Sangfor Endpoint Secure V6.0.4 Agent User Manual
Document Version 01
Disclaimer
Due to product version upgrades or other reasons, the content of this document will
be updated from time to time. Unless otherwise agreed, this document is used for
reference only, and all statements, information, and recommendations therein do not
constitute any express or implied warranties.
Technical Support
For technical support, please visit: https://www.sangfor.com/en/about-us/contact-us/technical-support
Intended Audience
This document is intended for:
⚫ All
Change Log
Date Change Description
Contents
Technical Support
Change Log
1 Agent Installation
2 Security
3 Virus Scan
4 Vulnerability Remediation
5 Realtime Protection
6 Tools
7 Settings
7.1 Virus Scan
7.2 System Protection
7.3 General Settings
7.4 Advanced Threat Protection
7.5 Ransomware Protection
7.6 Network Protection
7.7 Web Protection
7.8 Notification
7.9 Others
8 Logs
9 Quarantine/Trust
10 Taskbar Tray
11 FAQs
11.1 How to use the Agent for Linux and macOS?
1 Agent Installation
To install the agent, run the installation package with administrator
privileges. Right-click the file and select Run as administrator from the
drop-down menu, as shown below.
The last step of the installation is to register the endpoint asset information,
after which the installation is complete.
2 Security
After the agent is installed, you can view the endpoint protection duration, last
detection time, real-time protection trend, etc. on the home page, as shown in
the figure below.
3 Virus Scan
The Virus Scan page allows you to perform Quick scan, Full scan, and
Custom scan on the endpoint, as well as view the logs after virus scanning.
4 Vulnerability Remediation
If the administrator enables Hot Patching for vulnerabilities in the Endpoint
Secure Manager settings and prohibits the agent users from modifying it by
themselves, the agent will enable the hot patch repair function by default, as
shown in the figure below.
5 Realtime Protection
The Realtime Protection includes Ransomware Protection, System
Protection, Advanced Threat Protection, Network Protection, and Others.
6 Tools
This page provides common tools such as Ransomware Decryption Query,
Memory Scan Tool, and False Positive Analysis.
7 Settings
Click the Settings icon in the upper right corner of the agent to enter the
settings center, as shown below.
The scan mode can be selected as High CPU, Adaptive, or Low CPU:
High CPU: This type of scanning consumes the most CPU resources, but the
scan speed is the fastest.
Low CPU: Scanning with low CPU usage consumes no more than 10% of CPU
resources, but the scan speed is the slowest.
Engines: Four engines are available, including Sangfor Engine Zero, Gene
Analysis Engine, Behavioral Analysis Engine, and Cloud-Based Engine. They
are grouped into five modes: Standard, Low False Positives, High Detection
Rate, Low Resource Usage, and Custom. Select a mode that aligns with your
business scenario, as shown in the following figure.
File Scan defines the size of the scanned file and the maximum compression
level for scanning, with a maximum of 10 levels.
Disposal method: Set the disposal method after the threat file is found.
Action: You can specify the response to a detected malicious file. The options
are Auto Fix - Business First, Auto Fix - Security First, and No Action -
Report Only. The default action is Auto Fix - Business First.
Auto Fix - Security First: Automatically fix or quarantine all malicious files and
allow endpoint users to manually restore files from the Quarantine area. This
option is suitable for scenarios with enhanced protection requirements.
Protection Level: Three protection levels are available against malicious files,
with the following differences:
⚫ Medium: Monitor execution and write actions on files, and prevent virus
intrusion and execution (lower impact on system performance).
⚫ Low: Monitor file execution and prevent virus execution (no impact on
system performance).
Engines: Four engines are available, including Sangfor Engine Zero, Gene
Analysis Engine, Behavioral Analysis Engine, and Cloud-Based Engine. They
are grouped into four modes: Low Resource Usage, Low False Positives,
Strict Protection, and Custom. Select a mode that aligns with your business
scenario, as shown in the following figure.
Action: You can specify the response to a detected malicious file. The options
are Auto Fix - Business First, Auto Fix - Security First, and No Action -
Report Only. The default action is Auto Fix - Business First.
⚫ Auto Fix - Security First: Automatically fix or quarantine all malicious files
and allow endpoint users to manually restore files from the Quarantine area.
This option is suitable for scenarios with enhanced protection requirements.
It applies after the IT admin configures settings on the manager. The setting is
not configured yet.
You can click Restore Encrypted Files to restore the backup files if
ransomware is detected.
typically set at 10% of the disk space by default. You can choose whether to
enable the Snapshot-Based Ransomware Recovery feature on the manager.
When the ransomware encrypts files on the endpoint, you can click Restore All
Files on Endpoint Secure Agent to restore all files from the latest snapshot
captured at noon.
agents.
Trigger: You can specify the threshold for identifying a quick brute-force attack.
A brute-force attack is identified as a quick attack if the number of consecutive
attempts exceeds the specified value within a minute. For RDP and SMB quick
brute-force attacks, you can specify an integer in the range of 1 to 100 and an
integer in the range of 20 to 1,000, respectively. Slow and distributed brute-
force attacks are identified based on an intelligent algorithm.
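The quick brute-force trigger described above can be illustrated with a short sliding-window counter. This is an added example, not Sangfor's code: the event tuple format, the per-source counting, and the sample trigger value of 5 for RDP are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRIGGER_RANGE = {"RDP": (1, 100), "SMB": (20, 1000)}  # ranges stated in the manual
WINDOW = timedelta(minutes=1)


def detect_quick_bruteforce(events, triggers):
    """Return (time, protocol, source, count) alerts for quick brute-force runs.

    events: time-ordered (iso_time, protocol, source_ip, success) tuples
            (assumed format, not the product's log schema).
    """
    for proto, value in triggers.items():
        low, high = TRIGGER_RANGE[proto]
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{proto} trigger must be an integer in {low}-{high}")
    failures = defaultdict(deque)  # (protocol, source) -> recent failure times
    alerted, alerts = set(), []
    for iso_time, proto, source, success in events:
        if proto not in triggers:
            continue
        key = (proto, source)
        if success:                # a successful logon ends the consecutive run
            failures[key].clear()
            alerted.discard(key)
            continue
        now = datetime.fromisoformat(iso_time)
        window = failures[key]
        window.append(now)
        while now - window[0] > WINDOW:   # keep only the last minute
            window.popleft()
        if len(window) > triggers[proto]:  # "exceeds the specified value"
            if key not in alerted:         # report each run once
                alerted.add(key)
                alerts.append((iso_time, proto, source, len(window)))
        else:
            alerted.discard(key)
    return alerts


def _fails(source, start, step, n, proto="RDP"):
    """Constructed sample data: n failed logons, `step` seconds apart."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    return [((base + timedelta(seconds=start + i * step)).isoformat(),
             proto, source, False) for i in range(n)]


SAMPLE_EVENTS = sorted(
    _fails("203.0.113.7", 0, 5, 6)        # 6 failures in 25 s: quick attack
    + _fails("192.0.2.4", 0, 60, 6)       # 6 failures over 5 min: below rate
    + _fails("198.51.100.9", 0, 2, 3)     # 3 failures, then a success...
    + [("2024-01-01T12:00:10", "RDP", "198.51.100.9", True)]
    + _fails("198.51.100.9", 12, 2, 3))   # ...then 3 more: run was reset
```

Only the first source is reported. The slow and the interrupted sequences stay under the trigger, which is why the manual leaves slow and distributed attacks to a separate algorithm.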
For Windows Server, you can view the configuration of Webshell Protection.
Method: Available options for scan method include Realtime and Scheduled.
Action: You can specify the action for detected web shells. Supported options
include Auto fix and No Action - Report Only.
You can only access the Web Protection page from the Windows Server agent.
7.8 Notification
The Notification page includes settings for Virus scan notifications,
Realtime file protection notifications, Hacktool protection notifications,
and PowerShell fileless attack notifications. Endpoint users can customize
the configurations to choose whether to allow pop-up prompts based on their
actual needs.
7.9 Others
You can view the configuration related to USB Control.
8 Logs
Click the Menu icon in the upper right corner of the agent to view the logs, as
shown below.
The Logs page contains logs for Virus Scan and Realtime Protection.
Realtime Protection logs are security logs generated when threat files are
detected after enabling real-time file monitoring.
Virus Scan logs refer to the operation logs after virus scans are performed.
Click View in the Details column for detailed information about the virus scan,
as shown in the figure below.
9 Quarantine/Trust
Endpoint Secure detects threat files and moves them to the Quarantine area
after processing. You can view these quarantined files. You can add false
positive files to the Trust zone. Files added to the Trust zone will automatically
bypass virus scanning and real-time file monitoring.
Click the Menu icon in the upper right corner of the agent to open the
Quarantine area and Trust zone, as shown below.
After entering the Quarantine area, you can Restore, Delete, or Clear the files
in the quarantine, as shown in the figure below.
You can enter the Trust zone and add trusted files, directories, and processes,
as shown below.
10 Taskbar Tray
The tray in the lower right corner of the operating system taskbar provides
some quick operations for the Endpoint Secure Agent. Right-click the icon to
display the menu, as shown in the following figure.
Uptime: X Days: Check the time the endpoint has been protected.
The tray offers shortcuts to functions like Security, Virus Scan, Realtime
Protection, Asset, Quarantine, and Logs.
11 FAQs
11.1 How to use the Agent for Linux and macOS?
1. For Linux endpoints, an agent with a UI is not available yet.
2. For Mac endpoints, the page functions are relatively brief. Please refer to
the agent usage instructions for Windows.