Migration Success Story
It all started with a frantic call from a client. Around 11pm on a Friday night, one of our customers called us with some bad news: they were infected with Conficker. The infection spread quickly, as their current AV solution, Trend Micro, was unable to detect or remove it. The consequences were significant: their customers were unable to access business-critical services, access to remote sites was unavailable, and a large majority of their domain accounts were being repeatedly locked out (Conficker.B guesses passwords against administrative shares, which trips the domain's account lockout policy). Basically, all business-critical functions came to a halt. All of this stemmed from the Conficker worm, and we immediately booked a flight to arrive onsite on Saturday morning.
Once we arrived onsite, we confirmed that the Trend Micro solution was not able to detect or remove the Conficker.B worm. We wanted to prove that Symantec Endpoint Protection (SEP) would not only detect the threat but also remediate it so that all business-critical functionality was restored. We staged an ad-hoc SEP environment and quickly migrated a handful of suspected infected clients from Trend Micro to SEP 11. The results were overwhelming: we were now able to detect the worm, remediate it, stop propagation, and restore functionality to these assets.
After the client agreed that SEP was able to provide the mitigation they so desperately needed, we quickly provisioned a PO, the CIO signed off, and our next task was to deploy SEP to nearly 5000 clients in less than 48 hours. We went to work to define the associated SEP design and architecture requirements. Given the simplicity of SEP and its group structure capabilities, this was completed in less than an hour. Once we had the design in hand, we configured the SEP environment accordingly and then needed to move forward with a migration strategy.
Since SEP comes bundled with uninstall scripts for many competing products, including Trend Micro, we were able to create an install package that seamlessly uninstalled Trend Micro and installed SEP 11. After some quick testing, we pushed the SEP 11 installation package out in phases, 500 clients at a time. In the first day alone we installed SEP on close to 2500 clients successfully, and by the second day almost all 5000 clients were deployed.
The reporting capabilities within SEP gave us a holistic view of how far the worm had spread and how much damage it had done across the environment, information that Trend Micro could not produce and that the client so desperately required. Using SEP's reporting, we were able to see how the worm was propagating across the organization's many network segments and quickly adapt our remediation strategy.
Once we were assured that SEP was deployed to the majority of hosts, our next step was to remediate the Conficker threat completely. We determined that proactively running full system scans, configured through the associated SEP policies, combined with SEP's Proactive Threat Protection (PTP) and Network Threat Protection (NTP) capabilities, would be the most efficient and effective way to remove the worm.
We configured SEP to run a full system scan on all hosts immediately. The results were surprising: over 75% of their workstations and servers were infected with Conficker. The default SEP configuration removed the worm from the majority of the infected machines; some assets required a reboot to eradicate it completely. Since we could also issue reboot commands through the SEP console, we were able to finish the cleanup quickly and efficiently.
Our next challenge was to identify infected machines that had no anti-virus protection at all. These machines were still attempting to infect others, and their worm traffic was saturating links on many network segments. SEP can scan for unmanaged clients, identifying machines and assets that do not have SEP installed. A quick scan revealed about 100-200 clients without anti-virus protection. We quickly deployed SEP to these remaining endpoints, scanned and removed the infection, and restored functionality to the remaining network segments.
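The account lockouts described at the start of this story are the worm's own fingerprint: Conficker.B guesses passwords against administrative shares, so each infected host locks out many different accounts in a burst, and the domain controller records that host as the caller of each lockout event. The following is an added example (not code from the original post or from Symantec) that triages a constructed CSV export of Event ID 4740 (account locked out) records from a DC's Security log and flags callers that lock out many distinct accounts inside a short window. It is a quick way to list the spreaders from a log you already have, including unmanaged hosts that have no agent to report in. The CSV layout, host names, window and threshold are assumptions for this example.

```python
"""
Find the hosts behind a wave of domain account lockouts.

Conficker.B brute-forces a built-in password list against ADMIN$ shares,
so on a domain with a lockout policy every infected host shows up on the
domain controller's Security log as the "Caller Computer Name" of many
Event ID 4740 records within a few minutes. Grouping 4740s by caller and
counting distinct target accounts per time window points at the spreaders.

Added example, not code from the original post or from Symantec. The log
records below are constructed to resemble a CSV export of a DC Security
log; the field layout is an assumption made for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,target_account,caller_computer.
# WKS-0417 is the infected spreader; WKS-0931 locks out a few accounts
# spread out over time (a lead, not a burst); HR-LAPTOP is one user
# mistyping their own password; the 4624 line is a non-lockout event that
# the parser must skip.
SAMPLE_LOG = """\
2009-03-21 23:02:11,4740,jsmith,WKS-0417
2009-03-21 23:02:14,4740,mbrown,WKS-0417
2009-03-21 23:02:19,4740,akhan,WKS-0417
2009-03-21 23:02:25,4740,svc-backup,WKS-0417
2009-03-21 23:03:02,4740,rlee,WKS-0417
2009-03-21 23:03:40,4740,pnovak,WKS-0417
2009-03-21 23:05:10,4740,tgarcia,WKS-0931
2009-03-21 23:06:55,4740,lwu,WKS-0931
2009-03-21 23:07:30,4740,dpatel,WKS-0931
2009-03-21 23:40:12,4740,tgarcia,WKS-0931
2009-03-21 23:41:08,4740,hfischer,WKS-0931
2009-03-21 22:50:00,4740,jdoe,HR-LAPTOP
2009-03-21 23:10:00,4740,jdoe,HR-LAPTOP
2009-03-21 23:30:00,4740,jdoe,HR-LAPTOP
2009-03-21 23:12:00,4624,jsmith,WKS-0200
"""


def parse_lockouts(lines):
    """Return (timestamp, target_account, caller_computer) for each 4740 record."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        when, event_id, account, caller = line.split(",")
        if event_id != "4740":          # only account-lockout events matter here
            continue
        events.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), account, caller))
    return events


def find_noisy_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Map each caller that locked out at least min_accounts distinct accounts
    inside any single window to the peak distinct-account count it reached."""
    by_caller = defaultdict(list)
    for when, account, caller in events:
        by_caller[caller].append((when, account))

    flagged = {}
    for caller, hits in by_caller.items():
        hits.sort()                      # the sliding window needs time order
        in_window = Counter()            # account -> lockouts currently in window
        head = 0
        peak = 0
        for when, account in hits:
            in_window[account] += 1
            # Evict lockouts that fell out of the window ending at `when`.
            while hits[head][0] < when - window:
                old = hits[head][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                head += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            flagged[caller] = peak
    return flagged


if __name__ == "__main__":
    events = parse_lockouts(SAMPLE_LOG.splitlines())
    for caller, peak in sorted(find_noisy_sources(events).items(), key=lambda kv: -kv[1]):
        print(f"{caller}: locked out {peak} distinct accounts within 10 min, isolate and scan")
```

The window matters: WKS-0931 locks out four different accounts in total, but never more than three inside ten minutes, so it stays below the default threshold, while WKS-0417 hits six in under two minutes and is reported. The caller name is supplied by the client side of the SMB session, so treat a flagged host as a lead to isolate and scan rather than proof on its own.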
By this time it was close to 5pm on Sunday, and we wanted to understand the remaining risks to the organization so that when people returned to work on Monday they would not face issues affecting business functionality. We created key reports within SEP that showed the status of our remediation and also identified other threats that Trend Micro had not found, primarily key-loggers, spyware and other malware remnants that Trend Micro could not identify or remove. We then set up notifications to alert the client to any threats requiring action. This allowed them to take a proactive approach to security in their environment rather than the reactive approach they were used to.
After some investigation around 11pm on Sunday, we determined that the worm most likely entered the environment on a USB thumb drive. Using SEP's "Application & Device Control", we set up a policy to block USB thumb drives on any host running SEP. Blocking removable media closes only one of Conficker.B's entry points, though: it also spreads over the network through the MS08-067 vulnerability and by guessing passwords for administrative shares, so the MS08-067 patch and strong local administrator passwords are still required on every host.
After an exhausting 48 hours, Monday morning arrived. People began to show up for work, and we worked to install SEP on additional endpoints, such as laptops that had not been connected to the network over the weekend. The client was amazed not only that the worm was remediated but that we were able to deploy roughly 5000 clients over the course of a weekend. The worm was remediated, SEP was deployed, and it was time to catch up on some much-needed sleep.
I wish this scenario were a one-time event, but it's not. As a security analyst who has worked at our company for over 8 years, I have to deal with these types of situations more often than not. Over the last 6-8 months we have seen a significant increase in malware remediation projects. The threat landscape is changing dramatically, and Conficker is a great example of that. Time after time, as we arrive onsite to address a remediation issue, I keep telling myself: "If only they were running SEP".
In my opinion, Symantec Endpoint Protection version 11 is the hottest new endpoint security product. SEP is a reliable, fully redundant, scalable enterprise-class product that protects your company using many different protection technologies. These technologies, including antivirus (with proactive threat protection), antispyware, application and device control, firewall, and intrusion prevention (part of the Network Threat Protection engine), are leaps and bounds ahead of the competition and offer a full 360 degrees of protection. The product has a smaller footprint, uses less memory, and has exceptional reporting capabilities that, combined with automated notifications, give your support team a detailed perspective on the security status of your environment.