
Connect and Protect - Mon's Story 

Jul 27, 2009 09:20 AM

I started working in the IT field as a Systems Administrator. One of the tasks assigned to me was to select the replacement for their antivirus. I've already written a blog about it. It has Sales in the title. And also an article on what I've learned in IT.

In the years that passed, I've learned the importance of data protection. Every company uses a backup solution for their corporate data, from doing manual backups, to making backup scripts, to using a third-party backup solution. Our data is so important that if ever a backup fails or is delayed by a few minutes, heads will roll, and I've spent numerous nights at the office just to fix this. But sadly, this isn't the case with end users whose files are kept on their local PC with no backup. I'm not concerned whether their resumes are corrupted by the malware :P; instead I worry about what it will do to the OS and the corporate network afterwards. I'd like to note here that aside from cracked software, resumes (or rather the storage device that contained them) are the second most common source of malware in a company. Getting infected by malware that destroys their data is the worst-case scenario, and it happens so often that they're used to retyping their data and saving as often as possible. Malware also takes up valuable PC resources, slowing down the already slow and almost outdated PC - another reason/excuse for employees to take more breaks. Fast-forward to the present.

The latest and current company I'm working for is a Symantec reseller and I'm assigned as the “resident go-to guy” when it comes to Symantec security products. I can't say engineer because I'm not doing any engineering, nor do I consider myself a consultant or a specialist. I'm a Symantec noob. I was reluctant to push this product at first, based on past experiences - and possibly ignorance - with Norton and Symantec products on virus-filled systems and the way they hogged the memory when hardware was a bit expensive. But then came SEP. After reading the manual, I saw that it looked promising. On with the learning.

First client.

The first company I was sent to was a contact center and they had over 12,000 clients running SAV 10. When we started there, we were getting negative feedback on how poorly the Symantec product performed and how slow their PCs had become. We checked the monthly reports and what was endorsed to us. It was clear that they were plagued by malware. Our contract prohibited us from connecting to or physically accessing PCs and servers other than what was assigned to us. We were only to give out instructions based on what Symantec’s website and knowledge base had and send them to the respective department in charge. We persevered and were able to contain all the threats, and we reduced our incidents from around 20 to just 5 per shift, with two of us.

Symantec also gave us their SECRIT, which is a separate collector with its own database of logs. We used that to send email alerts to us on the latest virus alert for the company. We moved to SEP at the start of 2009. By then, all the existing threats were eliminated and SAV automatically treated those that came from the Internet and USB devices. One good thing about this company is that almost all of the workstations’ contents were nearly identical and they have Altiris - so management is a breeze - if one deployment didn’t go as planned, they can just reimage it.

Compared to SAV, SEP is more streamlined and the deployment can use fewer servers for handling the logs and policies. Report generation is noticeably faster. And since the threats were already contained, we could start being proactive and check for the sources of the malware. This time Symantec provided us with their replacement for SECRIT, the Symantec Threat Reporter (STR), which is also a reporting server and has better flexibility in extracting records from its database. We saw the usual things found in the reporting of SEP. We compared this with SEP's reporting and we got the email alerts a bit earlier than from SEP, which is understandable because aside from reporting, SEP is also doing policy implementation and client updating. If your company is frequently requesting AV-related reports, I suggest you set up a separate server for reporting. We used the STR to monitor the network and used SEP to enforce a policy on the use of USB devices through its Application and Device Control function.

The next step was to try and prevent users from accessing infected websites. We used Symantec-Norton’s SafeWeb website to verify whether a suspected site was a legitimate site or a malicious site. Aside from this, we used IE history viewer to get the browsing history of the users and check the sites visited. The application is only one executable file; it can get the history of remote users, assuming you have the necessary administrative rights, and save it as a complete webpage. We also implemented the application control to block proxy programs from running on the clients' PCs. Towards our 9th month in the company, the threats were so easily manageable that I now had spare time!

Most intrusions were found in the Temporary Internet Files folder and were treated by SEP without manual intervention. The logs may show “access denied” at first, but the succeeding entries showed them as “cleaned”, “quarantined” or “deleted”. Those that were able to bypass the Windows policy on USB can no longer do so with the addition of the SEP policy, and those that were using proxies are in for a surprise. The company decided not to renew our contract since SEP is now - ummm - more secure and manageable compared to SAV.


Second client.

My next (current) project is a banking institution of the government. I joined an existing team of 2 to continue with the support on Symantec products. The current issue with the company is with the W32.Down_adup.B worm (intentionally misspelled). From my experience with the banking industry, this is one group that is very reluctant to apply changes to their network. They have an “if it works, why fix it” mentality and are not into the leading technology, but rather like the tried-and-tested (and perhaps outdated) technology. There is no patch management that I’m aware of, and Internet connection is given to a select few after a review by their IT management.

I was surprised when I viewed the SEP-generated reports and saw that the infection count was in the thousands per type, three types in particular! The network consists of roughly 3,500 clients. Clearly, this isn’t what management wanted to see. So, it was time to redeem my company and Symantec. I made a specific report to generate and email all the alerts received by the server per day. The daily infection count is/was below 50, often below 10, and they’re in the Temporary Internet Files!

SEP is doing its job in protecting the system, although the reporting is inaccurate (we’re fixing that at the moment). My main task at that moment was to prove that SEP was doing its job and that the reason malware was returning was unpatched Windows vulnerabilities, which, oddly, is assigned to another company. Aside from this, I’m also setting up Symantec Brightmail Gateway Appliance and Critical System Protection, which is still in the setup phase. From the succeeding reports sent to us by SEP, almost all the threats that came in daily are from the usual Temporary Internet Files folder, and as soon as the old machines (SEP doesn't support this hardware) are replaced, I'm expecting that they'll be booting us off as well. I can clearly see that all threats will be minimized within a few weeks after all of what's in my mind is put into action. This will be the time when employees aren't allowed to have Internet access because of personal productivity issues and not malware.

SEP is, for the better part of it, really a true solution to malware. Once all the policies are set and the system is in production, it's just a matter of maintenance. Something worth mentioning here is that I've never had a complaint that a client OS, or some other application, was ruined because SAV or SEP removed a system file out of paranoia, or what we call false positives. I am also thankful for the Symantec Connect forums for providing information and additional help, aside from tech support, especially in the Ultrasurf/MD5 thread.

Comments

Jul 31, 2009 11:45 AM

Yes... you are right mon...
sav to sep migration is almost done....
Hope the sepm mr4 mp2 would roll out soon...
Thanks...

Jul 30, 2009 11:07 PM

Thanks for the vote of confidence. :D

I'm thinking that SEP is doing its job extremely well in your company given your numerous posts in the forums.
Cheers.

Jul 30, 2009 01:30 PM

One of the best Symantec consultants in the Philippines...
He shares all info...
great in explaining complex jargons...
Goodluck on all your endeavors bro... 
thumbs up...

Jul 29, 2009 10:13 AM

What I failed to mention was the speed with which the network team of 'client 1' acted on the tickets I did for them. If they were to wait for more than a day, I'd probably be having a tougher time. And I don't want to mention in my blog that after deploying SEP and SBG, everything was such smooth sailing that I have A LOT of free time and the other employees envy me. And I have faith in SEP, and this transfers to my client having faith in me whenever I said that everything will be alright - especially during the preparation for the Downadup. :)

Jul 29, 2009 05:36 AM

I agree with Mon: Symantec is really good on false positives, which everybody normally tends to ignore when comparing it to other AV products..
and Symantec Connect is also something remarkable.. especially for the newbies
