This is the third of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
- The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
- The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways how to prevent and recover from one of today's most-destructive threats, should it infect your network and hold your data hostage.
This third article illustrates how Symantec Endpoint Protection's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
Unlike AntiVirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them. It’s very cool.
SEP’s IPS component greatly increases the number of threats that can be blocked, so the use of IPS is strongly recommended on almost all endpoints. More details are contained in:
Best practices regarding Intrusion Prevention System technology
Not Just for Windows Any More!
IPS has been an optional component of SEP for Windows since the beginning. In order to enable IPS in Symantec Endpoint Protection 11.x, the client firewall portion (Network Threat Protection) must be installed and running. In SEP 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.
SEP 12.1 RU4 brought many new features to the SEP client that runs on Macintosh (“SEP for Mac”). An overview of these enhancements can be found in:
Overview for Symantec Endpoint Protection 12.1.4 for Mac
One of the best of these enhancements is that IPS can now defend Mac machines as well as the Windows boxes on the network. So, definitely upgrade the protection on your Macs!
How IPS Defends Clients
For an excellent illustration of how IPS can protect against a very dangerous threat, see Recovering Ransomlocked Files Using Built-In Windows Tools. Even if the initial Trojan.Cryptolocker .exe is not detected by SEP’s AntiVirus components, IPS attack signatures can still block the network traffic that this threat relies upon in order to generate the keys necessary to sabotage a computer’s files. If you see a pop-up “System Infected: Trojan.Cryptolocker” then IPS has just blocked the Trojan’s network activity (and saved you a load of grief). Get that computer isolated and perform a load point diagnostic to identify any unidentified malware files!
Generating SEPM Reports of Network Attacks
As detailed in my first article, your Symantec Endpoint Protection Manager contains advanced capabilities for reporting and alerting. It can often tell you exactly what is going on with the security of your network, if you know how to look.
One report that it can generate on demand is Network Threat Protection: Attacks. (Remember: in SEP 12.1, it is not necessary to have the NTP component of SEP installed in order to take advantage of IPS. IPS can be installed without NTP. The report of all IPS attacks is still listed under Network Threat Protection as a legacy inherited from SEP 11 days.)
Just click on Monitors, Logs tab, and pick the "Network Threat Protection" option for Log type. Choose “Attacks” to see all the IPS events that have occurred on managed SEP clients and been forwarded to the SEPM.
The logs for all the attack events will be displayed on screen, and can be exported for more advanced parsing and analysis with your favorite spreadsheet program.
Identifying Unprotected Computers
One example of how these can be useful: in a recent real-world case, an administrator had been fighting a never-ending battle to eradicate W32.Downadup from the corporate network. There were constant detections of this threat being stopped, but somewhere out there were infected computers which constantly tried to re-infect others. Examining the Risk Reports failed to show any instances where the threat was being detected by AV but “left alone,” so where were they?
Examining the exported Network Attack logs, it was pretty clear that IPS was also blocking infection attempts (traffic that attempted exploit of the vulnerability that W32.Downadup uses to spread). These logs, though, showed what IP addresses involved with each “[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM”
Examining the Remote Hosts that were responsible for all that traffic was the solution to this case. There were a handful of infected computers that had no AV product on them at all. Installing SEP ended the persistent W32.Downadup troubles for good.
Identifying Infected Machines
In another recent real-world example: hundreds of Auto-Protect virus events (Event ID 51) were seen on the shared directory of a file server. Several days were spent examining the load points of the server itself, with nothing malicious found. The reason: the infection was on one of the 400 clients which connect daily to that mapped drive. Some client in the network had attempted to do the damage- but which one? It would not be possible to examine load point diagnostics from all those hundreds of clients.
Luckily, that file server had IPS installed. The IPS logs were examined and a large number of ”Incoming Auto-Block Event” entries were spotted, coming from one particular IP Address. This activity might have been a coincidence, but in this case it was a very big clue as to which mapped client was infected. That computer was isolated, cleaned, patched and returned to the network. Problem solved.
IPS can protect your computers- and everything on them- in ways that AV alone cannot. And, its logs can provide valuable intelligence about which computers in the network are infected.
Moral of this story: it’s much easier to deploy the SEP IPS client and read its logs than to examine 400 load point diagnostics. &: )
One final recommendation: it is always a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques. Take precautions now!
Symantec Endpoint Protection – Best Practices
Many thanks for reading! Please do leave comments and feedback below.