CSI-E Computer Security Investigator – Enterprise.

Definitions:

Agent – This is an individual machine with Prevx CSI installed.
Prevx CSI-E Server – This is the central computer which analyses the Prevx CSI Agents.
PX5 – This is the way Prevx uniquely identifies a file, similar to an MD5 hash.
MDB – The Master Database (MDB) refers to the storage of data used by the Prevx CSI-E Server.
LDB – The Local Database (LDB) refers to the file which stores the Prevx CSI-E Agent's scan log and settings.
Determination – This is the decision on whether a file is Good (clean), Bad (infected) or Unknown (undefined).

CSI-E Scan Flow Diagram (flowchart; only the recovered labels are listed here)

CSI Agent side: Agent performs scan; Has scan been processed?; Apply Agent configurations and/or remediation.
CSI-E Server side: Verify Agents' scan information; Any Agents scanned recently?; Infection or blacklisted program found?; Set group configurations; Set Agent configurations and remediation and execute alert rules.

CSI-E Architectural Diagram (only the recovered labels are listed here)

Components: Prevx CSI-E Agent; File Server hosting the CSI shares; Prevx CSI-E Server software with the MDB; Prevx Community DB, reached over the Internet (port 80), with scan information going out and determinations coming back.
Flow: CSI-E Agent scan information sent to the share; CSI-E Agent info picked up by the CSI-E Server; CSI-E Agent info processed and configuration set; CSI-E Agent scan results received plus additional configuration settings; scan performed / remediation enforced.
Outputs: Alerts: SMS, , Windows Events...; Reports: customized HTML.

Prevx Community Database and Zero-Day Detection

Utilising the Prevx Community Database and advanced detection rules, we pride ourselves on finding malware before anyone else, and we consider the product both an incremental (value-added) solution and a stand-alone solution.

Prevx CSI Detection Technology

Based on the Prevx CSI detection software, Prevx CSI-E builds in additional functionality to allow a truly dynamic, powerful detection program to work exactly as you specify, using remediation policies and alert rules.

Internet independent agents

The Prevx CSI-E implementation does not require client machines to have an internet connection to get determinations, since the CSI-E server does all the internet communication on behalf of the agents, negating the need to open ports for internet communication on every client machine. This is possible by having a central file share folder where the client machines transfer their scan logs and configurations (LDB) and await the verified scan results and additional configuration once the Prevx CSI-E server has processed the client's logs.
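The exchange the slide describes, as an added example that is not Prevx's code: the agent drops its scan log on the share, the server picks it up, obtains determinations and writes the results and configuration back, and the agent collects them. A temporary directory stands in for the CSI share; the inbox/outbox layout, the JSON log format and the hash values are assumptions (the real LDB is a binary file whose format is not on the page), and the server's lookup is a constructed in-memory table.

```python
"""Added example (not Prevx's code): agent/server exchange over a file share.
The inbox/outbox layout, JSON log format and hash values are assumptions."""
import json
import os
import tempfile
from pathlib import Path


def agent_submit(share: Path, agent: str, group: str, files: dict) -> Path:
    """Agent side: write the scan log (LDB stand-in) to the share. No internet needed."""
    inbox = share / "inbox"
    inbox.mkdir(parents=True, exist_ok=True)
    part = inbox / f"{agent}.json.part"
    part.write_text(json.dumps({"agent": agent, "group": group, "files": files}))
    final = inbox / f"{agent}.json"
    os.replace(part, final)  # atomic rename: the server never sees a half-written log
    return final


def server_process(share: Path, lookup) -> list:
    """Server side: pick up every complete log, determine each file, write results back."""
    outbox = share / "outbox"
    outbox.mkdir(parents=True, exist_ok=True)
    processed = []
    for log in sorted((share / "inbox").glob("*.json")):
        entry = json.loads(log.read_text())
        # Only the server talks to the outside world; the agent just sent hashes.
        results = {name: lookup(h) for name, h in entry["files"].items()}
        result_file = outbox / f"{entry['agent']}.json"
        result_file.write_text(json.dumps(
            {"results": results, "config": {"scan_interval_h": 24}}))
        log.unlink()  # the log has been processed
        processed.append(entry["agent"])
    return processed


def agent_collect(share: Path, agent: str):
    """Agent side: fetch the processed result; None means the server has not run yet."""
    result_file = share / "outbox" / f"{agent}.json"
    if not result_file.exists():
        return None
    data = json.loads(result_file.read_text())
    result_file.unlink()
    return data


# Constructed stand-in for the server's MDB/community lookup (hash -> determination).
KNOWN = {"aaa111": "Good", "bbb222": "Bad"}


def lookup(file_hash: str) -> str:
    return KNOWN.get(file_hash, "Unknown")


def demo():
    """Run one round trip and return (result before processing, result after)."""
    share = Path(tempfile.mkdtemp(prefix="csi-share-"))
    agent_submit(share, "SALES-PC7", "sales",
                 {"payroll.exe": "aaa111", "drop.exe": "bbb222", "x.dll": "ccc333"})
    before = agent_collect(share, "SALES-PC7")  # nothing processed yet -> None
    server_process(share, lookup)
    after = agent_collect(share, "SALES-PC7")
    return before, after


if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

The share is the trust boundary in this design: the server only parses the log as data and never executes anything an agent wrote, and in a real deployment each agent should be able to write only its own inbox entry and read only its own outbox entry, with the server process holding the only account that can write results.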

Overrides and Master Database

Organisations may have in-house developed software which is unknown to the Prevx Community Database, or a standard desktop build where all the files are known to be good. By having the mechanism to import files, directories or even Windows Installer (MSI, MSP) installations (all the setup files can be analysed prior to installing) into the Prevx CSI-E Master Database (MDB), you can predefine these determinations locally on the Prevx CSI-E server. This increases performance: if a file's PX5 has been stored in the MDB there will be no need to look online for a determination. The overrides feature can also be used to mark certain files associated with programs as “bad”, so you can disallow them or be alerted when certain files on your network have been seen, despite the Prevx Community Database marking the files as “good”. The overrides can be grouped together, meaning that if, for example, after a scan a sales department machine has been seen with software which should only be used on development team machines, Prevx CSI-E alerts the administrator or runs a remediation policy.
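An added example, not Prevx's code, of the lookup order this slide describes: group-scoped overrides first, then the locally imported MDB determinations, and only for unseen files the community database. PX5 is Prevx's proprietary identifier and its algorithm is not on the page, so SHA-256 stands in for it (an assumption); the sample "files", the group names and the community table are constructed.

```python
"""Added example (not Prevx's code): MDB overrides, local determinations and
community fallback. SHA-256 stands in for PX5 (assumption)."""
import hashlib
from dataclasses import dataclass, field

GOOD, BAD, UNKNOWN = "Good", "Bad", "Unknown"


def px5(data: bytes) -> str:
    """Stand-in for PX5: hex SHA-256 of the file contents (assumption)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class MasterDatabase:
    # hash -> determination, imported from files/directories/MSI installs
    determinations: dict = field(default_factory=dict)
    # hash -> {group: determination}; the None key applies to every group
    overrides: dict = field(default_factory=dict)
    online_lookups: int = 0

    def import_files(self, files, determination=GOOD):
        """Predefine determinations locally, e.g. for a standard desktop build."""
        for data in files:
            self.determinations[px5(data)] = determination

    def add_override(self, file_hash, determination, group=None):
        """Mark a file good/bad for one group (or all groups), beating the community verdict."""
        self.overrides.setdefault(file_hash, {})[group] = determination

    def determine(self, data, group, community):
        """Return (determination, source). Goes online only for unseen files."""
        h = px5(data)
        per_group = self.overrides.get(h, {})
        if group in per_group:
            return per_group[group], "override"
        if None in per_group:
            return per_group[None], "override"
        if h in self.determinations:
            return self.determinations[h], "mdb"
        self.online_lookups += 1
        verdict = community.get(h, UNKNOWN)
        if verdict != UNKNOWN:
            self.determinations[h] = verdict  # cache so later agents stay offline
        return verdict, "community"


# Constructed sample "files" (byte strings standing in for real binaries).
INHOUSE_TOOL = b"in-house payroll tool v1"
MESSENGER = b"messenger client build 7"
DROPPER = b"known dropper sample"
NEW_FILE = b"never seen anywhere"

# Constructed stand-in for the Prevx Community Database.
COMMUNITY_DB = {px5(MESSENGER): GOOD, px5(DROPPER): BAD}

FILES = {"payroll.exe": INHOUSE_TOOL, "msgr.exe": MESSENGER,
         "drop.exe": DROPPER, "x.dll": NEW_FILE}


def build_mdb() -> MasterDatabase:
    mdb = MasterDatabase()
    mdb.import_files([INHOUSE_TOOL])                      # known good locally
    mdb.add_override(px5(MESSENGER), BAD, group="sales")  # allowed for dev only
    return mdb


def scan(mdb: MasterDatabase, files: dict, group: str) -> dict:
    return {name: mdb.determine(data, group, COMMUNITY_DB) for name, data in files.items()}


if __name__ == "__main__":
    mdb = build_mdb()
    for grp in ("sales", "dev"):
        print(grp, scan(mdb, FILES, grp))
    print("online lookups:", mdb.online_lookups)
```

Unknown verdicts are deliberately not cached, so a file the community has not classified yet is re-checked on the next scan, while Good and Bad verdicts are stored and served from the MDB afterwards.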

Remediation Policies

Once a client machine has been detected as being infected, Prevx CSI-E will enforce automatic remediation policies to perform immediate actions on the infected machine. These policies may include:

- Auto cleanup – Automatically clean up an infected machine before the infection spreads; the user will be alerted prior to this action as a reboot may be required.
- Network Access Control (NAC) – Automatically remove the infected machine from your network by disabling all network devices on the infected host.
- User notification – Advise the user that their machine is infected and present a customizable message.
- Shutdown/Reboot machine – The infected machine can be immediately shut down to prevent any further infections spreading.
- Server side script execution – Execute any type of script or program with any action by writing your own server side scripts.

Alert Rules

When a user's machine is infected you will more than likely not be watching the Prevx CSI-E Server console at that very moment, so we have implemented a messaging system to alert the administrator in numerous ways:

- Notification via the Prevx Premium alert system
- SMS (Short Messaging Service) notification via the Prevx SMS Premium service
- Notification via your own system's Windows Events log; this will work alongside the Microsoft Operations Manager (MOM) alert system
- Script Alert rule*

Script Alert Rules

One of the most configurable features of Prevx CSI-E Server is the Script Alert feature. This allows the administrator to write any script, or even a program, to launch under certain conditions, such as a client infection, a server or client failure, or even when a certain file has been seen in your organization, which is especially useful when you wish to control the use of applications such as MSN Messenger. You can also run advanced scripts to perform Active Directory tasks, so if a machine is seen to be infected you can move the machine into a remediation OU (organizational unit) or even remove the machine from the domain, thereby preventing further access to domain resources.
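An added example, not Prevx's code, tying together the three preceding slides (Remediation Policies, Alert Rules and Script Alert Rules): the server takes each agent's processed scan result, fires alert rules for infection, watched-file sightings and agents that have not scanned recently (the "Any Agents scanned recently?" check of the flow diagram), and applies the group's remediation policy when an infection is found. Agent records, group policies, the watched program list and the 24-hour threshold are constructed; the Windows event log is simulated with an in-memory list, and the server-side Active Directory script only records the OU move it would perform.

```python
"""Added example (not Prevx's code): remediation policies and alert rules
evaluated server-side. All records, policies and thresholds are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ScanResult:
    agent: str
    group: str
    hours_since_scan: float
    determinations: dict  # filename -> "Good" | "Bad" | "Unknown"


@dataclass
class RemediationPolicy:
    auto_cleanup: bool = False
    disable_network: bool = False  # NAC: take the host off the network
    notify_user: str = ""          # customizable message; "" means no notification
    shutdown: bool = False
    server_script: Optional[Callable[[ScanResult], List[str]]] = None


def move_to_remediation_ou(result: ScanResult) -> List[str]:
    """Stand-in for a server-side AD script: records the intended OU move."""
    return [f"script: move {result.agent} to OU=Remediation"]


# Constructed per-group policies.
POLICIES = {
    "sales": RemediationPolicy(auto_cleanup=True, disable_network=True,
                               notify_user="Your PC is being cleaned; a reboot may follow.",
                               server_script=move_to_remediation_ou),
    "dev": RemediationPolicy(notify_user="Infection detected; contact IT."),
}

MAX_SCAN_AGE_HOURS = 24            # constructed threshold for "scanned recently"
WATCHED_PROGRAMS = {"msgr.exe"}    # constructed: files whose presence should alert


def apply_remediation(result: ScanResult, policy: RemediationPolicy) -> List[str]:
    """Return the actions the policy prescribes for an infected agent, in order."""
    actions = []
    if policy.notify_user:  # user is warned first, since cleanup may reboot
        actions.append(f"notify {result.agent}: {policy.notify_user}")
    if policy.auto_cleanup:
        actions.append(f"cleanup {result.agent}")
    if policy.disable_network:
        actions.append(f"disable network on {result.agent}")
    if policy.shutdown:
        actions.append(f"shutdown {result.agent}")
    if policy.server_script:
        actions.extend(policy.server_script(result))
    return actions


def alert_rules(result: ScanResult, event_log: List[str]) -> None:
    """Write one event per triggered rule (stand-in for the Windows event log)."""
    bad = sorted(f for f, d in result.determinations.items() if d == "Bad")
    if bad:
        event_log.append(f"INFECTION {result.agent} ({result.group}): {', '.join(bad)}")
    seen = sorted(WATCHED_PROGRAMS & set(result.determinations))
    if seen:
        event_log.append(f"FILE_SEEN {result.agent}: {', '.join(seen)}")
    if result.hours_since_scan > MAX_SCAN_AGE_HOURS:
        event_log.append(
            f"STALE_AGENT {result.agent}: last scan {result.hours_since_scan:.0f}h ago")


def process(results) -> Tuple[List[str], List[str]]:
    """Evaluate alert rules and remediation for every agent; return (events, actions)."""
    event_log, actions = [], []
    for r in results:
        alert_rules(r, event_log)
        if any(d == "Bad" for d in r.determinations.values()):
            actions.extend(apply_remediation(r, POLICIES[r.group]))
    return event_log, actions


# Constructed agent records as the server would see them after processing.
SALES_PC = ScanResult("SALES-PC7", "sales", 1.0, {"payroll.exe": "Good", "msgr.exe": "Bad"})
DEV_PC = ScanResult("DEV-PC2", "dev", 30.0, {"msgr.exe": "Good", "x.dll": "Unknown"})
CLEAN_PC = ScanResult("HR-PC1", "sales", 2.0, {"notepad.exe": "Good"})

if __name__ == "__main__":
    events, actions = process([SALES_PC, DEV_PC, CLEAN_PC])
    print("\n".join(events))
    print("\n".join(actions))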

Reports

Prevx CSI-E can generate reports on demand, customized exactly to an organization's needs. The reports are generated from HTML files which can be formatted by taking advantage of the Prevx CSI-E variables and placeholders, which is especially useful for organisations wishing to provide audit reports as part of compliance. Each client which communicates with Prevx CSI-E will have its scan history, infection history and a range of other useful information stored in the MDB ready for reporting. The standard reports include the “Infected Report” and “Agent Reports” (for individual agents or groups of agents).
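An added example, not Prevx's code, of the placeholder-driven HTML reporting this slide describes. The {{name}} placeholder syntax, the template and the scan records are assumptions constructed for the example (the real CSI-E variable names are not on the page). Values that originate on agents, such as host and file names, are HTML-escaped before they are inserted, so a hostile name cannot inject markup or script into a report that an auditor later opens in a browser.

```python
"""Added example (not Prevx's code): HTML report rendering with placeholders.
Placeholder syntax, template and records are constructed assumptions."""
import html
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render(template: str, values: dict, raw=()) -> str:
    """Replace {{name}} with the HTML-escaped value.

    Names listed in `raw` are inserted verbatim (already-rendered HTML);
    unknown placeholders are left in place so a typo in the template is visible.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        value = str(values[name])
        return value if name in raw else html.escape(value)
    return PLACEHOLDER.sub(substitute, template)


INFECTED_ROW = ("<tr><td>{{agent}}</td><td>{{group}}</td>"
                "<td>{{file}}</td><td>{{when}}</td></tr>")
INFECTED_REPORT = ("<h1>Infected Report</h1><p>Generated {{generated}}</p>"
                   "<table>{{rows}}</table>")

# Constructed MDB records: (agent, group, file, determination, time).
# The third host name is deliberately hostile to show the escaping.
RECORDS = [
    ("SALES-PC7", "sales", "msgr.exe", "Bad", "2008-01-10 09:15"),
    ("DEV-PC2", "dev", "x.dll", "Unknown", "2008-01-10 09:20"),
    ("HR-PC1<script>", "sales", "drop.exe", "Bad", "2008-01-10 09:30"),
]


def infected_report(records, generated: str) -> str:
    """Build the Infected Report: one row per Bad determination."""
    rows = "".join(
        render(INFECTED_ROW, {"agent": a, "group": g, "file": f, "when": t})
        for a, g, f, d, t in records if d == "Bad")
    return render(INFECTED_REPORT, {"generated": generated, "rows": rows}, raw=("rows",))


if __name__ == "__main__":
    print(infected_report(RECORDS, "2008-01-10 10:00"))
```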

Master Database (MDB)

By not relying on external proprietary database technologies, Prevx CSI-E has an independent, super-efficient database that does not require, for example, MS SQL. The MDB enforces data integrity and provides backup functionality to ensure your organisation's Prevx CSI-E data is secure. The MDB is pre-shipped with the pre-determined PX5s of core operating system file signatures to ensure that only new (unseen) files are verified; this increases the performance of Prevx CSI-E as there will be less need to communicate with the Prevx Community Database to get determinations. Over time Prevx can provide mass determinations in a single file format so that administrators can import these pre-defined determinations en masse.