Cyberarms – Intrusion Detection


Cyberarms Intrusion Detection is the second IDS product that we will be evaluating.  The first product was BF Guard.


As the saying goes, everything is idealistic until it gets real.

My real world came almost a week ago.  I was home that Saturday morning, having cleared my schedule.  A friend had dropped off two laptops.  There were viruses and malware to get rid of, a cluttered, full hard drive to prune, and personal data to remove.

I never imagined I had similar problems until I tried connecting to one of the computers in our lab and was faced with that now-familiar error message, “exceeded maximum number of connections”.



Downloaded Cyberarms version 2.2 from here.

Install Files

Version 2.2 supports only 64-bit systems, so those of us who still have 32-bit systems are out of luck.

Compressed Package

The installer is packaged as a zip file.

Extracted Files



Screen Shot

We have two sets of Install Steps:

  1. Prerequisite
    • Visual C++ 2010 Runtime Libraries (x64)
  2. Core
    • Cyberarms Intrusion Detection


Visual C++ 2010 Runtime Libraries (x64)
  1. Install Components
  2. Extract Files
  3. If “Visual C++ 2010 Runtime Libraries (x64)” already exists on the system
    • The user is asked whether to remove or repair the package
  4. Runtime installed on the system


Install Components?

Extracting Files

Repair or Remove

Repair is Complete



  1. License Agreement
  2. Select Install Folder
  3. Confirm Installation
  4. Installing…
  5. Install Complete

License Agreement


Select Installation Folder


Confirm Installation

Installing Cyberarms Intrusion Detection


Installation Complete



Screen Shot


Settings – Lock out configuration

  1. Lock threshold ( unsuccessful logins )
    • Default: 3 unsuccessful logins
  2. Lock duration ( minutes )
    • Default: 20 minutes
  3. Hard lock threshold ( unsuccessful logins )
    • Default: 10 unsuccessful logins
  4. Hard lock duration ( hours )
    • Default: 24 hours
  5. Hard lock forever
    • Once the hard lock threshold is reached, a choice of whether to lock the source forever instead of for the hard lock duration


Settings – Safe Networks

  1. Define safe networks, also known as whitelisting: source addresses that are never locked out.  Put your own management networks here before enabling any agent, so that a mistyped password does not lock you out of your own server.
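The following PowerShell is an added illustration and is not Cyberarms' own code. It models the soft and hard lock tiers with the default values listed above, plus a safe-network whitelist, and runs a constructed failure timeline through them so the two tiers can be seen interacting. The network list, the timeline, the IPv4-only address handling and the assumption that the failure counter keeps climbing through a soft lock until the hard lock threshold is reached are all assumptions; the page does not document how the product itself counts failures.

```powershell
# Added illustration (not Cyberarms code): a model of the lock-out tiers and
# "safe network" whitelist, run against a constructed failure timeline.
# Policy values are the page's defaults; everything else is assumed.

$Policy = @{
    SoftThreshold = 3;  SoftMinutes = 20
    HardThreshold = 10; HardHours   = 24
    HardForever   = $false
}
$SafeNetworks = @('10.10.0.0/16', '192.168.1.50/32')   # assumed whitelist

# IPv4 dotted quad -> unsigned 32-bit integer (this model is IPv4 only).
function ConvertTo-IpUInt32 {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # BitConverter expects little-endian
    [BitConverter]::ToUInt32($b, 0)
}

# True when $Ip falls inside any CIDR block in $Networks.
function Test-SafeNetwork {
    param([string]$Ip, [string[]]$Networks)
    $addr = ConvertTo-IpUInt32 $Ip
    foreach ($n in $Networks) {
        $base, $bits = $n -split '/'
        # prefix mask without bit shifting: all ones minus the host-bit range
        $mask = [uint32](4294967295 - ([math]::Pow(2, 32 - [int]$bits) - 1))
        if (($addr -band $mask) -eq ((ConvertTo-IpUInt32 $base) -band $mask)) { return $true }
    }
    return $false
}

# Lock state of one source after the given (sorted) failure timestamps.
# Assumed semantics: the counter is never reset, so a source that keeps
# failing through its soft lock eventually reaches the hard lock.
function Get-LockState {
    param([string]$Ip, [datetime[]]$Failures, [hashtable]$Policy, [string[]]$Safe)
    if (Test-SafeNetwork $Ip $Safe) {
        return [pscustomobject]@{ Ip = $Ip; State = 'safe'; Until = $null }
    }
    $n = $Failures.Count
    $last = $Failures[-1]
    if ($n -ge $Policy.HardThreshold) {
        $until = if ($Policy.HardForever) { [datetime]::MaxValue } else { $last.AddHours($Policy.HardHours) }
        return [pscustomobject]@{ Ip = $Ip; State = 'hard'; Until = $until }
    }
    if ($n -ge $Policy.SoftThreshold) {
        return [pscustomobject]@{ Ip = $Ip; State = 'soft'; Until = $last.AddMinutes($Policy.SoftMinutes) }
    }
    [pscustomobject]@{ Ip = $Ip; State = 'none'; Until = $null }
}

# Constructed timeline: one outside client keeps guessing every 40 seconds,
# one client on the safe network fails five times in a row.
$t0 = Get-Date '2016-06-15 15:34:13'
$events = @(
    0..11 | ForEach-Object { [pscustomobject]@{ Ip = '203.0.113.7'; Time = $t0.AddSeconds(40 * $_) } }
    0..4  | ForEach-Object { [pscustomobject]@{ Ip = '10.10.3.9';   Time = $t0.AddSeconds(15 * $_) } }
)

$events | Group-Object Ip | ForEach-Object {
    Get-LockState -Ip $_.Name -Failures ($_.Group.Time | Sort-Object) `
                  -Policy $Policy -Safe $SafeNetworks
} | Format-Table -AutoSize
```

Flip `HardForever` to `$true`, or shorten the whitelist, to see how the decision for each source changes; the point of the model is that the whitelist check runs before any counting, so a safe-network client is never locked no matter how many failures it produces.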


Settings – Email Notification

  1. We asked to be notified on everything
    • Events
      • On soft lock events
      • On hard lock events
      • On unlock events
  2. Reports
    • We are only in the evaluation phase and have not yet allocated money for a paid version.
      Therefore, no reports yet.

Settings – SMTP Configuration

  1. Email addresses
    • Sender address
    • Recipient address
  2. SMTP server
  3. SMTP/SSL port
    • 25
  4. Use SSL for communication
    • Note that port 25 is normally plain SMTP.  If you tick this box, most mail servers expect 465 (implicit TLS) or 587 (STARTTLS) instead, so check which port your server actually offers before sending credentials over it.
  5. This server requires authentication
    • Username and password


Agents – TLS/SSL Security Agent

Because Terminal Services is the only service we expose on this box, with authentication handled by Active Directory, it is the only agent we enable.

Original Screen

Revised Screen

  1. Override Configuration
    • Check
  2. Enable this Security Agent
    • Check
  3. Extended Configuration
    • RdpPort
      • Keep port 3389 if Terminal Services is still listening on its default port.  If it was moved, the value here must match the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.



We tried connecting through RDP from a few boxes and intentionally entered the wrong password.


Security Log



The following information is logged:

  1. Intrusion #1
    • Type :- Intrusion
    • Latest Entry :- Date
    • IP Address :- z.y.x.w
    • Message :- TLS/SSL Security Agent: Possible intrusion attempt.


Email Notifications


  1. Below are a few of the emails
    • Our inbox filtered to show messages from Cyberarms IDDS
    • Test email notification
    • Soft lock notification
    • Hard lock notification



Message – Test Message

Message – Soft Lock

Message – Hard Lock



Cyberarms Intrusion Detection is a very strong, well-engineered product.

It identifies intrusion attempts by monitoring the Windows event logs, and, unlike BFGuard in our earlier test, its TLS/SSL Security Agent recorded the source IP address of the RDP attempts.

The newest version requires an x64-based system, and for those still running a 32-bit OS that may be an impediment.



  1. Configure Intrusion Detection to block according to your requirements
  2. Secure your systems today with the Cyberarms Intrusion Detection and Defense System


BFGuard – Day 2


In this post we actually start BFGuard and try to connect to the host from other workstations.


Target OS

Here are the Windows OS that we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time


Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time


BF Guard – Application – Log entries

  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes


BF Guard – Application – Blocked IP

  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To      :- 2017-06-15 10:47:39
    • City    :- Blocked


OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure”.

Windows Logs – Security – Logs

And, here are the events captured.


Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed – Event ID = 4625


  1. Subject
    • Security ID :- NULL SID
    • Logon ID :- 0x0
      • The Subject is the account that requested the logon on this machine.  For a network logon coming from a remote client it is typically blank, hence NULL SID and Logon ID 0x0.
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type 3 = Network.  A classic RDP session logon is type 10 (RemoteInteractive); with Network Level Authentication the credential check happens before the session exists and is recorded as type 3.
  3. Account for which Logon Failed
    • Security ID :- NULL SID
      • The account we typed is not known to the target computer or Active Directory, so no SID can be resolved.
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- Unknown user name or bad password
    • Status :- 0xC000006D (STATUS_LOGON_FAILURE)
    • Sub Status :- 0xC0000064 (the user name does not exist; a wrong password for a valid account gives 0xC000006A instead)
  5. Process Information
    • Caller Process ID :- 0x0
    • Caller Process Name :- (blank)
      • The requesting process runs on the remote client and is not known here
  6. Network Information
    • Workstation Name :- ASTSQL01
      • The machine name supplied by the client
    • Source Network Address :- (blank)
    • Source Port :- (blank)
      • The client address and port were not recorded.  This is the field BFGuard needs, and it is typically blank for NLA failures logged through NtLmSsp.
  7. Detailed Authentication Information
    • Logon Process :- NtLmSsp
    • Authentication Package :- NTLM
  8. Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security auditing
    • Event ID :- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- the host on which the logon was attempted


OS – Windows Firewall

Reviewed server’s Windows Firewall to see how it is configured for “Remote Desktop“.



  1. Remote Desktop is allowed for these profiles:
    • Domain :- Yes
    • Home/Work (Private) :- Yes
    • Public :- No
    • Group Policy :- Yes



Unfortunately, Windows did not record the incoming IP address: the 4625 event above has an empty Source Network Address.  This is characteristic of Remote Desktop with Network Level Authentication, where the credential check happens inside CredSSP before a session exists and is logged as a type 3 network logon through NtLmSsp.

BFGuard reads the address from that field, so it cannot tell where the failures came from.

Because of that, it cannot reconfigure the local Windows Firewall to start blocking the source IP address.

Before giving up on address-based blocking, check the Remote Desktop Services operational logs on the server (under Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS); they record the client address for connections and failed credential checks that the Security log does not.
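The following PowerShell is an added example and is neither BFGuard's nor Cyberarms' code. It repeats the review above from the command line: it pulls the 4625 events from the Security log and extracts the fields listed in the event breakdown, reports which of them carry no Source Network Address, recovers the client address for those from the Remote Desktop transport log (Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational, Event ID 140, which names the client IP of a failed credential check), and blocks any source that reaches a threshold with a Windows Firewall rule. The threshold, the one-hour window and the rule name are assumptions. Save it as a .ps1, run it elevated, and confirm that Event ID 140 actually appears in your own RdpCoreTS log before relying on that fallback.

```powershell
# Added example, not BFGuard or Cyberarms code.  Correlates Security 4625
# failures with the RDP transport log to recover the client address that
# the Security log left blank, then blocks repeat offenders at the firewall.
# Run as Administrator.  $Threshold, $Since and $RuleName are assumptions.
param(
    [int]$Threshold = 10,                          # same as the hard-lock default above
    [datetime]$Since = (Get-Date).AddHours(-1),
    [string]$RuleName = 'BruteForceBlock'
)

# Pull one named field out of an event's EventData, whatever the provider.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Security log, Event ID 4625 (Audit Failure), the fields reviewed above.
$failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                           -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = Get-EventField $_ 'TargetUserName'
            LogonType   = Get-EventField $_ 'LogonType'       # 3 = network (NLA), 10 = RemoteInteractive
            Workstation = Get-EventField $_ 'WorkstationName'
            IpAddress   = Get-EventField $_ 'IpAddress'        # '-' or empty when Windows did not record it
        }
    })
$failures | Format-Table -AutoSize

# 2. Failures without an address cannot be blocked from the Security log alone.
$withAddress = @($failures | Where-Object { -not [string]::IsNullOrEmpty($_.IpAddress) -and $_.IpAddress -ne '-' })
"{0} of {1} 4625 events carry no Source Network Address" -f ($failures.Count - $withAddress.Count), $failures.Count

# 3. Fallback: RdpCoreTS/Operational Event ID 140 names the client IP of a
#    failed credential check.  The address is parsed out of the message text.
$rdp = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
            Id = 140; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match([string]$_.Message, 'IP address of ([0-9a-fA-F\.:]+)')
        if ($m.Success) { [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $m.Groups[1].Value } }
    })

# 4. Count failures per source.  A failure that Windows did record with an
#    address can appear in both views, so take the larger count per IP
#    rather than the sum to avoid double counting.
$counts = @{}
foreach ($view in @($withAddress, $rdp)) {
    $view | Group-Object IpAddress | ForEach-Object {
        if (-not $counts.ContainsKey($_.Name) -or $_.Count -gt $counts[$_.Name]) { $counts[$_.Name] = $_.Count }
    }
}

# 5. Block sources at or above the threshold, once each.
foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold) { continue }
    if (Get-NetFirewallRule -DisplayName "$RuleName $ip" -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName "$RuleName $ip" -Direction Inbound -RemoteAddress $ip `
        -Action Block -Profile Any -Description "Blocked after $($counts[$ip]) failed logons" | Out-Null
    "Blocked $ip ($($counts[$ip]) failures since $Since)"
}
```

Compare the LogonType column against the Source Network Address column in the first table: the type 3 NtLmSsp entries are the ones that come through NLA with a blank address, which is exactly the case the transport-log fallback covers. Whitelist your own management addresses before scheduling anything like this, and remove rules with `Remove-NetFirewallRule -DisplayName "BruteForceBlock *"` when a lock-out period is over.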


BFGuard – Day 1


We searched online for steps to secure Microsoft Windows Terminal Services.

One of the tools mentioned is BFGuard.


What is BFGuard?

BFGuard stands for “Brute Force Guard”.

How does it work?

It principally monitors the local machine's event log.  The relevant log in this case is the “Security” log.

On finding entries that indicate failed logins, it gathers the correlating data.  The obvious items are the username and the source IP address.

Once the configured maximum number of failed attempts is reached, that IP address is blacklisted.


Please download the free tool from here.

Screen Shots Please

Log Entries


Blocked IP







From the screen shots here are the functionalities offered:

  1. A listing of “Blocked IPs”
  2. Ability to whitelist specific IP addresses
  3. Statistics on each connecting IP address



This post was meant to introduce the product.

In the days ahead we will revisit and update it.