Symantec Endpoint Protection Technical Review Brian Pallozzi, CISSP Principal Sales Engineer Symantec Endpoint Protection.
Download
Report
Transcript Symantec Endpoint Protection Technical Review Brian Pallozzi, CISSP Principal Sales Engineer Symantec Endpoint Protection.
Symantec Endpoint Protection
Technical Review
Brian Pallozzi, CISSP
Principal Sales Engineer
Symantec Endpoint Protection
1
Agenda
1
Enterprise Security Protection Stack
2
What’s new (RU6)
3
Architectures
4
Suggestions
Symantec Endpoint Protection
2
The Changing Threat Landscape:
An Explosion of Malware
7000000
6000000
• 3 Billion attacks blocked
• 240 Million variants
• Highly targeted threats
In 2009
>15,000
signatures a day
Traditional Signatures
5000000
In 2010
4000000
25,000
3000000
detections a day
2000000
In 2000
5
In 2007
1,500
signatures a day
signatures a day
1000000
0
Symantec Endpoint Protection
3
Industry Recognition
WW Corporate Endpoint IDC 2009
Other
37%
Security Leadership
• Consumer Endpoint Security
Symantec
23%
(#1 market position1)
• Endpoint Security
(#1 market position2, Positioned in Leader’s Quadrant in
Gartner Magic Quadrant3)
• Messaging Security
Kaspersky
Cisco
Lab
4%
3%
McAfee
17%
Sophos Trend
7% Micro
9%
(#1 market position4, Positioned in Leader’s Quadrant in
Gartner Magic Quadrant leader5)
• Policy & Compliance
(#1 market position6)
• Email Archiving
(#1market position7, Positioned in Leader’s Quadrant in
Gartner Magic Quadrant8, Forrester Wave leader9)
• Data Loss Prevention
(#1 market position, Gartner Magic Quadrant10 and
Forrester Wave leader11)
• Security Management
(#1 market position12)
• Security Information & Event Management
(SIEM) (Positioned in Leader’s Quadrant in Gartner
Magic Quadrant13)
Source: IDC WW Corporate Endpoint Market 2008
4
Ingredients for Endpoint Security
Network Access
Control
TruScan
Application Control
Device Control
(Network) Intrusion
Prevention
Firewall
Antispyware
Antivirus
Symantec Endpoint
Protection 11.0
Symantec Network
Access Control 11.0
Single Agent, Single Console
Results:
Increased
Protection, Control &
Manageability
Reduced
Cost, Complexity &
Risk Exposure
Symantec
Endpoint Protection 11.0
and
Symantec Network
Access Control 11.0
Single Agent
Client User
Interface (UI)
• Client UI
focused on
ease-of-use for
end-users
• Enable users to
quickly view
settings and
navigate
7
Easy End User Troubleshooting
Antivirus
Symantec Endpoint Protection
9
Virus Definition Update Options
Enterprises can choose from several flexible update options:
Frequency
Availability
Certification Level
Quality
Delivery Options
Every 30
minutes
Fastest
Rapid Release
High
LU, VDTM/SEPM, IU
Every 8 Hours
Fast
Full
Highest
LU, VDTM/SEPM, IU
• Customers can choose how and when to deploy virus definition updates.
• Updates are hosted on thousands of servers worldwide.
• Microdef technology keeps the download to the desktop small (~ 250K/day).
• Fully certified AV content updates are available for SEP three times per day.
10
Improved Detection and Removal
• Repair engine (Eraser)
is extensible
– Improvements are
ongoing
– Not dependant on new
releases
• SEP 11
– Lower level rootkit
detection
– Admin specified
homepage restore
– Surgical cookie cleanup
ERASER
Bypass
MS API
Microsoft File System API
User Mode
Kernel Mode
Direct Volume
Scan
Mapping
Server
Windows File System
Volume Manager
Rootkit Hook Points
Client Performance Enhancements
Client Performance
• Quicker on-demand scans
due to load point caching
• Eraser performance
improvements
• On-demand Scan Tuning
“On the machines I tested, the end-user experience was pleasant. I could
easily perform other tasks and switch between applications – in fact,
even for the balanced scans…if I didn’t hear the hard disk,
I might not have known it was spinning.”
– Feedback from External Test customer
12
Testing Groups
• Virus Bulletin 100
– http://www.virusbtn.com
• AV-Test.org
– http://avtest.org
• AV Comparatives
– http://www.av-comparatives.org
• Anti Malware testing Standards Organization
– http://www.amtso.org/
1
Third Party Efficacy Tests
Third Party Reviews Validate Effectiveness
• High Detection Rates in Real Tests
• Low False Positives
Symantec Endpoint Protection
14
Proactive Technologies
Symantec Endpoint Protection
15
TruScan:
Behavioral Detection Engine
Enumerate
processes
Analyze
process behavior
Enumerate all
processes &
embedded
components
Assess behavior
& characteristics
of each
process
?
• Detects 1,000 new threats/month - not
detected by leading AV engines
• Very low (0.004%) false positive rate
Score each
process
Automatic
protection
Detection
routines are
weighted &
processes are
classified
Malicious code
is identified,
reported &
automatically
mitigated
A New Approach –
Behavioral Detection Engine
• Each Engine has two sets of detection modules:
– Pro-valid = evidence of valid application behavior
– Pro-malicious = evidence of malicious application behavior
• Each Detection Module has a weight
– The weight indicates the importance of the behavioral trait
• Each process gets 2 scores:
– Valid Score = measure of how valid the process is
– Malicious Score = measure of how malicious the process is
N
Trojan Score = S aiTi
a1
a2
a3
a4
a5
a6
T1
T2
T3
T4
T5
T6
TN
b1
b2
b3
b4
b5
b6
bM
V1
V2
V3
V4
V5
V6
VM
aN
i=1
M
Valid Score =
S bV
i=1
i i
** Caveat: It’s not as simple as this - detection Modules are cooperative
A Good Engine Will Create Separation Between
Valid Applications & Malicious Code
Valid
applications
Adjust Scores
(Sensitivity Settings)
to reduce FP’s
Malicious
Code
Device Control
• Block Devices by type (Windows Class ID)
• Supports all common ports
– USB, Infrared, Bluetooth, Serial, Parallel,
FireWire, SCSI, PCMCIA
• Can block read/write/execute from removable drives*
• Example:
– Block all USB devices except USB mouse and keyboard
Peripheral Deice Control
Application Control
Application
Behavior Analysis
Monitors behavior or
applications
Process
Execution Control
File Access
Control
Blocks unwanted
programs from running
Blocks unwanted access to
files or folders
Registry
Access Control
Controls access and
writing to registry keys
Module & DLL
Loading Control
Blocks applications from
loading modules
System Lockdown
System Lockdown Features
• Prevents unauthorized code from
running on protected system
• Malware
• Unauthorized applications
• Creates a Digital Inventory of the
system
• Checksum.exe tool builds inventory
• Create multiple inventories per
server
• Fingerprints all executables (exe,
com, dll, ocx, etc.)
• Block anything not on the list from
execution
21
Network Threat Protection
Symantec Endpoint Protection
22
Network Threat Protection Features
1010101
1010101
1010101
Back Door
Blended Threat
Buffer Overflow
Network Threat Protection Key Features
• Best-of breed rule-based firewall engine
• Inspects encrypted and cleartext network traffic
• IPS engine
• Generic Exploit Blocking (GEB)
• Packet- and stream-based IPS
• Custom IPS signatures similar to Snort™
• Autolocation switching
Known Exploits
Best-of-Breed Personal Firewall
Personal Firewall Features
DPI Firewall
• Rule-based firewall engine
• Firewall rule triggers
• Application, host, service, time
• Full TCP/IP support
• TCP, UDP, ICMP, Raw IP Protocol
• Support for Ethernet protocols
• Allow or block
• Token ring, IPX/SPX, AppleTalk,
NetBEUI
• Able to block protocol drivers
• E.g., VMware, WinPcap
• Adapter-specific rules
Deep Packet Inspection Engine employs IDP
Regular expression support
Allows custom signatures
Intrusion Prevention System
rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM buffer
overflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
HTTP
FTP
IM
Custom Sig Engine
SSH
GEB
SMTP
Signature IDS
RCP
SMTP
RCP
SSH
HTTP
FTP
IM
Intrusion Prevention Features
• Combines Generic Exploit Blocking (GEB) and SCS IDS with Sygate IDS
• Deep packet inspection
• Sygate IDS engine allows admins to create their own signatures
• Uses signature format similar to SNORT™
• Regex support
• Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques
AutoLocation Switching Enhancements
AutoLocation Triggers
Policy:
Office
• IP address (range or mask)
• DNS server
• DHCP server
Policy:
Remote
• WINS server
• Gateway address
• TMP token exists (hw token)
• DNS name resolves to IP
Corporate
LAN
• Policy Manager connected
• Network connection type
(wireless, VPN, Ethernet, dialup)
Supports and/or relationships
Remote Location
(home, coffee shop,
hotel, etc.
Network Access Control
Policy Compliance
Symantec Endpoint Protection
27
Symantec Network Access Control
Ensures endpoints are protected
and compliant prior to accessing
network resources
• Choose quarantine, remediation or federated access
– Enforce policy before access is granted
– Execute updates, programs, services, etc
– Limit connection to VLAN, etc
• Broadest enforcement options of any vendor
– Remote connectivity (IPSec, SSL VPN)
– LAN-based, DHCP, Appliance
– Standards-based, CNAC, MSNAP
28
28
Management
29
Integrated Management
Policy Driven
Architecture
Symantec Endpoint Protection Manager (SEPM)
Java Based Console
-Policy Management
-Agent Management
-Roles and Administration
-Launch Reports
-View Alerts
SQL Data Store
-Policies
-Events& Logs
-Security Content
-Reporting Data
-State Information
-Updates and Patches
HTTPS
HTTP/S
Servers
Desktops
Laptops
Symantec Endpoint Clients
31
Replication & High Availability Architecture
Failover between Management Servers & Data Stores
Clustered
Databases
Endpoint
Policy
Datastore
Clustered
Databases
Datastore
Replication
SEPM
SEPM
SEPM
SEPM
SEPM
SEPM
32
Management Server Hierarchy
Data Replication
Group Update Provider
• Site-to-site data replication
for scalability & availability
• Small, simple lowmaintenance manager for
small offices
• Customizable filters control
what data is replicated
between sites
SEPM and Datastore
Regional
Site
• Only deltas replicated
across WAN links
SEPMs and Datastore
Main Site
Group Update
Provider
Small
Regional
Office
33
Advanced Grouping Management
• Database
Database
• Domains
• Groups
Domains
• Locations
• Clients
Company
1
Office
Temporary
Wireless
Europe
Headquarters
QA Lab
Locations
Office
Engineering
Sales
Accounting
Company
2
Company
3
3rd Party Integration
• LDAP
• Active Directory
• Syslog
• RSA
Basic Reporting and Alerting
• Scheduled Email
Reports
• 52 Default
Reports
• Monitors
• Customizable
Dashboard
• Notifications
New in Release Update 6
Macintosh Antivirus
Management
Scan
Randomization
Telemetry Support
Web Based SEPM
Console
Symantec
Protection Center
Symantec Endpoint
Recovery Tool
Symantec Protection Suite
37
New in RU6
Macintosh Management from SEPM Console
• Client package and group
• Policies
– Antivirus and Antispyware policy
– Centralized Exceptions policy
– LiveUpdate policy
• Run commands
– Enable Auto-Protect
– Restart Client Computers
– Scan
– Update Content
– Update Content and Scan
Symantec Protection Suite
38
New in RU6
Symantec Endpoint Protection for Macintosh
• Macintosh Antivirus client managed by Windows SEPM
• Support Mac OS X 10.4, 10.5, 10.6
• Support migrating from Symantec Antivirus for Macintosh 10.x
• Support G3, G4, G5, and Intel processors
Symantec Protection Suite
39
New in RU6
Scan Randomization
• Allow administrator to select a
window over time that a
scheduled scan will kick off
– Daily – up to 23 hours
– Weekly – up to 167 hours
– Monthly – up to 671 Hours
• Improve support for virtual
environment
• Available on Windows client
only.
Symantec Protection Suite
40
New in RU6
Data Collection - Telemetry
• Collect and send anonymous data
to Symantec for following
purposes
– To improve our product in the future.
– To improve customer support
• Able to Opt Out
• Following data are collected
– SEP / SNAC Enabled
– SEP / OS Version
– Database Stats
– Free Disk Space, CPU and Available Memory
– Major Errors
– Numbers Collected:
• Groups, Domains, Hosts, Admin Accounts,
Servers/Site, Clients from AD, Alerts, Replication
Errors, Revisions Kept, Policies, Computers per
Revision, Enforcers, GUPs, Percent of Computers
up to date
Symantec Protection Suite
41
New in RU6
Web-based SEPM Console
• Does not require Java Runtime on the remote client side
• Easy to access using Web browser
• Support Internet Explorer 7 & 8
Symantec Protection Suite
42
New in RU6
Web-based Portal
• Manage multiple Symantec
products through a Single
Console.
– Symantec Endpoint Protection
– Symantec Web Gateway
– Symantec Data Loss Prevention
– Symantec Critical System Protection
– Symantec IT Analytics
– Symantec Brightmail Gateway
• Support Internet Explorer 7 & 8
Symantec Protection Suite
43
New in RU6
Symantec Endpoint Recovery Tool (SERT)
• Windows PE 2.1 based bootable
CD
– Features:
• Symantec Endpoint Encryption Support
• Launch Command Prompt prior to Scanner
– Allows use of third party disk access apps
(BitLocker, etc.)
• Use definitions from local media (USB,
local disk, etc.) rather than downloading
from Internet – can also be used to scan
with rapid release definitions
• Download definitions from Internet
• No PIN code requirement (Norton
Bootable Recovery Tool requires PIN)
• Available through FileConnect
Symantec Protection Suite
44
Advanced Reporting – Business Intelligence
Symantec Endpoint Protection Alert – Standard Cube
IT Analytics
Traditional
Reporting
SEP
Database
SEP Database
SQL 2005
Reporting Services
Analysis Services
• Flexible
Multiplead-hoc/custom
report requestsreporting
can hinder server
performance
• Drill-down capabilities
• Large databases or complicated queries
may take a long time to run
• Multi-dimensional analysis
• Canned reports offer limited options for
• Improved
server
customization
or performance
data analysis
baydynamics
• Seamlessly export to Excel & PDF
RobustGraphical
Graphical
Robust
Dashboards
Dashboards
Multi-Dimensional Adhoc/Pivot Table
Reporting
Pivot Chart
Functionality with
Excel Export
4
Symantec Protection Center
Intelligent Management Integration
Endpoint
Protection
Network
Access Control
Data Loss
Prevention
Server
Protection
Symantec
Protection Center
VISIBILITY - Pinpoint relevant security threats promptly
RESPONSE - Accelerate time to protection
Messaging
Security
Web
Security
EFFICIENCY - Increase productivity of security operations
Reporting Analytics
46
New in RU6
Power Eraser
• Designed to complement mainline antivirus applications by detecting and remediating
specific types of threats:
• New variants of existing threats for which there is no coverage by the current
definition sets
• Fake antivirus applications, and other Rogue-ware
• Rootkits
• System settings that have been tampered with maliciously
• Because Symantec Power Eraser uses aggressive methods to detect these threats,
there is a risk that it can select some legitimate programs for removal. Use standard
antivirus applications and troubleshooting techniques first; if they do not remove all
of the threats, use Symantec Power Eraser.
• Available from the “Help and Support” button on the client.
Symantec Protection Suite
47
New in RU6
Power Eraser
• Part of the Symantec Endpoint Protection Support Tool
• Aggressive scanning
• Support Tool then finishes scanning
Symantec Protection Suite
48
New in RU6
Support Tool
Symantec Protection Suite
49
Designing and Sizing the correct SEP
Architecture
Symantec Endpoint Protection
50
SEP Design Considerations
•
What Technologies will be deployed
•
Do you want different security polices when users are in different locations
•
Will desktops/servers/laptops/users/depts have different policies
•
How many geographic locations are there in the company
•
How often does the customer want to provide content updates
•
Do you want to automatically deploy SEP patches
•
Which method of distribution does the customer want to use
•
Do you need a High Available Management Infrastructure
•
How long does the customer need to retain logs
•
What is the frequency of requests for data older then one week, one month, and one year
•
What metrics need to be gathered frequently
•
Who needs access to the Data and what is their location
•
Are there multiple administrative groups in the organization (ie IT, Sec, Desktop, Server)
•
Is there need to tie in to an existing 3rd party tool or authentication scheme
SEP Decisions
• Number of Management Servers:
• Management Servers locations:
• What Database(s) will be used:
• Number of Databases:
• Classification Methodology:
• Where log information will reside:
• Old Management Server Upgrade Path:
• What Technologies will be Deployed and configured:
Deployment Architectures
Single Site
Log Replication
Distributed Site
High Availability
Client/Server Communication
Recommendations
• Keep a SEP DB close to Each SEP Manager
• Pull Mode
– Client to Server Ratio Maximum: None
– Lowest heartbeat configuration: (# clients /1000) minute
• Push Mode
– Client to Server Ratio Maximum: 50,000
– 1000 client connections per minute
• Optimize I/O Channels
• Managers should have good/fast connectivity to DB
Recommendations
• Symantec Endpoint Protection Manager Recommendations for
environments under 10,000 clients
– 2GB RAM Minimum Requirement
– Single Processor
• Symantec Endpoint Protection Manager Recommendations for
environments over 10,000 clients
– 4GB RAM Minimum Requirement
– Dual Processor recommended
Heartbeat Sizing
Presentation Identifier Goes Here
57
Settings that Effect DB Sizing
Virus Event Storage Costs
Number of Viruses
in DB
Approximate Space
1,000
0.8 MB
5,000
4.3 MB
15,000
12.9 MB
25,000
21.6 MB
50,000
43.2 MB
Backups
The Number of backups kept impact
the total disk space needed on the
SEPM server.
Size is Approx 75% of DB size
multiplied by the number of copies
being kept.
Ex. 1GB db * 0.75 * 3 Copies =
2.3 GB of Disk Space needed on
SEPS1
Example: Total Disk Space Needed
• In 60 Days you have on average 15,000 Viruses
• You plan on Keeping 20,000 Events of each Log
• You Plan on Keeping 5 Versions of SEP both 64 bit,
32 Bit, English, and French
• 7 Backups are being kept
Item
Space
15,000 Viruses
12.9 MB
20,000 Events per Log
722 MB
20 Versions in DB
1.24 GB
Content Updates
300 MB
= Approx 2.27 GB
Multiply by 1.4 to add the overhead of
indexes and other tables
3.2 GB Needed for DB
16.8 GB Needed for Backups on SEPM
Server
4 GB of Disk Space on SEPM for IIS
Content
Best Practices
Recommended Client Protection Policies
Symantec Endpoint Protection
62
Malware Protection
Antivirus/Antispyware Policy
Symantec always recommends running SEP
with Auto‐Protect enabled and routine
scheduled scans enabled.
It is typically recommended to start your
deployment with a full weekly scan.
If you notice that there are not many
infections being discovered via the on‐demand
scan, it is recommended to decrease the
frequency and depth of the scan.
In environments with low infection rates, it is
not uncommon to find monthly full scan or
weekly quick scans being performed.
64
Antivirus/Antispyware Policy Cont:
Symantec provides 3 Antivirus and
Antispyware policies out of box. Symantec
recommends the default antivirus policy on
most machines.
On machines that are slow, have high
resource utilization, or on machines where
users typically complain of performance,
Symantec recommends applying the High
Performance policy.
For machines that are mission critical and
for machines/users that have a high
infection rate (Bad Internet Hygiene),
Symantec recommends applying the High
Security Antivirus Policy.
65
Antivirus/Antispyware Policy Cont:
It is suggested to enable the Delay Scheduled
Scans if running on Batteries. Enabling this
feature will typically increase end user
satisfaction with the product. Running a full
scan while running on batteries depletes the
power quicker.
To further increase end user acceptance of the
product, more companies provide the end user
the right to stop scans.
It is recommended to keep the defaults on
Internet Email Scanning, TruScan*,
Quarantine*, and Submissions.
Symantec only recommends installing
Outlook/Lotus plug‐ins when Antivirus is
absent on the Mail Server.
66
Antivirus/Antispyware Policy Cont:
Symantec updates definitions three times a
day, each day that goes by without a
definition update means less protection.
On average, Symantec adds over 20K
signatures a day. It is recommended to
display a notification to end users if
definitions are out dated.
If users have the ability to initiate LiveUpdate,
then Symantec recommends lowering the
number of days before sending a notification
to 5 days when content is out of date.
It is also recommended to set the Internet
Browser Protection recovery home page to
your companies’ website. Most companies
redirect to an internal web page with the
security policies and escalation procedures.
67
Antivirus/Antispyware Policy Cont:
*TruScan default settings depend upon
the manager version.
Set sensitivity high
Log initially until exceptions have been
addressed, then terminate
Set frequency to Scan new processes
immediately.
68
Antivirus/Antispyware Policy Cont:
*Quarantine
When is the last time you got anything out
of the quarantine?
Do nothing for performance
If Clean/Delete actions are too
drastic due to possible false positive
considerations, consider
Clean/Quarantine with a short
retention.
Consider the benefits of
performance vs. usefulness of Risk
Tracer.
69
Network Protection
Symantec Endpoint Protection
70
Firewalls and IPS
Reactive
Signature based scanning is not enough alone
Heuristics is not enough alone
Behavior technology is not enough alone
Proactive
Prevent unsolicited traffic from being accepted
Prevent accepted traffic from containing threats
Workstations vs. Servers
71
Firewall Policy
There are 4 traditional configurations that individuals may consider when deploying a client
firewall. Each configuration provides a different level of protection and changes the likelihood of
encountering false positives and preventing legitimate applications from working.
72
Firewall Policy
Firewall Disabled: Disabling the firewall minimizes the potential for making a mistake with the
configuration that can cause legitimate applications to cease working. Since every network
environment is unique, some customers find it easier to keep this technology disabled until
there is a need.
In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention provides
additional protection with minimal configuration and false positives.
Block Known Trojan Ports: Choosing to allow all network traffic with the exception to ports
commonly associated with known Trojans will provide an additional level of Security while
minimizing the risk of creating a policy that might block a legitimate application. Although this
might provide some protection, the Intrusion Prevention Engine already provides signatures to
detect and block most of these exploits.
In this configuration, Administrators can choose to block specific applications without the need of
knowing what is installed in the environment.
73
Firewall Policy
Block all Inbound Connections: Configuring the firewall to block all inbound connections greatly
reduces the risk of an attacker gaining access to a client’s resources or data. Most applications
that get installed on the box will still be allowed to initiate communications which will minimize
some of the configuration settings that would need to be configured.
This configuration will not stop all malicious pieces of code from getting installed on the box nor will it
prevent the malicious code from communicating important pieces of data to a hacker. This configuration
will also block some legitimate corporate applications like management utilities that expect to receive
connections from a management server. It is highly recommended to test this configuration thoroughly
prior to deploying the configuration.
Some companies have found it easier to deploy this configuration that blocks all inbound connections
except from the Servers installed in the organization. This has minimized the number of changes that need
to be made as new applications are installed and it has minimized the number of exceptions needed to the
policy.
Explicit Deny: In this configuration, the firewall is configured to block all communications except
for those settings that you choose to accept. This is the most secure approach to creating firewall
policies. This means that any new code introduced to the environment (good or bad) will not be
allowed to communicate until an administrator approves it. Although this provides the most
secure architecture, constant changes are usually needed to accommodate application changes.
74
Firewall Policy
Symantec recommends to start deployment with the firewall disabled and Intrusion Prevention
(IPS) enabled. Administrators can then increase the protection on the Client by deploying the
firewall over time.
Extensive testing should be conducted prior to deploying the firewall policy.
It is also beneficial to consider disabling the firewall when on the corporate network and
hardening the firewall when users disconnect from the corporate network.
This is normally done through the Location Awareness feature. Care should be taken when defining network segments.
Symantec recommends using multiple network identifiers when creating the policy.
Symantec also recommends the use of Peer to Peer Enforcement between Clients. Peer to Peer
enforcement forces a client to block all connections from a remote machine until the machine
has proven that it is in compliance to corporate policy.
75
Intrusion Prevention Policy
Symantec recommends always running IPS on client machines. Symantec makes no
recommendations on changing the default settings for IPS.
If Administrators or individuals within the organization are running security tools and
assessment tools, Symantec does recommend excluding those machines from the IPS detection
as it may yield false positives.
Note: Symantec does not recommend running the IPS on a Server OS without fully testing.
76
Proactive Threat Protection
Symantec Endpoint Protection
77
Application and Device Control Policy
Application Control and Device Control are advanced features that can be used to further enhance
malware protection for your business. Extreme caution should be used in creating application and
device control policies as these advanced technologies may cause legitimate applications to cease
operating.
Symantec recommends using Application Control and Device Control Settings only after testing the
impact of the policy in your environment. Application Control and Device control allows
Administrators the ability to restrict the behavior of applications and users in the environment.
Since this is a diverse technology, the opportunities are endless as to what can be done.
78
Application and Device Control Policy
Allow Only Read to the following Keys to prevent tampering or changing of IE Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
79
Application and Device Control Policy
Consider
Disallowing execute autorun
Disallowing execute from USB
80
Application and Device Control Policy Cont:
Allow only read to the following Registry Keys that allow applications to start automatically:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: Symantec does not recommend running the Application Control on a Server OS without fully Testing Live
81
LiveUpdate
LiveUpdate Policy
Symantec recommends to configure multiple methods for updating content on clients that are
mobile. This will allow those systems that are not connected to the corporate network to
receive content updates when not connected to the management server.
The most typical recommendation is for customers to create two polices. One that defines
clients update from the management server while connected to the network and another policy
that defines updating through LiveUpdate directly from Symantec when the client machine is
not connected to the corporate network.
83
Location Awareness
*Symantec typically recommends that administrators
create two locations (Default/Internal and External)
when using these two LiveUpdate policies.
A default location is provided with each created group.
The default location ‘LiveUpdate” policy should have
the Clients contact the SEP Manager (SEPM) for their
content updates.
The external location LiveUpdate policy should have
Client conduct LiveUpdate calls directly to Symantec’s
LiveUpdate site to retrieve content updates.
*Weigh the risks, resource usage and benefits of single vs.
multiple locations. Weigh across all policy types.
84
External LiveUpdate Policy
It is recommended to set the “External” LiveUpdate policy retrieval schedule for every 4 hours.
Remember Symantec releases certified LiveUpdate content 3 times daily. This will ensure that the
client systems stay up to date with the latest security content updates.
85
External LiveUpdate Policy Cont:
It is also recommended to configure the Advanced Settings to “Allow the user to manually launch
LiveUpdate”.
86
External Location Configuration Cont:
Specify the conditions for this location trigger. In this case the ability to connect to the
management server was a condition that was used.
Symantec recommends that more then one condition be specified when configuring a location.
87
LiveUpdate Content
For the smallest possible size of your
microdefs, increase the number of
downloads to retain.
You sacrifice only disk space store them
and CPU cycles to build them.
88
Exceptions
Centralized Exceptions Policy
• The recommendation for exceptions is to add exceptions as needed. SEP automatically makes
exceptions for certain applications, but it is best to add additional exceptions for Databases,
Transactional Logs, VMWare Images, and other items that high transactional volume. It is also
recommended to not allow employees the ability to add exceptions unless needed. For additional
information on default exceptions and information on how to add exceptions, please reference
the Symantec Online Knowledge Base.
90
Thank you!
Brian Pallozzi, [email protected]
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Symantec Protection Suite
91