SysPatrol - Server Security Monitor




SysPatrol Server Security Monitor
User Manual, Version 2.2, Sep 2013
www.flexense.com
www.syspatrol.com

Product Overview

SysPatrol is a server security monitoring solution that monitors one or more servers and detects unauthorized changes in system files, kernel drivers, system services, installed software products and the registry database. The user can learn a reference server configuration, periodically monitor the server configuration, detect all unauthorized system changes, automatically save reports and send E-Mail notifications.

SysPatrol Server can send E-Mail notifications, submit error messages to the system event log and/or automatically save HTML, ASCII text, Excel CSV, XML or PDF reports when one or more unauthorized system changes are detected on a server. In addition, the user can keep a history of system changes in an SQL database.

Initially, SysPatrol scans the system configuration and saves a reference state of the system files (including SHA256 signatures), installed kernel drivers and system services, the state of the registry database, and the installed software products and Windows updates. During the monitoring stage, SysPatrol periodically scans the current system configuration and compares it with the reference configuration, detecting all newly created, modified and/or deleted system files, kernel drivers, system services, registry database entries or software products.

By default, SysPatrol applies the most rigorous set of settings, capable of detecting all types of changes, but if required the configuration may be customized for less secure environments, minimizing the number of change alerts issued for minor or unimportant configuration changes.

SysPatrol is especially designed to run on production servers: it uses a very small amount of system memory (6MB-8MB) and intentionally slows down monitoring operations in order to minimize the performance impact on running production applications. By default, SysPatrol Server is configured to use up to 1%-2% of a single CPU core during the system learning and verification stages, which typically take up to 5 minutes per day.

In order to simplify deployment and everyday use, SysPatrol Server provides a very simple web-based management interface that allows one to control, configure and manage the product locally or through the network using a regular web browser. A number of fully automatic configuration wizards allow one to install SysPatrol Server and configure system monitors within a couple of minutes, making the product very easy to deploy even for novice computer users.

Product Installation Procedure

SysPatrol Server is especially designed to be as simple as possible. The product does not require any third-party software applications and may be installed and configured within a couple of minutes. A fully functional 30-day trial version of SysPatrol Server may be downloaded from the following page: http://www.syspatrol.com/downloads.html. The installation package is very small, 5MB - 6MB depending on the target operating system, and the product requires just 10MB of free disk space on the target server.

In order to install SysPatrol Server, start the setup program, select a destination directory and press the 'Next' button. Optionally, enter custom server control and/or web access ports. The server control port is used by the SysPatrol command line utility, and the web access port is the port for the web-based management interface that allows one to control SysPatrol Server using a standard web browser. If SysPatrol Server should be controlled remotely through the network, make sure one or both of these ports are open in the server's firewall.

Initial Product Configuration

In order to simplify deployment and everyday use, SysPatrol provides a number of fully automated configuration wizards that allow one to set up and configure the product within a couple of minutes. First of all, log in to the SysPatrol Server web-based management console using a standard web browser (default user name and password: admin/admin). After finishing the installation procedure, the product is fully functional, but no system monitors are defined in the product configuration.

In the simplest case, in order to initialize the default product configuration, just press the 'Init Default Configuration' button. By default, SysPatrol Server applies the most rigorous set of configuration options, making sure that all types of system changes are detected. During the initialization process, SysPatrol will scan the current system configuration and save it as the reference system configuration. By default, SysPatrol Server will save the state of the system files (including SHA256 signatures), installed kernel drivers and system services, installed network protocols, the state of the registry database, and installed software products and Windows updates. During the monitoring stage, the saved reference configuration will be used to detect unauthorized system changes.

The SysPatrol configuration wizard will create all the required system monitors and set up a daily periodic system test, which will verify the system configuration every 24 hours. If required, the automatically created system monitors and periodic system tests may be customized and tuned for user-specific needs and requirements.

Manual System Test

In order to test the current system configuration manually, press the 'Verify' button located on the main server status page, select the system monitors to test and press the 'Verify' button. During the verification process, SysPatrol will scan the current system configuration, compare it to the reference system configuration and report all detected changes. When one or more unauthorized changes are detected, SysPatrol saves a report file and sends an E-Mail notification if configured.

In order to review detected configuration changes, log in to the SysPatrol web-based management interface and click on a system monitor showing unauthorized changes. For each detected configuration change, SysPatrol shows the current value and the reference value that was saved during the system configuration learning stage. In order to export detected configuration changes to a report file, press the 'Export' button, select a report file format and press the 'Export' button.

Periodic Tests and Monitoring

SysPatrol Server provides the ability to periodically monitor the system configuration, save reports and/or send E-Mail notifications when one or more unauthorized changes are detected. By default, SysPatrol creates a daily system test, which verifies the system configuration every 24 hours. In order to customize the default periodic system test created by the SysPatrol Server configuration wizard, press the 'Schedule' button located on the main status page. The automatically created daily system test verifies system files, system services, kernel drivers, network protocols, the registry database and installed software packages.

In addition, the user can change the periodic test schedule and/or create new periodic tests configured according to user-specific needs. In order to add a new periodic test, press the 'Add' button located on the 'Periodic Tests' page. On the periodic test page, set the time interval at which to execute the periodic test, select the system monitors that should be verified and press the 'Save' button. SysPatrol Server will verify the selected system monitors periodically according to the specified time interval, detect all unauthorized system changes, save change reports and send E-Mail notifications if configured.

Reports and E-Mail Notifications

SysPatrol Server can save HTML, ASCII text, Excel CSV, XML or PDF reports and/or send E-Mail notifications when one or more unauthorized system changes are detected. In order to set up reports and/or notifications, click the 'Settings' link located on the top menu bar and click the 'Reports and Notifications' link located on the settings page. SysPatrol Server provides the ability to configure multiple report and/or notification actions, allowing one to generate different types of reports and/or send notifications to multiple destination addresses. In order to add a new report or notification action, press the 'Add' button located on the reports and notifications page.

For report actions, the user can specify an absolute file name or a directory name to save the report to. If an existing directory is specified, SysPatrol Server will automatically generate file names containing the date and time of the test and save reports to the directory. For notification actions, the user can specify the destination E-Mail address to send notifications to. In addition, in order to enable E-Mail notifications, the user is required to configure an SMTP server to use to send notifications.

Sending E-Mail Notifications

In order to configure E-Mail notifications, open the main settings page, click on the 'Reports and Notifications' link and press the 'Add Action' button. On the new action page, select the 'Send HTML E-Mail Notification' action type, enter a destination E-Mail address, enter the number of system changes required to trigger the notification and press the 'Save' button. In addition, open the main settings page, click on the 'Configure E-Mail Server' link and enter the host name or IP address of the SMTP server and the E-Mail account name and password to use to send E-Mail notifications.

When one or more system changes are detected, SysPatrol will send an E-Mail notification to the specified E-Mail address. Each E-Mail notification includes the name of the test that triggered the notification, the host name of the server, the date and time of the test and the list of detected system changes.

SQL Database Integration

SysPatrol Server can save detected system changes to an SQL database, allowing one to keep a history of all changes for future review and analysis. In order to enable SQL database export, click the 'Reports and Notifications' link located on the main settings page, press the 'Add' button to add a new report action, select the SQL database report format and press the 'Save' button. SysPatrol Server exports SQL database reports through the ODBC database interface, which must be configured for the export to operate properly. In order to configure the ODBC database interface, click on the 'Configure SQL Database' link located on the main settings page, enable the ODBC database interface and specify the ODBC data source, ODBC user name and password to use to save reports to the SQL database.

System Event Log Integration

Another option for sending notifications about unauthorized system changes is to submit error messages or warnings to the system event log. In order to add a system event log notification action, click the 'Settings' link located on the top menu bar, click the 'Reports and Notifications' link located on the settings page and press the 'Add' button. On the notification action page, select the 'Send Error to System Event Log' action type, enter an error message to submit to the system event log, enter the number of system changes required to trigger the action and press the 'Save' button. During the monitoring stage, SysPatrol Server will verify the system configuration and submit the error message to the system event log when the specified number of system changes is detected.
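The report, E-Mail and event log actions described in the three preceding sections share one pattern: a list of detected changes is handed to each configured action, reports are written to an absolute file name or to a date/time-stamped file inside an existing directory, and notifications fire only once the change count reaches the configured trigger. The following Python script is an added example of that dispatch logic; it is not SysPatrol's own code, and the action schema, the sample change records, the host name and the addresses are this example's own constructed values. SMTP delivery and the Windows event log write are left as comments so the script runs offline.

```python
"""Change-driven report and notification actions (added example, not SysPatrol code)."""
import csv
import html
import io
import socket
import xml.etree.ElementTree as ET
from datetime import datetime
from email.message import EmailMessage
from pathlib import Path


def report_path(target, test_name, when, suffix):
    """Absolute file name as given, or a date/time-stamped name inside an existing directory."""
    target = Path(target)
    if target.is_dir():
        return target / f"{test_name}_{when:%Y-%m-%d_%H-%M-%S}{suffix}"
    return target


def render_csv(changes):
    """Excel-style CSV: one row per change, with reference and current values when present."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["monitor", "item", "change", "attribute", "reference", "current"])
    for c in changes:
        w.writerow([c["monitor"], c["item"], c["change"],
                    c.get("attribute", ""), c.get("reference", ""), c.get("current", "")])
    return buf.getvalue()


def render_xml(changes, test_name, host, when):
    """XML report; ElementTree escapes item names, so hostile names cannot break the document."""
    root = ET.Element("report", test=test_name, host=host, time=when.isoformat())
    for c in changes:
        el = ET.SubElement(root, "change", monitor=c["monitor"], item=c["item"], kind=c["change"])
        if "attribute" in c:
            ET.SubElement(el, "attribute").text = c["attribute"]
            ET.SubElement(el, "reference").text = str(c["reference"])
            ET.SubElement(el, "current").text = str(c["current"])
    return ET.tostring(root, encoding="unicode")


def build_notification(changes, test_name, host, when, sender, recipient):
    """HTML E-Mail carrying the test name, host, date/time and change list.

    Every value is HTML-escaped: a file or registry name chosen by whoever
    made the change must not be able to inject markup into the alert."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(c["monitor"]), html.escape(c["item"]), html.escape(c["change"]))
        for c in changes)
    msg = EmailMessage()
    msg["Subject"] = f"[{host}] {len(changes)} system change(s) detected by test '{test_name}'"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(f"Test {test_name} on {host} at {when:%Y-%m-%d %H:%M:%S}: "
                    f"{len(changes)} change(s) detected.")
    msg.add_alternative(
        f"<html><body><p>Test <b>{html.escape(test_name)}</b> on {html.escape(host)} "
        f"at {when:%Y-%m-%d %H:%M:%S}</p><table>{rows}</table></body></html>",
        subtype="html")
    return msg


def run_actions(changes, actions, test_name, host=None, when=None):
    """Apply the configured actions to one test result; returns (kind, detail) for each that fired.

    Action dicts (schema assumed by this example):
      {"type": "report", "format": "csv" | "xml", "target": file_or_dir}
      {"type": "email", "to": addr, "from": addr, "trigger": n}
      {"type": "eventlog", "message": text, "trigger": n}
    """
    host = host or socket.gethostname()
    when = when or datetime.now()
    fired = []
    if not changes:                      # nothing detected: no reports, no alerts
        return fired
    for a in actions:
        if a["type"] == "report":
            body = (render_csv(changes) if a["format"] == "csv"
                    else render_xml(changes, test_name, host, when))
            path = report_path(a["target"], test_name, when, "." + a["format"])
            Path(path).write_text(body, encoding="utf-8")
            fired.append(("report", str(path)))
        elif a["type"] == "email" and len(changes) >= a.get("trigger", 1):
            msg = build_notification(changes, test_name, host, when, a["from"], a["to"])
            # Delivery would be: with smtplib.SMTP(host, port) as s: s.login(u, p); s.send_message(msg)
            fired.append(("email", msg["Subject"]))
        elif a["type"] == "eventlog" and len(changes) >= a.get("trigger", 1):
            text = f"{a['message']} ({len(changes)} change(s) detected by test '{test_name}' on {host})"
            # On Windows this text would be written to the Application log
            # (for instance with pywin32's win32evtlogutil.ReportEvent); returned here.
            fired.append(("eventlog", text))
    return fired


if __name__ == "__main__":
    sample = [{"monitor": "System Files", "item": "System32/sample.dll", "change": "modified",
               "attribute": "sha256", "reference": "<old hash>", "current": "<new hash>"}]
    print(run_actions(sample, [{"type": "eventlog", "message": "SysPatrol change", "trigger": 1}], "Daily Test"))
```

The trigger threshold is the part worth getting right: a test that finds nothing must produce neither a report nor an alert, while an E-Mail action with a trigger of 3 stays silent for two changes even though a CSV report of those two changes is still written. Escaping the change list before it goes into HTML matters because the names in it are exactly the values an intruder controls.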

Managing System Tests and Monitors

In general, the default product configuration created by the SysPatrol Server configuration wizard should be good enough for most users, but sometimes it may be required to tune the SysPatrol Server configuration for user-specific needs and requirements. In order to customize the configuration of a system monitor, press the 'Setup Monitor' button located in the 'Tools' column on the main status page.

The 'System Files' test monitors the integrity of the operating system files. By default, the 'System Files' test is configured to monitor executable programs, DLL libraries and configuration files located in the Windows system directory and the 'Program Files' directory. During the learning stage, SysPatrol Server saves the state of the system files (including SHA256 signatures), and during the monitoring stage it verifies the integrity of all files by comparing file names, attributes, last modification dates and signatures with the reference system configuration.
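The learn/verify cycle behind the 'System Files' test, and the change reporting described in the Product Overview and Manual System Test sections (created, modified and deleted items, each change shown with its reference and current value), can be reproduced for a directory tree with the following Python script. It is an added example rather than SysPatrol's own code: the set of monitored file extensions, the record layout and the function names are this example's assumptions, chosen to follow the manual's description of what is saved (file names, attributes, last modification dates and SHA256 signatures).

```python
"""Reference-state learning and verification for a directory tree (added example, not SysPatrol code)."""
import hashlib
import json
import os
import stat
from pathlib import Path

# Assumed filter, after the manual's default of executables, DLLs and
# configuration files; the product's real selection rules are not documented here.
MONITORED_SUFFIXES = {".exe", ".dll", ".sys", ".ini", ".cfg", ".conf"}


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def learn(root, suffixes=MONITORED_SUFFIXES):
    """Scan `root` and return the reference state: one attribute record per monitored file."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in suffixes:
                continue
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):    # skip symlinks, devices and the like
                continue
            rel = path.relative_to(root).as_posix()
            state[rel] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # permission bits (on Windows only the read-only flag)
                "mtime": int(st.st_mtime),          # last modification date
                "sha256": sha256_of(path),          # content signature
            }
    return state


def verify(reference, current):
    """Compare the current state with the reference and classify every difference.

    Modified entries carry (attribute, reference_value, current_value) triples,
    which is what a reviewer needs in order to judge a change.
    """
    created = sorted(set(current) - set(reference))
    deleted = sorted(set(reference) - set(current))
    modified = {}
    for name in sorted(set(reference) & set(current)):
        diffs = [(k, reference[name][k], current[name][k])
                 for k in reference[name] if reference[name][k] != current[name][k]]
        if diffs:
            modified[name] = diffs
    return {"created": created, "deleted": deleted, "modified": modified}


def change_count(result):
    """Total number of detected changes, the figure a notification trigger is compared against."""
    return len(result["created"]) + len(result["deleted"]) + len(result["modified"])


def save_reference(state, path):
    """Persist the learned state; the 'Update' step simply overwrites it with a fresh learn()."""
    Path(path).write_text(json.dumps(state, indent=1, sort_keys=True), encoding="utf-8")


def load_reference(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    import sys
    root, ref_file = sys.argv[1], sys.argv[2]
    if Path(ref_file).exists():                     # verify stage
        result = verify(load_reference(ref_file), learn(root))
        print(json.dumps(result, indent=1), "\nchanges:", change_count(result))
    else:                                           # learning stage
        save_reference(learn(root), ref_file)
        print("reference saved to", ref_file)
```

Run it once with a fresh reference file name to learn, and again with the same name to verify. Because the SHA256 signature is compared alongside the modification date, a file whose content was altered and whose timestamp was then restored still appears as modified on the `sha256` attribute; comparing the date alone would miss it. Keeping the reference file itself outside the monitored tree, and ideally on a host the monitored server cannot write to, is what makes the comparison trustworthy.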

The 'Kernel Drivers' and 'System Services' tests monitor the configuration of Windows kernel drivers and system services. During the learning stage, SysPatrol Server saves the reference configuration of kernel drivers and system services, and during the monitoring stage it verifies the system configuration by comparing kernel driver and system service names, startup modes, statuses, attributes, registered executables, etc. In addition, SysPatrol Server detects newly created and deleted kernel drivers and system services.

The 'Network Protocols' test monitors and verifies the installed network protocols. SysPatrol Server is capable of monitoring and verifying all types of network protocols, including hidden protocols that are not visible in the Windows control panel. For each network protocol, SysPatrol Server verifies the protocol version, provider flags, service flags, security scheme, etc. In addition, SysPatrol Server detects all newly created and deleted network protocols.

The 'Registry Database' test monitors a number of important registry database keys that control the execution of startup programs on the server. In order to add one or more custom registry keys to the SysPatrol configuration, click on the 'Add' link located beside the first registry key and select a root key and a sub key to monitor. By default, SysPatrol Server detects newly created, modified and deleted registry keys and values. In addition, SysPatrol Server detects unexpected changes in the last modification dates and times of registry keys.

The 'Installed Software' test monitors the installed software products and Windows updates. By default, SysPatrol Server detects newly installed, modified or uninstalled software packages and Windows updates. In order to disable detection of changes in Windows updates, unselect the 'Detect Changes in Windows Software Updates' option.

History Reports

By default, SysPatrol Server keeps a history of the last 30 reports showing previously detected configuration changes. In order to access the history reports, press the 'Reports' button located on the SysPatrol Server home page. For each report, SysPatrol shows the test name, the date and time of the test and the number of detected system changes. In addition, the user can export each report to a number of standard formats including HTML, PDF, Excel CSV and XML. In order to delete a history report, press the report's 'Delete' button displayed in the 'Tools' column. In order to delete all history reports, press the 'Delete All' button located below the report list.

Updating System Configuration

Each time a system administrator installs a new software package or changes the system configuration, SysPatrol will report one or more detected system changes. In order to update the reference system configuration, the user needs to log in to the SysPatrol web-based management interface, press the 'Update' button, select the system monitors to update and press the 'Update' button. During the system configuration update process, SysPatrol will rescan the current system configuration and save it as the reference system configuration. Once the system configuration update process is completed, SysPatrol will resume monitoring with the new reference system configuration and report all subsequent configuration changes. If required, all previously detected configuration changes may be reviewed in the configuration changes report history.

In addition, in order to automate the system configuration update process, SysPatrol provides a command line utility that is capable of initializing the default system configuration, updating the reference system configuration and verifying the current system configuration. The SysPatrol command line utility may be used locally or through the network to configure and control one or more SysPatrol servers.

Configuring SysPatrol Server

SysPatrol Server provides a variety of configuration options allowing one to easily integrate the product into a user-specific network environment. In order to open the main settings page, click on the 'Settings' link located on the top menu bar.

The SysPatrol Server web-based management console requires users to log in with a SysPatrol user name and password. The default user name and password is set to admin/admin. In addition, SysPatrol Server provides the ability to set a custom user name and/or password for the SysPatrol web-based management interface and the command line utility, which may be used to automate configuration and management tasks. In order to set a custom user name and password, click on the 'Configure Server Login' link located on the main settings page, enter a new user name and password and press the 'Save' button.

SysPatrol Server uses TCP/IP port 9140 as the default server control port and TCP/IP port 80 as the default web access port. Sometimes these ports may be in use by other software products or system services. If one or both of these ports are in use, SysPatrol will be unable to operate properly and the user needs to change the SysPatrol server control port and/or web access port. In order to set a custom server control port and/or web access port, click on the 'Setup Server Ports' link located on the main settings page, select the 'Use Custom Port' option and enter a custom port number to use. If the SysPatrol server should be controlled through the network, make sure the custom ports are open in the server's firewall.

SysPatrol Server provides the ability to send E-Mail notifications when a user-specified number of system changes is detected. In order to configure an SMTP E-Mail server to use to send E-Mail notifications, click on the 'Configure E-Mail Server' link located on the main settings page and enter the SMTP server host name, SMTP server port, SMTP user name, password and the source E-Mail address to use to send E-Mail notifications.

Web-Based Interface

SysPatrol Server provides a complete web-based management interface that allows one to fully control, manage and configure one or more SysPatrol servers locally or through the network using a standard web browser. By default, the web-based interface uses TCP/IP port 80, which is the default HTTP port web browsers use to connect to a web server. The SysPatrol web-based interface is a dynamic web application that shows the current status of the server and the progress of performed operations without reloading the currently displayed web page. In order to operate properly, the web-based interface requires JavaScript to be enabled in the web browser.

Using the Command Line Utility in the Interactive Mode

In addition to the web-based management interface, SysPatrol Server provides a command line utility that may be used to control, manage and configure one or more SysPatrol Servers locally or through the network. By default, the SysPatrol command line utility is located in the '<Product Dir>\bin' directory. When executed without any command line parameters, the command line utility operates in the interactive mode, showing available menus, accepting commands and executing selected operations. The interactive mode is very simple to use: all available commands are displayed in a self-explanatory way, making it very easy to set up and configure the product even for a novice computer user.

For example, in order to verify the current system status, start the SysPatrol command line utility without any command line parameters, type "1" to enter the "Status" menu and then type "4" to verify the current system status. If any system changes are detected during the verification process, SysPatrol will save reports and send E-Mail notifications according to the configured report generation and notification actions.

Using the Command Line Utility in the Batch Mode

In addition to the interactive mode, the command line utility may be executed in the batch mode with a variety of command line parameters and options, allowing one to automate control, configuration and management of one or more SysPatrol Servers using batch files or shell scripts. For example, in order to initialize the SysPatrol configuration, learn the current server status and save the reference system configuration, type the following command:

syspatrol -init

SysPatrol Server will create default system tests, learn the current server status, save the reference system configuration and create a daily periodic system test, which will be executed every 24 hours. In order to verify the current system status, type the following command:

syspatrol -verify

SysPatrol will scan the current system configuration, compare it with the reference system configuration, save reports and send E-Mail notifications if required. For detailed information about available command line options, execute the command line utility with the '-help' command line parameter.

Product Update Procedure

Flexense develops SysPatrol Server using a fast release cycle, with minor product versions, updates and bug fixes released almost every month and major product versions released every year. New product versions and product updates are published on the product web site and may be downloaded from the following page: http://www.syspatrol.com/downloads.html. Because the product is especially designed for servers running in production environments, where stability is a major decision factor, SysPatrol Server updates should be performed manually by the user. In order to update an existing product installation, download the latest product version and just start the setup program. The SysPatrol Server setup program will properly shut down the running SysPatrol Server, update the product and restart the SysPatrol service after finishing the update procedure. All product configuration files, the saved reference system configuration and the product registration will remain valid, and there is nothing to reconfigure or manage after the update.

Product Registration Procedure

Within a couple of hours after purchasing a product license, the customer will receive two e-mail messages: the first one confirming the payment and the second one containing an unlock key, which should be used to register the product. If you do not receive your unlock key within 24 hours, please check your spam box, and if the unlock key is not in the spam box, contact our support team: support@flexense.com.

If the computer on which SysPatrol is installed is connected to the Internet, log in to the SysPatrol server (default user name and password: admin/admin) using a standard web browser, click on the 'About' link located on the top menu bar, press the 'Register' button, enter your name or your company name, enter the received unlock key and press the 'Register' button. If the computer is not connected to the Internet, press the 'Manual Registration' button, export the product ID file and send the product ID file to register@syspatrol.com as an attachment. Within a couple of hours, you will receive an unlock file, which should be imported in order to finish the registration procedure.

OEM Product Version

Flexense provides system integrators, value-added distributors and IT service providers with the ability to resell SysPatrol Server and/or provide services based on the product under third-party brand names. Resellers and integrators can change the product name, the product web site address, the product vendor name and the product vendor web site address. In order to be able to set custom OEM product and vendor information, the user needs to register the product using a special OEM-Enabled unlock key, which may be purchased on the product purchase page. Once the product is registered using an OEM unlock key, open the 'About' page, press the 'Set OEM Info' button, specify your custom OEM product and vendor information and press the 'Save' button. Custom OEM product and vendor information will be displayed on all pages of the SysPatrol web-based management interface, in all types of reports generated by the product and in all notification E-Mail messages sent by SysPatrol Server.

Supported Operating Systems

32-Bit Operating Systems:
- Windows XP
- Windows Vista
- Windows 7
- Windows 8
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012

64-Bit Operating Systems:
- Windows XP 64-Bit
- Windows Vista 64-Bit
- Windows 7 64-Bit
- Windows 8 64-Bit
- Windows Server 2003 64-Bit
- Windows Server 2008 64-Bit
- Windows Server 2012 64-Bit

System Requirements

Minimal System Configuration:
- Supported Operating System
- Single Core 1 GHz or better CPU
- 512 MB of system memory
- 25 MB of free disk space

Recommended System Configuration:
- Supported Operating System
- Dual Core 2 GHz or better CPU
- 1 GB of system memory
- 25 MB of free disk space

* Internet Explorer v9, FireFox v12 or Chrome v17 or newer is required for proper operation of the web-based management interface.