TECHNOLOGY BRIEF: SYMANTEC™ ENDPOINT PROTECTION 11.0

Symantec Endpoint Protection 11.0 Reviewer’s Guide




Contents

Introduction
Testing key features
Software setup
Endpoint manager features
Client manager features
Monitoring and logging
Conclusion


Introduction

This document will introduce you to some of the more important endpoint protection features of Symantec Endpoint Protection 11.0. Symantec Endpoint Protection better protects against a variety of new threats, going beyond traditional antivirus and antispyware prevention to stop rootkits, bots, zero-day attacks, and blended network-based intrusions.

Today, many security-minded companies struggle to protect endpoints from the latest threats using a series of different, single-purpose products. Symantec Endpoint Protection makes it possible for organizations of all sizes to get the most comprehensive set of protection technologies by integrating them in a single client, all managed by a single management console. Most of the integrated protection technologies are turnkey and require no set-up or configuration. Additional advanced settings are also provided for those who want to further lock down systems, reducing vulnerable areas.

While not covered in this guide, Symantec Network Access Control 11.0 is also integrated into the Symantec Endpoint Protection 11.0 client. This integration makes it easy to add NAC capability later (through an additional license purchase), without an additional client deployment.

This document supplements several others that are part of the Symantec Endpoint Protection product line, including:

• Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control
• User’s Guide
• Installation Guide

Testing key features

Before you test, here are some items to consider and to compare to competing products:

• How many clients (or agents) are required to provide equal endpoint protection coverage (AV, AS, FW, IPS, Device Control, NAC)?
• How extensive and granular are the advanced control features for firewall, application control, and device control?
• Can the product take a snapshot of the system to automatically determine authorized applications and processes and block others?
• How extensive are the IPS technologies (network layer, host layer, behavior-based, etc.)?
• How easily can the product adapt to different network locations as a PC moves around?
• How easy is it to manage and change protective policies, deploy clients, and manage logs with the product?
• How easy is the product to install and deploy across the enterprise?
• Does the management console provide a dashboard view of top-line health for all key endpoint protection technologies?
• How much of a memory footprint is consumed by the client?


Symantec has included many different protection technologies in the product; some examples are shown in the table below.

Symantec Endpoint Protection – Key Technologies

Host IPS – TruScan™ – Proactive Threat Scan technology
• Detects zero-day threats and threats not seen before.
• Behavior-based detection with uniquely low false positive rate.
• Technology is from the acquisition of Whole Security and does not require signatures.

Host IPS – Application Control
• Protects from zero-day attacks.
• System Lockdown is an easy way to set up Application Control.
• Whitelisting allows only approved applications to be run.
• Reduces the ability of unknown applications and malware to run.
• Technology is from the acquisition of Sygate.

Data Loss Prevention – Device Control
• Helps prevent unauthorized data transfer and data theft from USB drives etc.
• Controls which devices are allowed to connect.
• Technology is from the acquisition of Sygate.

Network IPS – Generic Exploit Blocking
• Protects from exploit attacks on application, operating system and browser software vulnerabilities.
• Generic vulnerability-based signatures detect all variants of exploits, providing protection before the exploit is on the system.
• GEB is one of three IPS technologies, and is extremely easy to set up and use.

Rules-based Firewall – Firewall
• Protects from zero-day attacks and the spread of worms and Trojans.
• Technology is from the acquisition of Sygate.

AV/AS – Antivirus and antispyware
• Leading detection of the toughest polymorphic threats and rootkit attacks.
• VxMS rootkit technology is from the acquisition of Veritas.

Software setup

First, set up your test network of at least one server and one client PC as follows:

Server Requirements: Windows Server 2003, SP 1 (or) Windows Server 2000, SP 4. Either needs IIS pre-installed.

Client Requirements: Windows XP (or) Windows Vista.

Note that you need to have IIS running before the install: by default Windows Server doesn’t install IIS, and Symantec Endpoint Protection uses IIS for its management and reporting functions. If you want to do remote administration of the Symantec Endpoint Protection Manager, you’ll need to install JRE 1.5 on the remote machine as well as connect to it via Internet Explorer (v6 or later) at port 9090 (unless you have set up another port).


There are two different ways that Symantec Endpoint Protection can be deployed: either as a managed or an unmanaged client. The unmanaged client does not require any server software and can be installed as a standalone software package directly from the installation CD. The managed client requires an executable “package” to be created by the server and then deployed accordingly.

To install the managed client, first install the Symantec Endpoint Protection Manager, then bring up its console and log in with your chosen administrator name and password. There are three different authentications for the Manager: the admin login to the console, the database login, and the shared secret for the client/server manager. You can choose the same word for all three if you wish; this allows for some additional flexibility if you have more than a single administrator.

Now go to Admin/Install packages/Export an install package and choose a shared directory on your server where you will save the package. (Or you can have Active Directory’s Group Policy Object push out the package as an alternative.) Pick defaults and all components for now, and choose the Global group and Computer mode for the export. This will create an install package that you can distribute to your clients on your test network.

You should see something similar to this screen:


Symantec Endpoint Protection Manager has four organizing principles for its operation. Each client is a member of a group, and each group can have one or more network locations, such as “home,” “office LAN,” or “VPN.” Groups can be divided into different administrative realms, called domains, to segregate departmental security admins. Finally, each client is subject to a series of protection policies that are applied for its particular group and location.

Now go to your Windows clients and run the executable file that you just created from the server’s shared directory. Once this is done, check under the Clients tab to see if these clients show up on your screen, which will indicate that your server manages them.

We next compare what information is available on the clients. Bring up the Symantec Endpoint Protection client, go to the Change settings tab and you’ll see something similar to the screen below:


Notice that the Network Threat Protection button isn’t active, indicating a managed client. These policy settings have to be configured from the Manager and pushed onto the client.

Note: Please run LiveUpdate on the client to receive the latest signatures before you begin your testing.

Endpoint Manager features

Let’s demonstrate some of the more advanced features of the product. We will show you screenshots from both the Manager and client sides so you can see what is going on.

1. Go to Policies/New AV policy/Proactive Threat Scan. Here you can change how the client responds to new threats that aren’t part of the antivirus and antispyware signature databases.

TruScan™ – Proactive Threat Scan is a unique form of HIPS technology that protects against unseen (zero-day) malware, for which no signature exists. It’s unique because it detects malicious code written by hackers, rather than simply alerting on bad behaviors. While this is much more difficult to do, it is correspondingly more valuable, because many “obviously” bad behaviors are also performed by valid applications, which is why typical behavior-based technology is too “noisy” and unusable for broad deployments. TruScan – Proactive Threat Scan provides a higher quality of detection (ratio of true to false alerts) about the nature of the process running on the system. Our consumer install base of 30M+ users measures only 40 false alarms for every one million users.

How it works: TruScan – Proactive Threat Scan measures bad behaviors plus many other characteristics to detect malicious processes. It looks beyond individual actions to target malicious processes. Examples of characteristics that are flagged include i) remote compromise via back door or bot, ii) data or identity theft, iii) asphyxiation through mass replication, iv) downloaders, etc.


If you have a keylogging program to test (such as one that is available from winsoul.com), you can download it to the client. You can also change the behavior on this screen from the defaults if you want more than just logging of the event when it is installed:

You can also change the Scan Frequency tab at the top of the screen to specify how often TruScan – Proactive Threat Scan should run on the clients.


Note that the defaults chosen will be picked up on the client side, so go to Change Settings/Proactive Threat Protection/Configure Settings on the client and you’ll see the screen below, which has the same layout and controls as the Manager side:


2. Next we examine the various personal firewall settings. Symantec Endpoint Protection includes a number of innovative features, including smart traffic rules, which avoid having to set up special firewall rules to handle common network configuration settings such as DHCP and DNS requests across the firewall. Also included are automatic settings that can be found under the Traffic and Stealth Settings tab to enable reverse DNS lookups and stealth-mode Web browsing, as shown in the screen below:

Also note that the rule set can be configured to adjust to the particular network, which is important for mobile users that move on and off VPNs, for example.

3. Next, we introduce the concept of client-side network intrusion prevention. Symantec has built this into its Symantec Endpoint Protection client so that malware including worms, bots, spyware, and other threats are stopped on the network before they hit your system. One generic vulnerability signature (Generic Exploit Blocking or GEB) can stop hundreds or thousands of threats and each of their variants. This proactively protects the underlying vulnerabilities in the applications, browser, and operating system on your systems.

A recent example of this is the malware W32.Randex.GRS. The worm spreads through network shares and by exploiting the following vulnerabilities:

• Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205)
• Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108)
• Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409)
• Microsoft Windows Plug and Play Buffer Overflow Vulnerability (BID 14513)
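To make the difference between an exploit-specific signature and a generic vulnerability-based one concrete, here is an added Python illustration; it is not Symantec's GEB engine, not one of its signatures, and not a real protocol. It assumes a toy request format whose receiving service copies a field into a fixed 32-byte buffer. The exploit-specific check knows one payload pattern; the generic check flags any request whose field is larger than the assumed buffer, so a second variant with different filler bytes is caught without writing a new signature. All messages, sizes and names are constructed for the example.

```python
"""Exploit-specific vs. generic vulnerability-based detection (added example).

Constructed toy protocol (an assumption): a request line is
    OP:<name>\n
and a hypothetical receiving service copies <name> into a fixed 32-byte buffer
with no length check. Nothing here is a real protocol, product signature or
exploit; the payloads are plain filler bytes.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

NAME_BUFFER_SIZE = 32  # assumed capacity of the hypothetical vulnerable buffer


@dataclass(frozen=True)
class Signature:
    name: str
    matches: Callable[[bytes], bool]


def parse_request(raw: bytes) -> Optional[bytes]:
    """Return the <name> field of an 'OP:<name>\\n' request, or None if malformed."""
    if not raw.startswith(b"OP:") or not raw.endswith(b"\n"):
        return None
    return raw[len(b"OP:"):-1]


# Exploit-specific signature: knows one particular payload pattern (constructed).
KNOWN_PATTERN = b"A" * 40


def matches_known_pattern(raw: bytes) -> bool:
    return KNOWN_PATTERN in raw


# Generic, vulnerability-based signature: flags any request whose field is
# larger than the buffer the vulnerable parser can hold, whatever the bytes are.
def exceeds_buffer(raw: bytes) -> bool:
    field = parse_request(raw)
    return field is not None and len(field) > NAME_BUFFER_SIZE


EXPLOIT_SPECIFIC = Signature("exploit-specific: filler pattern", matches_known_pattern)
GENERIC_VULN = Signature("generic: name field > buffer", exceeds_buffer)


def inspect(raw: bytes, signatures) -> list:
    """Return the names of all signatures that fire on one request."""
    return [s.name for s in signatures if s.matches(raw)]


# Constructed sample traffic: a benign request, the one variant the specific
# signature was written for, and a second variant with different filler bytes.
SAMPLES = {
    "benign": b"OP:list\n",
    "variant_a": b"OP:" + b"A" * 40 + b"\n",
    "variant_b": b"OP:" + b"B" * 40 + b"\n",
}


def detections(signatures=(EXPLOIT_SPECIFIC, GENERIC_VULN)) -> dict:
    """Run every signature over every sample; label -> list of firing signatures."""
    return {label: inspect(raw, signatures) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in detections().items():
        print(f"{label:10s} -> {hits or ['clean']}")
```

The benign request trips neither check, the first variant trips both, and the second variant trips only the generic check: the vulnerability-based rule covers every oversize field, which is the property the text attributes to GEB, while the pattern rule has to be rewritten for each new payload.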


Go to Policies/Intrusion Prevention/Edit the policy/Settings and you can see the various components of what makes up this policy, such as port scanners and denial of service attacks. You can also allow specific hosts or block specific IP addresses. To see a list of all the attacks that are covered in this module, go to the Exceptions page and click on Add, and you can alter your policy for these specific items.


To effectively test and validate your protection from Client Intrusion Prevention, set up the following test and environment.

1) Select a vulnerability that you would like to focus on exploiting, such as the MS RPC DCOM or LSASS vulnerability. (Sources: Bugtraq database http://www.securityfocus.com/brief/512)
2) Set up a target machine with the appropriate OS and Service Pack – for effective testing, the target system should be vulnerable to the specified application, browser, or operating system vulnerability.
3) Set up an attacking machine with an OS of your choice.
4) Use an attack tool to send the attack:
   a. Metasploit http://www.metasploit.com
   b. Core Impact http://www.coresecurity.com
   c. Immunity CANVAS http://www.immunitysec.com
5) Look for artifacts of a successful attack: service crashes, a new user added, and a new listening port.
6) Symantec Endpoint Protection with Intrusion Prevention will actively detect and block attacks before they reach the system.

Best Practices

• Testing must be performed with real-world exploits, malware, bots, worms, or websites with hosted malware against vulnerable machines.
• The client firewall should be disabled to allow the attack to go through.
• In the Intrusion Prevention Policy, disable “automatically block an attacker’s IP address”.
• Configure the target system with normal user settings (File Sharing turned on) and applications such as Acrobat, QuickTime, and Yahoo IM with the specific versions that you want to test with.

Test example using Metasploit – Remotely exploiting a vulnerability with no client interaction

Steps:

1) After installing and loading Metasploit on an attacking system, select “Exploit” from the menu (top-left corner). On the search page, enter “RPC DCOM”.
2) Choose “Microsoft RPC DCOM Interface Overflow” from the list.


3) Select the Operating System of the target or select “auto”.
4) Choose an option for the attack. For this example, we will exploit the vulnerability and get a shell back.
5) On the configuration screen, enter the IP address of the target system.
6) Click on “Launch Exploit”.
7) If you were successful with your exploit, you will have shell access to the system. You can type “dir” to get a directory list.
8) Repeat the same test with Symantec Endpoint Protection. Notice that Intrusion Prevention blocked the attack and the system was not compromised.

4. Next, let’s talk about Application blocking. This feature can be used to allow only particular applications to run on a machine, and reduce the exposure and risk from unknown programs that could be unintentionally installed on the machine. This is called System Lockdown. First, go to the command prompt on the client computer and run the following command:

    C:\Program Files\Symantec\Symantec Endpoint Protection\checksum test.txt C:\

Then copy this text file to a shared drive on the server. The fingerprint file collects the signatures of all the current applications installed on that particular client so that a user of that machine is protected from anything new such as Trojans or other exploits that try to install themselves on the machine.

On the Manager’s console, go to Policies/Policy Components/File Fingerprint and run the “add a new fingerprint” wizard, importing the text file you just created. Then enable System Lockdown under the Clients/Policies page.

You should see something similar to the screenshot below:


Test this policy by trying to run some new software (or to uninstall something) on the client; it should be blocked.
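Added example (not Symantec's checksum tool and not its fingerprint file format) showing in Python the allowlisting idea behind System Lockdown: snapshot the hashes of the executables on a client, store them as a fingerprint file, and then allow a file to run only if its hash is in that snapshot. SHA-256, the "digest  path" line format, the set of executable suffixes, and the sample files created in a temporary directory are all assumptions constructed for the example. It also shows the consequence the procedure above implies: a program that arrives after the snapshot, or an existing one whose bytes changed, is refused until the fingerprint is refreshed.

```python
"""Hash-based application allowlist in the spirit of System Lockdown (added example).

Not Symantec's tool or file format. Assumptions: SHA-256 as the fingerprint
hash, one 'hexdigest  relative/path' line per executable, and a fixed set of
executable suffixes. Sample 'applications' are constructed in a temporary
directory so the script runs offline.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}  # assumed scope of the snapshot


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_fingerprint(root: Path) -> dict:
    """Snapshot every executable under root: relative path -> SHA-256 hex digest."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            snapshot[p.relative_to(root).as_posix()] = file_digest(p)
    return snapshot


def write_fingerprint(snapshot: dict, out: Path) -> None:
    """Persist the snapshot as 'digest  path' lines (assumed format)."""
    out.write_text("".join(f"{d}  {p}\n" for p, d in snapshot.items()))


def load_fingerprint(src: Path) -> set:
    """Return the set of allowed digests; the path column is informational only."""
    allowed = set()
    for line in src.read_text().splitlines():
        if line.strip():
            digest, _, _ = line.partition("  ")
            allowed.add(digest)
    return allowed


def is_allowed(path: Path, allowed: set) -> bool:
    """Lockdown decision: a file may run only if its current hash was in the snapshot."""
    return file_digest(path) in allowed


def demo() -> dict:
    """Snapshot a constructed client, then test three files against the allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        client = Path(tmp) / "client"
        (client / "app").mkdir(parents=True)
        (client / "app" / "editor.exe").write_bytes(b"constructed editor binary")
        (client / "app" / "helper.dll").write_bytes(b"constructed helper library")
        (client / "notes.txt").write_bytes(b"not an executable, not fingerprinted")

        fingerprint_file = Path(tmp) / "test.txt"
        write_fingerprint(build_fingerprint(client), fingerprint_file)
        allowed = load_fingerprint(fingerprint_file)

        # A program arriving after the snapshot has no hash on the allowlist.
        newcomer = client / "app" / "dropper.exe"
        newcomer.write_bytes(b"constructed unknown program")
        # An existing program whose bytes changed no longer matches its old hash.
        (client / "app" / "helper.dll").write_bytes(b"constructed helper library, modified")

        return {
            "editor.exe": is_allowed(client / "app" / "editor.exe", allowed),
            "dropper.exe": is_allowed(newcomer, allowed),
            "helper.dll": is_allowed(client / "app" / "helper.dll", allowed),
            "snapshot_entries": len(allowed),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result}")
```

Two points the run makes visible: the fingerprint has exactly two entries because only files with executable suffixes are snapshotted, and a legitimate update to helper.dll is refused just as the unknown dropper.exe is, which is why a lockdown fingerprint has to be regenerated (or the changed file added as an exception) after every sanctioned software change.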

5. Device control policies. In addition to application and system lockdown features, there are also policies that can prohibit users from downloading files to removable devices, or from getting infected from USB key drives or CDs. We’ll show you how to do this, and also how you set up a new protection policy.

Let’s say you want to block access to the CD or DVD drive of your clients to prevent them from loading software or playing music or videos on their PCs. On the management console, go to Policies/Application and Device Control/Add a new app or device control/Device Control and click on the “add” button below the blocked devices. Highlight the CD/DVD entry and include it in the blocked list.

Click on the button to notify users at the bottom of the screen and type a simple message. Now confirm your choices with “OK” and you will be prompted to apply this policy to a group. Use the Global group and confirm this, and the policy will be updated. If you made a mistake, you can either edit this policy or withdraw the policy on the Policies screen.

Once this policy is applied to the group, your client’s PC should show the message that you specified, and the CD drive will no longer show up when you browse My Computer in Windows Explorer. If you go into the Symantec Endpoint Protection client, View Logs/Client Management/Security Logs, you can see a status message similar to the one shown below:


6. Location-specific policies. Symantec Endpoint Protection has the ability to automatically switch policies based on the network location of the clients, so a more stringent security policy could be applied to a home network, or when someone uses a VPN to connect back to the office. You can set certain conditions, such as an IP address or a directory server, that are checked to determine the appropriate location.

Go to Clients/Policies tab/Add Location and then follow the steps of the location wizard. You will be able to specify how to detect the new location based on the factors shown in the screen below:

Once the conditions are met, you can set specific policies for the various protection features. Here you can see how we have set up a location called “home network” that checks for a Juniper SSL VPN:
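Added example (not Symantec's location-awareness implementation) in Python of how ordered location conditions can be evaluated against a client's current network state to pick a policy set. The condition kinds, the NetworkState fields, the location definitions and the policy names are assumptions constructed for the example. The sample states include a case where the IP and DNS conditions hold but the directory server is unreachable, to show why requiring all of a location's conditions makes a relaxed office profile harder to obtain by accident.

```python
"""Location-aware policy selection (added example, not Symantec's implementation).

A client evaluates ordered location definitions against its current network
state and applies the policy set bound to the first location whose conditions
hold; if none match, a restrictive default applies. The condition kinds,
NetworkState fields, locations and policy names are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkState:
    """What the client can observe about its current network (assumed fields)."""
    client_ips: list
    dns_servers: list
    directory_server_reachable: bool = False  # e.g. the corporate directory server answered
    vpn_adapter_present: bool = False         # e.g. an SSL VPN adapter is up


@dataclass
class Condition:
    kind: str        # "ip_in" | "dns_server" | "directory_reachable" | "vpn_adapter"
    value: str = ""  # subnet or address for the first two kinds

    def holds(self, state: NetworkState) -> bool:
        if self.kind == "ip_in":
            net = ipaddress.ip_network(self.value)
            return any(ipaddress.ip_address(ip) in net for ip in state.client_ips)
        if self.kind == "dns_server":
            return self.value in state.dns_servers
        if self.kind == "directory_reachable":
            return state.directory_server_reachable
        if self.kind == "vpn_adapter":
            return state.vpn_adapter_present
        raise ValueError(f"unknown condition kind: {self.kind}")


@dataclass
class Location:
    name: str
    policy: str                  # policy set applied while at this location
    conditions: list = field(default_factory=list)
    require_all: bool = True     # all conditions must hold; otherwise any one suffices

    def matches(self, state: NetworkState) -> bool:
        results = [c.holds(state) for c in self.conditions]
        return all(results) if self.require_all else any(results)


# Ordered definitions; the first match wins. The default has no conditions and
# is kept outside the list so it can never shadow a real location.
LOCATIONS = [
    Location("office LAN", policy="office-relaxed", conditions=[
        Condition("ip_in", "10.0.0.0/8"),
        Condition("dns_server", "10.0.0.53"),
        Condition("directory_reachable"),
    ]),
    Location("home network", policy="vpn-stringent", conditions=[
        Condition("vpn_adapter"),
    ]),
]
DEFAULT_LOCATION = Location("unknown", policy="strict-default")


def select_location(state: NetworkState, locations=LOCATIONS) -> Location:
    for loc in locations:
        if loc.matches(state):
            return loc
    return DEFAULT_LOCATION


# Constructed sample network states.
SAMPLE_STATES = {
    "office": NetworkState(["10.1.2.3"], ["10.0.0.53"], directory_server_reachable=True),
    "home_vpn": NetworkState(["192.168.1.10"], ["192.168.1.1"], vpn_adapter_present=True),
    "hotspot": NetworkState(["172.20.5.9"], ["172.20.0.1"]),
    # Looks like the office by address and DNS, but the directory server cannot be reached.
    "office_lookalike": NetworkState(["10.9.9.9"], ["10.0.0.53"]),
}


def classify_samples() -> dict:
    """Map each sample state label to (location name, policy) for inspection."""
    return {label: (loc.name, loc.policy)
            for label, loc in ((k, select_location(s)) for k, s in SAMPLE_STATES.items())}


if __name__ == "__main__":
    for label, (name, policy) in classify_samples().items():
        print(f"{label:17s} -> {name} / {policy}")
```

The fallback location carries the most restrictive policy, so a client that fits no definition, or a network that satisfies only some of the office conditions, receives the strict default rather than the relaxed office profile; ordering the list from most specific to least specific keeps the relaxed profile from being chosen too early.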


Client Manager features

1. Managed client data can be found by going to Clients, then clicking on a particular client and Edit Properties. Here you’ll see a screen that shows you OS, processor and other hardware details, including whether or not a trusted computing module is found on the PC.

2. Integration with Active Directory. Symantec Endpoint Protection Manager can synchronize its users and resources with an Active Directory server, and automatically keep synchronized on a set schedule (set to every 24 hours by default). The synchronization extends to the organizational unit structure as well as to individual users. Enterprises that are using LDAP servers can import this information into Symantec Endpoint Protection Manager.

3. Let’s adjust the resource consumption. For the base state (no scans running) you can measure and compare the memory usage of Symantec Endpoint Protection 11.0 to previous releases of Symantec AntiVirus. Bring up the Windows Task Manager on the client PC, click on “Processes” and add up the processes that the Symantec software is using: ccapp.exe, rtvscan.exe, SescLU.exe, ccSvcJst.exe, and smc.exe.

Now keep the Task Manager up and start an active scan on the client and see how these figures change. You can also do some tuning here by going to Scan for Threats/Create New Scan/Full Scan/Next/Advanced/Tuning, setting options, and viewing the processes during the scan. This is where you can adjust the amount of resources that the Symantec Endpoint Protection client uses relative to other applications.


Monitoring and logging

The Symantec Endpoint Protection Manager console has several pages that summarize real-time threat data, produce reports, and log various events. While there are more details of these functions in the Administrator’s Guide, we’ll touch on a few highlights.

First, the home page of the management software shows summary statistics, an overall status indicator, summaries of the past 24 hours of detection events, and whether any clients have turned off critical components of the Symantec Endpoint Protection software or require restarts.

There are also numerous reports that can be produced on a scheduled or ad hoc basis. Finally, there are many different logs that are created and are available from the server console, and are also accessible from individual clients.

Conclusion

Symantec Endpoint Protection 11.0 combines Symantec AntiVirus with new advanced threat prevention technologies to protect against a variety of new threats, going beyond traditional antivirus and antispyware prevention to stop rootkits, bots, zero-day attacks, blended network-based intrusions, and data loss.

In conducting your review of Symantec Endpoint Protection we trust you have seen the value that we are delivering by integrating essential endpoint security technologies into a single client, managed by a single console – delivering what customers need for endpoint protection.


About Symantec

Symantec is the global leader in information security providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec’s Norton™ brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in 35 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 800 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
1 408 517 8000
1 800 721 3934
www.symantec.com

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft, Microsoft Windows, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2000 are registered trademarks of Microsoft Corporation in the United States and other countries. Other names may be trademarks of their respective owners.

10/07 13082547