Symantec Endpoint Protection Analyzer Report

Transcription

1 Symantec Endpoint Protection Analyzer Report For Symantec Customer

2 Table of Contents Statement of Confidentiality Introduction Environmental Analysis Overview Findings Overview Client/Server Distribution Client Versions Protection Overview Antivirus and Antispyware Firewall IPS SONAR Download Insight Threat Detection Summary Infected Clients Top Infections Infections by Client Detections by Scan Type Top Actions Taken Detailed Findings SEP Manager is not running latest version SEP Manager is a vulnerable version Windows 2000 SEP Clients detected LiveUpdate Frequency SEPM Content Revisions are not Best Practice Client IPS installation below 90%

3 Statement of Confidentiality Symantec provides this report on an "as-is" basis, as a courtesy to a Symantec Customer. The deployment metrics provided within this report (e.g. client count, versions, etc.) are generally deemed to be directionally accurate but are non-official and should not be used for license audit purposes. Please engage the Symantec Global License Compliance team if a precise measurement of these items is desired. 3

4 1. Introduction Thank you for participating in the Symantec Endpoint Protection (SEP) Analyzer process. We have analyzed key metrics from the Symantec Customer SEP environment and the results are provided within this report. This report includes a high level summary of each category examined by SEP Analyzer, and reviews each topic, providing charts for each key metric along with details of how to interpret the data. The full set of data used to complete this analysis can be provided upon request. 4

5 2. Environmental Analysis Overview Collection Date :57: Collection Server SEPM SQL Server Address localhost Database Type Adaptive Server Anywhere Number of SEP Clients 523 Clients Number of threat detections (last 30 days) 343 Threats 2.1 Findings Overview Issue Are vulnerable SEP or SEPM Versions installed? Is SEPM running the latest version? Are there Windows 2000 clients in the environment? Is LiveUpdate Configured to update Multiple times per day? Is the SEPM Manager storing recommended content levels? Are Database Backups enabled in the environment? Are Database Maintenance tasks enabled and scheduled? Are there more than 10% of clients with out-ofdate AV Definitions? Is Intrusion Prevention System (IPS) deployed and running in the Environment? Are there infected clients which require attention? Result Review Review OK OK Review OK OK OK Review OK For detailed information on the findings, please review Section 4. 5

6 2.2 Client/Server Distribution Site Server Clients A SEP Site SEPM 523 6

7 2.3 Client Versions Version Clients

8 3. Protection Overview 3.1 Antivirus and Antispyware Antivirus and Antispyware is a fundamental component of SEP responsible for scanning and monitoring the file system for malicious files. All clients in your environment should be running Antivirus. The following graph outlines how Antivirus is currently deployed in your environment: Value Amount Installed 509 Disabled 1 Not Installed 12 Unknown 1 8

9 3.2 Firewall The SEP Firewall is a protection layer which monitors network traffic, and compares it to rules which to allow or block users from accessing the network. Only authorized traffic can pass. This is a highly powerful and customizable component of SEP. While Symantec recommends running this component on all possible systems, it should be noted that High availability servers such as mail servers, domain controllers, etc. should not have the firewall component installed. The following chart outlines how the firewall is deployed: Value Amount Installed 389 Disabled 2 Not Installed 131 Unknown 1 9

10 3.3 IPS The Intrusion Prevent System (IPS) significantly increases the level of protection that Symantec Endpoint Protection provides by checking for port scans and denial-of-service attacks, and protects against buffer overflow attacks. This engine also supports the automatic blocking of malicious traffic from infected computers. You should always have IPS enabled on your network. The following chart outlines how IPS is deployed in your environment: Value Amount Installed 376 Disabled 2 Not Installed 144 Unknown 1 10

11 3.4 SONAR Symantec Online Network for Advanced Response (SONAR) provides real-time protection against threats and proactively detects computer security risks. By examining programs as they run, SONAR identifies emerging threats based on application behavior, giving it the capability to locate new and previously unknown threats. Value Amount Installed 386 Disabled 37 Not Installed 98 Unknown 2 11

12 3.5 Download Insight Advanced Download Protection (Download Insight) is a new advanced protection feature included with the SEP 12.1 client. This feature allows the SEP client to leverage Symantec's Cloud-based reputation database when files are downloaded or executed directly from popular Web browsers. Value Amount Installed 473 Disabled 2 Not Installed 47 Unknown 1 12

13 4. Threat Detection Summary This section covers information related to the SEP client security detections. Each SEP client uploads inventory and security status information to the SEPM. If a client stops communicating with the SEPM, the SEPM will still report on the client for a configured period of time before the client is deleted: the default setting is 30 days. 13

14 4.1 Infected Clients SEP clients may report as being infected, when the remediation process was either unsuccessful, or there are still actions pending. Once client reports as being infected, the status will automatically clear if no further action is required. Analysis of reported infected clients should be a regular administrative process. No Clients were reporting an Infected Status 14

15 4.2 Top Infections An examination of the top infecting threats in the environment can provide insight on the overall health and security posture of the environment. The following chart outlines the top 5 infections detected in the environment in the past 30 days: Threat Name Count Tracking Cookies 113 Adware.GoonSquad 92 WS.Reputation.1 27 Adware.DealPly 19 Yontoo 17 15

16 4.3 Infections by Client This section outlines the number of file detections per client during the past 30 days. It is recommended to review the infected clients to determine if vulnerabilities exist on the system, or if user education is needed. The following chart outlines clients by detection count: Computer Name Infections STEVELAPTOP3 92 BOBSMITH1 19 XCHNG WALSH44 11 KISOK

17 4.4 Detections by Scan Type The following chart outlines the top 5 scan type which caused detections: Source Count Scheduled Scan 256 Real Time Scan 75 Manual Scan 12 17

18 4.5 Top Actions Taken The following chart outlines the top 5 actions taken against detected threats: Action Count Quarantined 159 Deleted 119 Cleaned by deletion 34 Left alone 20 Partially repaired 4 18

19 5. Detailed Findings 4.1 SEP Manager is not running latest version Finding: The SEPM in the environment is not running the latest version of Symantec Endpoint Protection Manager. Potential Impacts: SEP 12.1 RU 3( ) is the latest version of the software which includes the latest product fixes. Recommendation: Review release notes for Symantec Endpoint Protection 12.1 to determine if an upgrade would benefit the environment. See the following documentation: Detail Finding(s): Attribute Value SEPM Version SEP Manager is a vulnerable version Finding: The SEPM in the environment is susceptible to SYM Symantec Endpoint Protection Manager/Protection Center 12.x Buffer Overflow. Potential Impacts: A dynamic link library (dll) in the Symantec Endpoint Protection Manager (SEPM) 12.1.x server and Symantec Protection Center (SPC) 12.0.x Small Business Edition server does not properly validate all external input. This could potentially result in a buffer overflow and remote code execution with application privileges on the system that is hosting the management server. Recommendation: Upgrade your SEP Manager to 12.1 RU3 to ensure that this vulnerability is closed in the environment. For full information on this vulnerability, see the following article: advisory&pvid=security_advisory&year=&suid= _00 19

20 Detail Finding(s): Attribute Value SEPM Version Windows 2000 SEP Clients detected Finding: Some SEP Clients are running Windows 2000, which is incompatible with SEP 12.1 Potential Impacts: Machines running Windows 2000 are of concern due to the unsupported nature of the operating system by Microsoft, and SEP Recommendation: If possible decommission or upgrade the Operating Systems on these machines. If this is not a possibility, discuss with your sales team the benefits of protecting these systems with Symantec Critical System Protection. Detail Finding(s): Attribute Value SEPM Version LiveUpdate Frequency Finding: LiveUpdate is not configured to run multiple times per day. Potential Impacts: Symantec typically releases 3 certified content updates per day to ensure our customers have the maximum protection against known threats. Failure to update multiple times per day lowers security posture. Recommendation: Configure LiveUpdate to run on the SEP Manager hourly to ensure that the clients are able to obtain the latest updates. Detail Finding(s): Attribute Value SEPM Version

21 4.5 SEPM Content Revisions are not Best Practice Finding: SEPM Content Revisions are set to a lower number than recommended by Symantec. Potential Impacts: Clients which have not checked into the SEPM recently and running an older definition pattern will likely receive complete packages of content updates. This has a direct impact on network performance in the environment. Recommendation: Increase the amount of content revisions held by the SEPM manager. Client will then leverage Delta creation of virus definitions, increasing the speed and efficiency of virus definition distribution. Keep in mind adjusting the number of content revisions held will directly impact the size of the SEPM database and the content folder on the SEPM hard drive (each content update accounts for mb of space used). See the following article for information on configuring this setting: Detail Finding(s): Clients Revisions Recommended Client IPS installation below 90% Finding: The Percentage of client running IPS in the environment is less that 90%. Potential Impacts: Client level protection is significantly reduced without Intrusion Protection enabled on a system. Symantec's 2012 Threat Report indicates that 42% of detections are stopped via IPS signatures. Recommendation: The Intrusion Prevent System (IPS) significantly increases the level of protection that Symantec Endpoint Protection provides by checking for port scans and denial-of-service attacks, and protects against buffer overflow attacks. This engine also supports the automatic blocking of malicious traffic from infected computers. You should always have IPS enabled on your network on any system possible including servers. 21

22 Note: IPS is fully compatible with Windows servers and should be used to protect all servers except high availability or high utilization servers. Symantec s Critical System Protection may be a better choice for these servers. See the following article for guidelines: Detail Finding(s): IPS Installed Total Clients % Installed % 22

23 Copyright 2013, Symantec Corporation (Symantec). All rights reserved. This document may not be copied or further distributed, in whole or in part, without written permission from Symantec.