
Does SEP prevent DLL injection on standard executables?

Created: 25 Jun 2012 | 6 comments
Car_Bed

This might be built into the client's detection methodology already, but can someone confirm? Also, is it detected by the AV component via defs, IPS via sigs, or FW?

Also let me know if it's version specific (I would not think it is, but just in case).

Thanks


Paul....


anyone else :)


Simpson Homer

Yes, SEP does prevent DLL injection on standard executables.

This can be done easily via Application and the Device control policy.


Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

Mick2009

Hi Paul,

Do you mean "any injection" or do you mean "suspicious injection"?

Many threats inject into legitimate services, etc., to hide themselves. SEP will block those.

With thanks and best regards,

Mick

Car_Bed

Suspicious injection.


And how does SEP make the determination of what's malicious/suspicious? Is this signature based? Does it come down through the LU def set?

Above, Homer states it can be done through App/Dev; however, we use alternative methods for our App and Dev control and hence don't deploy that component of the overall package. So back to my question: what piece detects it?

This is a separate question from me keeping systems up to date, patched, versions of SEP up to date, etc.


The technology is either built into the product and uses a specific component of the client or, as I believe SEP 12 works, each piece supports the next, so the detection methods work together, each backing the others up to detect a specific threat.


Thoughts?

Thank you for everyone's feedback so far, it's appreciated.


Mithun Sanghavi

Hello,

Agreed with Mick.

Most such injections are inserted by exploiting vulnerabilities in Microsoft or other third-party software installed on the machine.

Symantec would surely block these Threats.


However, you also need to make sure these are prevented on your network as well:

1) Make sure the server is up to date with all the Latest Microsoft Security patches and Updates.

2) Make sure you are running the latest version of your software. Example: Adobe, etc.

3) In case of suspicious activity, run the Symantec Endpoint Support Tool, which would identify the suspicious file on your machine; the same has to be submitted to the Symantec Security Response Team.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Secondly, in reference to the Symantec Endpoint Protection version, we would advise you to always make sure you are running the latest version on the network.

About Maintaining Consistency of Software Versions throughout a SEP 11 Organization

http://www.symantec.com/docs/TECH131660

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000

The answer is simple yes.


Most SEP components will detect injection, but I don't think the FW will ;)

Car_Bed

Hate to dig this back up, but I still can't get an answer as to what component detects it.


For Browser redirection, specific technologies use a form of DLL injection to perform their function. I need to know what part of SEP detects this so we can account for it.


Anyone know? Is it AV, IPS, ...?