Frequently asked questions about how Symantec Critical System Protection 4.5 protects your computer

Article:TECH112761  |  Created: 2005-01-10  |  Updated: 2007-01-18  |  Article URL http://www.symantec.com/docs/TECH112761
Article Type
Technical Solution


Issue
This document provides answers to frequently asked questions about how Symantec Critical System Protection (Symantec CSP) 4.5 provides computer protection.


Solution
Does Symantec CSP 4.5 provide Day 0 protection?
Yes, Symantec CSP provides Day 0 protection against threats that behave in ways that are not normal and expected for that computer. Symantec CSP does this by managing processes' access to and interaction with resources, rather than looking for known signatures. Regardless of the attack type, Symantec CSP's process behavior controls permit a program (or its child programs or processes) to access only those resources that are defined in the policy. It stops Day 0 attacks without causing disruption by applying behavioral controls on all processes that are running on the system.

How does Symantec CSP protect against memory resident viruses?
Some viruses reside in memory by exploiting buffer overflow vulnerabilities in network servers. The virus connects over the network, overflows the buffer, and writes its malicious code into the server's memory.

Typically, the malicious code causes the infected server to access files, registry keys, or the network in ways that are not normal for that server. Because the means of access is not normal for the infected server, the Symantec CSP policies deny that access.

Symantec CSP policies provide the following specific types of protection against these viruses:
  • The policies block connections from remote systems that are not explicitly permitted. Because most remote systems are not permitted, a virus arriving from one of them cannot connect to the target service program and so cannot trigger the buffer overflow.
  • The policies detect buffer overflows in common services and daemons. If a buffer overflow does occur and the malicious code attempts to access resources, the Symantec CSP agent recognizes that the access request is coming from injected code and denies the access.
  • The policies detect unusual requests for access to resources. If you disabled buffer overflow detection in the policy and the agent cannot tell that a request is coming from injected code, the agent still blocks unusual attempts to access files, registry keys, or the network. For example, most memory resident viruses try to modify the system configuration so that the virus is started each time the computer starts. To do this, they attempt to write themselves into a file in a system directory and to modify specific registry keys. Because these activities are not normal for the infected server, the Symantec CSP agent prevents the virus from accessing these resources.
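The following is an added example, not Symantec CSP code or policy syntax, that models in plain Python the three layers described in the Day 0 answer and the bullets above: a default-deny policy per process, inherited by the child processes it spawns, that refuses connections from unlisted peers, refuses any request flagged as coming from injected code, and refuses file and registry writes outside the permitted set even when injected-code detection is turned off. The policy format, the `Event` fields (including the `injected` flag that stands in for buffer overflow detection), and the sample event stream are assumptions constructed for the illustration.

```python
"""Toy behavioural access-control policy modelled on the FAQ text above.
Not Symantec CSP code; the policy format and event fields are assumed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional
import ipaddress


@dataclass
class ProcessPolicy:
    inbound_peers: list = field(default_factory=list)    # CIDRs allowed to connect in
    file_writes: list = field(default_factory=list)      # glob patterns of writable paths
    registry_writes: list = field(default_factory=list)  # glob patterns of writable keys


@dataclass
class Event:
    process: str                    # image name of the acting process
    kind: str                       # "connect_in", "file_write" or "registry_write"
    target: str                     # peer address, file path or registry key
    parent: Optional[str] = None    # parent image, used when the child is not named in the policy
    injected: bool = False          # request came from code outside the process image
                                    # (the FAQ's "buffer overflow detection")


# Constructed policy: a web server may accept clients from the corporate
# network, write its own logs and temp files, and touch nothing else.
POLICIES = {
    "httpd": ProcessPolicy(
        inbound_peers=["10.0.0.0/8"],
        file_writes=["/var/www/logs/*", "/tmp/*"],
        registry_writes=[],
    ),
}


def _matches(patterns, value):
    # Normalise case and separators so Windows registry paths compare like file paths.
    value = value.lower().replace("\\", "/")
    return any(fnmatchcase(value, p.lower().replace("\\", "/")) for p in patterns)


def decide(event, policies=POLICIES, detect_injected=True):
    """Return (allowed, reason). Default deny: anything the policy does not
    name is refused, whatever the attack that triggered the request."""
    # A child process inherits the policy of the parent that spawned it.
    policy = policies.get(event.process) or policies.get(event.parent)
    if policy is None:
        return False, "no policy for process or its parent"

    # Even a permitted resource is refused when the request comes from
    # injected code, e.g. after an overflowed stack buffer.
    if detect_injected and event.injected:
        return False, "request originates from injected code"

    if event.kind == "connect_in":
        peer = ipaddress.ip_address(event.target)
        if any(peer in ipaddress.ip_network(c) for c in policy.inbound_peers):
            return True, "peer explicitly permitted"
        return False, "remote peer not permitted"
    if event.kind == "file_write":
        if _matches(policy.file_writes, event.target):
            return True, "path permitted"
        return False, "file write outside policy"
    if event.kind == "registry_write":
        if _matches(policy.registry_writes, event.target):
            return True, "key permitted"
        return False, "registry write outside policy"
    return False, f"unknown event kind {event.kind!r}"


# Constructed event stream: normal traffic, then what a memory-resident
# worm does after overflowing httpd (staging, persistence, child shell).
SAMPLE_EVENTS = [
    Event("httpd", "connect_in", "10.20.30.40"),
    Event("httpd", "file_write", "/var/www/logs/access.log"),
    Event("httpd", "connect_in", "203.0.113.7"),                       # outsider
    Event("httpd", "file_write", "/tmp/stage.bin", injected=True),     # from shellcode
    Event("httpd", "file_write", "/etc/init.d/updater"),               # persistence
    Event("httpd", "registry_write",
          r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"),  # persistence
    Event("sh", "file_write", "/tmp/out.txt", parent="httpd"),         # child, inherits
    Event("sh", "file_write", "/etc/passwd", parent="httpd"),          # child, denied
]


def evaluate(events=SAMPLE_EVENTS, detect_injected=True):
    """Run the policy over an event list and return
    (process, kind, target, allowed, reason) tuples."""
    return [(e.process, e.kind, e.target, *decide(e, detect_injected=detect_injected))
            for e in events]


if __name__ == "__main__":
    for row in evaluate():
        print("ALLOW" if row[3] else "DENY ", *row[:3], "-", row[4])
```

Running it prints the allow/deny trace for the eight events. Calling `evaluate(detect_injected=False)` shows the point of the third bullet: the staging write from injected code is then permitted because `/tmp/*` is in policy, but the persistence writes to the init directory and the Run key are still refused because they fall outside it.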

Can Symantec CSP take a hash of a file to determine whether the file has been tampered with?
No, Symantec CSP does not hash files to determine whether the file is changed. The protection functions provided in Symantec CSP are designed to prevent unwanted changes rather than to report whether changes have been made.

Can Symantec CSP detect slow port scans?
Symantec CSP can detect slow port scans only if the scan attempts to establish a connection in a way that Symantec CSP has been configured to monitor or prevent.

Does Symantec CSP have a network monitoring option?
Symantec CSP does not have a mechanism to capture packets or to collect network usage statistics. However, you can use the profile feature to capture every inbound or outbound network connection for one or more processes.


Security questions

How are the configuration settings stored on the agent and how are they secured?
The agent's configuration settings are stored in the Agent.ini file. Though the file is not encrypted, Symantec CSP hides this file from the rest of the system.

In addition, Symantec CSP default policies prevent users from running the agent configuration tool (sisipsconfig), which is used to change the settings in the Agent.ini file. If you want users to run the agent configuration tool, you can enable policy options that permit only specified users or groups, who are authenticated by Active Directory or LDAP, to run the tool. To configure access for running the tool, use the following General Interactive Program Options:
  • "Allow Symantec Critical System Protection Configuration Tools to run with Full privileges for specific users"
  • "Allow Symantec Critical System Protection Configuration Tools to run with Full privileges for specific groups"

How does the agent protect itself?
At each agent computer, the Symantec CSP policies protect all resources that are associated with Symantec CSP, including access to the agent. Symantec CSP resources are hidden from all other programs on the computer so that those programs are not aware that Symantec CSP exists.

In addition, the agent driver loads at the kernel level, so it cannot be bypassed at startup. The agent cannot be remotely disabled because none of its protection features run in Windows user mode; they run in the kernel driver.

Though the policy can be disabled locally by using the Policy Override Tool, this tool has built-in protections. When you disable the Policy Override option in the Global Policy Options on the management server, users at the agent computers cannot run the Policy Override Tool and so cannot disable the policy on the local computer.

If you enable the Policy Override option, then users can disable the policy at the local computer. However, users who want to use the Policy Override Tool must type a code that they see on the screen before they can disable the policy. In addition, users cannot disable the policy at the local computer unless they also set a time at which the agent automatically re-enables the policy.

How does Symantec CSP protect communications between the management server and the management console?
Communications between the management server and the console are secured with Secure Sockets Layer (SSL) channel encryption using X.509 certificates (HTTPS). Access to any specific Symantec CSP Management Server requires a User Interface (UI) certificate and a certificate password. The management console logon dialog box provides the means to specify the certificate and password information.



References
Frequently asked questions about Symantec Critical System Protection 4.5
Frequently asked questions about Symantec Critical System Protection 4.5 installation
Frequently asked questions about Symantec Critical System Protection 4.5 policies
Frequently asked questions about configuring Symantec Critical System Protection 4.5 for upgrades to other products




Legacy ID
2005061009574653

