After you have collected application deployment investigation data regarding installed known and unknown applications, you will want to view various reports to aid in the remediation of any product- and policy-related issues. The reports regarding application deployment investigation are located under Analysis > Application Deployment Reports. It is important to note that the reports are located here and not under the Reports menu option. Several reports are available, including the following:
The next sections describe each report in more detail.

Antivirus Installations Report

The Antivirus Installations report displays the currently configured antivirus applications. You can also create, delete, or clone Antivirus Installations reports if desired. When configuring an Antivirus Installations report, you have the following configuration options, as shown in Figure 10-14:
Figure 10-14. Antivirus Installations Report Configuration

Finally, after configuring this, you can save the report and view the report. Information returned by this report includes the antivirus product installed, the version, the AV engine, the signature version, and the timeframe associated with the information.

NOTE: Only McAfee and Norton antivirus information displays in the report.

Installed Products Report

An Installed Product report can include products that are either installed or not installed for a group or host. You can also create, delete, or clone Installed Product reports if desired. When configuring an Installed Products report, you have the following configuration options, as shown in Figure 10-15:
Figure 10-15. Installed Products Report Configuration

NOTE: Windows hotfixes display in the Add/Remove Software Configuration Panel on Windows systems and will therefore be reported in addition to your typical applications. This setup enables you to create reports that list which systems have hotfixes installed.

Finally, after configuring this, you can save the report and view it. The Installed Products report is valuable in understanding where discovered applications are deployed and whether they are wanted or unwanted. This report also offers a simple way to see where required applications are not yet installed. Figure 10-16 shows a sample report that includes the list of installed applications on agent-protected systems, per host.

Figure 10-16. Sample Installed Products Report

Network Data Flows Report

A Network Data Flows report can show applications that communicate on the network and specify the ports and peers used during the conversations. You can also create, delete, or clone Network Data Flows reports if desired. When configuring a Network Data Flows report, you have the following configuration options, as shown in Figure 10-17:
Figure 10-17. Network Data Flows Report Configuration

Finally, after configuring this, you can save the report and view it. There are a great number of reasons to run a report on this information. For example, you might want to run the Network Data Flows report on a network service to determine proper use within a specific group.

Network Server Applications Report

A Network Server Applications report includes network server applications that terminate connections from remote systems. You can also create, delete, or clone Network Server Applications reports if desired. When configuring a Network Server Applications report, you have the following configuration options, as shown in Figure 10-18:
Figure 10-18. Network Server Applications Report Configuration

After configuring this, you can save and view the report. The Network Server Applications report is most commonly used to locate server (listening) applications that are installed on systems but are not often used. This helps you locate software that could be exploited or possible back doors within the network.

Product Usage Report

A Product Usage report includes applications that are installed and whether they are used. When configuring a Product Usage report, you have the following configuration options, as shown in Figure 10-19 and Figure 10-20:
Figure 10-19. Product Usage Report Configuration

Figure 10-20. Product Usage Report

After configuring this, you can save the report and view it. Product Usage reports, as displayed in Figure 10-20, prove useful in determining whether the end systems use the reported application. You might wonder whether that application you cannot identify is being used or lying dormant, for example.

Unprotected Hosts Report

An Unprotected Hosts report provides information regarding IP addresses that were used while collecting network flow information but were not assigned to any CSA agents. This report provides a list of internal IP addresses that might be in need of a CSA installation or might indicate an unknown rogue host. When configuring an Unprotected Hosts report, you have the following configuration options, as shown in Figure 10-21:
Figure 10-21. Unprotected Hosts Report Configuration

After configuring this, you can save the report and view it. You might find the Unprotected Hosts report useful when trying to locate remote systems that are connecting to your protected systems. Unrelated hosts here are hosts that have IP addresses that cannot be correlated to systems running CSA software. By limiting the service range within the report, you can focus on the unprotected systems that speak with your agents through Internet Relay Chat (IRC) or Secure Shell (SSH) if desired. Figure 10-22 shows a sample Unprotected Hosts report.

Figure 10-22. Unprotected Hosts Report

Unprotected Products Report

An Unprotected Products report provides information about applications found during the investigation process that are not protected by the specified policy. When configuring an Unprotected Products report, you have the following configuration options, as shown in Figure 10-23:
Figure 10-23. Unprotected Products Report Configuration

After configuring this, you can save and view the report. The Unprotected Products report enables you to quickly see where a known application may be installed and running but the local agent does not have the appropriate protective policies enforced. For example, you might see that a popular FTP server application is run throughout your environment and know that you have developed security policies to prevent its misuse; however, after running the report, you can determine where the server application is running unprotected.
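The correlation behind the Unprotected Hosts report described earlier, sketched as an added example (not from the book and not CSA code): peers seen in agent flow data are checked against the agent inventory, kept only if internal, and optionally limited to a service range such as SSH (22) or IRC (6667). The flow records, agent addresses, internal network definition and function name are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not CSA MC output): agent inventory and flow records.
AGENT_IPS = {"10.1.1.10", "10.1.1.11", "10.1.2.20"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: what counts as internal
FLOWS = [
    # (reporting agent, peer IP, destination port)
    ("web01", "10.1.1.11", 22),     # peer runs an agent, so it is protected
    ("web01", "10.1.3.77", 22),     # internal, no agent, SSH
    ("db01", "10.1.3.77", 1433),    # same peer, different service
    ("db01", "10.1.4.5", 6667),     # internal, no agent, IRC
    ("web01", "198.51.100.9", 22),  # external peer, out of scope for this report
    ("web01", "not-an-ip", 22),     # malformed record
]


def unprotected_hosts(flows, agent_ips, internal_nets, ports=None):
    """Return {peer_ip: sorted [(agent, port), ...]} for internal peers with no agent.

    ports is an optional inclusive (low, high) range, mirroring the report's
    service-range limit.
    """
    hits = defaultdict(set)
    for agent, peer, port in flows:
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            continue  # skip malformed addresses instead of aborting the report
        if str(addr) in agent_ips:
            continue  # address belongs to a host running an agent
        if not any(addr in net for net in internal_nets):
            continue  # only internal addresses are candidates for an install
        if ports and not (ports[0] <= port <= ports[1]):
            continue  # outside the requested service range
        hits[str(addr)].add((agent, port))
    return {ip: sorted(seen) for ip, seen in sorted(hits.items())}


if __name__ == "__main__":
    for ip, seen in unprotected_hosts(FLOWS, AGENT_IPS, INTERNAL_NETS).items():
        print(ip, seen)
```

An address that appears here is either a system still awaiting an agent or a host nobody has accounted for; the list of agents it talked to tells you which protected systems to check first.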