Endpoint Protection

  • 1.  Application and Device Control Policy to stop FakeAV terminating SEP?

    Posted Mar 25, 2011 01:17 AM

    We're getting a few users infected with FakeAV, and the nasty apps are disabling SEP.

    I saw this :

    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security

    http://www.symantec.com/business/support/index?page=content&id=TECH132337&locale=en_US

    And in particular, this:

    1. Protects Symantec Endpoint Protection files and registry keys

    Numerous threats attack Symantec Endpoint Protection in an attempt to gain access to protected machines. This rule set protects Symantec Endpoint Protection’s registry keys, files, processes and services from outside interference. Enabling this rule could interfere with any non-Symantec products that attempt to integrate with Symantec Endpoint Protection

    If we proceed, is this actually going to stop FakeAV from terminating SEP?  I mean, if FakeAV just calls "taskkill /F /IM smc.exe", will this policy prevent that?



  • 2.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?

    Broadcom Employee
    Posted Mar 25, 2011 01:32 AM

    It is one of the steps towards ensuring security. Fake AVs which exhibit this kind of behaviour will be handled by hardening the policy as stated in the above URL.



  • 3.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?

    Posted Mar 25, 2011 06:05 AM

    Do you have tamper protection enabled? It should prevent attacks on SEP services.

    SEPM console setting:

    Clients > Policies > General Settings > Tamper protection

     

    Unfortunately, both ADC and tamper protection only work on 32-bit OSes.



  • 4.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?

    Broadcom Employee
    Posted Mar 25, 2011 06:25 AM

    Hi,

    Go through article "Does Symantec Endpoint Protection protect me from fake anti-virus programs?"

    http://www.symantec.com/business/support/index?page=content&id=TECH122898&actp=search&viewlocale=en_US&searchid=1296747071472



  • 5.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?

    Posted Mar 25, 2011 06:26 AM

    Yes. That will block Fake AVs and other malware from blocking/disabling SEP. Tamper Protection does the same, but it is not as strong as App Control IMO.



  • 6.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?

    Trusted Advisor
    Posted Mar 25, 2011 06:48 AM

    Hello,

    I appreciate that you have already hardened Symantec Endpoint Protection with Application and Device Control.

    I also agree with Greg.

    Tamper Protection is protection for the SEP client itself. Make sure the Tamper Protection policy is enabled and locked down from the SEPM. Check the screenshot.

    Tamper Protection can be enabled or disabled in a Group's General settings

    1. In the Symantec Endpoint Protection Manager (SEPM), on the left hand side, click Clients.
    2. On the Policies tab, under Settings, click General Settings.
    3. On the Tamper Protection tab, check (or uncheck) "Protect Symantec security software from being tampered with or shut down".

    NOTE: You must lock the lock icon in order to change the client settings or the option is still available on the client machines to enable or disable Tamper Protection.

     

    If FakeAV just calls "taskkill /F /IM smc.exe", Tamper Protection will protect it and will provide a popup on your screen in regards to Tamper Protection.

     

     

    About the FAKEAV, let me share some Symantec Knowledgebase Articles.

    Does Symantec Endpoint Protection protect me from fake anti-virus programs?

    http://www.symantec.com/business/support/index?page=content&id=TECH122898&actp=search&viewlocale=en_US&searchid=1301048638543

    SEP and Norton Network Threat Protection/IPS Signature Naming Improvements

    http://www.symantec.com/business/support/index?page=content&id=TECH152794&actp=search&viewlocale=en_US&searchid=1301048638543

     

    A Good Symantec Forums Thread tells more:

    Turning up settings in SEP to deal with fakeav

    https://www-secure.symantec.com/connect/forums/turning-settings-sep-deal-fakeav

     


    And last but not least, check this Symantec article, which tells a way out in the worst situation, if anything happens.

     

    Using the Symantec Support Tool, how do we collect the suspicious files and submit them to the Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

     



  • 7.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?

    Posted Mar 27, 2011 05:24 PM

    Thanks for this.  In your screenshot, you have "Actions to take if an application attempts to tamper with or shut down Symantec security software" set to "Log the event only".  In this case, wouldn't the "Protect Symantec software from being tampered with or shut down" setting do nothing, and FakeAV could still shut it down? (But we'd get something in the log.)



  • 8.  RE: Application and Device Control Policy to stop FakeAV terminating SEP?
    Best Answer

    Trusted Advisor
    Posted Mar 28, 2011 06:20 AM

    Hello,

    I appreciate your observation. Nice observation.

    That's a default setting.

    I had uploaded the screenshot only to make you understand about the locks on Tamper Protection.

    Well, in regards to your question:

    Yes, you could set the action accordingly and as per your requirements.

    However, make sure you do the locking as well.

    Let me give the correct screenshot, as per your requirements.
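
The thread settles on: enable Tamper Protection, change the action from "Log the event only" to block, and lock the setting in SEPM. What it does not show is how to confirm the result before trusting it. The script below is an added example (not code from the thread or from Symantec): it runs the exact command the original poster worried about, "taskkill /F /IM smc.exe", on a test client and reports whether smc.exe survived, was killed outright, or was killed and then restarted with a new PID. The process name smc.exe comes from the thread; the two service names are my assumption for a SEP 11/12 client and should be confirmed with Get-Service on your build. Run it elevated on a throwaway VM, never on a production box.

```powershell
# Added verification script, not part of the original thread.
# Emulates the FakeAV behaviour asked about in post 1 ("taskkill /F /IM smc.exe")
# and reports what happened to the SEP client. Run as a local administrator on a
# test client after Tamper Protection is set to block (not "Log the event only")
# and locked in SEPM.

$processName  = 'smc'                                     # process named in the thread
$serviceNames = @('SmcService', 'Symantec AntiVirus')     # ASSUMPTION: SEP 11/12 service names;
                                                          # confirm with Get-Service on your client

function Get-SepState {
    # Snapshot of the SEP client: is smc.exe running, under which PID, and service status.
    $proc = Get-Process -Name $processName -ErrorAction SilentlyContinue
    $svcs = foreach ($n in $serviceNames) {
        Get-Service -Name $n -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        SmcRunning = [bool]$proc
        SmcPid     = if ($proc) { ($proc | Select-Object -First 1).Id } else { $null }
        Services   = ($svcs | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
}

$before = Get-SepState
Write-Host "Before: running=$($before.SmcRunning) pid=$($before.SmcPid) services=[$($before.Services)]"

if (-not $before.SmcRunning) {
    Write-Warning "smc.exe is not running; nothing to test. Start the SEP client first."
    return
}

# The same call a FakeAV dropper would make. A blocked kill makes taskkill print
# "Access is denied" and return a non-zero exit code.
$tk = Start-Process -FilePath 'taskkill.exe' -ArgumentList '/F', '/IM', "$processName.exe" `
        -NoNewWindow -Wait -PassThru
Write-Host "taskkill exit code: $($tk.ExitCode)"

# Give the client a few seconds either to log the tamper event or to restart smc.exe.
Start-Sleep -Seconds 5
$after = Get-SepState
Write-Host "After:  running=$($after.SmcRunning) pid=$($after.SmcPid) services=[$($after.Services)]"

if ($after.SmcRunning -and $after.SmcPid -eq $before.SmcPid) {
    Write-Host "PASS: smc.exe (PID $($before.SmcPid)) survived the kill. Check the client's Tamper Protection log for the event."
}
elseif ($after.SmcRunning) {
    Write-Warning "PARTIAL: smc.exe was terminated (PID $($before.SmcPid)) and restarted (PID $($after.SmcPid)). The kill was not blocked; verify the action is set to block, not log only, and that the lock is applied."
}
else {
    Write-Warning "FAIL: smc.exe was terminated and did not come back. Tamper Protection is not blocking; confirm the setting, the lock, and that the client is on a supported OS."
}
```

Post 7's concern is exactly the PARTIAL/FAIL branches: with the action left at "Log the event only", taskkill succeeds and you only get a log entry, so a PASS here is the evidence that the lock and the block action actually reached the client. Repeat the run after pushing the ADC policy from TECH132337 to see whether it changes the outcome on clients where Tamper Protection alone is not enough.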