UP L13: Leveraging the full protection of SEP 12.1.x 1
UP L13: Leveraging the full protection of SEP 12.1.x Hands on lab
Description
In this hands on lab you will learn about the different protection technologies bundled in SEP 12.1.x and see how they complement each other.
A basic understanding of cyber threats and attacks is recommended but not mandatory.
At the end of this lab, you should be able to
§ Configure protection technologies.
§ Understand which technology protects the endpoint against each of several threat vectors.
§ Locate and view logs for each protection technology.
§ Understand the key differentiators of SEP 12.1.x versus competing endpoint protection solutions.
Notes
§ A brief presentation will introduce this lab session and discuss key concepts.
§ The lab will be directed and provide you with step-by-step walkthroughs of key features.
§ Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
§ Be sure to ask your instructor any questions you may have.
§ Thank you for coming to our lab session.
In this lab we will work with some sample threats and attacks to trigger the multiple engines included in SEP 12.1.x. The threats are stored on a web server on the virtual machine SEPSTRESS. There is no need to log in to or open this virtual machine; all tasks are carried out from the Windows 7 client.
A word on the setup: the Windows 7 VM has a SEP client and a SEP Manager (server) installed. To access the sample threats, open Internet Explorer with the shortcut provided on the desktop. The home page is initially set to the SEPSTRESS VM IP (192.168.64.66).
Policies have been customized to ensure that every technology is triggered. In a later exercise you will change the configuration to see the classic behaviour and observe a different technology detecting and stopping the same threat.
Triggering antivirus signatures
Open Internet Explorer and click the AV link. Follow the on-screen instructions for the Trojan.Pidief.J and the Bloodhound detections.
Trojan.Pidief.J
This threat is delivered by a malicious SWF file; IPS has been disabled so that the antivirus engine, rather than IPS, is what triggers. Once the detection has occurred, click the Back button of your browser to return to the AV page and proceed to the Bloodhound detection.
Bloodhound detection
Bloodhound detections are generic antivirus detections made by the heuristic engine. One signature can apply to a whole family of threats with similar characteristics (only a few bytes change from version to version), at the cost of a higher false-positive risk than an exact signature.
Click Back in Internet Explorer to proceed to the next test.
Download and run the virus collection
Download the virus collection (auto_infect.exe) to your desktop and run it. This file is a self-extracting archive that drops sample viruses on the system.
Run the virus collection
Right-click auto_infect_demo and select Run as administrator.
Cleanup successful?
Browse to C:\infection source and check whether any files remain in the folder. You should see that the folder's content has been cleaned up. Observe the Action column in the threat list of the Symantec Endpoint Protection Detection Results window.
When prompted in the cmd window, press any key to complete the package execution.
Insight (reputation) testing
From the SEPSTRESS site in Internet Explorer, select the Insight tab.
Note: so that it does not interfere with the AV test, the Insight feature is disabled. You need to enable and configure Insight before proceeding with the tests.
Enable Insight download from the SEPM console
1. Open the SEPM console with the shortcut on your desktop and log in with the credentials admin / Symc4now!
2. Click on Policies
3. Select Virus and Spyware Protection
4. On the right-hand side of the console, double-click the first policy, called "balanced"
5. Within the policy window select Download Protection
6. Check the box to enable the feature : "Enable Download Insight to detect potential risks in downloaded files based on file reputation"
7. Click OK to validate the changes
Check the policy version (serial number)
Every time you change a setting in a policy, a new version is generated, yielding a new policy serial number. Click the Clients view on the SEPM, click the SEPSTRESS client group and observe the policy serial number at the top right of the console.
Note: if the date is still old, click the Refresh link to see the updated serial number.
Check the serial number on the client
1. Double-click the Symantec shield in the system tray (beside the clock).
2. Click Help
3. Select Troubleshooting
4. Observe the policy serial number: it should match the one you observed on the SEPM.
5. If the policy does not match, click the Update button under Policy Profile.
Testing insight
Try to download each of the test files and note the result. Insight needs to contact the Internet to obtain the reputation score of the file, so expect a slight delay between the download and the actual detection.
These samples are sorted by reputation score, from unknown to proven malware; take a moment to notice the wording in the alert window for each detection.
This test is run with the default level of sensitivity (5 of 10), so some files might not trigger.
Observe the detection popups
In the system tray you should first see a brief sliding popup, followed by the full reputation report.
Reputation report
Explore the details of this file: prevalence, whether it is proven malicious, and age.
Click Origin.
Click Activity and look at the available options.
Note: if you allow a file, an exception is created that applies to other scans too; this may expose your system to unwanted threats. This behaviour can be configured by policy.
Increase Insight sensitivity
From the SEPM console, edit the "balanced" Virus and Spyware Protection policy and raise the sensitivity of Download Protection from 5 to 6. Save the changes and check that the updated policy has reached the client, as previously explained.
Download the unproven file
When the policy was set to 5 of 10 this file was not detected. Raising it to 6 of 10 increases the sensitivity of the reputation engine. This is applicable when facing a virus outbreak, to ensure that new malware is not installed on your endpoints.
Raising the sensitivity also increases the risk of false positives.
Testing Network threat protection (IPS)
Click on the IPS tab on the SEPSTRESS website. This section uses Java and JavaScript samples that attempt to download a malware kit. The HTML file is clean but the JavaScript is not. The first detection triggers Browser Protection, which Symantec positions as unique on the market. The other detections trigger the network detection engine at the packet level.
Before proceeding you need to enable IPS, which was disabled to prevent interference with the technologies tested previously. Open SEPM > Policies > Intrusion Prevention and check both the network and the browser protection options.
Java downloader
Click on Sample 1 and observe the IPS reaction. This link attempts to modify the home page so that the user downloads malware when clicking the Home button or opening a new browser window or tab.
Detection
Once the detection has occurred, click the Home button.
SEP prevented the JavaScript from changing the home page
By default SEP is configured to replace the malicious home page with this page. Since there is no way to know what your home page was, you can keep this default page or set a page of your choice from the SEPM console, under the Virus and Spyware Protection policy.
Observe the log to see what happened
1. Open the SEP client and click View Logs.
2. Select Client Management > View Logs
3. Click on Security Log
Open the latest event
Note that this particular attack applies to Internet Explorer only. You can see that the engine triggered is Browser Protection. Since the malicious activity was caught at the browser level, there is no remote host IP.
Testing Network IPS
The home page has been reset; enter the SEPSTRESS IP, http://192.168.64.66, to continue the exercise.
The first attack tries to download a file called bad.jar. In this exercise the file is linked directly on the site, without the malicious JavaScript. The network IPS signature parses the JAR file as it is being downloaded. Observe the result.
Testing another signature
Click the Back button in Internet Explorer and try the last sample on the IPS page. Observe the result.
View the logs
As previously explained, open the Security log and observe the entries. You should see the last two detections, this time with a remote host IP address.
Further protection
Detecting and preventing network attacks is a critical task. Preventing further attacks from the same host is also possible: we will now configure the firewall so that the SEPSTRESS server is blocked after it attacks the client.
Open the SEPM console and follow these steps:
1. Click on the Policies tab
2. Select Firewall
3. Open the firewall policy (double-click)
4. Select Protection and Stealth
5. Check "Automatically block an attacker's IP address". Because we are testing, change the blocking duration to 2 seconds; in production keep a much longer value (the default is 600 seconds), since a 2-second block gives an attacker essentially no penalty. Note that the block is keyed on the source IP address, so spoofed traffic or attacks relayed through a shared proxy or NAT can get a legitimate host blocked.
6. Close the policy with the OK button to save the changes.
7. Ensure the policy has been updated on the client as previously explained.
Test the Active Response
Repeat the detections for samples 2 and 3 on the IPS page. You should see a new popup notifying you that Active Response has been enabled. During this period you will not be able to connect to the SEPSTRESS server.
Review the log
Open the client Security log and observe the sequence of events: detection > auto-block enabled > active response disabled.
Testing SONAR (behavioral engine)
Click the SONAR tab on the SEPSTRESS site. This test consists of an executable that drops an EICAR test file on the system. SONAR monitors all running executables in real time and convicts files that have a known bad reputation (Insight), drop known malware, or carry out actions that its artificial intelligence engine classifies as malicious.
The file triggers Insight
This test file is new and unproven, so Download Insight is triggered first. Click Activity and set it to allow this file.
Remove the user exception
When you selected Allow in the Download Insight window, SEP automatically configured an exception. To remove it and proceed with the SONAR detection, follow these steps:
1. Click Change Settings
2. Exceptions > Configure Settings
3. Select dropEICAR.exe
4. Click Delete
Close all SEP windows.
Run Dropeicar
From the download location, right-click Dropeicar.exe and select Run as administrator. When prompted, press Enter to release EICAR onto the system. Wait a few seconds and you should see the EICAR and SONAR detections displayed.
Detection result
You should see a log-only detection for SONAR. This is the behaviour we configured for this exercise, so that Insight does not block the file.
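As an added example (not the lab's Dropeicar.exe or auto_infect.exe, and not part of the lab materials), the following Python script reproduces two of the checks above in scripted form: it writes the standard EICAR test string to a folder and polls to see whether real-time protection refuses the write or removes the file, and it lists whatever is left in a folder that should have been cleaned (the C:\infection source check from the virus-collection exercise). The file name, wait window and temporary folder are choices made for this example.

```python
"""Drop the EICAR test string and check whether real-time protection removes it.

Added example for this lab write-up; it is not the lab's Dropeicar.exe or
auto_infect.exe. EICAR is the industry-standard, inert antivirus test string,
so this exercises the same "process writes a known-bad file" path as the
SONAR sample without any real malware. leftover_files() is the scripted form
of the "Cleanup successful?" check on C:\\infection source.
"""
import os
import tempfile
import time

# The 68-byte EICAR test string (raw string: the backslash is part of it).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_payload() -> bytes:
    """Return the EICAR test file content as ASCII bytes (68 bytes)."""
    return EICAR.encode("ascii")


def leftover_files(directory: str) -> list:
    """Names of files still present in a folder that Auto-Protect should have cleaned."""
    if not os.path.isdir(directory):
        return []
    return sorted(
        name for name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, name))
    )


def drop_and_check(directory: str, filename: str = "eicar_test.com",
                   wait_seconds: float = 5.0) -> dict:
    """Write EICAR into `directory` and poll to see whether it survives.

    Three outcomes are distinguished: the write itself is refused (on-access
    scanning blocked the create), the file is removed or quarantined within
    the wait window (detected), or the file is still there (not detected).
    """
    path = os.path.join(directory, filename)
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_payload())
    except OSError:                      # PermissionError included
        return {"path": path, "written": False, "survived": False}

    # Poll rather than sleep once: on-access engines react within milliseconds,
    # behavioural engines such as SONAR can take noticeably longer.
    deadline = time.monotonic() + wait_seconds
    survived = True
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            survived = False
            break
        time.sleep(0.25)
    return {"path": path, "written": True, "survived": survived}


def verdict(result: dict) -> str:
    """Map a drop_and_check() result to a one-word outcome."""
    if not result["written"]:
        return "blocked-on-write"
    return "not-detected" if result["survived"] else "removed"


if __name__ == "__main__":
    # Drop into a fresh temp folder; on a protected host expect
    # "removed" or "blocked-on-write", never "not-detected".
    target = tempfile.mkdtemp(prefix="eicar_")
    res = drop_and_check(target)
    print(verdict(res), res["path"])
    print("leftover:", leftover_files(target))
```

Run it on the lab client with Auto-Protect enabled and again with Auto-Protect disabled to see the verdict change; "blocked-on-write" versus "removed" tells you whether the engine intercepted the create or cleaned up afterwards.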
Testing tamper protection & SONAR system protection
SONAR is also used to prevent hosts-file changes. The sample provided on the Tamper Protection tab is a batch file that attempts to append URLs and IP addresses to the hosts file.
The second technology you will test is called Tamper Protection. When enabled, users and software are prevented from disabling or tampering with SEP files, services and processes. In this example we attempt to disable Auto-Protect (the antivirus real-time scanner) with a registry settings file (.REG).
Download the archive scripts.zip and decompress it on the desktop.
SONAR Host changer
1. Open cmd
2. Drag the host changer script into the cmd window
3. Press ENTER
4. Observe the result
SONAR Popup
The policy is configured to prompt. Select Block. The options available in the policy are Block, Prompt, Log and Ignore.
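To verify what the host changer actually did (and to catch the same technique outside the lab, where SONAR may be set to Log rather than Block), here is an added Python example that is not part of the lab materials: it parses a Windows hosts file and flags entries that sinkhole update or security domains to loopback, or redirect a hostname to some other address. The watchlist of domain suffixes and the sample hosts text are constructed for this example.

```python
"""Audit a Windows hosts file for entries a "host changer" script might have added.

Added example for this lab write-up, not part of the lab materials. It parses
hosts-file text, ignores comments and the default localhost lines, and flags
two patterns:
  * sinkholed: a hostname pointed at loopback or 0.0.0.0 (used by malware to
    cut off AV signature and OS updates); rated high when the name is on the
    watchlist, medium otherwise (could be ad-blocking);
  * redirected: a hostname pointed at any other address (phishing / MITM).
The watchlist and the sample file below are constructed for this example.
"""
import ipaddress
import sys

# Illustrative watchlist: update/security domains whose sinkholing is the
# classic "stop the AV from updating" move. Extend it for your environment.
WATCHED_SUFFIXES = (
    "symantec.com",
    "symantecliveupdate.com",
    "microsoft.com",
    "windowsupdate.com",
)

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: Windows defaults followed by four appended lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
::1             localhost
# --- appended by a host-changer script (constructed) ---
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         update.microsoft.com   # blocks Windows Update
0.0.0.0         ads.example.net
198.51.100.23   www.example-bank.com
"""


def parse_hosts(text):
    """Return (address, hostname, line_no) for every active mapping."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in fields[1:]:                  # one address may map several names
            entries.append((addr, name.lower(), line_no))
    return entries


def audit_hosts(text):
    """Return findings as dicts with line, hostname, address, kind and severity."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name in LOOPBACK_NAMES and addr.is_loopback:
            continue                             # the expected defaults
        if addr.is_loopback or addr.is_unspecified:
            kind = "sinkholed"
            severity = "high" if name.endswith(WATCHED_SUFFIXES) else "medium"
        else:
            kind = "redirected"
            severity = "high"
        findings.append({
            "line": line_no,
            "hostname": name,
            "address": str(addr),
            "kind": kind,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    # Pass the real file to audit it (C:\Windows\System32\drivers\etc\hosts);
    # with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']:>3}  {f['severity']:<6} {f['kind']:<10} "
              f"{f['hostname']} -> {f['address']}")
```

The suffix match is deliberately loose (any name ending in a watched suffix counts), which is the right bias for a sinkhole check: a false "high" costs an analyst a glance, while a missed update-blocking entry leaves the endpoint unable to pull new signatures.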
Tamper protection
Double-click Disable autoprotect.reg (a registry settings file). Access should be denied.
This concludes our lab. Feel free to explore the reporting and monitor view on the SEPM to look at the events you generated. Ask questions to the instructor if you need assistance.