Web Security - Direct IP Protection for Mimecast Security Agent for Windows

This article describes how to use Direct IP Protection functionality for Mimecast Web Security for Windows, and is intended for use by Administrators.

Introduction 

Attackers often use a hardcoded IP address, rather than a fully qualified domain name, for Command and Control (C2) calls that execute malware or exfiltrate data, effectively bypassing DNS-layer security. For example:

      • A user receives a phishing email with a link in their work or personal mailbox. The link uses a raw IP address (e.g., http://x.x.x.x/malware.exe) instead of a domain/hostname to download the malware.
      • Some malware authors will use an IP address instead of a fully qualified domain name for the malware to communicate back.

The Mimecast Security Agent for Windows Direct IP Protection feature prevents unknown communication, further securing the users and devices.

Considerations

      • Direct IP Protection is a feature that is set at the account level. This means that when enabled, all Windows devices with Mimecast Security Agent 1.9 or higher will be protected with Direct IP Protection.
      • You can use a local override where required. See below for details.
      • Direct IP Protection does not apply to Internal / Private IP communication.
      • On a Windows RDS Server, IP connections such as Ping are generated by the system process rather than the user process.
      • Direct IP Protection uses a local IP cache refresh that is aligned to Windows TTL or every 3 hours, whichever is sooner. 

Some installed applications will attempt to connect directly to an IP without a DNS request. To ensure application functionality, it’s recommended that you identify the IP/IP range and add it to the Exceptions page. Direct IP block events can be viewed in the Activity Report.

Prerequisites

You must ensure that the following prerequisites have been met:

Direct IP Protection Modes

Protection

The Mimecast Security Agent for Windows processes every outbound IP connection to a publicly routable address, and only allows those that have been associated with a DNS resolution in accordance with your Mimecast Web Security policies.

Monitoring

The Mimecast Security Agent for Windows uses the same process as the protection mode; however, it does not block the direct IP connection and instead just logs the event in the Activity Report. This provides you with the ability to:

      • View all direct IP connections
      • Collate IPs for the Exceptions list

IP exceptions can be added to the Exceptions page, and IP block or Monitoring events can be viewed in the Activity Report.
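To make the two modes and the local override concrete, the following is an added Python model of the decision the article describes; it is not Mimecast's agent code. It assumes a per-destination-IP cache populated by policy-permitted DNS answers, an entry lifetime of min(TTL, 3 hours) as stated in the Considerations, and an exemption for private addresses; the names Mode, Verdict, DirectIpModel and effective_mode are this example's own. The public IP used in the demo is the one from the block event in this article's Troubleshooting section.

```python
from dataclasses import dataclass, field
from enum import Enum
import ipaddress

# Article's bound on the local IP cache: Windows TTL or 3 hours, whichever is sooner.
MAX_CACHE_SECONDS = 3 * 60 * 60


class Mode(Enum):
    DISABLED = "Disabled"
    PROTECTION = "Enabled"      # article: "Enabled (Protection mode)"
    MONITORING = "Monitoring"   # article: log to the Activity Report, do not block


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    LOG_ONLY = "log-only"


def effective_mode(account_mode, directip=None):
    """Resolve the DIRECTIP installer value against the account-level setting.

    Returns (mode, local_override), mirroring the Basic Diagnostics labels such as
    "Enabled (Local Override)". Values follow the article's table:
    0 = disabled, 1 = enabled, 2 = fall back on Agent Settings, 3 = monitor.
    """
    table = {0: Mode.DISABLED, 1: Mode.PROTECTION, 3: Mode.MONITORING}
    if directip in table:
        return table[directip], True
    return account_mode, False   # unspecified or 2: honour Agent Settings


@dataclass
class DirectIpModel:
    mode: Mode
    # destination IP -> time at which its DNS-derived cache entry expires (assumed keying)
    cache: dict = field(default_factory=dict)
    # (ip, "blocked" | "monitored") tuples, standing in for Activity Report rows
    events: list = field(default_factory=list)

    def record_resolution(self, hostname, ip, ttl, now):
        """A policy-permitted DNS answer associates `ip` with `hostname`.

        The entry lives for min(TTL, 3 h), as the Considerations state.
        """
        self.cache[ip] = now + min(ttl, MAX_CACHE_SECONDS)

    def decide(self, ip, now):
        """Verdict for an outbound connection to `ip` attempted at time `now`."""
        addr = ipaddress.ip_address(ip)
        if addr.is_private:                 # internal/private: the feature does not apply
            return Verdict.ALLOW
        if self.mode is Mode.DISABLED:
            return Verdict.ALLOW
        expiry = self.cache.get(ip)
        if expiry is not None and now < expiry:
            return Verdict.ALLOW            # IP came from a DNS answer and is still fresh
        if self.mode is Mode.PROTECTION:
            self.events.append((ip, "blocked"))
            return Verdict.BLOCK
        self.events.append((ip, "monitored"))
        return Verdict.LOG_ONLY


if __name__ == "__main__":
    mode, override = effective_mode(Mode.MONITORING, directip=1)
    agent = DirectIpModel(mode)
    agent.record_resolution("example.com", "212.69.63.54", ttl=300, now=0)
    print(mode.value, "(Local Override)" if override else "")
    print(agent.decide("212.69.63.54", now=60))    # fresh DNS entry: ALLOW
    print(agent.decide("212.69.63.54", now=600))   # TTL elapsed: BLOCK
    print(agent.decide("10.0.0.5", now=600))       # private address: ALLOW
```

The point the model makes visible is that Monitoring mode takes the same path as Protection mode right up to the final verdict, so the events it records are exactly the set of IPs an administrator would review for the Exceptions page before switching to Protection.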

Enabling/Disabling Direct IP Protection

To enable/disable Direct IP Protection, use the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Web Security | Agent Settings.
  3. Click on the Settings tab.
  4. Enable Direct IP Protection under the Protection option.

Direct IP Protection has three modes: Disabled, Enabled (Protection mode), and Monitoring (Monitoring mode).

Local Override Option

The Local Override option allows administrators to override the Administration Console setting and enable/disable Direct IP Protection on a per-device basis. This is set by installing the agent using command line parameters.

This is useful if you:

      • Want to evaluate Direct IP Protection on a single device without impacting the whole install base.
      • Want to monitor the activity of a single device and gather a list of IPs that the device connects to from the activity report.
      • Have a device where Direct IP Protection isn't required.

The Mimecast Security Agent for Windows 1.9 installer supports a new configuration value:

      • DIRECTIP=0 is Disabled/Never ON
      • DIRECTIP=1 is Enabled/Always ON
      • DIRECTIP=2 is None (Fall back on Agent Settings)
      • DIRECTIP=3 is Monitor (log/audit only)
      • If unspecified, the agent will honor the Agent Settings value. This is the default.

You can use the following command line during installation:

      • Command to install with DirectIP enabled:
        MSIEXEC /I "<MSI_PATH>" /quiet DIRECTIP=1 LICENSEFILE="<CUSTOMER_KEY_PATH>"
      • Command to install with DirectIP disabled:
        MSIEXEC /I "<MSI_PATH>" /quiet DIRECTIP=0 LICENSEFILE="<CUSTOMER_KEY_PATH>"

Once the installation is complete, you can verify the configuration by checking the Basic Diagnostics panel. A "Local Override" label means that the override parameter was used.

Direct IP Protection:

      • Enabled.
      • Disabled.
      • Monitoring.
      • Enabled (Local Override).
      • Disabled (Local Override).
      • Monitoring (Local Override).

To revert to honouring the agent settings, you must uninstall and reinstall the agent without the DIRECTIP command line parameter.

Troubleshooting

Installation

The agent logs are in C:\ProgramData\Mimecast\Security Agent\Logs. When the agent was installed with the DIRECTIP=1 option, the latest Mimecast.Api.xxx log would have:

12-01-2021 14:22:42.989 [17] INFO  UpdateEndpointSettings- DirectIpOverride.enabled. DirectIP is ON. (Api.Services.Environment.ApiEnvironment)

Latest Mimecast.Dns.xxx would have:

12-01-2021 14:41:53.912 [13] INFO  Handle.SettingsUpdated - Message received with valid anti-tamper hash. DirectIP: enabled. IgnoreLocal: True (Dns.Services.Environment.DnsEnvironment)

When installed with DIRECTIP=0 option, latest Mimecast.Api.xxx would have:

 12-01-2021 14:31:49.989 [5 ] INFO  UpdateEndpointSettings - DirectIpOverride.disabled. DirectIP is OFF

Latest Mimecast.Dns.xxx would have:

14:31:50.192 [14] INFO  Handle.SettingsUpdated - Message received with valid anti-tamper hash. DirectIP: disabled. IgnoreLocal: True (Dns.Services.Environment.DnsEnvironment)

When installed without any option, it would obey the Account Settings. When DirectIP is enabled in Settings, the latest Mimecast.Dns.xxx would have:

12-01-2021 14:48:33.920 [16] INFO  Handle.SettingsUpdated - Message received with valid anti-tamper hash. DirectIP: enabled. IgnoreLocal: True (Dns.Services.Environment.DnsEnvironment)

When DirectIP is enabled and an IP connection is blocked, the latest Mimecast.Dns.xxx would contain the block event shown below. To see this, you need to enable the EnableTracing registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mimecast Security Agent.

12-01-2021 14:57:16.954 [17] DEBUG SetLog - handleBlockEvent(IP=212.69.63.54,Protocol=tcp,User=Principal[User[User[Domain[OS] Identifier[END-W10X64U-22\Administrator]]]],ProcessName=\Device\HarddiskVolume4\Users\Administrator\AppData\Local\Programs\Python\Python39\python.exe,ProcessId=212) (Dns.Services.Environment.DnsEnvironment)
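The log excerpts above are the raw material for two administrator tasks: confirming which DirectIP state a device actually ended up in, and collating blocked or monitored IPs for the Exceptions page. The following Python script is an added example (not Mimecast's code) that parses lines of the three shapes shown in this section: the UpdateEndpointSettings override line, the Handle.SettingsUpdated state line, and the handleBlockEvent line. The regular expressions are written against these excerpts only and may not cover other log messages; the sample log is constructed, with three lines copied from this article and two invented variants (a second process and a second destination) so that the aggregation has something to group.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the first three lines are copied from this article, the last
# two are made-up variants so that aggregation by IP has more than one row to show.
SAMPLE_LOG = r"""
12-01-2021 14:22:42.989 [17] INFO  UpdateEndpointSettings- DirectIpOverride.enabled. DirectIP is ON. (Api.Services.Environment.ApiEnvironment)
12-01-2021 14:41:53.912 [13] INFO  Handle.SettingsUpdated - Message received with valid anti-tamper hash. DirectIP: enabled. IgnoreLocal: True (Dns.Services.Environment.DnsEnvironment)
12-01-2021 14:57:16.954 [17] DEBUG SetLog - handleBlockEvent(IP=212.69.63.54,Protocol=tcp,User=Principal[User[User[Domain[OS] Identifier[END-W10X64U-22\Administrator]]]],ProcessName=\Device\HarddiskVolume4\Users\Administrator\AppData\Local\Programs\Python\Python39\python.exe,ProcessId=212) (Dns.Services.Environment.DnsEnvironment)
12-01-2021 14:58:01.100 [17] DEBUG SetLog - handleBlockEvent(IP=212.69.63.54,Protocol=tcp,User=Principal[User[User[Domain[OS] Identifier[END-W10X64U-22\Administrator]]]],ProcessName=\Device\HarddiskVolume4\Program Files\ExampleApp\updater.exe,ProcessId=4410) (Dns.Services.Environment.DnsEnvironment)
12-01-2021 14:59:30.333 [17] DEBUG SetLog - handleBlockEvent(IP=203.0.113.9,Protocol=udp,User=Principal[User[User[Domain[OS] Identifier[END-W10X64U-22\Administrator]]]],ProcessName=\Device\HarddiskVolume4\Program Files\ExampleApp\updater.exe,ProcessId=4410) (Dns.Services.Environment.DnsEnvironment)
"""

# Patterns derived from the excerpts in this article (assumed stable, not documented).
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*handleBlockEvent\("
    r"IP=(?P<ip>[^,]+),Protocol=(?P<proto>[^,]+),User=(?P<user>.*?),"
    r"ProcessName=(?P<proc>[^,]+),ProcessId=(?P<pid>\d+)\)"
)
STATE_RE = re.compile(r"Handle\.SettingsUpdated - .*DirectIP: (?P<state>\w+)\.")
OVERRIDE_RE = re.compile(r"DirectIpOverride\.(?P<state>enabled|disabled)")


def parse_block_event(line):
    """Return a dict for a handleBlockEvent line, or None for any other line."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    # The NT device path is verbose; keep the image name for the review list.
    event["image"] = PureWindowsPath(event["proc"]).name
    return event


def summarize(lines):
    """Effective DirectIP state, whether a local override applied, and block events."""
    summary = {"direct_ip_state": None, "local_override": None, "blocked": []}
    for line in lines:
        if m := OVERRIDE_RE.search(line):
            summary["local_override"] = m.group("state")
        elif m := STATE_RE.search(line):
            summary["direct_ip_state"] = m.group("state")   # last one wins: latest state
        else:
            event = parse_block_event(line)
            if event:
                summary["blocked"].append(event)
    return summary


def exception_candidates(events):
    """Group block events per destination IP so each can be reviewed before it is
    added to the Exceptions page (the Monitoring-mode 'collate IPs' step)."""
    by_ip = defaultdict(lambda: {"count": 0, "images": set(), "protocols": set()})
    for event in events:
        entry = by_ip[event["ip"]]
        entry["count"] += 1
        entry["images"].add(event["image"])
        entry["protocols"].add(event["proto"])
    return dict(by_ip)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    print("DirectIP:", result["direct_ip_state"], "| local override:", result["local_override"])
    for ip, info in exception_candidates(result["blocked"]).items():
        print(ip, info["count"], sorted(info["images"]), sorted(info["protocols"]))
```

To run it against a real device, replace SAMPLE_LOG.splitlines() with the lines of the latest Mimecast.Api.xxx and Mimecast.Dns.xxx files from the Logs folder named above; block events only appear once EnableTracing is set. Grouping by IP together with the image name is deliberate: an IP reached only by a known updater is a plausible exception, whereas the same IP reached by an interpreter or an unfamiliar binary is what the feature exists to surface.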