
Sangfor Endpoint Secure V6.0.4 Agent User Manual


Sangfor Endpoint Secure


Agent User Manual

Product Version 6.0.4

Document Version 01

Released on Nov. 04, 2024

Version 01 (Mar.24, 2021) Confidentiality: Public in Company 1



Copyright © Sangfor Technologies 2024. All rights reserved.

Unless otherwise stated or authorized, Sangfor Technologies (hereinafter referred to
as "Sangfor") and its affiliates reserve all intellectual property rights, including but not
limited to copyrights, trademarks, patents, and trade secrets, and related rights to text,
images, pictures, photographs, audio, videos, charts, colors, and layouts as presented
in or concerning this document and content therein. Without prior written consent of
Sangfor, this document and content therein must not be reproduced, forwarded,
adapted, modified or displayed or distributed by any other means for any purpose.

Disclaimer

Products, services or features described in this document, whether wholly or in part,
may not be within your purchase scope or usage scope. The products, services or
features you purchase must be subject to the commercial contract and terms as
agreed by you and Sangfor. Unless otherwise provided in the contract, Sangfor
disclaims warranties of any kind, either express or implied, for the content of this
document.

Due to product version upgrades or other reasons, the content of this document will
be updated from time to time. Unless otherwise agreed, this document is used for
reference only, and all statements, information, and recommendations therein do not
constitute any express or implied warranties.

Version 01 (Nov.04, 2024)



Technical Support
For technical support, please visit:
https://www.sangfor.com/en/about-us/contact-us/technical-support

Send information about errors or any product related problem to
[email protected].


About This Document


This document is the agent user manual of Sangfor Endpoint Secure.

Intended Audience
This document is intended for:
⚫ All

Note Icons
English Icon Description

Indicates an imminently hazardous situation which, if not avoided,
will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided,
could result in death or serious injury.

Indicates a hazardous situation which, if not avoided, could result
in minor or moderate injury.

Indicates a hazardous situation which, if not avoided, could result
in settings failing to take effect, equipment damage, or data loss.
NOTICE addresses practices not related to personal injury.

Calls attention to important information, best practices, and tips.
NOTE addresses information not related to personal injury or
equipment damage.

Change Log
Date Change Description

Nov. 04, 2024 This is the first release of this document.


Contents
Technical Support
Change Log
1 Agent Installation
2 Security
3 Virus Scan
4 Vulnerability Remediation
5 Realtime Protection
6 Tools
7 Settings
7.1 Virus Scan
7.2 System Protection
7.3 General Settings
7.4 Advanced Threat Protection
7.5 Ransomware Protection
7.6 Network Protection
7.7 Web Protection
7.8 Notification
7.9 Others
8 Logs
9 Quarantine/Trust
10 Taskbar Tray
11 FAQs
11.1 How to use the Agent for Linux and macOS?


1 Agent Installation
To install the agent, run the installation package with administrator
privileges. Right-click the file and select Run as administrator from the
drop-down menu, as shown below.


Click Start Protection.

The last step of the installation is to register the endpoint asset information,
and the installation is complete.


2 Security
After the agent is installed, you can view the endpoint protection duration, last
detection time, real-time protection trend, etc. on the home page, as shown in
the figure below.


3 Virus Scan
The Virus Scan page allows you to perform Quick scan, Full scan, and
Custom scan on the endpoint, as well as view the logs after virus scanning.


4 Vulnerability Remediation
If the administrator enables Hot Patching for vulnerabilities in the Endpoint
Secure Manager settings and prohibits the agent users from modifying it by
themselves, the agent will enable the hot patch repair function by default, as
shown in the figure below.


5 Realtime Protection
Realtime Protection includes Ransomware Protection, System
Protection, Advanced Threat Protection, Network Protection, and Others.

Click System Protection to view system protection details, which include
Realtime File Protection and Trusted Processes. The administrator can
revoke the endpoint user's configuration permissions. If the administrator does
not allow the endpoint to modify the configuration, the endpoint will prompt
"Changes are prohibited by the admin", as shown below.


Click Ransomware Protection to view ransomware protection details,
including Ransomware Honeypot and Ransomware Backup, as shown
below.

Click Network Protection to view network protection details, including RDP
Brute-Force Attack Protection, SMB Brute-Force Attack Protection, and
MSSQL Brute-Force Attack Protection, as shown below.

Click Advanced Threat Protection to view advanced threat protection details,
including protection against fileless attacks and residual malware.


Click Others to view other protection details, including self-protection and
endpoint peripheral management, as shown in the following figure.

6 Tools
This page provides common tools such as Ransomware Decryption Query,
Memory Scan Tool, and False Positive Analysis.


7 Settings
Click the Settings icon in the upper right corner of the agent to enter the
settings center, as shown below.


The settings center includes Virus Scan, System Protection, Advanced
Threat Protection, Network Protection, and Notifications settings. Each
function has the same configuration items as the manager, and the
administrator can revoke the endpoint user's configuration rights on the agent.
There is a Lock icon on the right side of each policy in the manager's policy
center. If the Lock icon is displayed, the administrator does not allow the
endpoint user to configure it separately. At this time, the agent will display a
prompt stating "Changes are prohibited by the admin", as shown below.


7.1 Virus Scan


The Virus Scan page includes settings for scan mode, scan engines, scan files,
and remediation methods.

The scan mode can be selected as High CPU, Adaptive, or Low CPU:

High CPU: This type of scanning consumes the most CPU resources, but the
scan speed is the fastest.

Adaptive: Dynamically adjusts CPU resources based on the CPU usage. It
optimizes the scan speed by leveraging ample CPU resources when the CPU
usage is low and minimizing resource consumption when the CPU usage is
high, thus ensuring smooth service operations.

Low CPU: Scanning with low CPU usage consumes no more than 10% of CPU
resources, but the scan speed is the slowest.

Engines: Four engines are available, including Sangfor Engine Zero, Gene
Analysis Engine, Behavioral Analysis Engine, and Cloud-Based Engine. They
are grouped into five modes: Standard, Low False Positives, High Detection
Rate, Low Resource Usage, and Custom. Select a mode that aligns with your
business scenario, as shown in the following figure.


File Scan defines the size of the scanned file and the maximum compression
level for scanning, with a maximum of 10 levels.

Disposal method: Set the disposal method after the threat file is found.

Action: You can specify the response to a detected malicious file. The options
are Auto Fix - Business First, Auto Fix - Security First, and No Action -
Report Only. The default action is Auto Fix - Business First.

Auto Fix - Business First: Automatically fix or quarantine confirmed malicious
files based on the default virus detection settings; do not automatically fix or
quarantine suspicious files, but report them to Endpoint Secure Manager,
allowing endpoint users to fix them.

Auto Fix - Security First: Automatically fix or quarantine all malicious files and
allow endpoint users to manually restore files from the Quarantine area. This
option is suitable for scenarios with enhanced protection requirements.

No Action - Report Only: Report malicious files to Endpoint Secure Manager,
but do not automatically fix or quarantine them. This option suits scenarios
where an on-duty security professional is responsible for fixing threats.


7.2 System Protection


The System Protection page allows you to configure Realtime File
Protection by setting the protection level, scan engines, file types, file scan,
and remediation methods.

Protection Level: Three protection levels are available against malicious files,
with the following differences:

⚫ High: Monitor all file actions (higher impact on system performance).

⚫ Medium: Monitor execution and write actions on files, and prevent virus
intrusion and execution (lower impact on system performance).

⚫ Low: Monitor file execution and prevent virus execution (no impact on
system performance).

File Type: Available options include Documents, Script, Executable,
Compressed, and Low Risk.

Engines: Four engines are available, including Sangfor Engine Zero, Gene
Analysis Engine, Behavioral Analysis Engine, and Cloud-Based Engine. They
are grouped into four modes: Low Resource Usage, Low False Positives,
Strict Protection, and Custom. Select a mode that aligns with your business
scenario, as shown in the following figure.

Action: You can specify the response to a detected malicious file. The options
are Auto Fix - Business First, Auto Fix - Security First, and No Action -
Report Only. The default action is Auto Fix - Business First.

⚫ Auto Fix - Business First: Automatically fix or quarantine confirmed
malicious files based on the default virus detection settings; do not
automatically fix or quarantine suspicious files, but report them to Endpoint
Secure Manager, allowing endpoint users to fix them.


⚫ Auto Fix - Security First: Automatically fix or quarantine all malicious files
and allow endpoint users to manually restore files from the Quarantine area.
This option is suitable for scenarios with enhanced protection requirements.

⚫ No Action - Report Only: Report malicious files to Endpoint Secure
Manager, but do not automatically fix or quarantine them. This option suits
scenarios where an on-duty security professional is responsible for fixing
threats.

Trusted Processes: Protect paths or processes on agents by whitelisting paths
or processes to enhance endpoint security and protect them from virus
attacks.

It applies after the IT admin configures settings on the manager. The setting is
not configured yet.

7.3 General Settings


The General Settings page contains the Quarantine Management and
Intelligent Identification of Development Environment functions. You can
choose whether to back up the original file to the Quarantine area after
repairing the file.


7.4 Advanced Threat Protection


The Advanced Threat Protection page includes Fileless Attack Protection
settings, where you can choose what actions to take for detected fileless tools.

7.5 Ransomware Protection


Ransomware Honeypot: The most important feature of ransomware
protection, using honeypots to detect suspicious behavior.

Ransomware Backup: This feature is available only when the Ransomware
Honeypot is enabled. You can choose whether to enable the Ransomware
Backup feature on the manager.

You can click Restore Encrypted Files to restore the backup files if
ransomware is detected.

Snapshot-Based Ransomware Recovery: A snapshot of the endpoint is
captured at noon daily. The snapshot size cannot exceed the predefined value,
typically set at 10% of the disk space by default. You can choose whether to
enable the Snapshot-Based Ransomware Recovery feature on the manager.
When the ransomware encrypts files on the endpoint, you can click Restore All
Files on Endpoint Secure Agent to restore all files from the latest snapshot
captured at noon.

The Snapshot-Based Ransomware Recovery feature is only supported on Windows Server
agents.

7.6 Network Protection


The Network Protection settings include detection thresholds for RDP brute-
force attacks, SMB brute-force attacks, and MSSQL brute-force attacks.

Trigger: You can specify the threshold for identifying a quick brute-force attack.
A brute-force attack is identified as a quick attack if the number of consecutive
attempts exceeds the specified value within a minute. For RDP and SMB quick
brute-force attacks, you can specify an integer in the range of 1 to 100 and an
integer in the range of 20 to 1,000, respectively. Slow and distributed brute-
force attacks are identified based on an intelligent algorithm.
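
The following is an added example, not part of the Sangfor manual and not Sangfor's detection algorithm: a per-source sliding-window counter that shows how a one-minute Trigger rule like the one described above behaves on constructed logon lines, including a slow source that stays under the trigger. The log format, the sample addresses, the trigger values 5 and 20, and the reading of "consecutive attempts" as consecutive failures are assumptions; only the RDP and SMB ranges come from the manual.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
# Configurable ranges stated in the manual (it gives no range for MSSQL).
ALLOWED_RANGE = {"RDP": (1, 100), "SMB": (20, 1000)}


def check_thresholds(thresholds):
    """Reject trigger values outside the ranges the manual documents."""
    for service, value in thresholds.items():
        low, high = ALLOWED_RANGE[service]
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{service} trigger must be an integer in {low}..{high}")
    return thresholds


def constructed_log():
    """Constructed sample lines: '<ISO time> <service> <source> <FAIL|OK>'."""
    base = datetime(2024, 11, 4, 9, 0, 0)

    def line(offset, service, src, outcome="FAIL"):
        stamp = (base + timedelta(seconds=offset)).isoformat()
        return f"{stamp} {service} {src} {outcome}"

    lines = [line(5 * i, "RDP", "192.0.2.10") for i in range(6)]       # fast burst
    lines += [line(20 * i, "RDP", "192.0.2.30") for i in range(8)]     # slow, spread out
    lines += [line(2 * i, "RDP", "192.0.2.20") for i in range(3)]      # three failures...
    lines.append(line(6, "RDP", "192.0.2.20", "OK"))                   # ...then a success
    lines += [line(8 + 2 * i, "RDP", "192.0.2.20") for i in range(3)]  # three more failures
    lines += [line(600 + 2 * i, "SMB", "198.51.100.7") for i in range(21)]
    return lines


def detect_quick_bruteforce(lines, thresholds):
    """Return (service, source, ISO time) for each run of consecutive failures
    whose count inside one minute exceeds that service's trigger value."""
    check_thresholds(thresholds)
    events = sorted(entry.split() for entry in lines)  # ISO timestamps sort as text
    recent = defaultdict(deque)  # (service, source) -> failure times in the window
    alerted, alerts = set(), []
    for stamp, service, src, outcome in events:
        key, now = (service, src), datetime.fromisoformat(stamp)
        if outcome != "FAIL":
            recent[key].clear()      # a successful logon ends the consecutive run
            alerted.discard(key)
            continue
        window = recent[key]
        window.append(now)
        while now - window[0] >= WINDOW:  # forget failures older than one minute
            window.popleft()
        if len(window) > thresholds[service] and key not in alerted:
            alerts.append((service, src, stamp))  # report each run once
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_quick_bruteforce(constructed_log(), {"RDP": 5, "SMB": 20}):
        print(alert)
```

The source at 192.0.2.30 fails eight times but never more than three times in any one minute, so a fixed per-minute trigger does not flag it; the manual assigns such slow and distributed attempts to a separate algorithm.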

7.7 Web Protection


For Windows Server, you can view the configuration of Webshell Protection.

Method: Available options for scan method include Realtime and Scheduled.

Realtime: Scan new files on the endpoint in real time.

Scheduled: Scan all files on the endpoint as scheduled.

Action: You can specify the action for detected web shells. Supported options
include Auto fix and No Action - Report Only.

You can only access the Web Protection page from the Windows Server agent.

7.8 Notification
The Notification page includes settings for Virus scan notifications,
Realtime file protection notifications, Hacktool protection notifications,
and PowerShell fileless attack notifications. Endpoint users can customize
the configurations to choose whether to allow pop-up prompts based on their
actual needs.


7.9 Others
You can view the configuration related to USB Control.

8 Logs
Click the Menu icon in the upper right corner of the agent to view the logs, as
shown below.


The Logs page contains logs for Virus Scan and Realtime Protection.

Realtime Protection logs are security logs generated when threat files are
detected after enabling real-time file monitoring.

Virus Scan logs refer to the operation logs after virus scans are performed.
Click View in the Details column for detailed information about the virus scan,
as shown in the figure below.


9 Quarantine/Trust
Endpoint Secure detects threat files and moves them to the Quarantine area
after processing. You can view these quarantined files. You can add false
positive files to the Trust zone. Files added to the Trust zone will automatically
bypass virus scanning and real-time file monitoring.

Click the Menu icon in the upper right corner of the agent to open the
Quarantine area and Trust zone, as shown below.


After entering the Quarantine area, you can Restore, Delete, or Clear the files
in the quarantine, as shown in the figure below.

You can enter the Trust zone and add trusted files, directories, and processes,
as shown below.


10 Taskbar Tray
The tray in the lower right corner of the operating system taskbar provides
some quick operations for the Endpoint Secure Agent. Right-click the icon to
display the menu, as shown in the following figure.

Uptime: X Days: Check the time the endpoint has been protected.

The tray offers shortcuts to functions like Security, Virus Scan, Realtime
Protection, Asset, Quarantine, and Logs.

Mute Notifications: If the Mute Notifications mode is enabled, Endpoint
Secure will not pop up alerts when it detects threat files. This feature can be
configured by the endpoint user individually or by the administrator in the
manager.


Admin Remote Control: This determines whether the manager's
administrator is allowed to access the endpoints remotely.

Admin: Click Admin to view the manager's administrator information.
Endpoint Secure users who need assistance can easily find the administrator's
contact information.

11 FAQs
11.1 How to use the Agent for Linux and macOS?
1. For Linux endpoints, an agent with a UI is not available yet.

2. For Mac endpoints, the page functions are relatively brief. Please refer to
the agent usage instructions for Windows.
