ClearICE Report Utility for BlackICE 
Online Help and Quick Start Guide

Register ClearICE Here

If you can't find your answer here, check the ClearICE FAQ

*** ATTENTION! ***

Latest Update File ClearICE Personal 5.5

DISCONTINUED 7/19/2004

6/6/2003 8:26 AM
MD5 Signature
273370D001A83B5FAAE0CF780ED95D12

Check MD5 with this tool

Required for use with BlackICE PC Protection 3.5 and above.
Latest Update File ClearICE SOHO 5.6 7/26/2004 11:42 PM
MD5 Signature
88030215D4F88B9B66BB7F0B5C19FCDB

Check MD5 with this tool

Email notification of intrusions to pager, cell phone or other email-enabled device. Required for use with BlackICE PC Protection 3.5 and above.
Latest Update File ClearICE Pro 5.6    7/26/2004 11:39 PM
MD5 Signature
1B6869B23DD6B70DCFADF557005C77BF

Check MD5 with this tool

Email notification of intrusions to pager, cell phone or other email-enabled device. For use with BlackICE for Servers 3.5 and above.
ClearICE 3.0 and 
Special Edition users only!

purchase the upgrade
All licenses for ClearICE 3.0 and the Network ICE Special Edition expired as of 12/31/2001. Required for use with BlackICE 2.9 and above.

If you are running ClearICE 3.0, 4.0 or the Network ICE Special Edition you must purchase and install the latest ClearICE full release.

ClearICE is fully compatible with the new BlackICE PC Protection release from Internet Security Systems.

The Date and Time of the CLEARICE.EXE file should match the date and time in the latest update link shown above.  If it doesn't match then you need to download the update.
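A way to check a downloaded update file against the MD5 signatures listed above, as an added example that is not part of ClearICE or its distribution: it hashes the file in chunks and compares the result with the published value in constant time. A matching MD5 only shows that the file is the one this page describes; it does not help if both the file and the page were altered, and MD5 collisions are practical today, so treat it as an integrity check rather than a signature. The edition names used as dictionary keys are my own labels.

```python
"""Check a downloaded ClearICE update against the MD5 signature published on
this page. Added example; not part of ClearICE or its distribution."""
import hashlib
import hmac

# Expected MD5 signatures, copied from the update table on this page.
# The edition names are labels chosen for this example.
PUBLISHED_MD5 = {
    "ClearICE Personal 5.5": "273370D001A83B5FAAE0CF780ED95D12",
    "ClearICE SOHO 5.6": "88030215D4F88B9B66BB7F0B5C19FCDB",
    "ClearICE Pro 5.6": "1B6869B23DD6B70DCFADF557005C77BF",
}

def md5_hex(data):
    """MD5 of an in-memory byte string, as lower-case hex."""
    return hashlib.md5(data).hexdigest()

def md5_hex_of_file(path, chunk_size=1 << 16):
    """MD5 of a file read in chunks, so a large download need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def matches_signature(actual_hex, expected_hex):
    """Compare two hex digests case-insensitively and in constant time."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())

def verify_download(path, edition):
    """True only if the file at path carries the MD5 this page lists for edition."""
    return matches_signature(md5_hex_of_file(path), PUBLISHED_MD5[edition])

if __name__ == "__main__":
    import sys
    path, edition = sys.argv[1], sys.argv[2]   # e.g. CLEARICE.EXE "ClearICE Pro 5.6"
    print("OK" if verify_download(path, edition) else "MISMATCH: do not install")
```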

NEW >>> Online Tutorial <<< NEW

Top Virus Alerts!

Cyber Hood Watch is a non-profit organization dedicated to educating the users of Internet technologies regarding their safety and security online.  Please take a moment to visit their site for more information.  Brady & Associates, LLC is a proud sponsor of Cyber Hood Watch.

Before reporting attacks it is necessary to determine the level of threat the attack poses to your system.  The reporting of attacks could have been more automated; however, the choice not to do so is a very conscious one on my part, for a very good common-sense reason.

It is imperative that good old human judgment be used in determining what attacks should actually be reported.  BlackICE Defender gives us a severity number that is calculated based upon specific criteria about the attack when it is intercepted.  

My rule of thumb is to report attacks if they are of a severity of 4 or above
(This is a 59 or above in the old version of BlackICE Defender)  

The reason for this is simple. Attacks below 4, in my opinion, are handled adequately by BlackICE in terms of the action it takes against the attack.  It also helps the ISPs that receive attack reports not to be overwhelmed by superfluous reports. Please use good judgment in reporting attacks; this ensures the cooperation of the ISPs in helping to curb the rising incidence of hacking on the Internet.

PRIOR to reporting BlackICE Defender log entries from the Shields Up ( www.grc.com ) web site, or any other port-scanning web sites, it is YOUR RESPONSIBILITY to determine whether these log entries are actual attacks! These log entries may be created as a result of your interaction with the web site. 

It is possible, however, that a skillful hacker could disguise their activities by masquerading as one of these web sites in order to sneak past your defenses.  Be aware of your security testing efforts and the effects they might have on BlackICE Defender or any other firewall or intrusion detection system you may have in place.  

Check with the Network ICE Knowledge Base and other Internet resources to determine whether the log entries pose any kind of threat to your computer security.

Thank you for using ClearICE ! 

Ben E. Brady
Brady & Associates, LLC.


Using ClearICE - The Quick Start Guide

SETTING THE OPTIONS

Step 1. Click Options

FILE PATH SETTINGS

ClearICE automatically points to the BlackICE Defender log file, attack-list.csv, in the folder where BlackICE is installed on your computer.

The default location is the "Program Files\Network ICE\BlackICE" folder. 

If you have installed BlackICE Defender into a different folder, press the "Open Folder" button next to the BlackICE Attack File Path entry field to browse your hard disk to the folder where BlackICE Defender is installed.

WHOIS - Finding out what ISP controls the Intruder IP Address.
A Whois lookup finds and displays information about the parties to whom an Internet Protocol address (IP) is registered. An email address is often included for use in sending a complaint concerning unauthorized attempts to access your computer.

The "WhoIs Trace" button will do a basic WhoIs query using your default browser, if you have not set a path to a third-party utility as discussed below. The default query is submitted to SpamCop as their WhoIs query provides a very user-friendly experience in terms of finding the email address where you will send the intrusion report.  Just look at the bottom of the query for the abuse email address.

An external third-party Whois utility must be able to take an IP address on its command line in order to work from the "WhoIs Trace" button. So far, Smart WhoIs, NeoTrace and Visual Trace Route are the only ones I have found that work this way.


We recommend Smart WhoIs as it seems to be the fastest of the three applications in returning the information regarding the Intruder IP address.  

If you would like to purchase Smart WhoIs, CLICK HERE.

To use an external WhoIs query utility, check the "External WhoIs" box in the Options window, then either enter the path and filename of the utility or use the handy Browse button. 

To use Smart WhoIs, point to the special interface file SWLAUNCHER.EXE in the ClearICE folder.


ALARM SETTINGS 

Most of these settings are self-explanatory. 

Alarm Interval is the period of time that must pass before detecting new log entries in the BlackICE Attack-list.CSV file. The default is 60 seconds. (6,000 milliseconds) The minimum value is 10 seconds (600 milliseconds).

Alarm Recycle is a multiplier value used in controlling the periodicity of the import process.  It works in conjunction with the Alarm Interval.  As an example, the Alarm Interval default is 6000, or 60 seconds. The Alarm Recycle default is 1. This equates to performing the import once every 60 seconds.

Now if you want to perform the import say every minute and a half, you can set the Alarm Interval to 3000 (30 seconds) and the Alarm Recycle to 3 and you will be able to do a check on the BlackICE log file every 90 seconds.  This must function this way as the Windows timer functionality has a problem with intervals greater than 65 seconds.  The Alarm Recycle is very flexible. 

With the new implementation you can now set ClearICE to perform an import at intervals GREATER than the previous maximum of 1 minute.  For example, with an Alarm Interval of 6000 and an Alarm Recycle of 1440 you can set ClearICE to perform a BlackICE log file check and import data once a day.

Primary Sound and Secondary Sound allow you to select the appropriate wave file to play when an intrusion is detected.  The Secondary Sound will continue to sound each time the Alarm Interval cycles in order to remind you to check the database for new entries. You can silence the Secondary Sound by pressing the "Intruder" button located on the toolbar of the main ClearICE window.

Alarm Period Enable allows you to set a period of time during which the alarm will sound.  The default period, if it is enabled, is from 7:00 AM to 11:00 PM. ClearICE will not sound any alarms OUTSIDE of this period.



OPERATIONAL SETTINGS

Minimize on Start - allows ClearICE to be minimized to the system tray upon start up.

Empty Import Database - Allows you to clear the ClearICE database prior to importing. This is very useful if you want to import a large file. If you have this checkbox enabled, the Duplicate Filter Enable is turned off. You should not use this setting unless you actually want to delete all of the records in the ClearICE database and import all records in the Attack-list.csv file.

Duplicate Filter Enable - Allows you to skip over duplicate records that have already been imported into the ClearICE database. This enables you to import only the new attacks.  If you turn this checkbox on (This should be the normal setting) then the Empty Import Database checkbox is turned off. 

Email Attack Popup Disable - disables the popup message of instructions that normally pops up when you press the Email Attack button.

Auto Import Disable - disables the automatic import feature and requires manual importing of the data.

Attack Count Threshold - used for display purposes. If the number of attacks for an entry exceeds this value, the count is displayed as red numbers.



CUSTOM MESSAGES 

(suggested verbiage)

Green Alert: (Severity threshold: 2)
While this attack doesn't seem to be particularly malicious, it has become an annoyance. Please take the appropriate action in warning this individual that his actions are in violation of your Terms of Service Agreement or Acceptable Use Policies.

Yellow Alert: (Severity threshold: 3)
It is our opinion this attack is serious enough to warrant your attention. Please take the appropriate action in warning this individual that his actions are in violation of your Terms of Service Agreement or Acceptable Use Policies.

Red Alert: (Severity threshold 4)
We consider this to be a particularly malicious attack; it will not be tolerated, and we request that you take immediate action to stop this individual from continuing their actions, which are most likely a severe violation of your Terms of Service.

Click OK to save your Options settings. All settings are saved into the ClearICE.INI file located in the folder where ClearICE is installed. No Windows Registry entries are created in the use of ClearICE. This is by design.



USING CLEARICE

Step 2. Importing the BlackICE Defender Log file
Go to the Browse Menu and select Browse Attacks to see the imported data. Only uniquely identifiable attack records are imported. If there are other records that are duplicate entries in the attack-list.csv file, they can be viewed using the Browse | View BlackICE Attack List menu selection.  During normal operation, the attacks are automatically imported into the ClearICE database. If you wish to manually trigger the import to see attacks that may not have been imported yet, press the Import button to import the records at any time.

When the import is finished, you can delete the attack-list.csv file and let BlackICE Defender create a new one. There have been some requests for me to automatically delete the log file, but I feel it should be the responsibility of the user to decide whether and when the log file should be deleted. Also, since the attack-list.csv file is created by BlackICE Defender and belongs to the BlackICE Defender program, that program is responsible for the maintenance of the data contained in the attack-list.csv file.

If you get an attack after the browse is open, click the "Import" button to include the new attacks or just wait until the Alarm Interval period cycles again.
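The import and triage described in Step 2, in Step 4 below and in the CUSTOM MESSAGES section, as an added example that is not ClearICE's own code: it parses a constructed attack-list.csv, applies a duplicate filter so only new records are imported, and flags the rows at severity 4 and above together with the custom message level their severity selects and whether their count exceeds the Attack Count Threshold. The column layout, the record identity used for duplicates, the threshold value of 25 and the sample rows are assumptions made for this example.

```python
"""Import of a BlackICE attack-list.csv with the Duplicate Filter, then the
severity triage this page recommends. Added example; not ClearICE's own code.
ASSUMPTION: FIELDS is a reconstruction of the attack-list.csv column layout;
check it against the header of your own file before relying on it."""
import csv
import io

FIELDS = ["severity", "timestamp", "issueId", "issueName", "intruderIp",
          "intruderName", "victimIp", "victimName", "parameters", "count"]

# Constructed sample log: lines 2 and 4 are duplicates of line 1.
SAMPLE_CSV = """\
3,2004-07-26 21:14:05,2001550,TCP port probe,192.0.2.10,host10.example,198.51.100.5,mypc,port=135,12
3,2004-07-26 21:14:05,2001550,TCP port probe,192.0.2.10,host10.example,198.51.100.5,mypc,port=135,12
5,2004-07-26 21:20:41,2003100,SMB share probe,203.0.113.7,,198.51.100.5,mypc,port=445,1
3,2004-07-26 21:14:05,2001550,TCP port probe,192.0.2.10,host10.example,198.51.100.5,mypc,port=135,12
2,2004-07-26 21:31:00,2001550,TCP port probe,192.0.2.44,,198.51.100.5,mypc,port=1433,40
"""
REPORT_SEVERITY = 4          # rule of thumb from this page: report severity 4 and above
ATTACK_COUNT_THRESHOLD = 25  # assumed setting; above this ClearICE shows the count in red
# Custom message thresholds from the CUSTOM MESSAGES section, highest first.
MESSAGE_THRESHOLDS = [(4, "Red Alert"), (3, "Yellow Alert"), (2, "Green Alert")]

def record_key(row):
    """Identity used for the Duplicate Filter (assumed: time, issue, intruder, parameters)."""
    return (row["timestamp"], row["issueId"], row["intruderIp"], row["parameters"])

def import_attacks(text, already_imported=()):
    """Parse the log; skip rows whose key is already in the database or earlier in the file."""
    seen = set(already_imported)
    imported = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        key = record_key(row)
        if key in seen:
            continue
        seen.add(key)
        row["severity"] = int(row["severity"])
        row["count"] = int(row["count"])
        imported.append(row)
    return imported

def message_level(severity):
    """Custom message whose threshold the severity meets, or None below Green."""
    for threshold, name in MESSAGE_THRESHOLDS:
        if severity >= threshold:
            return name
    return None

def triage(records):
    """Rows that meet the reporting rule, with their message level and red-count flag."""
    return [{"intruderIp": r["intruderIp"], "issueName": r["issueName"],
             "level": message_level(r["severity"]),
             "high_count": r["count"] > ATTACK_COUNT_THRESHOLD}
            for r in records if r["severity"] >= REPORT_SEVERITY]

if __name__ == "__main__":
    recs = import_attacks(SAMPLE_CSV)
    for item in triage(recs):
        print(item)
```

Passing the keys of records already in the database as already_imported reproduces the "import only the new attacks" behaviour of Duplicate Filter Enable across repeated imports.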

Step 3. Sorting the data 
Click on one of the tabs (by Sequence, by Date & GMT, by Intruder IP Address or by Intruder Name) to sort the listing in the order desired. Clicking on the Date & Time tab sorts in DESCENDING order, latest attack first. By Sequence sorts in ascending order.

If you click on a column label, the listing will automatically bring up a menu for you to select the type of sort, ascending or descending, for that column of the browse.



Step 4. Reporting Attacks - Quick Start instructions
1. WHOIS QUERY
Click the attack row to be reported, then click the "WhoIs Trace" button. A Whois query will be performed using the Intruder IP address of the selected attack. Make note of the email address to use to report your comments. (You will need the clipboard for another purpose.) Usually, you can send abuse reports to abuse@domain, but this is not always the case.

2. RECORD THE ATTACK
Click the "Email Attack" button to copy a standard message including the selected row's log details to the clipboard, for transfer to your email. 

When "Email Attack" is clicked, a green dot appears in the second column from the left, indicating that the attack has been "reported". This reminder will be retained, even if you "Import" again.  A message is also displayed as follows:

If multiple attack rows are to be reported, use the "Multi-Record Export Method" detailed below, to create a file for attaching to the email. 

NOTE! Most ISPs WILL NOT ACT upon reports submitted in this fashion. Unless you specifically know that the ISP will accept multiple record reports, DO NOT USE THEM!



3. CREATE THE EMAIL MESSAGE
Open your email client, enter the email address of the ISP into the "To:" field and enter an appropriate "Subject:". Now place the cursor in the body of the email message and Paste the attack details. (CTRL-V works as well) 

4. SEND THE EMAIL MESSAGE

For more details regarding reporting attacks click HERE!

 



BROWSE WINDOW FEATURES

BROWSE | VIEW BLACKICE ATTACK LIST FILE opens a display of the raw data in the log. No data operations are possible.


BROWSE | BROWSE INTRUSIONS opens the primary ClearICE window. The logged records are displayed as rows, with each field in a separate column, and can be Sorted, Tagged and Exported. Initially, all records appear.

The icons on the tool bar located below the menu bar are used to navigate through the rows. The function of each will pop up when the mouse is hovered over the icon for a second.

SORTING
The tabs at the top of the listing display the rows in one of three predetermined orders. "By Sequence" displays the rows in the order in which they were originally logged (in ascending Date order, and in ascending GMT Time order within each Date).

"By Date & GMT" displays the rows in DESCENDING Date order with a secondary sort by Greenwich Mean Time order within each Date. The effect is the opposite of By Sequence. Clicking on this tab will display the attacks with the most recently received attack at the top of the list.

"By Intruder IP" displays the rows in Intruder IP order. All of the attacks from an Intruder IP are displayed together. A serious/persistent attack is easy to identify by multiple rows with the same Intruder IP address.

"By Intruder Name" displays the rows in Intruder Name order. All of the attacks from an Intruder Name are displayed together. This allows you to easily see all of the intrusions received from a specific Intruder in order to determine any specific trends in the attacks.

A "Custom View" tab will appear if you create a custom view with the View Wizard.


If you want to do some other type of sort that is not provided for by the tabs, you can right click on the column header of any of the columns displayed in the browse and select the type of sort you would like to execute.

The columns used by the tab sorts have a cyan background color.

USER-DEFINED VIEWS NEW FEATURE!

You will notice at the top of the Browse Intrusions window there are two drop-down list fields: the Queries group and the View group.  These fields are used to interact with the ClearICE database: ad-hoc queries reduce the complexity of the data in the list, and customizable user-defined list box views reduce the complexity of the data displayed on the screen.

The modules used in the Browse Intrusions procedure, Query Wizard, View Wizard and Spreadsheet Wizard (used to export data) provide a consistent interface for working with the ClearICE database. The Report Wizard also provides the ability to produce user-defined reports that may be printed to hard copy or other electronic output. All you have to do is follow the prompts for each of the wizards and make the appropriate decisions to produce the desired results.

Any custom view that was in effect when you exit the Browse Intrusions window, will be re-established when you open the Browse Intrusions window again.  You can return to the Default view by pressing the "Reset View" button or selecting "Default View" from the drop field list.


TAGGING SUBSETS OF RECORDS FOR PROCESSING

Located at the bottom of the Browse Intrusions window is the ClearICE tagging interface: a series of buttons that are used to select records from the database for specific handling such as reporting or deletion.

Tagging is used in preparation for exporting multiple selected rows as a group to an external file, for attaching to an email or processing in a spreadsheet. Click on the first row to be exported, then click the "Tag" button. A red dot will appear in the row's left column, indicating that the row is Tagged. Now click the tag column of all other rows in the group to be exported. A row's tag can be removed by clicking the tag column again.

Between the "Rev tag" and "Whois" buttons at the bottom of the window is a 3-function button, labeled with the display function it will perform when next clicked. Each time the button is clicked, the listing changes to display only the "Tagged", only the "Untagged" or "All" rows and the button label cycles to the next function.

When the desired rows are all tagged, click the 3-function button until its label becomes "Tagged". Then click once more. All un-Tagged rows will disappear. If the rows are not sorted in the order you want, clicking one of the tabs will probably do the job (for instance, Date & Time is a good ordering for reporting an attack).

Several other buttons are also provided for mass tagging operations:
"tag All" tags all attack records.
"Untag all" removes the red tag from any tagged attacks.
"Rev tags" inverts existing tagging. Previously tagged records are un-tagged and un-tagged attacks are tagged.


GRAPHING INTRUSION DATA

 

Clicking on the Graphs menu on the Menu bar or the Graphs button on the Browse Intrusions window will execute the graphing functions of the data in the ClearICE data file.  As shown above, you can graph by Severity, Issue Name (intrusion type) and Date (by Month). Right clicking on any of the graphs will allow you to print the graph or save it to a file. Future enhancements will allow you to embed graphs in the hardcopy reports.


MULTI-RECORD EXPORTING TO EXCEL, HTML, CSV AND DBF
New Feature!

Pressing the Export Data button located on the Browse Intrusions window will allow you to customize the creation of an export file in one of several different formats: Excel spreadsheet, CSV, HTML and dBase files.

IMPORTANT NOTE! You MUST have MS Office installed for the export to execute successfully.


Your feedback is appreciated!
We actively seek input from you, the users, to determine the development direction of the product. 
What other features would you like to see? Do you have an idea or a suggestion? 

Please click on the email link below and send me your comments.

Ben E. Brady
Brady & Associates, LLC.

ClearICE Home Page