Symantec Endpoint Protection Technical Review
Brian Pallozzi, CISSP, Principal Sales Engineer, Symantec Endpoint Protection
Agenda
1 Enterprise Security Protection Stack
2 What's new (RU6)
3 Architectures
4 Suggestions

The Changing Threat Landscape: An Explosion of Malware
[Chart: growth of traditional signatures, 2000 to 2010; y-axis 0 to 7,000,000]
• In 2000: 5 signatures a day
• In 2007: 1,500 signatures a day
• In 2009: >15,000 signatures a day
• In 2010: 25,000 detections a day
• 3 Billion attacks blocked
• 240 Million variants
• Highly targeted threats

Industry Recognition
[Chart: IDC 2009 WW Corporate Endpoint Security market share: Symantec 23%, McAfee 17%, Trend Micro 9%, Sophos 7%, Kaspersky Lab 4%, Cisco 3%, Other 37%. Source: IDC WW Corporate Endpoint Market 2008]
Security Leadership
• Consumer Endpoint Security (#1 market position [1])
• Endpoint Security (#1 market position [2], Positioned in Leader's Quadrant in Gartner Magic Quadrant [3])
• Messaging Security (#1 market position [4], Positioned in Leader's Quadrant in Gartner Magic Quadrant [5])
• Policy & Compliance (#1 market position [6])
• Email Archiving (#1 market position [7], Positioned in Leader's Quadrant in Gartner Magic Quadrant [8], Forrester Wave leader [9])
• Data Loss Prevention (#1 market position, Gartner Magic Quadrant [10] and Forrester Wave leader [11])
• Security Management (#1 market position [12])
• Security Information & Event Management (SIEM) (Positioned in Leader's Quadrant in Gartner Magic Quadrant [13])

Ingredients for Endpoint Security
Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0: Single Agent, Single Console
Protection stack (top to bottom):
• Network Access Control
• TruScan
• Application Control
• Device Control
• (Network) Intrusion Prevention
• Firewall
• Antispyware
• Antivirus
Results: Increased Protection, Control & Manageability; Reduced Cost, Complexity & Risk Exposure

Single Agent Client User Interface (UI)
• Client UI focused on ease-of-use for end-users
• Enable users to quickly view settings and navigate

Easy End User Troubleshooting

Antivirus

Virus Definition Update Options
Enterprises can choose from several flexible update options:

Frequency         Availability   Certification Level   Quality   Delivery Options
Every 30 minutes  Fastest        Rapid Release         High      LU, VDTM/SEPM, IU
Every 8 Hours     Fast           Full                  Highest   LU, VDTM/SEPM, IU

• Customers can choose how and when to deploy virus definition updates.
• Updates are hosted on thousands of servers worldwide.
• Microdef technology keeps the download to the desktop small (~250K/day).
• Fully certified AV content updates are available for SEP three times per day.

Improved Detection and Removal
• Repair engine (Eraser) is extensible
– Improvements are ongoing
– Not dependent on new releases
• SEP 11
– Lower level rootkit detection
– Admin specified homepage restore
– Surgical cookie cleanup
[Diagram: Eraser bypasses the Microsoft File System API in user mode and performs a direct volume scan in kernel mode, mapping the Windows file system and volume manager underneath the rootkit hook points]

Client Performance Enhancements
• Quicker on-demand scans due to load point caching
• Eraser performance improvements
• On-demand Scan Tuning
"On the machines I tested, the end-user experience was pleasant.
I could easily perform other tasks and switch between applications – in fact, even for the balanced scans…if I didn't hear the hard disk, I might not have known it was spinning." – Feedback from External Test customer

Testing Groups
• Virus Bulletin 100 – http://www.virusbtn.com
• AV-Test.org – http://avtest.org
• AV Comparatives – http://www.av-comparatives.org
• Anti Malware testing Standards Organization – http://www.amtso.org/

Third Party Efficacy Tests
Third Party Reviews Validate Effectiveness
• High Detection Rates in Real Tests
• Low False Positives

Proactive Technologies

TruScan: Behavioral Detection Engine
1. Enumerate processes: enumerate all processes & embedded components
2. Analyze process behavior: assess behavior & characteristics of each process
3. Score each process: detection routines are weighted & processes are classified
4. Automatic protection: malicious code is identified, reported & automatically mitigated
• Detects 1,000 new threats/month - not detected by leading AV engines
• Very low (0.004%) false positive rate

A New Approach – Behavioral Detection Engine
• Each Engine has two sets of detection modules:
– Pro-valid = evidence of valid application behavior
– Pro-malicious = evidence of malicious application behavior
• Each Detection Module has a weight
– The weight indicates the importance of the behavioral trait
• Each process gets 2 scores:
– Valid Score = measure of how valid the process is
– Malicious Score = measure of how malicious the process is

With pro-malicious traits $T_1 \ldots T_N$ weighted $a_1 \ldots a_N$ and pro-valid traits $V_1 \ldots V_M$ weighted $b_1 \ldots b_M$:

$$\text{Trojan Score} = \sum_{i=1}^{N} a_i T_i, \qquad \text{Valid Score} = \sum_{i=1}^{M} b_i V_i$$

** Caveat: It's not as simple as this - detection Modules are cooperative

A Good Engine Will Create Separation Between Valid Applications & Malicious Code
[Chart: score distributions of valid applications and malicious code; adjust scores (sensitivity settings) to reduce FP's]

Device Control
• Block Devices by type (Windows Class ID)
• Supports all common ports – USB, Infrared, Bluetooth, Serial, Parallel, FireWire, SCSI, PCMCIA
• Can block read/write/execute from removable drives*
• Example:
– Block all USB devices except USB mouse and keyboard
[Diagram: Peripheral Device Control]

Application Control
• Application Behavior Analysis – monitors behavior of applications
• Process Execution Control – blocks unwanted programs from running
• File Access Control – blocks unwanted access to files or folders
• Registry Access Control – controls access and writing to registry keys
• Module & DLL Loading Control – blocks applications from loading modules

System Lockdown
System Lockdown Features
• Prevents unauthorized code from running on protected system
– Malware
– Unauthorized applications
• Creates a Digital Inventory of the system
– Checksum.exe tool builds inventory
– Create multiple inventories per server
– Fingerprints all executables (exe, com, dll, ocx, etc.)
• Block anything not on the list from execution

Network Threat Protection

Network Threat Protection Features
[Diagram: threats addressed – Back Door, Blended Threat, Buffer Overflow, Known Exploits]
Network Threat Protection Key Features
• Best-of-breed rule-based firewall engine
• Inspects encrypted and cleartext network traffic
• IPS engine
– Generic Exploit Blocking (GEB)
– Packet- and stream-based IPS
– Custom IPS signatures similar to Snort™
• Autolocation switching

Best-of-Breed Personal Firewall
Personal Firewall Features
• Rule-based firewall engine
• Firewall rule triggers
– Application, host, service, time
• Full TCP/IP support
– TCP, UDP, ICMP, Raw IP Protocol
• Support for Ethernet protocols
– Allow or block Token Ring, IPX/SPX, AppleTalk, NetBEUI
• Able to block protocol drivers
– E.g., VMware, WinPcap
• Adapter-specific rules
DPI Firewall: the Deep Packet Inspection Engine employs IDP, with regular expression support and custom signatures

Intrusion Prevention System
Example custom signature:
rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM buffer overflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
[Diagram: Custom Sig Engine, GEB and Signature IDS feeding the HTTP, FTP, IM, SSH, SMTP and RPC protocol decoders]

Intrusion Prevention Features
• Combines Generic Exploit Blocking (GEB) and SCS IDS with Sygate IDS
• Deep packet inspection
• Sygate IDS engine allows admins to create their own signatures
– Uses signature format similar to SNORT™
– Regex support
• Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques

AutoLocation Switching Enhancements
AutoLocation Triggers
• IP address (range or mask)
• DNS server
• DHCP server
• WINS server
• Gateway address
• TPM token exists (hw token)
• DNS name resolves to IP
• Policy Manager connected
• Network connection type (wireless, VPN, Ethernet, dialup)
Supports and/or relationships
[Diagram: Corporate LAN applies Policy: Office; Remote Location (home, coffee shop, hotel, etc.) applies Policy: Remote]

Network Access Control / Policy Compliance

Symantec Network Access Control
Ensures endpoints are protected and compliant prior to accessing network resources
• Choose quarantine, remediation or federated access
– Enforce policy before access is granted
– Execute updates, programs, services, etc
– Limit connection to VLAN, etc
• Broadest enforcement options of any vendor
– Remote connectivity (IPSec, SSL VPN)
– LAN-based, DHCP, Appliance
– Standards-based, CNAC, MSNAP

Management

Integrated Management: Policy Driven Architecture
Symantec Endpoint Protection Manager (SEPM), Java Based Console:
- Policy Management
- Agent Management
- Roles and Administration
- Launch Reports
- View Alerts
SQL Data Store:
- Policies
- Events & Logs
- Security Content
- Reporting Data
- State Information
- Updates and Patches
[Diagram: the SEPM console talks to the SQL Data Store and, over HTTP/S, to Symantec Endpoint Clients on servers, desktops and laptops]

Replication & High Availability Architecture
• Failover between Management Servers & Data Stores
[Diagram: several SEPMs in front of clustered databases, with endpoint policy datastore replication between the clusters]
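Returning to the TruScan scoring slides above (Trojan Score = Σ a_i T_i, Valid Score = Σ b_i V_i), the following is an added worked example, not code from the deck or from Symantec. The detection modules, their weights, the sensitivity-to-margin mapping and the three sets of observed traits are all constructed for illustration; the real engine's modules are cooperative rather than independent, as the slide's caveat notes.

```python
from dataclasses import dataclass

# Each detection module carries a weight: a_i for a pro-malicious trait T_i,
# b_i for a pro-valid trait V_i. Names and weights are constructed for this
# example; they are not TruScan's real modules.
@dataclass(frozen=True)
class DetectionModule:
    trait: str
    weight: float

PRO_MALICIOUS = (
    DetectionModule("injects_code_into_other_process", 4.0),
    DetectionModule("hooks_keyboard", 3.0),
    DetectionModule("disables_security_software", 5.0),
    DetectionModule("adds_run_key_autostart", 2.0),
    DetectionModule("hides_own_files", 3.0),
)
PRO_VALID = (
    DetectionModule("digitally_signed", 4.0),
    DetectionModule("has_visible_window", 2.0),
    DetectionModule("installed_via_msi", 2.0),
    DetectionModule("listed_in_add_remove_programs", 2.0),
)

# Widest malicious-minus-valid margin the sensitivity slider can demand;
# sensitivity 1.0 demands no margin at all (assumed mapping).
MAX_MARGIN = 6.0


def score_process(traits: set) -> tuple:
    """Return (Trojan Score, Valid Score) for the observed traits.

    T_i / V_i is 1 when the trait was observed and 0 otherwise, so each score
    is the sum of the weights of the modules that fired.
    """
    trojan = sum(m.weight for m in PRO_MALICIOUS if m.trait in traits)
    valid = sum(m.weight for m in PRO_VALID if m.trait in traits)
    return trojan, valid


def classify(traits: set, sensitivity: float = 0.5) -> str:
    """Classify by the separation between the two scores.

    Lower sensitivity demands a wider margin, trading missed detections for
    fewer false positives; raising it is the "adjust scores" step on the slide.
    """
    if not 0.0 <= sensitivity <= 1.0:
        raise ValueError("sensitivity must be between 0 and 1")
    trojan, valid = score_process(traits)
    margin = MAX_MARGIN * (1.0 - sensitivity)
    return "malicious" if trojan - valid >= margin else "valid"


# Constructed trait observations for three processes.
KEYLOGGER_TRAITS = {"hooks_keyboard", "injects_code_into_other_process",
                    "adds_run_key_autostart", "hides_own_files"}
INSTALLER_TRAITS = {"digitally_signed", "has_visible_window",
                    "installed_via_msi", "adds_run_key_autostart"}
REMOTE_ADMIN_TOOL_TRAITS = {"hooks_keyboard", "injects_code_into_other_process",
                            "digitally_signed", "has_visible_window"}

if __name__ == "__main__":
    for name, traits in [("keylogger", KEYLOGGER_TRAITS),
                         ("signed installer", INSTALLER_TRAITS),
                         ("remote admin tool", REMOTE_ADMIN_TOOL_TRAITS)]:
        trojan, valid = score_process(traits)
        print(f"{name:18} trojan={trojan:4.1f} valid={valid:4.1f} "
              f"default={classify(traits)} high={classify(traits, 1.0)}")
```

The remote admin tool is the interesting case: it scores 7 malicious against 6 valid, so it is called valid at the default sensitivity and malicious at the highest setting. That gap is exactly what the "log first, add exceptions, then terminate" advice in the best-practices section is for.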
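The System Lockdown slide above describes a digital inventory of executable fingerprints and a block-everything-else decision. The following is an added example of that mechanism, not Symantec's Checksum.exe or any SEP code: it uses SHA-256 (the slide does not state which digest Checksum.exe uses), adds .scr and .sys to the slide's exe/com/dll/ocx list as an assumption, and runs against constructed files in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Executable types to fingerprint. The slide lists exe, com, dll and ocx;
# .scr and .sys are added here as an assumption.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".ocx", ".scr", ".sys"}


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents (digest choice is this example's, not Checksum.exe's)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(root: Path) -> dict:
    """Digital inventory: relative path -> fingerprint for every executable under root."""
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            inventory[path.relative_to(root).as_posix()] = fingerprint(path)
    return inventory


def execution_allowed(path: Path, inventory: dict) -> bool:
    """Lockdown decision: run only if the file's fingerprint is in the inventory.

    Matching on the digest rather than the path means a renamed copy of an
    approved binary still runs, while a modified or newly dropped one does not.
    """
    return path.is_file() and fingerprint(path) in set(inventory.values())


def run_demo() -> dict:
    """Inventory a constructed system, change it, and re-check each executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ constructed approved application")
        (root / "lib").mkdir()
        (root / "lib" / "helper.dll").write_bytes(b"MZ constructed approved library")
        (root / "notes.txt").write_bytes(b"not an executable, never inventoried")
        inventory = build_inventory(root)

        # Changes after the inventory was taken: a renamed copy of an approved
        # binary, a patched binary, and a newly dropped one.
        (root / "app_copy.exe").write_bytes(b"MZ constructed approved application")
        (root / "app.exe").write_bytes(b"MZ constructed approved application PATCHED")
        (root / "dropper.exe").write_bytes(b"MZ constructed unknown binary")

        return {
            "inventoried": sorted(inventory),
            "lib/helper.dll": execution_allowed(root / "lib" / "helper.dll", inventory),
            "app_copy.exe": execution_allowed(root / "app_copy.exe", inventory),
            "app.exe": execution_allowed(root / "app.exe", inventory),
            "dropper.exe": execution_allowed(root / "dropper.exe", inventory),
        }


if __name__ == "__main__":
    for item, verdict in run_demo().items():
        print(f"{item}: {verdict}")
```

The slide's "create multiple inventories per server" maps onto calling build_inventory once per baseline image and merging the dictionaries; a patch cycle then means taking a new inventory, which is the operational cost of this approach.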
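To make the custom IPS signature format on the Intrusion Prevention System slide concrete, the following is an added example of a parser and matcher for that one rule; it is not Sygate/SEP engine code. The option syntax is read as key, optional & or = value, optional (offset,depth) suffix; the \x escape decoding and the Snort-style reading of (0,8) as "search the 8 bytes starting at offset 0" are this example's assumptions, as are the constructed packets and the $LOCALHOST variable binding.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The custom signature shown on the slide, kept verbatim as the text to parse.
RULE_TEXT = (r'rule tcp, tcp_flag&ack, daddr=$LOCALHOST, '
             r'msg="[182.1] RPC DCOM buffer overflow attempt detected", '
             r'content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)')


@dataclass
class Rule:
    proto: str
    flags: set = field(default_factory=set)  # TCP flags that must all be set
    daddr: Optional[str] = None              # literal address or a $VARIABLE
    msg: str = ""
    content: bytes = b""
    offset: int = 0
    depth: Optional[int] = None              # None: search the whole payload


@dataclass(frozen=True)
class Packet:
    proto: str
    saddr: str
    daddr: str
    flags: frozenset
    payload: bytes


# One option per match: key, optional "&"/"=" value, optional "(offset,depth)".
_OPTION = re.compile(r'([a-z_]+)(?:([&=])("[^"]*"|[^,()\s]+))?(?:\((\d+),(\d+)\))?')


def _unescape(quoted: str) -> bytes:
    """Decode a quoted "\x05\x00..." content string into raw bytes (assumed syntax)."""
    text = quoted[1:-1]
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), text).encode('latin-1')


def parse_rule(text: str) -> Rule:
    head, _, options = text.partition(',')
    rule = Rule(proto=head.split()[1])
    for key, op, value, offset, depth in _OPTION.findall(options):
        if key == 'tcp_flag' and op == '&':
            rule.flags.add(value)
        elif key == 'daddr':
            rule.daddr = value
        elif key == 'msg':
            rule.msg = value.strip('"')
        elif key == 'content':
            rule.content = _unescape(value)
            rule.offset = int(offset) if offset else 0
            rule.depth = int(depth) if depth else None
    return rule


def matches(rule: Rule, pkt: Packet, variables: dict) -> bool:
    """Protocol, required flags and destination must agree; then the content
    must appear inside the window payload[offset:offset+depth]."""
    if pkt.proto != rule.proto or not rule.flags <= pkt.flags:
        return False
    if rule.daddr is not None and variables.get(rule.daddr, rule.daddr) != pkt.daddr:
        return False
    end = None if rule.depth is None else rule.offset + rule.depth
    return rule.content in pkt.payload[rule.offset:end]


def evaluate(rules, packets, variables) -> list:
    """Return the msg of every rule that fires, in packet order."""
    return [r.msg for p in packets for r in rules if matches(r, p, variables)]


# Constructed traffic toward a client at LOCAL_IP. RPC_HEADER is the 8-byte
# pattern the rule looks for, padded with zeros to stand in for a PDU body.
LOCAL_IP = "10.0.0.5"
VARIABLES = {"$LOCALHOST": LOCAL_IP}
RPC_HEADER = bytes.fromhex("0500000310000000")
ACK_PSH = frozenset({"ack", "psh"})
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", LOCAL_IP, ACK_PSH, RPC_HEADER + b"\x00" * 24),  # fires
    Packet("tcp", "198.51.100.7", LOCAL_IP, ACK_PSH, b"GET / HTTP/1.1\r\n\r\n"),  # other payload
    Packet("tcp", LOCAL_IP, "198.51.100.7", ACK_PSH, RPC_HEADER + b"\x00" * 24),  # outbound: daddr is not $LOCALHOST
    Packet("tcp", "198.51.100.7", LOCAL_IP, ACK_PSH, b"\x00" * 4 + RPC_HEADER),   # pattern outside the (0,8) window
    Packet("udp", "198.51.100.7", LOCAL_IP, frozenset(), RPC_HEADER),             # wrong protocol
]

if __name__ == "__main__":
    for alert in evaluate([parse_rule(RULE_TEXT)], SAMPLE_PACKETS, VARIABLES):
        print("ALERT:", alert)
```

Only the first packet fires. The fourth shows why offset and depth matter for both accuracy and cost: the same bytes later in the payload are outside the inspected window, which is what keeps the signature anchored to the protocol header instead of matching any eight bytes anywhere in the stream.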
Management Server Hierarchy
• Site-to-site data replication for scalability & availability
• Customizable filters control what data is replicated between sites
• Only deltas replicated across WAN links
• Group Update Provider: small, simple, low-maintenance manager for small offices
[Diagram: SEPMs and Datastore at the Main Site replicate to a SEPM and Datastore at a Regional Site; a Group Update Provider serves a Small Regional Office]

Advanced Grouping Management
• Database
• Domains
• Groups
• Locations
• Clients
[Diagram: a Database holds Domains (Company 1, Company 2, Company 3); a domain holds Groups (Headquarters, Engineering, Sales, Accounting, QA Lab); a group holds Locations (Office, Temporary, Wireless, Europe)]

3rd Party Integration
• LDAP
• Active Directory
• Syslog
• RSA

Basic Reporting and Alerting
• Scheduled Email Reports
• 52 Default Reports
• Monitors
• Customizable Dashboard
• Notifications

New in Release Update 6
• Macintosh Antivirus Management
• Scan Randomization
• Telemetry Support
• Web Based SEPM Console
• Symantec Protection Center
• Symantec Endpoint Recovery Tool

New in RU6: Macintosh Management from SEPM Console
• Client package and group
• Policies
– Antivirus and Antispyware policy
– Centralized Exceptions policy
– LiveUpdate policy
• Run commands
– Enable Auto-Protect
– Restart Client Computers
– Scan
– Update Content
– Update Content and Scan

New in RU6: Symantec Endpoint Protection for Macintosh
• Macintosh Antivirus client managed by Windows SEPM
• Support Mac OS X 10.4, 10.5, 10.6
• Support migrating from Symantec Antivirus for Macintosh 10.x
• Support G3, G4, G5, and Intel processors

New in RU6: Scan Randomization
• Allow administrator to select a window over time in which a scheduled scan will kick off
– Daily – up to 23 hours
– Weekly – up to 167 hours
– Monthly – up to 671 Hours
• Improve support for virtual environments
• Available on Windows client only.
New in RU6: Data Collection - Telemetry
• Collect and send anonymous data to Symantec for the following purposes
– To improve our product in the future.
– To improve customer support
• Able to Opt Out
• Following data are collected
– SEP / SNAC Enabled
– SEP / OS Version
– Database Stats
– Free Disk Space, CPU and Available Memory
– Major Errors
– Numbers Collected: Groups, Domains, Hosts, Admin Accounts, Servers/Site, Clients from AD, Alerts, Replication Errors, Revisions Kept, Policies, Computers per Revision, Enforcers, GUPs, Percent of Computers up to date

New in RU6: Web-based SEPM Console
• Does not require Java Runtime on the remote client side
• Easy to access using Web browser
• Support Internet Explorer 7 & 8

New in RU6: Web-based Portal
• Manage multiple Symantec products through a Single Console.
– Symantec Endpoint Protection
– Symantec Web Gateway
– Symantec Data Loss Prevention
– Symantec Critical System Protection
– Symantec IT Analytics
– Symantec Brightmail Gateway
• Support Internet Explorer 7 & 8

New in RU6: Symantec Endpoint Recovery Tool (SERT)
• Windows PE 2.1 based bootable CD
• Features:
– Symantec Endpoint Encryption Support
– Launch Command Prompt prior to Scanner – allows use of third party disk access apps (BitLocker, etc.)
– Use definitions from local media (USB, local disk, etc.)
rather than downloading from Internet – can also be used to scan with rapid release definitions
– Download definitions from Internet
– No PIN code requirement (Norton Bootable Recovery Tool requires PIN)
• Available through FileConnect

Advanced Reporting – Business Intelligence
Traditional Reporting (SEP Database → Standard reports):
• Multiple ad-hoc/custom report requests can hinder server performance
• Large databases or complicated queries may take a long time to run
• Canned reports offer limited options for customization or data analysis
IT Analytics (SEP Database → SQL 2005 Reporting Services / Analysis Services → Cube; Bay Dynamics):
• Flexible reporting
• Drill-down capabilities
• Multi-dimensional analysis
• Improved server performance
• Seamlessly export to Excel & PDF
• Robust Graphical Dashboards
• Multi-Dimensional Ad-hoc/Pivot Table Reporting
• Pivot Chart Functionality with Excel Export

Symantec Protection Center: Intelligent Management Integration
[Diagram: Endpoint Protection, Network Access Control, Data Loss Prevention, Server Protection, Messaging Security and Web Security feed Symantec Protection Center's Reporting and Analytics]
• VISIBILITY - Pinpoint relevant security threats promptly
• RESPONSE - Accelerate time to protection
• EFFICIENCY - Increase productivity of security operations

New in RU6: Power Eraser
• Designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
– New variants of existing threats for which there is no coverage by the current definition sets
– Fake antivirus applications, and other Rogue-ware
– Rootkits
– System settings that have been tampered with maliciously
• Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal.
Use standard antivirus applications and troubleshooting techniques first; if they do not remove all of the threats, use Symantec Power Eraser.
• Available from the "Help and Support" button on the client.

New in RU6: Power Eraser
• Part of the Symantec Endpoint Protection Support Tool
• Aggressive scanning
• Support Tool then finishes scanning

New in RU6: Support Tool

Designing and Sizing the correct SEP Architecture

SEP Design Considerations
• What Technologies will be deployed
• Do you want different security policies when users are in different locations
• Will desktops/servers/laptops/users/depts have different policies
• How many geographic locations are there in the company
• How often does the customer want to provide content updates
• Do you want to automatically deploy SEP patches
• Which method of distribution does the customer want to use
• Do you need a Highly Available Management Infrastructure
• How long does the customer need to retain logs
• What is the frequency of requests for data older than one week, one month, and one year
• What metrics need to be gathered frequently
• Who needs access to the Data and what is their location
• Are there multiple administrative groups in the organization (i.e. IT, Sec, Desktop, Server)
• Is there need to tie in to an existing 3rd party tool or authentication scheme

SEP Decisions
• Number of Management Servers
• Management Servers locations
• What Database(s) will be used
• Number of Databases
• Classification Methodology
• Where log information will reside
• Old Management Server Upgrade Path
• What Technologies will be Deployed and configured

Deployment Architectures
• Single Site
• Log Replication
• Distributed Site
• High Availability

Client/Server Communication Recommendations
• Keep a SEP DB close to Each SEP Manager
• Pull Mode
– Client to Server Ratio Maximum: None
– Lowest heartbeat
configuration: (# clients / 1000) minutes
• Push Mode
– Client to Server Ratio Maximum: 50,000
– 1000 client connections per minute
• Optimize I/O Channels
• Managers should have good/fast connectivity to DB

Recommendations
• Symantec Endpoint Protection Manager Recommendations for environments under 10,000 clients
– 2GB RAM Minimum Requirement
– Single Processor
• Symantec Endpoint Protection Manager Recommendations for environments over 10,000 clients
– 4GB RAM Minimum Requirement
– Dual Processor recommended

Heartbeat Sizing

Settings that Affect DB Sizing
Virus Event Storage Costs

Number of Viruses in DB   Approximate Space
1,000                     0.8 MB
5,000                     4.3 MB
15,000                    12.9 MB
25,000                    21.6 MB
50,000                    43.2 MB

Backups
The number of backups kept impacts the total disk space needed on the SEPM server. Size is approx. 75% of DB size multiplied by the number of copies being kept.
Ex. 1GB db * 0.75 * 3 Copies = 2.3 GB of Disk Space needed on SEPS1

Example: Total Disk Space Needed
• In 60 Days you have on average 15,000 Viruses
• You plan on Keeping 20,000 Events of each Log
• You Plan on Keeping 5 Versions of SEP, both 64 bit and 32 bit, English and French
• 7 Backups are being kept

Item                    Space
15,000 Viruses          12.9 MB
20,000 Events per Log   722 MB
20 Versions in DB       1.24 GB
Content Updates         300 MB
                        = Approx 2.27 GB
Multiply by 1.4 to add the overhead of indexes and other tables: 3.2 GB Needed for DB
16.8 GB Needed for Backups on SEPM Server
4 GB of Disk Space on SEPM for IIS Content

Best Practices: Recommended Client Protection Policies

Malware Protection

Antivirus/Antispyware Policy
Symantec always recommends running SEP with Auto-Protect enabled and routine scheduled scans enabled. It is typically recommended to start your deployment with a full weekly scan. If you notice that there are not many infections being discovered via the on-demand scan, it is recommended to decrease the frequency and depth of the scan.
In environments with low infection rates, it is not uncommon to find monthly full scans or weekly quick scans being performed.

Antivirus/Antispyware Policy (cont.)
Symantec provides 3 Antivirus and Antispyware policies out of the box. Symantec recommends the default antivirus policy on most machines. On machines that are slow, have high resource utilization, or where users typically complain of performance, Symantec recommends applying the High Performance policy. For machines that are mission critical and for machines/users that have a high infection rate (Bad Internet Hygiene), Symantec recommends applying the High Security Antivirus Policy.

Antivirus/Antispyware Policy (cont.)
It is suggested to enable Delay Scheduled Scans if running on Batteries. Enabling this feature will typically increase end user satisfaction with the product, since running a full scan while on batteries depletes the power more quickly. To further increase end user acceptance of the product, more companies give the end user the right to stop scans. It is recommended to keep the defaults on Internet Email Scanning, TruScan*, Quarantine*, and Submissions. Symantec only recommends installing Outlook/Lotus plug-ins when Antivirus is absent on the Mail Server.

Antivirus/Antispyware Policy (cont.)
Symantec updates definitions three times a day; each day that goes by without a definition update means less protection. On average, Symantec adds over 20K signatures a day. It is recommended to display a notification to end users if definitions are out of date. If users have the ability to initiate LiveUpdate, then Symantec recommends lowering the number of days before sending a notification to 5 days when content is out of date. It is also recommended to set the Internet Browser Protection recovery home page to your company's website. Most companies redirect to an internal web page with the security policies and escalation procedures.
Antivirus/Antispyware Policy (cont.)
*TruScan default settings depend upon the manager version.
• Set sensitivity high
• Log initially until exceptions have been addressed, then terminate
• Set frequency to Scan new processes immediately

Antivirus/Antispyware Policy (cont.)
*Quarantine
• When is the last time you got anything out of the quarantine?
• Do nothing for performance
• If Clean/Delete actions are too drastic due to possible false positive considerations, consider Clean/Quarantine with a short retention.
• Consider the benefits of performance vs. usefulness of Risk Tracer.

Network Protection

Firewalls and IPS
Reactive:
• Signature based scanning is not enough alone
• Heuristics is not enough alone
• Behavior technology is not enough alone
Proactive:
• Prevent unsolicited traffic from being accepted
• Prevent accepted traffic from containing threats
• Workstations vs. Servers

Firewall Policy
There are 4 traditional configurations that individuals may consider when deploying a client firewall. Each configuration provides a different level of protection and changes the likelihood of encountering false positives and preventing legitimate applications from working.

Firewall Policy
Firewall Disabled: Disabling the firewall minimizes the potential for making a mistake with the configuration that can cause legitimate applications to cease working. Since every network environment is unique, some customers find it easier to keep this technology disabled until there is a need. In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention provides additional protection with minimal configuration and false positives.

Block Known Trojan Ports: Choosing to allow all network traffic with the exception of ports commonly associated with known Trojans will provide an additional level of security while minimizing the risk of creating a policy that might block a legitimate application.
Although this might provide some protection, the Intrusion Prevention Engine already provides signatures to detect and block most of these exploits. In this configuration, Administrators can choose to block specific applications without the need of knowing what is installed in the environment.

Firewall Policy
Block all Inbound Connections: Configuring the firewall to block all inbound connections greatly reduces the risk of an attacker gaining access to a client's resources or data. Most applications that get installed on the box will still be allowed to initiate communications, which minimizes the settings that need to be configured. This configuration will not stop all malicious code from getting installed on the box, nor will it prevent the malicious code from communicating important pieces of data to a hacker. This configuration will also block some legitimate corporate applications, like management utilities that expect to receive connections from a management server. It is highly recommended to test this configuration thoroughly prior to deploying it. Some companies have found it easier to deploy a configuration that blocks all inbound connections except from the servers installed in the organization. This has minimized the number of changes that need to be made as new applications are installed, and it has minimized the number of exceptions needed to the policy.

Explicit Deny: In this configuration, the firewall is configured to block all communications except for those settings that you choose to accept. This is the most secure approach to creating firewall policies. This means that any new code introduced to the environment (good or bad) will not be allowed to communicate until an administrator approves it. Although this provides the most secure architecture, constant changes are usually needed to accommodate application changes.
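The four firewall configurations above trade protection against breakage in ways that are easiest to see side by side. The following is an added example, not SEP policy syntax or Symantec code, that models each configuration as a decision function and runs the same constructed set of connections through all four. Application names, addresses, ports and the two historic Trojan ports in the block list are illustrative values, not a recommended configuration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DISABLED = "firewall disabled"
    BLOCK_TROJAN_PORTS = "block known Trojan ports"
    BLOCK_INBOUND = "block all inbound connections"
    EXPLICIT_DENY = "explicit deny"


@dataclass(frozen=True)
class Connection:
    label: str
    app: str
    direction: str      # "inbound" or "outbound", relative to the client
    remote_ip: str
    port: int


@dataclass(frozen=True)
class Policy:
    mode: Mode
    trojan_ports: frozenset = frozenset()     # consulted only in BLOCK_TROJAN_PORTS
    trusted_servers: frozenset = frozenset()  # inbound exception for BLOCK_INBOUND
    approved_apps: frozenset = frozenset()    # administrator approvals for EXPLICIT_DENY


def decide(policy: Policy, conn: Connection) -> str:
    """Return "allow" or "block" for one connection under one policy."""
    if policy.mode is Mode.DISABLED:
        return "allow"
    if policy.mode is Mode.BLOCK_TROJAN_PORTS:
        return "block" if conn.port in policy.trojan_ports else "allow"
    if policy.mode is Mode.BLOCK_INBOUND:
        if conn.direction == "inbound" and conn.remote_ip not in policy.trusted_servers:
            return "block"
        return "allow"
    # Explicit deny: nothing communicates until an administrator has approved it.
    return "allow" if conn.app in policy.approved_apps else "block"


def compare(connections, policies) -> dict:
    """Decision matrix: connection label -> {policy mode name -> decision}."""
    return {c.label: {p.mode.value: decide(p, c) for p in policies} for c in connections}


# Constructed sample traffic for one client. MGMT_SERVER stands for "the servers
# installed in the organization"; 12345 and 31337 are two historic Trojan ports
# used only to illustrate the port-based configuration.
MGMT_SERVER = "10.0.0.10"
SAMPLE_CONNECTIONS = [
    Connection("browser to web", "browser.exe", "outbound", "203.0.113.80", 443),
    Connection("management server to admin utility", "mgmt-agent.exe", "inbound", MGMT_SERVER, 9000),
    Connection("backup server to backup agent", "backup-agent.exe", "inbound", "10.0.0.11", 9100),
    Connection("unknown host to file sharing", "system", "inbound", "198.51.100.9", 445),
    Connection("unknown host to Trojan port", "unknown", "inbound", "198.51.100.9", 12345),
    Connection("dropper beacon", "dropper.exe", "outbound", "203.0.113.200", 443),
]
POLICIES = [
    Policy(Mode.DISABLED),
    Policy(Mode.BLOCK_TROJAN_PORTS, trojan_ports=frozenset({12345, 31337})),
    Policy(Mode.BLOCK_INBOUND, trusted_servers=frozenset({MGMT_SERVER})),
    Policy(Mode.EXPLICIT_DENY, approved_apps=frozenset({"browser.exe", "mgmt-agent.exe"})),
]

if __name__ == "__main__":
    for label, decisions in compare(SAMPLE_CONNECTIONS, POLICIES).items():
        print(f"{label:36} " + "  ".join(f"{m}={d}" for m, d in decisions.items()))
```

Two rows carry the argument of the slides: the dropper's outbound beacon is allowed by everything except explicit deny, which is the "will not prevent the malicious code from communicating" caveat in code, and the backup agent is blocked by both of the stricter modes until someone adds an exception, which is the maintenance cost those modes carry.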
Firewall Policy
Symantec recommends starting deployment with the firewall disabled and Intrusion Prevention (IPS) enabled. Administrators can then increase the protection on the Client by deploying the firewall over time. Extensive testing should be conducted prior to deploying the firewall policy. It is also beneficial to consider disabling the firewall when on the corporate network and hardening the firewall when users disconnect from the corporate network. This is normally done through the Location Awareness feature. Care should be taken when defining network segments: Symantec recommends using multiple network identifiers when creating the policy. Symantec also recommends the use of Peer to Peer Enforcement between Clients. Peer to Peer enforcement forces a client to block all connections from a remote machine until the machine has proven that it is in compliance with corporate policy.

Intrusion Prevention Policy
Symantec recommends always running IPS on client machines. Symantec makes no recommendations on changing the default settings for IPS. If Administrators or individuals within the organization are running security tools and assessment tools, Symantec does recommend excluding those machines from the IPS detection, as it may yield false positives.
Note: Symantec does not recommend running the IPS on a Server OS without fully testing.

Proactive Threat Protection

Application and Device Control Policy
Application Control and Device Control are advanced features that can be used to further enhance malware protection for your business. Extreme caution should be used in creating application and device control policies, as these advanced technologies may cause legitimate applications to cease operating. Symantec recommends using Application Control and Device Control settings only after testing the impact of the policy in your environment.
Application Control and Device Control allow Administrators to restrict the behavior of applications and users in the environment. Since this is a diverse technology, the opportunities are endless as to what can be done.

Application and Device Control Policy
Allow only Read to the following keys to prevent tampering with or changing of IE settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Application and Device Control Policy
Consider:
• Disallowing execute autorun
• Disallowing execute from USB

Application and Device Control Policy (cont.)
Allow only Read to the following Registry Keys that allow applications to start automatically:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: Symantec does not recommend running the Application Control on a Server OS without fully testing.

LiveUpdate

LiveUpdate Policy
Symantec recommends configuring multiple methods for updating content on clients that are mobile. This will allow those systems that are not connected to the corporate network to receive content updates when not connected to the management server. The most typical recommendation is for customers to create two policies: one that defines clients updating from the management server while connected to the network, and another that defines updating through LiveUpdate directly from Symantec when the client machine is not connected to the corporate network.

Location Awareness
*Symantec typically recommends that administrators create two locations (Default/Internal and External) when using these two LiveUpdate policies. A default location is provided with each created group. The default location's LiveUpdate policy should have the clients contact the SEP Manager (SEPM) for their content updates. The external location's LiveUpdate policy should have clients conduct LiveUpdate calls directly to Symantec's LiveUpdate site to retrieve content updates.
*Weigh the risks, resource usage and benefits of single vs. multiple locations. Weigh across all policy types.
External LiveUpdate Policy
It is recommended to set the "External" LiveUpdate policy retrieval schedule to every 4 hours. Remember Symantec releases certified LiveUpdate content 3 times daily. This will ensure that the client systems stay up to date with the latest security content updates.

External LiveUpdate Policy (cont.)
It is also recommended to configure the Advanced Settings to "Allow the user to manually launch LiveUpdate".

External Location Configuration (cont.)
Specify the conditions for this location trigger. In this case the ability to connect to the management server was the condition used. Symantec recommends that more than one condition be specified when configuring a location.

LiveUpdate Content
For the smallest possible size of your microdefs, increase the number of downloads to retain. You sacrifice only the disk space to store them and the CPU cycles to build them.

Exceptions

Centralized Exceptions Policy
• The recommendation for exceptions is to add exceptions as needed. SEP automatically makes exceptions for certain applications, but it is best to add additional exceptions for Databases, Transactional Logs, VMware Images, and other items that have high transactional volume. It is also recommended to not allow employees the ability to add exceptions unless needed. For additional information on default exceptions and information on how to add exceptions, please reference the Symantec Online Knowledge Base.

Thank you!
Brian Pallozzi, [email protected]

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law.
The information in this document is subject to change without notice.