Add Advanced Rule

Set the common rules for the agents, and advanced rules based on the installed security program.

From Advanced Rule, you can:

• Add/Modify/Delete advanced rules
• Set the response for advanced rules

Advanced Rule Settings

Set the advanced rules - Common, V3/EDR - using operators or AND/OR conditions as below:

• Greater Than (): More than but does not include the set number. e.g.) If the last engine update date is set to 3 >, the rule condition is satisfied from the 4th day, not the 3rd.
• Greater Than Or Equal (): More than and includes the set number. e.g.) If the last engine update date is set to 5 >, the rule condition is satisfied from the 5th day and after.
• Less Than (): Less than but does not include the set number. e.g.) If the last engine update date is set to < 3, the rule condition is satisfied from the 2nd day, not the 3rd.
• Less Than Or Equal (): Less than and includes the set number. e.g.) If the last engine update date is set to < 5, the rule condition is satisfied from the 5th day and before.
• Equal (): The same number as the set number. e.g.) If the last engine update date is set to 5 =, the rule condition is satisfied on the 5th day.
• Like (): Enter parts of words to search. e.g.) If you search for spy Like, the strings starting with "spy", such as spyware, will satisfy the rule condition.
• Add an AND rule condition ( ): Satisfy all the rule conditions.
• Add an OR rule condition: Satisfy any rule condition.

Add Advanced Rule

There are four steps to add an advanced rule - Basic Settings (name and interval settings), Advanced Rule Settings (advanced rule settings), Exclusion Settings (agent exclusion settings) and Alert/Report Settings (alert and report settings). To add an advanced rule:

1. Log in to the web console.
2. Click Policy/Advanced Rule > Advanced Rule.
3. Click Add.
4. In Basic Settings, enable or disable Enable Advanced Rules and set the policy name and scan interval. Click Next.

• Name: Enter the name.
• Scan Interval: Select a scan interval - Everyday, Every Minute or At once when conditions match  .

5. In Rule Settings, set the advanced rules - Common, V3/EDR. To satisfy all the conditions of a rule, click Add an AND rule condition ( ) and add conditions. To satisfy any condition of a rule, click Add an OR rule condition.

• Common: Set the common rules for agents.

• Last Connection Time: Set the rule for last connection time (numbers). Use Greater Than, Greater Than Or Equal, Less Than Or Equal, Less Than or Equal operators.
• No license and user information: Set the rule for agents with no license or user information. Use Equal or Like operators.
• Agent Version: Set the agent version rule. Use four numbers. (e.g.: 5.0.0.1)
• V3: Set the V3 advanced rules.
• Number of Malware Detection: Set the rule for the number of malware detections and time in minutes (numbers). Use Greater Than, Greater Than Or Equal, Less Than Or Equal, Less Than or Equal operators. e.g.) If set to Detection Count: 10, Operator: > and Time: 10 minutes, the conditions are satisfied when there are more than 10 detections within 10 minutes.
• Malware Name: Set the rule for malware name (max 128 characters). e.g.) If set to Malware Name: spy, Operator: Like and Time: 10 minutes, the conditions are satisfied when there is a malware name that starts with spy within 10 minutes.
• V3 Uninstallation: Set the rule for uninstalled V3. The condition is satisfied when V3 is not installed.
• Last Engine Update Date: Set the rule for last engine update date (numbers). Use Greater Than, Greater Than Or Equal, Less Than Or Equal, Less Than or Equal operators. e.g.) If set to Last Engine Update Date: 3 and Operator: >, the conditions are satisfied from the 4th day.
• V3 Real-time Scan Off: Set the rule for Real-time Scan Off. The condition is satisfied when Real-time Scan is not enabled.
• Last Scan: Set the rule for last scan date. Use Greater Than, Greater Than Or Equal, Less Than Or Equal, Less Than or Equal operators. e.g.) If set to Last Scan: 7 and Operator: <, the conditions are satisfied from the 6th day and before on the 7th day.
• EDR: Set the rule for EDR.
• File Hash: Set the rule for file hash value (max 128 characters). The file hash value needs to be the same to meet the condition. Use Equal operator.
• Registry: Set the rule for registry. The key, value and data need to be the same to meet the condition. Use Equal operator.
• Network URL: Set the rule for URL. The URL need to be the same to meet the condition. Use Equal operator.
• Network IP Address: Set the rule for IP address (IPv4 or IPv6 format). Use Equal operator.

6. In Rule Settings, enter the conditions for Response Settings. Move the response down () or up () to set the priority.

• Common: Set the common advanced rules.
• Send Notice: Send notice.
• Import Shared Folder Information: Import the agent's shared folder information.
• Disable All Folder Sharing: Disable all the folder sharing in the agent.
• V3: Set the V3 advanced rules.
• V3 Manual Update: Update V3. Update the engine and patch files.
• Block Network: Block the agent's network.

Caution

If you block the network, the network connection will be blocked until you disable it.

• Disable Network Block: Disable network block is it meets the advanced rule conditions.
• Scan for Malware: Run V3's malware scan. Select the CPU resource usage - Low, Normal or High. Low means low CPU usage and low scan speed, and High means high CPU usage and high scan speed.
• Optimize System: Optimize the system.
• EDR: Set the EDR advanced rules.
• Terminate Process: Terminate the process that meets the response conditions.
• Process ID: The detected process' ID.
• Process Name: The detected process' name.
• Process Path: The detected process' path.
• Hash Value: The detected process' hash value.
• Search for Files: Search for the file that meets the response conditions.

• File Name: The detected file name.
• File Size: The detected file size in bytes.
• File Path: The detected file path. Select Include sub paths to include the sub paths.
• File Created: The detected file's creation time. This condition is optional.
• File Modified: The detected file's last modified time. This condition is optional.

7. Set the agents not to apply the advanced rules in Exclusion Settings. Select a group or domain from the group list on the left. The agent list will show on the right. Select the agents to exclude, and click Exclusion Settings ().

8. Click Next.
9. In Alert/Report Settings, set the conditions to send alerts and create reports.

• Re-notification Limit: Set the time not to send the same notice (1 to 1440 minutes).
• Notification Period: Set the time to send the notification. If not, the notification will keep on being sent.
• Send a notification: Send the notification when the email address for the admin account or agent's user is set.

Note

Set the server to send the notification in Email Server.

• Template: Use an email template for the notification.

Note

Create an email template from Email Template Management.

• Recipient: Set the email recipient.
• Administrator/Agent: Send the email to the EPP Management administrator and agent where the notification situation occurred.
• Email Address: Enter the recipient's email address. If there are multiple recipients, separate each email address with a semicolon. (e.g.: 123@ahnlab.com; 456@ahnlab.com)
• Create a report: When the set advanced rule conditions are met, the following reports are created as specified by the administrator:
• Agent Information: Report on agent information.
• Agent Installation Status: Report on agent installation status.
• Hardware Status: Report on agent's hardware status.
• Software Status: Report on agent's software status.
• OS Status: Report on agent's OS status.
• Agent Installation Progress: Report on agent's installation progress.
• Security Program Information: Report on V3 installation and policy application status.
• V3 Installation Status: Report on agent's software status.
• Security Program Information Summary: Report on V3 summary.
• V3 Installation Progress: Report on V3 installation progress.
• V3 Installation Status: Report on V3 installation status.
• Infection Information: Report on agent's infection information.
• Top Infected Agents: Report on top infected agents.
• Top Detected Malware: Report on top detected malware.
• Malware Detection Progress: Report on malware detection progress.
• Infection Information Summary: Report on infection summary.
• Suspicious Behavior: Report on suspicious behavior.
• Suspicious Behavior Trend: Report on suspicious behavior trend.
• Top Suspicious Behaviors: Report on top suspicious behaviors.
• Top Suspicious Agents: Report on top suspicious agents.
• Top Suspicious Binaries: Report on top suspicious binaries.

10. Click OK. Check the added advanced rules in Advanced Rule.

Modify Advanced Rule

To modify an advanced rule:

1. Log in to the web console.
2. Click Policy/Advanced Rule > Advanced Rule.
3. Check the advanced rule list.
4. Click the advanced rule to modify.
5. Modify Basic Settings, Advanced Rule Settings, Exclusion Settings and Alert/Report Settings.
6. Click OK.
7. Check the modified rul on the advanced rule list.

Delete Advanced Rule

To delete an advanced rule:

1. Log in to the web console.
2. Click Policy/Advanced Rule > Advanced Rule.
3. Check the advanced rule list.
4. Click the advanced rule to delete, and click Delete ().
5. Click OK.