Today's sophisticated threats require a security solution equipped with multiple layers of protection to keep your business secure. Symantec hosted a webcast on “Stop 64% More Malware Today” on Wednesday, February 06, 2013 that discussed the threat magnitude and how to stop more malware with resources you already have, as well as how to mitigate risk without sacrificing performance.
The following are answers to the additional questions raised in this webcast. To view a recording of the webcast, click here.
What’s New?
Q: What was featured in this webcast?
Antivirus only is NOT enough. Symantec Endpoint Protection 12.1 contains five layers of protection—Firewall and Intrusion Protection, Antivirus, Insight, SONAR, and Power Eraser for unrivaled security in both physical and virtual environments.
Software Updates
Q: What does MP stand for in the following? SEP 11 RU7 MP2?
RU stands for Release Update. This update is similar to a Windows Service Pack.
MP stands for Maintenance Pack. This is similar to a Microsoft Update Rollup.
Q: What is the upgrade path to 12.1 from 11.0.x?
Please check out the following article:
http://www.symantec.com/connect/articles/supported-upgrade-paths-symantec-endpoint-protection-121
Q: The version of Java that I am running is not supported by the version of SEPM I am using. What should I do?
There are a few options:
1. You can upgrade the version of Java you are running to the latest version.
2. You can upgrade the version of Symantec Endpoint Protection Manager you are using to the latest version.
3. You can use the local console on the Symantec Endpoint Protection Manager. The local console on the Symantec Endpoint Protection Manager uses the internal version of Java included in the Symantec Endpoint Protection Management server.
It is always recommended to upgrade to the latest version of Java. Running old versions of Java can make your system vulnerable. The latest version of SEPM 12.1 does work with the latest version of Java.
Q: Is it necessary to reboot the clients when migrating from SEP 12.1.1 to 12.1.2?
Yes. The SEP 12.1.2 install will not until you reboot. However, the client will continue to run SEP 12.1.1 and protect the system even if you do not reboot.
Q: So how does that upgrade to SEP 12 for free deal work?
If you currently own SEP 11 and your support/maintenance contract has not expired yet, then you can use the latest version of SEP 12.1 for no additional cost. Please contact your sales rep or reseller for more details.
For more details see:
http://www.symantec.com/docs/TECH103088
SONAR
Q: Is Sonar available in 12.1?
Yes. SONAR is available in SEP 12.1.
Q: I had heard that SEP 12.1.2 has increased its list of detectable "suspicious" behavior from 400 to 1400. I can't find any documentation on this. Can you shed some light on what has been enhanced?
In Symantec Endpoint Protection 12.1 RU2 we added over 1,000 new behavior. Applications will exhibit multiple behaviors. Some behaviors increase the application score and some behaviors decrease the application score. As the application runs, it may exhibit more behaviors that change the application score. Once the application score hits a certain threshold then we convict the application. Note: We do not document the list of behaviors we check for. These behaviors are updated on a regular basis.
Q: In the Endpoint Protection Manager, where can I see if Sonar is enabled?
You can see what technologies are installed from the Symantec Endpoint Protection Manager console on the Clients tab under the ‘Protection technology’ view.
Insight
Q: How does insight determine which files are "fine”.
Insight uses a database that has over 3 billion files and more than 2 trillion associations to determine what files are good or bad. Each file is rated based on the context of a file, such as how many copies of the file exist, where the file came from and who else is using the file. It uses a reputation system to give each file a reputation rating. As an analogy, you can think about the way Amazon gives ratings to a book. If the book has five stars and lots of ratings then the book is likely a good book. If the book has only one start and few ratings then the reputation of the book is questionable. Take a look at this site for more details:
http://www.symantec.com/reputation-based-security
Q: How do you configure Insight on a server?
Insight can be configured the same on a server as it is on a desktop. Insight will monitor programs downloaded from the Internet and block programs that have poor reputation.
Q: Is Insight only available in SEP 12?
Insight does require Symantec Endpoint Protection 12.1 or later. SEP 11 and SEP 12.0 SBE do not have Insight technology. However, other Symantec products such as Symantec Messaging Gateway and Symantec Web Gateway do have reputation (i.e. Insight).
Network Threat Protection
Q: When looking in the NTP logs, what column will show the "system infected" message?
The “system infected” message can be seen in the Event Type (or Summary) field of the Attack (or System) log.
Application and Device Control
Q: System Lockdown and Application and Device Control are the bread and butter of SEP. The problem is trying to deploy in a huge environment, 10K+. Any whitepapers or recommendations for doing this?
There are some resources we have online to help with this:
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc
https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection
Power Eraser
Q: Where can you download the newest version of power eraser?
Power Eraser is included in the SymHelp tool. The latest version of the SymHelp tool can be found here:
http://www.symantec.com/docs/TECH170752
The latest version of the Norton Power Erase standalone tool can be found here:
http://security.symantec.com/nbrt/
Q: Can you run Symantec Power Eraser on a remote PC?
The Power Eraser tool is included in the SEP Support tool. Here are some KB articles that tell you how to run the SEP Support tool remotely.
http://www.symantec.com/docs/HOWTO72599
The SymHelp tool replaces the SEP Support tool. Here are the command line options on how to run the SymHelp tool. These can be used to run the tool remotely.
http://www.symantec.com/docs/TECH170732
Q: Can Power Eraser be run by a non-administrative user on win7?
Power Eraser requires administrative access.
Malware Activity and Protection
Q: Why do we see increase in Malware after Adobe Flash updates?
This is most likely happens when the new version of Adobe Flash is released with an announcement of vulnerabilities that have been fixed. Attackers then use these announced vulnerability to attempt to infect systems still running the old version of Adobe. Many attackers may not know about the vulnerabilities in the old version until the new version is released and these vulnerabilities are announced.
Q: Out of the box, default setup of SEP 12.1.2, how much will it really stop?
Symantec Endpoint Protection 12.1 default policies offer the best of class protection. By default, Symantec Endpoint Protection 12.1 has five layers of defense: Network, Reputation, File System (including heuristics), Behavior and Remediation. With these five layers working together, we can stop both known and unknown threats.
For an example, please check out the 3rd party review from Dennis Labs:
http://dennistechnologylabs.com/reports/s/a-m/2012/DTL_2012_Q4_Ent.1.pdf
Q: We have a developer computer in which has been developing code internally for our systems, and the SEP 12.1 is seeing it as a "Trojan.gen" however sits as a status "Pending", doesn't remove it, does delete, doesn't do anything really. We tried to run a full sweep, which it finds, but does not delete anything. Ran the "Norton Power Eraser" and it ran a low-level sweep and found nothing. Yet when the system reboots, within 1 hour SEP finds the item again. Please explain?
This could be happening for several reasons. For instance, it could be that the system in question is getting attacked or infected by another system on your network. When this system gets attacked it will delete the malware and keep the system protected. However, at a later point the remote system simply tries to infect the system again causing another event to be generated. For this type of case, I recommend working with our enterprise support team. They can help you isolate the issue.
Q: Can Symantec make registry changes to fix unauthorized changes to the registry?
The Symantec Endpoint Protection product can clean up registry keys left behind by malware. It can also revert unintended or unauthorized changes to the registry made by malware.
Q: Can Symantec generate a signature for block Ultrasuf traffic with IPS technology as it already does with Emule, Kazaa, or Ares?
Ultrasurf uses encrypted traffic. A network signature like the one we have for Emule or Kazaa may not be possible. However, you can use Application Control to block Ultrasurf. Please check out this link:
http://www.symantec.com/connect/articles/proxybusters-part-1-ultrasurf#comment-8325121
Q: We have SEP installed on our main DC. Is this server protected? In addition, what was the name of the protection you recommended for servers?
Symantec Endpoint Protection 12.1 offers good protection for servers. However, in addition to Symantec Endpoint Protection we offer another product called Symantec Critical System Protection. Critical System Protection offers additional protection specifically targeting servers. It also has system configuration monitoring and system hardening features. For more information, please check out this link:
https://www.symantec.com/critical-system-protection
Q: If you do get a drive by download infection and delete the exe files manually to prevent the software from running, have you fixed the problem? Or is there something else that you have to do?
Drive by downloads can download multiple files and can install rootkits or other malware. Removing only the exe files associated with the drive by download may not always resolve the issue. I would recommend running Symantec Power Eraser as well.
Q: There are a number of OS on the market. Are they all equally vulnerable?
All operating systems have vulnerabilities. Some operating systems have better protection to reduce the risk of exposure from the vulnerabilities. However the amount of attacks on a particular operating system is not only related to the vulnerabilities it has but can also be related to the prevalence of the operating system and the amount of money or information that can be gained by breaking into devices running that operating system. Many attacks happen using social engineering, which attempts to fool the user into installing malicious applications or doing a task on behalf of the attacker.
False Positives
Q: What if Insight blocks a legit file?
Insight will block the download of an application if the application is still unknown. For example if only a very small number of people are using the application. These may be seen as false positives in some cases, but many of our customers do not want their users to be their first users on the Internet to run or install an application even if the application is good.
For resolving false positives, please check out this page:
http://www.symantec.com/connect/downloads/false-positive-prevention-and-correction-symantec-endpoint-protection-version-121
Q: I have an issue with false positives dealing with java files. What are my options with dealing with these false positives?
For resolving false positives, please check out this page:
http://www.symantec.com/connect/downloads/false-positive-prevention-and-correction-symantec-endpoint-protection-version-121
Q: What do I say to users who receive a pop-up notifying them of a risk but give them an option to proceed anyways?
The safest course of action would be to allow the risk to be quarantined. The pop-up should be primarily used as a notification so the user knows why the file was quarantined. However, you can turn the notifications off if this is a concern for your users.
Q: We're get "virus alerts" within SONAR for the svchost.exe, however when we're scanning them we see nothing. Are these false positive?
This is happening because svchost.exe is making changes to the hosts file. Turing off the hosts file detection will eliminate these logs. Please check out this KB for more details:
http://www.symantec.com/docs/TECH164391
Q: Is there a recommended tuning doc for the Sonar / Proactive Threat Protection to reduce "noise"?
The default setting is the recommended setting here. Sometimes SONAR is noisy because System Change events have been turned on (it is turned off by default). When this is turned on, you will get a log event for each application that modifies the hosts file or changes the DNS records. Please check out this KB for more details:
http://www.symantec.com/docs/TECH164391
Password Vaults
Q: I have users who use password vaults and I try to remind them Quicken, and others like this are bingo points for malware - am I giving good council?
A password vault can be a good way for a user to store all their passwords. It is much better for a user to store their passwords in a password vault then for them to write it down in plain text somewhere else.
Performance
Q: The biggest reason we turn off some layers of protection is because they are too processor intense on the local machine. What is your suggestion for older XP machines with smaller processors and less memory?
Try running Symantec Endpoint Protection 12.1. It has many performance enhancements that did not exist in SEP 11.
Q: Network Threat Protection was causing performance issues when we had it enabled on our PCs running behind a corporate firewall and running Windows Firewall. Symantec tech support team recommended us not to enable NTP. Should we need to re-visit this?
Yes. We strongly recommend that you at least enable IPS on all workstations. We have worked hard to reduce the performance impact of IPS.
Click link to learn more about Symantec Endpoint Protection 12 positioned as the Leader in 2013 Gartner Magic Quadrant.