Keepnet Phish Diag (Add-in Monitoring) Service

What is Phish Diag Service?

On a standard Windows installation, Microsoft Outlook offers no support for monitoring and reporting on the functionality of the add-ins installed in it. This service was developed to monitor and report whether the Keepnet Outlook add-in is functioning properly.

Using this service, system administrators are made aware of potential errors related to the Keepnet Outlook Phishing Reporter add-in and can take action.

The service periodically retrieves certain information from the client computer and transmits it to the Keepnet server on the client's own network (if the on-premise version is used) or to the dashboard.keepnetlabs.com server (if the cloud version is used).

Based on this information, the system administrator can monitor the Outlook add-in and make improvements.

Installation Requirements

The Keepnet Outlook monitoring service requires at least the following on the client for healthy operation:

  • The monitoring service must be installed and run with administrator rights.

  • The application has no default run interval; it is recommended to schedule it to run every 60 minutes, in accordance with corporate policy.

  • If Keepnet is used on-premise, the application must have access to http(s)://yourkeepnetserver/ in order to send the report.

  • The .NET Framework 4.5.2 or later must be installed.

Supported Operating Systems

The Keepnet Outlook add-in monitoring service supports all 32-bit and 64-bit Windows operating systems from Windows 7 onward on client computers.

Installation Types

Phish Diag supports two types of installation. Normal Installation is a direct installation on a single computer, while Silent Installation is the type in which installation is carried out on hundreds of thousands of systems using centralized software distribution tools.

Normal Installation

This section describes the installation of the Phish Diag service. You can get your Phish Diag service by contacting support@keepnetlabs.com.

After downloading the application, you can start the installation process by double-clicking it and then clicking the Next button.

Figure 1. Installation of Phish Diag Service

Continue with the default settings by clicking Next.

Figure 2. Installation of Phish Diag Service

Click Next to allow installation.

Figure 3. Confirming the Installation

In the last step, approve installation by clicking on Yes.

Figure 4. Approving the Installation

The Phish Diag service has now been successfully installed on the system.

Figure 5. Successful Installation of the Service

Silent Installation

For silent installation and removal, the following commands are available.

Silent installation process

C:\Windows\System32\msiExec.exe -i "KeepnetPhishDiagInstaller.msi" /QN /norestart

Silent removal

C:\Windows\System32\msiExec.exe -x "KeepnetPhishDiagInstaller.msi" /QN /norestart

Detecting the Product GUID

get-wmiobject Win32_Product | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

Silent removal with Product GUID

C:\Windows\System32\msiExec.exe -x {product-guid} /QN /norestart

Understanding Configuration Options

After the application is installed, the configuration file path is C:\Program Files (x86)\Keepnet Labs\KeepnetLabs Phishing Reporter Diagnostic Service\KeepnetPhishDiag.exe.config

Sample configuration file

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework, Version=v4.5.2" />
  </startup>
  <appSettings>
    <add key="KeepnetApiUrl" value="https://dashboard.keepnetlabs.com/api/OutlookAddInV1/CreateAddInDiagnostic" />
    <add key="IsProxyActive" value="false" />
    <add key="CompanyId" value="324b6c74-9690-4068-96e5-d031495038EA" />
  </appSettings>
</configuration>

The configuration file contains the address to which the application sends information, the company ID, and the options to enable proxy support if required for communication.
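The following is an added example, not Keepnet's own code: a fleet-side audit of KeepnetPhishDiag.exe.config that checks the three appSettings keys and flags a cleartext or unexpected report endpoint, which matters because the report carries host, logon and email details. The `allowed_hosts` parameter, the on-premise host name and the CompanyId in the sample are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: same keys as the sample file above, but with a plaintext
# on-premise URL and placeholder values (host name and CompanyId are made up).
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="KeepnetApiUrl" value="http://keepnet.corp.example/api/OutlookAddInV1/CreateAddInDiagnostic" />
    <add key="IsProxyActive" value="false" />
    <add key="CompanyId" value="00000000-0000-0000-0000-000000000000" />
  </appSettings>
</configuration>"""

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def read_settings(xml_bytes):
    """Return the <appSettings> key/value pairs as a dict."""
    root = ET.fromstring(xml_bytes)
    return {a.get("key"): a.get("value", "") for a in root.findall("./appSettings/add")}

def audit_config(xml_bytes, allowed_hosts):
    """Return a list of findings; an empty list means the file passed."""
    s = read_settings(xml_bytes)
    problems = []
    url = urlparse(s.get("KeepnetApiUrl", ""))
    if url.scheme != "https":
        problems.append("KeepnetApiUrl is not HTTPS: report data would travel in cleartext")
    if url.hostname not in allowed_hosts:
        problems.append("KeepnetApiUrl host %r is not an approved server" % url.hostname)
    if not GUID.match(s.get("CompanyId", "")):
        problems.append("CompanyId is missing or not a GUID")
    if s.get("IsProxyActive", "").lower() not in ("true", "false"):
        problems.append("IsProxyActive is not true/false")
    return problems

if __name__ == "__main__":
    # Hypothetical allow-list: only the cloud endpoint is approved here.
    for finding in audit_config(SAMPLE_CONFIG, {"dashboard.keepnetlabs.com"}):
        print("FINDING:", finding)
```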

Understanding the Log File

The application's logs are located on each user computer on which the application is installed, in C:\Program Files (x86)\Keepnet Labs\KeepnetLabs Phishing Reporter Diagnostic Service\Log.txt.

Sample output:

19:05:31.8654|INFO|KeepnetPhishDiag.Logger|HostName:WIN-U476PGRNF1D|CompanyId:324b6c74-9690-4068-96e5-d031495038ba|Os:Microsoft Windows 7 Ultimate 64-bit Version (Build 7601)|OsLanguage:en-US|OutlookVersion:16.0.11901.20176|OutlookArchitecture:x64|IsOutlookRunning:True|OutlookLastStartupTime:10/28/2019 6:36:33 PM|IsAddInInstalled:True|AddInVersion:2.0.2.12|AddInLoadLoadBehaviorValue(HKLM):3|AddInBootTime:172|LastDisabledTime:|ThresholdTime:|TimeTaken:|DisableReason:

2019-10-28 19:05:31.8654|INFO|KeepnetPhishDiag.Logger|SId:S-1-5-21-840305792-373996970-2194471766-1000|LoadBehaviorValue:|IsAddInInDisabledItems:False|LogonName:test|Email:bob@keepnetlabs.com|EmailServiceName:MSEMS
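The following is an added example, not part of the Keepnet product: a parser for the pipe-delimited Key:Value layout of Log.txt shown above, with simple local triage flags. The sample lines are constructed, and both the pairing of lines by time of day and the flag rules are assumptions for illustration, not the portal's own status logic.

```python
import re

# Constructed sample lines in the layout shown above (host, SID and address are
# made up). The first line has no date, like the first sample line on this page.
SAMPLE_LOG = [
    "19:05:31.8654|INFO|KeepnetPhishDiag.Logger|HostName:PC-EXAMPLE-01|"
    "OutlookVersion:16.0.11901.20176|IsOutlookRunning:True|"
    "OutlookLastStartupTime:10/28/2019 6:36:33 PM|IsAddInInstalled:True|"
    "AddInLoadLoadBehaviorValue(HKLM):2|DisableReason:",
    "2019-10-28 19:05:31.8654|INFO|KeepnetPhishDiag.Logger|SId:S-1-5-21-1-2-3-1000|"
    "LoadBehaviorValue:|IsAddInInDisabledItems:True|LogonName:alice|Email:alice@corp.example",
]

STAMP = re.compile(r"^(?:\d{4}-\d{2}-\d{2} )?(\d{2}:\d{2}:\d{2}\.\d+)$")

def parse_line(line):
    """Split one line into (time_of_day, level, fields)."""
    parts = line.strip().split("|")
    m = STAMP.match(parts[0])
    if len(parts) < 4 or not m:
        raise ValueError("not a Phish Diag log line: %r" % line[:40])
    # Values such as OutlookLastStartupTime contain ':' themselves, so each
    # Key:Value item is split on its first ':' only.
    fields = dict(item.partition(":")[::2] for item in parts[3:])
    return m.group(1), parts[1], fields

def merge_records(lines):
    """Merge lines that share a time of day into one record per run (assumption)."""
    runs = {}
    for line in lines:
        tod, _level, fields = parse_line(line)
        runs.setdefault(tod, {}).update(fields)
    return runs

def triage(rec):
    """Local flags for an administrator; not the portal's own status logic."""
    flags = []
    if rec.get("IsAddInInstalled") != "True":
        flags.append("add-in not installed")
    if rec.get("IsOutlookRunning") != "True":
        flags.append("Outlook not running")
    if rec.get("IsAddInInDisabledItems") == "True":
        flags.append("add-in in disabled items")
    hklm = rec.get("AddInLoadLoadBehaviorValue(HKLM)", "")
    if hklm and hklm != "3":
        flags.append("HKLM LoadBehavior=%s (sample shows 3)" % hklm)
    return flags
```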

Post-Installation Review

Once the Phish Diag (add-in monitoring) service has been successfully installed and is running, it communicates with the Keepnet portal (cloud or on-premise) to help you obtain status information in the following 6 different scenarios.

Scenario 1: Monitoring Situations Where the Add-in Is Not Installed

If the Phishing Reporter Outlook Desktop add-in is not installed on a user's computer, it is reported as "Not Installed".

Figure 6. Not Installed

Scenario 2: Users with the Add-in Installed and Active

If the Phishing Reporter Outlook Desktop add-in is installed on a user's computer, running and communicating with the Keepnet portal, it is reported as "Online".

Figure 7. Online

Scenario 3: Add-in Disabled

If the Phishing Reporter Outlook Desktop add-in is installed but disabled, it will be reported as "Disabled".

Figure 8. Disabled

Scenario 4: Inactive Add-ins

If the Phishing Reporter Outlook Desktop add-in is installed but disabled by the user, it appears in the list of inactive add-ins and is reported as "Deactivated" in the Keepnet portal.

Figure 9. Deactivated

Scenario 5: Outlook is Offline

If the Phishing Reporter Outlook Desktop add-in has been successfully installed, but the Outlook Desktop application is closed, the user appears as "Offline".

Figure 10. Offline

Scenario 6: Disabling or Deleting User Accounts

When a Windows user account in Active Directory is disabled or deleted, it is reported as "User Unavailable" because the user is no longer in Active Directory.

Figure 11. User Unavailable

Downloading the User List

By downloading the entire user list as an Excel report, you can perform various filtering and reporting operations. When you click the "Download Excel Report" button, the report is prepared for download.

Figure 12. Downloading Excel Report

As in the screenshot below, the report will be ready to be downloaded.

Figure 13. Downloading Excel Report

The downloaded report contains all the details, as follows.

Figure 14. Details within Report

Creating a Scheduled Report

You can receive Excel reports by email at certain times. To do so, click the Schedule Report button, type in the email addresses to which you want to send your scheduled report, and determine how often it will be sent.

Figure 15. Scheduling Report

The email will look like this.

Figure 16. The Report Email