
Adding new threats to SEP before they are included by Symantec

Updated: 21 May 2010 | 11 comments

I have had a stable SEP 11 MR2 environment running now for about 2 - 3 months. My boss asked me today if we can add filenames and sizes and hash sizes into SEP for inclusion in the next scanning.

Basically PCI and law enforcement send us new threats caught in the wild, and ask us to scan all of our systems for these and remove offending items to ensure safe identity transmissions.

The information provided is a filename (often a common name for a Windows file, by the way), file sizes and hash numbers.

Now we are assured that all of the leading AV manufacturers are also provided with this data for inclusion as soon as possible. I am just not sure if I can find / show that the latest info from Symantec we get has the new threats included, or even when they are included.

So is there a way we can manually add this information to the SEP manager for distribution to each SEP PC client when we receive them?

Thanks

Kevin Pulford
Systems Administrator
Harmons City, Inc.


Comments

Paul Murgatroyd, 14 Nov 2008

We aren't going to allow customers to add to our definitions in that way; it's too scary for words.

However, if you are running Proactive Threat Scan, then there is possibly a method which might work...

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

fmav_admin, 19 Feb 2009

...what method would that be?

I am in a similar situation; our security department sent me a list of files and hash values they want "added to Symantec."

I called support, and the tech told me to create custom IPS sigs and just paste the hash value into the content field. This does not work, and causes clients to log critical errors: "FATAL: failed to apply a new IPS library."

I am now trying to escalate my ticket, but am interested in knowing whether or not Kevin received any real answers to his question.

SKlassen, 19 Feb 2009

Maybe Paul is referencing using the Application and Device Control Policy. By defining specific programs using this feature, you can block these programs from running, if they exist.

fmav_admin, 19 Feb 2009

That was my initial idea as well; however, I did not find any options for adding specific hash values. If possible I'd like to prevent blocking valid programs with the same filename, and at the same time prevent a security risk from slipping through after a simple name change.
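The distinction fmav_admin draws above (a filename match catches legitimate programs with the same name and misses a renamed copy, a hash match does neither) is easy to demonstrate outside SEP. The script below is an added example, not code from the thread or from Symantec: it takes an indicator list of the kind Kevin describes (filename, size, hash) and sweeps a directory tree, once by filename only and once by size plus SHA-256. The indicator list, the sample files and the directory layout are all constructed inline and labelled as such; the size pre-filter means only files that could possibly match get hashed, which matters when sweeping a whole workstation. The same logic is what a file fingerprint in an Application and Device Control rule relies on, so it is also a quick way to sanity-check an indicator list before rolling a policy out.

```python
"""Sweep a directory tree for reported files by size + SHA-256, not by name.

Added example for this thread, not from the original post or from Symantec.
The indicator format (name, size, sha256) and the sample files are assumptions
constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # read files in 1 MiB chunks so large files do not load into RAM


@dataclass(frozen=True)
class Indicator:
    name: str     # filename as reported (often a common Windows name)
    size: int     # byte length as reported
    sha256: str   # hex digest as reported


def hash_file(path):
    """Return (size, sha256 hex digest) of a file, streaming it in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def scan(root, indicators, by_name=False):
    """Walk root and return [(path, indicator)] for every hit.

    by_name=True reproduces the filename-only matching the thread warns about.
    The default matches on size and then hash, so a renamed copy is still
    caught and a legitimate file that merely shares the name is not.
    """
    by_size = {}
    for ioc in indicators:
        by_size.setdefault(ioc.size, []).append(ioc)
    by_filename = {ioc.name.lower(): ioc for ioc in indicators}

    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if by_name:
                ioc = by_filename.get(fn.lower())
                if ioc is not None:
                    hits.append((path, ioc))
                continue
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished between walk and stat
            candidates = by_size.get(size)
            if not candidates:
                continue  # size pre-filter: only hash files that could match
            _size, digest = hash_file(path)
            for ioc in candidates:
                if ioc.sha256 == digest:
                    hits.append((path, ioc))
    return hits


# Constructed sample content. BAD stands in for the reported file; its hash is
# computed here because no real sample is involved. GOOD is an unrelated file
# that happens to carry the same common Windows filename.
BAD = b"constructed sample content standing in for a reported malicious file\n"
GOOD = b"constructed content of a legitimate file that happens to share the name\n"

INDICATORS = [Indicator("svchost.exe", len(BAD), hashlib.sha256(BAD).hexdigest())]


def build_sample_tree(root):
    """Create a constructed directory layout under root (paths are assumptions)."""
    layout = {
        os.path.join("Windows", "System32", "svchost.exe"): GOOD,   # legitimate, same name
        os.path.join("Users", "kevin", "Temp", "svchost.exe"): BAD,  # the reported file
        os.path.join("Users", "kevin", "Temp", "notes.txt"): BAD,    # same file, renamed
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return layout


def demo():
    """Return (name_hits, hash_hits) as sorted relative paths using '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        name_hits = sorted(rel(p) for p, _ in scan(root, INDICATORS, by_name=True))
        hash_hits = sorted(rel(p) for p, _ in scan(root, INDICATORS))
        return name_hits, hash_hits


if __name__ == "__main__":
    names, hashes = demo()
    print("filename match :", names)   # flags the legitimate System32 file, misses notes.txt
    print("size+hash match:", hashes)  # flags both copies of the reported file, nothing else
```

Run it as-is and the filename pass reports the legitimate `Windows/System32/svchost.exe` while missing the renamed `notes.txt`; the size-plus-hash pass reports exactly the two copies of the reported content. Matching on size first is only an optimisation: a reported size that is wrong by a byte would suppress the hash check, so if the indicator source is unreliable about sizes, drop the pre-filter and hash everything.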
SKlassen, 19 Feb 2009

You can specify a file fingerprint when creating a new rule. When you're adding a new process, click on the Options button.

fmav_admin, 19 Feb 2009

Ahh yes! Didn't see the Options button down there.

I modified all of my process definitions, and will start testing.

Thanks for your help!

Paul Murgatroyd, 19 Feb 2009

That's one way you could do it, yes... if you know the filenames you want to block, you could also perform forced detections using TruScan.

Custom IPS sigs should work for files coming across the network, but they would need to be crafted properly, making sure the packet data is correct.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Auusie, 19 Feb 2009

Paul Murgatroyd wrote:

> That's one way you could do it, yes... if you know the filenames you want to block, you could also perform forced detections using TruScan.
>
> Custom IPS sigs should work for files coming across the network, but they would need to be crafted properly, making sure the packet data is correct.

Hi Paul,

Umm, I think IPS is not only there to protect the client from files coming across the network; it's supposed to block malicious activity inside the client too, because it's both HIPS and NIPS, isn't it?

fmav_admin, 20 Feb 2009

Paul,

Can you explain how to force TruScan detections for files? I believe that would be our preferred method.

Paul Murgatroyd, 28 Feb 2009

fmav_admin, yes, you can create them through Centralized Exceptions. It's pretty self-explanatory once you are there. Just choose TruScan Proactive Threat Scan, then "Processes", and add your process names in.

Auusie, yes, we have both available, but I was talking about custom IPS signatures, in the form of NIPS.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

fmav_admin, 30 Mar 2009

Paul,

Is there a notification type that I can use to add a condition so I receive an email when one of these processes is found by TruScan?