Transcript
Page 1: UP L13 Leveraging the full protection of SEP 12.1 (vox.veritas.com/legacyfs/online/veritasdata/UP L13.pdf)

UP L13: Leveraging the full protection of SEP 12.1.x 1

UP L13: Leveraging the full protection of SEP 12.1.x Hands on lab

Description

In this hands on lab you will learn about the different protection technologies bundled in SEP 12.1.x and see how they complement each other.

A basic understanding of cyber-threats and attacks is recommended but not mandatory.

At the end of this lab, you should be able to

§ Configure protection technologies.

§ Understand which technology protects the endpoint against each of several threat vectors.

§ Locate and view logs for each protection technology.

§ Understand the key differentiators of SEP 12.x versus competing endpoint protection solutions.


Notes

§ A brief presentation will introduce this lab session and discuss key concepts.

§ The lab will be directed and provide you with step-by-step walkthroughs of key features.

§ Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.

§ Be sure to ask your instructor any questions you may have.

§ Thank you for coming to our lab session.

 

In this lab we will work with some sample threats and attacks to trigger the multiple engines included in SEP 12.1.x. The threats are stored on a web server on the virtual machine SEPSTRESS. There is no need to log in to or open this virtual machine; all tasks are carried out from the Windows 7 client.

A word on the setup: the Windows 7 VM has a SEP client and a SEP Manager (server) installed. To access the sample threats, open Internet Explorer with the shortcut provided on the desktop. The home page is initially set to the SEPSTRESS VM IP (192.168.64.66).

Policies have been customized to ensure that all technologies will be triggered. In a later exercise you will change the configuration to see the classic behavior and observe a different technology being used to detect and stop the same threat.


Triggering Antivirus signatures

Open Internet Explorer and click the AV link. Follow the on-screen instructions for the Trojan.Pidief.J and the Bloodhound detections.

Trojan.Pidief.J


This threat is delivered by a malicious SWF file. IPS has been disabled so that the antivirus engine, rather than IPS, is the technology that triggers. Once the detection has occurred, click the Back button in your browser to return to the AV page and proceed to the Bloodhound detection.

Bloodhound detection

Bloodhound detections are generic antivirus detections produced by the heuristic engine. One signature can apply to a whole family of threats with similar characteristics (only a few bytes change from version to version), so a new variant can be caught without a variant-specific signature.

Click Back in Internet Explorer to proceed to the next test.
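The family-signature idea above, as an added example that is not part of the lab and is not Symantec's Bloodhound engine: an exact hash signature covers exactly one sample, while a byte pattern with wildcards at the positions that vary between versions covers the whole family. The sample "binaries", the DROPPER marker, the C2 hosts and the pattern are all constructed for illustration.

```python
"""Exact-hash signature vs. heuristic family signature (added example, not
part of the SEP lab and not Symantec's Bloodhound implementation). The
sample "binaries" below are constructed byte strings, not real malware."""
import hashlib
import re
from typing import Dict, Optional

# Constructed family: the same dropper across three versions. Only the
# version byte, the C2 host and the one-byte key change between them.
HEADER = b"MZ\x90\x00" + b"\x00" * 12
FAMILY_V1 = HEADER + b"DROPPER\x01" + b"http://c2-one.test/get" + b"\x00KEY=\x41"
FAMILY_V2 = HEADER + b"DROPPER\x02" + b"http://c2-two.test/get" + b"\x00KEY=\x5a"
FAMILY_V3 = HEADER + b"DROPPER\x03" + b"http://c2-3.example/get" + b"\x00KEY=\x13"
# Constructed benign file that shares the header and also fetches over HTTP.
BENIGN = HEADER + b"UPDATER\x01" + b"http://updates.vendor.test/get" + b"\x00"

# 1. Exact signature: a hash cut from the one sample the analyst had.
EXACT_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(FAMILY_V1).hexdigest(): "Trojan.Dropper.v1",
}

def hash_scan(data: bytes) -> Optional[str]:
    """Matches only the byte-for-byte identical sample."""
    return EXACT_SIGNATURES.get(hashlib.sha256(data).hexdigest())

# 2. Family (heuristic) signature: fixed bytes the family always carries,
#    wildcards where versions differ. re.DOTALL lets '.' match any byte,
#    including 0x00 and 0x0a.
FAMILY_PATTERN = re.compile(
    rb"\AMZ\x90\x00"              # header every version starts with
    rb".{12}"                     # 12 bytes we do not care about
    rb"DROPPER."                  # marker plus one variable version byte
    rb"http://[a-z0-9.-]+/get"    # C2 URL; only the host varies
    rb"\x00KEY=.",                # one variable key byte
    re.DOTALL,
)

def heuristic_scan(data: bytes) -> Optional[str]:
    """One pattern, whole family: a new variant needs no new signature."""
    if FAMILY_PATTERN.match(data):
        return "Bloodhound-style generic: Trojan.Dropper family"
    return None

def scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run both engines side by side for one file."""
    return {"exact": hash_scan(data), "heuristic": heuristic_scan(data)}

if __name__ == "__main__":
    for name, blob in [("v1", FAMILY_V1), ("v2", FAMILY_V2),
                       ("v3", FAMILY_V3), ("benign", BENIGN)]:
        print(name, scan(blob))
```

Only v1 matches the hash signature; all three versions match the family pattern and the benign updater does not. The price of every wildcard is a wider net, which is why generic detections carry more false-positive risk than exact ones: loosen the `DROPPER.` marker to `.{8}` and the benign file would be convicted too.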

 

 


Download the virus collection

Download the virus collection (auto_infect.exe) to your desktop and run it. This file is a self-extracting package that generates sample viruses.

Run the virus collection

Right-click on auto_infect_demo and run it as administrator.


Cleanup successful?

Browse to C:\infection source and check whether any files are left in the folder. You should see that its contents have been cleaned up. Observe the Action field in the threat list of the Symantec Endpoint Protection Detection Results window.

When prompted in the cmd window, press any key to complete the package execution.


Insight (reputation) testing

From the SEPSTRESS site in Internet Explorer select the Insight tab.

Note: so that it does not interfere with the AV tests, the Insight feature has been disabled. You need to enable and configure Insight before proceeding with the tests.


Enable Download Insight from the SEPM console

1. Open the SEPM console with the shortcut on your desktop, using the credentials admin / Symc4now!

2. Click on Policies

3. Select Virus and Spyware Protection

4. On the right-hand side of the console, double-click on the first policy, called "balanced"

5. Within the policy window select Download Protection

6. Check the box to enable the feature: "Enable Download Insight to detect potential risks in downloaded files based on file reputation"

7. Click OK to save the changes


Check the policy version (serial number)

Every time you change a setting in a policy a new version is generated, yielding a new policy serial number. Click the Clients view in the SEPM, click the SEPSTRESS client group (folder) and observe the policy serial number at the top right of the console.

Note: if the date is still old, click the Refresh link to see the updated serial number.


Check the serial number on the client

1. Double-click on the Symantec shield in the system tray (beside the clock).

2. Click Help

3. Select Troubleshooting

4. Observe the policy serial number: it should match the one you observed in the SEPM.

5. If the policy does not match, click the Update button under Policy Profile.


Testing Insight

Try to download each of the test files and note the result. Insight needs to contact the Internet to get the reputation score of the file, so expect a slight delay between the download and the actual detection.

These samples are sorted by reputation score, from unknown to proven malware; take a moment to notice the wording in the alert window for each detection.

This test is run with the default level of sensitivity (5/10); some files might not trigger.


Observe the detection popups

In the system tray you should first see a quick sliding popup, followed by the full reputation report.


Reputation report

Explore the details of this file: prevalence, proven malicious, age.

Click Origin

Click Activity and look at the available options.

Note: if you allow a file, an exception is created that applies to other scans too; this may expose your system to unwanted threats. Whether users are offered this option can be configured by policy.


Increase Insight sensitivity

From the SEPM console edit the "balanced" Virus and Spyware Protection policy and raise the sensitivity of Download Protection from 5 to 6. Save the changes and check that the policy has been updated on the client, as previously explained.


Download the unproven file

When the policy was set to 5/10 this file was not detected. Raising it to 6/10 increases the sensitivity of the reputation engine. This is applicable when facing a malware outbreak, to ensure that new, unproven files are not being installed on your endpoints.

Raising the sensitivity also increases the risk of false positives.


Testing Network Threat Protection (IPS)

Click on the IPS tab on the SEPSTRESS website. This section uses Java exploits to attempt to download a malware kit. The HTML file is clean but the JavaScript isn't. The first detection triggers Browser Protection, which is a unique feature on the market. The other detections trigger the network detection engine at the packet level.

Before proceeding, you need to enable IPS, as it was disabled to prevent interference with the previously tested technologies. Open SEPM > Policies > Intrusion Prevention and check the Network and Browser protections.


Java downloader

Click on Sample 1 and observe the IPS reaction. This link attempts to modify the home page so that the user is forced to download malware when clicking the Home button or opening a new browser window/tab.

Detection

Once the detection has occurred, click the Home button.


SEP prevented the JavaScript from changing the home page

SEP is configured by default to replace the malicious home page with this page. Since there is no way to know which page was your home page, you can use either this default page or a page of your choice, configured from the SEPM console under the Virus and Spyware Protection policy.


Observe the log to see what happened

1. Open the SEP client and click View Logs.

2. Select Client Management > View Logs

3. Click on Security Log


Open the latest event

Note that this particular attack applies to Internet Explorer only. You can see that the engine that was triggered is Browser Protection. Since the malicious activity was caught at the browser level, there is no remote host IP in the event.


Testing Network IPS

The home page has been reset; enter the SEPSTRESS IP, http://192.168.64.66, to continue the exercise.

The first attack tries to download a file called bad.jar. In this exercise the file is linked directly on the site, without using the malicious JavaScript. The network IPS signature parses the jar file as it is being downloaded. Observe the result.

Testing another signature

Click the Back button in Internet Explorer and try the last sample on the IPS page. Observe the result.


View the logs

As previously explained, open the Security Log and observe the entries. You should see the last two detections, this time with a remote host IP address.


Further protection

Detecting and preventing network attacks is a critical task. Preventing further attacks from the same host is also possible: we will now configure the firewall so that the SEPSTRESS server is blocked after it is detected attacking the client.

Open the SEPM console and follow these steps:

1. Click on the Policies tab

2. Select Firewall

3. Open the firewall policy (double-click)

4. Select Protection and Stealth

5. Check the option to automatically block an attacker's IP address. Since we are only testing, change the blocking duration to 2 seconds.

6. Close the policy with the OK button to save the changes.

7. Ensure the policy has updated on the client, as previously explained.


Test the Active Response

Repeat the detections for samples 2 and 3 on the IPS page. You should see a new popup notifying you that active response has been enabled. During this period you will not be able to connect to the SEPSTRESS server.

Review the log

Open the client Security Log and observe the sequence of events: Detection > Autoblock enabled > Active response disabled


Testing SONAR (behavioral engine)

Click the SONAR tab on the SEPSTRESS site. This test consists of an executable which drops an EICAR test file on the system. SONAR monitors all executables in real time and convicts files that have a known bad reputation (Insight), that drop known malware, or that carry out actions which the artificial intelligence engine determines to be malicious.


The file triggers Insight

This test file is new and unproven, so Download Insight is triggered first. Click on Activity and choose to allow this file.


Remove the user exception

When you selected Allow in the Download Insight window, SEP automatically configured an exception. To remove it and proceed with the SONAR detection, follow these steps:

1. Click Change Settings

2. Exceptions > Configure Settings

3. Select dropEICAR.exe

4. Click Delete

Close all SEP windows.


Run Dropeicar

From the download location, right-click on Dropeicar.exe and run it as administrator. When prompted, press Enter to release EICAR onto the system. Wait a few seconds and you should see the EICAR and SONAR detections being displayed.

Detection result

You should see a log-only detection for SONAR. This is how we configured it for this exercise, to prevent Insight from blocking the file.


Testing Tamper Protection & SONAR system protection

SONAR is also used to prevent hosts file changes. The sample provided on the Tamper Protection tab is a batch file that attempts to append a URL and an IP address to the hosts file.

The second technology you will test is called Tamper Protection. When enabled, users and software are prevented from disabling or tampering with SEP files, services and processes. With this example we attempt to disable AV Auto-Protect with a registry settings file (.REG).

Download the archive scripts.zip and decompress it on the desktop.


SONAR host changer

1. Open cmd

2. Drag the host changer into the cmd window

3. Hit ENTER

4. Observe the result

SONAR Popup

The policy is configured to prompt. Select Block. The options available in the policy are: Block, Prompt, Log and Ignore.


Tamper Protection

Double-click on Disable autoprotect.reg (registry settings file). Access should be denied.

This concludes our lab. Feel free to explore the Reports and Monitors views in the SEPM to look at the events you generated. Ask the instructor if you need assistance.

