
For emerging and high profile threats, Security Response should provide sample Application Control and Firewall policies to aid mitigation

Created: 11 Aug 2009 • Updated: 09 Feb 2010 | 9 comments
GrahamA
38 Agree, 1 Disagree (+37, 39 votes)
Status: Reviewed

Here is a suggestion from Security Response that is currently being considered; we would be very interested to get your input and thoughts on the subject:

As well as Security Response providing the usual AV/AS and IPS signatures on a regular basis, it would be good if, when appropriate, Security Response could also provide guidance on how to use Application Control and the Firewall to aid mitigation (or provide sample SEP policies which contain the needed config to achieve this).

Some examples would be:

  • Firewall rule to block traffic to/from certain offending domains and/or IP address blocks.
  • Application Control rule to block specific processes from being allowed to run.

Ideally then, it would be possible to also centrally report on machines which see the offending domains/IPs/processes appear.

9 Comments

shp

It's a good suggestion. I agree with you. Our customer wants us to apply an Application Control policy for known vulnerable processes. It would be great if we got a known-threat (process) list from Symantec.

Regards,
Srinivas H.P.
HCL Infosystems Ltd

0 votes
Jeremy Dundon

Using Application and Device Control to stop registry entries added by a threat or risk
http://service1.symantec.com/SUPPORT/ent-security....

This document has general steps, plus an included sample policy for trojan.clampi.

+3 votes
Scuba Steve

I think that this is a good idea, but there would be thousands of entries.

+2 votes
Aaed Alqarta

Hi,

I've been using this since Symantec released SEP: create an Application Control policy that stops any modification to certain critical Windows keys.

Authorized Symantec Consultant - Symantec Certified Specialist - Experts-Exchange Certified Guru

Please don't forget to mark your thread solved

0 votes
jeffwichman

I like the idea, especially from the aspect of blocking known hostile hosts' communications. However, if someone is already using a current firewall policy, how will Symantec make it easy to import/update the host list? The current process to import a large number of hosts/IPs into a host group is not very efficient (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008120421314248). On a weekly basis we are manually downloading, cutting, massaging, and pasting known hostile hosts into our host groups. I am working on a script to automate the process, but my scripting skills are not the greatest and I never have enough time to sit down and code.

0 votes
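The original suggestion (firewall rules for hostile domains and IP blocks, Application Control rules for named processes, and central reporting of machines that touch them) and jeffwichman's weekly host-list maintenance both describe the same small workflow, so here is one added example in Python; it is not code from this thread, from SEP, or from Symantec. It parses a constructed tagged blocklist, merges two feeds without duplicates, and reports which machines in a constructed event log hit a listed domain, address block or process. The `domain`/`net`/`process` line format, the event line format and all sample values are assumptions for illustration; SEPM's own host-group import format is not reproduced.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feed (assumed format, not a Symantec feed). One tagged
# entry per line: domain <name> | net <ip or cidr> | process <image name>
BLOCKLIST_TEXT = """\
# hostile domains
domain bad-updates.example
domain cdn.malware-host.test
# hostile address blocks
net 198.51.100.0/24
net 203.0.113.7
# processes to block
process evilupdater.exe
"""

# Second constructed feed overlapping the first; used to show merging.
BLOCKLIST_UPDATE = """\
domain cdn.malware-host.test
net 198.51.100.0/24
process dropper.exe
"""

# Constructed endpoint events (assumed format, not a SEP log format):
#   <timestamp> <machine> <kind> <value>   kind is connect, dns or process
SAMPLE_EVENTS = """\
2009-08-11T10:02:13 WS-017 connect 198.51.100.44
2009-08-11T10:02:15 WS-017 dns cdn.malware-host.test
2009-08-11T10:03:01 WS-042 process C:\\Users\\bob\\AppData\\Local\\Temp\\EvilUpdater.exe
2009-08-11T10:03:30 WS-042 connect 192.0.2.10
2009-08-11T10:04:02 SRV-01 dns updates.bad-updates.example
2009-08-11T10:05:00 SRV-01 process C:\\Windows\\System32\\svchost.exe
"""


def parse_blocklist(text):
    """Return (domains, networks, processes) as sets, so duplicates collapse."""
    domains, networks, processes = set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tag, value = line.split(maxsplit=1)
        value = value.strip().lower()
        if tag == "domain":
            domains.add(value.rstrip("."))
        elif tag == "net":
            # strict=False tolerates host bits set, e.g. 198.51.100.44/24
            networks.add(ipaddress.ip_network(value, strict=False))
        elif tag == "process":
            processes.add(value)
        else:
            raise ValueError(f"unknown blocklist tag: {tag!r}")
    return domains, networks, processes


def merge_blocklists(*texts):
    """Union of several feeds, rendered back as sorted tagged lines."""
    domains, networks, processes = set(), set(), set()
    for text in texts:
        d, n, p = parse_blocklist(text)
        domains, networks, processes = domains | d, networks | n, processes | p
    net_key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    lines = [f"domain {d}" for d in sorted(domains)]
    lines += [f"net {n}" for n in sorted(networks, key=net_key)]
    lines += [f"process {p}" for p in sorted(processes)]
    return "\n".join(lines) + "\n"


def domain_matches(name, domains):
    """Exact match or any subdomain of a listed domain (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def ip_matches(addr, networks):
    """True if addr falls inside any listed network; non-addresses never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def process_matches(image_path, processes):
    """Compare only the image file name, for Windows or POSIX paths."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in processes


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, value = line.split(maxsplit=3)
            events.append({"ts": ts, "host": host, "kind": kind, "value": value})
    return events


def report(events, blocklist):
    """Map machine -> list of (timestamp, kind, value) that hit the blocklist."""
    domains, networks, processes = blocklist
    hits = defaultdict(list)
    for ev in events:
        kind, value = ev["kind"], ev["value"]
        matched = ((kind == "connect" and ip_matches(value, networks))
                   or (kind == "dns" and domain_matches(value, domains))
                   or (kind == "process" and process_matches(value, processes)))
        if matched:
            hits[ev["host"]].append((ev["ts"], kind, value))
    return dict(hits)


if __name__ == "__main__":
    merged = parse_blocklist(merge_blocklists(BLOCKLIST_TEXT, BLOCKLIST_UPDATE))
    for host, items in sorted(report(parse_events(SAMPLE_EVENTS), merged).items()):
        print(host)
        for ts, kind, value in items:
            print(f"  {ts} {kind:8} {value}")
```

Subdomain matching is deliberate: a feed entry for `bad-updates.example` should also catch `updates.bad-updates.example`, while a lookalike such as `notbad-updates.example` does not match because the comparison requires the dot boundary. Merging through sets is what removes the weekly cut-and-paste duplicates; the emitted text can then be fed to whatever import step the management console actually offers.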
AravindKM

Good Idea

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

0 votes
Serengeti

Agree! GEB and AV signature updates are good. Additional advice on how to set up firewall, A&DC and IPS custom signatures would really make the added value of SEP clear.

0 votes
John Santana

Yes this is just what we need to have :-) !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0 votes