USER GUIDE
This document is the property of HAURI Inc. Unauthorized distribution or leaking of this document is prohibited.
Copyright © HAURI Inc
Contents
1. ViRobot Management System 4.0
1.1 Overview
1.2 Check Points for Installation
1.3 System Requirements
2. Key Features
2.1 ViRobot Management System Server
2.1.1 VMS Server Log Viewer
2.1.2 VMS Server Settings
2.1.3 VMS Server Updates
2.2 ViRobot Management System Console
2.2.1 VMS Console Login
2.2.2 VMS Console Monitoring
2.2.3 Management Menu
2.2.4 Policy Management
2.2.5 Console Configuration
2.3 ViRobot Management System Agent
2.3.1 Settings
2.3.2 Log Viewer
2.3.3 View Notice
2.3.4 Update
2.3.5 Check Server Connection
2.3.6 Virus Scan
2.3.7 Display ViRobot
2.3.8 Stop Real-Time Monitoring
2.3.9 Information
3. Potential issues and troubleshooting methods on using ViRobot Management System 4.0
3.1 How to troubleshoot the issues
3.1.1 Potential issues on installation
3.1.2 Potential errors on using VMS4.0
Chapter 1
ViRobot Management System 4.0 Introduction
1. ViRobot Management System 4.0

1.1 Overview
ViRobot Management System 4.0 is HAURI's total management tool, with client vaccine management as its major function. This user guide explains how to operate ViRobot Management System 4.0 correctly; please refer to its contents for effective operation.

1.2 Check Points for Installation
1) Communication Port

Product: VMS Server
- Port 18600: One of the service ports that make up the VMS 4.0 server. It is the communications channel to the Agent for policy distribution.
- Port 18604: One of the service ports that make up the VMS 4.0 server. It is a communications channel that processes commands by connecting data received from the VMS Agent with the database system.
- Port 18607: The port that receives local or remote administrator commands. It receives and performs functions related to VMS server settings and management.
- Port 18632: One of the VMS server communications channels. It collects and records files suspected as viruses, proactively blocked files, and disinfected files, and automatically sends them to the Hauri Collection Server.
- Port 18639: A communications channel that distributes the VMS module, ViRobot module, Hauri common module, and engine module on request of the VMS Agent.

Product: VMS Agent
- Port 18605: A communications channel to transmit/receive data from the VMS Agent Service to the VMS Console, VMS Server, and Socket.
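To verify the ports listed in section 1.2 on an installed host, the following added example (not part of the HAURI guide or product) parses `netstat -ano -p tcp` output and reports which VMS ports are listening, on which local addresses, and which are missing. The sample netstat output, its addresses and its PIDs are constructed for illustration; the port roles come from the list in section 1.2.

```python
"""Audit VMS 4.0 listening ports from `netstat -ano -p tcp` output (added example)."""
import re

# Port roles as listed in section 1.2 of the guide.
VMS_PORTS = {
    18600: "VMS Server: policy distribution to agents",
    18604: "VMS Server: agent data processing with the database",
    18607: "VMS Server: local or remote administrator commands",
    18632: "VMS Server: collection of suspicious/blocked/disinfected files",
    18639: "VMS Server: module and engine distribution",
    18605: "VMS Agent: agent service channel",
}
SERVER_PORTS = (18600, 18604, 18607, 18632, 18639)
AGENT_PORTS = (18605,)
WILDCARD_ADDRS = {"0.0.0.0", "[::]"}  # bound to every interface

# Matches "  TCP  0.0.0.0:18600  0.0.0.0:0  LISTENING  2140" and the
# bracketed IPv6 form "  TCP  [::]:18600  [::]:0  LISTENING  2140".
_ROW = re.compile(
    r"^\s*TCP\s+(?P<addr>\[[^\]]*\]|[^\s:]+):(?P<port>\d+)\s+\S+\s+"
    r"(?P<state>[A-Z_0-9]+)\s+(?P<pid>\d+)\s*$"
)

# Constructed sample: 18632 appears only as the REMOTE port of an outbound
# connection, so it must not be counted as a local listener.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:18600          0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:18604          0.0.0.0:0              LISTENING       2188
  TCP    127.0.0.1:18607        0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:18639          0.0.0.0:0              LISTENING       2316
  TCP    192.0.2.10:18600       192.0.2.57:49822       ESTABLISHED     2140
  TCP    192.0.2.10:51022       192.0.2.57:18632       ESTABLISHED     4012
  TCP    [::]:18600             [::]:0                 LISTENING       2140
"""


def parse_listeners(netstat_text):
    """Return {local_port: [(local_address, pid), ...]} for LISTENING rows only."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m or m.group("state") != "LISTENING":
            continue  # headers, blank lines, ESTABLISHED/TIME_WAIT rows
        port = int(m.group("port"))
        listeners.setdefault(port, []).append((m.group("addr"), int(m.group("pid"))))
    return listeners


def audit(netstat_text, expected_ports):
    """Compare the listeners found against the ports the guide says must be open.

    Returns a dict with:
      listening      - {port: [local addresses]} for expected ports that are bound
      missing        - expected ports with no listener
      all_interfaces - expected ports bound to a wildcard address
    """
    listeners = parse_listeners(netstat_text)
    report = {"listening": {}, "missing": [], "all_interfaces": []}
    for port in expected_ports:
        binds = listeners.get(port)
        if not binds:
            report["missing"].append(port)
            continue
        addrs = [addr for addr, _pid in binds]
        report["listening"][port] = addrs
        if any(a in WILDCARD_ADDRS for a in addrs):
            report["all_interfaces"].append(port)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, SERVER_PORTS)
    for port, addrs in result["listening"].items():
        print(f"{port} listening on {', '.join(addrs)} ({VMS_PORTS[port]})")
    for port in result["missing"]:
        print(f"{port} NOT listening ({VMS_PORTS[port]})")
```

On a real host, pass the captured text of `netstat -ano -p tcp` in place of `SAMPLE_NETSTAT`, and use `AGENT_PORTS` when auditing an agent machine.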
1.3 System Requirements
Minimum hardware/software requirements for running VMS Server, VMS Console, and VMS Agent are as follows.

VMS Server
- CPU: Pentium 4 1.5 GHz or higher
- Memory: 1GB or higher
- HDD: 5GB of free disk space or more
- OS: Windows Server 2000 SP3 or higher, Windows Server 2003, Windows Server 2008, Windows XP Pro, Windows Vista/7 (32bit/64bit)
- SW: MS SQL 2005, Winsock 2.0 or upper version

VMS Console
- CPU: Pentium 4 1.5 GHz or higher
- Memory: 1GB or higher
- HDD: 2GB of free disk space or more
- OS: Windows Server 2003, Windows Server 2008, Windows XP Pro, Windows Vista/7 (32bit/64bit)
- SW: Net FrameWork 3.5, Winsock 2.0 or upper version

VMS Agent
- CPU: Pentium 3 1GHz or higher
- Memory: 512MB or higher
- HDD: 500M of free disk space or more
- OS: Windows Server 2000 SP3 or higher, Windows Server 2003, Windows Server 2008, Windows 2000 Pro, Windows XP Pro, Windows Vista/7 (32bit/64bit)
- SW: Windows 2000 Internet Explorer 6.0, Winsock 2.0 or upper version
Chapter 2
ViRobot Management System 4.0 Key Features
2. Key Features

2.1 ViRobot Management System Server

2.1.1 VMS Server Log Viewer
The Log Viewer lets the user check database (log) information from the VMS Server. Both VMS Server system information and the log information saved in the DB can be checked.

(1) System Information Screen
It consists of Server information, Database information, Service status, and Update information. The system information can be checked as below.
[Fig. 1] VMS Server System Information

I. Server Information
- Server type: Primary server or secondary server is displayed.
- Center server: SUS (Signature Update Server) connected to Hauri is displayed.
- Authentication status: License status of VMS server is displayed.
- Collecting service: Collect service status information is displayed.
- HDD Free Size: Available hard disk capacity is displayed.
- HDD Total Size: Total hard disk capacity of the system is displayed.
- Install Path: The path where VMS Server 4.0 is installed is displayed.

II. DataBase Information
- DataBase Type: Type of DBMS connected to VMS server is displayed.
- DataBase IP: DBMS IP address is displayed.
- DataBase backup ratio: DB backup ratio is displayed.
- DataBase Mdf Size: Size of the MS SQL database's actual data file is displayed.
- DataBase Ldf Size: Size of the MS SQL database's log data file is displayed.

III. Service Status
- Management service: Management service status is displayed.
- Data collecting service: Data collecting service status is displayed.
- Policy service: Policy service status is displayed.
- File service: File service status is displayed.
- Update service: Update service status is displayed.
- Collecting service: Collecting service status is displayed.
- Log service: Log service status is displayed.

IV. Update Information
- Module name: Installed module name is displayed.
- Module version: The latest version information of each module is displayed.
- Engine version: The latest engine version information is displayed.

(2) Log Information
It provides a function that checks the logs of each VMS server service via the database.
[Fig. 2] VMS Server Log Information

I. Manager Server
The log of management service start/stop events and VMS server setting changes is displayed.
II. Data server
Process results for data received from the VMS agent can be checked.
III. Policy server
Policy results and process results produced from the VMS console can be checked.
IV. File server
The file distribution process results for the VMS module, ViRobot module, common service module, and engine module, which are transmitted on request of a subserver or VMS agent, can be checked.
V. Update
VMS Agent process results and the results of manual updates can be checked.
VI. Scheduler
Scheduler task process results of the VMS Agent can be checked.
VII. Collecting server
Process results for the files collected from the VMS server can be checked.
2.1.2 VMS Server Settings
VMS Server is provided as a server-type service, and a Windows system tray icon is shown after installation.
[Fig. 3] VMS Server Main Screen

(1) Settings
VMS server type and notification function can be set.

I. Select server type
A. Main server
If the VMS Server is at the top of the hierarchy, it can be set as the main server. If main server is selected, the UI will be inactivated. If subserver is selected, server address setting will be enabled.
B. Subserver
Change the role of the VMS Server to subserver.
- Add: Input the IP address of the VMS upper server.
[Fig. 4] Addition server address
- Edit: Change an existing IP address of the VMS upper server.
- Delete: Delete an existing IP address of the VMS upper server.
- Check: Check the connection to the specified VMS server.
- Subserver option: Set the subserver options.
  - Policy: Set to synchronize the organization chart and policy information from the upper server. If this option is selected, policy data is synchronized from the upper server, so the two cannot be operated separately. In other words, when the option is selected, a user who accesses the subserver via the VMS console can neither use the policy management function nor configure a group. (Default: Enable)
[Fig. 5] VMS Secondary Server Options
[Fig. 6] Subserver console when subserver policy synchronization option is enabled
[Fig. 7] VMS server console on synchronizing subserver policy
  - File sending: Select the suspicious files to report from the subserver to the upper server. (Default: Enable)

II. Notice
Select the automatic notification function by setting the options below. (Default: Disable)
A. HDD size limit (1GB)
B. Send a notification if viruses are detected according to the following criteria.
Set the time limit and the number of virus infections to apply. The time limit is input in minutes, and the number of virus infections is based on the number of detected virus cases.
C. Daily virus status
The virus infection status for each date is sent by email.
D. Administrator mail setting: E-mail address, SMTP, account name, and password are required.
- E-mail address: Set the email address specified in the mail server.
- Sending e-mail (SMTP): Input the server address used for email transmission.
- Account name: Input the account registered in the mail server.
- Password: Input the password for the e-mail account.
[Fig. 8] Administrator email setting of notification Function

(2) Update
Set all VMS server update functions, such as update cycle, update module, and update via proxy.
[Fig. 9] VMS server update

I. Update cycle
A. Update cycle
The update cycle specifies how often the VMS server connects to the Hauri SUS (Signature Update Server) to update its latest patterns and engine files. If the schedule is set to 0, the update cycle is disabled. (Available range: 0~86400, Default: 14,400 seconds)
B. Schedule update
Make the VMS server perform updates by setting an update time.
[Fig. 10] VMS Server Scheduled Update
- Update restricted settings: Make the server start updating after the specified time. (Default: Do not set)
  - Do not set: No limit on update starting time.
  - Settings: Restricts the server from attempting an update until the specified time.
- Update cycle setting: Specify the cycle for scheduled updates. (Default: Do not set)
  - Do not set: Unspecified update cycle.
  - Daily: Attempt to update daily, the specified number of times. The number of times can be set from 2 to 99.
  - Weekly: Attempt to update on the specified day.

II. Update module
Select the modules to update from the Hauri server. To select an update module, click the check box twice to set or cancel it. (Default: Enable all)
A. Module Type
- ISMS 3.5: Previous product of VMS 4.0 (Total Security Management Solution of Hauri). If this option is selected, the update runs for the ISMS 3.5 module.
- VMS4.0: Module for controlling ViRobot. If this option is selected, the update runs for the VMS module.
- VRIS2011: Module for ViRobot Internet Security 2011. If this option is selected, the update runs for the ViRobot module for PC.
- VRSP2011: Module for ViRobot Server Protection 2011. If this option is selected, the update runs for the ViRobot module for server.

III. Proxy Settings
Updates can run correctly through a content-filtering proxy server as well as a general proxy server. For a general proxy server, just input values in the IP address and port fields. For a content-filtering proxy server, check the Activation check box and enter the user account and password. (Default: Disable)
[Fig. 11] VMS Server Proxy Settings
A. IP Address: Input the IP address of the proxy server.
B. Port: Input the port available for access via the proxy server. (Default: 8080 Port)
C. Activation: Set this field for a content-filtering proxy server. When the check box is checked, the user account and password fields are activated.
- User Account: Input the user account for the proxy server.
- Password: Input the password for the user account.

VMS Server updates run as either automatic updates or manual updates. Automatic updates are divided into updates by the access cycle of the VMS server and updates by the scheduled task wizard. If the scheduled task wizard is set, the update runs when the VMS server access cycle is reached after the starting time.

(3) Performance log
The user can set the number of simultaneous accesses allowed for each service provided by the VMS server, and the log information that can be checked from the VMS console.
[Fig. 12] VMS Server Performance/Log

I. Performance
A. The number of simultaneous accesses for each server service can be set. The access numbers can be set between 1 and 999.
- Agent information: Agent data collection session (Default: 2000)
- Policy service: Agent policy session (Default: 2000)
- Update file service: Update session to provide files to a secondary server or agent when updated. (Default: 2000)
- File collecting service: Collectible session from agent (Default: 2000)

II. Send to console
A. Set the logs that can be checked from the VMS console. (Default: Enable all)
- Agent connection information: Agent information and property logs are transmitted to the console.
- Virus infection information: Virus infection logs are transmitted to the console.
- Update information: Update access logs are transmitted to the console.
- Network infection information: Network infection logs are transmitted to the console.
- File collection information: File collection logs are transmitted to the console.

(4) DataBase
By specifying the DBMS that is connected with the VMS server, the VMS database log management function is provided.
[Fig. 13] VMS Server DB Settings

I. DB server settings
A. Server type: Select the MS SQL DB connected to the VMS server. VMS 4.0 supports MS SQL 2005 ~ 2008.
B. Server: Input the accessible IP address of the DBMS.
C. Port: Input the access port of the DBMS.
D. Account: Input the account registered in the DBMS.
E. Password: Input the password for the access account.
F. Check: Confirm access to the DBMS specified by an authorized manager. When the [Check] button is clicked, DB backup, deletion, and log transmission will be done.

II. DB Backup
A. Sets automatic backup of major data in the VMS database, such as virus logs and property data. The auto-backup cycle can be set to daily, weekly, or monthly with a specified time, day, and date. (Default: Monthly, 1st, 01:00 AM)

III. Delete DB
A. Sets automatic deletion of old task logs before the specified date from the VMS database. It can be set between 1 and 999. The default setting is to delete old task logs before 31.

IV. Send to DB
A. Send logs to the DB by checking/unchecking log types in the box below. (Default: Enable all)
- Property information: Transmit agent software and hardware data to the DB.
- Virus infection information: Transmit received virus infection data to the DB.
- Update information: Transmit update-related logs to the DB.
- Network infection information: Transmit data on virus infections spreading via the network to the DB.

(5) Install induction
It specifies whether to use the installation guide server for the VMS Agent, VRIGIS (ViRobot Installation Guide System). When the check box is checked, the installation guide server is activated for registration, and the user can add, edit, or delete the information. (Default: Disable)
[Fig. 14] VMS Server Installation Guide Settings
I. Add: Installation guide server data can be input.
[Fig. 15] Addition of Installation Guide Server
A. Server address: Input the VRIGIS server IP address.
B. Server: Input the VRIGIS server details.
II. Edit: Existing VRIGIS server data can be edited.
III. Delete: Existing server data can be deleted.

(6) Property Setting
VMS Server properties can be set. The defaults show the data input at the time of VMS server installation. Server name, company name, and division name must be input. When the Apply button below is clicked, the changed properties are applied.
[Fig. 16] VMS Server Properties
I. Server name: Input the VMS server name.
II. Company name: Input the company name.
III. Division name: Input the group information.
IV. User name: Input the VMS server administrator name.
V. Telephone number: Input the contact number.
VI. Others: Input additional information.

2.1.3 VMS Server Updates
The latest engine and signatures are downloaded from the SUS (Signature Update Server) via the server update menu. When a normal update is not possible or an urgent update exists, the administrator can update manually with this function.
[Fig. 17] VMS Server Module Update
2.2 ViRobot Management System Console
VMS Console provides various agent management functions in addition to counting and displaying virus status. Once the VMS server has collected data, the console can use it to remotely perform various commands on agents.

2.2.1 VMS Console Login
[Fig. 18] VMS Console Logon Screen
If login to the VMS console fails five times, the account is locked for security reasons, and the user must try to log in again after five minutes.
If the user inputs a wrong password for the manager account, an error message is displayed. If the user fails to log in five times consecutively, an error message is displayed even if the correct password is input on the 6th attempt. The user can try to log in again five minutes later.
2.2.2 VMS Console Monitoring
[Fig. 19] VMS Console Main Screen

(1) Action
The user starts or stops the monitoring action. (Default: Start)

(2) Item
The user checks real-time monitoring information from the main screen. The monitoring items are as below.
- Server System Resources: Display VMS server hardware (CPU, Network, HD, Memory, etc.) use in real time.
- Real-Time Infection Status: Display the total number of infections for files, spyware, and network viruses.
- File Collecting from Quarantine: Display the total number of files suspected as malware or misdiagnosis by scanning collected files.
- Server Service: Display VMS server service status for remote monitoring. The services available for display are updates, data collection, logs, policies, schedules, files, management, and collect service.
- Agent Status: Display the number of agents simultaneously accessing the VMS server service.
- Server Information: Display server type, server address, number of management nodes, use of misdiagnosis detection, use of automatic collection, and use of proactive quarantine for the business being monitored from the VMS console.
- Data Base: Display address, type, Ldf size, Mdf size, backup date, and backup frequency setting for the database used by VMS.
- Module version: Display the engine version of the ViRobot products interworking with the VMS server.
- New Malware information: Display the latest malware information such as viruses, spyware, suspicious programs, etc.
2.2.3 Management Menu
[Fig. 20] VMS Console Management Menu Screen

(1) Group information
This is the hierarchical node management window for the VMS Server. Lower servers or agents connected to the VMS server are managed hierarchically. If the administrator selects a group for a task or command, all nodes below the selected group perform the command.

(2) Management Menu
All status information for management nodes can be checked from the console.

I. Node classification
- All: It shows a list of all currently active agents.
- Normal: It shows only normal agents after performing Check network.
- Failure: It shows only abnormal agents after performing Check network.
- Error: It shows only agents determined as faulty due to long-term disconnection.
- Duplicated: It shows only agents connected with the same IP.

II. Node type
- Agent: It shows only agent nodes in the node info window.
- Server: It shows only server nodes connected to the VMS server in the node info window.
- Group: It shows only group information connected to the VMS server in the node info window.

III. Policy
- Distribution status: It shows the application status of policies distributed from the VMS server.

IV. ViRobot
- Remote scan result: It shows remote virus scan results in the task info window.

V. Virus Log
- All: It shows all detected malware logs.
- Virus: It shows only file-related virus logs.
- Spyware/Adware: It shows only spyware-related logs.
- Network virus: It shows only memory-scan-related logs.

VI. Security management
- Shared folder: It shows the sharing information that is set in the agent system.
- Worm vulnerability: It shows worm vulnerability information that exists in the agent system.

VII. Property management
- Hardware: It shows agent hardware information after running hardware data in data update.
- Software: It shows agent software information after running software data in data update.

VIII. False positive
- Collected information: It shows information collected from the agent for rootkit, DLL injection, run reg, host file modification, and files with network traffic threshold.

IX. Log
- Console command: It shows task information processed via the console.

X. Remote Command
It can be used by right-clicking in group information or node information. A group remote command is applied equally to all lower nodes in the group. A node remote command performs the task per node.

A. Group remote command
- Group settings: Add, edit, or delete a group in group information.
- Add agent: The user can manually add an agent to the selected group. To add an agent, specify a starting IP or IP band. Manually added agents have unknown node status ( ) until connection to the VMS server is confirmed.
[Fig. 21] VMS Console - Add Agent
- Add server: The user can manually add a VMS server node to the selected group.
[Fig. 22] VMS Console - Add Server
- Check network: The user can see the network connection for the selected group. The network connection check is based on the reply to an echo request using the ICMP protocol. In the event of connection failure, node status becomes unchecked network connection status ( ).
- Check agent: The user can see the connection with the system agent of the selected group node. The agent check is done by connecting to the agent service port. In the event of failure, node status is changed to Failure node status ( ).
- Restart agent: The VMS agent service for the selected group node restarts.
- Induce update: Engine and module updates for the group node are performed.
- Induce apply policy: Policies assigned by group are induced to be applied. Applicable policies can be checked through assignment status, and the assigned policies may be cancelled in the task information window. Please refer to policy assignment below for further information about policy assignment and cancellation.
- ViRobot: ViRobot is controlled via the VMS console. The administrator can perform a virus scan remotely, and the scan results can be checked in ViRobot-Remote scan results of the management menu. In addition, real-time virus monitoring and real-time network security for the agent system, and control (start/stop) of Hauri self-defense service status, can be performed.
- Update information: Hardware, software, worm vulnerability, and shared information can be checked through the VMS console; security and property management can be checked per agent after running the command.
- Change agent group setting: The agent group setting can be changed.
[Fig. 23] Change VMS Agent group setting
  - Set group
    - User defined group name: The VMS console administrator can select the agent group through the group map registered in the VMS server.
[Fig. 24] Change VMS console administrator defined agent group name
    - Change Workgroup name to group name: Register agent group information as Workgroup, the default value of the VMS console.
  - Change user name to computer name: Change the agent node name to the user's computer name. At this time, the group information that has agents is reset.
  - Server connection cycle: Change the VMS server connection cycle that is set in the agent.
  - Change server list
    - Add: Add a VMS server that the agent connects to in the server list.
[Fig. 25] Add VMS console agent server
    - Delete: Delete a VMS server address that exists in the server list.
- Request to modify user information
[Fig. 26] Request for user information change
  - Notice: The VMS console administrator can set a notice to show to the agent.
  - User information: Request to change the user information that is registered in the agent.
    - The user can change it directly: The agent user can change it by inputting the new name directly.
    - It changes the user name to the computer name: Set the agent's registered name to be the same as the computer name.
[Fig. 27] Request to change VMS agent user information name
  - Group name
    - It changes to Admin's defined group name: The VMS console administrator selects the agent's department by searching the group map registered in the VMS server.
    - It changes the Workgroup name to the group name: Register agent group information as Workgroup, the default value of the VMS console.
    - The user can change it directly.
    - The user selects the group and changes it: The agent system user can select a group from the group information registered in the VMS server.
[Fig. 28] Change user defined agent group
  - Change telephone number: Change the telephone number that is used for agent user settings.
  - Change mobile phone number: Change the mobile number that is used for agent user settings.
  - Change user description: Change the description that is used for agent user settings.
  - Change other contact: Change the registered contact information that is used for agent user settings.
- Assign policy: Select the agent, window, deploy, ViRobot, and subserver policies to assign. When assigning a policy, the list of created policies is displayed by policy type. Once a policy is assigned, it is marked separately, so the administrator can assign or recall the policy.
[Fig. 29] Assign VMS agent policy
- Recall policy: Recall all assigned policies from groups. The administrator can check the recalled policies in the assign policy information window.
- Empty Recycle Bin: Delete node information that exists in the group information's recycle bin. Deleted node information cannot be restored.
- Restore all items: Restore all node information from the recycle bin.

(3) Node Information
The administrator can check detailed node information from the console.
- Modify column information: Select the columns to print out to node information.
[Fig. 30] Modify the column of node information
  - All<<: Move all unselected column information to the selected column information so that it is printed out to the console.
  - All>>: Move all to the unselected column information. At least one column must remain registered.
[Fig. 31] Error when there is no selected column information
  - >>: Move some parts to the selected column information.
  - <<: Move some parts to the unselected column information.
  - Default: Reset the value to default.
  - : Move columns by ascending order.
  - : Move columns by descending order.
[Fig. 32] Display the selected column information only

Column information that can be searched in the VMS4.0 console (Column name: Description)
- Node name: Agent node name
- Division name: Assigned division name
- Local address: Agent IP
- Recently connected time: Recently connected time to VMS server
- User name: User name that is provided on interlocking with HR DB
- Version: Agent product version
- Server address: Connected VMS server IP address
- OS name: Agent OS name
- OS version: Agent OS version
- Computer name: Agent system computer name
- ViRobot version: ViRobot product version
- ViRobot installation info: Agent system ViRobot installation information
- ViRobot engine: ViRobot engine version
- Realtime monitoring: Agent ViRobot Realtime monitoring status
- Realtime network protection: Agent ViRobot network protection status
- Self-defense(Process): Agent ViRobot process protection status
- Self-defense(File): Agent ViRobot file protection status
- Self-defense(Registry): Agent ViRobot registry protection status
- Self-defense(DLL Injection): Agent ViRobot DLL Injection status
- OS type: Agent system's platform information
- Explanation: Agent's additional information
- OS edition: Agent OS edition information
- ID number: ID number on interlocking HR DB
- Others: Other phone number information on interlocking HR DB
- Entire division name: Entire division name from VMS server registered agents
- IP integer type: Display IP as integer type
- OS language: Agent OS language information
- Mobile phone: Agent registered mobile phone number
- Node ID: Agent MAC address
- Node type: Agent type information
- Organization ID: VMS server registered group ID
- OS service pack: Agent OS's service pack information
- OS shell name: Agent OS's Shell information
- Status: VMS server registered agent connection status information
- Telephone number: Agent registered phone number
- Agent group name: Agent registered group name
- ViRobotReserverd8: Other reserved column (enable by user definition)

A. Node remote command
[Fig. 33] VMS console node remote command menu
- Register search: Register a search keyword in the agent management environment, and search the node information by the preset option. The user can input the search keyword using logical operators (and, or) and comparison operators (=, Like, >, <, >=, <=). After keyword registration is completed, register search in node information changes to search mode.
[Fig. 34] VMS console keyword register
- Check network: Check the network connection for the selected group. It works by echo request/reply via the ICMP protocol, and if the connection fails, node status changes to network connection unchecked status ( ).
- Check agent: Check the selected group node's agent connection. It works by connecting to the agent service port, and if it fails, node classification changes to failed node status ( ).
- Restart agent: Restart the selected group node's VMS agent service.
- Induce update: Induce engine and module updates for the group node.
- Induce Apply policy: Induce application of the policy assigned per group. The applied policy can be checked through the policy assign window, and the assigned policy can be recalled, too. For more information, refer to the policy assignment section.
- ViRobot: Control ViRobot from the VMS console. The administrator can analyze viruses remotely, and the result is displayed in ViRobot-Remote analysis result in the management menu. It can also control the agent system's Realtime virus analysis, Realtime network protection, and HAURI self-defense service.
- Update information: Hardware and software information, network vulnerability information, security patch information, worm vulnerability information, and shared information can be checked per agent.
- Remote Command: The user can run the remote commands below in real time via the VMS agent.
  - Send message: A message is transmitted to the agent. The message can be checked from the agent system.
[Fig. 35] VMS Console Send message
[Fig. 36] VMS Agent Received Message
  - Send files and execute: Files are transmitted to the agent system and executed. The administrator can add files to the file list and safely transmit files by specifying the location.
[Fig. 37] VMS Agent File transfer and Run
  - Execute program: The administrator can run a program by specifying application program paths and executable files of the agent system.
[Fig. 38] VMS Agent Run agent application
  - End Windows: Windows shutdown, power off, and rebooting of the agent system can be performed.
[Fig. 39] VMS Agent End Windows
  - Block malicious process: By specifying an unwanted process in the agent, a specific process can be terminated.
[Fig. 40] VMS Agent Harmful process block
[Fig. 41] VMS Agent Setup/Add the harmful process files
- Agent Settings: It changes agent group settings.
[Fig. 42] VMS Agent group setting Change
[Fig. 43] VMS Agent - Request for User Information Change
- Policy Assignment: Agent, Windows, distribution, ViRobot, and secondary server policies are selected and set for assignment. When assigning a policy, a list of created policies is shown by policy type. As assigned policies are indicated separately, the administrator can assign or cancel policies after checking which policies are assigned.
[Fig. 44] VMS Agent Policy Assignment
- Policy Cancellation: All policies assigned to the group are cancelled. Cancelled policies can be checked through assignment status.
- Empty Recycle Bin: Node data in the recycle bin of group information is removed. Removed node data cannot be restored.
- Restore Recycle Bin: Node data in the recycle bin is restored.

B. Node Remote Command
[Fig. 45] VMS Console Node Remote Command Menu
- Keyword Registration: In an environment where multiple agents are managed, it searches node information for specified conditions by keyword registration. Keyword registration is done by selecting keyword registration and a condition and clicking the button. Keywords can be input by selecting a node data column and using logical operators (and, or) and comparison operators (=, Like, >, <, >=, <=). When keyword registration is completed, search registration for node information changes to search mode.
[Fig. 46] VMS Console Keyword Registration

Network Check: User can see the network connection for the selected group. The network connection check is based on the reply to an echo request using the ICMP protocol. In the event of connection failure, the node status becomes the unchecked network connection status.
Agent Check: User can see the connection with the system agent of the selected group node. The agent check is done by connecting to the agent service port. In the event of failure, the node status is changed to the Failure node status.
Agent Restart: The VMS agent service for the selected group node restarts.
Update Guide: Engine and module updates for the group node are performed.
Policy Application Guide: Application of the policies assigned by group is guided. Applicable policies can be checked through the assignment status, and the assigned policies may be cancelled in the task information window. Please refer to policy assignment below for further information about policy assignment and cancellation.
ViRobot: ViRobot is controlled via the VMS console. The administrator can perform a virus scan remotely, and the scan results can be checked in ViRobot-Remote scan results of the management menu. In addition, real-time virus monitoring and real-time network security for the agent system, and control (start/stop) of the Hauri self-defense service status, can be performed.
Information Updates: Hardware, software, network vulnerability, security patch, worm vulnerability, and shared information can be checked by agents for the node in real time.
Remote Commands: User can run the remote commands below in real time via the VMS agent.
Send message: A message is transmitted to the agent. The message can be checked from the agent system.
[Fig. 47] VMS Console Message Transmission

Send files and execute: Files are transmitted to the agent system and executed. The administrator can add files to the file list and safely transmit them by specifying a location.

[Fig. 48] VMS Agent File transfer and execution

Execute program: The administrator can run a program on the agent system by specifying the application program path and executable file.
[Fig. 49] VMS Agent application execution

End Windows: Windows shutdown, power-off, and reboot can be performed on the agent system.

[Fig. 50] VMS Agent Windows end

Block malicious process: By specifying a harmful process on the agent, that process can be terminated.

[Fig. 51] VMS Agent malicious process blocking
[Fig. 52] VMS Agent harmful process files setting

Remote Registry: It runs the registry editor on the agent system. The edit function for the remote registry can be run only when the agent system user accepts it.
Remote Explorer: It runs Explorer, the Windows file management tool. Remote explorer can be run only when the agent system user accepts it.
Remote Process Manager: It runs the Windows process management tool. Remote process manager can be run only when the agent system user accepts it.
Remote Control: It runs the remote desktop tool on the Windows system. The remote desktop tool can be run only when the agent system user accepts it.
Agent Settings: Modify group setting, user information, settings change request, and user information change request.
Group setting: Agent division information and VMS server connection settings can be changed.

[Fig. 45] VMS agent group information change
It changes the Workgroup name to the dept. name: Register agent group information to Workgroup, the default value.
It changes the user name to the computer name: Change the agent node name to the user computer name. At this time, the agent dept. name is reset.
Server connection interval: Change the VMS server connection interval.
Change server list
Add: Add a VMS server to the list from the agent.

[Fig. 46] Add VMS console agent server

Delete: Delete a VMS server address from the server list.
User Information Setting: User information for the VMS agent is changed.

[Fig. 47] VMS Agent User Information Settings

Name: Change the agent user name.
Group name: Change the agent group information.
Telephone: Change the agent's registered phone number.
Mobile phone: Change the registered mobile number.
Management number: Change the registered management number.
Description: Change the agent's registered description.
Request environment setting: Request settings information for the VMS agent.
[Fig. 48] Request VMS agent environment settings

Request to modify user information: Request to change the agent user information.

[Fig. 48] VMS Agent Settings Change

Notice: Notice to display to the agent.
User information: Request the agent's registered user information.
The user can change it directly: The agent user can change it by inputting the new name directly.
It changes the user name to the computer name: Set the agent's registered name to be the same as the computer name.
Send to Recycle Bin: The selected agent is removed from the node information window. Removed node data can be restored from the recycle bin in the group information window.

C. Server Remote Command

Check network: The network connection status can be checked through Ping for the VMS server node.
Check server: The service port for the VMS server node can be checked.
Synchronize Server: The VMS primary server policy, VMS, ViRobot module, engine and signature are synchronized, or the VMS console subserver policy is assigned and applied.
Assign server policy: The subserver policy is assigned.
2.2.4 Policy Management

[Fig. 49] VMS Console Setting Menu Screen

1 VMS Policy Information
It shows a list of policies for agent, Windows, distribution, ViRobot, and subserver.

2 Policy Settings
By selecting New Policy, user can add policies. When a policy is added and saved by filling in the items in the Add Policy window below, the policy list in the VMS policy information window is updated.

[Fig. 50] Policy Addition Settings

I. Policy Name
Input the policy name when adding a policy.
II. Parent Policy
To change a specific setting of an existing policy, select the existing policy and reset only the desired setting.
III. Details
Input additional descriptions for newly created policies.
[Fig. 6] Policy Information

IV. Policy Name
It shows created policies.
V. Policy Name
It shows a selected policy as parent policy.
VI. Administrator ID
It shows the name of the account that created the policy.
VII. Policy Version
It shows version information for created policies.

3 Distribution Status
It shows the distribution status for VMS agent by policy. It displays the distribution status for each policy with graphs, and shows distribution results by policy.

2.2.4.1 Agent Policy Settings Interface

[Fig. 52] VMS Agent Policy

General
User can change the VMS server connection frequency and server address for the agent.
[Fig. 53] VMS Agent Policy General Menu

I. Connection interval
Set the interval at which the agent connects to the server. The unit is seconds. If the connection interval is short, access to the server increases, which may overload the server equipment. It is recommended to use the default value assigned at installation. (14,400 seconds = 4 hours)
II. Server Settings
Add/Delete the server address that the agent connects to. (Default: Disable) By setting the Delete the server address in agent option, the existing server address can be deleted. The server address is a value entered at installation, and the user can't change it. If the user doesn't know the server address, please contact the administrator.

[Fig. 54] VMS Agent Policy General Server Addition

III. Agent Settings
Set the socket communication time value between VMS server and agent in seconds. (Default: 3 seconds)
Send the critical file to the server: Set the option to send a critical file to the VMS server when it is found on a system where the agent is installed.

Restrict Policy
[Fig. 55] VMS Agent Restriction Policy Menu

I. Ability to change of settings for VMS agent
Ability to change: The following options can be selected.
- Enable to change all (Default)
- Unable to change all
- Unable to change user settings tab
- Unable to change name/division
- Unable to change general tab
II. Password settings to uninstall agent
If a user arbitrarily removes the agent from a system, the system can't be protected from virus infection. Therefore a password is assigned for agent removal. (Default: Disable)
III. Password settings to stop agent service
Set a password to prevent the user from stopping the agent service manually. The password function for agent service suspension supports Windows XP, NT, 2000, and 2003. (Default: Disable)
IV. Alert settings
Set user notification.
A. Display update window
Set the Show update window option for when the VMS agent downloads engine and signature files, or when policy is automatically updated from the VMS server. (Default: Disable)
B. Display notice message
Set the agent message window not to appear to the user. (Default: Enable)

Error check
[Fig. 56] VMS Agent error check menu

I. VRDT (Interlocking product) agent error report
Report update errors by setting a specified period of time. (Default: 14 days)
II. Agent's HDD size
If the available HDD space on the agent system is below the set value, it is reported as a fault. (Default: 60 MB)

Worm Vulnerability Collection

[Fig. 57] VMS Agent Policy Worm Vulnerability collecting menu

I. Checking mode of vulnerability password: Select one of the scan modes below.
Do not check: Do not check for vulnerable passwords. (Default: Do not check)
Check all: Check for vulnerable passwords on all accounts in the agent system.
Check only NULL password: Check only for accounts without a password.
Check by the set value of administrator: Check only for vulnerable passwords registered by the administrator. The administrator can define the setting by adding vulnerable password data, and it is applied for the Check all or Check by the set value of administrator options when collecting worm vulnerability data.
[Fig. 58] VMS Agent Policy - Vulnerable Password Information Additional Settings

II. Operating option on detecting of vulnerable account: When a vulnerable account is detected during collection of worm vulnerability data, one of the actions below is performed.
Do nothing: When a vulnerable account is detected, the existing settings are maintained.
With notification to user: If a vulnerable account is detected, a message is sent that guides the user to change the password for the account. (Default: Enable)
Option for shared folder's privilege change: If the password for the vulnerable account is not changed, the permissions for all shared folders are cancelled. (Default: No change)
Without notification to user: If a vulnerable account is detected, no message is sent to the user and the permissions for all shared folders are cancelled.

Schedule

[Fig. 59] VMS Agent - Schedule Menu

I. Task Type: Agent updates and worm vulnerability check can be selected.
II. Operation cycle: Select one of the cycles below according to the task type.
- Perform on agent starting
- Perform once on connecting cycle (Do not perform on next cycle)
- Do nothing
III. Operation limit time settings: Set the time for running tasks by specifying a restriction time.
Do not change the existing setting: Apply the existing time-out setting.
Release limit: Cancel the existing time-out setting.
Time limit settings: Set a new time-out setting.
2.2.4.2 Windows Policy Settings Interface

[Fig. 60] VMS Windows Policy

1 General
Control some functions provided by the Windows operating system.

[Fig. 61] VMS Windows Policy General Menu

Activate firewall
Do not change: Leave the existing firewall setting. (Default setting)
Activate firewall: Enable the firewall to protect the user PC.
Deactivate firewall: Disable the firewall to allow access to the user PC from outside sources.

Control screen saver
Control screen saver settings in the agent OS.
I. Control administrator
Screen saver settings: Set the screen saver for the time the agent OS is not being used.
Password settings: Set a password on resume from the screen saver.
II. Maintain user settings: Maintain the value set by the user. (Default setting)

Control Autorun.inf
Control Autorun.inf, which runs when removable devices are inserted. A reboot is needed after applying the policy.
I. Do not change existing settings: Leave the existing auto-run settings. (Default setting)
II. Activate all drives auto-execution: Enable the auto-run setting for all drives for user convenience, such as program installation or device execution.
III. Deactivate all drives auto-execution (recommended): Disable the auto-run setting for all drives to prevent viruses from spreading through removable devices.

Activate system recovery
It controls System Restore, which restores the system to a previous backup point.
I. Do not change: Leave the currently set system restore function. (Default setting)
II. Activate system recovery: Set the system to restorable status.
III. Deactivate system recovery: Set the system to non-restorable status.

2 Windows Updates

[Fig. 62] VMS Windows Policy Update Menu

Windows Update
If the agent OS is Windows XP or higher, the automatic updates function under Windows - Control Panel - Automatic Updates can be enabled or disabled.
I. Do not change
II. Automatic: User can choose the day and time for updates.
III. Download updates, but install at a user-defined time.
IV. Notify of new updates, but do not download or install them.
V. Do not use automatic update.
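To confirm on an agent that "Deactivate all drives auto-execution" took effect after the required reboot, the Windows NoDriveTypeAutoRun value can be decoded. This is an added example, not HAURI code: it assumes the policy is applied through that standard Windows registry value (the guide does not say how VMS applies it), and the `reg query` outputs are constructed samples.

```python
"""Audit the Autorun state of a host from `reg query` output (added example)."""
import re

# NoDriveTypeAutoRun is a bitmask; a SET bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no-root-dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cd-rom",
    0x40: "ram-disk",
    0x80: "reserved",
}
ALL_DISABLED = 0xFF

REG_LINE = re.compile(r"^\s*NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Constructed samples of:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_ALL_DISABLED = "\r\n" + KEY + "\r\n    NoDriveTypeAutoRun    REG_DWORD    0xff\r\n"
SAMPLE_REMOVABLE_ON = "\r\n" + KEY + "\r\n    NoDriveTypeAutoRun    REG_DWORD    0x91\r\n"
SAMPLE_REMOVABLE_OFF = "\r\n" + KEY + "\r\n    NoDriveTypeAutoRun    REG_DWORD    0x95\r\n"
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\r\n"


def parse_reg_query(output):
    """Return the DWORD value found in the command output, or None if absent."""
    for line in output.splitlines():
        match = REG_LINE.match(line)
        if match:
            return int(match.group(1), 16)
    return None


def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still enabled under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def audit_autorun(output):
    """Classify a host against the guide's recommended 'all drives deactivated' state."""
    mask = parse_reg_query(output)
    if mask is None:
        # Value absent: the policy has not been written and the OS default applies.
        return {"state": "not-configured", "mask": None, "enabled": None}
    mask &= 0xFF
    enabled = autorun_enabled_types(mask)
    if mask == ALL_DISABLED:
        state = "all-disabled"
    elif "removable" in enabled:
        state = "removable-autorun-enabled"
    else:
        state = "partially-disabled"
    return {"state": state, "mask": mask, "enabled": enabled}


if __name__ == "__main__":
    for name, sample in [("all", SAMPLE_ALL_DISABLED), ("0x91", SAMPLE_REMOVABLE_ON),
                         ("0x95", SAMPLE_REMOVABLE_OFF), ("missing", SAMPLE_MISSING)]:
        print(name, audit_autorun(sample))
```

A host that reports anything other than `all-disabled` after the policy was assigned and the machine rebooted has not picked up the recommended setting.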
2.2.4.3 Distribution Policy

User can distribute files by group through the distribution policy. Clicking Add starts the distribution package setting.

[Fig. 63] VMS Distribution Policy

General
User can create a new file package or edit an existing one.
[Fig. 64] VMS Distribution Policy General Menu

I. Package Information: User can include an existing distribution package or create a new package.
Package name: Input the name of the package to create.
Package details: Input an additional description for the distribution package.
II. Distribution Type: User can set the distribution type by selecting general files or installation software.
Normal file: Specify the distribution path to which the file package is transmitted on distribution.
Installed software: When distributing installation software, select the name displayed in program add/remove.
[Fig. 65] VMS Distribution Policy Installation Software Name Selection

III. Distributing File List: By selecting a file or installation software, register it in the distributing file list or remove it.
Add: Files are added through the Import file window. File addition is restricted to a maximum of 30 MB.
Delete: Files registered in the distribution file list are removed.
IV. Execution option after Distribution: Set this option for running distributed files.
Executable files: Specify the executable files for running distribution files.
Executing options: Specify executable file options and execute the files.
Hide window on executing: Hide the action set in the execution options.

Distributing Time
User can distribute the policy package by setting period, time, and frequency.
[Fig. 66] VMS Distribution Policy Distribution Time Menu

I. Distributing period settings
No limits: Distribute regardless of period. (Default setting)
Distribute only when the assigned period: Specify a start date and an end date.
II. Distributing time settings
No limit: Distribute regardless of time. (Default setting)
Distribute only in the assigned time: Specify a start time and an end time.
III. Distribution cycle settings
Every day: Distribute every day. (Default setting)
Once: Distribute only once regardless of period, time, and frequency.
Once per a week: Distribute once a week on the specified day.

Distributing target's limits
Specify the targets for the distribution policy.
[Fig. 67] VMS Distribution Policy Distribution Restriction Menu

I. Distributing target OS: User can limit the target OS for distribution by specifying the targets.
- Windows 2000 Professional (Default setting)
- Windows Server 2000
- Windows XP (Default setting)
- Windows Server 2003
- Windows Vista (Default setting)
- Windows Server 2008
- Windows 7 (Default setting)
II. Target IP range for distribution: Limit distribution targets by specifying IP addresses.
No limit: Apply the distribution policy to all systems set in the target OS for distribution. (Default setting)
IP range's limits: Distribute only if the IP address is in the range between the start IP address and the end IP address.
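Because a distribution package can also be executed on the agent, it helps to reason precisely about which agents a given set of restrictions admits. The model below is an added example, not HAURI code: the `DistributionPolicy` structure, the reason strings and the treatment of a time window whose start is later than its end (taken to cross midnight) are assumptions, and the sample policy is constructed.

```python
"""Model of the distribution restrictions: period, time, cycle, target OS, IP range."""
from dataclasses import dataclass, field
from datetime import date, datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Target OS entries marked "(Default setting)" in the guide.
DEFAULT_TARGET_OS = frozenset(
    {"Windows 2000 Professional", "Windows XP", "Windows Vista", "Windows 7"}
)


@dataclass
class DistributionPolicy:  # hypothetical structure, not the VMS policy format
    period: Optional[Tuple[date, date]] = None   # None = "No limits"
    window: Optional[Tuple[time, time]] = None   # None = "No limit"
    cycle: str = "daily"                         # "daily", "once" or "weekly"
    weekly_day: int = 0                          # 0 = Monday, used by "weekly"
    target_os: frozenset = DEFAULT_TARGET_OS
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # empty = "No limit"


def in_window(now: time, start: time, end: time) -> bool:
    """Inclusive window; start > end is read as crossing midnight (assumption)."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def in_ip_ranges(ip: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if ip lies between the start and end address of any range, inclusive."""
    addr = IPv4Address(ip)
    return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in ranges)


def evaluate(policy, agent_os, agent_ip, now, last_delivered=None):
    """Return (eligible, reason) for one agent at datetime `now`."""
    if agent_os not in policy.target_os:
        return False, "OS not targeted"
    if policy.ip_ranges and not in_ip_ranges(agent_ip, policy.ip_ranges):
        return False, "IP outside allowed ranges"
    if policy.cycle == "once":
        # Per the guide, "Once" distributes once regardless of period, time, frequency.
        if last_delivered is None:
            return True, "eligible"
        return False, "already distributed"
    if policy.period and not (policy.period[0] <= now.date() <= policy.period[1]):
        return False, "outside distribution period"
    if policy.window and not in_window(now.time(), *policy.window):
        return False, "outside distribution time"
    if policy.cycle == "weekly" and now.weekday() != policy.weekly_day:
        return False, "not the weekly distribution day"
    if last_delivered is not None and last_delivered.date() == now.date():
        return False, "already distributed in this cycle"
    return True, "eligible"


# Constructed sample: nightly window in March 2024, one subnet, default OS list.
SAMPLE_POLICY = DistributionPolicy(
    period=(date(2024, 3, 1), date(2024, 3, 31)),
    window=(time(22, 0), time(6, 0)),
    ip_ranges=[("10.0.5.1", "10.0.5.254")],
)

if __name__ == "__main__":
    for os_name, ip, when in [
        ("Windows XP", "10.0.5.20", datetime(2024, 3, 10, 23, 30)),
        ("Windows XP", "10.0.5.20", datetime(2024, 3, 10, 12, 0)),
        ("Windows Server 2003", "10.0.5.20", datetime(2024, 3, 10, 23, 30)),
    ]:
        print(os_name, ip, when, evaluate(SAMPLE_POLICY, os_name, ip, when))
```

Note that with the defaults (no period, no time limit, no IP range) every agent running a default-selected OS is admitted, so a package with an execution option reaches all of them.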
[Fig. 68] VMS Distribution Policy - Add IP Range for Distribution Restriction

Result of Package Saving
It shows the result for the created package. When OK is clicked for the package saved results, package creation is processed and a message with the package saved results is displayed. Executable program files in the package are converted to Hauri's unique compressed file type, the files are safely saved in the C:\Documents and Settings\All Users\Application Data\Hauri\VMS\Server\Pcy\FilePackage folder, and then they are distributed.

[Fig. 69] VMS Distribution Policy - Package Saved Result Menu
[Fig. 70] VMS Distribution Policy Package Saved Results

2.2.4.4 ViRobot Policy Scan Settings General Setting Interface

User can configure the scan setting, disinfection setting, advanced setting, and scan startup setting used for malware detection by custom scan and by scan with the right mouse button in ViRobot Internet Security.
[Fig. 71] ViRobot Policy Scan Settings - General Menu

Scan
I. All files: Scan all files on general scan. (Default setting for scan on creation of new policy)
II. Major files scanned by extension: Scan the user-defined extensions defined in detailed settings on custom scan.
A. Detailed Settings
User can set the extensions for scanning major files, divided into executable file extensions, document file extensions, and user-defined extensions. If the default setting is chosen, executable files and document files are added, and user-defined extensions can be added by typing them in the extension input field. The extension items for this setting are as below.
Executable files: EXE, BAT, COM
Document files: DOC, PDF, TXT, HTM, HWP, HTML, BAK, MBD, PPT, XLK, PPTM, XLS, XLSX
[Fig. 72] ViRobot Policy - Set main infection file details

III. Use scan size limit: The file size for scan can be limited by this setting. The size can be set within 1GB or 100MB. If a size limit is not needed, cancel the option. (Default: 1GB)
IV. Scan speed setting: The scan speed on general scan can be controlled. Speed control levels are divided into maximum, medium (recommended), and minimum. Set an appropriate scan speed according to system performance.

Add settings
I. Use compressed file scan: Files inside a compressed file can be scanned. (Default setting)
A. Detailed settings: Compression level, size limit for scanning compressed files, and scan type for compressed files can be specified in advanced settings.

[Fig. 73] ViRobot Policy - Compressed File Scan Details Settings

II. Use scan skip list: Apply scan exclusion items for malware general scan. (Default setting)
A. Detailed setting: Scan exclusion items can be set according to advanced settings by specifying folders, files, and extensions for exclusion.
[Fig. 73] ViRobot Policy - Set Scan Skip List
[Fig. 74] ViRobot Policy - Add Scan Skip List
[Fig. 75] ViRobot Policy - Added Scan Skip Folder
[Fig. 76] ViRobot Policy - Added Scan Skip File
[Fig. 77] ViRobot Policy - Added Scan Skip Extension

III. Start scan setting (Default: check all)
A. Running memory scan: Run a scan of currently loaded memory on general scan. The memory scan is processed first on general scan.
B. Running boot section scan: Run a scan of the boot area on general scan. It is processed after the memory scan on general scan.
C. Running process scan: It is processed for currently running processes.
D. Self-infection: It is processed for the major files and execution processes of VRIS.

Repair Settings
I. Reparable
Keep intact: Detected malware is not disinfected automatically; it is processed by selecting Disinfect in the malware scan window.
Auto-repair: If malware is detected, it is automatically disinfected without user interaction. Automatically disinfected files are saved in backup storage. (Default setting on creation of new policy)
Auto-delete: If malware is detected, it is automatically deleted without user interaction. Automatically deleted files are moved to backup storage.
II. Repair failed/irreparable
Keep intact: It shows only scan information for files infected with malware.
Auto-delete: If malware is detected, it is automatically deleted without user interaction. Automatically deleted files are moved to quarantine storage. (Default setting on creation of new policy)
2.2.4.5 ViRobot Policy Scan Settings Quick Scan Interface

The policy applicable to quick scan in ViRobot Internet Security is set.

Scan Settings

[Fig. 78] ViRobot Policy Scan Settings - Quick Scan Menu

I. Malicious program scan: It performs the scan for potentially unwanted programs first. (Default setting)
II. Virus scan for my document folder: If the relevant box is checked, the My Documents folder path is automatically entered in the field of target folders for quick scan below. (Default setting)
III. Virus scan for Windows folder: If the relevant box is checked, the Windows folder path is automatically entered in the field of target folders for quick scan below. (Default setting)
IV. Quick scan target folder: It performs the scan with user-defined paths added on quick scan. In the additional settings window, Windows folder, System folder, My Documents folder, and C Drive folder are predefined and can be selected. User can also input a user-defined path manually.

[Fig. 79] ViRobot Policy Scan Settings - Add Quick Scan Path

V. Delete: Select and remove existing folders for quick scan.
VI. Default: Scan for potentially unwanted programs, scan for virus in My Documents folder, and scan for virus in Windows folder are set.

2.2.4.6 ViRobot Policy Scan Settings Real-time Interface
[Fig. 80] ViRobot Policy Scan Settings - Real-Time Monitoring Menu

Auto-run upon Windows start-up
Real-time monitoring auto-run at Windows startup: It automatically runs real-time monitoring when Windows boots. (Default setting)

Use real-time monitoring
It enables user to configure the scan settings and disinfection settings used when scanning for malware on real-time scan. (Default setting)

General Settings
I. All files: It monitors for malware by monitoring I/O for all files on the user PC. (Default)
II. Main infected files (Based on extension): It monitors for malware by monitoring I/O for executable files on the user PC.
Detailed Settings
User-defined extension: User can add or delete extensions of files for real-time monitoring.
Supported executable files for scan
Executable files: EXE, BAT, COM
Document files: DOC, PDF, TXT, HTM, HWP, HTML, BAK, MBD, PPT, XLK, PPTM, XLS, XLSX
[Fig. 81] ViRobot Policy - Main infected files

III. Run as hidden mode: When malware is detected, it is handled according to the disinfection setting for real-time monitoring in background mode, without a security warning window or alarm to the user. (Default)

Add Settings
I. Use scan skip list: Apply scan exclusion items in real-time monitoring. (Default)
A. Detailed setting: Scan exclusion items can be set according to detailed settings by specifying folders, files, and extensions for exclusion. (No default setting)

[Fig. 82] ViRobot Policy - Real-Time Scan Skip List
[Fig. 83] ViRobot Policy - Add Real-Time Scan Skip Folder
[Fig. 84] ViRobot Policy - Added Real-Time Scan Skip Extension

I. Detect/scan USB drive: It blocks removable media such as USB interface from being used in the system. (Default: Enable)
II. Use heuristic scan: Enable the heuristic engine to detect various viruses.

Repair Settings
I. Reparable
Keep intact: It shows only scan information for files infected with malware.
Auto-repair: If malware is detected, it is automatically disinfected without user interaction. Automatically disinfected files are saved in backup storage. (Default setting on creation of new policy)
Auto-delete: If malware is detected, it is automatically deleted without user interaction. Automatically deleted files are moved to backup storage.
II. Repair failed/irreparable
Keep intact: It shows only scan information for files infected with malware.
Auto-delete: If malware is detected, it is automatically deleted without user interaction. Automatically deleted files are moved to quarantine storage. (Default setting on creation of new policy)

2.2.4.7 ViRobot Policy Scan Settings Malicious Process
[Fig. 85] ViRobot Policy - Malicious Process Menu

General Settings
I. Use Spyware/Adware Scan: The following can be optionally selected. (Default setting)
Spyware: It scans for software that gets onto the user PC and covertly gathers private information. (Default setting)
Adware: It scans for software that automatically displays advertisements after specific software is installed or while the software is running. (Default setting)
Key logger: It scans for software that tracks and logs the keys struck on a keyboard with malicious intention. (Default setting)
Joke: It scans for fake computer viruses or programs that arouse emotional anxiety and agitation without malicious intention. (Default setting)
Remote control programs: It scans for programs that activate a specific port or perform remote commands by gaining permission on the user system, such as Trojans, IRQ, and Remote Control. (Default setting)
Others (Malicious): It scans for other predefined potentially unwanted programs. (Default setting)
II. Greyware: It scans for greyware that is installed without user consent or knowledge. (Default setting)
III. Stealth rootkit finder: It finds rootkit viruses, which can cause critical problems in the OS.

Additional Settings
Use customized folder scan: It enables the scan for potentially unwanted programs on a specified folder path. (Default setting)
Detailed setting
Add: It adds a path for the unwanted program scan. Windows folder, System folder, My Documents folder, and C Drive folder are predefined and can be selected. User can also input a user-defined path manually.
[Fig. 86] ViRobot Policy - Add Customized Folder_1
[Fig. 87] ViRobot Policy - Add Customized Folder_2

Delete: It deletes a malicious program scan path that is registered in the user-defined folder list.

Repair Settings
I. When malicious programs are found.
Keep intact: It enables user to check the detected program directly in the scan window.
Auto-repair: If an unwanted program is detected, it is automatically disinfected without user interaction. (Default setting)
If internet start page change is required on repairing infection files: If the internet start page has been modified due to infection by a potentially unwanted program, this setting prevents secondary infection through an internet website. (No default setting)

2.2.4.8 ViRobot Policy Scan Settings Scheduled Scan
Scheduled Scan List

[Fig. 88] ViRobot Policy - Scheduled Scan Setting Menu

It enables VRIS to scan for malware on the schedule specified in the scheduled scan settings. (No default setting)

I. Add: When clicking Add, user can specify a scheduled scan.
Scheduled scan name: The scheduled scan name is specified.
Elapsed time: User can select from the options Daily, Weekly, Monthly, Only once, or Run the scan when screensaver is activated. (Default: Daily)
- If selecting Daily, Time and Items to scan are activated.
- If selecting Weekly, Day, Time, and Items to scan are activated.
- If selecting Monthly, Date Time, and Items to scan are activated.
- If selecting Only once, Date Time, and Items to scan are activated.
- If selecting screensaver, Items to scan is activated.
Day: Specify any day of the week from Monday to Sunday.
Date: Specify any date from 1 to 31.
Time: Specify the time to scan daily, weekly, or monthly. (Default: Current time)
Items to scan: Specify the items to scan from Windows folder, C:\ Drive, and Local drive. (Default: C:\)
Run as hidden mode: The scheduled scan runs in background mode.
[Fig. 89] ViRobot Policy - Add Scheduled Scan

I. Modify: Existing scheduled scan items can be edited.
II. Delete: Existing scheduled scan items can be deleted.

The compressed file scan property for messenger protection is based on ViRobot policy-scan settings-Generals-Scan setting for compressed file-detailed settings. For the compressed file scan size limit, multiple compress scan level, and compressed file type, see General scan-advanced-compressed file settings.

2.2.4.9 ViRobot Policy Network Security Internet Protection
[Fig. 90] ViRobot Policy Network Security - Internet Security Menu

1 Block Phishing sites
Use Anti-Phishing for sites
It blocks phishing websites so that only safe websites are accessed. If the user tries to access a phishing site URL that has been collected, it blocks the internet access, then displays a blocking page. (Default: Enable)
Use Anti-Phishing Exception List
Add: When the user accesses a registered website, the website is excluded from the phishing scan. Entries are input by URL and are numbered in order when registered in the permission list.
Delete: Registered websites excluded from the phishing scan are deleted from the list.
[Fig. 91] ViRobot Policy Network Security - Add Exception Site for Anti-Phishing

2 Block websites
Use user-defined website blockage
Add: It prevents the VRIS user from accessing the websites registered in the policy. In addition to the restriction on access to URLs defined as phishing websites, access to websites may be restricted by administrator policy.

[Fig. 92] ViRobot Policy Network Security - User Defined Blocked Site

Delete: Registered user-defined websites are deleted from the list.

2.2.4.10 ViRobot Policy Network Security Firewall

[Fig. 93] ViRobot Policy Network Security - Firewall Menu

1 Use of Network protection
Use network protection
The VRIS network intrusion prevention function is enabled.
Use personal firewall
The VRIS personal firewall function is enabled.
I. Add: Add the IP address, port number, and network access rule for the process specified according to the firewall rule.
General settings: Specify the firewall rule name, protocol type, and network control. Specify the direction of network packets for the TCP/UDP protocol and the rule.

[Fig. 94] ViRobot Policy Network Security - Firewall Rule General Settings

Source IP: Specify the source IP address for the rule. User can choose between the options All IP addresses and specific IP address.

[Fig. 95] ViRobot Policy Network Security - Firewall Rule Source IP Settings
Source Port: Specify the source port number for the rule. User can choose between the options All ports and specific port.

[Fig. 96] ViRobot Policy Network Security - Firewall Rule Source Port Settings

Destination IP: Specify the destination IP address for the rule. User can choose between the options All IP addresses and specific IP address.

[Fig. 97] ViRobot Policy Network Security - Firewall Rule Destination IP address Settings

2.2.4.11 ViRobot Policy Data Protection File Wipe
[Fig. 98] ViRobot Policy Data Protection - Permanent Deletion of Files Menu

1 File wipe
File wipe security level settings
Specifying a security level for permanent deletion in data protection makes files that are permanently deleted in VRIS unrecoverable.

Algorithm for permanent deletion of file
Generally, files deleted at levels 1 ~ 2 cannot be recovered by software, and files deleted at levels 3 ~ 6 cannot be recovered by either software or hardware. The algorithm for permanent deletion of files at each security level is as below.

Security Level   Times   Delete method
Level 6          35      Overwritten 35 times by Guttmann wipe algorithm.
Level 5          13      Overwritten 13 times by DoD5220-22-M Recommendations.
Level 4          7       Overwritten 7 times by DoD5220-22-M Recommendations.
Level 3          3       Overwritten 3 times with random number, 0, and 1 by NIS Guides.
Level 2          1       Overwritten once with random number.
Level 1          1       Overwritten once with 0.

2.2.4.12 ViRobot Policy System Optimization System Cleanup
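For the file wipe security levels of 2.2.4.11, the sketch below shows what the Level 1 to 3 overwrite schedules amount to on disk. It is an added example, not VRIS code: reading "1" as a byte with all bits set (0xFF), the read-back check and the rename before deletion are assumptions, and Levels 4 to 6 are rejected because the guide gives only their pass counts, not their patterns.

```python
"""Multi-pass overwrite for the Level 1-3 schedules in the table (added example)."""
import os
import secrets

CHUNK = 64 * 1024
RANDOM = None  # marker for a pass filled with random bytes

# Pass order follows the table: Level 3 is "random number, 0, and 1".
PASSES = {
    1: [0x00],
    2: [RANDOM],
    3: [RANDOM, 0x00, 0xFF],  # assumption: "1" means every bit set
}


def _write_pass(f, size, pattern):
    """Overwrite the whole file once, then force the data out to the device."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(secrets.token_bytes(n) if pattern is RANDOM else bytes([pattern]) * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())


def _verify_pass(f, size, pattern):
    """Read the file back and confirm every byte holds the fixed pattern."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if f.read(n) != bytes([pattern]) * n:
            return False
        remaining -= n
    return True


def overwrite(path, level):
    """Run the overwrite passes for `level` in place; return the number of passes."""
    if level not in PASSES:
        raise ValueError("pass patterns for level %r are not given in the guide" % (level,))
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in PASSES[level]:
            _write_pass(f, size, pattern)
            if pattern is not RANDOM and not _verify_pass(f, size, pattern):
                raise OSError("read-back mismatch after overwrite pass")
    return len(PASSES[level])


def wipe(path, level):
    """Overwrite, then rename, truncate and delete so the name and size are not left behind."""
    overwrite(path, level)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.truncate(anonymous, 0)
    os.remove(anonymous)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "constructed-sample.bin")  # constructed test file
        with open(target, "wb") as fh:
            fh.write(b"confidential" * 1000)
        print("passes:", overwrite(target, 3))
        wipe(target, 1)
        print("left in directory:", os.listdir(d))
```

In-place overwriting only reaches the blocks the file system currently maps to the file; on SSDs with wear levelling and on copy-on-write or journaling file systems, earlier copies of the data can survive any number of passes.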
[Fig. 99] ViRobot Policy System Optimization - System Cleanup Menu

1 System Cleanup Reservation
I. Internet use history
It enables user to search for the following data left in the system by internet browsing.
Internet Cookies: It searches for internet cookies stored by the user's web browser.
File auto-completion: It searches for the list kept by the predictive input setting.
IE History: It searches the access history in Internet Explorer.
URL history: It searches the list of web pages opened by the user.
Internet temp file: It searches for temporary internet files that are saved to open internet home pages quickly.
II. Records Management using Windows
It enables user to search for the following files left after using Windows.
Search computers and files: It searches the computers and files.
Records management using program: It searches the using programs.
Remote Desktop: It searches the connection list for remote desktop.
Windows temp files: It searches for temporary files left in the user profile.
Recycle Bin: It searches for items in the recycle bin.
Unnecessary registry files: It removes registry area in the table below.
III. Record Management using program
It enables user to search for the following files left after using Windows applications.
WordPad: It searches for files used by WordPad (Windows basic text editor).
Windows Media Player: It searches playable files of Windows Media Player. Paint: It searches used files of Paint (Windows paint editor tool). My Recent Documents: It searches recent opened files. Microsoft Office Word: It searches recent used files of Microsoft Word. Copyright c HAURI Inc 77
2.2.4.13 ViRobot Policy Other Settings

[Fig. 100] ViRobot Policy Other Settings Menu

1 Self-defense Settings
I. Hauri products protection settings (Recommended): It enables the VRIS self-defense functions, such as protection for files, processes, and registry. (Default: Enable)
- File protection: It protects files in the installation path of Hauri products. (Default: Enable)
- Registry protection: It protects registry data used by Hauri products. (Default: Enable)
- Process protection: It protects running processes of Hauri products from being terminated. (Default: Enable)

2 Easy Robot Settings
II. Easy Robot List Settings
When EasyRobot is run from VRIS Security Center, the following actions are performed according to the checked options.
- Quick scan: EasyRobot quick scan runs according to the [Chapter 2.2.4.5 ViRobot Policy-Scan Settings-Quick Scan Interface] policy setting.
- System optimization: EasyRobot system optimization runs according to the [2.2.4.12 ViRobot Policy-System Optimization-System Cleanup] policy setting.

3 PC Usage Control
I. PC usage control: It starts/stops the VRIS PC usage control service. (Default: Enable)
II. PC usage blocking: PC usage is blocked according to the specified schedule. (Default: Enable)
III. Network usage blocking: Network usage is blocked according to the specified schedule. (Default: Enable)
IV. Administrator password setting: Set the password to unblock PC usage. (Default: Enable)
V. Default: Enable all options for PC usage control on the policy screen.

4 Quarantine Settings
I. Backup before disinfection (except for compressed files): Set VRIS to back up disinfected/deleted files to quarantine after a malware scan. (Default: Enable)
II. Quarantine after deleting old quarantine data: If the backup item number limit is exceeded, backup files in quarantine are removed. (Default: Enable)
III. Backup/quarantine item number limit: Set the capacity of quarantine. Default is 1,000 items, and it stores up to 10,000 items.
IV. Default: Quarantine settings are changed to default.

5 Log Settings
I. Save malware log: Set it to record a log on malware detection. (Default: Enable)
II. Save task log: Set it to record the VRIS task log. (Default: Enable)
III. Save network log: Set it to record the network security log. (Default: Enable)
IV. Save error log: Set it to record the VRIS module error log. (Default: Enable)
V. Delete log by frequency: Set it to delete saved logs by frequency, with the options Do not delete, 1 day, or 15 days. (Default: Do not delete)
VI. Delete log by file size: Set it to delete saved logs by file size, with the options 4MB, 10MB, 50MB, or 100MB.

6 Advanced Settings
I. Settings protection: Set a password to prevent settings from being changed. (Default: Disable)
II. Engine performance: Set the engine mode (dual or single) for VRIS malware scan. Dual engine enhances malware detection performance by combining the Bitdefender scanning engine with the ViRobot engine. (Default: Dual engine)
III. Default: Settings protection is changed to default.

7 Other Settings
I. Hide all notification function in full screen mode: If an application program is running in full screen graphic mode, VRIS does not create notification messages. (Default: Enable)
IV. Support scan with right mouse button: It adds the VRIS scan menu to the Windows Explorer menu that appears when right-clicking files and folders. (Default: Enable)

2.2.4.14 Sub Server Policy Settings

[Fig. 101] Sub Server Policy Menu

1 Sub Server Options Settings: Set the synchronization option for the sub server.

[Fig. 102] Sub server Option Settings

I. Policy
It is synchronized with the VMS policy of the primary server. (Default: Enable)
II. File Transfer
It is automatically synchronized when the high level server is updated. (Default: Enable)
Suspicious files as virus

2 Alert
- Hard disk space is not enough (1GB): Set the sub server to send a notification mail if free HDD space of the sub server system is 1GB. (Default: Enable)
- When virus outbreaks more than designated counts in time limit: Set the sub server to send a notification mail by specifying the time limit and count of virus infections. (Default: Notify when virus infection counts 1,000 cases in 30 minutes)
- Daily virus infection status: Set the sub server to send a notification mail for daily virus infection status. (Default: Enable)

Settings
- Email address: Set the mail address to receive notification mail from the sub server.
- Send mail(smtp): Set the SMTP mail server address.
- Account name: Set the mail server account.
- Password: Set the password for the mail account.
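The outbreak alert above fires on a count of infections inside a time limit (default 1,000 cases in 30 minutes). The following is an added example, not HAURI's code, showing how such a sliding-window threshold behaves on constructed timestamps. The class and function names, the "at least 1,000" comparison, and the rule of one mail per outbreak are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta


class OutbreakAlert:
    """Sliding-window outbreak counter (illustrative, not the VMS implementation)."""

    def __init__(self, threshold=1000, window=timedelta(minutes=30)):
        if threshold < 1 or window <= timedelta(0):
            raise ValueError("threshold and window must be positive")
        self.threshold = threshold
        self.window = window
        self._events = deque()  # infection timestamps still inside the window
        self._armed = True      # False while the current outbreak is already reported

    def record(self, ts):
        """Add one infection event; return True if a notification mail is due."""
        if self._events and ts < self._events[-1]:
            raise ValueError("events must be fed in time order")
        self._events.append(ts)
        cutoff = ts - self.window
        # Drop events that are a full window old or older. The deque never
        # empties here because ts itself is always newer than the cutoff.
        while self._events[0] <= cutoff:
            self._events.popleft()
        if len(self._events) >= self.threshold:  # assumption: "at least" the count
            if self._armed:
                self._armed = False              # one mail per outbreak, not per event
                return True
        else:
            self._armed = True                   # rate fell back under the limit
        return False


def notifications(timestamps, threshold=1000, window=timedelta(minutes=30)):
    """Return the timestamps at which a notification would be sent."""
    alert = OutbreakAlert(threshold, window)
    return [ts for ts in timestamps if alert.record(ts)]


def burst(start, count, spacing):
    """Constructed sample data: `count` infection events, `spacing` apart."""
    return [start + spacing * i for i in range(count)]


T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time
FAST = burst(T0, 1500, timedelta(milliseconds=600))    # 1,500 events in 15 minutes
SLOW = burst(T0, 1000, timedelta(milliseconds=3600))   # 1,000 events over an hour
TWO_WAVES = (burst(T0, 1000, timedelta(seconds=1))
             + burst(T0 + timedelta(hours=2), 1000, timedelta(seconds=1)))

if __name__ == "__main__":
    for name, events in (("FAST", FAST), ("SLOW", SLOW), ("TWO_WAVES", TWO_WAVES)):
        print(name, [ts.isoformat() for ts in notifications(events)])
```

The SLOW set shows the case worth knowing when choosing the count and time limit: 1,000 infections spread evenly over an hour never put more than 500 inside any 30-minute window, so no mail is sent.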
2.2.4.15 Sub Server Policy Update

[Fig. 103] Sub Server Update Menu

1 Update Interval
- Interval: How often the sub server connects to the primary server, in seconds.
- Schedule update setting: Update schedule for the sub server.

[Fig. 104] Subserver Update Schedule

I. Update Restriction
- Do not set: Update time is not limited.
- Settings: Update starts after the specified time. (Default: After 03:40 PM)

II. Update interval
- No use: Update frequency is not specified. (Default)
- Daily Once only: Update is limited to once a day.
- Specific time as designated: Update is performed as frequently as the specified number of times.
- Weekly: Update is performed on the specified day of the week.

Update module: Update is performed for the modules selected below. (Default: Enable all)
I. ViRobot Management System 4.0
II. ViRobot Internet Security 2011
III. ViRobot Server Protection 2011

Proxy settings: Set the proxy server connection information used when the sub server performs updates through a proxy.
I. IP address: URL for the proxy server
II. Port number: Connection port for the proxy server at the time of update
III. Use authentication: Account and password setting for authentication requests from the proxy server
- User account: Set the account name for the proxy server.
- Password: Set the password for the proxy server account.
2.2.4.16 Sub Server Policy Performance Logs

1 Performance

[Fig. 105] Sub Server Performance Log Menu

Set the number of simultaneous connections for each service running on the sub server.
- Agent information collect: Connection requests to the VMS server collect service are limited. (Default: 100)
- Update file service: The number of update service connections for the VMS server is limited. (Default: 100)
- Policy service: Connection requests to the VMS policy service are limited. (Default: 100)
- File collection service: Connection requests to the VMS server file service are limited. (Default: 100)

2 Send to console
If a company with many managed nodes is concerned about server overload due to log reception, it can reduce server and network loads by using selective log reception. When connecting to the sub server via VMS console, this option limits which of the information below can be checked from the console. (Default: Enable all)
- Agent connection
- Virus infection
- Update
- Network infection
- File collection

3 Send to upper server
The logs selected below are transmitted from the sub server to its high level VMS server. (Default: Enable all)
I. Agent connection
II. Virus infection
III. Update
IV. Network infection
2.2.4.17 Sub Server Policy DBMS

[Fig. 106] Sub Server DBMS Menu

1 DB Backup
Set the backup option for the DBMS connected with the sub server.
- Use automatic backup: Set the frequency, day, and time to back up major data automatically. (Default: Daily, 12:00 AM)

2 Delete DB
Set to delete previous task logs automatically from the DB.
- Use automatic delete: Task logs are deleted on the basis of the specified date. (Default: 30 days)

3 Send to DB
Logs for the items checked below are transmitted to the DB. (Default: Enable all)
- Assets management
- Network infection
- Virus infection
- Update

2.2.4.18 Sub Server Policy Installation Guide

[Fig. 107] Sub Server Installation Guide Menu

1 Use installation guide
Register the ViRobot installation induction server of the sub server. If the installation induction server information below is synchronized with the high level server, separate registration of an installation induction server is not needed.
- Add: A server can be added only after its connection is confirmed by entering the IP address of the installation induction server.

[Fig. 108] Sub Server Installation Guide Menu

- Delete: Delete an entry from the registered installation induction server list.
- Edit: Change the settings of a server in the registered installation induction server list.
2.2.5 Console Configuration

[Fig. 109] Console General Configuration

1 General Settings
I. Collecting method of group information
- Collect from agent: It shows agent group information in the node information window when the agent connects to the VMS server. (Default: Enable)
- Collect by IP bands of group: It shows agent group information based on the IP range of the group information in the node information window when the agent connects to the VMS server.
- Collect by employee ID: By assigning an employee ID no. to the agent, it shows node group information based on the authenticated employee ID no. when connecting to the VMS server.
II. Agent error check
- Report an error if agent is not connected with server for: Specify the period of disconnection after which a node is classified as a fault node in the node information window. (Default: Reported as agent fault for 17 days disconnection)
III. Initial information for main console
- Screen name: The user can select one of the following items as the initial screen for task information in the management tab at the time of login via VMS console.
A. Software information (Default: Enable)
B. Hardware information
C. Virus logs
D. Shared information
E. Virus scan results
F. Worm vulnerability information
G. Console command
H. Distribution status
I. Collection information log

2 Console Log Settings
I. Console main receiving log setting
Set the number of logs displayed in log information in the VMS console management menu.
A. Operating logs (Default: 500)
B. Virus logs (Default: Disable)
C. Collecting information logs (Default: Disable)

3 Console Network Settings
I. Port settings
- Server connection port no.: Port number used by VMS console to connect to the server.
- Agent connection port no.: Port number for agent connection check in VMS console.
- Remote control port no.: Port number to connect to for remote control in VMS console.
II. Database settings
Set the DB latency time for VMS console. The default value of latency time is 30 seconds.
III. Communication settings
- Ping's waiting time: Set the ICMP latency time for the console process, in seconds. (Default: 30 seconds) It is recommended to set the time longer than 1 minute on a slow network.
- Connection's waiting time: Set the access time for console communication, in seconds. (Default: 30 seconds) It is recommended to set the time longer if the VMS server is physically far from the console.

4 Console User Management
I. Add: Add a user authorized to access the VMS server and console.
- User ID: Type the user ID to be added.
- User name: Type the user name for the new administrator.
- Password: Type the password for the user ID.
- Confirm Password: Confirm the specified password.
A. Manager group
- System manager: Assign permission for all functions in VMS server and console.
- Monitoring/Report/Log Administrator: Assign limited permission for policy settings and security management.
B. Management settings
- Authority management: Select the functions that a user-defined administrator can use.
- Console accessing IP settings: Assign the applicable IP for the added administrator's console connection.

[Fig. 110] Console User Management

II. Delete: Select and delete a registered administrator. Delete can be performed only by an administrator who has permission.
III. Edit: Edit user management information by selecting a registered administrator.

5 Console User Group Management
I. Add: A user group is added. The System management group and the Monitoring/Report/Log administrator group are registered as basic groups, and the basic groups cannot be deleted. It is useful to create an administrator group for each division and then assign permission by checking options on the permission option screen.

[Fig. 111] Console User Management

I. Delete: A registered user group, except for a basic group, is deleted.
II. Edit: A registered user group, except for a basic group, is edited.
III. Save: The contents of VMS console settings are saved. The saved settings are applied when the console is run again.
2.3 ViRobot Management System Agent

The agent program is installed on the personal PC. Through periodic connection to the VMS server, it relays VMS policy application and central management functions, and it runs VRIS. It is usually shown as a Windows system tray icon.

[Fig. 112] Agent Tray Icon Menu

2.3.1 Settings

This menu contains the settings for VMS server connection. Settings consist of general settings, user information settings, and other settings. The settings can be changed only if the VMS agent restriction policy assigns permission to change them.

[Fig. 113] VMS Agent - Before applying Restriction Policy

If the VMS agent restriction policy does not assign permission to change settings, the agent settings functions are inactivated as below.

[Fig. 114] VMS Console Agent Restriction Policy
[Fig. 115] VMS Agent - After applying Restriction Policy

General
Connection server settings
- Add: A VMS server address for access is added.
- Edit: The address of a registered VMS access server is edited.
- Delete: The address of a registered VMS access server is deleted.
- Check: Access to the VMS server registered in agent settings is checked.
- Connection order: The access order for VMS servers registered in settings is set.
Server connection cycle
- Cycle: The cycle for periodic connection to the VMS server is configured in seconds. (Default: 4 hours)

[Fig. 116] VMS Agent User Information Settings

User information settings
Division name
- Select: Select the group that the agent belongs to. It shows the divisions that the agent can select based on group information in the VMS server.
- Search: It searches division names, and shows divisions that can be selected.
Name: The agent user name is set. The name in agent settings is registered as the management node name in VMS console.
Telephone: The agent user's phone number is set.
Mobile phone: The agent user's mobile phone number is set.
Management: It brings group information from the VMS server when an employee ID number is typed. It is a group information collecting method for the VMS server, and is valid only for authentication of the employee ID number. When the management number is activated, name, phone number, and mobile phone number are input automatically.
Details: An additional description for the agent user is set.

Other settings
Language settings: The language for VMS agent is specified. Korean, English, and Spanish are supported.

[Fig. 117] VMS Agent Other Settings
2.3.2 Log Viewer

This menu is for checking VMS agent logs. The log viewer is divided into real-time log, which shows logs in real time, and log check, which shows only the logs for a selected date.

[Fig. 118] VMS Agent Real-Time Log Information
[Fig. 119] VMS Agent Log search information

Log information: Type, time created, and details are shown.
- Real-time log: It shows logs created on the current system date. (Default: Real-time log)
- Log searched: It shows logs created on the date selected for log check.

[Fig. 120] VMS Agent Virus Real-Time Log
[Fig. 121] VMS Agent Search Virus Log

Virus information: Virus log information shows time recorded, location detected, threat factor name, status, diagnosis pattern, detection, user account, and computer name.
- Real-time log: It shows virus logs created on the current system date. (Default: Real-time log)
- Search log: It shows virus logs created on the date selected for log check.

[Fig. 122] VMS Agent System Information

- Agent: It shows VMS agent and system information.
- Device control: It shows the control status of devices such as portable memory disks and HDDs.
- ViRobot: It shows information for VMS agent and the installed ViRobot product that is interlocked with it.
2.3.3 View Notice

This menu shows notices from the system administrator transmitted via VMS console.

[Fig. 123] VMS Console - Send Notice
[Fig. 124] VMS Agent - View Notice

Received message: The received administrator notice message is checked.

2.3.4 Update

It performs an update request to the VMS server. Generally, agent update is performed at each attempt to connect to the VMS server according to the connection frequency; an update applies policy from the VMS server, updates the engine and signature files, and transmits agent data. If an update is required due to an emergency situation, a manual update can be performed with the update function from the system tray.

[Fig. 125] VMS Agent Access Server Settings

2.3.5 Check Server Connection

Connection to the VMS server is checked. The connection check tries connecting to the VMS server registered in the VMS agent connection server setting. If multiple VMS servers are registered, the user can see which VMS server addresses can be connected.

[Fig. 126] VMS Agent Access Server Settings
[Fig. 127] VMS Agent Server Connection Success

2.3.6 Virus Scan

It calls the VRIS interlocked with VMS agent.

[Fig. 128] VMS Agent VRIS 2011
[Fig. 129] VMS Agent VRSP 2011

2.3.7 Display ViRobot

The user can show or hide the VRIS system tray icon. If setting Show, the VRIS icon is created in the system tray area, and Display ViRobot in agent system tray menu changes to Display ViRobot. If setting Hide, the VRIS system tray icon is hidden.

[Fig. 130] VMS Agent - Show ViRobot Setting

2.3.8 Stop Real-Time Monitoring

The user can set the start/stop status of VRIS real-time monitoring. If setting Start, it changes to Stop real-time monitoring in agent system tray menu. If real-time monitoring is in stop status, it changes to Stop real-time monitoring in the tray menu.

2.3.9 Information

Check the VMS Agent version information.

[Fig. 131] VMS Agent Information
Chapter 3 ViRobot Management System 4.0 Potential Issues & Troubleshooting

3. Potential issues and troubleshooting methods on using ViRobot Management System 4.0

3.1 How to troubleshoot the issues

3.1.1 Potential issues on installation

1 When VMS Database installation via install menu fails
Please check that the account, password, and port information entered when installing the Database are correct. If the Database system is in a remote place, please install the Database via the install menu from the remote system. Database installation basically works on the local system, so in that case network communication between the VMS server and the Database server must be set up before installing the Database.

2 When VMS 4.0 Server, Console, Agent are not installed
If VRIS 2011 and VRSP 2011 were already installed on the user PC, please uninstall them first. After uninstallation, the Windows system must be rebooted before continuing.

3.1.2 Potential errors on using VMS4.0

1 When VMS4.0 Server works abnormally due to lack of free disk space
The system administrator must check free disk space by using the VMS Server alert function. If disk space runs out, VMS Log Service cannot write the server log anymore. In that case, the administrator can delete unnecessary files or physically add an HDD.
E.g.) How to use Disk Cleanup: Start - All Programs - Accessories - System Tools - Disk Cleanup, then select the files to delete.

2 When log cannot be searched via VMS Server log viewer
If the "Cannot connect to DB." error message appears, the administrator must check the network connection between the VMS DB Server and VMS Server. Generally, the MS SQL Database is reached through port no. 1433, and VMS Server communicates with it over the same port. Check the connection to the Database in the following order.
⑴ Please check the MS SQL communication port of the VMS 4.0 Database system. If the default port (1433) is changed, the VMS Server settings must also be changed.
⑵ Check if the DB communication port is blocked by a firewall or intrusion blocking system.
⑶ Check VMS Server Management Server and SQL Server Service from Windows Server Management Console. If a service is stopped, connection to the Database is unavailable.

3 When update through VMS 4.0 Server is not working properly
The latest engine version can be checked on the HAURI website (www.hauri.net). If update is not working properly, please check whether VMS Server Settings - Update Cycle Settings is 0, and whether VMS Server Update Service is stopped. If there is a communication problem between the HAURI Update Server and the VMS 4.0 Update Server, please request technical service from HAURI.

4 When connection to VMS4.0 Server via Console tools fails
VMS 4.0 Server provides accessible system accounts and restricts access by IP range. If the connection IP is not working, please check the IP restriction settings with the system administrator.
Please also check whether the account is already connected to another system via VMS 4.0 Console. Console tools provide one management session per account. Therefore, if a user tries to connect to another system with an already connected account, logon fails. To forcibly terminate the connected admin session, please restart VMS Server Management Service from Windows Server Management Console.
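For the database connection checks ⑴ to ⑶ under item 2 of section 3.1.2, the way a TCP connection to the SQL port fails indicates which check to do first. The following is an added example, not a HAURI tool; the function names and the wording of the hints are assumptions, and a refused connection can also come from a firewall that actively rejects traffic.

```python
import socket

# What each result suggests, keyed to checks (1)-(3) of item 2 in section 3.1.2.
NEXT_STEP = {
    "open": "Port answers: the network path and the SQL listener are fine; "
            "check the VMS Server service state (check 3).",
    "refused": "Host answers but nothing listens on this port: SQL Server "
               "service stopped (check 3) or port changed from the default (check 1).",
    "timeout": "No answer at all: a firewall or intrusion blocking system is "
               "probably dropping the traffic (check 2), or the address is wrong.",
    "unreachable": "Name resolution or routing failed before any port check; "
                   "verify the database server address.",
}


def probe(host, port=1433, timeout=3.0):
    """Classify one TCP connection attempt to the database port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # an RST came back: host is up, port is closed
    except (socket.timeout, TimeoutError):
        return "timeout"          # nothing came back within the time limit
    except OSError:
        return "unreachable"      # DNS failure, no route, and similar errors


def triage(host, port=1433, timeout=3.0):
    """Return (result, hint) for the VMS DB Server address given."""
    result = probe(host, port, timeout)
    return result, NEXT_STEP[result]


if __name__ == "__main__":
    import sys
    # Usage: python dbcheck.py <db-host> [port]; run it from the VMS Server machine.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1433
    result, hint = triage(host, port)
    print(f"{host}:{port} -> {result}\n{hint}")
```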