Endpoint Protection


Risk Tracer Questions

Migration User, Jun 03, 2010 04:52 PM

  • 1.  Risk Tracer Questions

    Posted Jun 03, 2010 02:08 PM
    We have utilized Risk Tracer with SAV10 to help determine the source of attacks. We do not have the Symantec firewall deployed, only SAV10 AV/AS. When I was configuring policies to test SEPv11 AV/AS only on servers, I went to enable Risk Tracer and I got a popup message that stated that the firewall was required along with the IPS active response option enabled.

    Why would it change from product to product in regards to the requirements for Risk Tracer?


  • 2.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 02:15 PM
    This is because the network threat protection is doing the work in the SEP product and it's able to produce more data regarding IP and NetBIOS name.


  • 3.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 02:18 PM

    The Risk Tracer feature is a requirement but our servers use the Windows firewall. What's the best way to enable the firewall feature and the active response with IPS for these systems without actually using the firewall or IPS? For example, I don't want to load the SEP firewall and have an allow-all rule.

    Can I simply install the Firewall component but not have an IPS or Firewall policy added to the group to get this to work? Does Windows Security Center still think that the SEP firewall is on and disable the Windows firewall?



  • 4.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 02:24 PM
    It's possible; you need to decide which one you need, but one at a time is enough.

    About Windows Firewall and Symantec Endpoint Protection's NTP
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120816110248


  • 5.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 03:55 PM
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448

    You will have to install NTP and will have to have a Firewall policy applied with an allow-all rule and IPS enabled.
    However even in IPS you can change the action from block to log.


  • 6.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:00 PM
    The problem is my server team doesn't want any extra overhead and I would guess an allow all rule still adds overhead as it still has to inspect traffic. Same thing goes for IPS.


  • 7.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:03 PM
    That's true, however in SEP Risk Tracer depends on NTP and the traffic it captures.


  • 8.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:25 PM

    If I understand it correctly the following is required for Risk Tracer in SEP

    1. NTP installed with a firewall policy and IPS policy applied to group. (Firewall Policy cannot be withdrawn)
    2. IPS policy has to have active response enabled.

    If this is true then as someone stated earlier we have to make the choice of using Risk Tracer and NTP as the firewall or using the Windows firewall and not getting Risk Tracer. NTP and Windows Firewall cannot be enabled at the same time.

    As far as IPS is concerned, can I uncheck Enable Intrusion Prevention, Enable DoS, Enable port scan and leave Active Response enabled? This would at least cut out the possibility of the IPS applying active blocks or detections and reduce some overhead.




  • 9.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:25 PM
    I think the amount of overhead is going to be minimal unless you are on old systems. 


  • 10.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:37 PM
    That would be the best way of going for it. Risk Tracer is something that is little known/used. Still, it is one of the most helpful features of SEP. People only started using it after Downadup came into the picture. Still, we can create an IDEA for making Risk Tracer independent of NTP.


  • 11.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:38 PM
    "If this is true then as someone stated earlier we have to make the choice of using Risk Tracer and NTP as the firewall or using the Windows firewall and not getting Risk Tracer"   Yes this is true.

    NTP and windows firewall can be enabled at the same time.

    Yes, just having active response enabled should work. I'm not sure why you wouldn't want IPS running anyway; I bet you wouldn't even notice the change and you would get the added protection.


  • 12.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:51 PM
    NTP and Windows firewall can be enabled at the same time? I thought SEP NTP turned off Windows firewall.

    As far as IPS is concerned I agree with you about the added protection and not noticing but I'm dealing with server admins who are nervous about adding all of these features at one time. The big picture down the road is to have IPS enabled on servers.


  • 13.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 04:52 PM
    We have been using it with SAV10 for years now.


  • 14.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 05:20 PM
    Yes, I am running with NTP and Windows firewall at the same time.




  • 15.  RE: Risk Tracer Questions

    Posted Jun 03, 2010 05:21 PM
    There are documents that talk about withdrawing the policy, like this one, but I have not seen an issue with just using an allow-all rule.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120816110248


  • 16.  RE: Risk Tracer Questions

    Posted Jun 04, 2010 02:14 PM
    So does withdrawing the firewall policy break Risk Tracer?


  • 17.  RE: Risk Tracer Questions

    Posted Jun 04, 2010 02:30 PM
    The firewall policy needs to be enabled for Risk Tracer. You can create an allow-all rule and keep it enabled and shouldn't experience any issues, as I have noticed in my testing.


  • 18.  RE: Risk Tracer Questions

    Posted Jun 08, 2010 10:18 AM

    How does Active Response work with Risk Tracer? If I had to guess, it automatically blocks the attacker's IP that Risk Tracer captured. If this is the case I would think this option is not required unless you want automatic blocking.

    I've submitted a case with Symantec to get a better understanding of the requirements.



  • 19.  RE: Risk Tracer Questions

    Posted Jun 08, 2010 10:21 AM
    Risk tracer doesn't work without the feature running. 


  • 20.  RE: Risk Tracer Questions

    Posted Jun 08, 2010 05:47 PM
    I tested Risk Tracer with two SEPv11 clients using the example provided by Symantec. These were existing systems with SEP installed with all components. I completely removed SEP using cleanwipe from both systems and manually checked and removed the teefer2 drivers.

    Then I installed new SEPv11 clients from an installer in which I only enabled the AV_AS components and didn't have any firewall or IPS policies applied. I rebooted both systems and checked that only the AV-AS showed up in the client. I also checked for the teefer driver in the network adapter settings, device manager, c:\windows\system32\drivers, and registry and did not find anything.

    I mapped a drive from client A to client B. Disabled Auto-Protect on client A. Copied an eicar.com file from client A to client B. Client B presented an Auto-Protect notification that it blocked eicar.com. Shortly after, a balloon message popped up from SEP and said that traffic was blocked from client A for 10 minutes. Checked the AV logs on the client and SEPM and both show the remote host as the attacker IP.

    Questions/Comments

    1. It appears Risk Tracer is working without Firewall and IPS installed.
    2. Why did the traffic automatically get blocked by IPS if it's not installed and no IPS policy is applied? All of my managed IPS policies are set to 10 seconds active response, by the way.

    3. Has anyone on here responding from Symantec tested Risk Tracer without the firewall and IPS installed? What about testing Risk Tracer with firewall installed, withdrawn firewall policy, no IPS? What about firewall installed, withdrawn firewall policy, IPS policy applied with only active response enabled, IPS disabled?

    I will test all situations described above since the results I'm seeing from my first testing example show that the firewall and IPS are not required for Risk Tracer.


  • 21.  RE: Risk Tracer Questions

    Posted Jun 08, 2010 06:02 PM

    Just checked the IPS log and it shows the application name as Symantec AntiVirus. For other IPS logs the application name always shows something different like the jabber IPS signature will show googletalk. So basically the IPS log tells me Symantec AV reported this issue?



  • 22.  RE: Risk Tracer Questions

    Posted Jun 08, 2010 06:14 PM
    Tested the Eicar example on two servers that only have AV_AS installed, and no other policies. It's been like this from the first install. Guess what, Auto-Protect reported the remote IP address, and the IPS log showed the attacker IP blocked for 10 minutes. These servers have never had the firewall or IPS installed or enabled.

    Can someone from Symantec please test the same thing in your lab and let me know if the documentation and popup message in SEPM for the Risk Tracer configuration is incorrect?


  • 23.  RE: Risk Tracer Questions

    Posted Jun 08, 2010 06:28 PM

    I figured out how IPS is involved with Risk Tracer. My test clients were set to Mixed control with defaults left alone. Therefore the IPS options in the mixed control settings were set to client control. The client user interface tabs had the display IPS notification enabled but greyed out.

    This explains why IPS automatically notified and blocked the attacker PC for 10 minutes (10 minutes is the SEP default).

    As soon as I change it to server control, the IPS alert is not presented because I have it unchecked in the settings, and the autoblock is not triggered because I don't have an IPS policy applied. However, an IPS alert is still logged on the client and server, and AV reports the infection with the source.

    This is exactly the results I expected from Risk Tracer, no need to deploy the firewall or IPS.



  • 24.  RE: Risk Tracer Questions
    Best Answer

    Posted Jun 09, 2010 11:54 AM
    Symantec support contacted me regarding my case and indicated that the firewall and IPS are required as indicated in this discussion.

    I began to think maybe my tests were not done correctly, so I repeated my test described above in a clean environment this morning. Two new systems with fresh OS loads, new SEP installs. Same results!

    First Test (The client interface user control settings for these clients were set to server control. Display IPS notifications was unchecked)
    I mapped a drive from client A to client B. Disabled Auto-Protect on client A. Copied an eicar.com file from client A to client B. Client B presented an auto-protect notification that it blocked eicar.com. Checked the AV and security logs on client. AV log recorded source IP address and the security log recorded an IPS log about the event. Checked SEPM and the same logs are shown as well.

    Second Test (The client interface user control settings for these clients were set to mixed control. Control settings set to client for IPS and Firewall features. Client user interface options greyed out but checked to display IPS notifications.)
    I mapped a drive from client A to client B. Disabled Auto-Protect on client A. Copied an eicar.com file from client A to client B. Client B presented an auto-protect notification that it blocked eicar.com. A few seconds later I received a balloon notification from SEP indicating that the remote IP address of the attacker had been blocked for 10 minutes. Checked the AV and security logs on client. AV log recorded source IP address and the security log recorded an IPS log about the event as well as an active response log. Checked SEPM and the same logs are shown as well.

    Conclusion
    The Risk Tracer feature in SEPv11 appears to work the same as in SAV10. It doesn't require the firewall or IPS active response. I would classify this as reactive/reporting mode since Risk Tracer is only providing the source IP in a report and is not actively taking action.

    When the firewall and IPS "active response" are enabled, the IPS will automatically block the source IP address discovered by Risk Tracer. I would classify this as proactive/real-time response mode. The Risk Tracer logs are also available as well. This can be done in SAV10 as well, but the SEPv11 IPS may be more enhanced with this feature.

    I've asked Symantec support to forward this to an engineer to confirm my findings. This is a very easy test to repeat. Once confirmed by Symantec I believe the information regarding Risk Tracer should be updated to reflect the above information.
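
The two tests above can be repeated from client A with a script. The following is an added example, not something posted in the thread or shipped by Symantec; it assumes client B exposes a share at a placeholder UNC path, that Auto-Protect on client A has been disabled by hand first (as the poster did), and that both clients are SEP-managed. It reports whether the test file survived on client B and whether client A can still reach the share afterwards, which is the visible difference between the reporting-only and active-response outcomes described above.

```powershell
# Added example: reproduce the Risk Tracer test from client A.
# Assumptions: $Share is a placeholder UNC path on client B; Auto-Protect on
# client A is already disabled so the local test file is not removed before copy.
param(
    [string]$Share = '\\CLIENT-B\RTtest',   # placeholder, adjust for your lab
    [int]$WaitSeconds = 15                  # give client B time to react
)

# Standard EICAR test string: a public, harmless AV test signature.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$local = Join-Path $env:TEMP 'eicar.com'

# Write it as ASCII with no trailing newline so the 68-byte signature is intact.
[System.IO.File]::WriteAllText($local, $eicar, [System.Text.Encoding]::ASCII)
Start-Sleep -Seconds 2
if (-not (Test-Path $local)) {
    throw 'Local test file was removed: disable Auto-Protect on client A first.'
}

# Map the share as a drive, as the poster did, then copy the test file over.
New-PSDrive -Name RT -PSProvider FileSystem -Root $Share -ErrorAction Stop | Out-Null
$dest = 'RT:\eicar.com'
$copyError = $null
try {
    Copy-Item -Path $local -Destination $dest -ErrorAction Stop
} catch {
    # Auto-Protect on client B may reject the write outright.
    $copyError = $_.Exception.Message
}
Start-Sleep -Seconds $WaitSeconds

# Interpretation: FileOnClientB should be $false (Auto-Protect on B acted).
# ShareStillReachable $true  -> reporting mode: check B's AV log for A's IP.
# ShareStillReachable $false -> active response blocked A (10 min default).
$sourceIp = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' } |
    Select-Object -First 1).IPAddress
$report = [ordered]@{
    SourceIP            = $sourceIp          # what B's AV log should record
    CopyError           = $copyError
    FileOnClientB       = (Test-Path $dest)
    ShareStillReachable = (Test-Path 'RT:\')
}

Remove-PSDrive -Name RT -Force -ErrorAction SilentlyContinue
Remove-Item -Path $local -Force -ErrorAction SilentlyContinue
[pscustomobject]$report
```

After running it, compare SourceIP with the remote host recorded in client B's AV log and, where active response is on, with the IP in its active response log.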


  • 25.  RE: Risk Tracer Questions

    Posted Jun 09, 2010 12:20 PM

    Risk Tracer relies upon the Windows File and Printer Sharing, does not require anything else

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448



  • 26.  RE: Risk Tracer Questions

    Posted Jun 09, 2010 12:43 PM

    Rafeeq,

    My testing confirms this but Symantec documentation and support people indicate that the firewall and IPS is required for SEPv11. Sure would have saved me time testing this if the documentation was correct for SEP



  • 27.  RE: Risk Tracer Questions

    Posted Jun 09, 2010 12:45 PM
    Thats really a good thing that you tested; that cleared my doubts too ;) Thanks for sharing;


  • 28.  RE: Risk Tracer Questions

    Posted Jun 09, 2010 01:20 PM
    Good to know that..thanks for Sharing your Test Results..