ABATIS
Document History
Table of Contents
1 Introduction ... 8
2 Installation, Uninstall and Licence key ... 10
2.1 Install ... 10
2.1.1 Step 1: Disable User Access Control ... 10
2.1.2 Step 2: Install HDF application ... 12
2.1.3 Step 3: Follow installation wizard prompts ... 13
2.1.4 Step 4: Import licence key to Registry and reboot ... 13
2.1.5 Step 5: Resetting UAC control (if desired) ... 14
2.2 Uninstall - Please read before uninstallation ... 14
3 Using HDF ... 16
3.1 GUI Menu Options - tray icon application ... 17
3.1.1 Software Install/Update ... 17
3.1.2 Start Protection ... 18
3.1.3 Settings ... 19
3.1.4 About ... 21
3.1.5 View Log File ... 21
3.1.6 Exit HDFMonitor ... 21
4 Features ... 22
4.1 Overview ... 22
4.2 Technical Features ... 23
4.3 Security Features ... 23
4.4 Deployment Platform & Environment ... 23
4.5 What HDF Is Not ... 23
5 Using HDF Advanced Edition ... 24
5.1 Overview ... 24
5.2 Operating Mode ... 24
5.3 Automated Approval for Authorized Write I/O ... 24
5.4 Runtime Write Control Rules ... 25
5.5 Syntax ... 26
5.6 Policy Rules ... 27
5.7 HDF Policy - How it works ... 28
5.8 Policy rules format - Policy.HDF ... 28
5.9 How to Define HDF Policy Rules ... 30
5.10 Automated WSUS support ... 31
5.11 Deploy HDF Policy Module in Corporate Environment ... 32
5.12 [Policy Definition] ... 32
5.13 [Policy Testing] ... 32
5.14 [Pre-Deployment QA] ... 33
5.15 [Production and Monitoring] ... 33
5.16 Access Control Decision Flow ... 34
5.17 Command Line Tool ... 34
5.18 Use of tool ... 35
5.19 Example use for software patching and system updates ... 35
6 Audit Logging ... 37
6.1 How HDF Performs Audit Logging ... 37
6.1.1 HDF Main Audit Log ... 37
6.1.2 HDF Policy Audit Log ... 37
6.2 Log file format ... 37
6.3 Log samples ... 38
The SOFTWARE PRODUCT is protected by UK copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.

1. GRANT OF LICENSE.
You are permitted to install and use the SOFTWARE in machine-readable form only and solely on a single computer provided by you, solely for the purposes described in the applicable Licensor documentation. Any components of the SOFTWARE explicitly designed to reside and operate from a server may be installed on a single server solely on your premises, and any client component is to be installed on as many clients as user licenses purchased and described in the applicable Licensor documentation.

You may not reverse engineer, decompile, translate, disassemble, or otherwise attempt to derive source code from the SOFTWARE PRODUCT, or authorize any third party to do any of the foregoing except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. The SOFTWARE PRODUCT is licensed as a single product. Its component parts may not be separated for use on more than one computer. You may not rent, lease, loan, or distribute the SOFTWARE PRODUCT or any part thereof.

Software Transfer. You may not transfer your license of the Software to a third party.

Termination. Without prejudice to any other rights, Licensor may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.

3. COPYRIGHT.
the SOFTWARE PRODUCT like any other copyrighted material. You may not copy the printed materials accompanying the SOFTWARE PRODUCT.

Licensee agrees that some of the implementation methods used in the SOFTWARE PRODUCT are the intellectual property of Licensor.

ANY USE OF THE SOFTWARE IS AT YOUR OWN RISK. THE SOFTWARE IS PROVIDED "AS IS," "WITH ALL FAULTS," WITHOUT WARRANTY OF ANY KIND. LICENSOR, ITS SUPPLIERS AND DISTRIBUTOR DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, TITLE, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. SOME JURISDICTIONS DO NOT ALLOW THE DISCLAIMER OF IMPLIED WARRANTIES, SO THE DISCLAIMER OF IMPLIED WARRANTIES ABOVE MAY NOT APPLY TO LICENSEE, IN WHICH CASE THE DURATION OF ANY SUCH IMPLIED WARRANTIES IS LIMITED TO sixty (60) DAYS FROM THE DATE LICENSEE FIRST INSTALLED THE SOFTWARE ON LICENSEE'S COMPUTER; PROVIDED, HOWEVER, THAT LICENSEE'S SOLE AND EXCLUSIVE REMEDY, AND LICENSOR'S SOLE OBLIGATION SHALL IN ANY CASE BE THAT LICENSOR WILL, AT ITS OPTION, REPAIR OR REPLACE LICENSEE'S COPY OF THE SOFTWARE, OR TERMINATE THIS LICENSE AGREEMENT AND REFUND AMOUNTS ALREADY PAID THEREFOR BY LICENSEE.

Licensor does not warrant that the functions contained in the Software will meet your requirements or that the operation of the Software will be uninterrupted or error-free. Any representation, other than the warranties set forth in this Agreement, will not bind the Licensor. You assume full responsibility for the selection of the Software to achieve your intended results, and for the buying or downloading, use and results obtained from the Software. Licensee also assumes the entire risk as it applies to the quality and performance of the Software.

REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, TO THE EXTENT PERMITTED BY THE LAW OF THE JURISDICTION IN WHICH LICENSEE OBTAINED THIS LICENSE, LICENSOR, ITS SUPPLIERS AND DISTRIBUTORS WILL NOT BE LIABLE FOR ANY INDIRECT, EXEMPLARY, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES OF ANY CHARACTER, INCLUDING BUT NOT LIMITED TO DAMAGES FOR COMPUTER MALFUNCTION, LOSS OF INFORMATION, LOST PROFITS AND BUSINESS INTERRUPTION, AND THE COST TO OBTAIN SUBSTITUTE SOFTWARE, ARISING IN ANY WAY OUT OF THIS AGREEMENT OR THE USE OF (OR INABILITY TO USE) THE SOFTWARE HOWEVER CAUSED AND WHETHER ARISING UNDER A THEORY OF CONTRACT, TORT OR ANY OTHER LEGAL THEORY, EVEN IF LICENSOR, ITS SUPPLIERS OR DISTRIBUTOR WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL LICENSOR'S, ITS SUPPLIERS' OR DISTRIBUTOR'S TOTAL LIABILITY TO LICENSEE RELATING TO THIS AGREEMENT OR THE USE (OR INABILITY TO USE) THE SOFTWARE EXCEED THE AMOUNT PAID BY LICENSEE TO LICENSOR OR LICENSOR'S DISTRIBUTOR FOR THIS LICENSE. SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO LICENSEE. LICENSOR, ITS SUPPLIERS AND DISTRIBUTORS SHALL NOT BE LIABLE FOR ANY CLAIMS OF THIRD PARTIES RELATING TO THE SOFTWARE. LICENSOR, ITS SUPPLIERS AND DISTRIBUTORS WOULD NOT PROVIDE THE SOFTWARE TO LICENSEE IF LICENSEE DID NOT AGREE TO THE "DISCLAIMER OF WARRANTIES" AND "LIMITATION OF LIABILITY" PROVISIONS IN THIS AGREEMENT.

Protected by copyright and licenses restricting use, copying, distribution and decompilation. Abatis (UK) Ltd., Abatis and HDF are trademarks of Abatis in UK, Switzerland and other countries.

6. Contacting Abatis
For the latest versions of our programs, please check our web site at www.abatis-hdf.com
1 Introduction
This document is an introductory guide to the Advanced Edition of Hard Disk Firewall (HDF) from Abatis (UK) Ltd. (Abatis). This guide will assist you with the installation of HDF and the major features of the technology, and the procedure for de-installation should this be required. This guide is one of a series of guides for the family of Abatis products, which include the HDF Standard Edition, HDF Advanced Edition (this guide), HDF for Linux Advanced Edition and the Central Management Console (CMC).

HDF Advanced Edition is specifically designed to protect the system integrity of server computers running Microsoft Windows Server Operating Systems, from Windows NT 4, Windows Server 2000 and later (32 bits and 64 bits). It is also compatible with other consumer Microsoft Windows Operating Systems such as XP, Vista and Windows 7.

HDF is suitable for deployment on Windows servers performing a variety of server roles to safeguard against internal and external malicious intrusion and hacking attacks. It is particularly effective at protecting Internet facing servers, e.g. web servers, from security compromises such as website defacement, website hijacking by cyber criminals to host malicious contents, Botnet Command & Control (C&C) and other illegal purposes.

The HDF concept is simple: it can be described as a file I/O access security gate. Once the gate is closed, all unwanted write accesses to 'protected files' [1] are denied by default. Only authorized staff and the system owner can open the security gate with authenticated access to the gate key. In the event of a successful intrusion attack, an attacker/hacker is blocked from uploading/modifying system and application files, and the hacking attempts are effectively foiled. HDF's unique and effective protection ensures system integrity is maintained without complex security policies and administrative overheads.

[1] 'Protected file' refers to all Windows executables (PE files) and user defined files for protection - full file names and file extensions are supported.

HDF starts blocking as soon as it is installed. This means HDF prevents any executable files and 'protected files' being written to the computer. All existing applications on the computer operate as normal without restriction.

HDF is a security tool that needs no daily maintenance, has no noticeable performance impact and is secure against most intrusion attacks. It empowers a system owner to enforce robust access control to any files on the system using a transparent and simple to manage approach. This makes regulatory compliance much easier, as it is easy to demonstrate system integrity processes.

- Prevent cyber criminals hijacking the company server for distributing malicious contents such as viruses and worms
- Prevent any unauthorized modification of system configuration files and help maintain system integrity
- Transparent in operation: all existing applications execute as normal without white lists or further maintenance tasks
- Built-in near-real time alert function and rule-based response

All this in a file size of less than 100 Kbytes.
2.1.1 Step 1: Disable User Access Control
UAC must be set to disabled; this can be performed via the Start Menu. Select the above setting for UAC and reboot the server. You must reboot before installing HDF.

Alternatively, if the logon user is a member of the local administrators group but not the built-in "Administrator" user, it is recommended to call up a command shell, e.g. 'cmd.exe', with the "Run as administrator" option and to execute the installer msi file on the command line from that command shell.

2.1.2 Step 2: Install HDF application
Execute the HDF installer MSI file; the installation wizard will guide the installation process.

2.1.3 Step 3: Follow installation wizard prompts
Follow the installation wizard prompts to select the HDF application folder.

2.1.4 Step 4: Import licence key to Registry and reboot (only necessary if the licence key is not bundled in the package)
Navigate to the location of the licence key to import as directed by the installer. We recommend copying the HDF licence file to the Desktop before running the installer.
We suggest importing the supplied licence file at this time, before the final step of rebooting the system (if this has not been done in the previous step). HDF will not work without a valid licence key.
Note: If the licence has not been imported to the system after the first reboot, HDF's kernel module will not activate. In such a case, make sure the licence is imported by running the tool <HDFsetup.exe> in the HDF application folder. A reboot is necessary.

2.1.5 Step 5: Resetting UAC control (if desired)
UAC can be reset back to the original settings; however, a reboot will be required.

2.2 Uninstall - Please read before uninstallation
To uninstall HDF, run the uninstall wizard either from the HDF application menu at Start > All Programs > Abatis HDF > Uninstall HDF, or open the Control Panel > Add or Remove Programs and select HDF to remove.
The uninstall wizard removes all installed components and deletes the HDF registry entries and the HDF log file. We endeavour to restore the computer to its previous state and remove all entries generated by the HDF application, including clean-up of Registry entries. Remember to back up or make a copy of the log file if required.

With the information gathered in the log file during 'Learn mode', suitable policy rules can be defined in the policy file (ref. 5.6 below) to auto-allow these applications to write their updates to the computer. If you have any difficulties in defining policy rules, please contact Abatis for support.
3 Using HDF
After installation and system reboot, HDF is fully functional without further configuration being necessary. HDF runs in the background without noticeable impact on system performance. No maintenance is needed on a daily use basis. HDF is essentially an install and forget application; no pattern file updates or patches are required. However, it will be necessary to suspend HDF for authorised software installation and updating.

HDF Icon

On a security sensitive server, we strongly recommend that the full GUI application <HDFMonitor.exe> not be installed, in order to minimize the attack surface available to bypass HDF protection. Instead, HDF should be controlled and managed by the command line tools.

Note
HDF can run with full functionality on computers without the GUI component if company policy dictates that end users should have no knowledge of HDF's presence and blocking.

3.1.1 Software Install/Update
Allows a user to temporarily turn off HDF blocking protection to allow software installation, system patching or application update, e.g. anti-virus software updates.
The first time this option is selected, the following dialog is displayed. It is possible to hide it by checking the box "Do not remind me again".
During the time HDF's protection is turned off (non-blocking), the application tray icon animates (RED X) to indicate it is in monitor mode.
After a pre-set time delay, HDF will remind you that it is operating in non-blocking monitor mode with no protection (default: 30 seconds, see Settings option). HDF remains in non-blocking mode (no protection) until a user selects an option and clicks on a button.
Response:
- Yes: enable HDF protection immediately. Default option if the user presses the <Enter> key.
- Cancel: dismiss the dialog box; HDF remains in non-blocking mode until the next restart or until re-enabled manually using the Start Protection context menu option, described below (only available to users with administrative rights).
When HDF is running in non-blocking mode, all executable files that are saved and installed on the computer are recorded in the log file.
If HDF is turned off via the GUI, there is a security feature whereby HDF will enable itself after one hour running in monitor mode, as a safeguard in case the user forgets to turn on protection again. This feature is not available to the command line tool, HDFControl.exe.

Note
The HDF log is a useful tool to audit and track what files are actually installed on the system by any application, and is useful to troubleshoot post-install problems.

3.1.2 Start Protection
Any time HDF is suspended and before the reminder dialog appears, the Start Protection option immediately enables blocking protection. It is useful when the software install/update action is completed and the user wants to turn on protection without waiting for the reminder dialog.

3.1.3 Settings
An administrator can define various settings to control user privilege use. Please note that if UAC is enabled on the platforms that support it, such as Vista, Windows Server 2008 and Windows 7, the logon administrator account runs with standard user privilege and all settings must be modified under true administrator privilege; refer to 2.1.1 for further information. Please note: these settings are only available to trusted administrators.
Options available are:
- Show reminder dialog when software install/update option is selected: either displays or hides the reminder window that HDF is about to be suspended when selecting the software install/update option from the menu.
- Option to turn on auto-archive of the audit log file, HDF.log. The default setting is 2 Mbytes in file size; the archive log file name is HDF_yyyymmdd.log. It is also possible to archive the log file manually at any time as needed. Option to disable the archive operation error message dialog box.
- Software install/update option: time delay for HDF protection auto re-activation prompt (in seconds): set the period in seconds for a prompt dialog window to re-start HDF.
- Time delay to activate HDF protection after a user logon (in seconds, defaulted to 0 seconds): set the delay period (in seconds) after a user logs on to the computer until HDF activates protection of the system. This option is for system administrators to download executable and batch files when a user logs on. This period should be set low unless there is a valid reason to delay the protection of HDF.
- SW install/update option for admin only: hide the Software install/update context menu option from non-administrator users. An option to ensure only an administrator user has the option to turn off HDF (normal users will not see the menu).
- Exit HDFMonitor option for admin only: hide the Exit HDFMonitor context menu option from non-administrator users. An option to ensure only an administrator user has the option to exit the HDFMonitor tray icon application (has no effect on the protection/blocking functionality, which is performed by the HDF driver).
- Show menu option to deactivate HDF (turns off all HDF functionality - bypass mode): will add a menu option to allow complete bypass of HDF protection (only for troubleshooting; not recommended for normal use).
- Operation mode:
  1. Normal mode: full protection mode with logging.
  2. Learn mode: use to check the I/O write operation parameters for the purpose of preparing an allow-list for the HDF policy file. Default setting when first installed. Common use is to find legitimate writing of executables for auto-allow purposes, e.g. anti-virus programs. In this mode, blocking is OFF with logging ON.
  3. Audit mode: non-block mode with extensive logging of all write operations, including not only executables but all files written to the disk. Caution: logging all file writes of the system will take up a lot of disk space quickly, so use only if necessary.

3.1.4 About
Displays HDF application versioning information that is useful when contacting Abatis for support.

3.1.5 View Log File
Activates the system default text file viewer to display log entries. Please see section 6.2 below for details.

3.1.6 Exit HDFMonitor
The option is hidden from normal users but not administrator users (configurable via the settings menu option). Exiting the HDF monitor does NOT terminate the HDF protection.
4 Features
4.1 Overview
Experience has shown that complex security implementation often hinders the proper use of a security tool. HDF's design philosophy is simple management, transparency in operation and focus on one security objective: effective system integrity protection.

HDF's unique approach is that an administrator user needs only to determine what application files require protection - these files are referred to as 'protected files' - and, optionally, define simple policy rules to automate authorized write and modification accesses to the protected files.

HDF can be seen as a write I/O security gate. Only a legitimate user who has the gate key to open the gate can write/edit protected files. To prevent high privilege account abuses, e.g. buffer overflow compromises, an administrator user has no default access right when the gate is closed. In the current version, the gate key is a command line tool and the system tray icon GUI, which are used to unlock the gate, and is further complemented by user defined rules. Since the gate key is the guardian of HDF's security, authenticated access to the gate key is paramount.

Whilst HDF protects write I/O and can be configured, once HDF is installed, no executable code can be installed without opening the gate while in protective mode; HDF comes with this feature out of the box!

With built-in extensive audit log capability, HDF offers the user an overview as well as control of the file write I/O activities on the protected systems. It can be used as a monitoring tool or a proactive security tool against malware and intrusion hacking; the protection is robust even when the attacker has unlawfully obtained admin privilege, that is, the attacker cannot bypass HDF protection.

The HDF application consists of a kernel driver and supporting user-mode NT Services and applications.

4.5 What HDF Is Not
HDF is not intended for other security services such as Confidentiality, Availability and Accountability. Please contact Abatis if additional security protections are required.

HDF operates on the security principle of Default Deny when it is running in blocking mode. This means that if a protected file is not explicitly allowed to be modified/written, then a write/change access to the file will be denied irrespective of the requester's account privilege. In addition, a write approval must be sent to HDF before the write I/O operation occurs; i.e. only pre-authorized write actions are possible. The approach has been proven most effective at defeating malware and hacking attacks on live production systems for years.

5.2 Operating Mode
HDF operates in one of three modes: Blocking mode (which enforces the security policy), Monitor mode (non-blocking), which is used to test a configuration before putting the system into Blocking mode, and Audit mode (also non-blocking), which records all system I/O activity in addition to protected files. These modes are configurable via start-up configuration settings and at runtime.
- Blocking mode: denies Write access to executable and user defined files unless it is allowed by runtime approval or policy rules.
- Audit mode (non-blocking): permits Write access to executable and user defined protected files that it would otherwise deny, i.e. HDF permits the Write I/Os to complete as normal. This setting is for passive audit/monitoring purposes and will not affect/protect the running system in any manner.
- Monitor mode (non-blocking): similar to Audit mode except that the HDF module processes the runtime and policy rules in the same way as in Blocking mode, with the exception that it always allows a Write operation to complete. It is a special mode for the user to identify files that require integrity protection, and to validate applicable access rules prior to deployment on production systems.

When the application uploads the target file, the upload operation is detected by the HDF kernel and it forwards the details to the access control module, which then performs a matching check against the runtime list. If a match is found it returns an Allow decision to the HDF kernel; otherwise it continues to check against the policy rules, if they exist (refer to 5.6 below).
5.5 Syntax
The syntax for passing a file name to the HDF access control module <HDFGate.exe> follows the standard COM calling convention; the HDF COM server is <HDF.Gate>. Please contact Abatis for a sample script <sample.asp> [2].
The following sample shows a classic ASP script passing a filename to HDF at runtime with two lines (the standard html tags are skipped for clarity):
Syntax:
<%
Set HDFGate = Server.CreateObject("HDF.Gate")
HDFGate.ShowMessage Control_code, "File Path", "Caller_id"
%>
Where:
- HDF.Gate: the HDF COM server
- Control_code: 0 to instruct HDF to allow a file, 1 to deny further Write I/O to the file when the upload completes
- File Path: file name and path information on the target computer
- Caller_id: an identifier for auditing purposes

1. Initiate communication with the HDF.Gate COM server and instruct HDF to allow a file upload, passing (a) a control code, (b) file path/file name, and (c) the caller ID:
Set HDFGate = Server.CreateObject("HDF.Gate")
HDFGate.ShowMessage 0, "C:\inetpub\wwwroot\MySite\index.asp", "Sample.asp"
2. The application uploads the file <index.asp> to the destination path using the application's normal method, e.g.
My_CMC.Uploader("C:\inetpub\wwwroot\MySite\index.asp")
The upload will be allowed automatically.
3. Update HDFGate when the file upload is completed and close the session:
HDFGate.ShowMessage 1, "C:\inetpub\wwwroot\MySite\index.asp", "Sample.asp"
Set HDFGate = Nothing

[2] Runtime access control is particularly suitable for Web sites that allow users to upload files to the server, where the Web master gains control to decide what files are allowed to be written to the system. Other samples can be provided as required, e.g. a C++ sample.
The policy rule format is specifically designed to be simple and flexible to meet anticipated requirements in a corporate environment. The current implementation should meet most security needs; please contact Abatis if a particular requirement is not covered or you have questions on policy rule definition (instructions at 5.9 below).

Policy rules are used to enable fine-grained control over writing and editing of protected files, and the rules are maintained in a master policy file <MasterPolicy.HDF>. The Policy engine supports multilevel sub-policies to provide a simple, structured and hierarchical organization of policy rules. An administrator can define a master policy file for a department and sub-policy rules for different business functional units and groups within the department. This flexibility allows the administrator to define separate policies for different user groups, business functions and application domains.

Take the example of an imaginary software engineering department which has a number of sub-teams: software architecture, UI graphic design, system programming team, UI programming team, Web application team and QA sub-teams. The policy rule structure may be organized so that <MasterPolicy.HDF> defines the rules for the common applications used by the whole department, and level-2 policies for each of the teams. A further level-3 policy may define rules for specific applications used only on the computers of the QA sub-teams, etc.

Each rule line controls the write access of one protected file to the destination path (wildcard file names are supported). Sample policy files are included in the package.
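The write-access decision flow this guide describes, worked through as a small Python model: runtime approvals made through HDF.Gate (control code 0 to allow, 1 to revoke) are checked first, then the policy rules in the forms listed under 5.8 below, and in Blocking mode anything unmatched is denied, while Monitor and Audit modes evaluate the same rules but never block. This is an added illustration, not Abatis code and not one of the package's sample policy files; the rule lines, process names and paths are constructed, and spelling the "any protected file in this path" rule form with a `*` file name is an assumption.

```python
import fnmatch
import ntpath  # Windows path semantics even when this runs on a POSIX host

BLOCKING, MONITOR, AUDIT = "Blocking", "Monitor", "Audit"


class PolicyRule:
    """One rule line: '=<file spec>' or '=<process.exe>&=<file spec>'.
    Forms taken from the guide, in descending order of security:
      =proc.exe&=n:\\dest\\file.ext   process, path and file name must all match
      =n:\\dest\\file.ext             any process, exact path and file name
      =n:\\dest\\*                    any process, any protected file in that path
    The '*' form is an assumption; the guide only says wildcard file names are supported.
    """

    def __init__(self, line):
        self.line = line.strip()
        if not self.line.startswith("="):
            raise ValueError(f"policy rule must begin with '=': {line!r}")
        body = self.line[1:]
        if "&=" in body:
            proc, spec = body.split("&=", 1)
            self.process = proc.strip().lower()
        else:
            self.process, spec = None, body
        spec = spec.strip().lower()
        self.directory = ntpath.dirname(spec)
        self.pattern = ntpath.basename(spec)
        if not self.directory or not self.pattern:
            raise ValueError(f"rule needs a destination path and a file name: {line!r}")

    def matches(self, process, path):
        if self.process is not None and self.process != process.lower():
            return False
        path = path.lower()
        return (ntpath.dirname(path) == self.directory
                and fnmatch.fnmatchcase(ntpath.basename(path), self.pattern))


class HdfGateModel:
    """Decision flow from the guide: runtime list, then policy rules, then default deny."""

    def __init__(self, mode=BLOCKING, rules=()):
        self.mode = mode
        self.rules = [PolicyRule(r) for r in rules]
        self.runtime = {}  # lower-cased file path -> caller_id that approved it
        self.log = []      # (mode, process, path, allowed, reason)

    def show_message(self, control_code, path, caller_id):
        """Mirrors HDFGate.ShowMessage: 0 = allow the file, 1 = deny further writes."""
        key = path.lower()
        if control_code == 0:
            self.runtime[key] = caller_id
        elif control_code == 1:
            self.runtime.pop(key, None)
        else:
            raise ValueError("control code must be 0 (allow) or 1 (deny)")

    def write_allowed(self, process, path):
        key = path.lower()
        if key in self.runtime:
            allowed, reason = True, f"runtime approval by {self.runtime[key]}"
        else:
            rule = next((r for r in self.rules if r.matches(process, path)), None)
            if rule is not None:
                allowed, reason = True, f"policy rule {rule.line}"
            else:
                allowed, reason = False, "default deny"
        if not allowed and self.mode != BLOCKING:
            # Monitor and Audit modes evaluate the rules but never block the write
            reason += f" (not enforced in {self.mode} mode)"
            allowed = True
        self.log.append((self.mode, process, path, allowed, reason))
        return allowed


def run_scenario(mode=BLOCKING):
    """Constructed rules and write requests; returns each verdict by name plus the log."""
    rules = [
        r"=msiexec.exe&=C:\Program Files\App\app.exe",  # form 1
        r"=C:\Program Files\App\config.dll",            # form 2
        r"=C:\Program Files\AntiVirus\Updates\*",       # form 3 (assumed spelling)
    ]
    gate = HdfGateModel(mode, rules)
    site_file = r"C:\inetpub\wwwroot\MySite\index.asp"  # path from the guide's ASP sample
    verdicts = {
        "installer_writes_app": gate.write_allowed("msiexec.exe", r"C:\Program Files\App\app.exe"),
        "cmd_writes_app": gate.write_allowed("cmd.exe", r"C:\Program Files\App\app.exe"),
        "anyone_writes_config": gate.write_allowed("svchost.exe", r"C:\Program Files\App\config.dll"),
        "av_update_in_dir": gate.write_allowed("avupdate.exe", r"C:\Program Files\AntiVirus\Updates\sig.dll"),
        "av_update_subdir": gate.write_allowed("avupdate.exe", r"C:\Program Files\AntiVirus\Updates\x\sig.dll"),
        "upload_before_approval": gate.write_allowed("w3wp.exe", site_file),
    }
    gate.show_message(0, site_file, "Sample.asp")  # step 1 of the ASP sample
    verdicts["upload_after_approval"] = gate.write_allowed("w3wp.exe", site_file)
    gate.show_message(1, site_file, "Sample.asp")  # step 3: close the session
    verdicts["upload_after_revoke"] = gate.write_allowed("w3wp.exe", site_file)
    verdicts["log"] = gate.log
    return verdicts
```

Running `run_scenario(MONITOR)` shows the guide's Monitor mode behaviour: the same rules are evaluated and the "default deny" reason is logged, but every write is allowed to complete.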
T he policy engine gener ates tw o audit log files in the HDF application log folder
w hen in oper ation. T he fir st log file r ecor ds the I/O decision of the policy
engine as defined in the r ule files and the second policy audit log file is to tr ack
the policy r ules in use as w ell a s r epor ting any policy files and r ules er r or s.
Fur ther details at 6.4 below .
Once HDF is in protection mode, it will not allow any executable to be written to disk unless the write is allowed by policy. This prevents executable code (known or unknown hacker tools, malicious code) from getting onto a computer system without the knowledge of the owner, thus maintaining system integrity.
The policy file can be located on any accessible path and is loaded automatically when the HDF policy module service <HDFGate> starts. When changes are made to the policy file, the HDFGate service must be restarted for the updated rules to take effect; this does not require a reboot of the machine. All policy files are protected by HDF from unauthorized modification, so HDF blocking must be turned off before a policy file is saved. Since the default location of the policy file is the HDF application directory, which is system protected, the admin user must also hold the Windows 'write access' privilege to the HDF application directory.
The administrator can give policy rule files any filename (with a *.HDF extension) except that of the master policy file, <MasterPolicy.HDF>. As a built-in safeguard, additional policy files must be declared and added through the master policy file <MasterPolicy.HDF>. The administrator is therefore always clear about which policy files are in operation, and no unauthorized policy rules can be introduced to the system via a back door.
A rule begins with the marker = followed by the file specification (file path and/or file name). The current version supports five variations of policy rule, listed in order of descending security:
1) Allow a specific named process (and only that process) to write a specific file to a specific destination path (most secure: all 3 conditions must be met)
   =process_name.exe&=n:\destination_path\file_name.ext
2) Allow any process to write a specific file to a specific destination path (2 conditions)
   =n:\destination_path\file_name.ext
3) Allow any process to write any protected file to a specific destination path (1 condition)
   =n:\destination_path\   or   =n:\destination_path\*.*
4) Allow any process to write a specific file to any path (1 condition)
   =\file_name.ext
5) Allow a specific process to write any protected file to any path (1 condition)
   =process_name.exe   (see the security implications below)
Syntax Note:
A valid rule entry begins with the '=' marker. A line that does not begin with the = marker is treated as a comment line.
The separator marker '\' is used as follows:
   Path name - must begin and end with a '\' marker, e.g. =n:\destination_path\ (same as =n:\destination_path\*.*)
   File name - must begin with a '\' marker but has no trailing '\', e.g. =n:\destination_path\file_name.ext and =\file_name.ext
   Process name - no '\' marker, e.g. =process_name.exe
Wildcards '*' and '*.*' are supported, e.g. *.HTM, MyApp.* and *.*.
From version 3, the HDF policy engine supports special instruction tags (directives).
"POLICYFILE=" instructs the HDF policy engine to add a sub-level policy file. The Advanced Edition supports up to 5 levels and 50 policy files. Syntax:
POLICYFILE=<absolute_path_to_sub-level_policy_file.HDF>
e.g. POLICYFILE=C:\Program Files (x86)\Abatis\HDF\WindowsUpdates.hdf
The above line adds <WindowsUpdates.hdf> as a second-level policy.
"INSTALLER=" causes the policy engine to treat the allowed I/O as 'trusted', recorded with a <4> code in the policy log file, and the executables downloaded by the trusted process themselves become 'trusted processes'. Syntax:
e.g. INSTALLER=services.exe&=\WINDOWS\SOFTWAREDISTRIBUTION\*.*
This rule instructs the policy engine to treat any executable written by the system process <services.exe> to the folder \WINDOWS\SOFTWAREDISTRIBUTION\ and its sub-folders as a trusted process. Because trust propagates to whatever the trusted process writes, an INSTALLER= rule should always be scoped to a named process and a specific folder, as in the example, and never to a bare process name.
A further directive, when HDF operates in protection (block) mode, instructs the policy engine to allow write I/Os of protected files that would otherwise be blocked and to capture/record the applications' I/O pattern for the purpose of policy definition; HDF is then effectively running in non-block mode. While this instruction is active it is not necessary to configure HDF to non-block mode to capture I/O, and the HDF policy log file and audit log file indicate that HDF is in non-block mode.
As a rule of thumb, we recommend not using the 5th rule variation: it effectively defines the process as a 'trusted process' with unrestricted write access to the whole system. The same applies to applications that are commonly targeted by malware writers and hackers, e.g. Internet browsers, multimedia players, decoders and PDF readers.
By default the HDF policy engine refuses to let these common high-risk system processes and vulnerable application processes, e.g. iexplore.exe, firefox.exe and chrome.exe, be defined as 'trusted processes'. Such processes should be restricted to writing only to their intended folders and files.
Because the list of vulnerable applications changes all the time, a complete listing is impossible; please consult Abatis if security consultancy advice is required.
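The rule grammar and directives above, as an added Python evaluator (example code written for this edit, not Abatis software and not the HDFGate engine). It parses the five rule variations, follows POLICYFILE= includes up to the quoted depth and file-count limits, tags INSTALLER= matches with decision code <4>, and refuses the bare-process form for the browsers the text names. Case-insensitive matching, sub-folder coverage for directory rules, fnmatch-style globbing, the contents of HIGH_RISK and the two sample policy files are assumptions made for the example, not behaviour confirmed by the manual.

```python
"""Evaluator for the five HDF policy-rule variations plus the POLICYFILE= and
INSTALLER= directives. Added example, not Abatis code: the real engine is the
HDFGate service. Assumed, not stated by the manual: matching is case-insensitive,
a directory rule covers its sub-folders, '*' is an fnmatch glob, HIGH_RISK is an
illustrative subset of the processes the engine refuses to trust."""
from __future__ import annotations

import fnmatch
import ntpath
from dataclasses import dataclass

BLOCKED, ALLOWED, TRUSTED = 1, 0, 4      # decision codes as written to the HDF logs
MAX_DEPTH, MAX_FILES = 5, 50             # Advanced Edition limits quoted in the manual
HIGH_RISK = {"iexplore.exe", "firefox.exe", "chrome.exe"}


@dataclass
class Rule:
    process: str | None = None    # None = any process
    directory: str | None = None  # None = any path; lower-case, trailing '\'
    pattern: str | None = None    # None = any protected file; glob otherwise
    trusted: bool = False         # rule came from an INSTALLER= directive
    source: str = ""              # policy file the rule was read from


def parse_rule(body: str, *, trusted: bool = False, source: str = "") -> Rule:
    """Parse the text after the leading '=' (or after 'INSTALLER=')."""
    rule = Rule(trusted=trusted, source=source)
    if "&=" in body:                               # variation 1: process&=file spec
        proc, body = body.split("&=", 1)
        rule.process = proc.strip().lower()
    spec = body.strip().lower()
    if "\\" not in spec:                           # variation 5: bare process name
        if spec in HIGH_RISK:
            raise ValueError(f"{source}: {spec} may not be made a trusted process")
        rule.process = spec
        return rule
    if spec.endswith("\\*.*"):                     # 'dir\*.*' is the same as 'dir\'
        spec = spec[:-3]
    if spec.endswith("\\"):                        # variation 3: directory, any file
        rule.directory = spec
        return rule
    head, rule.pattern = ntpath.split(spec)        # variations 1, 2 and 4
    if head != "\\":                               # '\name.ext' alone means any path
        rule.directory = head.rstrip("\\") + "\\"
    return rule


def load_policy(files: dict[str, str], name: str = "MasterPolicy.HDF",
                depth: int = 1, seen: list[str] | None = None) -> list[Rule]:
    """Read rules from `files` (a dict standing in for files on disk), following
    POLICYFILE= includes. Lines without a leading '=' or a directive are comments."""
    seen = [] if seen is None else seen
    if depth > MAX_DEPTH or len(seen) >= MAX_FILES:
        raise ValueError(f"{name}: too many policy files or nested too deep")
    if not name.lower().endswith(".hdf"):
        raise ValueError(f"{name}: policy files must carry the .HDF extension")
    seen.append(name)
    rules: list[Rule] = []
    for line in files[name].splitlines():
        line = line.strip()
        if line.upper().startswith("POLICYFILE="):
            rules += load_policy(files, line.split("=", 1)[1].strip(), depth + 1, seen)
        elif line.upper().startswith("INSTALLER="):
            rules.append(parse_rule(line.split("=", 1)[1], trusted=True, source=name))
        elif line.startswith("="):
            rules.append(parse_rule(line[1:], source=name))
    return rules


def _in_directory(rule_dir: str, path: str) -> bool:
    _drive, rest = ntpath.splitdrive(path.lower())
    if ntpath.splitdrive(rule_dir)[0]:             # rule names a drive: compare it too
        return path.lower().startswith(rule_dir)
    return rest.startswith(rule_dir)               # drive-less rule, e.g. '\WINDOWS\...'


def rule_matches(rule: Rule, process: str, path: str) -> bool:
    name = ntpath.basename(path).lower()
    return ((rule.process is None or rule.process == process.lower())
            and (rule.directory is None or _in_directory(rule.directory, path))
            and (rule.pattern is None or fnmatch.fnmatchcase(name, rule.pattern)))


def decide(rules: list[Rule], process: str, path: str) -> tuple[int, Rule | None]:
    """Decision code for one write of a protected file, and the rule that allowed it.
    First matching rule wins (this evaluator's choice; the manual does not say)."""
    for rule in rules:
        if rule_matches(rule, process, path):
            return (TRUSTED if rule.trusted else ALLOWED), rule
    return BLOCKED, None


# Constructed sample policy files (not the samples shipped with HDF).
POLICY_FILES = {
    "MasterPolicy.HDF": r"""
Department-wide rules. This line has no leading '=' and is therefore a comment.
=svchost.exe&=C:\WINDOWS\SOFTWAREDISTRIBUTION\*.DLL
=\DeployTool.exe
POLICYFILE=C:\Program Files (x86)\Abatis\HDF\WindowsUpdates.hdf
""",
    r"C:\Program Files (x86)\Abatis\HDF\WindowsUpdates.hdf": r"""
INSTALLER=services.exe&=\WINDOWS\SOFTWAREDISTRIBUTION\*.*
""",
}
```

With the constructed policy loaded, decide() returns <0> for svchost.exe writing core.dll under C:\Windows\SoftwareDistribution\, <1> for the same process writing core.exe there, and <4> for services.exe writing anywhere under \WINDOWS\SOFTWAREDISTRIBUTION\ on any drive; parse_rule("chrome.exe") raises, mirroring the engine's refusal described above.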
It is important to note that the very nature of an exception list inevitably creates a potential gap in HDF protection. We strongly recommend that the administrator critically review any use of policy as an automated I/O approval scheme. While this is a suitable approach for the automatic update needs of security tools, in other scenarios a more secure approach is usually possible. Please contact Abatis if help is required in this area.
Note: This manual may not include the latest enhancements to HDF policy; please refer to MasterPolicy.HDF for the latest features.
2) "C:\WINDOWS\SYSTEM32\" is the target directory of the write, and lastly
HDF, being part of the OS kernel, always records the I/O details in <HDF.log> and the HDF policy decisions in <HDFPolicy__computer_name.log>. From these logs an administrator has the information needed to define secure policy rules according to operational needs.
It is recommended that the admin user consider using the above 3 I/O components (process, directory and file) when defining the allow-write criteria for a protected file. HDF policy allows any combination of the 3 elements to be used as conditions (criteria) to auto-allow an I/O. For example, you can control (1) which process is allowed to write, (2) to which directory, and (3) that the file is as defined (all 3 criteria must be met for the write I/O to be allowed).
In situations where the 3 write elements cannot all be predetermined, a valid policy rule can be defined with any combination of the 3 I/O components. For example, a variation-1 rule naming svchost.exe, the Windows WSUS download directory and the wildcard *.DLL restricts svchost.exe to writing DLL files to that directory and nowhere else. While such a rule allows any DLL file to be written, more restrictive rules can be defined by referencing the actual filenames recorded in HDF's logs. This rule will not allow svchost.exe to save *.EXE files.
WSUS initiates the Windows update process by downloading patches to a specific directory, e.g. C:\Windows\SoftwareDistribution\Download\patch_id. When the patch files and tools have been downloaded, the WSUS process installs the patches as required; sometimes a reboot is necessary to complete the process. This document does not discuss WSUS details, which are available from Microsoft and user community forums.
Since HDF blocks write I/O of protected files out of the box (i.e. existing or new executables and user-defined files), a policy is used to automate the approval of expected/required file downloads without manual user interaction. It can be viewed as an exception list: the protected files in the list are allowed to be written/updated on the computer when the runtime conditions meet the criteria defined in the policy rules.
There are four recommended steps to deploy HDF policy in a corporate environment:
Once the applications' I/O pattern is captured, it is a straightforward exercise for the admin user to review it and define the I/Os suitable for automated write approval. The expected write activities are entered in a policy file (a plain text file) according to the desired security requirements; refer to 5.9 above.
This step validates that the policy will not interfere with the standard functionality of the business applications.
Typically, the first two steps are performed in a testing environment, where many corporations perform standard application software and compatibility testing. Steps 1 and 2 may be repeated to discover the business applications' write patterns.
The policy audit log clearly identifies any rule omission: a particular I/O that would have been blocked in enforcement mode but was allowed during 'monitor mode'. The policy under examination can then be adjusted if necessary. When HDF is in non-block mode, the HDF policy log appends the tag [NON_BLOCK_MODE] to the end of the log line to indicate that the I/O would have been blocked had HDF been in protection (block) mode.
The period to run 'monitor mode' varies with the system's core functionality and configuration. If a system operates in a stable configuration with few anticipated changes, running HDF in 'monitor mode' for one to two weeks is adequate. For systems that experience regular changes, one to two months in 'monitor mode' will likely capture all expected write I/O of protected files. Remember that in monitor mode every such write actually reaches disk, so each <1> entry should be reviewed for legitimacy before it is turned into a rule rather than approved in bulk.
In the unlikely event that a system is compromised during 'monitor mode', the HDF audit logs provide an invaluable aid to forensic investigation and speedy system recovery: because every write of a protected file is recorded, malware payloads dropped to disk, including kernel rootkit components that are very often 'hidden' from other security tools, appear in the logs. Hacking compromises and backdoor tools are equally clearly revealed in the HDF log files.
For a corporate environment, HDF has an optional extra module, the Central Management Console (CMC). HDF CMC is a monitoring and management tool for the HDF-protected computers within the company/organization. It is a web-based application combining log collection, log analysis, log query (reporting), real-time monitoring and management.
IT administrators can view real-time HDF log information through a web browser, showing the status of HDF clients and security alarms, and can interrogate the HDF operating parameters as well as system and hardware information.
The common use of the command line tool is to control HDF centrally for automated system patching and software distribution. To provide the greatest flexibility, the tool supports a number of runtime switches for secure and flexible system patching and software distribution tasks.
The tool requires a configuration file <HDFConf__custid.HDF>. The file contains operating and configuration options for several HDF modules and also serves as an authentication 'ticket' that controls access to the HDFControl tool. HDFControl checks this ticket every time before it executes; if the check of the user-defined conditions fails (e.g. USB-only or invalid password), the application will not execute.
Note: This manual may not include the latest enhancements and options to the HDFControl tool; please refer to <HDFConf__custid.HDF> for the latest features.
HDFcontrol /C:1    block and log (default blocking mode)
HDFcontrol /C:0    audit log only, do not block any file (audit mode / monitor mode)
HDFcontrol /C:2    block executables started from removable devices, e.g. USB, and from networked shares (extended blocking mode)
Additional management functionality is regularly incorporated into the tool. Please contact Abatis with any feature request.
Alternatively, there is a trusted process setting under which HDF allows a trusted process to write all files. This feature exists to support automatic software updates, e.g. of anti-virus programs. Other uses of trusted processes are discouraged for security reasons. Runtime control (refer 5.4 above) and policy rules (refer 5.6 above) provide a higher degree of protection and control.
Security Note: HDF automatically allows a trusted process to write any files, so an administrator must test and validate a process before defining it as trusted. It is not recommended to trust system processes that are common targets of hackers and malware attacks. The current version supports defining trusted processes by direct Registry editing via most system management and software deployment tools, or simply by a Registry file import. Please refer to the Registry details for Allowed Processes in section 8 below.
Note: HDF protects its parameters in the Registry from unauthorized tampering; the protection must be disabled before changing the HDF Registry settings, by running the command line HDFcontrol /C:9.
Modifying the runtime parameters with the tool does not update the respective HDF operating parameters in the HDF Registry. They must be updated separately if the configuration settings are to persist.
It is most important to keep the gate key from unauthorized access. There are a number of secure approaches available; it is recommended to assess the deployment environment and select the appropriate method. The tool is not included in the standard installer package. Please contact Abatis for details.
6 Audit Logging
6.1 How HDF Performs Audit Logging
6.1.1 HDF Main Audit Log
HDF is a security tool and audit logging is an essential integrated feature. By default, the HDF audit log records all monitored write I/O operations to a local text log file as raw log data. The raw log data is generated by the HDF kernel driver and is suitable for further analysis by external log management and reporting tools as required. HDF enforces the principle of 'factual' reporting: every single I/O event, including duplicated I/O incidents, is audit logged.
NOTE: At the time of writing, HDF logs have already been integrated into Tier-3's Huntsman tool and the Proteus GRC tool.
We suggest the user examine the log file <HDF.log> regularly to determine whether the system has been under malicious attack that HDF prevented. The location of the file is defined at installation time and is recorded in the HDF registry, [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDF\Parameters\LogPath]. The default location on 64-bit platforms is C:\PROGRAM FILES (x86)\ABATIS\HDF\LOG\, and on 32-bit platforms C:\PROGRAM FILES\ABATIS\HDF\LOG\. The path can be modified by configuration update or at runtime using the command line tool. The log file location must be valid and accessible for the HDF kernel driver to write log entries.
The log data can optionally be forwarded to named administrator users via the email notification service. The user can define conditions for notification such as the frequency of alerts and the type of I/O incidents to report, e.g. only denied write I/Os.
Optionally, the HDF Policy module generates two additional audit log files. The first policy log tracks the rules' I/O decision outcomes, and the second shows the active rules in use and highlights any policy anomaly such as rule syntax errors or policy file errors. The log file details are at 6.4 below.
Date & time <C> Configuration: (indicates blocking or non-blocking mode)
Date & time <C> Extensions: (the list of user-defined protected files)
Date & time <C> AllowedProcesses: (the list of trusted processes)
Date & time <C> LogPath: (the log path where the HDF kernel writes log entries)
The HDF kernel generates the above entries on system start-up and whenever any of the parameters is changed at runtime.
Field 1: Date
Field 2: Time
Field 3: I/O decision code; <1> file blocked, <0> file not blocked (written to disk), and <4> trusted process write operation.
Field 4: Process ID and process name of the writer, in the form <pid>:<process.exe> (see the sample lines below).
Field 5: User SID (account privilege) of the write operation, identifying the account under which the process makes the write access; typically the logged-in user or a system account. Note that the log shows a user SID (so that we know exactly who performs the write operation) and not a group SID (not very helpful for analysis in many cases).
Field 6: Full path of the target file (see the sample lines below).
The log below shows HDF blocking a web defacement attack: the attack script attempted to upload common web files to deface the website, and the code <1> indicates the I/Os were blocked. The log also shows that the attacker had compromised the IIS worker process <w3wp.exe> (in this incident through a buffer overflow), running under the NT AUTHORITY\NETWORK SERVICE service account (SID S-1-5-20; LOCAL SYSTEM would be S-1-5-18), and directed it to write the malicious files; all were blocked in this example.
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTM
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTML
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTM
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTML
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\INDEX.PHP
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.PHP
2010/12/30 03:54:05 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\HOME.PHP
The first log file records the I/O decision outcome according to the policy rules. For simple parsing, it has the same fields and format as the HDF main log described in 6.2 above. The HDF policy rule decision audit log filename is <HDFPolicy__computername.log>. One exception: the policy log does not record duplicate I/O events as the HDF main log does.
The HDF policy log also supports the policy deployment procedure described at 5.11 above (Deploy HDF Policy Module in Corporate Environment). A system administrator is encouraged to thoroughly test-run the policy rules to ensure they are defined according to the corporate security policy and operational requirements prior to production deployment.
When HDF is running in monitor/non-block mode (as recommended for the 'Pre-Deployment QA' step), the log entries are appended with the marker [NON_BLOCK_MODE] to show that HDF is in non-block mode. If an I/O has not been defined in the policy and therefore would have been blocked, the policy log entry has a <1> code, while the main HDF log <HDF.log> records a <0> code for the same I/O to show its actual status as allowed, because HDF is running in non-block mode.
2014/01/24 03:24:24 <1> 1232:inetinfo.exe S-1-5-18
2014/01/24 03:24:28 <1> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG
2014/01/24 03:24:28 <1> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG.TMP
2014/01/24 03:26:26 <0> 1232:inetinfo.exe S-1-5-18
The log lines above with code <0> show write I/Os allowed by an effective policy rule. Those with code <1> would have been blocked had HDF not been running in ALLOW_IO_AND_RECORD mode, because no effective policy rule covers them.
From such a log the administrator can easily decide whether to auto-allow the write I/Os with code <1> in future and revise the policy file accordingly. Similarly, he may want to remove obsolete or inappropriate rules from the policy by checking the code <0> entries.
The policy log also records a time stamp when the HDF Policy module starts and stops, e.g. when the system shuts down or reboots.
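A worked example for the log field layout in 6.2 above and for the monitor-mode reconciliation just described: a Python parser for HDF.log and HDFPolicy__computername.log lines that lists the [NON_BLOCK_MODE] entries with code <1> (the rule omissions), drafts the most restrictive variation-1 rule for each, and cross-checks the main log to show which of those files actually reached disk while the system was in monitor mode. This is added example code, not Abatis tooling. The sample lines are constructed for it (the IIS paths copy the manual's sample, the inetinfo target and the services.exe patch line are invented), and the <C> line shape is assumed from the parameter-line description above.

```python
"""Parse HDF.log / HDFPolicy__<computer>.log lines and turn a monitor-mode run
into policy work items. Added example, not Abatis code. Field layout follows the
manual: date, time, <code>, pid:process, user SID, target path, with
[NON_BLOCK_MODE] appended by the policy log in non-block mode. Sample lines are
constructed for this example (paths modelled on the manual's IIS entries)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(r"""
    ^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+
    <(?P<code>[014])>\s+                  # <C> parameter lines do not match
    (?P<pid>\d+):(?P<process>\S+)\s+
    (?P<sid>S-1-[\d-]+)
    (?:\s+(?P<path>.*?))?                 # a few entries carry no path
    (?P<nonblock>\s*\[NON_BLOCK_MODE\])?\s*$
""", re.VERBOSE)


@dataclass(frozen=True)
class Event:
    stamp: str          # 'YYYY/MM/DD HH:MM:SS'
    code: int           # 1 blocked, 0 written to disk, 4 trusted-process write
    pid: int
    process: str
    sid: str            # user SID, e.g. S-1-5-18 is LOCAL SYSTEM
    path: str | None
    non_block: bool     # line carried the [NON_BLOCK_MODE] marker

    @property
    def key(self) -> tuple:
        """Identity of one write I/O, used to pair main-log and policy-log entries."""
        return (self.stamp, self.pid, self.process.lower(), (self.path or "").lower())


def parse_line(line: str) -> Event | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None                       # <C> parameter lines, start/stop stamps
    return Event(f"{m['date']} {m['time']}", int(m['code']), int(m['pid']),
                 m['process'], m['sid'], m['path'] or None, m['nonblock'] is not None)


def parse_log(text: str) -> list[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def summary(events: list[Event]) -> Counter:
    """Entries per decision; in a monitor-mode policy log <1> means 'would have
    been blocked', since nothing is actually blocked in that mode."""
    return Counter({1: "blocked", 0: "allowed", 4: "trusted"}[e.code] for e in events)


def rule_gaps(policy: list[Event]) -> list[Event]:
    """Policy-log entries with <1> while [NON_BLOCK_MODE] was set: writes that no
    rule covers yet and that enforcement mode would block."""
    return [e for e in policy if e.code == 1 and e.non_block and e.path]


def candidate_rules(gaps: list[Event]) -> list[str]:
    """Most restrictive (variation 1) rule per distinct process/target pair; the
    administrator still decides which of these belong in the policy."""
    return sorted({f"={e.process.lower()}&={e.path}" for e in gaps})


def landed_on_disk(main: list[Event], policy: list[Event]) -> list[str]:
    """Targets the kernel really wrote (<0> in HDF.log) that the policy would
    have blocked: they reached disk during monitor mode and deserve a look."""
    written = {e.key for e in main if e.code == 0}
    return sorted({e.path for e in rule_gaps(policy) if e.key in written})


# Constructed sample logs for one monitor-mode window (not real HDF output).
POLICY_LOG = r"""
2014/01/24 03:24:24 <0> 1232:inetinfo.exe S-1-5-18 C:\INETPUB\TEMP\IIS TEMPORARY COMPRESSED FILES\INDEX.HTM.GZ [NON_BLOCK_MODE]
2014/01/24 03:24:28 <1> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG [NON_BLOCK_MODE]
2014/01/24 03:24:28 <1> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG.TMP [NON_BLOCK_MODE]
2014/01/24 03:30:00 <4> 812:services.exe S-1-5-18 C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\1A2B\PATCH.EXE [NON_BLOCK_MODE]
"""
MAIN_LOG = r"""
2014/01/24 03:24:20 <C> Configuration: NON_BLOCK
2014/01/24 03:24:24 <0> 1232:inetinfo.exe S-1-5-18 C:\INETPUB\TEMP\IIS TEMPORARY COMPRESSED FILES\INDEX.HTM.GZ
2014/01/24 03:24:28 <0> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG
2014/01/24 03:24:28 <0> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG
2014/01/24 03:24:28 <0> 1652:svchost.exe S-1-5-18 C:\INETPUB\TEMP\APPPOOLS\ASP.NET V4.0\ASP.NET V4.0.CONFIG.TMP
2014/01/24 03:30:00 <4> 812:services.exe S-1-5-18 C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\1A2B\PATCH.EXE
"""
```

candidate_rules() produces a starting point, not a finished policy: every <1> entry should be checked for legitimacy before it becomes a rule, precisely because landed_on_disk() shows those writes were not stopped while the system ran in monitor mode. The duplicate svchost.exe line in MAIN_LOG illustrates the 'factual reporting' behaviour of the main log, which the policy log does not share.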
The second policy audit log file audits/tracks the policy rules in use and reports any policy and rule syntax errors. It is a very useful tool for troubleshooting and auditing policy rules. The HDF policy audit log filename is <HDFPolicyAudit__computername.log>.
It is possible to configure how much log detail is required and whether one or two audit logs are generated; refer to the Registry setting "IO_LogLevel" under HDFGate Registry Settings, 8.2 below.
The HDF Advanced version implements an automated log archive feature that lets an administrator define how often the HDF log is archived. When defining log archive settings, the user may consider factors such as the server's rate of I/O and operational requirements.
Archive type (days between archives):
   o 1 = daily
   o 7 = weekly
   o 10 = every 10 days
   o 30 = monthly (default)
   o 90 = quarterly
   o 360 = annually, etc.
Archive time (hours): the hour of the day at which to start the log archive, in 24-hour clock format; there is no setting for minutes. For example, 0 = 00:00 (midnight), 1 = 01:00 and 18 = 18:00.
Archive file URL: the path location of the archived file. If the field is empty (default), the archived file is saved to the same path as the default log file.
Value (type)                 Default            Description
ArchiveType (Hex)            1E (30 = monthly)  Days between archives: decimal 1 = daily, 7 = weekly, 30 = monthly, 360 = yearly
ArchiveTime(hours) (Hex)     0                  Hour at which to perform the log archive, e.g. 0 = 00:00 (midnight), 1 = 01:00, 18 = 18:00
ArchiveFormat (string)       HDF_YYYYMMDD.log   File name format of the archived log file
ArchiveFileURL               Blank              Path to the archived log file; default empty archives to the same folder as HDF.log
These values can be set by editing the Registry entries. A GUI management tool to edit the settings will be available in a future release.
Note: After auto log archive is configured via the ArchiveType value in the Registry, the HDFGate service registers the log archive task when it next starts. Successful activation is indicated by adding 0x10000000 to the value, e.g. 0x2 becomes 0x10000002. To change the log archive settings, ArchiveType must be reset to the unregistered value, e.g. 0x2, and the HDFGate service restarted.
Automatic log archive is implemented as a Windows Scheduler task and has the characteristics and limitations of a scheduled task; e.g. if a monthly archive schedule is activated on the 31st day of the month, the log will only be archived in months that have a 31st, instead of every month. Activate monthly schedules on or before the 28th to avoid this.
To activate the email alert function, the administrator defines options for the Email Alert Notification Service in a configuration text file, <Email_conf.hdf>. When the notification service options are defined, the HDF administrator activates the service by setting the configuration file location in the HDFRemote service parameter and starting the service; details at 7.8 below.
FromName = HDFnode
FromMail = system_id@domain.com
The email subject line is used to classify alert messages.
The markers are the same as the decision codes in the log file, i.e.
   <0> for allowed write I/Os,
   <1> for blocked write I/Os, and
   <4> for allowed write I/Os by trusted processes.
Refer to the table at 6.2 above. An HDF administrator may specify the I/Os of interest to monitor, e.g. <1> only reports blocked write I/Os and ignores other I/Os. The default is to report on all I/O results.
Defined in 24-hour time format. The default setting is 24-hour coverage.
It is suggested to set a value according to the specific deployment environment and the likely rate of I/O. A low value, e.g. 1 or 2, provides near real-time alerts but may generate many email messages and overload the email system. On the other hand, a high value, e.g. 50 or 100, generates fewer email alerts but the notification may not be timely. The administrator should experiment and define a value that meets the operational requirement.
2010/12/30 03:54:02 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\DEFAULT.HTML
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTM
2010/12/30 03:54:03 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\MAIN.HTML
2010/12/30 03:54:04 <1> 2752:w3wp.exe S-1-5-20 C:\DOMAINS\_REAL_SITE_.COM\WWWROOT\INDEX.PHP
The following table shows the settings and values of the current version.
Value (type)                 Default            Description
ArchiveTime(hours) (Hex)     0                  Hour at which to perform the log archive: 0 = 00:00 (midnight), 1 = 01:00 (01:00 a.m.), 18 = 18:00 (06:00 p.m.)
ArchiveFormat (string)       HDF_YYYYMMDD.log   File name format of the archived log file, e.g. HDF_20110112.log
ArchiveFileURL               Blank              Path to the archived log file; default empty archives to the same folder as HDF.log
Automated WSUS support
AutoEnableTimeLapse (sec) (Hex)  1E             Default 30 seconds delay, e.g. 30 or 0x1E
9 Troubleshooting
HDF has been tested extensively over the last 7 years on production systems with different software combinations and configurations. It has proven to be stable, reliable and free from compatibility issues. HDF works concurrently with most major brands of anti-virus and anti-spyware programs, firewalls and data encryption products.
To run in non-blocking mode, use either the system tray icon GUI tool or the command line tool HDFcontrol.exe with the non-block parameter, e.g.
C:\path> HDFcontrol /C:0
However, if turning off blocking is insufficient to troubleshoot the issue, it may be necessary to fully de-activate HDF functionality with the following command:
C:\path> HDFcontrol /C:9
This command shuts down all HDF functionality, including logging, for troubleshooting purposes. Remember to restore blocking with HDFcontrol /C:1 once troubleshooting is complete.
Lastly, the uninstall wizard, if needed, will remove all installed components and Registry settings and return the computer to its pre-install state.