Preparing your device for installation of CYSECA SE

Follow the steps in this guide to avoid the most common issues when installing a CYSECA application on your Windows PC, and to get optimum performance from your new CYSECA application.

Refer to the relevant section below according to your CYSECA product:

Get to know CYSECA SE

What is Application whitelist?

Application whitelisting allows the use of selected files based on criteria set as policy.

Why do we use Application whitelist?

Traditional anti-malware solutions that adopt a blacklist approach are becoming inadequate in the face of growing targeted cyber-attacks.
Critical systems are increasingly being targeted, resulting in data leakage, locked folders with ransom notes, loss of valuable data, use of compromised endpoints as a launching pad for malicious activities, and more.

What is its use?

It is designed to prevent execution of unauthorized applications, unknown applications, malware and zero-day malware. It is also intended to raise public awareness of cybersecurity.

System requirements
  1. Check that your PC meets the minimum specifications below:

    Minimum systems requirement

    • Windows 7/8/10/11
    • Windows fully compatible to support.
    • 1GB RAM or above.
    • 1GB free space of storage.
    • Internet connection to download, activate, and maintain application updates and Antivirus database
    • Minimum resolution of 1366x768 pixels
  2. Check that your PC is updated with the latest Windows updates.
  3. Check your firewall if necessary.
Installation
  • Pre-Installation
    • Before beginning the installation process, make sure to download the application and locate its path. The installer can be found in the Downloads folder. You are required to register before you can download.
    • If you have any existing antivirus software, please uninstall it before starting the installation.
  • Installation Procedure

    Ensure that you are connected to the internet for license activation and updating the whitelisting rules.

    • Once everything has been set up, right-click the installer .msi and run it as Administrator.
    • You will see the installation dialogue. Tick the box to accept the Terms and Conditions and continue by clicking Next.
    • Enter the license key, in the format "XXXX-XXXX-XXXX-XXXX-XXXX", that was sent to your registered email after registration.
    • Enter a proxy address if necessary.
    • Tick the box to Enable tray on Windows startup. This setting keeps the application running in the tray icons. It is enabled by default.
    • Begin the installation process by clicking Install. Once it finishes, the CYSECA Home Edition dashboard will be shown and you can look around the application to become familiar with it.
    • When the installation has been completed, you will see the dashboard of the application as shown in the figure below.
    • Verify your license information by clicking Settings and viewing your license.
Quick start
In this section, you will be guided through how to use the application and become familiar with it.
  1. Protection Mode

    There are three (3) protection modes, each with a different function and level of security.

    Audit Mode

    Monitors what the user executes and lists the executed applications. In this mode, all applications are allowed. The user can also add applications executed during audit mode to a new custom application.

    Manual Protection

    The user decides which applications can run on the PC. The user will be redirected to the rules page if this option is selected. The applications on the rules page are fetched from the CYSECA Server.

    Auto Protection

    Automatically allows applications that have been deemed safe to run on the user's computer.

  2. Using Audit Mode

    • Audit mode lets the user execute all applications. The user can process the recorded application executions and store them in a custom application. Note that execution logs will not be updated during audit mode.
    • Familiarize yourself with Audit Mode using the steps explained below:
    Add an application to a new custom rule.
    • Select Audit Mode

      The highlighted text box above reminds the user that in audit mode, execution of files will be recorded, and the user can manually decide whether or not to add the recorded files to the custom application rules.

    Execution of application in Audit Mode
    • When the user executes any application installed on their PC, they can click the Process button in the dashboard to see the execution log of the file.

      For this scenario, TeraCopy was used as the unknown file to be added to a custom rule. When the user clicks the Process button on the right of the user interface, the above menu will appear.

    • The user can set the rule name and must click Save for the rule to be recorded by CYSECA.
    Saving and Editing of Custom rules in Audit Mode
    • Saving and editing custom rules can be accessed via App Control > Custom Rules in the menu.
    • In this menu, the user can add files and folders, and delete added folders which are whitelisted. The user can also export the rules in .csv format. Rules saved from audit mode will also appear here.
    Viewing file and certificate information
    • The user can also view file and certificate information, and check whether the file is safe or not with VirusTotal.
    • VirusTotal is a webpage where the user can search and upload file information to check whether the file is safe for use or not. VirusTotal is trusted by many parties and organizations as one of the best places to identify safe and malicious files.
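
The same file and certificate details can be gathered from a PowerShell prompt before a file is added to a custom rule. This is an added example, not part of CYSECA or its documentation; the function name Get-AllowCandidateInfo and the NeedsReview field are hypothetical, and Notepad is used only as a sample file that exists on every Windows PC.

```powershell
# Added example: summarize a file's identity before allowing it in a custom rule.
# Uses only built-in cmdlets; Get-AllowCandidateInfo is a hypothetical helper name.
function Get-AllowCandidateInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256
        $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
        $cert = $sig.SignerCertificate   # $null when the file is not signed

        [pscustomobject]@{
            Path            = $item.FullName
            SizeBytes       = $item.Length
            SHA256          = $hash.Hash        # can be searched on VirusTotal without uploading the file
            SignatureStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
            Signer          = if ($cert) { $cert.Subject } else { $null }
            Issuer          = if ($cert) { $cert.Issuer } else { $null }
            Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
            CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            # Unsigned files, or files whose signature does not verify,
            # deserve a closer look before they are whitelisted.
            NeedsReview     = ($sig.Status -ne 'Valid')
        }
    }
}

# Sample run against a file present on every Windows installation.
Get-AllowCandidateInfo -Path "$env:WINDIR\System32\notepad.exe" | Format-List
```

A SignatureStatus of HashMismatch means the file was modified after it was signed, so the signer shown cannot be relied on.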
  3. Application Control Workaround

    On the application control menu, the user can manage application rules, custom rules, and the exclusion list.

    Application Rules
    • Application rules can be used only if the user selects the Manual Protection Mode. Otherwise, this menu cannot be used. The figure below shows the menu.
    • The user can search, allow, disallow and refresh the rules list. If the Manage Rules Automatically button is turned on, auto-protection mode will be selected, and these rules will all be allowed automatically. The figure below shows what the Application Rules menu looks like.
    • The user is recommended to refresh the rules by clicking the Refresh button to automatically update the rules.
    • If the user has made changes to the rules and has not clicked the Save button, the changes can be reverted by clicking the Revert button. This will undo any changes made.
    • Note that all changes must be saved in order to take effect; otherwise the application will still be blocked. The figure below shows allowed applications that can be run.
    Custom Rules
    • In this part, the user can manually add individual files to allow an application to run if it is not listed in the rules provided.
    • If the uploaded files have certificates, the files will be displayed with their certificate information.
    • The user can drag and drop files into the box to upload them.
    Exclusion
    • The user can exclude applications from being scanned by CYSECA. Note that CYSECA will totally ignore the excluded files, so please do not exclude malicious applications. The figure below shows the exclusion page.
    • The user can exclude either a file or a folder. To exclude a folder, click the +DIR button, and to exclude a file, click the +File button.
    History (Execution Logs)
    • The execution log displays all executions of PE files in the agent. The user can view, block and allow any file scanned by CYSECA.
    • The user can also check file information from the log. The figure below shows the execution logs as well as file information.
    • To Allow or Block an application, simply click the dropdown and choose the option.
    • The file information can also be checked, as shown in the figure below, by clicking on the app.
    History (Fileless Logs)
    • The fileless log displays all executions of scripts/commands in the agent. Note that this will only display pure fileless scripts. Execution of .vbs, .py, and .ps1 files will be shown in the file execution logs.
    • What is known as a fileless threat?

        A fileless threat is a type of threat that does not come in the form of a file; instead, it uses memory to store its commands. Fileless threats come in three (3) types, which are:

      • Type 1: No activity performed

        A fully fileless malware can be considered one that never requires writing a file on the disk. A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples do not require a file on the disk to run and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls. Infections of this type can be particularly difficult to detect because most antivirus products do not have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on hardware or software configuration. It is not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks.

        Type 2: Indirect file activity

        There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type does not directly write files on the file system, but it can end up using files indirectly. This can be considered a common attack type, in which the attacker uses legitimate commands/scripts that are whitelisted by Windows, such as PowerShell, mshta, regsvr32 and wscript/cscript.

        Type 3: Files required to operate

        Some malware can have a sort of fileless persistence, but not without using files to operate. This type of attack sets a certain verb/keyword which will be invoked by the script to open a malicious command through a legitimate Windows Shell command, such as mshta or wscript.

    • The figure below shows an example of fileless executions being recorded in the logs.
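
The split between the fileless log and the file execution log described above can be modelled on a few command lines. This is an added example and a simplified model, not CYSECA's own logic: the function name Get-ExpectedLog is hypothetical, the host and extension lists are taken from this page, and the sample command lines are constructed.

```powershell
# Added example: simplified model of the log split described above.
# Assumption: not CYSECA's own logic; the lists below are the ones named on this page.
$Interpreters     = 'powershell', 'mshta', 'regsvr32', 'wscript', 'cscript'
$ScriptExtensions = 'vbs', 'py', 'ps1'

function Get-ExpectedLog {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Tokenize, keeping double-quoted arguments (paths with spaces) together.
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') |
        ForEach-Object { $_.Value.Trim('"') })

    # Executable name without directory or .exe suffix, lower-cased.
    $exeName = (($tokens[0] -split '[\\/]')[-1] -replace '\.exe$', '').ToLowerInvariant()

    # First argument that names a script file on disk, if any.
    $extPattern = '\.(' + ($ScriptExtensions -join '|') + ')$'
    $scriptFile = $tokens | Select-Object -Skip 1 |
        Where-Object { $_ -match $extPattern } | Select-Object -First 1

    $log = if ($scriptFile) {
        'File execution log'     # the script exists as a file on disk
    } elseif ($Interpreters -contains $exeName) {
        'Fileless log'           # script host given inline commands only
    } else {
        'File execution log'     # ordinary PE execution
    }

    [pscustomobject]@{
        Executable  = $exeName
        ScriptFile  = $scriptFile
        ExpectedLog = $log
        CommandLine = $CommandLine
    }
}

# Constructed sample command lines (not taken from a real system).
$samples = @(
    'powershell.exe -NoProfile -Command "Get-Date"',
    'powershell.exe -File C:\Scripts\backup.ps1',
    'wscript.exe "C:\Scripts\monthly report.vbs"',
    'python.exe C:\Tools\job.py',
    'C:\Tools\TeraCopy.exe'
)
$samples | ForEach-Object { Get-ExpectedLog -CommandLine $_ } | Format-Table -AutoSize -Wrap
```

Only the first sample lands in the fileless log in this model; the other four reference a file on disk and belong in the file execution log.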
  4. Settings function

    This part explains the functionality of the settings.

    Settings menu
    Real-time Protection
    • This function can be toggled On or Off.
      • On: Agent will scan and log execution of files.
      • Off: Agent will not scan any execution of files.
    Fileless Protection
    • This function can be toggled On or Off.
      • On: Execution of fileless files will be scanned.
      • Off: Agent will not scan any execution of fileless files.
    Scan Java (*.jar)
    • This function can be toggled On or Off.
      • On: Agent will scan Java files. If not whitelisted, they will be blocked.
      • Off: Agent will ignore Java files.
    USB Read Protection
    • This function can be toggled On or Off.
      • On: The user's PC will block any read attempt from USB devices.
      • Off: Allow reads from USB devices.
    USB Write Protection
    • This function can be toggled On or Off.
      • On: The user's PC will block any write attempt from USB devices.
      • Off: Allow writes from USB devices.
    Show Notification
    • This function can be toggled On or Off.
      • On: Agent will show a tray notification when any unknown file is executed.
      • Off: Disable the tray notification.
    Max. Scan File Size
    • The user can manually set the maximum file size for CYSECA to scan. With this set, CYSECA will only scan files that are smaller than the maximum size.
    Auto Update
    • This function can be set to On, Notify or Off.
      • On: Agent will automatically update to the latest version if available.
      • Notify: The user will be notified when a new update is available and can update manually.
      • Off: The agent will not be updated automatically when a new version is available.
    Check Update
    • This function manually checks for a version update.
    License
    • Shows the user's license details.
    Clear cache
    • This will clear all files recently scanned by CYSECA from the cache.
  5. Scan the files with CYSECA

    • The user can scan a file/folder manually using CYSECA. To perform this action, right-click on any file/folder and click Scan with CYSECA.
    • Scan duration varies according to the size of the file being scanned, and the results will be displayed afterward as shown in the example below.
    • The user can check the file with VirusTotal. The user can also Save/Discard the file. Saved files will be displayed in Custom Rules.
Troubleshooting

What if installation fails?

Please check your PC and ensure it meets the minimum requirements to install.

What if activation is unsuccessful?

Please check the license key sent to your registered email. If you accidentally deleted the email, you can retrieve the key by logging in here.

If you are still unable to activate the license, contact CYSECA Support for further assistance.

For a detailed explanation, you can download the guide here or contact our Support directly.

Subscribe to our forum to share your thoughts or find solutions needed.