SNAC Self Enforcement for Virus Definition Compliance
I have come across a lot of customers who have a Symantec Network Access Control license but are not using it. It is part of the Symantec Protection Suite 3 or 4 that you might have.
The simple reason could be that they find it complicated to configure, do not understand how it fits their organizational goals, or are simply not aware of Self-Enforcement, i.e. SNAC Host Integrity (HI) policy enforcement without any hardware or DHCP plug-in enforcer.
So here I would like to present an example where you can block clients with older definitions until they are either updated through other sources or manually attended to.
Today, protecting your endpoints with signature-based protection alone is not enough; on top of that, if the virus definitions are outdated, it defeats the purpose of running antivirus on your endpoints at all.
Many organizations view virus definition compliance as a major security concern, yet they do not know how to deal with the machines/assets that have older definitions.
So here is how SNAC can help you tackle this problem.
The best part is that this requires no hardware enforcer or DHCP software plug-in to be configured.
1. Make sure your SEPM is SNAC ready, that is, you see the Host Integrity Policy option in the Policies tab; if not, you can add the SNAC.xml file to the License folder in SEPM.
2. You should have Network Threat Protection installed on the clients.
3. Even though Servers and Desktops are normally kept in different groups, confirm that they are, as you will not want your servers getting quarantined due to old definitions and interrupting your business operations.
4. Understand that by blocking clients you will be interrupting their day-to-day work, so have your management on your side to justify the cause.
5. Most importantly, understand how critical it is to have machines with updated definitions, but while blocking clients with older definitions do not set the bar very high. For example, if 20% of your clients have definitions older than 3 days, then start with a higher number of days and reduce it as compliance improves.
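Point 5 is easier to follow with numbers in front of you. The following is an added example, not Symantec's code or tooling: it takes a constructed list of hosts with their definition dates (in practice you would take these from the SEPM computer status report, which is an assumption about your workflow), works out what fraction of the group an HI "older than N days" check would fail at each setting, picks the smallest starting value that quarantines no more than an assumed 10% target, and ratchets the value down at later reviews once the group is compliant.

```python
"""Choosing the starting 'number of days' for the Antivirus Requirement from
the group's actual definition ages. Added example, not Symantec code: the host
list is constructed sample data and the 10% target is an assumed starting goal."""
from datetime import date

# Constructed sample: hostname -> date of the definitions currently on the host.
TODAY = date(2024, 3, 15)                       # fixed so the example is repeatable
SAMPLE_HOSTS = {
    "ws01": date(2024, 3, 15), "ws02": date(2024, 3, 14), "ws03": date(2024, 3, 13),
    "ws04": date(2024, 3, 12), "ws05": date(2024, 3, 10), "ws06": date(2024, 3, 8),
    "ws07": date(2024, 3, 1),  "ws08": date(2024, 2, 14), "ws09": date(2024, 3, 15),
    "ws10": date(2024, 3, 14),
}


def definition_ages(hosts, today=TODAY):
    """Age of each host's definitions in whole days."""
    return {name: (today - defs_date).days for name, defs_date in hosts.items()}


def failing_hosts(ages, max_age_days):
    """Hosts the HI check would fail: definitions older than max_age_days."""
    return sorted(name for name, age in ages.items() if age > max_age_days)


def noncompliance_rate(ages, max_age_days):
    """Fraction of the group that would be quarantined at this setting."""
    return len(failing_hosts(ages, max_age_days)) / len(ages)


def starting_threshold(ages, target_rate=0.10, floor_days=3, ceiling_days=60):
    """Smallest number of days (>= floor_days) at which no more than target_rate
    of the group is quarantined. Falls back to ceiling_days if even that blocks
    too many, which means the group needs remediation before enforcement."""
    for days in range(floor_days, ceiling_days + 1):
        if noncompliance_rate(ages, days) <= target_rate:
            return days
    return ceiling_days


def next_threshold(current_days, ages, target_rate=0.10, step_days=2, floor_days=3):
    """Ratchet the threshold down once the group is compliant at the current
    setting, never below floor_days; hold it otherwise."""
    if noncompliance_rate(ages, current_days) <= target_rate:
        return max(floor_days, current_days - step_days)
    return current_days


if __name__ == "__main__":
    ages = definition_ages(SAMPLE_HOSTS)
    print("failing at 3 days:", failing_hosts(ages, 3))      # 4 of 10 hosts
    start = starting_threshold(ages)
    print("start enforcement at", start, "days")             # 14
    print("next review would set", next_threshold(start, ages), "days")  # 12
```

With this sample a 3-day requirement would quarantine 40% of the group on day one, while 14 days quarantines only the one host that has not updated in a month; that is the "keep the number of days on the higher side to start with" advice expressed as a rule you can re-run at every review.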
Now to the simple part, configuring the policy:
1. Edit the Host Integrity Policy and under Requirement click Add and select “Antivirus Requirement”.
2. Give it any name that suits the policy requirement. “Start Antivirus if not running on the client” is optional, but you can still enable it and give the command to start the service.
3. Under Antivirus Signature File checking, make sure you select the right number of days, and make sure it is days and not definition revision. Additionally, you can give a location from where the definitions can be downloaded; it can be any location. Click OK and you are done configuring the requirement.
4. Now under Advanced Settings, it is highly recommended to set a notification for each type of notification selected, so that users are well aware of what is happening on their machine and why, and do not panic that their machines have been hacked.
5. Now assign the Host Integrity Policy to all the groups on which you want this policy activated. Start with a pilot batch of a few clients and then, after gaining confidence, increase the number of groups.
6. Go to the Policies tab, Firewall Policy, and create a new firewall policy; name it Quarantine, SNAC or any other name that relates to the policy.
7. Select all the default rules and delete them.
8. Click Add Rule, name it Allow Basic, then click Next, select Allow Connection and click Next until you reach Network Services; then add DNS, DHCP, LDAP, FTP and/or your email application and ports.
Note: You can build your own allow list, which can include applications like cmd.exe or your business application (under Applications), any specific port or additional service, or a few machines these clients should be allowed to connect to, like your ticketing system.
9. Below this rule add another rule to block all communications. NOTE: Do not assign this policy to any group; it is applied as a quarantine policy in the steps below.
10. After assigning the HI policy, under the Clients tab select the group to which you have applied the SNAC HI policy and go to the Policies tab at the top.
11. Under “Quarantine Policies when Host Integrity Fails”, click Add Policy.
12. Select Quarantine Firewall Policy, click Next, select Existing Shared Policy and select the policy created above. Then do the same for the other groups to which you want this policy applied.
13. Once a client is blocked, the user will either call the helpdesk or update the definitions manually; once the definitions are updated, the HI status changes to Approved and the client runs normally with its existing policies.
14. Other than blocking client machines with the firewall, you can also add a Quarantine LiveUpdate Policy, which can direct the client machine to connect directly to the internet, to a LUA (if you already have one), or directly to the SEPM, bypassing the GUP.
15. Most importantly, you can also view logs and reports of the machines on which HI compliance failed.
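To make the behaviour of steps 7 through 13 concrete, here is an added example that is not Symantec's code and does not talk to SEPM: it models the quarantine firewall policy as an ordered list (Allow Basic first, Block All second), evaluates the Antivirus Requirement as "definitions older than N days fails", and shows which policy a client ends up under before and after updating. The rule structure, the first-match semantics and the "normal policy allows everything" simplification are assumptions made for the example; the port numbers are the standard IANA assignments for the services named in step 8.

```python
"""Host Integrity evaluation and quarantine firewall rule matching.
Added example, not Symantec code: rules, hosts and first-match semantics are
constructed/assumed to illustrate the procedure above."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    services: Optional[frozenset]    # set of (protocol, port); None means any service


# Services the Allow Basic rule permits (step 8): DNS, DHCP, LDAP, FTP and SMTP
# standing in for "your email application".
BASIC_SERVICES = frozenset({
    ("udp", 53), ("tcp", 53),        # DNS
    ("udp", 67), ("udp", 68),        # DHCP
    ("tcp", 389),                    # LDAP
    ("tcp", 21),                     # FTP
    ("tcp", 25),                     # SMTP
})

# Constructed quarantine policy: allow rule first, catch-all block second (step 9).
QUARANTINE_POLICY = [
    Rule("Allow Basic", "allow", BASIC_SERVICES),
    Rule("Block All", "block", None),
]

# The group's normal policy, simplified here to "allow everything".
NORMAL_POLICY = [Rule("Allow All", "allow", None)]


def firewall_verdict(policy, protocol, port):
    """First matching rule wins; a policy with no matching rule blocks by default."""
    for rule in policy:
        if rule.services is None or (protocol, port) in rule.services:
            return rule.action
    return "block"


def host_integrity(definition_age_days, max_age_days):
    """Antivirus Requirement on signature age (step 3): fails when the
    definitions are older than the configured number of days."""
    return "Approved" if definition_age_days <= max_age_days else "Failed"


def effective_policy(hi_status):
    """The quarantine policy applies only while HI is Failed (steps 11 to 13)."""
    return QUARANTINE_POLICY if hi_status == "Failed" else NORMAL_POLICY


def evaluate_client(definition_age_days, max_age_days, connections):
    """Return the HI status and the verdict for each attempted (protocol, port)."""
    status = host_integrity(definition_age_days, max_age_days)
    policy = effective_policy(status)
    verdicts = {(p, port): firewall_verdict(policy, p, port) for p, port in connections}
    return status, verdicts


if __name__ == "__main__":
    attempts = [("udp", 53), ("tcp", 443), ("tcp", 445)]
    # 5-day-old definitions against a 3-day requirement: quarantined, DNS only.
    print(evaluate_client(5, 3, attempts))
    # Same client after updating: HI Approved, back on the normal policy.
    print(evaluate_client(0, 3, attempts))
    # Rule order matters: with Block All above Allow Basic, even DNS is blocked,
    # so the quarantined client could not resolve an update source (step 14).
    print(firewall_verdict(list(reversed(QUARANTINE_POLICY)), "udp", 53))
```

The last line is the check worth doing in the SEPM console after step 9: if the Block All rule is listed above Allow Basic, the quarantined client loses DNS and DHCP as well, and the Quarantine LiveUpdate route from step 14 cannot work.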