Contents x
    Host Profile
    • 11 Oct 2024
    • 13 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Host Profile

    • Updated on 11 Oct 2024
    • 13 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    About this Article
    This article provides all the required information related to Host Profiles (for VM) and Host Template (for containers) - Creation, Modification, Deletion and Import/Export of Profiles on CMS.


    Create Host Profile (VMs only)

    To create a profile, follow the below steps:

       

    Version 3.1 and Above:

    1. Navigate to Manage > Host > Host Protection in the left navigation pane. Click ADD PROFILE
    2. Provide the below information
      Field NameDescription
      NameName of the profile
      Profile TagTag used during VM Probe auto registration
      Library MonitoringSelect the box to enable Library Monitoring
      Memory Exploit ProtectionEnable it for Memory Exploit Protection functionality
      Auto AllowlistAuto allowlist files with reputation ”SAFE”
      Trust Threshold for Auto AllowlistingFiles of equal and above the configured Trust threshold value are auto allowlisted. Available options are Full, Elevated, High, Medium and Low
      Auto Allowlist Unknown files from Discovery ScanAuto allowlist files with reputation “UNKNOWN”
      Auto Allowlist Unknown files from Discovery Scans and IncidentsAuto allowlist files with reputation “UNKNOWN” and source “INCIDENTS”
      Allow New Publisher/Package

      Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile

      • When enabled, the publisher/package is automatically added to the allowlist with the source as “SCAN”. When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, they are listed in the respective lists with the source as “Incident” without any incidents reported in CMS
      • When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, incidents are reported with the Publishers/Packages listed in the respective lists with the source as “Incident”
      • The user can modify the allowlist as required at any point. The modified list is published to the Probe
      Operating SystemSelect the Operation System – Windows/Linux - from the drop-down list 
      App Control Policy Name(Optional) Select the appropriate App Control policy from the drop-down list
      Default Monitoring ModeSelect the Default Monitoring Mode for
      • Executable Protection: Available options are Protect, Detect or Disable
      • App Control Policy: Available options are Protect, Detect or Disable. Ensure that the App Control Policy Name is provided to set the default monitoring mode
      • Memory Exploit Protection: Available options are Protect, Detect or Disable. Ensure that the Memory Exploit Protection field is enabled to set the default monitoring mode
      Click here for more information about the allowed configurations for Executable Protection and ACP modes
      Protection Profile Name

      (Optional) Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant to that OS are populated

      Exclusions for AllowlistThis is the list of directories that need to be excluded from host monitoring. Executables launched from these directories are not reported as incidents. Add the directories individually and press return key. Normal regex syntax can be utilized. This is a local list applicable only to the profile being created. By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
      Exclusions for Memory Exploit ProtectionThis is the list of directories that need to be excluded from Memory Exploit Protection. By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
      Host ProfileVM
    3. Click SAVE
    4. The created profile is listed on the Host Monitoring page

    Version 2.10 to 3.0:

    1. Navigate to Manage > Host > Host Protection in the left navigation pane. Click ADD PROFILE
    2. Provide the below information
      Field NameDescription
      NameName of the profile
      Profile TagTag used during VM Probe auto registration
      Library MonitoringSelect the box to enable Library Monitoring
      Memory Exploit ProtectionEnable it for Memory Exploit Protection functionality
      Auto AllowlistAuto allowlist files with reputation ”SAFE”
      Auto Allowlist Unknown files from Discovery ScanAuto allowlist files with reputation “UNKNOWN”
      Auto Allowlist Unknown files from Discovery Scans and IncidentsAuto allowlist files with reputation “UNKNOWN” and source “INCIDENTS”
      Allow New Publisher/Package

      Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile

      • When enabled, the publisher/package is automatically added to the allowlist with the source as “SCAN”. When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, they are listed in the respective lists with the source as “Incident” without any incidents reported in CMS
      • When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, incidents are reported with the Publishers/Packages listed in the respective lists with the source as “Incident”
      • The user can modify the allowlist as required at any point. The modified list is published to the Probe
      Operating SystemSelect the Operation System – Windows/Linux - from the drop-down list 
      Default Monitoring ModeSelect the monitoring mode as Protect or Detect
      App Control Policy Name(Optional) Select the appropriate App Control policy from the drop-down list
      Protection Profile Name

      (Optional) Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant to that OS are populated

      Exclusions for AllowlistThis is the list of directories that need to be excluded from host monitoring. Executables launched from these directories are not reported as incidents. Add the directories individually and press return key. Normal regex syntax can be utilized. This is a local list applicable only to the profile being created. By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
      Exclusions for Memory Exploit ProtectionThis is the list of directories that need to be excluded from Memory Exploit Protection. By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
      Host ProfileVM
    3. Click SAVE
    4. The created profile is listed on the Host Monitoring page

    Version 2.9 and Below:

    1. Navigate to Manage > Host > Host Protection in the left navigation pane. Click ADD PROFILE
    2. Provide the below information
      Field NameDescription
      NameName of the profile
      Profile TagTag used during VM Probe auto registration
      Library MonitoringSelect the box to enable Library Monitoring
      Memory Exploit ProtectionEnable it for Memory Exploit Protection functionality
      Auto AllowlistAuto allowlist files with reputation ”SAFE”
      Auto Allowlist Unknown files from Reference Host ScanAuto allowlist files with reputation “UNKNOWN”
      Auto Allowlist Unknown files from Reference Host Scans and IncidentsAuto allowlist files with reputation “UNKNOWN” and source “INCIDENTS”
      Allow New Publisher/Package

      Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile

      • When enabled, the publisher/package is automatically added to the allowlist with the source as “SCAN”. When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, they are listed in the respective lists with the source as “Incident” without any incidents reported in CMS
      • When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, incidents are reported with the Publishers/Packages listed in the respective lists with the source as “Incident”
      • The user can modify the allowlist as required at any point. The modified list is published to the Probe
      Host NameSelect the name of the host from the drop-down list 
      Default Monitoring ModeSelect the monitoring mode as Protect or DetectThis is applicable for all hosts except the reference host used to create the allowlist. Ensure that the monitoring mode is explicitly set for the reference host once the host scan is complete and the allowlist is published. For subsequent hosts associated with the profile, the default Mode is applied automatically
      App Control Policy Name(Optional) Select the appropriate App Control policy from the drop-down list
      Protection Profile Name

      (Optional) Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant to that OS are populated

      Exclusions for AllowlistThis is the list of directories that need to be excluded from host monitoring. Executables launched from these directories are not reported as incidents. Add the directories individually and press return key. Normal regex syntax can be utilized. This is a local list applicable only to the profile being created.
      Version 2.9 : By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
      Exclusions for Memory Exploit ProtectionThis is the list of directories that need to be excluded from Memory Exploit Protection.
      Version 2.9 : By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
    3. Click SAVE
    4. The created profile is listed on the Host Monitoring page
    5. In both Windows and Linux, the mounted folders are auto-excluded during the initial system scan
    6. The below icon is displayed when the scan is in progress. Expand the profile to view more information
    7. Once the scan is complete, click the icon below
    8. The warning message below is displayed
    9. Click Edit AllowList and allow the execution of required files, libraries and scripts 
    10. Click Publish Changes to update the associated host


    Host Profile Workflow (Containers)

    Follow the below workflow to generate Host  Profile:

    1. Create a pod template host profile with the required settings. The created template is used for all new VSP-protected pods/containers that come up
    2. Run the application container through VSP CI and CD tools to enable VSP protection for a given application container
    3. Launch the VSP-protected pod/container
    4. When the VSP controller is launched, it first registers with VSP CMS automatically by sending information about the VSP-protected application containers
    5. A host profile is generated automatically using the pod template as a reference
      1. Applications that share the same pod name (in K8s) OR replicas of the same container are automatically assigned to the same host profile
    6. When the VSP Host Monitoring Module (HMM) is started, it automatically downloads the application container's allowlist generated during the VSP CI phase
    7. VSP HMM uses the application container's allowlist and the host profile settings to determine any unknown executables


    Create Host Template (Containers Only)

    To create a Host template, follow the below steps:

     

    Version 3.1 and Above:

    1. Navigate to Manage > Host > Host Protection in the left navigation pane. Click TEMPLATE
    2. Provide the below information
      Field NameDescription
      NameName of the profile
      Library MonitoringSelect the box to enable Library Monitoring
      Auto Allowlist Unknown files from Reference Host ScanAuto allowlist files with reputation “UNKNOWN”
      Auto Allowlist Unknown files from Reference Host Scans and IncidentsAuto allowlist files with reputation “UNKNOWN” and source “INCIDENTS”
      Allow New Publisher/Package

      Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile

      • When enabled, the publisher/package is automatically added to the allowlist with the source as “SCAN”. When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, they are listed in the respective lists with the source as “Incident” without any incidents reported in CMS
      • When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, incidents are reported with the Publishers/Packages listed in the respective lists with the source as “Incident”
      • The user can modify the allowlist as required at any point. The modified list is published to the Probe
      App Control Policy Name(Optional) Select the appropriate App Control policy from the drop-down list
      Default Monitoring ModeSelect the Default Monitoring Mode for
      • Executable Protection: Available options are Protect, Detect or Disable
      • App Control Policy: Available options are Protect, Detect or Disable. Ensure that the App Control Policy Name is provided to set the default monitoring mode
      Click here for more information about the allowed configurations for Executable Protection and ACP modes.
      This is applicable for all hosts except the reference host used to create the allowlist. Ensure that the monitoring mode is explicitly set for the reference host once the host scan is complete and the allowlist is published. For subsequent hosts associated with the profile, the default Mode is applied automatically
      Protection Profile Name

      (Optional) Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant to that OS are populated

      Exclusions for AllowlistThis is the list of directories that need to be excluded from host monitoring. Executables launched from these directories are not reported as incidents. Add the directories individually and press return key. Normal regex syntax can be utilized. This is a local list applicable only to the profile being created.
      By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
    3. Click SAVE
    4. The mounted folders are auto-excluded during the initial system scan

    Version 3.0 and Below:

    1. Navigate to Manage > Host > Host Protection in the left navigation pane. Click TEMPLATE
    2. Provide the below information
      Field NameDescription
      NameName of the profile
      Library MonitoringSelect the box to enable Library Monitoring
      Auto Allowlist Unknown files from Reference Host ScanAuto allowlist files with reputation “UNKNOWN”
      Auto Allowlist Unknown files from Reference Host Scans and IncidentsAuto allowlist files with reputation “UNKNOWN” and source “INCIDENTS”
      Allow New Publisher/Package

      Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile

      • When enabled, the publisher/package is automatically added to the allowlist with the source as “SCAN”. When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, they are listed in the respective lists with the source as “Incident” without any incidents reported in CMS
      • When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, only when the Publishers/Packages are accessed, incidents are reported with the Publishers/Packages listed in the respective lists with the source as “Incident”
      • The user can modify the allowlist as required at any point. The modified list is published to the Probe
      Default Monitoring ModeSelect the monitoring mode as Protect or DetectThis is applicable for all hosts except the reference host used to create the allowlist. Ensure that the monitoring mode is explicitly set for the reference host once the host scan is complete and the allowlist is published. For subsequent hosts associated with the profile, the default Mode is applied automatically
      App Control Policy Name(Optional) Select the appropriate App Control policy from the drop-down list
      Protection Profile Name

      (Optional) Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant to that OS are populated

      Exclusions for AllowlistThis is the list of directories that need to be excluded from host monitoring. Executables launched from these directories are not reported as incidents. Add the directories individually and press return key. Normal regex syntax can be utilized. This is a local list applicable only to the profile being created.
      Version 2.9 and Above: By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
    3. Click SAVE
    4. The mounted folders are auto-excluded during the initial system scan



    Host Profile List on CMS

    1. Navigate to Manage > Host > Host Protection in the left navigation pane to view the Profile listHost Profile List
    2. To filter the listed profiles, expand the Search option and provide the required information
    3. Search results display the executables matching the provided criteria across profiles. This feature aids the addition or removal of a specific executable from the allowlist that is included in many profiles


    Export/Import Host Profiles

    1. Profiles can be imported or exported with .zip extension
    2. This feature can be used during the scenario below:
      1. When VSP protection is extended to a different environment (Example: Pre-production to Production environment)
      2. To clone an existing entry
    3. Ensure that import/export operations are carried out in the same VSP version. Import/export feature is compatible across various patches in the same major release (Example:  VSP 2.8.x)
    4. Export/Import of Host Profiles does not include Protection Profiles or the associated incidents
    5. Version 2.11 and Above: Export/Import of Host Profiles includes Package/Publisher information also


    Modify Profile/ Profile Template


    1. To modify a host profile (for VM), On the Host Monitoring page, click Edit. Modify as required and click SAVE
    2. To modify the host template (for containers), On the Host Monitoring page, click TEMPLATE. Modify as required and click SAVE



    Delete Profile

    1. For containers/pods, Host Profiles are managed automatically by VSP. In case a Profile associated with a container/pod needs to be deleted, ensure that the Host Profile Template is deleted first
    2. On the Host Monitoring page, click Delete associated with the required Profile. Click YES on the confirmation screen
    3. Once the profile is deleted, a notification is generated



    Was this article helpful?
    Related articles
    What's Next