Adding Advanced Rules
Create an advanced rule. An advanced rule combines conditions on agent information with the response that is carried out when those conditions are met. Conditions can be set on information common to all agents or on a specific security product (V3 or EDR). The following are the key features of Advanced Rules:
- Add/Edit/Delete Advanced Rules
- Response Settings on Advanced Rules
Operators of Advanced Rules
You can set detailed rules on advanced rules. On Advanced Rules, you can compare item values using operators or match a text string. When you set more than one condition, you can choose the AND/OR relationship between the conditions. To set the rules, select the target from Common, V3, or EDR, and set the detailed rules for that target. The operators used when creating advanced rules are as follows:
- Greater than (>): Does not include the set number. E.g. if Last Engine Update Date is set to 3 with >, the condition is not met on day 3 and is met only from day 4 onward.
- Greater than or equal to (>=): Includes the set number and every number above it. E.g. if the last engine update is set to 5, 5 and numbers over 5 meet the rule condition.
- Less than (<): Does not include the set number and refers to the numbers lower than it. E.g. if the last scan date is set to 3, 2 and lower meet the rule condition; 3 itself does not.
- Less than or equal to (<=): Includes the set value and all numbers smaller than it. E.g. if the last engine update is set to 5, 5 and numbers below 5 meet the rule condition.
- Equal to (=): Matches only the set value. E.g. if the last engine update is set to 5, only 5 meets the rule condition.
- Similar to (Like): Matches data that partially matches the entered text string. E.g. if set to Like "spy", text strings that start with spy, such as spyware, meet the rule condition.
- Add an AND rule condition: If there are multiple conditions within a rule, all conditions must be satisfied.
- Add an OR rule condition: If there are multiple conditions within a rule, only one condition needs to be satisfied.
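The operator semantics above (strict versus inclusive comparisons, the prefix-style Like match, and AND/OR grouping) are easy to get wrong when writing a rule, so here is an added worked example that models them and checks a rule against sample agents. This is illustration code, not AhnLab EPP Management code: the field names (last_engine_update_days, last_scan_days, v3_installed, last_malware) and the agent records are constructed for the example, and Like is implemented as a case-insensitive prefix match following the page's "spy matches spyware" example (an assumption; the product may match substrings).

```python
"""Evaluator for the Advanced Rules operators and AND/OR grouping.

Added example, not AhnLab EPP Management code: the console is configured
through its UI, and this module only models the operator semantics the
text states so they can be checked against sample agents.  Field names and
agent records are constructed for the example.
"""
import operator
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Union

# Console operator -> comparison.  ">" and "<" exclude the set value itself;
# ">=" and "<=" include it; "=" matches only the set value.
_NUMERIC_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    ">": operator.gt,
    ">=": operator.ge,
    "<": operator.lt,
    "<=": operator.le,
    "=": operator.eq,
}


@dataclass(frozen=True)
class Condition:
    attr: str    # agent attribute the condition reads
    op: str      # key of _NUMERIC_OPS, or "like"
    value: Any   # the value entered in the console

    def matches(self, agent: Dict[str, Any]) -> bool:
        actual = agent.get(self.attr)
        if actual is None:
            return False  # attribute not reported by this agent: no match
        if self.op == "like":
            # Follows the page's example (spy matches spyware): a
            # case-insensitive prefix match.  Assumption: the product may
            # match substrings instead; change this line if so.
            return str(actual).lower().startswith(str(self.value).lower())
        return _NUMERIC_OPS[self.op](actual, self.value)


@dataclass
class Group:
    """AND: every member must match; OR: at least one member must match."""
    mode: str
    members: List[Union[Condition, "Group"]] = field(default_factory=list)

    def matches(self, agent: Dict[str, Any]) -> bool:
        results = (m.matches(agent) for m in self.members)
        return all(results) if self.mode == "AND" else any(results)


def evaluate(rule: Group, agents: List[Dict[str, Any]]) -> List[str]:
    """Names of the agents that satisfy the rule."""
    return [a["name"] for a in agents if rule.matches(a)]


# Constructed sample agents (values are days since last engine update / scan).
AGENTS = [
    {"name": "ws-01", "last_engine_update_days": 3, "last_scan_days": 10,
     "v3_installed": True, "last_malware": "Spyware.Gen"},
    {"name": "ws-02", "last_engine_update_days": 4, "last_scan_days": 10,
     "v3_installed": True, "last_malware": "Trojan.Agent"},
    {"name": "ws-03", "last_engine_update_days": 5, "last_scan_days": 2,
     "v3_installed": False, "last_malware": None},
    {"name": "ws-04", "last_engine_update_days": 5, "last_scan_days": 2,
     "v3_installed": True, "last_malware": "Adware.X"},
]

# "Engine older than 3 days AND (V3 not installed OR last scan older than 7 days)".
# ws-01 is excluded because > 3 does not include day 3 itself.
STALE_RULE = Group("AND", [
    Condition("last_engine_update_days", ">", 3),
    Group("OR", [
        Condition("v3_installed", "=", False),
        Condition("last_scan_days", ">", 7),
    ]),
])

if __name__ == "__main__":
    print(evaluate(STALE_RULE, AGENTS))  # ['ws-02', 'ws-03']
```

The nested Group mirrors the AND/OR buttons in the console: an outer AND with an inner OR. Running the module prints the two agents that satisfy the rule; ws-01, whose engine is exactly 3 days old, is not listed, which is the day-3-versus-day-4 boundary the Greater than entry describes.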
Add Advanced Rules
Add an advanced rule. Adding an advanced rule is made up of 4 steps: (1) Basic Settings, which set the advanced rule name and the period; (2) Rule Settings, which set the detailed rules; (3) Exception Settings, which set the exceptions to the rule; and (4) Notification/Report Settings, which set the notification and the report created when the condition is satisfied.
To add an advanced rule, complete the following steps:
- Log in to the Management Console.
- Click Policy/Advanced
Rules > Advanced Rules.
- Click Add.
- In (1) Basic Settings, set whether to enable the advanced rule, the rule name, and the search interval, and click Next.
- Name: Enter the name.
- Search Interval: Select the search interval: Daily, Weekly, or When the condition matches.
- In (2) Rule Settings, set the detailed rule. You can select the target to apply the rule from Common, V3, or EDR. When all conditions in a rule must be met, click Add AND rule condition and add the condition. Use Add OR rule condition if at least one of multiple conditions must be met.
- Common: Set the common advanced rule on the
agent.
- Last Connection Date: Set the rule on the time of the last connection from the agent. You can compare the last connection time using an operator. The Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the last connection time as a number.
- No License/User Information: The agent has no license or no user information. When setting the rule, the Equal to and Like operators are supported.
- Agent Version: Set the rule on the agent version. Enter the agent version in the four-part format. (E.g. 5.0.0.1)
- Installed Security Products: Set the rule for each security product installed on the agent. You can check the installed security products in Security Program.
- V3:
Set the advanced rule for the V3 product.
- Malware Detection Count: Set the rule on the number of malware and reputation-based detections within the set time. The Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the detection count and the detection time (mins) as numbers. E.g. Detection Count 10, Operator >, Time 10 minutes: the rule is satisfied when the number of detections exceeds 10 within 10 minutes.
- Malware Name: Set the rule on the malware name. You can enter up to 128 characters. E.g. Malware Name spy, Operator Like, Time 10 minutes: the rule is satisfied when malware whose name matches "spy" is detected within 10 minutes.
- V3 Not Installed:
Set the rule on V3 Not installed. The rule is satisfied if V3 is not
installed.
- Last Engine Update Date: Set the rule on the date of the last engine update. The Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Enter the date of the last engine update as a number. E.g. Date of the last engine update 3, Operator >: the rule is satisfied from the day the last engine update becomes 4 days old.
- Real-time Scan Not Running: Set the rule on whether the real-time scan is running. If the real-time scan is not in use, the rule condition is met.
- Last Scan Date: Set the rule on the last scan date. The Greater than, Greater than or equal to, Less than, Less than or equal to, and Equal to operators are supported. Only numbers can be entered. E.g. Last scan date 7, Operator <: the condition is satisfied if the last scan date is less than 7 (6 and below).
- EDR:
Set the advanced rule on EDR.
- Process: Set the rule on the process.
- Process Name: The name of the detected process. When setting the rule for the process name, only the Equal to operator is supported.
- Process Path: The file path of the detected process.
- File Hash Value: The hash value of the detected process.
- Registry: Set the rule on the registry. The rule is met if the entered key, value, and data are all satisfied. When setting the rule, the Equal to operator is supported.
- Network URL: The rule is met if the network URL is equal to the entered URL. When setting the rule, the Equal to operator is supported.
- Network IP Address: The rule is met if the IP address is equal to the entered IP address. When setting the rule, the Equal to operator is supported. Enter the IP address of the suspicious network behavior in IPv4 or IPv6 format.
- In (2) Rule Settings, also enter the conditions for the Response Settings. You can move a response in the list up or down to change the priority order of the responses.
- Common: Set the response on the common advanced rule.
- Send Notice: Sends notices.
- Import Shared Folder: Imports the information
of the agent's shared folder.
- Disable All Shared Folders: Disables all shared
folders of the agent.
- V3: Set the response settings on the V3 advanced rules.
- V3 Manual Update: Runs the V3 update. The V3 update can also update the engine and the patch file.
- Network Block: Completely blocks the network of the agent.
Caution
Note that if you block the network of the selected target, the network connection of all affected agents is lost until the block is disabled.
- Disable Network Block: When the advanced rule is satisfied, disables the block on the network.
- Scan for Malware: Uses V3's malware scan feature to scan for malware.
- Optimize System: Runs system optimization.
- EDR: Set the response on the EDR advanced rules.
- End Process: Ends the process that matches the information entered in the response condition.
- Process Name: The name of the detected process.
- Process Path: The file path of the detected process.
- Hash Value: The hash value of the detected process.
- Search File: Searches for a file that matches the information entered in the response condition.
- File Name: The name of the file to search for.
- Hash Value: The hash value of the file to search for.
- File Size: The size of the detected file. (Unit: bytes)
- File Path: The file path of the detected file. Select Include Sub Paths to include the folders under the path if the file path is a folder.
- File Created: The time the detected file was created. The file creation time can optionally be added to the condition.
- File Modified: The time the file was last modified. The file modified time can optionally be added to the condition.
- In (3) Exception Settings, set the agents to exclude from the advanced rule. Select the domain or group from the Group list on the left; the agent information is shown on the right. Select the exception targets from the list and click Exception Settings.
- Click Next.
- In (4) Notification/Report Settings, set whether to create a notification when the rule condition is satisfied and whether to create a report.
- Re-notification Timeout: After a notification is sent, no further notification is sent within the specified period. You can enter a number between 1 and 1440.
- Notification Period: Set the period during which the notification email is sent. If the notification period is not set, notifications are sent permanently.
- Send a notification: The email is sent if the email address of the administrator account or of the agent user is set.
Note
To send a notification email, you must configure the email
server. You can configure the email settings in Email
Server.
Note
You can create an email template for sending the notification
emails in Manage Email Template.
- Recipient: Set the recipient of the email.
- Administrator/Agent: Send the email to the EPP Management administrator and to the agent user where the notification occurred.
- Direct Input: Enter the recipient's email address directly. Separate multiple recipients with a semicolon. (E.g. 123@ahnlab.com; 456@ahnlab.com)
- Create a Report: Select Create a Report to create a report of the set items when the advanced rule is satisfied. For more information on the items for which a report can be created, see Create a Report.
- Click OK. Check the added advanced rule on the Advanced Rules screen.
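Two of the settings in the procedure above are time-windowed: the V3 Malware Detection Count / Malware Name rule in step (2) counts detections within a trailing number of minutes, and the Re-notification Timeout in step (4) suppresses repeat notifications. The following added example, which is not AhnLab EPP Management code, runs both over a constructed detection stream so the boundary behaviour is visible. Assumptions: detection events are (time, agent, malware name) tuples built inline for the example; the window covers the trailing N minutes ending at each detection, inclusive; Like is a case-insensitive prefix match as in the page's "spy" example; and the Re-notification Timeout is taken to be in minutes, since the page gives the 1..1440 range without a unit.

```python
"""Windowed evaluation of the V3 Malware Detection Count / Malware Name rule
and the Re-notification Timeout.

Added example, not AhnLab EPP Management code.  Assumptions: events are
constructed (time, agent, malware name) tuples; the window is the trailing
N minutes ending at each detection, inclusive; "Like" is a case-insensitive
prefix match; the Re-notification Timeout is in minutes (the page states the
1..1440 range but not the unit).
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

Event = Tuple[datetime, str, str]   # (detection time, agent, malware name)


def rule_hits(events: List[Event], count: int, op: str, window_minutes: int,
              name_like: Optional[str] = None) -> List[Tuple[str, datetime]]:
    """Return (agent, time) for every detection at which the number of
    matching detections on that agent within the trailing window satisfies
    `count` under `op` (">" strict, ">=" inclusive, like the console operators)."""
    window = timedelta(minutes=window_minutes)
    per_agent: Dict[str, Deque[datetime]] = {}
    hits: List[Tuple[str, datetime]] = []
    for ts, agent, name in sorted(events):
        if name_like and not name.lower().startswith(name_like.lower()):
            continue                      # Malware Name filter (Like)
        q = per_agent.setdefault(agent, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # evict detections older than the window
            q.popleft()
        n = len(q)
        if (op == ">" and n > count) or (op == ">=" and n >= count):
            hits.append((agent, ts))
    return hits


class Notifier:
    """Drops repeat notifications for the same agent inside the timeout."""

    def __init__(self, timeout_minutes: int) -> None:
        if not 1 <= timeout_minutes <= 1440:
            raise ValueError("Re-notification Timeout must be between 1 and 1440")
        self.timeout = timedelta(minutes=timeout_minutes)
        self.last_sent: Dict[str, datetime] = {}

    def notify(self, agent: str, ts: datetime) -> bool:
        """True if a notification is sent, False if suppressed by the timeout."""
        last = self.last_sent.get(agent)
        if last is not None and ts - last < self.timeout:
            return False
        self.last_sent[agent] = ts
        return True


# Constructed detection stream: ws-07 reports Spyware.Gen once a minute for
# 12 minutes plus one unrelated Trojan; ws-08 reports only 5 detections.
BASE = datetime(2024, 1, 1, 9, 0)
EVENTS: List[Event] = (
    [(BASE + timedelta(minutes=i), "ws-07", "Spyware.Gen") for i in range(12)]
    + [(BASE + timedelta(minutes=5), "ws-07", "Trojan.Downloader")]
    + [(BASE + timedelta(minutes=i), "ws-08", "Spyware.Gen") for i in range(5)]
)


def run_demo() -> Tuple[List[Tuple[str, datetime]], List[bool]]:
    """Detection Count 10, Operator >, Time 10 min, Malware Name Like 'spy',
    followed by a 30-minute Re-notification Timeout over the resulting hits."""
    hits = rule_hits(EVENTS, count=10, op=">", window_minutes=10, name_like="spy")
    notifier = Notifier(timeout_minutes=30)
    delivered = [notifier.notify(agent, ts) for agent, ts in hits]
    return hits, delivered


if __name__ == "__main__":
    for (agent, ts), sent in zip(*run_demo()):
        print(agent, ts.time(), "notified" if sent else "suppressed")
```

With Operator > the rule first fires at 09:10, when ws-07 has 11 Spyware.Gen detections inside the 10-minute window; the 10th detection at 09:09 does not fire because > excludes the set value, whereas >= would fire one minute earlier. The Trojan.Downloader detection is ignored by the Like filter, and ws-08 never reaches the count. The second hit at 09:11 is suppressed by the Re-notification Timeout, which is the behaviour step (4) describes.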
Modify Advanced Rules
To modify the advanced rules, complete the following steps:
- Log in to the Management Console.
- Click Policy/Advanced
Rules > Advanced Rules.
- Check the list of advanced rules.
- Click on the advanced rule to edit.
- Set the necessary items from (1)
Basic Settings, (2) Rules Settings, (3) Exception Settings, and (4)
Notification/Report Settings.
- Click OK.
- Check the changed detail from the Advanced Rules
list.
Delete Advanced Rules
To delete the advanced rules, complete the following steps:
- Log in to the Management Console.
- Click Policy/Advanced
Rules > Advanced Rules.
- Check the list of advanced rules.
- Select the advanced rule to delete and click Delete.
- Click OK.
Related Info