Endpoint Protection

Will the Symantec Management Client service alone protect against a virus?

  • 1.  Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 04, 2010 06:14 PM
    Hello,

    I was hoping someone might know the answer to my query.  

    I am trying to lock down the security of our workstations as much as possible and recently had a security audit conducted. The auditor told me that since he was able to go into the computer's Services and stop the "Symantec Endpoint Protection" service, that a malicious person/process would be able to do the same and thereby expose the system to a virus.  The Tamper protection that you can configure via Symantec's manager appears to only lock down access to the "Symantec Management Client" service on the client computer.

    I've tried changing the "Symantec Endpoint Protection" service security rights via a GPO, and that does prevent people from being able to stop it, however it also breaks the connection between SEP client and server, haha. This is the article I read about that...  https://www-secure.symantec.com/connect/forums/tamper-protection-does-not-prevent-user-changing-service-status-disable

    So, since the "Symantec Management Client" appears to be the only service that Symantec provides a way to restrict access to, will this service alone protect a computer against malicious attack?

    Tech details: using SEP ver. 11.0.6005.562 (11 RU 6a). Users are local Power Users. Client PCs are Windows XP & 7.


    Thank you,

    Cielle


  • 2.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 04, 2010 06:33 PM

    Short answer, no. You need AV/AS at least to protect a system from threats. Tamper protection should protect our services.


  • 3.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 04, 2010 06:46 PM
    Symantec Management Client service will not protect you from threats. It provides communication with the Symantec Endpoint Protection Manager. It also provides network threat protection and application and device control for the client.

    So in order to protect your machine you need the Symantec Endpoint Protection service running. It provides virus-scanning for Symantec Endpoint Protection.

    Tamper Protection provides real-time protection for Symantec applications and services.


  • 4.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 04, 2010 06:58 PM
    Thank you for your replies.

    So, just so I'm clear Prachand, if a user on their local PC goes into Services and stops the Symantec Endpoint Protection service so that it's not running, the Tamper protection will still protect the PC?



  • 6.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 02:49 AM
    Tamper Protection will not protect the PC, it only protects the SEP software.
    Many times there are threats that first attack the AV software and make the machine vulnerable to further attacks.


  • 7.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 09:36 AM
    I think the maximum you can do from the SEPM side in this matter is edit the AV/AS policy, go to File System Auto-Protect -> Advanced, reduce the time for "when auto-protect disabled enable after -- minute", and put a lock...


  • 8.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 09:47 AM
    Why do your users even have the right to shut down services?
    This should be locked down via GPO or local restrictions on machines.
    If your users can shut down services on a local machine, the auditor should have brought up the fact that users have "administrative" rights on the machine, thus even with an AV/AS they can install anything they want.  Thus increasing your risk of infection 10 fold regardless of the fact that you have an AV/AS installed on the machine. 
    Tamper protection will only disallow them from turning off the Symantec services... 


  • 9.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 11:12 AM
    Hi Jason,

    I believe I mentioned before that my users are local Power Users, not local Administrators, and so cannot install anything at all. Local Power Users rights are necessary for our users in terms of software usability here, and as well those rights are not a security risk. I also mentioned that I did attempt to lock down the service via GPO, but no matter how I went about this, it disabled the agent's communication with the server.


  • 10.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 11:16 AM
    That's what I thought. :-(   The Tamper protection doesn't seem to really protect much of anything then if a user can go in and just stop the Endpoint Protection service. What I don't get is why Symantec designed the tamper protection system to protect the Management Client service but not the Endpoint Protection service, the one responsible for protecting against virus infection.


  • 11.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 11:18 AM
    That's what I thought, but was hoping there was something else. The minimum time you can set that to is 3 minutes, and a lot can happen in that time. Also it doesn't work if the malicious person disables the service instead of just stopping it.  :-(


  • 12.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 11:31 AM
    Lock down the SEP settings via policy.

    Title: 'How to block a user's ability to disable Symantec Endpoint Protection on Clients'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110514540148

    Make sure Tamper Protection is also locked down, and make sure it is not set to 'log only'.

    Title: 'How to configure Tamper Protection in Symantec Endpoint Protection 11.0'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616550248

    sandra


  • 13.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 12:02 PM
    Thank you for your response Sandra. 

    This is already how I've configured the clients here, and they are correctly not able to right click the tray icon and select disable as it is greyed out.  Also I have Tamper Protection set to block attempts as per the tech doc. 

    However still neither of these prevents anyone from going into Windows Services and simply shutting down the Endpoint Protection service.   :-(



  • 15.  RE: Will the Symantec Management Client service alone protect against a virus?

    Posted Aug 05, 2010 01:10 PM

    Or disabling it at startup.  (I read through the other post.)   Ultimately this has very much to do with Windows rights and permissions.

    I recommend voting up this Idea:

    Tamper Protection: Monitor the Startup Type of the Symantec Services
    https://www-secure.symantec.com/connect/idea/tamper-protection-monitor-startup-type-symantec-services

    In setting the GPO on the SEP service (the one that breaks communication to the SEP), are you setting to restrict access to the service to specific users and/or groups?  If so, which ones?

    sandra
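
    The point in the post above, that this comes down to Windows rights and permissions, can be checked by reading the service's DACL (the SDDL string that `sc sdshow <service>` prints) and listing which groups hold the stop and change-config rights. This is an added example, not part of any post in this thread and not Symantec code; the sample SDDL strings are constructed, and treating only SY (LocalSystem) and BA (Administrators) as privileged is an assumption.

```python
import re

# Two-letter SDDL right codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE", "GR": "GENERIC_READ",
}
# Rights that allow stopping the service, changing its startup type, or rewriting its ACL.
TAMPER = {"STOP", "CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER",
          "GENERIC_ALL", "GENERIC_WRITE", "GENERIC_EXECUTE"}
PRIVILEGED = {"SY", "BA"}  # assumption: only these trustees are expected to control the service

def parse_dacl(sddl):
    """Return {trustee: {"allow": set, "deny": set}} for the DACL part of a service SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)  # stops before an "S:" (SACL) section
    if not m:
        raise ValueError("no DACL in SDDL string")
    acl = {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "D"):
            continue
        if rights.startswith("0x"):
            raise ValueError("hex access mask not handled here: " + rights)
        names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)}
        entry = acl.setdefault(trustee, {"allow": set(), "deny": set()})
        entry["allow" if ace_type == "A" else "deny"] |= names
    return acl

def tamper_findings(sddl):
    """Map each non-privileged trustee to the tamper-capable rights it holds.
    Approximation: deny ACEs are subtracted per trustee; group nesting is not resolved."""
    findings = {}
    for trustee, e in parse_dacl(sddl).items():
        risky = (e["allow"] - e["deny"]) & TAMPER
        if trustee not in PRIVILEGED and risky:
            findings[trustee] = sorted(risky)
    return findings

# Constructed sample DACLs (not captured from a SEP client). PU = Power Users, IU = Interactive.
LOOSE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;IU)"
TIGHT = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;PU)S:(AU;FA;CCDCWP;;;WD)"

if __name__ == "__main__":
    for name, sddl in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, tamper_findings(sddl))
```

    An empty result means no trustee outside SY and BA holds a stop, reconfigure or ACL-rewrite right in the DACL; the audit (SACL) entries after `S:` are deliberately ignored.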


  • 16.  RE: Will the Symantec Management Client service alone protect against a virus?
    Best Answer

    Posted Aug 05, 2010 02:36 PM
    Ok so good news! I just tried testing on a Windows 7 PC, I thought I had before but must have been mistaken. Anyways, Windows 7 prevents Power Users from stopping ANY of the services! :-)  Thank you Microsoft, finally! haha  So, since we're rolling out this new OS with completion coming soon, I am no longer worried about the Symantec service security hole as it existed on Windows XP.