Monitor Host Protection

There are three ways to monitor Host Protection by VSP:

1. The widgets on the Dashboard provide a high-level view of the health of the associated hosts
2. Detected attacks/threats are reported as incidents in the CMS
3. Reports can be scheduled as and when required for any desired time frequency

Dashboard

1. Widgets like Hosts Process Classification, Host Script Execution and Top-N Affected Hosts provide real-time snapshots from the configured Hosts
2. The dashboard contains the below tiles:
   1. App Control Violation - Depicts the number of ACP (App Control Policy) violations
   2. Files Scanned - Depicts the number of Files Scanned

Host Protection Incidents

1. If one or more incidents are related to a profile or the associated libraries, they are displayed as shown below. Hover over the icon to view detailed information on the detected incidents. A click on the icon displays Monitor > Incidents page with the list of incidents related to the profile
2. The incident can be viewed at the executable level also with the incident icon and the Source as Incident. A click on the icon displays the Monitor > Incidents page with the list of incidents related to the executable
3. On Windows servers, when both Memory Exploit Protection and Library Monitoring are enabled in protect mode, for certain library injection attacks, MEP detects and kills the sourcing process (that is trying to inject a malicious library into a benign process). This attack is reported as a Memory Exploit Protection incident and NOT as a New Library incident
4. All the incidents are reported in the page Monitor > Incidents

Process related Incidents

1. There are two types of process incidents reported by VSP:
   1. New Process – In situations where a new process is detected other than the allowlisted processes
   2. Process Modified – In situations where a process name and path are the same, but a checksum mismatch is detected
2. If any script-hosting processes (like powershell, cscript.exe, wscript.exe, jscript.exe, python) is executed in detect mode, the command will complete its run. But if it is not a part of the allowlist, an incident is reported. It can be added to the allowlist if desired
3. Child Commands: 
   1. Common commands like ls, dir, ping, ipconfig can be executed along with powershell. No incidents will be reported on VSP and no executables need to be allowlisted
   2. Whenever a command that invokes a child process is executed, two incidents – one for the parent process and another for the child process are reported
   3. Commands like: -enc, -noP must be allowlisted before they are executed
4. The below truth table describes various scenarios and the type of incidents reported

Library related Incidents

1. There are three types of library monitoring incidents reported by VSP:
   1. New Library – In situations where a new library is detected other than the allowlisted libraries
   2. Library Modified – In situations where a library is allowlisted, but a checksum mismatch is detected
   3. Library Hijack – In situations where a library is allowlisted, but a path mismatch is detected
2. The below truth table describes various scenarios and the type of incidents reported

ACP Incidents

1. While ACP violations (Fileless and Process Disallowed) are reported in the incident screen, they may not show a visual "warning" symbol in the Host Profile and Edit Allowlist screen
2. The script monitoring incidents are reported as “File-based Application Policy Violation” incidents
3. The various types of ACP incidents are:

Reports

There are two reports that can be configured for Host Protection:

1. Suspended Processes Report – Provides detailed information about the protection actions carried out by VSP Host Monitoring feature on the enabled hosts
2. Host Monitoring Report – Provides detailed information related to all the process and library monitoring attacks along with ACP attacks detected for the configured hosts