Cyberoam End Point Data Protection User Guide v 3.21.0902


Cyberoam Endpoint Data Protection User Guide

IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without
warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore
assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice to make
changes in product design or specifications. Information is subject to change without notice.
USERS LICENSE
The Software Product (Product) described in this document is furnished under the terms of Elitecore's End User license
agreement.
Please read these terms and conditions carefully before using the Product. By using this Product, you agree to be bound by the
terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Product and
manual (with proof of payment) to the place of purchase for a full refund.
LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the
Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially
conforms to its published specifications except for the foregoing, the software is provided AS IS. This limited warranty extends only
to the customer as the original licensee. Customer's exclusive remedy and the entire liability of Elitecore and its suppliers under
this warranty will be, at Elitecore or its service center's option, repair, replacement, or refund of the software if reported (or, upon,
request, returned) to the party supplying the software to the customer. In no event does Elitecore warrant that the Software is error
free, or that the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that the
Endpoint Data Protection Suite may be powered by its Technology Vendor(s) from time to time, and the performance thereof shall
be under warranty provided by such Technology Vendor(s). It is specified that such Technology Vendor(s) does (do) not warrant
that the Software protects against all known threats to the Endpoint Data, nor that the Software will not occasionally erroneously
report a threat in a title not affected by that threat.
Hardware: Elitecore warrants that the Hardware portion (if applicable) of the Elitecore Products excluding power supplies, fans
and electrical components will be free from material defects in workmanship and materials for a period of One (1) year. Elitecore's
sole obligation shall be to repair or replace the defective hardware at no charge to the original owner. The replacement Hardware
need not be new or of an identical make, model or part. Elitecore may, at its discretion, replace the defective Hardware (or any part
thereof) with any reconditioned product that Elitecore reasonably determines as substantially equivalent (or superior) in all
material respects to the defective Hardware.
DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including, without
limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or arising from a course of
dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its
supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages
however caused and regardless of the theory of liability arising out of the use of or inability to use the product even if Elitecore or its
suppliers have been advised of the possibility of such damages. In no event shall Elitecore's or its suppliers' liability to the
customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer. The foregoing
limitations shall apply even if the above stated warranty fails of its essential purpose.
In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without
limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers
have been advised of the possibility of such damages.
RESTRICTED RIGHTS
Copyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of
Elitecore Technologies Ltd.
CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road,
Ahmedabad 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com


Contents
Technical Support
Chapter 1: Introduction of Endpoint Data Protection
    Cyberoam Endpoint Data Protection
    Major Functions
    Characteristics of Endpoint Data Protection
Chapter 2: Endpoint Data Protection Startup
    Endpoint Data Protection Console
    Using Endpoint Data Protection Console
    Computer and User Operations
Chapter 3: Statistics
    Application Statistics
Chapter 4: Event Log
    Basic Event Log
    Application Log
    Document Operation Log
    Shared File Log
    Printing Log
    Removable-storage Log
    Assets Change Log
    Policy Log
    System Log
Chapter 5: Policy
    Policy Introduction
    Basic Policy
    Device Control Policy
    Application Policy
    Logging Policy
    Alert Policy
    Mail Policy
    IM File Policy
    Document Operation Policy
    Printing Policy
    Removable-Storage Policy
Chapter 6: Monitoring
    Instant Message Monitoring
    Email Monitoring
Chapter 7: Assets Management
    Assets Management
    Patches Management
    Vulnerability Check
    Software Deployment
Chapter 8: Encrypted Disk (Endpoint Security Module)
    Disk Encryption
    Format Encrypted Disks into Non-encrypted Disks
    Removable-storage Information
Chapter 9: Database Backup & Data Recovery
    Database Backup
Chapter 10: Tools
    Account Management
    Computer Management
    Alert Message
    Classes Management
    Server Management
    Agent Tools
    Options
Chapter 11: Audit Console
    Logon to Audit Console
    Audit Console Interface
    Using Audit Console


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Elitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com
Cyberoam contact:
Email: [email protected]
Web site: www.cyberoam.com
Telephonic Support:

Region                 Toll Free Number    Non Toll Free Number
North America          +1-877-777-0368     +1-973-302-8446
Europe                 +44-808-120-3958    +44-203-355-7917
APAC                   +1-877-777-0368     +1-973-302-8446
Middle East & Africa   +1-877-777-0368     +1-973-302-8446
India                  1-800-301-00013     +91-79-66065777

Visit www.cyberoam.com for the regional and latest contact information.


Chapter 1
Introduction of Endpoint Data Protection
Cyberoam Endpoint Data Protection
Overview
Unrestricted data transfer to removable devices such as USB and CD/DVD drives, or through web, mail,
IM, P2P applications and more, is resulting in a rising number of security breaches. Organizations are
struggling to define their data loss prevention needs comprehensively, and an Endpoint Data Protection
solution has emerged as the critical immediate step. Simultaneously, the presence of branch offices, the
rise in sophisticated attacks, and the resultant bugs and vulnerabilities are necessitating centralized,
automated asset management at the endpoint.
Hence, organizations need security that moves with users in order to protect data and assets on
endpoint devices. While gateway security solutions secure the organization's perimeter, endpoint
security solutions are needed to secure the weakest link in organizations: the end user.

Cyberoam - Endpoint Data Protection


Available in downloadable and CD form, Cyberoam's enhanced Endpoint Data Protection provides
seamless control with logging, reporting, encryption and policy-driven activity. It prevents data loss
and enhances security, employee productivity and the efficient management of IT assets while retaining
business flexibility. In addition, organizations can meet regulatory and security compliance
requirements.
Cyberoam Endpoint Data Protection allows centralized policy control for data security based on
activity and context, viz. user identity, group, and organizational role definition, meeting regulatory
compliance requirements. It provides real-time alerts and warnings in response to device,
application, file transfer, and activity based on policies, leading to protection of sensitive data. It
takes security beyond the network with encryption policies for removable storage devices or file-level
encryption, meeting business and security requirements. Automated, centralized IT asset
management delivers security compliance.


Endpoint Data Protection Modules


1. Data Protection and Encryption
Insider access to sensitive documents and accidental or malicious file transfer are the most important
causes of data loss.
Cyberoam's Data Protection and Encryption creates logs and reports of access, usage, change,
transfer, and deletion of files, allowing organizations to understand the profile of file usage by individual
users. Based on this access-usage profile, it enables administrators to create data protection
policies for removable devices, network sharing, Instant Messengers, emails and printing. Based on
identity-based policies, it blocks file transfer for pre-defined file extensions, allowing control over
data loss through specific document types. It can also specify read and write access to classified
USB storage devices. Customized warning messages to users on unauthorized access to data and
applications enable user education. Creation of shadow copies eliminates the threat of accidental or
malicious deletion of data. Encryption of removable devices or selected files offers strict controls over
data on mobile devices when outside the network.

2. Device Management
Removable devices are the most common routes to data leakage because of their small size,
considerable storage capability and lack of a trail.
Cyberoam Device Management controls data loss through removable devices such as USB drives,
storage devices, CD/DVDs, MP3 players, digital cameras, serial ports, parallel ports, modems,
Bluetooth, wireless cards, and more. It offers flexible controls for complete or selective blocking of
removable devices for individual users or groups.

3. Application Control
Unrestricted application usage can result in the use of unauthorized, illegal and malware-laden
applications, causing data loss, productivity loss, legal liability and network outages.
Cyberoam's Application Control offers granular policy-based controls, enabling organizations to
prevent and control access to web, instant messengers, P2P, gaming, and more. Organizations can
thus protect sensitive data while enhancing employee productivity.

4. Asset Management
Distributed offices and the rise in malware attacks are opening organizations to higher levels of threats,
leaving IT teams in fire-fighting mode.
Cyberoam's Asset Management module for Windows enables organizations to simplify tracking of
their hardware and software asset location, configuration, version tracking, and historical
information, allowing streamlined IT infrastructure management. This results in control over
hardware and software costs, while keeping the operating system, application software and security
solutions up to date, lowering malware incidence. By automating patch management, it enables
rapid and correct installation of patches, handling bug fixes across the network irrespective of
geographic location, allowing organizations to meet security compliance requirements.


Major Functions
Organizations nowadays protect not only their physical resources; intangible assets such as
intellectual property, information, and goodwill are also important. Endpoint Data Protection
Solution provides effective monitoring and management capabilities to help organizations minimize
their information security risks. Endpoint Data Protection is an application to effectively monitor
and manage corporate endpoint activities.
Some of these activities are described below:

Running Statistics
Endpoint Data Protection Solution can generate statistics reports on every application process and
network flow in order to find any suspicious activity and check employees' productivity.

Real-time Monitoring
With Endpoint Data Protection Solution, the administrator can monitor computer usage, including
application usage, document operation, printing, instant messenger logs, and email contents, in real
time.

Policy Control
Computer restrictions include application usage, document operations and printing. These restrictions
secure information, enhance staff efficiency, and allow the corporation to plan resources reasonably.

Asset Management
Endpoint Data Protection Solution gives detailed information about hardware and software assets.
An alert can be sent when there is any change in software or hardware. Asset information can be
searched using custom-built queries.

Patch and Vulnerability Management


Endpoint Data Protection Solution frequently checks for Windows operating system patches. If
patches are found, it automatically downloads, distributes, and installs them on the machines on
which the agents are installed. It scans the end user machines for vulnerabilities and provides
analytical information and repair suggestions.

Software Deployment
Endpoint Data Protection Solution provides an effortless way to distribute documents and deploy
third-party software to internal computers within the organization, lightening the workload of the
administrator and improving effectiveness at the same time.


Characteristics of Endpoint Data Protection

1. Powerful data compression, archiving and screening features


An optimized data compression algorithm ensures high-efficiency data access. The system administrator
can take a backup of the archived data to a backup storage device. Authorized users can search and
view the historical data by selecting the target computer and its recording period.

2. Data Encryption
Data transferred between workstation and server is encrypted using the DES algorithm. With this
encryption technology, data is protected from illicit data capture.

3. System Authentication
Authentication is required for communication between server, agent, and console. An agent
workstation responds only to an authenticated server, which prevents an unauthenticated server
from connecting to the network to steal data.

4. Friendly User Interface


Despite powerful monitoring and data management functions, Endpoint Data Protection Solution
has a simple and easy-to-use user interface. All functions are well-organized and visualized in the
graphical user interface.


Chapter 2
Endpoint Data Protection Startup
Endpoint Data Protection Console

Logon Console
Before starting the console, Endpoint Data Protection server must be running.
1. Go to the Endpoint Data Protection default folder and click OConsole3.exe, or go to Start > All
Programs > Endpoint Data Protection > Endpoint Data Protection Console. The Logon
window is shown in the screen below:

Endpoint Data Protection Suite Login Windows

Server      Input the IP address, Computer Name, or Dynamic Domain Name.

Account     By default, the account for the administrator is admin and the account for the
            auditor is audit.
            After logging on to the Console, the administrator can create different accounts
            with different access rights (Endpoint Data Protection Console > Tools > Accounts).

Password    By default, the password for admin is empty.
            After logging on to the Console, the administrator can edit the password from
            Tools > Change Password.

2. Input the correct account and password; click OK to log on to the Console.

When the Endpoint Data Protection connection is disconnected, or you need to log on to another
Endpoint Data Protection server or log on to Endpoint Data Protection with another role,
go to Tools > Relogin to log out of the current session and log in again as needed.

About Service Manager Status


Make sure the server is running properly. The color of the Service Manager should be like this: [icon]

1. If the status of the Service Manager is [icon], the Endpoint Data Protection server
is still in its initial stage and is not running completely. In this case, wait until the color of
the icon changes to [icon].

2. If the status of the Service Manager is [icon], the Endpoint Data Protection server
has stopped. In this case, right-click Service Manager > Service > Start to start the Endpoint
Data Protection server.

Change Password
You can change the password to prevent others from using your account to log in to the system and
perform illegal operations.
1. Log on to the Console. Select Tools > Change Password (see Figure 3.2).

2. In the Change Password dialogue box, key in the old password (the password is blank the first
time). Then enter the New Password.

3. In the Confirm field, re-enter the same new password to make sure the new password is entered
correctly.

A user can change only the password of the current login account. The new password takes effect
after it is saved in the server module.

Change Windows Password


Using Endpoint Data Protection Console


After logging on to the console, the user sees the following user interface (see Figure 3.3). The user
interface consists of a menu, tool bar, status bar, and main area. The left side of the main area is the
console tree of computers (groups) and users (groups) on the network. The right side of the main area is
the data view.

Endpoint Data Protection Console

Endpoint Data Protection Console Panel

1. Toolbar: Includes all system menus

2. Menu bar: Includes the common functions

3. Agent Panel: Displays all installed agents listed under The Whole Network tree and the
   corresponding computer groups

4. User Panel: Displays all agents' logging information listed under The Whole Network and the
   corresponding user groups

5. Navigation Main Menu: Quick access to the main functions: Audit, Events Log, Basic Policy,
   Advanced Policy, Monitoring, Maintenance

6. Navigation Sub-menu: Quick access to the specific functions belonging to its groups

7. Functional Button Panel: Provides different functional buttons, e.g. for data sorting,
   add/delete/apply policy etc.

8. Data Display Panel: Core view; all data is displayed here

9. Chart Panel: For audit functions with statistical data, the corresponding chart is displayed here

10. Searching Panel / Property Panel:
    Searching Panel: For searching purposes in audit, events log, IM and email monitoring
    Property Panel: For policy settings purposes

11. Status Bar: Displays the current system status

Endpoint Data Protection Console Interface

Color Representations of Agent Icons

Icon      Color        Definition
[icon]    Light Blue   Agent is running
[icon]    Light Grey   The computer agent module is not running. The computer may be turned off or
                       not connected to the network
[icon]    Deep Grey    The agent is uninstalled

Color Representations of User Icons

Icon      Color        Definition
[icon]    Light Blue   The agent user is running
[icon]    Light Grey   The agent user is not running. The user might not have logged on to the agent
                       computer



Common Search Conditions

Common Search Panel

Date Range      Specify the date range. Click the start time and end time; all log data
                is searched and displayed according to the time and range selected.

                Icon      Description
                [icon]    Select the date as the start time from the calendar
                [icon]    Select the date as the end time from the calendar
                [icon]    Restore to default setting

Time            Endpoint Data Protection has several defined time types (All Day, Working
                Time, Rest, and Weekend), which can be found in Tools > Classes
                Management > Time Types (see Figure 3.5). The System Administrator can
                also define new time types according to their preferences to facilitate queries.

Classes Management Time Types

Network Range   Click the [icon] button to select the network range, which can be either a
                single computer, a group, or the entire network, for the query.

Descriptions for Common Search Conditions Functions



Common Log
The event log covers every common log, email log, and instant messenger log. Each log record
basically includes the following contents:

Time        The time of the detailed log

Computer    The client machine the log record belongs to. The computer name here is the one
            recorded by Endpoint Data Protection and shown in the agent panel

User        The user the log record belongs to. The user here is the one recorded by Endpoint
            Data Protection and shown in the user panel
Descriptions for Common Log Records

Computer and User Operations


Basic Information
Select Statistic > Basic Information from the menu to view the basic information of a computer,
computer group, user, or user group (see Figure 3.6). The console displays the running status and
agent of the selected computer.

1. Computer Basic Information

Computer Basic Information

Name               The name displayed in the Computer Tree. To facilitate management, the name
                   can be changed. If not changed, the name is the same as the computer name.

Computer           The Windows computer name

IP Address         The computer's IP address

Status             Agent status: Running, Offline, Uninstalled

Version            Endpoint Data Protection version

OS                 The agent's OS version

Running Time       The agent's startup time. The time is displayed only if the status is
                   displayed as running. Otherwise, it is not displayed.

Last Online        The last communication time between the Endpoint Data Protection agent
                   and server

Last Active Time   The recorded time of the agent's last activity in Windows

Installed Time     The time the agent was first installed

IP/MAC             The IP/MAC address of the agent's computer

Last Logon User    The last user logged on to that agent computer. The status of idle
                   or lock is also displayed here

Computer Basic Information Fields Descriptions


Windows Server allows more than one concurrent connection. In this case, the Basic Information
displays the logon user information and the logon time for all current connections.

Computer Basic Information Concurrent Logon Information


2. Computer Group Basic Information


Selecting a computer group shows the status information of all computers under the selected
group, including computer name, IP address, operating system, and the number of users logged in to
the computer.

Computer Basic Information Computer Group

If The Whole Network is selected, Endpoint Data Protection Console displays all computer groups.
Click the button to view all computers belonging to that group.

Computer Basic Information Expanded Information

3. User Basic Information

User Basic Information


Name: The name displayed in the User Tree. To facilitate management, the name can be changed. If not changed, the name is the same as the user name.
User: The Windows logon user name. If it is a local user, it displays the logon name; if it is a domain user, it displays as domain\username
Status: Agent status: Online, Offline etc.
Last Online: The last communication time between Endpoint Data Protection agent and server
Last Active Time: The last active time means the recorded time of the last activities of the logon user done in Windows
User Basic Information Fields Descriptions

If the user logs on to different computers using the same account, all information about the logon
computers and logon times is also displayed.

Same user account logs on to different computers

4. User Group Basic Information


Selecting a user group displays the status of all users under the selected group, including user
name, last online time, last active time, and the number of computers the user is logged in to.

User Basic Information User Group


If The Whole Network is selected, Endpoint Data Protection Console displays all user groups. Click
the button to view all users belonging to that group.


User Basic Information Expanded Information

Grouping
By default, all newly installed agents are grouped into the Unclassified group. To facilitate
computer/user management, the System administrator can create groups and classify computers and
users into target groups.
New Groups
Computers and users are displayed in the console tree. Groups can be set according to the actual
situation. Then, assign users and computers into different groups. Computers and users under the
group can be managed from computer groups and user groups.
Select the whole network or any group, then select File->New Group to add a new group to the
console tree and name it. Administrator can define multi-level groups for the organization. The
operation for user groups is identical.
Assign to group or changing groups
To assign a computer or user to a group, select the computer or user, select File->Move to and
choose the target group. The computer or user is then moved to the selected group.
Alternatively, drag and drop can be used. Select the target computer or group and drag it
to a group. The selected computer is then moved to the destination group.
NOTE
The default group is the Unclassified group for all computers and users. The Unclassified group cannot
be deleted or renamed, and no sub-group can be added within it.

Find
Administrator can locate a computer or user quickly through the Find function to search related log
data.
Search Computer
In the Computer Tree column, go to File->Find. Input the search conditions e.g. computer name or
IP address. The matched results are displayed in the list box, and double clicking any record
directs you to the related log or policy settings.



Search User
To search for a user, go to File->Find. Input the search conditions e.g. defined user name or
Windows logon user name. The matched results are displayed in the list box, and double clicking
any record directs you to the related log or policy settings.

Delete
Administrator can select File->Delete to delete computer (group) or user (group). Deleting
computer (group) will uninstall the Agents of the selected group or computer as well as update the
license number.
Deleting user (group) will only remove the current basic information.

Rename
Select the computer (group) or user (group), then select File->Rename to change its name.

Control
Administrator can control the running agents using Endpoint Data Protection Console. The
prerequisite is that the agent must be in running status and all controls can only be done in
Computer mode but not in User mode.

Notification
Endpoint Data Protection can send a notification to a computer or a group. Select Control->Notify to
notify the selected computer or group. In the Notify dialogue box, enter the message and click Send to
notify the target computer or group.

Lock/Unlock Computer
Endpoint Data Protection can lock a computer or a whole group of computers to prevent users
on the agent computer from using the keyboard and mouse in case of an unusual event. Select
Control->Lock Computer to lock. The locked computer would be locked with its basic information.
Select Control->Unlock to unlock the computer. The target computer will once again be able to
use the mouse and keyboard.

Log Off, Power Down/Restart Computer


Administrator can turn off / log off / restart any running agent computers. Select Log Off, Restart or
Power Down from the Control menu and the agent will execute the order immediately after the
computer re-started.

Supplementary Functions
In Endpoint Data Protection Console, there are some other common functions that are often
used. Their details and descriptions are given below.


Export and Import


Export Data
In Endpoint Data Protection, the data such as statistics, event logs, policies, instant message
contents, emails and asset management all can be exported and saved as HTML/Excel/Text (csv)
files.
Export Current Page
In any event log, right click and select Export->Records of Current Page to export the current page
data. By default there are 20 records in each page. Administrator can adjust the maximum number
of records in Console by going to Tools->Options->Console Settings->Logs.
Export All Matched Data
Right click and select Export->All Matched Records to export all records.
Export / Import Policy
Only policy control provides Import function. Endpoint Data Protection facilitates administrator to
export/import policies from one server to other servers.
Export Function
In any policy settings panel, right click and select Export/Export Selected/Export All to save the
policies in an XML file. If the Export Selected option is selected, only the selected policy will be
exported and saved.

Export All Policies



Import function
Select the specified computer (group) or user (group) from the Network tree first. Right click Import in
the policy setting panel. The File Open dialogue pops up; select the related XML file and the
import process starts. For the imported policies to take effect, click the button to save
the policies.

Import Policies

Save Imported Policies

About Import Policy


The type of the imported policies must be the same as that of the exported ones; otherwise, the policies
cannot be imported successfully.

Print and Print Preview


All data logs in Endpoint Data Protection Console can be printed out. Select File->Print to
print your target data or select File->Print Preview to preview the output before printing.


Chapter 3
Statistics
Endpoint Data Protection assists organizations to evaluate the behavior of the staff according to the
collected statistics reports on application usage, and Internet browsing.

Application Statistics
Application statistics provide powerful statistical functions to focus on the computer daily operations
and application usage to provide detailed records and complete analysis report. The statistical data
provides a reference for managers to assess employees' working behavior.
Select Statistic->Application to query the application usage of computer (group) or user (group)
in a given period of time. By default, it queries the current statistics of application usage.
The interface of Application Statistics is divided into 4 parts: (1) Computer or User column, (2)
Statistical Data Panel, (3) Chart Panel and (4) Search Panel.

Interface of Application Statistics


Mode: Administrator can select different application statistic view modes. Options include: By Class, By Name, By Detail or By Group
Expand: In By Class view mode, if an application class has sub-classes, use this button to expand and view the sub-classes. For group view, the expand button can expand the computer group or user group to view the computers or users within the group. This button will turn grey and be disabled in detail view.
Show: Controls the number of records to display. Options include All, Top 10, Top 20, and Custom. This button will turn grey and be disabled when By Class mode is selected and expanded.
Statistics Functional Buttons
In Application Statistics, the startup time and working time are collected by default.
Startup time means that the agent computer starts running after logging to Windows; the working
time means the operations of mouse and keyboard controlled by agent computer.
There are 4 modes in Application Statistics:

1. By Class
In this mode, System Administrator can query the statistics by class. The application classes can be
defined in Tools->Classes Management->Applications. This mode makes it easy for the administrator to
query the usage of defined application classes.
To choose this option, click the Mode button and then select By Class. By default, it shows all
statistics of defined application classes. Each record contains the following details:
Class: The name of application class defined in the Application Class Management
Time: The total usage time of that particular application class.
Percent: The total percentage used by particular application class.


Statistics By Class

Application Statistics By Class


2. By Name
This mode lists the order of all statistics of application usage with application executable name,
usage of time and its percentage of selected computer (group) or user (group).
To choose this option, click the Mode button and then select By Name.

Application Statistics By Name

3. By Detail
In this mode, statistics are listed by the details of the application, not by process. For example, there
are two different versions of the MSN program running on different agents, and the process names are
the same, called msnmsgr.exe. Using By Detail mode, they are counted as two different versions
of MSN. However, if using By Name mode, the usage time of those two versions will be counted
together.
To choose this option, click the Mode button and then select By Detail.

Application Statistics By Detail

4. By Group
In this mode, it analyzes the application and its percentage usage based on selected computer
(group) or user (group). By default, the statistical data are displayed in terms of working time and
running time.

Application Statistics By Group



To query the usage of other application classes, go to the Classes field in the Search Panel
and click the button; the following window pops up.

Application Classes Select Windows


For example (refer to above figure), to get the statistics of the IM and Internet Browser application
classes by specified computer (group) and user (group), select the
target application class from the left panel and click the button. Click OK to complete the selection.
Finally, click the Search button to get the result in the Data Panel.

Application Statistics By Group by specifying Application Class


Application Statistics not only show the list table but also generate charts to present the statistical
data. There are two types of charts: Bar Chart and Pie Chart.

Application Statistics Bar Chart


Application Statistics Pie Chart


Chapter 4
Event Log
Endpoint Data Protection collects all the operation logs from agent computers including user logon,
logout, application log, document operation log, shared document log, printing log,
removable-storage log, asset changes log etc.
There are some common functions provided in each log. For example, after selecting one of the log
records, right click to select Print, Print Preview, Export, Delete, and Property.
Common Log Function
Print / Print Preview: Every page of the log can be printed, or previewed before printing.
Export: Export the current or selected page logs to HTML / CSV / XLS format. There are two options: Records of Current Page and All Matched Records
Delete: Right click to select Delete from the log to delete the target log. There are three options: Selected Records, Records of Current Page and All Matched Records
Property: Double click the selected log to view the details of the log

Common Log Functions

Basic Event Log


Go to Log->Basic Events. The basic event log records the system's startup/shutdown,
login/logoff, dialup, Patch scanning and software distribution related information. The
corresponding Time, Computer, User and Description are also recorded. The following table
summarizes the details of Operating Type:
Operating Type
Startup / Shutdown: The startup and shutdown status of agent computers
Login / Logoff: Every user login / logoff status
Dialup: Every time the user dials up, the corresponding action will be logged
Patches: When System administrator requests patches installation, the related patches will be installed automatically. The installation status such as Patch scanning and Patch installation will be logged, and the details will be shown in the Description column
Deployment: When System administrator creates a software distribution task, it will be executed on target agent computers. Those tasks will be logged.

Basic Event Log Operating Type


Administrator can input time and range, type and description to filter the search result. The input
string also supports wildcard character.
Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Type: By default it is set to All. The specified types can also be selected such as startup/shutdown, login/logoff, Dialup, Patch or Deployment
Description: Input any content to query the target log, and it also supports wildcard input

Basic Event Log Search Conditions

Basic Event Log

Application Log
To view the application logs, go to Log->Applications. Administrator can view all application
events such as start, stop, window change, title change, login, and logoff events.


Log Types
Start / Stop: Log the start and stop status of application
Windows Changes: When user changes the application, system records the windows changes log
Title Changes: When user uses an application, it may have different windows or titles such as browser

Application Log Log Type

NOTE
Window / Title changes are not logged by default; the settings can be changed through Basic
Policy->Event Log to record window and title changes.

Administrator can input time and range, type in path or window title, and enter specific application or
application class to filter the search result. Input string supports wildcard character.
Search Conditions
Path / Title: Input the application path or title for part of query conditions
Application: Input the application name directly or specify the application class for part of query conditions
1. Input the application name directly: System administrator can input the application name directly e.g. qq.exe or *game*.exe
2. Specify application class: Select the button to specify the application class

Application Log Search Conditions

Application Logs


Document Operation Log


Select Log->Documents to view all document operation logs of the agents.
Document Operation Types
Includes create, access, modify, rename, copy, move, delete, restore and upload/send

Document Operation Log Document Operation Types


Disk types
Supports Fixed, Floppy, CD-ROM and Removable

Document Operation Log Disk Types


Log Contents
The document operation log content includes document operation Type, Time, Computer, User, Source
Filename, File size, Path, Disk Type, Application and Caption
Source Filename: The file operated by agent computer user
Path: The details of file operation path. When user copies, moves or renames the file, the details of source and destination of the file path are also displayed.
Disk Type: Specifies the location of the document which may be on the fixed disk, network drive, removable storage or CD-ROM. When user copies, moves or renames the file, the details of source and destination of the disk types are also displayed.
Application: The application used to operate the file
Caption: The caption of the document operations

Document Operation Log Log Contents


Backup Document Log
In the document and IM File policies, when policies are invoked with document backup, the backup document
can be retrieved from the Document Operation Log.
- This icon represents a log with the backup file inside. Double clicking such a log opens a dialogue
window containing a Copy button. Click this button to retrieve the backup document directly.

Document Operation Log Backup Document Log

Document Operation Log Property



Administrator can filter the search results by keying in time and range, select operating type, drive
where the document is located, file name, file size range, and application that opened the file. Input
string supports wildcard character.

Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Operating Type: By default, it is set to All. Specified type can be selected from the drop-down menu which consists of Create, Copy, Move, Rename, Restore, Delete, Access, Modify and Upload/Send
Drive: By default, it is set to All. Specified drive can be selected from the drop-down menu which includes Fixed, Floppy, CDROM, Removable
Filename: Filters the query based on the filename. Supports wildcard input.
Size: Specify the file size to query the target document log
Application: Input the application name directly or specify the application class for part of query conditions
1. Input the application name directly: System administrator can input the application name directly e.g. qq.exe or *game*.exe
2. Specify application class: Select the button to specify the application class
Has Backup: Check this option to query the document log with backup only

Document Operation Log Search Conditions

Document Operation Log


Shared File Log


To view logs of shared files, go to Log->Shares. Administrator can view the log of shared files on
the agent that have been operated on by others. Logged operations include create, rename, modify,
and delete.
Shared File Operation Types
Includes create, modify, rename, copy, and delete operations. Access, copy and move operations are not
supported.

Shared File Log Operating Types


Log Contents
The shared file log contents include document operation Type, Time, Computer, Remote Host, Source
Filename and Path
Remote Host: Remote computer's IP address
Source Filename: The file operated by agent computer user
Path: The details of file operation path.

Shared File Log Log Contents


Administrator can input time and range, select operating type, file name, and remote computer
name or IP address to filter the search result. Input string supports wildcard character.
Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Operating Type: By default, it is set to All. Specified type can be selected from the drop-down menu which includes Create, Rename, Delete and Modify
Name: Filters query based on the filename. Supports wildcard input
Remote IP / Name: Specify the remote IP or computer name to filter the query

Shared File Log Search Conditions

Shared Files Log


Printing Log
To view the printing logs, go to Log->Printing. Administrator can view the printing log of the
agent including usage of local printer, shared printer, network printer, and virtual printer.

Log Contents
The printing log content includes Printer Type, Time, Computer, User, Printing Task, Printer Name, Pages,
Caption and Application
Printing Task: The name of the printed document
Printer Name: The printer used to print out the document
Pages: The total number of pages
Caption: The window caption used when printing
Application: The application used to operate and print out the document

Printing Log Log Contents

Administrator can input time and range, printer type, printer name, computer name, printing task title,
page size range, and application to print to filter the search result. Input string supports wildcard
character.

Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Printer Type: By default, it is set to All. Specified printer type can be selected from the drop-down menu which includes Local, Shared, Network and Virtual printers
Printer: Specify the printer and filter the query to get the statistics to know the printer usage
Computer: Specify the remote IP or computer name to filter the query
Task: Specify the document name. Supports wildcard input
Pages: Specify the pages to filter the query to monitor the printer usage
Application: Input the application name directly or specify the application class for part of query conditions
1. Input the application name directly: System administrator can input the application name directly e.g. qq.exe or *game*.exe
2. Specify application class: Select the button to specify the application class

Printing Log Search Conditions


Printing Log

Removable-storage Log
Select Log->Removable-storage to view the log of all agent computers' removable storage plug-in
and plug-off actions.
Log Contents
The removable-storage log content includes Type, Time, Computer, User, Disk Type, Volume ID, Description
and Volume Label.
Volume ID: The volume ID is a unique ID of every removable-storage device. This data can also be found in Removable-storage class.
Description: Provides detailed information of the removable-storage device
Volume Label: The name of removable drive

Removable-storage Log Log Contents


Administrator can input time and range, removable storage name and operation type to filter the
search result. Input string supports wildcard character.
Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Removable Storage: Specify the removable-storage class for part of query conditions. Select the button to specify the application class
Operation Type: By default, it is set to All. Specified removable-storage type can be selected from the drop-down menu which includes Plug-in and Plug-out actions

Removable-storage Log Search Conditions


Assets Change Log


Select Log->Asset Changes. Administrator can view the asset change log of hardware and
software including add, delete, and change functionalities.

Log Contents
The asset log contents include Operating Type, Time, Computer, Type and Description
Operating Type: Add, Delete and Change of the asset
Type: Identifies whether the change is Software or Hardware
Description: The information of asset change

Assets Change Log Log Contents


Administrator can input time and range and asset description to filter the search result. Input string
supports wildcard character.
Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Type: By default, it is set to All. Specified removable-storage type can be selected from the drop-down menu which includes Hardware Changes and Software Changes
Operation Type: By default, it is set to All. Specified removable-storage type can be selected from the drop-down menu including Add, Delete or Change functionalities
Description: Specify the asset description to filter the query. Supports wildcard input.

Assets Change Log Search Conditions

Assets Change Log


Policy Log
Select Log->Policies. Administrator can view the entire log triggered by policy settings.

Log Contents
The policy log content includes Alert Level, Time, Computer, User, Policy and Description
Alert Level: There are three alert levels: Low, Important and Critical. The alert level settings can be done in each policy
Policy: The corresponding policy triggered by agent.
Description: The information of triggered policy

Policy Log Log Contents

Administrator can input time and range, lowest alert level, policy type, and content to filter the
search result. Input string supports wildcard character.

Search Conditions
Time and Range: Input specified date, time and range to filter the search result
Lowest Alert Level: By default, it is set to All. Specified alert level can be selected from the drop-down menu including Low, Important and Critical alert
Policy Type: By default, it is set to All. Specified policy type can be selected from the drop-down menu
Content: Specify the policy description to filter the query. Supports wildcard input.

Policy Log Search Conditions

System Log
Select Log->System. Administrator can view the server start and stop status, illegal intrusion,
and agent connection errors.
Administrator can input time and range and content to filter the search result. Input string supports
wildcard character.
NOTE
If any of the agents cannot connect to Endpoint Data Protection server, System administrator can check
the System log to find out the reasons.


System Logs


Chapter 5
Policy
Policy Introduction
Administrator can limit the use of computer and network resources on agent computers by setting
policies to control staff's computer usage and improve productivity.
Common Policy Properties
Name: This is a user-defined name to describe the policy. It is irrelevant to the actual function of the policy. When adding a new policy, the system will add a default name to the policy and administrator can change it later

Time: This is the time range in which the policy is effective. It can be a self-defined time type. Time types are set in Tools->Time Types. If no suitable time type is available, select Custom and set the time range from the popup time matrix.

Mode: The following modes can be selected to be executed: Block, Allow, Inaction and Ignore.
  Allow: Allows an operation to be performed. Matching follows the hierarchy (user policy has higher priority than computer policy; self policy has higher priority than group policy; a policy on top has higher priority than the policy below). When a policy is found in higher priority, it will be executed and the policies in lower priority will be ignored.
  Block: Blocks an operation. According to the hierarchy, the policy in higher priority is executed and the policies below it are ignored.
  Inaction: Neither allows nor blocks an operation, but it can trigger events such as warning or alert. According to the policy matching principle, once the current Inaction policy is completed, the following policies will not be executed.
  For example, the first policy sets the mode for USB device to Inaction and the second policy prohibits USB device. When a USB device is plugged in, the first policy is matched. Since the mode is Inaction, it will not be blocked but the following second policy will not be matched.
  Ignore: Neither allows nor blocks an operation, but it can still trigger events such as warning or alert. According to the policy matching principle, the system continues to search the following related policies.
  For example, the first policy sets all *.doc with Ignore mode and alert; the second policy prohibits copying *.doc files. When accessing the doc files, the first policy is matched (i.e. alert popup) and then the following second policy will also be matched (i.e. it determines whether the accessing action is copy or not. If it is copy, the action is prohibited.)

Action: While the policy is in execution, there are 3 types of actions which can also take place: alert, warning, and lock computer.
  Alert: When a matched policy with alert option is executed, the console can receive a popup message to alert administrator. Whether to show the popup alert bubble can be set from Tools->Option->Real Time Alert->Popup Bubble. There are three types of alert: Low, Important, and Critical. Meanwhile, the server will record the alerts, which can be viewed from the policy log or alert log.
  Warning: When a matched policy with warning option is executed, a dialog box will pop up on the agent computer. The content of the warning message can be set in each policy.
  Lock computer: When a matched policy with lock computer option is executed, the agent computer will be locked. To unlock, select Control->Unlock from the toolbar, or highlight the target agent in the network tree and then right click to select Control->Unlock from the menu

Expiring Time: By default, the expiry date is set to Always. In other words, the policy is always active, and never expires. A policy will always be effective before its expiry date. Click the button to set the expiry date. In the Setting window, check Apply and input the expiry time. The system does not allow user to set an expiry date earlier than the current date. If the policy is expired, the fonts in the policy will be displayed in dark grey and the Expiring Time will be displayed in red.

Only Offline: When there has been no communication between server and agent for the last 3 minutes, the agent is in offline status. The policy will only be effective when console determines that the agent is in offline status.
When to apply this option: System administrator may apply different policies for notebook users when the notebook is used on a business trip, in the office or at home, or in case the network cable is unplugged.
Common Policy Properties

Priority Matching for Policy


The policy matching mechanism is similar to that of a firewall. Each goal can be combined from a number of
policies, which are then matched in accordance with their relationships. At the same time, different
computers (group) or users (group) inherit their parents' policies.
Function of Policy Buttons
New, click this button to add a new policy
Up, move up selected policy
Down, move down selected policy
Delete, delete selected policy
Restore, cancel new added policy or any modified settings
Save, click this button to save all new added or modified settings
Indicates that the policy mode is allow
Indicates that the policy mode is block
Indicates that the policy mode is ignore
Indicates that the policy mode is inaction
Indicates the policy with alert setting
Indicates the policy with warning setting
Indicates the policy with lock computer setting
Indicates the policy with expiring time setting
Policy Functional Buttons

Key Concept: Priority Matching for Policy


1. System administrator can apply policies at the whole network, group, computer and user levels.
According to the hierarchical mechanism, the order of priority is: User Policy >
Computer Policy > Group Policy > The Whole Network Policy
2. The inherited policy is indicated in light green color. The property fields related to string input all
support wildcard characters (each string up to 3 wildcards) and multiple inputs separated by ; and ,

Basic Policy
By using Basic policy, the administrator can regulate computer operation rights and can also
restrict end users from changing the system settings, thereby preventing
malicious activity and strengthening security.
Basic policy works by amending the system registry. Basic policy and Device policy are
different from other policies: they are state-keeping policies, not policies invoked in real time.
Basic policy supports: Control Panel, Computers Management, System, Network, IP/MAC Binding
and ActiveX controls
Control Panel
Control Panel

All Control Panels functions

Modified Display Properties

Restrict users from changing the theme, desktop, screen saver and appearance

Add printers

Restrict user to add printers

Delete printers

Restrict user to delete printers

Fast switching user in XP

Restricted in Windows XP only

Computers Management
Device Manager

Restrict user to use Device Manager

Disk Management

Restrict user to use Disk Management

Local users and groups

Restrict user to use Local users and groups

Service Management

Restrict user to use Service Management

Other computer Managements

Restrict user to use: Event Viewer, Performance Logs and Alerts and
Shared Folders located in Computer Management

System
Task Manager

Restrict user to use Task Manager

Regedit

Restrict user to use Regedit

CMD

Restrict user to use CMD. For Windows 98, it is command, and for
others it is cmd

Run in registry

If the mode is block for this option, the processes under Run will not run
when the OS starts up. A log off or restart is required for the setting to take
effect.

RunOnce in registry

RunOnce means that the process only runs once when the OS starts up,
and it will not run again at the next startup. If the mode is block for this
option, the processes under RunOnce will not run. A log off or restart is
required for the setting to take effect.

Network
Modify Network Property

Restrict user to modify the network property. The button Properties will be
disabled in the LAN Status windows

Display Network Places

If the mode is block, My Network Places will be hidden. A log off or restart
is required for the setting to take effect

Modify Internet Options

Restrict user to modify Internet Options settings

Default Netshare

If the mode is block, the default Netshare will be blocked

Netshare

If the mode is block, the user cannot share folders or files

Add Netshare

If the mode is block, the user is not allowed to add Netshare

IP/MAC Binding
Change IP/MAC Property

1. Use this option to prohibit the user from changing the IP settings. Once the
prohibiting policy is set, the current IP/MAC settings are saved.
If any change is found, the settings are restored to the saved IP/MAC
settings.
2. If the IP needs to be changed, the prohibiting policy must be deleted
first

ActiveX
Chart ActiveX

Restrict user to use chart ActiveX

Media ActiveX

Restrict user to use Media ActiveX. Generally this kind of ActiveX is
applied for playing music or video on the Internet. Prohibit this option to stop
the user from listening to or watching online media

Game ActiveX

Some online games may require installation of ActiveX. Prohibit this option
to stop user from playing online game

Flash ActiveX

This ActiveX is required for playing FLASH. Prohibit this option so that the
FLASH file cannot be played properly

Others
System Restore

Prevents the user from restoring the system from an agent state back to a non-agent state.
Use this option to prohibit the system restore function

Basic Policy

Basic Policy: Example 1


Requirements:
IP settings cannot be changed by end-user. However, it should be allowed when the
computer is out of office for business trip.
Policy (1): Add a policy at The Whole Network level for blocking the Change of IP/MAC
Property
Policy (2): Add another policy at the target computer (group) level to allow Change
IP/MAC Property with option Only offline checked
Result:
According to the policy matching mechanism, policy (2) has the higher priority, so it is
matched first. When the computer is determined to be in offline status, policy (2) is
invoked and the user is able to change the IP settings. However, if the computer's status is
determined as online, the condition specified in policy (2) is not satisfied, and policy (1)
is matched next. As its condition is satisfied, policy (1) is invoked, and the user is not able
to change the IP settings.
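
The matching described in Example 1 can be modelled as follows. This is an added illustration, not code from the product or the guide: the `Policy` class, the function names and the rule that an unmatched setting is unrestricted are assumptions made here. The `shadowed` helper goes one step beyond the example and reports policies that can never be invoked, which is what happens to policy (1) if Only Offline is left unchecked on policy (2).

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Highest to lowest priority, as listed under "Key Concept: Priority Matching for Policy".
LEVELS = ["user", "computer", "group", "network"]
OFFLINE_AFTER_SECONDS = 3 * 60  # no server contact for 3 minutes => agent is offline


@dataclass(frozen=True)
class Policy:
    name: str
    level: str                  # one of LEVELS
    setting: str                # the Basic policy item the rule covers
    mode: str                   # "allow" or "block"
    only_offline: bool = False  # the "Only Offline" common property


def ordered(policies: List[Policy]) -> List[Policy]:
    """Sort by level priority; the stable sort keeps the given order within a level."""
    return sorted(policies, key=lambda p: LEVELS.index(p.level))


def effective_policy(policies: List[Policy], setting: str,
                     seconds_since_contact: float) -> Optional[Policy]:
    """Return the first policy, in priority order, whose conditions are satisfied."""
    offline = seconds_since_contact >= OFFLINE_AFTER_SECONDS
    for policy in ordered(policies):
        if policy.setting == setting and (offline or not policy.only_offline):
            return policy
    return None


def user_can_change(policies: List[Policy], setting: str,
                    seconds_since_contact: float) -> bool:
    policy = effective_policy(policies, setting, seconds_since_contact)
    # Assumption made for this example: with no matching policy the setting is unrestricted.
    return policy is None or policy.mode == "allow"


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never be invoked because a higher-priority policy
    for the same setting matches in every state in which they would match."""
    hidden, seen = [], []
    for policy in ordered(policies):
        for earlier in seen:
            same_setting = earlier.setting == policy.setting
            always_first = (not earlier.only_offline) or policy.only_offline
            if same_setting and always_first:
                hidden.append(policy.name)
                break
        seen.append(policy)
    return hidden


IP_MAC = "Change IP/MAC Property"

# The two policies of "Basic Policy: Example 1".
EXAMPLE_1 = [
    Policy("Policy (1)", "network", IP_MAC, "block"),
    Policy("Policy (2)", "group", IP_MAC, "allow", only_offline=True),
]

# Constructed misconfiguration: Example 1 with Only Offline left unchecked on policy (2).
MISCONFIGURED = [EXAMPLE_1[0], replace(EXAMPLE_1[1], only_offline=False)]

if __name__ == "__main__":
    for label, seconds in (("online", 10), ("offline", 600)):
        print(label, "-> user can change IP:", user_can_change(EXAMPLE_1, IP_MAC, seconds))
    print("shadowed in Example 1:", shadowed(EXAMPLE_1))
    print("shadowed when Only Offline is unchecked:", shadowed(MISCONFIGURED))
```

Running the shadow check before saving a policy set shows whether a lower-level allow has silently disabled a network-wide block.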

Basic Policy: Functions Only effective for Computer (group) settings


The following functions are only effective for Computer (group) settings: Change IP/MAC Property, System
Restore and Netshare

Device Control Policy


The device control policies support the following: Storage, Communication Device, Dial, USB
Device, Network Device and other devices.
Storage
Floppy

Floppy Drive Control, Cannot use floppy if it is prohibited

CDROM

DVD/CD-ROM Drive Control

Burning Device

Controls the disk burning action; the device can still read

Tape

Tape drive Control

Moveable Device

Includes USB Flash drive, removable drive, memory stick, smart card, MO
and ZIP drive control
But does not include the devices with IDE, SCSI and SATA interface

Communication Device
COM

COM Ports Control

LTP

LTP Ports Control

USB Controller

USB Controller Control

SCSI Controller

SCSI Controller Control

1394 Controller

1394 Controller Control

Infrared

Infrared device Control

PCMCIA

PCMCIA Card Control

Bluetooth

Bluetooth device Control

MODEM

Modem device Control

Direct Lines

Direct connection control between two computers using USB cable, COM
port or Serial cables

Dial
Dial-up Connection

Dial-up Connection Control

USB Device
USB Keyboard

USB Keyboard Control

USB Mouse

USB Mouse Control

USB Modem

USB Modem Control

USB Image Device

USB Image Device Control such as Webcam, Digital Camera and Scanner

USB CDROM

USB CDROM Control

USB Storage

USB Storage Control

USB Hard disk

USB Hard disk Control

USB LAN Adapter

USB LAN Adapter Control

Other USB Devices

Control other USB devices not mentioned as above

Network Devices
Wireless LAN Adapter

Wireless LAN Adapter Control

PnP Adapter (USB, PCMCIA)

Virtual LAN Adapter

Virtual LAN Adapter Control

Others
Audio

Audio, video and game controller control

Virtual CDROM

Virtual CDROM Drive Control

Any new devices

Any new devices plugged in. If the mode is block, no new devices can
be used

Device Policy

Device Control Policy: Example 1


Requirements:
Some companies have policies such as not allowing staff to listen to music or play online games
during office hours. In this case, System administrator can set a policy to prohibit the use of Audio
Policy (1): Add a policy to block Audio in Device Policy and set the effective time as Working
Time.

Device Policy Example 1 Property

Device Control Policy: Example 2


Requirements:
To prevent leakage of some important files, System administrator can set a policy to prohibit the
use of Burning devices and removable device
Policy (1): Add a policy to block some Storage (Floppy, CDROM and Moveable Device),
Communication (Bluetooth as File transfer between local computer and Mobile
Phone/PDA may be done through Bluetooth) and USB devices (USB Storage and USB
Hard disk) and set the effective time as All Day

Device Policy Example 2 Property

Application Policy
Many Enterprises prohibit their staff from installing their own application software such as BT, chatting
and online games software. Application policy control can limit the use of unwanted applications.
When a policy is added, the application is <All> by default. There are two methods to specify the
application:

Application Policy
1. Direct Input Application Name

In the Application Setting window, click the button to input the application name directly,
e.g. thunder.exe. If the user changes the application name to thunder123.exe, the policy is no longer
effective because the input is matched only as a string. To avoid this problem, use
method 2 below.

2. Select from Application Class

In the Application Setting window, click the button and the Application Class Selection
window pops up. Check the application classes you want to control. If the mode is block, the policy
remains effective even if the user changes the application name later.

Caution:
Application Policy Warning
Prohibiting all applications will cause many processes to be terminated immediately once the policy is applied.
Warning message will be given before blocking all applications.

Application Policy Warning

Logging Policy
By default, the system has a preset policy to record all logs except Window Title. Depending on the
Enterprise's requirements, System administrator can add a policy to uncheck logs that do not
need to be monitored.
Policy Properties:
Mode

Record or Not Record

Startup/Shutdown

Startup/Shutdown log (found in Basic Event log)

Login/Logoff

Login/Logoff log (found in Basic Event log)

Dial

Dial log (found in Basic Event log)

Policy Control

Policy alert log

Hardware Changes

Hardware changes log

Software Changes

Software changes log

Application

Application usage log. System administrator can set a policy for not
recording application usage log

Visible Window

It means the application with windows

Application

System administrator can specify applications, and only the specified
applications will be logged. The defined application classes can be
applied here and it also supports wildcard input.

Window Title Change

By default, this is not recorded. System administrator can set a policy to
log the changes based on different applications (optional)

Application

System administrator can specify applications, and only the specified
applications with window title changes will be logged. The defined
application classes can be applied here and it supports wildcard input.

Document

Document log. System administrator can select to record or not record
certain document type logs to make sure that all logs are useful for
future tracing.

Disk Type

Includes: Fixed, Floppy, CDROM, Removable, Network and unknown
disk types. For example, set a policy for not recording any file
operations on fixed disk

File Name

Can be set to record or not record specified filename. Supports wildcard
input e.g. not record *.txt ;*.log

Application

Application for file operations

Printing

Printing log

Printer Type

Select to record or not record specified printer types

Application

Application for file operations

Shared Files

Shared files log

File Name

Shared file name. Supports wildcard input.

IP Range

IP range of the remote hosts accessing the agent's shared files. System administrator
can set a range so that access operations from those IP ranges are not recorded.

Mail

Log the email contents. Control policies can be set to record or not
record the email

Sender

Email sender address. Supports wildcard input.

Recipients

Email recipient address. Supports wildcard input.

Mail Size (>=KB)

If it is set, an email over the specified size will not be logged

Not Record Attachment

This option is only enabled under the mode Record. If it is checked, the
email attachments will not be logged. In the Console (Monitoring → Mail),
the properties of the email will tell you if it has attachments, however,
they cannot be retrieved.

Instant Message

The instant message conversation contents. System administrator can
select the IM applications which are targeted to log

Application Statistics

Application usage data

Web Statistics

Web browsing data

Traffic Statistics

Network Traffic data


Logging Policy Properties

Logging Policy Example


Requirement:
Only log all incoming and outgoing emails without attachments
Policy (1): Add a logging policy to not record email attachments.
Policy Name: Not record email attachments
Mode: Record
Mail, Send, Receive and Not Record Attachment: checked

Logging Policy Policy Example

Alert Policy
Alert policy is used to monitor changes to hardware, software and other system settings. If
any changes are made in the system, it alerts the System administrator in real time. This
helps the System administrator to understand the real time situation of each computer in the
network and take appropriate measures to increase maintainability.
Alert Policy includes the following alert function: Hardware change, Plug in, Plug off, Plug in Storage
Device, Plug off storage Device, Plug in communication device, Plug off communication device,
Software changes, System service change, Startup change, System time change, Computer name
change and Network configuration change.
Policy Properties
Hardware change

Any hardware installed or removed alert

Plug in

External devices plug-in alert, and also records
the device name

Plug off

External devices plug-off alert

Plug in storage device

External storage device plug-in alert, and also
records the device name

Plug off storage device

External storage device plug-off alert

Plug in communication device

External communication device plug in alert, and
also records the device name

Plug off communication device

External communication device plug off alert

Software changes

Any software installed or removed alert

System service change

Any system services installed or removed alert

Startup change

Any system startup tasks added, deleted or
changes alert

System time change

Any System time changes alert

Computer name change

Any computer name changes alert

Network configuration change

Any network configuration changes alert


Alert Policy Properties

Mail Policy
Mail policy is used to prevent leakage of Enterprise internal information/data in the course of sending
email.
Mail policy is used to control outgoing email but cannot control incoming email. Also, Endpoint Data
Protection cannot control webmail and Lotus emails, whether incoming or outgoing.
Note: The mail policy is only effective for computer (group) but not user (group)
Policy Properties
Sender

Controls the sender email address. Supports wildcard and multiple inputs,
use , and ; as separators

Recipients

Controls the recipients email address including CC and BCC email
addresses. Input rules are same as Sender

Subject

Controls the email subject. Input rules are same as Sender

Has attachments

Controls the email with/without attachments. If this option is checked, it
means the control is only effective for email with attachment. If this option is
unchecked, it means the control is effective for all emails whether the email
has attachments or not.

Attachment

Controls the email with specified attachment name. Input rules are same as
Sender

Mail size (>=)

Controls the email with specified size. By default, it is set to 0 which
represents all. Input the mail size with >= value for conditional control

Mail Policy Properties

Mail Policy: Example 1


Requirements:
Some enterprises may limit the sender. They only allow staff to use internal email account to send
email, and others will be prohibited
Policy (1): Add a Mail policy to block all emails
Policy Name: Block all emails
Mode: Block

Mail Policy Policy Example 1: 1st policy


Policy (2): Add another Mail policy to allow specified sender to send emails out.
Policy Name: Allow @cyberoam.com only
Mode: Allow
Sender: *Cyberoam.com*

Mail Policy Policy Example 1: 2nd policy
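
The Sender value in policy (2) is a wildcard string, and how widely it matches decides what the allow rule really lets through. The sketch below is an added illustration, not code from the product or the guide. It assumes that `*` matches any run of characters, that matching is case-insensitive and covers the whole string, and that multiple inputs are split on ; and , with at most 3 wildcards each, as the guide states for string fields. The helper names, the sample addresses and the tighter pattern `*@cyberoam.com` are constructed for this example.

```python
import re
from typing import List

MAX_WILDCARDS = 3  # "each string up to 3 wildcards"


def split_patterns(field: str) -> List[str]:
    """Split a property field into its patterns, using ; and , as separators."""
    patterns = [part.strip() for part in re.split(r"[;,]", field)]
    patterns = [part for part in patterns if part]
    for pattern in patterns:
        if pattern.count("*") > MAX_WILDCARDS:
            raise ValueError(f"more than {MAX_WILDCARDS} wildcards in {pattern!r}")
    return patterns


def wildcard_match(pattern: str, value: str) -> bool:
    """Assumed semantics: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(chunk) for chunk in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def field_matches(field: str, value: str) -> bool:
    """True when any pattern in the field matches the value."""
    return any(wildcard_match(pattern, value) for pattern in split_patterns(field))


def unintended_matches(field: str, intended_domain: str, samples: List[str]) -> List[str]:
    """Sample addresses the field matches although they are not at the intended domain."""
    suffix = "@" + intended_domain.lower()
    return [address for address in samples
            if field_matches(field, address) and not address.lower().endswith(suffix)]


# Constructed sample sender addresses for auditing the pattern.
SAMPLES = [
    "alice@cyberoam.com",
    "bob@CYBEROAM.COM",
    "user@cyberoam.com.example.net",   # domain only starts with the intended name
    "cyberoam.com@example.org",        # intended name appears in the local part
    "carol@example.org",
]

GUIDE_PATTERN = "*Cyberoam.com*"   # Sender value from policy (2) above
TIGHT_PATTERN = "*@cyberoam.com"   # constructed alternative anchored on the @ and the end

if __name__ == "__main__":
    for field in (GUIDE_PATTERN, TIGHT_PATTERN):
        matched = [a for a in SAMPLES if field_matches(field, a)]
        print(field, "matches", matched)
        print("  outside the domain:", unintended_matches(field, "cyberoam.com", SAMPLES))
```

Under these assumptions the pattern from the guide also allows senders that merely contain the domain name, so an allow rule meant for one domain is better anchored on the @ sign and the end of the address.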

Mail Policy: Example 2


Requirements:
All Enterprises do not allow staff to communicate with competitors. Thus Endpoint Data Protection
can block all outgoing emails whose recipients are competitors
Policy (1): Add a Mail policy to block all emails in which the recipients are competitors
Policy Name: Block emails to send to competitors
Mode: Block
Alert: [optional]
Warning: [optional]
Recipients: *yahoo*

Mail Policy Policy Example 2

IM File Policy
IM Policy is used to control the communications using IM tools and monitor/control all outgoing files
sent through the IM tools to prevent information leakage through the IM channels.
The following IM tools are supported to limit the outgoing files sent through IM tools: QQ, MSN,
SKYPE, TM, UC, RTX, Yahoo!, POPO, ALI, ICQ etc.
Policy Properties:
File Name

Specifies which files are controlled. Supports wildcard input, using ; or , as
separators

Limited Size (>=KB)

Only enabled under the block mode. Used to limit the outgoing file size.
Input range: 0 - 100000 (KB)

Backup

If checked, all outgoing files will be backed up. The backup files can be
retrieved from Event log → Document; check the option has Backup and
select the operating type as Upload/Send for faster searching

Minimum Size (>=KB)
Maximum Size (<=KB)

If Backup is checked, the file size range can be specified to decide whether the file will be
backed up or not. If the file is outside the specified range, it will not be
backed up

IM Policy Properties

IM File Policy: Example 1

Requirements:
Some Enterprises allow staff to use IM tools for communication. However, they are also concerned
that information can be sent out through these tools. Hence, using IM policy, enterprises
can prohibit users from sending files out and take a backup of all attempted outgoing files
Policy (1): Add an IM File policy to take a backup of all outgoing files
Policy Name: Backup all outgoing files
Mode: Allow

IM Policy Policy Example 1: 1st Policy


Policy (2): Add another IM File policy to block all outgoing files with specified file extensions
Policy Name: Backup all outgoing files with specified file extensions
Mode: Block
Alert: [optional]
Warning: [optional]
File Name: *doc*, *pdf*, *zip*, *rar*, *jpg*

IM Policy Policy Example 1: 2nd Policy

Document Operation Policy


Document Control Policy is used to control and limit agent users' access to confidential
information, or to assign different rights to different agent users. Also, the backup function guards
against the loss of important files that are deleted maliciously or by human error
Policy Properties:
Operating Type

There are 3 kinds of operating types: Read, Modify and Delete
- Allow Modify means Read is also allowed
- Allow Delete means Read and Modify are also allowed

Read

Read files

Modify

Includes all operations except read and delete, i.e. create,
rename, modify, copy, move and restore.

Delete

Delete files

Disk Type

By default, it is set to <All>. Press Ctrl + A to select all or none.

File Name

- Specify the filename to control, or input a
folder path, e.g. E:\work\* represents all files under this work
folder for the particular policy.
- Supports wildcard input, using ; and , as separators for multiple
inputs

Backup before modify

- Backup files before modify
- This option is only enabled when Modify is checked

Backup when copy/out

- Backup files when copy/cut to specified disk
- This option is only enabled when Modify is checked

Backup before delete

- This option is only enabled when Delete is checked

Minimum Size (>=KB)
Maximum Size (<=KB)

If the above Backup options are checked, the file size decides
whether the file will be backed up or not. If it is outside the specified
range, the file will not be backed up

Application

Specify the document operations done on application software

Document Policy Properties

Document Operation Policy: Example 1


Requirements:
Some important files/folders on a shared network drive need to be restricted so that not all users can
modify or delete the files
Policy Settings:
Policy (1): Add a Document Control policy to block the operating types: modify / delete to specified network
shared drive
Policy Name: Cannot modify / delete \\network_path\*
Mode: Block
Alert: [optional]
Warning: [optional]
Operating types: check modify, delete
Disk type: Network
File Name: \\network_path\*

Document Policy Policy Example 1

Document Policy Policy Example 1 Warning message

Document Policy Policy Example 1 Alert message

Document Operation Policy: Example 2


Requirements:
Similar to Example 1. However, to make use of the network shared resources, some staff are
allowed to modify/delete files/folders on the shared network drive, and the System administrator is concerned that
some files may be deleted maliciously or by human error. In this case, backup options should be checked in a
document control policy.

Policy Settings:
Policy (1): Add a Document Control policy to allow the operating types: modify / delete to specified
network shared drive
Policy Name: Backup files before delete
Mode: Allow
Alert: [optional]
Warning: [optional]
Operating types: check modify, delete
Disk type: Network
File Name: \\network_path\*
Backup before delete: checked.
All backup files can be retrieved from Event Logs → Document

Document Policy Policy Example 2 Document Operation Logs

Caution:

Be careful of Backup Option


If any Backup options are checked, the volume of backup data can become quite large. We strongly recommend
that the System administrator be careful when designing policies with backup options. Enough hard disk
space should be available for storing the data, and the data should be backed up regularly.

Printing Policy
Printing policy is used to control the use of different kinds of printers such as local, shared, network
and virtual printers to prevent the information leakage.
Policy Properties:
Printer Type

4 kinds of printer types: Local, Shared, Network and Virtual Printer (e.g. PDF
creator)

Printer description

Set the printer name. System administrator can specify the internal network
printers e.g. \\server\* represents all printers in \\server

Application

Specify the application used for printing out


Printing Policy Properties

Printing Policy: Example 1
Requirements:
Some of the enterprises are afraid that their staff brings their own mini-printers back to office to print
out confidential information/data
Policy Settings:
Policy (1): Add a Printing policy to block all local printers
Policy Name: Block all local printers
Mode: Block
Printer Type: Local Printer

Printing Policy Policy Example 1: 1st Policy


Policy (2): Add another Printing policy to allow specified server's printers
Policy Name: Allow specified server's printers
Mode: Allow
Printer Type: Shared Printer, Network Printer
Printer description: \\192.168.0.72\*

Printing Policy Policy Example 1: 2nd Policy

Removable-Storage Policy
To prevent information leakage through removable devices, System administrator can apply
removable-storage policy to assign different rights to removable storages. Also, the files can be
encrypted when writing to the removable storages. Only authorized computer agents can decrypt
the files.
To manage specified removable storages, go to Tools → Classes Management →
Removable-Storage to see how to customize the Removable-storage classes
Policy Properties:
Read

- Free to read any files from removable storages
- The following 3 options (i.e. Decrypt when reading, Write and
Encrypt when writing) are enabled when this is checked

Decrypt when reading

- This option is only enabled when Read is checked
- The files are only decrypted when Explorer.exe is used to copy files
from removable storage to local or network disks. Encrypted files read
with other application programs are not
decrypted

Write

- Free to write any files to removable storages
- When the action Write is prohibited, no files can be
copied or saved to removable storages. Also, the files on the
removable storages cannot be deleted or renamed.

Encrypt when writing

- This option is only enabled when Write is checked
- Prohibits any application program from copying files to removable
storages, except Explorer.exe

Removable Storage

By default, it is set to <All>. To specify removable storages,
corresponding classes must be selected (Please refer to Section
Removable-storage class management)

Removable-storage Policy Properties

Removable-storage Policy: Example 1


Requirements:
How to ensure that users can only use company-provided removable devices?
Policy Settings:
Policy (1): Add a Removable Storage policy to block all unclassified devices
Policy Name: Block all unclassified devices
Read: unchecked
Removable Storage: select {Unclassified} class

Figure 5.16 Removable-storage Policy Policy Example 1: 1st Policy


Policy (2): Add another Removable Storage policy to allow approved class removable-devices
Policy Name: Allow Read/Write for approved class device only
Read: checked
Write: checked
Removable Storage: select {approved} class

Removable-storage Policy Policy Example 1: 2nd Policy


Caution:

Priority between Document Control Policy and Removable-storage Policy


If both document control policy and removable-storage policy are applied at the same time, the document control
policy is executed first and then the removable-storage policy.
For instance, a removable-storage policy allows reading/writing from removable storage with the encrypt
function, while a document control policy prohibits copying any Word document to removable disk. The
result is that copying Word documents to removable disk is not allowed, but other files may be
copied to removable storage with encryption.

Chapter 6
Monitoring
Instant Message Monitoring
System administrators are able to monitor the Instant Message history of Agent computers by selecting
Monitoring → Instant Message. Supported instant message tools include: Tencent QQ, TM, MSN
Messenger, ICQ (Does not support web-based ICQ yet), Yahoo! Messenger, Sina UC, 163 POPO
(outgoing message only), Skype (support both since v3.0.2108), Tencent RTX, Lotus Sametime,
and Alibaba AliTalk.

Instant Message
The Instant Message log includes: IM tools, Computer, Local user, Contact User, Begin Time, End
Time, no. of Statement and the Instant Message contents
IM Tool

Shows which IM tool is used

Computer

Shows the computer name

Local User

Shows the IM login account

Contact User

Shows the other chat party's user account

Begin Time

Shows the start time of chat

End Time

Shows the end time of chat

Statement

Shows the total number of chat statements

IM Content

Shows the details of IM contents with recorded time


IM Log Contents

Save IM Contents
To save the IM contents, select the desired records (press Ctrl for multiple selections) and then right
click to select Save As HTML File to save the IM contents in htm or html format. If multiple records
are selected, each one will be saved in an individual file.

Search conditions
Tool

By default, it is set to All. To specify an IM tool, the administrator can select from
the drop down menu

User ID or Nickname

Query the IM contents with specified local user ID (or nickname) or the other
party's account ID (or nickname)

Content

Query the IM contents with specified keywords e.g. *mail* The input
contents will be highlighted in red in the results

IM Search Conditions

Email Monitoring
Email contents can be logged from every agent. Supported email types: Normal mail, Exchange mail,
Web mail and Lotus mail. Note that only the normal and Exchange mail types can log all incoming and
outgoing emails, whereas the web mail and Lotus mail types can only log outgoing mail.

Mail Monitoring

Email contents include: Send/Receive, Subject, Sender, Recipients, mail content, attachment and
size.
Send/Receive

One icon represents that the mail is an outgoing email, while another represents an
incoming email

Subject

Subject of email

Sender

Sender's email address

Recipient

Recipient's email address including CC and BCC email address. The details
can be reviewed in the property windows

Attachment

An icon represents that the mail has an attachment. By default, the system will back up all
email attachments (System administrator can add a Logging policy to not
back up the attachment. For more details refer to Section 6.7). Click the button
to retrieve the attachments.

Size

Email size

Content

Select one of the emails first, and the details will be shown in the bottom part.

Mail Log Contents

Save emails
To save the email contents, select the desired records (press Ctrl for multiple selections) and then
right click to select Save As EML File to save the email contents in eml format. If multiple records
are selected, each one will be saved in an individual file.

Search Conditions
Type

By default, it is set to All. To specify email type, administrator can select
from the drop down menu

Send/Receive

By default, it is set to All. You can either query send or receive only

Email address

Query specified email address

Subject

Query email with specified keywords input about the email subject

Content

Query the email contents with the specified keywords, e.g. *mail*
The input contents will be highlighted in red in the results

Attachment

If this option is checked, all email with/without attachment will be queried.
If this option is not checked, only email with attachment will be queried.

Attachment name:

Query email with specified keywords input about the attachment

Size

Query email with specified email size range


Mail Search Conditions

Chapter 7
Assets Management
Assets Management
Assets Management collects the software and hardware information of all agent computers to help
the enterprise manage, audit and maintain its computer assets efficiently.
Select Assets → Assets to open the assets management window. The window includes Title bar,
Menu bar, Toolbar, Navigation bar, Data panel and status bar.

Asset Management

Assets Types and Property


Assets Types
Assets types include computer, hardware, software and self-defined types
Computer

Summary of agent computers such as logon user, domain and computer
name etc.

Hardware

Hardware types such as CPU, memory, hard disk, motherboard, NIC etc.

Software

Software types such as Operating System, Application Software,
Anti-virus program, Windows System Software and Microsoft Product
Patches.

Self-defined

Self-defined asset types are those customized by System
administrators, which may not be collected from agents automatically,
such as routers, printers, desks, chairs etc.

Asset Types

Assets Property
For every asset such as Memory, there are some properties to mention the details such as slot number,
Max Capacity, Current Capacity, Capacity per Slot and Summary (DDR, SDRAM) etc
There are two types of properties: Classific Property and Instance Property
Classific

Statistical properties of assets.
For example, for Memory: attributes such as the Current Installed Number of
Memory, Slot Number, Max Capacity, Current Capacity and Capacity per Slot.

Instance

Instance of asset class. For each memory it has attributes such as Device Locator,
Capacity and Type etc.

- If the asset class is Computer, it has only Classific Property

- If the object is either Hardware or Software, both could have Classific and Instance Properties.
- All custom assets have only Instance properties.

Assets Property

Assets Classes Management


All assets classes and their properties are listed in the assets class management. System
administrator can use the Console to check the property details or add properties manually.
In the Assets Management window, select Assets → Asset Classes Management to open the
management window. In this window, the assets structure tree is placed in the left panel and the
assets properties are displayed in the right panel. In the properties list, black text represents
a Classific property and blue text represents an Instance property.

Assets Classes Management



Data Types of Property
There are 5 data types in asset properties. Each data type is represented by its own icon:
Text
Integer
Decimal
Date
Yes / No
Data Types of Property
Custom Property
In addition to the System default asset properties, System administrator can add properties manually.
For example, to add an Instance property called Repair date to the CPU class:
1. Select CPU in the asset tree in the left panel, then select Operation → New Property or click
the button to add property.
2. In the Asset Property window, check the Instance Property option, input Repair date in the
Asset Property field and select Date in the Value Type field. Click OK to confirm.

Asset Property
After the Instance Property is added, the property is shown with a * symbol, which indicates that it is a
custom property. All custom properties can be renamed (Operate → Rename) or deleted
(Operate → Delete), but the default properties cannot be renamed or deleted.


Asset Properties
Custom Asset
System administrator can define custom assets to create a database that stores the information of all other assets.
How to add a custom asset?
E.g. Suppose the office has 3 printers. Then System administrator can add a custom asset called
Printer.
1. Select Operate → New Asset to input Printer, and then add the corresponding Instance
properties such as Model, Department, Buy Date, Price, Warranty etc.

Custom Asset
For all custom assets, System administrator is required to add the property values manually.


Hardware Query
Select Assets → Hardware to check all hardware assets of agent computers, or input conditions to
filter the query results.
Query Asset Information
By default, the CPU, Memory, Disk Drive and Network Adapter of all agent computers are listed. Double
click one of the computers in the list to view the details of the individual agent.
By default, the individual Asset Information window shows the hardware information. Select
Show → All or Show → Software to view other assets information.
For an asset's Instance properties, the default property is Brief, which focuses on the individual
instance. For Classific properties, the default property is Summary, which shows the summary
of all instances.
NOTE
When viewing the asset information, the custom asset value can be added directly. Select
Operation → New Property to open the Asset Property window and add the asset property values.

Query Conditions
Click the button to open the Query Conditions window. System administrator can set one or
more query conditions to filter the results.
Range: By default, it is set to {The Whole Network}. Select the button to specify the target group.
Buttons in the Query Conditions window:
- Clicking this button opens the Condition window. Each condition includes asset properties
and logic, e.g. Memory-Number == 2 or CPU-Name include AMD
- Delete existing conditions
- View and edit existing condition
Query Conditions

Caution
Query conditions of Instance Property and Classific Property
If a condition includes asset A's Instance property first, the following conditions cannot include another
asset B's Instance properties (all other Instance properties will be hidden automatically). In this case
only classific property conditions can be added for the following input conditions.

Result List



After keying in the required conditions, add asset properties to the Result List:
- Double click the property in the left panel or click this button to add the property
to the result list
- Double click the property in the right panel or click this button to remove the
property from the result list
Result List
Caution
Query conditions of Instance Property and Classific Property
Same as for query conditions, if a condition includes asset A's Instance property first, the following conditions
cannot include another asset B's Instance properties (all other Instance properties will be hidden
automatically). In this case only classific property conditions can be added for the following input
conditions.

Save / Delete Query Settings


To facilitate the query, the settings can be saved after the conditions have been input.
- In the Query window, input the Name and click the Save button to
save the current query. Use the drop-down menu to select a
saved query.
- Click the Delete button to delete the saved query.
- Click the Set Default button to set the current query as default. Next time
the administrator opens the Asset Management window, the default
query results will be displayed.
Save / Delete Query Settings
Add Custom Property Value
According to the previous example CPU-Repair date, set a query condition: CPU-repair date Not
exist and the result lists include: Computer-Summary, CPU-Brief and CPU-Repair date. The
resulting query shows that the CPU-Repair date is empty. If you want to add the Repair date, click
the CPU-Repair date column, and the field becomes editable. Now you can add the value one by
one.

Hardware Assets
Caution
Add the custom properties
The result list must include CPU-Repair date; also any one of the CPU instance properties must be
included. Otherwise, the property value may not be added. The reason is that CPU-Repair date belongs
to the Instance property, and we cannot add the same value for all instance properties for a computer.


Hardware Change
Hardware Change logs all hardware changes made on agent computers, including add, delete
and change. Select Assets → Hardware Changes to view the hardware changes log.
Hardware Change Contents
The content includes: Type, Time, Computer, Asset and Description
Type: Type of asset change: Add, Delete or Change
Asset: Asset classes such as CDROM, CPU, BIOS etc.
Description: More detailed information about the asset is shown in this column
Hardware Change Contents

Hardware Change
Query Conditions
Go to File → New Query to open the search panel, where System administrator can set different
conditions to filter.
Time & Range: Common query conditions
Asset Type: By default, it is set to All. Select Asset Type from the drop-down menu to
specify the type to filter the query result.
Content: Specify asset contents. Supports wildcard input.


Hardware Change - Query Conditions

Software Query
Select Asset → Software to switch to the software assets. By default, the query is Computer and
Operating System. System administrator can set other query conditions to query the required results.
The software query method is similar to Hardware Query.


Software Change
Software Change logs all software changes made on agent computers, including add, delete and
change. Select Asset → Software Change to check all software change logs.
The software change log content includes: Type, Time, Computer, Asset and Description, which are
similar to Hardware Change.
Query Conditions
Time & Range: Common query conditions
Asset Type: By default, it is set to All. Select Asset Type from the drop-down menu
to specify the type to filter the query result. It includes Operating
System, Application, Antivirus, Windows and Patches of Microsoft
Products.
Content: Specify asset contents. Supports wildcard input.


Software Change Query Conditions

Other Assets
System administrators are required to key in the asset property values after completing the custom
asset management.

1. Add Custom Asset

Following the previous Printer example, select File → New Query to open the Query Condition
window. Query conditions are empty and the result includes Printer-Model, Printer-Department,
Printer-Buy date and Printer-Price, and all of these properties will show in the results.
Click the add button to enter the property's value one by one to record the Printer information.

2. Query Custom Asset

After adding the asset and its properties, System administrator can create a query condition. Select
File → New Query to set the conditions, e.g. Printer-Price >= 1000, with a result list that includes:
Printer-Model, Printer-Department, Printer-Buy date, Printer-Price. The resulting query will only
show the printers whose price is above or equal to 1000.


Patches Management
Patch Management function scans the patch status of all agent computers and, based on the agent
computer requirements, installs patches automatically and manually to enhance security.

Patches Scanning, Download and Install


The patches updater runs on the Endpoint Data Protection server, and it automatically
downloads and updates the patch scanning file (wsusscan.cab). This file is downloaded to the agent
computer after the agent program is installed on the client computer for the first time.
Select Asset → Patches to check the patch situation of the agent computers. System
administrator is also required to set the download policies to download the patches to the server and then
install the patches on agent computers. Agent computers rely on the server settings to get the patch
files and process the installation automatically.

NOTE
Use the CTRL and SHIFT keys in combination to set the download policies for multiple patches or computers.

Control functions
System administrator can set the order of download scanning file or patches in the Console.
Download Scanning File: Click the button to select the option Download Scanning file,
and server will download the latest scanning file immediately.
Download All Patches: Click the button to select the option Download All Patches,
and server will download the required patch files immediately.
Scan Now: Click the button to select the option Scan Now, and all agent
computers will scan the patch immediately.
Scan for system patches: If only one agent computer needs to scan the patch, right click the
computer and select Scan for system patches, then only the
specified computer will be scanned.
Computer Range: Click the button to select group or individual computer to check
the patch installation situation.
Control Functions


Patch Mode
Patch Log Contents
Under Patch mode, all patches scanned from agent computers will be listed, including
Ordinal, Severity Rating, Bulletin ID, Patch ID, Name, Not Installed, Auto downloading
and Download State.
Severity Rating: 5 different ratings: Low, Moderate, Important, Critical and Unknown
Bulletin ID: Microsoft Published Bulletin ID
Patch ID: Patch ID
Name: Patch Name with ID
Not Installed: The total number of agent computers that have not installed the
corresponding patch. Select the patch to check the installed / not
installed patch situation from the bottom panel.
Auto downloading: System administrator can set the download policy: Download or
Not Download. By default it is set to Not Download and this field
is blank, and server will not download the patch automatically.
Download State: Includes Not Download, Download or Downloaded. When the mouse
moves to the column, the download status will be displayed in %.
Complete download will show as 100%
Detailed Information: Double click the patch or right click to select Details to check
more information about the patch including Download Path, Size
and Description etc.
Patch Log Contents

Patch Download Settings


Under Patch mode, administrator can check the patches list of all agent computers. By default, the system
does not install the patches automatically. System administrator is required to set this manually.
In the Auto Downloading field, an icon is used to represent that the patch is set to Download. If set to Not
Download, this field is empty and the server will not download the patch automatically.
For newly added agents, System administrator can set in the Console whether patches are downloaded
automatically. Select Tools → Options → Server Settings → Patches. There
are two options there: Install patches on new agents automatically and Download new patches
automatically. By default, these two options are not checked.


Options - Patches

Computer Mode
Computer Mode Contents
Under computer mode, check the information and patch installation situation of all agent
computers, including Computer, IP address, Operating System, Last Scanned Time and
Auto installing.
Computer: Group that the agent computer belongs to and computer name
IP address: Agent computer IP address
OS: Agent computer Operating System
Last Scanned Time: The last scanned patch time of the agent computer
Auto Installing: Auto install or not
Computer Mode Contents


Patch Management Computer Mode


Computer Patch Install Setting
Under Asset Management, select Patches → Computer Mode. It shows the agent computer list and
the details of patch installation. By default, patch download and installation are not done
automatically. System administrator is required to configure the settings manually.
Select one of the computers and right click to set Install or Not Install. For agents set to Install, the
patches will be automatically downloaded and installed, while agents set to Not Install will not do
anything.
In the detailed list of patches under computer mode, System administrator can specify patches to
download for an individual computer. Select the desired patches (using the CTRL key for multiple
selections) and then right click to set Install or Not Install.
For newly added agents, System administrator can set the patches download option
automatically. Select Tools → Options → Server Settings → Patches. There are two options there:
Install patches on new agents automatically and Download new patches automatically. By
default, these two options are not checked.


Vulnerability Check
Vulnerability check function automatically scans the internal network computers and analyzes the
results to help System administrator check and trace vulnerability problems. Follow the
resulting suggestions to take timely response measures to enhance the security of all internal
computers.
Under Asset Management, select Vulnerabilities → System Vulnerabilities or Computer Mode.
Click the vulnerability management button to execute the vulnerability scanning immediately.
Click the computer button to view a computer group or individual computer vulnerability information.

Vulnerability Mode
Under vulnerability mode (Vulnerabilities → System Vulnerabilities), administrator can check the list of
vulnerability information of corresponding agent computers. The list includes the following
information: Ordinal, Severity Rating, Name, Vulnerability, Pass and other detailed information.
Severity Rating: 3 different ratings: Information, Normal and Critical
Name: Summary of the vulnerability
Vulnerability: Total number of agent computers having the corresponding vulnerability
Pass: Total number of agent computers having no vulnerability
Other detailed information: Double click any vulnerability from the list to see the details.
Apart from the details of the vulnerability, the system also
provides solutions for System administrator to solve the
particular vulnerability problem.
Vulnerability Mode

Computer Mode
Under Vulnerabilities → Computer mode, administrator can view and check the agent computer
information and corresponding vulnerability information, including Computer, IP Address, OS, Last
Scanning Time and Auto Installing. Double click any vulnerability from the list to see the details and
find out the suggested solutions.

Software Deployment
System administrator can install software, run an application, and deploy files to agents through the
Endpoint Data Protection console. Software can be installed on an agent by simply creating a
deploy task. System administrator can view the deployment status from the console. With the
software deployment function, System administrator can also organize and deploy software to the
networked agent computers more efficiently and consistently.
Select Assets → Deployment for software deployment. Deployment is divided into two steps:
package creation and task creation.


Deploy Package

Package Deployment
System administrator is required to create a deployment package first. A deployment package includes
the required deployment conditions, which can be saved on the server and used repeatedly.
Click the new button to create a new package, or right click the deploy package list to create a new
one. The deployment conditions include: General conditions, File Conditions, Checkup
conditions and Necessary conditions.
General Conditions Settings
Input basic information: package name, operating system, and language
Name: By default, it is set as New Package. System administrator
can rename it but it cannot be empty.
Created and Modified Time: These two fields are generated by the system and cannot be
edited. They are empty while the deployment package is still
being created. Once completed, they show the created time and
name of the System administrator. When any change is made to the
deployment task, the modified time is also updated.
Operating System: By default, all are selected. System administrator can select
the target Operating System for the deployment
Language: By default, it is set to All. System administrator can select the
target language from the drop-down menu.
Package General Condition Settings


Deploy Package General Condition Settings


File Conditions Settings
From the left panel select File to switch to File Conditions Settings
General
Size: The size can be checked after successful creation of the deployment package
Computer: The computer used to create the deployment package using Console
Path: The complete file path
Parameters
Command: This command parameter is used to install software or execute program
during package mode. There are two methods to input this field: 1) Right
click the software installation item from the File List to click Copy to
Command-Line (see the following figure) or 2) Input the name manually.
Deploy Mode: There are three modes: Install, Execute (once) and Deploy File
Install: Distribute application software installation program to agents and
process installation.
Execute (once): Execute the distributed program once only in agent side.
Deploy File: Deploy file(s) to agent. The default destination path is {sd}\deploy files,
and it can be changed manually.
Note that {sd} means System Drive. If OS is located in D:\windows, it is
D: For more details please refer to the following table 9.19.
Run Mode: Run mode means there are some interactions required between the
installation process and the user. User should be able to see the
installation and execution interface during installation.
If this option is not checked, it means silent installation: the user cannot
see the installation and execution process. However, if the program itself
does not support silent mode installation, it may cause installation
failure.
File List: Click the button to select required file(s) (or folder). If multiple files
are selected, they must be placed in the same folder.
Every click of the button creates a new file list, which
automatically overrides the previously created file list.
The information of the file list includes: File Name, File Size, Modified
and Version
Deploy Package File Condition Settings

Deploy Package File Conditions


Checkup conditions and Necessary conditions

Purposes of Checkup conditions and Necessary conditions


Checkup conditions: Only enabled under Install mode. The checkup conditions are
used for agent to check the required installation conditions.
Once satisfied, agent will install the program automatically.
Necessary conditions: Prerequisite checking before distributing programs or files.
Once satisfied, all specified files or programs will be distributed
to agents. Otherwise, no action is taken.

Purposes of Checkup conditions and Necessary conditions

Setting of Checkup conditions and Necessary conditions


There are 5 types in checkup conditions: File, File Version, RegKey, RegValue and
Installed software
File: Determines whether the file exists or not; the complete path must be input
File Version: Determines the file and its version; the complete path must be input
RegKey: Determines whether the specified registry key exists or not
RegValue: Determines whether the specified registry value exists or not
Installed software: Normally the installed software means the software listed in Windows Control
Panel Add / Remove Programs
Settings of Checkup conditions and Necessary conditions

Example of Checkup Conditions: Install Office 2003


File: Exist "%pf%\Microsoft Office\OFFICE11\EXCEL.EXE"
File Version: >= "%pf%\Microsoft Office\OFFICE11\EXCEL.EXE" "11.0.5612.0"
RegKey: Exist "SOFTWARE\Microsoft\Office\11.0\Access\InstallRoot"
RegValue: Exist "SOFTWARE\Microsoft\Office\11.0\Access\InstallRoot" "Path"
Installed software: Include "Microsoft Office Professional Edition 2003"
Example of Checkup Conditions

NOTE
The following are the system default shortcuts used in condition input:
tmp: temp folder (c:\windows\temp)
win: windows directory (c:\windows)
sys: system directory (c:\windows\system32)
pf: program files (c:\program files)
sd: system drive (c:\)
cf: common files (c:\program files\common files)
Default Shortcut Conditions Input
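
The five condition types and the path shortcuts above can be dry-run against a recorded machine state before a package is deployed. The following Python is an added example, not Cyberoam code: the `Snapshot` structure, the function names and the evaluation semantics are assumptions, and both sample machines are constructed.

```python
"""Added example (not product code): dry-run of deployment check-up conditions."""
import operator
import re
from dataclasses import dataclass, field

# Shortcut names and the Office 2003 conditions come from the guide; the Snapshot
# structure and the evaluation semantics are assumptions made for this example.
# Only ">=" appears in the guide; the other comparison operators are assumed.
VERSION_OPS = {">=": operator.ge, ">": operator.gt, "==": operator.eq,
               "<=": operator.le, "<": operator.lt}


def expand_shortcuts(path, system_drive="C:"):
    """Expand %name% and {name} shortcuts relative to the given system drive."""
    win = system_drive + "\\windows"
    pf = system_drive + "\\program files"
    table = {"tmp": win + "\\temp", "win": win, "sys": win + "\\system32",
             "pf": pf, "sd": system_drive, "cf": pf + "\\common files"}

    def substitute(match):
        name = (match.group(1) or match.group(2)).lower()
        return table.get(name, match.group(0))  # unknown names stay untouched

    return re.sub(r"%(\w+)%|\{(\w+)\}", substitute, path)


def compare_versions(left, op, right):
    """Compare dotted versions numerically, field by field (not as strings)."""
    a, b = ([int(part) for part in v.split(".")] for v in (left, right))
    width = max(len(a), len(b))
    pad = lambda v: v + [0] * (width - len(v))
    return VERSION_OPS[op](pad(a), pad(b))


@dataclass
class Snapshot:
    """Constructed stand-in for the state of one agent computer."""
    system_drive: str = "C:"
    files: dict = field(default_factory=dict)      # full path -> file version
    reg_keys: dict = field(default_factory=dict)   # key path -> {value name: data}
    installed: list = field(default_factory=list)  # Add / Remove Programs names

    def file_version(self, path):
        wanted = expand_shortcuts(path, self.system_drive).lower()
        for name, version in self.files.items():
            if name.lower() == wanted:  # Windows paths are case-insensitive
                return version
        return None

    def reg_values(self, key):
        for name, values in self.reg_keys.items():
            if name.lower() == key.lower():
                return values
        return None


def evaluate(condition, snap):
    """Return True when one (type, operator, *args) condition holds."""
    kind, op, *args = condition
    if kind == "File" and op == "Exist":
        return snap.file_version(args[0]) is not None
    if kind == "File Version" and op in VERSION_OPS:
        version = snap.file_version(args[0])
        return version is not None and compare_versions(version, op, args[1])
    if kind == "RegKey" and op == "Exist":
        return snap.reg_values(args[0]) is not None
    if kind == "RegValue" and op == "Exist":
        values = snap.reg_values(args[0])
        return values is not None and args[1].lower() in {v.lower() for v in values}
    if kind == "Installed software" and op == "Include":
        return any(args[0].lower() in name.lower() for name in snap.installed)
    raise ValueError(f"unsupported condition: {kind} {op}")


def unmet(conditions, snap):
    """List the types of the conditions that fail on this snapshot."""
    return [cond[0] for cond in conditions if not evaluate(cond, snap)]


OFFICE_DIR = r"%pf%\Microsoft Office\OFFICE11"
OFFICE_KEY = r"SOFTWARE\Microsoft\Office\11.0\Access\InstallRoot"
OFFICE_2003 = [  # the guide's example check-up conditions
    ("File", "Exist", OFFICE_DIR + r"\EXCEL.EXE"),
    ("File Version", ">=", OFFICE_DIR + r"\EXCEL.EXE", "11.0.5612.0"),
    ("RegKey", "Exist", OFFICE_KEY),
    ("RegValue", "Exist", OFFICE_KEY, "Path"),
    ("Installed software", "Include", "Microsoft Office Professional Edition 2003"),
]
# Constructed machines: Windows on D: with a newer build, and an older build on C:.
NEWER = Snapshot("D:", {r"D:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE": "11.0.10000.0"},
                 {OFFICE_KEY: {"Path": r"D:\Program Files\Microsoft Office\OFFICE11"}},
                 ["Microsoft Office Professional Edition 2003"])
OLDER = Snapshot("C:", {r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE": "11.0.5529.0"},
                 installed=["Microsoft Office Professional Edition 2003"])

if __name__ == "__main__":
    for label, snap in (("NEWER", NEWER), ("OLDER", OLDER)):
        print(label, "unmet:", unmet(OFFICE_2003, snap) or "none")
```

Version fields are compared as integers because a plain string comparison would rank 11.0.10000.0 below 11.0.5612.0 and wrongly fail the File Version condition.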



Other Operations:

Delete package. Only the package with the status can be deleted
Edit package. Only the package with status can be edited
View: The basic information includes: Name, Modified, Editor, Size and Status.
Double click to see the details
Other Operations

About Package Task

Make sure all files and folders for the installation package are located in the same folder and
select the required files at once. Each click of the button creates a new file list that replaces
the existing one.

When deploy mode is install or execute (once), select the main file in command line. When deploy
mode is deploy files, select the destination path for the files to deploy to.

The default run mode is to run on the user's desktop, which will interact with users during the
installation process. User will not be able to see the installation process if this option is
unchecked.

Task Distribution
In addition to creating the distribution package, a distribution task must also be created to specify the
target agent computers. Click the button to create a task.
Task distribution settings include: Task Name, Package Name, Max Retry and Target computers.
Task Name: By default, it is set to New Task. System administrator can edit the name
but it cannot be empty
Package Name: Click the button to select the required package which administrator
created in package part
Max Retry: The task will retry if it fails. By default, it is set to 10. If 0 is input, it
means unlimited retry
Target: Click the button to select target agent computers

Task Distribution
Clicking OK will start the deploy task immediately. Select the task to view the task status. Task
cannot be deleted during deployment. User can right click on the task and select stop to stop the
task. Right click on a computer and select Cancel to cancel the task on the computer.
Delete task distribution: Task cannot be deleted during deployment. User can right
click on the task and select stop to stop the task, and can then delete the task.
Edit task distribution: Task cannot be edited during deployment. User can right click
on the task and select stop to stop the task, and can then edit the task.
Task Distribution Operations


Task Distribution Properties


Caution
Deploying
If the task status is Deploying, it cannot be deleted or edited. Only when the distribution tasks are deleted
does the corresponding package status change to Ready.

Deploy Task


Chapter 8
Encrypted Disk (Endpoint Security Module)
By default, all removable storages used in the company are of the unclassified type. System administrator
can format non-encrypted disks into encrypted disks through the Removable-Storage window.
Encrypted disks can only be used in computers with agents installed; this blocks viruses from
entering the LAN through removable storages.

Disk Encryption
First, plug in the removable disks which need to be encrypted. Second, go to Tools → Classes
Management → Removable-storage to open the Removable-storage Classes window. Then select
Operation → Local removable storage to open the Local removable storage disk information window to
see the connecting devices information.
1. If the icon is [icon], it represents that the removable storage is not saved in the
removable-storage database.

2. Refresh local removable storage disk information manually.

3. Classify removable-storages. When a removable storage is plugged into a computer with the
Endpoint Data Protection agent installed for the first time, Endpoint Data Protection will classify
the removable storage into the Unclassified class by default. Click this button to classify them into
self-defined classes.

4. Click this button to confirm and save the removable-storage information. System
administrator can classify disk, add notes, format and encrypt disk while saving.

5. Click this button to format and encrypt the selected disk. Once the selected disk is formatted
and encrypted, all saved information will be deleted and the disk can only be used in those
computers with agents installed.
Caution
1. Encryption function is only valid for users who registered Endpoint Data Protection with
register IDs. Otherwise, this button is gray and disabled.
2. If the disk is successfully encrypted, the icon will be [icon]. It represents that the operation is not
saved. If saved, the icon will be [icon].

Format Encrypted Disks into Non- encrypted Disks


1. Encrypted disks can be used normally in computers with Endpoint Data Protection agents
installed. When they are used in computers without agents installed, a dialogue box will pop
up to prompt the user to format them. If YES is clicked, the user will format them into
non-encrypted disks manually and the data inside will be completely deleted.

2. Plug in any encrypted disks. Then select Operation → Local Removable-storage to open the
Local removable storage disk information window to see the connecting devices
information. Administrator can format any encrypted disks into non-encrypted disks.

3. Select an encrypted disk and this button will light up. Click it to format the encrypted disk
into a non-encrypted disk. Once succeeded, the disk icon will be [icon] and its volume ID will be
changed too.

4. For console computers, encrypted disks can be plugged out safely in the Local
removable storage disk information window of the Endpoint Data Protection console rather
than from the System Tray of Windows.

For agent computers, encrypted disks can only be safely plugged out this way: Go to My
Computer and right click the encrypted disk to select Eject.

Removable-storage Information
By default, there are two types of removable storage: Encrypted Disk and Non-Encrypted Disk. If
the Disk Type is empty, it represents that the connecting device is non-encrypted.

Account Management
From the menu bar, select Tools → Accounts(M). Select an account on the left pane of the Accounts
Management interface, then select the Authorities tab to view the Manage Encrypted disk and Format
as Encrypt disk options.
Manage Encrypt disk: Limit the operation rights on Managing Encrypt Disk. It is used in class
management.
Format as Encrypt disk: Format encrypted disks into non-encrypted disks or format non-encrypted
disks into encrypted disks.


Admin account is a super administrator which has the highest rights to use all functions while other
accounts do not have the permission to use these two functions unless they are granted.

Removable-Storage Log
Select Log → Removable-storage to view the log of plug-in and plug-out actions of all removable
storages in agent computers. If the Disk Type is empty, it represents that the removable storage type is
non-encrypted disk.

Removable-Storage Policy
System administrator can apply removable-storage policy to assign different rights to removable
storages, as shown in the following illustration:


By Default, Encrypted Disk Type is All including two types: Encrypted Disk and Non-encrypted
Disk. Select Encrypted Disk in the drop-down list box which indicates that this policy is only
effective for encrypted disks.
System administrator can limit the operation authorities of specified removable storage by checking
the checkboxes of Read, Decrypt when Reading, Write, and Encrypt when Writing. For details,
please refer to Removable-Storage Policy. The use of encrypted disks is the same as
non-encrypted disks.


Chapter 9
Database Backup & Data Recovery
The difference between Main Backup and Data Backup is as follows. The Main Backup can be used to
recover the Endpoint Data Protection server if the database crashes or another accident
prevents the server from working properly, or to complete a migration. We strongly recommend doing
one complete full backup once the server is in the production stage, since by then all computer and user
groupings, classes management, policy settings etc. are settled.
Data Backup backs up data such as documents, mail, printing and key data.
We strongly recommend that System administrator back up data regularly to prevent the hard
disk storage from getting full. However, a data backup alone cannot be used for server migration or recovery.

Database Backup
Backup Main Database
To protect against a database file crash or other accidents that prevent the server from working
properly, we strongly recommend that System Administrator fully back up the database regularly.
How to perform the Database Backup

First stop the Endpoint Data Protection server and its related services (OCULAR V3 SERVER and
OCULAR V3 UPDATE) in System Services.

Stop Endpoint Data Protection Server

Open SQL Server Management Studio and connect to the database.


SQL Server Management Studio

NOTE
SQL Server Management Studio is not available with MSDE.
For further details and to download it, use the link below:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C243A5AE-4BD1-4E3D-94B8-5A0F62BF7796&displaylang=en

In the Object Explorer, expand the Databases. You can see a Database called OCULAR3

Right click the Database OCULAR3. Then select Tasks → Back Up to backup the database.

Detach Database OCULAR3


In the Back Up Database OCULAR3 window, add a destination path with backup file
name e.g. Endpoint Data Protection_full_backup.bak. Click the button OK to confirm.

Backup Database

Click the button OK to complete the backup

Complete Database Backup


Right click the Database OCULAR3. Then select Tasks → Detach to detach the database.

Detach Database

After detaching the database successfully, System administrator can back up the following files
and save them into the backup folder:
File Extension: Files
*.MDF & *.NDF: Backup all *.mdf and *.ndf files such as:
OCULAR3_Data.mdf, OCULAR3_Log.LDF,
OCULAR3_SCREEN_Data.NDF, OCULAR3_MAIL_Data.NDF,
OCULAR3_DOC_Data.NDF
*.INI: Backup all *.ini files such as:
Update.ini, OServer3.ini, AssetQuery.ini
*.DAT: Backup all *.dat files such as:
Unins000.dat
Backup Main Files

After the backup is completed, the database OCULAR has to be attached again in SQL Server Management Studio:

Attach Database
Backup Other Data
Other data, such as emails and documents, can be backed up easily. The System administrator just needs to copy those folders to the desired backup storage device.

Backup Data Folders
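
The Back Up step and the copy of the *.ini and *.dat files described above can also be scripted. The PowerShell below is an added example, not part of the original guide or of Cyberoam's tooling, and it does not perform the detach and *.mdf / *.ndf copy step. It assumes it is run elevated on the server host with SQL Server 2005 or later, sqlcmd on the PATH and Windows authentication, that the two service names given in the guide are service display names, and that the paths and backup file name shown are placeholders.

```powershell
# Added example: scripted form of the Back Up step plus the *.ini / *.dat copy.
# Values marked PLACEHOLDER are assumptions; replace them before running.
$ErrorActionPreference = 'Stop'

$SqlInstance = 'localhost'                    # PLACEHOLDER: instance hosting OCULAR3
$InstallDir  = 'C:\PLACEHOLDER\InstallPath'   # PLACEHOLDER: product installation path
$BackupRoot  = 'D:\PLACEHOLDER\Backups'       # PLACEHOLDER: writable by the SQL Server service account
$Services    = 'OCULAR V3 SERVER', 'OCULAR V3 UPDATE'   # assumed to be service display names

$target  = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd_HHmmss')
$bakFile = Join-Path $target 'OCULAR3_full_backup.bak'   # constructed file name
New-Item -ItemType Directory -Path $target -Force | Out-Null

function Invoke-BackupSql {
    param([Parameter(Mandatory)][string]$Query)
    # -E: Windows authentication; -b: non-zero exit code on SQL errors
    & sqlcmd -S $SqlInstance -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed for: $Query" }
}

try {
    # Stop the server and update services before touching the database.
    foreach ($name in $Services) {
        Get-Service -DisplayName $name | Stop-Service -Force
    }

    # Full backup with page checksums, then confirm the backup set is readable.
    Invoke-BackupSql "BACKUP DATABASE [OCULAR3] TO DISK = N'$bakFile' WITH INIT, CHECKSUM;"
    Invoke-BackupSql "RESTORE VERIFYONLY FROM DISK = N'$bakFile' WITH CHECKSUM;"

    # Copy the configuration files the guide lists (*.ini, *.dat).
    Get-ChildItem -Path $InstallDir -File |
        Where-Object { $_.Extension -in '.ini', '.dat' } |
        Copy-Item -Destination $target

    # Record SHA-256 hashes so a later restore can detect a modified or truncated file.
    $hashes = Get-ChildItem -Path $target -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
    $hashes | Export-Csv -Path (Join-Path $target 'sha256.csv') -NoTypeInformation
}
finally {
    # Bring the services back even if a step above failed.
    foreach ($name in $Services) {
        Get-Service -DisplayName $name | Start-Service
    }
}
```

The backup holds the same logged documents, mail and policy data as the live database, so access to the backup folder should be restricted as tightly as access to the database itself.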

Chapter 10
Tools
Account Management
The admin account is a super administrator with the highest rights and can use all functions. Logged in as admin, the System administrator can create other user accounts that access Endpoint Data Protection with different access rights.
Select Tools → Accounts from the menu bar to view the existing users or create new users.

Account Management
Create a user account; a Description can also be entered
Delete a user account. Note that the Admin account cannot be deleted
Accounts Management has 4 settings: General, Authorities, Computer Groups and User Groups
General: Specify the type of account and login mode
Authorities: Specify the function access rights of the account. Please read the following table for details.
Computer Groups/User Groups: Limit the management range to either Computer Groups or User Groups. If Computer Group is selected, User Group cannot be selected, and vice versa. If Computer Groups is set to All, User Group is also set to All by default

Functions Access Rights:
File: Limit the operation rights on the Computer tree or User tree, such as create, move, rename or delete computers / users. Also limit the print and export functions
Control: Limit the agent control rights including Lock/Unlock, Notify, Log off, Power Down/Restart, Remote or Uninstall agents
Statistic: Limit the statistics log enquiries and access rights including Application Statistics, Web Statistics and Traffic Statistics etc.
Log: Limit the event log enquiries and access rights including Basic Event logs, Window Change Logs, Application Logs, Document Logs, Shared File Logs, Printing Logs, Asset Changes Logs, Policy Logs, System Logs, Backup Logs and Removable-storage Operation Log
Policy: Limit the policies enquiries and modification including Basic Policy, Application Policy, Web Policy, Device Policy, Printing Policy, Screen Snapshot Policy, Logging Policy, Remote Control Policy, Network Policy, Traffic Policy, Mail Policy, IM File Policy, Document Policy, Alert Policy and Removable-Storage Policy
Monitoring: Limit the monitoring enquiries and control rights including Instant Messages and Mail
Assets Management: Limit the operation rights on Assets management including Query, Define Asset and Edit Asset
Patches: Limit the operation rights on Patches including Query, Parameter Setting and Executing
Vulnerability: Limit the operation rights on Vulnerability including Query and Parameter Setting
Deployment: Limit the operation rights on Deployment including Package Query, Package Setting, Task Query, Task Setting and Tasking Executing
Class: Limit the operation rights on Classes management including Application Class, Website Class, Time Type, Network IP Class, Network Port Class and Removable-storage Class
Delete: Limit the operation rights on Delete including Delete Logs, Delete Instant Messages and Delete Mails
Backup: Limit the operation rights on Backup including Backup Logs and Review
Setting: Limit the operation rights on Setting including Agent Search Range and Set exclude range of the agent
Generate agents confirmed code: Limit the operation rights on generating agents confirmed code. Our recommendation is that this right should not be assigned to users who are not the Endpoint Data Protection System Administrator
Manage Encrypt Disk: Limit the operation rights on Managing Encrypt Disk
Format as Encrypt Disk: Limit the operation rights on Formatting Encrypt Disk
Account Management

Computer Management
To help the System administrator manage installed agents and query license information easily, the Computer Management Console (Tools → Computers) can be used to check this information. The list contains the following information: Name, Computer, Agent ID, IP Address, MAC Address, Group of Agent, First Appeared Time, Last Appeared Time, Agent Installed Version Number and Agent Installation Date.

Computers Management
List of Computer Information:
(icon): Represents that a license is granted to the agent. If this icon does not appear for the highlighted agent, the license range has been exceeded and no more licenses are available to grant to that agent.
Name: The name of the agent displayed in the Console
Computer: The computer name of the agent
ID: Agent ID generated by the Endpoint Data Protection Server
IP Address: Agent's IP address
MAC Address: Agent's MAC address
Group of Agent: The group the agent belongs to
First Appeared: The first appeared time of the agent
Last Appeared: The last appeared time of the agent
Version: Agent's current installed version
Install Date: Agent's installation date
Computer Management List of Computer Information

Searching Conditions
All: By default, all agents are listed
By IP address: Search by specifying the IP range
By First Appeared: Search by specifying the first appeared time range
By Last Appeared: Search by specifying the last appeared time range
By Agent ID: Search by specifying agent ID
By Name: Search by specifying computer name. Wildcard input is also supported
Computers Management Searching Conditions

Operations
Delete: This option includes two actions: uninstalling the agent automatically and releasing the agent license. The agent will not appear in the computer tree.
Uninstall: Uninstalling the agent does not include releasing the license. The agent still appears in the computer tree.
Computers Management - Operations

After one of the above actions is selected, click OK to confirm it. Clicking only the Delete or Uninstall button has no effect until the OK button is clicked.

Alert Message
Select Tools → Alert, and all real-time alert messages for invoked policies are logged in the popup window. When agents invoke policies and the popup alert bubble option is checked in Tools → Options, the alert bubble pops up in the bottom-right corner. Click the alert bubble to see the details of the alert message.
In the alert message window, a maximum of 500 records is displayed. This maximum can be changed from Tools → Options → Console Settings → Alert → Alert Dialog.
Note that these messages are cleared when the Console is closed or on re-login. To review the history, go to Log → Policy Logs.

Classes Management
System administrator can set different classes including Application Class, Web Class,
Removable-storage Class, Time Type Class, Network IP Address Class and Network IP Port Class
to facilitate the query, statistics and policy settings.

Application Class
Go to Tools → Classes Management → Applications to open the Application Classes window. By default, there are two classes: Unclassified and Windows Application.
Unclassified: All application programs are collected from agents. A program is classified as Unclassified when it is first scanned. The System administrator can create other classes and use drag and drop to move programs located in Unclassified.
Windows Application: Includes Windows system related applications

Application Classes Management Default Classes

Application Classes
The System administrator can create different classes and classify the applications from Unclassified into customized classes.
New: Select Operation → New, or right-click under the Application Classes tree, to create a new class. A sub-class can be created under a class
Move to: Select Operation → Move to, or use drag and drop, to move the application from Unclassified to the specified customized class. Hold the Ctrl button for multiple selections
Search: Select Operation → Search to search for specified application programs and their class location. Input the application name, file name or description.
Application Classes Management Operations

Caution:
About Unclassified and Windows Applications classes
Unclassified and Windows Applications classes cannot be deleted and sub-classes can be created.

Removable-storage Class
Go to Tools → Classes Management → Removable-storage to open the Removable-storage Classes window. By default, there is a class called Unclassified, and the System administrator is required to create classes manually.
There are two methods to gather the Removable-storage information:
1. From Agent: Information on all removable storage used by agent computers is collected and placed in the Unclassified class, and the System administrator can move the entries to other self-defined classes
2. From Console: The System administrator can plug any removable storage into a computer on which the Console is installed.
Select Operation → Local Removable-storage or click the button to open the Local removable storage disk information window and see the connected devices' information. If the icon is , it represents that the removable storage is not yet saved in the removable-storage database
Set the removable-storage class. Click this button to classify the connected storage into a self-defined class. Note: add remarks information to help the System administrator review and identify the storage.
Click this button to confirm and save the removable-storage information.
Removable-storage Classes Management

Removable storage Management

Server Management
Select Tools → Server Management. The System administrator can check the server information using the Console, including Basic Information, Database File, Directory and Disk Space.

Server Management
Basic Information: Includes server startup time, running time and real-time bandwidth
Startup Time: The time the server started
Running: The total running time after server startup
Communication: The real-time bandwidth flow (send / receive) between server and agent in KB
Database File: The name, path, size and maximum capacity of the database file
Directory: Includes Backup, Mail, Patches and Deployment folder information (name, path, number of files and file size)
Disk Space: Server disk space information including volume, type of file system, capacity, free space and percentage usage.

Server Management

Agent Tools
Confirm-code Generator
The Confirm-code generator is for emergencies in which the agent cannot communicate with the server.
Scenario: no Internet connection
Some strict policies, such as being unable to decrypt a PowerPoint presentation or a prohibition on using USB devices, are still running. In this case, the System administrator can use the Confirm-code generator to release the policies or uninstall the agent from the client computer. The following procedure releases all policies or uninstalls the agent under approval.

On the agent machine, click Start → Run and type agt3tool to open the agent tool.

Agent Tool

Select Clear all policies and then click the Generate button.

A Check confirm code window will pop up, and the agent user is required to report the Operate Code to the System administrator.

Check confirm code

The System administrator is required to log in to the Console, select Tools → Agent Tool → Confirm-code generator, input the operate code reported by the agent user and click the Parse button to analyse the agent information.

Confirm-Code Generator

The System administrator is required to click the Generate button to get the code generated by the system.

Confirm Code Information

The System administrator tells the generated confirm code to the agent user and asks him/her to input the confirm code.

The agent user clicks OK to confirm.

Options
Select Tools → Options, and the System administrator can check or amend the existing Console and Server settings. The following tables show all default values.

Server Options

Console Settings
Log
The max records shown in logs on each page is set to 20
Option for user to quit console program or minimize windows
to system tray area

Search logs
Quick
Settings
Information
Monitor
Maintenance

Remote control

The interval of tracing frames (seconds) is set to 2


The interval of auto-cycle (seconds) is set to 8
- The interval to refresh application list (seconds) is set to 2
- The interval to refresh process list (seconds) is set to 2
- The interval to refresh performance information (seconds) is
set to 2
Default to lock remote computers keyboard and mouse
Default not to operate remote computer

Alert
Alert Dialog
Settings

The max number (item) of showing logs in alert dialog is 500


- The option popup alert bubble is checked and the lowest
alert level of popup bubble is set to Low
- If this option is enabled, real-time alert bubbles are popped
up in the Console when policies are invoked
Options Console Settings

Server Settings

Patch
Default Settings
1. Install patches on new agents automatically
If this option is checked, all new agents will install all downloaded patches. Otherwise, no patches will be installed on new agents
Default is unchecked
2. Download new patch automatically
If this option is checked, all newly scanned patches will be downloaded automatically. Otherwise, the newly scanned patches will not be downloaded
Default is unchecked

Data-Removal
- Input the number of days for keeping the data (range: 5 to 180 days). Only the data from the latest specified number of days is kept; older data is deleted automatically
- The data types include: Basic Event logs, Document Operations Logs, Application Logs, Assets Change Logs, Printing Logs, Policy Logs, System Logs, Shared Files Logs, Removable Storage Operation logs, Instant Message, Mail, and Application Statistics.
- Default is all unchecked, which means no data will be deleted automatically

Range
1. Search Range
- The following two cases may cause agents not to communicate with the server and/or not to appear in the network tree:
Server IP address not specified when packing the agent
Change of server IP address
In these cases, the search ranges should be set
- For the input search range to become effective, the option Apply Active Polling must also be checked in Server Settings → Connection. Otherwise, the search range input is not effective
- When target agents are found and appear in the network tree properly, the search range can be removed.
2. Exclude Range
- All agents in the specified exclude ranges cannot communicate with the server. If an agent is currently communicating with the server, once the exclude range is applied, the agent will turn grey after 3 minutes.
- Note that all applied policies are still effective for excluded agents
- A server restart is required after keying in the exclude range to make it effective
No range is set by default.

Connection
1. Bandwidth settings between server and agent
- The range is limited from 1 to 102400kb/s
- If the server is in a LAN environment, this setting is not required. However, it may apply in a VPN environment
2. Active Polling
- By default, this option is checked because some agents do not know the server IP address and cannot communicate with the server normally. Make sure this option is enabled.
- When no search range is set in Search Range and this option is checked, the server will only scan the local network
- When a search range is set and this option is checked, the server will scan the local network and also the specified search range.
- If this option is not enabled, some agents may never communicate with the server as they are missing server information

Directory
By default, all directories are located under the Endpoint Data Protection installation path. The System administrator can change the patches and backup paths including: deployment, Backup email, Screen history, Document Backup and Microsoft Product Patches.
If any directory path is changed, the data is not moved to the new directory automatically. The Endpoint Data Protection server must be stopped and the data then moved to the new directory as required.
A server restart is required after changing any paths.
Select the target object and then click this button to open the Directory Settings. Select the new path. Click the OK button to save the setting. The new path setting becomes effective after the server is restarted.
Click this button to restore the default directory settings. The restored path setting becomes effective after the server is restarted.

Performance
1. Fixed Mode
- If this option is selected, it means the number of agents specified is handled by server
- The range is available from 0 to 100.
2. Dynamic Mode
- This option is selected by default
- If Normal is selected, it represents the average usage rate of sqlserver used by oserver3 is 30%. If High is selected, the upper limit is 50%, while if Low is selected, the upper limit is 10%
- Generally speaking, the higher the performance of the server under dynamic mode, the higher the number of agents that can be handled by the server

Error-Report
- The agent verification error messages will only be logged when this option is enabled and can be found in Event Log → System Logs.
- The report levels are described as follows:
All: Report all errors
Low: The results returned from agent are not expected by server
Moderate: over license
Important: Serial number or checkcode error
Critical: Communication between agent and server corrupted, caused by an exclude range being set
Options Server Settings

Chapter 11
Audit Console
Logon to Audit Console
The Audit Console mainly audits the Endpoint Data Protection Console. All operations that System administrators and users perform in the Console are logged, such as account login/logoff and creating, modifying or deleting policies. The Audit administrator can easily view this information in the Audit Console.
How to logon to Audit Console
1. Open the Endpoint Data Protection Console from Start → All Programs → Cyberoam Endpoint Data Protection Suite → Cyberoam DPMS Console.
2. Log on to the Audit Console using audit as the logon name. By default, the password is blank.

Login Audit Console

Audit Console Interface
The Audit Console includes the title bar, menu bar, toolbar, administrator column, data panel, searching panel and status bar.

Audit Console Interface

The administrator panel lists all administrators and Endpoint Data Protection Console users. Once a user is selected in the administrator panel, the corresponding operation logs are displayed in the data panel.
The Endpoint Data Protection Audit Console provides print and export functions to preserve useful logs, and also provides a delete function to delete the audit data.
Print / Print Preview: Select File → Print / Print Preview to print the current log page
Export: Select File → Export to export the audit log, or right-click in the Data Panel and select Export: 1) Records of Current Pages 2) All Matched Records
Delete: Select File → Delete to delete the audit log, or right-click in the Data Panel and select Delete: 1) Selected Records 2) Records of Current Page or 3) All Matched Records
Audit Console Common Functions

Using Audit Console

Audit Log
Time: Recorded time for the corresponding operation
Computer: Logon Computer Name
IP Address: Logon Computer IP Address
Manager: Administrator Account Name
Description: Descriptions of the operations done in Endpoint Data Protection Console by Administrator

Audit Log

Audit Query
Date Range: For the designated date range, the start time and end time are not selected by default, that is, all log data is searched and displayed as results. To specify the date range, click the start time and end time:
Icon: Descriptions
(icon): Select the date as the start time from the calendar
(icon): Select the date as the end time from the calendar
(icon): Restore to default setting
Manager Name: Search by specified administrator
Description: Query specified logs according to the description of the audit log information

Audit Query
