SEP - File transfer USB to WebServer

Created: 17 Jul 2013 | 5 comments

Hi,

After reading articles on the USB autoscan topic, it seems SEP does not have the autoscan USB functionality by default (but you can install doscan.exe etc. to utilize the function), and the auto-protect function protects the system when files are moved/modified/accessed from the USB.

So I have come up with a scenario: a customer comes in and decides to show us an image he has stored on his USB. As the customer sticks the USB into our network environment, the image is uploaded directly into our web server. Now, let's assume that we do not have SEP installed/running on our web server. How will SEP protect the network from a potentially malicious image, or any file, when the file is uploaded directly to the web server? Besides the method of manually scanning the USB before uploading, are there other methods of tackling this scenario?

Thanks all!


_Brian:

Well, the web server would become infected unless you turn off autorun. This is highly recommended. You can use Application and Device Control to stop the spread of threats as well.

See these:

How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file

Article:TECH98330  |  Created: 2009-01-30  |  Updated: 2010-01-01  |  Article URL http://www.symantec.com/docs/TECH98330


How to prevent Autorun.inf files being copied or written to network file shares

Article:TECH131807  |  Created: 2010-01-19  |  Updated: 2012-03-07  |  Article URL http://www.symantec.com/docs/TECH131807


How to protect systems with SEP from an autorun.inf that links to malware.

Article:TECH201440  |  Created: 2013-01-08  |  Updated: 2013-01-08  |  Article URL http://www.symantec.com/docs/TECH201440


Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

Article:TECH104909  |  Created: 2008-01-09  |  Updated: 2011-12-14  |  Article URL http://www.symantec.com/docs/TECH104909


Using Application and Device Control to stop registry entries added by a threat or risk

Article:TECH95124  |  Created: 2009-01-21  |  Updated: 2010-01-21  |  Article URL http://www.symantec.com/docs/TECH95124
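The first recommendation above, turning off autorun, can be audited and enforced with the Windows policy value NoDriveTypeAutoRun (0xFF disables AutoRun for every drive type). The script below is an added example, not code from the thread or from Symantec: it reports the current policy, sets it to 0xFF if needed, and lists any autorun.inf files present on attached removable drives for review (nothing is executed or deleted). The function names are my own; writing to HKLM requires an elevated session.

```powershell
# Added example: audit/enforce the AutoRun policy and review autorun.inf files
# on removable media. Not part of SEP; a plain Windows hardening check.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # bitmask: AutoRun disabled for all drive types

function Get-AutoRunPolicy {
    # Returns the current policy value, or $null when the policy is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AutoRunDisabled {
    # Creates the policy key if missing and sets NoDriveTypeAutoRun to 0xFF.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives `
        -PropertyType DWord -Force | Out-Null
}

function Find-AutorunInf {
    # Lists autorun.inf files on currently attached removable drives
    # (Win32_LogicalDisk DriveType 2) so an administrator can inspect them.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $candidate = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $candidate) {
            # -Force so hidden/system files (the usual case) are returned
            Get-Item -LiteralPath $candidate -Force
        }
    }
}

$current = Get-AutoRunPolicy
if ($current -ne $AllDrives) {
    Write-Host "NoDriveTypeAutoRun is '$current'; setting it to 0xFF (AutoRun off for all drive types)."
    Set-AutoRunDisabled
} else {
    Write-Host 'AutoRun is already disabled for all drive types.'
}

Find-AutorunInf | Select-Object FullName, Length, LastWriteTime
```

In a domain this value is normally delivered by Group Policy ("Turn off Autoplay" under Computer Configuration), which is preferable to a per-host script; the script is useful for checking that the policy actually landed on a given machine.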


AjinBabu:

Hi,

Auto-Protect will scan whenever a read/write happens, since it is real-time protection, which uses a signature-based scanning mechanism.

SONAR is also real-time protection, which scans using the behaviour of the operation.


About the types of threat protection that Symantec Endpoint Protection provides

Symantec Endpoint Protection uses state-of-the-art protection to integrate multiple types of protection on each computer in your network. It offers advanced defense against all types of attacks for both physical systems and virtual systems. You need combinations of all the protection technologies to fully protect and customize the security in your environment. Symantec Endpoint Protection combines traditional scanning, behavioral analysis, intrusion prevention, and community intelligence into a superior security system.

describes the types of protection that the product provides and their benefits.

Table: Layers of protection

Protection type: Virus and Spyware Protection

Description: Virus and Spyware Protection protects computers from viruses and security risks, and in many cases can repair their side effects. The protection includes real-time scanning of files and email as well as scheduled scans and on-demand scans. Virus and spyware scans detect viruses and the security risks that can put a computer, as well as a network, at risk. Security risks include spyware, adware, and other malicious files.

Benefit: Virus and Spyware Protection detects new threats earlier and more accurately using not just signature-based and behavioral-based solutions, but other technologies.

- Symantec Insight provides faster and more accurate malware detection to detect the new and the unknown threats that other approaches miss. Insight identifies new and zero-day threats by using the collective wisdom of millions of systems in hundreds of countries.
- Bloodhound uses heuristics to detect a high percentage of known and unknown threats.
- Auto-Protect scans files from a signature list as they are read from or written to the client computer.

Protection type: Network Threat Protection

Description: Network Threat Protection provides a firewall and intrusion prevention protection to prevent intrusion attacks and malicious content from reaching the computer that runs the client software.

The firewall allows or blocks network traffic based on the various criteria that the administrator sets. If the administrator permits it, end users can also configure firewall policies.

The Intrusion Prevention System (IPS) analyzes all the incoming and the outgoing information for the data patterns that are typical of an attack. It detects and blocks malicious traffic and attempts by outside users to attack the client computer. Intrusion Prevention also monitors outbound traffic and prevents the spread of worms.

Benefit:

- The rules-based firewall engine shields computers from malicious threats before they appear.
- The IPS scans network traffic and files for indications of intrusions or attempted intrusions.
- Browser Intrusion Prevention scans for attacks that are directed at browser vulnerabilities.
- Universal download protection monitors all downloads from the browser and validates that the downloads are not malware.

Protection type: Proactive Threat Protection

Description: Proactive Threat Protection uses SONAR to protect against zero-day attack vulnerabilities in your network. Zero-day attack vulnerabilities are the new vulnerabilities that are not yet publicly known. Threats that exploit these vulnerabilities can evade signature-based detection, such as spyware definitions. Zero-day attacks may be used in targeted attacks and in the propagation of malicious code. SONAR provides real-time behavioral protection by monitoring processes and threats as they execute.

Application and Device Control monitors and controls the behavior of applications on client computers and manages the hardware devices that access client computers.

Benefit: SONAR examines programs as they run, and identifies and stops malicious behavior of new and previously unknown threats. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats.

Application Control controls what applications are allowed to run or access system resources.

Device Control manages the peripheral devices that users can attach to desktop computers.

The management server enforces each protection by using an associated policy that is downloaded to the client.


Regards

Ajin

Beppe:

Better to install SEP on the Web Server, indeed.

Would you instead prefer to wait several minutes to scan in advance several GBs of data on a USB drive (it might be a small SD card as well as a large HDD) before being allowed to load a single file? Remembering the waste of time when such a feature was available in the 90s to scan just a 1.44 MB FDD, now everything is simply on a bigger scale.

Having a full scan of USB drives as soon as they are connected is a common request from IT administrators, but its security benefit is practically null and the performance impact is huge and not accepted by users, hence it has not been implemented in SEP.

Regards,

Giuseppe

SMLatCST:

Depends where you're plugging this USB stick in. If it's plugged into the web server itself, then unless the web server has SEP installed, it will get infected.

If the USB is stuck into a client machine that then uploads the file to the web server (which sounds like the scenario you're asking about), then SEP on the client machine will scan the file (using Auto-Protect) when it gets read for the upload.

Just make sure the USB stick is plugged into a machine with SEP on it, and the file access involved in the upload will cause SEP to auto-scan that file. In fact, just highlighting the file can sometimes cause Windows to initiate a "file access" event.

ObfuscationOfYes:

Wow, all the replies have good information needed for this scenario. And yes, SMLatCST, that is exactly what the scenario is. Since there has to be a buffer period before the file is uploaded to the web server, I was a little confused about where it actually happened (back to the ol' understanding of computer architecture/engineering).

I also thought of ideas you can configure at the Windows level, but it may be that Symantec has already caught on by then.