Does SEP 12.1 have special abilities with respect to managing Java threats?

Created: 30 Jan 2013 • Updated: 30 Jan 2013 | 7 comments

Yesterday John Strand and Paul of Pauldotcom put on a great webinar with respect to the current concerns (and hysteria) over Java vulnerabilities:

https://www.sans.org/webcasts/uninstall-java-realistic-recommendation-no-insanity-yes-96192

While discussing the various countermeasures (using proxies, GPO, etc.), they mentioned that SEP 12.1 brought new tools that can be used for Java defenses. They didn't get into detail, and I can't find anything in the documentation or the SEP or SEPM GUI. Any idea what they were talking about? What I would REALLY love is to identify all of the legit Java apps (we really don't have that many) and then create a Java applet whitelist with SEP -- is that possible?

 

Much thanks in advance,

Bill

 

7 Comments

.Brian's picture

Would be interesting to hear what they were talking about.

Obviously you have the AV, SONAR, Firewall, Application and Device Control, HIPS, browser IPS and Download Insight. Yes, you can do whitelisting in SEP. Only executables on your hash list would be allowed to run.

My guess would be Download Insight as it was just implemented in 12.1.

How the Insight Lookup process works
Article: TECH169282 | Created: 2011-09-09 | Updated: 2012-06-28
Article URL: http://www.symantec.com/docs/TECH169282

Expected behavior of Download Insight
Article: TECH171776 | Created: 2011-10-13 | Updated: 2012-05-10
Article URL: http://www.symantec.com/docs/TECH171776

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

Thumbs up to the above - apparently the Insight technology may have been exactly the feature that was discussed on that webinar - it is one of the more important changes and implementations between SEP 11.x and 12.1.

Have a look at one other article concerning SONAR and Insight:

http://www.symantec.com/docs/TECH168849

Bill_K's picture

Is there a way to leverage SONAR to specifically lock down Java applets to a whitelist? 

.Brian's picture

You wouldn't be able to use SONAR for this but can use the whitelisting feature.

Mick2009's picture

Hi Bill,

This (and several previous Security Response blogs) may be of interest as well:

Additional Protection for Recent Java Zero-Day
https://www-secure.symantec.com/connect/blogs/additional-protection-recent-java-zero-day

With thanks and best regards,

Mick

Mick2009's picture

This new Security Response blog post will be of interest to followers of this thread:

2013 First Quarter Zero-Day Vulnerabilities
https://www-secure.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities

...

Symantec recommends users to follow these best security practices:

  • Ensure all applications are up to date with the latest security patches. Even though a zero-day exploit cannot be patched, the latest updates will provide protection from previously disclosed vulnerabilities.
  • Ensure antivirus and IPS definitions are up-to-date.
  • Avoid visiting sites of questionable integrity.
  • Avoid opening files provided by untrusted sources.
  • Implement multiple redundant layers of security such as non-executable and randomly mapped memory segments that may hinder an attacker's ability to exploit vulnerabilities.

 

With thanks and best regards,

Mick

cus000's picture

Hmm, I'm not sure what tool that is; most likely the new features mentioned above (Download Insight or SONAR).

Based on your words, it sounds like whitelisting?