDFConf__custid.HDF>. The file contains
operating and configuration options for several HDF modules. It also serves as
an authentication 'ticket' that controls access to the HDF Control tool.
The HDFControl tool checks this ticket every time before it executes. If the
check for user-defined conditions fails, e.g. USB only or invalid password, the
application will not execute.

Note: This manual may not include the latest enhancements and options to the
HDFControl tool; please refer to the <HDFConf__custid.HDF> file for the latest
features.

5.18 Use of tool

For security reasons, the tool by default can only be executed by a local
administrator user. Further access control to the tool can be integrated with
other controls, e.g. binding the tool to execute only from a USB device: the
user is required to present his credential as well as be in possession of the
USB device (two-factor authentication). Please contact Abatis for other
possible levels of access control.
Executing HDFControl.exe without parameters displays the help message. Some
common HDFControl parameter examples:

HDFControl /A
    display the current operating parameters

HDFControl /C:1
    block and log (default blocking mode)

HDFControl /C:0
    audit log only, do not block any file (audit mode and monitor mode)

HDFControl /C:2
    block executables starting from removable devices, e.g. USB and networked
    shares (extended blocking mode)

Additional management functionality is regularly incorporated into the tool.
Please contact Abatis with any feature request.

5.19 Example use for software patching and system updates

An administrator user can use the command line tool in a central control
environment to perform automated patching, software roll-out, AV updates etc.,
by using scripting tools such as VBScript or a batch file, for example:

    Rem Begin patching/SW update process
    HDFControl /C:0
    Rem The line above turns off blocking to allow the install, and keeps logging
    [.. Update anti-virus/anti-spyware tools ...]
    [.. Install software, system patching/WSUS ...]
    HDFControl /C:1
    Rem Resume HDF blocking and logging
    Rem Exit normally

Alternatively, there is a trusted process setting where HDF allows a trusted
process to write all files. This feature is intended to support automatic
software updates, e.g. of an anti-virus program. Other uses of trusted
processes are discouraged because of security considerations. Runtime rules
(refer to 5.4 above) and policy rules (refer to 5.6 above) provide a higher
degree of protection and control.
Security Note: HDF automatically allows a trusted process to write any file;
therefore, an administrator must test and validate a process before defining
it as trusted. It is not recommended to trust system processes which are
common targets for hackers and malware attacks. The current version supports
defining a trusted process by direct Registry editing via most system
management and software deployment tools, or simply by a Registry file import.
Please refer to the Registry details for Allowed Processes in section 8 below.
Note: HDF protects its parameters in the Registry from unauthorized tampering;
it is necessary to disable the protection prior to changing the HDF Registry
settings, i.e. by running the command line: HDFControl /C:9.
Modifying the runtime parameters with the tool will not update the respective
HDF operating parameters in the HDF Registry. They must be updated separately
if configuration setting persistence is necessary.

As described above, the tool <HDFControl.exe> is the gate key to HDF's
protection. In other words, whoever has access to this tool can potentially
affect the integrity of the whole system. It is paramount that only authorized
users are allowed to run the tool.

It is most important to keep the gate key from unauthorized access. There are
a number of secure approaches available. It is recommended to assess the
deployment environment and select the appropriate methods. The tool is not
included in the standard installer package. Please contact Abatis for details.

Abatis is available on a consultancy basis to suggest secure and applicable
approaches. Other tools can be provided as required.

6 Audit Logging
6.1 How HDF Performs Audit Logging
6.1.1 HDF Main Audit Log

HDF is a security tool and audit logging is an essential integrated feature. By
default, the HDF audit log records all monitored write I/O operations to a
local text log file as raw log data. The raw log data is generated by the HDF
kernel and is suitable for further analysis by external log management and
reporting tools as required. HDF enforces the principle of 'factual' reporting,
which means every single I/O event, including duplicated I/O incidents, is
audit logged.

NOTE: At the time of writing, HDF logs have already been integrated into
Tier-3's Huntsman tool and the Proteus GRC tool.

We suggest the user examines the log file <HDF.log> regularly to determine if
the system has been under malicious attack that was prevented by HDF. The
location of the file is defined at installation time and is recorded in the HDF
registry,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDF\Parameters\LogPath].
The default location on 64-bit platforms is
C:\PROGRAM FILES (x86)\ABATIS\HDF\LOG\, and on 32-bit platforms
C:\PROGRAM FILES\ABATIS\HDF\LOG\. The path can be modified by configuration
update or at runtime, using the command line tool. The location of the log file
must be valid and accessible in order for the HDF kernel to write log entries
to the log file.

The log data can optionally be forwarded to named administrator users via the
email notification services. The user is able to define conditions for the
notification, such as the frequency of alerts and the type of I/O incidents to
report, e.g. only denied write I/Os.

6.1.2 HDF Policy Audit Log

Optionally, the HDF Policy module generates two additional audit log files. The
first policy log tracks the rules' I/O decision outcome, and the second log
shows the active rules in use and highlights any policy anomaly such as rule
syntax errors or policy file errors. The log files are detailed at 6.4 below.

6.2 Log file format

The log file consists of two types of information: HDF configuration and log
data. The first type is the application's active operating parameters, e.g.
blocking/non-blocking mode and user-defined protected file types (extensions)
etc. This information is indicated by a marker <C>. Some examples are:

Date & time <C> Configuration: (indicates blocking and non-blocking mode)
Date & time <C> Extensions: (a list of user-defined protected files)
Date & time <C> AllowedProcesses: (a list of trusted processes)
Date & time <C> LogPath: (the log path where the HDF kernel writes log entries)


The HDF kernel generates the above entries on system start-up and when any of
the parameters are changed at runtime.

The fields of a log entry are:

Field 1: Date
Field 2: Time
Field 3: I/O decision code; <1> file blocked, <0> file not blocked (written to
disk), and <4> trusted process write operation.
Field 4: Process ID and process name that attempts to write an executable or
protected file.
Field 5: User SID (account privilege) of the write operation, to identify the
account under which the process makes the write access; typically the login
user or a system process. Note the log shows a user SID (so that we know
exactly who performs the write operation) and not the Group SID (not too
helpful for analysis in many cases).
Field 6: Full path and file name of the executable or protected file, either
denied or allowed.

A sample log file is shown below.

6.3 Log samples

The following log entries are extracted from a commercial live production IIS 6
web server after it was under a web-defacement attack. The timestamps (almost
without time gaps) suggest the attack was likely scripted. The true site name
is obscured to protect the identity of the site owner.


The log shows HDF blocked the web defacement attack when the attack script
attempted to upload some common web files to launch a website defacement
attack; the code <1> indicates the I/Os were blocked. The log reveals that the
attacker successfully executed a buffer overflow attack on the IIS system
process <w3wp.exe> running under the high privileged LOCAL_SYSTEM account (SID
S-1-5-20), and <w3wp.exe> was then directed to upload the malicious files, all
of which were blocked in this example.

2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTM
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTML
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTM
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTML
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\INDEX.PHP
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.PHP
2010/12/30 03:54:05 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\HOME.PHP

Contrary to popular belief, attack attempts similar to the example are common
and regular events experienced by most website owners.
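As an added example (not part of HDF or this guide), a Python parser for the six-field HDF.log format of 6.2, with two triage checks run over a constructed sample modelled on the extract above: blocked writes per process and account, and the burst-of-blocked-writes heuristic that 6.3 uses to read the attack as scripted. The site name, the two non-attack lines and the burst thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BLOCKED, ALLOWED, TRUSTED = 1, 0, 4  # field 3 decision codes (section 6.2)

# Fields 1-6 of a log entry: date, time, <code>, pid:process, user SID, full path.
# Configuration lines carry <C> instead of a numeric code and are skipped.
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}) <(\d)> (\d+):(\S+) (S-\d(?:-\d+)+) (.+)$"
)


@dataclass(frozen=True)
class WriteEvent:
    when: datetime
    code: int
    pid: int
    process: str
    sid: str
    path: str


def parse_log(text):
    """Parse HDF.log text into WriteEvents, skipping <C> configuration lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " <C> " in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised HDF log line: {line!r}")
        date, time, code, pid, proc, sid, path = m.groups()
        events.append(WriteEvent(datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"),
                                 int(code), int(pid), proc, sid, path))
    return events


def blocked_by_process(events):
    """Count blocked writes per (process, SID): who was stopped, under which account."""
    return Counter((e.process, e.sid) for e in events if e.code == BLOCKED)


@dataclass(frozen=True)
class Burst:
    pid: int
    process: str
    start: datetime
    end: datetime
    count: int
    paths: tuple


def scripted_bursts(events, min_events=5, window=timedelta(seconds=5)):
    """Find runs of blocked writes from one PID packed into a short window.
    Section 6.3 reads near-gapless timestamps as a sign of a scripted attack;
    this makes that heuristic explicit (the thresholds are assumptions)."""
    by_pid = defaultdict(list)
    for e in events:
        if e.code == BLOCKED:
            by_pid[e.pid].append(e)
    bursts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.when)
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1].when - evs[i].when <= window:
                j += 1
            if j - i + 1 >= min_events:
                bursts.append(Burst(pid, evs[i].process, evs[i].when, evs[j].when,
                                    j - i + 1, tuple(e.path for e in evs[i:j + 1])))
                i = j + 1
            else:
                i += 1
    return bursts


# Constructed sample in the 6.2 format, modelled on the 6.3 extract; the site
# name and the two non-attack lines are made up for the demonstration.
SAMPLE_LOG = r"""
2010/12/30 00:00:05 <C> Configuration: blocking mode
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\DEFAULT.HTM
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\DEFAULT.HTML
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\MAIN.HTM
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\MAIN.HTML
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\INDEX.PHP
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\DEFAULT.PHP
2010/12/30 03:54:05 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\EXAMPLE.COM\WWWROOT\HOME.PHP
2010/12/30 04:10:00 <4> 1844:Smc.exe S-1-5-18 C:\WINDOWS\SYSTEM32\WPSHELPER.SYS
2010/12/30 04:15:30 <1> 3012:explorer.exe S-1-5-21-1000-2000-3000-1001 C:\USERS\ALICE\DOWNLOADS\TOOL.EXE
"""
```

Feed parse_log() the contents of a real HDF.log and the seven w3wp.exe lines above collapse into a single Burst, while the lone explorer.exe block stays an ordinary per-process count.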

6.4 HDF Policy Audit Log

The HDF Policy engine generates two optional audit log files in the HDF
application log folder, the same folder as the HDF main log file, HDF.log. Both
policy audit log filenames are suffixed with the computer_name as an identifier
of the source computer of the audit log.

The first log file records the I/O decision outcome according to the policy
rules. For simple parsing purposes, it has the same fields and format as the
HDF main log, as described in 6.2 above. The HDF policy rule decision audit log
filename is <HDFPolicy__computername.log>. One exception is that the policy log
does not record duplicate I/O events as the HDF main log does.

Another feature is that the HDF Policy log supports the policy deployment
procedures as described at 5.11 above, Deploy HDF Policy Module in Corporate
Environment. A system administrator is encouraged to thoroughly test-run the
policy rules to ensure they are defined according to the corporate security
policy and operational requirements prior to production deployment.

When HDF is running in monitor/non-block mode (as recommended for the
'Pre-Deployment QA' step), the log entries are appended with a marker
[NON_BLOCK_MODE] to show the fact that HDF is in non-block mode. If any I/O has
not been defined in the policy and therefore would have been blocked, the log
entry has a <1> code, while the main HDF log <HDF.log> records a <0> code to
show the actual I/O status as allowed, because HDF is running in non-block
mode.

An alternative way to capture write I/Os is using the directive
MODE=ALLOW_IO_AND_RECORD. When the ALLOW_IO_AND_RECORD mode is activated, the
HDF policy engine will auto-allow the write I/O of protected files.


In the following example ALLOW_IO_AND_RECORD mode is active with a policy rule
defined as:

=INETINFO.EXE&=C:\WINDOWS\SYSTEM32\INETSRV\METABASE*.XML

and the HDF Policy log shows:

1.) 2014/01/24 03:24:23 <0> 1232:inetinfo.exe S-1-5-18 C:\WINDOWS\SYSTEM32\INETSRV\METABASE.XML
2.) 2014/01/24 03:24:24 <1> 1232:inetinfo.exe S-1-5-18 C:\WINDOWS\SYSTEM32\INETSRV\HISTORY\MBSCHEMA_0000000092_0000000000.XML
3.) 2014/01/24 03:24:28 <1> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG
4.) 2014/01/24 03:24:28 <1> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG.TMP
5.) 2014/01/24 03:26:26 <0> 1232:inetinfo.exe S-1-5-18 C:\WINDOWS\SYSTEM32\INETSRV\HISTORY\METABASE_0000000093_0000000000.XML

The first and the last log lines above show that the write I/Os are allowed
with a code <0> because of the effective policy rule. The others would have
been blocked, i.e. code <1>, if HDF were not running in ALLOW_IO_AND_RECORD
mode, because no effective policy is defined for them.

In this example, the administrator can easily determine whether he wants to
auto-allow the write I/Os with code <1> in future, and revise the policy file.
Similarly, he may want to remove obsolete and inappropriate rules from the
policy by checking the code <0> entries.

The policy log also records the time stamp when the HDF Policy module starts
and stops, e.g. when the system shuts down or reboots.

The second policy audit log file audits/tracks the policy rules in use as well
as reporting any policy and rule syntax errors. It is a very useful tool for an
administrator to troubleshoot and audit policy rules. The HDF Policy Audit
filename is <HDFPolicyAudit__computername.log>.

Both audit logs indicate that HDF is running in ALLOW_IO_AND_RECORD mode with a
tag [RUNNING NON-BLOCK MODE].

It is possible to configure how much log detail is required and whether one or
two audit logs are generated; refer to the Registry setting "IO_LogLevel" in
HDFGate Registry Settings, 8.2 below.

6.5 Additional audit log requirement

There are a large number of log management and GRC frameworks on the market to
meet the needs of different security and compliance requirements. It is
impractical for Abatis to provide tools to support the vast array of audit log
requirements. Please contact Abatis to discuss your specific log management
and reporting requirements.

6.6 Automated Log Archive

The HDF kernel, in its default settings, records all monitored I/O activities
to a log file <HDF.log>; the file may grow to a huge size over time. It is
advisable to periodically make a backup and archive the log file, either for
log management or legal/regulatory compliance purposes.


The HDF Advanced version implements an automated log archive feature for an
administrator user to define the time frequency at which to archive the HDF
log. When defining the log archive settings, the user may consider factors
such as the rate of I/O frequency of the server and operational requirements.

6.7 Log archive settings

The current version supports the following settings for the automated log
archive:

Archive by type: Activates the log archive function. Supported options are no
archive (disabled) and time-based, i.e. daily, weekly etc. More options may be
included in future releases if requested.

Archive frequency: The log archive function is triggered when the time
frequency condition is met. The setting (in decimal) is the number of days in
the interval; 30 days and multiples of 30 days define a schedule of monthly or
longer log archive cycles. The following day values are sample settings:

o 7 = weekly;
o 10 = every 10 days;
o 30 = monthly (default);
o 90 = quarterly, and
o 360 = annually etc.

Archive time (hours): The hour of the day at which to start the log archive.
The setting is in 24-hour clock format; there is no setting for minutes. For
example:

o 0 = at 00:00, midnight (default)
o 1 = at 01:00, 1:00 a.m.
o 12 = at 12:00, 12:00 p.m.
o 13 = at 13:00, 1:00 p.m.
o 22 = at 22:00, 10:00 p.m.

Archive file format: The file name format of the archived log file. It is
recommended to name the archived file in some form of date format for easier
log management, e.g. a setting of HDF_YYYYMMDD.log will generate an archived
file HDF_20110112.log (for an archive date of 12/01/2011).

Archive file URL: The path location of the archived file. If the field is
empty (default), the archived file is saved to the same path as the default
log file.

The automated log archive settings are stored in the HDF Service Registry
entries as follows:

Automated Log Archive - HDF Registry Settings

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDFGate\Parameters]

Key name                         Value              Meaning
ArchiveType (DWORD)              0x0                0 = no archive
                                 0x2                2 = archive by time frequency.
                                                    0x10000000 is added to indicate
                                                    that the archive task is
                                                    registered, e.g. 0x10000002.
                                                    To reset the setting, write 0x2.
ArchiveTimeFrequency(day) (Hex)  1E                 30 in decimal; n = number of
                                                    days, e.g. 1 = daily,
                                                    7 = weekly, 30 = monthly,
                                                    360 = yearly
ArchiveTime(hours) (Hex)         0                  Hour (24-hour clock) at which
                                                    to perform the log archive,
                                                    e.g. 0 = 00:00 midnight,
                                                    1 = 01:00, 18 = 18:00
ArchiveFormat (string)           HDF_YYYYMMDD.log   The file name format of the
                                                    archived log file
ArchiveFileURL                   Blank              Path to the archived log file.
                                                    Default empty: archive to the
                                                    same folder as HDF.log

T hese values can be set by editing the Registr y entr ies. A GUI management tool
to edit settings w ill be available in a futur e r elease.

Note: After auto log archive is configured via the ArchiveType value in the
Registry, the HDFGate Service registers the log archive task when it first starts.
Successful activation is indicated by adding a value of 0x10000000, e.g. 0x2
becomes 0x10000002. If there is a need to change and update the log archive
settings, ArchiveType must be reset to the unregistered setting, e.g. 0x2,
and the HDFGate Service restarted.

Automatic log archive is implemented as a Windows Scheduler task and it has the
characteristics and limitations of a scheduled task, e.g. if a monthly archive schedule is
activated on the 31st day of the month, the log will only be archived in months that have
a 31st instead of every month.


7 Email Alert Notification Services


HDF has a built-in near real-time email alert feature to notify named
administrator users of Write I/O attempts on protected files. This is provided by
HDFRemote.

To activate the email alert function, the administrator user defines options for the
Email Alert Notification Services in a configuration text file
<Email_conf.hdf>. When the notification service options are defined, the HDF
administrator activates the service by setting the configuration file location in
the HDFRemote service parameter and starting the service; details are at 7.8 below.

7.1 Email Alert Configuration File


The current version supports the following email alert settings in the email alert
configuration file <Email_conf.hdf>. A sample configuration file is included.

7.2 Email alert notification recipient list


To = admin1@domain.com;admin2@domain.com

Multiple recipients are separated by a semi-colon (;) marker.

7.3 Email source identifiers


Two email data fields can be used to identify the reporting computer.

FromName = HDFnode

FromMail = system_id@domain.com

7.4 Email Subject line text


Subject = "HDF notification"

The email subject line is for email alert message classification purposes.

7.5 I/O result to monitor and notify recipients


Marker = <0>:<1>:<4>:

The markers are the same as the decision codes for the log file, i.e.
<0> for allowed Write I/Os,
<1> for blocked Write I/Os, and
<4> for allowed Write I/Os by trusted processes.
Refer to the table at 6.2 above. An HDF administrator may specify the I/Os of
interest to monitor, e.g. <1> only reports blocked Write I/Os and ignores
other I/Os. The default is to report on all I/O results.


7.6 Email alert coverage time period


Period = 00:00-23:59

Defined in 24-hour time format. The default setting is 24 hours coverage.

7.7 Occurrence frequency of I/O events for each email alert


Frequency = 10

It is suggested to set a value according to the specific deployment environment
and the likely rate of I/O events. A low value, e.g. 1 or 2, will provide a near
real-time alert but may generate many email messages, overloading the email
system. On the other hand, a high value, e.g. 50 or 100, may not generate
many email alerts but the notification may not be timely. It is suggested that
the administrator user experiment and define an optimal value to meet the
operational requirement.

7.8 Enable Email Alert Notification Services


After the notification options are defined, edit the following HDF Registry
settings to activate the email alert feature.

HDF Registry Settings


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDFGate\Parameters]
Key name                     Value               Meaning
EmailAlertService (DWORD)    0x1                 Enable email alert services
                             0x0                 Disable email alert services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDFRemote\Parameters]
Key name                     Value               Meaning
MailConfiguration (string)   C:\Email_conf.hdf   The email configuration file

7.9 Activate and Update Email Alert Options


When any update or modification to the email alert options is made, the HDF
Services HDFGate and HDFRemote have to be restarted for it to take effect, e.g. using
either the Services Control Manager's Services GUI tool <services.msc> or
the following commands:

C:\>net stop HDFGate
C:\>net start HDFGate
C:\>net stop HDFRemote
C:\>net start HDFRemote


7.10 Email Alert Notification Message Format


The format of an email alert message is similar to a log entry with the addition
of the sender's identifiers and computer name for identification purposes. Alert
email format:
Log From: ComputerName
Date,Time,<I/O decision code>,Pid:ProcessName,Sid,Full_Pathname
The following email alert setting is configured to send one email alert message
for every five I/O events. The example shows a buffer overflow attack was
successful against the IIS 6 process <w3wp.exe>. The <w3wp.exe> process
was compromised to overwrite web files in a web defacement attempt. HDF
blocked the Write attempts and the website was protected from the attack.
Log From: WebFarm_IIS1
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTM
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTML
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTM
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTML
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\INDEX.PHP
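The alert pipeline described in 7.5 to 7.7 and the message format in 7.10, as an added Python example that is not part of the HDF product or this guide: it reads a constructed Email_conf.hdf, filters constructed log entries by Marker and Period, and groups them into one alert body per Frequency events. The function names, the space-separated entry layout taken from the example above, and the sample data are assumptions.

```python
import re
from datetime import datetime, time
# Constructed Email_conf.hdf using the keys documented in 7.2 to 7.7.
SAMPLE_CONF = """\
To = admin1@domain.com;admin2@domain.com
Marker = <1>:
Frequency = 2
"""
# Constructed entries: Date Time <code> Pid:Process Sid Full_Pathname (path may contain spaces).
SAMPLE_LOG = """\
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\\SITE\\WWWROOT\\DEFAULT.HTM
2010/12/30 03:54:02 <0> 1180:backup.exe S-1-5-21-100 C:\\SITE\\WWWROOT\\LOGO.GIF
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\\SITE\\WWWROOT\\MAIN.HTM
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\\SITE\\WWWROOT\\INDEX.PHP
"""
LOG_RE = re.compile(r"^(\S+) (\S+) <(\d+)> (\d+):(\S+) (S-[\d-]+) (.+)$")

def parse_conf(text):
    """Read key = value lines; decode Marker, Period and Frequency (defaults as in the guide)."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip().strip('"')
    conf["Marker"] = {int(m) for m in re.findall(r"<(\d+)>", conf.get("Marker", "<0>:<1>:<4>:"))}
    start, end = conf.get("Period", "00:00-23:59").split("-")
    conf["Period"] = (time.fromisoformat(start), time.fromisoformat(end))
    conf["Frequency"] = int(conf.get("Frequency", 10))
    return conf

def parse_entry(line):
    """Return a dict for one log entry, or None for a malformed line."""
    m = LOG_RE.match(line.rstrip())
    if not m:
        return None
    date, clock, code, pid, proc, sid, path = m.groups()
    return {"when": datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S"),
            "code": int(code), "pid": int(pid), "process": proc, "sid": sid, "path": path}

def batch_alerts(conf, log_text, computer="HDFnode"):
    """One email body per Frequency matching events; leftovers are returned as pending."""
    start, end = conf["Period"]
    hits = [e for e in map(parse_entry, log_text.splitlines())
            if e and e["code"] in conf["Marker"] and start <= e["when"].time() <= end]
    n, bodies = conf["Frequency"], []
    for i in range(0, len(hits) - len(hits) % n, n):
        rows = [f"{e['when']:%Y/%m/%d %H:%M:%S} <{e['code']}> {e['pid']}:{e['process']} "
                f"{e['sid']} {e['path']}" for e in hits[i:i + n]]
        bodies.append("\n".join([f"Log From: {computer}"] + rows))
    return bodies, hits[len(bodies) * n:]
```

With the sample data, the three <1> entries yield one body of two rows and one pending entry, while the <0> entry is dropped by the Marker filter.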


8 Configuration and Registry Settings


HDF operation is controlled via settings defined in the system Registry, and
dynamically at runtime using the command line tool, HDFControl.exe. The
kernel module loads its settings during system boot-up and will not be affected
by subsequent changes to the Registry entries until the next reboot.

The following table shows the settings and values of the current version.

8.1 HDF kernel driver Registry Settings


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDF\Parameters]
Key name                 Value                                Meaning
Configuration (DWORD)    Ops code                             Settings for:
                                                              1) Blocking and logging
                                                              2) Only logging (Audit mode & Monitor mode)
                                                              3) Only blocking, no logging
Extensions               Depends on server roles and may      User-defined file extensions to protect. The
                         vary; default for IIS web server:    default is a list of common file extensions
                         .GIF;.PNG;.JPG;.JPEG;.BMP;.SWF;      that are associated with an IIS web server and
                         .ASP;.ASPX;.HTM;.HTML;.PHP;.CFM;     should be protected. The list is not complete
                         .CONFIG;.EXE;.DLL;.SYS;.BAT;.CMD;    and the user is advised to validate that the
                         .OCX;.COM;.VBS;.VBE;.PIF;.SCR;       list covers the protection profile required.
                         .CHM;.DRV;.HTA;.SHS;.WMA;.WSF;       Please contact Abatis for discussion.
                         .WSH;.CPL;.CAB;.JSE;.MHT;            The list of file types/extensions may be
                                                              different depending on the computer roles.
                                                              For example, we deny unauthorized writes to
                                                              *.HTML files for an IIS web server and may
                                                              not when it is an Exchange or file server.
Sids                     Blank                                List of group SIDs to white-list, separated
                                                              by ; (default: none)
UserSids                 Blank                                List of user SIDs to white-list, separated
                                                              by ; (default: none)
AllowedProcesses         Blank                                List of trusted processes to white-list,
                                                              separated by ; (default: none)
LogPath                  C:\Program Files\Abatis\HDF\Log      Default path of log file (must be a valid path)
8.2 HDFGate Registry Settings


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDFGate\Parameters]

Runtime Rule Control Setting
Key name                     Value               Meaning
IO_RunTimeRuleActivated      (Hex) 0x1           0x1 = Enable
                             (Hex) 0x0           0x0 = Disable
                                                 Set 0x1 for Blocking/Monitor mode.
                                                 Set 0x0 for Audit mode; the IO_PolicyActivated
                                                 value must be set to 0x0.

Policy Rule Setting
IO_PolicyActivated           (Hex) 0x1           0x1 = Enable
                             (Hex) 0x0           0x0 = Disable
                                                 Set 0x1 for Blocking/Monitor mode.
                                                 Set 0x0 for Audit mode; the
                                                 IO_RunTimeRuleActivated value must be set
                                                 to 0x0 also.
IO_PolicyFileURL             Blank               Path location for the policy file
                                                 <MasterPolicy.HDF>. If the value is empty
                                                 (default), HDFGate Service seeks the policy
                                                 file in the application path.
IO_LogLevel                  (Hex) 0x0           0x0 = Disable
                             (Hex) 0x1           0x1 = Log entries denied by HDF policy
                             (Hex) 0x2           0x2 = Log entries allowed by HDF policy
                             (Hex) 0x3           0x3 = Log all denied and allowed entries
                             (Hex) 0x4           0x4 = Log entries of trusted processes only
                             (Hex) 0x10          0x10 = Generate policy rules audit log
                             (Hex) 0x11          0x11 = Generate activated policy rules audit
                                                 log and denied I/O log
                             (Hex) 0x17          0x17 = Generate activated policy rules audit
                                                 log and policy decision log, e.g. 0x10 + 0x07

Email Alert Notification Setting
EmailAlertService            (Hex) 0x1           0x1 = Enable
                             (Hex) 0x0           0x0 = Disable

Automated Log Archive Setting
ArchiveType                  (Hex) 0x0           0 = no archive
                             (Hex) 0x2           2 = archive by time period frequency (the only
                                                 option for the current release).
                                                 0x10000000 is added to indicate a task is
                                                 registered, e.g. 0x10000002. To reset the
                                                 setting, write 0x2.
ArchiveTimeFrequency(day)    (Hex) 1E or 30      n = number of days, e.g.
                             in decimal          1 = daily,
                                                 7 = weekly,
                                                 30 = monthly (default),
                                                 360 = yearly
ArchiveTime(hours)           (Hex) 0             Time to perform log archive in 24-hour
                                                 format, e.g.
                                                 0 = 00:00 (midnight)
                                                 1 = 01:00 (01:00 a.m.)
                                                 18 = 18:00 (06:00 p.m.)
ArchiveFormat (string)       HDF_YYYYMMDD.log    The file name format of the archived log file,
                                                 e.g. HDF_20110112.log
ArchiveFileURL               Blank               Path to the archived log file. Default empty to
                                                 archive to the same folder as HDF.log

Automated WSUS support
AutoEnableTimeLapse(sec)     (Hex) 1E            Default 30 seconds delay, e.g. 30 or 0x1E.

8.3 HDFRemote Registry Settings


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDFRemote\Parameters]
Key name                     Value               Meaning
MailConfiguration            APP_FOLDER          Path location of the email configuration file


9 Troubleshooting
HDF has been tested extensively over the last 7 years on production systems
with different software combinations and configurations. It has proven to be
stable, reliable and free from compatibility issues. HDF works concurrently with
most major brands of anti-virus and anti-spyware programs, firewalls as well as
data encryption products.

Because of the infinite number of combinations of system configurations and
software components, it is impossible to test every configuration. In the unlikely
situation that HDF is suspected of causing a compatibility issue, a few simple
troubleshooting steps are recommended and it is not necessary to uninstall
HDF.

The common scenario is that HDF blocks a user application when it attempts to write
a protected file type (expected HDF behaviour), and the user is not aware of
it. Typically, setting HDF to operate in non-blocking mode can help to identify
potential problems. If the problem is resolved when HDF is running in non-
blocking mode, HDF.log shows what files have been blocked and the cause
of the problem can be resolved simply by allowing the file write, by one of the
automated access approval schemes discussed earlier in this guide.

To run in non-blocking mode, use either the system tray icon GUI tool or the
command line tool HDFcontrol.exe with the non-block parameter, e.g.
C:\path> HDFcontrol /C:0

However, if turning off blocking is insufficient to troubleshoot the issue, it may
be necessary to fully de-activate HDF functionality, with the following
command:
C:\path> HDFmonitor /C:9

The command above shuts down all HDF functionality, including logging, for
troubleshooting purposes.

Lastly, the uninstall wizard, if needed, will remove all installed components and
Registry settings and return the computer to the pre-install state.

Note: Before uninstalling HDF, it is necessary to configure HDF to bypass mode to
fully de-activate HDF resilient protection.


Annex A. List of Application Files


Table of HDF application files

Installed file                     Default Directories                  Function
HDF.sys                            %SYSTEMROOT%\system32\drivers        HDF core kernel driver
HDFGate.exe                        Application folder                   HDF Service applications: Access rules
                                                                        processing module; Automated log archive
HDFRemote.exe                      Application folder                   HDF Service applications: Email alert
                                                                        notification
HDF.log                            Application folder\Log\              HDF raw log data
MasterPolicy.HDF                   Application folder or User defined   Access rules policy file
WindowsUpdates.hdf                 Application folder or User defined   Sample policy file for WSUS and MSE
HDFPolicy__computerName.log        Application folder\Log\              HDF Policy decision log
HDFPolicyAudit__computerName.log   Application folder\Log\              HDF Policy rules audit log
Email_conf.hdf                     Application folder or User defined   Email alert notification configuration file
HDFConf_custid.hdf                 Application folder                   Configuration file required by various
                                                                        HDF modules
