Frequently Asked Questions
How do I get started?
Sign up on www.sanernow.com and select the tools you require. Go to "Open Console" to create accounts and deploy agents. Within 10 minutes you should be able to set up 1000 machines and view their reports.
What measures can we take to secure our account?
You can set up 2-step verification to add an extra layer of security to your account. See the section "How can we set up two-factor authentication?" for more details. Administrators and Account Administrators can enforce two-factor authentication for all other users.
How is my data secured?
Your data is isolated from that of other customers. Multiple techniques are used to ensure data integrity, and every request and response is verified. Our specialized security team ensures that the platform passes through multiple layers of security testing. This team stays up to date with the latest attacks and threats and plays a major role in defining checks for products such as OpenVAS. Your data is secure with us.
How can we set up two-factor authentication?
When you enable two-factor authentication, you add an extra layer of security to your account. You sign in with something you know (your password) and something you have (a code produced by the authenticator app on your phone).
To get started, click 'Turn on' next to two-factor authentication. Open the Google Authenticator app and scan the QR code. The app will show a 6-digit code. Enter the code in the text box and press the Enable button.
On every login, after entering your username and password, you will be prompted to enter the code displayed by the Google Authenticator app. Both steps must be verified before access to your account is granted.
What is the average size of content downloaded, or the network utilization of agents fetching content from your server, during a scan?
The size of the security content download varies with the vulnerabilities and configuration issues detected. On Windows machines an active agent downloads an average of 4MB of data, and only when the content has changed and requires an update. Our signature release cycle is 2-3 times per week. We have devised mechanisms to optimize content download.
How are system resources utilized, and what is the CPU load, during a scan?
In low mode scan, CPU usage averages 20-30%. In full throttle mode, scans are fast and finish within minutes; CPU usage averages 50-80% for a few seconds and then returns to 20-30%. The Saner service runs at normal priority and the operating system schedules it effectively, so it will not interfere with your work.
What settings may be required to optimize network usage during remediation/patching?
Set up a local patch server or a WSUS server in your organization. Agents are designed to detect the WSUS server settings and fetch patches from it. If WSUS is not configured on your individual endpoints, you can use the EDR section to set up a Registry Response. For more details, follow the link: https://support.microsoft.com/en-in/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s
Third-party product patches can also be served from a local HTTP/HTTPS/FTP server. Go to Manage > Create Settings > Remediate.
Under Third-party products patch server, select Local; a new set of settings opens where you provide the server URL. Contact info@secpod.com to get the Remediation resource feed for a large setup.
Settings such as patch buffering with bandwidth usage restriction, under Manage > Create Settings > Remediate, also help optimize remediation tasks.
How are system resources utilized, and what is the CPU load, during remediation?
CPU usage is very low during remediation. Patches are queued and taken up sequentially. A scan is performed after a remediation job or rule completes. The following graph shows the effect of remediation on the operating system.
Can I configure a time period between which remediation should start and end?
Yes. While setting up a remediation job or rule, you can provide a remediation timeframe with a start and end date-time. For example, in a typical organization, remediation can be set to end at 8:00 a.m., when employees start their day at work. If an automated remediation task is still running at 8:00, it will run to its logical end, and any reboot and subsequent tasks will be taken up in the next time interval. Short-term remediation tasks, however, will complete and their results will be uploaded.
After configuring the time period between which remediation should start and end, can I change it?
For remediation automation, you can change the timeframe; the change takes effect in the next scheduled interval. Short-term remediation tasks cannot be modified.
Can I install a customized patch for remediation or install other applications using Saner?
Yes. Use Software Deployment in the Response section of Endpoint Management. All applications and patches are installed silently without interfering with users on the endpoints. Test your installation and provide the appropriate silent option if the usual options such as /S are not supported by the installer.
Can I install a non-security patch also with Saner?
Yes. Use Software Deployment in the Response section of Endpoint Management.
What should I do if a remediation patch is not available?
You can choose to block the application temporarily and unblock it later. Go to EDR > Build your own Response > Application Block.
How can I remediate commercial licensed products such as Adobe Acrobat or Oracle WebLogic Server?
Use Software Deployment in the Response section of Endpoint Management. Provide a vendor URL to download the patch, or upload the patch, and provide the silent install option.
Can I find out how long a vulnerability has existed in an organization?
Yes. In the VM dashboard, the vulnerability patching graph shows how long a vulnerability has existed in an organization since its detection on our platform.
What are the next steps after vulnerability detection?
VM gives you detailed information about existing loopholes that make endpoints prone to malware attacks. Next steps involve strategizing patching activity using PM and ensuring endpoint-protection software is up to date using EM. Complementary to that, EDR helps you recognize any ongoing attack and respond immediately, and AM shows whether the vulnerable software assets are in regular use or used sparingly.
How can I mitigate vulnerabilities effectively?
You can visualize vulnerability mitigation statistics to prioritize your patching activity. The high-fidelity attacks insight highlights tasks that require immediate attention because the affected endpoints are prone to malware attack. Statistics such as vulnerabilities by severity score also help determine the next steps for vulnerability mitigation.
Can I find out how long a patch has been available but not applied in an organization?
Yes. In the PM dashboard, the patching graph shows when a missing patch was released by the vendor and how long it has remained unapplied on the endpoints. Patching Impact and Configuration Impact are powerful tools to visualize the effect of remediation.
Remediation and software patching is a long and tough activity. What if something goes wrong? Is a rollback option available?
Our patches are tested by a dedicated team to ensure remediation is accurate and quick. The Saner agent has also evolved as part of remediation to ensure speedy patching.
In any case, a Rollback feature is available for Windows, Linux and Mac operating system patches. Compliance rollback is also in place. Third-party product patches cannot be reverted, but the previous version can be reinstalled. Go to PM dashboard > click on PM in left panel > Rollback.
Please check whether rollback is possible for a patch before applying remediation, because some vendor patches do not support rollback.
Can I know why a particular remediation failed?
Yes. In the PM dashboard see 'Reason for Failure'. You can also check the status of individual remediation tasks in the 'Job Status summary' section on the dashboard. Click on expand to dig deeper into the status.
A patch is available and approved in my WSUS server but Saner remediation is failing. Why?
Each setup is different, and some checks from your end can speed up resolution of such issues. On one of the endpoints, check that the system is configured properly to use your WSUS server. Open Windows Update to see whether the patch appears on the system. If the relevant patch appears, then Saner should be able to fetch it. If not, either WSUS is not configured properly or a prerequisite patch is hindering remediation.
Please note: installing a patch may make other patches applicable to a software asset. Also, the Windows Update software itself may require patching; consider installing it before any other remediation task.
Please log your observations in an email to info@secpod.com for resolving your case. We will be happy to help.
Can I identify software products which are out of life? What actions can be taken for out-of-life products?
Yes. Check AM dashboard > Outdated Applications. Consider installing upgrades using Software Deployment in the Response section of Endpoint Management. You may also uninstall such applications using Application Management > Uninstall.
Does Saner provide tracking of software licenses?
Yes. In AM, you can track software licenses and the cost incurred by an organization. You can also provide an external feed to assess software licenses.
Can I blacklist or whitelist software applications?
Yes. In AM, import a blacklisted or whitelisted applications feed (in CSV format) and go to the dashboard to check for violations. Currently, we do not automatically uninstall or block applications using this feed. This can be automated using EDR > Build your own Detection and Response to run a response script periodically.
What possible response actions can be executed from Saner?
Response actions are broadly categorized into Network, Process, Service, Software Deployment, System, Application and Devices, Security, File, Windows Registry, Tuneup, and Startup Programs. Each category in the Response section has a set of actions; check the individual categories for more information.
Is it possible to automate responses/actions on detection scripts?
Yes. In EM, you can create actions based on a set of existing detection scripts.
Can we add more detection scripts in EM?
More than 100 detection scripts are already defined and ready to use. You can add more using the EM > Tools section. For any issues or requirements, contact info@secpod.com and we will create it for you.
Can I know the system health of all my endpoints?
Yes. Go to EM > Detection > System Health. Click to get real-time data and visualize disk space usage approaching 90% and high CPU and RAM usage.
Can I command my endpoint to scan now or reboot now?
Yes. Go to Manage > Devices > select the device > click 'Scan now'. For reboot, go to EDR/EM > Response > System and select Reboot.
What are the common indicators of compromise/attack?
Endpoint protection software disabled, applications with an unknown publisher, firewall disabled, torrent-like downloads, a new application in startup programs, common operating system libraries with a different MD5 sum, unknown processes running or multiple ports open, and disk space running out, to name a few.
What are the existing Compliance benchmarks supported by Saner?
SecPod Default Compliance, vendor-recommended (such as Microsoft) General Compliance, NIST 800-53, NIST 800-171, PCI, HIPAA, and others such as ISO 27001, WMI, ports, process control, service control, device control and anti-virus compliance, which can be designed as per user requirement.
Can I remove checks from an existing Compliance benchmark?
Yes, if it does not apply to your organization. Simply deselect the rule or category while creating/editing the compliance.
Can I take remediation actions on customized Compliance checks?
Yes. Remediation scripts are automatically generated based on the compliance created by users. Go to CM dashboard > Remediation actions to know more.
Why do some of the compliance checks show 'Not selected' or 'Not checked' status?
Checks that you deselected appear as 'Not selected' in the report. Compliance checks that require input from the user are 'Not checked' unless the user provides that data. If you have any issues, please contact info@secpod.com. Screenshots of the relevant reports/dashboard and the agent audit logs will help us understand the case.
Can I apply rollback on customized Compliance benchmark?
Yes.
Can I see trending reports?
No. Currently you can back up reports using Reports in the left panel; they are emailed automatically at scheduled intervals.
Can I export individual endpoint report?
Yes. Go to Manage > Devices > click on hostname > click on Export Device Report.
Can I be alerted on certain incidents on endpoints?
A variety of alerts can be issued to notify you of failed actions, incidents on endpoints, critical vulnerability issues, configuration issues, new detections on endpoints, etc. Click on Alerts in the left panel to know more.
How long does a scan take?
A typical scan takes under 5 minutes on Windows and 1-2 minutes on Linux and Mac machines. Special mechanisms and algorithms on the agents help achieve this.
My scan is taking too long. What can I do?
Contact info@secpod.com with the endpoint's audit log, which can be obtained from Manage > Devices > click on hostname > click on Audit Logs. You can also change Settings > Log to debug, run a scan, and send spsaneragent.log from the endpoint; it is found in the log folder under the SecPod Saner installation directory on Windows and in /var/log/saner on Unix-based machines.