Latest update 17/12/2015

Transcription

1 TECHNICAL DOCUMENT Reference Nr. Written by /CI/2 Costas Ioannou Latest update 17/12/2015 F-SECURE CONFIGURATION BEST PRACTICE AGAINST ZERO-HOUR MALWARE F-SECURE CLIENT SECURITY (CS) F-SECURE SERVER SECURITY (SS) F-SECURE AND SERVER SECURITY (ESS) The following document is a best-practice configuration for making sure that you get the maximum protection level from F-Secure solution against ransomware and zerohour malware to maximum. Many settings are proposed to be locked. This means that end-user at the user interface cannot change the setting and thus disable a protection setting. F-secure Policy Manager Console can work in Antivirus Mode and in Advanced Mode. Some of the settings can be configured only in Advanced Mode. We indicate which settings are configured in Antivirus mode and which can only be configured in Advanced Mode. Under each configuration setting (or set of settings) you will find a brief explanation of what this setting accomplishes. TABLE OF CONTENTS Best Practice for F-secure Client Security and F-secure Server Security... 3 Policy Manager Console Antivirus Mode... 3 Policy Manager Console - Advanced Mode... 5 Best Practice for F-secure and Server Security traffic on Exchange... 7 Administrator s web User Interface... 7 Policy Manager Console Advanced Mode... 8

2 2 Disclaimer The information contained in this document is meant to help the reader in the combat against specific malware. Although utmost care has been taken for the correctness of the information, Inter Engineering does not accept any responsibility for the use, misuse or inability to use the information in this document. Due to the nature of the subject the information provided in this document is or will become incomplete over time. It is the sole responsibility of the reader to judge whether or not to use the information herein and to accept the consequences. If you disagree with this then you should not use this document. The aim of this document This document aims to provide the reader a configuration guide on how F- Secure Anti Malware software can contribute to protection of an organization against zero-hour malware.

3 3 BEST PRACTICE FOR F-SECURE CLIENT SECURITY AND F-SECURE SERVER SECURITY Policy Manager Console Antivirus Mode Automatic Updates Automatic Updates > Enabled Automatic Updates = Checked & Locked - end-user cannot disable automatic updates. Status > Automatic Updates > Virus Definition Version (column) - Check that latest updates are installed on all hosts Real Time protection Real-Time Scanning > Real Time scanning = Checked & Locked - end-user cannot disable real-time scanning Real-Time Scanning > Custom Action on infection = Quarantine Automatically (Locked) - end-user does not leave infected code in the hard drive by mistake Zero-hour protection Real-Time Scanning > Enable DeepGuard = Enabled and Locked - zero-hour malware detection cannot be disabled by end user. Mandatory for ransomware protection. Real-Time Scanning > Action on System Modification attempt = Automatic: Do not ask Real-Time Scanning > Use server Queries to improve accuracy = Enabled and Locked - additional method for zero-hour detection by cloud-looukups. Mandatory for ransomware protection. Real-Time Scanning > Use Advanced process monitoring = and locked - additional method for zero-hour detection. Mandatory for ransomware protection. Scanning on Desktop scanning on desktop is highly recommended especially if you don't have a gateway solution or F-secure on Microsoft-Exchange (ESS). Supports IMAP, POP3, SMTP scanning. Scanning > Enable Incoming Scanning = and locked - scanning cannot be disabled by user Scanning > Action on incoming infected attachments = Disinfect Attachment (Locked) - Attempt to disinfect infected attachment. Setting cannot be changed by enduser Scanning > Action on malformed message parts = Remove Message Part (Locked) - Malformed parts cannot be scanned. Setting cannot be changed by end-user

4 4 Scanning > Scan inside compressed attachments = Enabled and Locked - Scan inside archives (zip, rar, etc.). Setting cannot be changed by the enduser Web Traffic Scanning Web Traffic scanning on desktop is highly recommended especially if you don't have a gateway/proxy solution protecting web-traffic. Web Scanning > HTTP Scanning Enabled = Only Included Content Types (Locked) - Web traffic scanning cannot be disabled by end-user. Web Scanning > Action on infection = Block (Locked) - User cannot bypass an infected item and download it. Browsing Protection > Browsing Protection Enabled = Checked and Locked - Browsing protection protects browser from vulnerability exploits and blocks access to malicious URLs. Setting cannot be disabled by the end-user. Browsing Protection > Allow users to continue to blocked pages = Disabled and Locked - End-user cannot bypass the blocking of a malicious page. Desktop Firewall Firewall Security Levels > Enabled network quarantine = and locked - Network quarantine will block host s access to the network if virus definitions are old or RTS is disabled. Firewall Security Levels > Active network quarantine on host if real-time scanning is disabled = and locked - do not allow network access to endpoint if real-time scanning is disabled (except for updating). Application Control > Do not prompt for applications that DeepGuard has identified = and locked Application Control > Do not prompt for Applications that identified using Real-time protection network = and clear Application Control > Do not prompt for applications identified by scan engines = and clear - Application Control does not allow unknown applications to connect to the network. Web traffic scanning Advanced Protection Web Traffic Scanning > Advanced Protection - These settings can help you block java, flash, pdf, Silverlight, active-x, etc. content from web-sites. You can implement an aggressive policy where you block the active content from pages by default, and whitelis t only the websites you need in order to work. Note that this approach demands more administration than normal, because you need to whitelist sites that your users are visiting.

5 5 Policy Manager Console - Advanced Mode F-secure Antivirus > Plug-ins > confirm that All plugins (Antimalware engines) are Real-time scanning Scanning > Inclusions and Exclusions > Add Extensions Defined in Database = en a- bled + locked - F-secure may include new extensions in database as new threats may rise. Exclusions Scanning > Inclusions and Exclusions > Excluded Objects Enabled = Disabled (locked) Scanning > Inclusions and Exclusions > Excluded Objects >Disallow User Changes = Scanning > Inclusions and Exclusions > Excluded Processes Enabled = Disabled (locked) Scanning > Inclusions and Exclusions > Excluded Processes = empty (locked) -if you choose and need to enable exclusions the it s better to define exclusions (objects, processes, paths) into PMC and keep these locked so the enduser may not add exclusions at the local UI. Scanning on desktop level F-Secure Antivirus > Settings for Scanning > Scanning Options > Incoming Scanning > Action on Disinfection Failure = Remove attachment (Locked) - if disinfection of attachment fails, then remove the complete attachment. F-Secure Antivirus > Settings for Scanning > Scanning Options > Common > Inclusions and Exclusions > Included Extensions > Check included extensions that have the default extensions to scan. - Default extensions are: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ POT MSO PIF. ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI BAT CMD DOC DOT JOB LSP MHT PHP PPT SWF WMA WMV WMF WRI XLS XLT CLASS DOCX DOCM DOTX DOTM DOCB XLSX XLSM XLTX XLTM XLSB XLAM PPTX PPTM POTX POTM PPAM PPSX PPSM SLDX SLDM PUB F-Secure Antivirus > Settings for Scanning > Scanning Options > Common > Inclusions and Exclusions > Included Extensions for Compressed Files > check that they are the default - Default extensions are: ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX

6 6 F-Secure Antivirus > Settings for Scanning > Scanning Options > Common > Inclusions and Exclusions > Add Extensions Defined in Database Updates = Enabled (locked) - F-secure may automatically add extensions for scanning based on new threats rise. F-Secure Antivirus > Settings for Scanning > Scanning Options > Common > Inclusions and Exclusions > Excluded Extensions > Check for any 'dangerous' excluded extensions (see list of included extensions above) Automatic Updates F-Secure Automatic Update Agent > Settings > Communications > Ask Before Download = no (Locked) - prevent end-user from stopping downloads Zero-hour Detection F-Secure DeepGuard > Settings > Exploit protection = (locked) - protects browser from exploit attempts F-Secure DeepGuard > Settings > Applications > Check for any 'suspicious'/'unknown' application that is allowed by DeepGuard to run F-Secure Real-Time Protection Network Client > Participate in the Real-Time Protection Network = yes (Locked) F-Secure Real-Time Protection Network Client > Client is = Yes (Locked) F-Secure Real-Time Protection Network Client > Excluded Domains (Check for any 'suspicious' domain) - Real-Time Protection Network is F-secure s Cloud is one of Deep Guard s methods for detecting zero-hour malware. F-Secure Network Filter > Excluded Applications > check for any application that is not necessary to be included here.

7 7 BEST PRACTICE FOR F-SECURE AND SERVER SECURITY Administrator s web User Interface TRAFFIC ON EXCHANGE Attachment Stripping Transport Protection > Inbound Mail > Attachments > Strip attachments from Inbound messages = Transport Protection > Inbound Mail > Attachments > Strip these attachments = Disallowed Files Transport Protection > Inbound Mail > Attachments > Action on disallowed attachments = Drop Attachment Transport Protection > Inbound Mail > Attachments > Disallowed Files = *.bat,*.cmd,*.com,*.exe,*.hta,*.js,*.jse,*.pif,*.scr,*.shs,*.vbe,*.vbs,*.{* Transport Protection > Inbound Mail > Attachments > Quarantine stripped attachments = e n- abled - strip incoming dangerous attachments (executables and scripts) Incoming Virus protection Transport Protection > Inbound Mail > Viruses > Scan inbound messages for viruses = Transport Protection > Inbound Mail > Viruses > Heuristic scanning = Transport Protection > Inbound Mail > Viruses > Action on infected messages = drop attac h- ment Transport Protection > Inbound Mail > Viruses > Quarantine infected messages = Transport Protection > Inbound Mail > Grayware > Scan inbound e- mail messages for grayware = Transport Protection > Inbound Mail > Grayware > Action on Grayware = Drop attachment Transport Protection > Inbound Mail > Grayware > Quarantine dropped grayware = Transport Protection > Inbound Mail > Archives > Scan archives = Transport Protection > Inbound Mail > Archives > List of files to scan inside archives = unsafe files Transport Protection > Inbound Mail > Archives > Unsafe files = *.ACM, *.APP, *.ARJ, *.ASD, *.ASP, *.AX, *.BAT, *.BIN, *.BOO, *.BZ2, *.CAB, *.CHM, *.CMD, *.CNV, *.COM, *.CPL, *.CSC, *.DLL, *.DO?, *.DRV, *.EML, *.EXE, *.GZ, *.HLP, *.HTA, *.HTM, *.HTML, *.HTT, *.INF, *.INI, *.JS, *.JSE, *.LHA, *.LNK, *.LZH, *.MDB, *.MP?, *.MSG, *.MSO, *.OBD, *.OBT, *.OCX, *.OV?, *.P?T, *.PCI, *.PDF, *.PGM, *.PIF, *.PP?, *.PRC, *.PWZ, *.RAR, *.RTF, *.SCR, *.SHB, *.SHS, *.SYS, *.TAR, *.TD0, *.TGZ, *.TLB, *.TSP, *.TT6, *.VBE, *.VBS, *.VSD, *.VWP, *.VXD, *.WB?, *.WIZ, *.WML, *.WPC, *.WS?, *.XL?, *.XML, *.ZIP, *.ZL?, *.{*, Treatment of Archives files (zip, rar, etc.) Transport Protection > Inbound Mail > Archives > Excluded these files = <blank> Transport Protection > Inbound Mail > Archives > Limit max levels of nested archives to 3 / Transport Protection > Inbound Mail > Archives > Detect disallowed files inside archives = disallowed files / - enable this setting with caution as it can be resource intensive. On the other hand it will strip archives (zip, rar, etc.) which contain disallowed (executables and scripts). Transport Protection > Inbound Mail > Archives > Action on archive with disallowed files = drop archive Transport Protection > Inbound Mail > Archives > Action on max nested archives = drop archive Transport Protection > Inbound Mail > Archives > Action on password protected archives = drop archive

8 8 - beware that this setting will block password protected archives (zip, rar, etc.) Transport Protection > Inbound Mail > Archives > Quarantine dropped archives = Miscellaneous Options Transport Protection > Inbound Mail > Other > Intelligent File type recognition = - intelligent file type recognition recognizes file types based on their content and not on their filename extension. Transport Protection > Inbound Mail > Other > Limit max levels of nested message to 3 / e n- abled Transport Protection > Inbound Mail > Other > Actions on mails with exceeding nesting levels = drop the whole message Transport Protection > Inbound Mail > Other > Actions on malformed mails = drop the whole message Transport Protection > Inbound Mail > Other > Quarantine problematic messages = Storage Protection Real-time scanning Storage Protection > Real-time scanning > Viruses > Scan mailboxes = scan all mailboxes Storage Protection > Real-time scanning > Viruses > Scan public folders = scan all public folders Storage Protection > Real-time scanning > Viruses > Scan these attachments = unsafe files Storage Protection > Real-time scanning > Viruses > Exclude these attachments = <blank> Storage Protection > Real-time scanning > Viruses > Actions > Try to disinfect = disabled Storage Protection > Real- time scanning > Viruses > Actions > Quarantine infected attachments = Policy Manager Console Advanced Mode F-Secure Content Scanner Server > Settings > Virus Scanning > Scan Engines > All engines F-Secure Content Scanner Server > Settings > Virus Scanning > Action if Engine Malfunctions = Return Scan Error F- Secure Content Scanner Server > Settings > Virus Scanning > Scan Inside Archives = Enabled F- Secure Content Scanner Server > Settings > Virus Scanning > Suspect Max Nested A r- chives = Treat as Unsafe F-Secure Content Scanner server > Settings > Virus Scanning > Suspect Password Protected Archives = Treat As Unsafe F- Secure Content Scanner server > Settings > Virus Scanning > Scan extensions inside a r- chives > check that they are the default extensions - default extensions: ACM APP ARJ ASD ASP AX BAT BIN BOO BZ2 CAB CHM CMD CNV COM CPL CSC DLL DO? DRV EML EXE GZ HLP HTA HTM HTML HTT INF INI JS JSE LHA LNK LZH MDB MP? MSG MSO OBD OBT OCX OV? P?T PCI PDF PGM PIF PP? PRC PWZ RAR RTF SCR SHB SHS SYS TAR TD0 TGZ TLB TSP TT6 VBE VBS VSD VWP VXD WB? WIZ WML WPC WS? XL? XML ZIP ZL? {* F- Secure Content Scanner server > Settings > Virus Scanning > Extensions Allowed in Pas s- word Protected Archives = <empty>