Epilog is available in compressed format and has been designed with an installation wizard to allow easy installation and configuration of all critical components. The compressed file includes all components of the Snare agent, including epilog.exe. The Epilog service is contained in the 'epilog.exe' binary. This binary contains all the programs needed to read the log records, filter the events according to the objectives, provide a web-based remote control and monitoring interface, and provide all the necessary logic to allow the binary to act as a Windows service.

Wizard Install

Download the SnareEnterpriseEpilog-Windows-v{Version}-SUPP-MultiArch.exe file from the Secure Site on the Intersect Alliance website where {Version} is the most recent version of the file available.
Ensure you have administrator rights, then double-click the SnareEnterpriseEpilog-Windows-v{Version}-SUPP-MultiArch.exe file. This is a self-extracting archive and does not require WinZip or other programs. A series of screens will then be displayed, requesting that various parameters be set. Read these settings carefully, using this manual as reference. Most of the settings are discussed later in this guide, so it pays to read this guide before installing the software. The installation wizard will prompt the user to set a password for accessing the Remote Control Interface. It is strongly recommended that this setting is accepted and configured. The initial password dialog is shown in Figure 2.
Figure 2 Epilog password dialog box

Silent Install

The silent install option is provided for system administrators wishing to automate the process of installing Snare Enterprise Epilog for Windows.

Command line options

The Snare installer has a number of command line options to support silent, automated installations:

  • /VerySilent – The Wizard will be hidden for the duration of the installation process. Any message boxes will still be displayed.
  • /SuppressMsgBoxes – Any message boxes will be dismissed with the default answer.
  • /Log="filename" – Two log files will be created: filename and filename.Snare.log. The Wizard installation log will be written to filename and a detailed Snare installation log will be written to filename.Snare.log.
  • /LoadInf="INFfile" – The INFfile is a template file produced by another Snare installation. It contains all the necessary information to complete the installation and configure the agent for normal operations. See below for more details on how to produce this file.
  • /SnarePass="ZPass" – For security reasons, some parts of the INFfile are encrypted and require a decryption password. ZPass is an encrypted version of the decryption password and is produced as part of the INFfile procedure.
  • /Reinstall – Tell the installer to overwrite any existing installation.
  • /Upgrade – Tell the installer to upgrade the existing installation. If no existing installation is detected, the installer will abort. This option will only upgrade the Snare files; all configuration settings will remain untouched and the "LoadInf" file will be ignored.

Silent Install Setup Information File (INF)

To silently deploy a completely configured agent, the installer requires the help of a Setup Information File, also known as an INF file. To produce a working INF file, follow these steps:

Install the Snare agent using the Wizard.
Using the web interface, configure the agent's Network and Remote Control settings.
Configure one or more objectives.
Ensure you have administrator rights, open a command prompt, browse to the directory where Snare is installed, and execute the following commands:
  • epilog -x – Export the information and error messages, along with the INF file contents, to the screen.
  • epilog -x INFfile – Export the information and error messages to the screen and write the INF file contents to a file (e.g. INFfile) for use with the /LoadInf command line option.
Follow the prompts carefully and where required, enter the necessary password information for either the Service Account and/or the Sensitive Information encryption.
Note down the Installation Password. The /SnarePass command line option will accept this encrypted password and use it to decrypt the sensitive information in INFfile.

Silent Deployment

To install using the silent installer, ensure you have administrator rights, open a command prompt and browse to the directory where the setup program is stored. Using the "/verysilent" option, run the file:
SnareEnterpriseEpilog-Windows-v{Version}-SUPP-MultiArch.exe /verysilent /suppressmsgboxes /LoadInf="Settings.inf"
This will install the Snare application with the options specified in the Settings.inf file (e.g. the INFfile) and will not display any pop-up windows. This option is suitable for packaging and non-interactive installations.
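The silent deployment above, wrapped in a script that also writes the install logs and confirms the agent is running afterwards. This is an added example, not an Intersect Alliance script; the file locations, the '*Epilog*' service display-name pattern and the treatment of exit code 0 as success are assumptions.

```powershell
# Added example: silent Epilog deployment with post-install checks.
# Assumptions (not from the guide): file locations, the '*Epilog*' service
# display-name pattern, and exit code 0 meaning success.
param(
    [Parameter(Mandatory)] [string] $Installer,  # SnareEnterpriseEpilog-Windows-v{Version}-SUPP-MultiArch.exe
    [Parameter(Mandatory)] [string] $InfFile,    # written by "epilog -x INFfile"
    [Parameter(Mandatory)] [string] $ZPass,      # Installation Password noted during the export
    [string] $LogFile = "$env:TEMP\epilog-install.log"
)
$ErrorActionPreference = 'Stop'

# The guide requires administrator rights for the install.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated session.'
}

foreach ($path in $Installer, $InfFile) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Missing file: $path" }
}

# Options taken from the "Command line options" list in this guide.
$installArgs = @(
    '/VerySilent'
    '/SuppressMsgBoxes'
    "/LoadInf=`"$InfFile`""
    "/SnarePass=`"$ZPass`""
    "/Log=`"$LogFile`""
)
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode); see $LogFile and ${LogFile}.Snare.log"
}

# Events are only passed to the remote host while the service is running.
$svc = Get-Service -DisplayName '*Epilog*' | Select-Object -First 1
if (-not $svc) { throw 'No service matching *Epilog* found after install.' }
Set-Service -Name $svc.Name -StartupType Automatic
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }

# Remote control interface address given in this guide: http://localhost:6162/
$open = Test-NetConnection -ComputerName localhost -Port 6162 -InformationLevel Quiet
"Service: $($svc.Name)  Status: $((Get-Service -Name $svc.Name).Status)  Port 6162 open: $open"
```

The INF file and the /SnarePass value together unlock the sensitive settings, so store and distribute them separately and remove both from the target host once the install has completed.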

Running Epilog

Upon installation of the Epilog agent, an 'Intersect Alliance' menu item is added to the main Windows Programs menu. The Epilog remote control launch menu is then available from Programs->Intersect Alliance->Epilog for Windows. If the menu launcher is not available, the Epilog control interface may be accessed via a web browser from the local machine by visiting the URL http://localhost:6162/. If you previously configured a password, you will need this to log in, along with the username 'snare'.
For events to be passed to a remote host, the Epilog service must be running. To check that the Epilog service is active, select the Services item in Control Panel on older Windows NT hosts, or select Services from the Administrative Tools or Computer Management menus. If Epilog is not running, double-click on the service name, then select Automatic from the Startup Type list so that the service is started automatically when the host is rebooted, and then click the Start button. Click OK to save the settings.

Evaluation Version

Intersect Alliance offers a trial version of the agents providing full functionality for a limited time for evaluation purposes. If this version is installed, the following will be included in the header of each screen:
This indicates the date on which, and the number of days until, the agent will cease to log to a server. When this date is passed, the following will be displayed:
The Latest Events page will continue to update with current events, however no further events will be transmitted to the server.
To continue enjoying the benefits of Snare, please contact Intersect Alliance to purchase a licensed solution.