cWatch Web Security Administrator Guide · Comodo cWatch Web Security-Domain Administrator Guide • Select the license type, license period and number of domains. • If you already

rat

Comodo cWatch Web Security

Software Version 1.1

Website Administrator GuideGuide Version 1.1.062917

Comodo Security Solutions

1255 Broad StreetClifton, NJ 07013

Comodo cWatch Web Security - Domain Administrator Guide

Table of Contents

1 Introduction to Comodo cWatch Web Security....................................................................................................... 3

1.1 Purchasing a License................................................................................................................................... 4

1.2 License Types.............................................................................................................................................. 6

1.3 Adding Domains........................................................................................................................................... 7

1.4 Logging-in to the Administrative Console.................................................................................................... 17

2 The Main Interface.............................................................................................................................................. 18

3 The Dashboard................................................................................................................................................... 20

4 Domain Data and Settings.................................................................................................................................. 23

4.1 View Alerts.................................................................................................................................................. 24

4.2 Domain Overview....................................................................................................................................... 25

4.3 Comodo Vulnerability Scan Results ........................................................................................................... 28

4.4 Comodo Malware Scan Results.................................................................................................................. 33

4.5 Cyber Security Operation Center Results.................................................................................................... 36

4.6 Content Delivery Network Metrics............................................................................................................... 42

4.7 Viewing and Managing Support Tickets....................................................................................................... 44

4.8 Domain Configuration................................................................................................................................. 49

4.8.1 Configuring the Domain for cWatch Scanning..................................................................................... 50

4.8.2 Configuring FTP Settings.................................................................................................................... 51

4.8.3 Configuring CDN Settings................................................................................................................... 52

4.8.4 Configuring SSL Certificate for the Domain......................................................................................... 54

5 The Settings Interface......................................................................................................................................... 55

6 Upgrading Licenses for Domains......................................................................................................................... 56

7 Managing Your Profile......................................................................................................................................... 57

8 Getting Support................................................................................................................................................... 60

About Comodo........................................................................................................................................................ 65

Comodo cWatch Web Security - Domain Administrator Guide | © 2017 Comodo Security Solutions Inc. | All rights reserved. 2


1 Introduction to Comodo cWatch Web Security

cWatch Web Security is a cloud-based security intelligence service built for website and domain administrators to monitor and secure their web applications from various types of attacks and threats. The console allows administrators to view statistics about attacks and security related incidents which have been monitored and blockedon protected domains

The cWatch service will analyze event logs from your domains in real-time to identify and block attacks based on rules managed by Comodo Cyber Security Operations Center (CSOC). It will also identify vulnerabilities in your domains based on the Open Web Application Security Project (OWASP) top ten list and blocks them automatically.

Log files can also undergo expert analysis by qualified technicians in the Comodo SOC team. You can raise support tickets to attend to security related incidents, malware removal, blacklisting/whitelisting IPs and create custom rules for Attack and Incident reporting.

cWatch runs periodical malware scans on your domains, automatically removes identified malware. The Content Delivery Network (CDN) service accelerates the performance of your website by delivering your website content from a data center closest to the location of a visitor.

cWatch Web Security is available in three different service levels. More details are available in License Types.

This guide explains how to purchase cWatch licenses, set up the service and use the cWatch web console.

Guide Structure:

• Introduction to Comodo cWatch Web Security

• Purchasing a License

• License Types

• Adding Domains

• Logging-in to the Administrative Console

• The Main Interface



• The Dashboard

• Domain Data and Settings

• View Alerts

• Domain Overview

• Comodo Vulnerability Scan Results

• Comodo Malware Scan Results

• Cyber Security Operation Center Results

• Content Delivery Network Metrics

• Viewing and Managing Support Tickets

• Domain Configuration

• Configuring the Domain for cWatch Scanning

• Configuring FTP Settings

• Configuring CDN Settings

• Configuring SSL Certificate for the Domain

• The Settings Interface

• Upgrading Licenses for Domains

• Managing Your Profile

• Getting Support

1.1 Purchasing a LicenseThree types of cWatch license are available:

• Basic

• Pro

• Premium

For more details on the services offered with each, see License Types.

• You can purchase licenses at https://cwatch.comodo.com/pricing.php, or from the cWatch management console after logging in at https://login.cwatch.comodo.com/login.

• Licenses are charged per-domain. You can add any number of domains to a license.

• You can add multiple license types to your account if you wish to implement different protection levels on different domains.

• You can associate domains with licenses in the cWatch interface. Refer to Adding Domains for more details.

• 30 day free trial licenses are available at https://secure.comodo.com/home/purchase.php?

pid=101&license=trial.

To purchase a license:

• Choose a license type at https://cwatch.comodo.com/pricing.php. See License Types for more details aboutthe features of each license.


https://cwatch.comodo.com/pricing.php

https://secure.comodo.com/home/purchase.php?pid=101&license=trial

https://secure.comodo.com/home/purchase.php?pid=101&license=trial

https://login.cwatch.comodo.com/login

https://cwatch.comodo.com/pricing.php


• Select the license type, license period and number of domains.

• If you already have a Comodo account, select 'Existing Comodo User' and enter your username and password.

• If you don't have a Comodo account, select 'New Comodo User'. Enter your email address to create a new account.

• Complete the payment details section.

• Read the 'End User License/Subscriber Agreement' and tick the checkbox to agree.

• Click 'Continue'. After your order has been successfully processed, you will see the following order confirmation screen:



• Your licenses are now active. You will also receive a confirmation email with your order details.

• Existing customers should next login to their cWatch account and start registering their domains.

• New users will first need to activate their Comodo account by following the link in the account verification email.

• Register your domains:

• Login at https://login.cwatch.comodo.com/login

• Click the 'Register New Domain' button at top-right to get started

• See Adding Domains for more help with adding and configuring domains.

1.2 License TypescWatch offers different levels of monitoring, protection and management services to domains depending on the type of license. Three license types are available:

• Basic

• Pro

• Premium

You can purchase different license types for specific domains depending on the level of protection you require for each. For more details on associating domains with respective license subscriptions, see Adding Domains.

The following table shows the features and services that are available with each license type:




Feature/Service Basic Pro Premium

Bandwidth 4GB 10GB 40GB

Daily Malware Scanning

Daily Vulnerability Scanning

Automatic Malware Removal

Website Blacklist Monitoring & Removal Upon request 12 hours 6 hours

Website Phishing Monitoring & Removal Upon request 12 hours 6 hours

Weekly Security Reports

Web Application Firewall

Secure CDN (31 Pops, 100% SLA )

Edge SSL

SIEM Integration

Customer Alert Mechanism

DDOS (10 TB protection)

Application Intelligent Networking

Website Acceleration

Static/Dynamic Content Caching

Fully Managed WAF

Virtual Patch

OWASP Top 10 Blocking

PCI Reporting for WAF

24/7 Incident Handling and Response

FP Removal per Domain

Human Verified Alerting

Manual Malware Removal

1.3 Adding Domains• The cWatch console allows you to add and configure domains for cWatch protection and for acceleration

via the content delivery network (CDN).

• The number of domains that can be added to your account depends on your license. See Purchasing a License for details about license types.

To add a new domain

• Login to cWatch at https://login.cwatch.comodo.com/login with your username and password.

The Dashboard will appear by default

• Click 'Register New Domain' at top-right to start the domain configuration wizard:




The wizard contains seven steps:

• Step 1 - Register your domain

• Step 2 - Configure your CDN Settings (can be skipped and completed later)

• Step 3 - SSL Protection Settings (can be skipped and completed later)

• Step 4 - Vulnerability Scan Settings (can be skipped and completed later)

• Step 5 - Malware Scan Settings (can be skipped and completed later)

• Step 6 - FTP Settings (can be skipped and completed later)

• Step 7 - Finalization

Step 1 - Register your domain

The first step allows you to register your domain and select the license to be associated with the domain.



Domain Registration Form

Parameter Description

Domain Name Enter the name of the domain to be registered. Do not include 'www' at the start.

License Choose the license which you wish to associate with the domain.

The drop-down displays all licenses that you have purchased. cWatch features and CDN traffic limits vary according to the license type. See License Types for more details.

• Click 'Register and Next' to continue.

Tip: Only the first step is mandatory to add a new domain. The remaining steps can be skipped for now and configured later in the cWatch console if you wish.

• Click the 'Next' button to move between steps in the wizard

• After completing step 1 you can close the wizard at any time if desired. Your new domain will be listed on the dashboard.

• To configure the remaining items, click your domain name on the left then select 'Settings'.

Refer to Domain Configuration for more details.

Step 2 - Configure your Content Delivery Network (CDN) Settings

You must configure your domain to use the CDN service in order for domain traffic to be monitored.



Each cWatch license includes the Cybersecure CDN service for your domains. Once configured, the CDN service will:

• Accelerate performance by delivering your website content to your visitors from data centers closest to theirlocation. The amount of CDN traffic available for a domain depends on the cWatch license active on the domain. See License Types for more details.

• Forward event logs to the Comodo CSOC team who will monitor your traffic to identify anomalous behavior and threats.

• Provide Comodo web application firewall protection for your domains. The CSOC team constantly improvesthe Mod Security rules in Comodo web application firewall to provide cutting edge protection for our customers.

Once your domain has been registered (step 1), cWatch will generate a CNAME DNS record in step 2. Add this record to the DNS entry for your domain to route your site traffic through the CDN. Your web host may be able to help you with this step. Guidance is also available at https://support.google.com/a/topic/1615038?hl=en.


https://support.google.com/a/topic/1615038?hl=en


• It may take up to 20 minutes for the CDN to receive the traffic to your domain. Once it has started, you can view traffic statistics on the 'CDN Metrics' page for the domain. See Content Delivery Network Metrics for more details.

• You can get the CNAME record at any time by clicking the domain name on the left then 'Settings' > 'CDN Settings'. See Configuring CDN Settings for more details.

Step 3 - SSL Protection Settings

This step lets you specify the SSL certificate you wish to use to secure traffic on the domain.



• Click 'Create or Update SSL certificate' if you already have a certificate for the domain issued by a trusted Certificate Authority (CA). The form on the next page will allow to to upload the certificate.

• Click 'I do not have a certificate' to apply for a new certificate from Comodo CA.

Tip: This step is optional. You can configure SSL Settings later by clicking your domain on the left then 'Settings' > 'SSL Settings'. See Configuring SSL Certificate for the Domain for more details.



You need to upload the certificate and its private key. You should also upload any intermediary certificates.

SSL Protection Settings - Table of Parameters


Certificate Paste the PEM content of your certificate.



SSL Chain Certificate Paste the PEM content of the intermediate certificate if your certificate chain contains an intermediate certificate. If not, leave this field blank.

Certificate Key Enter the private key of your certificate

• Click 'Create New SSL Certificate' after pasting the certificate content and the key

cWatch will create a new certificate and bind it with the domain for data transfer through the cybersecurityCDN.

• Click 'Next'

Step 4 - Vulnerability Scan Settings

cWatch scans your domain against the types of vulnerabilities published in the Open Web Application Security Project (OWASP) top ten list. It automatically blocks any of these threats that it discovers. You can view the scan results from the Vulnerabilities page for the domain. See Comodo Vulnerability Scan Results for more details.

Step 4 in the domain registration wizard allows you run an on-demand vulnerability scan on your domain.

• To start an on-demand click the 'Start Scan'

The vulnerability scan on the domain will start. Alerts will be generated if any vulnerabilities are found. You can view the details about detected vulnerabilities in the 'Vulnerabilities' interface.

• Click 'Next'

Step 5 - Malware Scan Settings



cWatch uses a scanner file placed on your domain for periodical malware scanning. You can down load the scanner file in .php format and save it in a publicly accessible location on your domain for cWatch to initiate scans and to obtain the results.

Step 5 in the domain registration wizard allows you to download the scanner file.

Tip: This step is optional. You can download the scanner file at anytime from the 'Settings' > 'Scan Settings' interface for the domain. See Configuring the Domain for cWatch Scanning for more details. You can skip this step by clicking 'Next'.

• Click 'Download the php scan' file and save the file

• Place the file in a publicly accessible location on your domain

• Enter the path of the location in the textbox below "We will try to access the file at:"

• Click Next to move to the step 5

Step 6 - FTP Settings



cWatch allows web administrators to create support tickets for various requests like removal of malware from domains, whitelisting/blacklisting IP addresses, whitelisting of items so they are excluded from website scans and more. cWatch technicians from Comodo will attend the requests to resolve the issues.

To allow cWatch technicians to access the files on your domain, you need to provide the FTP server details of your domain.

Step 6 of the Domain Configuration wizard allows you to provide the secure FTP server details.

Tip: This step is optional. You can configure the FTP settings at anytime from the 'Settings' > 'FTP Settings' interface for the domain. See Configuring FTP Settings for more details. You can skip this step by clicking 'Next'.

s/FTP Settings - Table of Parameters


FTP Hostname Enter the hostname of your FTP server



FTP Username/ FTP Password

Enter the username and password of the account to be used by cWatch to access the FTP server

FTP Directory Enter the path to the location of the domain in the FTP server.

FTP Port Enter the port through which the domain can be securely accessed.

• Enter the details and click 'Save FTP Settings'

• Click 'Next'

Step 7 - Completion

The final step indicates the completion of the configuration.

• Click 'Get Started'.

Your new domain will be added to your account and the features will be activated as per the license chosen for the domain.

• Repeat the process to add more domains.

1.4 Logging-in to the Administrative ConsoleYou can login into the cWatch admin console at https://login.cwatch.comodo.com/login using any browser:




• If you are logging-in for the first time, use the username and password given in the cWatch account creationemail. After your first login we strongly recommend you change your password for security reasons.

2 The Main InterfaceThe cWatch dashboard contains an at-a-glance summary of the security of your monitored websites.

Links to all major areas of the interface are shown on the left. The right hand pane displays data for the selected item. Settings, profile options and the logout button are shown at the top-left.

Displays all domains which you have added to cWatch. 'Manage Settings' allows you to configure scan, FTP, CDN and SSL settings. Refer to The Settings Interface for more details.



Displays your profile screen. From here you can change your contact details, alert settings and password. Refer to Managing Your Profile for more details.

Allows you to logout of cWatch.

The left hand menu contains a link to the dashboard and lists all domains added to your account. Click on a domain name to reveal domain options:

• Dashboard - Overall statistics on all domains that are protected and managed.

• Clicking on a Domain name opens the following sub tabs:

• Alert - Shows all notifications about malware and vulnerabilities discovered on the domain. See ViewAlerts for more details.

• Overview - At-a-glance summary of security status and CDN performance. Refer to Domain Overview for more details.

• Vulnerabilities - List all threats in the OWASP top ten that have been blocked by cWatch. You have options to run on-demand vulnerability scans on the domain at anytime. Refer to Comodo Vulnerability Scan results for more details.

• Malware - Summary of the number of files scannedso far and their trust levels. You have options to runon-demand malware scan at anytime on the domain and submit tickets to remove any identified malicious files. See Comodo Malware Scan Results for more details.

• COSC - Shows a real-time analysis of attack patterns on your domain from the Comodo SecurityOperations Center. See Cyber Security Operation Center Results for more details.

• CDN Metrics - Show data about your content delivery network traffic. This includes total usage, data throughput and the locations from which your traffic originated. See Content Delivery Network Metrics to find out more.

• Ticket - Allows you to view, open and manage your support requests for the domain. You can create tickets to request Comodo to whitelist or blacklist items or to clean malware from your domain. See Viewing and Managing Support Tickets to learn more.

• Settings - Displays details about cWatch settings. Refer to Domain Configuration to know more.

Help and Support:

The footer bar contains the copyright details and links and options to get help and support.

• Click the 'Terms and Conditions' link to view the End User License Agreement for cWatch Web Security.

• Click the 'Help' link to view the online help guide for Comodo cWatch at https://help.comodo.com/topic-285-1-848-11000-Introduction-to-Comodo-cWatch-Web-Security.html.


https://help.comodo.com/topic-285-1-848-11000-Introduction-to-Comodo-cWatch-Web-Security.html

https://help.comodo.com/topic-285-1-848-11000-Introduction-to-Comodo-cWatch-Web-Security.html


• Click the 'Live Chat' button to get instant chat support from technicians at Comodo. See Getting Support for more details.

3 The DashboardThe dashboard shows a top-level summary of the security of all protected domains on your account. This allows you to quickly identify issues and effectively track the risks associated with your domains. Further details on each domainare listed underneath the main graphics.

• Click 'Dashboard' on the left to open the dashboard.

• Click 'Simple View' or 'Advanced View' at top-right to change the level of detail shown on the dashboard.



Domain Risk Levels - Shows the combined risk level of all domains added tocWatch. The risk level will change if malware detected and/or attacks are identified. The possible risk levels are:

• Critical (C)

• Very High (VH)

• High (H)

• Low (L)

• Safe (S)

• Place your mouse over a sector to see the percentage of domains in that risk category.

Attacks Blocked - Shows attacks identified and blocked by cWatch for enrolled domains.

• Place your mouse cursor over a section to view the quantity of attacks blocked on a particular domain as a percentage of overall attacks.

• Click on a sector to open the attack details page for that domain. Refer to Cyber Security Operation Center for more info.

Malware - Shows malware identified by cWatch on enrolled domains.

• Place your mouse cursor over a section to view the quantity of malware found on a particular domain as a percentage of overall discovered malware.

• Click on a sector to open the attack details page for that domain. Refer to Cyber Security Operation Center for more info.

Vulnerabilities - Indicates the state of OWASP threats identified and blocked by cWatch on enrolled domains. Refer to Comodo Vulnerability Scan Results for more details.

There are two types of dashboards displayed:

Simple View

The 'Simple View' displays overall statistical information of all domains in terms of 'Risk level', 'License Type' and their 'Latest Scan Date'. The 'Risk Level' column indicates the risk status of the domain whether it is safe, vulnerable,or critical. The 'License Type' column of the simple view indicates the type of license the domain holds. The three types of licenses provided by cWatch are Basic, Premium and Pro. The 'Latest Scan Date' column indicates the last date and time of scan.



You can view the license details of every registered domain by clicking the '+' symbol beside the domain name.

The details of domain license will be displayed. The details will include information on 'Basic' or 'Basic and Pro' if the domain has 'Pro' license type, or all three security statuses if the domain owner has the 'Premium' license type.

Advanced View

The 'Advanced View' displays the security statistics for all types of license. If your domain has the 'Basic' license type, then advanced view will show details of basic security parameters alone. If your domain has the 'Pro' license type, then you can view safety status of the next level security parameters along with the basic security parameters. You can view all the three security parameters if your domain has the 'Premium' license type.



Similar to the Simple view of domain license type, you can view more information of each domain by clicking the plussymbol beside the domain name.

Register New Domain:

Allows you to add a new domain to your website. Refer to section Adding Domains for more details.

4 Domain Data and SettingscWatch displays panoramic data about all events occurring on your domain. These include attacks monitored and blocked, the results of malware and vulnerability scans and attacks identified from event logs based on pre-defined correlation rules. You can also create support tickets to have Comodo support technicians analyze attacks and add IP addresses/files to the whitelist or blacklist. The support team at Comodo will create rules as per your request and apply to your account.

Click a domain on the left to open the following options:



• Alerts - View any alerts generated after cWatch scans on your domains. Refer to View Alerts for more details.

• Overview - Displays statistics about your protected domains and your cWatch environment. This includes tickets, service summary, vulnerability/malware scans, CSOC and CDN Metrics . Refer to Domain Overview for more details.

• Vulnerabilities - Displays a list of vulnerabilities discovered on the domain by vulnerability scans. You can also run new scans from this area. You have the option to submit a ticket to Comodo to request removalof the vulnerabilities. Refer to Comodo Vulnerability Scan results for more details.

• Malware - Displays the results of malware scans on thedomain. You can also run new scans from this area. Before you can run a malware scan you first need to download a PHP file from settings. If required, you can submit a ticket to Comodo to remove malware. Refer toComodo Malware Scan Results for more details.

• CSOC - Displays granular details about attacks identified on your domains. This includes their origin, the trend of attacks over time, attacks blocked by cWatch and top ten target URLs. Refer to Cyber Security Operation Center Results for more details.

• CDN Metrics - Displays information about your traffic usage over CyberSecureCDN (content delivery network). See Content Delivery Network Metrics for more details.

• Tickets - Displays a list of tickets generated for the domain and allows you to create new tickets. Refer to Viewing and Managing Support Tickets for more details.

• Settings - Displays statistics about settings offered by Comodo technicians, such as Scan settings, FTP settings, CDN Settings, SSL Settings. Refer to Domain Configuration section to know more.

4.1 View AlertscWatch alerts will be generated when malware or vulnerabilities are detected on your domains. You have the option to submit a ticket to Comodo to resolve any issues identified in an alert.

To view alert messages:

• Click the <domain name> on the left side of the interface and then 'Alert'.



Alerts are sorted into various categories, including 'Vulnerabilities', 'Malware found', 'Attacks' and 'Ticket details'.

• 'Open a ticket to request this malware is removed.' - Allows you to create and submit a request to have the malware removed by Comodo technicians.

4.2 Domain OverviewThe 'Overview' page summarizes security, traffic and visitor activity on your domain. To open the page:

• Select a domain on the left and choose 'Overview'.



• Visitor Requests - Displays how many requests per second were made to your domain by visitors over the time period chosen on the slider at top right.

• Security Operation Center Tickets - Displays the number of support tickets created for the domain and eachticket's status.

• Service Summary - Displays the following key statistics from your cWatch environment:

• Risk Level - Indicates the overall risk level of the domain. This is derived from identified attacks, vulnerabilities and malware found by website scans. The possible values are:

• Critical

• Very High

• High

• Low

• Safe

• Escalated Alerts - Number of tickets which were assigned to higher ranking technicians by a support team member.

• Managed WAF Operations - Number of tasks in progress by Comodo security technicians working on the web application firewall. Tasks can include updating or optimizing the firewall rules.

• Malware Analysis & Removal - The results of behavior analysis run on unknown files which were placed in the sandbox.

• Virtual Patching - Displays the number of immediate and preventive measures taken to restore the vulnerabilities.

• Reputation Retrieval (Blacklist Removal) - cWatch checks whether your domain is present on a range of website blacklists. If it is listed on such a blacklist, cWatch removes any malware or vulnerabilities that may be causing the listing. The 'Reputation Retrieval' field indicates the number of blacklists from which the domain was released by cWatch.

Cyber Security Operation Center

The 'Cyber Security Operation Center' pane displays key information from cWatch security modules, including 'Web Application Firewall', 'Malware Removal', 'Blacklist Removal' and 'Virtual Patching'. The number of tiles you see depends on your cWatch license.

• - The domain is safe.

• - The domain is at risk. You can open a Security Operations Center ticket to remediate the threat.

• - The domain has not yet been scanned.

Click a red alert icon to view detailed results and open the ticket creation interface. See 'Cyber Security Operation Center Results' for more details.

Malware Scan

The 'Malware Scan' tiles show the results of malware scans on your domain in four tiles: 'Shell & Backdoor', 'Injection and Bot', 'Defacement & Spam SEO' and 'Malware'. The number of tiles you see depends on your cWatch license.






Click a red alert icon to view detailed results and open the ticket creation interface. See 'Comodo Malware Scan Results' for more details.

Vulnerabilities

The 'Vulnerabilities' tiles show the results of scans on your domain for the top 10 OWASP threats. Cwatch automatically blocks any OWASP threats it finds. The number of threats found in each category is shown in a separate tile:




Click a red alert icon to view detailed results and open the ticket creation interface. See 'Comodo Vulnerability Scan Results' for more details.

Content Delivery Network

The 'Content Delivery Network' pane show live data about your service usage. You can configure your domain to usethe CDN service by adding a CNAME to your DNS record.

• If you have not yet configured the CNAME record then no data will be shown here. Click the yellow information icon to start the configuration process.

• The CNAME record for your domain is generated by cWatch and can be found in 'Settings' > 'CDN Settings'. See Configuring CDN Settings for more details.

• See Content Delivery Network Metrics for more details about CDN statistics.



4.3 Comodo Vulnerability Scan Results cWatch scans your domains against the types of vulnerabilities published in the Open Web Application Security Project (OWASP) top ten list. It automatically blocks any of these threats that it discovers.

• The 'Vulnerabilities' page shows the number of threats in each category that were blocked by cWatch on your domain. You can view descriptions on each vulnerability category

• You can view all pages on which vulnerabilities were identified and can submit support tickets to have the offending malware removed (Premium license required).

• The page also allows you to run on-demand vulnerability scans on the domain.

Background. OWASP is an online community that collects critical domain security issues worldwide and periodicallypublishes the top ten vulnerability categories. These categories help to protect websites against against serious web-app security flaws. cWatch checks whether your registered domains are vulnerable to the tests in the OWASP top ten and allows you to take remedial actions on those that fail.

• To open the 'Vulnerabilities' page, click on a registered domain on the left and choose 'Vulnerabilities'.



Attacks Investigation - Column Descriptions

Coulmn Header Description

Threat Name Name of the vulnerability category

Findings Total number of threats identified and blocked in the category. You can also view the webpages and URIs associated with those vulnerabilities. See the description of Viewing Vulnerability Details below, for more details.

Viewing Vulnerability Details

• Click the threat name to see more information about the attack category



• Click 'View Findings' to view the infected webpages and URIs

The 'Vulnerability Detail' pane will appear for the respective category.

• Click the category to expand the pane



The 'Vulnerability Detail' pane displays the list of webpages and URIs affected with the threat and detailed descriptions on the vulnerability category.

• To create a ticket for removal of the threat from an item, click 'Add Ticket' beside it.



A pre-populated 'Add Ticket' dialog will open which allows you to request of removal of the threat from the webpage/URI.

• Click 'Add'

A new ticket will be created and submitted. You can track your submitted tickets from the 'Tickets' interface. Refer to Viewing and Managing Support Tickets for more details.

Note: Manual vulnerability removal feature is only available for domains with a premium license.

On-demand Vulnerability Scans

• To start an on-demand click the 'Start Scan'



The vulnerability scan on the domain will start. Alerts will be generated if any vulnerabilities are found. You can view the details about detected vulnerabilities in the 'Vulnerabilities' interface.

4.4 Comodo Malware Scan ResultsTo configure your domain for cWatch scans, you need to:

• Download a .php configuration file from the cWatch console

• Save it on each registered domain that you wish to protect

See Configuring Domains for cWatch Scanning for more details.

CWatch will then run scheduled scans all files hosted on the domain.

cWatch Web Security uses different malware detection mechanisms in order to scan your website and identify threats and malware:

• Comodo Cloud - Identifies malware using cloud based Comodo File Lookup System (FLS)

• CWW - Uses heuristic technologies to identify malware

• Dynamic - Uses signature based malware detection

The 'Malware Scan' interface displays the last ten scans run on the domain. The interface also allows you to view details about threats identified by each scan. You have the option to submit a support ticket to Comodo for help to remove the selected malware.

Note: The manual malware removal feature is available only for domains with 'Pro' and 'Premium' license types.

• To open the 'Malware Scan' page for a domain, click the domain name on the left and choose 'Malware'.



Malware Scans - Column Descriptions


Scan Date Precise date and time at which the scan was run.

Total Files Scanned The number of files scanned during that malware scan session.

Malware Found The number of malware files identified during that malware scan session.

Status Indicates the infection status of the domain.


• - The domain is infected. You can create SoC tickets to remove identified malware.

• - The domain is not yet scanned.

• To view the malware items identified during a scan, click the '+' icon at its left



Malware Found - Column Descriptions


Detection Indicates whether the item is identified as Malware or Suspicious

Malware Name Displays the name of the item

Path Indicates file path in the web server at which the item was found

Action Allows you to take a remedial action on the item. Refer to the explanation below for more details.

• To take a remedial action on an item click the hamburger icon in the 'Action' column.



• Add to Whitelist - If you think an item is a false positive and can be trusted, choose 'Add to Whitelist'. An 'Add Ticket' dialog will appear, enabling you create a support ticket to add the item to whitelist. Once accepted, the item will be skipped in future scans on the domain.

• Remove Malware - If you want the item to be removed from the domain, choose 'Remove Malware'. An 'Add Ticket' dialog will appear, enabling you to create a ticket to remove the item. cWatch technicians will attend to the issue and remove the malware item manually.

You can track your submitted tickets from the 'Tickets' interface. Refer to Viewing and Managing Support Tickets for more details.

4.5 Cyber Security Operation Center ResultsThe Cyber Security Operation Center (CSOC) is a team of dedicated analysts at Comodo who monitor and remediate threats discovered by Comodo's enterprise security solutions. The CSOC team monitors the event logs of domains registered in cWatch and constantly updates security rules to deliver unrivaled, real-time protection for our users.

The CSOC interface contains a range of charts and tables which show detailed statistics about attacks that were identified and blocked on your domain. You can also create support tickets to block or whitelist IP addresses from which an attack originated.

CSOC generates alerts whenever it identifies and blocks an attack. These can be viewed in the 'Alerts' section. See View Alerts for more details.

• Click a domain name on the left then choose 'CSOC' to open the results interface.

• The slider at the top right allows you to choose the time period for which you want to view the statistics.

Attack Investigation

• The 'Attack Investigation' pane lists attacks on your domain which were blocked during the selected period.

• Each attack is accompanied with the date and time of attack, the action taken, the IP address from which the attack originated and the category of attack. Click a category to see a description of the category underneath the table.

• The 'Action' column lets you create support tickets to whitelist, blacklist or block the source IP/country (Premium users only).

• The pie-chart shows a breakdown of attacks by category. Place your mouse over any segment to see the number of attacks in a category and the percentage of total attacks which fall into this category.



Attacks Investigation - Column Descriptions


ID Serial number of the attack

Date Date at which the attack was detected

Type Indicates whether the attack was monitored or blocked

IP Indicates the IP address from which the attack has originated

Category Indicates the category of the attack. Clicking a category will display a short description of the attack type at the bottom of the pane.

Action Allows you to whitelist or block/blacklist the IP address from which the attack originated. Refer to the explanation below for more details.

• To view the description of the attack type, click the category of the attack



• To take an action against the IP address from which the attack originated, click the hamburger icon in the 'Action' column.

• Add IP to Whitelist - Choose this if you think an attack is a false positive and the source IP can be trusted. Traffic from white-listed IPs will not be monitored.

• Add IP to Blacklist - Choose if you want to prevent all further traffic from the IP to all registered domains.

• Block IP - Choose if you want to prevent all further traffic from the IP to the attacked domain.

• Block IP Country - Choose If want you to prevent all traffic from any IP located in the country which hosts the source IP of the attack.

After selecting an action, a dialog populated with the details of your request will appear. Click 'Submit' to send the request to the CSOC team.

You can track your submitted tickets from the 'Tickets' interface. Refer to Viewing and Managing Support Tickets for more details.

Attack Trends:

The 'Attack Trends' chart shows a timeline of blocked attacks, allowing you to easily track threat activity over time.



• Place your mouse on the chart line to see the exact number of attacks blocked at that point in time.

• Click and drag on a point on the line to zoom in on a particular time range. Click 'Reset Zoom' to return to the original view.

Origin of Attacks:

The 'Origin of Attacks' map shows the regions from which the attacks on your domains came, and the number of attacks from each region. The table on the right is a more granular record of the top 10 source IPs and the countries in which they are located.

• Click on an regional hot-spot to view IP and country details, the domain targeted and the total number of attacks.



Distribution of Attack Origins:

The 'Distribution of Attack Origins' pane displays a break down of countries from which attacks originated. It also liststhe top ten countries from which attacks were identified along with the number of attacks from each country.

Place your mouse over a sector to see the total number of attacks from a particular country, and the percentage of all attacks that came from the country.

Blocked Attacks by Type:

'Blocked Attacks by Type' shows attacks on the domain by category. It also lists the top ten attack types along with the number of attacks in each.



• Place your mouse over a chart sector to see the number of attacks of that type, and the percentage of all attacks that belong to the category.

• Click a sector to show a brief description of the attack type below the pie-chart.Top Ten Target URI:

This section shows the top ten most targeted internal locations on the domain. Internal locations include items like directory paths, inner pages and files.

• Place your mouse over a chart sector to see the number of attacks on a particular URI, and the percentage of total attacks that targeted this URI.



4.6 Content Delivery Network MetricsYour cWatch license includes a subscription to the Cybersecure CDN service for your domains. You can configure your domains to use the service by adding a CNAME entry to your DNS record for the domain. The CNAME entry is generated by cWatch. See Adding Domains and Domain Configuration for more details

Once configured, the CDN service will:

• Accelerate performance by delivering your website content to your visitors from data centers closest to theirlocation. The amount of CDN traffic available for a domain depends on the cWatch license active on the domain. See License Types for more details.



The Content Delivery Network (CDN) Metrics page for a domain displays statistics on your CDN usage and traffic throughput.

• Click a domain name on the left then choose 'CDN Metrics' .

• The slider at the top right allows you to choose the time period for which you want to view the statistics.

The page contains three panes:

Live Status

The 'Live Status' pane shows how much CDN data your website has used of your plan quota. The two line graphs show the number of requests per second and the amount of data per second that was used by your website. Use theslider at top-right to change the time scale.



• Place your the mouse cursor on a sector to view the precise amount of data used/remaining.

Geographical Overview

The 'Geographical Overview' map shows the regions from which the traffic to your domain originated, with the number of access requests from each region. The table on the right is a more granular record of the top 10 source countries from which the access requests and traffic originated.

• Click on an regional hot-spot to view the traffic and number of access requests from that region.

World Distribution



The 'World Distribution' pane displays a break down of continents from which access requests and traffic originated.

• Place your mouse over a sector to see the total number of access requests/traffic which originated from a particular continent.

4.7 Viewing and Managing Support TicketscWatch allows web administrators to create support tickets for various requests like removal of malware from domains, whitelisting/blacklisting IP addresses, whitelisting of items so they are excluded from website scans and more. cWatch technicians from Comodo will attend the requests to resolve the issues.

Tickets can be created in the following ways:

• Request for removal of malware or false positive item identified by malware scanning to Whitelist, from the Malware interface. Refer to Comodo Malware Scan Results for more details.

• Request to block an IP addresses from which an attack originated or adding the IP address to Whitelist or Blacklist from the CSOC interface. Refer to Cyber Security Operation Center Results for more details.

• Manually adding a support ticket for various activities like Phishing removal, DNS configuration, Vulnerability Removal and more. Refer to the explanation of creating a new ticket.

Once a ticket is added, certified cWatch technicians will resolve your requests and issues. You can track your submitted tickets from the 'Tickets' interface for a domain.

The Tickets interface for a domain displays a list of support tickets generated for the domain with their status, and allows you to manually create new tickets provide additional information, if needed in order to resolve the issues.

• To open the 'Tickets' page for a domain, click the domain name at the left and choose 'Tickets' from the options.



• The Filter Options at the top right allow you to filter the tickets based on their status.

• The pie-chart on the provides a breakdown of tickets by status. Placing the mouse on a sector displays the percentage of items in each category. The table on the right displays the list of tickets generated for that domain.

Open Tickets - Column Descriptions


Status Indicates the status of the ticket. The possible values are:

• In Progress - The ticket is being attended by a technician

• Open - The ticket is yet to be attended.

• Awaiting Input - The technician needs some information from you in order to resolve the issue.

Reported The date at which the ticket was generated.

Type Displays the type of the request as per the ticket.

Name The name to identify the ticket.

Value Displays the IP address or file name of the item to be blacklisted/whitelisted as per the ticket.

Description The description of the issue.

To generate a new ticket

• Click 'Add Ticket' at the top right of the 'Tickets' page.



The 'Add Ticket' dialog will open.

Add Ticket Dialog - Form Parameters

Form Element Description

Type Select the type of request from the drop-down:



Whitelist IP - Creates a request for adding an IP address to whitelist for the domain, so that traffic from that IP will not be intercepted. Enter the IP address to be added in the 'Value' field.

Blacklist IP - Creates a request for adding an IP address to blacklist for the domain, so that traffic from that IP will be blocked. Enter the IP address to be added in the 'Value' field.

Whitelist File - Creates a request for adding an item, like an executable file to the whitelist for the domain, so that the item will be excluded from the future website scans. Enter the full file name of the item in the 'Value' field.

Malware Removal - Creates a request for removing an item identified as malware basedon your analysis. Enter the full file name of the item in the 'Value' field.

Blacklist Removal - Creates a request for removing the domain for which the ticket is raised, from Comodo Blacklist. The domain name will be auto-populated in the 'Value' field.

Phishing Removal - Creates a request for removing the domain for which the ticket is raised, from list of global phishing websites. The domain name will be auto-populated in the 'Value' field.

Other - Creates request for other needs like creating new correlation rules or Mod Security rules, attend to incidents and more. You can enter your request in the description field.

DNS Configuration - Creates a request for adding and managing the DNS records for the domain registered with the DNS service provider/webhost. Enter the record to be registered in the 'Value' field and your request in the description field.

Block IP - Creates a request for blocking any traffic from a specified IP address to the domain for which the ticket is created. Enter the IP Address to be blocked in the 'Value' field.

Block IP Country - Creates a request for blocking any traffic from the whole country to which a specified IP address belongs, to the domain for which the ticket is created. Enterthe IP Address in the 'Value' field.

Vulnerability Removal - Creates a request for removing vulnerability of a specified category from the domain. Enter the name of the vulnerability/attack category in the 'Value' field.



Value Enter the parameters like IP address, File name, as per the option chosen from the Typedrop-down.

Name Enter a name with a short description of the issue, to identify the ticket.

Description Enter a detailed description of your request

• Enter the details on the 'Add Ticket 'dialog and click 'Save'

A new ticket will be created with the status 'Open'. A cWatch technician will attend to the ticket shortly to resolve yourrequest. Once attended, the ticket status will change to 'In Progress'. If the technician requires any additional information in order to help resolve the issue, the ticket status will change to 'Awaiting Input'. You can edit the ticket to provide the required details. See the explanation under Viewing and Editing a Ticket for more details.

On completion, the ticket will be closed and removed.

Viewing and Editing a Ticket

• To view a ticket, click the status button in the 'Status' column.

The 'Ticket Detail' interface displays the details of the ticket, its status and comments by the technician. If the ticket is



in 'Awaiting Input' status, you can provide your input as requested by the technician and save the ticket.

4.8 Domain ConfigurationThe 'Settings' interface allows administrators to:

• Configure vulnerability and malware scanning on a domain

• Configure FTP access so cWatch technicians can resolve issues on your domain

• Register a domain with the Cybersecure content delivery network. This service provides website acceleration, website monitoring and web-application firewall protection

• Upload or purchase an SSL certificate to secure connections to the domain

• Click a domain name on the left and choose 'Settings':

The interface contains four tabs:

• Scan Settings - Allows you to configure the domain for vulnerability and malware scanning. See Configuringthe Domain for cWatch Scanning for more details.

• FTP Settings - Allows you to provide FTP access details for your server. See Configuring FTP Settings for more details.

• CDN Settings - Allows you to register the domain with the Cybersecure content delivery network. See Configuring CDN Settings for more details.

• SSL Settings - Allows you to configure SSL protection for the domain. See Configuring SSL Certificate for the Domain for more details.



4.8.1 Configuring the Domain for cWatch ScanningYou need to upload a .php file to your domain in order to configure malware scanning. cWatch will access the file at the location you specify and commence scanning your website.

To download the scanner file

• Click the domain name on the left and choose 'Settings'

• Click the 'Scan Settings' tab

• Click 'Download the .php scan' file

• Upload the file to a publicly accessible location on your domain

• Enter the URL of the file in the text field and click 'Save'

cWatch will access the .php file and begin scanning your website according to a schedule.



Your domain will be scanned in 12 hour intervals and the results will be displayed in the 'Malware' page of the domain. See Comodo Malware Scan Results for more details.

4.8.2 Configuring FTP SettingscWatch allows you to create tickets for the Cyber Security Operation Center (CSOC) to investigate threats and remove malware. For more details, see Viewing and Managing Support Tickets.

The 's/FTP' settings area allows you to provide secure FTP access to the CSOC team so that they can carry out these tasks on your domain.

To enter the FTP server details to cWatch


• Click the 's/FTP Settings' tab



s/FTP Settings - Table of Parameters


FTP Hostname Enter the hostname of your FTP server

FTP Username/ FTP Password

Enter the username and password of the account to be used by cWatch to access the FTP server

FTP Directory Enter the path to the location of the domain in the FTP server.

FTP Port Enter the port through which the domain can be securely accessed.

• Enter the details and click 'Save s/FTP Settings'.

4.8.3 Configuring CDN Settings• You must configure your domain to use the CDN service in order to monitor traffic, identify threats and

accelerate web-site performance.

• To configure the service you need to add a CNAME entry to your domain's DNS record. The CNAME entry is listed in the 'CDN Settings' area.

• The amount of CDN traffic available for a domain depends on the cWatch license active on the domain. SeeLicense Types for more details.

Once configured, the CDN service will:

• Accelerate performance by delivering your website content to your visitors from data centers closest to theirlocation.





To open the CDN Settings page


• Click the 'CDN Settings' tab

• Add the 'CNAME' record displayed in this interface to the DNS entry for your domain to route your site traffic through the CDN. Your web host may be able to help you with this step. Guidance is also available at https://support.google.com/a/topic/1615038?hl=en.


https://support.google.com/a/topic/1615038?hl=en


• It may take up to 20 minutes for the CDN to receive the traffic to your domain. Once it has started, you can view traffic statistics on the 'CDN Metrics' page for the domain. See Content Delivery Network Metrics for more details.

4.8.4 Configuring SSL Certificate for the DomaincWatch allows you to upload the SSL certificate you wish to use to secure your domain.

To configure SSL Protection for your domain


• Click the 'SSL Settings' tab



SSL Settings - Table of Parameters


Certificate Paste the PEM content of your certificate.

SSL Chain Certificate Paste the PEM content of the intermediate certificate if your certificate chain contains an intermediate certificate. If not, leave this field blank.

Certificate Key Enter the private key of your certificate

• Click 'Create New SSL Certificate'

cWatch will create a new certificate and bind it with the domain for data transfer through the CDN.

5 The Settings InterfaceThe 'Settings' interface lists all registered domains along with their license details, CNAME record and overall security level. You can also quickly configure a particular domain by clicking 'Manage Settings'.



• To open the 'Settings' interface, click the gear icon on the left

Settings Interface - Column Interface

Column Header Description

Domain The name of the registered domain

CNAME The CNAME DNS record created for the domain by cWatch. The CNAME should be added to your DNS entry for the domain in order to activate the CDN service. See Configuring CDN Settings for more details.

License The type of license associated with the domain. Protection features and CDN traffic quotas vary according to license type. See License Types for a license comparison.

Security The security level of the domain is based on the results of the malware scans on your domain. If the security level is anything other than 'Safe', then please check the 'Malware' area of the domain to see whether you have active malware. Refer to ComodoMalware Scan Results for more details.

Settings Will open the 'Settings' page for the domain. This allows you to configure:

• CDN coverage

• FTP access for the CSOC team

• The domain's SSL certificate

• Malware scanning on the domain

Refer to Domain Configuration more details.

6 Upgrading Licenses for DomainsYou may want to upgrade the cWatch license for a domain if:

• You wish to enable the superior protection features afforded by a Pro or Premium license

• You need more CDN traffic for a domain



You can use one of your existing licenses or buy a new license.

To upgrade the license for a domain

• There are various ways to upgrade your license:

• Click 'Dashboard' then click on the domain you wish to upgrade. Click the 'Upgrade to Pro' or 'Upgrade to Premium' button.

OR

• Select the target domain from the list of registered domain on the left then

• Open 'CDN Metrics' and click 'Upgrade License'

OR

• Open 'Alert' then click 'Upgrade License'

Any available licenses you own will be displayed in a drop-down.

• Choose the license you want to associate with the domain. The new license will be automatically transferred to the selected domain.

If you do not have any licenses available then you will be presented with the option to a buy new license:

• Choose 'Click to Buy'

You will be taken to the cWatch license purchase page.

• Complete the purchase process. See Purchasing a License for more details.

• The license will be added to your account.

• Restart the process of upgrading the license for the domain as explained above.

• The new license will be displayed in the drop-down

• Select the license to associate it with the domain

7 Managing Your ProfileThe Profile interface allows administrators to view and edit their profile information and communication preferences



for notifications and alerts. Administrators can also change their password to login to cWatch console and to access Comodo Account Manager (CAM) at https://accounts.comodo.com.

• To open the 'Profile' interface, click the icon at the left.

Following sections explain about:

• Editing your profile

• Changing your password

To edit your profile

• Click 'Edit Profile'

The 'Edit Profile' dialog will open.


https://accounts.comodo.com/


Edit Profile Dialog - Form Parameters

Form Element Description

Full Name Displays your username/email address as entered during your sign-up to cWatch. This field cannot be edited.

Mobile (call) Specify your mobile phone number at which you wish to receive the notifications and alerts as calls.

• Select your country from the first drop-down

• Enter the phone number with the country code prefix

Email Displays your primary email address as entered during your sign-up to cWatch and allows you to add your alternative or additional email address(es) at which you wish to receive the notifications and alerts as emails

• To add an alternative email address, click 'Add new e-mail address'

• Enter the alternative email address in the text box and click the + button at the right.



• Repeat the process to add more addresses.

Alerting Channel Choose the means of communication you prefer to receive the alerts and notifications. The available options are:

• Text (SMS) messages

• Phone call

• Email

• Click 'Save' for your changes to take effect.

To change your password

• Click 'Change Password' from the 'Profile' interface

You will be taken to the CAM login page at https://accounts.comodo.com/login.

• Use your current username and password to login to CAM

The 'Change Password' page will appear

• Enter your old password, new password and re-enter your new password for confirmation in the respective fields

• Click 'Submit'

Your password will be changed, You can login to cWatch console and CAM with the new password, from the next login attempt.

8 Getting SupportcWatch live chat support is the quickest and more comprehensive way to get assistance to configure your domains and get information on support tickets. Simply click the 'Chat' button to launch a session with a qualified support technician at Comodo. The technician will offer advice on domain configuration and assist with escalating support tickets you have raised. You can even have your chat history emailed to you for future reference.

To launch a chat session

• Click the 'Chat with us button' at the bottom right of the cWatch interface.

A chat window will open.


https://accounts.comodo.com/login


• Enter your name, email address and your message in the respective fields and click 'Start chat'

Within seconds, a Comodo Support Technician will respond in a chat window and ask you to describe the problem



• Start chatting! Use the chat window to explain any problems you are having with configuring your domain orgetting help on your tickets

• The technician will offer advice accordingly.

• To end the session, click the hamburger icon at bottom right and choose 'End Chat'



You will be given an option to save the chat history for your future reference.

• To save the chat history, click 'Send Transcript'



• Enter the email address to which the chat history needs to be sent and click 'Send Email'.

You will receive the chat history at the specified email address.



About ComodoThe Comodo organization is a global innovator of cybersecurity solutions, protecting critical information across thedigital landscape. Building on its unique position as the world's largest certificate authority, Comodo authenticates,validates and secures networks and infrastructures from individuals to mid-sized companies to the world's largestenterprises. Comodo provides complete end-to-end security solutions across the boundary, internal network andendpoint with innovative technologies solving the most advanced malware threats, both known and unknown. Withglobal headquarters in Clifton, New Jersey, and branch offices in Silicon Valley, Comodo has international offices inChina, India, the Philippines, Romania, Turkey, Ukraine and the United Kingdom. For more information, visitcomodo.com.

Comodo Security Solutions, Inc. Comodo CA Limited

1255 Broad Street

Clifton, NJ, 07013

United States

Email: [email protected]

3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Greater Manchester M5 3EQ,

United Kingdom.

Tel : +44 (0) 161 874 7070

Fax : +44 (0) 161 877 1767

For additional information on Comodo - visit http://www.comodo.com.


http://www.comodo.com/

mailto:[email protected]

https://www.comodo.com/

Documents

cWatch Web Security Administrator Guide · Comodo cWatch Web Security-Domain Administrator Guide • Select the license type, license period and number of domains. • If you already