Endpoint Protection

  • 1.  Able to Quarantine a file despite not having admin permissions

    Posted Jun 09, 2011 07:19 AM

    Hi,

    I have Symantec Endpoint Protection 11.0 installed on a Win2003 server, with managed clients on classroom computers running either WinXP or Win7.  The students log on as limited users, they do not have admin privileges on the computers, and I make sure that NTFS permissions are set so that they really only have Modify permissions on their local user profile folder.   

    I recently noticed that students are able to place files into Quarantine even though they have Read Only permissions to those files.  The process of placing the file into Quarantine also removes the file from the hard drive.  They can then delete the file from Quarantine, which then deletes the file from the computer totally.

    Most computers are running SEP 11.0.5002.333, some are running 11.0.4xxx.

    This appears to me to be a serious breach of security - since limited users who are not able to delete restricted files through normal Windows deletion are actually able to do so using SEP's Quarantine.  I do not see any way on the server to disable this ability.

    I understand the need for SEP to have access to all the files in order to detect and deal with threats, but I think that when manually adding something to Quarantine, it should follow the user's permissions only and allow him to add only files that he has Modify or Full permissions to.

    I would be interested in any ideas on how to fix this situation, or whether this requires a fix from Symantec.

    Thanks,

    -Michael



  • 2.  RE: Able to Quarantine a file despite not having admin permissions

    Trusted Advisor
    Posted Jun 09, 2011 09:59 AM

    Hello,

    I would suggest you upgrade the SEPM and SEP clients to SEP 11.0.6300.

    About Maintaining Consistency of Software Versions throughout a SEP 11 Organization

    Since you are running an older version, you would have to upgrade to SEP 11.0.6005 first and then to SEP 11.0.6300.

    1) From Symantec Endpoint Protection 11.0.5002 to Symantec Endpoint Protection 11.0.6005 (RU6a)

    http://www.symantec.com/business/support/index?page=content&id=TECH131653

    2) From Symantec Endpoint Protection 11.0.6005 (RU6a) to Symantec Endpoint Protection 11.0.6300 (RU6 MP3)

    http://www.symantec.com/business/support/index?page=content&id=TECH155655

    Reason for migration: check the Symantec article below:

    Release notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x

    Hope that helps!!!


  • 3.  RE: Able to Quarantine a file despite not having admin permissions

    Posted Jun 09, 2011 10:36 AM

    I would recommend blocking users from accessing the SEP client's user interface. The SEP clients are running under the System account. This is necessary in order for the client to perform its job without permission hindrances.

    If your users are doing things they shouldn't be, that is really something that there should be company policies in place for. Users should have a good understanding of what they should and should not be doing, and be reprimanded accordingly.

    The best option here would be to keep users from being able to access the SEP clients. See the following document link.

    http://www.symantec.com/business/support/index?page=content&id=TECH136678



  • 4.  RE: Able to Quarantine a file despite not having admin permissions

    Posted Jun 10, 2011 01:59 PM

    Yes,

    I agree with blocking access to the SEP console.

    Unfortunately, I don't think students understand "company policies".

    Regards,



  • 5.  RE: Able to Quarantine a file despite not having admin permissions

    Posted Jun 10, 2011 02:45 PM

    When you said "they place the file in the quarantine folder", do they actually copy/paste the file, or add it in the console?

    The quarantine folder will not have any access; right-click and select Properties and you will know.

    Put a password on it so they cannot open SEP...

    Or stop SEP services.

    I think the students have good knowledge of how to play around with SEP :)



  • 6.  RE: Able to Quarantine a file despite not having admin permissions

    Posted Jun 10, 2011 03:07 PM

    Hi,

    You can disable the client console on the client machine. This way students won't be able to access the SEP client and make any changes.

    Please check the below link on how you can do it,

    How do you lock down the SEP client interface so that end users cannot disable components or modify settings.

    http://www.symantec.com/business/support/index?page=content&id=TECH136678&actp=search&viewlocale=en_US&searchid=1307732075752

    Hope this helps you.



  • 7.  RE: Able to Quarantine a file despite not having admin permissions

    Posted Jun 14, 2011 09:17 AM

    Hi all,

    Thanks for your responses.

    Mithun - regarding your suggestion to update to the latest patched release, I generally agree that this is a good idea, and I see that some interesting and important issues have been addressed in these patches.  However, I do not see that my specific issue has been addressed in these patches, so updating to the latest release is not a high priority for me.

    Rafeeq - they add the files using the Add button in the View Quarantine screen on the client.

    Kurt G. & Ldimple - thanks for the link to the document describing how to lock down the SEP client interface.  I don't want to hide or totally disable the SEP client icon, since I like that when I walk through the labs I can see that SEP is running and has a green (updated) icon. 

    My only option appears to be assigning a password in order to open the client (as many of you suggested).  I don't love that option, because I often have to chide students for not running or updating whatever AV product they have at home (many are apparently not doing so, as they keep bringing in viruses on their USB thumb drives), and by easily accessing the SEP console they can see what an antivirus looks like as well as see that the AV definitions are constantly being updated by us.

    However, I will consider setting a password if I see that more students are taking advantage of the Quarantine issue that I described.  I found the issue myself a while ago while doing testing, but so far only 1 student has discovered it.

    Regardless, I still think that when manually adding a file to Quarantine, SEP should check to see if the current user has Delete permissions to that file.  I would appreciate it if the Symantec employees here bring this issue to the development/engineering people for consideration.

    Kurt - by the way, Beppe is correct, students don't give a hoot about "company policies".  I have a hard enough time keeping them from bringing food into the computer labs, and I know from experience that they'll click on anything they can. 

    Thanks,

    -Michael
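    The check Michael proposes in the post above, as an added PowerShell example that is not Symantec's code and not something posted in this thread: before a component running as SYSTEM moves a file into quarantine at a user's request, decide whether that user could have deleted the file under ordinary NTFS rules, and refuse if not. The function names, the quarantine wrapper, and the sample path are assumptions made for illustration; nothing here reflects how SEP itself implements the Quarantine "Add" button.

```powershell
# Added example, not Symantec code: approximate "could this user delete the file
# under normal Windows rules?" so a privileged quarantine action can refuse when
# the answer is no. Function names and the sample path are assumptions.

function Get-EffectiveFileSystemRight {
    # True if any of $Sids is allowed $Right on $Path by its DACL and no matching deny exists.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Right,
        [Parameter(Mandatory)][object[]]$Sids
    )
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities resolved to SIDs for stable comparison
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = $false
    $denied  = $false
    foreach ($rule in $rules) {
        # Inherit-only ACEs apply to children of this object, not to the object itself
        if (([int]$rule.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($Sids -notcontains $rule.IdentityReference) { continue }
        if (([int]$rule.FileSystemRights -band [int]$Right) -eq 0) { continue }
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # Any matching deny fails closed; this is stricter than Windows' ordered ACE walk
            $denied = $true
        } else {
            $allowed = $true
        }
    }
    return ($allowed -and -not $denied)
}

function Test-UserCanDeleteFile {
    # Windows lets a caller delete a file if the file's own DACL grants Delete, or if the
    # parent directory grants DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD) to the caller.
    param(
        [Parameter(Mandatory)][string]$Path,
        # Default is only for running this interactively as the user being tested; a service
        # running as SYSTEM must pass the requesting user's identity, never its own token.
        [System.Security.Principal.WindowsIdentity]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (([int]$file.Attributes -band [int][System.IO.FileAttributes]::ReadOnly) -ne 0) {
        return $false   # the read-only attribute blocks ordinary deletion until it is cleared
    }
    # The SIDs the user would present to an access check: own SID plus group SIDs
    $sids = @($Identity.User) + @($Identity.Groups)
    $viaFile   = Get-EffectiveFileSystemRight -Path $file.FullName -Right Delete -Sids $sids
    $viaParent = Get-EffectiveFileSystemRight -Path $file.DirectoryName -Right DeleteSubdirectoriesAndFiles -Sids $sids
    return ($viaFile -or $viaParent)
}

function Invoke-QuarantineAdd {
    # Hypothetical gate in front of a privileged quarantine move (an assumption, not SEP's design).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$QuarantineDir,
        [Parameter(Mandatory)][System.Security.Principal.WindowsIdentity]$Requester
    )
    if (-not (Test-UserCanDeleteFile -Path $Path -Identity $Requester)) {
        throw "Refusing to quarantine '$Path': requester '$($Requester.Name)' cannot delete it under its NTFS permissions."
    }
    # Only reached when ordinary Windows deletion would also have succeeded for the requester
    Move-Item -LiteralPath $Path -Destination $QuarantineDir -Force
}

# Interactive check as the logged-on user (constructed path; point it at a real lab file):
# Test-UserCanDeleteFile -Path 'C:\Labs\Course\handout.pdf'
```

    The point of the wrapper is that the privileged operation is gated on the requester's rights, not on the rights of the SYSTEM account doing the work. Two caveats for anyone adapting it: the deny handling is deliberately conservative (any matching deny ACE refuses, whereas Windows evaluates explicit and inherited ACEs in canonical order), and the faithful version of this check is to impersonate the requesting user's token and let the OS perform the access check rather than re-implementing DACL evaluation in script.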

     



  • 8.  RE: Able to Quarantine a file despite not having admin permissions

    Posted Jun 21, 2011 04:56 AM

    Hi all,

    Sorry, but I'm not marking any response here as the Solution.  As I wrote earlier, the only option I would consider would be to assign a password in order to open the client, but I don't love that option. 

    It's really like using a sledgehammer to drive in a nail, it's overkill for the issue I asked about.  It may be an acceptable workaround that I may decide to use, but the real solution should be more granular and should be at the level of the Quarantine screen (in SEPM).

    Thanks all for your help.

    -Michael