SEP secret sauce for better protection
There are a lot of posts about getting computer infections...
We never hear about what was installed from a SEP perspective, what feature sets were enabled, what policies, how the policies are configured, etc... So we just tell folks how to clean up, not really how to prevent it in the future.
Hopefully people can list what settings they enable that are different from the out of box policies, in SEP to help protect their environments.
NOTE: This is for desktops only, and does not address server OSes (e.g. some components are not compatible).
1. All features are enabled. AV, AS, Network Threat Protection (NTP), Proactive Threat Protection (PTP), Device Control, etc. I deploy it all now, and use policies to enable or withdraw them...
2. Users that are Local Admins are a security threat! They can effectively disable the SEP client, and also allow items to execute. Extra care must be taken in SEP to lock it down and prevent application execution from within the browser. Some of this is addressed by others in this thread :-)
AV policy -
- Daily Active scan, scanning only 1 compressed file deep, and only executables
- Weekly Full scan, at defaults
- Uncheck "Scan when a file is backed up." - It's redundant!
- Uncheck "Check Floppies" - My PCs don't have floppies
- Bloodhound is set to maximum
- Risk Tracer is enabled (which means NTP has to be enabled)
- Lock all settings, and users are NOT allowed to disable AutoProtect. I'll find the issue at hand, rather than granting the user that power.
- All Email options are disabled, as I am scanning at the email server and gateway already.
- Trojans and Keylogger settings are set to Quarantine.
- Sensitivity is upped to around 50% or a hair less. (EDIT: Symantec now recommends this set to 100% - move the slider to the far right.) Your mileage may vary, always test a change before putting it into production.
- Scan Freq every 15 minutes, from the default 1 hr.
- All clients can submit samples
NTP is enabled fully.
- If I have issues with the FW, I create ports as needed. Generally for most cases in a single subnet, the default ruleset works.
- IPS is always enabled, even if I create an ANY<>ANY FW Rule.
- More info on disabling the FW but still keeping the IPS component working
Device and App Control
- Block all programs from running from a removable device.
- Block modification to hosts files
- Block all autorun.inf files! There is a sample policy you can download from the Symantec support site that will block autorun.inf files. It's highly recommended you get it.
- Import this policy and use it: http://www.symantec.com/business/support/index?page=content&id=TECH132337
I've had the greatest success in improving security when Network Threat Protection is enabled. But I still notice that many people are afraid of it... Well good luck protecting your networks without it. SEP without NTP is no better than SAV 9/10. Not installing NTP, you've basically just set up SAV all over again.
Today's viruses are far too advanced, and are getting executed in a way that bypasses typical AV scanning methods. Thus, it needs to be stopped at the network layer. Think about it, traditional AV is for scanning files. Network Threat Protection stops threats at the network layer, before the payload has a chance to get saved to the hard drive. Items like Conficker exploited a Windows RPC vulnerability. AV can't stop that. But scan for the traffic that exploits the vulnerability, bam! Instant protection.
I also of course advocate a perimeter gateway device that can scan your web traffic. This includes HTTP, IM, and FTP. Symantec's WebGate, Barracuda, MessageLabs, etc...
You also should have an intra-office messaging security suite too. I've been using Symantec Mail Security for years since the 5.x days. I love that product. It scans internal messages for compliance and threats, which is where there is the biggest lapse in security for many offices. Folks assume that their fancy perimeter hardware devices are all they need. Well once inside the network, your hardware will do nothing to stop an internal threat.
Remember, security in layers. Does it need to be from different vendors? I don't think so personally; folks that do believe in this probably think Win95b was the best OS ever. But it's important that you are examining all ways data can enter and leave the environment, and use products that can scan, identify, and stop threats at all layers of your environment.
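As an added illustration of two of the Device and App Control items above (blocking autorun.inf on removable media and blocking changes to the hosts file), here is a small audit script. It is not part of the original post and is not Symantec's code; SEP's policy does the actual blocking, this only reports what that policy would have stopped so an admin can see it in a log. The autorun.inf text, the hosts-file contents, the `update.example.com` host name and the `LAUNCH_KEYS` list are all constructed for the example.

```python
# Added example, not from the original post and not SEP's code: report what an
# autorun.inf on removable media would launch, and whether the hosts file has
# drifted from a known-good baseline. Detection/reporting only.
from __future__ import annotations
import os

# autorun.inf keys that cause a program to run on media insertion (assumed list).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Tolerant INI parse: section name -> {key: value}, names and keys lower-cased."""
    sections: dict[str, dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                       # comment or blank
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:                            # ignore lines without '='
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text: str) -> list[str]:
    """'key=value' entries under [autorun] that would launch a program."""
    auto = parse_autorun(text).get("autorun", {})
    return [f"{k}={v}" for k, v in auto.items() if k in LAUNCH_KEYS]


def audit_drive(root: str) -> list[str]:
    """Check a mounted drive root (e.g. 'E:\\\\') for an autorun.inf that launches code."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return autorun_findings(fh.read())


def hosts_entries(text: str) -> dict[str, str]:
    """hostname -> ip from hosts-file text, skipping comments and blank lines."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comment
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries[name.lower()] = ip
    return entries


def hosts_drift(baseline: str, current: str) -> list[tuple[str, str | None, str | None]]:
    """Hosts entries added, removed, or re-pointed relative to the baseline."""
    base, cur = hosts_entries(baseline), hosts_entries(current)
    drift = []
    for name in sorted(set(base) | set(cur)):
        if base.get(name) != cur.get(name):
            drift.append((name, base.get(name), cur.get(name)))
    return drift


# Constructed sample inputs (not real captures).
SAMPLE_AUTORUN = """; constructed sample autorun.inf
[autorun]
open=setup.exe
icon=setup.exe,0
shellexecute=helper.exe
"""
BASELINE_HOSTS = "127.0.0.1 localhost\n"
CURRENT_HOSTS = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 update.example.com  # constructed: update server redirected to loopback\n"
)

if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN):
        print("autorun.inf would launch:", finding)
    for name, before, after in hosts_drift(BASELINE_HOSTS, CURRENT_HOSTS):
        print(f"hosts drift: {name}: {before} -> {after}")
```

On a real machine, `audit_drive` would be pointed at each removable drive letter and `hosts_drift` at `%SystemRoot%\System32\drivers\etc\hosts` against a copy taken from a clean build; any non-empty result is what the two SEP policy rules above are there to prevent.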
After pushing this link/thread for a number of months to customers and the like, I've seen a dramatic reduction in calls about outbreaks.
However, one cannot rest with just an Endpoint product, Symantec or otherwise...
That said, some updated content will be added shortly to my original post
Also, please read up on Power Eraser, Symantec's new tool to aggressively remove malware from a system. Similar in function to Malwarebytes, but seems to scan faster in my few tests in running it on clean systems (have yet to try it on an infected system).
Also, the Symantec Endpoint Recovery Tool (SERT)
A bootable ISO used to scan machines while offline to clean systems of threats. Built on what seems to be the same ISO that BESR is built on. Note: It needs Internet access to get the latest defs, and as long as you don't have some generic whitebox with an obscure NIC, it should work fine.