Best Practices dealing with a threat outbreak when using Symantec Endpoint Protection
Hi all,
Over the past few months, a small group of people from across Symantec have helped put together a document that demonstrates how to best use Symantec Endpoint Protection when dealing with an outbreak. Our technicians have been using it with success, so we thought we'd make it public and share it with the general community.
There are a few technologies that will need to be in place before you can fully use the steps in the document: Application and Device Control (only works for non-64-bit systems), IPS, and the Client Firewall.
One last thing of note, as the threat landscape has changed considerably since Symantec Endpoint Protection was released, we've gone through and made some recommendations as to updating the security policy in the Symantec Endpoint Protection Manager. I'd recommend looking through these recommendations and seeing what might work. When we were working on the policy updates, our first thought was protection, then performance. That said, some of these changes could affect performance...
References
Best practices for responding to active threats on a network
http://service1.symantec.com/SUPPORT/ent-security....
Security Response recommendations for Symantec Endpoint Protection settings
http://service1.symantec.com/SUPPORT/ent-security....
Comments
Here are a few articles written
Here are a few articles written by Connect Users / TAs / Sym Employees.
Finding and Removing Threats. Handling Outbreaks.
https://www-secure.symantec.com/connect/articles/how-find-suspected-threats-your-computer
https://www-secure.symantec.com/connect/articles/virus-removal
https://www-secure.symantec.com/connect/articles/rootkit-intruder-living-your-kernel
https://www-secure.symantec.com/connect/articles/virus-remediation-procedures
Protection against threats. Proactive Approach.
https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers
https://www-secure.symantec.com/connect/articles/network-security-and-ways-protect-system
https://www-secure.symantec.com/connect/articles/security-may-be-illusion-risk-real-manage-it
https://www-secure.symantec.com/connect/articles/online-virus-and-behavioural-scan-engines
https://www-secure.symantec.com/connect/articles/what-do-p2p-applications-do-and-how-block-peer-peer-applications-p2p-using-symantec-endpoin
https://www-secure.symantec.com/connect/articles/more-how-disable-autoplay-feature-prevent-virus-spreading-way
https://www-secure.symantec.com/connect/articles/how-beat-w32downadup-infections-outbreak-scenario
https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Are these recommendations practical?
Todd, while I am sure these recommendations from Security Response would improve security, I fear that performance of the PC may take a big hit.
Have you tried these out?
I will try this out on a sample population tomorrow.
------------------------------------------------------------
MR99 will fix it all.
I think they are practical if
I think they are practical if you're having a malware problem (which most places seem to have), but if malware is a rare event (because of other security settings or well-trained users), then perhaps it is not practical for that environment. I think you are going to have to test and see for yourself if the performance hits are negative enough to justify not using all of the settings--but I'd test in batches, add some settings, test; add some more, test again. That way you can determine which settings are negligible and which ones cause dramatic changes, and you can at the very least implement all the changes that aren't going to cause any problems.
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
In small doses
snekul - I agree with you that we need to test and add.
I am miserable because I have a number of PCs with 256 MB or 512 MB RAM.
They really can't take anything more.
------------------------------------------------------------
MR99 will fix it all.