FAQ (All Modules)

Q: Can I add new training to the current training list?

A: Yes, you can create and upload your own training in multiple formats like PowerPoint, HTML5, mp4 or others to the platform. Contact our Team for more information.

Q: Does the Incident Responder violate the user's privacy?

A: No, it does not. No one, including our team or Company Admins who manage the platform dashboard, cannot view the contents of any email.

Q: Is it possible to centralize the distribution of Phishing Reporter add-in?

A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools-for example, Microsoft SCCM, IBM Bigfix.

Q: Are the emails sent by users for analysis securely stored on the server?

A: The platform generates a random key which is unique for each customer, then encrypts all reported emails on disk with AES 256 algorithm.

Q: Can an Attacker hijack Outlook Add-in?

A: We use “Code Signing with Microsoft Authenticode” to protect tools against hacking attempts. For more information, please click here.​

Q: Can I integrate this solution with the security products I have?

A: Yes, it is possible to integrate any solution. Currently, we have many platforms like DNS Firewall, Sandbox, exploitation tools and platforms. See the integrations here. Please contact us for more information from support@keepnetlabs.com.​

Q: How can our audit teams oversee and control the people and their operations that govern the platform interface?

A: We log all operations in detail and transmits a copy of them to SIEM products in real-time. In this case, you can observe the behaviour of users, create an alert for abnormal situations and take action, or you can use the logs at audit time.

Q: How do you report the incidents analyzed, investigated, and responded to?

A: Yes, you have the feature for an automatic investigation by which and you can detect and remove the suspicious email or any of its variants in any of your users' inboxes, and you can automatically report it.

Q: If the reported email appeared to be non-malicious, can we send a notification to the email the user stating that the email does not contain any threats?

Yes, if you follow the path Incident Response> Task> New Task on the dashboard, you can send an email notification to both user and system administrators and alternate SOC teams.

Q: When we search for suspicious mail from the Incident Investigation tab, we have to wait too long. How can we shorten this time?

A: The operation is run in a maximum of 60 + random seconds. But we can shorten this time.

Q: How to a suspicious email is analysed by VirusTotal? Are the file hashes sent to VirusTotal, or does the application has its own file analytics?

A: By default, we ask for the file hash; if it has not been scanned before, we send the file itself. If you do not want to send the file under any circumstances, you can prevent this by creating a task in our interface.

Q: How do you analyze the emails? Which tools are used for analysis?

A: We analyze the suspicious email by Header, body and attachment using our third-party engines integrated into our interface. It is possible to add a new analysis service here.

Q: What do you need to run Email Threat Simulator (ETS)?

A: An email address with its password will be enough to start ETS. Therefore, we recommend to create a test account for the usage of this service.

Outlook Versions: Outlook 2007/2010/2013/2016

Q: If the suspicious email analyzed is malicious, can we delete this email from the inboxes without any intervention?

A: Yes, you have the feature for an automatic investigation by which and you can detect and remove the suspicious email or any of its variant in any of your users' inboxes, and you can automatically report it.

Q: Does the app have ArcSight integration? (For logging of events such as phishing mail/deletion etc.)

A: Yes, all logs are kept under the C:\Users\Public\KeepnetLabs\AuiditLog directory. You can transfer this to Arcsight with your Syslog tool.

Q: During the installation, we considered one email as suspicious and made an analysis. We would also like to test whether the server resources are sufficient for more than one analysis or in different scenarios. How can we move on?

A: We can test system resources through stress testing. At the same time, there is a queuing mechanism that we use to prevent the blowout. The mechanism operates by putting the notifications in order.

Q: Keepnet System will be used on PC's (Windows 7-10, No Windows 8), Mobile (Android/iOS) and iPads. Are there any platform dependencies or incompatibility?

A: All modules except add-in works everywhere. On the other hand, add-in works with MS outlook everywhere.

Q: What are the dependencies of the plugin? Java, Flash or something else.

A: Nothing except .net 2.5 or higher versions.

Q: Are separate licenses required for group emails?

A: No.

What is the resource utilization of the plugin and incident responder? How will it affect the limited bandwidth?

A: Minimum Computer Specifications:

  • Outlook Versions: Outlook 2007/2010/2013/2016

  • CPU Usage: 0%to 5%of CPU

  • RAM Usage: 120~MB of RAM

  • Disk Usage: 3MB disk space

  • Network Traffic: payload size + http requests size = Approx. 230kbps

Q: What is the technical detail of the plugin? Is it an add-in to the application (browser) or the OS?

A: It is an add-in for Microsoft Outlook Desktop and Office 365.

Q: Can the plugin be disabled by individual users?

A: It depends on your company policy. If a user has a right to disable it, then the user can disable it. Many organizations handle this process by GPO.

Q: When this tool is running, it will be using a certain port. What port will it be?

A: Add-in connect to the server through HTTPS (port 443)

Q: Do we need to add this to our antivirus exclusions, or it will be installed straight away.

A: No, you don't. It will be installed directly.

Q: Will the programming can be shared? How to provide technical specifications to the technical department make them aware of how this works, e.g. what ports open, what data is being transmitted, and access to the email address book.

A: Yes, if it is demanded, Keepnet can share every detail.

Q: How the patches are being deployed?

A: New .msi file shared by keepnet.

Q: Do we need AD to deploy it via policies? How will this affect the patching? Is there anything protocol-specific to be aware of?

A: Please contact with Keepnet team to get an on-premise requirement document.

Q: Currently upgrading to Windows 2016 and SQL 2016. How will this affect?

A: We support MS SQL 2016. Therefore, it won't affect us

Q: How to organize monthly reports from an independent provider? What are the certifications we can provide for auditing purposes?

A: ISO 27001 audit report as well as pentest reports.

Q: Keepnet Labs On-Premise Requirements: Can a different MQ service model be used by our organization?

A: We do all queuing services with RabbitMQ for now. We don't have any other application support. If you can share with us the applications that are used and supported by your organization, we add them to our support list for the future.

Q: The Platform's On-Premise Requirements: Can you use MSSQL database?

A: Yes, we can use the instance allocated from the corporate MSSQL database to us.

Q: The Platform's On-Premise Requirements: Does the database need special authorization?

A: No, it does not. The owner will be enough.

Q: The Platform's On-Premise Requirements: Can we use our organizations Proxy to manage and control the internet access of the application?

A: We have Proxy support for accessing the services on the Internet. By configuring the Proxy on the interface, you can manage all Internet traffic of Keepnet.

Q: What is the meaning of Active and Passive in the Phishing Reporter Add-in Section?

A: - Active: The user who actively uses phishing reporter add-in.

- Passive: The user doesn't use the phishing reporter add-in.

Q: What is the validity period of OAuthKey that we will get from you with Company API Key and OAuth ID values? Is there any character and case sensitivity in the Name and Surname parameters we will send to you in the second step?

A: The Company API Key and OAuth value are valid as long as the company is active in our system.

There is not any character problem and case sensitivity issue.

Q: How does the Platform store report suspicious email's attachments?

A: Keepnet uses 1028 bit AES encryption in order to encrypt the attached file and store them on the disk.

Q: What happens when clients want to deactivate an employee as a target user, but they may not deactivate him/her in AD. Should they create an OU in AD that is Deactivated or leave of Absence?

The system relies on AD integration; therefore, if the user is still active on the AD, they will also be active in the target group.

Q: What does happen when someone is deleted from AD, are they deleted or deactivated in the platform?

The system automatically deletes the user from the related target group on the platform if the user is deleted from AD. Also, for future reference, the system adds deleted or disabled users to the "Deleted/Disabled Users" group.

Q: Are the IPs and Domains are shared resources across the customer?

A: The IP addresses are dedicated to the platform, and the domains are owned by us. Customers do share the resources; however, they cannot send emails to other customers from their instance of Keepnet. If they tried, it would be blocked.

Q: If we whitelist, is there any risk of bypassing security checks, so email flooding, script download, and malware infiltration from the mentioned IPs will be open without mitigation.

A: Technically, yes, but these IP addresses are only used for phishing simulation or sending the training, and it is under your control; plus, we have security controls and mitigation on our side as well. Without whitelisting, you will very likely experience deliverability issues as your email security should identify our emails as phishing and block them - obviously, using the platform is not a malicious act, but your security systems will not know this without being told to 'whitelist' or allow this sender in. However, if you are concerned about this, you can use your own SMTP server - it's easy to configure this; please just let us know.

Q: Can other companies send phishing emails to our users?

A: Only you can send emails from these IP addresses to your own users, as explained above. If someone tried to use their instance of Keepnet to send phishing emails to your (or anyone else's) users, the Keepnet system would block this action.

Q: Does the Keepnet Labs application have a database? If so, can you give information about the management of the database? Can you share the database IP information?

A: Yes, it does. MSSQL Express version comes as default in on-premise solutions. However, according to the customer's request, their own MSSQL database can be used. MSSQL Express is self-administered in the client's local network. For detailed information on database storage conditions, see: https://doc.keepnetlabs.com/compliance#data-at-rest-encryption-for-database

Keepnet Labs undertakes the database management for cloud solutions. The cloud database environment is stored in London. However, there are also some local centres changes according to regulations. For more information, send your email to contact@keepnetlabs.com.

In the on-premise version, IP information is available in the customer's own environment and varies according to the environment in which it is located. However, in the cloud version, IP information is not shared under any circumstances.

Q: Can Keepnet specify the privileged users on the Keepnet Labs application? (Exclusive user: Admin Users, e.g.: root@keepnetlabs.com)

A: The only privileged user is root@keepnetlabs.com. However, it is only used by the support team for support purposes. All activities of this account are recorded on the system.

Q: Are measures such as IP restriction, log-on trigger applied for users with privileged authority?

A: Although IP restriction is not used by default, it can be configured on-demand. There is no log-on trigger feature in the current interface, but in the new interface, companies are able to activate this feature.

Q: Are privileged users only used when necessary?

Yes, it is used only when necessary.

Q: Are logs kept when accounts are created/deleted for privileged users?

There is only one privileged user; no other privileged user is created.

Q: Do you keep logs for privileged users who have attempted incorrect login?

A: Yes, we do.

Q: Do you share the passwords of privileged users with the clients?

A: We do not share privileged user information with any customer. Since all license definitions, company information, and application configurations are performed through this account. The account is highly restricted.

Q: What is the difference between Keepnet Labs and email gateway technologies?

A: Keepnet is not an email gateway technology like Mimecast, ForcePoint, Avanan or Cisco Ironport and does not compete with them.

Keepnet Labs does not scan all emails that pass in and out of the organisation, applying rules and blocking known bad - this is an important solution that we would recommend having as part of your email defence solution.

Keepnet Labs' Incident Responder module, for instance, is a complementary product and helps to secure your business when a malicious email bypasses an email gateway, like Mimecast, Proofpoint, Barracuda, etc. Many companies use our IR module's capability to technically analyse these suspicious emails that bypass the email gateway against 60+ integrated products, then investigate all inboxes and removing the threat before it damages the organization. Rules can then be updated on the email gateway (e.g. Mimecast), in order to block this attack in the future. This is all part of layered defence to email-based attacks.

Last updated