eguardo Documentation



Introduction


eguardo Smart Defender is security and intrusion detection software developed to secure the many services running on a network. Broadly speaking, it reads the event logs of those services in real time, detects any sign of intrusion and blocks the attempt by configuring the firewall automatically. eguardo does not rely on event logs alone: it traces many other clues on the system and combines them with the logs to reach a more reliable intrusion detection result.

Besides detecting attackers dynamically, eguardo has a unique global black list gathered from users all over the world. This helps block attackers out even before they make an attempt. Preventing attacks at the firewall level has many advantages: especially during DDoS and brute force attacks, the attacker's connection can be cut off directly without consuming any system resources.

eguardo Smart Defender provides a unique inspection of Microsoft Internet Information Services (IIS) through its integration with UrlScan 3.1. It prevents almost every attack that arrives through the address bar. With the UrlScan configuration, hundreds of different types of attacks are prevented, including SQL injections. For more information please follow this link.

eguardo can also detect malicious users trying to send email through your SMTP server. With relaying disabled, attacks on your SMTP server are easily prevented with eguardo.

eguardo also detects many attacks targeting the Microsoft Server family. The most important of these are:

• Microsoft Sharepoint Portal
• Microsoft CRM
• Microsoft Lync Server

Our goal is to broaden this list in the near future. One of the most important aspects of eguardo Smart Defender is its support for custom-developed third-party applications. With only five lines of programming, eguardo can protect applications you developed yourself, using the software library located in the “Developer” folder. It supports all Microsoft .Net based languages (C#, VB.Net, J#, F#, C++ etc.), Java, PHP, classical ASP and more. For further reading please follow this link. You can also get sample applications, with source code included, from the downloads section of our website.

How It Works

Basic Properties

Supported Operating Systems


eguardo Smart Defender supports the following operating systems, on both 32-bit and 64-bit platforms, depending on the edition.

[Table: supported operating systems by edition (Personal Edition / Standard Edition / Professional Edition)]
• Microsoft Windows Vista
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012

Supported Services

eguardo Smart Defender protects the following services against network intrusions.

• Remote Desktop Service (RDP)
• Microsoft SQL Server 2005, 2008, 2008 R2 and 2012
• Microsoft FTP Server (All Editions)
• Microsoft Internet Information Services (IIS) (All Editions)
• Microsoft Exchange Outlook Web Access (OWA)
• Microsoft SMTP Server (All Editions)
• Microsoft Sharepoint Portal Server (All Editions)
• Microsoft Dynamics CRM
• Microsoft Lync Server
• Third-Party Developed Software (Web, Windows, Mobile)

System Resource Usage

eguardo Smart Defender needs 50 MB of disk space, not counting the Microsoft .NET Framework. The approximate memory and processor usage of its applications and services is given in the table below. Tests were performed on an Intel Core i7 2630 mobile processor.

Component                                        RAM Usage      CPU Usage
eguardo Windows Service                          20 – 35 MB     < 0.1 %
eguardo Update Service                           5 – 10 MB      < 0.1 %
eguardo Quick Access Application (Tray)          2 – 4 MB       < 0.01 %
eguardo Management Application (eguardo Admin)   50 – 100 MB    < 1 %

eguardo Management Application (eguardo Admin) is only a tool for the administrator to observe what is happening; when it is closed, the security services keep running.

Editions and Features

eguardo Smart Defender is available in the Personal, Standard and Professional Editions. The basic properties and differences are provided in the table below.

[Table: features by edition (Personal Edition / Standard Edition / Professional Edition)]
• Runs on Client Operating Systems (Windows Vista, 7, 8)
• Remote Desktop Protection (RDP)
• Microsoft FTP Service Protection
• Microsoft SQL Server Protection
• Firewall Scheduler
• Daily and Weekly Reports
• Mapping and Tracerouting Attacks
• Local Black List
• Local White List
• Global Black List
• Runs on Server Operating Systems (Windows Server)
• Microsoft IIS Protection
• Microsoft SMTP Server Protection
• Microsoft Sharepoint Portal Protection
• Microsoft CRM Protection
• Microsoft Lync Server Protection
• UrlScan Integration
• Audit Only Mode (Don't Block)
• Management GUI With Maps and Graphs
• Instantaneous Firewall Event Viewer
• Drag & Drop GUI Personalization
• Heuristic Protection
• Third-Party Developed Application Protection

eguardo Smart Defender: Step-by-Step


Installation


eguardo Smart Defender runs on several operating systems, depending on the edition to be installed. The supported operating systems are listed in the “Supported Operating Systems” section. During setup, eguardo Smart Defender checks which components are already present on your system and installs the missing ones automatically. These components are:

• Microsoft .Net Framework 4.5
• UrlScan 3.1 (optional)
• LogParser 2.2
• Microsoft SQL Server Compact Edition 4.1
• Microsoft Windows IIS Management Components (if IIS is installed)
• eguardo Windows Service
• eguardo Automatic Update Service
• eguardo Management Application
• eguardo Quick Access (Tray) Application
• GUI and Theme Components

The setup file is a compressed 18 MB application. When uncompressed, it takes less than 50 MB of space. The disk usage may vary depending on the Microsoft .Net Framework installation.
The installation path is chosen after the license agreement shown above is accepted.
After the path is selected, the files are uncompressed to the chosen location. Then the main installation program runs automatically (screenshot below).

The setup does not show the components already installed on your system, only the ones to be installed. As seen in the screenshot above, the UrlScan 3.1 checkbox is unchecked by default, so its installation is optional. If UrlScan is already active, the checkbox is shown as checked and cannot be clicked. Likewise, if Microsoft IIS is not installed on your system, this checkbox is unchecked and cannot be clicked: in order to install UrlScan, Microsoft Internet Information Services (IIS) has to be installed on the system.

You can get information about UrlScan by clicking the “What is UrlScan” link. Also you can get information from here.

During installation, especially after the installation of the Microsoft .Net Framework, you might be asked to reboot the system. After the reboot, setup continues from where it left off, and after the last reboot the installation is complete.

Startup

When the system starts for the first time after installation, eguardo asks you to enter your license information and takes you to the activation page. You need a valid product key and customer password in order to start eguardo. Follow the instructions in the “Licensing and Activation” section.

After a successful activation, eguardo will take you to the settings screen.
For detailed information, please follow the instructions at the Settings section.

Licensing and Activation

In order to buy eguardo or use the trial, you need to sign up at https://crm.eguardo.com/Register.aspx. The information you provide there is used later for product activation and for entering the customer portal. To get a 15 day trial edition, check the "Send Me a Trial Key" box on the page. After a successful registration, an email is sent to the address you provided, including your signup information and the product key for your 15 day trial edition. You can also request your trial key from the “Customer Portal”.

If you would like to buy eguardo Smart Defender, you can order any quantity you like by choosing the "Personal", "Standard" or "Professional" Edition from our website. When your order is completed, product keys for every individual item you bought are sent to the email address you provided.


Copy and paste the product key sent to you into the “Product Key” field. Also enter the password sent to you after your signup into the “Customer Password” field. You can activate eguardo by clicking the “Activate Product” button.

By using the customer portal at https://crm.eguardo.com you can:

• See the status of all of your product keys,
• See all of your orders and shopping history.

Important

• Product keys that have expired will not activate on trial editions.
• Only one trial license is provided for each customer.
• A product key can only be used on a single computer; it cannot run on several computers simultaneously.
• To move your license to another computer, you either have to “Uninstall License” from the “Info” section of the eguardo Management, or have to uninstall eguardo completely.
• Personal Edition licenses can run only on Windows Vista, Windows 7 and Windows 8. Personal Edition licenses cannot run on server operating systems.
• Protect your product keys and customer password. If this information is not kept secure, your license can be used by malicious people.

Settings

General





Failure Attempts Allowed

Determines the number of failed attempts allowed from a single IP address. If an IP address reaches this number of failed attempts within the time specified in “Failure Attempts Allowed Apart”, it is added to the temporary block list. It remains there for the time specified in the “Block IP For” value; when that time has passed, the IP address is removed from the list automatically.

Block IP For

This value determines, in hours, how long an IP address stays on the temporary block list.

Add to Black List After Block

An IP address that enters the temporary block list the number of times specified by this value is moved to the local black list. For example, if this value is set to “3” and an IP address has been in the temporary block list 3 times within a year, it is moved to the local black list. “0” means the IP address is never moved to the local black list.

Failure Attempts Allowed Apart

This is the time after which eguardo resets the failure timer of an IP address. If “Failure Attempts Allowed” is set to “3” and “Failure Attempts Allowed Apart” is set to “2 hours”, an IP address that fails twice within two hours is erased from eguardo's memory after the third hour. So if it fails another attempt after the third hour, it does not enter the temporary block list; it is treated as if it had failed only once.
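The four settings above describe one counting scheme. The following is an added example, not eguardo's own code, implementing that scheme in Python as the text reads: an address's failure window starts at its first failure and is forgotten once “Failure Attempts Allowed Apart” has elapsed, a temporary block lasts “Block IP For”, and an address that is temporarily blocked “Add to Black List After Block” times within a year goes to the local black list. The audit-only and white list behaviour from the settings further down is included; all addresses and timings are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class GuardSettings:
    """The General settings described above; the values here are constructed defaults."""
    failure_attempts_allowed: int = 3                          # "Failure Attempts Allowed"
    failure_attempts_apart: timedelta = timedelta(hours=2)     # "Failure Attempts Allowed Apart"
    block_ip_for: timedelta = timedelta(hours=24)              # "Block IP For" (hours)
    add_to_black_list_after_block: int = 3                     # "Add to Black List After Block", 0 = never
    audit_only: bool = False                                   # "Audit Only Mode (Don't Block)"


@dataclass
class FailCounter:
    settings: GuardSettings
    local_white_list: set = field(default_factory=set)
    local_black_list: set = field(default_factory=set)
    fails: dict = field(default_factory=dict)          # ip -> (time of first fail, fail count)
    temp_blocks: dict = field(default_factory=dict)    # ip -> time the temporary block expires
    block_history: dict = field(default_factory=dict)  # ip -> times the ip entered the temporary list

    def record_fail(self, ip: str, now: datetime) -> str:
        """Register one failed login from `ip` at `now` and return the action taken."""
        s = self.settings
        if ip in self.local_white_list:
            return "whitelisted"          # never blocked, whatever the fail count
        first, count = self.fails.get(ip, (None, 0))
        # "Failure Attempts Allowed Apart": once the window since the first fail has
        # elapsed the counter is forgotten and this fail counts as the first one again
        if first is None or now - first >= s.failure_attempts_apart:
            first, count = now, 0
        count += 1
        if count < s.failure_attempts_allowed:
            self.fails[ip] = (first, count)
            return "counted"
        # limit reached inside the window: temporary block for "Block IP For"
        self.fails.pop(ip, None)
        self.temp_blocks[ip] = now + s.block_ip_for
        year_ago = now - timedelta(days=365)
        history = [t for t in self.block_history.get(ip, []) if t > year_ago] + [now]
        self.block_history[ip] = history
        # "Add to Black List After Block": that many temporary blocks within a year -> permanent
        if s.add_to_black_list_after_block and len(history) >= s.add_to_black_list_after_block:
            self.local_black_list.add(ip)
            return "black_listed"
        return "temp_blocked"

    def is_blocked(self, ip: str, now: datetime) -> bool:
        """Would the firewall rule for `ip` be in place at `now`?"""
        if self.settings.audit_only or ip in self.local_white_list:
            return False                  # audit mode records everything but blocks nothing
        if ip in self.local_black_list:
            return True
        expiry = self.temp_blocks.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                 # "Block IP For" elapsed: removed automatically
            del self.temp_blocks[ip]
            return False
        return True


def walk_through_page_example() -> list:
    """Replays the scenario from 'Failure Attempts Allowed Apart': 3 attempts, 2 hours apart."""
    fc = FailCounter(GuardSettings(failure_attempts_allowed=3,
                                   failure_attempts_apart=timedelta(hours=2),
                                   block_ip_for=timedelta(hours=1),
                                   add_to_black_list_after_block=2))
    ip = "203.0.113.7"                    # constructed address from the documentation range
    t0 = datetime(2013, 1, 1, 0, 0)
    out = [fc.record_fail(ip, t0),                                   # fail 1 -> counted
           fc.record_fail(ip, t0 + timedelta(hours=1)),              # fail 2 -> counted
           fc.record_fail(ip, t0 + timedelta(hours=3)),              # window passed: first again
           fc.record_fail(ip, t0 + timedelta(hours=3, minutes=10)),  # second inside new window
           fc.record_fail(ip, t0 + timedelta(hours=3, minutes=20))]  # third -> temporary block
    out.append(fc.is_blocked(ip, t0 + timedelta(hours=3, minutes=30)))  # block still running
    out.append(fc.is_blocked(ip, t0 + timedelta(hours=5)))              # "Block IP For" passed
    return out


if __name__ == "__main__":
    print(walk_through_page_example())
```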

Audit Only Mode (Don't Block)

When checked, the system will do everything except blocking the IP address. This is not available in the Personal Edition.

Use UrlScan

Determines whether eguardo uses UrlScan. It does not affect how UrlScan itself works. To stop UrlScan completely, use the “Uninstall UrlScan” option from the upper menu of the “Settings” section. Similarly, to install UrlScan on your system, use the “Install UrlScan” option from the same menu. This option is not available in the Personal Edition, and it may require restarting the eguardo Windows Service.

Auto Start Firewall

Restarts the Windows firewall in case it is stopped for any reason.

Global Black List Enabled

When checked, the global black list is used. eguardo will use information from other eguardo users and protect your system from attackers even before they can attempt. Using this service is highly recommended.

You can allow any individual IP address in the Global Black List by using the “Active IP Blocks” section.

Enable Heuristic Protection

Heuristic Protection is an advanced technology for detecting attacks before they start. eguardo's heuristic detectors watch network connections and detect malicious actions on your network. The heuristic detectors also catch port scanners and block them automatically at the firewall.

When checked, Heuristic protection is activated. Using this service is highly recommended.

Clear Fail Logs After

eguardo clears its statistical logs of failed attempts after the specified number of days. These logs can also be cleared manually at any time from the “Failed Requests History” section (not recommended).

Clear Block Logs After

eguardo clears its statistical logs of blocks after the specified number of days. These logs can also be cleared manually at any time from the “Block IP History” section (not recommended).

Log Whitelisted IP Events

IP addresses in the white list are not blocked, or even logged, when they fail a login attempt. When this option is checked, failed attempts from IP addresses in the white list are logged but still not blocked.

Application Listen Port

Necessary for application developers. Also the communication between eguardo Management application and the eguardo service is done via this port. For more details see the relevant section.

Application Security Key

Necessary for application developers. For more details see the relevant section.

Require Password For Admin

Allows you to protect the eguardo Management interface with a password. When this option is checked, the eguardo Management interface will ask for the password provided in the “Admin Password” field.

Show Help Tool Tips

Enables the tips shown when the cursor hovers over the controls of the graphical user interface.

IP Lists

Local Black List

Apart from being filled automatically by eguardo, the local black list can also be edited by hand: an IP address or a range of IP addresses can be entered manually. IP addresses or ranges added to the local black list are blocked at the firewall indefinitely. You can remove an IP address from the list, or uncheck its “Blocked” symbol to allow it temporarily. IP addresses or ranges are written as follows:

Single IP Address : 192.168.1.100
IP Address List : 192.168.1.100,192.168.1.101
IP Address Range : 192.168.1.100-192.168.1.200

Local White List

The local white list is where IP addresses or ranges that must never be blocked are defined. IP addresses in this list are never blocked, even if they fail login attempts. IP addresses or ranges are written as follows:

Single IP Address : 192.168.1.100
IP Address List : 192.168.1.100,192.168.1.101
IP Address Range : 192.168.1.100-192.168.1.200

Services

In this section, you can see the services protected by eguardo. Protection for specific services can be stopped by unchecking “Guarding” from the list.

Mail & Report Settings

This section holds the email settings used for the messages sent by the eguardo service. The values are the usual mail server settings, as in Microsoft Outlook.

Send Daily Report

Sends a daily email including the service statuses, the failed login attempts, the IP addresses blocked by eguardo and the number of IP addresses blocked by the Windows Firewall.

Send Weekly Report

Sends a weekly email including the service statuses, the failed login attempts, the IP addresses blocked by eguardo and the number of IP addresses blocked by the Windows Firewall.

Weekly Report Send Day

Determines on which day the weekly report will be sent.

Report Send Time

Determines at which time of the day the daily or weekly reports will be sent.

Send E-Mail When eguardo Service Stopped

Sends email when the eguardo Windows service is stopped unexpectedly.

Send E-Mail When IP Blocked

Sends an email to the administrator each time an IP address is blocked.

SMTP Server

Sets the outgoing email server address, such as smtp.gmail.com.

SMTP Port

Sets the outgoing email server port.

SMTP UserName

The username used to login to the outgoing email server.

SMTP Password

The password used to login to the outgoing email server.

Use SSL

Determines if an SSL connection will be established to the outgoing email server.

Mail Sender Name

This value is used as the sender name (such as name, last name or company) for the emails sent by eguardo.

Sender E-Mail Address

eguardo will use this email address to send the warning messages.

Report E-Mail Address

eguardo will send warning emails to the addresses set in this value. Multiple email addresses can be specified using commas.

Send Error Report Feedbacks to eguardo

Errors and bugs in the eguardo system are reported to eguardo so that problems can be identified and fixed automatically. Selecting this option is highly recommended.

Send Report Feedbacks to eguardo

Uses attacker information gathered from other systems and, in turn, provides feedback about attackers to other systems. Using this option is highly recommended. Only IP addresses and dates are shared.

Export Settings (Menu Bar)

This option lets you export your settings to use as a backup or to migrate the system. It writes the output file to the given path; the file can be loaded again with the “Import Settings” button.

Import Settings (Menu Bar)

Loads the settings from an exported eguardo installation.

Install UrlScan (Menu Bar)

Installs the UrlScan software to your system.

Uninstall UrlScan (Menu Bar)

Removes the UrlScan software from your system.

Install Required Windows Features (Menu Bar)

If IIS is not present on the system when eguardo is installed, eguardo cannot install the components needed to protect IIS or FTP or to use UrlScan. If you install IIS after eguardo, use this button to install those components so that IIS and FTP can be protected and UrlScan can be used.

Main Screen

This section is about the usage of the eguardo Management screen. Some features may vary between “Personal Edition” “Standard Edition” and “Professional Edition”.

Windows

The Status Window

Windows Firewall

This item shows the number of connections prevented by the firewall.

Remote Desktop Protection

Shows the number of failed login attempts (Fail) and blocked connection numbers (Block) to the RDP service.

MS SQL Server Protection

Shows the number of failed login attempts (Fail) and blocked connection numbers (Block) to the MS SQL Server.

MS FTP Server Protection

Shows the number of failed login attempts (Fail) and blocked connection numbers (Block) to the MS FTP Server.

IIS + SMTP + Sharepoint + OWA Protection (Standard + Professional Edition)

Shows the number of failed login attempts (Fail) and blocked connection numbers (Block) to the Microsoft IIS Server, Microsoft SMTP Server, Microsoft Exchange Outlook Web Access, Microsoft CRM, Microsoft Lync Server.

Application Protection (Standard Edition)

Shows the number of failed login attempts (Fail) and blocked connection numbers (Block) to third-party developed software.

Total Fail / Block

Shows the number of failed login attempts (Fail) and blocked connection numbers (Block) to all of the services.

Last IP Blocks Window

Shows the last 25 blocked IP addresses ordered by date. By right clicking an item you can perform the following actions on each individual address:

• “Add To Local Black List”
• “Add To White List”
• “Remove From Block List”

Last IP Fails Window

Shows the IP addresses of last 25 failed entry attempts ordered by date. By right clicking an item you can perform the following actions on each individual address:

• “Add to Local Black List”
• “Add to White List”
• “Remove From Block List”
• “Clear Fails”

Last Firewall Blocks Window (Standard + Professional Edition)

Shows the IP addresses of last 50 blocks by firewall ordered by date. By right clicking an item you can perform the following actions on each individual address:

• “Add to Local Black List”
• “Add to White List”
• “Remove From Block List”

Map Query Window (Standard + Professional Edition)

When you click an IP address in any list active on the main screen, this window shows the location of the IP address on the world map (in the Personal Edition it opens in a new window). If the management interface is running at the time, it also shows the location of the IP address that was last blocked or last failed a login attempt.

By using the tools on the window you can perform the following actions:

• Query an IP address manually
• Traceroute an IP address (T)
• Perform a Whois query on an IP address (?)
• See the last 25 failed attempts on the map (F)
• See the last 25 blocked connections on the map (B)

Fails By Country Window

This window shows a bar chart of the IP addresses that failed login attempts, grouped by country.

Firewall Blocks By Country Window

This window shows a bar chart of the IP addresses that were blocked, grouped by country.

Fails By Service Window

Shows a bar chart of the IP addresses that failed login attempts, grouped by service.

Fails By Time Window

Shows the number of failed entrance attempts for the last 24 hours by analyzing the eguardo system logs.

The Menu Bar

Start eguardo Service

Starts/Stops the eguardo Windows Service. You may use this button to restart the service when some changes require it to take effect.

Settings

Opens the Settings window. For more information please see the Settings section.

Blocked IP Addresses

IP addresses currently blocked by eguardo can be seen here. For more information please see this section.

Activate License

Used to activate your trial license. After activation, it will be seen as “License Info” under the “Support” tab.

IP Query

Locates the place of the attacker on the map and performs a traceroute on the IP address.

Firewall Schedules

Opens the window to set a schedule for repeating custom firewall settings.

Reset Layout (Standard + Professional Edition)

Resets the interface and design of the main screen.

IP Block History

Shows the history of IP addresses blocked by eguardo.

Fail Counter (Standard + Professional Edition)

Shows the failed entrance attempts that currently haven't reached the “Failure Attempts Allowed” limit.

Failed Request History

Opens the window which shows all of the failed entrance attempts.

Firewall Block History

Shows the IP addresses blocked by the firewall. A maximum of 10,000 lines are shown.

Blocked IP Addresses

Provides an interface to search and manage the IP addresses currently blocked by eguardo. This list consists of the following lists:

• The global black list
• The local black list
• The temporary block list

Since the list can contain tens of thousands of entries, it is not possible to show all of the records. Instead, the search button on the menu bar can be used to check whether a certain IP address is blocked.

UnBlock
Removes the selected IP address from the temporary block list.

Add to Black List
Adds the selected IP address to the local block list. At any time, the address can be removed from the Settings section.

Add to White List
Adds the selected IP address to the white list. At any time, the address can be removed from the Settings section.



General List Properties and Tools

Lists used in eguardo have a lot of hidden features. Some of these are shown below.

Column Hiding - Showing

Advanced Reporting and Exporting

Advanced Filtering With the Filter Editor

Menu Filtering Using Column Header

Row Filtering

Search Screen

Groupings of Columns

Other Menu Options

IP Query

Firewall Schedules

Lets you set a schedule for repeating custom Windows Firewall settings. For example, you can allow RDP to be accessible only during working hours (between 09:00 and 17:00), or restrict certain IP / port ranges during certain days or hours.

Add New Schedule

Adds a new calendar entry to the firewall rules. The available options are explained below.

IP Address(es) or IP Range

Defines the IP address or range the rule applies to. If left blank, the rule applies to all IP addresses. Usage:

Single IP Address : 192.168.1.100
IP Address List : 192.168.1.100,192.168.1.101
IP Address Range : 192.168.1.100-192.168.1.200

Allow IP Address(es)

Determines if the rule is a block rule or a permitting rule. When checked, it means that the rule is a permitting rule.

Is Rule Enabled

Determines if the rule is active or not. This option is used to disable or enable rules without deleting them. If unchecked, then the rule will be ignored. Also expired rules will be disabled automatically.

Port(s) or Port Range

Specifies the port number or port range the rule applies to. If left blank, the rule applies to all ports. Usage:

Single Port Number : 80
Multiple Ports : 80,443,1433
Port Range : 5000-5100
Multiple Ports and Port Range : 80,5000-5100

Daily Start Time

Sets the time for daily rules to start running.

Daily End Time

Sets the time for daily rules to stop running.

Rule Start Date

Sets the date for the rule to start running. The rule will not run before this date.

Rule End Date

Sets the date for the rule to stop running. The rule will not run after this date.

Rule Active Days

The rule will run on the weekdays selected in this option.
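The IP address syntax shared by the local black/white lists and the schedule options above, together with the port syntax and time fields of a schedule rule, as an added Python example (not eguardo's code). It parses the single/list/range forms exactly as the text writes them, evaluates one rule against a connection at a given moment, and plays the page's own scenario of RDP reachable only in working hours; how overlapping rules are ordered is this example's assumption (first matching rule wins), and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional


def parse_ip_spec(spec: str) -> list:
    """Single address, comma separated list or 'start-end' range, as in the IP Lists section.
    An empty spec ("left blank") returns [] and means every address."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_ip = ipaddress.ip_address(lo)
        hi_ip = ipaddress.ip_address(hi) if hi else lo_ip
        if hi_ip < lo_ip:
            raise ValueError(f"range end before start: {part}")
        ranges.append((lo_ip, hi_ip))
    return ranges


def parse_port_spec(spec: str) -> list:
    """'80', '80,443,1433', '5000-5100' or '80,5000-5100' -> list of (low, high) pairs."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_port = int(lo)
        hi_port = int(hi) if hi else lo_port
        if not 0 < lo_port <= hi_port <= 65535:
            raise ValueError(f"bad port range: {part}")
        ranges.append((lo_port, hi_port))
    return ranges


def in_ranges(value, ranges: list) -> bool:
    """Empty ranges match everything: a blank field applies the rule to all."""
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)


@dataclass
class ScheduleRule:
    ip_spec: str = ""                                 # "IP Address(es) or IP Range", blank = all
    allow: bool = False                               # "Allow IP Address(es)": True = permitting rule
    enabled: bool = True                              # "Is Rule Enabled"
    port_spec: str = ""                               # "Port(s) or Port Range", blank = all
    daily_start: time = time(0, 0)                    # "Daily Start Time"
    daily_end: time = time(23, 59, 59)                # "Daily End Time"
    start_date: Optional[date] = None                 # "Rule Start Date"
    end_date: Optional[date] = None                   # "Rule End Date"
    active_days: frozenset = frozenset(range(7))      # "Rule Active Days", 0 = Monday

    def applies(self, ip: str, port: int, when: datetime) -> bool:
        """Does this rule cover the connection (ip, port) at the moment `when`?"""
        if not self.enabled:
            return False
        today = when.date()
        if self.start_date and today < self.start_date:
            return False
        if self.end_date and today > self.end_date:   # expired rules are disabled automatically
            return False
        if when.weekday() not in self.active_days:
            return False
        if not self.daily_start <= when.time() <= self.daily_end:
            return False
        return (in_ranges(ipaddress.ip_address(ip), parse_ip_spec(self.ip_spec))
                and in_ranges(port, parse_port_spec(self.port_spec)))


def decide(rules: list, ip: str, port: int, when: datetime) -> Optional[str]:
    """First enabled rule that applies decides; None means no schedule rule covers the
    connection. (The ordering of overlapping rules is this example's assumption.)"""
    for rule in rules:
        if rule.applies(ip, port, when):
            return "allow" if rule.allow else "block"
    return None


# Constructed schedule for the page's example: RDP (3389) reachable only between 09:00 and
# 17:00 on weekdays, except from the internal management range, which is always allowed.
WORKING_HOURS_RDP = [
    ScheduleRule(ip_spec="192.168.1.100-192.168.1.200", allow=True, port_spec="3389"),
    ScheduleRule(allow=True, port_spec="3389", daily_start=time(9, 0), daily_end=time(17, 0),
                 active_days=frozenset(range(5))),
    ScheduleRule(allow=False, port_spec="3389"),
]

if __name__ == "__main__":
    print(decide(WORKING_HOURS_RDP, "203.0.113.5", 3389, datetime(2013, 1, 2, 18, 0)))
```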

Edit Schedule

Allows editing of an earlier created rule.

Delete Schedule

Deletes a rule created earlier.

eguardo Free XML Black List API

This page is devoted to share information with eguardo customers and the Internet security community. Information provided is more technical in nature, and geared towards IT and system administrators.

The eguardo security family has filled an important gap in the Microsoft Windows desktop operating systems with its "Smart Defender" solution approach. Yet the majority of applications and web sites on the internet are hosted on servers, and there are many scenarios in which running "eguardo Smart Defender" is technically impossible, such as Unix based servers.

That's why the eguardo Free XML Black List API was developed in the first place and brought to you for free...

The eguardo Free XML Black List API shares information received from thousands of "eguardo Smart Defender" users to protect your system. The integration is simple and takes only a few steps. You can find example code and ready-to-use plug-ins on our web site.

How It Works

To access the eguardo Free XML Black List API you need to register from the Client Area. You can get your customer id from the "My Information" page after registration. This customer id and your password are necessary to use the eguardo Free XML Black List API.

Client Area

The eguardo Free XML Black List API has some rules and restrictions. These are:

  • Registration is necessary from Client Area

  • Do not use the eguardo Free XML Black List API service every time a user request is received; use it only on new user requests. This way you will not exceed the query limit on small to medium sized web systems. (Ex: ASP.NET -> SessionStart -> Global.asax)

  • Attacker lists are updated hourly.

  • There is a limit on the queries that can be made with a customer id (500 queries per hour, may vary). We recommend that you secure your customer id and password.

  • Limited queries can be performed from a single IP address. (500 queries per hour, may vary)

  • To keep your password secure, do not use client side technologies like JavaScript to access the service. Instead, use server side technologies such as ASP.net, PHP, JSP or classical ASP.

  • The eguardo Free XML Black List API web service is itself protected by “eguardo Smart Defender”. Repeated password errors will therefore block the customer id for a certain time.

  • The eguardo Free XML Black List API only tells you whether a certain address is on the attacker list or not. Based on the result, you decide whether to block the address.

  • For a better security we recommend the “eguardo Smart Defender” software.

  • Service access will be granted within 24 hours, approval is subject to eguardo e.RBL usage policies.



  • eguardo provides add-ons for SharePoint, WordPress and many more platforms on the web. To access these add-ons please follow our project on CodePlex.

Technical Information

You can access the eguardo Free XML Black List API web service from here.

Service Address : http://rbl.eguardo.com/GblSvc.asmx
Method Name : IsIPInBlackList
Return Type : int32 (numeric – number)

Input Parameters (Respectively)

• CustomerId – Integer (The customer id you get after registering from the Client Area – you can see it in the picture above.)
• Password – String (The customer password you get after registering from the Client Area – it is sent to your e-mail address.)
• IPAddress – String (The IP Address to query.)

Output

• 0 = IP Address is not Black Listed
• 1 = IP Address is Black Listed
• 2 = Wrong customer id or password
• 3 = Hourly query limit for your IP address has been exceeded.
• 4 = Hourly query limit for your customer id has been exceeded.
• 5 = Information not available for the queried IP address.
• 6 = The list is being updated, try again
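A server-side client for the IsIPInBlackList call described above, as an added example that is not eguardo's code or one of its plug-ins. It assumes the ASMX default SOAP namespace http://tempuri.org/, the default SOAPAction form and the response element name IsIPInBlackListResult (all to be checked against the service's WSDL), maps the seven result codes to a block decision that fails open on credential, quota and update errors, caches the answer so the service is asked once per new visitor as the rules require, and stands in for the web service with a constructed fake so it runs offline.

```python
import urllib.request
import xml.etree.ElementTree as ET

SERVICE_URL = "http://rbl.eguardo.com/GblSvc.asmx"   # from the page; plain http, so the
                                                      # customer id and password travel unencrypted
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_NS = "http://tempuri.org/"   # ASSUMPTION: the ASMX default namespace; confirm against the WSDL

# result codes as listed on the page
RESULT_CODES = {0: "not_black_listed", 1: "black_listed", 2: "bad_credentials",
                3: "ip_query_limit", 4: "customer_query_limit",
                5: "no_information", 6: "list_updating"}


def build_request(customer_id: int, password: str, ip: str) -> bytes:
    """SOAP 1.1 envelope for IsIPInBlackList, parameters in the order the page lists them."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    call = ET.SubElement(body, f"{{{SOAP_NS}}}IsIPInBlackList")
    for name, value in (("CustomerId", str(customer_id)), ("Password", password), ("IPAddress", ip)):
        ET.SubElement(call, f"{{{SOAP_NS}}}{name}").text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_result(response_xml: bytes) -> int:
    """Pull the int32 result out of the SOAP reply (element name IsIPInBlackListResult assumed)."""
    node = ET.fromstring(response_xml).find(f".//{{{SOAP_NS}}}IsIPInBlackListResult")
    if node is None or not node.text:
        raise ValueError("no IsIPInBlackListResult element in the reply")
    return int(node.text.strip())


def decide(code: int) -> tuple:
    """Map a result code to (block, cacheable). Only code 1 blocks; credential, quota and
    'updating' codes fail open so a lookup problem never locks legitimate visitors out."""
    if code == 1:
        return True, True
    if code in (0, 5):
        return False, True        # definite answer (or none available): remember it
    return False, False           # 2, 3, 4, 6: transient, do not cache, do not block


class BlackListChecker:
    """Asks the service once per new visitor and remembers the answer, as the usage rules ask."""

    def __init__(self, customer_id: int, password: str, fetch=None):
        self.customer_id, self.password = customer_id, password
        self.fetch = fetch or self._http_fetch   # swappable transport (the test injects a fake)
        self.cache = {}                          # ip -> block decision

    def _http_fetch(self, envelope: bytes) -> bytes:
        req = urllib.request.Request(SERVICE_URL, data=envelope, headers={
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": f'"{SOAP_NS}IsIPInBlackList"'})   # ASSUMPTION: default ASMX SOAPAction
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()

    def should_block(self, ip: str) -> bool:
        if ip in self.cache:
            return self.cache[ip]
        try:
            code = parse_result(self.fetch(build_request(self.customer_id, self.password, ip)))
        except (OSError, ValueError, ET.ParseError):
            return False              # unreachable or malformed reply: fail open, retry next time
        block, cacheable = decide(code)
        if cacheable:
            self.cache[ip] = block
        return block


def fake_service(envelope: bytes) -> bytes:
    """Constructed stand-in for the web service so the example runs offline:
    only 203.0.113.7 (a documentation address) is reported as black listed."""
    ip = ET.fromstring(envelope).find(f".//{{{SOAP_NS}}}IPAddress").text
    code = 1 if ip == "203.0.113.7" else 0
    return (f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<IsIPInBlackListResponse xmlns="{SOAP_NS}"><IsIPInBlackListResult>{code}'
            f'</IsIPInBlackListResult></IsIPInBlackListResponse></soap:Body></soap:Envelope>').encode()


if __name__ == "__main__":
    checker = BlackListChecker(12345, "example-password", fetch=fake_service)  # constructed credentials
    for addr in ("203.0.113.7", "198.51.100.2"):
        print(addr, "block" if checker.should_block(addr) else "allow")
```

To go live, construct BlackListChecker without the fetch argument so the real endpoint is used, and call should_block only at session start, not on every request.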

Application Programming Interface and Integration (eguardo Web Logger API)

eguardo Smart Defender provides a unique and valuable security mechanism to application developers through the application programming interface available in the Professional Edition. Using the software library (GuardoWebLogger.dll) placed in the Developer folder during installation, you can protect your custom-written applications with eguardo.

Basically, you can call the eguardo Web Logger API from your login page, registration page or any input page to protect your system.

For instance, suppose you have a login page for authenticating users. If a user fails authentication, you call the eguardo Web Logger API to report the failed authentication (AddLoginFail method). eguardo counts these failures; after a specified count within a specified time, eguardo blocks the user's IP address for a specified time. You can also block a user directly without waiting (BlockIPDirectly or BlackListIPDirectly methods). If the user authenticates successfully, you call the eguardo Web Logger API to clear the user's failed requests (ResetFailCounters method).

You can find a sample Microsoft C# solution in the Developer folder located in the installation path.

Along with Microsoft .Net based languages (C#, VB.Net, J#, F#, C++ etc.), Java, PHP, classical ASP and many more languages are supported.

How It Works

Note:

• The software to be integrated and eguardo Smart Defender have to run on the same computer. For example, if you want to protect your web site with eguardo, you need to install eguardo Smart Defender Professional Edition on the server where your web site is hosted.
• eguardo does not block local IP addresses. Therefore you should run your tests from a different IP address.
• To access the API reference, please follow this link.