Symantec Endpoint Protection: Technical Review
Brian Pallozzi, CISSP, Principal Sales Engineer
Symantec Endpoint Protection 1
Agenda
1. Enterprise Security Protection Stack
2. What’s new (RU6)
3. Architectures
4. Suggestions
The Changing Threat Landscape: An Explosion of Malware
[Chart: cumulative number of traditional signatures, Jan 2000 to Jan 2010; y axis 0 to 7,000,000]
• In 2000: 5 signatures a day
• In 2007: 1,500 signatures a day
• In 2009: >15,000 signatures a day
• In 2010: 25,000 detections a day
• 3 Billion attacks blocked, 240 Million variants, highly targeted threats
Source: IDC WW Corporate Endpoint Market 2008
Industry Recognition
• Consumer Endpoint Security (#1 market position [1])
• Endpoint Security (#1 market position [2], positioned in Leaders Quadrant in Gartner Magic Quadrant [3])
• Messaging Security (#1 market position [4], positioned in Leaders Quadrant in Gartner Magic Quadrant [5])
• Policy & Compliance (#1 market position [6])
• Email Archiving (#1 market position [7], positioned in Leaders Quadrant in Gartner Magic Quadrant [8], Forrester Wave leader [9])
• Data Loss Prevention (#1 market position, Gartner Magic Quadrant [10] and Forrester Wave leader [11])
• Security Management (#1 market position [12])
• Security Information & Event Management (SIEM) (positioned in Leaders Quadrant in Gartner Magic Quadrant [13])
Security Leadership: WW Corporate Endpoint, IDC 2009
[Pie chart: Symantec 23%, McAfee 17%, Trend Micro 9%, Sophos 7%, Cisco 4%, Kaspersky Lab 3%, Other 37%]
Ingredients for Endpoint Security
• Symantec Endpoint Protection 11.0: Antivirus, Antispyware, Firewall, TruScan, Device Control, Application Control, (Network) Intrusion Prevention
• Symantec Network Access Control 11.0: Network Access Control
Single Agent, Single Console: Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0
Results:
• Reduced Cost, Complexity & Risk Exposure
• Increased Protection, Control & Manageability
Single Agent
Client User Interface (UI)
• Client UI focused on ease-of-use for end-users
• Enable users to quickly view settings and navigate
Easy End User Troubleshooting
Antivirus
Virus Definition Update Options
Enterprises can choose from several flexible update options:

| Frequency | Availability | Certification Level | Quality | Delivery Options |
| --- | --- | --- | --- | --- |
| Every 30 minutes | Fastest | Rapid Release | High | LU, VDTM/SEPM, IU |
| Every 8 hours | Fast | Full | Highest | LU, VDTM/SEPM, IU |

• Customers can choose how and when to deploy virus definition updates.
• Updates are hosted on thousands of servers worldwide.
• Microdef technology keeps the download to the desktop small (~250K/day).
• Fully certified AV content updates are available for SEP three times per day.
Improved Detection and Removal
• Repair engine (Eraser) is extensible
– Improvements are ongoing
– Not dependent on new releases
• SEP 11
– Lower-level rootkit detection
– Admin-specified homepage restore
– Surgical cookie cleanup
[Diagram: rootkit hook points in user mode (Microsoft File System API) and kernel mode (Windows File System, Volume Manager); Eraser bypasses the MS API and, via a mapping server, performs a direct volume scan]
Client Performance Enhancements
• Quicker on-demand scans due to load point caching
• Eraser performance improvements
• On-demand scan tuning
“On the machines I tested, the end-user experience was pleasant. I could easily perform other tasks and switch between applications – in fact, even for the balanced scans…if I didn’t hear the hard disk, I might not have known it was spinning.”
– Feedback from external test customer
Testing Groups
• Virus Bulletin 100 – http://www.virusbtn.com
• AV-Test.org – http://avtest.org
• AV Comparatives – http://www.av-comparatives.org
• Anti-Malware Testing Standards Organization – http://www.amtso.org/
Third Party Efficacy Tests
Third party reviews validate effectiveness:
• High detection rates in real tests
• Low false positives
Proactive Technologies
TruScan: Behavioral Detection Engine
1. Enumerate processes – enumerate all processes & embedded components
2. Analyze process behavior – assess behavior & characteristics of each process
3. Score each process – detection routines are weighted & processes are classified
4. Automatic protection – malicious code is identified, reported & automatically mitigated
• Detects 1,000 new threats/month not detected by leading AV engines
• Very low (0.004%) false positive rate
A New Approach – Behavioral Detection Engine
• Each engine has two sets of detection modules:
– Pro-valid = evidence of valid application behavior
– Pro-malicious = evidence of malicious application behavior
• Each detection module has a weight
– The weight indicates the importance of the behavioral trait
• Each process gets 2 scores:
– Valid Score = measure of how valid the process is
– Malicious Score = measure of how malicious the process is
** Caveat: It’s not as simple as this - detection modules are cooperative

With pro-malicious modules $T_1, \dots, T_N$ weighted by $a_1, \dots, a_N$ and pro-valid modules $V_1, \dots, V_M$ weighted by $b_1, \dots, b_M$:

$$\text{Trojan Score} = \sum_{i=1}^{N} a_i T_i \qquad\qquad \text{Valid Score} = \sum_{i=1}^{M} b_i V_i$$

A good engine will create separation between valid applications & malicious code.
[Plot: score distributions of valid applications and malicious code; adjust scores (sensitivity settings) to reduce FPs]
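The two-score scheme above, carried through in code as an added example (this is not Symantec's TruScan implementation): the module names, traits, weights, sample process records and the decision boundary are all constructed. It shows how the weighted sums separate a signed, user-launched updater from a process that hooks the keyboard and copies itself to removable media, and how a negative sensitivity adjustment moves a borderline process from "malicious" to "valid", which is the false-positive trade-off the slide describes.

```python
"""Two-score weighted classification in the style of the behavioral engine
described above. Added example, not Symantec's TruScan code: the module
names, weights, traits, sample processes and the decision rule are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One detection routine: fires when `trait` is observed on the process;
    `weight` is its a_i (pro-malicious) or b_i (pro-valid) coefficient."""
    name: str
    trait: str
    weight: float


# Constructed pro-malicious modules T_1..T_N with weights a_1..a_N.
PRO_MALICIOUS = [
    Module("keyboard_hook", "installs_keyboard_hook", 3.0),
    Module("autostart_write", "writes_run_key", 2.0),
    Module("removable_self_copy", "copies_self_to_removable", 2.5),
    Module("hidden_window", "no_visible_window", 1.0),
]
# Constructed pro-valid modules V_1..V_M with weights b_1..b_M.
PRO_VALID = [
    Module("signed_binary", "authenticode_signed", 3.0),
    Module("uninstaller", "registered_uninstaller", 1.5),
    Module("user_launched", "started_by_user", 1.0),
]


def weighted_score(traits: set[str], modules: list[Module]) -> float:
    """sum_i w_i * X_i, where X_i = 1 if module i fires on the process, else 0."""
    return sum(m.weight for m in modules if m.trait in traits)


@dataclass(frozen=True)
class Verdict:
    name: str
    trojan_score: float
    valid_score: float
    decision: str


def classify(name: str, traits: set[str], sensitivity: float = 0.0) -> Verdict:
    """Trojan Score = sum a_i T_i, Valid Score = sum b_i V_i. The process is
    flagged when malicious evidence outweighs valid evidence; `sensitivity`
    shifts that boundary (positive = more detections, negative = fewer
    detections and fewer false positives). The boundary rule is an assumption."""
    t = weighted_score(traits, PRO_MALICIOUS)
    v = weighted_score(traits, PRO_VALID)
    decision = "malicious" if (t - v + sensitivity) > 0 else "valid"
    return Verdict(name, t, v, decision)


# Constructed sample process records: the traits observed for each process.
SAMPLE_PROCESSES = {
    "updater.exe": {"authenticode_signed", "writes_run_key",
                    "registered_uninstaller", "started_by_user"},
    "sample_bad.exe": {"installs_keyboard_hook", "writes_run_key",
                       "copies_self_to_removable", "no_visible_window"},
    "tray_helper.exe": {"writes_run_key", "no_visible_window", "started_by_user"},
}


def run_samples(sensitivity: float = 0.0) -> dict[str, str]:
    """Decision for every sample process at the given sensitivity."""
    return {n: classify(n, tr, sensitivity).decision
            for n, tr in SAMPLE_PROCESSES.items()}


if __name__ == "__main__":
    for s in (0.0, -2.5):
        print(f"sensitivity {s:+}: {run_samples(s)}")
```

At the default sensitivity the unsigned tray helper is flagged on two weak traits alone; lowering the sensitivity by 2.5 clears it while the process with strong malicious evidence stays flagged, which is the kind of adjustment the "reduce FPs" note refers to.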
Device Control
• Block devices by type (Windows Class ID)
• Supports all common ports
– USB, Infrared, Bluetooth, Serial, Parallel, FireWire, SCSI, PCMCIA
• Can block read/write/execute from removable drives*
• Example:
– Block all USB devices except USB mouse and keyboard
Peripheral Device Control
W32.SillyFDC
• targets removable memory sticks
• spreads by copying itself onto removable drives such as USB memory sticks
• automatically runs when the device is connected to a computer
Application Control
• Application Behavior Analysis – monitors the behavior of applications
• Process Execution Control – blocks unwanted programs from running
• File Access Control – blocks unwanted access to files or folders
• Registry Access Control – controls access and writing to registry keys
• Module & DLL Loading Control – blocks applications from loading modules
[Diagram: \WINDOWS\system32\]
System Lockdown
System Lockdown Features
• Prevents unauthorized code from running on the protected system
– Malware
– Unauthorized applications
• Creates a digital inventory of the system
– Checksum.exe tool builds the inventory
– Create multiple inventories per server
– Fingerprints all executables (exe, com, dll, ocx, etc.)
– Block anything not on the list from execution
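The allow-list idea behind System Lockdown, as an added example rather than Symantec's Checksum.exe or its inventory format: fingerprint every executable under a root, then decide allow/block for later files by content hash. The directory tree, file contents and SHA-256 as the fingerprint are constructed assumptions. Hash-based inventories behave differently from path-based ones, and the demo shows the two cases that matter: a known binary copied under a new name is still allowed, while a known binary whose bytes changed is blocked.

```python
"""Checksum inventory and allow/block decision in the style of System
Lockdown. Added example, not Symantec's tool: SHA-256 fingerprints, the
temporary directory tree and its file contents are all constructed here."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Executable types named on the slide.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".dll", ".ocx"}


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> dict[str, str]:
    """Map fingerprint -> first relative path seen, for every executable under root."""
    inventory: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            inventory.setdefault(fingerprint(p), str(p.relative_to(root)))
    return inventory


def decide(path: Path, inventory: dict[str, str]) -> str:
    """'allow' when the file's content hash is in the inventory, else 'block'.
    Because the decision is by hash, renaming or relocating a known file keeps
    it allowed, and any modification of a known file blocks it."""
    return "allow" if fingerprint(path) in inventory else "block"


def demo() -> dict[str, object]:
    """Construct a small 'system', inventory it, then apply the list to later changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "editor.exe").write_bytes(b"MZ constructed editor binary")
        (root / "app" / "helper.dll").write_bytes(b"MZ constructed helper library")
        (root / "app" / "readme.txt").write_bytes(b"not executable, not inventoried")
        inventory = build_inventory(root)
        results: dict[str, object] = {"inventory_size": len(inventory)}

        # Known binary copied elsewhere under another name: same hash, still allowed.
        (root / "copy.exe").write_bytes(b"MZ constructed editor binary")
        results["renamed_known"] = decide(root / "copy.exe", inventory)

        # Known binary modified in place: hash changes, so it is blocked.
        (root / "app" / "helper.dll").write_bytes(b"MZ constructed helper library PATCHED")
        results["modified_known"] = decide(root / "app" / "helper.dll", inventory)

        # Executable that was never inventoried: blocked.
        (root / "app" / "new_tool.exe").write_bytes(b"MZ constructed unknown binary")
        results["unknown"] = decide(root / "app" / "new_tool.exe", inventory)
        return results


if __name__ == "__main__":
    print(demo())
```

The practical consequence for operations is visible in the second case: every legitimate patch to an inventoried binary needs a new inventory (or a second one, as the slide's "multiple inventories per server" allows) before the patched file may run.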
Network Threat Protection
Network Threat Protection Features
Network Threat Protection Key Features
• Best-of-breed rule-based firewall engine
• Inspects encrypted and cleartext network traffic
• IPS engine
• Generic Exploit Blocking (GEB)
• Packet- and stream-based IPS
• Custom IPS signatures similar to Snort™
• Autolocation switching
[Diagram: buffer overflow, back door, blended threat and known exploit traffic blocked at the network layer]
Best-of-Breed Personal Firewall
Personal Firewall Features
• Rule-based firewall engine
• Firewall rule triggers: application, host, service, time
• Full TCP/IP support: TCP, UDP, ICMP, raw IP protocol
• Support for Ethernet protocols: allow or block Token Ring, IPX/SPX, AppleTalk, NetBEUI
• Able to block protocol drivers (e.g., VMware, WinPcap)
• Adapter-specific rules
Deep Packet Inspection Engine
• Employs IDP
• Regular expression support
• Allows custom signatures
[Diagram: DPI firewall with protocol decoders (SSH, IM, SMTP, FTP, HTTP, RPC) feeding the Intrusion Prevention System and the custom signature engine (GEB, signature ID)]
Example custom signature:
rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM bufferoverflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
Intrusion Prevention Features
• Combines Generic Exploit Blocking (GEB) and SCS IDS with Sygate IDS
• Deep packet inspection
• Sygate IDS engine allows admins to create their own signatures
• Uses a signature format similar to SNORT™
• Regex support
• Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques
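To make the custom signature syntax concrete, here is an added example (not the Sygate/Symantec engine) that parses the rule shown on the slide and applies it to constructed packet records. The rule text is the slide's; everything else is assumed: the packet record layout, `$LOCALHOST` as "any address of this host", and the reading of `(0,8)` as an offset and a search depth into the payload, in the Snort sense the slide compares the format to. The sample packets exercise each condition of the rule separately, including the case where the same bytes appear outside the offset/depth window.

```python
"""Parser and matcher for custom IPS signatures in the rule syntax shown on
the slide. Added example, not the Sygate/Symantec engine: the packet record,
the (offset,depth) search-window reading and the sample packets are
constructed. RULE_TEXT is the rule from the slide."""
from __future__ import annotations
import codecs
import re
from dataclasses import dataclass

RULE_TEXT = (r'rule tcp, tcp_flag&ack, daddr=$LOCALHOST, '
             r'msg="[182.1] RPC DCOM bufferoverflow attempt detected", '
             r'content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)')

CONTENT_RE = re.compile(r'content="((?:[^"\\]|\\.)*)"\((\d+),(\d+)\)')
MSG_RE = re.compile(r'msg="([^"]*)"')
FLAG_RE = re.compile(r'tcp_flag&(\w+)')
DADDR_RE = re.compile(r'daddr=([^,\s]+)')


@dataclass(frozen=True)
class Rule:
    proto: str
    flags: frozenset[str]   # TCP flags that must be set
    daddr: str | None       # literal address or the $LOCALHOST variable
    msg: str
    content: bytes
    offset: int
    depth: int


def parse_rule(text: str) -> Rule:
    head = text.strip().split(",", 1)[0].split()          # ["rule", "tcp"]
    if len(head) != 2 or head[0] != "rule":
        raise ValueError("expected 'rule <proto>, ...'")
    m = CONTENT_RE.search(text)
    if not m:
        raise ValueError('rule lacks content="..."(offset,depth)')
    # The rule file carries literal \xNN escapes; decode them into raw bytes.
    content = codecs.decode(m.group(1), "unicode_escape").encode("latin-1")
    msg = MSG_RE.search(text)
    daddr = DADDR_RE.search(text)
    return Rule(proto=head[1].lower(),
                flags=frozenset(f.lower() for f in FLAG_RE.findall(text)),
                daddr=daddr.group(1) if daddr else None,
                msg=msg.group(1) if msg else "",
                content=content, offset=int(m.group(2)), depth=int(m.group(3)))


@dataclass(frozen=True)
class Packet:
    proto: str
    flags: frozenset[str]
    dst: str
    payload: bytes


def matches(rule: Rule, pkt: Packet, local_hosts: set[str]) -> bool:
    """Every clause of the rule must hold; content is searched only inside
    payload[offset:offset+depth]."""
    if pkt.proto.lower() != rule.proto:
        return False
    if not rule.flags <= pkt.flags:
        return False
    if rule.daddr == "$LOCALHOST":
        if pkt.dst not in local_hosts:
            return False
    elif rule.daddr is not None and pkt.dst != rule.daddr:
        return False
    window = pkt.payload[rule.offset:rule.offset + rule.depth]
    return rule.content in window


# Constructed traffic. HDR is simply the byte sequence the rule's content field names.
HDR = bytes.fromhex("0500000310000000")
LOCAL_HOSTS = {"10.0.0.5"}
SAMPLE_PACKETS = [
    Packet("tcp", frozenset({"ack", "psh"}), "10.0.0.5", HDR + bytes(16)),   # all clauses hold
    Packet("tcp", frozenset({"syn"}), "10.0.0.5", HDR + bytes(16)),          # ACK flag not set
    Packet("tcp", frozenset({"ack"}), "10.0.0.5", b"GET / HTTP/1.1\r\n\r\n"), # different content
    Packet("tcp", frozenset({"ack"}), "10.0.0.5", bytes(12) + HDR),          # bytes outside (0,8) window
    Packet("udp", frozenset(), "10.0.0.5", HDR),                             # wrong protocol
    Packet("tcp", frozenset({"ack"}), "192.0.2.9", HDR),                     # not a local address
]


def scan(rule_text: str = RULE_TEXT, packets: list[Packet] = SAMPLE_PACKETS) -> list[bool]:
    """Match result per packet for one rule."""
    rule = parse_rule(rule_text)
    return [matches(rule, p, LOCAL_HOSTS) for p in packets]


if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for p, hit in zip(SAMPLE_PACKETS, scan()):
        print(f"{p.proto:3s} {p.dst:10s} {'ALERT ' + rule.msg if hit else 'no match'}")
```

Only the first packet alerts. The fourth one is the case worth noticing when writing signatures: the content bytes are present in the payload, but past the depth the rule allows, so a rule written with a tight window will not fire on them.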
AutoLocation Switching Enhancements
AutoLocation Triggers
• IP address (range or mask)
• DNS server
• DHCP server
• WINS server
• Gateway address
• TPM token exists (hw token)
• DNS name resolves to IP
• Policy Manager connected
• Network connection type (wireless, VPN, Ethernet, dial-up)
Supports and/or relationships
[Diagram: policy “Office” applies on the corporate LAN; policy “Remote” applies from remote locations (home, coffee shop, hotel, etc.) and over VPN]
Network Access Control: Policy Compliance
Symantec Network Access Control
• Choose quarantine, remediation or federated access
– Enforce policy before access is granted
– Execute updates, programs, services, etc
– Limit connection to VLAN, etc
• Broadest enforcement options of any vendor
– Remote connectivity (IPSec, SSL VPN)
– LAN-based, DHCP, Appliance
– Standards-based, CNAC, MSNAP
Ensures endpoints are protected and compliant prior to accessing network resources
Management
Integrated Management, Policy Driven
Architecture
[Diagram: Symantec Endpoint Clients (laptops, desktops, servers) talk to the Symantec Endpoint Protection Manager (SEPM) over HTTP/S and receive endpoint policy from it; the Java-based console connects to SEPM over HTTPS; SEPM stores its data in the SQL data store]
• SQL Data Store: policies, events & logs, security content, reporting data, state information, updates and patches
• Java Based Console: policy management, agent management, roles and administration, launch reports, view alerts
Replication & High Availability Architecture
Failover between Management Servers & Data Stores
[Diagram: two sites, each with several SEPMs in front of a datastore on clustered databases; the two datastores replicate with each other]
Management Server Hierarchy
[Diagram: Main Site (SEPMs and datastore), Regional Site (SEPM and datastore), Small Regional Office (Group Update Provider)]
Group Update Provider
• Small, simple, low-maintenance manager for small offices
• Only deltas replicated across WAN links
Data Replication
• Site-to-site data replication for scalability & availability
• Customizable filters control what data is replicated between sites
Advanced Grouping Management
• Database
• Domains
• Groups
• Locations
• Clients
[Diagram: one database holds the domains Company 1, Company 2 and Company 3; a domain contains groups such as Temporary, Europe, Headquarters, Engineering, Sales and Accounting; groups have locations such as Office, Wireless and QA Lab]
3rd Party Integration
• LDAP
• Active Directory
• Syslog
• RSA
Basic Reporting and Alerting
• Scheduled email reports
• 52 default reports
• Monitors
• Customizable dashboard
• Notifications
New in Release Update 6
Symantec Protection Suite 37
Macintosh Antivirus Management
Symantec Protection Center
Symantec Endpoint Recovery Tool
Telemetry Support
Scan Randomization
Web Based SEPM Console
New in RU6: Macintosh Management from SEPM Console
• Client package and group
• Policies
– Antivirus and Antispyware policy
– Centralized Exceptions policy
– LiveUpdate policy
• Run commands
– Enable Auto-Protect
– Restart Client Computers
– Scan
– Update Content
– Update Content and Scan
New in RU6: Symantec Endpoint Protection for Macintosh
• Macintosh Antivirus client managed by Windows SEPM
• Supports Mac OS X 10.4, 10.5, 10.6
• Supports migrating from Symantec Antivirus for Macintosh 10.x
• Supports G3, G4, G5, and Intel processors
New in RU6: Scan Randomization
• Allows the administrator to select a window of time within which a scheduled scan will kick off
– Daily – up to 23 hours
– Weekly – up to 167 hours
– Monthly – up to 671 hours
• Improved support for virtual environments
• Available on the Windows client only.
New in RU6: Data Collection - Telemetry
• Collects and sends anonymous data to Symantec for the following purposes
– To improve our product in the future
– To improve customer support
• Able to opt out
• The following data are collected
– SEP / SNAC enabled
– SEP / OS version
– Database stats
– Free disk space, CPU and available memory
– Major errors
– Numbers collected: groups, domains, hosts, admin accounts, servers/site, clients from AD, alerts, replication errors, revisions kept, policies, computers per revision, enforcers, GUPs, percent of computers up to date
New in RU6: Web-based SEPM Console
• Does not require a Java Runtime on the remote client side
• Easy to access using a web browser
• Supports Internet Explorer 7 & 8
New in RU6: Web-based Portal
• Manage multiple Symantec products through a single console
– Symantec Endpoint Protection
– Symantec Web Gateway
– Symantec Data Loss Prevention
– Symantec Critical System Protection
– Symantec IT Analytics
– Symantec Brightmail Gateway
• Supports Internet Explorer 7 & 8
New in RU6: Symantec Endpoint Recovery Tool (SERT)
• Windows PE 2.1 based bootable CD
– Features:
• Symantec Endpoint Encryption support
• Launch command prompt prior to scanner
– Allows use of third party disk access apps (BitLocker, etc.)
• Use definitions from local media (USB, local disk, etc.) rather than downloading from the Internet – can also be used to scan with Rapid Release definitions
• Download definitions from the Internet
• No PIN code requirement (Norton Bootable Recovery Tool requires a PIN)
• Available through FileConnect
Advanced Reporting – Business Intelligence
Traditional Reporting (SEP Database)
• Multiple report requests can hinder server performance
• Large databases or complicated queries may take a long time to run
• Canned reports offer limited options for customization or data analysis
IT Analytics (SEP Database → SQL 2005 Reporting Services / Analysis Services → Symantec Endpoint Protection Alert – Standard Cube)
• Flexible ad-hoc/custom reporting
• Drill-down capabilities
• Multi-dimensional analysis
• Improved server performance
• Seamlessly export to Excel & PDF
• Robust graphical dashboards
• Multi-dimensional ad-hoc/pivot table reporting
• Pivot chart functionality with Excel export
baydynamics
Symantec Protection Center: Intelligent Management Integration
[Diagram: Symantec Protection Center brings together Server Protection, Endpoint Protection, Messaging Security, Web Security, Data Loss Prevention and Network Access Control, with reporting and analytics]
• VISIBILITY - Pinpoint relevant security threats promptly
• RESPONSE - Accelerate time to protection
• EFFICIENCY - Increase productivity of security operations
New in RU6: Power Eraser
• Designed to complement mainline antivirus applications by detecting and remediating specific types of threats:
– New variants of existing threats for which there is no coverage by the current definition sets
– Fake antivirus applications, and other rogue-ware
– Rootkits
– System settings that have been tampered with maliciously
• Because Symantec Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. Use standard antivirus applications and troubleshooting techniques first; if they do not remove all of the threats, use Symantec Power Eraser.
• Available from the “Help and Support” button on the client.
• Part of the Symantec Endpoint Protection Support Tool
• Aggressive scanning
• The Support Tool then finishes scanning
New in RU6: Support Tool
Designing and Sizing the Correct SEP Architecture
SEP Design Considerations
• What technologies will be deployed?
• Do you want different security policies when users are in different locations?
• Will desktops/servers/laptops/users/departments have different policies?
• How many geographic locations are there in the company?
• How often does the customer want to provide content updates?
• Do you want to automatically deploy SEP patches?
• Which method of distribution does the customer want to use?
• Do you need a highly available management infrastructure?
• How long does the customer need to retain logs?
• What is the frequency of requests for data older than one week, one month, and one year?
• What metrics need to be gathered frequently?
• Who needs access to the data and what is their location?
• Are there multiple administrative groups in the organization (i.e. IT, Sec, Desktop, Server)?
• Is there a need to tie in to an existing 3rd party tool or authentication scheme?
SEP Decisions
• Number of management servers
• Management server locations
• What database(s) will be used
• Number of databases
• Classification methodology
• Where log information will reside
• Old management server upgrade path
• What technologies will be deployed and configured
Deployment Architectures: Single Site, Distributed Site, Log Replication, High Availability
Client/Server Communication
Recommendations
• Keep a SEP DB close to each SEP Manager
• Pull mode
– Client to server ratio maximum: none
– Lowest heartbeat configuration: (# clients / 1000) minutes
• Push mode
– Client to server ratio maximum: 50,000
– 1000 client connections per minute
• Optimize I/O channels
• Managers should have good/fast connectivity to the DB
Recommendations
• Symantec Endpoint Protection Manager recommendations for environments under 10,000 clients
– 2GB RAM minimum requirement
– Single processor
• Symantec Endpoint Protection Manager recommendations for environments over 10,000 clients
– 4GB RAM minimum requirement
– Dual processor recommended
Heartbeat Sizing
Settings that Affect DB Sizing
Virus Event Storage Costs

| Number of Viruses in DB | Approximate Space |
| --- | --- |
| 1,000 | 0.8 MB |
| 5,000 | 4.3 MB |
| 15,000 | 12.9 MB |
| 25,000 | 21.6 MB |
| 50,000 | 43.2 MB |
Backups
The number of backups kept impacts the total disk space needed on the SEPM server.
Size is approx. 75% of DB size multiplied by the number of copies being kept.
Ex. 1GB db * 0.75 * 3 copies = 2.3 GB of disk space needed on SEPS1
Example: Total Disk Space Needed
• In 60 days you have on average 15,000 viruses
• You plan on keeping 20,000 events of each log
• You plan on keeping 5 versions of SEP, both 64-bit and 32-bit, English and French
• 7 backups are being kept

| Item | Space |
| --- | --- |
| 15,000 viruses | 12.9 MB |
| 20,000 events per log | 722 MB |
| 20 versions in DB | 1.24 GB |
| Content updates | 300 MB |
| Total | approx. 2.27 GB |

Multiply by 1.4 to add the overhead of indexes and other tables:
• 3.2 GB needed for the DB
• 16.8 GB needed for backups on the SEPM server
• 4 GB of disk space on the SEPM for IIS content
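The sizing rules of thumb from the Recommendations slides and the two preceding tables, collected into one planner as an added example (not a Symantec sizing tool). The virus storage table, the 1.4 index overhead, the 75% backup ratio, the 4 GB of IIS content, the pull-mode heartbeat formula and the push-mode limits are taken from the slides; linear interpolation between table rows, extrapolation beyond 50,000 viruses and decimal gigabytes (1000 MB, which is what reproduces the slide's arithmetic) are my assumptions. `plan_example()` reproduces the slide's worked example end to end.

```python
"""Capacity planner for a SEPM deployment using the rules of thumb on the
preceding slides. Added example, not a Symantec tool: interpolation between
table rows, extrapolation past the last row and decimal GB are assumptions."""
from __future__ import annotations
from bisect import bisect_left

# (number of viruses in DB, approximate MB) from the slide's table.
VIRUS_STORAGE_MB = [(1_000, 0.8), (5_000, 4.3), (15_000, 12.9), (25_000, 21.6), (50_000, 43.2)]
INDEX_OVERHEAD = 1.4          # slide: multiply by 1.4 for indexes and other tables
BACKUP_RATIO = 0.75           # slide: each backup is approx. 75% of DB size
IIS_CONTENT_GB = 4.0          # slide: 4 GB on the SEPM for IIS content
PUSH_MAX_CLIENTS = 50_000     # slide: push-mode client to server ratio maximum
PUSH_CONNECTIONS_PER_MINUTE = 1_000
MB_PER_GB = 1000.0            # decimal GB, matching the slide's 2274.9 MB ≈ 2.27 GB


def virus_space_mb(viruses: int) -> float:
    """Interpolate linearly between table rows (extrapolating the last slope)."""
    xs = [n for n, _ in VIRUS_STORAGE_MB]
    if viruses <= xs[0]:
        return VIRUS_STORAGE_MB[0][1] * viruses / xs[0]
    i = min(bisect_left(xs, viruses), len(xs) - 1)
    (x0, y0), (x1, y1) = VIRUS_STORAGE_MB[i - 1], VIRUS_STORAGE_MB[i]
    return y0 + (y1 - y0) * (viruses - x0) / (x1 - x0)


def db_size_gb(viruses: int, events_mb: float, versions_mb: float, content_mb: float) -> float:
    """Raw table size plus the 1.4x overhead for indexes and other tables."""
    raw_mb = virus_space_mb(viruses) + events_mb + versions_mb + content_mb
    return raw_mb * INDEX_OVERHEAD / MB_PER_GB


def backup_space_gb(db_gb: float, copies: int) -> float:
    """Disk needed on the SEPM server for the retained backups."""
    return db_gb * BACKUP_RATIO * copies


def min_heartbeat_minutes(clients: int, mode: str = "pull") -> float:
    """Pull mode: lowest heartbeat = (# clients / 1000) minutes, no ratio maximum.
    Push mode: at most 50,000 clients per manager; with 1000 connections per
    minute, cycling all clients takes clients/1000 minutes (derived)."""
    if mode == "pull":
        return clients / 1000
    if mode == "push":
        if clients > PUSH_MAX_CLIENTS:
            raise ValueError(f"push mode supports at most {PUSH_MAX_CLIENTS} clients per manager")
        return clients / PUSH_CONNECTIONS_PER_MINUTE
    raise ValueError("mode must be 'pull' or 'push'")


def plan_example() -> dict[str, float]:
    """The slide's worked example: 15,000 viruses, 722 MB of events, 1.24 GB of
    client versions, 300 MB of content, 7 backups."""
    raw_mb = virus_space_mb(15_000) + 722 + 1_240 + 300      # 2274.9 MB, "approx. 2.27 GB"
    db_gb = round(raw_mb * INDEX_OVERHEAD / MB_PER_GB, 1)     # 3.2 GB for the DB
    backups_gb = backup_space_gb(db_gb, 7)                    # 16.8 GB for backups
    return {"raw_mb": raw_mb, "db_gb": db_gb, "backups_gb": backups_gb,
            "sepm_disk_gb": backups_gb + IIS_CONTENT_GB}


if __name__ == "__main__":
    for k, v in plan_example().items():
        print(f"{k:14s} {v:8.1f}")
    print("min heartbeat for 5,000 clients (pull):", min_heartbeat_minutes(5_000), "min")
```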
Best Practices: Recommended Client Protection Policies
Malware Protection
Antivirus/Antispyware Policy
Symantec always recommends running SEP with Auto-Protect enabled and routine scheduled scans enabled.
It is typically recommended to start your deployment with a full weekly scan.
If you notice that there are not many infections being discovered via the on-demand scan, it is recommended to decrease the frequency and depth of the scan.
In environments with low infection rates, it is not uncommon to find monthly full scans or weekly quick scans being performed.
Antivirus/Antispyware Policy Cont:
Symantec provides 3 Antivirus and Antispyware policies out of the box. Symantec recommends the default antivirus policy on most machines.
On machines that are slow, have high resource utilization, or where users typically complain of performance, Symantec recommends applying the High Performance policy.
For machines that are mission critical and for machines/users that have a high infection rate (bad Internet hygiene), Symantec recommends applying the High Security Antivirus Policy.
Antivirus/Antispyware Policy Cont:
It is suggested to enable Delay Scheduled Scans if running on batteries. Enabling this feature will typically increase end user satisfaction with the product, since running a full scan while on battery depletes the power quicker.
To further increase end user acceptance of the product, more companies provide the end user the right to stop scans.
It is recommended to keep the defaults on Internet Email Scanning, TruScan*, Quarantine*, and Submissions.
Symantec only recommends installing the Outlook/Lotus plug-ins when antivirus is absent on the mail server.
Antivirus/Antispyware Policy Cont:
Symantec updates definitions three times a day; each day that goes by without a definition update means less protection.
On average, Symantec adds over 20K signatures a day. It is recommended to display a notification to end users if definitions are outdated.
If users have the ability to initiate LiveUpdate, then Symantec recommends lowering the number of days before sending a notification to 5 days when content is out of date.
It is also recommended to set the Internet Browser Protection recovery home page to your company’s website. Most companies redirect to an internal web page with the security policies and escalation procedures.
Antivirus/Antispyware Policy Cont:
*TruScan default settings depend upon the manager version.
• Set sensitivity to High.
• Set the action to Log initially, until exceptions have been addressed, then to Terminate.
• Set the frequency to scan new processes immediately.
Antivirus/Antispyware Policy Cont:
*Quarantine: When is the last time you got anything out of the quarantine?
• Do nothing (for performance)
• If Clean/Delete actions are too drastic due to possible false positive considerations, consider Clean/Quarantine with a short retention.
• Consider the benefits of performance vs. the usefulness of Risk Tracer.
Network Protection
Firewalls and IPS
Reactive:
• Signature-based scanning is not enough alone
• Heuristics are not enough alone
• Behavior technology is not enough alone
Proactive:
• Prevent unsolicited traffic from being accepted
• Prevent accepted traffic from containing threats
Workstations vs. Servers
Firewall Policy
There are 4 traditional configurations that individuals may consider when deploying a client firewall. Each configuration provides a different level of protection and changes the likelihood of encountering false positives and preventing legitimate applications from working.
Firewall Policy
Firewall Disabled: Disabling the firewall minimizes the potential for making a mistake with the configuration that can cause legitimate applications to cease working. Since every network environment is unique, some customers find it easier to keep this technology disabled until there is a need.
In Symantec Endpoint Protection, disabling the firewall but enabling Intrusion Prevention provides additional protection with minimal configuration and false positives.
Block Known Trojan Ports: Choosing to allow all network traffic with the exception of ports commonly associated with known Trojans will provide an additional level of security while minimizing the risk of creating a policy that might block a legitimate application. Although this might provide some protection, the Intrusion Prevention Engine already provides signatures to detect and block most of these exploits.
In this configuration, administrators can choose to block specific applications without the need of knowing what is installed in the environment.
Firewall Policy
Block all Inbound Connections: Configuring the firewall to block all inbound connections greatly reduces the risk of an attacker gaining access to a client’s resources or data. Most applications that get installed on the box will still be allowed to initiate communications which will minimize some of the configuration settings that would need to be configured.
This configuration will not stop all malicious pieces of code from getting installed on the box nor will it prevent the malicious code from communicating important pieces of data to a hacker. This configuration will also block some legitimate corporate applications like management utilities that expect to receive connections from a management server. It is highly recommended to test this configuration thoroughly prior to deploying the configuration.
Some companies have found it easier to deploy this configuration that blocks all inbound connections except from the Servers installed in the organization. This has minimized the number of changes that need to be made as new applications are installed and it has minimized the number of exceptions needed to the policy.
Explicit Deny: In this configuration, the firewall is configured to block all communications except for those settings that you choose to accept. This is the most secure approach to creating firewall policies. This means that any new code introduced to the environment (good or bad) will not be allowed to communicate until an administrator approves it. Although this provides the most secure architecture, constant changes are usually needed to accommodate application changes.
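The four configurations just described, plus the "block inbound except from corporate servers" variant, modelled as first-match decision functions and scored against a handful of constructed flows. This is an added example, not Symantec's firewall engine or policy format: the flows, the server subnet, the placeholder port list and the explicit-deny allow list are constructed. Each flow carries a constructed ground-truth label so the example can count, per configuration, how many legitimate flows it breaks and how many unwanted flows it still lets through, which is exactly the trade-off the text walks through.

```python
"""First-match evaluation of the client-firewall configurations discussed
above against constructed flows. Added example, not Symantec's policy engine:
flows, subnet, port list and allow list are all constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    name: str
    direction: str    # "in" (remote side initiates) or "out" (local app initiates)
    remote_ip: str
    port: int         # local port for inbound flows, remote port for outbound
    app: str
    legitimate: bool  # constructed ground truth, used only to score the policies


SERVER_SUBNET = ip_network("10.10.0.0/24")   # constructed corporate server segment
PLACEHOLDER_TROJAN_PORTS = {12345, 27374}    # placeholder list, not Symantec's
# Explicit-deny allow list: (direction, application, port) tuples an admin approved.
APPROVED = {("out", "browser.exe", 443), ("in", "agent.exe", 9000)}


def fw_disabled(f: Flow) -> str:
    return "allow"


def fw_block_trojan_ports(f: Flow) -> str:
    return "block" if f.direction == "in" and f.port in PLACEHOLDER_TROJAN_PORTS else "allow"


def fw_block_all_inbound(f: Flow) -> str:
    return "block" if f.direction == "in" else "allow"


def fw_block_inbound_except_servers(f: Flow) -> str:
    if f.direction == "in" and ip_address(f.remote_ip) not in SERVER_SUBNET:
        return "block"
    return "allow"


def fw_explicit_deny(f: Flow) -> str:
    return "allow" if (f.direction, f.app, f.port) in APPROVED else "block"


POLICIES = {
    "disabled": fw_disabled,
    "block known trojan ports": fw_block_trojan_ports,
    "block all inbound": fw_block_all_inbound,
    "block inbound except servers": fw_block_inbound_except_servers,
    "explicit deny": fw_explicit_deny,
}

# Constructed traffic sample; addresses come from documentation ranges.
FLOWS = [
    Flow("browser to web site", "out", "203.0.113.10", 443, "browser.exe", True),
    Flow("management server to agent", "in", "10.10.0.5", 9000, "agent.exe", True),
    Flow("remote assistance from a peer workstation", "in", "10.20.3.7", 3389, "assist.exe", True),
    Flow("unsolicited inbound on placeholder port", "in", "198.51.100.7", 12345, "unknown.exe", False),
    Flow("unapproved new tool calling out", "out", "198.51.100.9", 8080, "newtool.exe", False),
]


def score_policy(policy) -> dict[str, int]:
    """Legitimate flows the policy breaks, and unwanted flows it lets through."""
    verdicts = {f.name: policy(f) for f in FLOWS}
    return {
        "blocked_legitimate": sum(1 for f in FLOWS if f.legitimate and verdicts[f.name] == "block"),
        "allowed_unwanted": sum(1 for f in FLOWS if not f.legitimate and verdicts[f.name] == "allow"),
    }


def compare_policies() -> dict[str, dict[str, int]]:
    return {name: score_policy(p) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:30s} {result}")
```

The numbers line up with the prose: "block all inbound" breaks the management-server connection the text warns about, the "except servers" variant repairs that at the cost of one peer-to-peer tool, and only explicit deny stops the unapproved outbound connection, while being the only configuration that needs an allow-list entry for every new application.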
Firewall Policy
Symantec recommends starting the deployment with the firewall disabled and Intrusion Prevention (IPS) enabled. Administrators can then increase the protection on the client by deploying the firewall over time.
Extensive testing should be conducted prior to deploying the firewall policy.
It is also beneficial to consider disabling the firewall when on the corporate network and hardening the firewall when users disconnect from the corporate network.
This is normally done through the Location Awareness feature. Care should be taken when defining network segments. Symantec recommends using multiple network identifiers when creating the policy.
Symantec also recommends the use of Peer to Peer Enforcement between clients. Peer to Peer Enforcement forces a client to block all connections from a remote machine until that machine has proven that it is in compliance with corporate policy.
Intrusion Prevention Policy
Symantec recommends always running IPS on client machines. Symantec makes no recommendations on changing the default settings for IPS.
If administrators or individuals within the organization are running security tools and assessment tools, Symantec does recommend excluding those machines from IPS detection as it may yield false positives.
Note: Symantec does not recommend running the IPS on a Server OS without fully testing.
Proactive Threat Protection
Application and Device Control Policy
Application Control and Device Control are advanced features that can be used to further enhance malware protection for your business. Extreme caution should be used in creating application and device control policies, as these advanced technologies may cause legitimate applications to cease operating.
Symantec recommends using Application Control and Device Control settings only after testing the impact of the policy in your environment. Application Control and Device Control give administrators the ability to restrict the behavior of applications and users in the environment. Since this is a diverse technology, the opportunities are endless as to what can be done.
Application and Device Control Policy
Allow only read to the following keys to prevent tampering with or changing of IE settings:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Application and Device Control Policy
• Consider disallowing execution of autorun
• Consider disallowing execution from USB
Application and Device Control Policy Cont:
Allow only read to the following registry keys that allow applications to start automatically:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
• HKEY_CLASSES_ROOT\comfile\shell\open\command
• HKEY_CLASSES_ROOT\piffile\shell\open\command
• HKEY_CLASSES_ROOT\exefile\shell\open\command
• HKEY_CLASSES_ROOT\txtfile\shell\open\command
Note: Symantec does not recommend running Application Control on a Server OS without fully testing.
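The same read-only key lists, used on the detection side: an added example (not SEP's Application Control engine) that checks constructed registry-access audit lines against the protected keys from the two slides above and flags any non-read access to a protected key or to anything beneath it. The audit line format and the sample events are constructed; the key list is the slides'. Two details matter for a rule like this and are handled here: registry paths are case-insensitive and are often logged with abbreviated hives (HKLM, HKCU), and matching must be per path component, so protecting `...\Run` does not accidentally cover `...\RunOnceExtra`.

```python
"""Audit of registry access events against the read-only key lists on the
slides above. Added example, not SEP's Application Control: the audit line
format and the sample events are constructed; the key list is the slides'."""
from __future__ import annotations

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

PROTECTED_KEYS = [
    # IE / Explorer settings (slide: allow only read)
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    # Autostart locations (slide: allow only read)
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command",
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command",
]

WRITE_ACTIONS = {"write", "create", "delete", "setvalue"}   # anything other than read


def normalize(key: str) -> tuple[str, ...]:
    """Path components with the hive expanded and everything lower-cased
    (registry paths are case-insensitive)."""
    parts = [p for p in key.strip().split("\\") if p]
    hive = parts[0].upper()
    return (HIVES.get(hive, hive), *(p.lower() for p in parts[1:]))


_PROTECTED = [(k, normalize(k)) for k in PROTECTED_KEYS]


def protected_parent(key: str) -> str | None:
    """The protected key that `key` is, or lies under; component-wise so that
    ...\\Run does not match ...\\RunOnce."""
    k = normalize(key)
    for original, parts in _PROTECTED:
        if k[:len(parts)] == parts:
            return original
    return None


# Constructed audit lines: "<timestamp> <action> <process> <key path>"; the key is
# the last field and may contain spaces.
SAMPLE_EVENTS = r"""
2010-05-01T10:00:01 read explorer.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run
2010-05-01T10:00:02 setvalue installer.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater
2010-05-01T10:00:03 write iexplore.exe hkcu\software\microsoft\windows\currentversion\internet settings\ProxyEnable
2010-05-01T10:00:04 write notepad.exe HKCU\Software\Microsoft\Notepad
2010-05-01T10:00:05 write setup.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
2010-05-01T10:00:06 write setup.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceExtra
""".strip().splitlines()


def audit(lines: list[str]) -> list[tuple[str, str, str]]:
    """(timestamp, process, protected key) for every non-read access to a protected key."""
    flagged = []
    for line in lines:
        ts, action, process, key = line.split(None, 3)
        if action.lower() not in WRITE_ACTIONS:
            continue
        parent = protected_parent(key)
        if parent is not None:
            flagged.append((ts, process, parent))
    return flagged


if __name__ == "__main__":
    for ts, proc, key in audit(SAMPLE_EVENTS):
        print(f"{ts} {proc:14s} write to protected key {key}")
```

Three of the six constructed events are flagged: the value set under the machine `Run` key, the lower-cased write to `Internet Settings`, and the write to `Winlogon\Shell`. The read is ignored, the Notepad key is outside the list, and `RunOnceExtra` is not treated as a child of `RunOnce` or `RunOnceEx`.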
LiveUpdate
LiveUpdate Policy
Symantec recommends configuring multiple methods for updating content on clients that are mobile. This will allow systems that are not connected to the corporate network to receive content updates when not connected to the management server.
The most typical recommendation is for customers to create two policies: one in which clients update from the management server while connected to the network, and another policy that has clients update through LiveUpdate directly from Symantec when the client machine is not connected to the corporate network.
Location Awareness
*Symantec typically recommends that administrators create two locations (Default/Internal and External) when using these two LiveUpdate policies.
A default location is provided with each created group.
The default location “LiveUpdate” policy should have the clients contact the SEP Manager (SEPM) for their content updates.
The external location LiveUpdate policy should have clients conduct LiveUpdate calls directly to Symantec’s LiveUpdate site to retrieve content updates.
*Weigh the risks, resource usage and benefits of single vs. multiple locations. Weigh across all policy types.
External LiveUpdate Policy
It is recommended to set the “External” LiveUpdate policy retrieval schedule to every 4 hours.
Remember that Symantec releases certified LiveUpdate content 3 times daily. This will ensure that the client systems stay up to date with the latest security content updates.
External LiveUpdate Policy Cont:
It is also recommended to configure the Advanced Settings to “Allow the user to manually launch LiveUpdate”.
External Location Configuration Cont:
Specify the conditions for this location trigger. In this case, the ability to connect to the management server was the condition used.
Symantec recommends that more than one cond
ition be specified when configuring a location.
LiveUpdate Content
For the smallest possible size of your microdefs, increase the number of downloads to retain.
You sacrifice only the disk space to store them and the CPU cycles to build them.
Exceptions
Centralized Exceptions Policy
• The recommendation for exceptions is to add exceptions as needed. SEP automatically makes exceptions for certain applications, but it is best to add additional exceptions for databases, transactional logs, VMware images, and other items that have a high transactional volume. It is also recommended not to allow employees the ability to add exceptions unless needed. For additional information on default exceptions and on how to add exceptions, please reference the Symantec Online Knowledge Base.
Thank you!
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Brian Pallozzi, [email protected]