Installing Protect

Before installing Protect, refer to Requirements. The installation of Protect is done from the Tanium Console.

Import solution

  1. Log into the Tanium Console using an account with Administrator privileges.
  2. Select Tanium Solutions from the main menu.
  3. Click Import X.X (where X.X is the current module version number) under Protect.
  4. Tanium Protect is a Tanium licensed solution. If it does not appear on the Tanium Modules page, contact your TAM.
  5. If you are prompted, click Proceed with Import. Enter your credentials.

After the Tanium Protect installation and configuration process completes, you see the message Import completed successfully, and Protect appears in the main menu.

Protect Home page

The Protect Home page shows statistics, errors, and initial tasks you need to complete before using Protect. Use the Manage Home Page link at the top right of the page to configure the sections you see at start up. You may not need to see each section once you have completed the initial tasks.

See Reference: Enforcement errors for an explanation of enforcement errors that can appear in the Health section of the Home page.

Set service account

A service account is required to use Protect.

  1. You will see a Required Protect Settings: Set Service Account yellow banner across the top of the Protect Home page if no service account has been set up. Click Configure Now and enter a Username and Password under Service Account.

  2. Click Save.

Click Settings on the top right of the Home page and go to Service Account under General Settings to change the service account at any time. You also have the option of clicking the Set up service account on the Set up Protect tab in the How to use Protect section of the Home page.

Upload Anti-Malware

In the How to Use Protect section of the Home page, click Upload anti-malware within Settings on the Upload Anti-Malware tab. Review these settings to determine if you should modify them.

If Protect has a problem with an anti-malware definition, you will see an Error next to the definition under Anti-Malware Definitions Status in the Health section of the Home page. Go to the Anti-Malware Settings page and hover over the error to view the pop-up showing the error reason.

Microsoft System Center Endpoint Protection (SCEP) Installation

Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy will automatically install SCEP on endpoints that do not support Windows Defender.

You can choose one of the following:

  • Disable SCEP Installation: This is the default state in Protect. Leave disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
  • Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. Once enabled, click Choose Installer or Update Installer to upload an installer file.
  • Note: The SCEP client installation file is included in the Microsoft System Center Configuration Manager. For more help locating the SCEP installer, contact your TAM.

Please refer to Microsoft Technet: Endpoint Protection for more information about SCEP.

Managed Anti-Malware Definitions Download URLs

Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.

You can choose one of the following:

  • Automatically retrieve definitions from Microsoft: This is the default setting. Definitions will be downloaded from Microsoft.
  • Download definitions from custom URLs: Use this option if your network cannot reach Microsoft, and you want to host the files on a local server and specify that URL.

The URLs listed under Managed Anti-Malware Definitions Download URLs specify the Microsoft links Protect uses to download definitions.

Please refer to Microsoft Technet: File-Share-Based Definition Updates for more information about Anti-malware settings.

Set defaults for AppLocker

In the How to Use Protect section of the Home page, click Set AppLocker rules within Settings on the Set Defaults for AppLocker tab. Review these settings to determine if you should modify them.

AppLocker Settings allow you to configure default AppLocker rules, which will be included automatically in any AppLocker policy you define. Default AppLocker rules are generally used to exclude trusted system files from AppLocker scans.

Protect allows you to select Whitelist or Blacklist templates for default Allow rules. You can also create a Custom template and define custom default Allow and/or Deny rules.

You can choose a Rule Template and define default Allow and Deny rules in Default AppLocker Executable Rules by clicking settings at the top right of the Protect Home page or by clicking View or change AppLocker settings under AppLocker Settings at the bottom of the Home page under Additional Settings.

The Blacklist Rule Template has the default All files Allow rule, which allows all executables to be run. You can then specify Deny rules to block specific applications.

The Whitelist Rule Template, by default, allows only applications that are run by Administrators, or that are run out of special folders specified as follows:

  • All files located in the Program Files folder: applies to Everyone
  • All files located in the Windows folder: applies to Everyone
  • All files: applies to Administrators

You can expand the allowed applications by adding additional Allow rules or Deny rules to specify exceptions to otherwise allowed applications.

The Blacklist Rule Template is the default template used in Protect for new deployments until you change it.

The Custom Rule Template does not contain any default Allow or Deny rules.

To go back to the original default settings, click Restore to Default.

Add exceptions to default AppLocker rules

With rule exceptions, you can specify files or folders to exclude from a default AppLocker rule.

You can create exceptions for Path and Publisher AppLocker rule types only. You cannot create exceptions for Hash AppLocker rule types.

  1. Click + Add exception next to Exceptions in the Deny or Allow section.
  2. Configure the Exception type.
    1. For Path, provide the full name or path in the Path field.
    2. For Hash, provide the Hash and File Size (bytes).
    3. For Publisher, provide the Publisher, Product Name, File Name, and File Version, indicating if you want earlier or later versions included or only the version you specify. Use the * character as a wildcard in any of these values.
  3. Select the Windows user to which the exception applies. You can choose Everyone or Administrators.
  4. To add more exceptions, click + Add exception.

Deploy Protect tools

Some policies and sensors require Protect tools to be deployed to the endpoint. This is an optional setting, but initial policy enforcements will take longer to apply and some sensors will not work without these tools.

  1. Click Settings on the top right of the Home page and go to Tools Settings.
  2. Select one or more computer groups to which you want to deploy tools.
  3. Click Save.

The first time Protect tools are deployed to an endpoint, you must wait four hours for the Tanium Client to restart before an endpoint returns sensor results for sensors that depend on Protect tools.

Change Endpoint Status Report Settings

Click Settings on the top right of the Home page and go to Endpoint Status Report Settings under General Settingsto change the following settings that govern how Protect interacts with endpoints:

Question Completion Percentage

This setting specifies what percentage of endpoints must respond to the question before the question is considered complete. If questions take a long time to complete in your Tanium environment, you may wish to lower the percentage in this setting. By default, Question Completion Percentage is set to 99%.

Reissue Action Interval

This setting specifies how often Protect enforcement actions are reissued. By default, enforcement actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Aggregate Results Reissue Action Interval

This setting specifies how often Protect gathers report data on endpoints. By default, aggregate results actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Distribute Over Time

This setting controls whether endpoints will apply enforcements the moment they receive the action (Immediate) or at unique moments within the saved action interval (Diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance. The default setting for Distribute Over Time is 0 where all enforcements are deployed at once.

Endpoint Status Checking Profile

This setting governs the interval at which updates are retrieved from endpoints. By default, Endpoint Status Checking Profile is set to Production mode. Aggressive mode consumes the majority of Tanium client resources to provide extremely rapid status updates and will, thereby, degrade the responsiveness of other Tanium modules. We strongly recommend that production environments do not configure Tanium Protect to run in Aggressive mode.

Automatically Install EMET Prerequisites

This setting determines if prerequisite EMET software is automatically installed if it is not detected on your system. This setting is enabled by default.

Tanium recommends that you consult with your TAM before modifying any Protect settings.

Last updated: 5/23/2018 10:29 AM | Feedback