up l13 leveraging the full protection of sep 12.1vox. l13.pdf...

Download UP L13 Leveraging the full protection of SEP 12.1vox. L13.pdf UP!L13:!Leveraging!the!full!protection!of!SEP!12.1.x!!

Post on 22-Jun-2020




0 download

Embed Size (px)



    UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     1    

    UP  L13:  Leveraging  the  full   protection  of  SEP  12.1.x   Hands  on  lab    


    In this hands on lab you will learn about the different protection technologies bundled in SEP 12.1.x and see how they complement each other.

    A basic understanding of cyber-threats and attack is recommended but not mandatory.

    At the end of this lab, you should be able to

    § Configure protection technologies.

    § Understand which technology protects the endpoint in regard of multiple threat vectors.

    § Locate and view logs for each protection technology.

    § Understand the key differentiations of SEP 12.x Vs competitive endpoint protection solution.

  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     2      

    Notes § A brief presentation will introduce this lab session and discuss key concepts.

    § The lab will be directed and provide you with step-by-step walkthroughs of key features.

    § Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.

    § Be sure to ask your instructor any questions you may have.

    § Thank you for coming to our lab session.


    In  this  lab  we  will  work  with  some  sample  threats  and  attacks  to  triggers  the  multiple  engines   included  in  SEP  12.1.x.  The  threats  are  stored  on  a  webserver  on  the  virtual  machine  SEPSTRESS.   There  is  no  need  to  login  or  open  this  virtual  machine,  all  tasks  are  carried  out  from  the  windows   7  Client.      

    A  word  on  the  Setup:     The  Windows  7  VM  has  a  SEP  client  and  a  SEP  Manager  (server)  installed.  To  access  the  sample   threat  open  Internet  explorer  with  the  shortcut  provided  on  the  desktop.  The  home  page  is   initially  set  to  the  SEPSTRESS  VM  IP  (  

    Policies  have  been  customized  to  ensure  that  all  technologies  would  be  triggered.  In  a  later   exercise  you  will  change  the  configuration  to  see  the  classic  behavior  and  observe  different   technology  being  used  to  detect  and  stop  the  same  threat.    




  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     3      



    Triggering  Antivirus  signatures  


    Open  Internet  explorer  and  click  the  AV  link.  Follow  the  on  screen  instructions  for  the   trojan.pidief.J  and  the  bloodhound  detection.    



  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     4      

    This  threat  is  downloaded  from  a  malicious  SWF  file,  the  IPS  has  been  disabled  in  order  to  get   the  AV  trigger.  Once  the  detection  happened  click  the  back  button  of  your  browser  to  get  back   to  the  AV  Page  and  proceed  to  the  bloodhound  detection.    

    Bloodhound  detection  


    Bloodhound  are  generic  antivirus  detection  using  our  heuristic  engine.  One  signature  can  apply   to  a  family  of  threats  with  similar  characteristics  (few  bytes  changes  from  version  to  version).    

    Click  Back  on  Internet  explorer  to  proceed  to  the  next  test.    



  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     5      


    Download  and  the  virus  collection  


    Download  the  virus  collection  (auto_infect.exe)  to  your  desktop  and  run  it.  This  file  is  a  self-­‐ extractable,  which  generates  sample  viruses.    

    Run  the  virus  collection  


    Right  click  on  the  auto_infect_demo  and  run  as  administrator.    



  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     6      


    Cleanup  successful?  


    Browse  to  C:\infection  source  and  look  if  there  are  any  files  left  in  the  folder.  You  should  see   that  the  content  of  the  folder  has  been  cleaned  up.  Observe  the  action  field  on  the  threat  list   on  the  Symantec  Endpoint  Protection  Detection  Results  windows.    

    When  prompted  on  the  cmd  windows  press  any  key  to  complete  the  package  execution.    


  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     7      


    Insight  (reputation)  testing  


    From  the  SEPStress  site  in  Internet  explorer  select  the  insight  tab.    


    Note:  in  order  not  to  interfere  with  the  AV  test  the  insight  feature  is  disabled.  You  need  to   enable  and  configure  Insight  before  proceeding  to  tests.    



  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     8      

    Enable  Insight  download  from  the  SEPM  console  



    1. Open  the  SEPM  console  with  the  shortcut  on  you  desktop  use  the  credentials  :  admin  /   Symc4now!  

    2. Click  on  Policies  

    3. Select  Virus  and  Spyware  Protection  

    4. On  the  right  hand  side  of  the  console  doubleclick  on  the  first  policy  called  "balanced"  

    5. Within  the  policy  window  select  Download  Protection  

    6. Check  the  box  to  enable  the  feature  :  "Enable  Download  Insight  to  detect  potential  risks  in   downloaded  files  based  on  file  reputation"  

    7. Click  OK  to  validate  the  changes  

  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     9      

    Check  the  policy  version  (serial  number)  


    Every  time  you  change  a  setting  in  a  policy  a  new  version  is  generated  yelding  a  new  policy   serial  number.  Click  the  Client  view  on  the  SEPM.  click  the  SEPSTRESS  client  folder  and  observe   the  policy  serial  number  on  the  console's  top  right.    

    Note:  If  the  date  is  still  old,  click  the  refresh  link  to  see  the  updated  serial  number.    


  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     10    


    Check  the  serial  number  on  the  client  



    1. Double  click  on  the  Symantec  shield  on  the  system  tray  (beside  the  clock).  

    2. Click  help  

    3. Select  troubleshooting  

    4. Observe  the  policy  serial  number:  it  should  match  the  one  you  observed  on  the  SEPM.  

    5. If  the  policy  does  not  match  click  update  button  under  policy  profile.  

  • UP  L13:  Leveraging  the  full  protection  of  SEP  12.1.x     11    


    Testing  insight  


    Try  to  download  each  of  the  test  files  and  note  the  result.  Insight  needs  to  contact  Internet  to   get  the  reputation  score  of  the  file,  expect  a  slight  delay  between  the  download  and  the  act