Endpoint Protection

  • 1.  Check signatures in SEP

    Posted Jan 22, 2015 09:54 AM

    How can I check to see if SEP has specific signatures by hash value? If I find they aren't there, can I add them manually? Thanks!



  • 2.  RE: Check signatures in SEP

    Posted Jan 22, 2015 09:56 AM

    It isn't possible to add signatures manually.

    You can check release history here:

    http://www.symantec.com/security_response/definitions/certified/



  • 3.  RE: Check signatures in SEP

    Posted Jan 22, 2015 10:04 AM

    Something like this?

    How to determine the unique hash of a file detected by Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH211522



  • 4.  RE: Check signatures in SEP

    Posted Jan 22, 2015 10:10 AM

    What I'm looking to check is if a couple of hashes associated with a zero day will be detected by SEP or, if they are not, if there is a way for me to manually enter them somewhere in SEPM to detect and react to them.



  • 5.  RE: Check signatures in SEP

    Posted Jan 22, 2015 10:12 AM

    You can check the hash against https://www.virustotal.com to see if SEP detects it. From there you can make sure you have those defs loaded.

    There is no option to enter in the hash to block it. If you know the file name you can enter in that, like in the below article:

    How to utilize SEP 12.1 for Incident Response - PART 1

     



  • 6.  RE: Check signatures in SEP

    Posted Jan 22, 2015 11:01 AM

    Thanks for the article. After reading it, how does SEP know/get the hash value? The article does not say that it was inputted anywhere unless I am missing it. 



  • 7.  RE: Check signatures in SEP

    Posted Jan 22, 2015 11:04 AM

    SEP can calculate it



  • 8.  RE: Check signatures in SEP

    Posted Jan 22, 2015 05:30 PM

    Thanks for the help! One more question. I was told (after I posted this) that I could go into Policies -> Application and Device Control -> Application Control -> Block applications from running and add the hash value in there to block under rules Block these applications. Is this method not as effective or would it not do what I am looking at achieving?



  • 9.  RE: Check signatures in SEP

    Posted Jan 22, 2015 05:46 PM
    Yep, if you already know the hash, this would work.
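
Added example, not part of any post in this thread and not Symantec code: before entering advisory hashes into the Application Control rule discussed above, a sweep like this shows whether any file on a host already matches them. The function names and sample files are constructed for illustration; the thread does not say which hash algorithm the SEP rule expects, so MD5, SHA-1 and SHA-256 are all handled.

```python
import hashlib
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def load_indicators(lines):
    """Group advisory hashes by algorithm; normalise case, drop malformed lines."""
    wanted = {}
    for raw in lines:
        h = raw.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo and all(c in "0123456789abcdef" for c in h):
            wanted.setdefault(algo, set()).add(h)
    return wanted

def file_digests(path, algos, chunk=1 << 20):
    """Read the file once in chunks and return {algo: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def sweep(root, wanted):
    """Return sorted (relative path, algo) pairs for files matching an indicator."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            digests = file_digests(path, wanted) if path.is_file() else {}
        except OSError:
            continue  # locked or unreadable file: skip it
        rel = str(path.relative_to(root))
        hits += [(rel, a) for a, d in digests.items() if d in wanted[a]]
    return sorted(hits)

def demo():
    """Constructed sample: one 'flagged' file (content b'hello'), one clean file."""
    indicators = [
        "  5D41402ABC4B2A76B9719D911017C592 ",  # MD5 of b"hello", upper case
        "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",  # SHA-256
        "not-a-hash",  # malformed line, ignored
    ]
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("flagged.bin", b"hello"), ("clean.txt", b"benign")):
            Path(root, name).write_bytes(data)
        return sweep(root, load_indicators(indicators))
```

A match only shows that the file is present on that host; blocking it still goes through the policy path described in the posts above.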


  • 10.  RE: Check signatures in SEP

    Posted Jan 23, 2015 02:34 AM

    Hi lamis18,

    If this is the 0-day you are inquiring about, there is AV and IPS coverage in place:

    Unconfirmed zero-day vulnerability discovered in Adobe Flash Player
    https://www-secure.symantec.com/connect/blogs/unconfirmed-zero-day-vulnerability-discovered-adobe-flash-player

    Keep in mind that VirusTotal is not always up-to-date and reflects only AV coverage, not IPS or other components. VT can be a useful tool but it has its limitations.

    With thanks and best regards,

    Mick