
 

PRISTINE HOST MODE

 

INTRODUCTION

 

Pristine Host Mode treats all the executables and libraries discovered during the initial scan as “Pristine” (trusted). This reduces the time taken to enable Protect/Detect mode on a host associated with a profile. It also enables the profile to define the required configuration independently of the host image. Because trust is granted to whatever is present at scan time, and checksums, publishers and threat intelligence for those files are only gathered later in the background, the host should be in a known-good state when the initial scan runs.

 

NORMAL VS PRISTINE MODE

 

It is recommended to choose Pristine Host mode for fast and easy onboarding of a VSP host on any server. Normal mode can be used in more tightly controlled environments where the user wants to see all unverified files on CMS.

 

The table below highlights the differences between the two modes:

Initial Scan
  Normal Mode: Contains three steps: (1) discover the executables and libraries on the host; (2) generate checksums for each file; (3) generate publishers for each file.
  Pristine Mode: Contains only one step: discover the executables and libraries on the host. The other two steps are performed in lazy background threads/processes.

Initial Scan – Time taken
  Normal Mode: More
  Pristine Mode: Less

Incidents after Initial Scan (Protect/Detect Mode)
  Normal Mode: More chance of generating incidents if the processes/libraries are not allowlisted.
  Pristine Mode: No incidents are generated, as all the processes/libraries discovered on the host are allowlisted locally on the host.

Allowlist
  Normal Mode: Populated with all the unverified executables and libraries; updated as per the received incidents.
  Pristine Mode: Initially empty; populated as per the incidents received.

Host Profile
  Normal Mode: All hosts in one profile must be created from similar images.
  Pristine Mode: Hosts can be created from different images.

Checksum Generation
  Normal Mode: Checksums for each file are generated as part of the initial scan.
  Pristine Mode: Checksums for each file are generated in background processes over time.

Publisher Generation
  Normal Mode: Publishers for each file are generated as part of the initial scan.
  Pristine Mode: Publishers for each file are generated in background processes over time.

Threat Intelligence
  Normal Mode: Threat intelligence is performed on the unverified files sent to CMS after the initial scan.
  Pristine Mode: Threat intelligence is performed in the background for all initially-trusted files over time.

Table – Normal vs Pristine Mode

 

When hosts with different Operating System versions are associated with the same profile, VSP-Host must be configured in Pristine Host mode. Use either of the following methods to enable it:

  1. Use the -P option during VSP Probe installation

     OR

  2. Run the command:

       vsp-cli config hmm edit pristineHost true

 

ENABLE OR DISABLE PRISTINE MODE

 

Follow the steps below to enable or disable Pristine Mode on each host:

  1. Stop the VSP services:

       Windows:  sc stop vsp
       Linux:    service vsp stop

  2. Delete the existing profile on CMS.

  3. Run the appropriate command to enable or disable Pristine Host mode:

       Enable:   vsp-cli config hmm edit pristineHost true
       Disable:  vsp-cli config hmm edit pristineHost false

  4. Start the VSP services:

       Windows:  sc start vsp
       Linux:    service vsp start

  5. Create a new Host Profile and associate the required hosts.

  6. To view the current VSP-Host settings, use the command:

       vsp-cli config hmm view --options

 

NOTE:

Ensure that pristine and non-pristine hosts are not included in the same host profile.
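As an added example (not part of the original documentation or the VSP product), the following Python check runs over a constructed host inventory and flags profiles that break the two rules stated above: a profile whose hosts run different OS versions must use Pristine Host mode, and a profile must not mix pristine and non-pristine hosts. The inventory record format is an assumption made for this example, not a CMS export.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample inventory (an assumption for this example, not a CMS export):
# one record per host with its planned profile, OS version and pristineHost setting.
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "web-01", "profile": "web", "os": "RHEL 8.6", "pristine": True},
    {"host": "web-02", "profile": "web", "os": "RHEL 8.8", "pristine": True},
    {"host": "db-01", "profile": "db", "os": "Windows Server 2019", "pristine": False},
    {"host": "db-02", "profile": "db", "os": "Windows Server 2019", "pristine": True},
    {"host": "app-01", "profile": "app", "os": "Ubuntu 20.04", "pristine": False},
    {"host": "app-02", "profile": "app", "os": "Ubuntu 22.04", "pristine": False},
]


def check_profiles(inventory: List[Dict]) -> List[str]:
    """Return one finding per profile that breaks a rule from this page.

    Rule 1: hosts with different OS versions in one profile require Pristine Host mode.
    Rule 2: pristine and non-pristine hosts must not share a profile.
    """
    by_profile: Dict[str, List[Dict]] = defaultdict(list)
    for record in inventory:
        by_profile[record["profile"]].append(record)

    findings: List[str] = []
    for profile in sorted(by_profile):
        hosts = by_profile[profile]
        modes = {h["pristine"] for h in hosts}
        versions = {h["os"] for h in hosts}
        if len(modes) > 1:
            # Rule 2 violated: name the non-pristine hosts that need re-onboarding.
            names = ", ".join(sorted(h["host"] for h in hosts if not h["pristine"]))
            findings.append(f"{profile}: mixes pristine and non-pristine hosts ({names} non-pristine)")
        if len(versions) > 1 and False in modes:
            # Rule 1 violated: mixed OS versions are only allowed in Pristine Host mode.
            findings.append(f"{profile}: spans {len(versions)} OS versions but is not pristine")
    return findings


if __name__ == "__main__":
    for line in check_profiles(SAMPLE_INVENTORY) or ["no violations"]:
        print(line)
```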

 
