
Block network of client when any virus attack (do not broadcast that virus on network)

Created: 05 Apr 2012 • Updated: 12 Apr 2012 | 8 comments
Noor Shaikh's picture
This issue has been solved. See solution.

Hello Good Day All..!

 

I am using SEPM version 12.1 and I want to know whether it is possible, when a virus attacks any client and SEPM deletes it, to block that client's network from broadcasting on the network. Does SEPM have any feature to block that virus from broadcasting?

Keep in mind I am not using SNAC.

 

Thanks

Noor

Comments

Noor Shaikh's picture

Sharma, the above link does not help me. Let me clarify. Suppose one client is infected by a virus and the SEP client detects it but, for some reason, does not delete it, and the client broadcasts that virus on the network. I want to block the network of that client from broadcasting through SEPM. Is that possible?

 

 

Thanks

Noor

Ashish-Sharma's picture

I think this is not possible. SEPM only finds the virus and deletes it for the client.

It will not block the network of that client from broadcasting.

If you have any concerns, you can contact the support team.

Thanks In Advance

Ashish Sharma

 

 

Noor Shaikh's picture

Thanks for the quick reply, Sharma.

 

If I use SNAC with SEPM, then is it possible?

 

Your prompt response will be highly appreciated.

 

Thanks

Noor

Chetan Savade's picture

Hi Noor Shaikh,

SEPM is not a protection feature. It's a management utility. So it's not possible even with SNAC.

The protection features are included in SEP.

For protection against any type of exploit, the customer should have the NTP & IPS features installed.

Question - Suppose one client is infected by a virus and the SEP client detects it but, for some reason, does not delete it, and the client broadcasts that virus on the network. I want to block the network of that client from broadcasting through SEPM. Is that possible?

--> The best way is to isolate the computer from the network to ensure that the threat is not spreading to or infecting the other computers on the network.

If you know the threat's characteristics and its infection vectors, you may apply firewall rules or implement best practices: blocking the ports involved, disabling AutoPlay, disabling shares, etc.

 

One other way is to move the affected client to a temporary group and apply a high-security policy, such as allowing only the required ports and protocols, with an ADC policy to prevent infection through Autorun.inf, network scanning enabled, Bloodhound set to a high level, etc.

With all that being said, the best way is to isolate the computer from the network and ensure complete remediation before connecting it back to the network.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SOLUTION
Ashish-Sharma's picture

 

Yes, it's not possible.

By default, when the client detects a virus, the client tries first to clean the virus from the infected file. Then, if the client cannot clean the file, it logs the failure and moves the infected file to the Quarantine.

By default, when the client detects a security risk, it quarantines the risk. It also tries to remove or repair any changes that the security risk made. If the client cannot quarantine a security risk, it logs the risk and leaves it alone.

individual security risks.

 

Thanks In Advance

Ashish Sharma

 

 

greg12's picture

Agree with Chetan, the best way to protect your network is to isolate the infected client.

However, perhaps you are looking for something like the Risk Tracer feature of SEP, which can be enabled and configured in the AV/AS policy:

AV/AS policy > Auto-Protect > Advanced > Risk Tracer

The Risk Tracer feature cancels the communication to an attacking client. NTP and Active Response have to be enabled.

Here is an article about it:

https://www-secure.symantec.com/connect/articles/worms-and-threats-spread-across-networks-network-shares-have-become-more-common-recent-yea-0

In SEP 12.1, you have to enable the automatic blocking of attackers ("Active Response") in the Firewall policy, while in SEP 11 the setting was in the IPS policy.