Resources use protection: Use of operating system resources (registry, libraries and drivers) is granted or denied on a process-by-process basis.

Multi-version support: Checker’s Integrity validation supports different versions of the same (authorized) program or resource.

Whitelisting: Included in the security policy, Checker maintain a list of permitted and approved processes. The execution of processes not included in this list will be blocked. Checker includes a so called self-learning capability that permits a fast an easy white listing definition.

Integrity protection: Integrity validation of whitelisted process and its resources. Processes or resources illegally altered will be blocked and reported.

Resources use protection: Checker controls the utilization of local resources (files, directories, libraries and drivers) filtered by whitelisted process.

Java resources loading control: Checker maintains a detailed list of all resources loaded by the Java Virtual Machine in ATMs. Loading of non-permitted Java resources will be blocked.

Local auditing registry in file, syslog and Windows Event Plug & Play Hardware protection: Checker detects the connection of new hardware and allows or denies mounting.

Device access control: Checker filters the access to connected devices on a process-by-process basis.

USB drives control: Reliable control of authorized USB drives for easy, yet secure maintenance. Supports content encryption and authentication of authorized USB drives.

Integrated Firewall: Checker controls inbound and outbound communications per ATM process, remote address, protocol and port, providing high level firewalling functionality matching the process whitelist.

VPN (Virtual Private Network): Checker-managed IPSec tunneling enables encrypted communications between existing applications in ATMs and servers with no need to modify the applications.

Restrictions based on roles or users: User control is based upon a list of authorized users and groups. Not only local users and groups are supported but also those defined in Active Directory domain controllers. By means of the security policy it is possible to assign each process to one or multiple users. When the process is executed and extra validation will be performed to determine whether the executor (user) has been granted to launch the process.

Keyboard control: It is possible to partially or totally disable all ATM keyboards other than the PINPAD so that they cannot be used or their use is partially limited. Limitations are selected from a predetermined list of options based on specific keys or groups of keys.

External pluggable storage devices control: Checker detects the connection of such devices and allows or denies mounting, reporting this situation as a security event.

ATM hard disks encryption can be fully managed from the Checker console, including remote commands to encrypt or decrypt ATM disks. Key management is automatic and transparent to the user.

Zero downtime: The encryption can be commanded from the server and the disk can undergo the encryption process while the ATM keeps operating, so there is no relevant downtime associated to the encryption of an ATM network.

Smart Environment Detection: Decryption is only possible for a specified ATM environment. ATM environment is defined as a configurable combination of identifiers associated to the ATM hard disk, the ATM hardware and the ATM network..

Network Management: Checker Server manages all Checker agents in the network. Through communication with agents, the Checker console Operator can enforce new security policies (which include whitelists, firewalls rules and more), manage security execution mode, upgrade checker software or request remote system shutdowns, among other possibilities.

Security Policy Management: Checker console includes a complete and intuitive security policy editor. Learning mode allows easy and fast security policies creation from existing and trusted ATMs, and also allows version control including visualization and modification of predesigned security policies.

Real-time security monitoring: Checker Server receives security events generated by agents in real time. These events are shown in a security dashboard, enabling easy security monitoring of the whole ATM network. Security events can easily be integrated into third party monitoring systems.

Management delegation: Management functionality in the Checker Server could be separated by users and roles. In addition to Role Based Access Control (RBAC), it is possible to assign these responsibilities to the different users in a limited manner within a self-service network, in such a way that the assignment of roles is only effective for one group of ATMs (so called node) or a set of nodes in the network hierarchy.

All relevant events that happen in the ATM and are controlled by Checker are registered locally in the ATM and centralized at the server. The relevant information on ATM events which is recorded by Checker includes:

Attempts to breach the policy being applied at any given moment.

Failed signature validations.

Requests to execute commands received from the server.

Results of executing commands.

Agent execution errors

Other events of interest from a security point of view (e.g., movement to critical mode, detection of an attempt to end an Agent process or change the ATM’s IP).