Endpoint Protection

  • 1.  SEP 11 - System lockdown on malware incident

    Posted May 24, 2012 11:55 AM

    We had a recent malware attack on a computer that went undetected by Symantec except for an IPS alert. The IPS blocked access to the C&C server but a local payload was able to do a lot of damage to the computer and its connected network.

    Is there a feature of SEP that will isolate the computer from the network i.e. disconnect the network card, which can be triggered on certain events?

    We would like the computer to isolate itself any time the IPS triggers.

  • 2.  RE: SEP 11 - System lockdown on malware incident

    Posted May 24, 2012 12:28 PM

    You can try System Lockdown from

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/2540d77eae4bc39b802573620055ad7c?OpenDocument

    For .exe and .dll files it might help; I have never tried it for a network card. Try this in a test network first.

  • 3.  RE: SEP 11 - System lockdown on malware incident

    Broadcom Employee
    Posted May 24, 2012 12:47 PM

    You can create a firewall rule for this client so that it is isolated from the network.

  • 4.  RE: SEP 11 - System lockdown on malware incident

    Posted May 25, 2012 09:52 AM

    So I create a firewall rule to block ALL traffic inbound/outbound, but how do I get this to trigger automatically and be applied when the IPS triggers?

  • 5.  RE: SEP 11 - System lockdown on malware incident

    Posted May 25, 2012 10:32 AM

    Basically we want to isolate a computer from the network as soon as the intrusion prevention triggers an alert.
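The thread asks for a "block everything" firewall rule that is applied automatically when the IPS fires. The script below is an added example of that pattern (not code from the thread, and not a built-in SEP 11 feature): it tails a text log for an IPS block event and, on a hit, applies a block-all policy with Windows' built-in `netsh advfirewall`, keeping only an allowed management host reachable so the machine can still be administered and released. The log path, the log-line format, the management server address (an RFC 5737 documentation address) and the management port are all assumptions; the sample log lines are constructed.

```python
"""Host self-isolation on an IPS alert, driven by netsh advfirewall.

Assumptions (not taken from the thread or from SEP):
- the IPS writes one event per line to a text log (IPS_LOG_PATH is a placeholder);
- a line looks like "<timestamp> <host> <severity> IPS:<event> <detail>" (constructed);
- a management host must stay reachable after isolation (placeholder address/port).
"""
import re
import subprocess
from typing import Iterable, List

IPS_LOG_PATH = r"C:\ProgramData\placeholder\ips.log"   # placeholder, not SEP's real path
MGMT_SERVER_IP = "192.0.2.10"                          # placeholder management server
MGMT_SERVER_PORT = 8014                                # assumed management port
ISOLATION_RULE = "Isolation-Allow-Mgmt"

# Constructed line format: "<timestamp> <host> <severity> IPS:<event> <detail>"
ALERT_RE = re.compile(r"^\S+\s+\S+\s+(?P<sev>\w+)\s+IPS:(?P<event>\w+)\s+(?P<detail>.*)$")


def should_isolate(lines: Iterable[str]) -> bool:
    """True if any line is an IPS BLOCKED event of severity HIGH or CRITICAL.

    Lower-severity or ALLOWED events do not trigger isolation, so a noisy
    signature cannot knock the host off the network on its own.
    """
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m and m.group("event") == "BLOCKED" and m.group("sev") in ("HIGH", "CRITICAL"):
            return True
    return False


def isolation_commands(mgmt_ip: str = MGMT_SERVER_IP,
                       mgmt_port: int = MGMT_SERVER_PORT) -> List[List[str]]:
    """netsh commands that block all inbound and outbound traffic except the
    management channel. Explicit allow rules still apply under a block-all
    default policy, so the allow rule is added before the policy is switched."""
    return [
        ["netsh", "advfirewall", "set", "allprofiles", "state", "on"],
        ["netsh", "advfirewall", "firewall", "add", "rule", f"name={ISOLATION_RULE}",
         "dir=out", "action=allow", "protocol=TCP",
         f"remoteip={mgmt_ip}", f"remoteport={mgmt_port}"],
        ["netsh", "advfirewall", "set", "allprofiles", "firewallpolicy",
         "blockinbound,blockoutbound"],
    ]


def rollback_commands() -> List[List[str]]:
    """Undo isolation: restore the usual default policy and drop the allow rule."""
    return [
        ["netsh", "advfirewall", "set", "allprofiles", "firewallpolicy",
         "blockinbound,allowoutbound"],
        ["netsh", "advfirewall", "firewall", "delete", "rule", f"name={ISOLATION_RULE}"],
    ]


def run(commands: List[List[str]], dry_run: bool = True) -> List[str]:
    """Execute the commands (or, in dry-run mode, just return them as strings)."""
    executed = []
    for cmd in commands:
        executed.append(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)   # needs an elevated shell on Windows
    return executed


def check_log_and_isolate(path: str = IPS_LOG_PATH, dry_run: bool = True) -> bool:
    """One polling pass: read the log, isolate if a qualifying event is present."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        if should_isolate(fh):
            run(isolation_commands(), dry_run=dry_run)
            return True
    return False


# Constructed sample log lines for a stand-alone run.
SAMPLE_LINES = [
    "2012-05-24T11:55:02 host1 LOW IPS:ALLOWED signature=12345 dst=203.0.113.7",
    "2012-05-24T11:55:09 host1 HIGH IPS:BLOCKED signature=67890 dst=203.0.113.9 (C&C)",
]

if __name__ == "__main__":
    if should_isolate(SAMPLE_LINES):
        for line in run(isolation_commands(), dry_run=True):
            print("would run:", line)
```

Run it as a scheduled task or service in a test network first, exactly as the thread advises; the isolation leaves only the management host reachable, and `rollback_commands()` gives the operator a clean way back once the incident is closed.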