Installation
Introduction
Capture consists of the Capture server and Capture client. We describe how to install these two in this section. They can be installed on one or multiple physical machines.
Server
The Capture server runs on both Linux and Windows. Before installing the Capture server, the following prerequisites need to be met:
- Java 1.6 (other versions might work, but have not been tested)
- VMware VIX (comes with VMware Server 1.x, which is available at http://www.vmware.com/download/server/)
The Capture server communicates with the VMware server that hosts the Capture clients over a plain TCP/IP connection on the VMware port (default 902). It communicates with the Capture client components over a plain TCP/IP connection on port 7070. Ensure that the firewall has been configured to allow both connections.
Installing the VMware API modules
Install VMware Server and ensure that the VMware VIX directory is in the LD_LIBRARY_PATH. If it is not, add a path that points to the VMware VIX location (e.g. "C:\program files\vmware\vmware vix").
Installation of the Capture Server
Unpack the capture-server release to a directory.
Configuring the Capture Server
Configuring the server component requires editing the config.xml file that is distributed with the capture-server release.
- Open up config.xml
- Add VMware servers
  - Specify the IP address, port, username, and password of the VMware server that hosts the Capture clients.
- For each VMware server, add virtual machines
  - Specify the path to the virtual machine's vmx file as well as the administrator account and password.
Example:
    <config>
      <server address="127.0.0.1" port="902" username="username" password="pw">
        <vm path="C:\Virtual Machines\Windows XP Professional.vmx" username="username" password="pw"/>
      </server>
    </config>
The config file above specifies one VMware server with one virtual machine that should be managed by Capture.
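To check a config.xml before the Capture server is started, here is an added Python example (not part of Capture) that parses the server and vm entries in the layout shown above, rejects a missing attribute, an empty server or a path that does not end in .vmx, and probes each configured VMware port (default 902) with a plain TCP connect, which is the quickest way to spot a firewall that has not been opened. SAMPLE_CONFIG is a constructed copy of the example configuration.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed config.xml in the layout shown above (sample values, not a real deployment).
SAMPLE_CONFIG = """\
<config>
  <server address="127.0.0.1" port="902" username="username" password="pw">
    <vm path="C:\\Virtual Machines\\Windows XP Professional.vmx" username="username" password="pw"/>
  </server>
</config>
"""

VMWARE_PORT = 902  # default port of the VMware server the Capture server connects to

def parse_config(xml_text):
    """Return one dict per <server> element, each listing its <vm> entries.
    Raises ValueError on a missing attribute or an empty server, so a broken
    config.xml is caught before the Capture server is started."""
    servers = []
    for srv in ET.fromstring(xml_text).findall("server"):
        entry = {}
        for attr in ("address", "username", "password"):
            if srv.get(attr) is None:
                raise ValueError("server element is missing %r" % attr)
            entry[attr] = srv.get(attr)
        entry["port"] = int(srv.get("port", VMWARE_PORT))
        entry["vms"] = []
        for vm in srv.findall("vm"):
            path = vm.get("path", "")
            if not path.lower().endswith(".vmx"):
                raise ValueError("vm path should point at a .vmx file: %r" % path)
            entry["vms"].append({"path": path, "username": vm.get("username")})
        if not entry["vms"]:
            raise ValueError("server %s lists no virtual machines" % entry["address"])
        servers.append(entry)
    return servers

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds; a quick firewall/port check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_reachability(servers):
    """Map each configured VMware server (address, port) to whether its port answers."""
    return {(s["address"], s["port"]): tcp_reachable(s["address"], s["port"]) for s in servers}
```

Run check_reachability(parse_config(open("config.xml").read())) from the host the Capture server will run on; any False entry means the VMware port is not reachable from there.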
Client
The Capture client component runs inside a virtual machine (guest OS). This guide goes through the stages of installing VMware Server and configuring the virtual machine through to installing the client on the guest OS.
Installing VMware Server
Install VMware Server using any means available:
- On Linux, use either the package management software available on your distribution or download it from http://www.vmware.com/download/server/
- On Windows, download the setup software from http://www.vmware.com/download/server/
Linux requires a little bit of fiddling. The ports must be opened, and the VMware server must be allowed to authenticate incoming connections against the users on the host machine. On Linux, VMware Server uses xinetd for this, so xinetd must be set up to accept remote authentication. Do the following:
- Open up the file /etc/xinetd.conf (the location may differ depending on the distribution)
- Look for the line labelled only_from and add the IP addresses you are expecting remote authentication from, separated by spaces, e.g.:
    only_from = 192.168.0.20 192.168.0.2
On Windows, VMware Server should already accept incoming connections. However, you may need to open the port it listens on (default 902) in the Windows firewall.
Creating a Virtual Machine
Capture uses Windows XP SP2, so the virtual machine to be created must run Windows XP SP2.
- Create a virtual machine
- Install Windows XP onto the virtual machine
- Install the VMware tools
Configure the Virtual Machine inside VMware Server
The created VM needs to be configured so that it reverts to the last (clean) snapshot whenever a shutdown command is issued to the VM. First create an initial snapshot (this will be updated once the installation and configuration of the Capture client component has been completed). Second, configure the VM to revert to the last snapshot upon a shutdown event:
- Go to the virtual machine settings dialog
- Go to the Options tab
- Go to the Snapshot option panel
- Change the option labelled "When Powering Off"
- Set it to "Revert to snapshot"
- OK the changes
Further, the virtual machine needs to be configured to run the Capture client component once the virtual machine resumes. This allows the Capture client to register automatically with the Capture server once its virtual machine has been resumed:
- Open the VMware Tools configuration: Control Panel -> VMware Tools
- Go to the Scripts tab
- Select the "Resume guest OS" script and click Edit
- Add these lines after the line VMip --renew:
    cd <the directory where the capture client will be located>
    CaptureClient.exe <Capture server ip address>
Installing the Capture Client Component on the Virtual Machine
Download the Capture client component and extract it into the directory specified in the previous section. Open Windows Explorer, navigate to this directory, right-click on each of the .inf files and select Install.
Configure Capture Client Component
The Capture client is currently able to detect changes to the processes running on the system, modifications to the registry and modifications to the file system. Since the system generates events during normal operation that are not malicious, exclusion lists are provided to stop these events from causing a malicious classification of the URI. An empty exclusion list means that no events are allowed at all. Three exclusion lists cover the three event types respectively: ProcessMonitor.exl, FileMonitor.exl, and RegistryMonitor.exl. Default exclusion lists are provided with Capture that exclude the events that normally occur when browsing benign web pages.
ProcessMonitor.exl lets you specify processes that should not trigger a malicious classification. One process is listed per line. By default, the client process IEXPLORE is contained in ProcessMonitor.exl. Without this entry, every URI would be classified as malicious, because the IEXPLORE process is created as part of retrieving a URI.
FileMonitor.exl lets you specify files that should not trigger a malicious classification. You can specify whether read or write events on particular files should be excluded, as well as the process that causes these events. So, for example, one can exclude read and write file events in the Temporary Internet Files folder that are caused by Internet Explorer from triggering a malicious classification, while access to the same files by any other process would still trigger one.
RegistryMonitor.exl lets you specify registry events that should not trigger a malicious classification. You can specify whether read or write events on particular registry keys or values should be excluded, as well as the process that causes these events.
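As an added illustration of the exclusion semantics described above (not Capture's own code), the following Python classifies the events recorded during one URI visit: an event is excluded only when process, operation and path all match a rule, anything left over makes the URI malicious, and empty lists therefore allow nothing. The "process op path-glob" layout used for FILE_EXL and the event records are constructed for this example and are assumptions, not Capture's real .exl syntax.

```python
import fnmatch

# Constructed exclusion lists for this example. The "process  op  path-glob" layout of
# FILE_EXL is an assumption made for illustration, not Capture's real .exl syntax.
PROCESS_EXL = "IEXPLORE.EXE\n"
FILE_EXL = r"""
# process      op     path glob (matched case-insensitively)
IEXPLORE.EXE   Read   C:\Documents and Settings\*\Temporary Internet Files\*
IEXPLORE.EXE   Write  C:\Documents and Settings\*\Temporary Internet Files\*
"""

def parse_process_exl(text):
    """One process name per line; blank lines and # comments are ignored."""
    return {ln.strip().upper() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def parse_file_exl(text):
    """Return a list of (process, op, path_glob) rules; the glob may contain spaces."""
    rules = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        process, op, glob = ln.split(None, 2)
        rules.append((process.upper(), op.capitalize(), glob.lower()))
    return rules

def file_event_excluded(ev, rules):
    """An event is excluded only if process, operation and path all match one rule."""
    return any(ev["process"].upper() == p and ev["op"].capitalize() == o
               and fnmatch.fnmatchcase(ev["path"].lower(), g) for p, o, g in rules)

def classify(events, process_exl, file_exl):
    """Return ('benign', []) or ('malicious', [offending events]). Any event not
    covered by an exclusion counts, so with empty lists every event is offending."""
    offending = []
    for ev in events:
        if ev["type"] == "process" and ev["name"].upper() not in process_exl:
            offending.append(ev)
        elif ev["type"] == "file" and not file_event_excluded(ev, file_exl):
            offending.append(ev)
    return ("malicious" if offending else "benign", offending)

# Constructed events recorded while the client visits one benign URI.
TEMP_FILE = r"C:\Documents and Settings\capture\Local Settings\Temporary Internet Files\Content.IE5\x.htm"
BENIGN_VISIT = [
    {"type": "process", "name": "IEXPLORE.EXE"},
    {"type": "file", "process": "IEXPLORE.EXE", "op": "Write", "path": TEMP_FILE},
]
```

Adding a write to TEMP_FILE by any process other than IEXPLORE.EXE to the event list turns the verdict malicious, which is exactly the distinction the FileMonitor.exl description draws.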
Once the software is installed and configured, it is time to create a new snapshot, which we call the "safe state". This is the state in which the machine is in perfect working order, i.e. no malicious programs are installed and the machine is considered clean. The machine is reverted to this state whenever a malicious event occurs inside the virtual machine. When the virtual machine is running Windows XP and is fully booted, click on the Snapshot button in VMware Server to create the snapshot (this may take some time, so leave it for a few minutes).
Executing Unit Tests
Capture provides unit tests that give an automated way to make sure the Capture client and Capture server are set up correctly. It is recommended that you run these tests after the Capture client and Capture server have been installed and configured, and before executing either of the server or client components.
To compile the unit tests, uncomment the line //#define UNITTEST 1 in the stdafx.h file (remove the leading //) and rebuild. To run the client unit tests, simply run the specially compiled version of Capture.exe.
The tests cover the communication between client and server, the file system monitor, the process monitor, and the client's ability to correctly determine the state of the machine as malicious or benign.