Using Application Deployment Reports


After you have collected application deployment investigation data regarding installed known and unknown applications, you will want to view various reports to aid in the remediation of any product- and policy-related issues. The reports regarding application deployment investigation are located under Analysis > Application Deployment Reports. It is important to note that the reports are located here and not under the Reports menu option. Several reports are available, including the following:

  • Antivirus Installations

  • Installed Products

  • Network Data Flows

  • Network Server Applications

  • Product Usage

  • Unprotected Hosts

  • Unprotected Products

The next sections describe each report in more detail.

Antivirus Installations Report

The Antivirus Installations report displays the currently configured antivirus applications. You can also create, delete, or clone Antivirus Installations reports if desired. When configuring an Antivirus Installations report, you have the following configuration options, as shown in Figure 10-14:

  • Name and Description: Name and describe the report.

  • Verbose Report: Check this check box to enable greater detail, such as per-host information for reported data rather than simple summary information for the group.

  • Groups and Hosts Matching: Choose the groups and hosts the report should include or exclude. Only hosts that have uploaded data display for selection.

  • Time Frame: Choose the timeframe you want information reported from or check the All Times option.

  • Sort By: Choose Host or Product for the first and second sort criteria.

  • Viewer Type: Choose either ActiveX or HTML Frames as with all of the other CSA MC reports.

Figure 10-14. Antivirus Installations Report Configuration


Finally, after configuring this, you can save the report and view it. Information returned by this report includes the antivirus product installed, the version, the AV engine, the signature version, and the timeframe associated with the information.

NOTE

Only McAfee and Norton antivirus information displays in the report.


Installed Products Report

An Installed Product report can include products that are either installed or not installed for a group or host. You can also create, delete, or clone Installed Product reports if desired. When configuring an Installed Products report, you have the following configuration options, as shown in Figure 10-15:

  • Name and Description: Name and describe the report.

  • Verbose Report: Check this check box to enable greater detail, such as per-host information for reported data rather than simple summary information for the group.

  • With or Without Dropdown: Choose With to report on installed products, or choose Without to report on products that are not installed.

  • Products: Choose the product or products you want to report. These are products listed in the Product Associations list.

  • Groups and Hosts Matching: Choose the groups and hosts the report should include or exclude. Only hosts that have uploaded data display for selection.

  • Sort By: Choose Host or Product for the first and second sort criteria.

  • Viewer Type: Select either ActiveX or HTML Frames.

Figure 10-15. Installed Products Report Configuration


NOTE

Windows hotfixes display in the Add/Remove Software Configuration Panel on Windows systems and will therefore be reported in addition to your typical applications. This setup enables you to create reports that list which systems have hotfixes installed.


Finally, after configuring this, you can save the report and view it. The Installed Products report is valuable in understanding where discovered applications are deployed and whether they are wanted or unwanted. This report also offers a simple way to see where required applications are not yet installed. Figure 10-16 shows a sample report that includes the list of installed applications on agent-protected systems, per host.

Figure 10-16. Sample Installed Products Report


Network Data Flows Report

A Network Data Flows report can show applications that communicate on the network and specify the ports and peers used during the conversations. You can also create, delete, or clone Network Data Flows reports if desired. When configuring a Network Data Flows report, you have the following configuration options, as shown in Figure 10-17:

  • Name and Description: Name and describe the report.

  • Verbose Report: Check this check box to enable greater detail such as hosts, ports, peer and protocol information for reported data rather than simple summary information.

  • Local Applications Matching: Choose the application or applications used in the report.

  • Local Groups and Hosts Matching: Choose the groups and hosts the report should include or exclude. Only hosts that have uploaded data display for selection.

  • Peer Network Address Sets Matching: Limit the peer IP addresses to only report on matching connections.

  • Peer Groups and Hosts Matching: Choose the peer groups and hosts the report should include or exclude. Only hosts that have uploaded data display for selection.

  • Network Services: Choose the network service to report (for example, DNS, DHCP, Telnet).

  • Number of Distinct Peer Hosts: Choose either Less Than or More Than a number of hosts required for a match to be reported.

  • Time Frame: Choose the timeframe you want information reported from or check the All Times option.

  • Sort By: Choose Host, Application, or Peer Address for the first and second sort criteria.

  • Viewer Type: Choose ActiveX or HTML Frames.

Figure 10-17. Network Data Flows Report Configuration


Finally, after configuring this, you can save the report and view it. There are a great number of reasons to run a report on this information. For example, you might want to run the Network Data Flows report on a network service to determine proper use within a specific group.

Network Server Applications Report

A Network Server Applications report includes network server applications that terminate connections from remote systems. You can also create, delete, or clone Network Server Applications reports if desired. When configuring a Network Server Applications report, you have the following configuration options, as shown in Figure 10-18:

  • Name and Description: Name and describe the report.

  • Applications: Choose the server application or applications used in the report.

  • Groups and Hosts Matching: Choose the groups and hosts the report should include or exclude. Only hosts that have uploaded data appear for selection.

  • Number of Server Accepts: Enter the number of connections the report will match on. This value will either be less than or more than the number specified by setting the appropriate options.

  • Time Frame: Choose the timeframe you want information reported from or check the All Times option.

  • Sort By: Choose Host, Application, or Port for the first and second sort criteria.

  • Viewer Type: Choose ActiveX or HTML Frames.

Figure 10-18. Network Server Applications Report Configuration


After configuring this, you can save and view the report. The Network Server Applications report is most commonly used to locate server (listening) applications that are installed on systems but are not often used. This helps you locate software that could be exploited or possible back doors within the network.

Product Usage Report

A Product Usage report includes applications that are installed and whether they are used. When configuring a Product Usage report, you have the following configuration options, as shown in Figure 10-19 and Figure 10-20:

  • Name and Description: Name and describe the report.

  • Verbose: Check Verbose if you want to see where the application is used or not used listed by host rather than a simple summary report.

  • Used or Unused: Choose the appropriate option from the drop-down box based on the type of report you want produced.

  • Products: Choose the applications for the report from the list provided.

  • Groups and Hosts Matching: Choose the groups and hosts the report should include or exclude. Only hosts that have uploaded data display for selection.

  • Time Frame: Choose the timeframe you want information reported from or check the All Times option.

  • Sort By: Choose Host or Product for the first and second sort criteria.

  • Viewer Type: Choose ActiveX or HTML Frames.

Figure 10-19. Product Usage Report Configuration


Figure 10-20. Product Usage Report


After configuring this, you can save the report and view it. Product Usage reports, as displayed in Figure 10-20, prove useful in determining whether the end systems use the reported application. You might wonder whether that application you cannot identify is being used or lying dormant, for example.

Unprotected Hosts Report

An Unprotected Hosts report provides information regarding IP addresses that were used while collecting network flow information but were not assigned to any CSA agents. This report provides a list of internal IP addresses that might be in need of a CSA installation or might indicate an unknown rogue host. When configuring an Unprotected Hosts report, you have the following configuration options, as shown in Figure 10-21:

  • Name and Description: Name and describe the report.

  • Network Address Sets: Limit the view of the report to a subset of network addresses, subnets, or all addresses by specifying that information in a network address set.

  • Network Services: Limit the scope of the report to display only the unprotected hosts using specific network services (ports) as defined by network service sets.

  • Time Frame: Choose the timeframe you want information reported from or check the All Times option.

  • Sort By: Choose Host, Unprotected Address, Operation, or Protocol for the first and second sort criteria.

  • Viewer Type: Choose ActiveX or HTML Frames.

Figure 10-21. Unprotected Hosts Report Configuration


After configuring this, you can save the report and view it. You might find the Unprotected Hosts report useful when trying to locate remote systems that are connecting to your protected systems. Unrelated hosts here are hosts that have IP addresses that cannot be correlated to systems running CSA software. By limiting the service range within the report, you can focus on the unprotected systems that speak with your agents through Internet Relay Chat (IRC) or Secure Shell (SSH) if desired. Figure 10-22 shows a sample Unprotected Hosts report.

Figure 10-22. Unprotected Hosts Report
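
The correlation behind this report (peer addresses seen in flow data that match no agent, narrowed by address set and service) can be reproduced for spot checks against any flow export. The Python below is an added example, not CSA MC code or output; the record layout, the function name unprotected_hosts, and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not CSA MC output): addresses registered to agents.
AGENT_ADDRESSES = {"10.1.1.10", "10.1.1.11", "10.1.2.20"}

# Constructed flow records: (agent host, peer address, protocol, port).
FLOWS = [
    ("10.1.1.10", "10.1.1.11", "TCP", 22),    # agent to agent, ignored
    ("10.1.1.10", "10.1.3.77", "TCP", 22),    # peer has no agent
    ("10.1.1.11", "10.1.3.77", "TCP", 6667),
    ("10.1.2.20", "10.1.9.5", "UDP", 53),
    ("10.1.2.20", "192.0.2.44", "TCP", 22),   # outside the address set
    ("10.1.1.11", "10.1.9.5", "TCP", 22),
]


def unprotected_hosts(flows, agent_addresses, address_sets, services=None):
    """Map each peer address that has no agent to the conversations it had.

    address_sets: CIDR strings, the counterpart of a network address set.
    services: optional set of (protocol, port) pairs limiting the scope.
    Returns {peer: sorted [(agent_host, protocol, port), ...]}, ordered by
    numeric peer address.
    """
    nets = [ipaddress.ip_network(n) for n in address_sets]
    agents = {ipaddress.ip_address(a) for a in agent_addresses}
    found = defaultdict(set)
    for agent_host, peer, proto, port in flows:
        peer_ip = ipaddress.ip_address(peer)
        if peer_ip in agents:
            continue  # peer correlates to a protected system
        if not any(peer_ip in net for net in nets):
            continue  # peer is outside the address sets of interest
        if services is not None and (proto, port) not in services:
            continue  # service filter, e.g. only SSH and IRC
        found[peer].add((agent_host, proto, port))
    ordered = sorted(found, key=ipaddress.ip_address)
    return {peer: sorted(found[peer]) for peer in ordered}


if __name__ == "__main__":
    ssh_irc = {("TCP", 22), ("TCP", 6667)}
    report = unprotected_hosts(FLOWS, AGENT_ADDRESSES, ["10.0.0.0/8"], ssh_irc)
    for peer, talks in report.items():
        print(peer, talks)
```
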


Unprotected Products Report

An Unprotected Products report provides information about applications found during the investigation process that are not protected by the specified policy. When configuring an Unprotected Products report, you have the following configuration options, as shown in Figure 10-23:

  • Name and Description: Name and describe the report.

  • Products: Choose the applications you want to report.

  • Policies: Choose the policy from the list that should be run on the host to protect the specified application.

  • Groups and Hosts Matching: Choose the groups and hosts the report should include or exclude. Only hosts that have uploaded data display for selection.

  • Time Frame: Choose the timeframe you want information reported from or check the All Times option.

  • Sort By: Choose Host and Product for the first and second sort criteria.

  • Viewer Type: Choose ActiveX or HTML Frames.

Figure 10-23. Unprotected Products Report Configuration


After configuring this, you can save and view the report. The Unprotected Products report enables you to quickly see where a known application may be installed and running but the local agent does not have the appropriate protective policies enforced. For example, you might see that a popular FTP server application is run throughout your environment and know that you have developed security policies to prevent its misuse; however, after running the report, you can determine where the server application is running unprotected.



    Cisco Security Agent
    ISBN: 1587052059
    EAN: 2147483647
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan
