Endpoint Protection

  • 1.  MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 11:07 AM
    Now that Mr5 has been released for a few days, I was wondering if anyone has feedback on its ability to detect malware, viruses etc.

    Clearly, the most frustrating issue I see in this group (and the topic here that generates the most buzz) is when Symantec does not detect and address a threat. It is a fact that all prior releases of the Symantec product (MR4 and earlier, Corp 10 latest version) just flat out missed things and PCs became infected.

    There was word and hope that MR5 would be an improvement in this area and so I was wondering what folks are seeing here.

    So, how's MR5 doing?

    Thanks! 


  • 2.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 11:33 AM
    @OIStaff, disappointing, but no.

    I don't know where you read it, but a version difference does not make detection any better (for any vendor, as a matter of fact). As snekul said, it all depends upon the definitions. Of course, IPS depends upon your capabilities.


  • 3.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 11:39 AM
    Symantec's not the only A/V that doesn't get everything. Check out the statistics at http://www.virustotal.com/estadisticas.html; nearly all files submitted were missed by at least one of the A/V vendors. Most new threats are missed by at least half of them. Who gets each detection first depends on who got what submitted to them first.

    One of the biggest things people forget is that most A/V protections require someone to get infected first and then submit those files in to protect everybody else.  Behavior-based detection is the newer area that Symantec and other vendors are investing in to be able to detect those new and unknown threats.  Unfortunately, the bad guys get to test their code against everybody before they send it out into the wild.


  • 4.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 11:50 AM
    We are looking to completely stop malware infections in 2010. We have just switched from CA eTrust ITM over to SEP and are deploying the MR5 client. In addition, we will be utilizing AppLocker on Windows 7 as we roll out these installs to create a whitelist of software that is allowed to install/open. In addition, we have started investigating the possibility of taking away the administrative rights of our desktop users.

    These three things in combination should help us dramatically reduce our number of infections. As far as MR4/MR5 goes, it's doing a much better job all around than our CA solution was ever capable of.


  • 5.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 12:10 PM
    AppLocker was one of the things that really caught my attention with 7. If there aren't software compatibility issues, many of us at my workplace are urging departments to go ahead with Windows 7 because of all the security improvements it has.


  • 6.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 12:48 PM
    I haven't downloaded 7 yet but plan to shortly and eval.

    It really seems that this is the only way to go. AppLocker-type stuff. If AppLocker basically says "this runs and this doesn't," then that is the way to go.

    I have tried to implement taking away admin rights on local boxes (removing domain users from the local admin group), but in almost all cases this is really not applicable. For example, take a CPA firm. During their tax season a program like Lacerte (leading CPA tax prep software) can have updates that need pushing out on a daily basis. If local admin rights are not present, the update does not install. If the client is using XP, they must log off as the user with no admin rights, log on as a local box admin, apply the update, log off, and then log back in as the user with no rights. Nice.

    On Vista, at least the user does not have to log off. They can be supplied with a local box admin account and password and supply this at update time. This usually works.

    The same issues apply with apps that are web based.  Try implementing lock down on a web based app that needs to install controls on any new profile.  Good luck.

    So, while in theory the lockdown of apps seems appealing, in practice it is really not manageable. Even more so with my company, because we take care of about 30 small businesses, all with their own apps, which makes this, while not impossible, very very difficult, time consuming, and expensive for the client.

    Sandeep, your reply was candid and I really appreciate that. 

    The problem here then, and what I'm hearing, is that software that detects based on signatures, regardless of the vendor, will never really be able to do the job it is advertised to perform -- that is, protect my PC from threats. If that is the case, and with the bad guys getting better and richer every day, is reactionary software not really, for all intents, unequal to the task at hand?



  • 7.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 02:09 PM
    >> In addition we have started investigating the possibility of taking away the administrative rights of our desktop users.<<

    Been there, done that many, many years ago. Still get hit, occasionally pretty hard.
    Won't matter. Today malware puts its stuff in the user profile area, where they have rights even if they have NO account on the computer locally and are only domain users with only "user rights".
    Our people have no rights other than to log in and use. If they aren't connected to the network, they can't even log in unless they have been there before and have a profile on that computer.
    They can't even install a printer, yet malware CAN and DOES install because it doesn't follow the rules. Geesh, GOOGLE CHROME doesn't even follow the rules - this stuff puts files in %userprofile%\application data and other folders where users have rights and MUST have rights. Otherwise their Outlook won't work, the browser won't work, etc.
    Some malware installs as BHOs (Browser Helper Objects) and other nice things - looking like a requested "modification" instead of a full install, so it gets in.
    Full lockdown will be problematic in many places as well - no more changing settings, updating software on the fly like so much of it insists on doing now (some HP software for their all-in-ones won't work properly if locked down too tightly).
    True, the application "white list" will be a big help, but be prepared for increased support calls for some organizations.
    Say, whatever happened to the HEURISTICS we read so much about in the early 90s?
    There was some really good software that didn't rely on fingerprints at all! NO definitions! And it worked... where did that go?
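    An added example (not code from any poster in this thread) of the AppLocker path-based whitelisting discussed in replies 4, 6 and 7: the constructed policy below allows EXEs only from the Windows and Program Files trees, so a file dropped into %userprofile%\AppData matches no Allow rule, and Test-AppLockerPolicy shows the decision before anything is enforced. The rule GUIDs, file paths and audit-only mode are assumptions for the example.

```powershell
# Added example: AppLocker path rules for "programs run only from trusted
# locations". Needs Windows 7 Enterprise/Ultimate or Server 2008 R2 and the
# AppLocker module; Set-AppLockerPolicy at the end needs an elevated shell.
Import-Module AppLocker

# Constructed policy. User-writable locations such as %userprofile%\AppData
# match no Allow rule, so an EXE there is denied (or only logged in AuditOnly).
# Rule Ids are arbitrary GUIDs made up for this example.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-2222-3333-4444-555555555501" Name="Allow Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-2222-3333-4444-555555555502" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-2222-3333-4444-555555555503" Name="Allow local admins anywhere"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-paths.xml'   # assumed location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a real system binary under %WINDIR% versus a constructed dummy
# file in the user's profile (the kind of location reply 7 complains about).
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\dropped-sample.exe'
New-Item -ItemType File -Path $dropped -Force | Out-Null
$samples = @("$env:windir\notepad.exe", $dropped)

# Expected: notepad.exe -> Allowed (Windows folder rule),
#           dropped-sample.exe -> Denied for Everyone (no matching rule).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit mode first and watch the AppLocker event log
# (Microsoft-Windows-AppLocker/EXE and DLL) for "would have been blocked"
# events before changing EnforcementMode to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

    Enforcement only takes effect while the Application Identity service (AppIDSvc) is running, so set it to start automatically on the managed machines.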


  • 8.  RE: MR5 Better @ Detecting Bad Stuff?

    Posted Sep 30, 2009 04:52 PM
    Sounds like you have some good thoughts around layering your protections. However, it is highly unlikely you will ever completely stop malware. The bad guys are smart and will find issues in SEP/AppLocker or other applications. The only thing you can really do is layer your endpoint protective measures to harden the hosts.

    Another item you might want to look at is using something like EmergingThreats Firewall rules to block inbound/outbound communications with the SEP firewall.  I have found it pretty effective at stopping lots of bad stuff from getting into our systems.