Roll Back
Updated: 18 Feb 2011 | 5 comments
This issue has been solved. See solution.
Hi All
I'm answering a number of questions on SCSP. I have most but wanted to clarify that the attached question is doable within SCSP:
Ensure that a full rollback can be performed in the event that an authorised change to Software causes an unacceptable impact.
Many thanks in advance.
Rob
Comments
I am not a SCSP guy, but maybe I can help get an answer for you. Can you be more specific? Are you asking if the software can be uninstalled after a detection/lock down that produces unacceptable behavior?
Best,
Thomas
Is it Agent Lockdown?
Hi Roobmore
Are you asking if Agent can be revived after machine lockdown? If not please be more specific.
Regards
Vikrant
I'll hit this from two angles...
Agent software first: based on your statement, assume that a version upgrade occurred on the agent (say from 5.2.4 to 5.2.6) and it was later determined that 5.2.6 had an issue that was unacceptable. In this case, you would likely have to uninstall the 5.2.6 version and re-install 5.2.4.
Policy perspective: A more likely scenario would be that a policy change was made that was later deemed unacceptable. As long as your policy maintenance strategies are effective (you're keeping backups or accurate documentation), rolling back to a previous policy is quick and easy and achieved directly from the management console.
Hi Guys
Sorry for the delay in replying - off sick, now back and raring to go!!
The scenario is that a 'software' has been installed onto a server, within policy, then deemed to be unacceptable, and rolling back to before it was installed...
Looking at the replies I think that AMoss covers it:
Policy perspective: A more likely scenario would be that a policy change was made that was later deemed unacceptable. As long as your policy maintenance strategies are effective (you're keeping backups or accurate documentation), rolling back to a previous policy is quick and easy and achieved directly from the management console.
Brilliant.
Thanks again guys
Rob
Let's roll back on this and take a look at this information, as it sounds like this isn't a solution quite yet. And this information is important for customers to know.
I also think you are getting confused by Policy as in by an authorized user/action vs. Policy which is the term for CSP's "signatures" or in IPS case its behavior control "lock down" policy/script thats applied to a system.
Rob, are you referring to a change management solution where an entire image is taken of a machine and can be snapped back to the previous image if, say, someone comes in and misconfigures an entire web application as an authorized user?
The purpose of CSP is not to "roll back" changes to a system (that's not proactive and defeats the purpose of the prevention part); it is to lock it down to begin with (least privilege access usage for procs and users, monitoring critical system components, etc...). It sounds like you are speaking of a change management solution, which is an after-the-fact aspect and not really in the same technology area.
Yes, CSP can be used to "manually" roll back some changes: for example, if you use it on a *nix system, specify a configuration file you want monitored, enable file diffing, and that file changes in an unacceptable way, then you can track back that change via the event and revert manually. Other scenarios exist where we have rolled back many mistaken "changes". However, this technology is not meant for the area of change management software that snapshots the OS before install and basically keeps snapshots on set intervals to revert back to in case of unauthorized changes. Technically, in a Utopian world there would be no such thing as authorized users making unauthorized changes.
This question has come up before, mostly spawned by auditors; the industry should remind them that "roll-back" actions and technology are meant for the backup/availability portion of security, not the proactive lockdown/response/monitoring activities. If a piece of software that was installed breaks something, a good backup and restore plan should be in place to protect the machine. If that is not in place, then a large piece of the security pie is missing in the environment.
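The "monitor a file, diff it, trace the change, revert manually" workflow in the post above, and the "keep backups of what you deploy so you can roll back" advice from AMoss earlier in the thread, both come down to the same mechanism: a trusted baseline copy plus a hash to compare against. The script below is an added example written for this thread; it is not SCSP/CSP code and does not use any Symantec API. It keeps a baseline copy and SHA-256 of a monitored file, emits an event-style record with a unified diff when the file changes, and restores the baseline on request. The `sshd_config` content and the temporary directory are constructed for the demo.

```python
"""Added example (not from the thread, not Symantec's code): a minimal
file-integrity baseline with diffing and manual revert, mirroring the
"monitor config file -> diff -> track via event -> revert" workflow
described in the post above."""
import difflib
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(path: str, baseline_dir: str) -> str:
    """Snapshot a monitored file: copy it into baseline_dir and record its
    hash in manifest.json. Returns the recorded hash."""
    os.makedirs(baseline_dir, exist_ok=True)
    copy_path = os.path.join(baseline_dir, os.path.basename(path))
    shutil.copy2(path, copy_path)
    manifest_path = os.path.join(baseline_dir, "manifest.json")
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    digest = sha256_of(path)
    manifest[path] = {"copy": copy_path, "sha256": digest}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return digest


def _entry(path: str, baseline_dir: str) -> dict:
    with open(os.path.join(baseline_dir, "manifest.json")) as f:
        return json.load(f)[path]


def check_file(path: str, baseline_dir: str) -> dict:
    """Compare a monitored file with its baseline. Returns an event-like
    dict: 'changed' plus, when changed, a unified diff as a list of lines."""
    entry = _entry(path, baseline_dir)
    event = {"path": path, "changed": sha256_of(path) != entry["sha256"], "diff": []}
    if event["changed"]:
        with open(entry["copy"]) as f:
            before = f.read().splitlines()
        with open(path) as f:
            after = f.read().splitlines()
        event["diff"] = list(difflib.unified_diff(
            before, after, fromfile="baseline", tofile="current", lineterm=""))
    return event


def revert_file(path: str, baseline_dir: str) -> bool:
    """Manually restore the baseline copy over the changed file and verify
    that the hash now matches the manifest."""
    entry = _entry(path, baseline_dir)
    shutil.copy2(entry["copy"], path)
    return sha256_of(path) == entry["sha256"]


def demo() -> dict:
    """Walk the full cycle on a constructed sshd_config-style file."""
    work = tempfile.mkdtemp()
    base = os.path.join(work, "baseline")
    cfg = os.path.join(work, "sshd_config")
    with open(cfg, "w") as f:  # constructed sample config
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    take_baseline(cfg, base)
    unchanged = check_file(cfg, base)
    # An authorised change that turns out to be unacceptable: root login re-enabled.
    with open(cfg, "w") as f:
        f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    changed = check_file(cfg, base)
    restored = revert_file(cfg, base)
    after = check_file(cfg, base)
    shutil.rmtree(work)
    return {"before_change": unchanged["changed"], "after_change": changed["changed"],
            "diff": changed["diff"], "restored": restored, "after_revert": after["changed"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the thread makes apply directly to this code: the baseline copy and manifest must live somewhere the users and processes of the monitored host cannot write (otherwise an "authorized" change can quietly re-baseline itself), and the diff only tells you what changed, not who changed it; the product's own event record is what supplies the user and process, which this script does not attempt to reproduce.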