Endpoint Protection

  • 1.  Network Auto-Protect Question

    Posted May 01, 2010 02:16 AM
    Hi,

    This is likely a silly question but I am struggling to get my head around it.

    I am trying to understand the risk of not enabling Network Auto-Protect. If it is not enabled, which I believe is the default setting except for the high-security policy, what threat vectors does this open up?

    With Network Auto-Protect disabled what would happen if:
    • An infected file was copied from a file server to a local drive on the endpoint
    • An infected file was executed from a mapped drive

    Thanks

    Dave


  • 2.  RE: Network Auto-Protect Question

    Posted May 01, 2010 02:33 AM
    Hi,
    I hope this helps:
    By default, Auto-Protect scans files as they are written from your computer to a remote computer. Auto-Protect also scans files when they are written from a remote computer to your computer.

    When you read files on a remote computer, however, Auto-Protect might not scan the files. By default, Auto-Protect tries to trust remote versions of Auto-Protect. If the trust option is enabled on both computers, the local Auto-Protect checks the remote computer's Auto-Protect settings. If the remote Auto-Protect settings provide at least as high a level of security as the local settings, the local Auto-Protect trusts the remote Auto-Protect. When the local Auto-Protect trusts the remote Auto-Protect, the local Auto-Protect does not scan the files that it reads from the remote computer. The local computer trusts that the remote Auto-Protect already scanned the files.

    Details:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009081307565748

    Best Regards.
    Fatih


  • 3.  RE: Network Auto-Protect Question

    Posted May 01, 2010 04:26 AM
    We can configure your computer to use a network cache. A network cache stores a record of the files that Auto-Protect scanned from a remote computer. If you use a network cache, you prevent Auto-Protect from scanning the same file more than one time. When you prevent multiple scans of the same file, you might improve system performance. You can set the number of files (entries) that Auto-Protect scans and remembers. You can also set the timeout before your computer removes the entries from the cache. When the timeout expires, your computer removes the entries. Auto-Protect then scans the files if you request them from the remote computer again.


  • 4.  RE: Network Auto-Protect Question
    Best Answer

    Posted May 01, 2010 03:26 PM
    • An infected file was copied from a file server to a local drive on the endpoint
    • AP will pick up the file as it is created and then closed on the local file system if the network scan is turned off. If it were turned on it would pick it up when first accessed on the file server.

    • An infected file was executed from a mapped drive
    • It won't see it if it is turned off. If something is written to the local drives it will see it.

    Best practice is to have it turned on since you don't know if the remote servers have AP on.


    I hope that helps.


    JimW



  • 5.  RE: Network Auto-Protect Question

    Posted May 01, 2010 07:56 PM
    Thanks everyone for your quick responses.  This has helped me to better understand the Network Auto-Protect function.

    Dave