FAQ (Incident Responder & Phishing Reporter)
Q: Does the incident responder violate the user privacy?
A: No, it does not. Users cannot view the contents of any email in the inbox.
Q: Can we centralise the distribution of the add-in?
A: Yes. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools such as Microsoft SCCM or IBM BigFix.
Q: Are the emails sent by users for analysis securely stored on the server?
A: The platform generates a random key that is unique to each customer and then encrypts all reported emails on disk with the AES-256 algorithm.
Q: Can an attacker hijack the Outlook add-in?
A: The platform uses code signing with Microsoft Authenticode to protect its tools against tampering.
Q: Can I integrate this solution with the security products I have?
A: Yes, integration with other solutions is possible. In some cases you may need support from us; please contact support@keepnetlabs.com to discuss it.
Q: How can our audit teams oversee and control the people and their operations that govern the Keepnet interface?
A: The platform logs all operations in detail and transmits a copy of them to SIEM products in real time. This lets you observe user behaviour, create alerts for abnormal situations and take action, or use the logs at audit time.
Q: How do you report the incidents that have been analysed, investigated and responded to?
A: Keepnet Labs provides in-depth reporting options to various user roles within its interface.
Q: If the reported email turns out to be non-malicious, can we send the user an e-mail stating that the email does not contain any threats?
A: Yes. If you follow the path Incident Response > Task > New Task in the platform interface, you can send an email notification to the user, to system administrators and to alternate SOC teams.
Q: If the suspicious email analysed is malicious, can we delete this email from the inboxes without any intervention?
A: Yes. The automatic investigation feature lets you detect and remove the suspicious email, or any of its variants, from any of your users' inboxes and report it automatically.
Q: Does the app have ArcSight integration? (For logging of events such as phishing mail/deletion etc.)
A: Yes. All logs are kept under the C:\Users\Public\KeepnetLabs\AuiditLog directory. You can forward them to ArcSight with your syslog tool.
Q: During the installation, we treated one email as suspicious and ran an analysis. We would also like to test whether the server resources are sufficient for more than one analysis, or for different scenarios. How can we proceed?
A: System resources can be checked through stress testing. In addition, a queuing mechanism prevents the server from being overwhelmed: reported emails are placed in a queue and processed in order.
Q: When we search for suspicious mail from the Incident Investigation tab, we have to wait too long. How can we shorten this time?
A: The operation takes at most 60 seconds plus a random delay, but this time can be shortened.
Q: How is a suspicious email analysed by VirusTotal? Are the file hashes sent to VirusTotal, or does the application have its own file analytics?
A: By default, we query VirusTotal with the file hash; if the file has not been scanned before, we send the file itself. If you do not want the file to be sent under any circumstances, you can prevent this by creating a task in our interface.
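The hash-first flow described in this answer, as an added example that is not Keepnet's own code: the SHA-256 digest is computed locally and looked up first, and the file itself is only submitted when the hash is unknown and the "never send the file" policy is not set. `lookup_hash` and `submit_file` are assumed stand-ins for the external scanner, backed here by an offline fake; the attachments are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample attachments (not real files, not real malware).
KNOWN_ATTACHMENT = b"%PDF-1.4 constructed sample already seen by the scanner\n"
NEW_ATTACHMENT = b"%PDF-1.4 constructed sample never submitted before\n"


def sha256_hex(data: bytes) -> str:
    """Hash the attachment locally; only the digest leaves the system at first."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    sha256: str
    source: str                # "hash-lookup", "file-submission" or "local-only"
    malicious: Optional[bool]  # None when no external verdict was obtained


def analyse_attachment(
    data: bytes,
    lookup_hash: Callable[[str], Optional[bool]],  # assumed stand-in: query by hash
    submit_file: Callable[[bytes], bool],          # assumed stand-in: upload the file
    allow_file_upload: bool = True,                # False = never send the file
) -> Verdict:
    digest = sha256_hex(data)
    known = lookup_hash(digest)              # step 1: ask by hash only
    if known is not None:
        return Verdict(digest, "hash-lookup", known)
    if not allow_file_upload:                # policy forbids uploading the file
        return Verdict(digest, "local-only", None)
    return Verdict(digest, "file-submission", submit_file(data))  # step 2


class FakeScanner:
    """Offline stand-in for the external scanning service."""
    def __init__(self, known: Dict[str, bool]):
        self.known = known
        self.uploaded: List[bytes] = []  # records every file that left the system

    def lookup_hash(self, digest: str) -> Optional[bool]:
        return self.known.get(digest)

    def submit_file(self, data: bytes) -> bool:
        self.uploaded.append(data)
        return False                     # constructed sample scans as clean


def demo(allow_file_upload: bool = True):
    scanner = FakeScanner({sha256_hex(KNOWN_ATTACHMENT): True})
    verdicts = [analyse_attachment(a, scanner.lookup_hash, scanner.submit_file,
                                   allow_file_upload)
                for a in (KNOWN_ATTACHMENT, NEW_ATTACHMENT)]
    return verdicts, scanner.uploaded  # uploads show which files left the system
```

With `allow_file_upload=False` the unknown attachment gets no external verdict and nothing is uploaded, which is the behaviour the "prevent this by creating a task" option is meant to enforce.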
Q: How do you analyse the emails? Which tools are used for analysis?
A: We analyse the suspicious email's header, body and attachments using the third-party engines integrated into our interface. New analysis services can be added here.
Q: What is the meaning of Active and Passive in the Phishing Reporter Add-in section?
A: Active: a user who actively uses the Phishing Reporter add-in.
Passive: a user who does not use the Phishing Reporter add-in.
Q: How does the platform store reported suspicious email's attachments?
A: We use 1028-bit AES encryption to encrypt attached files before storing them on disk.