Endpoint Protection

  • 1.  Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 02:50 PM

    We were told that Symantec Endpoint Protection, and most virus engines in general, have some kind of vulnerability that allows certain viruses/malware to be written to disk and executed before real-time protection can detect them.

    Is this true? Are there any known cases? Are there any remedies to patch things up without implementing a full Scan Engine solution or a scripted disk scan? Scan Engine introduces too many dependencies and too much complexity. And my latest impression is that DoScan wasn't meant to be controlled programmatically. There isn't even a way to create a log file and verify the results anymore.

    Thanks.




  • 2.  RE: Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 02:53 PM

    Well, if there is no signature and SEP can't detect it, then I could see this happening.

    But no vulnerability related to SEP that I've ever heard of



  • 3.  RE: Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 03:18 PM

    In that case, Scan Engine probably won't help either, right? Is there a way we can get an official confirmation on this? I.e., that writing files onto a Windows directory with SEP Auto-Protect on is safe and protected, automatically.

    Otherwise, we have to either pass the file/stream through Scan Engine (very slow so far), or write them to a temp location, kick off a DoScan or something, then move them to the final destination. In the latter case, I could see the same file being scanned thrice. I'm trying to avoid all the complexity and dependency, but I need some kind of authoritative-looking opinion to back me up.




  • 4.  RE: Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 03:20 PM


  • 5.  RE: Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 03:56 PM

    Thanks for the follow up.  That makes me more convinced that SEP has me covered from every angle.

    One thing mentioned was "reverse shell (backdoor) malware that is written to disk and executed before A/V has a chance to recognize it".  But if you do explicit scan, or pass through scan engine, this can be prevented.

    Any clue on what this is?  



  • 6.  RE: Endpoint Protection loophole on new files?
    Best Answer

    Posted Mar 04, 2014 04:03 PM

    Oh certainly, Metasploit has AV bypass modules. Here's one blog on it:

    http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html

    A google search will give you tons more :)

    What it comes down to is that there is no signature that detects the malicious process or activity.

    AV is a must, but you need to use other defenses as well (IPS, firewall, etc.)



  • 7.  RE: Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 04:23 PM

    Thank you so much, that gives me some clue what they are talking about.

    In our case, we do have intrusion protection, a reverse proxy, a firewall plus a web layer, and the only way to upload a file is to stream it through a service sitting on a remote server; file type, size, etc. are also checked at every step. No one has access to the console to execute shell scripts.

    I'm just not sure triple-scanning the same file does any good. But at least we have some talking points. Thanks again for all your help.
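The staging pattern floated in post 3 (write to a temp location, scan on demand, then move) combined with the per-step type and size checks from post 7, as an added example that is not part of the thread and is not SEP or Scan Engine code. The scanner hook is hypothetical: a stand-in that flags the EICAR test string, where a real deployment would invoke the on-demand engine and interpret its verdict. The magic-byte table and the sample uploads are constructed for the example.

```python
"""Staged-upload handling: write the upload into a quarantine directory,
verify the declared type against magic bytes, run an on-demand scanner,
and only then move the file into the directory the application serves.

Added illustration of the "temp location, scan, then move" pattern from
the thread; not SEP, DoScan or Scan Engine code.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable

# Standard EICAR anti-malware test string (harmless; recognised by most
# engines). Used so the example runs offline without a real scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Allowed extensions and the magic-byte prefix each must carry.
# Constructed for the example; extend to whatever the service accepts.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".gif": b"GIF8",
}


class UploadRejected(Exception):
    """Raised with a human-readable reason whenever a step fails."""


def eicar_scanner(path: Path) -> bool:
    """Hypothetical scanner hook: return True if the file is malicious.
    A real hook would run the on-demand engine here and parse its result."""
    with open(path, "rb") as f:
        return EICAR in f.read()


def stage_and_scan(data: bytes, filename: str, dest_dir: Path, staging_dir: Path,
                   max_size: int, scanner: Callable[[Path], bool] = eicar_scanner) -> Path:
    """Validate, quarantine, scan, then publish. Returns the final path."""
    name = Path(filename).name          # drop any client-supplied directory parts
    ext = Path(name).suffix.lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if len(data) > max_size:
        raise UploadRejected("file too large")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")

    staging_dir.mkdir(parents=True, exist_ok=True)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Random temp name: the crafted filename never exists in the served
    # directory until the scan has finished.
    fd, tmp_name = tempfile.mkstemp(dir=staging_dir, suffix=ext)
    tmp = Path(tmp_name)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())        # scanner must see the complete file
        if scanner(tmp):
            raise UploadRejected("scanner flagged the file")
        final = dest_dir / name
        if final.exists():
            raise UploadRejected("destination already exists")
        # Same volume => rename; otherwise shutil.move falls back to copy+delete.
        shutil.move(str(tmp), str(final))
        return final
    finally:
        if tmp.exists():                # rejected file never leaves quarantine
            tmp.unlink()


def run_demo() -> dict:
    """Exercise the pipeline on constructed uploads in a throwaway directory."""
    base = Path(tempfile.mkdtemp())
    final, staging = base / "final", base / "staging"
    results = {}
    png = MAGIC[".png"] + b"\x00" * 16
    results["clean_png"] = stage_and_scan(png, "../logo.png", final, staging, 1024).name
    cases = [
        ("eicar_pdf", MAGIC[".pdf"] + EICAR, "report.pdf"),    # valid header, bad content
        ("exe_as_gif", b"MZ" + b"\x00" * 32, "pic.gif"),       # PE file renamed .gif
        ("too_big", MAGIC[".gif"] + b"\x00" * 2000, "big.gif"),
    ]
    for label, data, name in cases:
        try:
            stage_and_scan(data, name, final, staging, 1024)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = str(exc)
    results["staging_empty"] = not any(staging.iterdir())
    results["final_files"] = sorted(p.name for p in final.iterdir())
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the thread circles around is visible in the flow: a client-supplied name never appears in the served directory until the on-demand scan has returned, so a payload that slips past real-time scanning still has no reachable path to be executed or downloaded from. Keep the quarantine directory outside any web root and on the same volume as the destination so the publish step is a rename rather than a copy, and treat the scanner hook's verdict as one check among the type, size and name checks, not as the only one.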



  • 8.  RE: Endpoint Protection loophole on new files?

    Posted Mar 04, 2014 04:25 PM

    Awesome! I'm glad to have been of some help.

    Enjoy the rest of your day

    -Brian