SysPatrol Server Manual

Upload: flexense

Post on 04-Apr-2018


7/30/2019 SysPatrol Server Manual 1/20

SysPatrol - Server Security Monitor
Flexense Ltd.

User Manual

Version 1.6

Jan 2013

Flexense Ltd. www.flexense.com

www.syspatrol.com

SysPatrol Server Security Monitor


Product Overview

SysPatrol is a server security monitoring solution allowing one to monitor one or more servers and detect unauthorized changes in the system files, kernel drivers, system services, installed software products and registry database. The user is provided with the ability to learn a reference server configuration, periodically monitor the server configuration, detect all unauthorized system changes, automatically save reports and send E-Mail notifications.

SysPatrol Server allows one to send E-Mail notifications, submit error messages to the system event log and/or automatically save HTML, ASCII text, Excel CSV, XML or PDF reports when one or more unauthorized system changes are detected in a server. In addition, the user is provided with the ability to keep a history of system changes in an SQL database.

Initially, SysPatrol scans the system configuration and saves a reference state of the system files (including SHA256 signatures), installed kernel drivers and system services, the state of the registry database and the installed software products and Windows updates. During the monitoring stage, SysPatrol periodically scans the current system configuration and compares it with the reference configuration, detecting all newly created, modified and/or deleted system files, kernel drivers, system services, registry database entries or software products.

By default, SysPatrol applies the most rigorous set of settings, capable of detecting all types of changes, but if required, the system configuration may be customized for less secure environments, thus minimizing the number of change alerts issued for minor or unimportant configuration changes.

SysPatrol is especially designed to run on production servers, using a very small amount of system memory (6MB-8MB) and intentionally slowing down monitoring operations in order to minimize the performance impact on running production applications. By default, SysPatrol Server is configured to use up to 1%-2% of a single CPU core during the system learning and verification stages, which typically take up to 5 minutes per day.

In order to simplify deployment and everyday use, SysPatrol Server provides a very simple web-based management interface allowing one to control, configure and manage the product locally or through the network using a regular web browser. The user is provided with a number of fully automatic configuration wizards allowing one to install SysPatrol Server and configure system monitors within a couple of minutes, making it very easy to deploy the product even for novice computer users.


Product Installation Procedure

SysPatrol Server is especially designed to be as simple as possible. The product does not require any third-party software applications and may be installed and configured within a couple of minutes. A fully functional 30-day trial version of SysPatrol Server may be downloaded from the following page: http://www.syspatrol.com/downloads.html.

The installation package is very small, 4MB - 5MB depending on the target operating system, and the product requires just 10MB of free disk space on the target server. In order to install SysPatrol Server, start the setup program, select a destination directory and press the 'Next' button.

Optionally, enter custom server control and/or web access ports. The server control port is used by the SysPatrol command line utility and the web access port is the port for the web-based management interface, allowing one to control SysPatrol Server using a standard web browser. If SysPatrol Server should be controlled remotely through the network, make sure one or both of these ports are open in the server's firewall.


Initial Product Configuration

In order to simplify deployment and everyday use, SysPatrol provides a number of fully automated configuration wizards allowing one to set up and configure the product within a couple of minutes. First of all, log in to the SysPatrol Server web-based management console using a standard web browser (default user name and password: admin/admin).

After finishing the installation procedure, the product is fully functional, but no system monitors are defined in the product configuration. In the simplest case, in order to initialize the default product configuration, just press the 'Init Default Configuration' button. By default, SysPatrol Server applies the most rigorous set of configuration options, making sure that all types of system changes are detected.

During the initialization process, SysPatrol will scan the current system configuration and save it as the reference system configuration. By default, SysPatrol Server will save the state of the system files (including SHA256 signatures), installed kernel drivers and system services, installed network protocols, the state of the registry database and installed software products and Windows updates. During the monitoring stage, the saved reference configuration will be used to detect unauthorized system changes.

The SysPatrol configuration wizard will create all the required system monitors and set up a daily periodic system test, which will verify the system configuration every 24 hours. If required, the automatically created system monitors and periodic system tests may be customized and tuned for user-specific needs and requirements.


Periodic Tests and Monitoring

In order to customize server monitors created by the SysPatrol Server configuration wizard, click the 'Settings' link located on the top menu bar and click the 'Configure System Tests' link on the settings page. Each system monitor provides a set of monitor-specific customization options allowing one to optimize and tune SysPatrol Server for user-specific needs.

By default, SysPatrol Server verifies the system configuration every 24 hours. In order to customize periodic tests, press the 'Periodic Tests' button. On the 'Periodic Tests' page, click on the default daily periodic test or press the 'Add' button to add a new, custom periodic test.

On the periodic test page, set the time interval at which to execute the periodic test, select the system monitors that should be verified and press the 'Save' button. SysPatrol Server will verify the selected system monitors periodically according to the specified time interval, detect all unauthorized system changes, save change reports and send E-Mail notifications if configured.


Reports and E-Mail Notifications

SysPatrol Server allows one to save HTML, ASCII text, Excel CSV, XML or PDF reports or send E-Mail notifications when one or more unauthorized system changes are detected. In order to set up reports and/or notifications, click the 'Settings' link located on the top menu bar and click the 'Reports and Notifications' link located on the settings page.

SysPatrol Server provides the ability to configure multiple report and/or notification actions, allowing one to generate different types of reports and/or send notifications to multiple destination addresses. In order to add a new report or notification action, press the 'Add' button located on the reports and notifications page.

For report actions, the user is provided with the ability to specify an absolute file name or a directory name to save the report to. If an existing directory is specified, SysPatrol Server will automatically generate file names containing the date and time of the test and save reports to the directory. For notification actions, the user is provided with the ability to specify the destination E-Mail address to send notifications to. In addition, in order to enable E-Mail notifications, the user is required to configure an SMTP server to use to send notifications.


SQL Database Integration

SysPatrol Server provides the ability to save detected system changes to an SQL database, allowing one to keep a history of all changes for future review and analysis. In order to enable SQL database export, click the 'Reports and Notifications' link located on the main settings page, press the 'Add' button to add a new report action, select the SQL database report format and press the 'Save' button.

SysPatrol Server exports SQL database reports through the ODBC database interface, which should be configured to operate properly. In order to configure the ODBC database interface, click on the 'Configure SQL Database' link located on the main settings page, enable the ODBC database interface and specify the ODBC data source, ODBC user name and password to use to save reports to the SQL database.


System Event Log Integration

Another option to send notifications about unauthorized system changes is to submit error messages or warnings to the system event log. In order to add a system event log notification action, click the 'Settings' link located on the top menu bar, click the 'Reports and Notifications' link located on the settings page and press the 'Add' button.

On the notification action page, select the 'Send Error to System Event Log' action type, enter an error message to submit to the system event log, enter the number of system changes to trigger the action and press the 'Save' button. During the monitoring stage, SysPatrol Server will verify the system configuration and submit the error message to the system event log when the specified number of system changes is detected.
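Added Python example (not SysPatrol code) of the action model described under 'Reports and E-Mail Notifications' and on this page: one list of detected changes drives a report action, which gets a date-and-time file name when its target is an existing directory, and an event log action, which fires only when the configured number of changes is reached. The change records, the action dictionaries and the CSV columns are constructed for the example, and a Python logging call stands in for the actual event log write.

```python
# Added example (not SysPatrol's own code): dispatch report and notification
# actions for a list of detected changes. Action dictionaries, change records
# and CSV columns are constructed here; logging stands in for the event log.
import csv
import logging
from datetime import datetime
from pathlib import Path
from typing import Optional

log = logging.getLogger("syspatrol-example")


def report_path(target: Path, test_name: str, when: datetime) -> Path:
    """An absolute file name is used as given; an existing directory gets an
    automatically generated name carrying the test name, date and time."""
    if target.is_dir():
        stamp = when.strftime("%Y-%m-%d_%H-%M-%S")
        return target / f"{test_name.replace(' ', '_')}_{stamp}.csv"
    return target


def save_csv_report(changes: list, target: Path, test_name: str, when: datetime) -> Path:
    """Write one CSV row per detected change and return the file written."""
    path = report_path(target, test_name, when)
    with path.open("w", newline="", encoding="utf-8") as f:
        writer = csv.DictWriter(f, fieldnames=["type", "item", "detail"])
        writer.writeheader()
        writer.writerows(changes)
    return path


def run_actions(changes: list, actions: list, when: Optional[datetime] = None) -> list:
    """Apply every configured action whose threshold is met.

    Each action is a dict with 'kind' ('report' or 'event_log') and
    'threshold' (the number of changes that triggers it). Returns
    (kind, result) pairs for the actions that actually ran, so the caller
    can audit what was emitted.
    """
    when = when or datetime.now()
    performed = []
    for action in actions:
        if len(changes) < action.get("threshold", 1):
            continue  # fewer changes than configured: the action stays silent
        if action["kind"] == "report":
            path = save_csv_report(changes, Path(action["target"]), action["test"], when)
            performed.append(("report", str(path)))
        elif action["kind"] == "event_log":
            message = f"{action['message']} ({len(changes)} changes detected)"
            log.error(message)  # stand-in for submitting an error to the system event log
            performed.append(("event_log", message))
    return performed


if __name__ == "__main__":
    # Constructed sample run: three changes, a report action and two event
    # log actions with different thresholds.
    sample = [
        {"type": "modified", "item": "System32/example.dll", "detail": "sha256"},
        {"type": "created", "item": "Program Files/Example/new.exe", "detail": ""},
        {"type": "deleted", "item": "service:ExampleSvc", "detail": ""},
    ]
    configured = [
        {"kind": "report", "target": ".", "test": "System Files", "threshold": 1},
        {"kind": "event_log", "message": "Unauthorized system change", "threshold": 5},
        {"kind": "event_log", "message": "Unauthorized system change", "threshold": 2},
    ]
    for kind, result in run_actions(sample, configured):
        print(kind, result)
```

The threshold is checked once per action rather than once per run, so a report action with threshold 1 can record every change while an event log action with a higher threshold stays quiet for routine noise, which is the tuning the manual describes for less strict environments.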


Managing System Tests and Monitors

In general, the default product configuration created by the SysPatrol Server configuration wizard should be good enough for most users, but sometimes it may be required to tune the SysPatrol Server configuration for user-specific needs and requirements. In order to customize the configuration of SysPatrol Server, click the 'Settings' link located on the top menu bar and click the 'Configure System Tests' link on the settings page.

The 'System Files' test monitors the integrity of the operating system files. By default, the 'System Files' test is configured to monitor executable programs, DLL libraries and configuration files located in the Windows system directory and the 'Program Files' directory. During the learning stage, SysPatrol Server saves the state of the system files (including SHA256 signatures) and during the monitoring stage verifies the integrity of all files by comparing file names, attributes, last modification dates and signatures with the reference system configuration.
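The learn-and-verify cycle described in the Product Overview and in the 'System Files' test above, shown as an added Python example that is not part of this manual or of SysPatrol itself. It records size, last modification time and SHA256 for each monitored file, saves that reference as JSON and reports created, modified and deleted files on the next run; the file-type list, the JSON store and all function names are assumptions of the example.

```python
# Added example (not SysPatrol's own code): a minimal learn/verify cycle of the
# kind the 'System Files' test describes. The learning stage records each
# monitored file's size, last modification time and SHA256 digest; the
# monitoring stage compares the current tree with that reference and reports
# created, modified and deleted files. File types, the JSON store and the
# function names are assumptions for the example, not the product's format.
import hashlib
import json
from pathlib import Path

# Assumed stand-in for "executable programs, DLL libraries and configuration files".
MONITORED_SUFFIXES = (".exe", ".dll", ".sys", ".ini", ".conf")


def file_record(path: Path) -> dict:
    """Attributes compared during verification: size, mtime and SHA256."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def learn(root: Path, suffixes=MONITORED_SUFFIXES) -> dict:
    """Learning stage: snapshot every monitored file below root, keyed by relative path."""
    reference = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            reference[p.relative_to(root).as_posix()] = file_record(p)
    return reference


def save_reference(reference: dict, store: Path) -> None:
    """Persist the reference state; keep this store outside the monitored tree in practice."""
    store.write_text(json.dumps(reference, indent=1, sort_keys=True))


def load_reference(store: Path) -> dict:
    return json.loads(store.read_text())


def verify(root: Path, reference: dict, suffixes=MONITORED_SUFFIXES) -> dict:
    """Monitoring stage: diff the current state against the reference.

    A file whose SHA256 differs is reported even if its size and mtime were
    left untouched, so the hash comparison catches what a timestamp check
    alone would miss.
    """
    current = learn(root, suffixes)
    created = sorted(set(current) - set(reference))
    deleted = sorted(set(reference) - set(current))
    modified = []
    for name in sorted(set(current) & set(reference)):
        changed = [k for k in ("size", "mtime", "sha256") if current[name][k] != reference[name][k]]
        if changed:
            modified.append((name, changed))
    return {"created": created, "modified": modified, "deleted": deleted}


if __name__ == "__main__":
    import sys
    # Usage: python fim.py <directory> <reference.json>
    # First run learns and saves the reference; later runs verify against it.
    root, store = Path(sys.argv[1]), Path(sys.argv[2])
    if store.exists():
        print(verify(root, load_reference(store)))
    else:
        save_reference(learn(root), store)
        print(f"reference saved to {store}")
```

Run it once with a directory and a store path to learn, and again with the same arguments to verify. A file whose contents change but whose timestamp is restored afterwards is still reported, because the SHA256 comparison does not depend on the timestamp; that is the case the manual's "signatures" are there to cover.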


The 'Kernel Drivers' and 'System Services' tests monitor the configuration of Windows kernel drivers and system services. During the learning stage, SysPatrol Server saves the reference configuration of kernel drivers and system services and during the monitoring stage verifies the system configuration by comparing kernel driver and system service names, startup modes, statuses, attributes, registered executables, etc. In addition, SysPatrol Server detects newly created and deleted kernel drivers and system services.

The 'Network Protocols' test monitors and verifies the installed network protocols. SysPatrol Server is capable of monitoring and verifying all types of network protocols, including hidden protocols, which are not visible in the Windows control panel. For each network protocol, SysPatrol Server verifies the protocol version, provider flags, service flags, security scheme, etc. In addition, SysPatrol Server detects all newly created and deleted network protocols.


The 'Registry Database' test monitors a number of important registry database keys, which control the execution of startup programs on the server. In order to add one or more custom registry keys to the SysPatrol configuration, click on the 'Add' link located beside the first registry key and select a root key and a sub key to monitor. By default, SysPatrol Server detects newly created, modified and deleted registry keys and values. In addition, SysPatrol Server detects unexpected changes in registry keys' last modification dates and times.

The 'Installed Software' test monitors the installed software products and Windows updates. By default, SysPatrol Server detects newly installed, modified or uninstalled software packages and Windows updates. In order to disable detection of changes in Windows updates, unselect the 'Detect Changes in Windows Software Updates' option.


History Reports

By default, SysPatrol Server keeps a history of the last 30 reports showing previously detected configuration changes. In order to access the history reports, press the 'Reports' button located on the SysPatrol Server home page.

For each report, SysPatrol shows the test name, the date and time of the test and the number of detected system changes. In addition, the user is provided with the ability to export each report to a number of standard formats, including HTML, PDF, Excel CSV and XML.

In order to delete a history report, press the report's 'Delete' button displayed in the 'Tools' column. In order to delete all history reports, press the 'Delete All' button located below the report list.


Configuring SysPatrol Server

SysPatrol Server provides a variety of configuration options allowing one to easily integrate the product into a user-specific network environment. In order to open the main settings page, click on the 'Settings' link located on the top menu bar.

The SysPatrol Server web-based management console requires users to log in with a SysPatrol user name and password. The default user name and password is set to admin/admin. In addition, SysPatrol Server provides the ability to set a custom user name and/or password for the SysPatrol web-based management interface and the command line utility, which may be used to automate configuration and management tasks.

In order to set a custom user name and password, click on the 'Configure Server Login' link located on the main settings page, enter a new user name and password and press the 'Save' button.


SysPatrol Server uses TCP/IP port 9140 as the default server control port and TCP/IP port 80 as the default web access port. Sometimes, these ports may be in use by other software products or system services. If one or both of these ports are in use, SysPatrol will be unable to operate properly and the user needs to change the SysPatrol server control port and/or web access port.

In order to set a custom server control port and/or web access port, click on the 'Setup Server Ports' link located on the main settings page, select the 'Use Custom Port' option and enter a custom port number to use. If the SysPatrol server should be controlled through the network, make sure the custom ports are open in the server's firewall.
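A pre-installation check for the default ports, as an added Python example rather than anything shipped with SysPatrol: it tries to bind a listening socket to each port and reports which ones are already held by another program or cannot be bound without elevated privileges, so a custom port can be chosen before the conflict shows up at run time. The port numbers come from the manual; the function names and status strings are the example's own.

```python
# Added example (not SysPatrol's own code): probe the default server control
# port (9140) and web access port (80) before installation. A port is probed
# by trying to bind a listening socket to it: EADDRINUSE means another program
# or service already owns it, EACCES/EPERM means it is reserved or needs
# elevated privileges, and a successful bind means it is free. Function names
# and status strings are this example's own.
import errno
import socket

DEFAULT_PORTS = {"server control": 9140, "web access": 80}

_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}
_NOT_PERMITTED = {errno.EACCES, errno.EPERM, getattr(errno, "WSAEACCES", errno.EACCES)}


def port_status(port: int, host: str = "0.0.0.0") -> str:
    """Return 'free', 'in use' or 'not permitted' for a TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # No SO_REUSEADDR on purpose: on Windows it would let the bind
        # succeed even while another socket is listening on the same port.
        try:
            s.bind((host, port))
            return "free"
        except OSError as e:
            if e.errno in _IN_USE:
                return "in use"
            if e.errno in _NOT_PERMITTED:
                return "not permitted"
            raise


def check_ports(ports: dict = DEFAULT_PORTS, host: str = "0.0.0.0") -> dict:
    """Probe every configured port and return its status by name."""
    return {name: port_status(port, host) for name, port in ports.items()}


def conflicting_ports(ports: dict = DEFAULT_PORTS, host: str = "0.0.0.0") -> list:
    """Names of the ports that cannot be bound and therefore need a custom value."""
    return sorted(name for name, status in check_ports(ports, host).items() if status != "free")


if __name__ == "__main__":
    for name, status in check_ports().items():
        print(f"{name} port {DEFAULT_PORTS[name]}: {status}")
    if conflicting_ports():
        print("choose custom ports via 'Setup Server Ports' before deploying")
```

Run it with no arguments to probe 9140 and 80; on Windows run it from an elevated prompt and on Unix as root, since binding port 80 otherwise reports 'not permitted' even when nothing is listening. The probe only says whether a bind would succeed at that moment, so it belongs immediately before installation, not as a substitute for checking what the conflicting service is.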

SysPatrol Server provides the ability to send E-Mail notifications when a user-specified number of system changes is detected. In order to configure an SMTP E-Mail server to use to send E-Mail notifications, click on the 'Configure E-Mail Server' link located on the main settings page, and enter the SMTP server host name, SMTP server port, SMTP user name, password and the source E-Mail address to use to send E-Mail notifications.


Web-Based Interface

SysPatrol Server provides a complete web-based management interface, which allows one to fully control, manage and configure one or more SysPatrol servers locally or through the network using a standard Web browser. By default, the web-based interface uses TCP/IP port 80, which is the default HTTP port web browsers use to connect to a web server.

The SysPatrol web-based interface is a dynamic web application, which shows the current status of the server and the progress of performed operations without reloading the currently displayed web page. In order to operate properly, the web-based interface requires JavaScript to be enabled in the web browser.


Using the Command Line Utility in the Interactive Mode

In addition to the web-based management interface, SysPatrol Server provides a command line utility, which may be used to control, manage and configure one or more SysPatrol Servers locally or through the network. By default, the SysPatrol command line utility is located in the '\bin' directory.

When executed without any command line parameters, the command line utility operates in the interactive mode, showing available menus, accepting commands and executing selected operations. The interactive mode is very simple to use: all available commands are displayed in a self-explanatory way, making it very easy to set up and configure the product even for a novice computer user.

For example, in order to verify the current system status, start the SysPatrol command line utility without any command line parameters, type "1" to enter the "Status" menu and then type "4" to verify the current system status. If any system changes are detected during the verification process, SysPatrol will save reports and send E-Mail notifications according to the configured report generating and notification actions.


Using the Command Line Utility in the Batch Mode

In addition to the interactive mode, the command line utility may be executed in the batch mode with a variety of command line parameters and options, allowing one to automate control, configuration and management of one or more SysPatrol Servers using batch files or shell scripts.

For example, in order to initialize the SysPatrol configuration, learn the current server status and save the reference system configuration, type the following command:

    syspatrol -init

SysPatrol Server will create default system tests, learn the current server status, save the reference system configuration and create a daily periodic system test, which will be executed every 24 hours.

In order to verify the current system status, type the following command:

    syspatrol -verify

SysPatrol will scan the current system configuration, compare it with the reference system configuration, save reports and send E-Mail notifications if required. For detailed information about available command line options, execute the command line utility with the '-help' command line parameter.


Product Update Procedure

Flexense develops SysPatrol Server using a fast release cycle, with minor product versions, updates and bug fixes released almost every month and major product versions released every year. New product versions and product updates are published on the product web site and may be downloaded from the following page: http://www.syspatrol.com/downloads.html.

Because the product is especially designed for servers running in production environments, where stability is a major decision factor, SysPatrol Server updates should be performed manually by the user. In order to update an existing product installation, download the latest product version and just start the setup program.

The SysPatrol Server setup program will properly shut down the running SysPatrol Server, update the product and restart the SysPatrol service after finishing the update procedure. All product configuration files, the saved reference system configuration and the product registration will remain valid and there is nothing to reconfigure or manage after the update.


Product Registration Procedure

Within a couple of hours after purchasing a product license, the customer will receive two e-mail messages: the first one confirming the payment and the second one containing an unlock key, which should be used to register the product. If you do not receive your unlock key within 24 hours, please check your spam box, and if the unlock key is not in the spam box, contact our support team: [email protected].

If the computer on which SysPatrol is installed is connected to the Internet, log in to the SysPatrol server (default user name and password: admin/admin) using a standard web browser, click on the 'About' link located on the top menu bar, press the 'Register' button, enter your name or your company name, enter the received unlock key and press the 'Register' button.

If the computer is not connected to the Internet, press the 'Manual Registration' button, export the product ID file and send the product ID file to [email protected] as an attachment. Within a couple of hours, you will receive an unlock file, which should be imported in order to finish the registration procedure.


SysPatrol Server System Requirements

Supported Operating Systems

32-Bit Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, Windows Server 2012

64-Bit Operating Systems: Windows XP 64-Bit, Windows Vista 64-Bit, Windows 7 64-Bit, Windows 8 64-Bit, Windows Server 2003 64-Bit, Windows Server 2008 64-Bit, Windows Server 2012 64-Bit

Minimal System Configuration: Supported Operating System, 500 MHz or better CPU, 256 MB of system memory, 25 MB of free disk space

Recommended System Configuration: Supported Operating System, 2 GHz or better CPU, 512 MB of system memory, 25 MB of free disk space