Comodo Watch Software Version 1.0

Transcription

1 Comodo Watch Software Version 1.0 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street STE 100 Clifton, NJ 07013

2 Table of Contents 1.Introduction to Comodo Watch Installation and Activation Configuring cwatch System with Local Network for Monitoring Web Traffic Configuring cwatch System and Mail Transfer Agent for Monitoring Traffic Logging-in to the Administrative Console The cwatch Administrative Console Configuring cwatch Main Configuration Sniffer Configuration Content Analysis Rules Configuring Notifications Checking cwatch System Status Reports HTTP Analyser Reports Analyser Reports Changing Comodo Watch Administrative Console Password Managing Your Account About Comodo Comodo Security Solutions Inc. All rights reserved 2

3 1.Introduction to Comodo Watch Today's network administrators face the unenviable task of making sure employees are kept secure against an ever-rising tide of malware, hacking attacks, social engineering and phishing. It's an unpredictable and poisonous environment which confronts even the best prepared administrators with a unique challenge on a daily basis. Comodo Watch meets this challenge by providing immediate notification and visibility over malware outbreaks over all network and mail traffic. After the application has been installed and configured on a local server, cwatch uses a proprietary combination of cloud and local based virus scans, real-time behavior analysis, automatic file look-up and multiple blacklist checks to quickly and accurately identify known and unknown threats. Once configured, all network traffic will be examined by the following cwatch technologies: Comodo Antivirus - Continuously updated antivirus scanner which provides dependable protection against known malicious files. Cloud-based file look-up service - File reputation service which Instantly checks a files signature against the very latest database to ascertain whether or not it is trusted, malicious or unknown. Comodo Automated Malware Analysis (CAMAS) - A cloud based behavior analysis service which improves detection of zero-day threats by rigorously testing the run-time actions of unknown files ClamAV - ClamAV is designed to scan mail gateways for malicious files and provides another layer of protection on top of Comodo Antivirus Blacklist checking - Real-time checks of whether the domains, URLs and IP addresses visited by your users are flagged as malicious by major blacklisting services. Guide Structure 2014 Comodo Security Solutions Inc. All rights reserved 3

4 This guide is intended to take you through the configuration and use of cwatch and is broken down into the following main sections. Introduction to Comodo Watch Installation and Activation Configuring cwatch System with Local Network for Monitoring Web Traffic Configuring cwatch System and Mail Transfer Agent for Monitoring Traffic Logging-in to the Administrative Console The cwatch Administrative Console Configuring cwatch Checking cwatch System Status Reports Changing cwatch Administrative Console Password Managing Your Account 1.1.Installation and Activation cwatch can be downloaded in ISO format from Activation and use of cwatch is free during the beta-period, but you will need a Comodo Accounts Manager (CAM) account in order to obtain the key required to activate your license. If you do not yet have a CAM account, please create one by clicking the 'Sign Up to Comodo Watch Service' link at If you have a CAM account: Login at Click 'My Account' Click 'Sign Up to Comodo Watch' You will be taken to the purchase page of Comodo Watch. Select the subscription package you want to use from the list displayed Comodo Security Solutions Inc. All rights reserved 4

5 Enter the User Details and Contact Information in the respective fields under 'Customer Information'. If you have already logged-in, the contact details will be auto-populated If you already having an account with Comodo, check 'Yes' box. You will only need to enter your Address/Login ID, Password, and Contact Information. Note: Fields marked with * are mandatory Comodo Security Solutions Inc. All rights reserved 5

6 Select the payment options and fill the credit card details Comodo Security Solutions Inc. All rights reserved 6

7 Select the checkbox in the 'Communication Options' section, if you want to be kept informed about special offers, Comodo products and upgrades. Read the Terms and Conditions and accept to it by selecting the 'I accept the Terms and Conditions' check box. Click 'SIGN UP.' You will receive a confirmation and the license key at the address. You can also get the license key from Comodo Security Solutions Inc. All rights reserved 7

8 You can activate your cwatch product by applying the license key in the My Account interface of cwatch administrative console. Refer to the explanation of activating, upgrading and renewing your License under the chapter Managing Your Account for more details. Minimum Hardware Requirements Processor - Dual core RAM - 4 GB RAM Hard Disk GB CD/DVD drive Installation The cwatch application runs on Ubuntu Linux and should be installed on a local server in your network. Once the.iso file is downloaded and burned to CD or DVD, please follow these installation instructions: Insert the installation disc into the CD/DVD drive of your cwatch server and boot the system from the disc. Click 'Install Ubuntu' 2014 Comodo Security Solutions Inc. All rights reserved 8

9 Keep the 'Download updates while installing' checkbox unchecked. Click 'Continue' Proceed with partitioning as required. Make sure to have enough space for /usr/local directory (>10 Gb depending on traffic). Click 'Install Now' 2014 Comodo Security Solutions Inc. All rights reserved 9

10 Note: Make sure to set the time zone to UTC. If required, you can do this later using the following command in the terminal window: sudo dpkg-reconfigure tzdata Select Etc and then select UTC Click 'Continue'. Select the language from the list and click 'Continue' Comodo Security Solutions Inc. All rights reserved 10

11 The installation progress will be displayed. When completed, remove installation disc and reboot the system. The customized Ubuntu desktop will appear. Login with the following credentials: Logname: comodo Password: cwatchproj Note: The password must be changed after the first login Comodo Security Solutions Inc. All rights reserved 11

12 Enter the new UNIX password and confirm it. The Ubuntu Desktop will be displayed. Click the Comodo Watch icon on the desktop. The Comodo Watch administrative interface will open the Firefox browser. When you are launching the Comodo Watch administrative console for the first time, the browser will display a warning Comodo Security Solutions Inc. All rights reserved 12

13 Click 'I Understand the Risks' Comodo Security Solutions Inc. All rights reserved 13

14 and then click 'Add Exception'. A confirmation dialog will be displayed Comodo Security Solutions Inc. All rights reserved 14

15 Click 'Confirm Security Exception'. The login screen for the administrative console will open. Login to the admin panel with the default credentials: Username - admin Password - cwatch_admin From the next login attempt, you willl not be asked to add connection to cwatch Administrative console to be added to exceptions. You can change the login password in the admin panel in the 'Change Password' section. Note: Make sure to set the timezone to UTC. If you didn't do this during installation, you can do so now using the following command in the terminal window: sudo dpkg-reconfigure tzdata Select Etc and the select UTC Next steps: Configuring cwatch System with Local Network for Monitoring Web Traffic Configuring cwatch System and Mail Transfer Agent for Monitoring Traffic Accessing the Administrative Console 2014 Comodo Security Solutions Inc. All rights reserved 15

16 1.2.Configuring cwatch System with Local Network for Monitoring Web Traffic To be effective, cwatch must be able to monitor all network traffic. This can be done in multiple ways: Parallel Method Transparent Method The parallel method assumes that the local network gateway sends a mirror of all the in <=> out traffic to the cwatch server. The transparent method assumes the cwatch server receives traffic by operating in bridged mode. Note: There are several configuration methods and types available and the administrators can use whichever is convenient to them. The main objective is that the cwatch system should be able see the web traffic in the network that the administrators want to monitor the clients. Parallel Method Traffic can be mirrored to the cwatch server using via hardware or software methods. Hardware Solution There are several possible solutions to mirror traffic at the hardware level: HUB - This requires no configuration at all, just plug the cwatch server into one on the HUB's ports. Configure one SWITCH port to be a traffic mirror - This is a good and flexible solution. Many modern switches and hardware routers have the ability to dedicate one of their NICs for traffic mirroring. For more information about this method, please visit Use special hardware (Network TAP) - This is the best solution for traffic mirroring. A network tap is a 'bump-in-thewire device' designed only to copy traffic passing through it to a monitor port. Software Solution The method explained below shows how to configure a gateway powered by Linux to copy all its passing traffic to cwatch server. Other *NIX like operating systems may have similar solutions. Please refer to corresponding manuals for that. IPtables have been the simplest version of firewalls in the NIX world for years. They allow you to apply NAT to traffic, reconstruct your TTL, drop and/or log and even duplicate interface traffic. Setup example: Gateway = cwatch server = LAN = /8 Run the following commands on the Gateway: iptables -t mangle -I PREROUTING -p tcp -j TEE --gateway iptables -t mangle -I POSTROUTING -p tcp -j TEE --gateway Now all TCP traffic coming from LAN /8 will be *copied* to cwatch server with IP Note: cwatch server and local GW must belong to the same network 2014 Comodo Security Solutions Inc. All rights reserved 16

17 Transparent Method - Bridge Solution A bridge is a method to connect two Ethernet segments together that is protocol independent. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge. The bridge solution requires the cwatch server to have two physical NICs. The cwatch server needs to be configured appropriately (i.e. NetworkManager should be disabled). Administrators can use script /etc/network/if-up.d/bridge. At least one option should be set:... # Set IP of bridge for ssh access ifconfig br netmask broadcast Before running the script, make it executable and un-check the box "Enable Networking" in NetworkManager. For more details about Linux Bridging, please visit Configuring cwatch System and Mail Transfer Agent for Monitoring Traffic Both cwatch and your Mail Transfer Agent (MTA) must be configured in order for the solution to monitor mail traffic. Configuring cwatch Login to the Administrative Console. Click Configuration and then Main Configuration. Select the checkbox beside 'Enable SMTP analysis server' Comodo Security Solutions Inc. All rights reserved 17

18 Select the network service IP address that is used for network services, including SMTP analysis service. Click the 'Update' button. Configuring MTA The company MTA must be configured to send a blind carbon copy (BCC) of messages to cwatch. Click the following for more details: Postfix Exim Sendmail Microsoft Exchange Server Windows MDaemon Postfix Edit the /etc/postfix/main.cf file and create a /etc/postfix/sender_bcc file. Make sure to take a backup of the files before editing, in case something goes wrong! (cp /etc/postfix/main.cf /etc/postfix/main.cf.old) Edit the /etc/postfix/main.cf file and add the following line: sender_bcc_maps = hash:/etc/postfix/sender_bcc Create the file /etc/postifx/sender_bcc # s from #BCC to suspect@domain.com detective@domain.com You then need to run the following commands: postmap /etc/postfix/sender_bcc postfix reload For example, BCC address will look like given below, ctp_bcc@[ ] where is the address of cwatch server 2014 Comodo Security Solutions Inc. All rights reserved 18

19 For more details, please visit Exim Edit /etc/exim4/exim4.conf and add near the top the following commands: system_filter = /etc/exim4/mail.filter system_filter_user = Debian-exim Restart Exim Edit /etc/exim4/mail.filter as per the documentation creating something like : # Exim filter logfile /tmp/mail.log logwrite "$tod_log $h_to $h_from $h_subject " if $header_x-loop-systemfilter contains 'ok' then logwrite "Mail loop?" finish endif headers add "X-Loop-SystemFilter: ok" if $sender_address contains "@test.com" and $h_to contains "destination@example.org" then logwrite "$tod_log Mail to: $h_to from: $sender_address subject: $h_subject bcc'ed to bcc_address@example.org" unseen deliver bcc_address@example.org endif So, mail sent from someone to destination@example.org will be bcc'ed to bcc_address@example.org. Changing destination@example.org to would obviously catch everything going to the example.org domain through the server. Sendmail For sendmail, administrators have to use 'mailforward' or 'mimedefand' filter. Please visit or for details on how to configure Sendmail. Microsoft Exchange Server Please visit for more details. Windows MDaemon Please visit for more details. 1.4.Logging-in to the Administrative Console After logging-in to the cwatch, click the 'COMODO WATCH' icon on the left hand side menu or double click the 'COMODO WATCH' desktop icon on the Ubuntu desktop Comodo Security Solutions Inc. All rights reserved 19

20 The cwatch admin console login interface will be displayed in Mozilla Firefox browser. Enter the username and password in the respective fields and click the 'LOGIN' button. If this is the first time you are logging-in to the interface, then enter the default credentials: Username: admin Password: cwatch_admin The default credentials can be changed in the 'Change Password' screen. Refer to the section 'Changing cwatch Administrative Console Password' section for more details Comodo Security Solutions Inc. All rights reserved 20

21 2.The cwatch Administrative Console The cwatch Administrative Console is the nerve center of cwatch monitoring system, allowing administrators to configure and monitor web and traffic on networked computers. cwatch monitors all incoming and outgoing web traffic, uses multiple detection technologies to identify malware and features instant notifications when suspicious events occur. The interface also features a constantly updated reports section which contains details on the name, location, time and severity of any malware outbreaks. Main Areas: Configuration - Allows you to configure cwatch to monitor web and traffic for unsafe content. Clicking on any of the configuration icons will open a dedicated settings screen. See Configuring cwatch for more details. System Monitoring - Enables you to view a summary of the overall operating health of the cwatch environment. Any faults will be displayed here and, if configured, you will also receive an alert. Refer to the section Checking cwatch System Status for more details. Reports - View and export lists of discovered malware, suspicious files, unsafe domains and unsafe IPs. Refer to the section Reports for more details. My Account - Allows you to view license and update license details. You can also login to Comodo Accounts Manager (CAM) where you can view and modify account details. Refer to the section Managing Your Account for more details. Change Password - Allows administrators to change the current password to a new one. Refer to the section Changing cwatch Administrative Console Password for more details. 2.1.Configuring cwatch The cwatch system configuration screen allows you to configure various monitoring settings such as network IP address, enable /disable SMTP analysis server, clients network to be monitored, content analysis rules and notifications Comodo Security Solutions Inc. All rights reserved 21

22 Click the following links for more details on each of the configuration: Main Configuration Sniffer Configuration Content Analysis Rules Configuring Notifications Main Configuration In the Main Configuration screen, you can select the network IP address of the cwatch server as well as enable or disable the option to monitor s. To access the Main Configuration screen, click Configuration > Main Configuration 2014 Comodo Security Solutions Inc. All rights reserved 22

23 Local IP - Select the network IP address of the cwatch server. Enable SMTP analysis server - Select this option to enable the cwatch monitoring system to analyze the traffic that is sent to it as BCC. Refer to the section Configuring cwatch System and Mail Transfer Agent for Monitoring Traffic for more details. Enable web content checking - Select this option to enable the cwatch monitoring system to analyze the content of web pages visited by clients in the network. Refer to the section Sniffer Configuration for more details on specifying the network of clients to be monitored. Click the 'UPDATE' button Sniffer Configuration In the Sniffer Configuration screen, you can enter the network of clients that are to be monitored. You can add multiple client networks in this screen and configure other sniffer configuration settings. For the monitoring service to work, you should have configured the local network to send traffic to cwatch. Refer to the section Configuring cwatch System with Local Network for Monitoring Web Traffic for more details. To access the Sniffer Configuration screen, click Configuration > Sniffer Configuration 2014 Comodo Security Solutions Inc. All rights reserved 23

24 Sniffer Configuration - Table of Parameters Configuration Parameter Description Clients network Enter the clients network IP address or CIDR notation that cwatch server should monitor for web traffic. Multiple addresses can be entered here separated by comas. For example, /25, Listening network filter Enter the TCP ports or ranges that should be monitored for web traffic. Multiple ports can be entered separated by comas. For example, 80, Listening network interface Choose the network interface that cwatch server should listen to. The options available are eth0 and lo. Debug level Enter the debug level (0-10). Higher the value means more extensive log files will be created (only useful for debugging the application). Default value is 1. You can view the log file in the 'cwatch' folder in the cwatch system. Max number of dump files in the queue cwatch extracts key information from web traffic and creates dump files which are then queued for malware analysis. Normally, malware analysis of web traffic will take place in real-time and the dump files will be queued only during peak load time when the analysis engine is busy. The value entered here determines how many dump files can be queued at a time. If the dump files are not analyzed within the time set in the next option, 'Interval of dumping files rotation (mins)', then the older files will be cleared without analysis and new ones will be added in the queue. Comodo recommends to set the value between 3 and 10. Default value is 10. Interval of dumping files rotation The value entered here determines how long dump files should be queued for analysis 2014 Comodo Security Solutions Inc. All rights reserved 24

25 (mins) before they are discarded and replaced with new ones. The value you enter here will depend on the volume of web traffic and disk space. The value should be decreased if the network traffic is high and vice-versa. Default value is 5. Click the 'UPDATE' button Content Analysis Rules Content analysis rules determine the composition and configuration of the cwatch malware analysis engine. The more scanning components you enable, the better the analysis of traffic and detection of malware. To access the Content Analysis Rules screen, click Configuration > Content Analysis Rules Content Analysis Rules - Table of Parameters Configuration Parameter Max number of analyser processes Description Enter the maximum quantity of analyser processes that should run concurrently. The value entered here will depend on the amount of traffic being analyzed and on the hardware resources of the system on which cwatch is installed (CPU, memory etc). Default value is 20. analyser sleep timeout Enter the time in seconds after which the analyser will enter sleep mode if no traffic is available for monitoring Comodo Security Solutions Inc. All rights reserved 25

26 Debug level Enter the debug level (0-10). Higher the value means more verbose log files will be created (only useful for debugging the application). Default value is 1. You can view the log file in the cwatch folder in the cwatch system. Perform a remote scan files with Comodo Automated Malware Analysis Comodo Automated Malware Analysis (CAMAS) is a cloud based virus scanning and behavior monitoring system. Files with the security status 'unknown' are submitted and tested on CAMAS to check whether they perform malicious actions when they are run or opened. By default this setting is enabled. Comodo Automated Malware Analysis response waiting limit (sec.) If there is no response from CAMAS, the cwatch analyser will stop the checking. Enter the time in seconds after which cwatch will terminate the remote scan process. Default time is set to 450 seconds. Perform a local scan with Comodo AV Comodo Antivirus (CAV) is an industry recognized virus scanner that, if enabled, will run a local virus scan on all files passing through your network. The CAV signature database is updated daily. This setting is enabled by default. Comodo AV response waiting limit (sec.) If there is no response from Comodo AV, the cwatch analyser will stop checking. Enter the time in seconds after which cwatch will terminate the local scan process. Default time is set to 60 seconds. Perform a remote scan with ClamAV ClamAV - An open source antivirus engine designed for detecting malware on mail gateways. By default this setting is enabled. ClamAV response waiting limit (sec.) If there is no response from ClamAV, the cwatch analyser will stop checking. Enter the time in seconds after which cwatch will terminate the remote scan process. Default time is set to 60 seconds. Perform a remote scan with Comodo Comodo's File Look-up service contains the very latest database of known malware File Look-up signatures. If enabled, cwatch will create signatures of unknown files on your network and check for their presence in this database in real-time. By default this setting is enabled. Comodo File Lookup response waiting limit (sec.) If there is no response from Comodo File Look-up server database, the cwatch analyser will stop checking. Enter the time in seconds after which cwatch will terminate the remote scan process. Perform domains black-list checking If enabled, cwatch will also pass external requests from your network through a locallystored database of blacklisted domains, IP addresses and URLs. cwatch will regularly Perform IPs black-list checking download updates to this database to ensure you receive the very latest protection. By default, all the three settings are enabled. Perform URLs black-list checking Click the 'UPDATE' button Configuring Notifications cwatch will issue alerts if suspicious events occur on your network or if any problem is found with the cwatch system configuration. Notifications are sent to the address configured in the ' Notifications' screen. To access the Notifications screen, click Configuration > Notifications Comodo Security Solutions Inc. All rights reserved 26

27 address notifications sender - Enter the address from which notifications should be sent. address to receive notifications - Enter the address to which notifications should be sent. Sendmail - Enable this option if Sendmail MTA is used for sending mails. SMTP Server - Once you select this option, the fields to enter SMTP details will be displayed. SMTP server address - Enter the server address from which the notifications will be sent. SMTP server port - Enter the SMTP server port number. SMTP client login - Enter the username of the notification sender. SMTP client password - Enter the password used for the client. Click the 'UPDATE' button. 2.2.Checking cwatch System Status The 'System Status' screen provides at-a-glance information about the status of hardware and software on the cwatch server. Clicking on any item will reveal more details about the component in question. A notification will be sent to administrators if any 2014 Comodo Security Solutions Inc. All rights reserved 27

28 errors are found. The recipient of these notifications is configured in the Notifications screen. To access the 'System Status' screen, click 'System Monitoring' If all components are working normally then 'OK' will be displayed at the top of the screen. 'Warning' text is displayed next to any problems: Click the item with the warning to show more details: 2014 Comodo Security Solutions Inc. All rights reserved 28

29 In the example above, the main cwatch analyser daemon has stopped running and needs to be restarted. 2.3.Reports cwatch generates comprehensive reports for both web and traffic that are monitored and determined as unsafe or malicious. The HTTP analyser reports provides details of host IPs from which the web traffic originated, number of scanned sessions, number of malicious files detected and so on. The analyser reports provides details of from where the unsafe mail was sent, the date and time it was sent and so on. Click the following links for more details on each report: HTTP analyser Report analyser Report 2014 Comodo Security Solutions Inc. All rights reserved 29

30 HTTP Analyser Reports The HTTP Analyser report provides details of suspicious actions that have occurred on your network. This includes any malicious or untrusted files which have been downloaded and any blacklisted domains, URLs or IPs that have been visited by your users. The threats are color coded according to severity categorized. For example, red indicates high risk. To access the HTTP Analyser Report screen, click Reports > HTTP Analyser The reports screen for all scanned hosts will be displayed: The Reports interface displays the total number of hosts monitored, numbers of hosts identified with malicious and suspicious items and number of new hosts monitored as a summary at the top and a table containing details of the monitoring results Comodo Security Solutions Inc. All rights reserved 30

31 Scanned Hosts - Table of Parameters Column Description Host IP Displays the IP number of the system from which the web traffic originated. Risk Displays the category of risk whether Safe, Suspicious or High Risk for the scanned sessions. The color code also indicates the risk category: Safe - Green Suspicious - Yellow High Risk - Red Scanned Sessions Displays the total number of scanned sessions by cwatch. Malware Files Displays the total number of downloaded files that were categorized as High Risk. Clicking on the number will display more details such as the source IP number and port from where the file was downloaded and more. Refer to Viewing Report for Individual Host for more details. Suspicious Files Displays the total number of downloaded files that were categorized as Suspicious. Clicking on the number will display more details such as the source IP number and port from where the file was downloaded and more. Refer to Viewing Report for Individual Host for more details. Unsafe Domains Displays the total number of blacklisted domains visited. Clicking on the number will display more details such as the destination IP number and port where the site is hosted and more. Refer to Viewing Report for Individual Host for more details. Unsafe URLs Displays the total number of blacklisted URLs visited. Clicking on the number will display more details such as the destination IP number and port and more. Refer to Viewing Report for Individual Host for more details. Unsafe IPs Displays the total number of blacklisted IPs visited. Clicking on the number will display more details such as the destination IP number and port and more. Refer to Viewing Report for Individual Host for more details. By default, the report will be displayed for the current day. To change the date range, enter the date directly in the fields or click on it and select from the calendar. After selecting the date range, click the 'Show' button. You can filter the entries to display 'All entries', 'High Risk entries' or 'Suspicious entries' by clicking on the filter button on the right Comodo Security Solutions Inc. All rights reserved 31

32 After selecting the date and risk category filters, click the 'Show' button. The report for the selected date range and risk category filter will be displayed: Viewing Report for Individual Host You can view the detailed report for an individual host by clicking on the number under any of the unsafe item such as malware files, suspicious files and so on Comodo Security Solutions Inc. All rights reserved 32

33 Scanned Hosts: Detailed Report for Individual Hosts - Table of Parameters Column Risk Description Displays the category of risk whether Suspicious or High Risk for the scanned sessions. The color code also indicates the risk category: 2014 Comodo Security Solutions Inc. All rights reserved 33

34 Suspicious - Yellow High Risk - Red Destination Displays the destination IP number and port from which the file was downloaded or blacklisted domains, URLs or IPs Detected At The date and time at which the action was detected by cwatch. SHA1 Displays the hash algorithm of unsafe detected by cwatch. Details Displays the URL of the unsafe file that was downloaded and the detection tools that categorized the file as high risk/ suspicious. Click 'Return to IP List' link at the right to go back to main report page. Export Report to CSV File The log report can be exported to a comma separated value (CSV) file. Please note that exported file will display the entries in the same order as in the interface. Click the 'Export to CSV' button. In the ensuing dialog select 'Open' to view the file with an appropriate application or select 'Save file' to save the file to your computer Comodo Security Solutions Inc. All rights reserved 34

35 Click 'OK'. The values in the log report will be separated by commas and this file can be opened with appropriate application such as Excel or Openoffic Calc for easy analysis Analyser Reports The Analyser report is highly informative and provides details such as addresses of senders and recipients. The threats are categorized as high risk and suspicious with different color codes for each. While red color indicates high risk, yellow indicates suspicious mails that were detected. To access the Analyser Reports screen, click Reports > Analyser The reports screen for Checked s will be displayed: By default, the report will be displayed for the current day. To change the date range, enter the date directly in the fields or click on it and select from the calendar Comodo Security Solutions Inc. All rights reserved 35

36 After selecting the date range, click the 'Show' button. You can filter the entries to display 'All entries', 'High Risk entries' or 'Suspicious entries' by clicking on the filter button on the right. After selecting the date and risk category filters, click the 'Show' button. The report for the selected date range and risk category filter will be displayed: 2014 Comodo Security Solutions Inc. All rights reserved 36

37 Checked s - Table of Parameters Column Risk Description Displays the category of risk whether Suspicious or High Risk for the scanned s. The color code also indicates the risk category: Suspicious - Yellow High Risk - Red From Displays the from address of the sender To Displays the address of the recipient Proto Displays the protocol used for the mail transfer. Created At The date and time at which the report was created for the checked entry. Action Clicking the 'Show details' link for an entry will display the full details such as message ID, nature of threat detected and which component(s) of cwatch engine detected the threat. Refer to Viewing Report for an Individual for more details. Viewing Report for an Individual You can view the detailed report for an individual by clicking on the 'Show details' link under the 'Action' column. The individual report provides details such as message ID number, the addresses of the sender and recipient, category of risk, when the was detected as a threat, the hash algorithm of the attached malware file and which component(s) of cwatch detected it as a threat Comodo Security Solutions Inc. All rights reserved 37

38 Checked s: Detailed Report for Individual - Table of Parameters Column Risk Description Displays the category of risk whether Suspicious or High Risk for the checked . The color code also indicates the risk category: Suspicious - Yellow High Risk - Red Detected At The date and time at which the was detected by cwatch as a threat. SHA1 Displays the hash algorithm of unsafe attachment detected by cwatch. Details Displays the detection components that categorized the file as high risk/ suspicious. Click 'Return to List' link at the right to go back to main report page. Export Report to CSV The log report can be exported to a comma separated value (CSV) file. Please note that exported file will display the entries in the same order as in the interface. Click the 'Export to CSV' button Comodo Security Solutions Inc. All rights reserved 38

39 In the ensuing dialog select 'Open' to view the file with an appropriate application or select 'Save file' to save the file to your computer. Click 'OK' The values in the log report will be separated by commas and this file can be opened with appropriate application such as Excel or Openoffic Calc for easy analysis. 2.4.Changing Comodo Watch Administrative Console Password You can change your cwatch admin console password at any time from the Change Password screen. To change your password, click Change Password at the top: 2014 Comodo Security Solutions Inc. All rights reserved 39

40 Enter your current password in the first text field. Enter the new password in the second text field and confirm it in the next text field. Click the 'UPDATE' button. The Password was successfully changed message will be displayed. 2.5.Managing Your Account The 'My Account' interface displays your licenses and their validity and allows you to upgrade or renew your license. You can also purchase new licenses from the interface for activation, upgrade or renewal. The following sections provide more explanations on: Purchasing a new license for upgrade or renewal 2014 Comodo Security Solutions Inc. All rights reserved 40

41 Activating, Upgrading or Renewing your license To purchase a new license for upgrade or renewal Click Manage Account from the My Account interface. You will be taken to the login page of Comodo Accounts Manager (CAM) at If you already have an account with CAM, login to your account and click 'Sign Up to Comodo Watch' at the bottom of the page. If you are a new customer, click Create New Account and click 'Sign UP to Comodo Watch' Service. You will be taken to the purchase page of Comodo cwatch. Select the subscription package you want to use from the list displayed. Enter the User Details and Contact Information in the respective fields under 'Customer Information'. If you have already logged-in, the contact details will be auto-populated If you already having an account with Comodo, check 'Yes' box. You will only need to enter your Address/Login ID, Password, and Contact Information. Note: Fields marked with * are mandatory Comodo Security Solutions Inc. All rights reserved 41

42 Select the payment options and fill the credit card details. Select the checkbox in the 'Communication Options' section, if you want to be kept informed about special offers, Comodo products and upgrades Comodo Security Solutions Inc. All rights reserved 42

43 Read the Terms and Conditions and accept to it by selecting the 'I accept the Terms and Conditions' check box. Click 'SIGN UP.' You will receive a confirmation and the license key at the address. You can also get the license key from To Activate, Upgrade or Renew your license Paste the license key from the page into the text field in the 'My Account' interface and click 'Update'. The entered license key will be checked and after successful validation, a confirmation message will be displayed Comodo Security Solutions Inc. All rights reserved 43

44 About Comodo The Comodo companies are leading global providers of Security, Identity and Trust Assurance services on the Internet. Comodo CA offers a comprehensive array of PKI Digital Certificates and Management Services, Identity and Content Authentication (Two-Factor - Multi-Factor) software, and Network Vulnerability Scanning and PCI compliance solutions. In addition, with over 10,000,000 installations of its threat prevention products, Comodo Security Solutions maintains an extensive suite of endpoint security software and services for businesses and consumers. Continual innovation, a core competence in PKI and a commitment to reversing the growth of Internet-crime distinguish the Comodo companies as vital players in the Internet's ongoing development. Comodo, with offices in the US, UK, China, India, Romania and the Ukraine, secures and authenticates the online transactions and communications for over 200,000 business customers and millions of consumers, providing the intelligent security, authentication and assurance services necessary for trust in on-line transactions. Comodo Security Solutions, Inc Broad Street STE 100 Clifton, NJ United States Tel : EnterpriseSolutions@Comodo.com For additional information on Comodo - visit Comodo Security Solutions Inc. All rights reserved 44