HMM
HMM is responsible for process monitoring and library monitoring on the host. It also enforces ACPs and Protection Actions.
HMM CONFIGURATIONS
HMM is highly configurable to accommodate the high variance in deployments:
- All configurations can be viewed using:
  vsp-cli config hmm view --options
- Each configuration shows a description explaining what the configuration controls.
- The most useful configurations are:
  - fswalkProcesses – The number of processes to spawn during the host File System walk (FS-walk), which determines all the binary files on the host
  - eventMonitorThreads – The number of threads to spawn in parallel to handle the incoming HMM agent messages
  - fsExclusionList – A list of paths to exclude during the FS-walk
  - logLevel – The desired log level for the component
  - regexExclusions – A list of regex strings describing incidents that are not reported to CMS
  - trustedInstallers – A set of trusted installers/publishers. Processes and libraries that belong to these installers/publishers are not reported to CMS
OBTAIN BLOCKED/SUSPENDED PROCESSES
To obtain the current list of blocked/suspended processes, execute:
  vsp-cli host get-blocked-procs

OBTAIN THE CURRENT ALLOWLIST
To export a current copy of the allowlist stored in memory, execute:
  vsp-cli host export ./vsp_host_allowlist.json
HOSTS NOT IN SYNC OR LEGITIMATE PROCESSES REPORTED
Symptom: VSP-Host is out of sync with the CMS allowlist, or legitimate processes are reported as incidents.
Recommended Actions: Follow the steps below:
- Stop all the VSP services
- Delete the files located in the directory: $VSP_VAR_HOME/hmm/fswalk/
- Start the VSP services
NOTE:
If the out-of-sync issue occurs during the initial profile creation, ensure that the profile is deleted on CMS after stopping the VSP services and before restarting the probe.
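The resync procedure above, scripted as an added example that is not part of the VSP documentation or the vsp-cli tool. The page does not name the commands that stop and start the VSP services, so the script reads them from the hypothetical VSP_STOP_CMD and VSP_START_CMD variables; VSP_VAR_HOME is assumed to be exported by the VSP install. The deletion step refuses to run with an empty root or a missing fswalk directory, so an unset VSP_VAR_HOME can never turn the delete into a path outside the VSP tree.

```shell
#!/bin/sh
# Added example, not part of the VSP documentation: clear HMM's FS-walk cache
# as part of the resync procedure. VSP_STOP_CMD / VSP_START_CMD are hypothetical
# variables holding the site-specific commands that stop and start VSP services.

# Delete the contents of $VSP_VAR_HOME/hmm/fswalk/ while keeping the directory.
# Refuses to run with an empty root or a missing directory so that the delete
# can never expand to a path outside the VSP tree.
vsp_clear_fswalk() {
    root="$1"
    if [ -z "$root" ] || [ ! -d "$root/hmm/fswalk" ]; then
        echo "vsp_clear_fswalk: no fswalk directory under '$root'" >&2
        return 1
    fi
    find "$root/hmm/fswalk" -mindepth 1 -delete
}

# Full procedure from the page: stop services, clear the cache, start services.
vsp_resync_hmm() {
    if [ -z "$VSP_STOP_CMD" ] || [ -z "$VSP_START_CMD" ]; then
        echo "vsp_resync_hmm: set VSP_STOP_CMD and VSP_START_CMD first" >&2
        return 1
    fi
    $VSP_STOP_CMD || return 1
    vsp_clear_fswalk "$VSP_VAR_HOME" || return 1
    $VSP_START_CMD
}

# Usage (with VSP_VAR_HOME already exported by the VSP install):
#   VSP_STOP_CMD="<stop command>" VSP_START_CMD="<start command>" vsp_resync_hmm
```

Only the contents of the fswalk directory are removed, so the directory itself survives and HMM can repopulate it on the next walk; if the profile is still being created, delete the profile on CMS between the stop and start steps as the note above describes.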