Endpoint Protection


File server best practice against Cryptolocker ?

  • 1.  File server best practice against Cryptolocker ?

    Posted Jul 18, 2016 08:49 AM

    Hi all,

    I'm using SEP v12.1 with just the AV component only, so I wonder what else I can do to prevent the Cryptolocker virus issue on all of my production file servers?

    Any help and best practice steps would be greatly appreciated here.

    Thanks,



  • 2.  RE: File server best practice against Cryptolocker ?

    Posted Jul 18, 2016 08:51 AM

    Is there a reason you're using only AV? You're missing out on the protection SEP provides.

    • Software Restriction Policy (SRP)
    • Restrict write permissions on file servers as much as possible
    • When roles change, adjust permissions on file servers
    • On Access scanning should have On Read, On Write, and On Rename on.
    • AV Live Protection should be enabled
    • Behavior Monitoring (HIPS) should be enabled (Alert only is fine even if it is selected, as HIPS malware detections are blocked regardless of this setting)
    • Web Protection (Block Access to Malicious Websites and Download Scanning) should be On.
    • Educate users to contact IT if they encounter a file that cannot be opened, or any suspicious pop-ups
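
One way to check the "restrict write permissions" item above, as an added example that is not part of the original post: a PowerShell audit that lists file shares where a broad group can write at both the share level and the NTFS level. It assumes Windows Server 2012 or later (SmbShare module) and an elevated session; the list of broad principals is an assumption to adjust for your domain.

```powershell
# Added example (not from the thread): find shares writable by broad groups.
# Assumption: these principals count as "too broad" in your environment.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)

# NTFS bits that allow changing, deleting, or re-permissioning files,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which can
# appear unmapped on inherit-only entries.
$WriteBits = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

# Skip administrative shares (C$, ADMIN$, IPC$) and anything that is not a folder.
$shares = Get-SmbShare -Special $false |
    Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path -PathType Container) }

$findings = foreach ($share in $shares) {
    # Share-level ACL: Change or Full lets a client write over SMB.
    $shareWriters = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -in 'Change', 'Full' -and
                       $_.AccountName -in $BroadPrincipals }

    # NTFS ACL on the share root only; subfolders with broken inheritance
    # need a separate recursive pass.
    $ntfsWriters = (Get-Acl -LiteralPath $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -in $BroadPrincipals -and
                       ([int]$_.FileSystemRights -band $WriteBits) -ne 0 }

    # Effective access is the more restrictive of the two ACLs,
    # so report a share only when both grant write access.
    if ($shareWriters -and $ntfsWriters) {
        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            ShareAcl = ($shareWriters.AccountName | Sort-Object -Unique) -join '; '
            NtfsAcl  = ($ntfsWriters.IdentityReference.Value | Sort-Object -Unique) -join '; '
        }
    }
}

$findings | Format-Table -AutoSize
```

Deny entries and nested group membership are not evaluated here, so treat the output as a list of shares to review rather than a complete effective-permissions report.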


  • 3.  RE: File server best practice against Cryptolocker ?

    Posted Jul 18, 2016 09:10 AM

    Hi John,

    First, definitely add more than just AV alone!  You are fighting with one arm tied behind your back.

    SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy
    https://www-secure.symantec.com/connect/articles/sep-times-city-helpful-symantec-endpoint-protection-analogy

    Ensure that network scanning is enabled and that clients which connect in to the file server do not have write access unless absolutely necessary. 

    Ensure that regular backups are made and that these backups are air gapped or otherwise not corruptible from that server's network.

    These may help:

    Ransomware protection and removal with Symantec Endpoint Protection
    http://www.symantec.com/docs/HOWTO124710

    Ransomware Do's and Dont's: Protecting Critical Data
    https://www-secure.symantec.com/connect/blogs/ransomware-dos-and-donts-protecting-critical-data

    Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick



  • 4.  RE: File server best practice against Cryptolocker ?

    Posted Jul 18, 2016 07:13 PM

    Mick, how do I enable "network scanning"?

    Which component is that?



  • 5.  RE: File server best practice against Cryptolocker ?

    Posted Jul 18, 2016 07:15 PM

    Brian,

    This was my predecessor's decision. I am inclined towards enabling the full stack of SEP client v12.1 on all file servers, but I'm not sure if I have to enable some exclusions.

    So assuming I have enabled all of the feature stacks in the SEP clients, is that enough in general by default?



  • 6.  RE: File server best practice against Cryptolocker ?

    Posted Jul 18, 2016 09:24 PM

    You'll be much more secure doing this. There still may need to be policy tuning, but adding additional layers makes you more secure.



  • 7.  RE: File server best practice against Cryptolocker ?

    Posted Jul 19, 2016 04:21 AM

    Here are a couple articles with specifics:

    Add or remove features to existing Endpoint Protection clients
    http://www.symantec.com/docs/TECH90936

    Configuring Network Scan Settings in Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH95508



  • 8.  RE: File server best practice against Cryptolocker ?

    Posted Jul 19, 2016 09:42 AM

    Just raising awareness of a new whitepaper from Symantec Security Response:

    REPORT: Organizations must respond to increasing threat of ransomware

    https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware



  • 9.  RE: File server best practice against Cryptolocker ?

    Posted Jul 20, 2016 03:32 AM

    Hi John,

    Just a ping to see if you have received the information you were looking for?  This thread is still marked "needs solution."



  • 10.  RE: File server best practice against Cryptolocker ?

    Posted Jul 20, 2016 09:07 AM

    Mick,

    Are there any SEP-specific settings that I need to enable or configure before I deploy it to all of my production file servers?

    So far it is just running with AV components only.

    Thanks in advance.



  • 11.  RE: File server best practice against Cryptolocker ?

    Posted Jul 20, 2016 09:09 AM

    The default should be good enough for now; however, have you tested this in a non-prod environment? This is a bigger change.



  • 12.  RE: File server best practice against Cryptolocker ?

    Posted Jul 20, 2016 07:04 PM

    Brian,

    There is no test environment apart from one empty new VM.

    So far there is no problem in the VM as it is not being used at all. So I guess I can just apply it or deploy it on the production file servers in my domain.



  • 13.  RE: File server best practice against Cryptolocker ?

    Posted Jul 20, 2016 07:07 PM

    Ok. Hopefully all goes well.