FAQ (All Modules)

Q: Can I add a new training to the current training list?

A: Yes, you can create your own training and upload it to the platform in multiple formats, such as PowerPoint, HTML5, MP4 or others. Contact the Keepnet team for detailed information on this subject.

Q: Does Incident Responder violate user privacy?

A: No, it does not. No one, including the Keepnet team or the Company Admins who manage the Keepnet interface, can view the contents of any email in the inbox.

Q: Is it possible to centralise the distribution of the add-in?

A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools such as Microsoft SCCM or IBM BigFix.

Q: Are the emails sent by users for analysis securely stored on the server?

A: Keepnet generates a random key that is unique to each customer, then encrypts all reported emails on disk with the AES-256 algorithm. See logging mechanism here.

Q: Can an attacker hijack the Outlook add-in?

A: Keepnet uses “Code Signing with Microsoft Authenticode” to protect its tools against hacking attempts. For more information, please click here.

Q: Can I integrate this solution with security products I have?

A: Yes, it is possible to integrate any solution. Currently, Keepnet has many platform integrations, such as DNS Firewall, Sandbox and exploitation tool platforms. See the integrations here. Please contact us to discuss this matter: support@keepnetlabs.com

Q: How can our audit teams oversee and control the people and their operations that govern the Keepnet interface?

A: Keepnet logs all operations in detail and transmits a copy of them to SIEM products in real time. This way, you can observe the behaviour of users, create alerts for abnormal situations and take action, or you can use the logs at audit time.

Q: How do you report the incidents analysed, investigated and responded to?

A: Yes, the automatic investigation feature lets you detect and remove the suspicious email, or any of its variants, in any of your users' inboxes, and you can automatically report it.

Q: If the reported email appears to be non-malicious, can we send an email to the user stating that the email does not contain any threats?

A: Yes, if you follow the path Incident Response > Task > New Task in the Keepnet interface, you can send an email notification to the user as well as to system administrators and alternate SOC teams.

Q: When we search for a suspicious mail from the Incident Investigation tab, we have to wait too long. How can we shorten this time?

A: The operation runs within a maximum of 60 seconds plus a random number of seconds, but we can shorten this time.

Q: How is a suspicious email analysed by VirusTotal? Are the file hashes sent to VirusTotal, or does the application have its own file analytics?

A: By default, we query the file hash; if it has not been scanned before, we send the file itself. If you do not want to send the file under any circumstances, you can prevent this by creating a task in our interface.
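The hash-first flow described in this answer, sketched as an added example (not Keepnet's or VirusTotal's code). `analyse_attachment`, `FakeScanService` and the `allow_upload` switch are hypothetical names, and the scan service is a constructed in-memory stand-in so the example runs offline.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    sha256: str
    source: str                # "hash-lookup", "file-upload" or "not-submitted"
    malicious: Optional[bool]  # None: no verdict, the file was never scanned


def analyse_attachment(data: bytes,
                       lookup_hash: Callable[[str], Optional[bool]],
                       upload_file: Callable[[bytes], bool],
                       allow_upload: bool = True) -> Verdict:
    """Query by hash first; send the file only if unknown and policy allows."""
    digest = sha256_hex(data)
    known = lookup_hash(digest)      # only the digest leaves the organisation
    if known is not None:
        return Verdict(digest, "hash-lookup", known)
    if not allow_upload:             # policy: never send file contents
        return Verdict(digest, "not-submitted", None)
    return Verdict(digest, "file-upload", upload_file(data))


@dataclass
class FakeScanService:
    """Constructed stand-in for an external scanner; records what it receives."""
    known: Dict[str, bool] = field(default_factory=dict)
    uploaded: List[bytes] = field(default_factory=list)

    def lookup_hash(self, digest: str) -> Optional[bool]:
        return self.known.get(digest)

    def upload_file(self, data: bytes) -> bool:
        self.uploaded.append(data)               # file contents were disclosed
        verdict = b"MALICIOUS-SAMPLE" in data    # toy rule for the demo only
        self.known[sha256_hex(data)] = verdict   # later lookups hit by hash
        return verdict
```

With `allow_upload=False`, an attachment the service has never seen comes back with no verdict, so it still needs a local or manual analysis path.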

Q: How do you analyse the emails? Which tools are used for analysis?

A: We analyse the suspicious email's header, body and attachment using the third-party engines integrated into our interface. It is possible to add a new analysis service here.

Q: What do you need to run Email Threat Simulator (ETS)?

A: An email address with its password will be enough to start ETS. Therefore, we recommend creating a test account for use with this service.

Outlook Versions: Outlook 2007/2010/2013/2016

Q: If the suspicious email analysed is malicious, can we delete this email from the inboxes without any intervention?

A: Yes, the automatic investigation feature lets you detect and remove the suspicious email, or any of its variants, in any of your users' inboxes, and you can automatically report it.

Q: Does the app have ArcSight integration? (For logging of events such as phishing mail / deletion etc.)

A: Yes, all logs are kept under the C:\Users\Public\KeepnetLabs\AuiditLog directory. You can transfer them to ArcSight with your syslog tool.

Q: During the installation, we treated one email as suspicious and analysed it. We would also like to test whether the server resources are sufficient for more than one analysis, or in different scenarios. How can we proceed?

A: We can test system resources through stress testing. There is also a queuing mechanism that we use to prevent overload; it works by putting the notifications in order.

Q: Keepnet System will be used on PCs (Windows 7-10, no Windows 8), mobile (Android/iOS) and iPads. Are there any platform dependencies or incompatibilities?

A: All modules except the add-in work everywhere; the add-in works everywhere with MS Outlook.

Q: What are the dependencies of the plugin? Java, Flash or something else?

A: Nothing except .NET 2.5 or higher versions.

Q: Are separate licenses required for group emails?

A: No.

Q: What is the resource utilisation of the plugin and Incident Responder? How will it affect limited bandwidth?

A: Minimum Computer Specifications:

  • Outlook Versions: Outlook 2007/2010/2013/2016

  • CPU Usage: 0% to 5% of CPU

  • RAM Usage: ~120 MB of RAM

  • Disk Usage: 3 MB disk space

  • Network Traffic: payload size + HTTP requests size = approx. 230 kbps

Q: What are the technical details of the plugin? Is it an add-on to the application (browser) or the OS?

A: It is an add-in for Microsoft Outlook Desktop and Office 365.

Q: Can the plugin be disabled by individual users?

A: It depends on your company policy. If users have the right to disable it, then they can disable it. Many organizations handle this process via GPO.

Q: When this tool is running, it will be using a certain port. Which port will it be?

A: The add-in connects to the server over HTTPS (port 443).

Q: Do we need to add this to our antivirus exclusions, or will it be installed straight away?

A: No, you don't. It will be installed directly.

Q: Can the programming be shared? How can we provide a technical specification to the technical department to make them aware of how this works, e.g. which ports are open, what data is being transmitted, and access to the email address book?

A: Yes, on request, Keepnet can share every detail.

Q: How are patches deployed?

A: Keepnet shares a new .msi file.

Q: Do we need AD to deploy it via policies? How will this affect patching? Is there anything protocol-specific to be aware of?

A: Please contact the Keepnet team to get the on-premise requirements document.

Q: We are currently upgrading to Windows 2016 and SQL 2016. What effect will this have?

A: We support MS SQL 2016; it won't affect us.

Q: How do we organise monthly reports from an independent provider? What certifications can we provide for auditing purposes?

A: Cyber Essentials and ISO 27001 audit report, as well as pentest reports.

Q: Keepnet Labs On-Premise Requirements: Can a different MQ service model be used by our organization?

A: For now, we do all queuing with RabbitMQ; we don't support any other application. If you share with us the applications that are used and supported by your organisation, we will add them to our support list for the future.

Q: Keepnet Labs On-Premise Requirements: Can you use MSSQL database?

A: Yes, we can use an instance allocated to us from the corporate MSSQL database.

Q: Keepnet Labs On-Premise Requirements: Does the database need special authorisation?

A: dbowner is enough.

Q: Keepnet Labs On-Premise Requirements: Can we use our organisation's proxy to manage and control the Internet access of the application?

A: We have proxy support for accessing services on the Internet. By configuring the proxy in the interface, you can manage all of Keepnet's Internet traffic.

Q: What is the meaning of Active and Passive in the Phishing Reporter Add-in section?

IR Dashboard-Phishing Reporter Add-in

A:

Active: The user actively uses the Phishing Reporter add-in.

Passive: The user doesn't use the Phishing Reporter add-in.

Q: What is the validity period of OAuthKey that we will get from you with Company Api Key and OAuth ID values? Is there any character and case sensitivity in the Name and Surname parameters we will send to you in the second step?

A: The Company API Key and OAuth value are valid as long as the company is active in our system.

There are no character problems or case-sensitivity issues.
