- Set up Anti-Malware by following the Online Help article, Enable and configure Anti-Malware.
- On your Windows machine, create a text file and paste the following string into it.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Reference: Eicar.org: Anti Malware Testfile
- Save the file.
- To verify that the file was detected, go to Events & Reports > Events > Anti-Malware Events on your Cloud One - Endpoint and Workload Security console. There should be a malware detection named Eicar_test_file.
Refer to the Online Help article, Set up the Cloud One Workload Security Firewall.
Test the remote access RDP rule:
- Try to establish an RDP connection to the computer. If the firewall is enabled and the Remote Access RDP rule is not enabled, the connection will be denied. Go to Events & Reports > Firewall events to view the denied event.
- Go to Computer or Policy editor > Firewall. Under Assigned Firewall Rules, click Assign/Unassign.
- Search for Remote Access RDP and enable the rule. Click OK and Save.
- Try to establish an RDP connection to the computer. The connection should be allowed.
- Enable Integrity Monitoring.
- Check "Enable real-time scan" option.
- Under Assigned Integrity Monitoring Rules, click Assign/Unassign to verify if IM Rule 1002773 - Microsoft Windows-'Hosts' file modified is already assigned. If not, assign it manually.
- Click Rebuild Baseline under Baseline.
- After the Rebuild Baseline process is completed, modify the C:\windows\system32\drivers\etc\hosts file of the computer. You can add a line like: “# this is a test.” and save the hosts file.
- Verify the generated Integrity Monitoring event under Events & Reports > Events > Integrity Monitoring Events.
- Enable Log Inspection.
- Go to the Advanced tab, then set the option Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level to "Low (3)". Click Save.
- Under Assigned Integrity Monitoring Rules, click Assign/Unassign to verify whether the rules below are already assigned. If not, assign them manually.
- 1002792 - Default Rules Configuration – This is required for all other Log Inspection rules to work.
- 1002795 - Microsoft Windows Events – This logs events every time the Windows auditing functionality registers an event.
- Open services.msc on the machine, then change the startup type of the Windows Audio service from "Automatic" to "Manual".
- Verify the generated Log Inspection event under Events & Reports > Events > Log Inspection Events.
- Enable Web Reputation.
- Navigate to Security Level, then set it to "High".
- From a protected computer, open a browser and access the URL, http://wrs49.winshipway.com/.
A message denying the access should appear on the client machine.
- Go to Events & Reports > Events > Web Reputation Events to verify that the website blocking is recorded.
- Enable Intrusion Prevention.
- Assign the rule 1005924 - Restrict Download of EICAR Test File Over HTTP.
- Download the EICAR file on the protected machine. It should be blocked.
- Go to Events & Reports > Events > Intrusion Prevention Events to verify the event.
- Turn on Application Control.
- Set Enforcement to "Block unrecognized software until it is explicitly allowed".
- Wait for the "Application Control Inventory Scan" to be completed.
- Create a file named test.ps1. Open the file, paste the following line into it, then save it.
echo "Hello World"
- Open Windows PowerShell, then change the directory to the location of the test.ps1 file.
- Run the test.ps1 file by running the command below. The file execution should be denied.
.\test.ps1
- Go to Events & Reports > Events > Application Control Events > Security Events to verify that the file was blocked.
- Highlight the Application Control event, click Change Rules then choose "Create 'allow' rule in ruleset". A rule to allow the file hash will be created under Policies > Common Objects > Rules > Application Control Rules > Software Rulesets > Machine Name > Rules.
- Run the test.ps1 file in PowerShell again to verify that it is no longer blocked.
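As an added example (not Trend Micro code and not part of this article), the following PowerShell script performs the host-side steps of the Anti-Malware, Integrity Monitoring, Log Inspection and Application Control tests above on the protected Windows machine. The work folder C:\DSTest and the split EICAR string are my assumptions; the console-side steps (assigning rules, rebuilding the baseline, waiting for the inventory scan, checking events) are still done in the console as described.

```powershell
# Added example: prepares the host-side triggers used by the Anti-Malware,
# Integrity Monitoring, Log Inspection and Application Control tests above.
# Not Trend Micro code; run elevated on the protected Windows machine. $WorkDir is assumed.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$WorkDir = 'C:\DSTest',
    [ValidateSet('Eicar','Hosts','Service','AppControl')]
    [string[]]$Tests = @('Eicar','Hosts','Service','AppControl')
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
function New-EicarFile {
    # The string is assembled from two halves so this script is not itself
    # quarantined before it runs; what lands on disk is the standard EICAR file.
    $s = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
    $path = Join-Path $WorkDir 'eicar.com'
    [IO.File]::WriteAllText($path, $s, [Text.Encoding]::ASCII)
    Start-Sleep -Seconds 5   # give the real-time scan a moment to act
    if (Test-Path $path) { "EICAR file still present: $path (check Anti-Malware events)" }
    else { "EICAR file removed by real-time scan: $path" }
}
function Add-HostsTestLine {
    # Modifies the hosts file after the baseline rebuild (IM rule 1002773).
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    # Leading newline guards against a hosts file with no trailing line break.
    [IO.File]::AppendAllText($hosts, "`r`n# this is a test.`r`n")
    "Appended test line to $hosts"
}
function Set-AudioServiceManual {
    # Same change as in services.msc; the resulting audit event feeds rule 1002795.
    Set-Service -Name 'Audiosrv' -StartupType Manual
    "Audiosrv startup type now: $((Get-Service -Name 'Audiosrv').StartType)"
}
function Invoke-AppControlTest {
    # Unrecognised script: Application Control should deny it until allowed.
    $ErrorActionPreference = 'Stop'
    $script = Join-Path $WorkDir 'test.ps1'
    Set-Content -Path $script -Value 'echo "Hello World"' -Encoding ASCII
    try { & $script; "test.ps1 ran: allow rule present or enforcement off" }
    catch { "test.ps1 blocked: $($_.Exception.Message)" }
}
# PowerShell's switch iterates over the array, so each selected test runs once.
switch ($Tests) {
    'Eicar'      { New-EicarFile }
    'Hosts'      { Add-HostsTestLine }
    'Service'    { Set-AudioServiceManual }
    'AppControl' { Invoke-AppControlTest }
}
```

Run a subset with, for example, `.\Test-Modules.ps1 -Tests Eicar,Hosts` (assumed file name), then check the corresponding event list in the console for each module.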
Before testing this module, make sure you have already followed the article Integrate Workload Security with Trend Vision One.
- Turn on the Device Control feature.
- Under Protocol, set USB Mass Storage to "Block" then click Save.
- Insert a USB storage device into your Windows computer.
- Expected result: the USB device is blocked and an event is generated under Events & Reports > Events > Device Control Events.