Mumbai Security and Compliance User Group

SNAC Self Enforcement for Virus Definition Compliance 

Feb 25, 2013 03:16 PM

I have come across a lot of customers who hold a Symantec Network Access Control (SNAC) licence but are not using it. It is part of the Symantec Protection Suite 3 or 4 that you may already have.

The usual reasons are that they find it complicated to configure, do not see how it fits their organizational goals, or simply are not aware of Self-Enforcement, i.e. SNAC Host Integrity (HI) policy enforcement without any hardware enforcer or DHCP plug-in enforcer.

So here I would like to present an example where you block clients with outdated definitions until they are either updated through another source or attended to manually.

Today, protecting your endpoints with signature-based protection alone is not enough, and if the virus definitions are outdated on top of that, it defeats the purpose of running antivirus on your endpoints at all.

Many organizations view virus definition compliance as a major security concern, yet they do not know how to deal with the machines/assets that have older definitions.

So here is how SNAC can help you tackle this problem.

The best part is that it requires no hardware enforcer or DHCP software plug-in to be configured.

Pre-requisites:

1.       Make sure your SEPM is SNAC-ready, i.e. you see the Host Integrity Policy option under the Policies tab. If you do not, you can add the SNAC.xml licence file to the License folder on the SEPM.

2.       Network Threat Protection must be installed on the clients, because the quarantine is enforced by the client firewall.

3.       Even though we normally keep servers and desktops in different groups, confirm that they really are, as you will not want your servers quarantined because of old definitions and interrupting your business operations.

4.       Understand that by blocking clients you will be interrupting their day-to-day work, so have your management on your side to justify the cause.

5.       Most importantly, understand how critical updated definitions are, but do not set the bar too high when you start blocking clients with older definitions. For example, if 20% of your clients have definitions older than 3 days, start with a higher number of days and reduce it as compliance improves.
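Prerequisite 5 is easier to follow with numbers in hand. The script below is an added example, not part of the original post and not a SEPM feature: given the definition age of every client in the pilot group, it picks the largest "not older than N days" threshold that quarantines no more than a chosen share of clients on day one, and then lists the thresholds to apply as you tighten towards the target. The client ages are constructed sample data (20 clients, 4 of them older than 3 days, as in the post's example); in practice you would derive them from the definition date shown per client in the SEPM computer status report. The assumption that the HI check fails when the age is strictly greater than N is marked in the code.

```python
"""Pick and ramp down a Host Integrity 'definitions older than N days' threshold.

Added example, not part of the original post or of SEP/SNAC.  SAMPLE_AGES is
constructed data: client name -> age of its current virus definitions in days.
4 of the 20 clients (20%) are older than 3 days, matching the post's example."""

SAMPLE_AGES = {
    "WS-001": 0, "WS-002": 0, "WS-003": 0, "WS-004": 1, "WS-005": 1,
    "WS-006": 1, "WS-007": 1, "WS-008": 2, "WS-009": 2, "WS-010": 2,
    "WS-011": 2, "WS-012": 3, "WS-013": 3, "WS-014": 3, "WS-015": 3,
    "WS-016": 3, "WS-017": 5, "WS-018": 9, "WS-019": 14, "WS-020": 40,
}


def would_fail(ages, max_days):
    """Clients that an HI 'signature file not older than max_days' check would
    send to quarantine.  Assumption: the check fails when the definition age is
    strictly greater than max_days."""
    return sorted(name for name, age in ages.items() if age > max_days)


def share_older_than(ages, max_days):
    """Fraction of the fleet that would be quarantined at this threshold."""
    return len(would_fail(ages, max_days)) / len(ages)


def starting_threshold(ages, max_quarantined=0.05, floor_days=3):
    """Smallest threshold (never below floor_days) at which no more than
    max_quarantined of the clients would be quarantined on day one."""
    for days in range(floor_days, max(ages.values()) + 1):
        if share_older_than(ages, days) <= max_quarantined:
            return days
    # Only reached when even the oldest client is within floor_days.
    return floor_days


def tightening_schedule(start_days, target_days, step=3):
    """Thresholds to apply at successive review points while ramping down from
    the pilot value to the target; the list always ends on the target."""
    schedule = []
    days = start_days
    while days > target_days:
        schedule.append(days)
        days -= step
    schedule.append(target_days)
    return schedule


if __name__ == "__main__":
    print("share older than 3 days:", share_older_than(SAMPLE_AGES, 3))
    start = starting_threshold(SAMPLE_AGES, max_quarantined=0.05)
    print("pilot threshold:", start, "days; quarantined:", would_fail(SAMPLE_AGES, start))
    print("ramp-down:", tightening_schedule(start, 3))
```

With this data a 5% cap gives a pilot threshold of 14 days (only WS-020 is blocked), and a schedule of 14, 11, 8, 5, 3 days; rerun it against fresh ages before each step so you only tighten when the fleet has actually caught up.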


Now to the simple part, configuring the policy:

1.       Edit the Host Integrity policy, and under Requirements click Add and select "Antivirus Requirement".


2.       Give it any name that suits the policy requirement. "Start antivirus if it is not running on the client" is optional, but you can still enable it and give the command to start the service.

3.       Under Antivirus signature file checking, make sure you select the right number of days, and make sure it is days and not definition revision. Additionally you can give a location from which the definitions can be downloaded; it can be any location, as long as a quarantined client can still reach it. Click OK and you are done with configuring the requirement.

4.       Under Advanced Settings, it is highly recommended to set a notification for each type of notification selected, so that users are aware of what is happening on their machine and why. They should not panic and think their machines have been hacked.

5.       Now assign the Host Integrity policy to all the groups on which you want it activated. Start with a pilot batch of a few clients and, after gaining confidence, increase the number of groups.

6.       Go to the Policies tab, Firewall Policy, and create a new firewall policy. Name it Quarantine, SNAC, or any other name that relates to the policy.

7.       Select all the default rules and delete them.

8.       Click Add Rule, name it Allow Basic, click Next, select Allow Connection, and click Next until you reach Network Services. Then add DNS, DHCP, LDAP, FTP (or whichever protocol the remediation download location from step 3 uses) and/or your email application and ports.

Note: You can build your allow list to include applications such as cmd.exe or your business application (under Applications), any specific port or additional service, or a few machines these clients should still be allowed to reach, such as your ticketing system. Keep the list minimal: every allowed service is a path out of quarantine for a client whose definitions are known to be stale.

9.       Below this rule add another rule to block all communications. The client evaluates firewall rules top-down and applies the first match, so the block rule must stay below the allow rule. NOTE: Do not assign this firewall policy to any group as a regular policy; it is applied only as a quarantine policy in the steps that follow.

10.       After creating the policy, under the Clients tab select the group to which you assigned the SNAC HI policy and go to the Policies tab at the top.


11.       Under Quarantine Policies when Host Integrity Fails, click Add Policy.

12.       Select Quarantine Firewall Policy, click Next, select Existing Shared Policy and pick the policy created above. Then do the same for the other groups in which you want this policy applied.

13.       Once a client is blocked, the user will either call the helpdesk or update the definitions manually. Once the definitions are updated, the HI status changes to Approved and the client runs normally again with its existing policies. The quarantine applies per client: only the client that fails the HI check is blocked, not the whole group.

14.       Other than blocking client machines with the firewall, you can also add a Quarantine LiveUpdate policy that directs the client to connect directly to the internet, to a LiveUpdate Administrator (LUA) server if you already have one, or directly to the SEPM, bypassing the GUP.

15.       Most importantly, you can also view logs and reports of the machines on which HI compliance failed.
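When the pilot starts blocking clients, step 15 is where you find out why each one failed, and the two failure modes that come up in the comments below (the remediation download URL not reachable from quarantine, and the user postponing remediation) need different fixes. The script below is an added example, not part of the original post and not a SEPM feature: it parses the per-requirement Host Integrity log text in the layout quoted in the comments on this page (Requirement name / Condition / Result is pass|fail / Error lines) and sorts clients into "compliant", "remediation download failed" and "user postponed remediation". The three client logs are constructed, abbreviated samples in that layout, keyed by hypothetical client names; they are not real client output, and the remediation URL in them is the one quoted in the comments.

```python
"""Triage Symantec Host Integrity requirement logs by failure reason.

Added example, not part of the original post or of SEPM.  The parser follows
the log layout quoted in the comments on this page; SAMPLE_LOGS are
constructed, abbreviated logs in that layout keyed by hypothetical clients."""
import re

SAMPLE_LOGS = {
    "WS-101": """\
Requirement name: "Antivirus requirement 1".
Condition: Antivirus is running.
Result is pass.
Condition was checking "Symantec Endpoint Protection".
Condition: Antivirus signature file is up to date.
Result is fail.
Condition was checking "Symantec Endpoint Protection".
Processing remediation actions.
Condition: File download complete.
Condition was checking "ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/static/symcdefsv5i64.exe".
An error occurred.
Error: URL not accessible or failed to create destination file.
Condition: Remediation status.
Remediation postponed.
Requirement name: "Antivirus requirement 1".
Result is fail.
""",
    "WS-102": """\
Requirement name: "Antivirus requirement 1".
Condition: Antivirus is running.
Result is pass.
Condition: Antivirus signature file is up to date.
Result is fail.
Processing remediation actions.
Condition: File download complete.
Condition was checking "ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/static/symcdefsv5i64.exe".
Result is fail.
Error: user postponed remediation.
Requirement name: "Antivirus requirement 1".
Result is fail.
""",
    "WS-103": """\
Requirement name: "Antivirus requirement 1".
Condition: Antivirus is running.
Result is pass.
Condition: Antivirus signature file is up to date.
Result is pass.
Requirement name: "Antivirus requirement 1".
Result is pass.
""",
}

REQ_RE = re.compile(r'^Requirement name: "(.*)"\.$')
COND_RE = re.compile(r'^Condition: (.*)\.$')
TARGET_RE = re.compile(r'^Condition was checking "(.*)"\.$')
RESULT_RE = re.compile(r'^Result is (pass|fail)\.$')
ERROR_RE = re.compile(r'^Error: (.*)\.$')


def parse_hi_log(text):
    """Turn one requirement log into {requirement, result, conditions, errors, postponed}.
    A 'Result is' line inside a condition belongs to that condition; the one after
    the closing 'Requirement name' line is the overall verdict."""
    report = {"requirement": None, "result": None, "conditions": [], "errors": [], "postponed": False}
    current = None  # the condition block we are currently inside, if any
    for line in (raw.strip() for raw in text.splitlines()):
        if m := REQ_RE.match(line):
            report["requirement"] = m.group(1)
            current = None
        elif m := COND_RE.match(line):
            current = {"name": m.group(1), "target": None, "result": None}
            report["conditions"].append(current)
        elif (m := TARGET_RE.match(line)) and current:
            current["target"] = m.group(1)
        elif m := RESULT_RE.match(line):
            if current:
                current["result"] = m.group(1)
            else:
                report["result"] = m.group(1)
        elif m := ERROR_RE.match(line):
            report["errors"].append(m.group(1))
        elif line == "Remediation postponed.":
            report["postponed"] = True
    return report


def classify(report):
    """Map a parsed log to the action the SEPM admin has to take."""
    if report["result"] == "pass":
        return "compliant"
    errors = " ".join(report["errors"]).lower()
    if "url not accessible" in errors:
        return "remediation download failed"   # fix the URL or the quarantine allow list
    if report["postponed"] or "postponed" in errors:
        return "user postponed remediation"    # disable postponing under Remediation Dialog Options
    failed = [c["name"] for c in report["conditions"] if c["result"] == "fail"]
    return "failed: " + ", ".join(failed) if failed else "failed"


def triage(logs):
    """{client: category} for a batch of logs, one log text per client."""
    return {client: classify(parse_hi_log(text)) for client, text in logs.items()}
```

Run `triage(SAMPLE_LOGS)` to get WS-101 as a download failure, WS-102 as a postponement and WS-103 as compliant. A download failure on a quarantined client usually means the allow rule in the quarantine firewall policy does not cover the protocol or host of the remediation location, which is why that rule must be built around the URL you entered in step 3.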

Comments

Jun 21, 2017 07:51 PM

Has anyone solved this issue?

Jun 21, 2017 07:50 PM

Have you solved this issue?

Jun 21, 2017 07:34 PM

Has anyone solved this issue?

Nov 09, 2015 09:03 AM

Hello @JUSTICE, I appreciate your response.
I checked that and no, the user is not allowed to cancel the download. In fact the log says this:

Requirement name: "Antivirus requirement 1".
--- Start checking requirement conditions ---.

Rule type: Antivirus enforcement.

Condition: Antivirus is running.
Result is pass.
Condition was checking "Symantec Endpoint Protection".

Condition: Antivirus signature file is up to date.
Result is fail.
Condition was checking "Symantec Endpoint Protection".

Processing remediation actions.

Condition: File download complete.
Condition was checking "ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/static/symcdefsv5i64.exe".
An error occurred.
Error: URL not accessible or failed to create destination file.
[Details: URL not accessible or failed to create destination file]

Processing remediation actions.
Condition: Remediation status.
Remediation postponed.
[Details: 11/09/2015 11:41:42]

Requirement name: "Antivirus requirement 1".
Result is fail.

When I try to access the URL I can do that. Maybe the issue is in the command that I use to execute the downloaded file (%F% /q) or in the LiveUpdate policy, I don't know.

I'm testing this policy so I'm "playing" with it, but I want to use it in our production environment, so any help is appreciated.

Nov 05, 2015 11:25 AM

@_Damian, it appears the HI policy allows the user to "postpone" remediation as reflected in the error message. This has always been a "thorn in my side" as I do not want the user to postpone remediation to put the endpoint back into compliance under a HI check. Check on this setting in your HI policy under consideration. See Advanced Settings > Remediation Dialog Options

Nov 05, 2015 10:54 AM

Hi,

Anyone know why I get this error message?
Requirement name: "Antivirus requirement 1".
--- Start checking requirement conditions ---.

Rule type: Antivirus enforcement.

Condition: Antivirus is running.
Result is pass.
Condition was checking "Symantec Endpoint Protection".

Condition: Antivirus signature file is up to date.
Result is fail.
Condition was checking "Symantec Endpoint Protection".

Processing remediation actions.
Condition: File download complete.
Condition was checking "ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/static/symcdefsv5i64.exe".
Result is fail.
Error: user postponed remediation.
[Details: 11/05/2015 13:35:26]

Requirement name: "Antivirus requirement 1".
Result is fail.

May 22, 2015 07:23 AM

Thanks mate.

May 21, 2015 09:47 AM

@Jeshrel, only the client that fails the HI check. You also want to ensure the changes are made to the relevant [test or production] SEPM Group and check the Policy Serial Number. Also check on your Compliance logs to see what is occurring as in HI success or failings.

May 21, 2015 08:41 AM

Hi Vikram,

Great article.

After I apply the quarantine policy, if one client fails, will the entire group be blocked or only the client that fails the HI check?
Feb 02, 2015 11:37 AM

Your last response said that I have to put the complete URL for the file download. Based on that suggestion, I'm planning to use this URL:

ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/static/symcdefsi64.exe

This virus definition file is for 64 bit clients.  So I suspect that this would only update the definitions on a 64 bit client and fail on a 32 bit client.  Since I do not see an option to specify 32 bit or 64 bit in the Host Integrity policy, I would like to know how to make this work.

Jan 29, 2015 03:26 PM

The file name remains the same; it gets replaced with a new file, so you need to put the complete URL for the file download.

Jan 29, 2015 02:49 PM

In the screenshot you provided above you show this Download URL:

ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/static

There are many files located at that site. Are the SEP client and Host Integrity smart enough to know what they need to download?
Nov 21, 2014 08:36 AM

Hello Vikram,

I need to use the latest IU file in the FTP location and use the command %F% to install the definitions, right?

It would still work even if I am not using any quarantine policy to block the clients, right?

Nov 17, 2014 08:42 AM

Is neither working?

Nov 17, 2014 01:03 AM

Hi,

I am testing HI and would like the below:

1. Check if SEP client is installed, if not install from the network path provided.

2. Check if the definitions are within the past week. If not, update from the network path provided.
Unfortunately they are not working. Can someone please help with screenshots? Below is the settings I have done.

Screenshot attached.

HI_0.PNG

Apr 13, 2014 10:42 AM

What I see on a daily basis I wish client/customers would deploy SNAC in their environment as they are entitled to it. As a SEPM admin we can advise and recommend - not make the final decisions for an operational issue and problem in the environment. BRAVO ZULU as always Vikram and Team Symantec.

Jun 06, 2013 08:55 PM

Thanks Vikram !

Feb 28, 2013 09:58 PM

The official best practice says to upgrade your SEPM to add SNAC.

Feb 27, 2013 02:39 PM

Excellent article. Is there one on how to add SNAC after SEPM has already been installed? I've seen a few ways but not an *official* from Symantec. Unless I missed it...
