Installing Protect

Before installing Protect, refer to Requirements.

Import solution

  1. Log into the Tanium Console using an account with Administrator privileges.
  2. From the Main menu, click Tanium Solutions.
  3. Click Import X.X (where X.X is the current module version number) under Protect.
  4. Tanium Protect is a Tanium licensed solution. If it does not appear on the Tanium Modules page, contact your Technical Account Manager (TAM).
  5. If you are prompted, click Proceed with Import. Enter your credentials.

After the Tanium Protect installation and configuration process completes, you see the message Import completed successfully, and Protect appears in the main menu.

Protect Home page

The Protect Home page shows statistics, errors, and initial tasks you need to complete before using Protect. Use the Manage Home Page link at the top right of the page to configure the sections you see at start up. You might not need to see each section once you have completed the initial tasks.

See Reference: Enforcement errors for an explanation of enforcement errors that can appear in the Health section of the Home page.

Set service account

You must set a service account to use Protect.

  1. You see a Required Protect Settings: Set Service Account yellow banner across the top of the Protect Home page if you have not set up a service account. Click Configure Now and enter a Username and Password under Service Account.

  2. Click Save.

Click Settings on the top right of the Home page and go to General Settings > Service Account to change the service account at any time. You also have the option of clicking Set up service account in the Configure Protect section of the Home page.

Upload Anti-malware

In the Configure Protect > Upload Anti-Malware section of the Home page, click Upload anti-malware within Settings. Review these settings to determine if you should modify them.

If Protect has a problem with an anti-malware definition, an Error displays next to the definition under Anti-Malware Definitions Status in the Health section of the Home page. View the error reason from the Anti-Malware Settings page, which you can access by clicking Settings > Anti-Malware Settings.

Microsoft System Center Endpoint Protection (SCEP) Installation

Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

You can choose one of the following:

  • Disable SCEP Installation: This is the default state in Protect. Leave disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
  • Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. Once enabled, click Choose Installer or Update Installer to upload an installer file.
  • Note: The Microsoft System Center Configuration Manager includes the SCEP client installation file. For more help locating the SCEP installer, contact your TAM.

Please refer to Microsoft Technet: Endpoint Protection for more information about SCEP.

Managed Anti-Malware Definitions Download URLs

Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.

You can choose one of the following:

  • Automatically retrieve definitions from Microsoft: This is the default setting. Definitions are downloaded from Microsoft.
  • Download definitions from custom URLs: Use this option if your network cannot reach Microsoft, and you want to host the files on a local server and specify that URL.

The URLs listed under Managed Anti-Malware Definitions Download URLs specify the Microsoft links Protect uses to download definitions.

Please refer to Microsoft Technet: File-Share-Based Definition Updates for more information about Anti-malware settings.

Set defaults for AppLocker

In the Configure Protect section of the Home page, click Set AppLocker rules within Settings on the Set Defaults for AppLocker tab. Review these settings to determine if you should modify them.

AppLocker settings allow you to configure default AppLocker rules, which are included automatically in any AppLocker policy you define. Default AppLocker rules are generally used to exclude trusted system files from AppLocker scans.

Protect allows you to select Whitelist or Blacklist templates for default Allow rules. You can also create a Custom template and define custom default Allow and/or Deny rules.

You can choose a Rule Template and define default Allow and Deny rules in Default AppLocker Executable Rules by clicking settings at the top right of the Protect Home page or by clicking Set Defaults for AppLocker > Set AppLocker rules within Settings in the Configure Protect section of the Home page.

The Blacklist Rule Template has the default All files Allow rule, which allows all executables to run. You can then specify Deny rules to block specific applications.

The Whitelist Rule Template, by default, allows only applications that administrators run, or that are run out of special folders specified as follows:

  • All files located in the Program Files folder: applies to Everyone
  • All files located in the Windows folder: applies to Everyone
  • All files: applies to Administrators

You can expand the allowed applications by adding additional Allow rules or Deny rules to specify exceptions to otherwise allowed applications.

The Blacklist Rule Template is the default template used in Protect for new deployments until you change it.

The Custom Rule Template does not contain any default Allow or Deny rules.

To go back to the original default settings, click Restore to Default.

Add exceptions to default AppLocker rules

With rule exceptions, you can specify files or folders to exclude from a default AppLocker rule.

You can create exceptions for Path and Publisher AppLocker rule types only. You cannot create exceptions for Hash AppLocker rule types.

  1. Click + Add exception next to Exceptions in the Deny or Allow section.
  2. Configure the Exception type.
    1. For Path, provide the full name or path in the Path field.
    2. For Hash, provide the Hash and File Size (bytes).
    3. For Publisher, provide the Publisher, Product Name, File Name, and File Version, indicating if you want earlier or later versions included or only the version you specify. Use the * character as a wildcard in any of these values.
  3. Select the Windows user to which the exception applies. You can choose Everyone or Administrators.
  4. To add more exceptions, click + Add exception.

Deploy Protect tools

Some policies and sensors require Protect tools to be deployed to the endpoint. This is an optional setting, but initial policy enforcements take longer to apply and some sensors do not work without these tools.

  1. Click Settings on the top right of the Home page and go to Tools Settings.
  2. Select one or more computer groups to which you want to deploy tools.
  3. Click Save.

The first time you deploy Protect tools to an endpoint, you must wait four hours for the Tanium Client to restart before an endpoint returns sensor results for sensors that depend on Protect tools.

Change Endpoint Status Report Settings

Click Settings on the top right of the Home page and go to General Settings > Endpoint Status Report Settings to change the following settings that govern how you can use Protect to interact with endpoints:

Question Completion Percentage

This setting specifies what percentage of endpoints must respond to the question before the question is considered complete. If questions take a long time to complete in your Tanium environment, you might want to lower the percentage in this setting. By default, Question Completion Percentage is set to 85%.

Reissue Action Interval

This setting specifies how often Protect enforcement actions are reissued. By default, enforcement actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Aggregate Results Reissue Action Interval

This setting specifies how often you want report data gathered on endpoints. By default, aggregate results actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Distribute Over Time

This setting controls whether endpoints apply enforcements the moment they receive the action (Immediate) or at unique moments within the saved action interval (Diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance. The default setting for Distribute Over Time is 0 where all enforcements are deployed at once.

Endpoint Status Checking Profile

This setting governs the interval at which updates are retrieved from endpoints. By default, Endpoint Status Checking Profile is set to Production mode. Aggressive mode consumes the majority of Tanium Client resources to provide extremely status updates and, thereby, degrades the responsiveness of other Tanium modules. For best results, do not configure Tanium Protect to run in Aggressive mode in production environments.

Automatically Install EMET Prerequisites

This setting determines if prerequisite EMET software is automatically installed if it is not detected on your system. This setting is enabled by default.

For best results, consult with your TAM before modifying any Protect settings.

What to do next

See Getting started for more information about using Protect.

Last updated: 9/7/2018 3:01 PM | Feedback