Endpoint Protection


SEP secret sauce for better protection


  • 1.  SEP secret sauce for better protection

    Posted Jan 12, 2010 10:09 PM

    There are a lot of posts about getting computer infections...
    We never hear about what was installed from a SEP perspective, what feature sets were enabled, what policies, how the policies are configured, etc...  So we just tell folks how to clean up, not really how to prevent it in the future.

    Hopefully people can list what settings they enable that are different from the out of box policies, in SEP to help protect their environments.

    I'll start...
    NOTE:  This is for desktops only, and does not address server OSs (e.g. some components are not compatible).

    1.  All features are enabled.  AV, AS, Network Threat Protection (NTP), Proactive Threat Protection (PTP), Device Control, etc.  I deploy it all now, and use policies to enable or withdraw them...
    2.  Users that are Local Admins are a security threat!  They can effectively disable the SEP client, and also allow items to execute.  Extra care must be taken in SEP to lock it down and prevent application execution from within the browser.  Some of this is addressed by others in this thread :-)

    AV policy -

    • Daily Active scan, scanning only 1 compressed file deep, and only executables
    • Weekly Full scan, at defaults
    • Uncheck "Scan when a file is backed up."   - It's redundant!
    • Uncheck "Check floppies" - My PCs don't have floppies
    • Bloodhound is set to maximum
    • Risk Tracer is enabled (which means NTP has to be enabled)
    • Lock all settings, and users are NOT allowed to disable AutoProtect.  I'll find the issue at hand, rather than granting the user that power.
    • All Email options are disabled, as I am scanning at the email server and gateway already.

    TruScan PTP

    • Trojans and Keylogger settings are set to Quarantine.
    • Sensitivity is upped to around 50% or a hair less. (EDIT: Symantec now recommends this set to 100% - move the slider to the far right.)  Your mileage may vary, always test a change before putting it into production.
    • Scan frequency every 15 minutes, from the default 1 hr.

    Submissions
    All clients can submit samples

    NTP is enabled fully.  


    Device and App Control

    • Block all programs from running from a removable device. 
    • Block modification to hosts files
    • Block all autorun.inf files!  There is a sample policy you can download from the Symantec support site that will block autorun.inf files.  It's highly recommended you get it.
    • Import this policy and use it: http://www.symantec.com/business/support/index?page=content&id=TECH132337

    I've had the greatest success in improving security when Network Threat Protection is enabled.  But I still notice that many people are afraid of it...  Well, good luck protecting your networks without it.  SEP without NTP is no better than SAV 9/10.  Not installing NTP, you've basically just set up SAV all over again.
    Today's viruses are far too advanced, and are getting executed in a way that bypasses typical AV scanning methods.  Thus, it needs to be stopped at the network layer.  Think about it: traditional AV is for scanning files.  Network Threat Protection stops threats at the network layer, before the payload has a chance to get saved to the hard drive.  Items like Conficker exploited a Windows RPC vulnerability.  AV can't stop that.  But scan for the traffic that exploits the vulnerability, bam!  Instant protection.

    I also of course advocate a perimeter gateway device that can scan your web traffic.  This includes HTTP, IM, and FTP.  Symantec's WebGate, Barracuda, MessageLabs, etc...
    You also should have an intra-office messaging security suite too.  I've been using Symantec Mail Security for years since the 5.x days.  I love that product.  It scans internal messages for compliance and threats, which is where there is the biggest lapse in security for many offices.  Folks assume that their fancy perimeter hardware devices are all they need.  Well, once inside the network, your hardware will do nothing to stop an internal threat.

    Remember, security in layers.  Does it need to be from different vendors?  I don't think so personally; folks that do believe in this probably think Win95b was the best OS ever.  But it's important that you are examining all ways data can enter and leave the environment, and use products that can scan, identify, and stop threats at all layers of your environment.



  • 2.  RE: SEP secret sauce for better protection

    Posted Jan 12, 2010 11:32 PM
    Hey,

    Great way to put together the Symantec Endpoint settings.

    One of the greatest features is the Group Update Providers.

    Check out the documentation below:

    https://www-secure.symantec.com/connect/videos/group-update-providers-part-1

    https://www-secure.symantec.com/connect/videos/group-update-providers-part-2



    Aniket


  • 3.  RE: SEP secret sauce for better protection

    Posted Jan 12, 2010 11:33 PM

    Title: 'Security Best Practice Recommendations'
    Document ID: 2009010808340848
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009010808340848?Open&seg=ent


  • 4.  RE: SEP secret sauce for better protection

    Posted Jan 12, 2010 11:34 PM

    Title: 'How to use Application and Device Control to limit the spread of a threat.'
    Document ID: 2009041514273648
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009041514273648?Open&seg=ent


  • 5.  RE: SEP secret sauce for better protection



  • 6.  RE: SEP secret sauce for better protection

    Posted Jan 13, 2010 12:55 PM
     Nice additions folks...

    Now do we have any actual customer/users that have some real-world settings that they are using too?


  • 7.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 11:02 AM
     Any more input?

    Surely you would want to better the community by sharing info, and not hoarding it?


  • 8.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 11:44 AM
    I have modified the actual policy or rules quite a bit since posting this:

    https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers#comment-3505511

    but the basics are the same. You can prevent EXE and DLL files from being created or running under the user profile.

    I'm sure it could be a lot cleaner and neater and better, but I'm still learning a LOT about these rules and how they work.....

    app-rule.jpg


  • 9.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 11:48 AM
     Whoa!  That is a crazy rule, I like it.

    Could you attach it as an export?


  • 10.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 01:23 PM
    That is impressive. If you could export it that would be great. I would love to throw this on my test SEPM and work with and see what can be added, improved, etc


  • 11.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 02:00 PM
    I'll try to attach here. Like I said - there are packages for "webinars" and online training and other things that DO install and run DLL files from folders under the user profile, and you'll need to tweak the !@#$ (heck) out of it  ;-)  to make it fit your needs, but here it is.
    And any suggestions for improvement or cleaning it up, making it better, more simple, I'm listening!
    Hmmmm....... I don't see a place to actually attach a file, so...........
    try this - you can find it here and download it from here........... (I hope)
    http://dickerson-design.com/files/






  • 12.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 02:22 PM
    Thanks!


  • 13.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 02:23 PM
     You can attach it to your article.


  • 14.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 02:26 PM
    Does your application and device control policy block USB floppies?  If not, then you should probably re-enable the setting to check floppies.


  • 15.  RE: SEP secret sauce for better protection

    Posted Jan 26, 2010 02:43 PM
    This is for application control - to prevent processes/apps from placing EXE and DLL files in the profile area where they can be placed and run freely, like the rogue AV apps, etc.
    This isn't for checking floppies, which would be a different topic.
    HOWEVER, I do restrict USB drives in the DEVICE control side.
    This is app side only, and if there's an app running from a CD or floppy that tries to install something in the profile area, then the above would/should catch it, too..........

    Oh, thanks Vikram...........


  • 16.  RE: SEP secret sauce for better protection

    Posted Jun 03, 2010 04:41 PM
    Bumping this up, as I've been running into a lot of misconfigured SEPMs lately...


  • 17.  RE: SEP secret sauce for better protection

    Posted Jun 04, 2010 07:35 AM
    >>All Email options are disabled, as I am scanning at the email server and gateway already.<<
    That's from the original post, however, unless you are running a Symantec product at the email gateway or server, I fully disagree with that statement.
    When I was at PFG, SAV routinely caught stuff Trend missed.
    Here with the state, SEP routinely catches stuff SOPHOS and their other product gateway miss.
    Two levels are far better than one, and even if it's a Symantec product, they work differently, so I will never disable email scanning on a client, ever. It's saved our tails far too many times, I've seen it in action.


  • 18.  RE: SEP secret sauce for better protection

    Posted Jun 17, 2010 06:11 PM
    ShadowsPapa, security in layers.  This is why the Protection Suite Enterprise Suite is such a big deal for my customers.  You get endpoint, email, and gateway protection.  And more.  For less than 3 products sold à la carte.  It's crazy that Symantec can charge so little for the 9 products in that Suite.

    But it is important that if you do NOT have perimeter protection and equally good mail server protection, that you should enable the client side email protection, so that attachments can be scanned properly upon access/opening.






  • 19.  RE: SEP secret sauce for better protection

    Posted Jun 17, 2010 09:57 PM

    After opening a support case with Symantec, they have advised us to disable the Outlook auto protect, as it is only for scanning of attachments prior to them being opened.

    Since the on-access disk scanner will pick this up anyway when the temp files are written to disk on opening the attachment, this was an acceptable solution to fix the massive delay within Outlook when the plugin was enabled. We also have perimeter scanning of email, so this was an overall no-brainer.




  • 20.  RE: SEP secret sauce for better protection

    Posted Jun 18, 2010 10:36 AM

    Two more Symantec articles that may be useful.  Just came across these, so I can't give first-hand input yet.

    Security Response recommendations for more aggressive Symantec Endpoint Protection (settings):  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948


    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security (importable policy): http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050810365948
     

     

     




  • 21.  RE: SEP secret sauce for better protection

    Posted Jun 18, 2010 02:40 PM

    Thanks for pointing out the Hardening policy - good stuff in there.

    I'm following pretty much all the recommended settings tightened pretty well. We have multiple Windows policies in place and multiple other levels of protection, as well. However, I still have the most problems with non-detected stuff (usually .exe's) getting into the following places:
    %UserProfile%\Local Settings\Temp\
    %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\random_folder\

    Generally, I'll get some sort of traffic warning or some other clue (multiple IE pop-ups) that there is an infection, but SEP is not detecting anything until a day after I submit the suspicious file for analysis.

    Has anyone come up with a policy to restrict malware in the above folders without impacting IE functionality?



  • 22.  RE: SEP secret sauce for better protection

    Posted Jun 18, 2010 03:30 PM
    Another prime location is:
    %UserProfile%\Local Settings\Application Data\random_folder\randomfile.exe
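    As an added example (not code from this thread or from Symantec): a PowerShell audit that lists which executables actually sit in the profile locations named in posts 21 and 22, the same area the Application Control rule in post 8 targets, so a block rule can be baselined against legitimate webinar/training installers before it is switched from log to block. It goes beyond the extension-based rule the posts describe by also checking the MZ header, so a renamed dropper is still listed; the paths are the XP layout quoted above (adjust for Vista/7), and the function name Test-PeHeader is an assumption of this example.

```powershell
# Added audit example (not from this thread or from Symantec): enumerate
# executables in the user-profile locations the posts above name, so an
# Application Control rule can be baselined before it is set to block.
# Paths are the Windows XP layout quoted in the thread; adjust for Vista/7
# ($env:LOCALAPPDATA\Temp etc.) as needed. Written for PowerShell 2.0+.
$Locations = @(
    "$env:USERPROFILE\Local Settings\Temp",
    "$env:USERPROFILE\Local Settings\Temporary Internet Files\Content.IE5",
    "$env:USERPROFILE\Local Settings\Application Data"
)

function Test-PeHeader {
    # True when the file starts with the 'MZ' DOS stub, i.e. it is a Windows
    # executable whatever its extension says (renamed droppers are common).
    param([string]$Path)
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $buf  = New-Object byte[] 2
            $read = $stream.Read($buf, 0, 2)
            return ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally {
            $stream.Close()
        }
    } catch {
        return $false   # locked or unreadable file: judged by extension only
    }
}

$findings = foreach ($loc in $Locations) {
    if (-not (Test-Path -LiteralPath $loc)) { continue }
    Get-ChildItem -LiteralPath $loc -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $isPe = Test-PeHeader $_.FullName
            if ($isPe -or $_.Extension -match '^\.(exe|dll|scr|com)$') {
                New-Object PSObject -Property @{
                    Path     = $_.FullName
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Modified = $_.LastWriteTime
                    PeHeader = $isPe
                }
            }
        }
}

# Newest first: a fresh executable here right after a browser pop-up storm
# is the pattern post 21 describes.
$findings | Sort-Object Modified -Descending |
    Select-Object Modified, SizeKB, PeHeader, Path | Format-Table -AutoSize
```

    Run it under the affected user's account (the paths resolve per user); anything listed that is not a known installer is a candidate for submission and for the block rule's path pattern.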


  • 23.  RE: SEP secret sauce for better protection

    Posted Sep 07, 2010 01:19 PM
    After pushing this link/thread for a number of months to customers and the like, I've seen a dramatic reduction in calls about outbreaks.
    However, one cannot rest with just an Endpoint product, Symantec or otherwise...  

    That said, some updated content will be added shortly to my original post.

    Also, please read up on Power Eraser, Symantec's new tool to aggressively remove malware from a system.  Similar in function to Malwarebytes, but seems to scan faster in my few tests in running it on clean systems (have yet to try it on an infected system).
    https://www-secure.symantec.com/connect/videos/power-eraser-overview
    https://www-secure.symantec.com/connect/blogs/we-are-pleased-announce-symantec-power-eraser

    Also, the Symantec Endpoint Recovery Tool (SERT)
    A bootable ISO used to scan machines while offline to clean systems of threats.  Built on what seems to be the same ISO that BESR is built on.  Note: It needs Internet access to get the latest defs, and as long as you don't have some generic whitebox with an obscure NIC, it should work fine.
    https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert


  • 24.  RE: SEP secret sauce for better protection

    Posted Dec 16, 2010 10:38 PM

    I love this policy:

    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security (importable policy): http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050810365948