Testing security policies
We recommend that you test your security policies before deploying and implementing them on your pool.
By testing a policy, you can measure the impact of the usage restrictions it imposes and adjust the protection rules accordingly before putting them into production.
The "Detection mode" and "Passive rule" features make it possible to test policies on a pool without disrupting the use of workstations; testing is transparent for users. When these features are enabled, SES Evolution agents do not block operations but instead generate logs indicating the operations that a rule would have blocked.
It is helpful to test policies in the following cases:
When you install SES Evolution for the first time on a pool of machines. In this case, testing a policy lets you find out, for example, whether essential applications would be blocked, so that you can create suitable exceptions. Testing is transparent for users, so they can continue using their usual applications.
When you expand the pool of machines to protect. You can create a new group of agents, for example, and test the application of the policy that is already implemented in the other groups. In this way, you can check whether the policy suits the new group before implementing it, and make adjustments where necessary.
When you need to add a new protection rule set to one of your security policies. Test the rule set first to check whether it blocks legitimate applications before putting it into production.
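The review step the cases above describe (run the policy in Detection mode, read the "would have been blocked" logs, then create exceptions for legitimate software) is usually done over many hosts at once. The following script is an added example and not part of the SES Evolution documentation or product; the log line format it parses is a constructed, simplified one, since this page does not describe the agent's real log fields, and the rule names, hosts and paths in the sample are likewise constructed. It groups detected-only events by rule and application and flags the applications that are on an allow-list of known-good software, which are the ones that need an exception before the rule is switched to blocking mode.

```python
"""Summarise what a policy under test would have blocked (added example).

The log format below is an assumption made for this example; it is not
the real SES Evolution agent log format.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real agent output). Events with
# action=would_block were logged under Detection mode / Passive rule mode;
# action=blocked events come from a rule that is still in blocking mode.
SAMPLE_LOGS = """\
2024-05-02T08:01:12Z host=WS-017 mode=detect rule="Block unsigned binaries" action=would_block app=C:\\Tools\\backup\\bkp.exe
2024-05-02T08:01:40Z host=WS-017 mode=detect rule="Block unsigned binaries" action=would_block app=C:\\Tools\\backup\\bkp.exe
2024-05-02T08:03:05Z host=WS-021 mode=detect rule="Block unsigned binaries" action=would_block app=C:\\Tools\\backup\\bkp.exe
2024-05-02T08:05:30Z host=WS-044 mode=detect rule="Block unsigned binaries" action=would_block app=D:\\Legacy\\erp.exe
2024-05-02T08:05:45Z host=WS-044 mode=detect rule="Protect password store" action=would_block app=D:\\Legacy\\erp.exe
2024-05-02T08:06:00Z host=WS-017 mode=block rule="Block script interpreters" action=blocked app=C:\\Windows\\System32\\wscript.exe
this line is garbage and must be skipped
"""

# Assumed key=value layout; the rule name is the only quoted field.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) mode=(?P<mode>\S+) '
    r'rule="(?P<rule>[^"]+)" action=(?P<action>\S+) app=(?P<app>\S+)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def summarise_detect_only(log_text):
    """Group would-block events as {rule: {app: {"count": n, "hosts": [...]}}}.

    Events that were actually blocked are ignored: they belong to rules
    that are already in production, not to the policy under test.
    """
    summary = defaultdict(lambda: defaultdict(lambda: {"count": 0, "hosts": set()}))
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] != "would_block":
            continue
        entry = summary[event["rule"]][event["app"]]
        entry["count"] += 1
        entry["hosts"].add(event["host"])
    # Plain dicts with sorted host lists, so the result is stable and printable.
    return {
        rule: {app: {"count": e["count"], "hosts": sorted(e["hosts"])} for app, e in apps.items()}
        for rule, apps in summary.items()
    }


def exception_candidates(summary, known_good):
    """(rule, app) pairs where a known-good application would be blocked.

    Each pair needs an exception before the rule leaves Detection mode.
    Applications not on the allow-list are left for manual review.
    """
    return sorted(
        (rule, app)
        for rule, apps in summary.items()
        for app in apps
        if app in known_good
    )


if __name__ == "__main__":
    result = summarise_detect_only(SAMPLE_LOGS)
    for rule, apps in result.items():
        print(rule)
        for app, info in apps.items():
            print(f"  {app}: {info['count']} event(s) on {', '.join(info['hosts'])}")
    allow_list = {"C:\\Tools\\backup\\bkp.exe"}  # constructed allow-list
    print("exceptions needed:", exception_candidates(result, allow_list))
```

The allow-list is the part a practitioner fills in from their own software inventory; everything the script reports that is not on it is either unknown software worth investigating or a legitimate application that still needs to be added to the list.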
You can test security policies at various levels on a pool:
the entire policy with Detection mode in the configuration of agent groups,
an entire protection rule set with Detection mode in the configuration of a policy,
a particular rule with the Passive rule mode in the configuration of the rule itself.
Testing an entire security policy assigned to an agent group
You can enable Detection mode in the configuration of an agent group. The configuration applies to all policies assigned to the group (main policy and conditional policies, if any).
Enabling Detection mode on an entire policy switches all rules from all protection rule sets to Passive rule mode and sets the status of rules that filter threats to “Detect only”.
To test policies assigned to an agent group:
Select an agent group in the Agents menu.
In the Policies tab, enable the option Switch policies to Detection mode.
Deploy the environment.
This setting in the configuration of the agent group takes priority over the configuration on rule sets. As a result, if Detection mode is enabled for a group of agents, actions will be detected but not blocked, even if the rule set is in active mode in the policy.
For further information on the configuration of agent groups, refer to the section Creating and configuring agent groups.
Testing a protection rule set
Protection rule sets can be tested before they are put into production, regardless of whether they are private or shared. To test a rule set, you must enable the set's Detection mode in the relevant policy. For a shared rule set, enabling Detection mode in the policy under test does not enable it in the other policies that use the same rule set.
To enable Detection mode in a rule set:
Select the relevant policy in the Policies menu.
Click on Edit in the upper banner.
In the row of the rule set to test, click on the arrow to the right of the shield icon.
Select the icon that switches the rule set to Detection mode.
This setting applies to all agent groups that use this policy.
You can also fully disable a rule set with the switch to the left of the rule set. In this case, the rule set will not be deployed on the agent.
For more information on rule sets, refer to the section Understanding the difference between protection rule sets and audit rule sets.
To find out what impact a security rule has without applying a block action, enable Passive rule mode in the options found in the upper banner of the rule.
Likewise, to find out what impact a rule has against threats without applying a block action, select "Detect only" as the status in the configuration of the rule.
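The three levels described on this page (Detection mode on the agent group, Detection mode on a rule set in a policy, Passive rule mode or the "Detect only" status on a single rule) combine into one effective behaviour per rule, and the group setting takes priority over the rule set's mode. The following resolver is an added example, not code from the documentation or the product: it encodes only the precedence stated above, and the class names, field names and the "Block" value used as the non-"Detect only" threat status are assumptions made for the example. It is useful for answering, before deployment, which rules of a policy would still block on a given group.

```python
"""Effective mode of a protection rule given group, rule set and rule settings.

Added example; class and field names are assumptions, as is the "Block"
value used for a threat rule that is not set to "Detect only".
"""
from dataclasses import dataclass, field
from typing import Optional

NOT_DEPLOYED = "not deployed"  # rule set disabled with its switch
DETECT = "detect"              # logged, not blocked
BLOCK = "block"                # enforced


@dataclass
class AgentGroup:
    name: str
    detection_mode: bool = False  # "Switch policies to Detection mode" on the group


@dataclass
class Rule:
    name: str
    passive: bool = False                 # "Passive rule mode" in the rule's banner
    threat_status: Optional[str] = None   # only for rules that filter threats


@dataclass
class RuleSet:
    name: str
    rules: list = field(default_factory=list)
    enabled: bool = True          # switch to the left of the rule set in the policy
    detection_mode: bool = False  # shield icon set to Detection mode in the policy


def effective_mode(group, rule_set, rule):
    """Resolve one rule's behaviour; earlier checks take priority over later ones."""
    if not rule_set.enabled:
        return NOT_DEPLOYED               # a disabled rule set is not sent to the agent
    if group.detection_mode:
        return DETECT                     # group setting wins over the rule set's mode
    if rule_set.detection_mode:
        return DETECT                     # whole set under test in this policy
    if rule.passive:
        return DETECT                     # single rule under test
    if rule.threat_status == "Detect only":
        return DETECT                     # threat rule reports only
    return BLOCK


def rules_still_blocking(group, policy):
    """Names of rules that would still block on this group, as 'rule set / rule'."""
    return [
        f"{rule_set.name} / {rule.name}"
        for rule_set in policy
        for rule in rule_set.rules
        if effective_mode(group, rule_set, rule) == BLOCK
    ]


if __name__ == "__main__":
    # Constructed policy: one baseline set in production, one new set under test.
    policy = [
        RuleSet("Baseline", rules=[Rule("Block script interpreters"),
                                   Rule("Ransomware detection", threat_status="Detect only")]),
        RuleSet("New hardening", detection_mode=True, rules=[Rule("Block unsigned binaries")]),
    ]
    print("Finance:", rules_still_blocking(AgentGroup("Finance"), policy))
    print("Pilot:", rules_still_blocking(AgentGroup("Pilot", detection_mode=True), policy))
```

Running it prints that the Finance group still blocks only the baseline script-interpreter rule, while the Pilot group, which has Detection mode enabled at group level, blocks nothing even though the baseline set is active in the policy.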