
Configuring Symantec Endpoint Protection 11.x for Maximum Protection

Created: 23 Apr 2013

Hello,

The following general best-practices document for configuring and managing SEP 11.0 was prepared by the Symantec product team.

It is always recommended to run the latest version of SEP 11.x on your client machines. See this article:

About Maintaining Consistency of Software Versions throughout a SEP 11 Organization

http://www.symantec.com/business/support/index?page=content&id=TECH131660

See the attached files for additional documents.

Here is a general outline for configuring SEP to maximize protection against today's emerging threats:

(This outline is ordered from easiest to implement to hardest.)

  1. Implement the recommendations from Symantec Security Response: http://www.symantec.com/docs/TECH122943
  2. Validate that SEPM and SEP clients use the latest definitions (Symantec publishes certified definitions 3 times daily)
  3. Configure "locked down" AV policies so that end users can't change settings or disable SEP
  4. Enable TruScan (Behavioral Protection, also known as Proactive Threat Scan)
  5. Consider increasing Bloodhound heuristics to Maximum. This increases the chance of false positives; new Bloodhound signatures are initially enabled only at the Maximum level and, once the rules have been fine-tuned, are later enabled at the default Bloodhound level as well.
  6. Enable IPS (initially deploy with an Allow/Log exception before moving to an enterprise-wide Block/Log policy)
  7. Enable Application & Device Control (always thoroughly test AC/DC rules before widespread deployment)
  8. Block Autorun.inf from removable devices
  9. Protect SEP from being disabled or tampered with
  10. Harden Internet Explorer against "drive-by downloads"
  11. Monitor/Block devices
  12. Enable the firewall (needs to be carefully considered so that it does not block necessary applications; again, test before deployment)
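To check two of the outline's items from a client rather than from the SEPM console, here is an added PowerShell audit script (it is not part of this post or of Symantec's documentation). It verifies the Windows-level AutoRun policy that complements item 8 and confirms that the SEP client services behind item 9 are present and running. The SEP 11 service names are assumptions; confirm them with Get-Service on a known-good client before relying on the result.

```powershell
# Added example, not from the Symantec article. Requires PowerShell 3.0 or later.
# Audits item 8 (autorun from removable media) at the OS policy level and item 9
# (SEP not disabled) by checking the client services. Service names are assumed
# for SEP 11; confirm them against 'Get-Service' on a known-good client.

$results = @()

# --- Item 8: Windows AutoRun policy (complements the SEP Application Control rule) ---
# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
# NoAutorun = 1 stops autorun.inf from being honoured at all.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noDriveType = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$noAutorun   = (Get-ItemProperty -Path $explorerPolicy -Name 'NoAutorun' -ErrorAction SilentlyContinue).NoAutorun

$results += [pscustomobject]@{
    Check  = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
    Status = if ($noDriveType -eq 0xFF) { 'OK' } else { "FAIL (value: $noDriveType)" }
}
$results += [pscustomobject]@{
    Check  = 'autorun.inf ignored (NoAutorun = 1)'
    Status = if ($noAutorun -eq 1) { 'OK' } else { "FAIL (value: $noAutorun)" }
}

# --- Item 9: SEP client services present and running ---
# Assumed SEP 11 service names (AV engine, management client, event and settings managers).
$sepServices = @('Symantec AntiVirus', 'SmcService', 'ccEvtMgr', 'ccSetMgr')
foreach ($name in $sepServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = if ($null -eq $svc) { 'FAIL (service not found)' }
              elseif ($svc.Status -ne 'Running') { "FAIL (state: $($svc.Status))" }
              else { 'OK' }
    $results += [pscustomobject]@{ Check = "SEP service '$name' running"; Status = $status }
}

# Print the table and exit non-zero if any check failed, so the script can feed a scheduled job.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -ne 'OK' }).Count
exit ([int]($failed -gt 0))
```

Run it in an elevated prompt on a client; a missing registry value is reported as a FAIL with an empty value rather than silently passing.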

Attached are two additional white papers on using AC/DC.

Here are detailed Knowledge Base articles relevant to the recommendations above:

Symantec Endpoint Protection Best Practices: General

  • Security Response recommendations for Symantec Endpoint Protection settings
    http://www.symantec.com/docs/TECH122943

  • Security Best Practices for Protecting a Business Environment from Common Threats
    http://www.symantec.com/docs/TECH105236

  • Best Practices for Installing Symantec Endpoint Protection on Windows Servers
    http://www.symantec.com/docs/TECH92440


SEP Best Practices: AntiVirus, Behavioral & Heuristic protection


SEP Best Practices: Network Threat Protection

SEP Best Practices: Application & Device Control

Attached is an Application Control policy file that can be imported into SEPM. These rules should be tested before widespread deployment.

Best Practices: Responding to Infections

Threat Landscape