Endpoint Protection

  • 1.  Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 10:24 AM

    Yesterday John Strand and Paul of Pauldotcom put on a great webinar with respect to the current concerns (and hysteria) over Java vulnerabilities:

    https://www.sans.org/webcasts/uninstall-java-realistic-recommendation-no-insanity-yes-96192

     

    While discussing the various countermeasures (using proxies, GPO, etc.), they mentioned that SEP 12.1 brought new tools that can be used for Java defenses. They didn't get into detail, and I can't find anything in the documentation or the SEP or SEPM GUI. Any idea what they were talking about? What I would REALLY love is to identify all of the legit Java apps (we really don't have that many) and then create a Java applet whitelist with SEP -- is that possible?

     

    Much thanks in advance,

    Bill

     



  • 2.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 01:16 PM

    Would be interesting to hear what they were talking about.

    Obviously you have the AV, SONAR, Firewall, Application and Device Control, HIPS, browser IPS and Download Insight. Yes, you can do whitelisting in SEP. Only executables on your hash list would be allowed to run.

    My guess would be Download Insight as it was just implemented in 12.1

    How the Insight Lookup process works
    Article: TECH169282 | Created: 2011-09-09 | Updated: 2012-06-28
    Article URL: http://www.symantec.com/docs/TECH169282

    Expected behavior of Download Insight
    Article: TECH171776 | Created: 2011-10-13 | Updated: 2012-05-10
    Article URL: http://www.symantec.com/docs/TECH171776

     



  • 3.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 03:12 PM

    Thumbs up to the above - apparently the Insight technology may have been exactly the feature that was discussed on that webinar - it is one of the more important changes and implementations between SEP 11.x and 12.1.

    Have a look at one other article concerning SONAR and Insight:

    http://www.symantec.com/docs/TECH168849



  • 4.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 03:29 PM

    Is there a way to leverage SONAR to specifically lock down Java applets to a whitelist? 



  • 5.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 03:40 PM

    You wouldn't be able to use SONAR for this but can use the whitelisting feature.


  • 6.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 05:23 PM

    Hi Bill,

    This (and several previous Security Response blogs) may be of interest as well:

    Additional Protection for Recent Java Zero-Day
    https://www-secure.symantec.com/connect/blogs/additional-protection-recent-java-zero-day



  • 7.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Jan 30, 2013 09:34 PM

    Hmm, I'm not sure what tool that is; most likely the new features mentioned above (Download Insight or SONAR).

    Based on your words it sounds like whitelisting?

     

     



  • 8.  RE: Does SEP 12.1 have special abilities with respect to managing Java threats?

    Posted Apr 26, 2013 07:25 AM

    This new Security Response blog post will be of interest to followers of this thread:

    2013 First Quarter Zero-Day Vulnerabilities
    https://www-secure.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities

    ...

    Symantec recommends users to follow these best security practices:

    • Ensure all applications are up to date with the latest security patches. Even though a zero-day exploit cannot be patched, the latest updates will provide protection from previously disclosed vulnerabilities.
    • Ensure antivirus and IPS definitions are up-to-date.
    • Avoid visiting sites of questionable integrity.
    • Avoid opening files provided by untrusted sources.
    • Implement multiple redundant layers of security such as non-executable and randomly mapped memory segments that may hinder an attacker's ability to exploit vulnerabilities.