
LabTech Geek Month 2 (ish) Digest


Gavsto here again, for month two (ish) of the LabTechGeek monthly digest! What's new and happening this month?

We're now approaching 2700 users in our Slack channel - an absolutely amazing achievement. A big thank you to all the members who continue to flock in and to the day-to-day admin team who do a great job behind and in front of the curtains.

Automate 12 - Patch 5
Released at the end of April, there have been no reported issues as of yet. This release is the first to include the public release of the new Automate Web App! Contact support for instructions on how to safely install if you have 2FA. ConnectWise have been hard at work designing a new Web App from scratch that is more in line with what we have come to expect from modern, functional websites. The team at LabTechGeek have all been involved in providing input on it, and we are all beyond impressed with the work that has been done on this. ConnectWise Management - please take the person leading this and give them a pay rise! I am sure you will all agree that this is a remarkable piece of work. A credit to the team that is making that come true. Within the LabTechGeek Slack we have been referring to this as "Automate Web App" or AWA; if anyone in ConnectWise Marketing is reading this, feel free to steal the name ;)

Automation Nation
Coming again this year on June 18-20th in Orlando, Florida. If you haven't registered yet then get registering - like in previous years, there is sure to be a large LabTech Geek presence and there are sessions galore across the three-day event.

Enhancement Requests
Thank you all for the weight you put behind the Enhancement requests last month - a few enhancement requests have been added to the roadmap, my personal favourite being persistent TCP connections - a game changer! You can find the enhancement requests at https://product.connectwise.com/communities/5-automate-enhancements

ConnectWise Control Blunders
We polled a few Automate partners this month to see how many have had problems recently with the Control button in the UI connecting to completely the wrong agent, and a staggering two-thirds of all partners had experienced this. We nearly lost a client over this last week at my MSP when this happened - people don't take engineers remoting into their PC for no reason well. ConnectWise - please get this sorted!

Plugin Review!
As part of the monthly digest, we are going to be reviewing plugins and giving our honest opinion on their functionality, the pros and cons and how well they actually work. The first ever plugin review is going to be of the "Third Wall" plugin http://www.third-wall.com/, a plugin designed exclusively for use in Automate that allows security baselines and more to be set at a client, location and computer level. To be clear, this review was completely unsolicited and was picked because I have actually used this recently! If any plugin creators out there have a plugin they want reviewing then please send me a message on Slack (@gavsto) and we will consider it the next time round. We are always going to pick plugins to review that have the potential for the biggest impact on the community. Some of its core features that really stood out for me:

- Force password policy on non-domain joined machines for complexity, length and age
- Restrict local admin tools from running
- Prevent software installations
- Cryptolocker prevention (more on this in a second)
- Disable read and/or write to USB/Optical Media
- Disable access to common cloud storage
- Whitelist only authorized USB sticks with USB Wall
- Schedule Secure Free-Space deletion
- Uninstall all Automate blacklisted applications
- Prevent access to public webmail
- Disable office macros
- Disable lots of common points of security vulnerability, SMBv1 etc.
- Log all logon and logoff events
- Setup monitor thresholds for failed logins
- Ability to Isolate a machine (more on this in a second), Screen Lock, Lock Out and Annihilate a machine (yes, the button is called Annihilate and its usage can be locked down :D)

There's a lot more than what I've listed there, but these are the features that stand out. I've actually tested nearly all the above and for me at least they all worked flawlessly.

Cryptolocker Prevention
It is rare that I run something that causes me to stand back and think wow, how well did that work?! In my multiple tests of this feature, the plugin detected within a mere second that one of the canary files had been modified and within the next second the machine was completely isolated off the network. The cool thing, isolated from EVERYTHING but your Automate server and ScreenConnect/Control, so you still have the ability to manage the endpoint remotely. This functionality is also available on each machine with the Isolate button.

The UI is functional and easy to use. It is easy to see when a policy is on for a location and when it was enabled. You can save profiles of your settings so you don't have to repeat them at each location, simply load the profile and apply.

Support and Updates
I did have to ask a few questions of the plugin creators; they were always responsive, well informed, and quick to respond. There wasn't a support issue raised that wasn't answered with reasonable speed and detail. Updates are frequent and regular, and feedback I have given to the plugin creators has been taken on board and they have received it well!

In the MSP sector, where every company feels they are out to cause you thousands of dollars of pain, Third Wall was a refreshing change. 10 cents USD per endpoint, and an extra 5 if you want the USB-Wall whitelist functionality. You also don't have to license all your agents, just pay for the locations where you have it enabled. Given the price and the features this was a no brainer for us, and at the MSP I work for we decided to roll this out across all our clients.

I am not a fan of how the policy applies. To get this turned on you need to turn on these items at a location level for everyone, and then block them at an individual agent level if you want to exempt individual machines. Third Wall actually recommend doing the blocking first on individual agents and then enabling at the location level. I would have preferred to be able to turn these ON on individual machines as opposed to blocking them; it just makes more sense. I'd also love to see some customisation for the Cryptolocker monitor: being able to specify the name of the canary files and put custom content within the actual files that get put on the machine, coupled with being able to set a custom script to execute on this event, would be amazing (it does raise a ticket already). I've had a few people mention they have had issues with the earlier versions, but a lot of these problems appear to be fixed in the version I tested.

Very impressed and I think this is well worth the small cost per agent. Third Wall offer an unlimited trial for a month, I'd highly recommend giving them a try - http://www.third-wall.com/requestatrial2

EDIT 5th November 2018
Having used this now for a number of months, though I still think it's worth the small price per agent, the product definitely has improvements that need to be made in a number of areas. Ticketing and flapping states is a weakness at the moment, as is date formatting in non-US formats, which can affect things like ransomware detection.


I'm interested to know more about the Cryptolocker Prevention you mentioned. Can you provide some links or direction where I can find this? Is this the CryptoPrevent tool from Foolish IT that I see elsewhere on the forum, or is this a different product/tool?


Hi Vandeal,

Our documentation can be found here with the Ransomware Monitor explained in detail on page 29. To save you the click, here's the overview:

This isn't a tool from Foolish IT; it is a policy wholly built and maintained by Third Wall. When you enable the policy, Third Wall will write four 'A Third Wall…' files to each user's 'My Documents' folder. We then put a watcher on all four files, watching for any changes to those files. The idea is to catch ransomware encrypting files. If any one of those four files is changed, your assigned 'Detection Action' will immediately run and you will receive an alert.

'Detection Action' is one or more of these options that will run if the Ransomware Monitor sees a change to one of those files: Disable VSS, Isolate (removes network connectivity to everything, except for your LabTech server and your ScreenConnect server), AV-Scan. You can also select 'Shutdown' or 'Ticket Only'.

Let me know if you've any other questions here, I'm happy to help.


Edited by LabTechRob

I've been using Third Wall since the beginning of the year and I stand behind @gavsto's words. The ransomware detection is beyond incredible. We actually had a tech that was out when we first implemented and changed the honey pot files when he came back to work. After reinstalling the network drivers and even putting in a brand new NIC, he still wasn't able to access anything on the LAN. He was to the point of reformatting before we filled him in on the issue 😉. If the ransomware protection is tech proof, then it's definitely customer proof. It does its job and it does its job well.

There are a lot of features in Third Wall that you're probably already implementing elsewhere like password ages and complexity requirements, disabling macros, event logs, etc. We tested them and they worked well, but we really don't have a need for them. If your technical level isn't quite at the level that you feel comfortable implementing these items on your own, then it's nice to know that there is a product that does it for you. Be careful though, because it does exactly what it says it will do and can cause more harm than good if you're careless.

When it comes to USB-Wall, you need to know exactly what it is and what it isn't. At this time USB-Wall restricts mass storage devices from running on a machine, with the exception of specific devices that you have whitelisted. It does not protect you against all USB devices. It doesn't prevent Universal P&P devices from being recognized, so it will not protect you from malicious devices (e.g. a Rubber Ducky). We tested several models of YubiKey U2F and it didn't have much success finding them. I don't remember off-hand all of the devices that we tried, but I know that we at least tried the YubiKey 4, the NEO, and the Security Key, and the Security Key was the only device that was recognized. The point is that USB-Wall is geared towards data protection, not towards security.

It's a great product all around, especially for the price. Be careful, take your time, ask questions, and be amazed at how well the product works.


A word of caution regarding the ransomware detection. Although it's great at detecting when the contents are changed, I found it unreliable in its detection of deletion or renaming of the honeypot files. To cut a long story short, having worked with the developer (how many companies can you do that with?), it turns out that ThirdWall is a bit casual in the way they deal with internationalisation, something I noticed in the log files as dates flipped between UK and US format. This issue with the date format impacted the ability of the software to detect a change and prevented it from activating on a change to the files.

Overall I'm very impressed with the software but cautious about its abilities and reliability outside of a US date zone.

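As an added example (not Third Wall's code and not posted by anyone in this thread), here is a minimal canary-file monitor in Python that models the mechanism LabTechRob describes above: plant a handful of files in a user's Documents folder, record a baseline, and fire when any of them changes. It also reports the two cases the caution above found unreliable, deletion and renaming, as a "missing" event. The file names and contents are assumptions modelled on the 'A Third Wall…' files; the plugin's real names, contents and detection logic are not shown on this page. The comparison uses the raw integer timestamp from stat() and a SHA-256 of the content, never a formatted date string, so a UK/US date flip like the one noticed in the logs cannot affect it.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed names and content: modelled on the "A Third Wall..." files the post
# describes, not the plugin's real files (which are not shown on this page).
CANARY_NAMES = [
    "A Third Wall canary 1.docx",
    "A Third Wall canary 2.xlsx",
    "A Third Wall canary 3.pdf",
    "A Third Wall canary 4.txt",
]
CANARY_CONTENT = b"Canary file: do not modify, rename or delete.\n"


@dataclass(frozen=True)
class CanaryState:
    size: int
    mtime_ns: int   # raw integer from stat(); never a locale-formatted date string
    sha256: str


Snapshot = Dict[str, Optional[CanaryState]]   # path -> state, None if missing


def plant_canaries(documents_dir: str) -> List[str]:
    """Write the canary files into one user's Documents folder; return their paths."""
    paths = []
    for name in CANARY_NAMES:
        path = os.path.join(documents_dir, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_CONTENT)
        paths.append(path)
    return paths


def _state(path: str) -> Optional[CanaryState]:
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None   # deleted, or renamed to a ransom extension
    return CanaryState(st.st_size, st.st_mtime_ns, digest)


def snapshot(paths: List[str]) -> Snapshot:
    return {p: _state(p) for p in paths}


def check_canaries(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Return (path, event) for every canary that differs from the baseline."""
    events: List[Tuple[str, str]] = []
    for path, before in baseline.items():
        if before is None:
            continue   # never planted successfully; nothing to compare against
        after = current.get(path)
        if after is None:
            events.append((path, "missing"))    # deleted or renamed
        elif after.sha256 != before.sha256:
            events.append((path, "modified"))   # contents rewritten, e.g. encrypted in place
        elif after.size != before.size or after.mtime_ns != before.mtime_ns:
            events.append((path, "touched"))    # metadata changed, contents identical
    return events


def simulate_attack() -> List[Tuple[str, str]]:
    """Constructed demo: plant canaries in a temp folder, then mimic ransomware."""
    with tempfile.TemporaryDirectory() as documents:
        paths = plant_canaries(documents)
        baseline = snapshot(paths)
        with open(paths[0], "wb") as fh:                 # encrypt in place
            fh.write(os.urandom(64))
        os.remove(paths[1])                              # delete
        os.rename(paths[2], paths[2] + ".locked")        # rename with a ransom extension
        # paths[3] is left alone and must not fire
        events = check_canaries(baseline, snapshot(paths))
        # this is where a Detection Action (isolate, disable VSS, AV scan, ticket) would run
        return [(os.path.basename(p), e) for p, e in events]


if __name__ == "__main__":
    for name, event in simulate_attack():
        print(f"{event:9s} {name}")
```

The demo polls by taking two snapshots; a real monitor would hang the same check_canaries comparison off a filesystem change notification (FileSystemWatcher on Windows) so it fires within the second or so described above, and the "missing" branch is what a rename-then-encrypt strain trips before any content change is visible at the original path.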

I have had nothing but issues with ThirdWall. It's caused us hundreds of hours of grief at this point. If you're on a domain, stick with GPO. If you don't have a domain (you should), it may be better than nothing. Just be ready to constantly fight with the product at every turn and troubleshoot for days/weeks the issues that it causes (even after you "remove" the policies).
