Adding Advanced Rule
Create an advanced rule. The admin sets the advanced rule and the corresponding response that is carried out when the conditions of the rule are fulfilled. A rule is built on the common information of the agent; you can also create rule conditions that depend on the installed security product. The following are the key features that can be found in Advanced Rules.
- Adding, editing, and deleting advanced rules
- Response settings on advanced rules
Operators of Advanced Rule
You can set detailed rules on advanced rules. On Advanced Rules, you can compare item values using operators or specify a condition that matches a text string. When setting more than one condition, you can choose the AND/OR condition between items. The operators used when creating the advanced rules are as follows:
- Greater than (>): Does not include the set number. E.g. If the last engine update is set to 3, the last engine update date is 3 days; the rule is not met when the value becomes 3 and it only meets the rule condition from the 4th day.
- Greater than or equal to (>=): Includes the set number and the numbers that exceed it. E.g. If the last engine update is set to 5, 5 and numbers over 5 meet the rule condition.
- Less than (<): Does not include the set number and refers to the numbers that are lower than it. E.g. If the last scan date is set to 3, the set value itself is excluded and values lower than it (2 and below) meet the rule condition.
- Less than or equal to (<=): Includes the set value and all numbers smaller than it. E.g. If the last engine update is set to 5, 5 and numbers below 5 meet the rule condition.
- Equal to (=): Matches only the set value. E.g. If the last engine update is set to 5, only 5 meets the rule condition.
- Similar to (Like): Searches data that partially matches the entered text string. E.g. If set to spy with the Like operator, all text strings that start with spy, such as spyware, meet the rule condition.
- Add an AND rule condition: If there are multiple conditions within a rule, all conditions must be satisfied.
- Add an OR rule condition: If there are multiple conditions within a rule, only a single condition needs to be satisfied for the rule to be satisfied.
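The following is an added example, not part of the original documentation or the product's own code: a small evaluator that applies the operators described above to constructed agent records, so the boundary behaviour (the set value excluded for > and <, included for >=, <= and =, and Like as a partial text match on the start of the string) and the AND/OR combination can be checked directly. The field names, agent records and rules are assumptions made for illustration.

```python
"""Added example (not the product's code): evaluating Advanced Rule
operators and AND/OR combination over constructed agent records."""
import operator
from dataclasses import dataclass, field

# Comparison operators as documented: the set value is excluded for
# ">" and "<" and included for ">=", "<=" and "=".  "Like" is a partial
# text match: the item value must start with the entered string.
OPERATORS = {
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
    "=": operator.eq,
    "Like": lambda value, pattern: str(value).lower().startswith(pattern.lower()),
}


@dataclass
class Condition:
    item: str       # agent attribute name (constructed), e.g. "last_engine_update_days"
    op: str         # one of the OPERATORS keys
    value: object   # the value set in the rule

    def matches(self, agent: dict) -> bool:
        # An agent that lacks the item cannot satisfy a condition on it.
        if self.item not in agent:
            return False
        return OPERATORS[self.op](agent[self.item], self.value)


@dataclass
class Rule:
    name: str
    conditions: list = field(default_factory=list)
    combine: str = "AND"   # "AND": all conditions must hold; "OR": any one suffices

    def is_satisfied(self, agent: dict) -> bool:
        results = [c.matches(agent) for c in self.conditions]
        return all(results) if self.combine == "AND" else any(results)


# Constructed sample agents: days since the last engine update and last
# scan, plus the name of the most recent detection.
AGENTS = [
    {"id": "agent-01", "last_engine_update_days": 3, "last_scan_days": 7, "malware_name": "spyware"},
    {"id": "agent-02", "last_engine_update_days": 4, "last_scan_days": 6, "malware_name": "trojan"},
    {"id": "agent-03", "last_engine_update_days": 5, "last_scan_days": 2, "malware_name": "spy"},
]


def matching_agents(rule: Rule, agents=AGENTS) -> list:
    """Return the ids of the agents for which the rule is satisfied."""
    return [a["id"] for a in agents if rule.is_satisfied(a)]


# Worked cases mirroring the operator descriptions.
# "Greater than 3": only met from the 4th day, so agent-01 (exactly 3) is excluded.
STALE_ENGINE = Rule("engine not updated", [Condition("last_engine_update_days", ">", 3)])
# "Like spy": names starting with "spy", so "spyware" and "spy" match, "trojan" does not.
SPY_NAME = Rule("spy-like malware", [Condition("malware_name", "Like", "spy")])
# OR: either the engine is 5+ days old or the last scan is under 7 days ago.
STALE_OR_SCANNED = Rule(
    "either",
    [Condition("last_engine_update_days", ">=", 5), Condition("last_scan_days", "<", 7)],
    combine="OR",
)
# AND: the same two conditions, both required.
STALE_AND_SCANNED = Rule("both", STALE_OR_SCANNED.conditions, combine="AND")

if __name__ == "__main__":
    for rule in (STALE_ENGINE, SPY_NAME, STALE_OR_SCANNED, STALE_AND_SCANNED):
        print(f"{rule.name}: {matching_agents(rule)}")
```

Each condition is evaluated against one agent at a time; a missing item is treated as not matching rather than raising, which is the safe default for an evaluator that runs unattended over many agents.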
Add Advanced Rule
Add an advanced rule. Adding an advanced rule is made up of 4 steps: (1) Basic Settings, which set the advanced rule name and the period; (2) Rule Settings, which set the detailed rules; (3) Exception Settings, which set the exceptions to the rule; and (4) Notification/Report Settings, which create the notification and the report upon satisfying the condition. To add an advanced rule, complete the following steps:
- Click Policy.
- Click Advanced Rules.
- Click Add.
- In (1) Basic Settings, set whether to enable the advanced rule, the rule name, and the search interval, and click Next.
- Name: Enter the name.
- Search Interval: Select the search interval. You can select daily, weekly, or when the condition matches.
- In (2) Rule Settings, set the detailed rules of the advanced rule. When you need all the conditions in a rule to be met, click Add AND rule condition and add the condition. Use Add OR rule condition if you need at least one of multiple conditions to be met.
- Common: Set the common advanced rule on the agent.
- Last Connection Date: Set the rule on the time of the last connection from the agent. You can compare the last connection time using an operator. Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported for setting the rule. Enter the time of the last connection in numbers.
- No License/User Information: There is no license or the user information does not exist on the agent. When setting the rule, the Equal to and Like operators are supported.
- Agent Version: Set the rule on the agent version. Enter the agent version as four numbers separated by dots (e.g. 5.0.0.1).
- Installed Security Products: Set the rule for each security product installed on the agent. You can check the installed security products in Security Product.
- V3: Set the advanced rule for the V3 product.
- Malware Detection Count: Set the rule for the number of malware and reputation-based detections within the set time. For setting the rule on the detection count, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the Malware Detection Count and the detection time (mins) in numbers. E.g. Detection Count: 10, Operator: >, Time: 10 minutes; the rule is satisfied when the number of detections exceeds 10 within 10 minutes.
- Malware Name: Set the rule on the malware name. You can enter up to 128 characters. E.g. Malware Name: spy, Operator: Like, Time: 10 minutes; the rule is satisfied when a malware whose name matches "spy" is detected within 10 minutes.
- V3 Not Installed: Set the rule on V3 not being installed. The rule is satisfied if V3 is not installed.
- Last Engine Update Date: Set the rule on the date of the last engine update. When setting the rule, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the date of the last engine update in numbers. E.g. Date of the last engine update: 3, Operator: >; the rule is satisfied from the day the number of days since the last engine update becomes 4.
- Real-time Scan Not Running: Set the rule on the real-time scan. If the real-time scan is not running, the rule condition is met.
- Last Scan Date: Set the rule on the last scan date. For setting the rule on the last scan date, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Only numbers can be entered. E.g. Last scan date: 7, Operator: <; the condition is satisfied if the number of days since the last scan is less than 7 (day 6 and below).
- HIPS: Set the advanced rule for the HIPS product.
- No. of IPS preventions/detections: You can set the rule for the number of IPS preventions/detections. For setting the rule on the prevention/detection count, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the time (mins) in numbers.
- Name of IPS signature: You can set the rule for the specified IPS signature. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the time (mins) in numbers.
- IPS severity: You can set the rule for the number of detections by severity. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the time (mins) in numbers.
- No. of applied IPS signatures: You can set the rule for the number of applied IPS signatures. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the count in numbers.
- Date of signature update: You can set the rule for the date of the signature update. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the date in numbers.
- AC: Set the advanced rule for the AC product.
- No. of execution control: You can set the rule for the number of execution control events. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the count and time (mins) in numbers.
- No. of hash value detections: You can set the rule for the number of hash value detections. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the count and time (mins) in numbers.
- No. of file name detections: You can set the rule for the number of file name detections. For the setting, Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the count and time (mins) in numbers.
- In (2) Rule Settings, enter the condition for the Response Settings. You can move an entry in the set response list up or down to change the priority order of the responses.
- Common: Set the response on the common advanced policy.
- Send Notice: Sends notices.
- V3: Sets the response settings on the V3 advanced rules.
- V3 Manual Update: Conducts the V3 update. Upon conducting the V3 update, you can also update the engine and the patch file.
- Network Block: Completely blocks the network of the agent.
Caution
Note that if you block the network of the selected target, then the network connection to all agents is lost until the block is disabled.
- Disable Network Block: When the advanced rule is satisfied, disables the block on the network.
- Scan for Malware: Uses V3's malware scan feature to conduct a scan for malware.
- In (3) Exception Settings, set the exception agents to exclude from the advanced rule. Select the domain or group from the Group list on the left and the agent information is shown on the right. Select the exception targets from the list and click Exception Settings.
- Click Next.
- In (4) Notification/Report Settings, set whether to create a notification when the rule condition is satisfied and also whether to create a report.
- Re-notification Timeout: Once a notification has been sent, another notification is not sent within the specified time period. You can enter numbers between 1 and 1440.
- Notification Period: Set the period for sending the notification email. If the notification period is not set, the notification is sent permanently.
- Send a notification: The email is sent if the email address of the admin account of the agent user is set.
Note
To send a notification email, you must configure the email server. You can configure the email settings in Email Server.
Note
You can create an email template for sending the notification emails in Manage Email Template.
- Recipient: Set the recipient of the email.
- Admin/Agent: Send the email to the CPP Management admin and the agent where the notification has occurred.
- Direct Input: Enter the email address of the recipient directly. Separate multiple recipients with a semi-colon. (E.g. 123@ahnlab.com; 456@ahnlab.com)
- Create a Report: If the set advanced rule is satisfied, a report of the set items is created for the admin. Select Create a Report and a report is created when the advanced rule is satisfied. For more information on the items a report can contain, see Create a Report.
- Click OK. Check the added advanced rule on the Advanced Rules screen.
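The following is an added example, not part of the original documentation or the product's own code, covering the parts of the procedure above that have observable logic: the time-windowed V3 conditions (Malware Detection Count with > and Malware Name with Like over a detection time in minutes), the exception agents from (3) Exception Settings, and the Re-notification Timeout from (4), including its 1 to 1440 range. The event format, the sample detection events and the agent ids are constructed for illustration.

```python
"""Added example (not the product's code): time-windowed V3 conditions,
exception agents and the Re-notification Timeout, over constructed events."""
from datetime import datetime, timedelta

# Constructed detection events: (agent id, detection time, malware name).
BASE = datetime(2024, 1, 1, 9, 0)
EVENTS = [("agent-01", BASE + timedelta(minutes=i), "Trojan/Win.Generic") for i in range(11)]
EVENTS += [
    ("agent-02", BASE + timedelta(minutes=2), "Spyware/Win.Keylog"),
    ("agent-02", BASE - timedelta(minutes=20), "Spyware/Win.Old"),   # outside a 10-minute window at NOW
    ("agent-03", BASE + timedelta(minutes=5), "Spyware/Win.Keylog"),
]
NOW = BASE + timedelta(minutes=10)   # the moment the rule is evaluated


def detections_in_window(events, agent_id, now, minutes):
    """Events for agent_id in the last `minutes` (window inclusive at both ends)."""
    start = now - timedelta(minutes=minutes)
    return [e for e in events if e[0] == agent_id and start <= e[1] <= now]


def count_condition_met(events, agent_id, now, minutes, threshold):
    """Malware Detection Count, operator >: more than `threshold` detections within `minutes`."""
    return len(detections_in_window(events, agent_id, now, minutes)) > threshold


def name_condition_met(events, agent_id, now, minutes, prefix):
    """Malware Name, operator Like: a detection in the window whose name starts with `prefix`."""
    return any(e[2].lower().startswith(prefix.lower())
               for e in detections_in_window(events, agent_id, now, minutes))


class Notifier:
    """Send Notice response gated by the Re-notification Timeout and the exception list."""

    def __init__(self, timeout_minutes, exceptions=()):
        if not 1 <= timeout_minutes <= 1440:          # documented range for the timeout
            raise ValueError("Re-notification Timeout must be between 1 and 1440 minutes")
        self.timeout = timedelta(minutes=timeout_minutes)
        self.exceptions = set(exceptions)             # agents excluded in (3) Exception Settings
        self.last_sent = {}                           # agent id -> time of the last notice

    def notify(self, agent_id, now):
        """Return True if a notice is sent now; False if the agent is excluded or still in timeout."""
        if agent_id in self.exceptions:
            return False
        last = self.last_sent.get(agent_id)
        if last is not None and now - last < self.timeout:
            return False
        self.last_sent[agent_id] = now
        return True


def evaluate_v3_rule(events, agent_ids, now, notifier, minutes=10, threshold=10, prefix="spy"):
    """OR rule: Detection Count > threshold within `minutes`, or Malware Name Like `prefix`
    within `minutes`.  Returns the agents for which a notice was actually sent."""
    sent = []
    for agent_id in agent_ids:
        hit = (count_condition_met(events, agent_id, now, minutes, threshold)
               or name_condition_met(events, agent_id, now, minutes, prefix))
        if hit and notifier.notify(agent_id, now):
            sent.append(agent_id)
    return sent


if __name__ == "__main__":
    notifier = Notifier(30, exceptions=["agent-03"])
    print(evaluate_v3_rule(EVENTS, ["agent-01", "agent-02", "agent-03"], NOW, notifier))
```

In the sample, agent-01 has 11 detections in the 10-minute window and trips the count condition, agent-02 trips the name condition through "Spyware/Win.Keylog" while its older event falls outside the window, and agent-03 matches but is an exception agent and so never produces a notice; a second evaluation within the timeout is suppressed for agents already notified.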
Modify Advanced Rule
To modify the advanced rules, complete the following steps:
- Click Policy.
- Click Advanced Rules.
- Check the list of advanced rules.
- Click on the advanced rule to edit.
- Set the necessary items in (1) Basic Settings, (2) Rule Settings, (3) Exception Settings, and (4) Notification/Report Settings.
- Click OK.
- Check the changed details in the Advanced Rules list.
Delete Advanced Rule
To delete the advanced rules, complete the following steps:
- Click Policy.
- Click Advanced Rules.
- Check the list of advanced rules.
- Select the advanced rule to delete and click Delete.
- Click OK.