
 

 

HMM

 

HMM is responsible for process monitoring and library monitoring on the host. It also enforces ACPs and Protection Actions on that host.

 

HMM CONFIGURATIONS

 

HMM is highly configurable to accommodate the wide variation between deployments:

  1. All configurations can be viewed using:

    1. vsp-cli config hmm view --options

    2. Each configuration is listed with a description of what it controls.

 

The most useful configurations are:

  1. fswalkProcesses – The number of processes to spawn for the host File System walk (FS-walk), which enumerates all binary files on the host

  2. eventMonitorThreads – The number of threads to spawn in parallel to handle incoming HMM agent messages

  3. fsExclusionList – A list of paths to exclude from the FS-walk

  4. logLevel – The desired log level for the component

  5. regexExclusions – A list of regular expressions; incidents matching any of them are not reported to CMS

  6. trustedInstallers – A set of trusted installers/publishers. Processes and libraries that belong to these installers/publishers are not reported to CMS

Note that fsExclusionList, regexExclusions and trustedInstallers all reduce what HMM reports: an excluded path, an over-broad regular expression or a trusted publisher is a blind spot, so keep these lists as narrow as possible and review them whenever the deployment or the allowlist changes.

 

OBTAIN BLOCKED/SUSPENDED PROCESSES

  1. To obtain the current list of blocked/suspended processes, execute:

    1. vsp-cli host get-blocked-procs

       

       

 

OBTAIN THE CURRENT ALLOWLIST

  1. To export a current copy of the allowlist stored in memory, execute:

    1. vsp-cli host export ./vsp_host_allowlist.json

       

       

 

HOSTS NOT IN SYNC OR LEGITIMATE PROCESSES REPORTED

 

Symptom: VSP-Host is out of sync with the CMS allowlist, or legitimate processes are reported as incidents.

 

Recommended Actions: Follow the steps below:

  1. Stop all the VSP services

  2. Delete the files located in the directory $VSP_VAR_HOME/hmm/fswalk/ (the cached FS-walk results)

  3. Start the VSP services

  4. Once the services are up, export the in-memory allowlist with vsp-cli host export ./vsp_host_allowlist.json and confirm that it matches the allowlist on CMS

NOTE:

If the out-of-sync issue occurs during initial profile creation, delete the profile on CMS after stopping the VSP services and before restarting the probe, so that the profile is rebuilt from a fresh FS-walk.
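The following shell script is an added example of the re-sync procedure above; it is not part of VSP or its documentation. It exists mainly to show the guard a practitioner wants before step 2: `rm -rf $VSP_VAR_HOME/hmm/fswalk/*` with an unset or empty VSP_VAR_HOME expands to `/hmm/fswalk/*`, so the script refuses anything that is not an absolute path to an existing directory and deletes only the contents of that directory. The page does not name the commands that stop and start the VSP services, so they are passed in as arguments; the RUN_RESET, VSP_STOP_CMD and VSP_START_CMD variable names are assumptions for this example only.

```shell
#!/bin/sh
# Added example (not VSP's own tooling): run the HMM re-sync procedure with a
# guard against deleting the wrong tree when VSP_VAR_HOME is unset or empty.
#
# Assumptions not on the page: the commands that stop and start the VSP
# services are not named there, so they are passed in as the second and third
# arguments (or via the hypothetical VSP_STOP_CMD / VSP_START_CMD variables).

# fswalk_file_count DIR  -> prints the number of entries below DIR
fswalk_file_count() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# reset_fswalk_cache VAR_HOME [STOP_CMD] [START_CMD]
# Exit status: 0 on success, 1 for an unusable VAR_HOME, 2 if a service command fails.
reset_fswalk_cache() {
    var_home="$1"
    stop_cmd="${2:-:}"     # ':' is a no-op stand-in when no command is supplied
    start_cmd="${3:-:}"

    # Guard: refuse anything that is not an absolute path to an existing directory.
    # An empty VAR_HOME would otherwise turn the target into /hmm/fswalk.
    case "$var_home" in
        /*) ;;
        *)  echo "reset_fswalk_cache: VSP_VAR_HOME must be an absolute path (got '$var_home')" >&2
            return 1 ;;
    esac
    fswalk_dir="$var_home/hmm/fswalk"
    if [ ! -d "$fswalk_dir" ]; then
        echo "reset_fswalk_cache: $fswalk_dir is not a directory" >&2
        return 1
    fi

    # 1. Stop all VSP services before touching the cache.
    sh -c "$stop_cmd" || { echo "reset_fswalk_cache: stop command failed" >&2; return 2; }

    # (During initial profile creation the NOTE above also requires deleting the
    #  profile on CMS at this point; that is a CMS-side action, not done here.)

    # 2. Delete the cached FS-walk files; the directory itself is kept.
    echo "removing $(fswalk_file_count "$fswalk_dir") entries under $fswalk_dir"
    find "$fswalk_dir" -mindepth 1 -delete

    # 3. Start the VSP services again.
    sh -c "$start_cmd" || { echo "reset_fswalk_cache: start command failed" >&2; return 2; }
}

# Run only when explicitly requested, e.g.
#   RUN_RESET=1 VSP_STOP_CMD='...' VSP_START_CMD='...' sh reset_fswalk.sh
# (RUN_RESET, VSP_STOP_CMD and VSP_START_CMD are names assumed for this example.)
if [ "${RUN_RESET:-0}" = 1 ]; then
    reset_fswalk_cache "${VSP_VAR_HOME:-}" "${VSP_STOP_CMD:-}" "${VSP_START_CMD:-}"
fi
```

The stop command runs before anything is deleted and a failing stop aborts the procedure with the cache untouched, which matches the order the steps above require: HMM must not be running while its FS-walk cache is removed.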

 

 
