Help Documentation

Safeguard Configuration

What is Symbient Safeguard?

Symbient Safeguard is an enterprise-grade security monitoring solution that provides comprehensive detection of modern cyber threats. Through continuous system surveillance, Symbient Safeguard alerts you and your organization to suspicious activities and potential security breaches, enabling rapid incident response.

Comprehensive Monitoring and Protection

Symbient Safeguard employs advanced monitoring capabilities across multiple security vectors.

System Monitoring

• Process activity monitoring detects suspicious applications and unusual process relationships.
• File system surveillance identifies potentially malicious files and suspicious folder activities.
• Registry monitoring alerts on system modifications.
• Resource usage tracking detects unusual system resource consumption.

Network Monitoring

• Network traffic analysis for both inbound and outbound connections.
• Detection of port scanning activities.
• Bandwidth monitoring for potential data exfiltration.
• Network connection monitoring for unauthorized communications.

Access Monitoring

• User activity surveillance for unauthorized access attempts.
• Privilege escalation detection.
• User account creation and modification tracking.

Security Infrastructure Monitoring

• Security application status monitoring.
• Antivirus update status tracking.
• Log file analysis for security event correlation.

Cloud-Powered Intelligence with Symbient Uptime

Symbient Safeguard integrates with Symbient Uptime, our cloud-based Security Information and Event Management (SIEM) platform, providing:

• Cross-system event correlation for attack pattern detection.
• Network-wide threat analysis.
• Advanced detection of persistent threats.
• Security analytics and reporting.
• Real-time alerting for incident response teams.

Business Benefits

Early threat detection through comprehensive monitoring helps businesses prevent costly data breaches and system compromises before they impact operations. The automated, round-the-clock surveillance provided by Symbient Safeguard reduces the burden on IT teams while providing better security coverage than manual monitoring could achieve. By integrating with Symbient Uptime’s cloud-based analysis, businesses gain network-wide visibility into security threats without needing to maintain complex on-premise security infrastructure. The detailed logging and reporting capabilities also help businesses demonstrate compliance with security regulations and standards, potentially avoiding costly fines and penalties.

Enhanced Security Awareness

• Comprehensive threat detection across systems.
• Real-time visibility into security events.
• Early warning of suspicious activities.
• Detailed security landscape monitoring.

Operational Efficiency

• Automated security monitoring reduces manual oversight.
• Centralized security event management.
• Streamlined incident response through early detection.
• Reduced security monitoring burden on IT teams.

Compliance and Governance

• Detailed audit trails for compliance requirements.
• Comprehensive security event logging.
• Evidence collection for regulatory assessments.
• Security incident documentation.

Cost Management

• Early detection helps minimize incident impact.
• Consolidated security monitoring platform.
• Efficient resource allocation through automation.
• Enhanced risk management through early awareness.

What Symbient Safeguard is NOT?

While Symbient Safeguard provides comprehensive security monitoring and alerting capabilities, it’s important to understand what the solution does not do to ensure appropriate deployment and security planning.

Not an Antivirus Solution

Symbient Safeguard does not replace your antivirus software. While it monitors for suspicious activities that might indicate malware, it does not:

• Scan files for known virus signatures
• Quarantine infected files
• Remove malware from your system
• Provide real-time protection against malware execution

Not an Active Defense System

Symbient Safeguard is a monitoring and alerting solution, not an active defense system. It does not:

• Block suspicious processes from running
• Terminate potentially malicious connections
• Prevent unauthorized access attempts
• Stop data exfiltration in progress
• Take automated actions to mitigate threats

Not a Complete Security Solution

While Symbient Safeguard is a powerful security monitoring tool, it should be part of a larger security strategy. It is not:

• A replacement for firewalls
• An intrusion prevention system (IPS)
• A vulnerability scanner
• A patch management solution
• A security configuration management tool

Not a Network Security Appliance

Although Symbient Safeguard monitors network activity, it is not:

• A network firewall
• A network intrusion detection system (IDS)
• A network packet analyzer
• A network access control solution
• A VPN or encryption solution

Not an Automated Incident Response Platform

While Symbient Safeguard helps detect security incidents, it does not:

• Automatically remediate security issues
• Execute incident response playbooks
• Isolate compromised systems
• Roll back malicious changes
• Restore affected systems

Understanding these limitations is crucial for maintaining a comprehensive security posture. Symbient Safeguard should be deployed alongside other security tools and solutions to create a robust defense-in-depth strategy.

Future Capabilities

While Symbient Safeguard currently focuses on monitoring and alerting only, many of the capabilities mentioned above are planned for future releases. Our product roadmap includes expanding into active defense, automated incident response, and deeper integrations with other security tools. As we continue to evolve the solution, we remain committed to providing enterprise-grade security solutions that meet our customers’ growing needs.

How Does It Work?

Symbient Safeguard runs as a non-intrusive background service, continuously monitoring all aspects of your systems to detect patterns that are commonly associated with suspicious or malicious activity.

As events are detected, our Safeguard Desktop Agent displays popup notifications at the bottom-right of your screen that alert you to the goings-on happening behind the scenes. All events are displayed in the Safeguard Desktop Agent app on the “Events” tab, and are also sent to Symbient Uptime where they are cross-referenced and correlated with other events from the same device and across your entire network, intelligently identifying large-scale and slow-burn attacks.

Symbient Safeguard comes with dozens of out-of-the-box monitoring capabilities, and others can be included, such as monitoring log files, with a simple configuration in the included settings.conf file. See Log Files below for examples and usage.

Furthermore, Symbient Safeguard has the ability to detect suspicious activities that occur outside of normal business hours, such as the installation of new software, new users being added to the system, unusual or exhaustive process performance, user privilege escalation, and so much more!

Why Choose Symbient Safeguard?

In today's rapidly evolving threat landscape, businesses need more than just basic security tools. Symbient Safeguard provides enterprise-grade insight through its comprehensive monitoring capabilities and cloud-powered intelligence. By detecting and alerting on suspicious activities across your entire network, Safeguard helps alert you to security breaches before they can impact your business.

Furthermore, the seamless integration with Symbient Uptime ensures that your organization benefits from advanced threat correlation and analysis, providing a complete security analysis solution that evolves with emerging threats. Whether you're a small business or a large enterprise, Symbient Safeguard offers the security insight and peace of mind you need to focus on growing your business.

Don't wait for a security breach to impact your business. Choose Symbient Safeguard for comprehensive security monitoring that keeps your systems safe and your business running uninterrupted.

Safeguard Desktop Agent

Safeguard Desktop Agent is the essential endpoint component that powers the broader Symbient Safeguard security monitoring solution. Running quietly in the background of your devices, this sophisticated monitoring application serves as your local sentinel, continuously collecting and analyzing critical system data to detect potential security threats.

Safeguard Desktop Agent provides real-time visibility into your system’s vital signs through its comprehensive and user friendly interface, where you can view everything from detailed information about your device, performance metrics, network connections, suspicious activity, and much more.

What makes Safeguard Desktop Agent particularly powerful is how it functions as the eyes and ears of the Symbient Safeguard ecosystem on your local machine. By maintaining constant vigilance over your system’s activities and providing granular control over monitoring parameters through its intuitive interface, Safeguard Desktop Agent ensures that the broader Symbient Safeguard solution has the precise, real-time data it needs to effectively monitor your digital assets and maintain system security.

As an example, through its detailed network monitoring capabilities, Safeguard Desktop Agent helps you discover and identify processes you might not have known were installed or running on your device, shining a light on applications that may be quietly establishing connections to third-party systems without your awareness or consent. This level of transparency empowers you to make informed decisions about the software and connections running on your systems, enhancing your overall security posture.

System Information

The Info tab provides various information about the current system, including the device manufacturer, device ID, operating system, drive information, IP & MAC addresses, any installed antivirus or malware detection tools and whether or not they are enabled, and more. This information is provided to Symbient Uptime where it can be compared with events from similar systems for detecting device or hardware specific attacks.

Settings

The Settings tab allows you to control what Symbient Safeguard monitors. Since Safeguard is a non-intrusive application, it is recommended to have Safeguard run monitors for everything it provides, but the ultimate decision is yours.

Processes

Safeguard Desktop Agent employs advanced pattern recognition t identify suspicious processes, including relationships between processes, and detects unusual behaviors that might indicate potential security threats, such as processes spawning unexpected child processes or establishing abnormal communication patterns with other applications.

Default Suspicious Process Patterns

• mimikatz
• pwdump
• wce
• psexec
• powershell.*hidden
• powershell.*encode
• cmd.*/c.*http
• reg.*delete
• net.*user.*/add
• net.*localgroup.*administrators.*/add
• vssadmin.*delete.*shadows
• bcdedit.*recoveryenabled.*no
• wbadmin.*delete.*systemstatebackup
• icacls.*/grand.*everyone
• netsh.*advfirewall.*set.*allprofiles.*state.*off

Default Unusual Process Relationships

• cmd.exe: winword.exe, excel.exe, powerpnt.exe
• powershell.exe: winword.exe, excel.exe, powerpnt.exe
• svchost.exe: cmd.exe, powershell.exe

Default Trusted Services

• svchost.exe
• System
• wuauclt.exe
• MsMpEng.exe

Disk

Safeguard Desktop Agent maintains vigilant oversight of your disk drives, monitoring for unusual file system activity that could indicate potential security concerns, such as ransomware encryption attempts or unauthorized data access.

Default Directory Patterns

• \temp\
• \windows\temp\
• \programdata\microsoft\windows\start menu\programs\startup\

Default Suspicious File Extensions

• .exe
• .dll
• .scr
• .bat
• .cmd
• .ps1
• .vbs
• .js

Default Sensitive Registry Paths

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKLM\SYSTEM\CurrentControlSet\Services
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Network

Network monitoring can be enabled or disabled using the checkboxes in the “Network” group on the Settings tab of Symbient Safeguard Desktop Agent. Here you can instruct Safeguard to monitor things like:

• Outbound IP scanning
• Outbound port scanning
• Inbound port scanning
• Excessive bandwidth usage
• Unknown inbound connections
• Unknow outbound connections

Scan Patterns

• Unknown
• Sequential
• Random
• Adaptive

Scan Types

• Port Scan = 1
• IP Scan = 2
• Vulnerability Probe = 4
• Service Discovery = 8
• Version Scan = 16

Connection Types

• None
• Established
• Listening
• TimeWait
• CloseWait
• SynSent
• SynReceived
• FinWait1
• FinWait2
• Closing
• LastAck
• Closed

Default Vulnerable Ports

• 21 - FTP
• 22 - SSH
• 23 - Telnet
• 25 - SMTP
• 53 - DNS
• 139 - NetBIOS
• 445 - SMB
• 1433 - MSSQL
• 1521 - Oracle
• 3306 - MySQL
• 3389 - RDP
• 4444 - Common malware
• 5432 - PostgreSQL
• 5900 - VNC
• 6379 - Redis
• 8080 - Alternative HTTP
• 27017 - MongoDB

Default Scanner Ports

• 2000 - Nmap default source
• 4444 - Metasploit default
• 31337 - Common hacker port
• 47001 - Common scanner source
• 61000 - Masscan default source

Default Monitored Protocols

• RDP
• SMB
• HTTP
• HTTPS
• LDAP
• DNS
• FTP
• SSH
• TELNET

Default Scanner User Agents

• nmap
• masscan
• zgrab
• dirbuster
• nikto
• burp
• sqlmap

Default Malicious IP Ranges

• 185.147.0.0/16
• 194.156.0.0/16
• 45.134.0.0/16

System

Safeguard Desktop Agent carefully analyzes system activity, monitoring for telltale signs of suspicious behavior like unusual command line arguments or unexpected system modifications that could indicate malicious intent.

Default Suspicious Command Arguments

• -encodedcommand
• -enc
• -windowstyle hidden
• -w hidden
• -nop
• -noprofile
• -noninteractive
• iex
• invoke-expression
• downloadstring
• downloadfile
• bypass
• -exec bypass

Users and Accounts

Safeguard Desktop Agent maintains constant surveillance over user activity on your system, alerting you to critical changes like the creation of new user accounts, changes to security groups, unusual login patterns, or modifications to user privileges that could signal a security breach.

Antivirus / Malware

Along with Symbient Safeguard, it is advised to have at least one malware and/or antivirus scanning tool installed, enabled, and kept up-to-date. For those using Windows 10 or newer, Windows Defender is a great starting point, but there are other tools that offer scans and checks not provided by Windows Defender.

Symbient Safeguard Desktop Agent has the ability to check that your system has malware and/or antivirus scanning tools installed, they are running, and they are up-to-date.

To see what malware and AV products are installed on your system, and whether or not they are enabled, check the “AV/Malware Software” group section on the Info tab of Symbient Safeguard Desktop Agent.

Log Files

Log files and accompanying rules are configured in the settings.conf file. Log file monitoring supports monitoring multiple log files, and triggering multiple actions per log file rule. Pattern matching is done using regular expressions. Different types of actions include:

• Firewall blocking (temporary or permanent)
• Service/system commands
• API calls
• Writing to log files

Threshold-based triggering:

• Consecutive events
• Events within a time window

Automatic cleanup of temporary bans.

Permanent banning for repeat offenders.

Generic pattern matching:

• Uses named capture groups in regex patterns.
• Supports tracking any type of event, not just IP addresses.
• Can extract multiple variables from each match.

Multiple actions:

• Each rule can have multiple actions of different types.
• Actions can execute multiple commands.
• Commands can use variables captured from the log entry.

Variable support:

• Variables are defined in the rule configuration.
• Variables are extracted from regex matches.
• Variables can be used in command strings using {varname} syntax.

Action types:

• Command: Run system commands
• Service: Manage Windows services
• API: Make HTTP cals
• Log: Write to log files

Flexible duration:

• Actions can be temporary or permanent
• Support for reversing actions after duration expires
• Option to repeat actions on expiry

Example Use Case Settings

1. Security Monitoring
   • Detect failed login attempts
   • Block IPs using firewall
   • Log security events
   • Send alerts via API
2. File System Monitoring:
   • Track file modifications
   • Create backups
   • Maintain audit logs
   • Multiple commands per action
3. Service Management:
   • Monitor email queue size
   • Restart services
   • Clean up temporary files
   • Send notifications
4. Database Monitoring:
   • Track connection pool usage
   • Automatic service restart
   • Event log cleanup
   • Maintenance logging

Out-of-the-Box Examples

1. Security Log (Security.evtx)
   • Failed login attempts (Event ID 4625)
   • New user account creation (Event ID 4720)
   • Privileged group membership changes (Event IDs 4728, 4732)
   • Registry modifications (Event ID 4657)
   • RDP login attempts (Event ID 4624)
2. System Log (System.evtx)
   • New service installations (Event ID 7045)
   • Service failures and crashes
3. Application Log (Application.evtx)
   • Audit log clearing (Event ID 1102)
   • Application crashes and errors
4. PowerShell Operational Log
   • Suspicious PowerShell commands (Event ID 4104)
   • Download and execution patterns
   • Common malware behaviors
5. Sysmon Log (if installed)
   • Process creation monitoring
   • Command shell abuse detection
   • Network connection monitoring

Key Security Patterns to Watch

1. Authentication

   (?<EventID>4625)|Failed logon attempt for user (?<username>[\w\\]+) from address (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

   • Detects failed login attempts
   • Captures username and IP address
   • Useful for identifying brute force attacks
2. User Management

   (?<EventID>4720)|New user account created: (?<newuser>[\w\\]+) by (?<creator>[\w\\]+)

   • Monitors for unauthorized user creation
   • Tracks who created new accounts
3. Privilege Escalation

   (?<EventID>4728|4732)|User (?<username>[\w\\]+) added to privileged group
   (?<group>[\w\\]+)

   • Detects additions to admin groups
   • Monitors privilege escalation attempts
4. PowerShell Abuse

   (?<EventID>4104)|(?:ExecutionPipeline|ScriptBlock).*(?:Invoke-Expression|IEX|Invoke-WebRequest|wget|curl|Net.WebClient|DownloadString).*(?<command>.+)

   • Detects common malicious PowerShell patterns
   • Monitors for download and execution
5. Service Installation

   (?<EventID>7045)|New service installed: (?<service>[\w\-]+), Path: (?<path>.+)

   • Monitors for new service creation
   • Helps detect persistence mechanisms

Trusted Services

Since it is impossible to know all software that can be installed on a computer, especially and including any custom written software, those software can be added to Safeguard on the Settings tab of Safeguard Desktop Agent under “Trusted Services”. All software listed here will be omitted from all scans and reports performed or generated by Symbient Safeguard.

Whitelisted Ports

Incoming and outgoing ports can be omitted from Symbient Safeguard scans and reports by adding those ports to the “Whitelisted Ports” table found on the Settings tab of Safeguard Desktop Agent.

Whitelisted IPs/Hosts

IP addresses and hostnames known to be non-threatening can be added to Safeguard on the Settings tab of Safeguard Desktop Agent. IPs and hosts added to this list will be ignored for any inbound and outbound connections, including, but not limited to, IP and port scans, remote connections, etc.

Events

The Events tab within Safeguard Desktop Agent serves as your central command center for security monitoring, providing a comprehensive view of all suspicious activities and potential threats detected on your system. This tab consolidates all security events in one place, allowing you to quickly review and respond to concerning activities such as unusual process behaviors, suspicious network connections, unexpected system changes, and potentially malicious user actions, making it easier to maintain oversight of your system’s security posture.

Severity Levels

1. Information
2. Warning
3. Error
4. Critical

Network

Want to know what systems your computer is connected to? The Network tab within Symbient Safeguard Desktop Agent provides a real-time list of all inbound and outbound connections between your computer and third-party systems.

Log

The Log tab within Safeguard Desktop Agent provides complete transparency into the application’s own operations, giving you detailed insight into which security monitors are currently active and which system log files are being tracked. This self-monitoring interface helps you confirm that Safeguard Desktop Agent is functioning as expected, showing you exactly what aspects of your system are being monitored and allowing you to verify that all your chosen security settings are properly enabled and actively monitoring your system.