Critical System Protection

  • 1.  What will be blocked by default when SCSP prevention is enabled?

    Posted Jun 13, 2013 04:46 AM

    Dear all,

    I am going to apply the prevention policy in enable mode.

    By default, what will be blocked when SCSP prevention is enabled?



  • 2.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Broadcom Employee
    Posted Jun 13, 2013 05:58 AM

    What policy have you applied? If the default sym_win_null_sbp, it will not block/prevent.



  • 3.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Broadcom Employee
    Posted Jun 13, 2013 06:00 AM

    Policy : sym_win_null_sbp

    The Windows Null prevention policy provides no protection for an agent computer. The Null prevention policy does not log policy violations. The Null prevention policy is automatically applied to every agent when it registers with the management server. The Null policy works with all supported Windows operating systems.



  • 4.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Posted Jun 13, 2013 07:18 AM

    Thanks. I am going to apply the SCSP default policies below. What will be blocked by default?

    Sym_Win_Protection_Core_sbp

    and

    Sym_Win_Protection_Strict



  • 5.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Posted Jun 13, 2013 11:33 AM

    Strict will block a LOT of things, and is only recommended for extremely valuable or extremely high risk servers. At the Black Hat conference in 2012, all the usual suspects like Lulzsec and Anonymous were given a CSP enabled server to try and hack, and they couldn't. That was using the CORE policy.



  • 6.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Broadcom Employee
    Posted Jun 13, 2013 01:14 PM

    The Windows Core prevention policy provides basic protection for the operating system and common applications, while providing a highly compatible environment for all other programs. The Core policy is suitable for most servers and workstations, and works with Windows 2000, Windows Server 2003, Windows 2008, Windows 7, and Windows XP Professional operating systems.

    Policy file name: sym_win_protection_core_sbp

    The Windows Core prevention policy offers the following functionality:

    Privilege level

    The Core policy gives safe privileges to default services and default interactive programs.

    The Core policy gives safe privileges to the Windows administrators group. When a user logs on to an agent computer using an account that is a member of this group, all default interactive programs and default services that are run by this user are given safe privileges.

    Interactive program protection

    The Core policy provides specific behavior controls for the following interactive applications:

    • Symantec Critical System Protection UI program

    • Microsoft Outlook and Outlook Express

    • Microsoft Office

    • Microsoft Internet Explorer

    Service protection

    The Core policy provides specific behavior controls for the core operating system services, as well as the following application services:

    • Microsoft Exchange Server

    • Microsoft SQL Server

    • Microsoft Internet Information Server (IIS)

    The Core policy denies services from launching programs that may be used by exploits and that services normally do not launch.

    Network restrictions

    The Core policy prevents remote computers from making inbound network connections to an agent computer. Exception lists allow specific remote computers to make inbound network connections.

    Buffer overflow detection

    The Core policy enables buffer overflow detection for the following:

    • Symantec AntiVirus™ and Symantec Client Security, as well as other host security programs

    • Services (core OS and default)

    • Interactive programs

    Exception lists let you disable buffer overflow detection for specific programs.

    The Windows Strict prevention policy provides all the protection of the Core prevention policy, and provides additional restrictions on interactive applications. The Strict policy enforces additional restrictions on interactive applications, including blocking networking, blocking modification of executable files, and treating Windows administrators as normal users. Common interactive applications work under the Strict policy, but you may need to relax the additional restrictions for some interactive programs. The Strict policy is suitable for most servers and workstations, and works with Windows 2000, Windows Server 2003, Windows 2008, Windows 7, and Windows XP Professional operating systems.

    Policy file name: sym_win_protection_strict_sbp

    The Windows Strict prevention policy offers the following functionality:

    Privilege level

    The Strict policy gives no special privileges to Windows administrators. You can use policy options to set privileged users and user groups.

    The Strict policy gives standard privileges to default services and default interactive programs.

    Interactive program protection

    The Strict policy restricts the types of e-mail attachments that can be opened.

    The Strict policy denies interactive programs from writing executable files on disk. This means, for example, that the policy denies downloading binaries from the Internet or saving executables sent as e-mail attachments.

    See Windows Core policy.

    Service protection

    See Windows Core policy.

    Network restrictions

    See Windows Core policy.

    The Strict policy denies network access from default services and default interactive programs, except for specific ports. This means that arbitrary programs trying to access the Internet are blocked unless specified in the exception list.

    The Strict policy allows outbound network connections on ports 80 (HTTP), 135 (Location Service), 389 (LDAP), and 443 (HTTPS).

    Buffer overflow detection

    See Windows Core policy.

    The Strict prevention policy protects auto-start locations as read-only. Because many programs attempt to write to these auto-start locations in their normal operations, the following commands and functions will not work with the Strict prevention policy in place:

    • The Strict policy blocks a user from running the chkdsk command and scheduling a volume to be checked on the next reboot.

    • The Strict policy blocks COM object registration and ActiveX component installation.

      • The policy provides the option Block registration of COM and ActiveX controls under the Custom Interactive, Custom Service, Default Service, and Default Interactive options programs so that you can selectively allow COM Object Registration and ActiveX component installation, if necessary.

      • The following log messages are indicative of a process attempting to register a COM object or install an ActiveX component. You should clear the corresponding policy option, Block registration of COM and ActiveX controls, to allow COM object registration and ActiveX component installation if these denials are prohibiting a program from functioning correctly.

        Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE[4232]
        Event Type: ACCESS
        Severity: WARNING
        Process Set: iexplore_ps
        Resource: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}\InprocServer32\
        Operation: NtOpenKey
        Permissions Requested: 0x20006 (set_value; create_sub_key; read_control)

        Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE[4232]
        Event Type: ACCESS
        Severity: WARNING
        Process Set: iexplore_ps
        Resource: HKEY_USERS\S-1-5-21-746137067-308236825-682003330-70795_Classes\CLSID\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}\InprocServer32
        Operation: NtOpenKey
        Permissions Requested: 0x20006 (set_value; create_sub_key; read_control)

        Note:

        The GUID in the Resource string is likely to change from system to system. For example: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}\InprocServer32\

    • The Strict policy blocks changing network settings, such as the DNS servers.

      • Many VPN products change the DNS server setting when a tunnel is created or terminated. The policy blocks these changes, and the tunnel likely will not work. You can add the VPN program to the safe privilege list to allow software to work properly.

      • The DHCP client also changes the DNS server setting. The policy specifically allows the DHCP client to make the changes, so systems using DHCP do work with the Strict policy.

    • The Strict policy blocks the ability of the system to recognize a Bluetooth device.
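    As an added illustration for the policy-tuning work described in this thread (example code written here, not part of Symantec CSP or of the original posts), the script below parses exported ACCESS events of the shape quoted above, decodes the hex mask in "Permissions Requested" using the standard Win32 registry access-right bits (which reproduces the set_value; create_sub_key; read_control annotation for 0x20006), and flags the COM/ActiveX registration pattern (a CLSID's InprocServer32 key opened with write rights) without depending on the GUID, since the note says it varies per system. It also labels writes to Run/RunOnce auto-start keys, which the Strict policy protects as read-only; that heuristic, the one-field-per-line export layout, and the third svchost/default_ps record are assumptions constructed for the example. The first two records are the events quoted in the post.

```python
"""Triage SCSP ACCESS events exported as 'Field: value' text (added example)."""
import re
from typing import Dict, List

# Registry access-right bits from the Win32 SDK (winnt.h).
REG_ACCESS_RIGHTS = {
    0x00000001: "query_value", 0x00000002: "set_value",
    0x00000004: "create_sub_key", 0x00000008: "enumerate_sub_keys",
    0x00000010: "notify", 0x00000020: "create_link",
    0x00010000: "delete", 0x00020000: "read_control",
    0x00040000: "write_dac", 0x00080000: "write_owner",
}
WRITE_RIGHTS = {"set_value", "create_sub_key", "delete", "write_dac", "write_owner"}

# A CLSID's InprocServer32 key under any hive (HKLM\SOFTWARE\Classes or the
# per-user HKEY_USERS\<SID>_Classes). The GUID is captured, never hard-coded.
CLSID_INPROC_RE = re.compile(
    r"Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\?$", re.IGNORECASE)
# Run/RunOnce auto-start keys: a heuristic assumed for this example.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)

# Constructed sample export. Records 1 and 2 are the events quoted in the post
# (one field per line); record 3 is made up to show a non-COM denial.
SAMPLE_EVENTS = r"""
Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE[4232]
Event Type: ACCESS
Severity: WARNING
Process Set: iexplore_ps
Resource: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}\InprocServer32\
Operation: NtOpenKey
Permissions Requested: 0x20006 (set_value; create_sub_key; read_control)

Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE[4232]
Event Type: ACCESS
Severity: WARNING
Process Set: iexplore_ps
Resource: HKEY_USERS\S-1-5-21-746137067-308236825-682003330-70795_Classes\CLSID\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}\InprocServer32
Operation: NtOpenKey
Permissions Requested: 0x20006 (set_value; create_sub_key; read_control)

Process: C:\Windows\System32\svchost.exe[812]
Event Type: ACCESS
Severity: WARNING
Process Set: default_ps
Resource: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Operation: NtOpenKey
Permissions Requested: 0x20006 (set_value; create_sub_key; read_control)
"""


def decode_reg_access(mask: int) -> List[str]:
    """Expand a registry access mask into the named rights it contains."""
    names = [name for bit, name in sorted(REG_ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(REG_ACCESS_RIGHTS)
    if leftover:
        names.append(f"unknown_0x{leftover:x}")
    return names


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split export text into records: 'Field: value' lines, blank line between records."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first ': ' only; values such as C:\... contain a bare colon.
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Label one ACCESS event for policy-tuning triage."""
    m = re.match(r"0x([0-9A-Fa-f]+)", event.get("Permissions Requested", ""))
    rights = decode_reg_access(int(m.group(1), 16) if m else 0)
    writes = bool(WRITE_RIGHTS & set(rights))
    resource = event.get("Resource", "")
    operation = event.get("Operation", "")
    category, clsid = "other", None
    com = CLSID_INPROC_RE.search(resource)
    if com and writes and operation in ("NtOpenKey", "NtCreateKey"):
        # Matches the "Block registration of COM and ActiveX controls" denial.
        category, clsid = "com_activex_registration", com.group(1).upper()
    elif AUTOSTART_RE.search(resource) and writes:
        # Strict policy keeps auto-start locations read-only.
        category = "autostart_write"
    return {"process": event.get("Process", ""), "process_set": event.get("Process Set", ""),
            "rights": rights, "category": category, "clsid": clsid}


def triage(text: str) -> List[Dict[str, object]]:
    """Classify every record in an exported event dump."""
    return [classify(e) for e in parse_events(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['category']:<26} {row['process_set']:<12} {row['process']}  {row['rights']}")
```

    Events in the default_ps process set deserve the closest look during tuning, since anything not assigned to a named process set lands there; the category and decoded rights make it easier to decide whether to clear the COM/ActiveX option for one program rather than loosening the default set.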

     



  • 7.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Posted Jun 13, 2013 03:04 PM

    Thank you very much for giving info. If you have any more info, please share.



  • 8.  RE: What will be blocked by default when SCSP prevention is enabled?
    Best Answer

    Posted Jun 13, 2013 06:15 PM

    DO NOT apply the prevention policy in Enforce mode.

    Globally disable the policy (upper left hand corner, hit the green switch) THEN apply.  Then watch the logs as they roll into the manager.  Anything that is in BLUE would have been blocked if you had not disabled prevention.

    Watch the logs.  Investigate the blocks that would have occurred if you had prevention enabled (the events that are in blue).  Ask yourself  "Are these blocks nefarious?".

    As a rule, I would assume all blocks are "Guilty Until Proven Innocent".  Use Google, and your knowledge of Windows/Unix.  If necessary, create a sterile lab that has NO network access and install everything by hand (in case a gold image has been corrupted, which I have seen happen) and see if you still see the bad/blocked behavior.

    This is the crucial stage of the CSP rollout process called "Policy Tuning".  If you do this wrong, you can render the product useless.

    Remember:  Guilty until proven innocent.

    Here are four classic errors that happen with Policy Tuning:

    1. Allowing behavior that should be blocked.  Basically, when this is done, it allows an attack.  Often this occurs because the person tuning CSP thought that the policy was too noisy, or it was too hard to research the source and ramifications of the behavior.  Don't do this.

    2. Allowing the blocked behavior for the whole default_ps Process Sets (PSETs).  This is not good, because ANYTHING that does not get assigned to a process set gets assigned to the default.  This includes viruses.  You should not tune the default PSET unless absolutely necessary.  Use the custom process set feature to create your own.

    3. Adding applications to the safepriv_ps or fullpriv_ps.  Anything in the Full Priv PSET will be ignored by CSP, as if CSP was not installed.  This should rarely, if ever, be used.

      The SafePriv process sets are given FULL access to the system, except for the CSP files, processes and registry keys.  When using SafePriv, CSP is protected but nothing else is.

    4. Using the event wizard to "quiet" CSP without knowing what the choices offered in the Event Wizard mean.  If you don't know, investigate.  It is much harder to find and undo exceptions than it is to properly investigate before you allow the behavior.

    Remember that you are basically profiling the machines that you install this on.  You will learn more about these machines that you install CSP on than you thought possible.

    On each block you come across, ask yourself "What is the worst thing that could happen if I allow this behavior?"  If you do not know the answer to this question, or are unsure, do not allow the behavior.

    There is a chance that you will find a real live genuine infection/intruder when going through this process.  Do NOT just brush off the blue (would have been blocked) events, as you just may have found something you do not want in your environment.

    Use the custom process sets to pull out applications that are known by you, but are not in the out of the box policy (like homegrown applications, etc).  Use the custom PSETS to control these applications.

    A lot of people use consultants to initially set up their environment. If you are unsure, I would suggest contacting one.  I am sure someone who does this will chime in here soon.

    The benefits consultants bring are 1) Experience in the field 2) Experience with deploying CSP 3) The knowledge on what constitutes good and bad behavior, as they have most likely seen it before.  Don't be afraid to bring on someone who has done this before.

    Note:  This is a VERY brief description of the journey you are about to take.  Make sure you are ready, or at least practice in a lab before you just throw this into production.



  • 9.  RE: What will be blocked by default when SCSP prevention is enabled?

    Posted Jun 21, 2013 10:39 AM

    I will wholeheartedly agree with everything Chuck (above) said. My company does a great deal of CSP consulting and I'd be happy to discuss your particular project and the high level steps you should be taking to ensure success.

    Chris Tyrrell

    Conventus Corp

    ctyrrell@conventus-sei.com