Symantec Protection Suites

  • 1.  Key Logger Detection | SEP vs SWG??

    Posted Mar 01, 2011 04:16 AM

    Hi,

    We have discovered a key logger on one of our servers with the help of the Symantec Web Gateway. The server is also running SEP 11 (the latest AV definitions, 2011-02-23 rev. 019, are installed) and we found that it has the latest signature sets, but SEP could not detect the key logger; there is nothing in its risk log either.

    Just wondering why SEP is incapable of detecting a key logger (we have seen it detect a few in the past) while the Symantec Web Gateway detects the same one? Wouldn't key loggers actually be part of SEP's signature-based detection?

    Appreciate any inputs.

    Thanks



  • 2.  RE: Key Logger Detection | SEP vs SWG??

    Posted Mar 01, 2011 10:04 AM

    How was the key logger detected by SWG? Check your SEP TruScan settings. Make sure you follow the Security Response recommendations for your TruScan and AV settings.

    Security Response recommends the following setting changes to TruScan for best protection:

    TruScan setting        Default setting   Security Response recommendation
    Scan Sensitivity       9/Low             100
    Action on Detection    Log               Terminate
    Scan Frequency         1:00              00:15

    Security Response recommends the following scan settings:


    Antivirus security setting                     Default setting     High Security policy   Security Response recommendation
    Lock settings                                  Some                Some                   All
    Remediation: terminate processes               No                  No                     Yes
    Remediation: terminate services                No                  No                     Yes
    Auto-Protect action taken for security risks   Quarantine/Log      Quarantine/Log         Quarantine/Delete
    Network Auto-Protect                           Disabled            Enabled                Enabled
    Bloodhound Level                               Default (2)         Default (2)            Default (3)
    SEP Startup                                    System Start        System Start           System Start
    Auto-Protect Scan                              Modify and access   Modify and access      Modify and access


    Regards,

    Thomas
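    The check Thomas suggests, comparing a server's current TruScan and Auto-Protect settings against the Security Response recommendations in the tables above, as an added example that is not part of the original post and not Symantec code. It assumes the administrator has already read the settings out of the SEPM console into a dictionary; the dictionary keys, the `audit()` function and the sample policies below are this example's own constructed names and values, not SEP identifiers, and `parse_frequency()` treats the "1:00" / "00:15" frequency column as an H:MM interval.

```python
"""Compare SEP 11 TruScan / Auto-Protect settings with the Security Response
recommendations quoted in the thread.  Added example, not Symantec code.
The key names below are this example's own; they are not SEP identifiers."""
from __future__ import annotations

from dataclasses import dataclass


def parse_frequency(text: str) -> int:
    """Convert an 'H:MM' scan interval such as '1:00' or '00:15' to minutes
    (assumption: that is what the frequency column in the table denotes)."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


# Recommended values, copied from the two tables in the post above.
RECOMMENDED = {
    "truscan_sensitivity": 100,            # 9/Low by default
    "truscan_action": "Terminate",          # Log by default
    "truscan_frequency_minutes": 15,        # 00:15 recommended, 1:00 default
    "lock_settings": "All",
    "terminate_processes": True,
    "terminate_services": True,
    "security_risk_action": "Quarantine/Delete",
    "network_autoprotect": True,
    "bloodhound_level": 3,
}

# Settings where a higher number is stronger, so only a lower value is a finding.
HIGHER_IS_STRONGER = {"truscan_sensitivity", "bloodhound_level"}

# Constructed sample: the SEP 11 defaults as listed in the tables.
DEFAULT_POLICY = {
    "truscan_sensitivity": 9,               # "9/Low"
    "truscan_action": "Log",
    "truscan_frequency_minutes": "1:00",
    "lock_settings": "Some",
    "terminate_processes": False,
    "terminate_services": False,
    "security_risk_action": "Quarantine/Log",
    "network_autoprotect": False,
    "bloodhound_level": 2,
}


@dataclass
class Finding:
    setting: str
    current: object
    recommended: object


def audit(current: dict) -> list[Finding]:
    """Return one Finding per setting that is weaker than, or missing from,
    the Security Response recommendation."""
    findings: list[Finding] = []
    for key, rec in RECOMMENDED.items():
        raw = current.get(key)
        value = raw
        if key == "truscan_frequency_minutes" and isinstance(raw, str):
            value = parse_frequency(raw)
        if value is None:
            weaker = True                       # unset: treat as not hardened
        elif key == "truscan_frequency_minutes":
            weaker = value > rec                # longer interval = fewer scans
        elif key in HIGHER_IS_STRONGER:
            weaker = value < rec
        else:
            weaker = value != rec
        if weaker:
            findings.append(Finding(key, raw, rec))
    return findings


def report(current: dict) -> str:
    """Human-readable summary, one line per finding."""
    findings = audit(current)
    if not findings:
        return "All settings meet the Security Response recommendation."
    lines = [f"{f.setting}: current={f.current!r}, recommended={f.recommended!r}"
             for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DEFAULT_POLICY))
```

    Run it against the defaults and every row of both tables that changes between the "default" and "recommendation" columns comes back as a finding; a policy already set to the recommended values produces none. The interval and level comparisons are ordered rather than exact so that a setting stricter than the recommendation (for example a 10-minute TruScan frequency) is not flagged.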



  • 3.  RE: Key Logger Detection | SEP vs SWG??

    Posted Mar 02, 2011 12:16 AM

    Thanks Thomas.

    We'll check the SEP settings to see if they are in line with what Security Response recommends.

    If required, will make necessary changes and post the findings.

    Thanks again!

    MiRa..