
 

 

HMM

 

HMM is responsible for process monitoring and library monitoring on the host. It also enforces ACPs and Protection Actions.

 

HMM CONFIGURATIONS

 

HMM is highly configurable to accommodate the wide variation between deployments:

  1. All configurations can be viewed using:

    1. vsp-cli config hmm view --options

       

       

    2. Each configuration shows a description explaining what the configuration controls.

 

The most useful configurations are:

  1. fswalkProcesses – The number of processes to spawn during the host file system walk (FS-walk) that inventories all binary files on the host

  2. eventMonitorThreads – The number of threads spawned to handle incoming HMM agent messages in parallel

  3. fsExclusionList – A list of paths to exclude from the FS-walk

  4. logLevel – The desired log level for the component

  5. regexExclusions – A list of regular expressions; incidents matching any of them are not reported to CMS. An over-broad pattern silently suppresses genuine incidents, so keep patterns anchored and as specific as possible

  6. trustedInstallers – A set of trusted installers/publishers. Processes and libraries that belong to these installers/publishers are not reported to CMS
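The following is an added example, not Virsec's code and not how vsp-cli implements these keys internally. It models the three suppression mechanisms named above (fsExclusionList, regexExclusions, trustedInstallers) as pure functions over constructed sample data, so you can see how they interact before committing a configuration, and it includes a small audit that flags invalid or over-broad regexExclusions patterns, the failure mode that most often hides real incidents. All paths, publisher names and patterns are constructed for illustration.

```python
"""Model of HMM-style exclusion handling (constructed illustration, not the product's code)."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class HmmConfig:
    fs_exclusion_list: List[str]   # paths pruned from the FS-walk
    regex_exclusions: List[str]    # incidents matching these are not reported to CMS
    trusted_installers: Set[str]   # publishers whose binaries are not reported


@dataclass(frozen=True)
class Incident:
    path: str                  # executable or library that triggered the incident
    publisher: Optional[str]   # installer/publisher recorded for the file, if known
    kind: str                  # "process" or "library"


def under_excluded_path(path: str, exclusions: List[str]) -> bool:
    """True if path is an excluded root or lies below one.

    Compares whole path components, so "/tmp/build-cache" excludes
    "/tmp/build-cache/a.so" but not "/tmp/build-cache2/a.so".
    """
    norm = os.path.normpath(path)
    for root in exclusions:
        root = os.path.normpath(root)
        if norm == root or norm.startswith(root + os.sep):
            return True
    return False


def prune_fs_walk(candidates: List[str], cfg: HmmConfig) -> List[str]:
    """Model of the FS-walk: keep only binaries outside fsExclusionList."""
    return [p for p in candidates if not under_excluded_path(p, cfg.fs_exclusion_list)]


def classify(incident: Incident, cfg: HmmConfig) -> str:
    """Return "report" or the reason an incident is suppressed before reaching CMS.

    The publisher check runs before the regex list so a sloppy regex never
    obscures which mechanism dropped an incident.
    """
    if incident.publisher is not None and incident.publisher in cfg.trusted_installers:
        return "suppressed:trustedInstallers"
    for pattern in cfg.regex_exclusions:
        if re.search(pattern, incident.path):
            return "suppressed:regexExclusions"
    return "report"


def audit_regex_exclusions(patterns: List[str]) -> List[str]:
    """Flag patterns that are invalid or broad enough to hide real incidents.

    The canary paths are constructed: a system shell, a hidden temp directory and
    a home-directory download, i.e. exactly where an unexpected process or library
    is worth reporting. A pattern matching all three is over-broad.
    """
    canaries = ["/usr/bin/bash", "/tmp/.x/payload", "/home/alice/Downloads/update.so"]
    findings = []
    for pattern in patterns:
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            findings.append(f"invalid: {pattern!r} ({exc})")
            continue
        if all(rx.search(c) for c in canaries):
            findings.append(f"over-broad: {pattern!r} matches every canary path")
    return findings


# Constructed sample configuration and incidents (not from a real deployment).
SAMPLE_CFG = HmmConfig(
    fs_exclusion_list=["/proc", "/var/lib/docker/overlay2"],
    regex_exclusions=[r"^/opt/monitoring/plugins/.*\.so$"],
    trusted_installers={"acme-corp-packaging"},
)

SAMPLE_INCIDENTS = [
    Incident("/opt/monitoring/plugins/cpu.so", None, "library"),
    Incident("/usr/local/bin/acme-agent", "acme-corp-packaging", "process"),
    Incident("/tmp/.x/payload", None, "process"),
]


def run_sample() -> dict:
    """Verdict per sample incident under SAMPLE_CFG."""
    return {i.path: classify(i, SAMPLE_CFG) for i in SAMPLE_INCIDENTS}


if __name__ == "__main__":
    for path, verdict in run_sample().items():
        print(f"{verdict:32} {path}")
    for finding in audit_regex_exclusions([r".*", r"^/opt/monitoring/", r"(unclosed"]):
        print("regexExclusions:", finding)
```

Run it before changing regexExclusions or trustedInstallers in a deployment: the audit catches the two mistakes that turn a tuning change into a blind spot (a pattern that does not compile and is ignored, and a pattern such as `.*` that suppresses everything), and `classify` shows which mechanism will swallow a given incident.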

 

OBTAIN BLOCKED/SUSPENDED PROCESSES

  1. To obtain the current list of blocked/suspended processes, execute:

    1. vsp-cli host get-blocked-procs

       

       

 

OBTAIN THE CURRENT ALLOWLIST

  1. To export a current copy of the allowlist stored in memory, execute:

    1. vsp-cli host export ./vsp_host_allowlist.json

       

       

 

HOSTS NOT IN SYNC OR LEGITIMATE PROCESSES REPORTED

 

Symptom: VSP-Host is out of sync with the CMS allowlist, or legitimate processes are reported as incidents

 

Recommended Actions: Follow the steps below:

  1. Stop all the VSP services

  2. Delete the cached FS-walk files in the directory: $VSP_VAR_HOME/hmm/fswalk/

  3. Start the VSP services

NOTE:

If the out-of-sync issue occurs during initial profile creation, also delete the profile on CMS after stopping the VSP services and before restarting the probe

 

 

HOSTS NOT AUTO-ASSOCIATED WITH PROFILES AFTER UPGRADE

 

Symptom: After a VSP upgrade, hosts are not auto-associated with profiles when the Probe is in the connected state and the profiles were imported with tags

 

Recommended Actions: Restart the Probe so that auto-association is re-attempted and completes

 

 

PERSISTENCE OF SCAN ERROR ON CMS AFTER PROBE RECOVERY

 

Symptom: A scan is initiated after Probes have been in maintenance mode for a period of time and then stopped. If VSP-Manager is stopped or restarted while that scan is running, CMS displays a scan error, and the error persists after VSP-Manager restarts

 

Recommended Actions: Disassociate and then re-associate the probe instance to clear the scan error

 

 
