Technical analysis of Hola

Posted by Vectra Threat Labs on Jun 1, 2015 7:19:00 AM

Updated June 3, 2015 11:00 AM (see details)

Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.

Let’s start with the basics
Hola markets itself as providing anonymous browsing and an unblocker for accessing any content from any location. “Unblocking” comes in two forms. The first is that an Hola user can pretend to be in any country she wants, enabling access to content that would only be available within the target country. A common example is a Canadian citizen accessing the US version of Netflix. The second is that an employee in a company that blocks certain outbound traffic can use Hola to get past the blockage.

The software is available either as a browser extension or a stand-alone application with versions for every major operating system, and Hola claims 46 million users worldwide. Vectra researchers analyzed the 32-bit version of Hola for Windows, and the Android ARM and Android x86 versions of Hola for mobile, available prior to May 27, 2015.

Once installed, the service acts as a giant peer-to-peer network known internally as “Zon” where a user’s Internet traffic is bounced through other Hola users. In the Zon network, every unpaid user is used as an exit node, meaning that if you were to install the application, you would carry traffic from other anonymous users. Worse still, Hola caches content on user devices, meaning that not only would you carry someone else’s traffic without your knowledge, but you could be used to cache their content as well. These are all things that Hola publicly states on its website and license agreement. While users who have just realized this have expressed shock, the story doesn’t end there.

We decided to analyze this software because it triggered a type of detection we call “External Remote Access” in some of our customers’ networks. The algorithm behind this detection finds connections that are established from inside a customer’s network to the Internet and in which the subsequent interaction is clearly driven by a human outside the customer’s network. This pattern is consistent with how a peer-to-peer anonymity network works. The employee computer with Hola installed must use well-known techniques to make a firewall allow the peer’s connection to complete, and these techniques effectively make the connection appear – to the firewall and to Vectra – to be initiated from the employee’s machine to the peer who wishes to make use of it. Once the connection is up, the external human controlling the peer drives all the action.

Digging deeper
Things get a bit more interesting when you realize that Hola (the company) operates a second brand called Luminati that sells access to the Hola network to third parties. If this sounds to you like a recipe for a botnet, you’re not alone. In fact, moderators from the controversial site 8chan claim to have experienced a DDoS originating from the Hola/Zon network.

In addition, third-party researchers have uncovered a variety of vulnerabilities in the Hola software that not only allow users to be tracked, but can also be exploited to run arbitrary code on an Hola user’s machine. It should be noted that vulnerabilities in perfectly legitimate software aren’t unusual – most software publishers are judged by the competence of their programmers in preventing security vulnerabilities as well as the speed with which they react to reported vulnerabilities. The vulnerabilities were publicized on May 29. On June 1, Hola stated the vulnerabilities were patched, and their statement was rebutted by the third-party researchers in an update to their original post.

It also appears that the DDoS mentioned above is not the first time hackers have attempted to use Hola for malicious activity. While analyzing the protocol used by Hola, Vectra researchers found 5 different malware samples on VirusTotal that contain the Hola protocol. The SHA256 hashes for these samples are listed below: 

Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys.

Enabling a human attacker
While analyzing Hola, Vectra Threat Labs researchers found that in addition to reports of Hola enabling a botnet, it contains a variety of capabilities that can enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides.

First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system. On Windows systems, the certificate is added to the Trusted Publishers Certificate Store. This modification to the system allows any additional code to be installed and run without the user being notified by the operating system or browser.

In addition, Hola contains a built-in console that remains active even when the user is not browsing via the Hola service – it is included in the process that acts as a forwarder for other peers’ traffic. The presence of this console – dubbed “zconsole” – is surprising on its own, as it enables direct human interaction with a Hola node even when the service is not actively in use by the system’s user. So if a human outside the system were to gain access to this console, what could they do?

  • List and kill any running process
  • Download any file with an option to bypass anti-virus (AV) checking
  • Execute a downloaded file and:
    • Run the file with the token of another process
    • Run it as a background process
  • Open a socket to any IP address, device, guid, alias or Windows name
  • Read and write content across the socket to the console or to a file

This represents just a small subset of the functionality available in the console. The developers of the console have been gracious enough to include a man page to help someone unfamiliar with the commands.

These capabilities can enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky anonymity network enabling a botnet, and instead forces us to acknowledge the possibility that an attacker could use Hola as a platform to launch a targeted attack within any network containing the Hola software.

As a result, we highly encourage organizations to determine if Hola is active in their network and decide whether the risks highlighted in this blog are acceptable. To help with this, we have crafted Yara rules to identify whether Hola is present on a system. For customers that have an intrusion prevention system (IPS) deployed, we have also created Snort signatures to help them identify Hola traffic in their network.

Additions and clarifications since first publication
  • Where there were statements about botnets in conjunction with Hola, clarifications were made that Hola was used to enable a botnet and is not itself a botnet.
  • Added information in paragraph three about the specific versions of Hola for Windows and Hola for mobile analyzed for this blog. This information was already present in the later section entitled SHA256 Hashes of Windows and Android Versions of Hola Software Analyzed.
  • Added information that became available after our blog was published about Hola patching their software.
  • Clarified that the samples on VirusTotal indicate malicious attempts to use Hola; evidence of these attacks succeeding is not available.
  • Updated our recommendation to organizations in the final paragraph.

Snort signatures to detect Hola or Luminati traffic (link to file)

alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network Encrypted"; content:"|ac 2e bf 5c|"; offset:0; depth:4; classtype:trojan-activity; sid:500001; rev:2; )
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network PCLR"; content:"PCLR"; offset:0; depth:4; classtype:trojan-activity; sid:500002; rev:2; )
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network ZCLR"; content:"ZCLR"; offset:0; depth:4; classtype:trojan-activity; sid:500003; rev:2; )
alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network ZPNG"; content:"ZPNG"; offset:0; depth:4; classtype:trojan-activity; sid:500004; rev:2; )
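
Added example (not Vectra's code): a small Python evaluator for the four signatures above, showing how Snort's content option, its |hex| notation, and offset/depth restrict each match to the first four payload bytes. The parser handles only the option forms used in these rules, and the sample payloads are constructed.

```python
# The four signatures, copied verbatim from the page.
RULES = [
    'alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network Encrypted"; content:"|ac 2e bf 5c|"; offset:0; depth:4; classtype:trojan-activity; sid:500001; rev:2; )',
    'alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network PCLR"; content:"PCLR"; offset:0; depth:4; classtype:trojan-activity; sid:500002; rev:2; )',
    'alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network ZCLR"; content:"ZCLR"; offset:0; depth:4; classtype:trojan-activity; sid:500003; rev:2; )',
    'alert tcp any any -> any any (msg:"VECTRA TROJAN Zon Network ZPNG"; content:"ZPNG"; offset:0; depth:4; classtype:trojan-activity; sid:500004; rev:2; )',
]


def decode_content(spec):
    """Decode a Snort content string: text outside pipes is literal,
    text between a pair of pipes is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit between pipes
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Extract the options these rules use. Splitting on ';' is enough here
    because none of the option values contain an escaped semicolon."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {
        "sid": int(opts["sid"]),
        "msg": opts["msg"],
        "content": decode_content(opts["content"]),
        "offset": int(opts.get("offset", 0)),
        "depth": int(opts["depth"]) if "depth" in opts else None,
    }


def rule_matches(sig, payload):
    """offset = where the search starts; depth = how many bytes from that
    point may be searched. With offset:0; depth:4 and a 4-byte content this
    is an exact match on the first four payload bytes of the packet."""
    start = sig["offset"]
    end = len(payload) if sig["depth"] is None else start + sig["depth"]
    return sig["content"] in payload[start:end]


SIGNATURES = [parse_rule(r) for r in RULES]


def alerts(payloads):
    """Return (payload index, sid) for every signature hit."""
    return [(i, sig["sid"])
            for i, p in enumerate(payloads)
            for sig in SIGNATURES if rule_matches(sig, p)]


# Constructed TCP payloads (not captured traffic).
SAMPLE_PAYLOADS = [
    bytes.fromhex("ac2ebf5c") + b"\x10\x93\x7f\x02",  # binary magic at offset 0
    b"ZPNG\x00\x00\x00\x01",                          # ZPNG at offset 0
    b"GET /index.html HTTP/1.1\r\n",                  # ordinary HTTP
    b"\x00\x00PCLR\x00",                              # magic outside the 4-byte window
    b"ZCL",                                           # shorter than the content
    b"PCLR" + b"\x00" * 4,                            # PCLR at offset 0
    b"ZCLRecord export v2\n",                         # unrelated text, same first 4 bytes
]

if __name__ == "__main__":
    by_sid = {s["sid"]: s["msg"] for s in SIGNATURES}
    for idx, sid in alerts(SAMPLE_PAYLOADS):
        print(idx, sid, by_sid[sid])
```

The last sample alerts because the rules are written as any any -> any any with no port or flow constraint, so any TCP payload that starts with one of the four markers will fire them; triage hits with that in mind.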

Yara rules to detect Hola software on endpoint (link to file)

rule Zon_Network {
    meta:
        description = "ZON Networks protocol"
        thread_level = 3
        in_the_wild = true
        authors = "Vectra"
        date = "5-10-15"
    strings:
        $s1 = "zconn_new"
        $s2 = "zmsg_znatconnect_handler"
        $s3 = "zmsg_upgrade"
        $s4 = "zmsg_snd_rcv_handler"
        $s5 = "zmsg_upgrade_peer"
        $s6 = "zmsg_ts_long_cb"
        $s7 = "zmsg_write"
        $s8 = "zmsg_http_write"
        $s9 = "zmsg_http_read"
        $s10 = "zmsg_write_handler"
        $s11 = "zmsg_read"
        $s12 = "zmsg_read received"
        $s13 = "zmsg_read_handler"
        $s14 = "zmsg_read_invalid"
        $s15 = "zmsg_magic_write_handler"
        $s16 = "zmsg_magic_read_handler"
        $s17 = "zmsg_http_send_handler"
        $s18 = "zmsg_zping_resp_handler"
        $s19 = "zmsg_route_req_handler"
        $s20 = "zmsg_route_get_next_hop_cb"
        $s21 = "zconn_son_free"
        $s22 = "zconn_write_handler"
        $s23 = "zconn_read_handler"
        $s24 = "zconn_write"
        $s25 = "zconn_read"
        $s26 = "zconn_dns_fail"
        $s27 = "zconn_http_handler"
        $s28 = "zconn_local_handler"
        $s29 = "zconn_handler"
        $s30 = "zmsg_release"
        $s31 = "zmsg_fail_connect"
        $s32 = "zmsg_accumulate"
        $s33 = "zconn_info"
    condition:
        // fires when at least 10 of the 33 strings above are present
        10 of them
}
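
Added example (not part of Vectra's rule file): the rule's "10 of them" condition evaluated in Python over constructed buffers. YARA text strings match as plain substrings, so a short string such as zmsg_read is also counted wherever zmsg_read_handler occurs; the example measures how that affects the threshold. The helper names and both sample buffers are assumptions made for the illustration.

```python
# Strings $s1..$s33 of the Zon_Network rule, in the order the page lists them.
ZON_STRINGS = [
    "zconn_new", "zmsg_znatconnect_handler", "zmsg_upgrade",
    "zmsg_snd_rcv_handler", "zmsg_upgrade_peer", "zmsg_ts_long_cb",
    "zmsg_write", "zmsg_http_write", "zmsg_http_read",
    "zmsg_write_handler", "zmsg_read", "zmsg_read received",
    "zmsg_read_handler", "zmsg_read_invalid", "zmsg_magic_write_handler",
    "zmsg_magic_read_handler", "zmsg_http_send_handler",
    "zmsg_zping_resp_handler", "zmsg_route_req_handler",
    "zmsg_route_get_next_hop_cb", "zconn_son_free", "zconn_write_handler",
    "zconn_read_handler", "zconn_write", "zconn_read", "zconn_dns_fail",
    "zconn_http_handler", "zconn_local_handler", "zconn_handler",
    "zmsg_release", "zmsg_fail_connect", "zmsg_accumulate", "zconn_info",
]
THRESHOLD = 10  # the rule's condition: "10 of them"


def matched(data):
    """Rule strings found anywhere in data (substring search, which is how
    the rule's plain text strings are matched)."""
    return [s for s in ZON_STRINGS if s.encode("ascii") in data]


def rule_fires(data):
    """True when the number of matched rule strings reaches the threshold."""
    return len(matched(data)) >= THRESHOLD


def distinct_symbols(data):
    """Matched strings that are not contained in a longer matched string,
    i.e. a lower bound on the separate symbol names actually present."""
    hits = matched(data)
    return [s for s in hits if not any(s != t and s in t for t in hits)]


def report(name, data):
    """Summarise one sample: rule verdict, raw hits, and distinct symbols."""
    return {
        "sample": name,
        "fires": rule_fires(data),
        "strings_matched": len(matched(data)),
        "distinct_symbols": len(distinct_symbols(data)),
    }


# Constructed buffers standing in for a binary's symbol/string table.
FIVE_SYMBOLS = b"\x00".join([
    b"zmsg_upgrade_peer", b"zmsg_write_handler", b"zmsg_read_handler",
    b"zconn_write_handler", b"zconn_read_handler",
])
NINE_SYMBOLS = b"\x00".join([
    b"zconn_new", b"zmsg_znatconnect_handler", b"zmsg_snd_rcv_handler",
    b"zmsg_ts_long_cb", b"zmsg_http_write", b"zmsg_http_read",
    b"zmsg_magic_write_handler", b"zmsg_magic_read_handler",
    b"zmsg_http_send_handler",
])

if __name__ == "__main__":
    print(report("five overlapping names", FIVE_SYMBOLS))
    print(report("nine non-overlapping names", NINE_SYMBOLS))
```

Five symbol names are enough to reach the threshold while nine others are not, so when tuning or triaging hits, count distinct symbols rather than matched rule strings.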

SHA256 hashes of Windows and Android versions of Hola software analyzed

Details of code-signing certificate installed by Hola
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha1WithRSAEncryption
            O=VeriSign, Inc.
            OU=VeriSign Trust Network
            OU=Terms of use at (c)10
            CN=VeriSign Class 3 Code Signing 2010 CA
            Not Before: Aug 25 00:00:00 2014 GMT
            Not After : Sep 19 23:59:59 2015 GMT
            O=Hola Networks Ltd.
            CN=Hola Networks Ltd.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage: critical
               Digital Signature
            X509v3 CRL Distribution Points:
               Full Name:
            X509v3 Certificate Policies:
               Policy: 2.16.840.1.113733.
                 User Notice:
                   Explicit Text:
            X509v3 Extended Key Usage:
                Code Signing
            Authority Information Access:
               OCSP - URI:
               CA Issuers - URI:
            X509v3 Authority Key Identifier:
            X509v3 Subject Key Identifier:
            Netscape Cert Type:
               Object Signing
    Signature Algorithm: sha1WithRSAEncryption

Man page for Hola zconsole
Usage: sha1sum [OPTIONS] FILE
  --temp: path to temp directory
Example: sha1sum --temp Hola-Setup-1.7.5.exe
calculate sha1 checksum
Usage: reg PATH ATTRIB
  PATH: registry path
  ATTRIB: attribute in the registry path
get a registry value
Usage: sh_kill [-f] [-w SEC] PID
  -f: forcefully
  -w SEC: wait SEC seconds for termination (default 1 sec)
  PID: the pid of the process
kill a process
Usage: sh_file_ver PATH
get file version (win32 metadata)
Usage: sh_ps
list currently running processes
Usage: svc_performance enabel|disable
set svc to performance mode
Usage: get_workdir
Returns client's workdir
Usage: idle [--peek]
  --peek: query idle on updaters on vista/7
Returns client's idle information
Usage: event_busy_time on/off/reset
set eventloop busy time logging
  --temp: will execute EXE from temp directory
  --bg: will run process in background
  --detach: will run process without inherting handles
  --token-pid PID: will use the access token from PID to run EXE
  --stdin STRING: string which will be used as stdin for EXE
Example: exec_spawn --temp --bg Hola_install.exe --silent
Example: exec_spawn --token-pid 1234 --bg c:/temp/Hola_install.exe --silent
  --temp: will execute EXE from temp directory
  --bg: will run process in background
  --detach: will run process without inherting handles
  --token-pid PID: will use the access token from PID to run EXE
  --stdin STRING: string which will be used as stdin for EXE
Example: exec --temp --bg Hola_install.exe --silent
Example: exec --token-pid 1234 --bg c:/temp/Hola_install.exe --silent
Executes an executable
  --no-rec: send non recursive request
  --timeout MS: put a timeout on the requst
  --port PORT: destination port
  --dev DEVID: send on the specified DEVID
send a dns request
Usage: wget [OPTIONS] URL
  --file FILE: destination where to copy downloaded file
  --temp: downloades to temp directory
  --hdrs "hdrs": use these request hdrs as is
  --discard: throw away obtained data
  --zprotocol: use protocol to speed download
Example: wget --file c:/temp/h_i.exe
Example: wget
wget a url and save to FILE
Usage: idle_checks_update full_screen screen_saver
Example: idle_checks_update 0 1
Usage: force_user_away [idle|active|auto]
force user away status
Usage: test_lexit
test lexit handling
Usage: test_exception
test exception handling
Display build information
Usage: tar [OPTIONS]
  -z : gzips the resulting tar
Mini tar create implementation
Usage: gzip [OPTIONS]
  --decrypt : decrypts the file before gzipping
Mini gzip implementation
Usage: ps [OPTIONS]
  -s: short format
  -v: verbose
  -v -v: very verbose
  -p: show pointers
  -l: allow output >512K
  -t: show time
Print etask tasks
Usage: quit [--install]
  --install: quit and install (upgrade) afterwards
  --restart: quit and restart (external source) afterwards
  --ui: send quit to ui
  --ui-logoff: quit
Quit application
Usage: echo_spawn [-e|--sleep MS] TEXT...
  -e: output TEXT to stderr instead of stdout
  --sleep: sleeps MS milliseconds
Echo command just using etask
Usage: echo [-e] TEXT...
  -e: output TEXT to stderr instead of stdout
Echo command
Usage: help [OPTIONS]
  all: show all available commands
  -s STRING: search for commands containing the string
Show help for all commands
result truncated: see log for full result
session logoff.
Usage: webserver_timeout ip
cause webserver timeout - works only in unittests!
Usage: ztget_resp_info cid conn
get tunnel ztget resp info - works only in unittests!
Usage: jtest_perr -t type [OPTIONS]
  -t : perr type
  -i : perr info
  -b : string that will be used as the context log
create a perr report. works only in unittests
Usage: unblocker_json_set STATUS JSON_FILE_CONTENT
set unblocker json rules
Usage: set_ext_tunnel
set external tunnel as default for unittests
set wpad pac file and enable unblocker
Usage: unblocker_get_port
get port for unblocking a given country string
Usage: unblocker_tunnels_del [all|] OPTIONS
  --ip: src peer ip to erase specifically [default localhost]
delete tunnels associated with unblocker rules
Usage: test_unblocker CID
test unblocker functionality
Usage: znatconnect OPTIONS
  --dev: specify device for socket connect
use znatconnect logic to connect to another peer
Usage: get_cookie
return the current cookie from registry
Usage: set_cookie COOKIE
save the supplied cookie to registry
  empty : call 'pset_qa' with no options resets all settings
  -q : set qa type - performance/logic
       + any /svc/conf/protocol/debug/ boolean flag
  -a : set qa agents group - ofer/steve/ron/z1/z2/z3/internal/
  -p : set qa peers group
  -t : set qa tunnels group
Example: pset_qa -q "logic disable_cache" -g "11 12 126" -p 54
Usage: set_enc [--all] IS_ENABLE
set net enc mode
Usage: webserver_write [stop|start]
set whether the webserver should succeed in writing data - works
  only in unittests
Usage: delay_get_from_cache [stop |start]
delay read from local cache - works only in unittests
Usage: browser_serving [stop|start]
set whether the browser should process data for serving - works
  only in unittests
Usage: jtest_set_multizget <data_rate>
set multizget stats - data_rate, peer, tunnel chunk obtaining time   works only in in unittests!
Usage: jtest_get_wait [1 | 0]
new get requests will be blocked until next cli call -
  works only in unittests!
Usage: jtest_multizget_best_cp [cid | reset]
set multizget's best cp - works only in in unittests!
Usage: multizget_time_to_complete time
set multizget time to complete - works only in unittests
Usage: ztget_timeout cid conn
cause ztget timeout - works only in unittests
Usage: ztun_timeout cid conn
cause ztun timeout - works only in unittests
Usage: zget_resp_info cid conn
get agent zget resp info - works only in unittests
Usage: zget_info cid conn
get client zget info - works only in unittests
Usage: gid_info cid conn
get client gid info - works only in unittests
Usage: zg_closed cid conn
check agent zg context has closed - works only in unittests
Usage: zget_closed cid conn
check client zget context has closed - works only in unittests
Usage: chunk_timeout fid index cid
cause chunk timeout - works only in unittests
Usage: chunk_check_timeout fid index
check chunk timeout - works only in unittests
Usage: jtest_dnss_hook_cb HOST
simulates dnss network resolution hook callback
Dnss resolution hook callback
Usage: jtest_dnss_cb HOST IP1 [IP2 ...]
simulates dnss network resolution callback
Dnss resolution callback
Usage: jtest_new_conn PROCESS IP PORT [APK]
returns the newly redirect port on
Add new connection
Usage: jtest_max_space
set static max free space as times*dbc_file_size
Usage: jtest_torrent_stats
Example: jtest_torrent_stats num_peers=3;num_unchoked=1;
set torrent stats for unittests
Usage: perr [OPTIONS] ptr
  -c - dump client perr (ptr is browser_get_t), default option
  -a - dump agent perr (ptr is zget_resp_t)
  -t - dump tunnel perr (ptr is ztget_resp_t)
dump the perr information in ptr
Usage: ndfs_flush [--no-reset]
  --no-reset - flush only non active slabs that don't require reset
write all ndfs data to files and remap to volume
Usage: protocol_cache_mode MODE
Set caching mode for protocol
Usage: protocol_db_purge [conf]|[urls|peers|NDFS|bw|analyzer]
  - will purge all dbs
  conf = takes settings from /conf/protocol/debug/purge/..
  urls = erases dbs urls, chksms, strs
  peers = erases dbs agents, caches, knownagents, url_peers
  ndfs = erases NDFS db
  bw = erases dbs bw, bw_peers
  analyzer = erases dbs get, zget, zgetchunk, action
  delete = delete db files if their size not reduced
Example: protocol_db_purge urls|peers
Purge protocol different data bases
Usage: zsipc OPTIONS CMD
  --cancel SCID ID: cancel zipc with ID on server SCID
  CMD: ipc command
Example: zsipc zcipc 5 protocol_db_purge
Example: zsipc --cancel -2 5
Send ipc command to server
Usage: zroute [add|del] -i --src [src_cids] --dst [dst_cids] --cmd [zmsg] [--reverse] --of_traffic [percent]
  no options-  dumps existing rules
  [add|del] - add remove the rule
  --src - cids that this rule will apply to ("1 4 5 28")
          if omitted works on all clients
  --dst - cids that this rule will route to ("-7 -11 -57")
          must exist - cannot be omitted
  --cmd - specific msg this rule applies to ("ZGETAGENTS")
          if omitted applies to all msgs
  --idx - index of rule to delete
  --metric - metric of rule to add - default 0
  --reverse - apply only to reverse version of this cmd
Usage: prot_restart
restart the protocol task
Usage: zc_timeout [dev]
simulate zc bio timeout - works only in in unittests!
Usage: tunnel_tcp_connect IP PORT
  IP: destination IP
  PORT: destination PORT
TCP connect and tunnel the ipc to tcp
Usage: tunnel_tcp_listen [--port LOCAL_PORT] ARGV
  LOCAL_PORT: local server port of the listen socket
  ARGV: argv of a command to execute on the spawned connection
Open tcp listener for zipc tcp tunnel
Usage: zping [--server|--cid ] OPTIONS
  --sdev - source dev alias name
send zmsg zping to remote client
Usage: sock_list
See also: sock_write, sock_read, sock_connect, sock_close,
list all open sockets previously created with sock_connect
Usage: zmsg_release
See also: zmsg_accumulate
process all zmsgs accumulated since calling 'zmsg_accumulate' cmd
  works only in unittests!
Usage: zc_congestion -s -r
set or release congestion state from given sockets by cids
  works only in unittests
Usage: connect_delay ip is_resume
delay / resume tcp connect - works only in unittests!
Usage: zmsg_fail_connect [cid1 cid2 ...]
list of cids to fail esocket_connect_fast - works only in unittests!
Usage: zmsg_accumulate [cid1 cid2 ...]
See also: zmsg_release
when receiving zmsgs on sockets of the given ips dont process them
  - wait for zmsg_release call - works only in unittests!
Usage: sock_info FD
  returns tcp info if successful -1 if fails
See also: sock_write, sock_read, sock_connect, sock_close,
get tcp info of a given fd
Usage: sock_close [FD]
  returns 0 if successful -1 if fails. if no FD, then close all.
See also: sock_write, sock_read, sock_connect, sock_info,
close a given fd, previously created with sock_connect
Usage: sock_write [--str STR] [--file FILE] [--size SIZE] FD
  returns the number of written bytes or -1 if fails
  --str STR - writes STR content
  --file FILE - writes the contents of FILE
  --size SIZE - writes SIZE bytes of 'x's
See also: sock_connect, sock_read, sock_close, sock_info,
write to a given fd, previously created with sock_connect
Usage: sock_read [--size SIZE] [--file FILE] [--console] FD
  returns the read data to console output
  --file FILE - output is written to FILE
  --console - output is written to the console
  --size SIZE - exactly SIZE will be read
    remember that this is a blocking socket.
    if no SIZE is given all the data will be read up to 10K
See also: sock_write, sock_connect, sock_close, sock_info,
read from a given fd, previously created with sock_connect
Usage: sock_connect [--bind DEV] IP PORT
  returns the created fd or -1 if fails
  --bind can be used to bind to a specific device, guid, alias or
    windows name can be used
See also: sock_write, sock_read, sock_close, sock_info,
create a blocking tcp socket
Usage: jtest_zconn_resolve ip1 ip2 ...
set static resolve response for zconn_handler
Usage: jtest_cleanup_test
tests there are no open connections
Usage: jtest_set_next_port_read PORT
set the next socket that will be read - used to control internal
timings - works only in in unittests!
Usage: jtest_bio_flush IP
flush zconn according to destination ip - works only in in unittests!
Usage: jtest_zconn_write_fail IP
close zconn write handler according to destination ip - works only in in unittests!
Usage: jtest_sock_info CID STATS
  STATS: rtt:kb_sec_up:kb_sec_dn
set specific zconn sock bw info - works only in in unittests
Usage: zc_sock_info FD
print out specific zconn sock information
Usage: dev_clr_info DEV
  DEV - can be any one of cm alias, windows devid or connection table name
Example: dev_clr_info ethB1A1
reset all device level stats
Usage: dev_list
print out list of protocol recognized devices
Usage: set_wan_port DEV PORT
set wan tcp port
Usage: dev_info [--protocol] DEV
  DEV - can be any one of cm alias, windows devid
    or connection table name
  --protocol - print protocol info, device bw table and per zconn
Example: dev_info ethB1A1
print out dev bw information
Usage: pif_info cid ifname
get peer interface info - works only in unittests
Usage: zch_info cid
get zch info - works only in unittests
Usage: zconn_info cid
get zconn info - works only in unittests
Usage: protocol_disable IS_DISABLE
Disable protocol
Usage: protocol_network_change [OPTIONS]
  dev: development network
  release: release network
Change between development and release networks
Usage: internal_agent
  internal_agent set IS_ENABLE
  internal_agent get
returns the current state
enable/disable internal agent
Usage: pool_shrink [OPTIONS]
  --close [peer,br,web|all]: close connections
  --close-idle [peer,br,web|all]: close idle connections
  --ndfs-flush: flush ndfs cache (without protocol reset)
clear all in memory cache
Usage: log_collect OPTIONS (svc_live|svc_crash)
  --tgz : tar and gzip the log collect directory. file is created
          in the Hola parent dir
collect relevant files from crash or protocol error
Usage: log_flush
flush svc log to file
Usage: io_in_mem [all|db|ndfs|file] 0/1
set various system io components to work in memory
Usage: get_logged_in
returns: [ACTIVE_SID|-1] [[PID1] [SID1]] [[PID2] [SID2]] ...
get list of running ui's and there sessions
Usage: start_ui [PID]
returns 1 if ui already running
Start ui using PID to take access token from
Usage: is_ui_running
Checks if there is a ui up and running
  empty : call 'set_qa' with no options resets all settings
  -q : set qa type - performance/logic/cm/routing
  -c|--disable-cache : clear cache and dont write urls/chunks
Example: set_qa -q logic -g "ofer steve"
set_qa [OPTIONS]
Usage: reg_change
Re-read registry settings, since they have have changed.
Usage: set_patch PATH PATCH
Set patch for a given layer
Usage: patch_get PATH [OPTIONS]
  --no-stats: do not update stats before generating patch
Get patch delta
Usage: patch_init
Allocates a layer for the patch commands
Usage: set_notify_multi PATH_1 PATH_2 ... PATH_N
Notifies on leaf changes to set (non leaf not implemented)
Usage: conf_restore_default
Restore default configuration
Usage: conf_save WRITE_DELAY
  write_delay - delayed priority - integer in the range of 1(=NOW) to 4(=LOW)
Save the configuration to disk
Usage: conf_get PATH
Get value of a path
Usage: mkdir PATH
make new dir
Usage: copy PATH PATH
copy subtree to different location
Usage: print PATH
Print configuration
Usage: del PATH
Delete subtree from configuration
Usage: get PATH
Get path value
Usage: set_raw PATH SET_STR
Creates/overwrites a complete set in string format from PATH
Usage: set PATH VALUE
Set path to value
Usage: dnss_purge_db
purge dnss db
Usage: dnss_stats_reset
reset dnss statistics
Usage: wget_result
wget result get
Usage: wget_test [OPTIONS] URL
  URL - url to get
  -i, --dev DEVID - bind to device
  -a, --av-bypass - do av bypass
  -l, --limit - limit output size to given limit
  -m, --out-mem - write output to 'content' ptr in result struct
  -f, --out-file - write output to given file name
    if empty filename (''), the filename is extracted from the
    url, or 'file.txt' is used if the url has no filename
  -p, --post-len - add post data in this size
Usage: tap_fd_pass
pass tap file descriptor using SCM_RIGHTS msg works only on pipe
Usage: tap_prepare
prepare for tap initialization
Usage: cm_connected
Internet connected or not
Usage: cm_focus
Refresh devices connectivity