1. Overview

The IT Administrator's view of Secunia is via the "Secunia CSI" Console.   There are two subcomponents available.  

  • Deploying Secunia CSI Agents (Scan systems for software vulnerabilities)
  • Deploying Secunia PSI Agents (Scan systems for software vulnerabilities, provide some automatic patching and give reporting to end user).

1.1 Notes

  • UAB has a site license (currently through Fall 2013) for this software though there are license counts associated with the software and administrator accounts.
  • Secunia PSI can only have 1 linkID per reporting subaccount!
  • Secunia PSI can be configured to report to a CSI instance or be standalone. Personally owned devices should generally use the non-reporting PSI.
  • UAB IT's initial deployment does not include pushing patches via WSUS. How to accomplish this on top of our existing WSUS processes and coming Forefront-based processes is being examined.

2. PSI Usage

If you are only worried about one or two systems (like a workstation), use the end user install of secunia PSI.

3. CSI Usage

Full documentation is available at http://secunia.com/vulnerability_scanning/corporate

  • Establishing Subaccounts. Each subaccount is a unique set of reporting views and licensing counts. Accounts can either be subordinate or they can be a "shadow" of an existing account.
  • Reporting (AdHOc or Scheduled Email); Several are available including static URLs that you can include in existing webpages as a dashboard for system status.
  • Integration with Secunia PSI;
  • Patch deployment Integration with WSUS or SCCM; This requires your own WSUS infrastructure. UAB IT is currently examining how to offer third party patches beyond Microsoft.

3.1 Getting Started with CSI

  1. Contact AskIT@uab.edu and request an account. Please indicate an approximate number of systems and other administrators you will need.
  2. You will receive an email with your account username and password from Secunia int_esm@secunia.com.
  3. Download and install the CSI Management console from http://secunia.com/vulnerability_scanning/corporate
  4. Login to the CSI Console with your assigned username and password. You can change your password at anytime.

3.2 Downloading CSI Agent

Please note that a csia.exe download is bound to an account.  If you end up with multiple accounts, please make sure to keep your csia.exe unique.

  1. Go to Scan > Scheduled Scanning > Download Agent; There is also a manual available on this screen.
  2. Choose an installation methodology. At the end of this document is an example script that will run csia.exe using the -NAME of the hostname as the "group" .

3.3 Downloading a Linked PSI Agent

PSI agents are nice for situations where end users take some responsibility for the software they install and keep up to date.   Please refer to end-user documentation for dealing with some of the caveats associated with PSI, especially with Java.

  1. Go to Scan > PSI Integration > Download Custom PSI
  2. Create a unique LinkID for your area. This cannot be changed.
  3. Save the custom installer as PSISetup!.exe; The name of the installer should not be changed.

3.4 Creating a shadow account

This is an account with the same reporting scope as an existing account.

  1. Navigate to User Management > Shadow Accounts
  2. Click New Shadow Account
    • Name: Real Name
    • UserName: blazerid@Uab.edu
    • Email: blazerid@uab.edu
    • Click "Generate Password"
    • Select the level of access they need to have to your main account
      • Read/Write (Can make changes/delete hosts/regroup systems)
      • Read (Can view reports/system status)

3.5 Creating a subaccount

This is an account with a new reporting scope.  This will not roll up into your main set of reports.  This is useful for delegated responsibility situations such as labs.  If you want someone else to have the same rights as you, create a shadow account!

  1. Navigate to User Management > Accounts
  2. Click New Account

4. Secunia CSI Login Scripts

This script is suitable for being used as a login script or as a scheduled task.   Please share any suggested changes to this script.

'==========================================================================
'
' NAME: runsecunia.vbs
'
' AUTHOR: Chris Green cmgreen@uab.edu
' AUTHOR: Aaron Blum    ablum@uab.edu
' DATE  : 2/2/2011
' DATE  : 5/1/2012 (updated)
'
' COMMENT:
'
'  Runs the Secunia csia agent (different visibility scopes per user) and
'    sets the site to the active OU|
'  
' CHANGES:
'     5/1/2012 - Updated Script to work with Secunia 5.0 Agent
'     2/2/2011 - Made csia execute in background.
'
' This default configuration assumes that the csia.exe file is
'   in the "C:\Secunia\" folder and that logs are to be placed
'   in the "C:\Secunia\logs" folder.
'
' It also configures the agent to check-in every two days
'  This can be modify by adjusting the flag after the -i in SecuniaCmd
'
' Change these values where needed.
'
'==========================================================================
' SEC (AKA Chris Green) Login Script

 'On Error Resume Next

'' full path to CSI Program
''const CsiaPath = "%ProgramFiles%\Secunia\csia.exe"
const CsiaPath = "C:\Secunia\csia.exe"
'' Output log directory, Log will be username.sec
''const LogPath = "%ProgramFiles%\Secunia\logs\"
const LogPath = "C:\Secunia\logs\"
'' Run in foreground?
const bInteractive = False

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Overwrite the last instance of the logs
Dim objLogPath, ouGuess, idxDash, secuniaCmd
objLogPath = LogPath & objNetwork.UserName & ".sec"
Set objLog = objFSO.OpenTextFile(objLogPath,2,true)

TimeStamp = Year(now) & "-" & Month(now) & "-" & Day(now) & "-" & Hour(now) & Minute(now)
ouGuess = "ADLogonScript"
idxDash = InStr(1,objNetwork.computername, "-", 1) - 1

If idxDash > 0 Then
   ouGuess =  Mid(objNetwork.computername, 1, idxDash)
End If  

objLog.WriteLine("[*] Secunia " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)

secuniaCmd = CsiaPath & " -i 2D -L -g " & ouGuess & " -v --skipwait -d " & LogPath & TimeStamp & "_csia.log"
objLog.WriteLine("[*] Secunia Executing with " & secuniaCmd)

If bInteractive Then
                set oExec = objShell.Exec(secuniaCmd)

                ' Wait for the scan to complete
                Do While Not oExec.StdOut.AtEndofStream
                                strText = oExec.StdOut.ReadLine()
                                objLog.WriteLine(strText)
                Loop

                objLog.WriteLine("[*] Secunia Exited with " & oExec.Status & " on " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)

Else
    '' Close the output file, hide csia in the background
                objLog.Close
                objShell.Run "cmd /c " & secuniaCmd & ">>" & objLogPath, vbHide
End If

If you experience any issues with PGP, please report them to the help desk, AskIT, by email at AskIT@uab.edu, or by phone at 205-996-5555.  Please be sure to provide the following information:

  • Issue/symptoms
  • Error messages
  • Computer make and model
  • Internet connection type
  • PGP installer version
  • Estimated time of occurrence (if possible)

Common Solutions to Installation Issues

  1. Verify that you are an administrator of the system on which you are attempting to install PGP. 
  2. Open your web browser and ensure that you have Internet connectivity by opening a website.
  3. Be sure that you have a current installation package for PGP Desktop.  Visit www.uab.edu/it/software for the latest installation files.
  4. Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.

Common Solutions to Password Related Issues

  1. Verify that Caps Lock is not on while authenticating.
  2. If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
  3. If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device.  A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.

Common Solutions to Boot/Startup Related Issues

  1. Ensure that a keyboard is connected to the system.  Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
  2. Remove any CDs, DVDs or USB drives from the system.  Many of these devices have features that allow them to start before the system hard drive.
  3. Does the system have multiple operating systems or Dell Media Direct?  If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive.  Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
  4. See the PGP Recovery documentation for further support.

Although rare, situations have occurred where a hard drive encrypted with PGP does not boot.  To assist in recovery of these drives, the creation and use of a PGP Boot Disk is highly recommended.

Please note that each version of PGP requires a boot disk unique to the particular version in use on the client.  For example, if you attempt to use a 9.6 recovery disk to decrypt a disk protected with PGP Whole Disk Encryption 9.9 software, any data on the PGP Whole Disk Encrypted 9.9 disk will be unrecoverable.

Note:  If you do not remember the recovery passphrase, please contact the help desk, AskIT, by email AskIT@uab.edu, or by phone, 205-996-5555.

Create a Recovery Boot Disk

  1. Download the appropriate ISO file from the Symantec archives:
    a) Version 10.x: http://www.symantec.com/business/support/index?page=content&id=TECH152604
    b) Version 9.X: http://www.symantec.com/business/support/index?page=content&id=TECH148915
  2. Burn the ISO to a CD, label it appropriately and store it in a safe place.

Using a Recovery Boot Disk

  1. Insert your Recovery CD into the computer's CD drive.
  2. Reboot the computer and boot to the CD.
  3. When the login screen appears, enter the recovery passphrase for the encrypted drive and press Enter to begin decryption.  This operation can take many hours and the system should not be powered off.
  4. Once the process is complete, the system should start as normal.  If the operating system still does not boot, proceed with your operating system repair or data migration process.

Using a Recovery Workstation

If you have the resources or equipment available, the hard drive from the system that will not boot can be accessed by a workstation that has PGP installed on it.  Simply connect the device using a USB hard drive bay or adapter, and enter a passphrase associated with the drive.  Once the hard drive is mounted to the recovery system, files can be recovered by moving them or by decrypting the hard drive.

Requirements

NOTE:  If your system is dual-boot or features a utility partition (recovery or Dell Media Direct) it is not compatible for PGP Whole Disk Encryption. If you have a Dell Inspiron M1210, Dell E5400 or Dell XPS please call AskIT at 205-996-5555 before attempting to encrypt your machine with PGP.

Please review the list of devices that are incompatible with PGP.

To successfully install and configure PGP, you will need the following:

  • Administrative privileges
  • An active connection to the Internet
  • A physical keyboard - tablets without keyboards are unable to use the software
  • One of the following operating systems: Windows 7, Windows Vista, XP Home or Professional 32-bit (SP2/SP3), XP Pro 64-bit (SP2), XP Tablet 2005, Windows 2000 (SP4)
  • 512MB RAM
  • 64MB hard disk space

Prepare Your Computer

  1. Back up your data - Prior to downloading or installing any encryption software such as PGP, be sure to back up your data to a trusted source.  Devices such as external drives, CDs, DVDs and network drives are recommended for storage of important documents.  it would also be a good idea to ensure that your have the ability to reinstall any important software if any data loss should actually occur.
  2. Defragment - Prior to encryption, you may wish to defragment your computer to speed up the encryption process.  To do so, click the Start menu.  Point to Programs>Accessories>System Tools, and then click Disk Defragmenter.  Click the Analyze button; a report will appear telling you whether or not defragmentation is recommended.  If it is, click the Defragment button to begin; if not, close Disk Defragmenter and proceed to the next step. 
  3. Check the disk for disk errors - Under normal operation, many hard drives do not exhibit any signs of corruption or flaws, but when the data on the drive is encrypted, those issues can present a greater problem leading to file corruption, and in some cases complete loss of the operating system.  In order to identify and correct these issues before any loss is incurred, SpinRite was purchased for the campus and is available on the IT Software Library site for faculty and staff.  The software will assist you in creating a bootable CD that will scan and correct any disk errors.  This step is optional, but is also highly recommended.
  4. Check power and network connections - Before installing, be sure your computer is plugged into a wall outlet and has an active network connection.

Download and Install PGP Software

  1. Go to the UAB Software Library, located at www.uab.edu/it/software.  Locate the appropriate PGP software and click to begin downloading.
  2. Prior to installation, be sure to close all running programs and save anything you are working on.
  3. Navigate to where you saved the software and launch the PGP installer.  In the PGP Desktop window, select English.
  4. Read the licensing agreement, select "I Accept" the licensing agreement, and click Next.
  5. Click Nextagain.

  6. The installer will start copying files into place.
  7. Click Yes to reboot.  When the computer has rebooted and you log in, the PGP Setup Assistant should automatically appear.
  8. When prompted for domain credentials, enter your BlazerID and password.

  9. Select "I am a new user", and click Next.

  10. Click Next.
  11. The next box to pop up will be a prompt to create a passphrase user.  Enter the username and password you use to log into your system.  In many areas of campus, this is also your BlazerID and password with a domain of UAB.
  12. The program should begin to automatically encrypt the disk in the background while you go about your normal work.  Note:  Encryption may take up to eight hours.  If necessary, you can shut down the computer (Start>Shutdown>Turn off computer), but DO NOT abruptly power off the system.

  13. When the encryption of the boot drive is complete, the lower icon will become a solid padlock.
  14. From this point on, prior to booting Windows, you will receive a gray PGP boot screen in which you are prompted to enter the passphrase that you entered during setup.  Entering a correct passphrase permits access to the machine and will log you into the Windows operating system through the single sign-on feature.