Post on 22-Jun-2020
UP L13: Leveraging the full protection of SEP 12.1.x 1
UP L13: Leveraging the full protection of SEP 12.1.x Hands-on lab
In this hands-on lab you will learn about the different protection technologies bundled in SEP 12.1.x and see how they complement each other.
A basic understanding of cyber threats and attacks is recommended but not mandatory.
At the end of this lab, you should be able to
§ Configure protection technologies.
§ Understand which technology protects the endpoint against multiple threat vectors.
§ Locate and view logs for each protection technology.
§ Understand the key differentiators of SEP 12.x vs. competing endpoint protection solutions.
Notes
§ A brief presentation will introduce this lab session and discuss key concepts.
§ The lab will be directed and provide you with step-by-step walkthroughs of key features.
§ Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
§ Be sure to ask your instructor any questions you may have.
§ Thank you for coming to our lab session.
In this lab we will work with some sample threats and attacks to trigger the multiple engines included in SEP 12.1.x. The threats are stored on a web server on the virtual machine SEPSTRESS. There is no need to log in to or open this virtual machine; all tasks are carried out from the Windows 7 client.
A word on the setup: The Windows 7 VM has a SEP client and a SEP Manager (server) installed. To access the sample threats, open Internet Explorer with the shortcut provided on the desktop. The home page is initially set to the SEPSTRESS VM IP (192.168.64.66).
Policies have been customized to ensure that all technologies will be triggered. In a later exercise you will change the configuration to see the classic behavior and observe a different technology being used to detect and stop the same threat.
Triggering Antivirus signatures
Open Internet Explorer and click the AV link. Follow the on-screen instructions for the trojan.pidief.J and the Bloodhound detection.
This threat is downloaded from a malicious SWF file; IPS has been disabled so that the AV engine is the one that triggers. Once the detection has occurred, click the Back button of your browser to return to the AV page and proceed to the Bloodhound detection.
Bloodhound detections are generic antivirus detections made by our heuristic engine. One signature can apply to a whole family of threats with similar characteristics (only a few bytes change from version to version).
Click Back in Internet Explorer to proceed to the next test.
Download and run the virus collection
Download the virus collection (auto_infect.exe) to your desktop and run it. This file is a self-extracting archive which generates sample viruses.
Run the virus collection
Right-click on auto_infect_demo and choose Run as administrator.
Browse to C:\infection source and check whether any files are left in the folder. You should see that the content of the folder has been cleaned up. Observe the Action field in the threat list of the Symantec Endpoint Protection Detection Results window.
When prompted in the cmd window, press any key to complete the package execution.
Insight (reputation) testing
From the SEPSTRESS site in Internet Explorer, select the Insight tab.
Note: so as not to interfere with the AV test, the Insight feature is disabled. You need to enable and configure Insight before proceeding with the tests.
Enable Download Insight from the SEPM console
1. Open the SEPM console with the shortcut on your desktop and log in with the credentials: admin / Symc4now!
2. Click on Policies
3. Select Virus and Spyware Protection
4. On the right-hand side of the console, double-click on the first policy, called "balanced"
5. Within the policy window, select Download Protection
6. Check the box to enable the feature: "Enable Download Insight to detect potential risks in downloaded files based on file reputation"
7. Click OK to validate the changes
Check the policy version (serial number)
Every time you change a setting in a policy, a new version is generated, yielding a new policy serial number. Click the Clients view in the SEPM, click the SEPSTRESS client folder, and observe the policy serial number at the top right of the console.
Note: If the date is still old, click the Refresh link to see the updated serial number.
Check the serial number on the client
1. Double-click on the Symantec shield in the system tray (beside the clock).
2. Click Help
3. Select Troubleshooting
4. Observe the policy serial number: it should match the one you observed on the SEPM.
5. If the serial numbers do not match, click the Update button under Policy Profile.
Try to download each of the test files and note the result. Insight needs to contact the Internet to obtain the reputation score of the file, so expect a slight delay between the download and the act