Security Best Practices

Stopping malware and other threats

The threat landscape has changed and cybercrime is rampant. The final defense against malware is a properly configured endpoint that deploys more than antivirus to provide layered protection and advanced policy configurations. Follow the steps you must do, should do, and can do to reduce your exposure and mitigate infection.

Use layered protection at the endpoint

Enabling the full protection stack is the first step in defending against web-based attacks, unpatched vulnerabilities, drive-by downloads, mutating malware, and suspicious file behavior. For maximum effectiveness and efficiency, activate Network Threat Protection, the Intrusion Prevention System (IPS), Firewall, Antivirus, Insight and SONAR. Symantec Security Response has recommendations on high-security vs. high-performance vs. balanced settings in our tech write-up: Security Response recommendations for Symantec Endpoint Protection 12.1 settings


Reduce the attack surface

Reduce the possible points of infection by restricting the applications allowed to run, the devices allowed to connect, and the actions a system can perform. Highly sensitive or single-use endpoints (e.g. point-of-sale, ATM or embedded systems) can significantly reduce their risk exposure by enabling policies that effectively reduce the attack surface. Learn more about running SEP on single-use endpoints.

Read the tech brief: Best Practices for Running Symantec Endpoint Protection 12.1 on Point-of-Sale Devices

Improve default Symantec Endpoint Protection settings

Get the most out of your Symantec Endpoint Protection product by improving its default settings. Only a few setting changes can make a big improvement to your security. 

Protect Against Advanced Persistent Threats: Configuration Guidelines

Keep browser plugins patched

Attacks have moved to the browser. It is critical that attackers not be able to use Microsoft® Internet Explorer or Adobe® Reader/Acrobat/Flash vulnerabilities to get onto a system. Use each vendor's auto-update or software distribution tools to install patches as soon as they become available.

Block P2P usage

One of the simplest methods for distributing malware is hiding it inside files shared on peer-to-peer (P2P) networks. Create and enforce a no-P2P policy, including home usage of company machines. Enforce the policy at the gateway and, using SEP's optional Application and Device Control (ADC) component, at the desktop.

Learn more about using Symantec Endpoint Protection’s Application Control to block P2P at the desktop

Turn off AutoRun

Stop Conficker/Downadup and other network-based worms from jumping from USB keys and network drives, without changing company policies on open shares.
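An added example (not from the Symantec page) of auditing and enforcing the AutoRun policy the section refers to: the `NoDriveTypeAutoRun` value under the machine Explorer policy key disables AutoRun per drive type, and 0xFF covers every type, so a worm on a USB key or mapped drive cannot launch itself while the share itself stays open. The `-Enforce` switch and the `Get-AutoRunState` function are my own naming.

```powershell
# Added example: audit (and optionally enforce) the Windows AutoRun policy.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is off;
# 0xFF disables it for removable, fixed, network, CD-ROM and RAM-disk drives.
# Run in an elevated PowerShell session; -Enforce is a switch defined here.
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # all drive-type bits set

function Get-AutoRunState {
    # Read the current policy value; absent means AutoRun follows defaults
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) {
        return [pscustomobject]@{ Present = $false; Value = 'not set'; Disabled = $false }
    }
    [pscustomobject]@{
        Present  = $true
        Value    = ('0x{0:X2}' -f [int]$current)
        # Disabled only if every drive-type bit is set
        Disabled = (([int]$current -band $AllDrives) -eq $AllDrives)
    }
}

$state = Get-AutoRunState
if ($state.Disabled) {
    Write-Host "AutoRun is already disabled for all drive types ($($state.Value))."
}
elseif ($Enforce) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    Write-Host "Set $ValueName to 0xFF; it takes effect for new logon sessions."
}
else {
    Write-Warning "AutoRun is not fully disabled (current value: $($state.Value)). Re-run with -Enforce to set 0xFF."
}
```

Deploying the same value through Group Policy ("Turn off Autoplay" for all drives) is the equivalent for a fleet; the script is useful for spot-checking machines that have drifted from the policy.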

Ensure all OS patches are applied

Vendors like Microsoft and Apple periodically release hotfixes, service packs and security patches to correct known defects in their operating systems. Many threats function by exploiting known vulnerabilities for which patches are already available. Computers with all vendor patches applied are not vulnerable to these threats.

Turn on enhanced security in Adobe® Reader

Protect your machines from attacks hidden in PDF files by hardening Adobe Reader. 

Learn more about using the enhanced security settings available in Adobe Reader

Limit the use of network shares (mapped drives)

Worms love to spread via networked drives. Unless there is a strong business requirement, close mapped drives. If possible, limit permissions to read-only rather than read-write.
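An added example (not from the Symantec page) that audits the shares a worm could write to: it lists the non-administrative SMB shares on the local host and flags any that grant Change or Full access to broad principals, which is what the read-only recommendation above is meant to prevent. It assumes the SmbShare module (Windows 8 / Server 2012 or later); `$BroadPrincipals` and `Get-WritableBroadShares` are my own names.

```powershell
# Added example: find SMB shares that give write access to broad groups.
# Requires an elevated session and the SmbShare module (Windows 8 / 2012+).
# $BroadPrincipals is a constructed starting list; add your own domain groups.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users'
)

function Get-WritableBroadShares {
    # Skip administrative shares such as ADMIN$, C$ and IPC$
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        $acl = Get-SmbShareAccess -Name $share.Name
        # Share-level ACEs that allow write-capable rights to a broad principal
        $broadWrite = $acl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.AccessRight -in @('Change', 'Full')) -and
            ($BroadPrincipals -contains $_.AccountName)
        }
        if ($broadWrite) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                Principals = (($broadWrite | ForEach-Object { $_.AccountName }) -join ', ')
                Rights     = (($broadWrite | ForEach-Object { "$($_.AccessRight)" } |
                               Sort-Object -Unique) -join ', ')
            }
        }
    }
}

$findings = @(Get-WritableBroadShares)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) share(s) grant write access to broad groups; reduce them to Read or remove the share."
}
else {
    Write-Host 'No non-administrative shares grant broad write access.'
}
```

Share permissions are only half the picture; the NTFS ACL on the share path must also deny write to the same groups, which `Get-Acl` on `$share.Path` can confirm.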

Review mail security and gateway blocking effectiveness

Catching threats before they reach the desktop can be done with effective mail and web security scanning. Check that you have a mail security solution that updates frequently to detect the latest bad sender IPs, spam and malware threats at the mail gateway. Consider implementing a web security solution that will protect your organization against Web 2.0 threats, including malicious URLs and malware.

Review your security content distribution schedule

Antivirus signatures are released multiple times a day, and IPS content roughly weekly or as needed. If possible, take advantage of these updates, or at least update the machines that are frequently infected.

Ensure that all of SEP’s components are installed

Administrators sometimes deploy SEP with only the traditional signature-based AntiVirus component. The additional optional components (Network Threat Protection, Intrusion Prevention System, Application and Device Control, Proactive Threat Protection) greatly enhance SEP's ability to defend against today's sophisticated threats. SEP 12.1's Insight technology is particularly effective against the very latest threats for which no AntiVirus signatures yet exist. Unless there is a compelling reason not to, each of these additional components should be deployed throughout the organization. For more details, see How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations.

Implement application control rules to block specific threats

Symantec Endpoint Protection's Application and Device Control is a powerful tool that can be used to stop a specific file, block peer-to-peer (P2P) network use, or protect critical files and registry entries.

Educate users

Most malware attacks use social engineering, and education can be highly effective in stopping them. Your users don't need to be security experts. Today, just remembering four things can keep them protected:

  • Only click through to trusted sources when conducting searches, especially on topics receiving high attention
  • Never update a "media player," "codec," or "Flash" when prompted by a site hosting videos or not affiliated with that application
  • Do not use P2P applications on business machines, and be cautious on home machines as well
  • Do not click on links or attachments in spam email

Educate yourself

Symantec provides multiple resources to keep you up to date on the latest security threats: knowledge base articles, Security Response blogs, Symantec Connect, and the Internet Security Threat Report.