Endpoint Protection

  • 1.  Getting Hit Hard by W32.IRCbot and other Qbot Infections

    Posted Feb 14, 2010 12:04 PM
    Over the last week we have been hit really hard by the W32.IRCbot and other bot infections.  Every system on our network is infected now with at least 20 - 30 infected files.  We had this issue a few months ago but now it is back and in different file locations.

    The SEP client is now catching it and by policy is cleaning by deletion however for some reason it is still able to spread across our network.

    Any ideas??????


    This includes all our Windows 2003 servers and Windows XP systems.  So far Windows 7 systems are not being affected.  All Service packs are installed and all systems have the current Microsoft security updates.

    We are running the most current SEP 11 RU5 version as well.


  • 2.  RE: Getting Hit Hard by W32.IRCbot and other Qbot Infections

    Posted Feb 14, 2010 02:21 PM
    A few pointers:

    Do not log in with domain admin accounts on potentially infected machines (use "Run as" when necessary).

    Disable autorun execution via a GPO (it is not needed in an enterprise network anyway):
    http://support.microsoft.com/kb/967715

    Network Threat Protection and the IPS are able to stop a lot of threats from propagating and might be worth adding to your SEP clients if not already installed.

    Make sure SEP is indeed installed AND up to date on all systems; most detections you receive could just be notifications and not technically a reinfection.
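    One way to verify that the autorun GPO recommended above has actually taken effect on a given host, as an added example that is not part of this thread or of Symantec's guidance: a PowerShell audit that reads the two registry values documented in KB967715. The key path and value names come from that article; the `-Fix` switch and the reporting are my own additions.

```powershell
# Added example (not from the thread): audit whether Autorun is effectively
# disabled on this host, which is what the KB967715 GPO is meant to enforce.
# Read-only unless -Fix is supplied; run from an elevated prompt.
param([switch]$Fix)

$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent (works on PowerShell 2.0)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# NoDriveTypeAutoRun is a bitmask of drive types with Autorun suppressed;
# 0xFF covers every type (removable, fixed, network, CD-ROM, RAM disk, unknown).
$noDriveType = Get-RegValue $PolicyKey 'NoDriveTypeAutoRun'
# HonorAutorunSetting = 1 is the value KB967715 describes for XP / 2003 hosts
# that have the fix making Windows honour NoDriveTypeAutoRun for autorun.inf.
$honor = Get-RegValue $PolicyKey 'HonorAutorunSetting'

$allDisabled   = ($noDriveType -ne $null) -and (($noDriveType -band 0xFF) -eq 0xFF)
$hotfixApplied = ($honor -eq 1)

if ($noDriveType -eq $null) { "NoDriveTypeAutoRun : not set (Windows default applies)" }
else                        { "NoDriveTypeAutoRun : 0x{0:X2}" -f $noDriveType }
if ($honor -eq $null)       { "HonorAutorunSetting: not set" }
else                        { "HonorAutorunSetting: $honor" }

if ($allDisabled -and $hotfixApplied) {
    "OK: Autorun is disabled for all drive types and the KB967715 fix is active."
} else {
    "WARNING: autorun.inf can still execute from some drive types on this host."
    if ($Fix) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun'  -Value 0xFF -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -Value 1    -Type DWord
        "Applied NoDriveTypeAutoRun=0xFF and HonorAutorunSetting=1; a GPO should still enforce this fleet-wide."
    }
}
```

    Running it without `-Fix` on each server gives a quick way to confirm the GPO has applied before assuming the propagation path is closed.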
  • 3.  RE: Getting Hit Hard by W32.IRCbot and other Qbot Infections

    Posted Feb 14, 2010 03:15 PM
    Cool. I will have our main GPO guy create this.

    I have pretty much all 3 technologies on in policy on all our XP systems.  Our servers are a little different.  I only have Antivirus policy on.  Not sure what is needed on the server side when it comes to SEP.  I have always gone the way of no firewall etc on servers but what is Symantec's best practices for file/print servers, domain controllers, SQL servers, etc????

    On the client side I have the following policies enabled and all three technologies installed:

    AV/AS
    Firewall Policy - Mainly to block P2P and other software from talking.
    Intrusion Prevention -  Settings are default.
    Application and Device Control  - To block proxy programs and other p2p and games.
    Centralized Exceptions


    Any white papers on best practices????  We are a pretty good sized school district so security is important but at the same time it can't get in the way of "student rights."  (don't get me started with that one!)

    Thanks,

    Kris


  • 4.  RE: Getting Hit Hard by W32.IRCbot and other Qbot Infections

    Posted Feb 15, 2010 12:38 AM

    Best Practices for Installing Symantec Endpoint Protection on Windows Servers

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021811070448

    SEP secret sauce for better protection

    https://www-secure.symantec.com/connect/forums/sep-secret-sauce-better-protection


  • 5.  RE: Getting Hit Hard by W32.IRCbot and other Qbot Infections

    Posted Feb 15, 2010 10:43 AM
    One thing I'd look at is the Microsoft Guidelines for Security and Compliance.  They have two configurations, an Enterprise security and a Specialized Security - Limited Functionality environment.  I think you'd be best looking at the Enterprise security--just implement parts of it at a time for testing, then add more until you get it all implemented.  That way you don't have to try very hard to track down problems, if they arise.

    A large portion of these settings in XP disable old features left in place for compatibility's sake (many of which are now disabled by default in Vista/7/Server 2008).  They come as toolkits that contain sample policies and the documentation explaining them.

    Anyway, here are the links:

    Windows XP
    Server 2003
    Windows Vista
    Server 2008
    Windows 7
    IE 8