technology brief: s technology brief ... › 2007 › 10 › 2007sepguide.pdfof symantec endpoint...
TRANSCRIPT
TE
CH
NO
LO
GY
BR
IEF
: EN
DP
OIN
T P
RO
TE
CT
ION
11
.0
Symantec Endpoint Protection 11.0 Reviewer’s Guide
TE
CH
NO
LO
GY
BR
IEF
: SY
ma
NT
EC
™ E
ND
PO
INT
PR
OT
EC
TIO
N 1
1.0
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Testing key features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Software setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Endpoint manager features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Client manager features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
monitoring and logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Technology Brief: Symantec™ Endpoint Protection
Symantec Endpoint Protection 11.0 Reviewer’s Guide
2
Introduction
This document will introduce you to some of the more important endpoint protection features
of Symantec Endpoint Protection 11.0. Symantec Endpoint Protection better protects against
a variety of new threats, going beyond traditional antivirus and antispyware prevention to stop
rootkits, bots, zero-day attacks, and blended network-based intrusions.
Today, many security-minded companies struggle to protect endpoints from the latest threats
using a series of different, single-purpose products. Symantec Endpoint Protection makes it
possible for organizations of all sizes to get the most comprehensive set of protection technologies
by integrating them in a single client, all managed by a single management console. most of the
integrated protection technologies are turnkey and require no set-up or configuration. additional
advanced settings are also provided for those who want to further lock down systems, reducing
vulnerable areas.
While not covered in this guide, Symantec Network access Control 11.0 is also integrated
into the Symantec Endpoint Protection 11.0 client. This integration makes it easy to add NaC
capability later (through an additional license purchase), without an additional client deployment.
This document supplements several others that are part of the Symantec Endpoint Protection
product line, including:
• administration Guide for Symantec Endpoint Protection and Symantec Network access Control
• User’s Guide
• Installation Guide
Testing key features
Before you test, here are some items to consider and to compare to competing products:
• How many clients (or agents) are required to provide equal endpoint protection coverage
(aV, aS, FW, IPS, Device Control, NaC)?
• How extensive and granular are the advanced control features for firewall, application control,
and device control?
• Can the product take a snapshot of the system to automatically determine authorized
applications and processes and block others?
• How extensive are the IPS technologies (network layer, host layer, behavior-based, etc)?
• How easily can the product adapt to different network locations as a PC moves around?
• How easy is the product to manage and change protective policies, deploy clients, and
manage logs?
• How easy is the product to install and deploy across the enterprise?
• Does the management console provide dashboard view of top-line health for all key endpoint
protection technologies?
• How much of a memory footprint is consumed by the client?
Symantec™ Endpoint Protection Reviewer’s Guide
3
Symantec has included many different protection technologies in the product,
and here are some examples shown in the table below:
Software setup
First, setup your test network of at least one server and one client PC as follows:
Note that you need to have IIS running before the install: by default Windows
Server doesn’t install IIS and Symantec Endpoint Protection uses IIS for its management
and reporting functions. If you want to do remote administration of the Symantec
Endpoint Protection manager, you’ll need to install JRE 1.5 on the remote machine as
well as connect it via Internet Explorer (v6 or later) at port 9090 (unless you have set
up another port).
Symantec Endpoint Protection – Key Technologies
Protection Technology
Host IPS
Host IPS
Data Loss Prevention
Network IPS
Rules-based Firewall
aV/aS
Feature Name
TruScan™ – Proactive Threat Scan technology
application Control
Device Control
Generic Exploit Blocking
Firewall
antivirus and antispyware
Description
• Detects zero-day threats and threats not seen before.• Behavior-based detection with uniquely low false positive rate.• Technology is from the acquisition of Whole Security and does not require signatures.
• Protects from zero-day attacks.• System Lockdown is an easy way to set-up application Control.• Whitelisting allows only approved applications to be run.• Reduces ability for unknown applications and malware to run.• Technology is from the acquisition of Sygate.
• Helps prevent unauthorized data transfer and data theft from USB drives etc.• Controls which devices are allowed to connect. • Technology is from the acquisition of Sygate.
• Protects from exploit attacks on application, operating system and browser software vulnerabilities. • Generic vulnerability based signatures detect all variants of exploits providing protection before the exploit is on the system. • GEB is one of three IPS technologies, and is extremely easy to set-up and use.
• Protects from zero-day attacks and the spread of worms and Trojans. • Technology is from the acquisition of Sygate.
• Leading detection of toughest polymorphic threats and rootkit attacks.• VxmS rootkit technology is from the acquisition of Veritas.
Server Requirements
Windows Server 2003, SP 1(or) Windows Server 2000, SP 4
Either needs IIS pre-installed
Client Requirements
Windows XP (or) Windows Vista
Symantec™ Endpoint Protection Reviewer’s Guide
There are two different ways that Symantec Endpoint Protection can be deployed:
either as a managed or unmanaged client. The unmanaged client does not require any
server software and can be installed as a standalone software package directly from
the installation CD. The managed client requires an executable “package” to be created
by the server and then deployed accordingly.
To install the managed client, first install the Symantec Endpoint Protection
manager, and then bring up its console and login with your chosen administrator name
and password. There are three different authentications for the manager: admin login
to the console, database login, and shared secret for client/server manager. You can
choose the same word for all three if you wish, this allows for some additional
flexibility if you have more than a single administrator.
Now go to Admin/Install packages/Export an install package and choose a shared
directory on your server where you will save the package. (Or you can have active
Directory’s Group Policy Object push out the package as an alternative.) Pick defaults
and all components for now, and choose the Global group and Computer mode for the
export. This will create an install package that you can distribute to your clients on
your test network.
You should see something similar to this screen:
4
Symantec™ Endpoint Protection Reviewer’s Guide
Symantec Endpoint Protection manager has four organizing principles for its
operation. Each client is a member of a group, and each group can have one or more
network location, such as “home,” “office LaN,” or “VPN.” Groups can be divided into
different administrative realms, called domains, to segregate departmental security
admins. Finally, each client is subject to a series of protection policies that are
applied for its particular group and location.
Now go to your Windows clients and run the executable file that you just created from
the server’s shared directory. Once this is done, check under Clients tab to see if these
clients show up on your screen, which will indicate that your server manages them.
We next compare what information is available on the clients. Bring up the
Symantec Endpoint Protection client, go to the Change settings tab and you’ll see
something similar to the screen below:
5
Symantec™ Endpoint Protection Reviewer’s Guide
Notice that the Network Threat Protection button isn’t active, indicating a managed
client. These policy settings have to be configured from the manager and pushed onto
the client.
Note: Please run LiveUpdate on the client to receive the latest signatures before
you begin your testing.
Endpoint Manager features
Let’s demonstrate some of the more advanced features of the product. We will
show you screenshots from both the manager and client sides so you can see what is
going on.
1. Go to Policies/New AV policy/Proactive Threat Scan. Here you can change how
the client responds to new threats that aren’t part of the antivirus and antispyware
signature databases.
TruScan™ – Proactive Threat Scan is a unique form of HIPS technology that
protects against unseen (zero-day) malware, ones for which no-signature exists.
It’s unique because it detects malicious code written by hackers, and not simply
alerting of bad behaviors. While this is much more difficult to do, it is correspondingly
more valuable. This is because many “obviously” bad behaviors are also performed
by valid applications, which is why typical behavior based technology is too “noisy”
and unusable for broad deployments. TruScan – Proactive Threat Scan provides a
higher quality of detection (ratio of true to false alerts)about the nature of the
process running on the system. Our consumer install base of 30m+ users measures
only 40 false alarms for every one million users.
How it works: TruScan – Proactive Threat Scan measures bad behaviors plus
many other characteristics to detect malicious processes. It looks beyond individual
actions to target malicious processes. Examples of characteristics that are flagged
include i) remote compromise via back door or bot, ii) data or identity theft,
iii) asphyxiation through mass replication, iv) downloaders, etc.
6
Symantec™ Endpoint Protection Reviewer’s Guide
If you have a keylogging program to test (such as one that is available from
winsoul.com), you can download it to the client. You can also change the behavior
on this screen from the defaults if you want more than just logging of the event
when it is installed:
You can also change the Scan Frequency tab at the top of the screen to specify
how often TruScan – Proactive Threat Scan should run on the clients.
7
Symantec™ Endpoint Protection Reviewer’s Guide
Note that the defaults chosen will be picked up on the client side, so go to
Change Settings/Proactive Threat Protection/Configure Settings on the client and
you’ll see the screen below that has the same layout and controls as the manager side:
8
Symantec™ Endpoint Protection Reviewer’s Guide
2. Next we examine the various personal firewall settings. Symantec Endpoint
Protection includes a number of innovative features, including smart traffic rules,
which avoid having to set up special firewall rules to handle common network
configuration settings such as DHCP and DNS requests across the firewall. also
included are automatic settings that can be found under the Traffic and Stealth
Settings tab to enable reverse DNS lookups and stealth-mode Web browsing, as
shown in the screen below:
also note that the rule set can be configured to adjust to the particular network,
which is important for mobile users that move on and off VPNs, for example.
3. Next, we introduce the concept of client-side network intrusion prevention.
Symantec has built this into its Symantec Endpoint Protection client so that
malware including worms, bots, spyware, and other threats are stopped on the
network before they hit your system. One generic vulnerability signature (Generic
Exploit Blocking or GEB), can stop hundreds or thousands of threats and each of
their variants. This proactively protects the underlying vulnerabilities in your
applications, Browser, and Operating System on your systems.
a recent example of this is below: malware W32.Randex.GRS. The worm spreads
through network shares and by exploiting the following vulnerabilities:
• microsoft Windows DCOm RPC Interface Buffer Overrun Vulnerability (BID 8205)
• microsoft Windows LSaSS Buffer Overrun Vulnerability (BID 10108)
• microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409)
• microsoft Windows Plug and Play Buffer Overflow Vulnerability (BID 14513)
Symantec™ Endpoint Protection Reviewer’s Guide
9
10
Go to Policies/Intrusion Prevention/Edit the policy/Settings and you can see the
various components of what makes up this policy such as port scanners and denial
of service attacks. You can also allow specific hosts or block specific IP addresses.
To see a list of all the attacks that are covered in this module, go to the Exceptions
page and click on Add and you can alter your policy for these specific items.
10
Symantec™ Endpoint Protection Reviewer’s Guide
To effectively test and validate your protection from the Client Intrusion prevention
setup the following test and environment.
1) Select a vulnerability that you would like to focus on exploiting such as mS RPC
DCOm, or LSaSS vulnerability. (Sources: Bugtraq database
http://www.securityfocus.com/brief/512)
2) Set up a target machine with the appropriate OS and Service Pack – For effective
testing, the target system should be vulnerable to the specified application,
Browser, or Operating System vulnerability.
3) Set up an attacking machine with an OS of your choice.
4) Use an attack tool to send the attack
a. metasploit http://www.metasploit.com
b. Core Impact http://www.coresecurity.com
c. Immunity CaNVaS http://www.immunitysec.com
5) Look for artifacts of a successful attack, service crashes, new user added, and
new listening port.
6) Symantec Endpoint Protection with Intrusion Prevention will actively detect and
block attacks before reaching the system.
Best Practices
• Testing must be performed with real-world exploits, malware, bots, worms, or
websites with malware hosted against vulnerable machines.
• The client firewall should be disabled to allow the attack to go through.
• In the Intrusion Prevention Policy, disable the “automatically block an attacker’s
IP address”.
• Configure target system with normal user settings (File Sharing turned on) and
applications such as acrobat, QuickTime, and Yahoo Im with the specific versions
that you want to test with.
Test example using metasploit – Remotely exploiting a vulnerability with no
client interaction
Steps:
1) after installing and loading metasploit on an attacking system, select “Exploit”
from the menu (top-left corner). On the search page, enter “RPC DCOm”.
2) Choose “microsoft RPC DCOm Interface Overflow” from the list.
11
Symantec™ Endpoint Protection Reviewer’s Guide
3) Select the Operating System of the target or select “auto”.
4) Choose an option for the attack. For this example, we will exploit the vulnerability
and get a shell back.
5) On the configuration screen, enter the IP address of the target system.
6) Click on “Launch Exploit”.
7) If you were successful with your exploit, you will have shell access to the system.
You can type “dir” to get a directory list.
8) Repeat the same test with Symantec Endpoint Protection. Notice that Intrusion
Prevention blocked the attack and it was not compromised.
4. Next, let’s talk about Application blocking. This feature can be used to allow only
particular applications to run on a machine, and reduce the exposure and risk to
unknown programs that could be unintentionally installed on the machine. This is
called System Lockdown. First, go to the command prompt on the client computer
and run the following command:
C:\Program Files\Symantec\Symantec Endpoint Protection\checksum test.txt C:\
Then copy this text file to a shared drive on the server. The fingerprint file collects the
signatures of all the current applications installed on that particular client so that
a user of that machine is protected from anything new such as Trojans or other
exploits that try to install themselves on the machine.
On the manager’s console, go to Policies/Policy Components/File Fingerprint and
run the “add a new fingerprint” wizard, importing the text file you just created.
Then enable System Lockdown under the Clients/Policies page.
You should see something similar to the screenshot below:
12
Symantec™ Endpoint Protection Reviewer’s Guide
Test this policy by trying to run some new software (or to uninstall something) on
the client, it should be blocked.
5. Device control policies. In addition to application and system lockdown features,
there are also policies that can prohibit users from downloading files to removable
devices, or from getting infected from USB key drives or CDs. We’ll show you how to
do this, and also how you setup a new protection policy.
Let’s say you want to block access to the CD or DVD drive of your clients to prevent
them from loading software or playing music or videos on their PCs. On the management
console, go to Policies/Application and Device Control/Add a new app or device control/
Device Control and click on the “add” button below the blocked devices. Highlight
the CD/DVD entry and include in the blocked list.
Click on the button to notify users at the bottom of the screen and type a simple
message. Now confirm your choices with “OK” and you will be prompted to apply this
policy to a group. Use the Global group and confirm this and then this policy will
be updated. If you made a mistake, you can either edit this policy or withdraw the
policy back on the Policies screen.
Once this policy is applied to the group, your client’s PC should show a message
that you specified, and the CD drive will no longer show up when you browse My Computer
on Windows Explorer. If you go into the Symantec Endpoint Protection client, View
Logs/Client Management/Security Logs, you can see a status message similar to
the one shown below:
13
Symantec™ Endpoint Protection Reviewer’s Guide
14
6. Location-specific policies. Symantec Endpoint Protection has the ability to
automatically switch policies based on the network location of the clients, so a more
stringent security policy could be applied to a home network, or when someone
uses a VPN to connect back to the office. You can set certain conditions such as IP
address or a directory server that is checked to determine the appropriate location.
Go to Clients/Policies tab/Add Location and then follow the steps of the location
wizard. You will be able to specify how to detect the new location based on the
factors shown in the screen below:
Once the conditions are met, you can set specific policies for the various protection
features. Here you can see how we have setup a location called “home network”
that checks for a Juniper SSL VPN:
Symantec™ Endpoint Protection Reviewer’s Guide
14
Client Manager features
1. Managed client data can be found by going to Clients, then clicking on a particular
client and Edit Properties. Here you’ll see a screen that shows you OS, processor
and other hardware details, including whether or not a trusted computing module
is found on the PC.
2. Integration with Active Directory. Symantec Endpoint Protection manager
can synchronize its users and resources with an active Directory server, and
automatically keep synchronized on a set schedule (set for every 24 hours by
default). The synchronization extends to the organizational unit structure as
well as for individual users. Enterprises that are using LDaP servers can import
this information into Symantec Endpoint Protection manager.
3. Let’s adjust the resource consumption. For the base state (no scans running)
you can measure and compare the memory usage of Symantec Endpoint Protection
11.0 to previous releases of Symantec antiVirus. Bring up the Windows Task
manager on the client PC and click on “processes” and add up the processes that
the Symantec software is using: ccapp.exe, rtvscan.exe, SescLU.exe, ccSvcJst.exe,
and smc.exe.
Now keep the Task manager up and start an active scan on the client and see how
these figures change. You can also do some tuning here by going to Scan for
Threats/Create New Scan/Full Scan/Next/Advanced/Tuning and set options and
view the processes during the scan. This is where you can adjust the amount of
resources that Symantec Endpoint Protection client uses relative to other applications.
15
Symantec™ Endpoint Protection Reviewer’s Guide
Monitoring and logging
The Symantec Endpoint Protection manager console has several pages that summarize
real-time threat data, produce reports, and log various events. While there are more
details of these functions in the administrator’s Guide, we’ll touch on a few highlights.
First, the home page of the management software shows summary statistics, an
overall status indicator, summaries of the past 24 hours of detection events, and
whether any clients have turned off critical components of the Symantec Endpoint
Protection software or require restarts.
There are also numerous reports that can be produced on a scheduled or ad hoc
basis as well. Finally, there are many different logs that are created and are available
from the server console, and are also accessible from individual clients.
Conclusion
Symantec Endpoint Protection 11.0 combines Symantec antiVirus with new advanced
threat prevention technologies to protect against a variety of new threats, going
beyond traditional antivirus and antispyware prevention to stop rootkits, bots,
zero-day attacks, blended network-based intrusions, and data loss.
In conducting your review of Symantec Endpoint Protection we trust you have
seen the value that we are delivering by integrating essential endpoint security technologies
into a single client, managed by a single console – delivering what customers need
for endpoint protection.
16
Symantec™ Endpoint Protection Reviewer’s Guide
17
About Symantec
Symantec is the global leader
in information security providing
a broad range of software,
appliances and services
designed to help individuals,
small and mid-sized businesses,
and large enterprises secure
and manage their IT infrastructure.
Symantec’s Norton™ brand
of products is the worldwide
leader in consumer security
and problem-solving solutions.
Headquartered in Cupertino,
California, Symantec has
operations in 35 countries.
more information is available
at www.symantec.com.
Symantec has worldwide
operations in 35 countries.
For specific country offices and
contact numbers please visit
our Web site. For product infor-
mation in the U.S., call toll-free
1 800 745 6054
Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, Ca 95014 USa
1 408 517 8000
1 800 721 3934
www.symantec.com
Copyright © 2007 Symantec Corporation. all rightsreserved. Symantec and the Symantec logo aretrademarks or registered trademarks of SymantecCorporation or its affiliates in the U.S. and othercountries. microsoft, microsoft Windows, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2000 are registered trademarks of microsoft Corporation in the United States and other countries. Other names may be trademarks of their respective owners.
10/07 13082547