For emerging and high-profile threats, Security Response should provide sample Application Control and Firewall policies to aid mitigation
Updated: 09 Feb 2010 | 8 comments
Status:
Reviewed
Here is a suggestion from Security Response that is currently being considered; we would be very interested to get your input and thoughts on the subject:
As well as Security Response providing the usual AV/AS and IPS signatures on a regular basis, it would be good if, when appropriate, Security Response could also provide guidance on how to use Application Control and the Firewall to aid mitigation (or provide sample SEP policies which contain the needed config to achieve this).
Some examples would be:
- Firewall rule to block traffic to/from certain offending domains and/or IP address blocks.
- Application Control rule to block specific processes from being allowed to run.
Ideally then, it would be possible to also centrally report on machines which see the offending domains/IPs/processes appear.
Comments
It's a good suggestion
It's a good suggestion.
I agree with you. Our customer wants us to apply an Application Control policy for known vulnerable processes. It would be great if we got a known threat (process) list from Symantec.
Regards,
Srinivas H.P.
HCL Infosystems Ltd
unlock live update
The administrator has locked this option
Do you mean something like this?
Using Application and Device Control to stop registry entries added by a threat or risk
http://service1.symantec.com/SUPPORT/ent-security....
This document has general steps, plus an included sample policy for trojan.clampi.
I think that this is a good
I think that this is a good idea, but there would be thousands of entries.
Protect the critical registry keys first
Hi,
I've been using this since Symantec released SEP. Create an Application Control policy that stops any modification to certain critical Windows keys.
Authorized Symantec Consultant - Symantec Certified Specialist - Experts-Exchange Certified Guru
Please don't forget to mark your thread solved
I like the idea, especially
I like the idea, especially from the aspect of blocking communications with known hostile hosts. However, if someone is already using a current firewall policy, how will Symantec make it easy to import/update the host list? The current process to import a large number of hosts/IPs into a host group is not very efficient (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008120421314248). On a weekly basis we are manually downloading, cutting, massaging, and pasting known hostile hosts into our host groups. I am working on a script to automate the process, but my scripting skills are not the greatest and I never have enough time to sit down to code.
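As an added example (not code from this thread, and not Symantec's own tooling), here is the "massaging" step of the weekly routine described above written as a small Python script: it takes a downloaded hostile-host feed, strips comments, validates and normalises each entry as an IP address, a CIDR block or a hostname, drops duplicates and malformed lines, and emits one clean entry per line. The feed text is a constructed sample, and the one-entry-per-line output format is an assumption; the real host group import format of the product is not covered here.

```python
"""Normalise a downloaded hostile-host feed into a clean, deduplicated list.

Added example, not from the original thread. The feed below is constructed;
the output format (one entry per line) is an assumption, not the product's
documented import format.
"""
import ipaddress
import re

# Constructed sample feed: the usual mix of comments, blank lines, CIDR
# ranges, hostnames, duplicates and junk that a weekly download contains.
SAMPLE_FEED = """\
# constructed hostile host feed, not a real feed
192.0.2.10
192.0.2.10          ; duplicate line
198.51.100.0/24     ; CIDR block
bad-host.example    ; hostname
BAD-HOST.example    ; same hostname, different case
203.0.113.256       ; invalid IPv4, must be rejected
not a host at all
2001:db8::1
"""

# Hostname: dotted labels; the last label must contain a letter so that a
# malformed dotted quad such as 203.0.113.256 is not accepted as a hostname.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9-]*[a-z][a-z0-9-]*$"
)


def classify(token):
    """Return ('ip'|'net'|'host', normalised_value) or None for junk."""
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        pass
    if "/" in token:
        try:
            # strict=False masks off host bits, e.g. 10.0.0.1/8 -> 10.0.0.0/8
            return "net", str(ipaddress.ip_network(token, strict=False))
        except ValueError:
            return None
    lowered = token.lower()
    if HOSTNAME_RE.match(lowered):
        return "host", lowered
    return None


def parse_feed(text):
    """Parse a feed into deduplicated ips/nets/hosts plus the rejected lines."""
    seen = {"ip": {}, "net": {}, "host": {}}  # dicts keep first-seen order
    rejected = []
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then take the first token on the line.
        cleaned = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not cleaned:
            continue
        result = classify(cleaned.split()[0])
        if result is None:
            rejected.append(cleaned)
            continue
        kind, value = result
        seen[kind][value] = True
    return {
        "ips": list(seen["ip"]),
        "nets": list(seen["net"]),
        "hosts": list(seen["host"]),
        "rejected": rejected,
    }


def to_import_lines(parsed):
    """Render the accepted entries one per line (assumed import format)."""
    return parsed["ips"] + parsed["nets"] + parsed["hosts"]


if __name__ == "__main__":
    result = parse_feed(SAMPLE_FEED)
    print("\n".join(to_import_lines(result)))
    for line in result["rejected"]:
        print("rejected:", line)
```

Rejected lines are reported rather than silently dropped, so a feed whose format changes between weeks shows up as a burst of rejections instead of a silently shrinking block list.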
Good Idea
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Leverage the SEP components to enhance imminent threat response!
Agree! GEB and AV signature updates are good. Additional advice on how to set up firewall, A&DC and IPS custom signatures would really make the added value of SEP clear.