Query Management with Saner Endpoint Security Solution
Contents
Query Management with Saner Endpoint Security Solution
Create a Custom Query
Create a Query to List Windows Startup Programs Present in the Endpoints
Create a Query to List Windows Visual Effects Settings Value
Create a Query to List Unwanted Programs
Create a Query to List Unwanted Processes
Create a Query to List Threats Present in the Endpoints
Query Management with Saner Endpoint Security Solution
A query is a request for information from a database or for live data from endpoints where the Saner agent is installed. SecPod Saner Business supports natural language-based queries related to processes, services, users, registry, network, and device configurations on the endpoint. The Saner platform's metadata model makes it easy to search using unstructured natural language-based queries. This is the only platform that is fully compliant with well-established standards such as SCAP and STIX/TAXII.
Query results are fetched in microseconds to help make quick decisions about endpoint activities. Complex queries can be created, or multiple queries can be cascaded with AND and OR combinations. The scalable architecture of Saner allows responses to IoCs in seconds without impacting the network or systems.
Queries are categorized into two types:
1) Default Queries - The Saner solution provides default queries that fetch information such as anti-virus details, hosts that have disabled the firewall, hosts that have disabled BitLocker protection, etc.
2) Custom Queries - Users can create their own queries.
• Select an account you want to manage. The menu expands. Click Queries on the menu.
Figure 1 highlights the Queries pane on the dashboard. To create a custom query, click the question mark icon on the menu. A query offers two building blocks:
i) Add Rule, to select a supported probe. Multiple rules can be combined with AND or OR operations.
ii) Add Group, to join rules based on conditions. Multiple rules can be joined into one group.
Fig.1
Fig.2
The Run option displays the query results fetched from the database. The Edit and Delete buttons allow you to edit or
delete the queries.
Fig.3
The ( ) icon lists the possible values of the selected attribute.
The ( ) icon lists the attributes of a file probe.
The ( ) icon indicates that the probe takes time to execute and to collect responses from the agents.
In figure 3, the probe is File. File Path is a mandatory attribute for the file probe. The query is sent to the agent systems.
Define a Scope restricts the query to a particular group. When an administrator clicks the Submit button, the query is sent only to the selected groups.
Total number of supported probes in Viser, by OS:
OS        Total No. of Probes    Special Probes
Windows   60                     13
Linux     58                     10
MAC       54                     16
Note: When a query with mandatory attributes is created with a special probe, it is automatically broadcast to the agents. For a typical query, you must click the Submit button.
Create a Custom Query:
1. Specify the Name, Category, Severity and Operating System Family details.
2. Select the AND operation.
3. Select Registry Key Effective Rights probe and specify Hive and Key as the parameters.
4. Click Add Rule and add a File rule specifying the file path.
5. Click Create.
Fig.4
Figure 4 displays a query with multiple rules that checks for Locky malware. Once the query is created or updated, it displays the result in real time. Figure 5 displays details of the host infected with Locky malware.
Create a Query to List Windows Startup Programs Present in the Endpoints:
1. Click Queries > Create Query.
2. Specify the details:
Select the registry probe.
Specify the registry key that lists all the startup programs present in the system.
3. Click Update.
Fig.7
Figure 7 displays a query for listing the Windows startup programs present in the endpoints.
Fig.8
Figure 8 displays the result of the above query.
Create a Query to List Windows Visual Effects Settings Value:
This query lists the endpoints' Visual Effects Settings value, which is an assessment parameter for system performance.
To create this query:
1. Click Queries > Create Query.
2. Create two groups, one joined with AND and one with OR, each containing two rules.
The AND group contains two registry-probe rules: one specifying the path for the 'Key' attribute and one specifying the value for the 'Name' attribute.
The OR group contains two rules on the 'Hive' attribute, so the query searches in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE.
3. Click Create.
Fig.9
Figure 9 shows a query to list Windows Visual Effects Settings.
Fig.10
Figure 10 shows the query results. To know more about the instances, click More.
Fig.11
Figure 11 shows the query result in detail. The field 'value' is '1', which indicates the setting for best appearance. The value ranges from 0 to 2:
The default value of 0 means Let Windows choose what's best for my computer.
A value of 1 means Adjust for best appearance.
A value of 2 means Adjust for best performance.
Note: If a host has the value '1', the administrator can change it to 2 for best performance with the CMD & Ctrl action:
CMD & Ctrl > Registry > Modify Registry, with the value '2'.
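To make the rule/group model concrete, the following added Python example (not SecPod's code) models the Add Rule / Add Group structure described earlier and evaluates the Visual Effects query above against a constructed set of registry-probe records. The registry key and value name (Explorer\VisualEffects, VisualFXSetting) and the host names are assumptions, not taken from this page.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample of what a registry probe could return, one record per endpoint.
# Key and value name are the Windows Explorer Visual Effects setting (assumed, not from the page).
VISUAL_FX_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects"
ENDPOINTS = [
    {"host": "ws-01", "hive": "HKEY_CURRENT_USER",  "key": VISUAL_FX_KEY,    "name": "VisualFXSetting", "value": 1},
    {"host": "ws-02", "hive": "HKEY_LOCAL_MACHINE", "key": VISUAL_FX_KEY,    "name": "VisualFXSetting", "value": 2},
    {"host": "ws-03", "hive": "HKEY_USERS",         "key": VISUAL_FX_KEY,    "name": "VisualFXSetting", "value": 0},
    {"host": "ws-04", "hive": "HKEY_CURRENT_USER",  "key": r"Software\Other", "name": "VisualFXSetting", "value": 1},
]

@dataclass
class Rule:
    """One 'Add Rule' entry: a probe attribute compared against an expected value."""
    attribute: str
    value: object

    def matches(self, record: dict) -> bool:
        return record.get(self.attribute) == self.value

@dataclass
class Group:
    """One 'Add Group' entry: rules joined with AND or OR."""
    op: str            # "AND" or "OR"
    rules: List[Rule]

    def matches(self, record: dict) -> bool:
        combine = all if self.op == "AND" else any
        return combine(r.matches(record) for r in self.rules)

def run_query(groups: List[Group], op: str, records: List[dict]) -> List[str]:
    """Cascade the groups with a top-level AND/OR; return the matching host names."""
    combine = all if op == "AND" else any
    return sorted(r["host"] for r in records if combine(g.matches(r) for g in groups))

# The Visual Effects query: an AND group on Key and Name, an OR group on Hive
# (HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE), cascaded with AND.
VISUAL_FX_QUERY = [
    Group("AND", [Rule("key", VISUAL_FX_KEY), Rule("name", "VisualFXSetting")]),
    Group("OR", [Rule("hive", "HKEY_CURRENT_USER"), Rule("hive", "HKEY_LOCAL_MACHINE")]),
]

def hosts_needing_performance_fix(records: List[dict] = ENDPOINTS) -> List[str]:
    """Matched hosts whose value is not 2, i.e. candidates for the Modify Registry action."""
    matched = set(run_query(VISUAL_FX_QUERY, "AND", records))
    return sorted(r["host"] for r in records if r["host"] in matched and r["value"] != 2)
```

ws-03 is excluded because its hive is outside the OR group, and ws-04 because its key does not match the AND group; of the two matched hosts only ws-01 still needs the value changed to 2.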
Create a Query to List Unwanted Programs:
1. Click Queries > Create Query.
2. Specify the details:
Select the registry probe.
Specify the registry key that lists all the unwanted programs present in the system.
3. Click Update.
Fig.12
Figure 12 displays a query for listing unwanted programs.
Fig.13
The table in figure 13 lists the names of the unwanted programs present in the endpoints along with the number of affected instances. IT administrators can use this query to list unwanted programs that consume a lot of memory.
Note: To uninstall or block a listed unwanted program, go to
CMD & Ctrl > Software Deployment > Application Management > Uninstall and select the unwanted program name,
OR
CMD & Ctrl > Application Control > Application Block and select the unwanted program name from the list.
Create a Query to List Unwanted Processes:
1. Click Queries > Create Query.
2. Specify the details:
Select the registry probe.
Specify the registry key that lists all the unwanted processes present in the system.
3. Click Update.
Fig.14
Figure 14 displays a query for listing unwanted processes, for example:
armsvc.exe - the Adobe Acrobat Update Service.
jusched.exe - the Java Update Scheduler.
NeroCheck.exe - a process from hardware manufacturers that searches for drivers that could conflict with Nero Express, Nero, and NeroVision Express.
OSPPSVC.exe - a process that ships with Microsoft Office 2010.
winampa.exe - a process that places Winamp at the bottom right of the taskbar and ensures that no other programs are associated with media content.
Sidebar.exe - a Windows process that consumes a lot of memory.
These processes consume a lot of system memory and are better stopped or removed.
Fig.15
The table in figure 15 lists the names of the unwanted processes present in the endpoints along with the number of affected instances. IT administrators can use this query to list unwanted processes that consume a lot of memory.
Note: To stop or block an unwanted process, go to
CMD & Ctrl > Process > Process Block or Stop Process by Name and select the unwanted process name from the list.
Create a Query to List Threats Present in the Endpoints:
1. Click Queries > Create Query.
2. Specify the details:
Select the registry probe.
Specify the registry key that lists the malware present in the system.
3. Click Update.
Fig.16
Figure 16 displays a query for detecting the presence of the Cryptoshield malware in the endpoints. The query contains four groups combined with AND and OR operators: they search for a particular string in a file and for a registry entry with the specified keys. In the registry, it searches for the name Windows SmartScreen.
Fig.17
The table in figure 17 lists the path of the malware file and the registry entry.
Note: To remove the malware, go to
CMD & Ctrl > Security > Quarantine and specify the path of the malware file. Remove the listed registry entry via CMD & Ctrl > Registry > Delete Registry.
About Us
SecPod Technologies creates cutting-edge products to ensure endpoint security. Founded in 2008 and headquartered in Bangalore, with operations in the USA, the company provides computer security software for proactively managing risks and threats to endpoint computers.
Contact Us
Web: www.secpod.com
Tel: +91-80-4121 4020, +1-918-625-3023
© SecPod Technologies