
Ovation Security Center 2.1 User Guide
OSC_003

Version 1
September 2012
Copyright Notice

Since the equipment explained in this document has a variety of uses, the user and those
responsible for applying this equipment must satisfy themselves as to the acceptability of each
application and use of the equipment. Under no circumstances will Emerson Process
Management be responsible or liable for any damage, including indirect or consequential losses
resulting from the use, misuse, or application of this equipment.

The text, illustrations, charts, and examples included in this manual are intended solely to explain
the use and application of the Ovation™ Unit. Due to the many variables associated with specific
uses or applications, Emerson Process Management cannot assume responsibility or liability for
actual use based upon the data provided in this manual.

No patent liability is assumed by Emerson Process Management with respect to the use of
circuits, information, equipment, or software described in this manual.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, including electronic, mechanical, photocopying, recording or otherwise
without the prior express written permission of Emerson Process Management.

The document is the property of and contains Proprietary Information owned by Emerson Process
Management and/or its subcontractors and suppliers. It is transmitted in confidence and trust, and
the user agrees to treat this document in strict accordance with the terms and conditions of the
agreement under which it was provided.

This manual is printed in the USA and is subject to change without notice.

Ovation is the mark of Emerson Process Management. Other marks are the property of their
respective holders.

Copyright © Emerson Process Management Power & Water Solutions, Inc. All rights reserved.
Emerson Process Management
Power & Water Solutions
200 Beta Drive
Pittsburgh, PA 15238
USA

E-Mail: Technical.Communications@Emerson.com
Web site: https://www.ovationusers.com
Contents

1  Introduction to the Ovation Security Center 1 


1.1  What is the Ovation Security Center?................................................................................. 1 
1.2  Components of the Ovation Security Center ...................................................................... 1 
1.3  Functions of the Ovation Security Center ........................................................................... 4 
1.4  Terminology for the Ovation Security Center...................................................................... 4 
1.5  Improvements for OSC 2.0 Update 1.................................................................................. 7 
1.6  IP address and password examples ................................................................................... 8 
1.6.1  Vulnerability Scan and Patch Management (VSPM) IP address and password examples ............ 9 
1.6.2  Malware Prevention (MP) IP address and password examples .......................... 10 
1.6.3  Security Incident and Event Manager (SIEM) IP address and password examples .................... 11 

2  Vulnerability Scan and Patch Manager (VSPM) appliance 13 


2.1  Vulnerability Scan and Patch Manager (VSPM) overview................................................ 13 
2.1.1  Vulnerability scan functions.................................................................................. 14 
2.1.2  Patch manager functions ..................................................................................... 14 
2.2  Performing a clean Install of VSPM on Server 2008 SP2................................................. 15 
2.2.1  Install Server 2008 SP2 ....................................................................................... 16 
2.2.2  Rename the computer.......................................................................................... 17 
2.2.3  Configure the Network adapter ............................................................................ 18 
2.2.4  Change the Firewall Settings ............................................................................... 19 
2.2.5  Install .Net 3.5 ...................................................................................................... 20 
2.2.6  Install Internet Explorer 8 ..................................................................................... 20 
2.2.7  Configure Internet Explorer 8 settings ................................................................. 21 
2.2.8  Install the latest Adobe Reader............................................................................ 22 
2.2.9  Install KB968930 – Windows Management Framework ...................................... 22 
2.2.10  Install IIS w/ASP.Net ........................................................................................... 23 
2.2.11  Install LEMSS 7.0 SP1......................................................................................... 24 
2.2.12  Install LEMSS 7.0 SP1 Update 3 ......................................................................... 26 
2.2.13  Update to SQL Server 2008 SP2......................................................................... 27 
2.2.14  Install 2008 SQL Management Studio (Recommended) ..................................... 28 
2.2.15  Import SQL Scripts............................................................................................... 31 
2.2.16  Install the VSPM (LEMSS) Airgap License tool ................................................... 33 
2.2.17  Use the OSC 2.x License Request Tool and License LEMSS ............................ 33 
2.2.18  Install the Import tool............................................................................................ 35 
2.2.19  Login to LEMSS for the first time ......................................................................... 35 
2.2.20  Update LEMSS clients to latest levels ................................................................. 36 
2.2.21  Install Lumension SCAN ...................................................................................... 38 
2.2.22  Set certain user passwords to never expire......................................................... 39 
2.2.23  Add the Kaspersky Administration Toolkit to VSPM ............................................ 39 
2.2.24  Join the Domain ................................................................................................... 43 
2.2.25  Disconnect the monitor, mouse, and keyboard from the VSPM .......................... 44 
2.3  VSPM updates and Ovation integration............................................................................ 44 
2.3.1  Initial patch organization ...................................................................................... 44 

OSC_003 i
Table of Contents

2.3.2  Monthly patch organization .................................................................................. 44 
2.3.3  Import patches ..................................................................................................... 45 
2.3.4  Download the LEMSS Agent Installer.................................................................. 47 
2.3.5  Install LEMSS Agent on Endpoints ...................................................................... 48 
2.3.6  Update Lumension SCAN .................................................................................... 50 
2.3.7  Update SCAN to the current Emerson Validated Patched Vulnerability set........ 53 
2.3.8  Deploy Patches LEMSS Clients........................................................................... 53 
2.3.9  To force an endpoint to start patching ................................................................. 54 
2.3.10  To monitor the deployment .................................................................................. 55 
2.3.11  To verify that the deployments to the devices are complete................................ 55 
2.3.12  To install new VSPM Clients ................................................................................ 57 
2.3.13  To enable spin animation ..................................................................................... 57 
2.3.14  To upgrade VSPM Endpoints clients from OSC1.0 to OSC2.0 ........................... 58 
2.4  VSPM user account information and Lumension Update procedures .............................. 58 
2.4.1  To create a new user ........................................................................................... 58 
2.4.2  To add an existing user........................................................................................ 59 
2.4.3  To edit a user profile ............................................................................................ 59 
2.4.4  To change a user password................................................................................. 60 
2.4.5  To remove a user ................................................................................................. 60 
2.4.6  To delete a user ................................................................................................... 60 
2.4.7  To log on to Lumension Update........................................................................... 61 
2.4.8  To log out of Update............................................................................................. 61 
2.5  Navigation bar menu map ................................................................................................. 61 
2.6  Exporting data ................................................................................................................... 64 
2.6.1  To export data ...................................................................................................... 64 
2.7  VSPM Groups ................................................................................................................... 65 
2.7.1  Groups and the Directory tree.............................................................................. 66 
2.7.2  To create VSPM Network Groups........................................................................ 66 
2.7.3  To view Groups .................................................................................................... 66 
2.7.4  To search for a Group .......................................................................................... 67 
2.7.5  To create Groups ................................................................................................. 67 
2.7.6  To add Group Members to a new Group ............................................................. 67 
2.7.7  To edit Groups ..................................................................................................... 67 
2.7.8  To delete Groups ................................................................................................. 68 
2.7.9  To move Groups .................................................................................................. 68 
2.7.10  To view Groups .................................................................................................... 69 
2.7.11  To add Endpoints to Groups ................................................................................ 69 
2.7.12  To remove Endpoints from Groups...................................................................... 70 
2.7.13  Device Membership View..................................................................................... 70 
2.7.14  To add Device members ...................................................................................... 70 
2.7.15  To remove Device members ................................................................................ 71 
2.8  Using Endpoints ................................................................................................................ 71 
2.8.1  Endpoints page .................................................................................................... 72 
2.8.2  Endpoint Information tab ...................................................................................... 72 
2.8.3  To view Endpoints................................................................................................ 72 
2.8.4  To enable an Endpoint ......................................................................................... 72 
2.8.5  To delete an Endpoint .......................................................................................... 73 
2.8.6  To deploy content items to endpoints .................................................................. 73 
2.9  Patch deployment ............................................................................................................. 73 
2.9.1  To deploy patches to VSPM clients ..................................................................... 73 
2.9.2  To create groups of devices for patch deployments and vulnerability scans ...... 74 
2.9.3  To add groups for patch deployments ................................................................. 74 
2.9.4  To assign Devices to a deployment group .......................................................... 75 
2.9.5  To deploy patches to new Groups ....................................................................... 75 

2.10  Using the Deployment Wizard........................................................................................... 76 
2.10.1  Introduction Page ................................................................................................. 76 
2.10.2  Device / Device groups selection page................................................................ 76 
2.10.3  To create a Device deployment ........................................................................... 77 
2.10.4  To create a group deployment ............................................................................. 77 
2.10.5  To select the Available Packages page ............................................................... 77 
2.10.6  Associated Vulnerability Analysis Page ............................................................... 78 
2.10.7  Deployment Wizard License page ....................................................................... 78 
2.10.8  Deployment Information page.............................................................................. 78 
2.10.9  To configure Deployment Information.................................................................. 78 
2.10.10 Deployment Wizard Schedule Configuration page .............................................. 79 
2.10.11 To schedule a one-time deployment.................................................................... 80 
2.10.12 To setup a daily recurring deployment................................................................. 80 
2.10.13 To setup a weekly recurring deployment ............................................................. 80 
2.10.14 To setup a monthly recurring deployment............................................................ 81 
2.10.15 Selecting the deployment Start and End functions .............................................. 81 
2.10.16 Package deployment Behavior Options page...................................................... 82 
2.10.17 Notification Options page ..................................................................................... 83 
2.10.18 Deployment Confirmation Page ........................................................................... 84 
2.11  Reports for VSPM ............................................................................................................. 85 
2.11.1  Report description ................................................................................................ 85 
2.11.2  Report descriptions for Lumension SCAN ........................................................... 86 
2.11.3  Report descriptions for Lumension Update.......................................................... 87 
2.11.4  Reports parameters for VSPM ............................................................................. 88 
2.11.5  Generating reports ............................................................................................... 88 
2.11.6  To generate a report ............................................................................................ 88 
2.11.7  To generate reports on vulnerability scan results ................................................ 89 
2.11.8  Searching within reports for VSPM ...................................................................... 89 
2.11.9  Displaying time and date in reports for SCAN ..................................................... 90 
2.11.10 Exporting Reports for VSPM ................................................................................ 90 
2.11.11 To view a report for SCAN ................................................................................... 90 
2.11.12 Viewing printable data in reports for VSPM ......................................................... 91 
2.11.13 Working with PDF reports .................................................................................... 91 
2.11.14 Working with HTML reports.................................................................................. 91 
2.12  Email Notifications Page ................................................................................................... 92 
2.12.1  To view the Email Notifications page ................................................................... 92 
2.13  Downloading the Agent Installer ....................................................................................... 92 
2.13.1  To download the Agent Installer .......................................................................... 92 
2.14  Using the Dashboard ........................................................................................................ 93 
2.14.1  Agent Status widget ............................................................................................. 93 
2.14.2  Discovery Scan Results: Agent Widget ............................................................... 94 
2.14.3  Endpoints with Unresolved Updates Widget........................................................ 95 
2.14.4  Incomplete Deployments Widget ......................................................................... 95 
2.14.5  Applicable Content Updates Widget .................................................................... 96 
2.14.6  Critical Patch Status by Endpoint Widget ............................................................ 97 
2.14.7  Last Five Completed Scan Jobs Widget .............................................................. 97 
2.14.8  Latest News Widget ............................................................................................. 98 
2.14.9  Mandatory Baseline Compliance Widget ............................................................. 98 
2.14.10 Next Five Pending Scan Jobs Widget.................................................................. 98 
2.14.11 Offline Agents Widget .......................................................................................... 99 
2.14.12 Scheduled Deployments Widget.......................................................................... 99 
2.14.13 Server Information Widget ................................................................................. 100 
2.14.14 Time Since Last Agent Scan Widget ................................................................. 101 
2.14.15 Un-remediated Critical Vulnerabilities Widget.................................................... 101 
2.14.16 To preview and print the Dashboard.................................................................. 102 

2.14.17 To edit the Dashboard........................................................................................ 102 
2.15  Creating and editing user accounts for SCAN ................................................................ 103 
2.16  Preparing VSPM for Full vulnerability scan..................................................................... 103 
2.16.1  To prepare VSPM for Full vulnerability scan...................................................... 103 
2.16.2  To perform a Full vulnerability scan ................................................................... 104 
2.16.3  To perform vulnerability scans (Emerson Validated Patches) ........................... 105 
2.17  VSPM SCAN Updating.................................................................................................... 107 
2.17.1  To update VSPM SCAN..................................................................................... 107 
2.18  Creating a disaster recovery solution for VSPM ............................................................. 108 
2.18.1  Preparing your database.................................................................................... 109 
2.18.2  To change the database recovery model........................................................... 109 
2.19  Creating a database backup ........................................................................................... 110 
2.19.1  To create a database backup ............................................................................ 110 
2.20  Restoring a database backup ......................................................................................... 111 
2.20.1  To restore a database backup ........................................................................... 111 
2.20.2  To change the database recovery model OSC 2.x............................................ 113 
2.20.3  To create a database backup for OSC 2.x......................................................... 114 
2.20.4  To restore a database backup for OSC 2.x ....................................................... 115 

3  Malware Prevention (MP) appliance 117 


3.1  Malware Prevention (MP) overview ................................................................................ 117 
3.1.1  To install Malware Prevention for 2.0 Update 1................................................. 117 
3.2  Login basics and Admin Tokens for MP ......................................................................... 125 
3.3  Logging in for the first time for MP .................................................................................. 126 
3.4  Normal Login procedure for MP ...................................................................................... 126 
3.4.1  To generate a password for MP......................................................................... 127 
3.4.2  To change your password for MP ...................................................................... 127 
3.4.3  To set a password or passphrase length for the MP security group ................. 127 
3.4.4  To change your passphrase for MP................................................................... 128 
3.4.5  To Logout of MP................................................................................................. 128 
3.4.6  To add clients for Windows devices for MP ....................................................... 128 
3.5  Generating a whitelist...................................................................................................... 129 
3.5.1  To generate a whitelist (one device at a time) ................................................... 129 
3.5.2  To autogenerate a whitelist policy...................................................................... 130 
3.6  New Installation of Bouncer 5.x....................................................................................... 130 
3.6.1  To upgrade OSC 1.x to OSC 2.x ....................................................................... 130 
3.6.2  To configure Manager Settings.......................................................................... 131 
3.6.3  To create a Security Group/Rollover.................................................................. 132 
3.6.4  To configure the Syslog Target.......................................................................... 134 
3.6.5  To create Custom Security Configuration Groups ............................................. 136 
3.6.6  To configure Security Configuration settings ..................................................... 138 
3.6.7  To create System Install file ............................................................................... 140 
3.6.8  To update Bouncer............................................................................................. 142 
3.6.9  To verify a software update to a Manager ......................................................... 145 
3.6.10  To verify a software update for endpoints ........................................................ 146 
3.6.11  To install Clients and deploy via Active Directory .............................................. 146 
3.6.12  To install Clients and deploy manually............................................................... 149 
3.6.13  To move systems between security configurations ........................................... 149 
3.6.14  To create archives (Backups) ............................................................................ 151 
3.6.15  To restore backups ............................................................................................ 152 
3.6.16  To add Trusted Domain users ........................................................................... 153 

3.7  Scrubbing your system.................................................................................................... 156 
3.7.1  To scrub your system......................................................................................... 156 
3.8  Creating Reports and Logs for MP ................................................................................. 157 
3.8.1  To create an Administrator Report for MP ......................................................... 157 
3.8.2  To create a Manager Configuration Report ....................................................... 157 
3.8.3  To create a Manager software report................................................................. 158 
3.8.4  To import a Policy for OSC 2.0 Update 1........................................................... 158 
3.9  Backing up the MP appliance.......................................................................................... 159 
3.9.1  To backup the Malware Prevention appliance ................................................... 159 
3.9.2  To create an archive .......................................................................................... 159 
3.9.3  To connect to the Admin Console...................................................................... 160 
3.9.4  To connect to the Malware Prevention appliance.............................................. 160 
3.9.5  To update system licenses ................................................................................ 161 
3.9.6  To verify the license ........................................................................................... 161 
3.10  Malware Prevention event reports to SIEM .................................................................... 162 
3.10.1  To setup or verify that Syslog is pointing to the SIEM ....................................... 162 

4  Security Incident and Event Manager (SIEM) appliance 163 


4.1  SIEM appliance overview................................................................................................ 164 
4.2  Minimum requirements to login to the SIEM ................................................................... 165 
4.2.1  To login to the SIEM........................................................................................... 165 
4.2.2  To change the password for SIEM..................................................................... 165 
4.3  Upgrade SIEM software .................................................................................................. 166 
4.3.1  To upgrade from OSC 2.0 to OSC 2.0 update 1................................................ 166 
4.3.2  To upgrade from OSC 2.0 update 1 to OSC 2.1................................................ 169 
4.4  Login security information ............................................................................................... 178 
4.4.1  To access the Login Security menu................................................................... 178 
4.4.2  To enable Active Directory authentication ......................................................... 179 
4.5  User accounts and Groups ............................................................................................. 181 
4.5.1  To access the Users and Groups window ......................................................... 181 
4.5.2  To remove users from the system ..................................................................... 182 
4.5.3  To add a user to the system .............................................................................. 182 
4.5.4  To edit user account settings ............................................................................. 182 
4.5.5  To add a Group to the system ........................................................................... 183 
4.5.6  To add a user to a Group ................................................................................... 183 
4.5.7  To edit a Group ................................................................................................... 183 
4.5.8  To remove a Group ............................................................................................ 183 
4.5.9  To remove users from a Group.......................................................................... 183 
4.6  Profile management ........................................................................................................ 184 
4.6.1  To access profile management.......................................................................... 184 
4.6.2  To add a profile .................................................................................................. 186 
4.6.3  To edit a profile .................................................................................................. 187 
4.6.4  To remove a profile ............................................................................................ 188 
4.6.5  Use with Ovation WMI data sources.................................................................. 188 
4.6.6  Use with network discovery................................................................................ 189 
4.7  Configuring WMI Data Sources (Windows Devices) for Monitoring ............................... 189 
4.7.1  To configure WMI Data Sources (Windows Devices) for Monitoring................. 190 
4.8  Configuring Syslog Data Sources (Cisco and *nix Devices) for Monitoring ................... 191 
4.8.1  Syslog Configuration to Forward Messages from Solaris, Unix, and Linux OS Data Sources .... 191 
4.8.2  To add a Syslog data source to a Receiver ....................................................... 192 
4.8.3  To set the syslog forwarding address ................................................................ 193 

4.9  Generating Reports for SIEM.......................................................................................... 194 


4.9.1  To add a Report ................................................................................................. 194 
4.9.2  To edit a Report ................................................................................................. 198 
4.9.3  To view a Report ................................................................................................ 198 
4.9.4  To remove a Report ........................................................................................... 199 
4.10  Reviewing Data Sources and Policy Rollout................................................................... 199 
4.10.1  To review Data Sources..................................................................................... 199 
4.10.2  To roll out the policy automatically..................................................................... 200 
4.10.3  To roll out the policy manually ........................................................................... 201 
4.11  Batch Data Source Management.................................................................................... 202 
4.11.1  To export Data Sources from SIEM ................................................................... 202 
4.11.2  To modify the CSV file ....................................................................................... 202 
4.11.3  To import Data Sources into SIEM .................................................................... 203 
4.12  Updating Rules and Software ......................................................................................... 203 
4.12.1  To manually apply Emerson approved Rule updates ........................................ 203 
4.13  Views options .................................................................................................................. 204 
4.13.1  To automatically refresh Views .......................................................................... 204 
4.13.2  To select Default System Views ........................................................................ 204 
4.13.3  To select Event Summarize Views .................................................................... 204 
4.14  Events, Flows, and Logs ................................................................................................. 204 
4.14.1  To automatically check events, flows, and logs ................................................. 205 
4.14.2  To manually check events, flows, and logs (method 1) ..................................... 205 
4.14.3  To manually check events, flows, and logs (method 2) ..................................... 205 
4.14.4  To alter the Auto-retrieval settings ..................................................................... 205 
4.15  Inactivity Threshold settings............................................................................................ 206 
4.15.1  To set Inactivity Threshold settings.................................................................... 206 
4.16  Managing Alarms ............................................................................................................ 207 
4.16.1  To create a new alarm ....................................................................................... 207 
4.16.2  To edit an alarm ................................................................................................. 211 
4.16.3  To copy an alarm ............................................................................................... 211 
4.16.4  To delete an alarm ............................................................................................. 211 
4.16.5  To add a Watchlist ............................................................................................. 212 
4.16.6  To edit a Watchlist.............................................................................................. 213 
4.17  Managing Watchlists ....................................................................................................... 213 
4.17.1  To delete a Watchlist.......................................................................................... 213 
4.17.2  To add a Watchlist ............................................................................................. 213 
4.17.3  To edit a Watchlist.............................................................................................. 214 
4.18  Managing Recipients....................................................................................................... 215 
4.18.1  To access the recipients configuration............................................................... 215 
4.18.2  To add an email address.................................................................................... 215 
4.18.3  To edit an email recipient ................................................................................... 215 
4.18.4  To remove an email recipient............................................................................. 216 
4.18.5  To add an email group ....................................................................................... 216 
4.18.6  To edit an email group ....................................................................................... 216 
4.18.7  To remove an email group ................................................................................. 216 
4.18.8  To add an SMS address .................................................................................... 217 
4.18.9  To edit an SMS address..................................................................................... 218 
4.18.10 To remove an SMS address .............................................................................. 218 
4.18.11 To add an SNMP recipient ................................................................................. 218 
4.18.12 To edit an SNMP recipient ................................................................................. 219 
4.18.13 To remove an SNMP Recipient ......................................................................... 220 
4.18.14 To add a syslog recipient ................................................................................... 220 
4.18.15 To edit a syslog recipient ................................................................................... 220 


4.18.16 To remove a syslog recipient ............................................................................. 220 


4.19  Managing Conditions ...................................................................................................... 221 
4.19.1  To add a condition.............................................................................................. 221 
4.19.2  To edit a condition.............................................................................................. 221 
4.19.3  To delete a condition.......................................................................................... 221 
4.20  Network intrusion detection installation........................................................................... 222 
4.20.1  Intrusion Prevention versus Intrusion Detection ................................................ 222 
4.20.2  Traffic Monitoring ............................................................................................... 223 
4.20.3  Mirroring Traffic versus Inline............................................................................. 226 
4.20.4  Management interface cabling........................................................................... 227 
4.20.5  Mirrored traffic cabling........................................................................................ 227 
4.20.6  Inline cabling ...................................................................................................... 228 
4.20.7  To perform initial IP address configuration.......................................... 228 
4.20.8  To add NID to SIEM ........................................................................................... 229 
4.20.9  To set NID mode ................................................................................................ 232 
4.20.10 To set policies .................................................................................................... 234 
4.20.11 MODBUS_CLIENT............................................................................................. 237 
4.20.12 To access a variable list through the policy manager........................................ 238 
4.20.13 To edit a variable................................................................................................ 240 
4.20.14 Useful variables for Ovation ............................................................................... 241 
4.20.15 To shutdown the NID ......................................................................................... 244 
4.21  Vulnerability assessment ................................................................................................ 244 
4.21.1  To configure vulnerability assessment............................................................... 244 
4.21.2  OSC Versus module settings ............................................................................. 248 
4.22  Backup and Restore........................................................................................................ 249 
4.22.1  To automatically backup the system settings .................................................... 249 
4.22.2  To manually backup the system settings ........................................................... 249 
4.22.3  To backup Event, Log, and Data Source Configuration Data............................ 250 
4.22.4  To store a backup in a remote location.............................................................. 250 
4.22.5  To perform a full backup of ESM Settings and All Data.................................... 250 
4.22.6  To restore backup files....................................................................................... 251 
4.22.7  To restore a backup from a Local File ............................................................... 251 
4.23  Log Management ............................................................................................................ 251 
4.23.1  Installation of Log Management (LM) ................................................................ 251 
4.23.2  Configuring Log Management............................................................................ 255 
4.23.3  To add a storage device..................................................................................... 255 
4.23.4  To migrate the database .................................................................................... 257 
4.23.5  To add the storage pool ..................................................................................... 259 
4.23.6  Log Management data integrity check ............................................................... 261 
4.23.7  To enable logging for an individual data source ................................................ 263 
4.23.8  To enable logging for multiple data sources ...................................................... 265 
4.23.9  Retrieve LM logs ................................................................................................ 266 
4.23.10 To access the LM Backup and Restore window................................................ 269 
4.23.11 To set backup location ....................................................................................... 270 
4.23.12 To take the backup manually ............................................................................. 271 
4.23.13 To take the backup automatically ...................................................................... 271 
4.23.14 To restore the backup ........................................................................................ 271 
4.24  Network discovery and configuration management........................................................ 271 
4.24.1  To configure network discovery ......................................................................... 272 
4.24.2  To discover network devices.............................................................................. 275 
4.24.3  To confirm network discovery ............................................................................ 275 
4.24.4  To configure network monitoring........................................................................ 277 
4.24.5  Configuration management................................................................................ 277 
4.24.6  To run a configuration management scan manually.......................................... 279 


4.24.7  To compare configurations................................................................................. 280 


4.25  Using the Security Incident and Event Manager............................................................. 281 
4.26  Appendices...................................................................................................................... 281 
4.26.1  Cisco model versus Auditing capabilities........................................................... 281 
4.26.2  Windows audit policies....................................................................................... 281 
4.26.3  Creating Windows user for Active Directory authentication and log collection.. 286 
4.26.4  Emerson baseline NID tuning parameters ......................................................... 288 

5  Troubleshooting 291 
5.1  Windows Blue Screen of Death (BSOD) Diagnostics ..................................................... 291 
5.1.1  To configure and read BSOD............................................................................. 291 
5.1.2  To troubleshoot the MS Info Tool....................................................................... 292 
5.2  Troubleshooting for Lumension OSC 2.x Update 1 ........................................................ 292 
5.2.1  To gather events for Bouncer OSC 2.x Update 1 .............................................. 292 
5.3  Checking OSC version numbers for 2.x Update 1 versions ........................................... 293 
5.3.1  To check OSC 2.x Update 1 LEMSS Server versions....................................... 293 
5.3.2  To check OSC 2.x Update 1 LEMSS Client versions ........................................ 294 
5.3.3  To check OSC 2.x Update 1 Bouncer Manager versions .................................. 295 
5.3.4  To check OSC 2.x Update 1 Bouncer Client versions ....................................... 296 
5.3.5  To check OSC 2.x Update 1 NitroView versions ............................................... 297 

6  Support and Service for your Ovation Security Center 299 


6.1  Support for your Ovation Security Center ....................................................................... 299 
6.2  Vendor documentation .................................................................................................... 299 
6.3  Annual license renewal ................................................................................................... 299 
6.3.1  To check Patchlink manager license expiration dates....................................... 299 

Index 305 

SECTION 1

Introduction to the Ovation Security Center

IN THIS SECTION

What is the Ovation Security Center?................................................................................. 1


Components of the Ovation Security Center ...................................................................... 1
Functions of the Ovation Security Center ........................................................................... 4
Terminology for the Ovation Security Center...................................................................... 4
Improvements for OSC 2.0 Update 1.................................................................................. 7
IP address and password examples ................................................................................... 8

1.1 What is the Ovation Security Center?


The Ovation Security Center (OSC) is a suite of hardware and software tools (appliances) that
provide electronic security management functions. The OSC appliances are designed to enhance
and manage cyber security of Ovation Distributed Control Systems (DCS) without disrupting the
controlled process.

Ovation Security Centers operate on all Ovation operating system software platforms.

1.2 Components of the Ovation Security Center


Ovation Security Center consists of the following components (appliances):

• Vulnerability Scan and Patch Management (VSPM)
  - VSPM utilizes software from Lumension Security to scan the Ovation system for security
    weaknesses and to distribute patches to remedy these weaknesses.
    The VSPM can also be provisioned as the Kaspersky AV Management station.
• Malware Prevention (MP)
  - MP uses a CoreTrace product called BOUNCER to protect the Ovation system.
    BOUNCER uses a whitelist approach to detect and prevent malware from executing.
• Security Incident and Event Manager (SIEM)
  - SIEM employs NitroView Enterprise Security Manager with Receiver functionality
    (ESMRCV) from NitroSecurity to collect, correlate, and report security events.


A typical cabinet configuration consists of the following hardware components:

• Cisco router
• Primary and secondary CoreTrace Bouncer (MP)
• Lumension server supplied by Dell (VSPM)
• NitroSecurity Unified Security Management (USM) system (SIEM)
• Primary and secondary power distribution center

The following graphic illustrates a possible cabinet configuration containing Security Center
components:


Figure 1: Typical OSC cabinet configuration


1.3 Functions of the Ovation Security Center


The Ovation Security Center performs the following functions:

• Supports Windows and Solaris operating systems.
• Supports cyber security of multiple Ovation control systems.

VSPM appliance

• Identifies and installs operating system software patches and updates.
• Discovers vulnerabilities in operating systems, configurations, patches, malware, and other
  system software.
• Discovers security issues in all network devices, including servers, workstations, laptops,
  switches, and routers.
• Can be provisioned as the Kaspersky AV management station.

MP appliance

• Allows only whitelisted applications to run on workstations.
• Verifies file integrity to prevent tampering.

SIEM appliance

• Combines and normalizes events from multiple devices.
• Correlates events to identify potential security incidents.

1.4 Terminology for the Ovation Security Center

Terminology for Ovation Security Centers

TERM DESCRIPTION

Air gap This is a security measure used for computers and computer networks that must be
extraordinarily secure. An air gap ensures that a secure network is physically,
electrically, and electromagnetically isolated from non-secure networks, such as the
public Internet or from a non-secure local area network.
Blacklist This is a list of software programs considered unsafe to run on your system. A
blacklist uses the standard signature-based, antivirus approach to security by
blocking any known harmful software or users from the system. See also Whitelist.
CIP Critical Infrastructure Protection (CIP) is a set of cyber security standards for Electric
Power Generation, Transmission and Distribution organizations. The North American
Electric Reliability Corporation (NERC) developed CIP standards with oversight from
the Federal Energy Regulatory Commission (FERC).
CIFS Common Internet File System that operates as an application-layer network protocol
used to provide shared access to files, printers, serial ports, and miscellaneous
communications between nodes on a network.
DMZ DeMilitarized Zone (DMZ) is a network that sits between a trusted internal network
such as a corporate private LAN, and an untrusted external network, such as the
public Internet. The purpose of a DMZ is to add an additional layer of security to an
organization's Local Area Network (LAN). An external attacker would only have
access to equipment in the DMZ, rather than the entire network.
Endpoint In a client/server network architecture, an endpoint is any node that is a destination of
two-way communication, whether requesting or responding (for example, PCs, laptops, and
other similar devices).
The term endpoint in the Lumension Endpoint Management and Security Suite refers to a
computer in your network that can have an agent installed.
ESMRCV Enterprise Security Manager with Receiver functionality.
FERC Federal Energy Regulatory Commission (FERC) is a United States federal agency
that has jurisdiction over and makes rules for interstate electricity sales and other
energy related rates and pricing.
Firewall A Firewall is a security system intended to protect your computer network from
external threats. All communication between the internal computer network and the
outside world is routed through a server that determines if a message is safe to pass
to the internal network.
Guardian Guardian is an Emerson-provided interface that can provide all the available
information about a system, such as system level, software level, loaded patches,
SureService information, site contacts, Emerson contacts, and related knowledge-
based articles.
LEMSS Lumension Endpoint Management and Security Suite (LEMSS)

Malware Malware refers to any software (such as a virus) that has the potential to disrupt a
computer system. Malware is malicious software or executable programs that you do
not want executing on your system.
Management Console The management console is a defined machine on the DCS that controls
administration of your Ovation Security Center.
MP Malware Prevention (MP) is a set of tools that provide centralized control of the
detection agents that reside on the Ovation host workstations. Any detected malware
is quarantined and reported to the SIEM tools.
NERC North American Electric Reliability Corporation (NERC) is an agency that oversees
the reliability and adequacy of bulk power supply in electric utility systems.
Network intrusion Intrusion is a security breach into a computer network.
OSC Ovation Security Center is a suite of hardware and software tools (appliances) that
provide electronic security management functions.
Passphrase A sequence of words used to login to your system. For example: The Performance
Received a Standing Ovation in 2010. Often used in combination with a password.
Root kit Software program that can elevate its privileges to the root level of your computer.
The program then uses the elevated privileges to gain access (access unknown to the
system's owners and legitimate managers) and control of that computer.

Security event An occurrence in the system process related to security. For example: an attempted
network intrusion from an unauthorized source.
SIEM Security Incident and Event Manager (SIEM) is a set of tools used by IT professionals
and system administrators to manage multiple security applications and devices and
to respond automatically to resolve security incidents.
SmartProcess SmartProcess software provides adaptive solutions that achieve optimum
performance for equipment in a power plant. SmartProcess uses fuzzy logic, neural
networks, predictive control, and other tools to offer the most advanced suite of
optimization solutions available.
SMB Server Message Block (SMB), also known as CIFS, is an application-level network
protocol applied to shared access to files, printers, serial ports, and miscellaneous
communications between nodes on a network.

SMTP Simple Mail Transfer Protocol (SMTP) is an Internet standard for email transmission
across Internet Protocol (IP) networks.
SNMP Simple Network Management Protocol (SNMP) is a User Datagram Protocol (UDP-
based) network protocol. It is used for network management systems to monitor
network-attached devices for conditions requiring administrative attention. SNMP
consists of a set of standards for network management.
Trojan horse A trojan horse is software which appears to perform a useful and harmless action, but
in fact performs another action that can harm your computer such as transmitting a
computer virus. In terms of Malware Prevention, a Trojan Horse is any virus or trick
that can invite a potential security threat into a securely protected area or space.
VPN Virtual Private Network (VPN) is a type of computer network. In a VPN some of the
links between nodes are carried by open connections and in larger networks, (for
example, the Internet), by virtual circuits instead of by physical wires.
VSPM Vulnerability Scan and Patch Management (VSPM) is a set of tools that scans the
system for any potential security weaknesses and provides patches to correct the
security weakness. This information is reported to the SIEM tools.
Whitelist A list of software programs considered safe to run on your system. Software
programs not on the whitelist are blocked. See also Blacklist.
WMI Windows Management Instrumentation (WMI) is the Microsoft implementation of
Web-Based Enterprise Management (WBEM). It is the primary management
technology for Windows operating systems, permitting management information to be
shared between management applications.


1.5 Improvements for OSC 2.0 Update 1

Note: Due to the complexity of upgrading the SIEM portion for the OSC 2.0 Update 1, Emerson
recommends that you have your OSC updated by an experienced service representative.

Contact your local field support office or sales representative for advice on upgrading your OSC.

VSPM Patching

The Ovation Security Center 2.0 Update 1 introduces Lumension Endpoint Management and
Security Suite (LEMSS) 7.0. The following list identifies new or added features for OSC 2.0:

• Server 2008 (32-bit) and Windows 7 (32-bit) patch support.
• Server 2008 (32-bit) installation platform support.
• SQL Express 2008 database support.
• Enhanced user interface.
• Right-click support in many areas.
• Improved reporting.
• Automated Endpoint Discovery.
• Active Directory Domain Membership/Login support.
• Uninstall protection.
• Kaspersky administration and Kaspersky support.
• Internet Explorer 7.0 or greater is required.
• Backup of server to network share or NAS support (Windows 2008 server only).

VSPM Vulnerability Scanner

• Server 2008 (32-bit) and Windows 7 (32-bit) vulnerability scan support.
• Server 2008 (32-bit) installation platform support.
• SQL Express 2008 database support.
• Backup of server to network share or NAS support (Windows 2008 server only).

Malware Prevention

The Ovation Security Center 2.0 Update 1 offers additional enhancements for Malware
Prevention:

• CoreTrace Bouncer v5.x.
• Server 2008 (32-bit) and Windows 7 (32-bit) whitelisting support.
• Kaspersky support.
• New user interface enhancements.
• Tokenless login support.
• Policies and collections removed; replaced by user-defined security groups with associated
  rights/packages for systems.
• Instant trust to a running process; no reboots required.
• Trust a running process using the manager console.
• Better trusted domain user support.
• Common Event Format (CEF) support with syslog messages.


• Automated backup of managers to a network share or NAS.
• Automated installation script capable.
• Communication over a single TCP port.
SIEM

The Ovation Security Center 2.0 Update 1 introduces an updated version of NitroView, 8.5.3.

• WMI communication is limited to two ports for tighter router control.
• Data source configuration can be exported to a remote location so you can modify it and import
  it into a Receiver.
• SIEM can read vulnerability data from VSPM SCAN software.
• SIEM can create and manage zones that can be used to categorize data sources on the
  network.

1.6 IP address and password examples


During installation of the OSC, both IP addresses and passwords need to be entered for each
appliance to bring the OSC into full working order.

IP addresses and passwords should be unique for your Ovation Security Center. Therefore, the
IP addresses and passwords originally used to configure your system must be changed after your
OSC is fully commissioned.

Example passwords and IP addresses are referenced throughout this document and they are
intended to be examples only. Be sure to review site addressing and password requirements and
configure your OSC with proper IP addresses and passwords.

The following IP address and password examples are noted in this section and are used
throughout this document.


1.6.1 Vulnerability Scan and Patch Management (VSPM) IP address and password examples

The VSPM requires configuration of two network adapters:

• One adapter for the OSC Regular Scan Network.
• One adapter for the Full Scan Network.

The Full Scan Network adapter will be turned off for normal operation.

Note: Once the VSPM software is loaded into the PC, the only way to change PC Name or IP
addressing is to format the PC and start over. IP addressing should be chosen prior to
installation.

VSPM IP address examples

ITEM                                          EXAMPLE USED
VSPM Regular Scan Address                     192.168.124.33
VSPM Regular Scan Network Subnet Mask         255.255.255.0
VSPM Regular Scan Network Default Gateway     192.168.124.9
VSPM Full Scan Address                        192.168.124.6
VSPM Full Scan Network Subnet Mask            255.255.255.252
VSPM Full Scan Network Default Gateway        192.168.123.5

VSPM password examples

ITEM                                          EXAMPLE USED
Windows Administrator Account                 Security.4u
clientadmin (Lumension Web Client Account)    Security.4u
serviceadmin (Lumension Service Account)      Security.4u
Lumension Global Uninstall Password           Security.4u
GUARD_ENG                                     Security.4u
Lumension SCAN System Administrator (sa)      Security.4u


1.6.2 Malware Prevention (MP) IP address and password examples

Typically, MP appliances operate as a redundant pair:

Primary - referred to as MP Manager A.
Secondary - referred to as MP Manager B.

The MP Managers only connect to the OSC Regular Scan Network; therefore, they have no OSC
Full Scan addressing.

MP IP address examples

ITEM                                          EXAMPLE USED
MP Manager A Address                          192.168.124.17
MP Manager A Subnet Mask                      255.255.255.0
MP Manager A Address Default Gateway          192.168.124.9
MP Manager B Address                          192.168.124.18
MP Manager B Subnet Mask                      255.255.255.0
MP Manager B Address Default Gateway          192.168.124.9

MP password examples

ITEM                                                            EXAMPLE USED
Initial MP Manager Login Password (must be 32 characters long)  emersonprocessmanagmentsecurityserver
MP Manager eToken password (after password length decreased)    Security.4u


1.6.3 Security Incident and Event Manager (SIEM) IP address and password examples

The SIEM only connects to the OSC Regular Scan Network; therefore, it does not have OSC Full
Scan addressing.

SIEM IP Addresses

ITEM                                          EXAMPLE USED
SIEM Address                                  192.168.124.49
SIEM Subnet Mask                              255.255.255.0
SIEM Default Gateway                          192.168.124.9

SIEM passwords

ITEM                                          EXAMPLE USED
NGCP                                          Security.4u
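The following Python check is an added example, not part of this guide and not Emerson tooling. It applies two points from this section: VSPM addressing cannot be changed after installation, so an address plan should be validated before the software is loaded, and the example addresses and passwords printed above must not remain in use once the OSC is commissioned. The appliance and network names, and the site-specific plan at the bottom, are constructed for the example; run over the guide's own example tables, the check also reports that the VSPM Full Scan /30 overlaps the Regular Scan /24 and that its gateway lies outside that /30.

```python
"""Commissioning check for an OSC address and password plan (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Adapter:
    appliance: str   # e.g. "VSPM", "MP Manager A", "SIEM" (labels chosen for this example)
    network: str     # "Regular Scan" or "Full Scan"
    address: str
    mask: str        # dotted subnet mask, as the guide's tables give it
    gateway: str


# The example values from the guide's section 1.6 tables, entered here as data.
GUIDE_EXAMPLE_PLAN = (
    Adapter("VSPM", "Regular Scan", "192.168.124.33", "255.255.255.0", "192.168.124.9"),
    Adapter("VSPM", "Full Scan", "192.168.124.6", "255.255.255.252", "192.168.123.5"),
    Adapter("MP Manager A", "Regular Scan", "192.168.124.17", "255.255.255.0", "192.168.124.9"),
    Adapter("MP Manager B", "Regular Scan", "192.168.124.18", "255.255.255.0", "192.168.124.9"),
    Adapter("SIEM", "Regular Scan", "192.168.124.49", "255.255.255.0", "192.168.124.9"),
)
GUIDE_EXAMPLE_ADDRESSES = frozenset(a.address for a in GUIDE_EXAMPLE_PLAN)
GUIDE_EXAMPLE_PASSWORDS = frozenset({"Security.4u", "emersonprocessmanagmentsecurityserver"})


def adapter_findings(a: Adapter) -> list[str]:
    """Sanity checks on one adapter: usable host address, gateway reachable on-link."""
    iface = ipaddress.ip_interface(f"{a.address}/{a.mask}")
    net = iface.network
    gw = ipaddress.ip_address(a.gateway)
    label = f"{a.appliance} {a.network}"
    out: list[str] = []
    if iface.ip in (net.network_address, net.broadcast_address):
        out.append(f"{label}: {a.address} is the network or broadcast address of {net}")
    if gw not in net:
        out.append(f"{label}: gateway {a.gateway} is not on subnet {net}")
    elif gw == iface.ip:
        out.append(f"{label}: gateway equals the adapter address {a.address}")
    return out


def plan_findings(plan, passwords: dict[str, str]) -> list[str]:
    """Check a whole plan; `passwords` maps account name -> password in use."""
    findings: list[str] = []
    for a in plan:
        findings.extend(adapter_findings(a))

    # Two adapters must never share an address.
    owners: dict[str, list[str]] = {}
    for a in plan:
        owners.setdefault(a.address, []).append(f"{a.appliance} {a.network}")
    for addr, who in owners.items():
        if len(who) > 1:
            findings.append(f"address {addr} is used by {', '.join(who)}")

    # Regular Scan and Full Scan are separate adapters; their subnets must not
    # overlap, or traffic meant for one network can be routed out of the other.
    nets: dict[str, set] = {}
    for a in plan:
        subnet = ipaddress.ip_interface(f"{a.address}/{a.mask}").network
        nets.setdefault(a.network, set()).add(subnet)
    names = sorted(nets)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for s1 in sorted(nets[n1]):
                for s2 in sorted(nets[n2]):
                    if s1.overlaps(s2):
                        findings.append(f"{n1} subnet {s1} overlaps {n2} subnet {s2}")

    # After commissioning, none of the guide's printed example values may remain.
    for a in plan:
        if a.address in GUIDE_EXAMPLE_ADDRESSES:
            findings.append(f"{a.appliance} {a.network}: {a.address} is an example address from the guide")
    for account, pw in passwords.items():
        if pw in GUIDE_EXAMPLE_PASSWORDS:
            findings.append(f"{account}: password is an example value printed in the guide")
    return findings


# A constructed post-commissioning plan with site-specific values (illustrative only).
SITE_PLAN = (
    Adapter("VSPM", "Regular Scan", "10.20.30.33", "255.255.255.0", "10.20.30.1"),
    Adapter("VSPM", "Full Scan", "10.20.31.6", "255.255.255.252", "10.20.31.5"),
    Adapter("MP Manager A", "Regular Scan", "10.20.30.17", "255.255.255.0", "10.20.30.1"),
    Adapter("MP Manager B", "Regular Scan", "10.20.30.18", "255.255.255.0", "10.20.30.1"),
    Adapter("SIEM", "Regular Scan", "10.20.30.49", "255.255.255.0", "10.20.30.1"),
)
SITE_PASSWORDS = {"Windows Administrator": "<site-specific>", "NGCP": "<site-specific>"}

if __name__ == "__main__":
    for line in plan_findings(GUIDE_EXAMPLE_PLAN, {"NGCP": "Security.4u"}):
        print("guide example:", line)
    print("site plan findings:", plan_findings(SITE_PLAN, SITE_PASSWORDS))
```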

SECTION 2

Vulnerability Scan and Patch Manager (VSPM) appliance

IN THIS SECTION

Vulnerability Scan and Patch Manager (VSPM) overview ... 13
Performing a clean Install of VSPM on Server 2008 SP2 ... 15
VSPM updates and Ovation integration ... 44
VSPM user account information and Lumension Update procedures ... 58
Navigation bar menu map ... 61
Exporting data ... 64
VSPM Groups ... 65
Using Endpoints ... 71
Patch deployment ... 73
Using the Deployment Wizard ... 76
Reports for VSPM ... 85
Email Notifications Page ... 92
Downloading the Agent Installer ... 92
Using the Dashboard ... 93
Creating and editing user accounts for SCAN ... 103
Preparing VSPM for Full vulnerability scan ... 103
VSPM SCAN Updating ... 107
Creating a disaster recovery solution for VSPM ... 108
Creating a database backup ... 110
Restoring a database backup ... 111

2.1 Vulnerability Scan and Patch Manager (VSPM) overview


The Vulnerability Scan and Patch Manager (VSPM) appliance combines two related functions:
• The Vulnerability Scan portion of VSPM discovers any host and network vulnerabilities
through proactive scanning and passive monitoring of the Ovation control system.
• The Patch Manager portion of VSPM provides patch retrieval and patch distribution for all
Ovation system, operating system, and third-party software patches.


2.1.1 Vulnerability scan functions

The Vulnerability Scan portion of VSPM is a network-based scanning function that performs a
comprehensive scan of the following devices on the Ovation network:
• Servers
• Workstations
• Routers
• Printers
• Switches
The purpose of the scan is to identify vulnerabilities such as missing patches and malware so that
each vulnerability can be corrected quickly, before it can compromise the security of the Ovation
system.

The vulnerability scan captures a baseline of any discovered vulnerabilities and a history of how
those vulnerabilities are corrected for each server, workstation, controller, and network device.

All the information collected by the vulnerability scanner can be integrated into SIEM to provide a
complete picture of the overall risk situation for the Ovation system.

The scan function can also run detailed configuration checks that itemize ports, users, shares,
groups, agents, and services.

Vulnerability databases and scanning software updates are periodically downloaded through
Emerson’s SureService OSC Support Module.

2.1.2 Patch manager functions

The Patch Manager portion of VSPM provides centralized patch status retrieval and distribution
for all Ovation Windows-based and Solaris-based operating systems, Ovation workstations, and
third-party software patches. The patch management function uses host-based application
software that is installed on each managed workstation to permit the remote installation of
software updates.

Critical security patches are validated through Emerson’s patch validation program within 30 days
of release from the original software vendor.

Patch update downloads are initiated from the Ovation Security Center and retrieved through
Emerson’s SureService Software Update program.

Patch distribution policies determine whether patches are automatically or manually distributed to
Ovation servers, workstations, and network devices. Patch management agents on the servers
and workstations ensure patch delivery and secure communications with the Ovation Security
Center.


2.2 Performing a clean Install of VSPM on Server 2008 SP2

Note: In most VSPM installations, you should not have a monitor, mouse, and keyboard
attached to the manager during normal operation. The VSPM should not be the interface to the
OSC appliances.

During the initial VSPM installation, a monitor, mouse, and keyboard can be connected
temporarily for ease of configuration and setup.

You must perform a clean install to upgrade to 2.0 Update 1.

After you have connected the hardware mentioned in the note above, use the following steps to
perform a clean install of the VSPM on Server 2008 SP2.

1. Install Server 2008 SP2 (see page 16).
2. Rename the computer (see page 17).
3. Configure the Network adapter (see page 18).
4. Change the Firewall Settings (see page 19).
5. Install .Net 3.5 (see page 20).
6. Install Internet Explorer 8 (see page 20).
7. Configure Internet Explorer 8 settings (see page 21).
8. Install the latest Adobe Reader (see page 22).
9. Install KB968930 – Windows Management Framework (see page 22).
10. Install IIS w/ASP.Net (see page 23).
11. Install LEMSS 7.0 SP1 (see page 24).
12. Install LEMSS 7.0 SP1 Update 3 (see page 26).
13. Update to SQL Server 2008 SP2 (see page 27).
14. Install 2008 SQL Management Studio (Recommended) (see page 28).
15. Import SQL Scripts (see page 31).
16. Install the VSPM (LEMSS) Airgap License tool (see page 33).
17. Use the OSC 2.x License Request Tool and License LEMSS (see page 33).
18. Install the Import tool (see page 35).
19. Login to LEMSS for the first time (see page 35).
20. Update LEMSS clients to latest levels (see page 36).
21. Install Lumension SCAN (see page 38).
22. Set certain User’s Passwords to Never Expire (see page 39).
23. Add the Kaspersky Administration Toolkit to VSPM (see page 39).
24. Join Domain (see page 43).
25. Disconnect the monitor, mouse, and keyboard from the VSPM (see page 44).


2.2.1 Install Server 2008 SP2

Use the standard Microsoft installation procedures to perform a fresh install of Server Standard
2008 SP2.

Note: Any data on the PC is lost when you perform a clean install; therefore, back up any files
that you want to keep before you begin.

1. Insert the Dell System Management Tools and Documentation disk into the DVD drive and
make the following selections:
a) Select the load operating system option and answer the questions.
b) Enter the time, date, and time zone.
c) Select the operating system (2008 SP2 32-bit).
d) Keep the RAID configuration.
e) Eject the disk automatically.
2. Insert the 2008 SP2 32-bit server disc when prompted and make the following selections:
a) Select a new installation, not an upgrade.
b) Select Single volume (C:).
c) Select Full installation.
d) Next, install Windows.
e) The appliance reboots and completes the Windows Server 2008 SP2 installation.
f) Enter the administrator password.
g) Disable Windows Update.


3. Select Start > Control Panel > Windows Update > Change settings. The Change settings
window appears.

Figure 2: Change settings window

4. In the Important updates dialog box, select Never check for updates (not recommended).
Leave the remaining check boxes unchecked.
5. Click OK.

2.2.2 Rename the computer

Prior to installation of VSPM software, you must rename the computer to ensure proper operation.

1. Select Start > Computer > Properties. A System window appears.
2. Select Change settings under the Computer name, domain, and workgroup settings section.
A System Properties window appears.
3. Select the Computer Name tab, then select the Change button.
4. Change the name to the proper name. The example name used in this guide is VSPM.
5. Click OK. The appliance requires a restart. Select the OK button on the Computer
Name/Domain Changes window.
6. Select Close to close the System Properties window.
7. Select the Restart Now button on the system restart window. After the appliance reboots,
log back in as Administrator.


2.2.3 Configure the Network adapter


1. Select Start > Control Panel > Network and Sharing Center. The Network and Sharing
Center window opens.
2. Select Manage network connections. The Network Connections window opens.
3. Modify two of the four connections for use with the OSC VSPM appliance.
a) Select the current active adapter, right-click and select Properties.
b) Select Internet Protocol Version 4 and then select the Properties button. The
Properties window appears.
c) Configure the adapter with appropriate values. For example:
IP address: 192.168.124.33
Netmask: 255.255.255.0
Default gateway: 192.168.124.9
d) Click OK to close the Properties window.
e) In the Network Adapter window, under the line Connect using:, click the Configure
button. The Network Connection Properties window appears.
f) Click the Advanced tab.
g) Click Speed & Duplex.
h) Under the Value field, select 10 Mbps Full Duplex.
i) Click OK to close the Network Connection Properties window.
j) Select the current active adapter, right-click, and select Rename. Rename the connection
to OSC Regular Scan.
4. Select another of the active adapters, right-click, and select Properties.
a) Select Internet Protocol Version 4 and then select the Properties button. The
Properties window appears.
b) Configure the adapter with appropriate values. For example:
IP address: 192.168.123.6
Netmask: 255.255.255.252
Default gateway: 192.168.123.5
c) Click OK to close the Properties window.
d) In the Network Adapter window, under the line Connect using:, click the Configure
button. The Network Connection Properties window appears.
e) Click the Advanced tab.
f) Click Speed & Duplex.
g) Under the Value field, select 10 Mbps Full Duplex.
h) Click OK to close the Network Connection Properties window. Select the same adapter,
right-click, and select Rename. Rename the connection to OSC Full Scan.
5. Select the OSC Full Scan adapter, right-click, and select Disable.
6. Disable the remaining network connections (there should be two).
7. Select one of the remaining unnamed connections, right-click, and select Disable.


8. Select the last remaining network connection, right-click, and select Disable.

2.2.4 Change the Firewall Settings


1. Select Start > Control Panel > Administrative Tools > Windows Firewall with Advanced
Security.
2. Click Inbound Rules in the left-hand pane.
3. Click New Rule in the right-hand pane. The New Inbound Rule Wizard window appears.
4. Select Port, and click Next on the Rule Type window.


5. Select TCP as the protocol, select Specific local ports, enter 205 in the Specific local
ports dialog box, and click Next on the Protocol and Ports window.

6. Select Allow the connection, and click Next on the Action window.
7. Enable all selections and click Next on the Profile window.
8. Enter SCAN Access as the name and leave the description blank on the Name window.
9. Click Finish.
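The addressing configured in 2.2.3 and the inbound rule created in 2.2.4 are easy to get slightly wrong by hand (an adapter left enabled, a gateway typed into the wrong connection). The following script is an added verification example; it is not part of the Emerson guide or of the Lumension product. It assumes the guide's example addresses and the connection names OSC Regular Scan and OSC Full Scan used above, an English-language server (the netsh output is parsed as text), and PowerShell 2.0, which arrives with the KB968930 step (2.2.9), so run it from that point on.

```powershell
# Added verification script; it is not part of the Emerson OSC guide.
# Confirms that the VSPM adapter addressing from 2.2.3 and the "SCAN Access"
# inbound rule from 2.2.4 are in place, using only WMI and netsh so that it
# runs on PowerShell 2.0 (Server 2008 SP2 after the KB968930 step).
# The addresses and names below are the guide's examples; change them to the
# site's values before use.

$Expected = @(
    @{ Name = 'OSC Regular Scan'; Ip = '192.168.124.33'; Mask = '255.255.255.0';   Gateway = '192.168.124.9'; Enabled = $true  },
    @{ Name = 'OSC Full Scan';    Ip = '192.168.123.6';  Mask = '255.255.255.252'; Gateway = '192.168.123.5'; Enabled = $false }
)

function Get-StaticIpSettings($Cfg, [bool]$Enabled) {
    # A live adapter reports its addressing through WMI. A disabled adapter
    # (the guide disables OSC Full Scan in step 5) reports none, so read the
    # static values the GUI wrote to the TCP/IP interface registry key instead.
    if ($Enabled) {
        return @{ Ip = @($Cfg.IPAddress); Mask = @($Cfg.IPSubnet); Gateway = @($Cfg.DefaultIPGateway) }
    }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($Cfg.SettingID)"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return @{ Ip = @($p.IPAddress); Mask = @($p.SubnetMask); Gateway = @($p.DefaultGateway) }
}

function Get-AdapterFindings {
    $findings = @()
    # Win32_NetworkAdapter holds the connection name and enabled state;
    # Win32_NetworkAdapterConfiguration holds the IP settings. Join on Index.
    $adapters = @(Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID })
    foreach ($e in $Expected) {
        $nic = $adapters | Where-Object { $_.NetConnectionID -eq $e.Name }
        if (-not $nic) { $findings += "no connection named '$($e.Name)'"; continue }
        $enabled = [bool]$nic.NetEnabled
        if ($enabled -ne $e.Enabled) { $findings += "'$($e.Name)' enabled=$enabled, expected $($e.Enabled)" }
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
        $ip = Get-StaticIpSettings $cfg $enabled
        if ($ip.Ip -notcontains $e.Ip)           { $findings += "'$($e.Name)' address $($ip.Ip) differs from $($e.Ip)" }
        if ($ip.Mask -notcontains $e.Mask)       { $findings += "'$($e.Name)' mask $($ip.Mask) differs from $($e.Mask)" }
        if ($ip.Gateway -notcontains $e.Gateway) { $findings += "'$($e.Name)' gateway $($ip.Gateway) differs from $($e.Gateway)" }
    }
    # Steps 5 to 8: every other connection on the appliance must be disabled.
    $names = $Expected | ForEach-Object { $_.Name }
    foreach ($nic in $adapters) {
        if (($names -notcontains $nic.NetConnectionID) -and $nic.NetEnabled) {
            $findings += "spare connection '$($nic.NetConnectionID)' is still enabled"
        }
    }
    return $findings
}

function Get-FirewallFindings {
    # netsh is the supported way to read the Server 2008 firewall; its output
    # is parsed as English text (assumption: an English-language server).
    $text = (netsh advfirewall firewall show rule name="SCAN Access" | Out-String)
    if ($text -notmatch 'Rule Name:\s+SCAN Access') { return @("no firewall rule named 'SCAN Access'") }
    $findings = @()
    $want = @(@('Enabled', 'Yes'), @('Direction', 'In'), @('Profiles', 'Domain,Private,Public'),
              @('Protocol', 'TCP'), @('LocalPort', '205'), @('Action', 'Allow'))
    foreach ($pair in $want) {
        $pattern = '{0}:\s+{1}\s*$' -f $pair[0], [regex]::Escape($pair[1])
        if ($text -notmatch "(?m)$pattern") { $findings += "SCAN Access rule: $($pair[0]) is not '$($pair[1])'" }
    }
    # The wizard as followed above leaves the remote address unrestricted;
    # report that so the reviewer sees the rule's full reach.
    if ($text -match 'RemoteIP:\s+Any') { $findings += "SCAN Access rule accepts TCP/205 from any remote address" }
    return $findings
}

$issues = @(Get-AdapterFindings) + @(Get-FirewallFindings)
if ($issues.Count -eq 0) { 'VSPM addressing and SCAN Access rule match the guide.' } else { $issues }
```

The 10 Mbps Full Duplex setting in steps 3h and 4g is a driver property that the script does not read; it stays a GUI check. The last firewall finding is informational: the rule is correct as the guide specifies it, and whether to narrow RemoteIP to the OSC Regular Scan subnet is a site decision.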

2.2.5 Install .Net 3.5


1. Launch dotnetfx35.exe from the \LEMSS folder of OSC VSPM 2.0 Update 1 Disc 1. The
Licensing window appears.
2. Accept the terms of the license agreement to continue. The Installation window appears.
3. Click Install. The installation begins and displays an installation progress bar.
4. Click Exit when the progress bar completes.

2.2.6 Install Internet Explorer 8


1. Launch IE8-WindowsVista-x86-ENU.exe from the \LEMSS folder of OSC VSPM 2.0 Update
1 Disc 1.
2. Click Next on the first window. The License Agreement window appears.


3. Click I accept to accept the license terms.
4. Uncheck the Install Updates check box.
5. Click Next. Internet Explorer 8 installs.
6. Click Restart Now (recommended) when prompted.
7. When the computer reboots, it will configure updates before you can log into the appliance.

2.2.7 Configure Internet Explorer 8 settings


1. Open an Internet Explorer 8 (IE8) window.
2. Click Tools > Internet Options.
3. Click the Advanced tab.
4. Scroll halfway down to the Multimedia section.
5. Check the box for Play Animation on Webpages.
6. Click the Security tab.
7. Click Trusted Sites.
8. Click Sites. Uncheck the option: Require server verification (https:) for all sites in this
zone.
9. Add the VSPM address to the Trusted Sites and click Add. For example:
http://192.168.124.33/

Figure 3: Trusted sites window

10. Click the Privacy tab. On the Pop-Up Block, click Settings.


11. Add the VSPM address to the exception list.

Figure 4: Pop-up Blocker Settings window

2.2.8 Install the latest Adobe Reader


1. Launch AdbeRdr1010_en_US.exe from the \Adobe folder of OSC SIEM 2.0 Update 1 Disc 1.
2. A message window appears to begin the installation. The Ready to Install window appears.
3. Click Install.
4. Click Finish after the progress bars complete the installation cycle.

2.2.9 Install KB968930 – Windows Management Framework


1. Launch Windows6.0-KB968930-x86.exe from \LEMSS folder of the OSC VSPM 2.0 Update
1 Disc 1.
2. Click OK. The Licensing window appears.
3. Click I Accept to continue.
4. The installation begins. An installation progress bar displays.
5. Click Restart Now.
6. The program configures updates before the reboot.


2.2.10 Install IIS w/ASP.Net


1. Select Start > Programs > Administrative Tools > Server Manager to open the Server
Manager.
2. Click Roles in the left bar.
3. Click Add Roles. The Add Roles Wizard opens.

Figure 5: Add Roles window

4. Click Next. On the Select Server Roles window, check Web Server IIS. A dialog opens telling
you that you need additional features. Click Add Required Features.
5. Click Next after the dialog disappears. The Introduction to the Web Server window appears.
6. Click Next. The Role Services window appears.
7. Check ASP.NET under Application Development. A dialog box appears.
8. Click Add Required Role Services.


9. Check ASP under Application Development, and click Next.
10. Click Install. The installation begins.
11. Click Close when the installation is complete.

Note: You may receive a warning that it cannot reach Windows update. This is expected.

2.2.11 Install LEMSS 7.0 SP1


1. Launch LumensionEMSS_7SP1 from \LEMSS of OSC VSPM 2.0 Update 1 Disc 1. The
Install Wizard opens.
2. Click Next. The License Agreement window appears.
3. Click I Accept to continue.
4. Click Next. A customer name and serial number dialog box appears.
5. Enter the Company Name and Serial Number as found on your license certificate.


6. Click Next. The Required IIS Features appear. The Security Features and Performance
Features should have a red X.
7. Click Next to install the missing features. The installation completes.
8. Click Next. On Service Accounts, use Security.4u for all four password fields. Passwords are
case sensitive; remember to use a capital "S". For more information on what these accounts
do, refer to the Lumension documentation on your OSC installation CD.
9. Click Next. Use the defaults on the Install a new SQL Server Instance window.
10. Click Next. The Destination Location window appears.
11. Accept the defaults and click Next. A Proxy Settings window appears.
12. Click Next. The Agent to Server Communication window appears.


13. Enter the IP address in the Default server identity dialog box (if it is not already entered for
you). Emerson recommends using the IP address instead of the domain name.

Figure 6: Agent to Server Communication window

14. Click Next. An Installation Ready window appears.
15. Click Install on the Installation Ready window. A progress bar appears and may continue for
several minutes.
16. Uncheck the Launch Lumension EMSS box.

Note: By default, clicking Finish will launch Lumension. If you do not want to launch
Lumension, uncheck the Launch the Lumension EMSS check box and click Finish.

17. Click Finish on the Installation Complete window.
18. Click OK.

2.2.12 Install LEMSS 7.0 SP1 Update 3


1. Launch LumensionEMSS_SP1Update3.exe from \LEMSS on OSC VSPM 2.0 Update 1 Disc
1. The InstallShield Wizard opens.
2. Click Next. The license agreement window appears.
3. Accept the license agreement to continue and click Next. The Installation window appears.
4. Click Install on the Ready to Install window.
5. Click OK on the Files in Use list. A progress bar begins. After installation, a dialog appears
prompting you that a reboot is needed.
6. Click OK. The progress bar completes.
7. Click Finish.


8. Reboot the computer.

2.2.13 Update to SQL Server 2008 SP2


1. Launch SQLServer2008SP2-KB2285068-x86-ENU.exe from the \LEMSS folder of OSC
VSPM 2.0 Update 1 Disc 1.
2. The first window appears as a self-test. After the test passes, click Next.
3. Check I accept the license terms and click Next.


4. On the Select Features screen, click Next.
5. A Files in Use check begins. After the check completes, click Next.
6. Click Update to begin installation. Once the update completes, click Next.
7. Click Close.

2.2.14 Install 2008 SQL Management Studio (Recommended)


1. Launch SQLManagementStudio_x86_Enu from the LEMSS folder on the OSC VSPM 2.0
Update 1 Disc 1. The SQL Server Installation Center opens.


2. Click Installation.
3. Click New SQL Server stand-alone installation or add features to an existing
installation.
4. The SQL Server Setup window opens.

Note: The screen may flash, but eventually the SQL Server 2008 Setup window will display.

5. Click OK. The Supported Files window appears.
6. Click Install. Rules are checked again with possible warnings but no failures.


7. Click Next.
8. Select the default Perform a new installation of SQL Server 2008 option.
9. On the Product Key screen, click Next. The options will be grayed out.
10. Click Next. The licensing window appears.
11. Accept the license terms to continue. Click Next.


12. On Features > Instance Features, check the Management Tools option and click Next.
13. Click Next on Disc Space Requirement.
14. Click Next on Error and Usage Reporting.
15. Click Next on Installation Rules.
16. Click Install on the Ready to Install window. An installation progress bar displays.
17. Click Next after the progress bar completes. It may take several minutes to complete the
install.
18. Click Close on the Summary screen.
19. Close the SQL Server Installation Center.

2.2.15 Import SQL Scripts


1. Click Start > Programs > Microsoft SQL Server 2008 > SQL Server Management
Studio.


2. The Connect to Server window appears. In the Server name dialog box, make sure the server
name says <servername>\UPC.
3. Click Connect. The SQL Server Management Studio window appears.
4. Click File > Open > File.
5. Browse to AirGapScript.sql found on OSC VSPM 2.0 Update 1 Disc 1 in the folder
\LEMSS\SQLScripts.


6. Make sure the Available Databases pull-down menu says PLUS, not master.
7. Once the script is open, click the ! Execute button to run it.
8. Repeat steps 4 - 7 for osdepends.sql.
9. Exit SQL Server Management Studio.

2.2.16 Install the VSPM (LEMSS) Airgap License tool


1. Launch the LicenseRequestTool.exe from \LEMSS on OSC VSPM 2.0 Update 1 Disc 1. The
InstallShield Wizard Launches.
2. Click Next. The Destination Folder window appears.
3. Click Next. The Ready to Install window appears.
4. Click Install. An installation progress bar begins.
5. Click Finish after the progress bar finishes.

2.2.17 Use the OSC 2.x License Request Tool and License LEMSS
1. Launch the License Request Tool from the link on the desktop or from Start > Programs >
PatchLink > License Request Tool. Launching the License Request tool may take several
seconds since the tool is enumerating local SQL Databases.


2. After launching, the Connect to Server window appears. Select the Windows
Authentication option and enter .\UPC into Server Name field.

3. Click OK. This connects you to the local server database of UPC (default LEMSS database).
The License Update Tool appears.


4. Click Import. The Import License Data window appears.

5. Click Open. Browse to the license text file provided by software licensing.
6. Click Open. The text will now appear in the License window.
7. Click Next to import the license. An Import License Data window appears and displays the
licenses that are being imported.
8. Click Finish. Click Yes to confirm the import. A window showing a successful import will
appear.
9. Click OK to close.
10. Click Close to exit the license tool.

2.2.18 Install the Import tool


1. Insert the OSC Version 2.0 Update 1 DVD (Disc 1) into the disc drive.
2. Launch the EmersonUpdateImport.msi from the LEMSS > Import Tool folder. The
Welcome window appears.
3. Click Next. The Licensing window appears.
4. Click I accept to continue.
5. Click Next. The Destination folder window appears.
6. Click Next. The Ready to Install window appears.
7. Click Install. Wait for the installation to complete.
8. Click Finish after the installation completes.

2.2.19 Login to LEMSS for the first time


1. Open the Lumension Web site using the desktop link or by opening Internet Explorer and
entering the IP address into the address bar. For example: http://192.168.124.33


Note: If the Web site does not open, make sure the address is listed as a Trusted Site in IE
(Tools > Internet Options > Security).

2. Log in with the original setup credentials. This is the account you were using when installing
LEMSS. The Web site opens (this may take a few minutes).
3. Enter the First name, Last name, and Company name of the primary contact under the
Customer Info tab.
4. Click on the Uninstall Password tab and configure an uninstall password. The uninstall
password is necessary to uninstall the LEMSS agent.
5. Click the Email Notifications tab. Enter the mail server IP address in the SMTP Host line,
and enter the correct email address in the ‘From’ email address. Confirm the domain (part
after the @) is correct for the site.
6. Click Apply, then Close. The LEMSS main screen appears.
7. Log out and close Internet Explorer.

2.2.20 Update LEMSS clients to latest levels


1. Open Explorer. Navigate to the \LEMSS\EndpointComponents folder of OSC VSPM 2.0
Update 1 Disc 1.


2. Select all items in this directory and copy/paste them to the
C:\Program Files\Lumension\EMSS\Content\00000000-0000-0000-0000-000000000000\EndpointComponents
directory on the VSPM. Overwrite all files.
3. Double-click ActivateManifestTool.exe. A command prompt window opens and disappears
after a few seconds.
4. Verify that the Policy pushes out the newest client by logging into the LEMSS console. Then
click Manage > Agent Policy Sets.
5. Click the Edit icon to the left of the Global System Policy.


6. Under Agent Version, verify it is set to Newest available. If not, click the current value and
select Newest available from the drop-down.

7. When finished, click Save in the bottom-right side to save the Policy set. The active clients
will begin to update automatically.
8. Click Tools > Options to verify that the installations use the newest client available.

9. Click the Agents tab and scroll to the bottom of the list to find Agent Versions. Both values
should read Newest available. If not, use the drop-down selections and change both clients
to Newest available.

10. Once completed, click Save.

2.2.21 Install Lumension SCAN


1. Launch ScanSQL2k8_6.4.8_92a.exe from the \Scan folder of OSC VSPM 2.0 Update 1 Disc
1. The InstallShield Wizard opens.
2. Click Next. The System Requirements window appears.


3. Click Next. The License agreement window appears.
4. Accept the license agreement to continue.
5. Click Next. A Serial Number dialog box appears.
6. Enter the Serial number and Registration Key. These numbers are found in the install
binder; if they are not, contact Emerson Software Licensing.
7. Click Next. Registration information is displayed with the number of nodes licensed. Confirm
the proper amount.
8. Click Next. The Setup Type window appears.
9. Select Complete and click Next. The System Administrator Password window appears.
10. Enter the account password in both dialog fields. This is the initial password for the SCAN
system administrator account.
11. Click Next. The Identity of Scan Services window appears.
12. Accept the default of New Guard_Eng on Identity of Scan Services.
13. Click Next. This account on the local machine runs Scan as a system service and is
required. The Create Windows Service Account dialog box appears.
14. Enter Security.4u in both dialog fields.
15. Click Next. This sets the password for the Guard_Eng account. The Ready to Install window
appears.
16. Click Install. Several progress bars appear throughout the installation cycle.
17. Click Finish after all progress bars have completed the installation cycle.

2.2.22 Set certain user passwords to never expire


1. Right-click the Computer icon (on the desktop or in the Start menu) and select Manage.
2. Open the Configuration container by selecting the + sign.
3. Open the Local Users and Groups container by selecting the + sign.
4. Select the Users container.
5. Double-click Administrator, select the Password never expires check box, and
click OK.
6. Double-click GUARD_ENG, select the Password never expires check box, and
click OK.
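Exempting Administrator and GUARD_ENG from password expiry keeps the Lumension services running, but it also means these two passwords never rotate, so it is worth being able to confirm later that the exemption has not spread to other accounts. The script below is an added check; it is not part of the Emerson guide or the Lumension product. It assumes PowerShell 2.0 (installed with the KB968930 step) and the two account names this section uses.

```powershell
# Added check; not part of the Emerson OSC guide. Step 2.2.22 exempts two
# local accounts from password expiry. This lists every local account whose
# password never expires and flags anything beyond that expected pair, so the
# exemption does not silently widen over time. PowerShell 2.0 / WMI only.

$ExpectedNonExpiring = @('Administrator', 'GUARD_ENG')   # the accounts 2.2.22 names

function Get-NonExpiringLocalAccounts {
    # LocalAccount=True keeps WMI from enumerating the whole domain once the
    # VSPM has been joined to it (2.2.24).
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND PasswordExpires=False" |
        Select-Object Name, Disabled, PasswordRequired, Lockout
}

function Test-PasswordExpiryExemptions {
    $findings = @()
    $accounts = @(Get-NonExpiringLocalAccounts)
    # Both accounts named in 2.2.22 must be exempt, or the services will stop
    # authenticating when the password ages out.
    foreach ($name in $ExpectedNonExpiring) {
        if (-not ($accounts | Where-Object { $_.Name -eq $name })) {
            $findings += "'$name' is still subject to password expiry; 2.2.22 has not been applied"
        }
    }
    # Nothing else on the appliance should carry a non-expiring password.
    foreach ($acct in $accounts) {
        if ($ExpectedNonExpiring -notcontains $acct.Name) {
            $findings += "unexpected non-expiring local account '$($acct.Name)'"
        }
        if (-not $acct.PasswordRequired) {
            $findings += "non-expiring account '$($acct.Name)' does not require a password"
        }
    }
    return $findings
}

$issues = @(Test-PasswordExpiryExemptions)
if ($issues.Count -eq 0) { "Only $($ExpectedNonExpiring -join ', ') are exempt from password expiry." } else { $issues }
```

Name comparisons in PowerShell are case-insensitive, so GUARD_ENG matches the Guard_Eng account that the SCAN installer creates in 2.2.21. Run it once after this section and again whenever an account is added to the VSPM.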

2.2.23 Add the Kaspersky Administration Toolkit to VSPM


1. Log in to the VSPM server with Administrator privileges.


2. Launch kasp8.0.2090_adminkiten.exe from the \Kaspersky folder of OSC VSPM 2.0 Update
1 Disc 1. The InstallShield Wizard starts.
3. Click Next. The Location to save files window appears.
4. Click Next. The Welcome window appears.
5. Click Next. The License Agreement window appears.
6. Click Yes. The Installation Type window appears.
7. Select Custom then click Next. The Destination Folder window appears.
8. Click Next. The Select Features window appears.
9. Configure your selections as displayed in the Kaspersky Administration Kit window and click
Next.

10. Click Next on the Network Size window.
11. On the Administration Server Properties window (Set Server Account), accept defaults.
12. Click Next. The Database Server window appears.


13. Select the Microsoft SQL Server (SQL Express) option and click Next.

14. On the Administrator Server Properties window (Set Microsoft SQL Server Parameters)
perform the following:
a) Select Choose existing.
b) Enter the SQL Server Name. Type in or Browse for the {ServerName}\Guardian.
c) In the Database name dialog box, accept the default of KAV.

15. Click Next.


16. On the SQL Authentication Mode window, accept the default Microsoft Windows
Authentication Mode and click Next.
17. On the Set Server Shared Folder window, accept the defaults and click Next.
18. On the Set Server Ports window, accept the defaults and click Next.
19. On the Set Administration Server Address window, select the IP address from the pull-down
and click Next.

20. On the Start Copying Files window, click Next.
21. Setup continues with a progress bar.
22. On the Installation Wizard Completed screen, click Finish. The Kaspersky Administration Kit
opens with the Quick Start Wizard. On the Welcome to Quick Start Wizard screen, click Next.
23. On the License screen, select Load from Key File and click Next.
24. On the Choose Key File screen, click Select and browse to the key file (xxxxxxxx.key)
provided by Software Licensing.
25. Once selected, click Next.
26. On the Network Discovery screen, click Next.
27. On the Notifications screen, click Next.
28. On the Update screen, click Next.
29. On the Initial Setup is complete screen, remove the check mark from Start Deployment and
click Finish.
30. Setup continues as normal.


Note: Refer to the Using Kaspersky Antivirus Software with Ovation User Guide (CON_38).
Refer to the section called (Configuring the Administration Kit) and follow all the steps. Ensure
the VSPM is placed in Wave 1 as part of the load to be able to download updates. The machine
can be reassigned at a later time.

2.2.24 Join the Domain

Join VSPM to the domain if desired. Joining the domain is recommended if the OSC will work on
only one domain. Use the following procedure to join the VSPM to the domain.

1. Configure both the OSC Standard Scan and the OSC Full Scan network adapters with the
correct DNS settings. The primary DNS server will be the primary domain controller. Enter a
secondary DNS address if there is a backup domain controller.
2. Go to Start > Control Panel > System. Select Change settings under the Computer name
section.
3. Click Change.
4. Select Domain: Enter the correct domain.
5. Click OK.
6. A prompt for domain credentials appears. Enter domain administrator credentials to join the
domain. The user name will be in the form of <DOMAIN>\Administrator.
7. Reboot when prompted. Log in as the domain administrator (in the form of
<DOMAIN>\Administrator) for the rest of the install.
8. Add the domain administrator into the LEMSS software. Log in to LEMSS using the local
credentials. Click Tools > Users and Roles.

a) Click Create.
b) Select the Adding existing local or domain users option.
c) Click Next. The Search for Users page opens.
d) In the Search for the following users field, enter the user name of the domain
administrator; prefix the user name with the domain (DomainName\UserName).
e) Select Login to the domain as.
f) Enter the User name, Password, and Domain name of the domain administrator.
g) Click Next. The Users Found page opens.
h) Select a User Role for the user. The role is Administrator.
i) Click Finish. The Summary page opens. Verify the summary data.
9. Click Close. The Create User Wizard closes.


2.2.25 Disconnect the monitor, mouse, and keyboard from the VSPM

Once the initial setup on the VSPM is complete, additional updates and patch deployments can
be done from the OSC UI.

If you have attached a monitor, mouse, and keyboard to assist you in loading the VSPM, they can
be removed at this point, and they can remain off during normal operation.

After you have completed a clean install of VSPM, continue the installation by following the steps
in VSPM updates and Ovation integration (see page 44).

2.3 VSPM updates and Ovation integration


The VSPM requires additional periodic updates and installations. If the VSPM has been freshly
loaded and no patches have been imported yet, you can combine all past patches into one file to
save time. This step is intended to be done once.

After you have organized your patches into a separate file, the best practice for managing your
patches is to create a separate folder for each month to avoid importing the same patch twice. For
information on monthly patch updates, refer to Monthly patch organization (see page 44).

2.3.1 Initial patch organization


1. Gather all patch CDs provided by software licensing and download any additional patch files
from the OSC Update Web site (http://updates.ovationusers.com/OSC/).
2. Copy the patch files from the patch DVDs and the OSC Update Web site to a single directory
on the VSPM appliance, so that the patches can be imported into the Lumension database in
one import rather than several. The import takes a significant amount of time and can be
performed overnight.
3. Create a directory on the C:\ drive called Emerson Updates.
4. Create a directory under C:\Emerson Updates called initial.
5. Copy all of the .plf files and gss directories into this location.

Note: This should be done from oldest to newest patches so anything new can overwrite older
patches.

6. Proceed to Import patches (see page 45) to complete the patch import.

2.3.2 Monthly patch organization

Emerson releases patch updates monthly. These can be downloaded from the OSC Update Web
site with the correct SureService contract (http://updates.ovationusers.com/OSC/).

1. Copy the patch file to the directory on the C:\ drive called Emerson Updates.
2. Create a directory under C:\Emerson Updates named for the month in question. For
example: Apr-2012.
3. Extract the patch file to this directory.
4. Proceed to Import patches (see page 45) to complete the patch import.


2.3.3 Import patches


1. Double-click the Emerson Update Import Wizard from the desktop icon. This may take time
to open.

2. Click Next.


3. Select Import all the updates for this directory. Use the Browse button to select the folder
(created above) to import the files from.


4. Click Import. The log file's location is displayed so that you can view the log while the import
runs.

Note: Depending on how many patches there are, initial import may take time.

5. Click Finish. Review the Log file, linked in blue, if errors are found. (The Log file’s location will
be displayed in the import screen). At this time, the patch updates will be available for
distribution to all clients.

Note: If a green check box window does not display, copy the Log File to investigate the import
failure. The log file may be deleted on reboot.

6. If this is the initial import, reboot the server.


7. Upon reboot, log in as either the domain administrator (if available) or the local administrator.

2.3.4 Download the LEMSS Agent Installer


1. Log on to the target computer as the local administrator (or a member of the local
Administrators group).
2. Open Internet Explorer.
3. Log in to the Lumension Endpoint Management and Security Suite server using the
correct VSPM IP address.


4. Select Tools > Download Agent Installer from the toolbar. The Download Agent Installers
dialog displays.
5. Select the endpoint's operating system from the Operating System drop-down list.
6. Select the agent version to download on the endpoint from the Agent Version drop-down list.
7. Click Download. A Download File dialog opens. Save the installer to the local machine as
well as a flash drive for later use. Name the file based on the OS selected, for example,
LMAgent2K8.msi, LMAgentXP.msi, and so on.

2.3.5 Install LEMSS Agent on Endpoints


1. Navigate to where you have the installers previously saved and launch the correct one for the
OS of the machine. The Installation Wizard appears.

2. Click Next to continue. A License window appears.


3. Agree to the license terms and click Next.
4. On the Destination Folder window, click Next.


5. On the Lumension EMSS Server Information window, enter the IP address of the VSPM in
the Server identity box. Click Next.

6. A summary page displays. Click Install to begin installation.


7. A window appears stating the install is complete. Click Finish.
8. Log in to the LEMSS software.
9. Click Manage > Endpoints.
10. The new machine may not appear in the list at first. Refresh the screen; after a few minutes
the machine should appear in the list. There are three statuses for client installation:
- The first status is Initializing, during which nothing can be done with the endpoint.
- After the software has finished initializing, the machine is scanned for patches and is in
Working status.
- After the scan is complete, the machine is in Idle status and is ready for patching.


The following figures illustrate three different statuses in the Status column, Initializing,
Working, and Idle.

2.3.6 Update Lumension SCAN

Note: Scan updates come in a form named guardian_vulns_XXX.upd.

1. Load the SCAN update files to a folder on the VSPM if you have not previously done so.
a) Gather all patch CDs provided by Software Licensing and download any additional patch
files from the OSC Update Web site.
b) Copy the patch files from the patch DVDs and the OSC Update Web site to a single
directory on the VSPM appliance, so that the patches can be imported into the
Lumension database in one import instead of several.
c) Create a directory on the C:\ drive called Emerson Updates.
d) Create a directory under C:\Emerson Updates called initial.
e) Copy all of the .upd directories into this location.
f) Copy only the newest Emerson Validated Patches.xml file to this folder. The file is
overwritten every month.


2. Open the Lumension Scan (also known as SCAN). The SCAN Login screen appears.

3. Log in to SCAN with administrator rights (Username: sa).
4. If prompted for Certificate Verification, select Always Accept.

5. When prompted about automatic updates, choose No.


6. Check to see the SCAN update version: Click Help ->About. The third line down is the
Vulnerability Update Version number. Make a note of this version number for later use.

7. Select Tools from the top menu.


8. Select Automatic Updates from the drop-down menu (or press Ctrl-Shift-U).
9. Click the Load File(s) button.
10. Browse to the location of the upd files.
11. Select a file or multiple files.

Note: Select any and all files above the current version number. If you select a file at or below
the current version number displayed in the About, it will error out.

12. Once selected, choose Open.


13. Select Continue in the Update Now dialog.


Note: The update process takes several minutes depending on the number of updates
selected. The circling arrows are the only indication that the import process is running.
You can click the Run in the background button, but no indication of completion will be given.

14. Once completed, the circling arrows disappear. Click Cancel to close the Updates window.
15. Repeat until all SCAN updates are in.
16. Confirm the version number is correct.
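The two rules above that are easy to get wrong by hand are the copy order in Initial patch organization (oldest source first, so a newer copy of a same-named file wins) and the version filter in Update Lumension SCAN (only guardian_vulns_XXX.upd files above the current Vulnerability Update Version). The following added example, which is not Emerson's or Lumension's code, implements both; the C:\Emerson Updates layout and the gss* directory name are taken from the text, and the sample patch sources are constructed in a temporary directory.

```python
"""Staging OSC patch files and picking SCAN update files.

Added example, not Emerson's or Lumension's code.  It assumes the layout
described in the procedure: .plf files and gss directories copied into
C:\\Emerson Updates\\initial (then one folder per month, e.g. Apr-2012),
and SCAN update files named guardian_vulns_XXX.upd where XXX is the
Vulnerability Update Version.  Sample sources are constructed in a temp dir.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
SCAN_UPDATE_RE = re.compile(r"^guardian_vulns_(\d+)\.upd$", re.IGNORECASE)


def monthly_folder_name(year: int, month: int) -> str:
    """Folder name for a monthly drop under C:\\Emerson Updates, e.g. Apr-2012."""
    return f"{MONTHS[month - 1]}-{year}"


def select_scan_updates(filenames, current_version: int):
    """Return only the .upd files newer than the version shown in Help > About,
    oldest first.  Files at or below the current version are dropped because
    SCAN errors out on them (see the note in the Update Lumension SCAN steps)."""
    chosen = []
    for name in filenames:
        match = SCAN_UPDATE_RE.match(Path(name).name)
        if match and int(match.group(1)) > current_version:
            chosen.append((int(match.group(1)), name))
    return [name for _, name in sorted(chosen)]


def newest_mtime(folder: Path) -> float:
    """Timestamp of the newest file in a patch source; used to order the sources."""
    files = [p.stat().st_mtime for p in folder.rglob("*") if p.is_file()]
    return max(files, default=0.0)


def stage_patch_sources(sources, dest) -> dict:
    """Copy .plf files and gss* directories from each source (a patch CD or a
    web-site download) into dest, oldest source first, so a newer copy of a
    same-named file overwrites the older one.  Returns a manifest mapping each
    staged relative path to the source it finally came from."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted((Path(s) for s in sources), key=newest_mtime):
        for plf in src.glob("*.plf"):
            shutil.copy2(plf, dest / plf.name)
            manifest[plf.name] = str(src)
        # "gss directories" in the text; assumed here to be any subfolder named gss*
        for gss in src.glob("gss*"):
            if not gss.is_dir():
                continue
            for item in gss.rglob("*"):
                if item.is_file():
                    rel = item.relative_to(src)
                    (dest / rel).parent.mkdir(parents=True, exist_ok=True)
                    shutil.copy2(item, dest / rel)
                    manifest[rel.as_posix()] = str(src)
    return manifest


def demo():
    """Constructed sample: two sources, cd2 newer than cd1, both shipping the
    same-named patch.  Returns the manifest and the content that won."""
    root = Path(tempfile.mkdtemp(prefix="osc_patch_demo_"))
    try:
        for name, stamp, content in (("cd1", 1_300_000_000, "old"),
                                     ("cd2", 1_330_000_000, "new")):
            src = root / name
            (src / "gss").mkdir(parents=True)
            (src / "Emerson_Patch_001.plf").write_text(content)
            (src / "gss" / "catalog.txt").write_text(content)
            for p in src.rglob("*"):
                os.utime(p, (stamp, stamp))
        staged = root / "Emerson Updates" / "initial"
        # sources deliberately listed newest first; the sort restores oldest-first
        manifest = stage_patch_sources([root / "cd2", root / "cd1"], staged)
        winner = (staged / "Emerson_Patch_001.plf").read_text()
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return manifest, winner


if __name__ == "__main__":
    print(monthly_folder_name(2012, 4))
    print(select_scan_updates(["guardian_vulns_500.upd", "guardian_vulns_498.upd"], 498))
    print(demo())
```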

2.3.7 Update SCAN to the current Emerson Validated Patched Vulnerability set
1. Click Tools -> Manage Vulnerabilities (or press Ctrl-Shift-V).
2. Click Custom Vulnerabilities tab.
3. Click Import at the top-right.
4. Select Vulnerability Set(s) from the dialog box.
5. Click Next.
6. Browse the Current Month folder for the file Emerson Validated Patches.xml and click
Open.
7. Click Finish. The file imports.
8. Click Save to close the window.

2.3.8 Deploy Patches to LEMSS Clients


1. Log in to the LEMSS software.
2. Click Review > My Default View.
3. Set the following fields:
Content Type: --- All ---
Applicability: Applicable
State: Enabled
Detection Status: Not Patched
4. Click Update View for a list of all patches required over all machines.

5. Change Rows per page to include all vulnerabilities so they can be deployed together.
6. Select the check box to the left of the Vulnerability Name to select all vulnerabilities for that
deployment wave.


7. Unselect the following patches to speed patching:


- All but the latest Microsoft Malicious Software Removal Tool. This patch is cumulative, so
only the last one needs to be run.
- All but the latest Java update. This patch is cumulative, so only the last one needs to be
run.
- TCPVCON.

8. Select the Deploy button near the top of the page. The deployment wizard appears with the
Available Devices/Groups screen.
9. Click Next. Verify that the number of selected computers matches the number in the
deployment group.
10. Click Next. A list of selected vulnerabilities to be deployed displays.
11. Click Next. Select I ACCEPT for all disclaimers.
12. Click Next. Enter a job name for the deployment.
13. Click Next. The Package Deployment Order and Behavior window displays. This window
shows how the patches chain together and reboot the machines.
14. Click Next. This displays the notification options. The reboot notifications can be changed for
the deployment. Make any modifications.
15. Click Next. This displays the summary screen.
16. Click Finish.
17. Click Close to close the deployment wizard window.

2.3.9 To force an endpoint to start patching


1. Log in to the endpoint. Navigate to Control Panel > Lumension Patch Agent.
2. Click the arrow next to Scan.


3. Click Check for deployments. The box turns orange indicating that Lumension is deploying
patches. The following picture illustrates an orange box with a message that the deployment
service is running.

2.3.10 To monitor the deployment


1. Select Manage > Deployments.
2. Place a check mark in Show results on Page Load, found in the Options pull-down
menu.
3. Select the deployment job name and expand it by clicking the blue arrow next to the job
name so that the progress of the deployment can be monitored by selecting the Update View
button.

2.3.11 To verify that the deployments to the devices are complete


1. Select Manage > Endpoints.
2. Look at the symbol to the left of the computer name and wait for it to become a monitor
symbol.
- A monitor with a clock indicates patches are still waiting to deploy.
- A monitor with a clock and a green circle indicates patches are being deployed and
can be monitored.
- A green circle indicates the machine is scanning itself for what patches it has /
needs.
3. Select the Update View button to refresh the status.
4. Once all the endpoints' statuses are Idle, the patch deployment is completely finished.
5. Click Review > My Default View. The list of all patches still required for all machines
appears.
6. Only one patch should remain, TCPVCON, because this patch is always considered
unpatched by design. Old Java version patches may also be present; this is okay.
7. If there are other patches still considered Not Patched, perform the following:
a) Click the Vulnerability Name. A screen detailing this vulnerability’s status is displayed.
The first tab is Not Patched which will show all machines not registering this patch as
being installed.

b) Click the first machine’s Name.


c) Click the Deployments tab.
d) Look for any failed patch deployments that match the patch in question. Failed
deployments are marked with a failure symbol. If a failed deployment is the reason for a
patch still requiring deployment, begin troubleshooting the failed deployment.
e) If there is no mention of the patch in the Deployments tab, this is most likely a patch that
is now required because a previous patch was applied. Go through Steps 3 through 8c
again until all patches are pushed out.


f) Repeat Step 7 until all patches are accounted for.

2.3.12 To install new VSPM Clients


1. Log in to the client to be patched as a Domain administrator (with all privileges).

Note: This must be done on any client computer before whitelist protection from OSC
Bouncer is applied.

2. Open a Web-browser and navigate to the Update server Web site (http://192.168.124.33).
3. Log into the VSPM appliance using the following:
Username: Administrator
Password : Ovation
4. Select Tools -> Download Agent Installer. The Download Agent Installers window opens.

Note: For XP systems with IE6, click the Download Agent Installer link in the upper-right
corner.

5. From the Agent tab, select the proper Operating System from the drop-down option, (this
will be the local client Operating System). The Agent Version updates accordingly.
6. Click the Download button.
7. Select the Run option. A window displays with the following: Verifying LMAgent.msi from
192.168.124.33. After a few minutes the Internet Explorer - Security Warning window
appears.
8. Select Run. The installation continues. The Welcome to the Lumension EMSS Agent
Wizard window displays.
9. Click Next. The Licensing Agreement window appears.
10. Accept the License Agreement to continue.
11. Click Next. The Destination folder window appears.
12. Click Next. The Lumension EMSS Server Information window appears.
13. Enter the IP address of the Lumension Server in the Server Identity field (for example
192.168.124.33).
14. Click Next. The Installation Ready window displays.
15. Select Install. The installation begins and the Installation Wizard Complete window displays.
16. Click Finish. The installation is complete.

2.3.13 To enable spin animation


1. Open an Internet Explorer 8 (IE8) window.
2. Click Tools > Internet Options.
3. Click the Advanced tab.
4. Scroll half way down to the Multimedia section.
5. Check the box for Play Animation on Webpages.
6. Close Internet Explorer 8.


7. Re-open Internet Explorer 8.

Note: You should notice spin animations on the opening Webpage when it draws the graphs.
You should also notice spin animations on machines doing DAU or Deployments and in other
areas such as the Manage Endpoints area.

2.3.14 To upgrade VSPM Endpoints clients from OSC1.0 to OSC2.0


1. Reboot the drop.
2. Remove the Bouncer 4.5.15 server that reboots the endpoint (the box reboots).
3. During reboot, schedule deployment of LEMSS client upgrade.
4. During machine restart, the endpoint converts from OSC1 to OSC2 and checks LEMSS for
patches.
5. Deploy any patches needed with the reboot.
6. After reboot, have the machine check in and verify that all patches are deployed.
7. Login as Admin on the endpoint.
8. Install Bouncer 5.
9. Login as Operator and restore control to the operator.

2.4 VSPM user account information and Lumension Update procedures

You have two options to create users:
- Create a new local user.
- Add an existing local or domain user.

Note: Password complexity should be consistent with your organization's password security
policies. Typically, to ensure password strength, Emerson suggests that you use a password
with eight or more characters with a combination of numbers and upper-and lower-case letters.

User names may be between 1-20 characters in length and cannot include any of the following
characters: ' \ " @ ^ % & { } ( ) [ ] ; < > ! # : ? ' / * = |

Passwords are case sensitive and must meet the password rules defined by local and/or domain
password policies.

Note: Although a Password Strength indicator is provided to display the strength or weakness of
your password, the actual password policy is defined by Windows.

The Full Name, Office Phone, Cell Phone, Pager, E-mail, and Description fields are not validated
and apply no formatting rules other than maximum length of 25 characters.

2.4.1 To create a new user


1. Click Create in the User Management window. The Create User Wizard opens.
2. Select the Creating a new local user option.
3. Click Next. The Create User page opens.


4. Enter the user credentials and contact information for the new user. User Name, Password,
Confirm Password, and Role are required fields.
5. Select a Role (Administrator, Manager, Operator, or Guest) for the user from the drop-down
window list.
6. Click Next. The Confirm User page opens. Confirm the user information.
7. Click Close. The Creation Summary page opens.
8. Click Close to exit the wizard.
9. The new user is created, added to Windows, and granted the appropriate access to the
Update Server.

2.4.2 To add an existing user

Adding a user imports an existing Windows user into the Lumension Update database and access
group and can import a user from an existing domain by logging into that domain as a domain
user.

1. Click Create in the User Management window. The Create User Wizard opens.
2. Select the Adding existing local or domain users option.
3. Click Next. The Search for Users page opens.
4. In the Search for the following users field, enter a user name or enter the beginning
characters of one or more user names. Use semicolons to separate user names. To search
for users within a specific domain, prefix the user name with the domain
(DomainName\UserName).
- If searching using the domain, select Login to the domain as.
- Enter the User name, Password, and Domain name.

Note: There must be a secure connection between the domain and the Update Server's domain;
otherwise, you are unable to access the Update Server.

5. Click Next. The Users Found page opens.


6. Select a User Role for each of the users found. The No Action value indicates that the user
will not be added to the Update Server. If the user already exists as an Update user, no
changes are made to the user. Confirm the user information.
7. Click Finish. The Summary page opens. Verify the summary data.
8. Click Close. The Create User Wizard closes.

2.4.3 To edit a user profile

Editing user profile information allows you to change the role assigned to a user as well as update
the user's contact information. If you have the correct Change Password access, you can edit
other users' passwords using the procedure defined in To change a user password (see page
60).

1. From the Users grid located under Action, click the Edit user details icon associated with the
user profile. The Edit User Wizard opens.
2. Make the necessary modifications as defined in To create a new user (see page 58).
3. Click Finish to exit the wizard when complete.


2.4.4 To change a user password

Changing a user password in Lumension Update also changes the user's Windows password on
the (physical) Update Server.

1. Click Users to open the Users page.


2. Select the user requiring the password change.
3. Click Change Password. The Change Password Wizard opens.
4. Enter the new password in the New Password field. The Password Strength indicator
displays the effectiveness of the password you select and displays the Weak indicator when
the first character is typed in the New Password field.
5. When the Password Strength indicator displays the acceptable password strength, reenter
the password in the Confirm Password field.
The Password Strength Meter monitors factors such as the password length, complexity,
variety of characters, and resemblance to common words. Strong passwords usually contain
more than eight characters, and combine capital and lower case letters, numbers, and
symbols. Also, they do not resemble common words or names including words with numbers
in place of letters.
6. Click Finish.
7. The password is changed.

Note: Passwords are case sensitive and must meet the password rules defined by local and/or
domain password policies. Although a Password Strength indicator is provided to display the
strength or weakness of your password, the actual password policy is defined by Windows.
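The user-name rules given at the start of this section (1-20 characters, the forbidden character list) and the strength factors listed in step 5 (length, character variety, resemblance to common words, including digits substituted for letters) can be checked before a name or password is typed into the wizard. The following added example is not Emerson's or Lumension's code; the Weak/Fair/Strong levels, the scoring and the short common-word list are assumptions, and as the note says the policy that actually applies is the Windows one.

```python
"""Pre-checks mirroring the Lumension Update user-account rules in this section.

Added example, not Emerson's or Lumension's code.  The user-name rules and
the strength factors come from the text; the Weak/Fair/Strong levels, the
scoring and the small common-word list are assumptions.  Windows policy,
not this code, is what finally accepts or rejects a password.
"""
import re

# Characters the guide says a user name may not contain.
FORBIDDEN_USERNAME_CHARS = set("'\\\"@^%&{}()[];<>!#:?/*=|")

# Constructed, deliberately tiny list; a real meter would use a dictionary.
COMMON_WORDS = ("password", "ovation", "admin", "emerson", "welcome", "letmein")

# Digits and symbols commonly used in place of letters (P@ssw0rd -> password).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def validate_username(name: str):
    """Return (ok, reason): length 1-20 and none of the forbidden characters."""
    if not 1 <= len(name) <= 20:
        return False, "user name must be 1-20 characters"
    bad = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        return False, "user name contains forbidden character(s): " + " ".join(bad)
    return True, "ok"


def resembles_common_word(password: str) -> bool:
    """True when the password, lower-cased and with letter substitutions undone,
    still contains a common word; the guide calls out 'words with numbers in
    place of letters' as a weakness."""
    plain = password.lower().translate(LEET_MAP)
    return any(word in plain for word in COMMON_WORDS)


def password_strength(password: str) -> str:
    """Approximate the Password Strength indicator.  Strong requires more than
    eight characters, all four character classes and no common-word core;
    anything under eight characters, with fewer than two classes, or built on
    a common word is Weak; the rest is Fair (levels are an assumption)."""
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if len(password) < 8 or classes < 2 or resembles_common_word(password):
        return "Weak"
    if len(password) > 8 and classes == 4:
        return "Strong"
    return "Fair"


if __name__ == "__main__":
    for candidate in ("osc_operator", "bad<name>", "a" * 21):
        print(candidate, validate_username(candidate))
    for candidate in ("P@ssw0rd2012", "Kx7#mQ2p", "Kx7#mQ2pL"):
        print(candidate, password_strength(candidate))
```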

2.4.5 To remove a user

Removing a user from Lumension Update disables their access to the Update Server without
deleting the user’s Windows account. Once removed, the user is deleted from the Update Server
database and is removed from the user list in the User Management page.

1. Click Users to open the Users page.


2. On the Users page, select the check box for the users to remove.
3. Click Remove. A Remove User warning displays.
4. Click Ok to acknowledge the warning.
5. The user is removed.

Note: You cannot remove or delete a user that has been assigned the Administrator role or a
custom role that has been given the Manage Users access permission. You must first edit the
user, change the user’s role, and then remove or delete the user.

2.4.6 To delete a user

Deleting users from Lumension Update disables their access to the Update Server and deletes
their Windows account.

1. Click Users to open the Users page.


2. On the Users page, select the check box for the users to delete.


3. Click Delete. A Delete User warning displays.


4. Acknowledge the warning by clicking OK. A Delete User confirmation window displays.
5. Click Ok in the Confirmation dialog box.
6. The user is deleted.

Note: Deleting a user removes the user's access to Lumension Update and also deletes the
user from the device and/or Active Directory.

2.4.7 To log on to Lumension Update

Note: The Lumension appliance receives periodic software updates. You can access the
Lumension Update application from any Internet browser for update information.

1. Launch a Web browser.


2. Type the Server URL in your Web browser’s Location field.
3. Press Enter. The system displays the Connect to Update Server dialog box.
4. Enter your user name in the Username field.
5. Enter your password in the Password field.
6. Click OK. The Home page opens.

2.4.8 To log out of Update


1. In the Navigation menu, select Log Out. Lumension Update logs you out of the system and
displays the Update Server Log Out confirmation page.
2. Click the here link on the Update Server Logout Screen to reconnect to the system.

2.5 Navigation bar menu map


The Navigation bar menu map appears on all Lumension Endpoint Management and Security
Suite pages. Use this menu to navigate through the Web console.

This menu organizes product features based on functionality. When you select a menu item (or
sub-menu item), a new page, dialog box, wizard, or window opens. You can access all features of
the system from this menu (that your access rights authorize).

The following table maps to which page a menu (or sub-menu) item opens.

Navigation Menu

Each entry below gives the menu, its menu items, any sub-menu items, and the page (or dialog) that
opens.

Home: The Home page.

Discover
  Assets by IP Address: The Discovery Scan Jobs page. The Assets by IP Address dialog box
  opens over the page.
  Assets by Name/Domain: The Discovery Scan Jobs page. The Assets by Name/Domain dialog
  box opens over the page.
  Schedule Ad hoc Discovery Scan: The Discovery Scan Jobs page. The Schedule Ad hoc
  Discover Scan Wizard opens over the page.
  Assets and Manage Agents
    Install Agents: The Schedule Agent Management Job - Install Agents Wizard opens over the
    currently displayed page.
    Uninstall Agents: The Schedule Agent Management Job - Uninstall Wizard opens over the
    currently displayed page.

Review
  My Default View: The All Content page with your saved filters.
  Vulnerabilities
    All: The Vulnerabilities page, filtered to show only critical vulnerabilities.
    Critical Vulnerabilities: The Vulnerabilities page, filtered to show only critical vulnerabilities
    that are not superseded.
    New Vulnerabilities: The Vulnerabilities page, filtered to show only critical but not
    superseded vulnerabilities released in the last 30 days.
    Top Vulnerabilities: The Vulnerabilities page, filtered to show only critical but not
    superseded vulnerabilities sorted by the greatest number of applicable endpoints that are
    not patched.
  Software
    All: The Software page, filtered to show all software.
    Service Packs: The Software page, filtered to show only service packs.
    Software Installers: The Software page, filtered to show only software installers.
    Updates: The Software page, filtered to show only software updates.
  Other
    All: The Other page, filtered to show all non-critical content.
    Detection Only: The Other page, filtered to display only Detection Only content.
    Informational: The Other page, filtered to display only Informational content.
    Packages: The Other page, filtered to display only Packages content.
    Policies: The Other page, filtered to display only Policies content.
    Recommended: The Other page, filtered to display only Recommended content.
    Tasks: The Other page, filtered to display only Task content.
    Virus Removal: The Other page, filtered to display only Virus Removal content.
  Job Results
    All: The Job Results page.
    Discovery Scan Jobs: The Job Results page, filtered to display only discovery scan jobs.
    Agent Management Jobs: The Job Results page, filtered to display only Agent Management
    jobs.
  Deployments: The Deployments page.

Manage
  Endpoints: The Endpoints page.
  Inventory: The Inventory page.
  Groups: The Groups page.
  Deployments: The Deployments page.
  Agent Policy Sets: The Agent Policy Sets page.

Reports
  All Reports: The All Reports page.
  Configuration: The All Reports page with configuration reports expanded.
  Deployments: The All Reports page with deployments reports expanded.
  Inventory: The All Reports page with inventory reports expanded.
  Management/Status: The All Reports page with management/status reports expanded.
  Policy and Compliance: The All Reports page with policy and compliance reports expanded.
  Risks: The All Reports page with risks reports expanded.
  Vulnerabilities: The All Reports page with vulnerabilities reports expanded.

Tools
  Users and Roles: The Users and Roles page.
  Change My Password: The Change My Password dialog box.
  Download Agent Installer: The Download Agent Installer dialog box opens over the currently
  selected page.
  Subscription Updates: The Subscription Update page.
  Email Notifications: The Email Notifications page.
  Options: The Options page.

Help
  Help Topics: The Help page.
  Help Forums: The Lumension message boards.
  Knowledge Base: The Lumension knowledge base.
  New Users Start Here: The New Users Start Here page.
  Technical Support: The Technical Support page.
  Product Licensing: The Product Licensing page.
  About: The About window.

Note: Any unavailable or absent menus, menu items, or sub-menu items are due to restricted
access rights. Contact your network administrator if you require access to unavailable features.

2.6 Exporting data


On many system pages, you can export the listed data to a comma-separated value file (.csv)
available for use outside of the Lumension Endpoint Management and Security Suite (Lumension
EMSS). Use this exported data for management purposes (reporting, noting trends, and so on).

You can export data from a variety of Lumension EMSS pages.

Note: The Enhanced Security Configuration feature for Internet Explorer suppresses export
functionality and must be disabled to export data successfully. Pop-up blockers in Internet
Explorer or other supported browsers may also suppress export functionality and should be
disabled.

2.6.1 To export data


1. Select a list page (or dialog box) where you can export information.
2. If necessary, populate the page by defining filter criteria and clicking Update View.
3. Click Export. The File Download dialog box opens.
4. In the File Download dialog box, select from one of the following options:

Option: Description
Open: Creates the file and opens it in your default (.csv) program.
Save: Creates the file and saves it to a specified local folder. The file is saved in
Microsoft Office Excel (.csv) format. The file is named Export.csv and contains the
list data.
Cancel: Cancels the export.

Note: These instructions are intended for Microsoft Internet Explorer users. If you are using
Mozilla Firefox, this procedure differs slightly. All data results, not just the selected results, will
export.


2.7 VSPM Groups


A group is a collection of devices organized for managing activities within the Lumension Update
Server, which keeps a listing of all groups registered to it. Within the Lumension Update Server,
groups are organized into nested groups. These related groups, called parent and child groups,
allow you to maintain your Lumension Update Server with minimum maintenance.

The Groups browser lists the names of each custom parent group, child groups, system groups,
and custom groups. From this page, you can access group information by expanding the group in
the directory tree or proceed to the Group Information page by clicking a group name.

The Groups page displays information about a specific group. This information is classified into
the following views:
- Group Information.
- Group Membership.
- Device Membership.
- Mandatory Baseline.
- Device Group Vulnerabilities.
- Device Group Inventory.
- Device Group Policies.
- Device Group Roles.
- Device Group Dashboard.
- Device Group Settings.
VSPM provides pre-configured groups. However, you can also create custom groups. Populate
custom groups with desired endpoints. You can only create custom groups within the Group
Browser custom group hierarchy.

Note: Refer to the Lumension User Guide, located on your Ovation Security Center CD, for
additional information about Groups.


2.7.1 Groups and the Directory tree

You can view the list of groups using the directory tree. Click the expand icon to view Custom
groups, System groups, and Directory Service groups. By continuing to expand the tree, you can
view the parent group and each child group associated with it. To display detailed group
information, select the Group name. Use the View drop-down list to access the functions within
the Groups page.

Parent and Child Groups

The nesting of groups enables the creation of hierarchical relationships that can be used to define
inherited group membership. Using the policy inheritance feature, you can use parent groups to
apply the same policies to multiple child groups.

A Parent and Child group relationship refers to a group that contains one or more group
hierarchies underneath it. Each group must have one, and only one parent; however, a parent
can have multiple child groups.

As a result of the parent-child relationship, there are hierarchies within groups:


• Group Hierarchy - Refers to the entire group hierarchy from the original to the deepest child
group.
• Parent Hierarchy - Refers to the entire group hierarchy above a specific group.
• Child Hierarchy - Refers to the entire subordinate group hierarchy below a specific group.
• Inheritance - Refers to the permissions a group has set. A group must have its inheritance
setting set to True in order to inherit the settings of its parent.

Note: System and Directory Service group hierarchies cannot be modified.

2.7.2 To create VSPM Network Groups


1. Install the Patch Agent if the Agent was not previously installed.
2. Start the Lumension Update Server (from the Client or on OSC Server).
3. Select Groups (top bar).
4. Select Groups Browser - Custom Groups.
5. Select View - Group Membership.
6. Select Create (bottom bar).
7. Enter the Group Name and Description of the New group in the blank entry fields.
8. Select the Save Action icon.
(The new group is added in the Group Browser under Custom Groups.)

2.7.3 To view Groups


1. Select Groups. The Groups main page displays in the window.
2. Select a group type from the directory tree. Information for the selected group displays in the
Groups window.
3. Select the function you need from the View drop-down list. The applicable function displays
on the Groups page.


2.7.4 To search for a Group


1. Use the Group Browser search field to search for groups by name, using a Contains search
condition. Wildcards are not supported.
2. Select Groups from the window. The Groups main page displays in the window.
3. In the Group Browser search field, type your search criteria. The results for your search
appear below the Group Browser field as you type.
4. Click the desired Group link. Information for the selected group appears on the Groups page.

2.7.5 To create Groups


1. Navigate to the Group Membership view to create groups.
2. Select Manage > Groups.
3. Select Group Membership from the View list.
4. Select the Custom Group from the directory tree that you want to create a child group for.
5. Click Create. A new row appears on the page.
6. Enter a Name for the group in the Name field.
7. If desired, enter a Description about the group in the Description field.
8. Click the Save icon associated with the new group.
9. The group is saved to the list and is added to the directory tree. A Distinguished Name is
generated for the group.

2.7.6 To add Group Members to a new Group


1. Select Groups Browser -> Custom Groups -> New Group Name.
2. Select View - Device Membership.
3. Select Manage from the bottom bar.
4. Select Drop(s) in the lower devices list.
5. Select Assign. Selected drops move to the top of the Selected Devices list.
6. Select OK.

2.7.7 To edit Groups


1. Navigate to the Group Membership view to edit groups. You can only edit the names and
descriptions for groups within the Custom Groups hierarchy.
2. Select Manage > Groups.
3. Select Group Membership from the View list.
4. Select the parent group of the group you want to edit.
5. Click the Edit icon associated with the group you want to edit.
6. If desired, edit the Name field associated with the group.
7. If desired, edit the Description field associated with the group.
8. Click the Save icon. The changes are saved to the group.


Note: Within the Group Membership view, you can only edit the group name and description. To
edit group behavior, use the Roles, Policies, Membership, Settings, or Mandatory Baseline view.

The My Groups group Name and Description cannot be edited. Additionally, within the System
Groups and Directory Service Groups hierarchies, only group Descriptions can be edited, not
their Names.

2.7.8 To delete Groups


1. Navigate to the Groups Membership view to delete custom groups. Delete a group when
you no longer need to edit its endpoints. Only custom groups can be deleted. After deleting a
group, there is no way to recover it; you must recreate the group.
2. Select Manage > Groups.
3. Select Group Membership from the View list.
4. From the directory tree, select the parent group of the group(s) you want to delete.

Note: Only groups within the Custom Groups hierarchy can be deleted. Deleting a group does
not prevent an endpoint within that group from deploying, rebooting, or scanning; these tasks
occur at the endpoint level.

5. Use one of the following methods to delete the desired group(s).
   To delete a single group:
     - Click the Delete icon associated with the group you want to delete.
   To delete multiple groups:
     - Select the check boxes associated with the groups you want to delete.
     - Click Delete from the toolbar.
6. A dialog box appears asking you to acknowledge the deletion.
7. Click OK to acknowledge the deletion. The selected groups are deleted.

CAUTION! When a group is deleted, its child hierarchy is deleted as well.

2.7.9 To move Groups

After creating a group, you can change its position within the Group Browser directory tree. You
can only move groups within the Custom Groups hierarchy.

1. Select Manage > Groups.


2. Select Group Membership from the View list.
3. From the directory tree, select the parent group of the group you want to move.
4. Select the check box associated with the group you want to move.
5. Click Move. The Move Groups window opens.
6. Select a new parent group.

Note: When moving a group, if the group is configured to inherit agent policies, roles, or
baseline settings, the group inherits those values from its new parent.
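The parent/child, inheritance, move and delete rules described in this section can be checked against a small model. The following Python is an added example for readers of this guide, not Lumension or Emerson code: the GroupTree class, its method names and the sample policy keys (reboot, scan) are assumptions, and the group names are constructed.

```python
"""Model of the Custom Groups hierarchy: each group has exactly one parent, settings
flow down to children whose inheritance setting is True, a moved group re-inherits
from its new parent, and deleting a group removes its whole child hierarchy.
Added example; class and method names are assumptions, not Lumension's API."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    parent: Group | None = None
    inherit: bool = True                               # the group's inheritance setting
    own_policies: dict = field(default_factory=dict)   # settings set directly on this group
    children: list = field(default_factory=list)


class GroupTree:
    """Custom Groups hierarchy: every group except the root has one, and only one, parent."""

    def __init__(self, root_name: str = "Custom Groups") -> None:
        self.root = Group(root_name, inherit=False)
        self.groups: dict[str, Group] = {root_name: self.root}

    def create(self, name: str, parent_name: str, inherit: bool = True, **policies) -> Group:
        if name in self.groups:
            raise ValueError(f"group {name!r} already exists")
        parent = self.groups[parent_name]
        group = Group(name, parent, inherit, dict(policies))
        parent.children.append(group)
        self.groups[name] = group
        return group

    def child_hierarchy(self, name: str) -> list[str]:
        """Names of every group below the given group, depth first."""
        names = []
        for child in self.groups[name].children:
            names.append(child.name)
            names.extend(self.child_hierarchy(child.name))
        return names

    def effective_policies(self, name: str) -> dict:
        """Walk the parent hierarchy: a group has its own settings plus, only if its
        inheritance setting is True, whatever its parent effectively has."""
        group = self.groups[name]
        inherited = {}
        if group.inherit and group.parent is not None:
            inherited = self.effective_policies(group.parent.name)
        return {**inherited, **group.own_policies}

    def move(self, name: str, new_parent_name: str) -> None:
        """Re-parent a custom group; an inheriting group then takes the new parent's values."""
        group = self.groups[name]
        if group is self.root:
            raise ValueError("the root group cannot be moved")
        if new_parent_name == name or new_parent_name in self.child_hierarchy(name):
            raise ValueError("a group cannot be moved under its own child hierarchy")
        new_parent = self.groups[new_parent_name]
        group.parent.children.remove(group)
        new_parent.children.append(group)
        group.parent = new_parent

    def delete(self, name: str) -> list[str]:
        """Delete a group and, as the CAUTION above warns, its entire child hierarchy."""
        group = self.groups[name]
        if group is self.root:
            raise ValueError("the root group cannot be deleted")
        removed = [name] + self.child_hierarchy(name)
        group.parent.children.remove(group)
        for n in removed:
            del self.groups[n]
        return removed


def demo() -> tuple[dict, dict, list[str]]:
    """Constructed walk-through: inherit, move, then delete."""
    tree = GroupTree()
    tree.create("Plant", "Custom Groups", reboot="notify", scan="weekly")
    tree.create("Wave 1", "Plant", scan="daily")                  # inherits reboot, overrides scan
    tree.create("Wave 2", "Plant", inherit=False, scan="monthly")  # ignores its parent
    tree.create("Wave 2a", "Wave 2")                               # inherits from Wave 2 only
    before = tree.effective_policies("Wave 2a")
    tree.move("Wave 2a", "Plant")                                  # now inherits from Plant
    after = tree.effective_policies("Wave 2a")
    removed = tree.delete("Wave 2")                                # Wave 2a was moved out first
    return before, after, removed


if __name__ == "__main__":
    print(demo())
```

In the walk-through, Wave 2a first resolves to Wave 2's own settings, picks up Plant's settings after the move, and survives the deletion of Wave 2 only because it was moved out beforehand.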


2.7.10 To view Groups


1. Navigate to the Groups page to work with groups. After navigating to the page, select a
group and a view. You can select this page from the navigation menu at any time.
2. Select Manage > Groups.
3. Expand the Group Browser directory tree to the desired group.
4. Select the group. Information for the selected group displays.
5. Select the desired view from the View list.
6. Information for the selected group displays on the main section of the screen. Select a
different view from the View list to change the information displayed.

Note: Additional information about viewing groups can be found in the Lumension Endpoint
Management and Security Suite User Guide located on your OSC CD.

2.7.11 To add Endpoints to Groups


1. Navigate to the Device Membership view to add endpoints to groups. Add endpoints to a
group when those endpoints serve a similar function. Adding endpoints to a group lets you
manage them collectively. You can only add endpoints to custom groups.
2. Select Manage > Groups.
3. Select Device Membership from the View list.
4. Select a custom group from the directory tree.
5. Click Manage.
6. Add endpoints to the group using one of the following methods:
   To add individual endpoints:
     - From the Devices list, select the check boxes associated with the endpoints you want to
       add to the group.
     - Click Assign.
   To add all endpoints:
     - Click Assign All.
   To add endpoints through importation using a list:
     - Select the Import Device List option.
     - If desired, select a group from the Import device list from existing group list. Selecting
       a group from this list automatically populates the field with applicable endpoint names.
     - Type the desired endpoint names in the field. Separate endpoint names with commas (,).
     - Click Assign All.
7. Endpoints are added to the Selected Devices table according to your input.
8. Click OK. The selected endpoints are added to the group.
9. Click Update View to review the endpoint assignment.

Note: Additional information about endpoints can be found in the Lumension Endpoint
Management and Security Suite User Guide located on your OSC CD.


2.7.12 To remove Endpoints from Groups


1. Navigate to the Device Membership view to remove endpoints from groups.
2. Select Manage > Groups.
3. Select Device Membership from the View list.
4. Select a custom group from the directory tree.
5. Click Manage.
6. From the Selected Devices list, select the check boxes associated with the endpoints you
want to remove from the group.
7. Click Remove.

Note: Typically, when an endpoint no longer fits within the context of a group (for example, it no
longer requires content applicable to the rest of the group), remove it from the group. You can
re-add endpoints at any time.

2.7.13 Device Membership View

This view lists the endpoints that hold membership in the selected group. If the group selected is
a custom group, you can also use this view to add endpoints. Use this view to manage endpoints
assigned to the selected group.

This view also offers a number of features available from the Endpoints page: group deployments,
remote agent installation, endpoint scanning, endpoint rebooting, and so on.

The Device Membership View toolbar contains buttons related to the management of endpoints
within the selected group. This toolbar also offers extensive control over endpoints within the
group.

The Device Membership View list displays the endpoints that hold membership in the selected
group, along with information about their agents, agent statuses, and addresses. This list only
includes endpoints directly assigned to the group.

2.7.14 To add Device members

Add endpoints to a group when those endpoints serve a similar function. Adding endpoints to a
group lets you manage them collectively. You can only add endpoints to custom groups.

1. Navigate to the Device Membership View.


2. Select Manage > Groups.
3. From the View list, select Device Membership.
4. Select a custom group from the directory tree.
5. Click Manage.
6. Add endpoints to the group. Use one of the following methods.
   To add individual endpoints:
     - From the Devices list, select the check boxes associated with the endpoints you want to
       add to the group and click Assign.
   To add all endpoints:
     - Click Assign All.
   To add endpoints through importation using a list:
     - Select the Import Device List option.
     - If desired, select a group from the Import device list from existing group list. Selecting a
       group from this list automatically populates the field with applicable endpoint names.
     - Type the desired endpoint names in the field. Separate endpoint names with commas (,).
     - Click Assign All. Endpoints are added to the Selected Devices table according to your
       input.
7. Click OK. The selected endpoints are added to the group. Click Update View to review the
endpoint assignment.

2.7.15 To remove Device members

When an endpoint no longer fits within the context of a group (for example, it no longer requires
content applicable to the rest of the group), remove it from the group. You can re-add endpoints at
any time. Group endpoint removal takes place from the Device Membership view.

1. Navigate to the Device Membership View.


2. Select Manage > Groups.
3. From the View list, select Device Membership.
4. Select a custom group from the directory tree.
5. Click Manage.
6. Remove endpoints from the group. Use one of the following methods.
   To remove individual endpoints:
     - From the Selected Devices list, select the check boxes associated with the endpoints
       you want to remove from the group.
     - Click Remove.
   To remove all endpoints:
     - Click Remove All. Endpoints are removed from the Selected Devices table according to
       your input.
7. Click OK. The selected endpoints are removed from the group. Click Update View to review
the endpoint assignment.

2.8 Using Endpoints


Lumension Endpoint Management and Security Suite allows you to view and manage the
endpoints on your network by deploying an agent to the endpoint. You can also view the inventory
on each endpoint.

The Endpoints page contains a listing of all devices that have an agent registered with the
LEMSS. From this list of endpoints, you can access the device details. The device details include
device-specific information such as associated vulnerabilities, inventory information, and
deployment history.

The Inventory page provides a way to identify all the operating systems, software applications,
hardware devices, and services installed and running on the devices registered to the LEMSS.


2.8.1 Endpoints page

The Endpoints page manages the computers and devices on your network. Endpoint
management describes the process by which the LEMSS server queues commands that will be
sent to the endpoint using the agent. When the agent contacts the server, the commands are
executed.

The Endpoints page performs the following:


• Lists all devices registered to the LEMSS.
• Displays general information about the device, such as the device name, status, operating
system, and agent version.
• The Endpoints page toolbar contains the tasks and functions that are available to manage
endpoints.
• The Endpoints page list tracks endpoint identification data, server connectivity, operating
system, and agent information.
• The Endpoints page has filters that allow you to customize your view of the computers and
other devices that are managed on your network.

2.8.2 Endpoint Information tab

The Information tab displays important information about the endpoint. The page displays general
information organized into endpoint, agent, group, and policy sections. The Information tab
contains the endpoint assessment tasks and functions that are available for you to perform on
managed endpoints.

The fields that appear in the Endpoint Information section of the Information tab contain identifier
and operating system details.

2.8.3 To view Endpoints


1. Select Manage > Endpoints.
2. Select your filter options.
3. Click Update View. The Endpoints page displays the devices that match the selected filter
options.

Note: To view all devices, select the Include Sub-Groups check box.

2.8.4 To enable an Endpoint


1. Select Manage > Endpoints.
2. In the Devices list, select one or multiple disabled endpoints.
3. In the toolbar, click Enable. The endpoint is enabled.

Note: Enabling an endpoint includes the endpoint in the content management activities of the
LEMSS. An enabled endpoint consumes an agent license.


2.8.5 To delete an Endpoint

Note: Before an endpoint can be deleted, it must be disabled. Deleting an endpoint removes it
from the list of managed endpoints in LEMSS.

1. Select Manage > Endpoints.


2. In the Devices list, select one or multiple disabled endpoints.
3. Click Delete in the toolbar. A delete confirmation window displays.
4. Click OK to confirm the deletion. The endpoint is deleted from the Devices list.

2.8.6 To deploy content items to endpoints


1. Navigate to the Deployment Wizard. The Deployment Wizard provides step-by-step
instructions to define and distribute security content items to protected endpoints in the
network
2. Click Deploy.
3. Complete the Deployment Wizard process to deploy content items to endpoints.

2.9 Patch deployment


Deployment initiates the downloading of a patch by the agent to a device for installation. It is the
instruction set for a package that supplies the agent with the rules and conditions for deployment.

A deployment comprises all the necessary information to perform the task(s) associated with the
vulnerability. This includes files and required scripts for installing a patch, stopping a service,
validating a system condition, or changing a database entry. Deployment is the mechanism that
carries and supports a package.

Several key concepts and status indicators are associated with a deployment. These concepts
are used to define deployment behavior.

You can view Deployments on the following pages:


• Deployments
• Devices
• Vulnerabilities and Packages
• Groups

2.9.1 To deploy patches to VSPM clients


1. Remote desktop into the VSPM appliance (192.168.124.33).
2. Select the Groups tab at the top of the window.
3. Change view to Vulnerabilities.
4. Select the deployment group for which you want to perform a patch deployment: Group
browser -> Custom Groups -> Deployment Wave.
5. Change rows per page to include all vulnerabilities so they can be deployed together.
6. Select the check box to the left of the Vulnerability Name to select all vulnerabilities for that
deployment wave.
7. Select the Deploy button at the bottom of the page.


a) The deployment wizard appears with the Available Devices/Groups screen.


b) Click Next.
c) Verify that the number of selected computers matches the number in the deployment group.
d) Click Next.
e) A list of selected vulnerabilities to be deployed is displayed.
f) Click Next.
g) Select the I ACCEPT disclaimer.
h) Click Next.
i) Enter a job name for the deployment.
j) Click Next. This displays the Package Deployment Order and Behavior window. This
window shows how the patches are chained together and when the machines are rebooted.
k) Click Next. This displays the notification options. The reboot notifications can be changed
for the deployment. Make any modifications.
l) Click Next. This displays the summary screen.
m) Click Finish.
8. To monitor the deployment, select the Deployment tab.
a) Select the Show results on Page Load check box.
9. Select the deployment job name and expand it so that the progress of the deployment can be
monitored by selecting the Update View button.
10. Verify that the deployments to the devices are complete.
a) Select the Devices tab.
b) Look at the symbol to the left of the computer name and wait for it to become a monitor
symbol.
c) You may need to select the Update View button.

2.9.2 To create groups of devices for patch deployments and vulnerability scans
1. Remote desktop into the VSPM appliance (192.168.124.33).
2. Start the Patchlink update interface and log in.
3. Verify that all devices that have been installed are in the devices list.
4. Select the Devices tab.

2.9.3 To add groups for patch deployments


1. Select the Groups tab at the top of the window.
2. Change view to Group Membership.
3. Select Custom Groups from the Group Browser.
4. Select Create from the buttons at the bottom of the page.
5. Enter a group name and description at the entry field.
   - For example: NAME = 1st deployment wave.
   - Description = Patchlink deployment wave one.
6. Select Save.
7. Repeat steps 4 - 6 for each group.

Note: Typically, three waves are created.

2.9.4 To assign Devices to deployment groups


1. Select the Groups tab.
2. Change view to Device Membership.
3. Select the Show results on Page Load check box.
4. This updates the view each time the page is loaded.
5. Select the deployment wave to which you are going to add the devices, from Group Browser
-> Custom Groups -> Deployment Wave.
6. Select Manage from the buttons at the bottom of the page.
7. This shows all devices available to be added to the group.
8. Select the check box at the left of the device name for all computers to be added to this
deployment group.
9. Select the Assign button.
10. This adds these computers to the currently selected deployment group.
11. Select the OK button.
12. Select the next deployment group: Group Browser -> Custom Groups -> Deployment
Wave.
13. Repeat steps 6 - 11.
14. Repeat steps 12 and 13 for the remainder of the deployment groups.
15. Assign the Lumension computer to its own deployment wave (group).

2.9.5 To deploy patches to new Groups


1. Select Groups Browser -> Custom Groups -> New Group name.
2. Select View - Vulnerabilities.
3. Select Patches to deploy.
4. Select Deploy from the bottom bar.
5. Click Next from the Deployment Wizard.
6. Click Next.
7. Click Next.
8. Select I Accept.
9. Click Next.
10. Select a Job Name in the deployment options.
11. Click Next. Review the Deployment Order and Behavior.
12. Click Next. Choose the Notify Options of Deployment and Reboot.
13. Click Next. Review the Deployment Confirmation page.


14. Click Finish.

2.10 Using the Deployment Wizard


The Deployment Wizard provides an interface to create or edit deployment schedules for multiple
endpoints and multiple packages. The wizard assists in selecting endpoints, scheduling the
deployment, and if needed, setting recurring deployments.

The following table describes the scenarios for a deployment. These options are selected prior to
starting the Deployment Wizard.

Deployment Actions

DEPLOYMENT SELECTION   RESULT

Endpoint               The Deployment Wizard deploys only to the selected endpoint.
Security Content       The Deployment Wizard automatically selects all the endpoints and packages
                       required for the content.
Package                The Deployment Wizard deploys the selected package to the selected groups or
                       endpoints selected within the wizard.
Group                  The Deployment Wizard deploys the applicable packages to the selected group
                       members.

2.10.1 Introduction Page

The Introduction page of the Deployment Wizard explains the purpose and capabilities of the
wizard.

This page can be hidden during future deployments by selecting the Do not display this page in
the future check box.

2.10.2 Device / Device groups selection page

You can use the Available Devices/Groups page of the Deployment Wizard to select devices and
groups to receive a deployment.

This page displays the devices grouped by operating system. Groups are displayed in a directory
tree formatted by user groups, system groups, or directory service groups.

Note: In cases where you initiate the deployment by selecting the content first, and then
selecting devices and groups to add to the deployment, the application evaluates the
applicability of the deployment for the groups or devices that you select.

If an individual device does not meet the conditions required for the deployment (for example,
the device lacks a software prerequisite), the device cannot be added to the deployment. If all of
a group's device members fail to meet the conditions required for the deployment, the group
cannot be added to the deployment. If the content is applicable for a device and the device has
not already received the content, the device is added to the deployment automatically.


2.10.3 To create a Device deployment

Device deployments are deployments that are created for individual endpoints, regardless of
group membership.

1. From the Available Devices list, select the Device OS Name required. The list of endpoints
within that operating system display.
2. Select an endpoint from the list. The endpoint(s) are highlighted.
3. Click Next. The Available Packages page opens.

2.10.4 To create a group deployment

You can select single groups, multiple groups, and group hierarchies (groups cascading down
from a parent) using the Available Groups directory tree. This method enables you to select
multiple groups for a deployment without having to create deployments for each individual group.

When selecting a group from the Available Groups directory tree, the following will occur:
• If a parent group is selected first, all children groups are also selected. The group selection is
represented by a green check mark.
• If any of the children group check boxes are cleared, the green check mark changes to a
green square. This indicates that while the parent group is selected, the entire child hierarchy
is not.

Note: If devices are added to a group after a deployment is created but before the deployment
occurs, the newly added devices will receive the deployment.

1. From the Available Groups directory tree, select the group or groups requiring the
deployment.
2. Click Next.

2.10.5 To select the Available Packages page

You can select the packages to be deployed using the Available Packages page of the
Deployment Wizard.

This page displays the packages (grouped by manufacturer) that apply to the endpoints selected
on the Available Device/Groups page.

1. Select the vendor name required for the deployment. The list of associated packages
displays in the Available Packages window.
2. Select the packages needed. Click the arrows to page through the available packages, if
needed. The packages are selected and highlighted.

Note: Selecting the Package Name check box selects all of the packages available in the list.

3. Click the Package Name link to open the Associated Vulnerability Analysis page. For more
information, refer to the Associated Vulnerability Analysis Page (see page 78).
4. Click Next to proceed to the Licenses page.

When using the Deployment Wizard, the wizard will not install the Service Packs first. Verify that
all relevant Service Packs have deployed successfully before creating deployments using the
Deployment Wizard.


2.10.6 Associated Vulnerability Analysis Page

The Associated Vulnerability Analysis page shows the applicability of the security content for the
endpoints associated with the deployment.

The following table describes the fields and their descriptions:

NAME            DESCRIPTION

Name            Name of endpoint receiving the deployment.
Platform Info   Applicable operating systems.
Results         Displays either Yes or N/A depending on whether the selected package applies to
                that particular endpoint.

Click Back to return to the Deployment Confirmation page.
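The applicability rules for the Available Devices/Groups page (section 2.10.2) and the Yes/N/A result shown on this page can be worked through in code. The following Python is an added example, not Lumension or Emerson code: the Content and Endpoint classes, the reading of "meets the conditions" as applicable with prerequisites present, and the package, platform and endpoint names are all constructed assumptions.

```python
"""Deployment applicability evaluation (added example; see lead-in).

A device is added automatically when the package applies to it and it has not
already received the content; a device lacking a prerequisite cannot be added;
a group cannot be added when all of its members fail the conditions."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Content:
    package: str
    platforms: set                                      # operating systems the package applies to
    prerequisites: set = field(default_factory=set)     # software that must already be present


@dataclass
class Endpoint:
    name: str
    os: str
    installed: set                                      # packages and prerequisites already present


def analysis_result(content: Content, endpoint: Endpoint) -> str:
    """Results column of the Associated Vulnerability Analysis page:
    'Yes' when the package applies to the endpoint's platform, otherwise 'N/A'."""
    return "Yes" if endpoint.os in content.platforms else "N/A"


def evaluate_device(content: Content, endpoint: Endpoint) -> tuple[bool, str]:
    """Decide whether one device is added to the deployment; returns (added, reason)."""
    if analysis_result(content, endpoint) != "Yes":
        return False, "not applicable to platform"
    missing = content.prerequisites - endpoint.installed
    if missing:
        return False, "missing prerequisite: " + ", ".join(sorted(missing))
    if content.package in endpoint.installed:
        return False, "already received"
    return True, "added"


def meets_conditions(content: Content, endpoint: Endpoint) -> bool:
    """Assumption: 'meets the conditions' means applicable with prerequisites present,
    whether or not the content was already received."""
    added, reason = evaluate_device(content, endpoint)
    return added or reason == "already received"


def evaluate_group(content: Content, members: list) -> dict:
    """A group cannot be added when all of its members fail the conditions; otherwise the
    members that qualify and have not yet received the content are added individually."""
    reasons = {m.name: evaluate_device(content, m)[1] for m in members}
    addable = any(meets_conditions(content, m) for m in members)
    added = [m.name for m in members if addable and evaluate_device(content, m)[0]]
    return {"addable": addable, "added": added, "reasons": reasons}


# Constructed sample data: one package with a prerequisite, four endpoints in different states.
SAMPLE_CONTENT = Content("PKG-EXAMPLE-1", {"Windows 7", "Windows Server 2008"}, {"SP1"})
SAMPLE_ENDPOINTS = [
    Endpoint("DROP1", "Windows 7", {"SP1"}),                              # qualifies
    Endpoint("DROP2", "Windows 7", set()),                                # lacks the prerequisite
    Endpoint("DROP3", "Windows XP", set()),                               # package does not apply
    Endpoint("DROP4", "Windows Server 2008", {"SP1", "PKG-EXAMPLE-1"}),  # already patched
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.name, analysis_result(SAMPLE_CONTENT, ep), evaluate_device(SAMPLE_CONTENT, ep))
    print(evaluate_group(SAMPLE_CONTENT, SAMPLE_ENDPOINTS))
```

Run on the sample data, only DROP1 is added; DROP2 is refused for the missing prerequisite, DROP3 shows N/A, and DROP4 is left alone because it already holds the package. A group made up of DROP2 and DROP3 alone cannot be added at all.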

2.10.7 Deployment Wizard License page

You can accept the license agreement associated with the selected vendor packages using the
Licenses page of the Deployment Wizard. This is a required step in deploying content.

The Licenses page of the Deployment Wizard displays the end user license agreements
associated with the vendor packages. Any license agreements displayed on the page must be
accepted prior to continuing the deployment.

1. Review the agreement.


2. If you accept the agreement, select the I ACCEPT the terms and conditions of this end user
license agreement option.
3. If there are multiple agreements, repeat the previous steps. All agreements must be accepted
to continue with the Deployment Wizard.
4. Click Next to proceed to the Deployment Information page.

2.10.8 Deployment Information page

You can control the user notification options associated with a deployment using the Deployment
Information page. You can set the deployment job name, start time, manner, and add notes.

Deployment information consists of identifiers for the deployment job and deployment task, timing
of the deployment, and deployment manner.

2.10.9 To configure Deployment Information


1. Type the applicable information in the following fields.

FIELD       DESCRIPTION

Job Name    The display name of the deployment job. This field cannot be blank.
Task name   The editable display name of the deployment task. The Package Name variable is
            replaced with the name of the package included in the task.


2. If desired, edit the Start time. For information on configuring a deployment schedule, refer to
the Deployment Wizard Schedule Configuration page (see page 79).
3. Select the desired Deployment time zone option.
The following table defines the options.

OPTION             DESCRIPTION

Agent Local Time   Deploys at local time for each individual node.
Agent UTC Time     Deploys at UTC time for each individual node.

4. Select a Manner option.


The following table describes the Manner options.

OPTION                                    DESCRIPTION

Concurrent                                Simultaneous distribution to a specified number of devices.
                                          New deployments are distributed when agents report back
                                          after completing the previous deployment. If a computer
                                          takes more than four hours to complete the deployment, it is
                                          no longer counted against the concurrent deployment limit.
Consecutive                               Creates and distributes all deployments simultaneously. The
                                          global deployment limit always takes precedence over the
                                          defined distribution options.
Suspend the deployment of this package    Suspends all subsequent deployments following any
if it fails to deploy to one or more      deployment failure.
nodes.
Deploy package even if the computer has   Deploys the package to all selected computers regardless of
been previously patched.                  patch status.
5. If desired, type notes and comments in the Notes field.
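The Concurrent manner, its four-hour rule and the suspend-on-failure option are easiest to see as a dispatch simulation. The following Python is an added example, not Lumension or Emerson code: time is simulated in hours, the device names and durations are constructed, and the global deployment limit that governs the Consecutive manner is not modelled.

```python
"""Simulation of the Manner options (added example; see lead-in).

Concurrent: at most `limit` deployments are outstanding; a slot is freed when the
agent reports back, or after four hours even if the agent has not reported.
Suspend on failure: once a failure report arrives, no further deployments are
handed out for this package."""
import heapq

FOUR_HOURS = 4.0   # after this long a running deployment stops counting against the limit


def dispatch_concurrent(jobs, limit, suspend_on_failure=False):
    """jobs: list of (device, hours_to_complete, succeeded) in deployment order.
    Returns (start_times, skipped): the simulated hour at which each device's
    deployment was handed out, and the devices never deployed because of suspension."""
    starts, skipped = {}, []
    slots = []                 # min-heap of times at which an occupied slot is released
    now = 0.0
    failure_reported = None    # time the first failure report arrives, if any
    for device, hours, succeeded in jobs:
        # Wait for a free slot; agents free one when they report back, or after four hours.
        while len(slots) >= limit:
            now = max(now, heapq.heappop(slots))
        if suspend_on_failure and failure_reported is not None and failure_reported <= now:
            skipped.append(device)
            continue
        starts[device] = now
        heapq.heappush(slots, now + min(hours, FOUR_HOURS))
        if not succeeded:
            done = now + hours
            failure_reported = done if failure_reported is None else min(failure_reported, done)
    return starts, skipped


def dispatch_consecutive(jobs):
    """Consecutive manner: every deployment is created and distributed at once
    (the global deployment limit is not modelled here)."""
    return {device: 0.0 for device, _, _ in jobs}, []


# Constructed sample: two six-hour deployments, one that fails after an hour, two short ones.
SAMPLE_JOBS = [("DROP1", 6, True), ("DROP2", 6, True), ("DROP3", 1, False),
               ("DROP4", 1, True), ("DROP5", 1, True)]

if __name__ == "__main__":
    print(dispatch_concurrent(SAMPLE_JOBS, limit=2))
    print(dispatch_concurrent(SAMPLE_JOBS, limit=2, suspend_on_failure=True))
    print(dispatch_consecutive(SAMPLE_JOBS))
```

With a limit of 2, DROP3 and DROP4 start at hour 4 rather than hour 6 because the two long-running deployments stop counting against the limit after four hours; DROP3's failure is reported at hour 5, so with the suspend option set DROP5 is never dispatched.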

2.10.10 Deployment Wizard Schedule Configuration page

The Schedule Configuration page of the Deployment Wizard is used to define whether a
deployment is one-time or recurring and the appropriate options for each.

You can set the timing and frequency of a deployment using the Schedule Configuration page.

Note: If devices are added to a group after a deployment is created but before the deployment
occurs, the newly-added devices will receive the deployment.

The Deployment Wizard allows you to schedule the following deployments:


• One-time deployment.
  A one-time deployment starts on the selected day at the selected time.
• Recurring deployment.
  A recurring schedule starts deployments on the selected day at the selected time. The
  deployment repeats as scheduled:
    - Every day
    - Week
    - Month
    - And if defined, ends on a specific date.

2.10.11 To schedule a one-time deployment


1. Click Change located in the Start Time option from the Deployment Wizard Schedule
Configuration page.
2. Select One Time. The deployment will start on the selected day at the defined time. If a one-
time deployment is scheduled for a date and time in the past, the agents will start the
deployment the next time they contact the Lumension Endpoint Management and Security
Suite.
3. Select 12 hour or 24 hour to determine 12-hour format or 24-hour format.
4. Select the hour for the deployment from the Hour drop-down list.
5. Select the minute for the deployment from the Minute drop-down list.
6. Select AM or PM using the drop-down list.
7. Click Next. The changes are saved and the Deployment Options page opens.

2.10.12 To setup a daily recurring deployment

You can configure a deployment to occur every day.

1. From the Deployment Wizard - Deployment Information page, click Change, located in the
Start Time section of the page. The Schedule Configuration page opens.
2. Select Recurring.
3. In the Occurs field, select Daily. The Deployment Wizard displays the Daily Deployment
Options field.
4. From the Daily Every X Days drop-down list, select the frequency. The valid options are: 1
through 365.
5. Select the frequency of the deployment.
   - Occurs once a day at the scheduled start time - the deployment starts at the same time
     as scheduled in the Schedule Configuration page.
   - Occurs every - the valid options are 1 through 60 if minutes are selected and 1 through
     24 if hours are selected.
6. Continue to Selecting the Deployment Start and End Functions on page 220 of the
Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide.

2.10.13 To setup a weekly recurring deployment

You can configure a deployment that occurs every week.

1. From the Deployment Wizard - Deployment Information page, click Change, located in the
Start Time section of the page. The Schedule Configuration page opens.
2. Select Recurring.
3. In the Occurs field, select Weekly. The Schedule Configuration page displays the Weekly
Deployment Options field.
4. From the Every X week(s) on: Mon, Tue, Wed, Thur, Fri, Sat, Sun, select the deployment to
be scheduled every X weeks on the selected days.


5. Continue to Selecting the Deployment Start and End Functions on page 220 of the
Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide.

2.10.14 To setup a monthly recurring deployment

You can configure a deployment that occurs every month.

1. From the Deployment Wizard - Deployment Information page, click Change, located in the
Start Time section of the page.
2. Select Recurring. The Recurring Deployment window opens.
3. In the Occurs field, select Monthly. The Schedule Configuration page displays the Monthly
Deployment Options fields.
4. Select the frequency of the deployment:
   - Day X of every X month(s) - Schedules the deployment on a specific date every X
     months. Valid date options are 1 through 31, with the ability to choose 1 through 99
     months.
   - The Xth Weekday of every X month(s) - Schedules the deployment to be run on a
     specific day every X months.
       - The valid day options are: 1st, 2nd, 3rd, and 4th.
       - Last weekday options are: Sunday through Saturday, Day, Week day, or Weekend
         day.
       - Monthly recurrence options are: 1 through 99 months.
5. Continue to Selecting the Deployment Start and End Functions on page 220 of the
Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide.

2.10.15 Selecting the deployment Start and End functions

Several options are available for you to configure the timing and frequency of a deployment.

The frequency fields specify the dates and times at which deployments run. Review the table to
determine your scheduling needs.

Deployment Start and End Functions

SELECT            TO
12 hour, 24 hour  Set the schedule to either a standard 12-hour format or a 24-hour format.
Occurs once at    Set the deployment to occur once daily at the time defined here. Note: the agent communication interval and Hours of Operation (HOP) settings modify the actual deployment time.
Occurs every      Set the deployment to occur multiple times on the scheduled day, between the hours defined in the starting at: and ending at: fields, with a delay of the defined hours or minutes between runs.
Start Date        Schedule a recurring deployment to begin at a later date. Defaults to the current date.
No End Date       Continue with the defined recurrence schedule and no defined end date.
End Date          Activate the end date calendar function and define the date after which the deployment is no longer deployed.

Click Next to save the changes and return to the Deployment Options page.
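The recurrence procedures above and the Start and End table compose into a schedule whose concrete run times are not always obvious: which date "the Last Weekday of every 3 months" resolves to, or how many runs "every 2 hours between 01:00 and 05:00, daily every 2 days" produces before the End Date. The following Python script is an added example, not code from the Lumension or Ovation software; it expands those options into run dates and times and rejects values outside the ranges the wizard accepts. It assumes that "Weekday" means Monday through Friday and that a month without the selected day number is skipped, neither of which the guide states.

```python
"""Expand Deployment Wizard recurrence settings into the concrete dates and times
the wizard would schedule. Added example; not part of the Lumension or Ovation software."""
import calendar
from datetime import date, datetime, time, timedelta

WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}


def nth_weekday_of_month(year, month, ordinal, weekday):
    """Resolve 'The Xth Weekday of every X month(s)' for one month.

    ordinal: 1, 2, 3, 4 or "Last"; weekday: a day name, "Day", "Weekday" or
    "Weekend day", mirroring the options the wizard lists. "Weekday" is assumed
    to mean Monday through Friday (the guide does not define it).
    """
    if ordinal not in (1, 2, 3, 4, "Last"):
        raise ValueError("ordinal must be 1-4 or 'Last'")
    last_day = calendar.monthrange(year, month)[1]
    days = [date(year, month, d) for d in range(1, last_day + 1)]
    if weekday == "Day":
        candidates = days
    elif weekday == "Weekday":
        candidates = [d for d in days if d.weekday() < 5]
    elif weekday == "Weekend day":
        candidates = [d for d in days if d.weekday() >= 5]
    else:
        candidates = [d for d in days if d.weekday() == WEEKDAYS[weekday]]
    # Every month has at least 28 days, so the 1st-4th of any weekday always exists.
    return candidates[-1] if ordinal == "Last" else candidates[ordinal - 1]


def _advance(year, month, n_months):
    """Move (year, month) forward by n_months, wrapping the year."""
    month += n_months
    return year + (month - 1) // 12, (month - 1) % 12 + 1


def monthly_run_dates(start_iso, ordinal, weekday, every_n_months, count):
    """First `count` run dates for 'The Xth Weekday of every X month(s)', as ISO strings."""
    if not 1 <= every_n_months <= 99:
        raise ValueError("monthly recurrence must be 1-99 months")
    start = date.fromisoformat(start_iso)
    year, month, runs = start.year, start.month, []
    while len(runs) < count:
        d = nth_weekday_of_month(year, month, ordinal, weekday)
        if d >= start:          # the start month's occurrence may already be past
            runs.append(d.isoformat())
        year, month = _advance(year, month, every_n_months)
    return runs


def day_of_month_run_dates(start_iso, day, every_n_months, count):
    """First `count` run dates for 'Day X of every X month(s)', as ISO strings.

    Assumption (the guide does not say): a month that has no day X (for example
    day 31 in April) is skipped rather than clamped to its last day.
    """
    if not 1 <= day <= 31 or not 1 <= every_n_months <= 99:
        raise ValueError("day must be 1-31 and recurrence 1-99 months")
    start = date.fromisoformat(start_iso)
    year, month, runs = start.year, start.month, []
    while len(runs) < count:
        if day <= calendar.monthrange(year, month)[1]:
            d = date(year, month, day)
            if d >= start:
                runs.append(d.isoformat())
        year, month = _advance(year, month, every_n_months)
    return runs


def daily_run_times(start_iso, end_iso, every_n_days, start_at, end_at, every, unit):
    """Run times for 'Daily, every N days' combined with 'Occurs every X hours/minutes
    between starting at and ending at', up to and including the End Date.

    These are scheduled times only: per the guide, the agent communication interval
    and Hours of Operation settings shift when a deployment actually runs.
    """
    if not 1 <= every_n_days <= 365:
        raise ValueError("daily recurrence must be 1-365 days")
    if unit == "hours" and 1 <= every <= 24:
        step = timedelta(hours=every)
    elif unit == "minutes" and 1 <= every <= 60:
        step = timedelta(minutes=every)
    else:
        raise ValueError("'Occurs every' must be 1-60 minutes or 1-24 hours")
    day, end_date = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    first, last = time.fromisoformat(start_at), time.fromisoformat(end_at)
    runs = []
    while day <= end_date:
        t, stop = datetime.combine(day, first), datetime.combine(day, last)
        while t <= stop:
            runs.append(t.isoformat())
            t += step
        day += timedelta(days=every_n_days)
    return runs


if __name__ == "__main__":
    print(monthly_run_dates("2012-09-12", "Last", "Weekday", 3, 3))
    print(day_of_month_run_dates("2012-01-31", 31, 1, 3))
    print(daily_run_times("2012-09-10", "2012-09-14", 2, "01:00", "05:00", 2, "hours"))
```

Compare the expanded list against the Hours of Operation windows configured for the target agents before assuming a run lands inside a maintenance period; the script reproduces the wizard's arithmetic, not the agent's.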

2.10.16 Package Deployment Behavior Options page

You can set the behavior options for each of the packages associated with a deployment using
the Package Deployment Behavior Options page of the Deployment Wizard. The package options
are active or inactive, depending on the patch selected.

Note: Modification of a package’s behavior options will cause the package order to be re-
evaluated by the Deployment Wizard, which may result in a change in the package order.

You attach behavior to package deployments using package flags. The following table lists each
flag behavior with its display flag and select flag:

Package Flag Descriptions

DESCRIPTION (FLAG BEHAVIOR)                                                    DISPLAY FLAG    SELECT FLAG
Perform an uninstall; can be used with -mu or -q.                              -fd             -f
Force other applications to close at shutdown.                                 -yd             -y
Do not back up files for uninstall.                                            -nd             -n
Do not restart the computer when the installation is done.                     -zd             -z
Use quiet mode; no user interaction is required.                               -qd             -q
Use unattended setup mode.                                                     -dmu            -mu
Install in multi-user mode (UNIX, Linux only).                                 -dsu            -su
Restart service after installation (UNIX, Linux only).                         -drestart       -restart
Do not restart service after installation (UNIX, Linux only).                  -dnorestart     -norestart
Reconfigure after installation (UNIX, Linux only).                             -dreconfig      -reconfig
Do not reconfigure after installation (UNIX, Linux only).                      -dnoreconfig    -noreconfig
This package is chainable and will run Qchain.exe (Windows) or (UNIX/Linux).   -dc             -c
Suppress the final chained reboot.                                             -dc             -sc
Repair permissions.                                                            -dr             -r
Deploy only.                                                                   -PLD1           -PLD0
No pop-up.                                                                     -PLN1           -PLNP
Debug.                                                                         -PLDG           -PLDEBUG
Suppress repair.                                                               -dsr            -sr
Force the script to reboot when the installation is done.                      -1d             -1
Reboot is required.                                                            Not applicable  -2
Reboot may occur.                                                              Not applicable  -3
Reboot is required, and may occur.                                             Not applicable  -4


You can designate how a deployment appears on endpoints when the deployment occurs using
package display options.

Package Display Options

OPTION DESCRIPTION

Notes Displays the expected deployment behavior.

Description Displays the package description.

Click Save to save the changes and return to the Package Deployment Order and Behavior page.

2.10.17 Notification Options page

You can define whether users receive notification of deployments and/or reboots, and if so, what
the notification contains using the Notification Options page of the Deployment Wizard.

Note: When an agent is installed on a server where multiple users are logged in simultaneously,
the deployment manager will provide each user with the ability to snooze or reject the
deployment and/or reboot if snooze or reject is enabled.

You can determine what users can do after they receive a deployment.

Notification Options

OPTION                                  WHEN USED
Use Policies                            The defined policies for each agent are used. Selecting this option disables all other deployment notification options.
Do not notify users of this deployment  There is no user notification for this deployment, and the deployment occurs automatically. Selecting this option disables all other deployment notification options (except agent policies).
Notify users of this deployment         The user is notified prior to installation of this deployment.
Message                                 The message the user sees when notified about this deployment. The {%Package_Name%} variable is replaced with the package name, allowing you to enter custom text before or after the package name.
Allow user to cancel                    The user can cancel the deployment.
Allow user to snooze                    The user can postpone the deployment.
Notification on top                     The deployment notification displays on top of other open windows.
Deploy                                  If selected, the time specified in the Within or By field below is used to start the deployment.
Within                                  The time frame within which the deployment occurs.
By                                      The specific time at which the deployment occurs. For example: 12/22/2008 5:07 PM.
Reboot Within                           The time frame within which the reboot occurs after the deployment.


2.10.18 Deployment Confirmation Page

The Deployment Confirmation page of the Deployment Wizard displays a summary of the options
selected for the deployment. This information is provided for your verification before creating the
deployment.

Deployment Confirmation Summary

The Deployment Confirmation page lists the deployment's parameters.

The following items appear in the summary:

Deployment Confirmation Summary Options

SUMMARY ITEM                     DESCRIPTION
Job Name                         The name given to the deployment job, defined in the Deployment Options page.
Schedule                         The schedule for the deployment, defined in the Deployment Options page.
Manner                           Whether the deployments are Sequential or Parallel. If Sequential, indicates how many deployments are distributed at once.
Deployment Notification          Whether users receive a deployment notification (as defined in the Notification Options page).
Reboot Notification              Whether users receive a reboot notification if the deployment must reboot (as defined in the Notification Options page).
Total Selected Packages          The total number of packages selected for deployment.
Total Selected Devices / Groups  The number of groups selected, if the deployment is a group deployment. If the deployment is for individual devices, the total number of devices selected.
Notes                            The creator and the creation date of the deployment.

Selected Packages Summary

COLUMN            DESCRIPTION
Order             The package deployment order.
Package Name      The name of the package being deployed.
Selected Options  The selected deployment options.
Reboot            The package's reboot options.
Devices/Groups    The number of devices or groups receiving the deployment.

2.11 Reports for VSPM


Reports are records that document activity and information pertaining to your network
environment. LEMSS can generate a variety of reports summarizing network conditions. You can
use these reports for vulnerability remediation, internal reporting, and management briefing.

LEMSS offers multiple predefined report templates that list and/or depict data collected during
network management. Reports range from a general category (endpoints, packages) to a focused
subset of your network (for example, vulnerabilities specific to a particular vendor). Targeted
reporting is done by selecting the appropriate report type, defining the parameters of the report,
and narrowing the report criteria through the Search feature.

Report formats vary. Some reports are in an HTML (.html) file format, while others are in a PDF
(.pdf) format.

Reports are generated from the All Reports page.

Note: Additional information about reports can be found in the Lumension Endpoint
Management and Security Suite User Guide located on the Ovation Security Center CD.

2.11.1 Report description

The report description summarizes reports selected from the Display list. Read this for a brief
overview of the report you have selected.

The following table describes the fields that appear in the report description, including the header.

Report Description Fields

FIELD                      DESCRIPTION
Report Description Header  The name of the report currently selected from the Display list.
Type                       The data source of the report. Report data derives from either agents or network-based scans (discovery scan jobs).
Category                   The category of the report.
Format                     The format of the report (PDF or HTML).

2.11.2 Report descriptions for Lumension SCAN

The following table provides a brief description of the reports provided with Scan.

Lumension Scan Report Descriptions

REPORT NAME                           DESCRIPTION
Compliance: Network-based Assessment  Displays network compliance against user-specified vulnerabilities or vulnerability sets.
Executive Summary                     Presents a summary of vulnerabilities found, grouped by operating system.
Executive Summary Classic             Presents a summary of general network and vulnerability status by resource.
Frequency Count Risk Summary          Displays summary information and frequency of a user-specified vulnerability type.
Frequency Count Detail                Displays detailed information and frequency counts of a user-specified vulnerability type.
Job Configuration                     Shows the discovery and management options used by a specific job.
Job Summary                           Shows a summarized list of vulnerability counts by device.
Local Services                        Reveals the number of unique services found, including services found on each device.
Long-term Trending                    Presents a record of data changes over a user-specified time frame.
Network Inventory                     Shows network inventory information such as Operating System, MAC Address, IP Address, NetBIOS Name, and so on.
Ports and Banners                     Reveals the ports found open.
Scan Summary                          Shows a list of scans run and the vulnerabilities found, sorted by device.
Short-term Trending                   Presents a comparison of results between two user-specified scans.
Simple Listing                        Displays an abbreviated vulnerability list by device, sorted by vulnerability name.
Top 20                                Reveals the “Top 20” Vulnerabilities, High Vulnerabilities, Operating Systems, Advisory, Bugtraq, CERT, CIAC, SANS, or NIST items.
Vulnerability Detail                  Presents vulnerability details regarding each device.
Vulnerability Set Configuration       Reveals the Vulnerability Set configuration.
Vulnerability View                    Displays a listing of all vulnerabilities found by a job.
Agent Configuration                   Presents a summary view of agent configuration.
Agent Inventory                       Presents a listing of inventory for the specified agent group.
Agent Patch Status                    Reveals the current patch status for the specified agent group, grouped by device or vulnerability.
Agent-based Vulnerability             Reveals the vulnerabilities found within the specified agent group(s).
Compliance: Agent-Based               Displays agent compliance against user-specified vulnerability policies or sets.
Compliance: Composite Assessment      Displays a combination of the Compliance: Network-Based and Compliance: Agent-Based reports.
Composite Inventory                   Presents agent details and inventory within the specified agent group(s) and job.
Deployment History                    Reveals the deployment details for the specified patch deployments.
Deployment Status                     Displays the current status for the specified patch deployments.
Job Remediation                       Displays the vulnerabilities found by a specified job, by the vulnerability reference ID.

2.11.3 Report descriptions for Lumension Update

The following table provides a brief description of the reports provided with Update.

Lumension Update Report Descriptions

REPORT NAME                           DESCRIPTION
Compliance: Network-based Assessment  Displays network compliance against user-specified vulnerabilities or vulnerability sets.
Agent Configuration                   Presents a summary view of agent configuration.
Agent Inventory                       Presents a listing of inventory for the specified agent group.
Agent Patch Status                    Reveals the current patch status for the specified agent group, grouped by device or vulnerability.
Agent-based Vulnerability             Reveals the vulnerabilities found within the specified agent group(s).
Compliance: Agent-Based               Displays agent compliance against user-specified vulnerability policies or sets.
Compliance: Composite Assessment      Displays a combination of the Compliance: Network-Based and Compliance: Agent-Based reports.
Composite Inventory                   Presents agent details and inventory within the specified agent group(s) and job.
Deployment History                    Reveals the deployment details for the specified patch deployments.
Deployment Status                     Displays the current status for the specified patch deployments.
Job Remediation                       Displays the vulnerabilities found by a specified job, by the vulnerability reference ID.

2.11.4 Report parameters for VSPM

From the Available Reports List, selecting Device Status Report displays the Application
Reporting Device Status Report Parameters page. The report definition page is where you define
the data to include in the report.

The following table describes the parameters used when using reports. Each report includes at
least one parameter.

Report Parameters List

SELECT           TO
Devices          Choose from a list of all available devices that you have permission to view. All available devices are shown in the Available Devices list. Click a single device or use the CTRL and SHIFT keys to select multiple devices. Note: access is limited to users with access to all devices or with the Enable Administrative Reports access right.
Groups           Choose from a list of all available groups within the Update Server that you have permission to view. All groups are shown in the Available Groups list, and all of the devices belonging to the selected group and its child groups are included in the report. Click a single group or use the CTRL and SHIFT keys to select multiple groups. Note: access is limited to users with access to all groups or with the Enable Administrative Reports access right.
Deployments      Choose a deployment from a list of all available deployment names. All available deployments are shown in the Available Deployments list. Click a single deployment or use the CTRL and SHIFT keys to select multiple deployments.
Packages         Choose from a list of all available packages. All available packages are shown in the Available Packages list. Click a package name or use the CTRL and SHIFT keys to select multiple packages.
Vulnerabilities  Choose from a list of all available vulnerabilities identified by the Update Server. All vulnerabilities are shown in the Available Vulnerabilities list. Click a vulnerability name or use the CTRL and SHIFT keys to select multiple vulnerabilities.
Date Range       Choose from a list of all deployments that occur within the selected dates. You can also display the time in 12- or 24-hour format and as the Update Server local time or UTC time.

2.11.5 Generating reports

Lumension Endpoint Management and Security Suite provides multiple pre-defined reports.
These reports comprehensively detail your computing environment, reflecting your content and
vulnerability management activities. Generate reports to brief management or to view network
behavior and statistics. Reports are generated from the All Reports page.

2.11.6 To generate a report


1. Select Reports > All Reports.
2. From the Display list, select the report you want to generate.
3. Using one of the following methods, select the required report parameters.


• Add parameters to the Selected Parameters list using the Include or Include All arrows.
• Select parameters from the available drop-down lists, data grids, or list boxes.

Note: Refer to Available Reports on page 418 of the Lumension Endpoint Management and
Security Suite User Guide and the individual report descriptions for details on required and
optional parameters.

4. If desired, select the optional report parameters.


5. Click Generate Report. The report is generated in a new window.

2.11.7 To generate reports on vulnerability scan results


1. Remote desktop into the appliance (192.168.124.33).
2. Open the Lumension Security Management Console program, located on the desktop of the
VSPM. Two windows appear: the console window and the login screen. Log in to the console.
3. Select View > Reports > Graphical Reports. The Graphical Reports page displays.
4. Select the report type from the drop-down menu.
5. Select a previously run job from the job queue at the bottom of the window.
6. Click Generate. A report in PDF format is generated. You can save or print the report as
necessary.

2.11.8 Searching within reports for VSPM

The search feature, within HTML (.html) reports, provides standard searching on a word matching
basis (exact and partial matching). The search is conducted against the Update Server database.
Some general rules include:
• Search does not support Boolean search operators (AND, OR, NOT, nesting with parentheses,
and so on).
• Search terms are not case sensitive. All letters are treated as lower case. For example, the
search term WIN is treated the same as "win" and generates the same results.
• To show all results, leave the Search text box blank.
• To search, enter the search term in the Search text box and click Update List. To return to
the pre-search results, select an option from the Parameters list box.


2.11.9 Displaying time and date in reports for SCAN

Some reports generate date range data. For these reports, you have two options to change how
this data is formatted:
• Local time (the date and time established by the Update Server).
• UTC time (Coordinated Universal Time).
The following table describes the options for reports that generate date and time information.

HTML Report Time and Date Display Options

OPTION      DESCRIPTION
Local Time  The date and time established by the Lumension Endpoint Management and Security Suite server.
UTC Time    Coordinated Universal Time, also referred to as Universal Time, Zulu Time, or Greenwich Mean Time (GMT).

2.11.10 Exporting Reports for VSPM

Once the report is created, you have the option of switching to a printable view for printing or
exporting the report into another file format.

Reports are presented in standard HTML (.html) and can be exported into several file formats for
your convenience.
• Comma Separated Values (.csv).
• Microsoft Excel Worksheet (.xls).
• XML Document (.xml).

Note: All data results, not just the selected results, will export. However, some of the data may
not import into a readable format.

You can edit this data using other applications. To export the report, select an option from the list
and click Export.

2.11.11 To view a report for SCAN


1. In the main menu, select Reports. The Available Reports page opens in a new browser
window.
2. Select the report to generate in the Available Reports page. The corresponding Report
Parameters page opens.
3. In the Report Parameters page, define the report contents and organization by selecting
parameters.
a) In the Parameters box, select the parameter to use in defining the report contents from
the list of available parameters. This is the left-side pane of the page.
b) In the Available Devices (or Available Options) box, select the items to include (Devices,
Groups, Vulnerabilities). Select multiple items using the CTRL or SHIFT keys.
You may choose not to define any parameters; in this case, all applicable data for the report
parameters is returned.
4. With the desired items selected, click the Include arrow.
5. To include all available items, click the Include All arrow.
6. Verify the contents of the Selected Options box.
7. To remove items, select them and click the Remove arrow; to remove all items, click the
Remove All arrow.
8. Click Generate to create the report. The Report Results page opens with the retrieved
information.

2.11.12 Viewing printable data in reports for VSPM

After generating an HTML (.html) report, you can format it specifically for printing. Use this feature
before printing a report rather than using your Web browser print feature.

To generate a printed report:

1. Click the Printer-Friendly link. The report refreshes with the data in print preview mode.
2. If desired, click the Send to Printer link to print the report. The Print window opens. Finish
printing your report by completing the Print dialog box.

Note: If you have not established printer connectivity, click Yes when the Print dialog box
appears and use the Add Printer Wizard to select and connect your printer.

2.11.13 Working with PDF reports

After generating a PDF (.pdf) report, you can view it within a PDF reader.

To open a generated PDF (.pdf) report, you must have Adobe® Reader® (or another PDF reader such
as Foxit® Reader®) installed on your computer. Use the navigation and search functions of that
program to read the report.

For more information on using Adobe Reader, see the Adobe Reader 8 User Guide.

2.11.14 Working with HTML reports

After generating an HTML report, the report opens in a new window. Within this window, you can
perform a number of tasks specific to the report, such as:
• Displaying Time and Date in HTML Reports.
• Exporting HTML Reports.
• Previewing and Printing HTML Reports.

Note: All data results, not just selected results, will export. However, some of the data may not
export in a readable format.

2.12 Email Notifications Page


You can configure Lumension Endpoint Management and Security Suite to send email
notifications when certain system events occur. These emails alert you to system conditions that
require administrative attention. Email notifications are configured from the Email Notifications page.

You can configure email notification settings, define alert types, and set alert thresholds. Enter the
email addresses that you want to receive notifications, and then select the alert types for each
email address. You can enter an unlimited number of email addresses. Also, use this page to
define alert thresholds, which are data values that initiate email notifications.

Note: Email alerts are activated on a per-project implementation. Additional information about
email can be found in the Lumension Endpoint Management and Security Suite 7.0 SP1 User
Guide (page 85).

2.12.1 To view the Email Notifications page


1. Select Tools > Email Notifications.
2. View the email notifications.

Note: You can access this page at any time from the Navigation menu. Navigate to Email
Notification to define email addresses for notification alerts.

2.13 Downloading the Agent Installer


You can install an agent locally by connecting to the Lumension Endpoint Management and
Security Suite server, downloading the agent installer, and running the installer on the endpoint
that you want to manage.

The agent system requirements and installation procedures vary by operating system. For
complete instructions regarding the installation of agents on supported operating systems, refer to
the Lumension Endpoint Management and Security Suite 7.0 User Guide located on the Ovation
Security Center CD.

2.13.1 To download the Agent Installer


1. Log in to the target computer as the local administrator (or a member of the Local
Administrators group).
2. Log in to your Lumension Endpoint Management and Security Suite server.
3. Select Tools > Download Agent Installer from the toolbar. The Download Agent Installers
window displays.
4. Select the endpoint's operating system from the Operating System drop-down list.
5. Select the agent version that you want to install on the endpoint from the Agent Version
drop-down list.
6. Click Download. A Download File window opens, prompting you to save or open the installer.

2.14 Using the Dashboard


The dashboard displays widgets depicting the activity on your protected network. The dashboard
provides convenient information you can use to ensure that network protection is performing
effectively. You can customize the dashboard to display the widgets most pertinent to your
network environment.

Widget graphs are generated based on the latest data and statistics available from endpoints,
groups, vulnerabilities, packages, and so on.

Note: Additional information about the dashboard can be found in the Lumension Endpoint
Management and Security Suite 7.0 User Guide located on the Ovation Security Center CD.

The following Dashboard widgets are available. The page numbers refer to the Lumension
manual.
• The Agent Status Widget on page 53.
• The Applicable Content Updates Widget on page 54.
• The Discovery Scan Results: Agent Widget on page 56.
• The Critical Patch Status by Endpoint Widget on page 55.
• The Endpoints with Unresolved Updates Widget on page 57.
• The Incomplete Deployments Widget on page 58.
• The Last Five Completed Scan Jobs Widget on page 59.
• The Latest News Widget on page 59.
• The Mandatory Baseline Compliance Widget on page 60.
• The Next Five Pending Scan Jobs Widget on page 60.
• The Offline Agents Widget on page 61.
• The Scheduled Deployments Widget on page 61.
• The Server Information Widget on page 63.
• The Time Since Last Agent Scan Widget on page 64.
• The Un-remediated Critical Vulnerabilities Widget on page 65.

2.14.1 Agent Status widget

The Agent Status Widget depicts all agents in the network. Agents are classified by status, as
depicted in its associated chart.

The following table describes the fields in the Agent Status widget:

Agent Status Widget Fields

FIELD         DESCRIPTION
Idle          The number of agents that are idle.
Initializing  The number of agents that are installing new components and running their first Discover Applicable Updates task.
Running       The number of agents that are working on a deployment task.
Disabled      The number of agents that are disabled.
Sleeping      The number of agents that are sleeping.
Offline       The number of agents that are offline.
Agents        The total number of agents in your environment.

Note: Click the pie chart slice to open the Endpoints page. The page that opens is filtered to display the
agents associated with the clicked status.

2.14.2 Discovery Scan Results: Agent Widget

The Discovery Scan Results Agent Widget displays the number of endpoints capable of hosting
agents (agent-compatible) as discovered in the latest discovery scan job.

The endpoints discovered are classified into two groups:


• Endpoints with agents.
• Endpoints without agents.
The following table describes the Discovery Scan Results Agent widget fields.

Discovery Scan Results Widget Fields

FIELD                     DESCRIPTION
As of                     The name of the discovery scan job used to generate the widget graph and statistics. This is the most recently run job.
Endpoints with agents     The number of agent-compatible endpoints discovered with agents installed.
Endpoints without agents  The number of agent-compatible endpoints discovered with no agents installed.
Endpoints                 The total number of agent-compatible endpoints discovered.

Note: Clicking the Discovery Scan Results: Agent widget opens the Job Results page for the most recently
run discovery scan job.


2.14.3 Endpoints with Unresolved Updates Widget

The Endpoints with Unresolved Updates Widget displays all managed endpoints with unapplied
applicable content updates, grouped by content type.

View this widget when deciding if a managed endpoint requires deployment. An unresolved
update is an occurrence of an endpoint that has not had an applicable content item installed.

The following table describes each graph bar.

Endpoints with Unresolved Updates widget

BAR          DESCRIPTION
Critical     The number of managed endpoints in your network that have unresolved critical content updates.
Recommended  The number of managed endpoints in your network that have unresolved recommended content updates.
Optional     The number of managed endpoints in your network that have unresolved software, informational, and virus removal content updates.

Note: Clicking a widget graph bar opens the Vulnerabilities, Software, or Other page, which is filtered to
display all unapplied applicable content.

The following table describes each widget field:

FIELD DESCRIPTION

Endpoints The number of managed endpoints with applicable updates within your network.
Applicable updates The total number of content items applicable to managed endpoints within your
network.

2.14.4 Incomplete Deployments Widget

The Incomplete Deployments Widget displays all deployments with elapsed start dates and
displays not started or in-progress status.

The following table describes the Incomplete Deployments widget fields:

Incomplete Deployments Widget Fields

FIELD                     DESCRIPTION
<25%                      The number of deployments that are less than 25 percent complete. This field includes deployments that have not started.
25% - 49%                 The number of deployments that are 25 to 49 percent complete.
50% - 69%                 The number of deployments that are 50 to 69 percent complete.
70% - 79%                 The number of deployments that are 70 to 79 percent complete.
80% - 89%                 The number of deployments that are 80 to 89 percent complete.
>90%                      The number of deployments that are more than 90 percent complete.
Total                     The total number of deployments that have a status of in progress or not started with an elapsed start time.
Total affected endpoints  The total number of endpoints receiving pending or in-progress deployments.
endpoints

2.14.5 Applicable Content Updates Widget

The Applicable Content Updates widget displays applicable content updates grouped by content type. View this widget when determining what content is applicable to endpoints in your network.

The following table describes each graph bar:

Applicable Content Updates Widget Graph Bars

BAR           DESCRIPTION
Critical      The number of critical content items that are applicable to the agent-managed endpoints within your network.
Recommended   The number of recommended content items that are applicable to the agent-managed endpoints within your network.
Optional      The number of optional software, informational, and virus removal content items that are applicable to the agent-managed endpoints within your network.

Note: Clicking the Applicable Content Updates widget graph opens the Vulnerabilities, Software, or Other page, filtered to display all applicable content that has not been patched.

The following table describes each widget field:

Applicable Content Updates Widget Fields

FIELD               DESCRIPTION
Applicable updates  The total number of content items applicable to managed endpoints within your network.
Endpoints           The total number of managed endpoints with applicable updates within your network.


2.14.6 Critical Patch Status by Endpoint Widget

The Critical Patch Status by Endpoint widget depicts the patch status of all managed endpoints. Each bar indicates the number of managed endpoints with applicable critical vulnerabilities whose release date falls within a given age range. Green bars indicate endpoints that are patched for critical vulnerabilities, while red bars indicate endpoints that are not.

The following table describes the Critical Patch Status by Endpoint widget graph bars:

Critical Patch Status by Endpoint Widget Graph Bars

GRAPH BAR      DESCRIPTION
<30 days       The number of managed endpoints with applicable critical vulnerabilities less than 30 days old.
30 - 120 days  The number of managed endpoints with applicable critical vulnerabilities between 30 and 120 days old.
>120 days      The number of managed endpoints with applicable critical vulnerabilities more than 120 days old.

The following table describes the widget fields:

Critical Patch Status by Endpoint Widget Fields

FIELD                     DESCRIPTION
Endpoints                 The total number of managed endpoints with applicable critical vulnerabilities.
Critical Vulnerabilities  The total number of critical vulnerabilities applicable to your environment.

2.14.7 Last Five Completed Scan Jobs Widget

The Last Five Completed Scan Jobs widget contains information about the last five completed scan jobs. Each job name is a link to the associated Results page.

The following table describes each column in the Last Five Completed Scan Jobs widget:

Last Five Completed Scan Jobs Widget Columns

COLUMN          DESCRIPTION
Name            The job name. The name is a link to the associated Results page.
Completed Date  The date and time the job completed, in server time.
Status          The status of the completed job.


2.14.8 Latest News Widget

The Latest News widget displays important announcements and other information regarding Lumension Endpoint Management and Security Suite. Internet connectivity is required for this widget.

Click the Latest News link to view additional details about an announcement in a new window.

2.14.9 Mandatory Baseline Compliance Widget

The Mandatory Baseline Compliance widget displays the Mandatory Baseline status of all managed endpoints.

The following table describes the Mandatory Baseline Compliance widget fields:

Mandatory Baseline Compliance Widget Fields

FIELD                      DESCRIPTION
Compliant                  The number of agents with all Mandatory Baseline content installed.
In process                 The number of agents currently downloading Mandatory Baseline content.
No baseline                The number of agents with no content assigned to their Mandatory Baseline(s).
Non-compliant              The number of agents that do not have all content in their Mandatory Baseline(s) installed.
Total number of endpoints  The total number of endpoints with an agent installed.

2.14.10 Next Five Pending Scan Jobs Widget

The Next Five Pending Scan Jobs widget displays information about the next five pending discovery scan jobs. Each job name is a link to the Scheduled tab of the Discovery Scan Jobs page.

The following table describes the Next Five Pending Scan Jobs widget columns:

Next Five Pending Scan Jobs Widget Columns

COLUMN          DESCRIPTION
Name            The job name. Each name is a link to the Scheduled tab of the Discovery Scan Jobs page.
Scheduled Time  The date and time the job is scheduled to run, in server time.


2.14.11 Offline Agents Widget

The Offline Agents widget displays all offline agents, grouped by the time elapsed since they last checked in.

The following table describes the fields in the Offline Agents widget:

Offline Agents Widget Fields

FIELD                               DESCRIPTION
< 48 hours                          The number of agents offline for fewer than 48 hours.
48 - 72 hours                       The number of agents offline for 48 to 72 hours.
> 72 hours                          The number of agents offline for more than 72 hours.
The total number of offline agents  The total number of agents that are offline (since their last scheduled Discover Applicable Updates task).

Note: Clicking the Offline Agents widget pie chart opens the Endpoints page, filtered to display offline agents.

2.14.12 Scheduled Deployments Widget

The Scheduled Deployments widget displays endpoints that have not yet installed applicable content. These endpoints are divided into two categories: endpoints with deployments scheduled and endpoints with deployments not scheduled. Each category is further divided by content type: endpoints with not-yet-applied critical content, endpoints with not-yet-applied recommended content, and endpoints with not-yet-applied optional content.

The following table describes the Scheduled Deployments widget graph bars. Orange graph bars indicate endpoints that are not scheduled to receive applicable content, while blue graph bars indicate endpoints that are scheduled to receive applicable content.

Scheduled Deployments Widget Graph Bars

GRAPH BAR    DESCRIPTION
Critical     The number of managed endpoints scheduled or not scheduled to receive deployments for critical content.
Recommended  The number of managed endpoints scheduled or not scheduled to receive deployments for recommended content.
Optional     The number of managed endpoints scheduled or not scheduled to receive deployments for optional content.

Note: Clicking the Scheduled Deployments widget opens the Deployments page, filtered to display scheduled deployments.

Scheduled Deployments Widget Field

FIELD                              DESCRIPTION
Endpoints with unresolved updates  The total number of endpoints with unresolved updates.

2.14.13 Server Information Widget

The Server Information widget lists the serial number of your Lumension Endpoint Management and Security Suite (EMSS) server and summarizes current license usage and availability.

The following table describes the fields in the Server Information widget:

Server Information Widget Fields

FIELD                                DESCRIPTION
Company                              The company under which Lumension EMSS is registered, as defined during installation.
Serial number                        The Lumension EMSS license number (serial number) assigned to your server.
Non-expired licenses                 The total number of active agent licenses.
Licenses in use                      The number of active licenses used by registered endpoints.
Licenses available                   The number of licenses remaining for endpoint registration. Registered endpoints are managed by Lumension EMSS; each registered endpoint requires one license.
Last update                          The most recent date and time Lumension EMSS received a license information update from the Global Subscription Server (GSS).
License replication                  The subscription status between Lumension EMSS and the GSS.
Vulnerability / Content Replication  The replication status between Lumension EMSS and the GSS.
Package Replication                  The number of packages remaining for replication.
Auto-download of Critical Packages   Whether Lumension EMSS automatically downloads packages for critical vulnerabilities. Clicking the link opens the Subscription Service Configuration window. For additional information, refer to Configuring the Service Tab on page 82 of the Lumension Endpoint Management and Security Suite User Guide.

Note: A license expiration notice is displayed if all available licenses have expired.

2.14.14 Time Since Last Agent Scan Widget

The Time Since Last Agent Scan widget displays all active agents (not including disabled or offline agents), grouped by the amount of time since their last Discover Applicable Updates (DAU) task.

The following table describes the fields in the Time Since Last Agent Scan widget:

Time Since Last Agent Scan Widget Fields

FIELD             DESCRIPTION
<24 hours         The number of agents that last performed a DAU task and checked in fewer than 24 hours ago.
24 - 47 hours     The number of agents that last performed a DAU task and checked in 24 to 47 hours ago.
48 - 72 hours     The number of agents that last performed a DAU task and checked in 48 to 72 hours ago.
> 72 hours        The number of agents that last performed a DAU task and checked in more than 72 hours ago.
Never Checked in  The number of registered agents that have not completed a DAU task.

Note: Clicking the Time Since Last Agent Scan widget pie chart opens the Endpoints page, filtered to display enabled devices.

2.14.15 Un-remediated Critical Vulnerabilities Widget

The Un-remediated Critical Vulnerabilities widget displays the total number of un-remediated critical vulnerabilities that are applicable to your environment, grouped by age.

The following table describes the Un-remediated Critical Vulnerabilities widget graph bars:

Un-remediated Critical Vulnerabilities Widget Graph Bars

GRAPH BAR      DESCRIPTION
<30 days       The number of un-remediated critical vulnerabilities applicable to your environment that are fewer than 30 days old.
30 - 120 days  The number of un-remediated critical vulnerabilities applicable to your environment that are 30 to 120 days old.
>120 days      The number of un-remediated critical vulnerabilities applicable to your environment that are more than 120 days old.

Note: Clicking the Un-remediated Critical Vulnerabilities widget graph opens the Vulnerabilities page, filtered to display the applicable vulnerabilities that are critical and not superseded.

The following table describes the Un-remediated Critical Vulnerabilities widget fields:

Un-remediated Critical Vulnerabilities Widget Fields

FIELD                     DESCRIPTION
Critical Vulnerabilities  The number of critical, not superseded vulnerabilities applicable to your environment.
Endpoints                 The number of managed endpoints with applicable critical, not superseded vulnerabilities.

2.14.16 To preview and print the Dashboard


1. Select Home from the navigation menu.
2. Click the Print icon. The dashboard print preview opens in a new Web browser window.
3. If desired, use your Web browser controls to print the dashboard.

Note: The print preview is a copy of the dashboard reformatted for printing: it omits the Web site's header and footer and shows only the widgets currently selected for display. View the print preview from the Home page.

2.14.17 To edit the Dashboard

VSPM lets you define how dashboard widgets are arranged and prioritized. You can edit the dashboard to display only the widgets that are most useful when managing your network environment. The dashboard is edited from the Dashboard Settings dialog box.

1. Select Home from the navigation menu.
2. Click the Settings icon. The Dashboard Settings dialog box opens.
3. Choose which widgets you want to display on the dashboard.
   - Select the check box associated with a widget to display it.
   - Clear the check box associated with a widget to hide it.
4. Prioritize the widgets in the desired order.
   - Click the applicable Increase Priority icon to increase a widget's priority.
   - Click the applicable Decrease Priority icon to decrease a widget's priority.
   Higher-priority widgets appear toward the upper-left corner of the dashboard; lower-priority widgets appear toward the lower-right corner.
5. Display or hide widget descriptions.
   - Click the Display Descriptions icon to display descriptions.
   - Click the Hide Descriptions icon to hide descriptions.
6. Choose a widget layout.
   - Click the Two Column icon to make widgets appear in two columns.
   - Click the Three Column icon to make widgets appear in three columns.
7. Click OK.

2.15 Creating and editing user accounts for SCAN


Administrators can create or edit users by opening the Manage Users and Groups window from the main menu. Viewing and using this menu item requires an engine login account that has been assigned the RBAC administrative privilege to Add or Change Users and Groups.

When you are logged on to a user account other than an Administrator, you have access only to the console areas permitted by the privileges assigned to the account, and within each privilege only to its preset default or adjusted scope.

2.16 Preparing VSPM for Full vulnerability scan


When preparing VSPM for a full vulnerability scan, consider the following points for the scan to succeed:
- The design is for the VSPM appliance to perform a full-port vulnerability scan of the Ovation system.
- The OSC router port that the VSPM is currently connected to (0/1/3) is an access-controlled interface. The connection must be moved to router port 0/1/7, which has relaxed access control.
- Port 0/1/7 is on its own VLAN, with the router interface at address 192.168.123.5.
- The VSPM appliance must either have its IP address changed to 192.168.123.6, or have its second network interface set to this address. The procedure below uses the second interface so that the standard OSC configuration is preserved.

2.16.1 To prepare VSPM for Full vulnerability scan


1. Remote desktop into the VSPM appliance (192.168.124.33).
2. Navigate to the Start menu and open Network Connections.
3. Right-click the first interface and select Properties.
4. In the Connection Properties window, select Internet Protocol (TCP/IP).
5. Select the Properties button and verify the IP address of the standard OSC connection. It should be 192.168.124.33.
   - If the address is not 192.168.124.33 (for example, the address is empty), cancel the window, select the other interface, and repeat steps 3 through 5.
   - If the address is correct, cancel the Connection Properties window, right-click this interface, select Rename, and change the interface name to OSC Standard Interface.
6. Right-click the remaining (non-renamed) interface and select Rename.
7. Change the interface name to OSC Full Scan Interface.
8. Right-click the OSC Full Scan Interface and select Properties.
9. In the Connection Properties window, select Internet Protocol (TCP/IP).
10. Select the Properties button and enter the following:
   - Select Use the following IP address.
   - IP address: 192.168.123.6
   - Subnet mask: 255.255.255.0
   - Default gateway: 192.168.123.5
11. Select the OK button in the Internet Protocol (TCP/IP) Properties window.
12. Select the OK button in the Connection Properties window.

2.16.2 To perform a Full vulnerability scan


1. Remote desktop into the VSPM appliance (192.168.124.33).
2. Navigate to the Start menu and open Network Connections.
3. Disable the OSC Standard Interface: right-click OSC Standard Interface and select Disable.
4. Enable the OSC Full Scan Interface: right-click OSC Full Scan Interface and select Enable.
5. Move the Fast Ethernet cable connections to and from the VSPM appliance:
   - Move the RJ-45 plug from the currently used port to the unused port on the back of the VSPM appliance.
   - Move the RJ-45 plug from OSC router port 0/1/3 to port 0/1/7.
6. Open the Lumension Security Management Console program, located on the desktop of the VSPM. Two windows appear: the console window and the login screen. Log in to the console.
7. Define the type of scan to be performed:
   a) Select the Scan tab.
   b) Select the scan group: All. A full scan is very invasive and is only to be performed during a unit outage.
   c) Ports setup: select all check boxes.
   d) Scans setup: select all check boxes.
8. Name, schedule, and define the targets for the scan:
   a) Select the Discovery tab.
   b) Name the scan job by entering a name in the entry field.
   c) Select a schedule method. Typically, this is set to immediate.
   d) Leave all discovery options selected.
   e) Set up the consoles to be scanned:
      - Use an IP range or an IP with wildcard to define the intended targets for the scan.
      - After the information is entered in the entry field(s), select + to add the targets to the scan target list.
      - Repeat until all IP addresses for the desired scan are entered.
   f) To initiate the scan, select the Save button.
9. Check the scan status by selecting the appropriate tab in the Job Queue panel:
   - Active: any currently active scan. A percentage-complete indication is displayed.
   - Scheduled: any scan that is scheduled for future activation.
   - Completed: review and generate reports on completed scans.
10. To review information related to a scan job:
   a) Select the Completed tab in the Job Queue panel.
   b) Select the scan job that you want to review.
   c) The tabs at the top of the panel display different information related to the selected scan job. For example:
      - Targets: the targets that were scanned, with summary information.
      - Vulnerabilities: any vulnerabilities discovered during that scan job.
      - Graphical Reports: an interface to generate graphical reports on the selected scan job.
      - Agents: all agents known to the console; not related to the selected scan job.
      - Vulnerabilities (global list): all vulnerabilities that the VSPM knows about, independent of the selected scan job.

When the full scan is complete, reverse steps 3 through 5: move the cable back from router port 0/1/7 to 0/1/3 and the plug back to the original port on the appliance, disable the OSC Full Scan Interface, and enable the OSC Standard Interface, so that the appliance is not left connected to the relaxed-access-control port.

2.16.3 To perform vulnerability scans (Emerson Validated Patches)


1. Remote desktop into the VSPM appliance (192.168.124.33).
2. Open the Patchlink Security Management Console program, located on the desktop of the VSPM. Two windows appear: the console window and the login screen. Log in to the console.
3. Define the scan credentials that will be used in future scans:
   a) Select Scan Job in the Network Scan panel. The New Scan Job Settings window appears.
   b) Select the Credentials tab.
   c) Select the Manage button. The Manage Credentials Set window appears.
   d) Select the New button.
   e) Enter a name for the credential set being created, for example: Ovation.
   f) Enter the following information:
      - Operating System: Windows.
      - Domain: the fully qualified domain name (for example, plant.ovation.company.local).
      - Username: <username>.
      - Password: <password>.
      - Verify Password: <password>.
      - Description: Ovation scan credentials.
   g) Select the Test button to verify that the credentials will work for a scan:
      - Enter a Target IP, for example 192.168.2.200. This is the address used for the credential test and must be the address of a console on the system.
      - Select OS as default.
      - Check the Verify with Ping check box.
      - Select the Test button.
      The test should return level 3 access; if it does not, something in the credential set was entered incorrectly.
   h) If other operating systems are to be included, repeat steps e through g with Operating System set to POSIX or SNMP. For POSIX, supply the account username and password; for SNMP, supply the <read community string>.
   i) Select the Save button.
   j) Select the credential set you created (Ovation) in the Credentials tab.
4. Define the type of scan to be performed:
   a) Select the Scan tab.
   b) Select the Vulnerability Set: Emerson Validated Patches. This is a periodic scan to determine whether any consoles are vulnerable to the current vulnerability set. The selection is near the bottom of the list.
   c) Ports setup: set this to none.
   d) Scans setup: clear all check boxes.
5. Name, schedule, and define the targets for the scan:
   a) Select the Discovery tab.
   b) Name the scan job by entering a name in the entry field.
   c) Select a schedule method. Typically, this is set to immediate.
   d) Leave all discovery options selected.
   e) Set up the consoles to be scanned:
      - Use an IP range or an IP with wildcard to define the intended targets for the scan.
      - After the information is entered in the entry field(s), select + to add the targets to the scan target list.
      - Repeat until all IP addresses for the desired scan are entered.
   f) To initiate the scan, select the Save button.
6. Check the scan status by selecting the appropriate tab in the Job Queue panel:
   - Active: any currently active scan. A percentage-complete indication is displayed.
   - Scheduled: any scan that is scheduled for future activation.
   - Completed: review and generate reports on completed scans.
7. To review information related to a scan job:
   a) Select the Completed tab in the Job Queue panel.
   b) Select the scan job that you want to review.
   c) The tabs at the top of the panel display different information related to the selected scan job:
      - Targets: the targets that were scanned, with summary information.
      - Vulnerabilities: any vulnerabilities discovered during that scan job.
      - Graphical Reports: an interface to generate graphical reports on the selected scan job.
      - Agents: all agents known to the console; not related to the selected scan job.
      - Vulnerabilities (global list): all vulnerabilities that the VSPM knows about, independent of the selected scan job.

2.17 VSPM SCAN Updating


The purpose of the scan is to identify vulnerabilities such as missing patches, out-of-date antivirus signatures, and malware, so that they can be corrected quickly before they compromise the security of the Ovation system.

Vulnerability databases and scanning software updates are periodically downloaded through Emerson's SureService OSC Module.

2.17.1 To update VSPM SCAN

Note: Scan updates are delivered as files named guardian_vulns_XXX.upd, where XXX is the vulnerability update version number. These are SQL updates that must be imported. The updates are normally subscription based; in the current air-gapped installation, they must be imported manually.

1. Open the Lumension Security Management Console (also known as SCAN).
2. Log in to SCAN with administrator rights.
3. Check the current version of the SCAN vulnerability data:
   a) Click Help -> About.
   b) The third line down is the Vulnerability Update Version number.
   c) A clean install with no updates is version 170.
   d) Take note of this version and click OK.
4. Select Tools from the top menu.
5. Select Automatic Updates from the drop-down menu. This can also be launched with the keystroke Ctrl-Shift-U.
6. Click the Load File(s) button.
7. Browse to the location of the .upd files for this month.
8. Select the files. You can make selections one at a time, or select multiple files by holding down the Shift or Ctrl key and clicking them.

Note: If you select a file whose version is at or below the Vulnerability Update Version number displayed in About, the import errors out. Select every file above that version number. For example, if the current version number is 181, select 182 and greater.

9. Once the files are selected, choose Open.
10. Select Continue on the Update Now dialog box.

Note: This process may take several minutes depending on how many updates are selected. Circling arrows are the only indication that the import is in progress. You can click the Run in the Background button, but then no indication of completion is given. Do not reboot the machine for at least an hour.

11. Once the import completes, the circling arrows disappear and the bottom pane of the Automatic Updates dialog box shows the version number of the current vulnerability update.
12. Update the current Emerson Validated Patches vulnerability set:
   a) Click Tools -> Manage Vulnerabilities. This can also be launched with the keystroke Ctrl-Shift-V.
   b) Click the Custom Vulnerabilities tab.
   c) Click the Import button at the top right.
   d) Select Vulnerability Set(s) from the dialog box.
   e) Click Next.
   f) Browse to the current month's folder and select Emerson Validated Patches.xml.
   g) Click Finish.

2.18 Creating a disaster recovery solution for VSPM


The most important part of an effective disaster recovery solution is having a current and valid backup. You can create backups either manually or as part of a Database Maintenance Plan.

Lumension Endpoint Management and Security Suite uses Microsoft SQL Server to store its data. Emerson recommends that you prepare your system for a disaster before one occurs, using the procedures in the following sections.


2.18.1 Preparing your database

In the event of a disaster, transaction log backups let you restore your database to a point in time rather than only to the last full backup. Whether the transaction log is retained for this purpose is controlled by the database recovery model.

The installation of Lumension Endpoint Management and Security Suite sets your databases to the Simple recovery model, under which SQL Server truncates the transaction log at each checkpoint and transaction log backups are not possible. To use transaction log backups, and thus improve the quality of your disaster recovery solution, change the recovery model to Full. Under the Full recovery model the log is kept until it is backed up, so you must also schedule regular transaction log backups or the log file will grow without bound.

Database recovery model edits are made in SQL Server Management Studio. The Management Studio is available by upgrading to SQL Server 2008 Standard or Enterprise, or as a download from the Microsoft Download Center.

2.18.2 To change the database recovery model


1. Open Microsoft SQL Server Management Studio: Start > All Programs > Microsoft SQL Server 2008 > SQL Server Management Studio.
2. Log in to your database server.
3. In the directory tree, expand Server Name\SQL Instance > Databases.
4. Right-click the PLUS database.
5. Select Properties. The Database Properties window opens.
6. Click Options in the Select a Page pane. The Options page opens.
7. Select Full in the Recovery model list.
8. Click OK. The changes are saved and the Database Properties window closes.
9. Repeat the recovery model modification for the following databases:
   - PLUS_Staging
   - UPCCommon
   - SCM
   - STAT_Guardian
   - PLUS_Reports (if it exists)

Note: After completing this task, you must create a full backup of each database before any transaction log backups can be taken. To create a one-time backup of your database, refer to Creating a Database Backup on page 577 of the Lumension Endpoint Management and Security Suite 7.0 User Guide located on the Ovation Security Center CD.


2.19 Creating a database backup


To prevent data loss, define a database backup solution now and follow it, so that a current backup exists when a disaster occurs.

A Maintenance Plan lets you automate the backup of your databases and transaction logs; you can also create and restore individual backups using SQL Server Management Studio.

Create a backup of the SQL Server databases associated with the Lumension Endpoint Management and Security Suite to ensure that minimal system data is lost if a disaster occurs. Backups are created within SQL Server Management Studio.

2.19.1 To create a database backup


1. Open Microsoft SQL Server Management Studio: Start > Programs > Microsoft SQL Server 2008 > SQL Server Management Studio.
2. Log in to your database server.
3. In the directory tree, expand Server Name\SQL Instance > Databases.
4. Right-click the PLUS database.
5. Select Tasks > Back Up. The Back Up Database window opens.
6. Ensure that the Source values are set as follows:
   - Database: PLUS
   - Recovery model: Full
   - Backup type: Full
   - Backup component: Database

Note: If the Recovery model is not Full, refer to Changing the Database Recovery Model on page 575 of the Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide located on the Ovation Security Center CD.

7. Define the Backup set identification fields:

FIELD        DESCRIPTION
Name         Name of the backup set.
Description  Description of the backup set.

8. Define the backup set expiration date using one of the following methods:

METHOD                                                      STEPS
To define an expiration date based on a set number of days  1. Select the After option. 2. Enter the desired number of days in the After field.
To define an expiration date based on a set date            1. Select the On option. 2. Select the desired date from the On list.

9. Define your backup Destination settings:
   - Select either the Disk or Tape option.
   - Define the destination folder.

Note: For performance reasons, Emerson recommends that you create your database backup in a directory that is not on the same physical drive as your database.

10. Select Options within the Select a page pane. The Options page displays.
11. Select either Back up to the existing media set or Back up to a new media set, and erase all existing backup sets, as appropriate for your organization.
12. Select the Verify backup when finished option to ensure a valid backup.
13. Click OK.
14. Repeat for the following databases:
   - PLUS_Staging
   - UPCCommon
   - SCM
   - STAT_Guardian
   - PLUS_Reports (if it exists)

Note: After completing this task, you must also back up the Lumension EMSS content directory. The default location of the content directory is <Installation Directory>\Lumension\EMSS\Content. If this directory was changed during installation, you can verify its location by viewing the HKEY_LOCAL_MACHINE\SOFTWARE\Patchlink.com\Update\ISAPI\Storage registry value. The database backups and the content directory contain the server's account and configuration data, so store them with the same access controls as the server itself.
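The following T-SQL script is an added example, not part of this guide or of the Lumension product, that performs the recovery-model change of 2.18.2 and the full backup of 2.19.1 for the Lumension EMSS databases in one pass, so the result can be checked with a query instead of by opening each Database Properties window. It assumes a login with sysadmin rights; the backup folder D:\EMSSBackup\ is a placeholder for a folder on a drive other than the one that holds the database files.

```sql
-- Added example (not from the Ovation or Lumension documentation): set the FULL
-- recovery model and take a verified full backup plus the first log backup for each
-- Lumension EMSS database. Run in SQL Server Management Studio or sqlcmd with a
-- sysadmin login. @backupDir is a placeholder; point it at a drive that does not
-- hold the .mdf/.ldf files, as the guide recommends.
SET NOCOUNT ON;

DECLARE @backupDir nvarchar(260) = N'D:\EMSSBackup\';          -- placeholder path
DECLARE @stamp nvarchar(15) = CONVERT(nvarchar(8), GETDATE(), 112)
                            + N'_' + REPLACE(CONVERT(nvarchar(8), GETDATE(), 108), N':', N'');
DECLARE @db sysname, @file nvarchar(260), @sql nvarchar(max);

-- PLUS_Reports is optional, so the list is filtered against sys.databases
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name IN (N'PLUS', N'PLUS_Staging', N'UPCCommon', N'SCM',
                   N'STAT_Guardian', N'PLUS_Reports');
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- 2.18.2: FULL keeps the log until it is backed up, enabling point-in-time restore
    SET @sql = N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET RECOVERY FULL;';
    EXEC sp_executesql @sql;

    -- 2.19.1: a full backup after the switch starts the log chain. INIT overwrites
    -- the file; CHECKSUM stores page checksums so corruption is detectable on restore.
    SET @file = @backupDir + @db + N'_' + @stamp + N'.bak';
    SET @sql = N'BACKUP DATABASE ' + QUOTENAME(@db)
             + N' TO DISK = N''' + @file + N''''
             + N' WITH INIT, CHECKSUM, NAME = N''' + @db + N' full backup'';';
    EXEC sp_executesql @sql;

    -- Same check as "Verify backup when finished": read the whole backup set back
    SET @sql = N'RESTORE VERIFYONLY FROM DISK = N''' + @file + N''' WITH CHECKSUM;';
    EXEC sp_executesql @sql;

    -- First transaction log backup; repeat this on a schedule or the log grows unbounded
    SET @file = @backupDir + @db + N'_' + @stamp + N'.trn';
    SET @sql = N'BACKUP LOG ' + QUOTENAME(@db)
             + N' TO DISK = N''' + @file + N''' WITH INIT, CHECKSUM;';
    EXEC sp_executesql @sql;

    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Check: every EMSS database should now report FULL and a recent full backup
SELECT d.name, d.recovery_model_desc,
       MAX(b.backup_finish_date) AS last_full_backup
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name AND b.type = 'D'
WHERE d.name IN (N'PLUS', N'PLUS_Staging', N'UPCCommon', N'SCM',
                 N'STAT_Guardian', N'PLUS_Reports')
GROUP BY d.name, d.recovery_model_desc;
```

Put this script, or the equivalent Maintenance Plan, on a schedule: once a database is in the Full recovery model, only a log backup truncates its transaction log, so the log backup step is not optional.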

2.20 Restoring a database backup


Another important part of an effective Disaster Recovery Solution is to define a process to restore
your database backup.

Prerequisites:

Prior to restoring the database backup you must install the Lumension Endpoint Management and
Security Suite server using the same serial number that was used previously.

Note: After installing the Lumension Endpoint Management and Security Suite server, do not
open the user interface until after you have restored the databases.

2.20.1 To restore a database backup


1. Open the Services Management Console:
Choose Start > Settings > Control Panel > Administrative Tools > Services.
2. Right-click the World Wide Web Publishing service.
3. Select Stop to stop the World Wide Web Publishing (IIS) service.
4. Repeat steps 2 and 3 for the following services:
… EDS LanPortal.

OSC_003 111
2.20 Restoring a database backup

… EDS MessageBroker.
… EDS Server.
… Replication Service.
… STATEngine.
5. Restore the backup you made of the content directory over the new content directory
(<Installation Directory>\Lumension\EMSS\Content by default). However, if this directory was
modified during installation, you can verify its location by viewing the
\HKEY_LOCAL_MACHINE\SOFTWARE \Patchlink.com\Update\ISAPI\Storage registry key.
6. Open the Microsoft SQL Server Management Studio:
Choose: Start > Programs > Microsoft SQL Server 2008 > SQL Server Management
Studio.
7. Login to your database server with a user account that has sysadmin rights.
8. In the directory tree, expand Server Name\SQL Instance > Databases.
9. Right-click the Databases folder.
10. Select Restore Database. The Restore Database window opens.
11. In the To database field, type or select the PLUSdatabase.
12. Select From device and click the Ellipses button (...). The Specify Backup window opens.
13. Click Add. The Locate Backup File window opens.
14. Locate and select your backup (.bak) file.
15. Click OK.
16. Click OK to return to the Restore Database window.
17. Select the check box associated with your backup within the Select the backup sets to
restore table.
18. Click Options within the Select a page pane. The Options page displays.
19. Ensure the Overwrite the existing database option is selected.
20. Verify, and correct if necessary, the directory path within the Restore the database files as
table.
21. Ensure the Leave the database ready to use option is selected.
22. Click OK to begin the database restoration.
23. After the restore is complete, run the following SQL command against the database.
exec sp_changedbowner 'sa'
24. Repeat steps 9 through 23, restoring each of the following databases:
… PLUS_Staging.
… UPCCommon.
… SCM..
… STAT_Guardian.
… PLUS_Reports (if it exists).
25. Against the master database, run the following SQL commands.
exec sp_dboption N'PLUS', N'DB CHAINING', N'true'
exec sp_dboption N'PLUS_Staging', N'DB CHAINING', N'true'
exec sp_dboption N'UPCCommon', N'DB CHAINING', N'true'
exec sp_dboption N'SCM', N'DB CHAINING', N'true'
exec sp_dboption N'STAT_Guardian', N'DB CHAINING', N'true'
26. If the computer name, Service account name, or Client account name differs, you must
perform the following steps.
a) Delete the previous Service account and Client account users from each database.
b) Add the new Service and Client account users to the following roles for each database.
- PLUS - Update Server, aspnet_ChangeNotification_ReceiveNotificationsOnlyAccess
- PLUS_Staging - Update Server
- SCM - SCM Server
- STAT_Guardian - Guardian_Admin
- UPCCommon - UPC Server
27. If you re-installed the Lumension EMSS server with a different user name than was used
when originally installed, run the following SQL command.
UPDATE AccountContacts SET UserName = 'NewUserName' WHERE UserName = 'OldUserName'
28. If you re-installed the Lumension EMSS server with the content directory in a different location
than the original installation, run the following SQL command.
UPDATE SystemConfig SET SystemConfig_Value = 'NewStorageSystemPath' WHERE SystemConfig_Name = 'Storage'
29. If you re-installed the Lumension EMSS server with a different installation directory than the
original installation, run the following SQL command.
UPDATE SystemConfig SET SystemConfig_Value = 'NewWebInstallPath' WHERE SystemConfig_Name = 'InstallPath'
30. Restart the World Wide Web Publishing Service, EDS LanPortal, EDS MessageBroker, EDS
Server, Replication Service, and STATEngine services.
31. Install the Lumension EMSS Agent from the Download Agent Installers page.

2.20.2 To change the database recovery model OSC 2.x


1. Open the Microsoft SQL Server Management Studio:
Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.
2. Log in to your database server.
3. Expand your server group, server, and database folder until you see the PLUS database.
4. Right-click the PLUS database.
5. Select Properties. The Database Properties window opens.
6. Select Options within the Select a page field. The Options page opens.
7. Select Full in the Recovery model field.
8. Click OK. The changes are saved and the Database Properties window closes.

9. Repeat for the PLUS_Staging database (and the PLAMS and PLUS_Reports databases if they exist).

Note: After completing this task, you must create a backup of each database before any
transaction logs will be created. See To create a database backup (see page 114) to create a
one-time backup of your database.

2.20.3 To create a database backup for OSC 2.x

While a Maintenance Plan allows you to automate the backup of your databases and transaction
logs, you can also create and restore individual backups using the SQL Server Management
Studio.

The most important part of an effective disaster recovery technique is to have a current and valid
backup.

1. Open the Microsoft SQL Server Management Studio:
Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.
2. Log in to your database server.
3. Expand your server group, server, and database folder until you see the PLUS database.
4. Right-click the PLUS database.
5. Select Tasks > Backup. The Backup Database window opens.
6. Ensure that the Source values are set as follows:
- Database: PLUS
- Recovery model: Full
- Backup type: Full
- Backup component: Database

Note: If the Recovery model is not set to Full, see To change the database recovery model
OSC 2.x (see page 113).

7. Define the backup set Name, Description, and when the backup set will expire.
8. Define your backup Destination settings:
a) Select either the Disc or Tape option.
b) Define the destination folder.

Note: For performance reasons, Emerson recommends that you create your database backup
in a directory that is not on the same physical drive as your database.

9. Select Options within the Select a page field. The Backup Database - Options page displays.
10. Select whether to back up to the existing media set or to a new media set (erasing all
existing backup sets), as appropriate for your organization.
11. Select the Verify backup when finished option to ensure a valid backup.
12. Click OK.

13. Repeat for the PLUS_Staging database (and the PLAMS and PLUS_Reports databases if they exist).

2.20.4 To restore a database backup for OSC 2.x

Another important part of an effective Disaster Recovery Solution is to have a process defined to
restore your database backup.

1. Open the Services Management Console:
Start > Settings > Control Panel > Administrative Tools > Services.
2. Select and right-click the PatchLink Update service.
3. Click Stop to stop the PatchLink Update service.
4. Select and right-click the World Wide Web Publishing Service.
5. Click Stop to stop the World Wide Web Publishing Service.
6. Open the Microsoft SQL Server Management Studio:
Start > Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.
7. Log in to your database server.
8. Expand your server group, server, and database folder until you see the PLUS database.
9. Right-click the Databases folder.
10. Select Restore Database. The Restore Database window opens.
11. In the To database field, type or select the database you need.

Note: Specifying a new name for the database automatically defines the database files restored
from the database backup.

12. Select From device and click the ellipsis button (...). The Specify Backup window opens.
13. Click Add. The Locate Backup File window opens.
14. Locate and select your backup (.bak) file.
15. Click OK.
16. Click OK to return to the Restore Database window.
17. Select your backup within the Select the backup sets to restore field.
18. Select Options within the Select a page field. The Options page displays.
19. Ensure the Overwrite the existing database option is selected.
20. Verify, and correct if necessary, the directory path within the Restore the database files as field.
21. Ensure the Leave the database ready to use option is selected.
22. Click OK to begin the database restoration.
23. Repeat for the PLUS_Staging database.
24. Restart the PatchLink Update and World Wide Web Publishing Service services.

SECTION 3

Malware Prevention (MP) appliance

IN THIS SECTION

Malware Prevention (MP) overview ........................................ 117
Login basics and Admin Tokens for MP ................................... 125
Logging in for the first time for MP ................................... 126
Normal Login procedure for MP .......................................... 126
Generating a whitelist ................................................. 129
New Installation of Bouncer 5.x ........................................ 130
Scrubbing your system .................................................. 156
Creating Reports and Logs for MP ....................................... 157
Backing up the MP appliance ............................................ 159
Malware Prevention event reports to SIEM ............................... 162

3.1 Malware Prevention (MP) overview


The Malware Prevention (MP) appliance provides protection against malware or intrusions that
could be introduced into the Ovation system. Typically, two Bouncer appliances (referred to as
Managers) are used redundantly on Ovation systems.

Malware is malicious software or executable programs that you do not want operating on your
control system. When malware is introduced to the Ovation system, it is detected and is not
permitted to operate.

MP uses a proactive security approach called a whitelist. A whitelist is a list of programs you have
identified to be safe programs and are allowed to run on your control system. Programs not listed
on the whitelist are not permitted to operate and are blocked or bounced from operation.

This security approach safely locks down the system applications and operating systems so only
authorized software on the whitelist will operate on your system.

MP logs any applications that have been blocked and provides a scrub option to the system
administrator so the blocked applications can be removed from the client machines.

MP monitors software agents that are installed on Ovation servers, workstations, and network
devices. Any intrusion alerts detected by these agents are sent to the SIEM for correlation,
analysis, and reporting.

3.1.1 To install Malware Prevention for 2.0 Update 1


1. Log in to the Primary Bouncer manager.

2. Click the Configuration tab.

3. Click the File Transfer button. Accept the following defaults:
- File Transfer direction: Inbound: From external drive to Console
- File Type: Update

4. Click Next on the top-right corner of the screen.
5. Click the Browse button and find the .upd file under \coretrace\5312.

6. Click Open.

7. Click the Next button at the top-right corner of the window.


8. Click the Finish button at the top-right corner of the window.
a) The file transfer begins without displaying a progress bar.
b) Do not disconnect or close the window during the transfer.
c) When the file transfer is complete, the screen will flash over to the Configuration tab.
d) The Upload time depends on the network connection and speed. This process may take
a few minutes.

9. Click the Updates button after the window returns.

10. Select the type of software update, choose Update Manager Software, and click Next on the
top-right corner of the window.

11. Select 5.3.12 from the list of available update files.

12. Click Next at the top-right corner of the window.

13. Click Finish at the top-right corner of the window. A dialog box appears informing you that the
manager will be rebooted and you will be logged out.
14. Click OK and disconnect from the manager.
15. Repeat steps 1 - 14 for the Rollover Bouncer Manager.
16. After both managers are updated and rebooted, log in to the Primary Manager, and click the
Configuration tab.

17. Click the Updates button.

18. Select Update System software and click Next at the top-right corner of the window.

19. Select 5.3.12 from the list of update files.

20. Click Next at the top-right corner of the window.

21. Click the Finish button at the top-right corner of the window.
a) System install files expand out to the manager. (This should only take a few seconds.)
22. Click the Management tab.

23. Select the client you want to upgrade so that it is highlighted in yellow.

24. Right-click the selection and select Update System Software.

25. Select 5.3.12 from the Software Version drop-down menu.


26. Click the Finish button at the top-right corner of the window.

27. The machine reboots within 60 seconds.


28. Repeat steps 17 through 27 for the remainder of the clients.
29. Import updated packages to the Trusted Package Archive.
a) Information on changes is found in the changelog.
b) Remember to replace the policies being used in your System Configuration with the
updates.

3.2 Login basics and Admin Tokens for MP


Logging in requires the BOUNCER administrator to use a two-part authentication consisting of an
electronic administrative token that plugs into a USB port on the console and a memorized
passphrase entered in a dialog box.

Note: Hereafter, the electronic administrative token will be referred to as an ‘admin token’.

The digital certificates stored on the admin tokens and the extended length passphrase provide a
strong authentication mechanism.

CoreTrace currently uses the eToken® by Aladdin Knowledge Systems as part of the user
authentication process. The admin token is designed to be inserted into an active USB port on the
console. Each eToken® is uniquely identified by a SmartCardID that is electronically imprinted in
the security chip at the time of production. This SmartCardID is read by the console software and
displayed in the BOUNCER Login Screen during the login process.

The admin token has programmable memory and the ability to generate an RSA public/private
key pair. CoreTrace creates a digital certificate containing manager identification information and
the public key from the admin token. This certificate effectively establishes a one-to-one
relationship between the admin token and the manager. This digital certificate is loaded onto the
admin token at the CoreTrace factory. Each admin token is capable of storing several digital
certificates, providing the owner of the admin token with the ability to login to multiple managers.
This is all transparent to the BOUNCER administrator, who sees a list of managers in the
BOUNCER Login Screen.

Each admin token is shipped on a key ring with a card containing a list of all the managers it can
access. A manager cannot be accessed without an admin token that contains a certificate for that
specific manager.
- The admin token is designed to be carried in a pocket and is fairly small. Once the shipping
card is removed, all admin tokens look alike. You should place the admin tokens on unique
key rings or mark them with an indelible marker. Without inserting each token into the USB
port of a console and reading the stored information, there is no easy way to identify specific
admin tokens.
- You should track the locations of all your admin tokens on paper. Admin tokens that are
actively used on the system can be easily kept track of, but not all admin tokens will be used.
Those admin tokens used as backups, or left unassigned, should be kept under positive
control.
You must insert your admin token into an available USB port to log in.
- The USB ports on most monitors turn on and off with the monitor power. If you turn off the
monitor as a power-saving measure, power to the admin token is lost and you will be logged
out of the system.
The admin token should be inserted straight into the USB port. If the token does not slide in
easily, check that the plastic guide is aligned properly. A red LED in the admin token lights
when it is inserted properly.
- If the admin token is removed from the USB port at any point during the login process or
during an active session, the control center immediately logs you out. This can produce
unexpected results for tasks you may have underway on the system.

3.3 Logging in for the first time for MP


The first time you insert a new admin token and open the BOUNCER Login screen, all the
information from the factory displays. Notice the primary and secondary bouncers (referred to as
managers) and security groups all have the same names, and the IP addresses of the bouncers
are all set to the default values.

Note: Managers, or Bouncers, can be redundant on Ovation Security Centers.

To begin, you must look at the information in the Select Manager list box and determine which
bouncer or manager you want to access. The Serial Number data field contains the serial number
of the manager. This number is shown on both the bottom of the appliance as well as on the label
on the rear of the appliance. By selecting the line item with the matching serial number, you can
be sure you are logging into the correct manager.

After a successful login, you can change the default name of the manager to an easily
recognized name. This updates the admin token, and you probably will not need the serial
number again. Likewise, security group names and IP addresses will automatically be updated on
your admin token following a successful login to the manager.

There are several setup events that take place when you login to a new manager with no
accounts, use a new admin token, attempt to login to a manager that has its IP addresses
changed from those stored on your admin token, or login to a manager for the first time with other
existing accounts. Refer to the Normal Login procedure (see page 126) for information on the
standard process. The following sections describe special setup events when logging in for the
first time.

3.4 Normal Login procedure for MP


The following steps describe the normal login procedure using a control center appliance,
manager, and admin token where an account has already been established and the IP addresses
of all the appliances have been properly set.

1. Turn on the control center appliance CPU unit and display. The control center appliance boots
and displays the Welcome dialog box requesting your admin token.
2. Insert one or more admin tokens. Click Read Token (may need to be done twice for RDP).
The admin token light will flash several times as the control center reads its stored information
and then displays the BOUNCER Login screen.
3. Select an admin token (if more than one) from the Select BOUNCER Token list box in the
upper left of the screen. This displays a list of all managers the selected admin token is keyed
to access.
4. Select a manager from the Select Manager list box in the center of the screen. You may have
a manager you use regularly to access the system, or perhaps another administrator has
already assigned you a manager.
5. Click Login to continue the login process. The control center appliance may be able to
immediately access the manager, or it may take some time to establish a secure connection
to the manager during which an hourglass cursor appears.
6. The Enter Password dialog box opens prompting you to enter your passphrase.
7. After entering your passphrase, click OK and you will be successfully logged in.

Note: The Enter Password dialog box is not opened unless the console is able to open a secure
connection to the requested manager.

If you enter an incorrect password, an error message is displayed. Click OK to return to the
Enter Password dialog box.
8. Begin your system management tasks. Once your password is verified by the manager, the
BOUNCER Control Center Dashboard screen opens.

3.4.1 To generate a password for MP

For first-time setup only:


- The initial password is 32 to 255 characters long.
- The initial password used during testing is: emersonprocessmanagementsecurityserver
- The password can be changed inside the UI once the token is initially authenticated. The
minimum password is 8 characters.
- Once logged in, the first token/login is the Primary Administrator. This pair must be protected.
If it is lost, the Manager must be shipped back to CoreTrace to be unlocked.

3.4.2 To change your password for MP

A regular or master administrator can change their personal password when they are logged in to
the system. Fail-safe administrators cannot change their own passwords or the password of
another account. The process to change a password is shown below:

1. Navigate to the change password function. Select the Configuration tab and click the
Administrators selection button.
2. Display the account of interest. Select the subgroup or account in the navigation pane to
display the desired administration account in the Administrators control table.
3. Identify the account to change. Click the check box next to the account you want to change
the password for.
4. Select the Change Password option from the drop-down menu under the Administrators
selection button. The Change Password for Administrator dialog box opens.
5. Enter your old password followed by your new password twice.
6. Click OK to change the password. You will be prompted to make corrections if you did not
enter the password properly.

In the event you forget your password, a master administrator can reset your password to a
known value. The process is the same as above except the master administrator selects the
account of the administrator that wants a new password.

Selecting Change Password displays the Change Password for Administrator dialog box, but the
master administrator must first enter his or her password for verification before the new password
can be set.

3.4.3 To set a password or passphrase length for the MP security group


1. Click the Configuration tab.
2. Click the Security Group button.
3. Click the Settings tab on the lower part of the right-pane.

4. Expand the Configurable Security Group Settings area.


5. Enter the minimum length passphrase allowed by the system in the Minimum Passphrase
Length field.
6. To verify the changed password length, log out and log back in to the system.
Although the password length change goes into effect immediately for anyone newly logging in
to the system, your active account is not immediately changed. The system allows you to
change the password in accordance with the new length setting.

Note: The minimum passphrase length is set to 8 by default. The passphrase can be any value
between 8 and 255.

3.4.4 To change your passphrase for MP


1. Click the Configuration tab.
2. Click the Administrators button.
3. Select the account in the right-pane for which you want to change the passphrase.
4. Select Modify Passphrase > My Passphrase from the Administrators button if you are
changing your own passphrase.
5. Select Modify Passphrase > Administrators if you are changing the passphrase for another
administrator. The Change Passphrase for BOUNCER Admin dialog box appears.
6. Enter your old passphrase in the Old Passphrase field. If you are a master administrator that
is resetting another administrator's passphrase, enter your personal passphrase in this field.
7. Enter your new passphrase in the New Passphrase and Confirm New Password fields.
8. Click OK.

3.4.5 To log out of MP

There are two recommended options to log out:

- Choose Logout from the menu options under the BOUNCER Control Center button.
OR
- Left-click the close window box in the upper right corner of the main screen.
Both of these methods begin a normal logout, which saves all information appropriately and
returns you to the BOUNCER Login screen.

At this point you should remove your admin token from the USB port, and if desired, you can
power down the control center appliance by clicking Shutdown.

3.4.6 To add clients for Windows devices for MP


1. Log in to the End Workstation as the administrator.
2. Make sure that any virus protection is turned off.
3. Open a command line. Type in ctsetup 192.168.124.17.
4. Ping 192.168.124.17 (to verify communication).

- The ctsetup 192.168.124.17 program begins to generate information to the console and
eventually stops running after a few minutes. The CtSetup.exe program must continue to
run while waiting for approval by the BOUNCER Administrator.
5. Log in to the Primary Manager (192.168.124.17).
6. Click the Management tab.
7. Click the New Systems button.
8. Select the check box for the system that you want to authorize.
9. Click Authorize at the top of the table or Authorize New Systems under the New Systems
drop-down button.
10. Select the most recent system software from the Authorize software version list.
Check Authorize to use: Rollover Block.
11. Click Next.
12. Select the Inactive policy.
13. Click Finish.
14. Click the Systems button and verify that the system has been imported. This may take 10 to
15 minutes.
15. On the end unit, the command process finishes. This forces a reboot. If an automatic reboot does
not occur, reboot the machine.
16. Once rebooted, the machine will have the Bouncer installed with no whitelisting enforced.

3.5 Generating a whitelist


A whitelist is a list of software programs that are considered safe to run on your system. Software
programs that are not on the whitelist are blocked and not allowed to execute.

Whitelists should only be generated after the workstation has been verified to be free of viruses,
malware, and any other unwanted applications.

3.5.1 To generate a whitelist (one device at a time)


1. Install and authorize the Bouncer Client.
2. Verify that the machine is ready, all software has been installed and configured, and that the
machine is clean (no malware).
3. Make sure all installation files (such as leftover EXEs, MSIs, and so on) are removed from the
system, or they will be added to the whitelist.
4. Login to the Primary Manager.
5. Click the Management tab.
6. Click the Systems button.
7. Check the system you want to generate the whitelist for (only one system at a time).
8. Click the Systems drop-down menu and select AutoGenerate System File Policy. The
Autogen Client Policy window appears.
9. Depending on how much you want to protect, select either:
- All Local drives.
- System drive (the drive where the operating system is installed).


10. Select the With Event Forwarding check box so that a syslog message is generated if these
files are altered.
11. Click OK to start the scans. The Autogeneration window appears.
12. Click OK. The system scans the client. After a period of time, a File policy with the name of
the system is created.
13. Click the Policy button to check for the file policy and to view progress of the whitelisting.
14. Look for a policy to appear in the window that has the same name as the Ovation device.
15. Refresh using F5. The new policy will have the System Host Name, recent time, and auto file
policy information displayed.
16. Repeat for all Ovation devices.

3.5.2 To autogenerate a whitelist policy


1. Access the Bouncer Control Center by using ctremote.exe.
2. Connect to the Primary Manager (192.168.124.17).
3. Select a workstation for whitelist generation. Navigate to the Management tab -> Systems ->
select a workstation with a check box.
4. Select the Systems drop-down menu -> Autogenerate System File Policy
5. Select All Drives.
6. Enable With Event Forwarding.
7. Click OK.
8. Verify whitelist creation. Select the Management tab -> Policies.
9. New whitelists are displayed after generation is complete.
10. Press F5 to refresh the Policies screen.
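As an added illustration of the allowlist idea behind 3.5.1 and 3.5.2 (example code, not the Bouncer client's own, whose internal mechanism the page does not describe), the following Python builds a hash baseline of a constructed directory tree, reports leftover installer files instead of whitelisting them (step 3 of 3.5.1), and then flags executables that are missing from the baseline or have been altered, which is the condition that With Event Forwarding reports to syslog. The file names, extension lists and the sample tree are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Installer artifacts that must be removed before autogeneration, or they end up
# on the whitelist (constructed list of suffixes and file-name hints).
INSTALLER_SUFFIXES = {".msi", ".msp"}
INSTALLER_NAME_HINTS = ("setup", "install")
# File types treated as executable content for the baseline (assumption).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".msi", ".msp", ".bat", ".cmd", ".ps1"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_installer(path):
    """Heuristic for leftover installers: MSI/MSP files or setup/install EXEs."""
    name = path.name.lower()
    suffix = path.suffix.lower()
    return suffix in INSTALLER_SUFFIXES or (
        suffix == ".exe" and any(hint in name for hint in INSTALLER_NAME_HINTS))


def _executables_under(root):
    """Yield (relative_posix_path, Path) for every executable file under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            p = Path(dirpath) / fn
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                yield p.relative_to(root).as_posix(), p


def generate_whitelist(root):
    """Return (whitelist, leftovers): whitelist maps relative path -> SHA-256
    for each executable; leftovers lists installer artifacts that were found
    and deliberately NOT whitelisted, so the operator can remove them and rerun."""
    whitelist, leftovers = {}, []
    for rel, p in _executables_under(root):
        if looks_like_installer(p):
            leftovers.append(rel)
            continue
        whitelist[rel] = sha256_of(p)
    return whitelist, leftovers


def check_against_whitelist(root, whitelist):
    """Return (event, path) pairs: 'blocked' for an executable not on the list,
    'altered' for a listed one whose content no longer matches its baseline hash."""
    events = []
    for rel, p in _executables_under(root):
        if rel not in whitelist:
            events.append(("blocked", rel))
        elif sha256_of(p) != whitelist[rel]:
            events.append(("altered", rel))
    return events


def demo():
    """Build a constructed endpoint tree in a temp dir and run both phases."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Ovation" / "bin").mkdir(parents=True)
        (root / "Ovation" / "bin" / "opctl.exe").write_bytes(b"MZ-constructed-1")
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ-constructed-2")
        (root / "Windows" / "readme.txt").write_text("not executable content")
        (root / "Temp").mkdir()
        (root / "Temp" / "OvationSetup.exe").write_bytes(b"MZ-leftover-installer")
        (root / "Temp" / "patch.msi").write_bytes(b"leftover msi")
        whitelist, leftovers = generate_whitelist(root)
        # After the baseline: an unknown binary appears and an allowed one is
        # modified in place. Both should be reported.
        (root / "Temp" / "dropper.exe").write_bytes(b"MZ-unknown")
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ-tampered")
        events = check_against_whitelist(root, whitelist)
    return {"whitelist": whitelist, "leftovers": leftovers, "events": events}


if __name__ == "__main__":
    result = demo()
    print("whitelisted:", sorted(result["whitelist"]))
    print("leftover installers (remove and rerun):", sorted(result["leftovers"]))
    print("events:", sorted(result["events"]))
```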

3.6 New Installation of Bouncer 5.x


New installations come pre-loaded with Bouncer 5.x. If the new installation is not pre-loaded, refer
to the following section: To update Bouncer (see page 142).

3.6.1 To upgrade OSC 1.x to OSC 2.x


1. Create a backup of the system by referring to Backing-up the MP appliance (see page 159).
2. Remove the currently installed MP software from the system, then begin re-installation of the
current MP software.
3. Log in to the Prime (A) Manager and create an Archive/Backup.
4. Log in to the Rollover (B) Manager and break the security group.
a) Click the Configuration tab.
b) Click the Security Group button.

c) Select Managers -> Leave Security Group from the Security Group button. The Leave
Security Group dialog box appears.

Figure 7: Leave Security Group window

5. Confirm that the proper Manager is leaving the security group. Consider the number of
queued endpoints and the impact on the security group. Click OK to begin the leave process.
Click Cancel to remain part of the security group.
6. The Prime Manager Change dialog box appears and warns you that you will be logged out of
the Manager. Click OK and you will be logged out of the Manager.
7. Login to the Manager again. The Manager appears in single Manager mode and the security
group name is reset to the default value.
8. Update Manager B to Bouncer 5.x.
Use the steps under To update Bouncer (see page 142).
The Bouncer 5.x update file is under \Coretrace\xxxxx.upd.
9. Remove clients from Manager A, using either:
- Manual removal.
- Removal from Manager A.
10. Add Clients to Manager B.

Note: Typically, endpoints are brought over and rebooted one at a time. The process may take
time since a reboot is required for each endpoint. You can perform the process en masse, all at
one time, or over time at your pace. You will be without failover capability during the
transition; therefore, if you intend to bring over endpoints en masse, you should evaluate the
amount of risk involved.

11. Once ready to join together, refer to the Security Group Rollover section: To create a Security
Group/Rollover (see page 132).

3.6.2 To configure Manager Settings


1. Click the Configuration tab.
2. Click the Managers button.

3. The Managers appear in the right-pane. Select the Manager you are going to configure (in
this case, there should only be 1 manager):

4. Click the Settings tab, if not already selected.


5. In the Settings area, configure as shown below:

- Allow Remote Access – allows Remote Desktop Protocol (RDP) to the manager.
- Manager – name of the Manager being configured.
- Maximum Bandwidth FROM Manager – the maximum bandwidth the manager is
allowed to use when communicating with an individual client or another manager.
- Maximum Bandwidth TO Manager – the maximum bandwidth the manager accepts
when communicating with an individual client or another manager.
- Report Server IP – the IP address of the BOUNCER report server with which the
manager is communicating. (This is not used.)
- TCP Communications Port – the port over which the manager communicates with
clients and managers. In default OSC installs, this should be 63159.
- Total Bandwidth FROM Manager – the total maximum bandwidth the manager is
allowed to use when communicating with all clients and other managers.
- Total Bandwidth TO Manager – the total maximum bandwidth the manager accepts
when communicating with all clients and other managers.

3.6.3 To create a Security Group/Rollover


1. Log in to the Rollover Manager.
2. Click the Configuration tab.

3. Click the Security Group button.

4. Select Managers -> Request to join a Security Group from the Security Group button.

5. The Join Security Group dialog box appears.

6. Enter the IP Address of the Prime 5.x Manager. This should be the IP address of the first
machine upgraded to 5.x or one that you have specified if on a new install.
7. Log in to the Prime 5.x manager.
8. Click the Authorize New Managers link on the Dashboard.

9. The New Managers screen appears. The right-pane shows the Manager that has made the
request to join the security group.

a) To authorize a Manager to join the security group, click the check box next to the
Manager’s listing and click Authorize on the top-right corner of the right-pane.
b) You can also select Managers -> Authorize Manager from the Security Group button.
This may take time until the authorization process is complete and all the information is
displayed.

10. Click the Managers button. The new manager appears on the Managers screen with the
security group once it has been authorized.

11. Once the Second Manager appears, select the Prime Manager in the right-pane.

12. Select the secondary manager from the rollover field using the drop-down menu.
13. Confirm by clicking Yes when prompted.

3.6.4 To configure the Syslog Target


1. Click the Configuration tab on the Bouncer Control Center Main window.

2. Click the Security Group button.


3. Click the Syslog tab.

4. Select the top field and enter the IP address of the syslog server in the IP Address field. The
SIEM IP is 192.168.124.49 and should be a Syslog target.
5. Enter the name of the syslog server in the Name field. It may be difficult to keep track of
devices by IP address. Therefore, you can enter a common name, a DNS-type entry, or any
other descriptive information. For example, SIEM for the Nitro box.
6. Click the Settings tab on the lower part of the right-pane to configure syslog settings. Several
fields must be configured so that the event messages are syslog compatible.
7. Expand the Configurable Security Group Syslog Settings area.

8. Select the facility that identifies the origination and type of the syslog message in the Facility
field. The default value is 0 – kernel messages. There is a list of 24 standard options
available. You should choose the facility based on how your server will group these messages
together for analysis.
9. Enter the name of the system sending the syslog messages in the Hostname field. This is
generally set to the name of the Prime Manager in the security group as it is forwarding the
messages.
10. Enter the severity assigned to the syslog message for handling on the syslog server in the
Severity field. This is fixed for all syslog messages sent by the BOUNCER system and is not
related to the internal Level settings of BOUNCER events. By default this is set to 5 – Notice:
normal but significant condition.
11. Enter the time used to convert the event time from the Managers to the local time of the
syslog server in the Time Offset in Minutes field. If the Manager time is set to the same time
zone as the syslog server, the offset is 0. This can be a positive or negative number.
12. Return to the Syslog tab, right-click the syslog server entry and select Send Test.

13. A confirmation window appears on successful completion of the test.

14. A test message will be sent to that server. Verify that the server received the message. If not,
review the IP address and settings in the BOUNCER system and verify there is an open
network path between the prime manager and the syslog server.
15. Click OK.
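The facility, severity, hostname and time-offset settings above determine what the SIEM actually sees on the wire. The following added example (not code from the Ovation or CoreTrace product) builds an event the way a manager would forward it, decodes it the way a syslog collector would, and checks the decoded fields against the configured values. The line layout (RFC 3164, "<PRI>TIMESTAMP HOSTNAME TAG: MSG") and the "bouncer" tag are assumptions; the sample event and host name are constructed.

```python
"""Build and check the BSD-style syslog messages a BOUNCER manager forwards.

Added example, not code from the Ovation/CoreTrace product. Assumptions:
the line layout is RFC 3164 ("<PRI>TIMESTAMP HOSTNAME TAG: MSG") and the
tag "bouncer" is made up; the field semantics (facility, severity,
hostname, time offset in minutes) follow the Syslog settings described
in the procedure above.
"""
import re
from datetime import datetime, timedelta

SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; facility 0-23, severity 0-7 (RFC 3164)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def build_message(manager_time: datetime, hostname: str, text: str,
                  facility: int = 0, severity: int = 5,
                  offset_minutes: int = 0) -> str:
    """Render one event as the manager would send it.

    manager_time is the event time on the Manager's clock; offset_minutes
    is the Time Offset in Minutes setting that converts it to the syslog
    server's local time (0 when both are in the same time zone).
    """
    local = manager_time + timedelta(minutes=offset_minutes)
    # RFC 3164 timestamp: month name, space-padded day, HH:MM:SS
    stamp = f"{local:%b} {local.day:2d} {local:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} bouncer: {text}"


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")


def parse_message(line: str) -> dict:
    """Decode a received line into its fields, as a SIEM collector would."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES[severity],
            "timestamp": m["stamp"], "hostname": m["host"],
            "tag": m["tag"], "message": m["msg"]}


def check_source(parsed: dict, expected_host: str,
                 expected_facility: int = 0, expected_severity: int = 5) -> list:
    """Return the mismatches between a received event and the configured
    Syslog settings; an empty list means the SIEM sees what was configured."""
    problems = []
    if parsed["hostname"] != expected_host:
        problems.append(f"hostname {parsed['hostname']} != {expected_host}")
    if parsed["facility"] != expected_facility:
        problems.append(f"facility {parsed['facility']} != {expected_facility}")
    if parsed["severity"] != expected_severity:
        problems.append(f"severity {parsed['severity']} != {expected_severity}")
    return problems


def sample_message() -> str:
    """Constructed sample: Prime Manager clock five hours ahead of the
    syslog server, so the configured offset is -300 minutes."""
    return build_message(datetime(2012, 9, 14, 9, 5, 7), "prime-mgr",
                         "whitelist violation: C:\\tmp\\dropper.exe",
                         offset_minutes=-300)


if __name__ == "__main__":
    line = sample_message()
    print(line)
    print(check_source(parse_message(line), "prime-mgr"))
```

With the defaults from the procedure (facility 0, severity 5) every BOUNCER event carries PRI 5, so a SIEM rule keyed on facility or severity cannot distinguish event types; the distinguishing information is in the message text and the hostname, which is why the Hostname field should be set to the Prime Manager's name and checked after the Send Test step.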

3.6.5 To create Custom Security Configuration Groups

There are three standard Security Configuration Groups that machines may belong to:
• Whitelisted.
• Unsecured.
• Learning Mode.
1. Click the Management tab.
2. Click the Security Configurations button on the Bouncer Control Center window.

3. Select Custom Security Configurations in the left-pane.


4. Select Custom Security Configurations -> Add New Security Configuration from the
menu above the right-pane.

5. The Create New Security Configuration window appears.

6. Enter a name for the security configuration in the Security Configuration Name field.
7. From the Security Configuration Folder field, choose whether to place the new security
configuration in the default folder (leave Default Security Folder selected), in an existing
folder, or in a new folder (select <Select and type in folder name to create folder>).

If you choose to create a new folder, the window refreshes and you can enter a name for this
new folder. BOUNCER currently supports one level of security configuration folders.

8. Select your new security configuration in the left-pane. The right-pane refreshes to show your
security configuration.

9. Repeat these steps to create all three groups.

3.6.6 To configure Security Configuration settings


1. Click the Management tab on the Bouncer Control Center window.
2. Click the Security Configurations button.

3. Select Custom Security Configurations in the left-pane. Start with the Whitelisted Security
Configuration.
4. Select your security configuration in the left-pane. The right-pane refreshes to show your
selected security configuration.

5. Double-click Settings. The Settings window appears.

6. Select an option in the Bouncer Protection Settings area.


• Select the Secured option in the Bouncer Protection Settings area to enforce whitelisting.
• Select the Unsecured option to leave the client installed, but with no whitelist
enforcement.
• Select the Learning Mode option to report violations to the security configuration without
enforcing the whitelist.
7. Configure the remaining protection settings.

8. Configure the Trusted Change Settings as shown below:

• Select the Enable Remove Programs/Uninstallers in Baseline option if you want the
baseline scan to identify and automatically trust the uninstallers. This allows any user to
run Add/Remove Programs to remove existing programs.
• Select the Enable Trusted ActiveX Installation option if you want to allow ActiveX
controls in the Web browsers to be updated automatically. In this mode, any ActiveX
controls signed with digital signatures approved as a part of the trusted digital signatures
section of the security configuration are allowed to install. Any controls not signed by
approved digital signatures fail to install.
• Select the Enable Safe Trusted User option if you want to allow trusted users to execute
any digitally signed programs, even if they are not approved by their system’s security
configuration. Disabling this option with Trusted User enabled allows any application,
including those not digitally signed, to be started at your discretion.
• Select the Enable Trusted User for All Local Administrators option if you want to allow
local system administrators to be considered trusted users. This is generally
recommended when you have implemented the principle of least privilege, and users are
not typically logged on as local Administrators.
• Enter the message in the Custom dialog text for Trusted User warnings text area if
you want to provide a custom message to trusted users when they are about to perform
an operation that changes the baseline.
9. All remaining settings can be left as defaults.
10. Repeat the changes for Unsecured and Learning mode groups making necessary alterations
to the Protection settings.

3.6.7 To create System Install file


1. Click the Management tab on the Bouncer Control Center window.

2. Click the Security Configurations button.

3. Select Custom Security Configurations in the left-pane.


4. Select the check box for your security configuration in the right-pane.

Note: Do this for the Unsecured Configuration Group.

5. Select Custom Security Configurations -> Create System Install File from the menu
above the right-pane. A new screen appears.

6. Select the security configuration you want to use when creating the system install file from
the Secured with Selected Security Configuration field.
7. Select the version of system software you want to install on endpoints from the Install the
Selected Software Version field.
8. Click Finish on the top-right corner of the window.

9. Select the location where you want to save the system install file from the window that
appears and click OK.

Note: The System Install File contains the IP address and unique identifier for the manager that
created the file. It also contains the name of the security configuration to apply on the endpoint
from the manager. You can continue to edit the security configuration on the manager and the
System Install File always installs the latest version.

3.6.8 To update Bouncer


1. Click the Configuration tab on the Bouncer Control Center window.

2. Click the File Transfer button. The File Transfer Wizard appears.

3. Choose Inbound: From external drive to Console in the File Transfer Direction area.
4. Choose Update in the File Type area.
5. Click Next. The Inbound Config tab of the File Transfer Wizard appears.

6. Click Browse. Select the update file from the Open dialog box and click Open. The update
file has a .UPD extension.

7. Click Next. The Confirm tab of the File Transfer Wizard displays.

8. Click Finish.

9. Click the Updates button. The Update Software wizard appears.


• Select Update Manager software to update the Manager software.
• Select Update System software to update endpoint software.

10. Click Next. The Software Version tab appears.

11. Select the software version to which you want to upgrade the Manager or endpoints,
depending upon your selection in the last step. These updates correspond to the software
transferred from the CD/DVD or USB media to the Manager. If the latest version does not
appear in the list, the transfer was not completed properly.
12. Click Next. The Confirm tab of the Update Software wizard appears.

13. If everything is correct, you can start the update by clicking Finish. During updates of the
Manager, the appliance reboots and you will need to log in again.

Note: Update the software for your appliances when you are reasonably sure there are no
possible power fluctuations or outages. In the event power is lost to the appliance during a
software update, the update may fail and lock the appliance. You will have to re-install from the
original USB recovery drive or possibly send the appliance to CoreTrace for repair.

14. Verify the software update when you log back into the Manager.

3.6.9 To verify a software update to a Manager:


1. Click the Configuration tab on the Bouncer Control Center window.
2. Click the Managers button.
3. Select the Manager you just updated in the right-pane.

4. Click the Settings tab in the right-pane and check the Software Version field to verify that the
Manager has been updated correctly.

3.6.10 To verify a software update for endpoints:


1. Click the Configuration tab.
2. Click the Managers button.
3. Select the Manager you just updated in the right-pane.
4. Click the Available Products tab in the right-pane and verify that the endpoint software
(Desktop) was uploaded in the list of products.

3.6.11 To install Clients and deploy via Active Directory


1. Click the Management tab on the Bouncer Control Center window.
2. Click the Directory Services button.

3. In the right-pane, right-click and select Enter Active Directory Credentials from the pop-up
menu.

4. Enter Active Directory Credentials in the Enter Active Directory Credentials dialog box.

5. Enter a login account for Active Directory in the Active Directory Admin User field.

Note: You should not use a Domain Administrator account. Use an account that has permission
to view Active Directory.

6. Enter the corresponding password in the Active Directory Admin Password field.
7. Enter the TCP/IP address of the server where Active Directory is running in the Active
Directory Server IP Address field.

8. Click OK. The right-pane displays all systems listed in the Active Directory, with a collapsible
tree view of all organizational units represented in the left-pane tree view.

9. Select the system(s) to which you want to deploy BOUNCER software, right-click and select
Get IP Address for Selected Systems from the pop-up menu. This allows BOUNCER to find
the current IP address for the destination systems.

10. Select the system(s) to which you want to deploy BOUNCER software, right-click and select
Deploy Installer to Selected System(s) from the pop-up menu.

11. Once the BOUNCER software has been deployed and executes, the new system(s) appear in
the Pending Systems folder System tab, and will show a status of Deployed in the Active
Directory view.

3.6.12 To install Clients and deploy manually


1. Copy ctSetup and the SIF file created in To create System Install file (see page 140) to the
local machine.
2. Open a command prompt and change to that directory.
3. Start the installation with the command ctsetup -F ctSetup.sif, where ctSetup.sif is the
filename of the install file you created.
4. The machine contacts the manager and installs the client. Once completed, the machine
becomes part of the Configuration group from where the SIF file was generated.

3.6.13 To move systems between security configurations


1. Drag-and-drop: in the Security Configurations window, drag the system from the Systems
tab of its current security configuration to the folder of the security configuration to which it
should be moved.

2. Select the system on the Systems tab and select Systems -> Move System from the menu
bar above the right-pane.

3. Click your selection and the Move System to Security Configuration window appears.

4. Select the new security configuration in the list and click OK.

Note: When moving into a Secured configuration, Trust is applied and a new whitelist is
auto-generated. No reboot is necessary.

3.6.14 To create archives (Backups)


1. Click the Configuration tab on the Bouncer Control Center window.
2. Click the Managers button.
3. Select the Manager you want to archive in the right-pane.
4. Select Archive -> Create On from the Managers button, and choose Local Manager to save
the backup to the Manager itself, or choose Network Share to save the archive to a shared
directory on a network resource.

An hourglass appears while the Manager is ‘locked’ and the archive is being created. A
Manager archive is always identified with the .ARC file extension.
5. If you selected Network Share, the Create Archive for All Managers dialog box appears.

6. Enter the path to the network share in the UNC Directory Pathname field.
7. Enter your username for accessing this network share in the Username field.
8. Enter the corresponding password in the Password field.
9. Click Test Share Access to test access to the network share.
10. Click Archive Now to save the archive to the network share.

When the archive has been created, a confirmation dialog box appears showing the name of
the archive file and the name of the Manager for which it was created.

Note: Do not change the names of the archives on your network share. During an archive
restore, both the filename and the digital signature are checked against the current manager to
ensure the proper archive is being loaded. For this same reason, make sure you create a new
archive if you change the manager’s name.

3.6.15 To restore backups


1. Click the Configuration tab on the Bouncer Control Center window.
2. Click the Managers button.
3. Select the Manager in the right-pane that you want to restore using this archive file.
4. Select Archive -> Restore From from the Managers button. Select Last Archive to restore
the Manager using the last archive that was generated on the local manager or was
transferred in using the file transfer function. Select Network Share to select an archive file
from your network.

5. If you chose Network Share, the Restore Archive dialog box appears.

6. Enter the path to the network share in the UNC Directory Pathname field.
7. Enter your username for accessing this network share in the Username field.
8. Enter the corresponding password in the Password field.
9. Click Test Share Access to test access to the network share.
10. Click Restore Archive to restore the archive from the network share.

Note: Do not change the names of the archives. During an archive restore, both the filename
and the digital signature are checked against the current manager to ensure the proper archive
is being loaded.

11. When the Manager has been restored with the archive, a confirmation dialog box appears
showing the archive information and warning that the Manager will reboot. Click OK.
12. After the Manager reboots, verify that the systems, administrators, policies, and so forth are
restored to the previous state.

3.6.16 To add Trusted Domain users


1. Click the Management tab on the Bouncer Control Center window.

2. Click the Security Configurations button.

3. Select Custom Security Configurations in the left-pane.


4. Select your security configuration in the left-pane. The right-pane refreshes to show your
security configuration.

5. Double-click Trusted Users. Select Trusted Users -> Add New Trusted Users or right-click
and select Add New Trusted Users.

6. In the Add Trusted Users dialog box, the login credentials appear in the fields at the top. If
you have not yet connected with Active Directory you will need to supply the account and
password and the IP address of the Active Directory, and then click the Query Active
Directory button. The users listed in Active Directory are displayed.

7. Select the user(s) that should be trusted, and click Next.

8. Confirm that these are the trusted users you want to add to the security configuration and
click Finish. When finished, the Trusted Users area lists the users you added.

3.7 Scrubbing your system


Once your computer system is in a licensed and authorized configuration from your IT staff, you
can begin to build your first policies to protect the system.

However, over time, unauthorized and potentially malicious software may accumulate on the
system: viruses may arrive as email attachments, vulnerabilities may be exploited and files copied
onto the system, and the system user may even load unauthorized software.

These programs will not run because of the policy you have applied to your system. However, you
should periodically remove them from the system – especially if you want to generate a new
policy. To remove them, you need to scrub the client.

The scrubbing process is similar to the file policy autogeneration process. The client scans the
system and compares the computed pathname, size, and digest of the detected files to the
existing policy. If there is not a match, the executable is deleted.

The scrub client capability works only when there is at least one file policy and a settings policy
with the global execute restrictions enabled in the policy on the client. Any directory policies that
allow write access are ignored (unless there are files in the directory that are write protected).
Information about the deleted file is entered into the client log as a Level 4 event and also
forwarded to the client’s licensing manager.

A dialog box shows you the system and one additional drive for a desktop client, while on a server
client you can select from any of the available drives. By default, the scrub process will NOT
delete the executable files, but will generate events with the files it would delete. If you want to
immediately delete the unauthorized files check the Delete Files selection in this dialog box.

Because the scrub process uses the same routines for automatic file policy generation, the scrub
process will fail if there is an automatic file policy generation in progress on the same client or the
scrub process is already running. In these situations, the system displays an information message
dialog box.
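The scrub comparison above (pathname, size and digest against the file policy, report by default, delete only when asked) and the Secured / Unsecured / Learning Mode protection settings from the security configuration procedure are the same whitelist decision applied in two places. The following added example (not code from the Ovation or CoreTrace product) implements that decision over a small constructed directory tree: it autogenerates a baseline policy, then scrubs after a new binary has been dropped and a baselined one tampered with. The client's real policy format and its rule for recognising executables are not on the page; the example assumes a policy keyed by relative path holding (size, SHA-256) and a fixed set of executable extensions.

```python
"""Whitelist decision and scrub pass over a directory tree.

Added example, not code from the Ovation/CoreTrace product. The client's
real policy format and how it recognises executables are not on the page,
so this assumes a policy keyed by path (relative to the scanned root,
forward slashes) holding (size, sha256) and treats a fixed set of
extensions as executables. The three protection modes mirror the
Secured / Unsecured / Learning Mode settings of a security configuration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd"}  # assumption
MODE_ACTIONS = {"secured": "block", "learning": "report", "unsecured": "allow"}


def file_identity(path: Path) -> tuple:
    """(size, sha256 hex digest): the identity the policy stores per file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return path.stat().st_size, digest.hexdigest()


def policy_key(root: Path, path: Path) -> str:
    """Root-relative path with forward slashes, used as the policy key."""
    return str(path.relative_to(root)).replace(os.sep, "/")


def executables(root: Path):
    """Yield the files under root whose extension marks them as executable."""
    return (p for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)


def build_policy(root: Path) -> dict:
    """Baseline scan: trust every executable currently present (autogeneration)."""
    return {policy_key(root, p): file_identity(p) for p in executables(root)}


def decide(policy: dict, root: Path, path: Path, mode: str) -> str:
    """Action for one executable: 'allow' when path, size and digest all match
    the policy, otherwise whatever the protection mode prescribes."""
    if policy.get(policy_key(root, path)) == file_identity(path):
        return "allow"
    return MODE_ACTIONS[mode]


def scrub(policy: dict, root: Path, delete: bool = False) -> tuple:
    """Scrub pass: list every executable the policy does not authorise and,
    only when delete=True (the Delete Files check box), remove it."""
    unauthorized, deleted = [], []
    for path in executables(root):
        if decide(policy, root, path, "secured") == "block":
            unauthorized.append(policy_key(root, path))
            if delete:
                path.unlink()
                deleted.append(policy_key(root, path))
    return unauthorized, deleted


def demo() -> dict:
    """Constructed sample tree: baseline one program, then add a dropped
    binary and tamper with the baselined one before scrubbing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "good.exe").write_bytes(b"MZ good program")
        (root / "notes.txt").write_bytes(b"not an executable")
        policy = build_policy(root)
        (root / "app" / "dropper.exe").write_bytes(b"MZ unknown program")
        (root / "app" / "good.exe").write_bytes(b"MZ good program, patched")
        modes = {m: decide(policy, root, root / "app" / "dropper.exe", m)
                 for m in MODE_ACTIONS}
        dry_run, dry_deleted = scrub(policy, root)   # default: report only
        _, deleted = scrub(policy, root, delete=True)
        remaining = [policy_key(root, p)
                     for p in sorted(root.rglob("*")) if p.is_file()]
        return {"policy": sorted(policy), "modes": modes, "dry_run": dry_run,
                "dry_run_deleted": dry_deleted, "deleted": deleted,
                "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to the product: a modified baselined program is just as unauthorized as a newly dropped one, because the digest no longer matches, so a scrub after a legitimate patch will remove the patched binary unless the policy was regenerated first; and the report-only default is what lets you review the list before checking Delete Files.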

3.7.1 To scrub your system


1. Navigate to the scrub client function.
2. Select the Management tab.
3. Click the Systems Selection button.
4. Display systems of interest.

5. Select the appropriate item in the navigation pane to display the desired systems in the
Systems control table.
6. Identify the systems to scrub.
7. Click the check boxes to the systems to be scrubbed.
8. Select the scrub options.
9. Select the Scrub System option from the drop-down menu under the Systems selection
button.
10. Click the check box next to Delete Files if you want to delete the unauthorized files from the
endpoint system.
11. Click OK to start the scrub process.
12. Click OK to close the confirmation dialog box.

The scrub process runs silently to completion, but detected and deleted file information appears in
the event log and scrub system reports.

Note: Do not forget to go back and scan the remaining drives before you autogenerate a new
file policy. All drives should be scrubbed to ensure only authorized executables remain.

3.8 Creating Reports and Logs for MP


You can create reports containing all the information on a manager’s configuration. There are two
types of reports available. One contains the manager’s basic configuration and the second
contains the manager’s installed software (that is, products and product licenses). Each report is
in a tab-delimited format and saved in a folder called Reports on either your local machine or the
manager, depending on your configuration. This report file can be retrieved using the control
center’s file transfer capabilities.

You can also create a report containing all the information on an administrator’s configuration.
This report is in a tab-delimited format and saved in a folder called Reports on either your local
machine or the manager, depending on your configuration. This report file can be retrieved using
the control center’s file transfer capabilities.

3.8.1 To create an Administrator Report for MP


1. Navigate to the administrator screen. Select the Configuration tab and click the
Administrators selection button.
2. Select administrator. Click the check box next to an administrator for which you want to
generate a report. Select Report on Administrator from the drop-down menu under the
Administrators selection button. A Report Configuration dialog box opens.
3. Enter a new report name or leave the default of the administrator name and date.
4. Click OK to create the report or Cancel to exit.

3.8.2 To create a Manager Configuration Report


1. Navigate to the manager screen. Select the Configuration tab and click the Managers
selection button.
2. Click the check box next to a manager for which you want to generate a report. Select
Report on Manager from the drop-down menu under the Managers selection button. A
Report Configuration dialog box opens.

3. Enter the new report name or leave the default of manager name and date.
4. Click OK to create the report or Cancel to exit.

3.8.3 To create a Manager software report


1. Navigate to the manager screen. Select the Configuration tab and click the Managers
selection button.
2. Click the check box next to a manager for which you want to generate a report. Select
Report on Software from the drop-down menu under the Managers selection button. A
Report Configuration dialog box opens.
3. Enter the new report name or leave the default of manager name and date followed by _S.

3.8.4 To import a Policy for OSC 2.0 Update 1


1. Click the Management tab.
2. Click the Security Configurations button.

3. Select Trusted Packages Archive in the Policy Components menu.


4. Right-click the canvas on the right side.
5. Select Import from the drop-down menu.
6. Browse to the policy files directory Coretrace\Policy.
7. Select a single policy (xxx.pol). Click Open.
8. Repeat until all policy files have been imported.

Note: Several generic policies need to be imported to support various OSC and Ovation
functions.

3.9 Backing up the MP appliance


Master administrators can create an archive of the manager database that can be used to restore
a manager in the event of system software or drive failure.

The archive is a snapshot of the manager’s configuration at a specific point in time. This archive
contains all the licenses, software, policies, and so forth on the manager. It does not contain a
backup of the manager’s system software, nor does it contain any of the event logs on the
manager.

In the event of system software or hardware failure, the manager must be shipped to CoreTrace
for repair using the RMA process. Without the manager functioning at a fundamental level you
cannot access it to install the archive. Once the manager is repaired to its factory default state,
the latest archive can be installed to restore it to the status captured in the archive.

WARNING! It is absolutely critical that you periodically create an archive of all your managers.
Keep a copy of your manager archives in a safe, readily available place. Although the
managers have a high degree of reliability, should they fail, the archives are the only way to
return them to their previous working state.

3.9.1 To backup the Malware Prevention appliance


1. Create a backups directory for the appliances on the Management Console (if not already
created).
2. Connect to the Malware Prevention appliance using ctremote.
3. Select the Configuration tab.
4. Select Create from the Archive drop-down menu. A message appears confirming that the archive was created successfully.
5. Select the OK button to continue.
6. Select Copy from Manager to Console from the Archive drop-down menu.

Note: This process completes without any indication.

7. Select the File Transfer tab.


8. Select Outbound for file direction.
9. Select Archive for file type.
10. Click Next.
11. Select the File button.
12. Browse to the destination directory: Tsclient\e:\osc\CoreTrace Backup. Highlight the file to
be transferred.
13. Click Next.
14. Click Finish.

3.9.2 To create an archive

To create an archive, you must be logged in as a master administrator.

1. Verify that no other administrators are logged-in.

Click the Configuration tab and then the Administrators selection button. Look at the
Manager data field in the Administrators control table and verify that no other administrators
are logged into the manager where you want to create an archive.
2. Select a manager. Click the Managers selection button and click the check box in the
Managers control table next to the manager on which you want to create an archive.
3. Begin archive. Click the Archive selection button and select Create from the drop-down menu.
The cursor changes to an hourglass showing the archive is being created.
4. Confirm archive. Once complete, a dialog box containing the name of the archive file and
manager appears. Click OK acknowledging the successful archive.
5. Copy archive to control center. Click the Archive selection button and select Copy From
Manager to Console from the drop-down menu. If you are copying from a manager to a
control center appliance, the cursor changes to an hourglass showing the archive is being
copied. If you are copying to the control center on the same manager, you may not see an
hourglass as it is accomplished quickly.
6. Backup archive. Follow the directions given in the File Transfer section to move the archive
file outbound from the control center to your computer. Archives are always identified with the
.ARC file extension. Store the archive in a safe, but readily available location.

Note: Do not change the format of the archive file’s name once you have transferred it off the
system. The control center checks the format of the file name before allowing you to transfer it
back to a manager for restoration.

3.9.3 To connect to the Admin Console

Note: When connecting a Workstation to the manager, you must check the following items:

1. Use a machine that is Microsoft XP SP2 or greater to connect to the manager.


2. Connect to the manager through a switch or a crossover cable, using the IP address 10.240.1.100 and
subnet mask 255.255.255.0.
3. Verify that the Admin token matches the manager.
4. Verify that the Workstation has the Microsoft Terminal Services Client installed (KB925876).

3.9.4 To connect to the Malware Prevention appliance


1. Insert the CoreTrace USB key into USB port on the management console.
2. Execute the CTRemote.exe file by double-clicking the icon on the desktop.
3. A CoreTrace connection window appears. The window contains entry fields for the IP address
of the Malware Prevention appliance, for example: (10.209.124.17).
4. Enter the IP address and select the drives you would like to share to the appliance. This
would be used for file transfers.
5. Select the OK button. A CoreTrace splash screen appears.
6. Select the Read Token button; the screen may flicker.
7. Select the Read Token button again. The CoreTrace Bouncer Login window appears.
8. Select the Login button.
9. Enter the password.
10. Select OK.

3.9.5 To update system licenses

Note: You must be logged in as a Master Admin to update licenses.

1. Upload the license.


2. Select the Configuration tab.
3. Click the File Transfer button. The Welcome Wizard appears.
4. Click Next.
5. Select Inbound.
6. Click Next.
7. Click Browse and find the license keys on the license CD.
8. Click OK.
9. Click Next. Confirm the information.
10. Click Finish.
11. Click the Configuration tab.
12. Click Managers.
13. Click the check box next to the manager you are altering.
• Make sure only one manager is selected.
14. Click the drop-down menu under the Licensing button and select Update.
15. Click Licenses on the Selected Manager.
16. Once completed, click OK.
17. Verify the licenses.
• Click the Configuration tab.
• Click the Manager button.
• Click the check mark for the Manager you want to view.
• In the bottom right-pane, click the Manager Licenses tab.
• Verify the dates and number of licenses.
18. Rename the Manager.

3.9.6 To verify the license


1. Click the Configuration tab.
2. Click Managers.
3. Click the check box next to the manager that you are altering.

Note: Make sure only one manager is selected.

4. Click the Licensing drop-down menu and select Update Client Licenses on Select
Manager.
5. Click OK and verify the license.
6. Click the Configuration tab.

7. Click the Manager button.


8. Click the Manager you want to view.
9. Click the Manager Licenses tab on the bottom right-pane.
10. Verify the dates and number of licenses.

3.10 Malware Prevention event reports to SIEM


Malware Prevention (CoreTrace) uses Syslog to send events triggered by violations of the
whitelist. The events are logged on the endpoint and then forwarded to the manager.

The manager can forward these events to multiple receivers using Syslog. Only the prime
manager of the CoreTrace pair needs to send Syslog messages.

3.10.1 To setup or verify that Syslog is pointing to the SIEM


1. Log in to the Primary manager (192.168.124.17).
2. Click the Configuration tab.
3. Click the Security Group button.
4. Click the Syslog tab in the Details pane.
5. If nothing is currently entered, add the following information:
• IP Address: 192.168.124.49
• Name: Nitro
6. Press F5 or click outside the pane after you make your entries.
7. You can send a test message by selecting the Test button, but no current Nitro report shows
that test message.

SECTION 4

Security Incident and Event Manager (SIEM) appliance

IN THIS SECTION

SIEM appliance overview................................................................................................ 164
Minimum requirements to login to the SIEM ................................................................... 165
Upgrade SIEM software .................................................................................................. 166
Login security information ............................................................................................... 178
User accounts and Groups .............................................................................................181
Profile management ........................................................................................................184
Configuring WMI Data Sources (Windows Devices) for Monitoring ............................... 189
Configuring Syslog Data Sources (Cisco and *nix Devices) for Monitoring ................... 191
Generating Reports for SIEM.......................................................................................... 194
Reviewing Data Sources and Policy Rollout................................................................... 199
Batch Data Source Management .................................................................................... 202
Updating Rules and Software ......................................................................................... 203
Views options .................................................................................................................. 204
Events, Flows, and Logs ................................................................................................. 204
Inactivity Threshold settings............................................................................................ 206
Managing Alarms ............................................................................................................ 207
Managing Watchlists ....................................................................................................... 213
Managing Recipients....................................................................................................... 215
Managing Conditions ...................................................................................................... 221
Network intrusion detection installation........................................................................... 222
Vulnerability assessment ................................................................................................244
Backup and Restore........................................................................................................ 249
Log Management ............................................................................................................251
Network discovery and configuration management ........................................................ 271
Using the Security Incident and Event Manager............................................................. 281
Appendices...................................................................................................................... 281


4.1 SIEM appliance overview


The Security Incident and Event Manager (SIEM) is a database auditing solution that automates
the collection, management, analysis, and visualization/reporting of database access for most
popular database platforms. SIEM provides you with a single view of information across devices
from multiple vendors. The vendor for the SIEM product is McAfee.

SIEM delivers a comprehensive, detailed security auditing solution for web and database
applications vulnerable to insider theft and application-layer attacks. SIEM ensures a proactive
approach to data security by monitoring all access to sensitive corporate and customer data.

SIEM provides continuous, real-time audit trails of all database activity by analyzing the
underlying database application protocols. The SIEM appliance can perform the following:
• Monitors logins and logouts.
• Monitors failed login attempts.
• Alerts on unauthorized access from particular logins or client computers.
• Alerts on unauthorized access to specific objects.
• Captures data changes originated by users.
• Tracks administrator-initiated access control or schema changes.
• Provides a complete audit trail of all requests that can be replayed in a controlled
environment.
The normalized and aggregated data are then correlated. The correlation of the normalized and
aggregated data provides you with an in-depth view into potential security threats.

Note: Due to the complexity of upgrading the SIEM portion from the OSC version 1.x (NitroView
8.2.0j or lower), Emerson recommends that you have your OSC updated by an experienced
service representative.

Contact your local field support office or sales representative for advice on upgrading your OSC.


4.2 Minimum requirements to login to the SIEM


To connect to the SIEM (McAfee ESMI), your system must meet the following minimum system
requirements:
• P4 Intel platform or AMD processor.
• Processor: 1 GHz or faster.
• RAM: 1 GB or greater.
• Monitor with a minimum resolution of 1024 x 768.
• Internet Explorer 7.x or later (Internet Explorer 6 has been tested and works for most
scenarios) or Firefox 1.5.0.4 or later.
• Windows OS: Client: Windows 2000/XP/Vista; Server: 2003 Server/2008 Server.
• Flash Player: Version 9.0.124.0 or later, or 10.0.12.36 or later.
Several features within NitroView use pop-up windows when uploading or downloading files. If
your Web browser has pop-up blockers enabled, it is recommended that you disable the pop-up
blocker for the IP address or hostname of your ESM.

Note: Emerson recommends that the SIEM (McAfee ESMI) be accessed from a machine that has
a Web browser that supports Flash 10.x or later and Acrobat Reader 9.x or later for viewing
reports. (The best practice is to use a machine that is not the OSC VSPM server, but a machine
that is designated solely for the purpose of connecting to any of the OSC appliances.)

4.2.1 To login to the SIEM


1. Enter the following URL into the browser's address bar:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may present a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log in using the user name and password. Typically, the first time you log in to the system,
you need to enter the default credentials.
4. On first login, change the password. Changing the password at this point is recommended
in order to conform to NERC-CIP regulations.

4.2.2 To change the password for SIEM


1. After a successful login, go to the toolbar in the upper-right corner of the main page and click
the user name that you logged in with. The Change Username and Password dialog box
appears.
2. The current user name appears in the Username field. Enter a new, unique user name.
3. Type your current password in the Enter your current password field.
4. Enter a new password in the Enter your new password field. Re-enter your new password in
the confirmation field.
5. Ensure that the password meets the following criteria:
  ◦ Be at least eight characters long.
  ◦ Include at least one number.
  ◦ Include at least one punctuation mark or symbol.
  ◦ Include at least one uppercase character.
6. Click OK to save your changes.
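The four criteria can be checked before the new password is typed into the dialog. The following shell function is an added example, not code from the OSC guide or from McAfee; it implements the rules exactly as listed above, and treats any character that is neither a letter nor a digit as a punctuation mark or symbol (an assumption, since the guide does not define the term):

```shell
# Added example (not from the OSC guide): validate a candidate SIEM password
# against the four criteria listed in the guide before entering it in the Change
# Username and Password dialog. Returns 0 when every criterion is met; otherwise
# prints each unmet criterion to stderr and returns 1.
check_siem_password() {
    pw=$1
    ok=0
    # Be at least eight characters long.
    if [ "${#pw}" -lt 8 ]; then
        echo "fails: fewer than eight characters" >&2
        ok=1
    fi
    # Include at least one number.
    case $pw in
        *[[:digit:]]*) ;;
        *) echo "fails: no number" >&2; ok=1 ;;
    esac
    # Include at least one punctuation mark or symbol (assumed here to mean any
    # character that is neither a letter nor a digit).
    case $pw in
        *[![:alnum:]]*) ;;
        *) echo "fails: no punctuation mark or symbol" >&2; ok=1 ;;
    esac
    # Include at least one uppercase character.
    case $pw in
        *[[:upper:]]*) ;;
        *) echo "fails: no uppercase character" >&2; ok=1 ;;
    esac
    return "$ok"
}

# Stand-alone usage: sh check_siem_password.sh 'Candidate-Passw0rd'
if [ "$#" -gt 0 ]; then
    check_siem_password "$1" && echo "password meets the SIEM criteria"
fi
```

Pass the candidate password as a single quoted argument so that symbols are not interpreted by the shell; a non-zero exit status lists every rule the candidate misses, not just the first.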

4.3 Upgrade SIEM software


Perform the following steps to upgrade an already working SIEM in OSC:

1. If you are running OSC version 1.x (SIEM is running NitroView version 8.2.0, or below),
contact Emerson for support.
2. If you are running OSC version 2.0 or later (SIEM is running NitroView version 8.4.2, or later),
the upgrade path is as follows:
OSC 2.0 (NitroView 8.4.2b) > OSC 2.0 Update 1 (NitroView 8.5.3) > NitroView 9.0.2a >
OSC 2.1 (McAfee ESM Interface 9.1.2).
a) To upgrade from OSC 2.0 to OSC 2.0 update 1, follow the instructions given in the To
upgrade from OSC 2.0 to OSC 2.0 update (see page 166) section.
b) To upgrade from OSC 2.0 update 1 to OSC 2.1, follow the instructions given in the To
upgrade from OSC 2.0 update 1 to OSC 2.1 (see page 169) section.

4.3.1 To upgrade from OSC 2.0 to OSC 2.0 update 1

Perform the following steps to upgrade the SIEM from OSC 2.0 to OSC 2.0 Update 1:

1. Perform a full backup of the SIEM prior to upgrade (Emerson recommendation).
2. Insert the OSC 2.1 SIEM disc 1 into the drive.
3. Click Local ESM under the System Navigation tree, and then click the Properties icon from the
SIEM main menu.


The Properties window appears:

4. Click ESM Management.


5. Click Update ESM.


The Select Software Update File window appears:

6. Click Browse.


The File upload window appears:

7. Click Browse. Navigate to the OSC 2.1 SIEM disc 1 and click the
\ESSREC_Update_8.5.3.tgz file. Click Open. Click Upload to upload the file to the SIEM.
Close the File upload window.
8. An Update ESM Software dialog box appears, stating that the ESM will reboot and that all
users will lose their connection. Click Yes to continue.
9. Another dialog box appears asking you to close the browser. Click OK.
10. The update may take a long time to complete depending on the database size. After the
upgrade completes, you can log back into the SIEM through a new browser session, or a
database rebuilding dialog box with a timed check may appear.
11. After you log on to the SIEM main screen, verify the version at the lower-left corner of the
window. It should be 8.5.3.

12. Record the data sources and then roll out the policy. See the Reviewing Data Sources and
Policy Rollout (see page 199) section for more details.

4.3.2 To upgrade from OSC 2.0 update 1 to OSC 2.1

Perform the following steps to upgrade the SIEM from OSC 2.0 Update 1 to OSC 2.1:

The upgrade path is as follows: OSC 2.0 Update 1 > NitroView 9.0.2a > OSC 2.1

1. Perform a full backup of the SIEM prior to upgrade (Emerson recommendation).


Note: If a full backup was performed as part of performing an upgrade from OSC 2.0 to OSC 2.0
Update 1, a second backup is not required.

2. Insert the OSC 2.1 SIEM disc 1 into the drive.


3. Click Local ESM under the System Navigation tree, and then click Properties from the SIEM
main menu.

The Properties window appears:

4. Click ESM Management.


5. Click Update ESM.


The Select Software Update File window appears:

6. Click Browse.


The File upload window appears:

7. Click Browse. Navigate to the OSC 2.1 SIEM disc 1 and click the
\ESSREC_Update_9.0.2a.tgz file. Click Open. Click Upload to upload the file to the SIEM.
Close the File upload window.
8. An Update ESM Software dialog box appears stating that the ESM will reboot and will cause
a loss of connection for all users. Click Yes to continue.


9. Another dialog box appears asking you to close the browser. Click OK to close the browser.

10. The update may take a long time to complete depending on the database size. After the
upgrade completes, you may log back into the SIEM through a new browser session, or you
may get a database rebuilding dialog box with a timed check.
11. After you log on to the SIEM main screen, verify the version at the lower-left corner of the
window. It should be 9.0.2.

12. Record the data sources and then roll out the policy.
13. From the SIEM main menu, click Local ESM under the Navigation Tree. Click Properties.


The Properties window appears as follows:

14. Click ESM Management.


15. Click Update ESM.


The Select Software Update File window appears as follows:

16. Click Browse.


The File Upload window appears as follows:

17. Click Browse. Navigate to the OSC 2.1 SIEM disc 1 and click the
\ESSREC_Update_9.1.2.tgz file. Click Open. Click Upload to upload the file to the SIEM.
The File upload window closes.


18. An Update ESM Software dialog box appears, stating that the ESM will reboot and that all
users will lose their connection. Click Yes to continue.

19. Another dialog box asking you to close the browser appears. Click OK to close the browser.
20. The update takes a long time to complete depending on database size. After the upgrade
completes, you may log back into the SIEM through a new browser session, or you may get a
database rebuilding dialog box with a timed check.
21. After you log on to the SIEM main screen, verify the version at lower-left corner of the
window. It should be 9.1.2.

22. Record the data sources.


23. Update the rules. A file can be found on the OSC 2.1 SIEM disc 1 under
\RuleUpdates_9001002_2012_08_08_24_10.zip. Alternatively, if available, the latest rule set
can be viewed on the Emerson OSC Updates website.
24. Roll out the policy (see the Reviewing Data Sources and Policy Rollout (see page 199)
section for more details).


4.4 Login security information


The Login Security screen allows you to define settings to control the number of allowed
consecutive failed login attempts, session inactivity timeout value, whether or not to display upon
login the name of the last user logged in, and RADIUS server authentication.

Note: The RADIUS option is only available in system administrator mode.

Standard Login Settings

The Standard Login Settings allow you to adjust the settings for standard login procedures. The
Allowed Failed Login Attempts value specifies the number of consecutive unsuccessful logins that
are allowed in a single session before the user account becomes locked. Once a user account is
locked, the system administrator must unlock the account before the user can log in again. Refer
to User accounts and Groups (see page 181). A value of 0 means that an unlimited number of
login attempts is allowed.

Note: A system administrator account can never be locked.

The Timeout Value specifies the amount of time with no activity that is required to occur before
the current session will be forced to the re-login screen. For example, if this value is set to 30
minutes, the application automatically opens the re-login screen after 30 minutes of inactivity. This
action forces users to login before they can resume their activities. The timeout value is specified
in minutes.

Note: Your session will timeout after 60 minutes of inactivity, regardless of the timeout value
setting.

The Show Last User ID upon Login check box will show the username of the last successful login
into NitroView if selected.

The ACL Settings button will display a window that allows you to restrict what IP addresses are
allowed to attempt to login to the SIEM. Leaving this window blank will place no restrictions on IP
addresses.

4.4.1 To access the Login Security menu


1. Navigate to the Login Security menu using the System Navigation tree.
2. Left-click the highest item, called System, located on the left-hand side of the screen.
3. Click the first button, Properties, on the small toolbar (Action pane) located just above the
System Navigation tree.
4. Click the Login Security item.


4.4.2 To enable Active Directory authentication

Note: After Active Directory Authentication is enabled, all users except for the system
administrator (usually NGCP) authenticate with Active Directory.

Perform the following steps to enable Active Directory authentication:

1. Click Local ESM under the System Navigation tree, and then click the Properties icon from the
SIEM main menu.

The Properties window appears.


2. Click the Active Directory tab on the Login Security page of the System Properties window.

3. Select the Enable Active Directory Authentication check box.


4. Click Add.
The Active Directory Connection window appears:

5. Enter the fully qualified domain name in ALL CAPS in the Domain Name field.
6. Click Add.
The Active Directory Address Information window appears:

7. For the primary domain controller, select the Administration server check box. Enter the IP
address of the primary domain controller in the IP Address field. If non-standard ports are
used, they may be entered here. Otherwise, click OK to close the Active Directory Address
Information window.


8. Click Add again on the Active Directory Connection window if there is more than one domain
controller on the system’s domain.
The Active Directory Address Information window appears.
9. Make sure the Administration server check box is clear.
10. Enter the IP address of the backup domain controller in the IP Address field. If non-standard
ports are used, they may be entered here. Otherwise, click OK to close the Active Directory
Address Information window.
11. Repeat Steps 7 through 9 until all backup domain controllers are added.
12. Click OK to accept the settings and close the Active Directory Connection window.
13. Click OK to close the System Properties window.

Note: This section describes only how to enable Active Directory authentication. More steps
need to be performed before the SIEM can use Active Directory users. Refer to the Appendix,
Creating Windows User for Active Directory Authentication and Log Collection (see page 286),
for the steps that need to be performed to log on to the SIEM with an Active Directory account.

4.5 User accounts and Groups


The SIEM (McAfee ESMI) has two types of user accounts:
• System administrator
• General user
The system administrator account(s) can grant privileges to general users by creating access
groups and assigning users to these groups. The system administrator is the only user that has
access to all areas of the system, including the Users and Groups area.

Groups contain users that inherit the privileges belonging to the group, including the right to
access the devices and policies associated with the group. When a group is added, devices,
policies, and privileges must be assigned before it becomes useful. You also have the ability to
add and view IP address filters and notifications. The Users and Groups window allows the
system administrator to add, edit, and remove groups.

The Users and Groups dialog box has two sections:
• Users are listed in the first section.
• Groups added to the system by the system administrator are listed in the second section.
The Users table lists the names of the users, the group(s) of which they are a member, and the
number of sessions that each user has open at the current time. The Groups table lists the group
names and a description of the privileges assigned to each group.

The information on these tables can be sorted by clicking the heading for the Username,
Sessions, or Group Name column, then clicking the arrowhead that appears.

4.5.1 To access the Users and Groups window


1. Click the System node in the System Navigation tree and Properties in the Action pane to
access the System Information screen.


2. Click Users and Groups on the System Properties screen. The Enter Password window
appears.
3. Enter the system administrator password.
4. Click OK. The Users and Groups window opens.

4.5.2 To remove users from the system


1. Select the user(s) to be removed in the users section of the Users and Groups window under
System Properties.
2. Click the Remove button. A window appears confirming that the selected user(s) will be
deleted.
3. Click Yes to delete the user.

4.5.3 To add a user to the system


1. Click the Add button in the Users section of the Users and Groups dialog under System
Properties. The Add User window opens.
2. Enter a username for the user.
3. Click Set Password. The Set Password dialog box appears.
4. Enter a unique password for the account and confirm the password.
5. Click OK.
6. If you need to disable the account, select the Disable Account check box. This action blocks
the users from accessing their account in McAfee ESMI.
7. If this user account is going to be used in conjunction with notifications, an e-mail address
should be associated with this user's account. To associate an e-mail address with a user
account, do one of the following:
  ◦ If the e-mail address is already on the system, click the drop-down list arrow in the E-mail
Address field and select an entry.
  OR
  ◦ If the address is not on the system, click the E-mail Address link. The Recipients window
opens, allowing you to add an e-mail address to the system. Once it has been added,
select it from the E-mail Address drop-down list.
8. Select the groups the user is to be a member of by clicking the check box located next to the
group name in the User is a member of section. To select all groups or to deselect all
groups, click the Select All or Select None buttons.
9. Click OK. The user is now added to the system with access to the functions designated to the
groups that were selected. The username appears in the Users section of the Users and
Groups screen.

4.5.4 To edit user account settings


1. Select the user name in the Users section of the Users and Groups window under System
Properties > Users and Groups.
2. Make sure you have the correct user selected and then click the Edit button. The Edit User
window appears.
3. Make the desired changes. Refer to: To add a user to the system (see page 182).
4. Click OK to save the changes.


4.5.5 To add a Group to the system


1. Click the Add button in the Groups section of the Users and Groups window under System
Properties. The Add Group screen opens.
2. Enter a name and description of this group.
3. Configure the group as desired by adding users, privileges, devices, policies, IP address
filters, and notifications.

4.5.6 To add a user to a Group

Note: This section describes how to add users to a group by editing the group. You can also
change a single user's group membership by referring to: To add a user to the system (see
page 182).

1. Click Users from the Add or Edit Group screen (System Properties > Users and Groups >
Add Group). A list of all available users appears.
2. Select the users you want to add to the group by clicking the check box next to the user
names or by clicking Select All.
3. Click Apply to save your settings and remain in the Add or Edit Group dialog box or click OK
to save your settings and close the window.

4.5.7 To edit a Group


1. Select the group you want to edit in the Groups section of the Users and Groups window
(System > Properties > Users and Groups).
2. Click the Edit button. The Edit Group window appears. From this window, you can make
changes to the name and description, users, privileges, devices, policies, IP address filters,
and notifications, all of which are explained in the Add Groups section.
3. Click OK when all changes have been made.

4.5.8 To remove a Group


1. Select the group(s) to be removed in the Groups section of the Users and Groups window
(System > Properties > Users and Groups).
2. Click the Remove button. A window appears confirming that the selected group(s) will be
deleted.
3. Click Yes to delete the group.

Note: When a group is removed from the system, user(s) relying on that group for privileges will
lose those privileges.

4.5.9 To remove users from a Group

Note: This section describes how to remove users from a group by editing the group. You can
also change a single user's group membership by referring to: To edit user account settings
(see page 182).

1. Clear the check box next to the appropriate user, or click Select None.
2. Click OK to save your settings.


Note: The system administrator is a member of every group and cannot be removed. Therefore,
the check box next to that user name is disabled.

4.6 Profile management


Profile management allows certain settings to be saved as a profile and used in various other
configurations. This saves time in adding new devices to SIEM or when updating the passwords
to multiple data sources.

The following items can be configured in the Profile Management:


• Event Forwarding
• Data Source
• WMI
• Network Discovery
• SNMP
• Command Line Interface
• Telnet
• SSH
• Vulnerability Assessment
• SNMP
• SNMP Trap
• Remote Share

4.6.1 To access profile management

Perform the following steps to access the Profile Management:

1. Select System Display in the System Navigation tree from the SIEM main screen.


2. Select the Properties icon from the Actions toolbar.

The System Properties dialog box appears.


3. Click Profile Management. The Profile Management window appears in the right pane of the
window. This window lists all the profiles that are currently available on the system.


4.6.2 To add a profile

Perform the following steps to add a profile:

Open the Profile Management window as described in the Profile management (see page 184)
section.
1. Click Add on the Profile Management window.


The Add System Profile dialog box appears as follows:

2. Select a profile type from the Profile Type drop-down list.


3. Select a profile agent from the Profile Agent drop-down list.
4. Type a name for this profile in the Profile Name field.
5. Fill in the remaining fields, which vary based on the profile agent and profile type you select.
6. Click OK to save the profile and close the Add System Profile window.

4.6.3 To edit a profile

Perform the following steps to edit a profile:

1. See the Profile management (see page 184) section.


2. Select the profile that needs to be modified on the Profile Management window.
3. Click Edit.
The Edit Profile dialog box appears.
4. Make the required modifications.
5. Click OK to save the changes and return to the Profile Management window.


4.6.4 To remove a profile

Perform the following steps to remove a profile:

1. See the Profile management (see page 184) section.


2. Select the profile(s) that need to be removed on the Profile Management window.
3. Click the Remove button. A message asking for the removal confirmation appears.
4. Click Yes to confirm removal.

4.6.5 Use with Ovation WMI data sources

You can use Profile Management to save which Windows Event Logs to collect data from and the
log-on credentials to use. For Event Logs, either one profile can be created for each different
combination of Event Logs (such as one for Domain Controller, Ovation station, non-Ovation
station, and so forth), or one profile can be created with all the Event Logs a given system could
have, which results in fewer profiles to manage. If the target machine does not have one of the
Event Logs listed below, the data from the logs that are present is still returned.

The following are the Event Logs that can contain information for an Ovation deployment:
• Windows-based Logs
  ◦ Security
  ◦ System
  ◦ Application
• If Ovation is installed:
  ◦ Ovation
• If the OSC VSPM agent is installed:
  ◦ Lumension

The following settings must be configured on the Edit System Profile window:
• Profile Type: Data Source.
• Profile Agent: Windows.
• Profile Name: Enter a name.
• Username: User name used to log on to the computers (for example, DOMAIN\User).
• Password: Enter the password.
• Interval: Between 2 and 5 minutes.

Note: The selected user must have permission to read Windows Event Logs.


4.6.6 Use with network discovery

Network discovery requires an SNMP RO (Read Only) profile that allows SNMP messages to be
read from the network device. For Ovation, configure a profile as follows:
• Profile Type: Network Discovery.
• Profile Agent: SNMPv1.
• Profile Name: Enter a name.
• Port: 161.
• Community Name: Enter the community string the network segment uses.

To use configuration management features, a Command Line Interface (CLI) profile must be
added to allow the SIEM to log on to the network device and access its configuration. For Ovation,
set up a profile as follows:
• Profile Type: Network Discovery.
• Profile Agent: CLI.
• Profile Name: Enter a name.
• Port: Port used to access either telnet or SSH on the network device.
• Method: Telnet or SSH, depending on system configuration.
• Username: Enter the user name to log on to the network device (leave blank if no user
exists).
• Password: Enter the password for log on.
• Enable Password: Enter the password for the higher privilege level (the same password
used for the enable command on the Cisco device).

4.7 Configuring WMI Data Sources (Windows Devices) for Monitoring

The first step in configuring a data source device is adding it. To add a data source to a Receiver,
follow the steps below.


4.7.1 To configure WMI Data Sources (Windows Devices) for Monitoring


1. In the System Navigation tree, left-click the Receiver.
2. On the Action Pane above the System Navigation tree, click the Add Data Source button.
The Add Data Source window appears:
3. Fill in the following fields:
  ◦ Enabled - Indicates whether the data source is enabled or disabled. Events will only be
requested from the WMI provider if the data source is enabled.
  ◦ Name - A name for the data source.
  ◦ IP Address - The IP address or host name of the WMI provider.
  ◦ NetBIOS Name - The NetBIOS identifier for this device.
  ◦ Username - The username used to connect to the WMI provider. For domain users, enter
the username as domain\user.


  ◦ Password - The password used to connect to the WMI provider.
  ◦ Event Logs - The default event logs are SYSTEM, APPLICATION, and SECURITY, but
other logs are supported. When entering additional names, keep in mind that they are
case sensitive, must be separated by a comma, and should not have spaces between
them.

Note: You must have Administrator privileges to access Security logs.

  ◦ Interval - The interval, in minutes, at which the Receiver checks the WMI provider for new
events.
  ◦ Use RPC - Uses RPC to communicate with the WMI host. Enable this check box.

Note: (Optional) You may select the Use System Profile check box to use any profiles
generated in the Profile management (see page 184) section. Performing this action will grey
out the Username, Password, Event Logs, and Interval fields and fill them as per the settings
chosen in the Profile management (see page 184) section.

4. Click Connect. You will receive a message informing you about successful or unsuccessful
connection. If the connection was unsuccessful, a message appears informing you why the
connection failed.
5. Click the Interface button to view or edit the interface settings. The settings on the Network
Interface Settings window configure the ESM connections to the Receiver.
6. Click OK to save the device settings. A window appears explaining that these settings have
not yet been written to the Receiver and asks you to do so.
7. Click Yes to write the settings to the Receiver.
8. Roll out the new policy. Refer to: Rolling-out the policy. This enables the SIEM to begin
collecting log files.

4.8 Configuring Syslog Data Sources (Cisco and *nix Devices) for
Monitoring
The Cisco Syslog Data Source requires configuration in order to receive event data from the
security devices that it supports. The following sections explain Cisco syslog configuration.

4.8.1 Syslog Configuration to Forward Messages from Solaris, Unix, and Linux OS Data Sources

You must configure syslogd on Unix/Linux servers or workstations to forward the system message
logs that are generated. Forwarding is defined in the /etc/syslogd.conf file. The general syntax is:

<Facility> @<IP_Address_of_McAfee_ENMELM>

For example, assuming the IP address of the NitroView ESM-Receiver Combo is 192.168.124.49:
• On the Solaris server / workstation, append the following lines to /etc/syslogd.conf:
# OSC Syslog
*.err;kern.notice;auth.notice;local0.notice;local1.notice;local4.notice @192.168.124.49
*.err;kern.debug;daemon.notice;mail.crit @192.168.124.49
local0.info;local4.info @192.168.124.49

It is critical that the whitespace between the selector list and the @ sign is a TAB. If a SPACE is
used, messages will not be forwarded to the SIEM. This is due to the nature of the syslog.conf
pre-processor (m4).

You must restart syslogd to make the changes effective.

As root user execute the following:

#/etc/init.d/syslogd restart -- For Linux/Solaris OS

To check that the new entries to forward messages to the SIEM are being processed correctly,
type "syslog-d" as root.
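As an added example, not part of the Emerson or McAfee documentation, the following Python script checks a syslog.conf-style file for the two forwarding problems this section describes: a selector separated from its @ action by SPACE characters rather than a TAB, and a rule that forwards somewhere other than the SIEM. The configuration text is constructed inline and uses the 192.168.124.49 address from the example above.

```python
"""Check syslog.conf forwarding rules before restarting syslogd.

Added example for this guide; not an OSC or McAfee tool. Every remote
forwarding rule (action starting with '@') must be separated from its
selector by a TAB (the file is run through m4) and must point at the SIEM.
"""
import re
from dataclasses import dataclass

# Constructed sample: the Solaris lines from this section plus one rule that
# uses spaces instead of a TAB and one that forwards to a different host.
SAMPLE_CONF = (
    "# OSC Syslog\n"
    "*.err;kern.notice;auth.notice;local0.notice;local1.notice;local4.notice\t@192.168.124.49\n"
    "*.err;kern.debug;daemon.notice;mail.crit   @192.168.124.49\n"
    "local0.info;local4.info\t@192.168.124.49\n"
    "mail.debug\t/var/adm/maillog\n"
    "auth.info\t@10.0.0.5\n"
)


@dataclass
class Finding:
    line_no: int   # 0 for file-level findings
    problem: str
    text: str


# selector, the whitespace run that separates it, then the action
_RULE = re.compile(r"^(?P<selector>\S+)(?P<ws>\s+)(?P<action>\S+)\s*$")


def check_forwarding(conf_text: str, siem_ip: str) -> list[Finding]:
    """Return findings for forwarding rules that would not reach the SIEM."""
    findings: list[Finding] = []
    forwarders = 0
    for n, line in enumerate(conf_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _RULE.match(line)
        if not m:
            findings.append(Finding(n, "unparseable rule", line))
            continue
        action = m.group("action")
        if not action.startswith("@"):
            continue  # local file or user action, not forwarding
        forwarders += 1
        # Anything other than TAB characters between selector and '@' breaks m4.
        if m.group("ws").strip("\t"):
            findings.append(Finding(n, "separator contains SPACE; must be a TAB", line))
        target = action[1:]
        if target != siem_ip:
            findings.append(Finding(n, f"forwards to {target}, not the SIEM {siem_ip}", line))
    if forwarders == 0:
        findings.append(Finding(0, "no forwarding rules found", ""))
    return findings


if __name__ == "__main__":
    for f in check_forwarding(SAMPLE_CONF, "192.168.124.49"):
        print(f"line {f.line_no}: {f.problem}: {f.text!r}")
```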

4.8.2 To add a Syslog data source to a Receiver

The first step in configuring a data source device is adding it. To add a data source to a Receiver,
follow the steps below.

1. In the System Navigation tree, left-click the Receiver.

2. On the Action Pane above the System Navigation tree, click the Add Data Source button.
The Add Data Source window appears:
3. Fill in the following fields:
• Data Source Vendor – Pick the vendor of your product. In the case of Emerson-
provided switches and routers, select Cisco.
• Data Source Model – Pick the model of equipment this data source is. In the case of
Emerson-provided switches and routers, select IOS (ASP).
• Enabled - Indicates whether the data source is enabled or disabled. Events will only be
collected if the data source is enabled. Only Parsing should be checked.
• Name - A name for the data source.
• IP Address - The IP address or host name of the device sending syslog messages.
• Mask – IP Mask of the device. Enter 32 in this field.
• Time Zone – Set this to the time zone the device is sending messages in. If the device is
physically located in EST but sends messages in GMT, set this to GMT.
4. Click the Interface button to view or edit the interface settings. The settings on the Network
Interface Settings configure the ESM connections to the Receiver.
5. Click OK to save the device setting. A window appears explaining the need to roll out the
policy for this device.
6. Click Yes to continue.
7. A window appears explaining that these settings have not been written to the Receiver and
asks you to write the setting to the Receiver.
8. Click Yes to write the settings to the Receiver.
9. Roll out the new policy. Refer to: Rolling-out the policy. This enables the SIEM to begin
collecting log files.

Note: When configuring additional devices, refer to the McAfee User Guide located on your
OSC CD.

4.8.3 To set the syslog forwarding address

Emerson provides configurations for network switches and routers with the level of debugging
appropriate for the operation of the DCS system. The only required change is to set a syslog
forwarding address of the SIEM.

1. Log into the switch or router.


2. Configure the switch or router by running the following commands in configuration mode:
logging <IP Address>
where <IP Address> is the address of the SIEM.

Note: When configuring additional devices, refer to the McAfee User Guide located on your
OSC CD located in the \InstallCDforCustomers folder.

4.9 Generating Reports for SIEM


The Reports option allows you to generate and view reports that are used to show data from
events and flows managed on the SIEM. You can choose to design your own report or run one of
the existing reports. You can also choose the format to send the data in, for example, PDF,
HTML, or CSV. The Reports feature allows you to send the gathered reports as a text file or a
PDF.

Note: A notification is sent with each report.

The Reports feature can be used for different circumstances. The generated reports can be
based on auditing criteria and can be used to show compliance. These reports can be printed or
sent to an auditor as well. The Reports feature is also helpful in checking your network. The
reports allow you to see if you are possibly violating any policy or standards for your network.

The out-of-box reports are divided into different categories (for example, PCI, HIPAA, NISPOM,
BASEL II, and so forth).

The table on the Reports screen (System > Properties > Reports) lists the reports that you have
selected and/or created. It allows you to add, edit, remove, and run reports that are listed, and
enable and disable them. This screen also allows you to manage the conditions, recipients, and
notification settings, as well as view reports that are currently being run and cancel them, if
necessary.

For additional information about Reports, refer to the McAfee ESMI User Guide available on your
Ovation Security Center CD.

4.9.1 To add a Report

Note: You must define the parameters of a report and add it to this table so that it can be
generated as defined. You also need to configure your notification settings before adding a
report.

1. In the System Navigation tree, click the System node and select the Properties icon in the
Actions toolbar. The System Properties window appears.
2. Click the Reports option. The Reports screen opens listing the names of the established
reports, their conditions, and their status (enabled or disabled).
3. Click the Add button (ensure that you have notifications and recipients setup before
proceeding). The Add Report window appears.
4. Enter a name for the new report and a description of the information it will contain.

5. In the Condition field (in section 2 of the Add Report window shown above), select when you
want this report to run from the list of options on the drop-down list. If you want to add a
condition to the list of options, click Edit conditions. The Conditions window opens. Refer to
the To add a condition (see page 221) section for information regarding adding a condition.

6. In section 3 of the Add Report window shown above, select the time zone the report queries
should use.
7. Select how you want the report delivered (in section 4 of the Add Report window shown
above). You have three options: (a) send it to users or groups and/or (b) save it to the ESM
and/or (c) send it to the remote storage.
• Email sent to users or groups - When you select this option, the Add recipient link will
activate. Click on it to open the Recipients dialog and select the users or groups to whom
the report will be sent. Refer to the E-Mail Recipients or E-Mail Group Recipients sections
for details on this window.
• File saved to the ESM - When you select this option, the Prefix field will activate,
showing Report_Log_ as the default prefix for the name of the file that will be generated
and saved on the ESM. Change the prefix, if desired. The file name will include the date
and time that the report is generated.
• File saved to remote location - When you select this option, the report file is sent to a
remote storage. Select the location configured for remote storage from the File saved to
remote location drop-down list.
8. Select the format in which you want the report sent or saved. If you are designing a new
report, your options are PDF or HTML. If you will be selecting an out-of-box report, CSV is the
only option. When you select CSV, section 6, at the bottom of the Add Report screen, will
show a list of the available out-of-box reports.

9. Section 5 of the Add Report window shown below gives you one of the following two options,
depending on the format you selected in section 3.
If you are designing a new report and, therefore, selected either PDF or HTML format in
section 3, the section 5 of the Add Report window shown above appears as follows:

This table lists layouts that have been created previously for other reports.
• To design a new layout, click Add.
• To select an existing layout, click the desired layout.
• To edit an existing layout, click the layout, then click Edit.
• To delete an existing layout, click the layout, then click Remove.
• To add a folder under which you can organize your layouts, click the Add Folder button.
Enter a name for the folder on the Enter a new name field, then click OK.
• When adding a folder at root level, ensure that an existing folder or a layout in an existing
folder is not selected. If an existing folder is selected, the new folder will be added as a
subfolder. You can also do the following:
• To add a new layout to the folder, highlight the folder and click Add. It will be saved in the
folder selected.
• To add an existing layout to the folder, click the layout then drag and drop it in the folder.
• To add a subfolder to an existing folder, highlight the folder then click Add Folder. Enter
a name for the new folder, and click OK. The new folder will be added as a subfolder to
the existing folder.

• To move an existing subfolder to root level, select the subfolder then drag it to the
bottom of the layout tree and drop it.
• To import one or more layouts, click the Import button and browse to the file(s) to be
imported. If the layout that you are importing includes an image that currently exists on
the ESM, the Import Report Layouts window opens and informs you of this conflict and
offers you the following choices:
- Keep Local - Keeps the image on the ESM and deletes the image from the report
layout. The image on the ESM will be used for that layout.
- Replace Local - Replaces the image on the ESM with the image in the report layout.
Any layouts that currently use the image that you are deleting from the ESM will now
use the image imported with the layout.
- Rename - The image in the report layout will automatically be renamed and the
layout will be imported using the image with the new name.
• To export one or more of the layouts listed, click the files and/or folders to be exported
and click Export.
• To include a summary of the global and individual component filters defined for this
report, click the Include filter summary in report check box. The filters used in this
report will then be listed at the bottom of the report. This is useful as an indication of the
limits defined for the data included in the report.
If you are generating an out-of-box report and, therefore, selected Query CSV format in
Section 4 of the Add Report window shown above, Section 5 will appear as follows:

When you click the down arrow, a list of all of the available reports will appear. Click the
desired report.
10. In section 6 of the Add Report window, specify the filters to be applied to all of the
components for this report. For example, if you want the report to show only the data that has
a source IP value of 161.122.15.13, you would type that source IP value in the Source IP field.
The stacked-funnel icon, located to the right of each filter field, provides the ability to do global
filtering using existing variables. Clicking on the stacked-funnel icon allows you to select a
specific custom variable, which will be added to the selected field.
You can also filter on a combination of fields in one of the following ways:
• To include data of more than one type, enter values in each of the appropriate fields. The
data that matches all of these filters will be shown in the report.
• To include some data and exclude other data, enter the filter values that you want to
include and those that you want to exclude in the appropriate fields. Then click the NOT
icon to the right of the field values that you want to exclude. The report will include data
that matches all the entries in the fields where the NOT icon was not selected, and will
exclude the data that matches the values entered in the field where the NOT icon was
selected.

• To include data that complies with regular and either/or filters, enter the filter values in all
the appropriate fields, then click the OR icon next to the fields that have the either/or
values. The report will include the data that matches all the entries in the fields that were
not marked OR and matches either of the values in the fields marked OR. For example, if
you want to include the data that matches a specific Destination IP and Destination Port,
and either a specific Source Port or a specific Source IP, enter the values in all four fields
and click the OR check box next to Source Port and Source IP.
Keep in mind that at least two fields must be marked OR for the OR filter to work.
By default, the data that is retrieved will have to match the case of the values that you enter in
the fields. If you want data to be included regardless of the case, click the Case-insensitive
icon (Aa) to the right of the filter field.
11. Click Save. The settings will be saved and the name will be added to the list on the Reports
screen. By default, the report will be enabled and the report will be generated based upon the
conditions you selected. If you need to temporarily stop certain reports from running but do
not want to delete them from the system, highlight them on the list of reports (System
Properties > Reports) and click the Enabled check box to remove the check.

The Status column in the table will list the status for those reports as Disabled. When you
want to start running those reports again, just repeat the process to add the check to the
Enabled check box. The Status column in the table will change the status for those reports
back to Enabled.

You can run a report immediately by clicking on the Run Now button. To do so, click one or more
reports (Ctrl + click) and select the Run Now option. The reports you have selected will be
enabled and processed immediately.
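The filter combination rules of step 10 (AND across fields, NOT exclusion, OR groups of at least two fields, case-sensitive unless the Aa icon is set) are modelled below as an added Python example; this is not McAfee ESM code, and the field names and event records are constructed. The EXAMPLE_FILTERS set reproduces the Destination IP / Destination Port / Source Port-or-Source IP case described in the step.

```python
"""Evaluate an Add Report filter set against sample events.

Added example for this guide, not McAfee ESM code. It models the step 10
rules: plain fields are ANDed, a NOT field excludes matching data, fields
marked OR need at least two members and any one of them may match, and
comparison is case-sensitive unless the field is marked case-insensitive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldFilter:
    field: str
    value: str
    negate: bool = False        # the NOT icon
    either_or: bool = False     # the OR icon
    ignore_case: bool = False   # the Aa (case-insensitive) icon


def _equal(a: str, b: str, ignore_case: bool) -> bool:
    return a.lower() == b.lower() if ignore_case else a == b


def or_group_is_valid(filters: list[FieldFilter]) -> bool:
    """The page requires at least two fields marked OR; a lone OR is invalid."""
    return sum(1 for f in filters if f.either_or) != 1


def event_matches(event: dict, filters: list[FieldFilter]) -> bool:
    if not or_group_is_valid(filters):
        raise ValueError("at least two fields must be marked OR")
    for f in filters:
        if f.either_or:
            continue
        hit = _equal(str(event.get(f.field, "")), f.value, f.ignore_case)
        if hit == f.negate:  # a plain field must match; a NOT field must not
            return False
    or_group = [f for f in filters if f.either_or]
    if or_group:
        return any(_equal(str(event.get(f.field, "")), f.value, f.ignore_case)
                   for f in or_group)
    return True


def run_report(events: list[dict], filters: list[FieldFilter]) -> list[dict]:
    """Rows that would appear in the report for this filter set."""
    return [e for e in events if event_matches(e, filters)]


# Constructed sample events (not real SIEM data).
EVENTS = [
    {"Source IP": "161.122.15.13", "Destination IP": "10.1.1.5",
     "Destination Port": "514", "Source Port": "40000", "User": "Operator"},
    {"Source IP": "161.122.15.14", "Destination IP": "10.1.1.5",
     "Destination Port": "514", "Source Port": "40001", "User": "operator"},
    {"Source IP": "161.122.15.14", "Destination IP": "10.1.1.5",
     "Destination Port": "514", "Source Port": "40000", "User": "admin"},
    {"Source IP": "161.122.15.13", "Destination IP": "10.1.1.6",
     "Destination Port": "22", "Source Port": "40000", "User": "admin"},
]

# The page's own example: fixed Destination IP and Destination Port,
# plus either a specific Source Port or a specific Source IP.
EXAMPLE_FILTERS = [
    FieldFilter("Destination IP", "10.1.1.5"),
    FieldFilter("Destination Port", "514"),
    FieldFilter("Source Port", "40000", either_or=True),
    FieldFilter("Source IP", "161.122.15.14", either_or=True),
]

if __name__ == "__main__":
    for row in run_report(EVENTS, EXAMPLE_FILTERS):
        print(row)
```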

4.9.2 To edit a Report


1. Select the report to be modified on the Reports screen (System Properties > Reports).
2. Click Edit. The Edit Report screen appears.
3. Make the desired modifications. Refer to: To add a Report (see page 194) for additional
information regarding this process.
4. Click OK to save the changes.

4.9.3 To view a Report

The SIEM can run five notifications, reports, and/or jobs concurrently. Additional requests,
whether they are recurrent or one-time requests, are placed in a queue. If you have notification
rights, the View feature on the Reports screen (System Properties > Reports) allows you to
view the status, updated every 10 seconds, of all of the requests that you initiated that are
currently in this queue. It also allows you to cancel one or more of your requests, if desired.

If you are an administrator or master user, you can view all of the requests that are currently in
the queue and cancel one or more of them. This feature can be useful if the reports that you have
created have not begun to execute. You can access the View Reports screen to see the status of
your reports. If you need to free up system resources in order to allow specific reports that are in
the queue to begin execution, you can cancel some of those that are ahead in the queue.

To delete Reports from the queue:

1. Access the View Reports screen (System Properties > Reports > View).

2. Select the report(s) to be canceled. You can click the column headers to sort through the
queue and select multiple jobs to cancel.
3. Click Cancel. A confirmation window displays.
4. Click Yes. The selected reports will be deleted from the queue.

To View Report Files

The Files feature on the Reports screen allows you to view a list of the report files that have been
generated on the system and download, upload, or remove them. To use this feature, do the
following:

1. Access the report File List screen (System Properties > Reports > Files).
2. Select one or more of the report file(s) on the list. You can click the column headers to sort
through the queue.
3. Perform the desired actions:
• Click Download to save the selected file(s) to another location. You can then view the
file(s).
• Click Upload to add a report file to the list. This could be useful if you downloaded a file,
removed it from the system, and then realized that you wanted to keep it on the list of
reports.
• Click Remove to delete the selected report file(s) from the system. Keep in mind that
once a file is deleted, it cannot be restored unless it was previously downloaded to a
separate location.
• Click Refresh to refresh the list of reports.
4. Click Close to return to the Reports screen.

4.9.4 To remove a Report


1. Click the report(s) you want to remove on the Reports screen (System Properties >
Reports).
2. Click the Remove button. The Remove Reports window appears requesting confirmation.
3. Click Yes to proceed with the removal or No to cancel.

4.10 Reviewing Data Sources and Policy Rollout


To enable the SIEM to collect data, three steps must always be performed:
• Devices must be added or modified with the correct settings.
• These settings must be written to the Receiver.
• The policy must be rolled out.

4.10.1 To review Data Sources

Perform the following steps to review the data sources:

1. On the main screen, left-click Local Receiver in the System Navigation tree.
2. On the Action pane, click Properties. The Properties window appears.
3. Click Data Sources.

4. There will be a table with all the data sources currently configured. To add a new device, click
Add.
5. To edit an existing device, left-click the device in the list and click Edit. The settings for that
device appear.
6. If any changes are made, the Write button will become active. Click Write to write the settings
to the Receiver.
7. When all settings are correct and written, the policy can be rolled out.

Note: To change settings, refer to the following sections: Configuring WMI Data Sources
(Windows Devices) for Monitoring (see page 190) and Configuring Syslog Data Sources (Cisco
and *nix Devices) for Monitoring (see page 191).

4.10.2 To roll out the policy automatically

The SIEM has the ability to automatically check when a policy might need to be rolled out in
certain situations, such as adding or changing data sources. After the changes to the data source
are saved, a Rollout window might appear as follows:

Click OK to update the policy for the data source that requires a change.

4.10.3 To roll out the policy manually

Some instances of roll out still require policy to be rolled out manually, such as updating rules and
other policy changes.

Perform the following changes to roll out the policy manually:

1. Click Local ESM from the SIEM main screen.

2. Click Policy Manager.


3. The Policy Editor window appears. Click Rollout from the Operations menu.

4. The full Rollout window appears. Any device that is flagged as requiring a roll out is marked
as Roll this policy out now. Select the Rollout policy to all devices now check box to
force every device to roll out.
5. Click OK to begin the roll out process. After the rollout is completed, the Rollout window
closes.

4.11 Batch Data Source Management


The Batch export/import feature allows you to add or modify devices in batches rather than
adding or modifying each device separately.

Batch processing is typically more efficient when many devices must be added (for example,
during initial system setup or expansion) or modified (for example, to change the user password
used for Windows Logs).

Note: Exporting data sources will obscure passwords with ****.

The following is the recommended process:


• Export the current device list.
• Modify the list with new / changed device information.
• Import the new file into the SIEM.
If the SIEM has no devices, create one or two devices using the following sections: Configuring
WMI Data Sources (Windows Devices) for Monitoring (see page 190) and Configuring Syslog
Data Sources (Cisco and *nix Devices) for Monitoring (see page 191).

4.11.1 To export Data Sources from SIEM


1. Navigate to the System Navigation pane main screen.
2. Click Local Receiver in the main screen.
3. Click Properties on the Action pane.
4. Click Data Sources.
5. Click Export. A window appears stating that the download is ready.
6. Click Yes. Save the file to a location of choice.

4.11.2 To modify the CSV file


1. It is easiest to open the CSV file in Excel or another spreadsheet application. This gives
each item its own column for easy readability.

Note: Excel may change the rec_id column to scientific notation format. This will truncate the
number resulting in errors upon importing into the SIEM. Make sure to format as either text or a
number with no decimal places.

2. The first column is the operation:


• Add – Creates a new device.
• Edit – Modifies an existing device.
• Leave blank – Will not change the device in any way.
3. Modify fields as needed. Replace **** with the correct password on any device being edited
(if device uses a password field).
4. Save the file in CSV format. The file is now ready for import.

For additional information on this subject, refer to the User documentation on the OSC 2.1. The
9.1.2McAfeeESMIUserGuide.pdf is located in \NitroSecurity\InstallCDforCustomers.
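As an added example (not an Emerson or McAfee tool), the following Python script checks an exported data-source CSV for the three problems this section warns about before it is imported: an operation other than Add, Edit or blank, a rec_id that Excel has rewritten in scientific notation, and a **** password mask left on a row being edited. The sample file is constructed; only the operation column and rec_id are named on the page, so the other column names are assumptions.

```python
"""Pre-import sanity check for a SIEM data-source CSV.

Added example for this guide, not an Emerson or McAfee tool. Column names
other than rec_id are assumptions; the real export's layout may differ.
"""
import csv
import io
import re

# Constructed sample export (header layout is an assumption).
SAMPLE_CSV = """op,rec_id,name,ip_address,username,password
Edit,144115188075855872,WIN-HIST01,192.168.124.21,svc_logs,****
Edit,1.44115E+17,WIN-EDB01,192.168.124.22,svc_logs,N3wP@ss
Add,,CISCO-SW01,192.168.124.2,,
,144115188075855874,WIN-ODB01,192.168.124.23,svc_logs,****
Update,144115188075855875,WIN-OPS01,192.168.124.24,svc_logs,****
"""

VALID_OPS = {"Add", "Edit", ""}
_INT = re.compile(r"^\d+$")
_SCI = re.compile(r"[eE][+-]?\d+$")   # e.g. 1.44115E+17 as written by Excel


def validate_rows(csv_text: str) -> list[tuple[int, str]]:
    """Return (row_number, message) pairs; an empty list means ready to import."""
    problems: list[tuple[int, str]] = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        op = (row.get("op") or "").strip()
        rec_id = (row.get("rec_id") or "").strip()
        password = row.get("password") or ""
        if op not in VALID_OPS:
            problems.append((row_no, f"unknown operation {op!r}; use Add, Edit or blank"))
        if op == "Edit" and rec_id == "":
            problems.append((row_no, "Edit row has no rec_id"))
        if rec_id and not _INT.match(rec_id):
            hint = " (Excel scientific notation)" if _SCI.search(rec_id) else ""
            problems.append((row_no, f"rec_id {rec_id!r} is not a plain integer{hint}"))
        # Rows that are left blank are not changed, so a masked password there is fine.
        if op == "Edit" and password == "****":
            problems.append((row_no, "password still masked as ****; set the real password"))
    return problems


def ready_to_import(csv_text: str) -> bool:
    return not validate_rows(csv_text)


if __name__ == "__main__":
    for row_no, msg in validate_rows(SAMPLE_CSV):
        print(f"row {row_no}: {msg}")
```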

4.11.3 To import Data Sources into SIEM


1. Click Local Receiver in the System Navigation pane from the main screen.
2. Click Properties on the Action pane.
3. Click Data Sources.
4. Click Import. A window appears asking for the file to upload.
5. Click Browse and locate the CSV file to upload.
6. Click Upload. A window appears showing all devices that will be touched by this import.
7. Click OK if everything appears to be correct. If not click Cancel, correct the import file, then
try to import again.
8. Once settings are imported, they must be written to the Receiver and then the policy must be
rolled out. Refer to the section on Rolling-out the policy.

4.12 Updating Rules and Software


The SIEM rule signatures used to examine security threats are continuously updated by
McAfee's Signature Team and are available for download from the central Emerson OSC Update
server located at http://updates.ovationusers.com/OSC/.

SIEM rule updates can be retrieved automatically through the Web. However, Emerson
recommends using the QA-approved rule updates only. In most cases, OSC SIEM rule updates
should be applied manually.

4.12.1 To manually apply Emerson approved Rule updates

The Manual Update option allows you to download rules without the ESM being connected to the
rule server.

1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Rules and Software in the main page of System Information window. The Rules and
Software window opens.
3. Click the Manual Update button. The File Upload window appears.
4. Browse to the rule file by selecting the Browse button.
5. When you have selected the rule file to apply, click Upload in the File Upload window.
6. When the update process is completed, a Manual Update window appears stating that the
rule update was successful.
7. Click OK to close the window.

4.13 Views options


Views are the graphical representation of the data that the SIEM has collected. They are displayed
in the main body of the window when you are logged into the SIEM.

The Views option in the Options window allows you to specify settings for running views and
queries. It allows you to designate the frequency at which you want the views refreshed and
allows you to designate the view for the default system view, event summarize view, and flow
summarize view.

4.13.1 To automatically refresh Views

The Automatically Refresh Views option automatically refreshes the current view based upon the
designated frequency. To perform this function, use the following procedure:

1. Click the Automatically Refresh Views check box. Doing so activates the Refresh views
every xxxx minutes field.
2. Use the up and down arrows to select how often you want the views to be refreshed. You can
also highlight the field and type in the number of minutes you want the views to be refreshed.
3. Click OK to save your changes.

4.13.2 To select Default System Views

By default, the Default Summary view appears every time NitroView is opened. You have the
option of selecting a different view. To perform this function, use the following procedure:

1. Click the arrow in the Default System View drop-down box.


2. Select the desired view from the drop-down list.
3. Click OK to save your changes.

4.13.3 To select Event Summarize Views

This option allows you to select a view that appears every time you perform an Event Views drill-
down. To perform this function, use the following procedure:

1. Click the arrow in the Event Summarize View drop-down box.


2. Select the desired view from the drop-down list.
3. Click OK to save your changes.

4.14 Events, Flows, and Logs


The ESM can be configured to automatically retrieve event, flow, and log data collected from IPS
and receiver devices. When the SIEM receives a message, it will parse the message into an
event. These events are then stored in the SIEM for further analysis/reporting.

Note: The use of Netflow or other flow data is currently not supported or recommended on the
Ovation DCS network.

4.14.1 To automatically check events, flows, and logs


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Events, Flows, and Logs. The link is found in the main body of the System Information
window. The Events, Flows, and Logs window opens.
3. Click the Auto check every check box.
4. Select the interval at which you want the retrieval to take place. This causes the ESM to
automatically check the events, flows, and logs of the IPS, Receiver, and DBM devices, which
additionally have their individual auto-retrieval settings enabled.
5. Click OK to save your settings.

4.14.2 To manually check events, flows, and logs (method 1)


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Events, Flows, and Logs. The Events, Flows, and Logs window opens.
3. Click the Check Now button. A window appears showing the status of the check. When the
check is complete, the window will state Check Completed.
4. Click OK to exit the window.

4.14.3 To manually check events, flows, and logs (method 2)


1. Click the System node in the System Navigation tree.
2. Select Get Events and Flows in the Actions pane. The Events and Flows window appears.
3. Click Start to begin retrieving information.
4. Click Close to exit.

4.14.4 To alter the Auto-retrieval settings

The Show Devices button allows you to alter the auto-retrieval settings for all IPS, Receiver, and
DBM devices on this ESM. Use the following procedure:

1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Events, Flows and Logs. The Events, Flows, and Logs window opens.
3. Click the Show Devices button. The Devices window opens.
4. You can individually set the Auto Events, Auto Flows, and Auto Logs settings on a per-
device basis by clicking the appropriate check box. You can also use the Select All and
Select None buttons to turn all the available settings On or Off.
5. Click OK to save your settings.

4.15 Inactivity Threshold settings


The Inactivity Settings button on the Events, Flows, and Logs screen (Events and Logs screen for
DBM devices) allows a master user or system administrator to set the inactivity threshold for any
device on the system.

If this threshold is set, the system generates an alert when the device has been inactive for the
period of time designated. This alert displays as a yellow flag next to the device on the System
Navigation tree.

4.15.1 To set Inactivity Threshold settings


1. Click the Inactivity Settings button at the bottom of the following screens:
• System Properties > Events, Flows, and Logs screen
• Device Properties > Events, Flows, and Logs screen
• Receiver Properties > Events, Flows, and Logs screen
• DBM Properties > Events and Logs screen
The Inactivity Threshold window opens. The default setting for all devices is 0.
2. Highlight the device for which you want to set a threshold and click Edit. The Edit Inactivity
Threshold window opens.
3. Set the maximum amount of time that this device can be inactive before generating an alert
by clicking the up or down arrows in the Days, Hours, and/or Minutes fields.
4. Click OK. You will be returned to the Inactivity Threshold screen. The device reflects the
change in the Threshold column, as will any child of the device that has the Inherit check box
selected.
5. By default, all devices, data sources, and database servers inherit the threshold set for their
parent. If you want to break this inheritance for a specific child:
a) De-select the check box in the Inherit column for the child. The Edit Inactivity Threshold
window opens.
b) Set the new threshold for the child.
c) Click OK.
6. Click OK on the Inactivity Threshold screen to save your settings and return to the Event and
Logs screen.
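To make the inheritance rule in steps 4 and 5 concrete, here is an added Python model (not McAfee ESM code) of the threshold tree: a child inherits its parent's threshold until its Inherit box is cleared, and a device whose last event is older than its effective threshold is flagged. Assumptions: thresholds are held in minutes, 0 (the default) means no threshold is enforced, and the device names and event times are constructed.

```python
"""Evaluate SIEM inactivity thresholds with parent inheritance.

Added example for this guide, not McAfee ESM code. Assumed: thresholds are
in minutes and 0 (the default) means the device is never flagged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Node:
    name: str
    threshold_min: int = 0            # own Days/Hours/Minutes value, in minutes
    inherit: bool = True              # the Inherit check box
    parent: Optional["Node"] = None
    last_event: Optional[datetime] = None   # None for containers (ESM, Receiver)


def effective_threshold(node: Node) -> int:
    """Walk up the tree while Inherit is set; the top node uses its own value."""
    while node.inherit and node.parent is not None:
        node = node.parent
    return node.threshold_min


def inactive_devices(nodes: list[Node], now: datetime) -> list[str]:
    """Names of devices silent longer than their effective threshold (the yellow flag)."""
    flagged = []
    for n in nodes:
        if n.last_event is None:
            continue
        limit = effective_threshold(n)
        if limit > 0 and now - n.last_event > timedelta(minutes=limit):
            flagged.append(n.name)
    return flagged


# Constructed reference time and tree: System > Receiver > data sources.
NOW = datetime(2012, 9, 1, 12, 0)


def build_sample(now: datetime) -> list[Node]:
    system = Node("Local ESM", threshold_min=60, inherit=False)
    receiver = Node("Local Receiver", parent=system)          # inherits 60
    sources = [
        Node("WIN-HIST01", parent=receiver, last_event=now - timedelta(minutes=90)),
        Node("CISCO-SW01", parent=receiver, last_event=now - timedelta(minutes=10)),
        # Inherit cleared: this host may legitimately be quiet for a day.
        Node("WIN-EDB01", threshold_min=24 * 60, inherit=False, parent=receiver,
             last_event=now - timedelta(hours=3)),
        # Inherit cleared and left at 0: never flagged (assumed meaning of 0).
        Node("LAB-TEST", threshold_min=0, inherit=False, parent=receiver,
             last_event=now - timedelta(days=10)),
    ]
    return [system, receiver, *sources]


if __name__ == "__main__":
    print(inactive_devices(build_sample(NOW), NOW))
```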

4.16 Managing Alarms


The Alarms feature allows you to provide real-time alarms when a condition that you define
occurs. (These were known as Notifications in older versions of the SIEM software.) When an alarm
is triggered, it is automatically added to the Alarms log, which is located in the pane under the
System Navigation Tree pane. You can configure an Alarm action to log an event to the ESM,
provide a visual and auditory alert, create a case for a specific person or group, execute an SSH
script, update a Watchlist, send an event to Remedy, or send a text or email. Alarms are no longer
sent through syslog or SNMP.

A Simple Mail Transfer Protocol (SMTP) or email server is not provided as part of an Ovation
system. If this notification method is preferred, contact Emerson’s SureService department to
discuss the optimal configuration for securely transmitting alarms outside the Ovation Security
Center Demilitarized Zone (OSC DMZ).

The ability to add an alarm is available to users with administrator privileges and any user
belonging to an access group with the Alarm Management privilege.

4.16.1 To create a new alarm

Perform the following steps to create a new alarm:

1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click Alarms on the System Properties window. All the existing alarms on the system
appear in the right pane of the window.
3. Click Add. The Alarm Settings window that shows the Summary, Condition, Actions, and
Escalation tabs appears.
4. Click the Summary tab and enter the name for the alarm in the Name field. Select the person
or group to whom this alarm is assigned from the Assignee drop-down list. This drop-down
contains the users and groups that have alarm management privileges. Select the severity of
the alarm, which determines the priority given to the notification it generates in the Alarm log.
The alarm is enabled by default. If you want to disable the alarm, clear the Enabled check
box.
5. Click Next or the Condition tab. Conditions are the triggers that cause an alarm to be
generated when a specified criterion is met. Select the type of alarm from the Type drop-down
list. When you select the type of alarm, you are asked to provide further details of that alarm.
Select the condition type that you want this alarm to monitor from the Type drop-
down list. The available types are:
• Deviation from Baseline: This condition allows you to specify a percentage threshold to
check above baseline and/or a different percentage below baseline.
The following settings need to be made when you select Deviation from Baseline:
- Select the type of data that you need to query in the Query field.
- Click the Filter icon and select the values to filter the data for this alarm.
- Select whether you want SIEM to query the data for the last or the previous period of
time from the number and type in the Time Frame field.
- Select how far above and/or below the baseline you want the deviation to be before
an alarm is triggered in the trigger when the value is section.

OSC_003 207
4.16 Managing Alarms

¾ Select how often the system should check to see if this type of condition exists in the
Check Rate section.
… Device Failure: This condition generates an alarm when the SIEM is unable to
communicate with one or more SIEM devices (not data sources).
Configure the following settings when you select Device Failure:
¾ Select how often the system should check to see if this type of condition exists in the
Check Rate section.
¾ This condition can persist for some time. In the Maximum Condition Trigger Frequency
section, select the minimum amount of time between notifications so that a persistent
condition does not send a large number of them.
… Device Status Change: This condition generates an alarm any time any device
(including data sources) changes status.
Configure the following settings when you select Device Status Change:
¾ In Health Monitor Status, select the types of device status changes about which you
want to be notified. For example, if you select only Critical, you are not notified of a
health monitor status change at the Warning level.
¾ This condition can persist for some time. In the Maximum Condition Trigger Frequency
section, select the minimum amount of time between notifications so that a persistent
condition does not flood you with them.
… FIPS Failure: This condition generates an alarm when there is a FIPS failure. The OSC
SIEMs do not run in FIPS mode; therefore, this condition does not apply.
… Field Match: This condition generates an alarm when a selected SIEM field matches a
value.
Configure the following settings when you select Field Match:
¾ Select the Use Watchlist check box if you have configured a Watchlist that contains
all of the values on which you want this alarm to notify you.
¾ If you do not select Use Watchlist, select the type of data that this alarm monitors
from the Field drop-down list.
¾ In the Value(s) field, enter the specific values of the type that you selected in the
Field drop-down list. For example, if you selected Source IP in the Field list, enter the
actual source IP addresses on which you want this alarm to trigger.
¾ This condition can persist for some time. In the Maximum Condition Trigger Frequency
section, select the minimum amount of time between notifications so that a persistent
condition does not flood you with them.
… HA Failure: This condition generates an alarm when there is a failure in High Availability
Receivers. The OSC SIEMs do not use HA at this time; therefore, this condition does not apply.
… Specified Event Rate: This condition generates an alarm when a set of criteria is met at a
given frequency.
Configure the following settings when you select Specified Event Rate:

¾ In the Event Count field under Event Rate, enter the number of events that must occur
before an alarm is generated. Click the Filter icon and select the values that filter the
data for this alarm. Values containing commas must be placed in a Watchlist to work
properly. In the Time Frame field, select the amount of time within which that number of
events must occur for an alarm to be generated.
¾ The rate data for an event includes a sharp increase at its end, created by aggregation.
In the Offset By field, select the amount of time by which the time frame is offset so
that it does not include that increase. For example, if the SIEM pulls events every five
minutes, the last minute of each pull contains the aggregated events; offset the time
frame by one minute so that the last minute is excluded from the measurement. If you
do not, the aggregated data is included in the event count and can cause false
positives.
¾ This condition can persist for some time. In the Maximum Condition Trigger Frequency
section, select the minimum amount of time between notifications so that a persistent
condition does not flood you with them.
6. Click Next or the Actions tab. Select the type(s) of action(s) to be taken when an alarm is
triggered by the condition you defined on the Condition tab. You can select more than one
action. The options are as follows:
… Log event - This is selected by default. When this option is selected, an event is logged
on the ESM.
… Visual alert - If you select this option, a message box appears at the bottom right of the
window when the alarm is triggered. When you select the Visual Alert check box, you can
also choose whether an audio file is played when the message appears. A list of the audio
files on the system is available; select the one that you want to associate with the visual
alert.

… Create a case for - When you select this option, a case is created for the person or group
that you select from the drop-down list. The case displays the severity and associated
event, and the alarm event is added so that the user can trace the case back to its
source. The alarm summary becomes the name/summary of the case. This action
cannot be used when escalating an alarm.
… Execute script - Lets you execute a script on any device that accepts SSH connections,
which can in turn initiate actions in other software applications. When you click the Setup
button, the Execute Script Configuration dialog box appears. Complete the Host, Port,
Username, and Password fields. To build the command string, click the Insert Variable
icon and select the desired variables. Note that the ESM stores the credentials you enter
here and that the inserted variables are filled in when the alarm triggers: use a dedicated
account on the target host with only the rights the script needs, and have the script treat
the variable values as untrusted input.
… Update Watchlist - This option is only available if Field Match is selected as the condition
type. It lets you modify Watchlists by adding or removing values based on the
information contained in up to 10 alarm-triggering events. When you click the Manage
button in the Update Watchlist field, the Update Watchlist dialog box appears. You can
configure the following settings in that dialog box:
¾ Action - Select whether you want the value to be appended to or removed from the
Watchlist.


¾ Field - Select the field of the triggering event from which the value is taken.
¾ Watchlist - Select the Watchlist to which the value is appended or from which it is
removed.
¾ Add New Watchlist - Lets you add a new Watchlist to the system.
You can add up to five actions per alarm in this dialog box. To add another, click Add
Action. To delete an action, click Delete at the right of the action to be deleted. When a
Watchlist is modified as a result of these settings, the Actions tab of the triggered alarm
displays Added SrcIP to "Bad IPs" Watchlist or Removed DestIP from "Clean IPs"
Watchlist.
… Send to Remedy - Emerson does not provide a Remedy system. This action is not used
at this time.
… Send Message - If this option is selected, a text or email message is sent to the
recipient(s) that you select (syslog and SNMP recipients are not offered for alarms).
Perform the following steps to choose the recipients:
¾ Click Add recipient. The Recipients dialog box appears.
¾ Select Email, Email Groups, Users, or SMS on the left-hand side of the window.
¾ Select the check box(es) of the recipient(s) to whom you want this message to be
sent, or click Select All or Select None.
¾ Click OK. This dialog box also lets you add, edit, or remove recipients. Refer to
the Recipients (see page 215) section for more details.
… Generate reports, views, and queries - Select this option to have the alarm generate a
report, view, or query. Click the Add button; the Add Report editor opens. For details
on filling out the editor, start at Step 7 of the To add a Report (see page 194) section.
When you click Save on the Add Report dialog box, the report type and layout are added
to the list of reports on the Actions tab.
7. Click Next or the Escalation tab. The Escalation window appears. You can make the
following settings on the Escalation window:
… Select the Escalate after check box if you want to escalate the alarm if it is not
acknowledged within a specified period of time.
… Select the number of hours and/or minutes after which the alarm should be escalated if it
is not acknowledged.
… Select the person or group who should receive notification in the Escalated assignee
field.
… Select the severity that this alarm should have when it has been escalated. Default is 50.
… Select the action that should be taken when the alarm has been escalated. Refer to Step
6 for details regarding these options.

Note: You cannot use the Update Watchlist, Send to Remedy, or Create a Case actions on the
Escalation tab.

8. Click Finish. The name, condition, and status of the alarm are added to the table of alarms on
the Alarms dialog.
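The Specified Event Rate and Deviation from Baseline settings above are easiest to reason about against sample data. The following Python script is an added example written for this guide, not code from the Ovation Security Center or the McAfee ESM; it re-implements the documented semantics of those two conditions (Event Count, Time Frame, Offset By, Maximum Condition Trigger Frequency, and the percentage thresholds above and below the baseline) over constructed event timestamps, and shows why the Offset By value matters when the last minute of each five-minute pull holds aggregated events. The class and function names are the example's own.

```python
"""Offline evaluation of two OSC SIEM alarm condition types (added example).

The SIEM itself evaluates conditions; this re-implements the documented
semantics so the effect of each setting can be checked against sample data.
All event timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass
class SpecifiedEventRate:
    """'Specified Event Rate' condition: Event Count within Time Frame."""
    event_count: int                  # Event Count under Event Rate
    time_frame: timedelta             # Time Frame
    offset_by: timedelta              # Offset By (drops the aggregation tail)
    max_trigger_frequency: timedelta  # Maximum Condition Trigger Frequency
    last_trigger: Optional[datetime] = None

    def window(self, now: datetime):
        """Measurement window: shifted back by Offset By, then Time Frame long."""
        end = now - self.offset_by
        return end - self.time_frame, end

    def evaluate(self, events: Iterable[datetime], now: datetime) -> bool:
        start, end = self.window(now)
        matched = sum(1 for t in events if start < t <= end)
        if matched < self.event_count:
            return False
        # Suppress repeat notifications while a condition persists.
        if (self.last_trigger is not None
                and now - self.last_trigger < self.max_trigger_frequency):
            return False
        self.last_trigger = now
        return True


@dataclass
class DeviationFromBaseline:
    """'Deviation from Baseline' condition: percent above and/or below baseline."""
    pct_above: Optional[float] = None   # trigger when value is this % above
    pct_below: Optional[float] = None   # trigger when value is this % below

    def evaluate(self, observed: float, baseline: float) -> bool:
        if baseline == 0:
            # No baseline yet: any positive count counts as "above" if armed.
            return self.pct_above is not None and observed > 0
        delta_pct = (observed - baseline) / baseline * 100.0
        if self.pct_above is not None and delta_pct >= self.pct_above:
            return True
        if self.pct_below is not None and -delta_pct >= self.pct_below:
            return True
        return False


# Constructed sample: the SIEM pulls events every five minutes and the last
# minute of each pull holds aggregated events, as the guide describes.
NOW = datetime(2012, 9, 1, 12, 5, 0)
REGULAR_EVENTS = [datetime(2012, 9, 1, 12, 0, 30) + timedelta(seconds=6 * i)
                  for i in range(30)]                       # 12:00:30 .. 12:03:24
AGGREGATED_EVENTS = [datetime(2012, 9, 1, 12, 4, 30)] * 100  # aggregation spike
SAMPLE_EVENTS = REGULAR_EVENTS + AGGREGATED_EVENTS


def rate_alarm_fires(offset_minutes: int, now: datetime = NOW) -> bool:
    """Evaluate 'at least 50 events in 5 minutes' with a given Offset By."""
    cond = SpecifiedEventRate(
        event_count=50,
        time_frame=timedelta(minutes=5),
        offset_by=timedelta(minutes=offset_minutes),
        max_trigger_frequency=timedelta(minutes=30),
    )
    return cond.evaluate(SAMPLE_EVENTS, now)


def repeat_suppressed() -> bool:
    """A second check inside Maximum Condition Trigger Frequency is suppressed."""
    cond = SpecifiedEventRate(50, timedelta(minutes=5), timedelta(0),
                              timedelta(minutes=30))
    first = cond.evaluate(SAMPLE_EVENTS, NOW)                          # fires
    second = cond.evaluate(SAMPLE_EVENTS, NOW + timedelta(minutes=1))  # still over count
    return first and not second


if __name__ == "__main__":
    print("offset 0 min ->", rate_alarm_fires(0))   # aggregation spike counted
    print("offset 1 min ->", rate_alarm_fires(1))   # spike excluded
    baseline = DeviationFromBaseline(pct_above=25, pct_below=20)
    print("260 vs baseline 200 ->", baseline.evaluate(260, 200))
    print("180 vs baseline 200 ->", baseline.evaluate(180, 200))
```

Run the file directly: with Offset By at 0 the aggregation spike pushes the count to 130 and the alarm fires; with Offset By at 1 minute only the 30 regular events fall inside the window and it does not. The second evaluation one minute later is still over the count but is suppressed by the 30-minute Maximum Condition Trigger Frequency.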


4.16.2 To edit an alarm

Perform the following steps to edit the settings on an alarm:

1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click the Alarms option on the System Properties menu.
The list of all the existing alarms in the system appears on the right pane of the window.
3. Select the alarm that needs to be changed.
4. Click Edit. The Alarm Settings dialog box appears that shows the current settings for this
alarm.
5. Make the desired changes to the settings (refer to the Create New Alarm (see page 207)
section).
6. Click Finish to save the changes.

4.16.3 To copy an alarm

Perform the following steps to copy an existing alarm and rename it:

1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click Alarms on the System Properties menu.
The list of all the existing alarms in the system appears on the right pane of the window.
3. Select the alarm that you want to copy.
4. Click Copy. The Alarm Name dialog box appears that shows the name of the current alarm
followed by _copy.
5. Make the desired changes to the name.
6. Click OK. The copied alarm is added to the list of existing alarms.
7. If you require changes to the settings, highlight the copied alarm and click Edit. The Alarm
Settings dialog box appears. You can then make the desired changes (refer to the Create
New Alarm (see page 207) section).

4.16.4 To delete an alarm

Perform the following steps to delete an alarm:

1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click Alarms on the System Properties menu.
The list of all the existing alarms in the system appears on the right pane of the window.
3. Select the alarm to be deleted.
4. Click Remove.


5. Click Yes on the confirmation message. The alarm is deleted. Any triggered alarms that
resulted from this alarm remain in the system; however, some of their data, such as the
alarm name, no longer appears.

4.17 Managing Watchlists


The Watchlists feature lets you group specific values so that they can be used as filters or as
an alarm condition, which notifies you when those values occur in an event. Watchlists can be
global or specific to a user or a group, and can be static or dynamic. A static Watchlist consists
of specific values that you enter. A dynamic Watchlist consists of values that result from a regular
expression or string search criteria that you define.

Alarm and filter values that contain commas must be placed in a Watchlist to work properly. You
can edit, delete, or append values to an existing Watchlist.

4.17.1 To delete a Watchlist

If you have administrator privileges, you can delete any Watchlist. If you do not have
administrator privileges, you can delete only the Watchlists on which you are an assignee.

Perform the following steps to delete a Watchlist:

1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
2. Click the Watchlist that needs to be deleted.
3. Click Remove and then click Yes on the confirmation message. The Watchlist is deleted.

4.17.2 To add a Watchlist

Perform the following steps to add a Watchlist:

1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
The McAfee Global Threat Intelligence (GTI) Watchlists, GTI Malicious IPs and GTI Suspicious
IPs, are present on the list but contain no data.
2. Click Add.
The Add Watchlist window appears.


3. Enter a name for the Watchlist in the Name field.


4. Select either the Static or Dynamic check box. A static Watchlist consists of values that you
specify; a dynamic Watchlist consists of values that result from a regular expression or string
search criteria that you define.
5. If you select Dynamic, perform the following steps:
a) Select the source against which the search should be run: the StringMap table or rules.
b) Enter the regular expression or string search criteria in the Search field. Searches are
case insensitive by default. To perform a case sensitive search, surround your search
string/regular expression with forward slashes (/). For example, /Exploit/.
c) Select the frequency with which the search should be performed. The existing values list
is replaced every time the search is run.
6. Select the type of data this Watchlist needs to watch for from the Type drop-down list.
7. Select the assignee for this Watchlist. Select All for a global Watchlist, a group for a group of
users, or an individual user's name.

Note: A user with administrator privileges can assign a Watchlist to anyone or any group on the
system. If you do not have administrator privileges, you can only assign Watchlists to yourself
and groups of which you are a member.

8. If you selected Static in Step 4, add the values for the Watchlist in one of the following ways:
… Click the Import button and select the file to be imported. This file must be in new-line-
separated values format. The list of values is added to the Values text box.
… Type the values in the Values text box, one value per line.
The maximum number of values is 10,000. If you import a file containing more than 10,000
lines, the Watchlist cannot be created.
9. If you selected Dynamic in Step 4 and want to run the query now, click Run Now. The
results populate the Values box.
10. Click the Create Alarm button if you want to receive an alarm when an event that contains
any of the values on the Watchlist is generated. You are asked whether to save the Watchlist
first; click Yes. The Alarm Settings dialog box appears. Refer to the Managing Alarms
section for details regarding this dialog box.
11. When you click Finish on the Alarm Settings dialog box, you are returned to the dialog box
that lists the Watchlists on the system.
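Putting the Watchlist rules above into code makes them checkable. The following Python script is an added example for this guide, not code from the Ovation Security Center or the McAfee ESM; it implements the static import rules (one value per line, at most 10,000 values), the dynamic-search case rule (a search wrapped in forward slashes such as /Exploit/ is case sensitive, otherwise the search is case insensitive), the rule that values containing commas belong in a Watchlist, and the Update Watchlist alarm action from the To create a new alarm section, which appends or removes the triggering event's field value and reports it as Added SrcIP to "Bad IPs" Watchlist. The StringMap rows and the event are constructed samples; the function names are the example's own.

```python
"""Watchlist handling as described in the guide (added example, not ESM code).

Covers: importing a static Watchlist file (one value per line, 10,000 max),
the dynamic-search case rule (/pattern/ is case sensitive, otherwise not),
comma-containing values, and the Update Watchlist alarm action.
The StringMap rows and event below are constructed samples.
"""
import re
from typing import Dict, List, Pattern

MAX_WATCHLIST_VALUES = 10_000


class WatchlistError(ValueError):
    """Raised when a Watchlist cannot be created or updated."""


def parse_static_watchlist(file_text: str) -> List[str]:
    """Import a new-line-separated values file into a static Watchlist."""
    values = [line.strip() for line in file_text.splitlines() if line.strip()]
    if len(values) > MAX_WATCHLIST_VALUES:
        raise WatchlistError(
            f"{len(values)} values exceeds the {MAX_WATCHLIST_VALUES} limit")
    return values


def import_rejected(file_text: str) -> bool:
    """True if the import would be refused (demonstrates the 10,000 limit)."""
    try:
        parse_static_watchlist(file_text)
    except WatchlistError:
        return True
    return False


def compile_dynamic_search(search: str) -> Pattern[str]:
    """Searches are case insensitive unless wrapped in forward slashes."""
    if len(search) > 2 and search.startswith("/") and search.endswith("/"):
        return re.compile(search[1:-1])           # /Exploit/ -> case sensitive
    return re.compile(search, re.IGNORECASE)      # Exploit   -> case insensitive


def run_dynamic_watchlist(search: str, source_rows: List[str]) -> List[str]:
    """Dynamic Watchlist: the value list is replaced by the rows the search matches."""
    pattern = compile_dynamic_search(search)
    return [row for row in source_rows if pattern.search(row)]


def needs_watchlist(value: str) -> bool:
    """Alarm/filter values containing commas only work from inside a Watchlist."""
    return "," in value


def update_watchlist(watchlists: Dict[str, List[str]], action: str, field: str,
                     watchlist: str, event: Dict[str, str]) -> str:
    """Apply an 'Update Watchlist' alarm action using a field of the triggering event.

    Returns the text the guide shows on the triggered alarm's Actions tab.
    """
    value = event[field]
    values = watchlists.setdefault(watchlist, [])
    if action == "append":
        if value not in values:
            if len(values) >= MAX_WATCHLIST_VALUES:
                raise WatchlistError(f'"{watchlist}" is full')
            values.append(value)
        return f'Added {field} to "{watchlist}" Watchlist'
    if action == "remove":
        if value in values:
            values.remove(value)
        return f'Removed {field} from "{watchlist}" Watchlist'
    raise ValueError(f"unknown action {action!r}")


# Constructed sample rows standing in for the StringMap table.
STRINGMAP_ROWS = [
    "Exploit: SMB remote code execution attempt",
    "exploit kit landing page",
    "Suspicious login from new location",
    "EXPLOIT attempt blocked by host firewall",
]

if __name__ == "__main__":
    print(run_dynamic_watchlist("/Exploit/", STRINGMAP_ROWS))   # 1 row
    print(run_dynamic_watchlist("exploit", STRINGMAP_ROWS))     # 3 rows
    lists = {"Bad IPs": []}
    event = {"SrcIP": "192.0.2.10", "DestIP": "192.0.2.20"}    # constructed event
    print(update_watchlist(lists, "append", "SrcIP", "Bad IPs", event), lists)
```

The case rule is the one to remember when a dynamic Watchlist returns more rows than expected: without the slashes, "exploit" matches every capitalisation in the StringMap table.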

4.17.3 To edit a Watchlist

If you have administrator privileges, you can edit any Watchlist. If you do not have
administrator privileges, you can edit only the Watchlists on which you are an assignee.

Perform the following steps to edit a Watchlist:

1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
2. Click the Watchlist that needs to be edited.
3. Click Edit.


4. The Watchlist window appears, allowing you to change the settings. Refer to the To add a
Watchlist (see page 212) section for details.

4.18 Managing Recipients


The Recipients option lets you define the list of persons who can receive reports and alarms,
and the format in which reports and alarms are sent. Reports can be sent by email, to an email
group, to individual users on the system, as SMS messages, as SNMPv1 traps, and as syslog
messages. Alarms, however, can only be sent by email, to email groups, to specific users, and
as SMS messages.

4.18.1 To access the recipients configuration

The following are the three ways to access the recipients menu:

1. Click Local ESM on the main SIEM screen. Click Properties. The System Properties window
appears. Select Email Setting in the left pane of the window. Click Configure Recipients in
the right pane of the window. The Recipients window appears.
2. Click Local ESM on the main SIEM screen. Click Properties. The System Properties window
appears. Select Alarms in the left pane of the window. Click Recipients in the right pane of
the window. The Recipients window appears.
3. Click Local ESM on the main SIEM screen. Click Properties. The System Properties window
appears. Select Reports in the left pane of the window. Click Recipients in the right pane of
the window. The Recipients window appears.

4.18.2 To add an email address

Perform the following steps to add an email address:

1. Click Add on the Recipients window (See the To access the recipients configuration (see
page 215) section).
The Add Email Recipient dialog box appears.
2. Enter the desired email address.
3. Click OK.
The email address is added to the Email Recipients list and the Add Email Recipient dialog
box closes.

4.18.3 To edit an email recipient

Perform the following steps to edit an email recipient:

1. Click the email address to be modified on the Recipients window (See the To access the
recipients configuration (see page 215) section).
2. Click Edit.
The Edit Email Recipient window appears.
3. Make the necessary modifications to the address.
4. Click OK to save the changes and close the Edit Email Recipient window.


4.18.4 To remove an email recipient

Perform the following steps to remove an email recipient:

1. Highlight the address(es) you want to remove on the Email Recipients list.
2. Click the Remove button.
A Remove Email Recipient message appears.
3. Click Yes to proceed with the removal or No to cancel the removal.

4.18.5 To add an email group

The Email Groups option on the Recipients window lets you group email addresses. This is
useful when the same set of people regularly receives reports or alarms: you attach the group to
the message instead of attaching each email address individually.

Perform the following steps to add an email group:

1. Click the Email Groups option on the Recipients window (see the To access the recipients
configuration (see page 215) section).
2. Click Add.
The Add Email Recipient Group dialog box appears.
3. Type in the name of the new group in the Email Group Name field.
4. Select the email addresses you want to include in the group. You can also use the Select All
and Select None buttons to select all or none of the email addresses. If you need to add email
addresses to the system, refer to the To add an email address (see page 215) section.
5. Click OK to save your settings. The new group is added to the list of the Email Recipient
Groups on the Recipients window.

4.18.6 To edit an email group

Perform the following steps to edit an email group:

1. Click the group you want to modify on the Email Groups screen of the Recipients window (see
the To access the recipients configuration (see page 215) section).
2. Click Edit.
The Edit Email Recipient Group dialog box appears.
3. Make the necessary changes.
4. Click OK to save your changes.

4.18.7 To remove an email group

Perform the following steps to remove an email group:

1. Click the group(s) you wish to remove on the Email Groups screen of the Recipients window
(see the To access the recipients configuration (see page 215) section).
2. Click Remove.
A message for the removal confirmation appears.


3. Click Yes to proceed with the removal or No to cancel the removal.

4.18.8 To add an SMS address

The SIEM provides you with the option to send SMS (text) messages.

Perform the following steps to add an SMS address:

1. Click SMS on the Recipients window (see the To access the recipients configuration (see
page 215) section). The SMS Recipients dialog box that list all the SMS addresses currently
on the system appears.
2. Click Add.
The Add SMS Recipient dialog box appears.
3. Enter the SMS address that you want to add to the system. SMS addresses use the carrier's
email-to-SMS gateway. The following are example formats for common US service providers:
… Alltel
¾ [10-digit phone number]@message.alltel.com
¾ Example: 1234567890@message.alltel.com
… AT&T (formerly Cingular)
¾ [10-digit phone number]@txt.att.net
¾ [10-digit phone number]@mms.att.net (MMS)
¾ [10-digit phone number]@cingularme.com
¾ Example: 1234567890@txt.att.net
… Boost Mobile
¾ [10-digit phone number]@myboostmobile.com
¾ Example: 1234567890@myboostmobile.com
… Nextel (now Sprint Nextel)
¾ [10-digit telephone number]@messaging.nextel.com
¾ Example: 1234567890@messaging.nextel.com
… Sprint PCS (now Sprint Nextel)
¾ [10-digit phone number]@messaging.sprintpcs.com
¾ [10-digit phone number]@pm.sprint.com (MMS)
¾ Example: 1234567890@messaging.sprintpcs.com
… T-Mobile
¾ [10-digit phone number]@tmomail.net
¾ Example: 1234567890@tmomail.net
… US Cellular
¾ [10-digit phone number]@email.uscc.net (SMS)
¾ [10-digit phone number]@mms.uscc.net (MMS)
¾ Example: 1234567890@email.uscc.net


… Verizon
¾ [10-digit phone number]@vtext.com
¾ [10-digit phone number]@vzwpix.com (MMS)
¾ Example: 1234567890@vtext.com
… Virgin Mobile USA
¾ [10-digit phone number]@vmobl.com
¾ Example: 1234567890@vmobl.com
Refer to http://www.makeuseof.com/tag/email-to-sms/ for further provider formats.
4. Click OK. The address is added to the list of SMS recipients.

4.18.9 To edit an SMS address

Perform the following steps to edit an SMS address:

1. Click SMS on the Recipients window (see the To access the recipients configuration (see
page 215) section). The SMS Recipients dialog box that lists all of the SMS addresses
currently on the system appears.
2. Click Edit.
3. Configure the necessary changes. Refer to the To add an SMS address (see page 217)
section for more details.
4. Click OK to accept the changes.

4.18.10 To remove an SMS address

Perform the following steps to remove an SMS address:

1. Click SMS on the Recipients window (See the To access the recipients configuration (see
page 215) section). The SMS Recipients dialog box that lists all of the SMS addresses
currently on the system appears.
2. Click Remove.
A message for the removal confirmation appears.
3. Click Yes to proceed with the removal or No to cancel the removal.

4.18.11 To add an SNMP recipient

The SIEM can send reports through the SNMPv1 protocol. SNMP uses the User Datagram Protocol
(UDP) as the transport protocol for passing data between managers and agents. In a typical
SNMP setup, an agent such as the SIEM notifies an SNMP manager (usually referred to as a
Network Management Station (NMS)) of events using packets of data known as traps. This is
useful when a system administrator wants to receive event reports from the SIEM in the same
way notifications are received from other agents in the network.

SNMPv1 provides no authentication beyond the community string and no encryption, so the
community string and the report contents travel in cleartext. Keep the NMS on a trusted network
path from the OSC DMZ, restrict the trap port on the NMS to the SIEM's address, and do not use
a default community string such as public.

Due to size limitations of SNMP trap packets, each line of the report is sent in a separate trap.

Perform the following steps to add an SNMP recipient:

1. Select SNMP on the Recipients window (See the To access the recipients configuration (see
page 215) section). The SNMP Recipients list appears.


2. Click Add.
The Add SNMP Recipient dialog box appears.
3. Enter the correct values for the following fields to direct the packet to its destination and
provide information useful to system administrators using SNMP:
… Host IP - The IP address of the machine to which the trap is sent.
… Port - The port on which the SNMP trap is to be received.
… Community - The SNMP trap's community string.
… Trap Type - The specific trap type (the general trap type is always set to 6, enterprise
specific).
… Enterprise OID - The full enterprise OID for the trap to be sent: everything in the trap's
OID from the first 1 to the enterprise number, including any sub-trees within the
enterprise.
… Verbosity - When Include Informative Data Bindings is selected, the trap contains
variable bindings with extra information, including the line number of the report being
processed, a 'McAfee' string identifying the source of the trap, and the ID of the ESM
sending the trap. When Include report data only is selected, these extra variable
bindings are not included in the trap.
… Formatting - Each SNMP trap generated from a report contains one line of data from that
report. When you select Send each report line as is, the data from the report line is sent
as is in a single variable binding, with the data binding OIDs being constructed by
concatenating the Enterprise OID, the specific trap type, and an auto-incrementing
number beginning at 1. When Parse results and use these binding OIDs is selected,
the report line is parsed and each field is sent in a separate data binding. Selecting this
option lets you specify custom data binding OIDs. If you do not specify enough
variable OIDs for all the data fields in the report, the ESM continues incrementing from the
last OID specified in the list.
4. If you selected Parse results and use these binding OIDs, click Add under the binding OID
list. The Binding OID dialog box appears. Enter the binding OID value and click OK. The
binding OID appears on the Binding OID list. Repeat for each OID you want to specify.
5. Click OK. The SNMP recipient is added to the SNMP Recipients list.
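The Verbosity and Formatting rules above determine exactly which variable bindings each trap carries. The following Python script is an added example for this guide, not code from the Ovation Security Center or the McAfee ESM; it builds, without sending anything on the network, the SNMPv1 trap parameters and variable bindings for each line of a constructed two-row report, following the documented rules: generic trap 6, the configured specific trap type, one trap per report line, auto-incrementing data binding OIDs under Enterprise OID.trap type, and continued incrementing from the last configured OID when a parsed line has more fields than binding OIDs. Two details are assumptions, because the guide does not state them: the OIDs used for the three informative bindings (placed under .0 of the trap OID here) and that the auto-incrementing number restarts at 1 for each trap. The enterprise OID, addresses and community string are placeholders.

```python
"""Build the SNMPv1 trap payloads the guide describes for a report sent to an
SNMP recipient (added example, not ESM code; nothing is sent on the network).

Assumed details not spelled out in the guide: the OIDs of the three informative
bindings and that the auto-incrementing number restarts at 1 for each trap.
The report rows, addresses and enterprise OID are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GENERIC_TRAP_ENTERPRISE_SPECIFIC = 6   # the general trap type is always 6


@dataclass
class SnmpRecipient:
    host_ip: str
    port: int
    community: str
    trap_type: int               # specific trap type
    enterprise_oid: str          # full enterprise OID, 1.3.6.1.4.1.<enterprise>...
    informative_bindings: bool   # Verbosity: Include Informative Data Bindings
    parse_results: bool          # Formatting: Parse results and use these binding OIDs
    binding_oids: List[str] = field(default_factory=list)


def increment_oid(oid: str) -> str:
    """Increment the last arc of a dotted OID: ...7.20 -> ...7.21."""
    head, _, last = oid.rpartition(".")
    return f"{head}.{int(last) + 1}"


def data_binding_oids(recipient: SnmpRecipient, n_fields: int) -> List[str]:
    """OIDs for the data bindings of one trap.

    'Send each report line as is': enterprise OID + specific trap type + counter
    from 1.  'Parse results': the configured OIDs, then keep incrementing from
    the last configured OID when the report has more fields than OIDs.
    """
    base = f"{recipient.enterprise_oid}.{recipient.trap_type}"
    if not recipient.parse_results or not recipient.binding_oids:
        return [f"{base}.{i}" for i in range(1, n_fields + 1)]
    oids = list(recipient.binding_oids[:n_fields])
    while len(oids) < n_fields:
        oids.append(increment_oid(oids[-1]))
    return oids


def trap_for_line(recipient: SnmpRecipient, line_no: int, line: str,
                  esm_id: str) -> Dict:
    """One report line -> one trap (a trap is too small to carry a whole report)."""
    fields = line.split(",") if recipient.parse_results else [line]
    varbinds: List[Tuple[str, str]] = []
    if recipient.informative_bindings:
        # Assumed placement: the guide gives the contents of these bindings, not their OIDs.
        info_base = f"{recipient.enterprise_oid}.{recipient.trap_type}.0"
        varbinds += [(f"{info_base}.1", str(line_no)),
                     (f"{info_base}.2", "McAfee"),
                     (f"{info_base}.3", esm_id)]
    varbinds += list(zip(data_binding_oids(recipient, len(fields)), fields))
    return {
        "dst": (recipient.host_ip, recipient.port),
        "community": recipient.community,
        "enterprise": recipient.enterprise_oid,
        "generic_trap": GENERIC_TRAP_ENTERPRISE_SPECIFIC,
        "specific_trap": recipient.trap_type,
        "varbinds": varbinds,
    }


def traps_for_report(recipient: SnmpRecipient, report_lines: List[str],
                     esm_id: str) -> List[Dict]:
    """The whole report: one trap per line, numbered from 1."""
    return [trap_for_line(recipient, i, line, esm_id)
            for i, line in enumerate(report_lines, start=1)]


# Constructed sample: a two-row report and a placeholder enterprise OID.
SAMPLE_REPORT = ["2012-09-01 12:00,192.0.2.10,Failed login,7",
                 "2012-09-01 12:05,192.0.2.11,Failed login,3"]
SAMPLE_RECIPIENT = SnmpRecipient(
    host_ip="192.0.2.50", port=162, community="osc-reports",   # placeholders
    trap_type=7, enterprise_oid="1.3.6.1.4.1.99999.1",          # placeholder enterprise
    informative_bindings=True, parse_results=True,
    binding_oids=["1.3.6.1.4.1.99999.1.7.10", "1.3.6.1.4.1.99999.1.7.20"])

if __name__ == "__main__":
    for trap in traps_for_report(SAMPLE_RECIPIENT, SAMPLE_REPORT, "ESM-01"):
        print(trap["specific_trap"], trap["varbinds"])
```

With two binding OIDs configured and four fields per row, the third and fourth fields land on .7.21 and .7.22, which is the behaviour to expect when the NMS shows unfamiliar OIDs for a report that has more columns than you configured.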

4.18.12 To edit an SNMP recipient

Perform the following steps to edit an SNMP recipient:

1. Click on the recipient you want to modify on the Recipients > SNMP Recipients window (see
the To access the recipients configuration (see page 215) section).
2. Click Edit.
The Edit SNMP Recipient dialog box appears.
3. Make the necessary changes (see the To add an SNMP recipient (see page 218) section for
details).
4. Click OK to save your changes.


4.18.13 To remove an SNMP Recipient

Perform the following steps to remove an SNMP recipient:

1. Click on the SNMP recipient(s) you want to remove on the Recipients > SNMP Recipients
window (see the To access the recipients configuration (see page 215) section).
2. Click Remove.
A message for the removal confirmation appears.
3. Click Yes to proceed with the removal or No to cancel the removal.

4.18.14 To add a syslog recipient

Syslog is a standard for forwarding log messages in an IP network. The reports generated by the
SIEM can be sent using syslog. They are sent one line per syslog message, with the data of each
line of the query results arranged in comma-separated fields. Plain syslog provides no
authentication of the sender and no encryption of the message contents, so restrict the collector
to accepting messages from the SIEM's address and keep the path between them inside a
trusted network segment.

Perform the following steps to add a syslog recipient:

1. Click the Syslog option on the System Properties > Reports > Recipients window. The list
of the syslog recipients appears.
2. Click Add.
The Add Syslog Recipient window appears.
3. Enter the recipient’s host IP and the port.
4. Click the down arrows to specify the facility and the severity.
5. Click OK to add the information to the syslog recipient list.

4.18.15 To edit a syslog recipient

Perform the following steps to edit a syslog recipient:

1. Click the Syslog option on the System Properties > Reports > Recipients window. The list
of the syslog recipients appears.
2. Click Edit.
The Edit Syslog Recipient window appears.
3. Modify the required information.
4. Click OK to update the information to the syslog recipient list.

4.18.16 To remove a syslog recipient

Perform the following steps to remove a syslog recipient:

1. Click the syslog recipient(s) you want to remove on the System Properties > Reports >
Recipients window.
2. Click Remove.
The Remove Syslog Recipient message appears.
3. Click Yes to proceed with the removal or No to cancel the removal.


4.19 Managing Conditions


The Conditions are the triggers that cause a report to be generated when a specified criterion is
met. A set of conditions comes with the system. However, you can define new
conditions on the Add Condition window.

4.19.1 To add a condition

Perform the following steps to add a condition:

1. Click the Conditions button that is located at the bottom of the System Properties >
Reports window or on the Edit conditions section of the Add Report window.
The Conditions dialog box appears.
2. Click Add.
The Add Condition window appears.
3. Type in a name for the condition.
4. Select the condition type from the Type drop-down list.
The options are:
   - Daily at Specified Time - Same time on a daily basis.
   - Every So Many Minutes - Every number of minutes specified.
   - Hourly at Specified Minute - Once an hour at the specified minute.
   - Weekly at Specified Time - Same time on a weekly basis.
   - Monthly at Specified Day/Time - Same time on a monthly basis.
   - Yearly at Specified Month/Day/Time - Same time on a yearly basis.
5. Specify the trigger time properties of the condition in the Properties section. These property
options change based on the condition type selected.
6. Click OK to save the changes and the new condition appears on the Conditions window.

4.19.2 To edit a condition

Perform the following steps to edit a condition:

1. Select the specific condition to be modified from the list of conditions on the System
Properties > Reports > Conditions window.
2. Click Edit.
The Edit Condition window appears.
3. Make the required modifications to the settings.
4. Click OK to save the changes.

4.19.3 To delete a condition

Perform the following steps to delete a condition:

1. Select one or more conditions on the System Properties > Reports > Conditions window.
2. Click Remove.
The Remove Condition message appears.
3. Click Yes to proceed with the removal or No to cancel the removal.

4.20 Network intrusion detection installation


Network Intrusion Detection (NID) functionality is provided through separate NID equipment in the
Ovation Security Center (OSC). NID is managed by the Security Information Event Manager
(SIEM) component of the OSC.

4.20.1 Intrusion Prevention versus Intrusion Detection

NID can support two modes of operation:

• Intrusion prevention
• Intrusion detection

Intrusion detection is a monitor-only mode. It watches for malicious traffic and reports its findings
to the SIEM, but it does not stop any traffic from moving through the NID. As described in
Mirroring Traffic versus Inline, intrusion detection mode is supported with both traffic mirroring and
inline configurations.

Intrusion prevention is an active prevention mode. It watches for malicious traffic and reports its
findings to the SIEM, and it stops traffic from moving through the NID depending on the setting for
that specific event. Each packet is matched against a rule in the NID, and each rule can be
configured independently: some traffic can be configured to alert only, without blocking (much like
intrusion detection), while other traffic can be configured to alert and block. As described in
Mirroring Traffic versus Inline, intrusion prevention mode is supported only with the inline
configuration.

The recommended approach is to use the intrusion detection capabilities, which limits the possibility
of false positives interrupting the operation of the Ovation system. This also gives more monitoring
ports (see Mirroring Traffic versus Inline, page 226). If intrusion prevention is a consideration at a
later point, consider running the NID inline but in intrusion detection mode; switching to intrusion
prevention mode would then not require the cabling to be changed.

4.20.2 Traffic Monitoring

One of the first considerations when using the NID is what traffic to monitor.

The NID can monitor traffic at the perimeter of a network to see data flow, in and out. In Ovation,
this would be any FieldLAN or PlantLAN interface. Two examples are shown below and the pros
and cons are explained for each. This is not all inclusive. Other configurations may be generated
depending on security needs at each specific system.

The NID has a number of IP-less monitor ports, depending on the model selected, that will have
traffic sent to (or through) it. Those connections will be shown as dashed lines in the following
figures. The NID has a management port with an IP address that connects to the OSC network so
the SIEM can manage the NID as well as receive events from it.

Example 1

The first example is configured to monitor traffic on the inside (or the Ovation facing-side) of the
Ovation network equipment. The Ovation network equipment has an Access Control List (ACL)
built-in to only allow certain traffic through. The Access Control List is similar to a whitelist and
controls what traffic has access to the network.

Therefore, the only traffic that the NID would then see is traffic that made it past the ACLs from
the outside of Ovation coming in and any traffic from inside Ovation heading out. Assuming the
outside is less secure, the amount of malicious traffic the NID would see in this configuration
would be lower than watching the outside due to ACLs blocking traffic. This results in less event
data being reported to the SIEM so reports would be easier to read. It will not show all the
malicious traffic that is targeting the Ovation system from the outside that may indicate a
potentially growing problem.

Figure 8: Monitoring Ovation Facing Network Traffic

Example 2

The second example is configured to monitor traffic on the outside (or the outside facing side) of
the Ovation network equipment. This configuration monitors all traffic coming into the Ovation
network equipment before any ACLs are applied and before any Ovation-side traffic that passed
through the ACLs of the network equipment. If there is an attack from an outside network, the NID
reports this traffic as targeting the Ovation network. This does not necessarily mean this traffic is
making it to Ovation due to ACLs in the network equipment. This can increase the amount of data
sent to the SIEM to review but provides a more accurate picture of what is targeting the Ovation
system.

Figure 9: Monitoring Outside Network Facing Traffic

4.20.3 Mirroring Traffic versus Inline

There are two ways to add an NID to an Ovation system:

• Mirroring Traffic (see page 226)
• Inline (see page 227)

Note: Each NID can only support one method at a time. If one connection uses the mirrored
approach, then all connections must use the mirrored approach. The same applies for Inline
mode. Mixing is not allowed.

Mirroring traffic

Mirroring traffic involves configuring network equipment to mirror or copy traffic from one port of
the switch or router to another port. This mirrored port is then plugged into the NID. The benefit
here is the ability to aggregate traffic to lower the number of ports consumed on the NID.
In the cases above, only one port on the NID would be required for each dotted line. Since this
traffic is mirrored, the NID cannot interfere with the flow of traffic.

After you determine what traffic the NID monitors, you need to consider what limitations there are
on mirroring traffic and how many ports are consumed on both the Ovation network equipment and
the NID. This helps you to determine the size and number of the NIDs to be placed in a system.

Only traffic on an HWIC switch module can be mirrored. Ovation routers cannot mirror traffic from
or to a routed interface. This applies to the following ports:

• FastEthernet 0/0, 0/1 on a Cisco 2801 or 2811 series router.
• GigabitEthernet 0/1, 0/2, and 0/3 on a 2900 series router.

The following configuration information applies to the following routers:

• Cisco 2800 series routers, G02 or G03 configuration: one physical port is required on the
router and one port is consumed on the NID.
• Cisco 2800 series router, G04 configuration: two physical ports are required, one on each
E-HWIC, and two on the NID.
• Cisco 2900 series router, G05 or G08 only: one port is required on one of the HWICs and
one port on the NID.

Ovation switches can mirror traffic from any number of ports to any port on the switch as long as
there is a free port available. However, do not mirror too many ports if network traffic is heavy. For
example, if the baseline bandwidth of a system is 30 Mbps, mirroring three ports to one port
results in 90 Mbps. If you instead mirror four ports, this results in 120 Mbps, which exceeds a
100 Mbps port.

Inline

The NID can also be placed inline on a network connection. Instead of mirroring traffic from
network equipment, this configuration requires no changes in the network equipment. This can be
useful if the network equipment cannot support mirroring, such as in the case of routed interfaces
or a lack of available ports.

Because the connection is inline, two ports will be consumed on the NID per connection. One port
on the NID is required for one side of the connection, and another is required for the other side of
the connection. The NID will now sit in-between the network devices.

Note: When the NID is inline, if the NID loses power or loads certain rule changes, a loss of
traffic may be noticed for a few seconds before recovering. This occurs unless the bypass NICs
are enabled during startup/shutdown (see To set NID mode).

The cabling is specific for each configuration; refer to the following cabling sections:

• Management interface cabling (see page 227).
• Mirrored traffic cabling (see page 227).
• Inline cabling (see page 228).

4.20.4 Management interface cabling

The management interface is like a normal PC connection. One straight through cable is required
to tie into network equipment that has a network path to the SIEM. The standard would be to
place it in the OSC network. If distance is an issue, the NID’s management interface may be tied
into an Ovation switch in an IP traffic port.

4.20.5 Mirrored traffic cabling

The NID requires mirrored traffic to be sent to it on a separate connection. This connection only
requires a straight through Ethernet cable from the mirrored port to the NID. Although any port
can be used, start with the right-most port and move left as more ports are required. The trusted
and untrusted labels on the ports can be disregarded; they apply only to inline mode.

4.20.6 Inline cabling

To cable an NID inline without interrupting traffic, cable it as if the NID itself were a crossover
cable.

If a connection without an NID requires a straight through cable, then one of the cables to the NID
must be straight through and the other must be a cross over. The order does not matter; either
side can be the cross over or the straight through cable.

• Straight through + NID (cross over) + cross over = straight through

If a connection without an NID requires a cross over cable, then both of the cables to the NID
must be cross over cables.

• Cross over + NID (cross over) + cross over = cross over

Looking at the back of the NID, the monitoring NICs are paired for inline mode. Starting from the
far right, the first port in the pair is untrusted. Next to it is the trusted port of the connection. Tie
the untrusted port into the network device on the side of the network that is not the side you are
trying to protect. In this case, this would be the non-Ovation side. The Ovation side of the
connection would go into the trusted port. Then, the next pair would be for another connection
point, and so forth.

4.20.7 To configure the initial IP address

Perform the following steps to configure the initial IP address:

1. Supply power to both power supplies on the back of the NID. Otherwise, an alarm will sound.
2. If the device does not power on automatically, click and hold the green check button on the
front panel of the IDS until the device powers on.
3. Wait for the device to load. The front LCD should read McAfee twice.
4. Click the red X button on the front of the IDS and wait for the menu to load.
5. Select IPS Info using the up and down arrows. Click the green check button.
6. Use the right arrow to scroll through the items until you find the software version. It should go
in this order:
a) McafeeSecurity
b) IDS Model Number (like IPS 1225)
c) Machine ID (like ABCD:1234)
d) Software Version (like 9.0.2 20120417134359a)
e) Serial Number (like 1234-5678910)
7. Ensure the software version is 9.1.2 20120822162535. Otherwise, contact Emerson for
assistance.
8. Click the red X button on the front of the IDS and wait for the menu to load.
9. Click the down arrow button and go to the MGT IP Conf menu item on the LCD. Press the
green check button.
10. After the menu loads, select Mgt1 using the up and down arrows.
11. Click the green check button to select it.

12. The menu will load and the Active menu item will appear. If there is not a check next to the
menu item, click the green check button to check it.
13. Use the down arrow button to select IP Address menu item.
14. Click the green check button.
15. Set the desired IP address by using the up and down arrows to change the value of the
current digit and use the left and right arrow buttons to switch between digits.
16. After the desired IP address is set, click the green check button.
17. Use the down arrow key to select the Netmask menu item. Click the green check button.
18. Set the desired netmask in the same way the IP address was set. See steps 6 and 7.
19. Use the down arrow key to select the Done menu item.
20. Click the green check button.
21. Click the down arrow key to select the Gateway menu item.
22. Click the green check button.
23. Set the desired gateway address in the same way the IP address was set. See steps 6 and 7.
24. Click the green check button to accept this address.
25. Use the down arrow key to select the Done menu item.
26. Click the green check button.
27. Use the down arrow key to select the Save Changes menu item.
28. Click the green check button to save the changes.

4.20.8 To add NID to SIEM

Perform the following steps to add NID to SIEM:

1. Select the system or group to which you wish to add the device in the System Navigation
Tree from the SIEM main screen.

2. Click on the Add Device icon in the Actions Toolbar.

The Add Device Wizard opens.


3. Select McAfee Nitro IPS.
4. Click Next. The second dialog box of the Add Device Wizard opens.
5. Enter a name that is unique in this group for the NID device in the Device Name field.

6. Click Next. The third dialog box of the Add Device Wizard opens.

7. Enter a target IP address or URL in the Target IP Address or URL field. Enter the target SSH
port number. Ensure that it is valid to be used with the specified IP address. The default port
is 22.

8. Click Next. The fourth dialog box of the Add Device Wizard opens.
9. Click Key Device. The fifth dialog box of the Add Device Wizard opens.

10. Enter and re-enter a password for this device.


11. Click OK.
a) The ESM will test the device communication and report on the status of the connection.
b) After the test is successful, the System Display then shows the NID as a device.

12. After an NID is added, the variables being passed to the NID must be checked/modified, and
then rolled out to the device. Refer to Variables for further details.

4.20.9 To set NID mode

Perform the following steps to set the NID mode:

1. Click the NID you want to configure from the SIEM main screen.
2. Click the Properties icon. The NID Properties window appears.

3. Click Device Configuration from the left-hand menu.

4. Click Interfaces. The Network Interfaces window appears.

5. Under the Mode drop-down list:
a) Select IDS if you are using this NID in traffic mirroring mode.
b) Select IPS if you are using this NID in inline mode.
6. If you select IPS mode, make sure the Use Bypass NICs and Bypass During
Startup/Shutdown boxes are selected. Otherwise, loss of traffic will be noticed during
shutdown, startup, or loss of power. This setting was chosen based on wanting to perform
intrusion detection only. If intrusion prevention is desired, these boxes may remain cleared.
7. Click OK to accept the changes and close the Network Interface Settings.

4.20.10 To set policies

This section describes how to turn Alerts Only Mode On and Off. This is only useful when using
an inline configuration. The following applies to Alerts Only Mode:

• On makes the NID act in intrusion detection mode.
• Off enables intrusion prevention mode.

The other setting to note in this section is Over-subscription mode. Over-subscription mode
defines what to do when the NID has too much data passing through the wire which may happen
from time to time under proper configuration or if the NID is configured to watch more traffic than it
should.

There are two options for Over-subscription mode:

• drop - If you configure the NID to drop, when more data enters the NID than it can handle, the
data is dropped and a log message is generated stating this.
• pass - A setting of pass allows the NID to pass traffic but without checking it. Therefore, bad
traffic may pass but traffic is not interrupted.

This can be performed on a per NID basis or globally for every NID in a given system. The steps
below show the global method with a note on making the selection on a per NID basis.

1. Click Local ESM from the SIEM main screen.


2. Click the Policy Manager icon. The Policy Editor window appears.

Note: The top bar in the window shows where you are in the system’s policy. Default Policy is
the highest level, which all downstream devices can inherit from. Clicking the arrow next to
Default Policy reveals a pull-down menu to drill down to a specific device’s policy. At this point,
keep it on Default Policy.

3. Click the Settings button on the left hand-side of the top bar.

The Settings window appears:

4. Select On or Off from the Alerts only mode drop-down list.


5. If at a specific device level, there will be a third option to Inherit from the Default Policy.

6. To change the Oversubscription Mode, click Update. The Modify Variable window appears:

7. In the Value field, enter drop to have the NID drop packets, or pass to allow packets to pass
during over-subscription.
8. Once set, click OK to close the Modify Variable window.
9. Click OK to accept the changes and close the Settings window.
10. Roll out the policy. Refer to the SIEM manual on rolling out policy.

4.20.11 MODBUS_CLIENT

For a system using the MODBUS protocol in its environment, the MODBUS_CLIENT variable is used
to define what IP addresses take part in that communication. This variable defines the client side of
the communication. It should be defined in a similar way to HOME_NET. For example,
[192.168.150.45/32] for a single client, [192.168.150.45/32,192.168.150.60/32] for multiple single
clients, and [192.168.150.0/24] for a range of clients.

4.20.12 To access a variable list through the policy manager

The NID works by using rules to check for certain conditions, much like an antivirus. One way to
make definitions more generic is to use variables to define items like IP addresses and ports. A
change in a variable would in turn change a whole set of rules. Variables are referenced throughout
the system by putting a $ symbol in front of the variable name; for example, a variable called
HOME_NET is referenced as $HOME_NET. Improperly set variables can result in false positives and
poor overall NID tuning. Variables can be defined either at the System level, so all NIDs use the
same ones, or per NID where necessary. This manual describes modifying the variables at the
System level.

Perform the following steps to access the variable list through the policy manager:

1. Click Local ESM from the SIEM main screen.


2. Click the Policy Manager icon. The Policy Editor window appears.

Note: The top bar in the window shows where you are in the system’s policy. Default Policy is
the highest level which all downstream devices can inherit from. Clicking the arrow next to
Default Policy displays a pull down menu that allows you to navigate to a specific device’s
policy. At this point, keep it on Default Policy.

3. Click Variable under Rule Types. The main window now shows all the variables for the
Default Policy.

4. From here, variables can be added, deleted, or modified. This document focuses mainly on
modifying variables. The McAfee manual provided on the OSC 2.1 SIEM Disc 1 provides
additional information about variables.

4.20.13 To edit a variable

Perform the following steps to edit a variable:

1. Locate the variable that you want to edit from the Policy Editor window (see To access a
variable list through the policy manager (see page 238)).
The following example illustrates HOME_NET (see Useful variables for Ovation (see page
241)). Our example system has an Ovation address of 192.168.2.0/23 and a DMZ
aggregation subnet address of 192.168.160.0/24.

2. Select and double-click HOME_NET. The Modify Variable window appears.

3. Enter the value in the proper format in the Value text box. In this example, network segments
are comma separated and enclosed in [ ] brackets. The Description box describes the syntax.

4. Click OK to accept the changes. This closes the Modify Variable window.
5. Modify other variables as needed.
6. After all variable changes are made, the policy must be rolled out for the changes to take
effect. Refer to the instructions in the SIEM User manual on rolling out policy.

4.20.14 Useful variables for Ovation

The following list is not all inclusive. However, it lists some of the more important variables when
using Ovation software.

HOME_NET and EXTERNAL_NET

The HOME_NET variable defines the network segments that are protected. In the case of Ovation
systems, this would be the Ovation network and any third NIC aggregation subnets. The variable
EXTERNAL_NET is the other side. It refers to network addresses that are considered not trusted.
By default, this variable is defined as !$HOME_NET. The ! means the mathematical not;
therefore, EXTERNAL_NET is any address not defined by HOME_NET by default. This value can
be set to specific ranges or left as !$HOME_NET.

DNP3_CLIENT

For a system using DNP3 protocol in its environment, the DNP3_CLIENT variable is used to
define what IP addresses take part in that communication. This variable defines the client side of
the communication. It should be defined in a similar way to HOME_NET.

For example:
• [192.168.150.45/32] for a single client.
• [192.168.150.45/32,192.168.150.60/32] for multiple single clients.
• [192.168.150.0/24] for a range of clients.

DNP3_PORTS

For a system using the DNP3 protocol in its environment, this variable is used to define what ports
are used for DNP3 communication. Be aware that there is no standard port (20000 is the de facto
standard), and some devices (such as SEL boxes) may use multiple ports for DNP3.

It can be defined as:

• a single port (such as 20000).
• multiple single ports (such as 20000, 20001, 20002).
• a range of ports (such as 20000:20100).

DNP3_SERVER

For a system using DNP3 protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.

For example:
• [192.168.150.45/32] for a single server.
• [192.168.150.45/32,192.168.150.60/32] for multiple single servers.
• [192.168.150.0/24] for a range of servers.

ENIP_SERVER

For a system using Allen Bradley protocols in its environment, this variable is used to define what
IP addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.

For example:
• [192.168.150.45/32] for a single server.
• [192.168.150.45/32,192.168.150.60/32] for multiple single servers.
• [192.168.150.0/24] for a range of servers.

ICCP_CLIENT

For a system using ICCP protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the client side of the
communication. It should be defined in a similar way to HOME_NET.

For example:
• [192.168.150.45/32] for a single client.
• [192.168.150.45/32,192.168.150.60/32] for multiple single clients.
• [192.168.150.0/24] for a range of clients.

ICCP_PORT

For a system using ICCP protocol in its environment, this variable is used to define what ports are
used for ICCP communication.

It can be defined as:

• a single port (such as 20000).
• multiple single ports (such as 20000, 20001, 20002).
• a range of ports (such as 20000:20100).

ICCP_SERVER

For a system using ICCP protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.

For example:
• [192.168.150.45/32] for a single server.
• [192.168.150.45/32,192.168.150.60/32] for multiple single servers.
• [192.168.150.0/24] for a range of servers.

MODBUS_PORT

For a system using MODBUS protocol in its environment, this variable is used to define what
ports are used for MODBUS communication. The standard port is 502 but certain PLCs or
environments may use other ports.

It can be defined as:

• a single port (such as 20000).
• multiple single ports (such as 20000, 20001, 20002).
• a range of ports (such as 20000:20100).

MODBUS_SERVER

For a system using MODBUS protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.

For example:
• [192.168.150.45/32] for a single server.
• [192.168.150.45/32,192.168.150.60/32] for multiple single servers.
• [192.168.150.0/24] for a range of servers.

ROCKWELL_PORTS

For a system using Allen Bradley protocols in its environment, this variable is used to define what
ports are used for this communication. Most of the standard Allen Bradley ports are called out by
default.

It can be defined as:

• a single port (such as 20000).
• multiple single ports (such as 20000, 20001, 20002).
• a range of ports (such as 20000:20100).
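
The bracketed address lists and port specifications described for MODBUS_CLIENT earlier and for the variables under Useful variables for Ovation follow a Snort-style syntax. The following Python is an added example, not part of the manual or of the NID's software, that parses that syntax (including the ! negation and the $ reference used by EXTERNAL_NET) and shows how a flow would be classified by the variables. HOME_NET uses the networks from the manual's HOME_NET example; the MODBUS and port values and the describe_flow helper are constructed for illustration, and the parser's exact semantics are an assumption about the NID's rule language.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed variable set. HOME_NET uses the manual's example networks; the other
# values are hypothetical and written in the manual's [a/32,b/32] and lo:hi styles.
VARIABLES: Dict[str, str] = {
    "HOME_NET": "[192.168.2.0/23,192.168.160.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "MODBUS_CLIENT": "[192.168.2.10/32,192.168.2.11/32]",
    "MODBUS_SERVER": "[192.168.2.50/32]",
    "MODBUS_PORT": "502",
    "DNP3_PORTS": "20000:20100",
    "ROCKWELL_PORTS": "44818, 2222",
}


@dataclass
class AddressSet:
    networks: List[ipaddress.IPv4Network]
    negate: bool = False   # True models a leading "!" (the mathematical not)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in self.networks)
        return hit != self.negate


def parse_address_var(name: str, variables: Dict[str, str],
                      _seen: Optional[Set[str]] = None) -> AddressSet:
    """Resolve an address variable, following $REF and ! (assumed Snort-style syntax)."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"circular variable reference through {name}")
    _seen.add(name)
    text = variables[name].strip()
    negate = False
    if text.startswith("!"):
        negate = True
        text = text[1:].strip()
    if text.startswith("$"):
        inner = parse_address_var(text[1:], variables, _seen)
        return AddressSet(inner.networks, negate != inner.negate)
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in text.split(",") if p.strip()]
    if not nets:
        raise ValueError(f"variable {name} is empty")
    return AddressSet(nets, negate)


def parse_port_var(text: str) -> List[Tuple[int, int]]:
    """Parse '502', '20000, 20001' or '20000:20100' into inclusive (low, high) ranges."""
    ranges = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        lo, hi = part.split(":", 1) if ":" in part else (part, part)
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port specification: {part!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def describe_flow(src_ip: str, dst_ip: str, dst_port: int,
                  variables: Dict[str, str] = VARIABLES) -> List[str]:
    """Hypothetical helper: explain how the variables classify one flow."""
    notes = []
    home = parse_address_var("HOME_NET", variables)
    external = parse_address_var("EXTERNAL_NET", variables)
    if external.contains(src_ip) and home.contains(dst_ip):
        notes.append("inbound from EXTERNAL_NET")
    if port_matches(dst_port, parse_port_var(variables["MODBUS_PORT"])):
        client_ok = parse_address_var("MODBUS_CLIENT", variables).contains(src_ip)
        server_ok = parse_address_var("MODBUS_SERVER", variables).contains(dst_ip)
        notes.append("modbus: expected peers" if client_ok and server_ok else "modbus: unexpected peer")
    return notes


if __name__ == "__main__":
    print(describe_flow("192.168.2.10", "192.168.2.50", 502))
    print(describe_flow("10.0.0.5", "192.168.2.50", 502))
```

A MODBUS session between addresses outside MODBUS_CLIENT and MODBUS_SERVER is exactly the kind of thing a protocol rule keyed on these variables would alert on, which is why a typo in HOME_NET or a forgotten client address shows up as a false positive rather than as a silent gap.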

4.20.15 To shut down the NID

Perform the following steps to shut down the NID:

1. Click the red X button on the front of the IDS and wait for the menu to load.
2. Select Shutdown using the up and down arrows. Click the green check button.
3. Select Power Off using the up and down arrows. Click the green check button.
4. The NID begins the shutdown process.

4.21 Vulnerability assessment


The SIEM has the ability to poll vulnerability information from various sources. This allows a user
to view an asset’s vulnerabilities from the SIEM GUI instead of polling different GUIs or reports.
The NID also sees the bad traffic on the network and sends it to the SIEM. The SIEM has the ability
to correlate the events it sees with the known vulnerabilities of machines. It then logs an event at
the Local ESM level stating that an event to which the target is vulnerable has been detected.
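
As an added example, not taken from the manual or from the SIEM, the following Python shows the correlation step in miniature: vulnerability findings are indexed by asset IP, and an NID event is reported as a hit only when its target is known to be vulnerable to something the event's signature is tagged with. All asset addresses, signature names and reference identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Vulnerability:
    asset_ip: str
    reference: str   # advisory identifier as reported by the VA source
    title: str


@dataclass
class NidEvent:
    src_ip: str
    dst_ip: str
    signature: str
    references: Set[str]   # advisory identifiers the NID rule is tagged with


def build_vuln_index(vulns) -> Dict[str, Dict[str, Vulnerability]]:
    """asset IP -> {reference -> vulnerability}, so each event needs one lookup."""
    index: Dict[str, Dict[str, Vulnerability]] = {}
    for v in vulns:
        index.setdefault(v.asset_ip, {})[v.reference] = v
    return index


def correlate(events, vulns) -> List[dict]:
    """One record per NID event whose target is known to be vulnerable to what
    the event's signature is tagged with; everything else is left as a plain event."""
    index = build_vuln_index(vulns)
    hits = []
    for ev in events:
        known = index.get(ev.dst_ip, {})
        matched = sorted(ev.references.intersection(known))
        if matched:
            hits.append({
                "target": ev.dst_ip,
                "source": ev.src_ip,
                "signature": ev.signature,
                "vulnerabilities": [known[r].title for r in matched],
            })
    return hits


# Constructed sample data; the REF-PLACEHOLDER identifiers are not real advisories.
SAMPLE_VULNS = [
    Vulnerability("192.168.2.50", "REF-PLACEHOLDER-1", "Unpatched service on PLC gateway"),
    Vulnerability("192.168.2.50", "REF-PLACEHOLDER-2", "Weak default credentials"),
    Vulnerability("192.168.2.60", "REF-PLACEHOLDER-3", "Outdated web console"),
]
SAMPLE_EVENTS = [
    # Same signature against two hosts: only the first host carries the matching finding.
    NidEvent("10.0.0.5", "192.168.2.50", "Attempt against gateway service", {"REF-PLACEHOLDER-1"}),
    NidEvent("10.0.0.5", "192.168.2.60", "Attempt against gateway service", {"REF-PLACEHOLDER-1"}),
    NidEvent("10.0.0.9", "192.168.2.50", "Generic scan", set()),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, SAMPLE_VULNS):
        print(hit)
```

The value of the correlation is in the events it does not raise: the second event hits a host without the matching finding and the third carries no reference at all, so neither is escalated, which keeps the Local ESM level event list to targets where the traffic actually matters.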

4.21.1 To configure vulnerability assessment

Perform the following steps to configure vulnerability assessment:

1. Click the Asset Manager icon from the upper-right corner of the SIEM main menu.

The Asset Manager window appears as follows:

2. Click the Vulnerability Assessment tab.

3. Click Add.

The Add Vulnerability Assessment Source window appears as follows:

4. Make sure the Enable VA source check box is selected.


5. Enter all the correct information for the vulnerability scanner you are using. Refer to the OSC
Versus module settings (see page 248) section for the settings the OSC Vs. module uses.
6. Select the required interval from the Schedule VA data retrieval drop-down list. The interval
should closely match the rate at which you want the vulnerability scanner to run the scans.
Make sure to add extra hours because a scan can take time depending on the size of the
system and the depth of the scan.
7. Click OK to save the settings and close the Add Vulnerability Assessment Source window.
8. Click Write on the Asset Manager window to save the vulnerability scanner settings to the
SIEM.

A Writing changes to devices window appears. After it reaches the Success status, click
Close to close the window.
9. Click OK on the Asset Manager window to close the Asset Manager window.

4.21.2 OSC Versus module settings

The settings that need to be made with the OSC Vs. Module in OSC 2.0 through OSC 3.0 are as
follows:
• VA source type: Lumension
• VA source name: Enter a name
• Zone: None
• Priority: 1
• IP Address: IP Address of the VS module
• Port: 205
• Username: username to logon to VS engine
• Password: Enter password
• Use HTTP Proxy: Unchecked
• Proxy IP Address: greyed out
• Proxy Port: greyed out
• Proxy Username: greyed out
• Proxy Password: greyed out
• Time out: 2 minutes

4.22 Backup and Restore


The Backup and Restore window allows you to save current settings, which in turn can be
restored in case of system failure or data loss. Backup and Restore includes all configuration
settings, including policy and event and log data. Backing up event, flow, and log data is optional,
but the system settings are always backed up. You can select to have it done automatically or
manually.

SIEM backups can be incremental. The information in this section applies to incremental backups
only. The first backup of event or log data will only back up data from the start of the current day.
Subsequent backups will back up data starting at the time of the last backup.

The incremental chain starts from the first backup ever performed on the system, and that
backup will only ever contain data from that day. Also, all future backups must be preserved, as
they are incremental only.

You can back up the entire SIEM with all its data for a snapshot of everything inside the SIEM.
This must be saved to a remote location only (you cannot save this backup directly to the SIEM).

Note: The SIEM goes offline while performing a full backup, and events arriving during that time
are not collected. If the SIEM holds a lot of data, the outage can be long. Run a full backup
only during a planned outage so that you do not lose information you need.

Best practice is to perform a first backup immediately upon delivery of the system and to archive
every later backup in case a restore is needed. Full backups can be performed as part of the
plant backup policy and act as the starting point for a new set of incremental backups;
remember that the SIEM goes offline during a full backup.

If you back up event and log data to the ESM itself, move the backup files to another location
regularly to avoid exhausting the drive space on the ESM.

4.22.1 To automatically backup the system settings


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Click the Auto backup every check box.
4. Select the interval at which you want the system to backup the settings. This causes the ESM
to automatically backup the settings at the specified interval.

4.22.2 To manually backup the system settings


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Click the Backup Now button. The Backup Progress window appears informing you about
the progress of the backup.
Once the backup is complete, a message appears about downloading the backup. If you want
to download the backup, perform the following:
a) Click Download.

b) Browse to the location and save the file. You are then offered the option to delete the
local copy from the SIEM.
c) If the backup is to remain on the SIEM only, click Close.
4. Click OK when the backup is complete.

4.22.3 To backup Event, Log, and Data Source Configuration Data


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Select the check box(es) for the Events and/or Event Logs option(s). You can select one or
both. If you do not want event and log data backed up, leave both check boxes cleared. Refer
to: To manually backup the system settings (see page 249).
4. Select the location where you want the backup stored. If you select Remote Location, you
must select the desired share type and provide information in the required fields. Refer to: To
store a backup in a remote location (see page 250).
5. Click Apply to save your settings and remain on the Backup and Restore screen, or OK to
save your settings and close the screen.
6. Click OK; the SIEM then automatically performs incremental backups to either local SIEM
storage or remote storage.
OR
Perform a manual backup that includes the data by following the manual backup process
starting at Step 3.

4.22.4 To store a backup in a remote location


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Click the Remote Location option located in the Backup Location section to enable the
remote location fields.
4. Choose the share type you want to use, CIFS or NFS.
5. Enter the necessary information in the required fields.

Note: The NFS share type does not use a remote username and password. Access is controlled
by the NFS server's export settings, so restrict the export to the SIEM's IP address.

6. To save your changes, click Apply.

4.22.5 To perform a full backup of ESM settings and all data


1. Click the Remote Location radio button in the Backup Location field.
2. Fill in the Remote Location fields. Refer to: To store a backup in a remote location (see
page 250).
3. Click the Full Backup Now button. To proceed with the backup, click Yes. You will be logged
out and informed of the progress of the backup.

CAUTION! When you perform a full backup, the ESM will go offline. Depending on the size of
your database, the ESM could be offline for an extended period of time.

4.22.6 To restore backup files

The Restore Backup button allows you to select one or more files off the ESM, a local machine, or
a remote location to revert all of your settings and data back to a previous state. If you perform
this function, you will lose all changes made to the settings after the backup was created. To
restore a backup file(s):

1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Click the Restore Backup button. The Select Restore File window opens, showing a list of all
backup files currently residing on the ESM.
4. Select the file(s) you want to restore and click OK.

4.22.7 To restore a backup from a Local File


1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Click Restore Backup. The Select Restore File screen opens.
4. Click the Browse button. An upload window appears, where you can upload the file you want
to restore from. Follow the instructions in the window to complete the upload.
5. Click OK to exit the window.
6. The file appears in the Select Restore File window. Select the file and click OK to start the
restore.

4.23 Log Management


In the Ovation Security Center (OSC), the Log Management (LM) functionality is part of the
Security Information Event Manager (SIEM) component of the OSC. Therefore, no specific LM
machine is required to enable this functionality.

4.23.1 Installation of Log Management (LM)

If you purchase OSC 2.1 or above, the SIEM is delivered with the LM functionality. If you
upgrade a previous version of OSC to OSC 2.1 and the SIEM is registered with Emerson, you
need to perform a one-time upgrade to enable the LM functionality. Otherwise, a new SIEM is
required to enable the LM functionality.

To ensure LM functionality is enabled properly, make sure the following are available and fully
configured before performing the upgrade:
• OSC SIEM at OSC 2.1 level (NitroView Version 9.1.2)
• OSC NAS
• LM License Key (managed by Emerson Power and Water Solutions)

One time upgrade

Perform the following steps to upgrade the SIEM for adding LM:

1. Insert approved media, such as a USB flash drive or CD, containing the LM license into the
drive. The license file is named with the SIEM machine ID, for example, 1234_ABCD.upk.
2. Open Internet Explorer (IE).
3. Log on to the OSC SIEM by entering the following address in the address bar:
https://<SIEM IP Address>/Application.html
Where <SIEM IP Address> is the IP address of the OSC SIEM. For example,
https://192.168.124.49/Application.html.
4. Expand the Local Receiver item in the System tree.

5. Click the Properties icon.

The Receiver Properties window appears.


6. Verify that the machine ID on the Properties screen matches the LM key file name. If not,
contact Emerson support.
7. Click Receiver Management.

8. Click ELM Upgrade.

A dialog box appears asking for a file to upload.


9. Click Browse and search for the provided LM upgrade file. Click Upload.
10. The Receiver starts the upgrade process.
a) A pop-up appears that shows the process has started.
b) After the upgrade process is completed, a window appears stating that the database
should be moved off the Local SIEM.

11. Click OK to close this window.

4.23.2 Configuring Log Management

Whether the SIEM was delivered with LM functionality or upgraded to add it, perform the
following procedures to ensure the LM is ready for use:

1. To add a storage device (see page 255).
2. To migrate the database (see page 257).
3. To add the storage pool (see page 259).

4.23.3 To add a storage device

Perform the following steps to add a storage device:

1. Enter the following url into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may warn that there is a problem with the Web site's security certificate.
This happens because the SIEM's certificate is not issued by an authority the browser trusts.
Confirm that the address in the address bar is the SIEM's address before you click Continue
to this Web site (not recommended) to proceed.
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the default password at this point to conform to NERC-CIP regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.

6. Click Storage Pools.

7. Click Add under Define a storage device to be used with a storage pool for data
retention. The Add Storage Device window appears:

8. Configure the storage, for example:


a) Device Type: CIFS
b) Name: LMStorage
c) Max Size: 3572 GB
d) IP Address: 192.168.124.66
e) Remote Share Name: LM
f) Path: leave blank
9. Click OK to add storage. The SIEM attempts to connect to the storage. If it successfully
connects with the storage, the device is added to the LM. A window stating "the device was
added successfully" appears. Click Close to confirm.

4.23.4 To migrate the database

Perform the following steps to migrate the database:

1. Enter the following URL into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html

2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point to conform to NERC-CIP regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Receiver Configuration.

7. Click Migrate DB. The Select database location window appears.

8. Select the storage device you added earlier from the Data Storage Devices drop-down list.
For example, LMStorage.

9. Click OK to close the database location window.

A window may appear stating that the SIEM is retrieving a file from the device. This can take
some time; the management database is about 500 GB.

You must wait for the whole database to migrate before moving forward. To check progress,
open Windows Explorer on the OSC UI and navigate to the location of the LM files on the NAS
(for example, \\xxx.xxx.xxx.xxx\LM\). The management database file is called
MGTDB_ALLOCATION. Press the <F5> key to refresh the Explorer window and confirm that the
file is still growing. When it stops changing size, it has reached its full size and is ready for
use. Transferring 500 GB can take more than 24 hours.

NOTE: While LM is migrating the database or allocating storage pool space, there should not be
any interruption in power or network connectivity.

10. Click OK to close the Command Execution Complete window.

4.23.5 To add the storage pool

Perform the following steps to add a storage pool:

1. Enter the following URL into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html

2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Storage Pools.
7. Under the Add a storage pool to hold data. Pools can be made of both local or network
storage devices section, click Add. The Add Storage Pool window appears.

8. Configure the storage pool. For example:

a) Storage Pool Name: LMStore
b) Data Retention Time: 3 years (this is common for NERC).
c) Click the Add button to access the Choose Storage Device window.
d) Select the device you added earlier (for example, LMStorage) from the pull-down menu and
allocate space to this pool.

Note: You can allocate at most 1 TB (1024 GB) each time you do this. Keep clicking Add and
allocating 1 TB slices until all the storage configured in the Add Storage Device step is used.

You must wait for the whole storage pool to allocate before moving forward. To check
progress, open Windows Explorer on the OSC UI and navigate to the location of the LM files
on the NAS (for example, \\xxx.xxx.xxx.xxx\LM\). The data storage files are called
Alloc_xxxxxxxxxx_1. Press the <F5> key to refresh the Explorer window and confirm that the
files are still growing. When they stop changing size, they have reached their full size and are
ready for use. Allocating 500 GB can take more than 24 hours.
9. Click OK to accept this device.
10. Click OK to close the Add Storage Pool window.
11. The device is added to the pool.
12. When the process is complete, a window stating that the creation was successful appears.
Click Close to close the window.
13. Allow time for the storage to be allocated to the pool.

4.23.6 Log Management data integrity check

The LM can hash log records as they are stored and later recompute and compare those hashes
to verify that the records have not been altered since they were recorded. The result of the
check lists the records that no longer match; if every record matches, you are notified that the
check was successful. Note that the check detects alteration of records after the LM stored
them; it cannot detect a message that was falsified at the source before it was sent to the
SIEM. For performance, restrict the check to the time frame or devices whose logs you are
retrieving. This is optional, but it shortens the run time of the check.

1. Enter the following URL into the browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Data.

7. Click the Integrity Check tab.

8. Select the correct time frame from the Time frame drop-down list to perform the check. The
same can be performed for Device and Device Type drop-down lists. Otherwise, leave these
fields blank.
9. Click the Search button to schedule the integrity check. The Search Results dialog box
appears. The State column shows the progress of the scan.

10. After the search is completed, the Failed column reports the items that failed their integrity
check in the search.
a) A result of 0 reports that no issues occurred and that all logs in that time frame or device
are valid.
b) If this number is not 0, you can click the search job under Search Results. Clicking View
displays the LM integrity results window to review all the failed items. The Export option
allows a text file to be saved for review or documentation.
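How a hash-and-recheck scheme of the kind described above catches altered records, as an added Python example. This is an illustration written for this page, not the LM's own code; the guide does not document the LM's internal hashing scheme. The sample log lines are constructed, the key is a placeholder, and the use of a keyed hash (HMAC) rather than a plain hash is a design choice of the example: a plain hash lets whoever can edit a stored record recompute its hash as well, while a keyed hash requires the key. The time-frame and device filters on the check mirror the Time frame and Device drop-down lists in the procedure.

```python
"""Hash-at-ingest log integrity check.
Added example; not the LM's own implementation. Records are hashed with a
keyed hash when stored and rechecked later; mismatches are reported."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed demo key. A real deployment keeps the key in a protected store,
# never alongside the log data it protects.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class LogRecord:
    ts: datetime
    device: str
    message: str
    digest: str


def record_digest(ts: datetime, device: str, message: str) -> str:
    """Bind time, device and text together so a record cannot be moved to a
    different device or time frame without the check noticing."""
    data = f"{ts.isoformat()}|{device}|{message}".encode()
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).hexdigest()


class LogStore:
    def __init__(self) -> None:
        self.records: list[LogRecord] = []

    def ingest(self, ts: datetime, device: str, message: str) -> LogRecord:
        rec = LogRecord(ts, device, message, record_digest(ts, device, message))
        self.records.append(rec)
        return rec

    def integrity_check(self, start=None, end=None, device=None):
        """Recompute digests for the selected records.

        Returns (checked, failed); failed lists the records whose stored digest
        no longer matches. Narrowing by time frame or device keeps the check
        cheap, as the guide recommends.
        """
        checked, failed = 0, []
        for rec in self.records:
            if start is not None and rec.ts < start:
                continue
            if end is not None and rec.ts > end:
                continue
            if device is not None and rec.device != device:
                continue
            checked += 1
            expected = record_digest(rec.ts, rec.device, rec.message)
            if not hmac.compare_digest(rec.digest, expected):
                failed.append(rec)
        return checked, failed


def demo():
    """Constructed sample records; one is tampered with after storage."""
    base = datetime(2012, 9, 1, 8, 0, 0)
    store = LogStore()
    store.ingest(base, "ovation-drop01",
                 "sshd[1203]: Failed password for root from 192.168.2.50")
    store.ingest(base + timedelta(minutes=1), "ovation-drop01",
                 "sshd[1210]: Accepted password for opuser from 192.168.2.20")
    store.ingest(base + timedelta(minutes=2), "core-switch1",
                 "%SYS-5-CONFIG_I: Configured from console by admin")
    # Simulated after-the-fact tampering with the stored copy of record 0.
    store.records[0].message = store.records[0].message.replace(
        "Failed", "Accepted")
    all_checked, all_failed = store.integrity_check()
    sw_checked, sw_failed = store.integrity_check(device="core-switch1")
    return {
        "all": (all_checked, len(all_failed)),
        "switch_only": (sw_checked, len(sw_failed)),
        "failed_devices": [r.device for r in all_failed],
    }
```

The unfiltered check reports one failed record (the edited login-failure line), while the check restricted to core-switch1 passes, which is the behaviour of the Failed column described in step 10. A record that was already false when it left the source device carries a valid digest and passes; this check protects the stored copy, not the truth of the original message.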

4.23.7 To enable logging for an individual data source

After the LM is enabled and initially configured, the unparsed (raw) data from the SIEM
receiver's data sources can also be sent to the LM. Enabling the LM does not mean that every
data source must be linked to it; however, for Ovation equipment, every device should log to the LM.

Perform the following steps to add a new data source or to enable logging one device at a time:

1. Follow the instructions from the Configuring WMI Data Sources (Windows Devices) for
Monitoring (see page 189) and Configuring Syslog Data Sources (Cisco and *nix Devices) for
Monitoring (see page 191) sections on adding or editing a single data source.

2. Click Logging on the Add Data Source or Edit Data Source window.

The ELM Logging Options window appears.


3. Select the storage pool from the Storage Pool drop-down list to store logs for the data
source.

4. Click OK to close the ELM Logging Options window.


5. Make sure the Logging check box is selected on the Add Data Source or Edit Data Source
window.
6. Click OK to save changes.
7. Follow the OSC SIEM manual instructions for writing settings to the ESM, then roll out the
policy.

4.23.8 To enable logging for multiple data sources

Perform the following steps to enable logging for multiple devices at once:

1. Enter the following URL into the browser’s address bar to log on to the SIEM :
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.

6. Click Data Sources.

7. Left-click on the first item in the list. Hold the <SHIFT> key and left-click on the last item in
the list to highlight all data sources, or hold the <CTRL> key and only select the items that
need LM logging enabled.
8. In the Logging column header, select the check box. The ELM Logging Options window
appears.
9. Select the storage pool to send the logs. For example, LM Logs (3Y).
10. Click OK to close the ELM Logging Options window.
11. All items highlighted in the list should be checked.
12. Click Write.
13. Follow the OSC SIEM manual instructions for rolling out the SIEM policy.

4.23.9 Retrieve LM logs

You can retrieve logs from the LM using either of two methods:
• Graphical User Interface (GUI): use this method when you want to browse the data.
• Text-based: use this method when you know the exact time frame and devices to retrieve
data for.

Graphical Interface-based (Enhanced ELM search)

Perform the following steps to make the Graphical interface-based Enhanced ELM search:

1. Enter the following URL into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Select Enhanced ELM Search.

This loads the Enhanced ELM Search View.

From here, you can type in the search phrase to look for. This can be plain text (such as "fail") or
a regular expression. Select the time period from the View drop-down list. Click Search to
perform the search and display the results on the screen.

The Data Source Results and Device Type Results provide a breakdown of what and where
messages came from for the given search. Left-click one of the bars to enable the Apply Filters
button. Click this button to perform a new search; however, it narrows the search based on the
prior selection made.

Text-based

Perform the following steps to perform the text-based ELM search:

1. Enter the following URL into the browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may present a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Data.

From here, you can type in the search phrase to look for. This can be plain text (such as "fail") or
a regular expression. Select an appropriate time period; longer time frames result in longer
search times. Click Search to schedule the search; the job appears in the Search Results
table.

The searched data can be viewed using the View button, exported to a text file using the Export
button, or deleted from the SIEM using the Delete button.

4.23.10 To access the LM Backup and Restore window

The LM backup allows you to save the current settings of the LM device, which can be restored in
case of system failure or data loss. The Backup and Restore window contains all configuration
settings, including the ELM logging database.

Note: The LM backup does not include the actual logs that are stored by the LM. The LM
configuration backups can be used to restore the connection to the Network Attached Storage
(NAS). However, the backup procedure does not backup the data on the NAS.

Perform the following steps to access the LM backup and restore window:

1. Click Local Receiver-ELM on the main screen of the SIEM.

2. Click the Properties icon.


The Receiver/ELM Properties window appears.
3. Click Backup & Restore on the right pane of the window.
The Backup & Restore window appears.

4.23.11 To set backup location

LM backups can only be made on remote storage.

Perform the following steps to set the backup location:

1. Set the following parameters under the Backup Location section on the Backup & Restore
window:
• Share Type: CIFS
• Remote IP Address: <IP address of the NAS>
Example: 192.168.124.66
• Remote Share Name: LM
• Remote Path: <Folder in the LM share for backups>
Example: leave blank to store the backup in the root of the LM share
• Remote Username: <User name used to access the NAS share>
Example: admin
• Remote Password: <Password for that user name>
Example: netgear1
The values above are examples only. Use a dedicated NAS account whose write access is
limited to the LM share rather than the NAS administrator account.
2. Click Connect to test the connection between the NAS and the SIEM.
3. Click Apply to save the configuration parameters.

4.23.12 To take the backup manually

The manual backup procedure creates a one-time configuration backup.

Note: The manual backup procedure only takes the backup of the configuration settings, not the
log messages.

Perform the following steps to take the backup manually:

1. Click Backup Now on the Backup & Restore window.


2. The SIEM creates a LM configuration backup at the backup location.

4.23.13 To take the backup automatically

The automatic backup procedure schedules the LM to take the backup at a set interval.

Perform the following steps to take the backup automatically:

1. Select the Auto backup every check box on the Backup & Restore window.
2. Set the backup interval in days using the days at list box.
3. Set the hour of the day at which to take the backup, choosing a time when network activity is
low. For example, 4 for 4 AM.
4. Click Apply to save this setting.
5. The SIEM creates an LM configuration backup at the backup location at the set interval.

4.23.14 To restore the backup

The restore procedure restores the LM configuration in the event of a SIEM restoration.

1. Click Restore Backup on the Backup & Restore window.


A window appears stating that the Backup restoration process started. Click Close to close
this window.
2. Click Cancel to close the Backup & Restore window.
3. The SIEM uses the backup and restores the LM settings.

4.24 Network discovery and configuration management


Network discovery allows the SIEM to discover network components, starting from a seed device
in each Ovation unit and using the correct credentials. After the network has been discovered, the
discovery tool can poll devices at a set interval to check device availability.
Configuration management allows the SIEM to log on to each network device, download the
device configuration file, and compare it with the previously retrieved version to detect changes.

4.24.1 To configure network discovery

Perform the following steps to configure the network discovery:

1. Click the Asset Manager icon in the upper-right corner of the SIEM main menu.

The Asset Manager window appears:

2. Click the Network Discovery tab.

3. Click Settings.
The Configure Network Settings window appears:

4. Click Add.
The Network Discovery Parameters window appears:

5. Select a network, such as Unit 1, to add all Ovation network segments.


6. Set Discovery Type to Host.
7. Type the IP address of a seed device, for example the root switch IP address or a router
management interface, in the IP Address field; discovery starts from that address.
8. An SNMP RO profile is required. Select the correct profile for this network segment from the
SNMP RO Profile drop-down list. If no SNMP RO profile exists in the drop-down list for this
segment, refer to the Use with Network Discovery (see page 189) section to add the required
profile.
9. If the configuration management feature is to be used, select the correct CLI Profile for this
network segment from the CLI Profile drop-down list. If no CLI profiles exist in the drop-down
list for this segment, refer to the Use with Network Discovery (see page 189) section to add
the required profile.
10. Select the CDP check box in the Discovery Methods section.
11. Click OK to close the Network Discovery Parameters.
12. Repeat Steps 4 through 11 for each network segment.
13. After the configuration is complete, click OK to close the Configure Network Settings window.
14. Click Homenet on the Asset Manager window at the Network Discovery tab.
The Homenet window appears. This allows you to enter the networks that need to be viewed.
This can prevent the SIEM from going too far and wide with its search.

15. Enter the ranges for each network segment you are trying to map. For example,
192.168.2.0/23 covers the 192.168.2.0 and 192.168.3.0 subnet. Separate each entry with a
comma. After it is completed, click OK to accept the changes and close the Homenet window.
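The following Python script is an added example (not part of the OSC or the SIEM software) that performs the scoping checks worth running before starting discovery: it parses the comma-separated Homenet string, rejects entries whose host bits are set, reports overlapping entries, lists the /24 subnets a range covers (as with the 192.168.2.0/23 example above), and confirms that every seed address entered in the Network Discovery Parameters falls inside the Homenet, since a seed outside it starts discovery from a device the SIEM is not meant to map. All addresses are constructed.

```python
"""Scope checks for the Homenet ranges used by SIEM network discovery.
Added example; not part of the OSC or SIEM software."""
import ipaddress


def parse_homenet(text):
    """Parse the comma-separated Homenet string into network objects.

    strict=True rejects entries with host bits set (e.g. 192.168.2.5/23),
    which usually means a host address was typed where a range belongs.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def homenet_errors(text):
    """Return human-readable problems with a Homenet string, or [] if clean."""
    errors, nets = [], []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
    # Overlapping entries are almost always a typo: the intended boundary is
    # unclear and the overlapping addresses would be walked twice.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return errors


def covered_subnets(cidr, new_prefix=24):
    """List the /24 subnets a range covers; 192.168.2.0/23 covers two."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= new_prefix:
        return [str(net)]
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def seeds_in_scope(homenet_text, seeds):
    """Map each discovery seed address to whether Homenet covers it.

    A seed outside Homenet is a misconfiguration: discovery would start from
    a device the SIEM is not meant to map, and results would be inconsistent.
    """
    nets = parse_homenet(homenet_text)
    return {seed: any(ipaddress.ip_address(seed) in n for n in nets)
            for seed in seeds}


if __name__ == "__main__":
    # Constructed values, not taken from a real site.
    homenet = "192.168.2.0/23, 10.10.0.0/16"
    print(homenet_errors(homenet))
    print(covered_subnets("192.168.2.0/23"))
    print(seeds_in_scope(homenet, ["192.168.3.1", "172.16.0.1"]))
```

Run the checks against the exact string you intend to paste into the Homenet window; an entry that ipaddress rejects with strict=True is also the kind of entry that silently widens or narrows the discovery scope when typed into the SIEM.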

4.24.2 To discover network devices

Any time a change is made to the network, the discovery must be run again to find the new
devices.

Perform the following steps to discover the network devices:

1. After the Network Discovery parameters are set on the Asset Manager window under the
Network Discovery tab, click Discover Network to begin finding devices. A pop-up asking to
confirm the discovery if this is not the first discovery attempt may appear. Click Yes to
continue.

2. The upper section of the Asset Manager window changes the status to Running.
3. Wait until the status changes to Completed. The network discovery process is now complete
and ready to be reviewed.

4.24.3 To confirm network discovery

Perform the following steps to confirm the network discovery:

1. After a network discovery has been completed, view the top section Network Devices on the
Asset Manager window under the Network Discovery tab. The following three sections need
to be reviewed:
a) Number of Network Devices - To view more detailed information about the number of
network devices, click the Number of network devices link and the Network Devices
dialog box appears. This dialog box allows you to view information, such as IP
address, MAC address, SNMP RO and RW, CLI, and current status.

Note: You can edit any of these parameters from the Network Devices dialog by selecting a
parameter and clicking on the Edit button.

b) Unknown IP Addresses - To view more detailed information about the unknown IP


addresses, click the Unknown IP addresses link and the Unknown IP Addresses dialog
box appears. This dialog box allows you to view information, such as IP address, SNMP
RO and RW, CLI, and reason for failure.

Note: Select a parameter and click the Edit button to edit any of these parameters from the IP
Addresses dialog box.

c) Devices Without Connections - The Devices without connections option is only enabled if
there is a device on the network that does not have a connection. If this option is enabled,
click the Devices without connections link to view a list of devices without connections.
2. Review the Network Devices and ensure that all devices are accounted for and their current
status is true. A current status of false can indicate either the device is now offline, or the
SNMP or CLI parameters for that specific device are not the same as the network segment it
belongs to. If the parameters are inaccurate, the specific device can be edited to use the
proper parameters. After the proper parameters are set, run the network discovery again and
review to ensure all devices are current.

4.24.4 To configure network monitoring

After all the network devices are discovered and accounted for, the SIEM can be configured to
poll those devices at a set interval for their status. Devices that drop off the network generate a
message inside the SIEM at the Local ESM level.

Perform the following steps to configure network monitoring:

1. Locate the Monitor your network devices with PING or SNMP to verify their up/down state
section.
2. Select the Use PING and Use SNMP check boxes on the Asset Manager window under the
Network Discovery tab.
3. Set the interval to the desired setting.
4. Click OK to save the changes and close the Asset Manager window.

4.24.5 Configuration management

To use the configuration management features of the SIEM, network discovery must be
configured and an automatic discovery of devices must have completed successfully. Refer to the
Network Discovery section for details. Configuration management compares each network
device's current configuration against the previously retrieved version. If a change is found, an
event stating that a configuration has changed is generated at the Local ESM level.

Perform the following steps for configuration management:

1. Click the Asset Manager icon from the upper-right corner of the SIEM main menu.


The Asset Manager window appears:


2. Click the Configuration Management tab.
3. Select the Enable configuration management check box.
4. Set Poll the devices to the desired time period.
5. If network discovery worked properly, the device list is fully populated with all the Ovation
   network equipment the SIEM can reach. If it is not, perform the network discovery again and
   return to this window.
6. Click the Select All button to enable configuration management on every piece of network
   equipment. You can also select individual devices by using the check boxes next to the
   devices.
7. Click OK to save the changes and close the Asset Manager window.
8. Click Check Now to download the configuration file from each device using the configured
   CLI profile.
   If there is an error (the status is displayed as Device Error), check the CLI profile and try
   again. Refer to the To confirm network discovery (see page 275) section.

4.24.6 To run a configuration management scan manually


1. Under the Configuration Management tab of the Asset Manager window, click Check Now to
   download the configuration file from each device using the configured CLI profile.
   If there is an error (the status is displayed as Device Error), check the CLI profile and try
   again. Refer to the To confirm network discovery (see page 275) section.

4.24.7 To compare configurations

Perform the following steps to compare configurations:

1. After a difference is found in a configuration, an event is generated at the Local ESM level
   of the SIEM.
2. Under the Configuration Management tab of the Asset Manager window, a device with a
   configuration change shows the Config Change status.
3. Click the device. A list of its saved configurations appears at the bottom of the window.
4. Hold the CTRL key and select the two configurations in the list that you want to compare.
5. The Compare button is now active. Click the Compare button.
   The File Compare Viewer window appears as follows:

6. Review the differences between the two configurations in the File Compare Viewer window,
   then click Close to close it.

A Config Change status on a device for which no change was planned should be investigated
as a possible unauthorized modification of that device, not simply acknowledged.

4.25 Using the Security Incident and Event Manager


For in-depth information about using the Security Incident and Event Manager, refer to the
McAfee User Guide available on your Ovation Security Center CD.

4.26 Appendices
This section describes the auditing policies and capabilities. It also describes how to create a
Windows user for Active Directory authentication and log collection, and lists the Emerson
baseline NID tuning parameters.

4.26.1 Cisco model versus Auditing capabilities

Not every model of Cisco equipment used in Ovation systems can log the same information.
The following table lists, for each model, which kinds of logging can be enabled.

Note: The Latest SW Used column is the latest software version Emerson has used for that part.

EMERSON PART   CISCO MODEL           LATEST SW USED   LOGONS   COMMANDS   PRIVILEGE CHANGE
1X00507        WS-C2960-24TC-L       12.2(40)SE       Yes      Yes        No
1X00508        WS-C2960-24TT-L       12.2(40)SE       Yes      Yes        No
1X00511        WS-C3750-24TS-S       12.2(46)SE       Yes      Yes        No
1X00512        WS-C3750G-24TS-S1U    12.2(46)SE       Yes      Yes        No
1X00513        WS-C3750G-12S-S       12.2(46)SE       Yes      Yes        No
1X00474        WS-2801               12.4(25f)        Yes      Yes        Yes
1X00474        WS-2901               15.1(4M1)        Yes      Yes        Yes
1X00480        WS-2811               12.4(25f)        Yes      Yes        Yes
1X00480        WS-2911               15.1(4M1)        Yes      Yes        Yes
1X00093        WS-C2950-24           12.1(22)EA5      No       No         No
5X00031        WS-2621               12.2(40)         No       No         No

Note: Logon and command logging only records activity of users who log in to the device with
a user account. Some Ovation switches do not have user accounts enabled by default, so on
those devices nothing is attributed to an individual until accounts are configured.

4.26.2 Windows audit policies

Windows audit policies are best set through Active Directory where possible. This is done by
making the settings in the Default Domain Policy on the Domain Controller, as described in the
following sections.


Windows Server 2003/XP

These operating systems only support the legacy audit categories. These audit policies are very
broad and do not offer the granularity that later versions of Windows provide (known as
Advanced Security Auditing).

All of the following policies are located under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy.

AUDIT POLICY                       SETTING
Audit account logon events         Success, Failure
Audit account management           Success, Failure
Audit directory service access     Failure
Audit logon events                 Success, Failure
Audit object access                Failure
Audit policy change                Success
Audit privilege use                Failure
Audit process tracking             No auditing (explicitly set)
Audit system events                Success

Windows Server 2008/7

These operating systems still support the legacy audit categories described in the previous
section, but using them here produces more events to review, because Windows now tracks
more events under each category. The advanced security audit policy was introduced to give
finer control over which events are logged.

To make the advanced settings take precedence over the legacy ones (recommended), make the
following setting in Active Directory:

LOCATION: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
POLICY:   Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
          policy category settings
SETTING:  Enabled

If the domain controller is Server 2008 (not R2), the following settings cannot be set through
Active Directory; they have to be set on each machine with the auditpol command.

If the domain controller is Server 2008 R2, these settings can be set directly in Active Directory:

All of the following policies are located under Computer Configuration\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies, in the
category named in each group heading.

AUDIT POLICY                                      SETTING

Account Logon
  Audit Credential Validation                     Success and Failure
  Audit Kerberos Authentication Service           No auditing
  Audit Kerberos Service Ticket Operations        No auditing
  Audit Other Account Logon Events                No auditing

Account Management
  Audit Application Group Management              No auditing
  Audit Computer Account Management               Success and Failure
  Audit Distribution Group Management             No auditing
  Audit Other Account Management Events           Success and Failure
  Audit Security Group Management                 Success and Failure
  Audit User Account Management                   Success and Failure

Detailed Tracking
  Audit DPAPI Activity                            No auditing
  Audit Process Creation                          Success
  Audit Process Termination                       No auditing
  Audit RPC Events                                No auditing

DS Access
  Audit Detailed Directory Service Replication    No auditing
  Audit Directory Service Access                  Success and Failure
  Audit Directory Service Changes                 Success and Failure
  Audit Directory Service Replication             Success and Failure

Global Object Access Auditing
  Audit File System                               No auditing
  Audit Registry                                  No auditing

Logon/Logoff
  Audit Account Lockout                           Success
  Audit IPsec Extended Mode                       No auditing
  Audit IPsec Main Mode                           No auditing
  Audit IPsec Quick Mode                          No auditing
  Audit Logoff                                    Success
  Audit Logon                                     Success and Failure
  Audit Network Policy Server                     Success and Failure
  Audit Other Logon/Logoff Events                 Success and Failure
  Audit Special Logon                             Success

Object Access
  Audit Application Generated                     No auditing
  Audit Certification Services                    No auditing
  Audit Detailed File Share                       No auditing
  Audit File Share                                No auditing
  Audit File System                               Failure
  Audit Filtering Platform Connection             No auditing
  Audit Filtering Platform Packet Drop            No auditing
  Audit Handle Manipulation                       No auditing
  Audit Kernel Object                             No auditing
  Audit Other Object Access Events                No auditing
  Audit Registry                                  Failure
  Audit SAM                                       No auditing

Policy Change
  Audit Audit Policy Change                       Success and Failure
  Audit Authentication Policy Change              Success
  Audit Authorization Policy Change               No auditing
  Audit Filtering Platform Policy Change          No auditing
  Audit MPSSVC Rule-Level Policy Change           No auditing
  Audit Other Policy Change Events                No auditing

Privilege Use
  Audit Non Sensitive Privilege Use               No auditing
  Audit Other Privilege Use Events                No auditing
  Audit Sensitive Privilege Use                   Success and Failure

System
  Audit IPsec Driver                              Success and Failure
  Audit Other System Events                       No auditing
  Audit Security State Change                     Success and Failure
  Audit Security System Extension                 Success and Failure
  Audit System Integrity                          Success and Failure
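The following PowerShell script is an added example and is not part of this guide or of the SIEM
product. It applies the advanced audit settings from the table above with the auditpol command,
which is the route this guide prescribes when the domain controller is Server 2008 and the settings
cannot be delivered through Active Directory, and then reads every subcategory back so that drift
from the baseline is reported rather than assumed. It assumes the subcategory names accepted by
auditpol.exe (the Group Policy names in the table carry an "Audit " prefix) and that the registry value
SCENoApplyLegacyAuditPolicy is the one written by the "Audit: Force audit policy subcategory
settings" security option; both are Windows facts, not Emerson settings. Run it from an elevated
prompt on the machine being configured.

```powershell
# Added example, not from the Ovation Security Center guide: apply the Emerson
# advanced audit settings with auditpol.exe where Group Policy cannot deliver
# them, then read them back and report drift. Run elevated. A GPO that sets the
# same subcategories overwrites these local settings at the next policy refresh.
# Subcategory names are the ones auditpol.exe uses. Global Object Access
# Auditing is a resource SACL, not an auditpol subcategory, so it is not set here.
$DesiredAuditPolicy = @{
    'Credential Validation'                  = 'Success and Failure'
    'Kerberos Authentication Service'        = 'No Auditing'
    'Kerberos Service Ticket Operations'     = 'No Auditing'
    'Other Account Logon Events'             = 'No Auditing'
    'Application Group Management'           = 'No Auditing'
    'Computer Account Management'            = 'Success and Failure'
    'Distribution Group Management'          = 'No Auditing'
    'Other Account Management Events'        = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'User Account Management'                = 'Success and Failure'
    'DPAPI Activity'                         = 'No Auditing'
    'Process Creation'                       = 'Success'
    'Process Termination'                    = 'No Auditing'
    'RPC Events'                             = 'No Auditing'
    'Detailed Directory Service Replication' = 'No Auditing'
    'Directory Service Access'               = 'Success and Failure'
    'Directory Service Changes'              = 'Success and Failure'
    'Directory Service Replication'          = 'Success and Failure'
    'Account Lockout'                        = 'Success'
    'IPsec Extended Mode'                    = 'No Auditing'
    'IPsec Main Mode'                        = 'No Auditing'
    'IPsec Quick Mode'                       = 'No Auditing'
    'Logoff'                                 = 'Success'
    'Logon'                                  = 'Success and Failure'
    'Network Policy Server'                  = 'Success and Failure'
    'Other Logon/Logoff Events'              = 'Success and Failure'
    'Special Logon'                          = 'Success'
    'Application Generated'                  = 'No Auditing'
    'Certification Services'                 = 'No Auditing'
    'Detailed File Share'                    = 'No Auditing'
    'File Share'                             = 'No Auditing'
    'File System'                            = 'Failure'
    'Filtering Platform Connection'          = 'No Auditing'
    'Filtering Platform Packet Drop'         = 'No Auditing'
    'Handle Manipulation'                    = 'No Auditing'
    'Kernel Object'                          = 'No Auditing'
    'Other Object Access Events'             = 'No Auditing'
    'Registry'                               = 'Failure'
    'SAM'                                    = 'No Auditing'
    'Audit Policy Change'                    = 'Success and Failure'
    'Authentication Policy Change'           = 'Success'
    'Authorization Policy Change'            = 'No Auditing'
    'Filtering Platform Policy Change'       = 'No Auditing'
    'MPSSVC Rule-Level Policy Change'        = 'No Auditing'
    'Other Policy Change Events'             = 'No Auditing'
    'Non Sensitive Privilege Use'            = 'No Auditing'
    'Other Privilege Use Events'             = 'No Auditing'
    'Sensitive Privilege Use'                = 'Success and Failure'
    'IPsec Driver'                           = 'Success and Failure'
    'Other System Events'                    = 'No Auditing'
    'Security State Change'                  = 'Success and Failure'
    'Security System Extension'              = 'Success and Failure'
    'System Integrity'                       = 'Success and Failure'
}

function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    & auditpol.exe /set "/subcategory:$Name" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Name'" }
}

function Get-AuditSubcategory {
    # /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    param([string]$Name)
    $row = & auditpol.exe /get "/subcategory:$Name" /r | Where-Object { $_ } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Test-AuditPolicy {
    # One line per subcategory whose effective setting differs from the table;
    # no output means the machine matches. String comparison is case-insensitive.
    foreach ($entry in $DesiredAuditPolicy.GetEnumerator() | Sort-Object Key) {
        $actual = Get-AuditSubcategory -Name $entry.Key
        if ($actual -ne $entry.Value) { "$($entry.Key): expected '$($entry.Value)', found '$actual'" }
    }
}

# Registry value behind "Audit: Force audit policy subcategory settings ... to
# override audit policy category settings"; without it the subcategories are ignored.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
foreach ($entry in $DesiredAuditPolicy.GetEnumerator()) { Set-AuditSubcategory -Name $entry.Key -Setting $entry.Value }
$drift = @(Test-AuditPolicy)
if ($drift.Count -eq 0) { 'Audit policy matches the Emerson baseline.' } else { $drift }
```

Test-AuditPolicy can be run on its own, without the two lines that apply the settings, to check a
machine that is supposed to receive the policy from Active Directory; any line it prints is a
subcategory on which the machine does not match the baseline.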

4.26.3 Creating Windows user for Active Directory authentication and log
collection

This section describes how to create a user on a Windows Server 2008 Domain Controller
(Ovation releases 3.3.1 and 3.5) that the SIEM uses to log on and that has the privileges needed to
collect logs from each Windows machine on the Ovation system.

Note: For a user to log on to the SIEM with Windows Active Directory credentials, there must be a
group in Active Directory with the same name as a group in the SIEM configuration.

1. Create a user in the Windows domain. This can be done from the Ovation Security
   Manager or from Active Directory Users and Computers under Administrative Tools.
   a) Example:
      - Name: SIEM
      - First Name: SIEM
      - Last Name: User
      Clear "User must change password at next logon".
   b) Other options to consider (must be set from Active Directory Users and Computers):
      Select "Password never expires".
2. In Active Directory Users and Computers, create a Windows domain group under Users.
   a) Example:
      - Name: SIEM Users
      - Group Scope: Domain Local
      - Group Type: Security
3. In Active Directory Users and Computers, right-click the user created in Step 1 and click
   Properties.
   a) Add this user to the Event Log Readers group so that it can log on to the Domain
      Controller to pull logs.
   b) Add this user to the group created in Step 2 so that it can be used to log on to the SIEM.
4. Log on to the SIEM as the administration account. This account is called NGCP when the SIEM
   is initially loaded.
5. Following the procedure for adding a group in the SIEM User's Manual, create a group with the
   same name as the group created in Step 2. The names must be identical in the SIEM and in
   Active Directory.
6. Assign privileges and devices as needed. For full access, all privileges and devices can be
   added.
7. Following the procedure for adding a user in the SIEM User's Manual, create a user with the
   same name as the user created in Step 1. The names must be identical in the SIEM and in
   Active Directory.
8. If this account is to be an administrator account, select the Administrator Rights check box,
   which overrides most of the privileges set in Step 6.
9. Log out of the SIEM.
10. Log on as the new user.

Perform the following additional steps if required.

Perform the following steps to prevent the user created in Step 1 of the previous section from
logging on interactively to the Windows machines:

1. Open Group Policy Management on the domain controller and edit the Default Domain Policy.
2. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security
   Settings -> Local Policies -> User Rights Assignment.
3. Define both the Deny log on locally and Deny log on through Remote Desktop Services
   policies and add the user created in Step 1 to each. The user is then not allowed to log on
   interactively to any Windows machine. These two rights do not affect network logon, which is
   what log collection uses, so collection keeps working.
4. Reboot each machine, or open a command prompt and run gpupdate /force on each machine,
   to force the settings to take effect.

Perform the following steps to allow the user created in Step 1 of the previous section to collect
logs from all Windows machines on a system:

1. Locally on each machine, add the user created in Step 1 of the previous section to the
   Event Log Readers group so that it can log on and read the logs.
2. The easiest way to do this is to open a command prompt and run the following command:

   net localgroup "Event Log Readers" "DOMAIN\USER" /ADD

3. Profile Management in the SIEM can now be configured to poll logs with this account instead
   of a domain administrator account, so the credentials stored in the SIEM carry only the right
   to read event logs.
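The following PowerShell script is an added example and is not part of this guide; it carries out
the net localgroup step above on every Ovation Windows host at once and then checks the
result the way the SIEM will exercise it, by reading the newest Security event on each host as
the collection account itself. It assumes that PowerShell remoting (WinRM) is enabled on the
target hosts, that the Windows Firewall allows remote event log management from the machine
running the script, and that the host names and the DOMAIN\USER value are placeholders to be
replaced with the real ones.

```powershell
# Added example, not from the Ovation Security Center guide: add the SIEM
# collection account to the local Event Log Readers group on every Ovation
# Windows host, then prove the account can read each host's Security log.
# Assumes WinRM is enabled on the targets and the firewall allows remote
# event log access. Host names and account are placeholders.
$OvationHosts = @('DROP210', 'DROP211')   # placeholder host names
$SiemAccount  = 'OVATION\SIEM'            # placeholder DOMAIN\USER

function Add-SiemToEventLogReaders {
    # Runs "net localgroup" on each host and reports whether the account
    # is a member afterwards (adding only if it is not already present).
    param([string[]]$ComputerName, [string]$Account)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Account -ScriptBlock {
        param($acct)
        $before = @(net localgroup "Event Log Readers")
        if ($before -notcontains $acct) {
            net localgroup "Event Log Readers" $acct /ADD | Out-Null
        }
        $after = @(net localgroup "Event Log Readers")
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            IsMember = ($after -contains $acct)
        }
    } | Select-Object Computer, IsMember
}

function Test-SiemLogRead {
    # Reads the newest Security event on each host as the SIEM account. A
    # failure here means the SIEM collection will also fail, even when group
    # membership looks right (for example, the firewall blocks remote access).
    param([string[]]$ComputerName, [System.Management.Automation.PSCredential]$Credential)
    foreach ($computer in $ComputerName) {
        try {
            $newest = Get-WinEvent -ComputerName $computer -LogName Security -MaxEvents 1 `
                -Credential $Credential -ErrorAction Stop
            New-Object PSObject -Property @{
                Computer = $computer; CanRead = $true; Newest = $newest.TimeCreated; Error = $null
            }
        } catch {
            New-Object PSObject -Property @{
                Computer = $computer; CanRead = $false; Newest = $null; Error = $_.Exception.Message
            }
        }
    }
}

Add-SiemToEventLogReaders -ComputerName $OvationHosts -Account $SiemAccount | Format-Table -AutoSize
$siemCred = Get-Credential $SiemAccount
Test-SiemLogRead -ComputerName $OvationHosts -Credential $siemCred |
    Format-Table Computer, CanRead, Newest, Error -AutoSize
```

A host that shows IsMember true but CanRead false is the case to chase before configuring the
SIEM profile: group membership is only one of the conditions for remote log collection.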

4.26.4 Emerson baseline NID tuning parameters

This section describes the changes made to the rules of a newly installed NID to minimize false
positives on an Ovation system, with an explanation where one is available.

On new installations of the SIEM, these rules are set during loading. If a SIEM is upgraded, these
rules are not set; use this section as a guide for tuning the rules by hand.

Note: This tuning was done in a lab environment and may not cover every configuration of every
Ovation system. The logs must be reviewed to decide whether additional rules need to be
disabled, or whether rules disabled by Emerson need to be re-enabled, for the specific
environment.

The following table describes the rules. The Location column is the Rule Type under which the
rule can be found in the Policy Manager.

Each entry gives the rule number and rule name, followed by the default setting and the Emerson
setting in brackets, and then the reason for the change.

Location: IPS/Firewall

2000011  ANOMALY InBound Bogons  [default: alert; Emerson: disabled]
         Ovation should never connect to Internet IP addresses
2000002  ANOMALY Inbound High To High  [default: alert; Emerson: disabled]
         High ports may be used, will cause false positives
2000012  ANOMALY Invalid InBound Packet  [default: alert, block; Emerson: disabled]
         Causes false positives, may investigate at specific site
2000027  ANOMALY Invalid Outbound Packet  [default: alert, block; Emerson: disabled]
         Causes false positives, may investigate at specific site
2000019  ANOMALY Large Inbound Bytes  [default: alert; Emerson: disabled]
         Should be off to start, then enable after flows are collected
2000022  ANOMALY Large InBound Packets  [default: alert; Emerson: disabled]
         Should be off to start, then enable after flows are collected
2000003  ANOMALY Large OutBound Bytes  [default: alert; Emerson: disabled]
         Should be off to start, then enable after flows are collected
2000021  ANOMALY Large OutBound Packets  [default: alert; Emerson: disabled]
         Should be off to start, then enable after flows are collected
2000004  ANOMALY Long Connection Duration  [default: alert; Emerson: disabled]
         Should be off to start, then enable after flows are collected
2000026  ANOMALY Outbound Bogons  [default: alert; Emerson: disabled]
         Ovation should never connect to Internet IP addresses
2000024  ANOMALY OutBound High To High  [default: alert; Emerson: disabled]
         High ports may be used, will cause false positives

Location: IPS/Deep Packet Inspection

1010536  Microsoft Windows Media Player ASF Heap Overflow - ASF_Marker_Object - smb-ds
         [default: alert; Emerson: disabled]
         Causes false positives, do not use Windows Media Player
1010172  Microsoft Windows AVI File Chunk Length Integer Overflow - CIFS 2
         [default: alert; Emerson: disabled]
         Causes false positives, do not use AVI files in Windows
1010171  Microsoft Windows AVI File Chunk Length Integer Overflow - CIFS 1
         [default: alert; Emerson: disabled]
         Causes false positives, do not use AVI files in Windows
1010538  Microsoft Windows Media Player ASF Heap Overflow - ASF_Marker_Object 2 - smb-ds
         [default: alert; Emerson: disabled]
         Causes false positives, do not use Windows Media Player
1010535  Microsoft Windows Media Player ASF Heap Overflow - IndexObject - smb-ds
         [default: alert; Emerson: disabled]
         Causes false positives, do not use Windows Media Player
1021384  Indusoft Web Studio 7.0 DoS  [default: alert; Emerson: disabled]
         Do not use Indusoft software, causes false positives
1002278  WEB-MISC handler access  [default: alert, block, reset; Emerson: disabled]
         Do not use IRIX OS versions 5.3 through 6.4, causes false positives
1009116  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - 1
         [default: alert, block, reset; Emerson: disabled]
         Causes false positives, do not use ORACLE BEA WebLogic
1009117  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - 2
         [default: alert, block, reset; Emerson: disabled]
         Causes false positives, do not use ORACLE BEA WebLogic
1009118  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - 3
         [default: alert, block, reset; Emerson: disabled]
         Causes false positives, do not use ORACLE BEA WebLogic
1009119  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - 4
         [default: alert, block, reset; Emerson: disabled]
         Causes false positives, do not use ORACLE BEA WebLogic
1009115  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - Set 00
         [default: alert, block, reset; Emerson: disabled]
         Causes false positives, do not use ORACLE BEA WebLogic
1009114  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - SET 01
         [default: alert, block, reset; Emerson: disabled]
         Causes false positives, do not use ORACLE BEA WebLogic

SECTION 5

Troubleshooting

IN THIS SECTION

Windows Blue Screen of Death (BSOD) Diagnostics (page 291)
Troubleshooting for Lumension OSC 2.x Update 1 (page 292)
Checking OSC version numbers for 2.x Update 1 versions (page 293)

5.1 Windows Blue Screen of Death (BSOD) Diagnostics


The Blue Screen of Death (BSOD) is the error screen displayed by the Microsoft Windows family
of operating systems when it encounters a critical, non-recoverable error that causes the system
to crash.

When this happens, Windows writes a small memory dump (minidump) recording the state of the
system at the time of the crash to the C:\Windows\Minidump directory.

Configure the machine to create these files before a crash occurs or before testing begins; the
settings cannot be applied after the fact.

For additional information, a Full or Kernel memory dump is written to the following file:
C:\Windows\memory.dmp

5.1.1 To configure and read BSOD


1. Open the Control Panel.
2. Open System.
3. Click the Advanced tab.
4. Click the Settings button under Startup and Recovery.
5. Under Write Debugging Information, change the drop-down list to Kernel Memory Dump.
6. Clear the Automatically Restart check box if you want to prevent rolling restarts. The machine
   then stays frozen on the BSOD, but the screen itself gives initial information on what
   happened.
7. Clear the Overwrite any existing file check box if you want to keep a history of BSODs. If they
   are frequent, this takes additional disk space. In normal conditions the last memory dump is
   sufficient and this selection can be left at its default.
8. Click OK to save the settings.
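The following PowerShell script is an added example and is not part of this guide. It makes the
same Startup and Recovery settings as the steps above by writing the registry values that the
dialog box writes, which is easier to apply consistently across many Ovation hosts, and reads the
result back so the setting can be verified before a crash is needed. It assumes the documented
meaning of the CrashControl values (CrashDumpEnabled 2 is a kernel memory dump, AutoReboot 0
prevents the automatic restart, Overwrite 0 keeps existing dumps), which is Windows behaviour
rather than anything specific to the Ovation Security Center. Run it elevated; the settings apply
from the next boot.

```powershell
# Added example, not from the Ovation Security Center guide: configure the
# Startup and Recovery crash dump options through the registry values the
# dialog writes, then read them back. Run elevated; applies from next boot.
$CrashControl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpTypeNames = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }

function Set-CrashDumpPolicy {
    param(
        [int]$DumpType = 2,          # step 5: Kernel memory dump
        [bool]$AutoReboot = $false,  # step 6: do not restart automatically
        [bool]$Overwrite = $true     # step 7: default; $false keeps a history of dumps
    )
    if (-not $DumpTypeNames.ContainsKey($DumpType)) { throw "Unknown dump type $DumpType" }
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $DumpType -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value ([int]$AutoReboot) -Type DWord
    Set-ItemProperty -Path $CrashControl -Name Overwrite -Value ([int]$Overwrite) -Type DWord
}

function Get-CrashDumpPolicy {
    # Returns the effective settings plus the paths the dumps are written to,
    # so the values in the guide (C:\Windows\Minidump, memory.dmp) can be checked.
    $p = Get-ItemProperty -Path $CrashControl
    New-Object PSObject -Property @{
        DumpType    = $DumpTypeNames[[int]$p.CrashDumpEnabled]
        AutoReboot  = [bool]$p.AutoReboot
        Overwrite   = [bool]$p.Overwrite
        DumpFile    = $p.DumpFile       # normally %SystemRoot%\MEMORY.DMP
        MinidumpDir = $p.MinidumpDir    # normally %SystemRoot%\Minidump
    }
}

Set-CrashDumpPolicy -DumpType 2 -AutoReboot $false -Overwrite $true
Get-CrashDumpPolicy | Format-List DumpType, AutoReboot, Overwrite, DumpFile, MinidumpDir
```

Get-CrashDumpPolicy on its own is the quick check to run on a machine before a test that is
expected to crash it: if DumpType is None, no file will be produced.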

To read the BSOD

You can view a memory dump with the Microsoft debugging tools (Debugging Tools for Windows),
available from:

http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx

An alternative program is BlueScreenView:

http://www.nirsoft.net/utils/blue_screen_view.html

5.1.2 To troubleshoot the MS Info Tool


1. Click Start > Programs > Accessories > System Tools > System Information, or click
   Start > Run and enter MSinfo32.exe.
2. Once the window opens, click File > Save to save a current snapshot.
3. To run the program from the command line without viewing the output, enter
   msinfo32 /nfo C:\temp\DROPNAME.nfo. This command writes the information file
   DROPNAME.nfo in C:\temp.
4. Name the file after the drop (for example, drop210Unit1) and save it to a network share or
   removable drive.
5. The file is an .NFO file and can be read by opening MSinfo32 and clicking File > Open.

Snapshots of drivers, services, startup objects, and other system information should be taken
while the system is running normally, so that there is a known-good picture to compare against
after a failure.

Note: Additional information about the MSInfo tool can be found in Microsoft KB308549.

5.2 Troubleshooting for Lumension OSC 2.x Update 1


Events are recorded both in the Lumension log files listed below and in the Windows Application
event log.

Patch Agent:
- Found in C:\Program Files\Lumension\Patch Agent
- Lumension Detection Agent.log
- Lumension Patch Agent.log

LEMSS Agent:
- This is the network agent for server communication, new in OSC 2.x
- Found in C:\Program Files\Lumension\LEMSSAgent
- A Logs link is found in that directory under Logs.
- This link normally points to a hidden directory at C:\Documents and Settings\All
  Users\Application Data\Lumension\LMAgent\logs, which contains:
  - EPS.log
  - EPS_stopstartlma.log
  - EPSDriver.log

The error codes and other troubleshooting resources from OSC 1 still apply.

5.2.1 To gather events for Bouncer OSC 2.x Update 1


1. Log in to the Bouncer UI.
2. Click the Management tab, then the Security Configuration the machine resides in.
3. Click the Systems tab and select the check box of the system you want to get events from.
4. Right-click the system name and select Retrieve All Events. The UI pauses and requests
   all events from the endpoint. After a few minutes, a new pop-up window appears with all the
   events.
5. To save the events to a text file, press Ctrl-A, right-click the highlighted lines and select
   Copy Selection to Clipboard.
6. The entries are now on your local machine's Clipboard. You can paste them into a text
   file and attach it to an email for analysis.

Note: Pages 23-28 of the Bouncer 5.3 User Guide located on the OSC CD explain the event
format.

5.3 Checking OSC version numbers for 2x Update 1 versions

Note: The Version numbers illustrated in the screen shots are from OSC 1.2.1 and OSC 2.0
Preliminary.

5.3.1 To check OSC 2.x Update 1 LEMSS Server versions


1. Log in to LEMSS (Lumension Endpoint Management and Security Suite).
2. Click Help -> About. A window appears displaying the version number.


5.3.2 To check OSC 2.x Update 1 LEMSS Client versions


1. Log in to the LEMSS UI.
2. Click Manage, then select Endpoints.
3. Click the Device Name.
4. On the Information tab, the Agent Information section displays the running version.

5.3.3 To check OSC 2.x Update 1 Bouncer Manager versions


1. Log in to the Bouncer UI using CTRemote or RDP.
2. Click the Configuration tab and then the Managers button.
3. In the bottom right pane, click the Settings tab. The Software Version appears in the
   settings list.

5.3.4 To check OSC 2.x Update 1 Bouncer Client versions


1. Log in to the Bouncer UI using CTRemote or RDP.
2. Click the Management tab, then click All Installed Systems under Security Configurations.
3. In the right pane, the Software Version column displays the version number.

5.3.5 To check OSC 2.x Update 1 NitroView versions


1. Enter the following address in the browser on your OSC client:
   https://192.168.124.49/Application.html
2. Log in to NitroView. The version is shown at the bottom left and should be 8.5.3 or greater.
SECTION 6

Support and Service for your Ovation Security Center

IN THIS SECTION

Support for your Ovation Security Center (page 299)
Vendor documentation (page 299)
Annual license renewal (page 299)

6.1 Support for your Ovation Security Center


Support for the Ovation Security Center can be obtained by contacting your Emerson SureService
representative or by contacting your field sales representative.

6.2 Vendor documentation


For additional information about the VSPM, MP, and SIEM products, refer to the applicable user
guide for each security appliance. User documentation is available on your Ovation Security
Center CD. Refer to the following manuals:
- Vulnerability Scan and Patch Management appliance: the Lumension Endpoint Management
  and Security Suite (LEMSS) User Guide.
- Malware Prevention appliance: the CoreTrace user documentation.
- Security Incident and Event Manager: the NitroSecurity User Guide.

6.3 Annual license renewal


Ovation Security Center licenses are renewed annually. Emerson has a license renewal process in
place to ensure that your licenses are kept current. Typically, the licensing process takes
place without the need for operator involvement.

However, if you want to request a license renewal, contact your SureService representative or
your PWS field sales representative.

When you are ready to renew your license, you must have all the licensing folder information
available that you originally received with your Ovation Security Center.

License expiration dates can be viewed in the Patchlink Licensing Update tool.

6.3.1 To check Patchlink manager license expiration dates


1. Insert the OSC Version 2.0 Update 1 DVD (Disc 1) into the disc drive.


2. Launch the License Request Tool from the desktop icon or from Start -> Programs ->
PatchLink -> License Request Tool.
The InstallShield Wizard launches. Launching the License Request Tool may take several
seconds while the tool enumerates the local SQL databases.
3. After the tool launches, the Connect to Server window appears. Select the Windows
authentication option and enter .\UPC in the Server Name box.

4. Click OK. There may be a pause while the license tool connects to the local database. The
license tool opens.


5. Click Import. The Import License Data (License Text) window appears.


6. Click Open. Browse to the license text file and select the file.

7. Click Open. The license text file displays.

8. Click Next. The Import License Data (New License Data) window appears. Verify that the
Units (number of licensed machines that can be installed) and the Expiration date (license
expiration date) match what was ordered.


9. Click Finish. A window appears asking you if you are sure that you want to update the license
data.


10. Click Yes to update the license data. The update begins.

11. Click Close after completion.

Index

A
Add the Kaspersky Administration Toolkit to VSPM • 39
Agent Status widget • 93
Annual license renewal • 299
Appendices • 281
Applicable Content Updates Widget • 96
Associated Vulnerability Analysis Page • 78

B
Backing up the MP appliance • 159
Backup and Restore • 249
Batch Data Source Management • 202

C
Change the Firewall Settings • 19
Checking OSC version numbers for 2x Update 1 versions • 293
Cisco model versus Auditing capabilities • 281
Components of the Ovation Security Center • 1
Configuration management • 277
Configure Internet Explorer 8 settings • 21
Configure the Network adapter • 18
Configuring Log Management • 255
Configuring Syslog Data Sources (Cisco and *nix Devices) for Monitoring • 191
Configuring WMI Data Sources (Windows Devices) for Monitoring • 189
Copyright Notice • 2
Creating a database backup • 110
Creating a disaster recovery solution for VSPM • 108
Creating and editing user accounts for SCAN • 103
Creating Reports and Logs for MP • 157
Creating Windows user for Active Directory authentication and log collection • 286
Critical Patch Status by Endpoint Widget • 97

D
Deploy Patches LEMSS Clients • 53
Deployment Confirmation Page • 84
Deployment Information page • 78
Deployment Wizard License page • 78
Deployment Wizard Schedule Configuration page • 79
Device / Device groups selection page • 76
Device Membership View • 70
Disconnect the monitor, mouse, and keyboard from the VSPM • 44
Discovery Scan Results Agent Widget • 94
Displaying time and date in reports for SCAN • 90
DNP3_CLIENT • 242
DNP3_PORTS • 242
DNP3_SERVER • 242
Download the LEMSS Agent Installer • 47
Downloading the Agent Installer • 92

E
Email Notifications Page • 92
Emerson baseline NID tuning parameters • 288
Endpoint Information tab • 72
Endpoints page • 72
Endpoints with Unresolved Updates Widget • 95
ENIP_SERVER • 242
Events, Flows, and Logs • 204
Exporting data • 64
Exporting Reports for VSPM • 90

F
Functions of the Ovation Security Center • 4

G
Generating a whitelist • 129
Generating reports • 88
Generating Reports for SIEM • 194
Graphical Interface-based (Enhanced ELM search) • 267
Groups and the Directory tree • 66

H
HOME_NET and EXTERNAL_NET • 241

I
ICCP_CLIENT • 243
ICCP_PORT • 243
ICCP_SERVER • 243
Import patches • 45
Import SQL Scripts • 31
Improvements for OSC 2.0 Update 1 • 7
Inactivity Threshold settings • 206
Incomplete Deployments Widget • 95
Initial patch organization • 44
Inline • 227
Inline cabling • 228
Install IIS w/ASP.Net • 23
Install .Net 3.5 • 20
Install 2008 SQL Management Studio (Recommended) • 28
Install Internet Explorer 8 • 20
Install KB968930 – Windows Management Framework • 22
Install LEMSS 7.0 SP1 • 24
Install LEMSS 7.0 SP1 Update 3 • 26
Install LEMSS Agent on Endpoints • 48
Install Lumension SCAN • 38
Install Server 2008 SP2 • 16
Install the Import tool • 35
Install the latest Adobe Reader • 22
Install the VSPM (LEMSS) Airgap License tool • 33
Installation of Log Management (LM) • 251
Introduction Page • 76
Introduction to the Ovation Security Center • 1
Intrusion Prevention versus Intrusion Detection • 222
IP address and password examples • 8

J
Join the Domain • 43

L
Last Five Completed Scan Jobs Widget • 97
Latest News Widget • 98
Log Management • 251
Log Management data integrity check • 261
Logging in for the first time for MP • 126
Login basics and Admin Tokens for MP • 125
Login security information • 178
Login to LEMSS for the first time • 35

M
Malware Prevention (MP) appliance • 117
Malware Prevention (MP) IP address and password examples • 10
Malware Prevention (MP) overview • 117
Malware Prevention event reports to SIEM • 162
Management interface cabling • 227
Managing Alarms • 207
Managing Conditions • 221
Managing Recipients • 215
Managing Watchlists • 213
Mandatory Baseline Compliance Widget • 98
Minimum requirements to login to the SIEM • 165
Mirrored traffic cabling • 227
Mirroring traffic • 226
Mirroring Traffic versus Inline • 226
MODBUS_CLIENT • 237
MODBUS_PORT • 243
MODBUS_SERVER • 244
Monthly patch organization • 44

N
Navigation bar menu map • 61
Network discovery and configuration management • 271
Network intrusion detection installation • 222
New Installation of Bouncer 5.x • 130
Next Five Pending Scan Jobs Widget • 98
Normal Login procedure for MP • 126
Notification Options page • 83

O
Offline Agents Widget • 99
One time upgrade • 252
OSC Versus module settings • 248

P
Package deployment Behavior Options page • 82
Patch deployment • 73
Patch manager functions • 14
Performing a clean Install of VSPM on Server 2008 SP2 • 15
Preparing VSPM for Full vulnerability scan • 103
Preparing your database • 109
Profile management • 184

R
Rename the computer • 17
Report description • 85
Report descriptions for Lumension SCAN • 86
Report descriptions for Lumension Update • 87
Reports for VSPM • 85
Reports parameters for VSPM • 88
Restoring a database backup • 111
Retrieve LM logs • 266
Reviewing Data Sources and Policy Rollout • 199
ROCKWELL_PORTS • 244

S
Scheduled Deployments Widget • 99
Scrubbing your system • 156
Searching within reports for VSPM • 89
Security Incident and Event Manager (SIEM) appliance • 163
Security Incident and Event Manager (SIEM) IP address and password examples • 11
Selecting the deployment Start and End functions • 81
Server Information Widget • 100
Set certain user passwords to never expire • 39
SIEM appliance overview • 164
Support and Service for your Ovation Security Center • 299
Support for your Ovation Security Center • 299
Syslog Configuration to Forward Messages from Solaris, Unix, and Linux OS Data Sources • 191

T
Terminology for the Ovation Security Center • 4
Text-based • 268
Time Since Last Agent Scan Widget • 101
To access a variable list through the policy manager • 238
To access profile management • 184
To access the LM Backup and Restore window • 269
To access the Login Security menu • 178
To access the recipients configuration • 215
To access the Users and Groups window • 181
To add a condition • 221
To add a Group to the system • 183
To add a profile • 186
To add a Report • 194
To add a storage device • 255
To add a Syslog data source to a Receiver • 192
To add a syslog recipient • 220
To add a user to a Group • 183
To add a user to the system • 182
To add a Watchlist • 212, 213
To add an email address • 215
To add an email group • 216
To add an existing user • 59
To add an SMS address • 217
To add an SNMP recipient • 218
To add clients for Windows devices for MP • 128
To add Device members • 70
To add Endpoints to Groups • 69
To add Group Members to a new Group • 67
To add groups for patch deployments • 74
To add NID to SIEM • 229
To add the storage pool • 259
To add Trusted Domain users • 153
To alter the Auto-retrieval settings • 205
To assign Devices to a deployment groups • 75
To autogenerate a whitelist policy • 130
To automatically backup the system settings • 249
To automatically check events, flows, and logs • 205
To automatically refresh Views • 204
To backup Event, Log, and Data Source Configuration Data • 250
To backup the Malware Prevention appliance • 159
To change a user password • 60
To change the database recovery model • 109
To change the database recovery model OSC 2.x • 113
To change the password for SIEM • 165
To change your passphrase for MP • 128
To change your password for MP • 127
To check OSC 2.x Update 1 Bouncer Client versions • 296
To check OSC 2.x Update 1 Bouncer Manager versions • 295
To check OSC 2.x Update 1 LEMSS Client versions • 294
To check OSC 2.x Update 1 LEMSS Server versions • 293
To check OSC 2.x Update 1 NitroView versions • 297
To check Patchlink manager license expiration dates • 299
To compare configurations • 280
To configure and read BSOD • 291
To configure Deployment Information • 78
To configure Manager Settings • 131
To configure network discovery • 272
To configure network monitoring • 277
To configure Security Configuration settings • 138
To configure the Syslog Target • 134
To configure vulnerability assessment • 244
To configure WMI Data Sources (Windows Devices) for Monitoring • 190
To confirm network discovery • 275
To connect to the Admin Console • 160
To connect to the Malware Prevention appliance • 160
To copy an alarm • 211
To create a database backup • 110
To create a database backup for OSC 2.x • 114
To create a Device deployment • 77
To create a group deployment • 77
To create a Manager Configuration Report • 157
To create a Manager software report • 158
To create a new alarm • 207
To create a new user • 58
To create a Security Group/Rollover • 132
To create an Administrator Report for MP • 157
To create an archive • 159
To create archives (Backups) • 151
To create Custom Security Configuration Groups • 136
To create Groups • 67
To create groups of devices for patch deployments and vulnerability scans • 74
To create System Install file • 140
To create VSPM Network Groups • 66
To delete a condition • 221
To delete a user • 60
To delete a Watchlist • 213
To delete an alarm • 211
To delete an Endpoint • 73
To delete Groups • 68
To deploy content items to endpoints • 73
To deploy patches to new Groups • 75
To deploy patches to VSPM clients • 73
To discover network devices • 275
To download the Agent Installer • 92
To edit a condition • 221
To edit a profile • 187
To edit a Report • 198
To edit a syslog recipient • 220
To edit a user profile • 59
To edit a variable • 240
To edit a Watchlist • 213, 214
To edit an alarm • 211
To edit an email group • 216
To edit an email recipient • 215
To edit an SMS address • 218
To edit an SNMP recipient • 219
To edit Groups • 67
To edit the Dashboard • 102
To edit to a Group • 183
To edit user account settings • 182
To enable Active Directory authentication • 179
To enable an Endpoint • 72
To enable logging for an individual data source • 263
To enable logging for multiple data sources • 265
To enable spin animation • 57
To export data • 64
To export Data Sources from SIEM • 202
To force an endpoint to start patching • 54
To gather events for Bouncer OSC 2.x Update 1 • 292
To generate a password for MP • 127
To generate a report • 88
To generate a whitelist (one device at a time) • 129
To generate reports on vulnerability scan results • 89
To import a Policy for OSC 2.0 Update 1 • 158
To import Data Sources into SIEM • 203
To initial IP address configuration • 228
To install Clients and deploy manually • 149
To install Clients and deploy via Active Directory • 146
To install Malware Prevention for 2.0 Update 1 • 117
To install new VSPM Clients • 57
To log on to Lumension Update • 61
To log out of Update • 61
To login to the SIEM • 165
To Logout of MP • 128
To manually apply Emerson approved Rule updates • 203
To manually backup the system settings • 249
To manually check events, flows, and logs (method 1) • 205
To manually check events, flows, and logs (method 2) • 205
To migrate the database • 257
To modify the CSV file • 202
To monitor the deployment • 55
To move Groups • 68
To move systems between security configurations • 149
To perform a full backup ESM Settings and All Data • 250
To perform a Full vulnerability scan • 104
To perform vulnerability scans (Emerson Validated Patches) • 105
To prepare VSPM for Full vulnerability scan • 103
To preview and print the Dashboard • 102
To remove a Group • 183
To remove a profile • 188
To remove a Report • 199
To remove a syslog recipient • 220
To remove a user • 60
To remove an email group • 216
To remove an email recipient • 216
To remove an SMS address • 218
To remove an SNMP Recipient • 220
To remove Device members • 71
To remove Endpoints from Groups • 70
To remove users from a Group • 183
To remove users from the system • 182
To restore a backup from a Local File • 251
To restore a database backup • 111
To restore a database backup for OSC 2.x • 115
To restore backup files • 251
To restore backups • 152
To restore the backup • 271
To review Data Sources • 199
To roll out the policy automatically • 200
To roll out the policy manually • 201
To run a configuration management scan manually • 279
To schedule a one-time deployment • 80
To scrub your system • 156
To search for a Group • 67
To select Default System Views • 204
To select Event Summarize Views • 204
To select the Available Packages page • 77
To set a password or passphrase length for the MP security group • 127
To set backup location • 270
To set Inactivity Threshold settings • 206
To set NID mode • 232
To set polices • 234
To set the syslog forwarding address • 193
To setup a daily recurring deployment • 80
To setup a monthly recurring deployment • 81
To setup a weekly recurring deployment • 80
To setup or verify that Syslog is pointing to the SIEM • 162
To shut down the NID • 244
To store a backup in a remote location • 250
To take the backup automatically • 271
To take the backup manually • 271
To troubleshoot the MS Info Tool • 292
To update Bouncer • 142
To update system licenses • 161
To update VSPM SCAN • 107
To upgrade from OSC 2.0 to OSC 2.0 update 1 • 166
To upgrade from OSC 2.0 update 1 to OSC 2.1 • 169
To upgrade OSC 1.x to OSC 2.x • 130
To upgrade VSPM Endpoints clients from OSC1.0 to OSC2.0 • 58
To verify a software update for endpoints: • 146
To verify a software update to a Manager: • 145
To verify that the deployments to the devices are complete • 55
To verify the license • 161
To view a Report • 198
To view a report for SCAN • 90
To view Endpoints • 72
To view Groups • 66, 69
To view the Email Notifications page • 92
Traffic Monitoring • 223
Troubleshooting • 291
Troubleshooting for Lumension OSC 2.x Update 1 • 292

U
Un-remediated Critical Vulnerabilities Widget • 101
Update LEMSS clients to latest levels • 36
Update Lumension SCAN • 50
Update SCAN to the current Emerson Validated Patched Vulnerability set • 53
Update to SQL Server 2008 SP2 • 27
Updating Rules and Software • 203
Upgrade SIEM software • 166
Use the OSC 2.x License Request Tool and License LEMSS • 33
Use with network discovery • 189
Use with Ovation WMI data sources • 188
Useful variables for Ovation • 241
User accounts and Groups • 181
Using Endpoints • 71
Using the Dashboard • 93
Using the Deployment Wizard • 76
Using the Security Incident and Event Manager • 281

V
Vendor documentation • 299
Viewing printable data in reports for VSPM • 91
Views options • 204
VSPM Groups • 65
VSPM SCAN Updating • 107
VSPM updates and Ovation integration • 44
VSPM user account information and Lumension Update procedures • 58
Vulnerability assessment • 244
Vulnerability Scan and Patch Management (VSPM) IP address and password examples • 9
Vulnerability Scan and Patch Manager (VSPM) appliance • 13
Vulnerability Scan and Patch Manager (VSPM) overview • 13
Vulnerability scan functions • 14

W
What is the Ovation Security Center? • 1
Windows audit polices • 281
Windows Blue Screen of Death (BSOD) Diagnostics • 291
Windows Server 2008/7 • 282
Windows Sever 2003/XP • 282
Working with HTML reports • 91
Working with PDF reports • 91
