TECHNOLOGY BRIEF: ENDPOINT Symantec PROTECTION endpoint protection 11.0 11.0 Symantec Endpoint Protection 11.0 Reviewer s Guide
Technology Brief: Symantec Endpoint Protection Symantec Endpoint Protection 11.0 Reviewer s Guide Contents Introduction......................................................................... 2 Testing key features.................................................................. 2 Software setup....................................................................... 3 Endpoint Manager features............................................................ 6 Client Manager features..............................................................15 Monitoring and logging.............................................................. 16 Conclusion.........................................................................16
Introduction This document will introduce you to some of the more important endpoint protection features of Symantec Endpoint Protection 11.0. Symantec Endpoint Protection better protects against a variety of new threats, going beyond traditional antivirus and antispyware prevention to stop rootkits, bots, zero-day attacks, and blended network-based intrusions. Today, many security-minded companies struggle to protect endpoints from the latest threats using a series of different, single-purpose products. Symantec Endpoint Protection makes it possible for organizations of all sizes to get the most comprehensive set of protection technologies by integrating them in a single client, all managed by a single management console. Most of the integrated protection technologies are turnkey and require no set-up or configuration. Additional advanced settings are also provided for those who want to further lock down systems, reducing vulnerable areas. While not covered in this guide, Symantec Network Access Control 11.0 is also integrated into the Symantec Endpoint Protection 11.0 client. This integration makes it easy to add NAC capability later (through an additional license purchase), without an additional client deployment. This document supplements several others that are part of the Symantec Endpoint Protection product line, including: Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control User s Guide Installation Guide Testing key features Before you test, here are some items to consider and to compare to competing products: How many clients (or agents) are required to provide equal endpoint protection coverage (AV, AS, FW, IPS, Device Control, NAC)? How extensive and granular are the advanced control features for firewall, application control, and device control? Can the product take a snapshot of the system to automatically determine authorized applications and processes and block others? How extensive are the IPS technologies (network layer, host layer, behavior-based, etc)? How easily can the product adapt to different network locations as a PC moves around? How easy is the product to manage and change protective policies, deploy clients, and manage logs? How easy is the product to install and deploy across the enterprise? Does the management console provide dashboard view of top-line health for all key endpoint protection technologies? How much of a memory footprint is consumed by the client? 2
Symantec has included many different protection technologies in the product, and here are some examples shown in the table below: Symantec Endpoint Protection Key Technologies Protection Technology Host IPS Host IPS Data Loss Prevention Feature Name TruScan Proactive Threat Scan technology Application Control Device Control Description Detects zero-day threats and threats not seen before. Behavior-based detection with uniquely low false positive rate. Technology is from the acquisition of Whole Security and does not require signatures. Protects from zero-day attacks. System Lockdown is an easy way to set-up Application Control. Whitelisting allows only approved applications to be run. Reduces ability for unknown applications and malware to run. Technology is from the acquisition of Sygate. Helps prevent unauthorized data transfer and data theft from USB drives etc. Controls which devices are allowed to connect. Technology is from the acquisition of Sygate. Network IPS Generic Exploit Blocking Protects from exploit attacks on application, operating system and browser software vulnerabilities. Generic vulnerability based signatures detect all variants of exploits providing protection before the exploit is on the system. GEB is one of three IPS technologies, and is extremely easy to set-up and use. Rules-based Firewall Firewall Protects from zero-day attacks and the spread of worms and Trojans. Technology is from the acquisition of Sygate. AV/AS Antivirus and Antispyware Leading detection of toughest polymorphic threats and rootkit attacks. VxMS rootkit technology is from the acquisition of Veritas. Software setup First, setup your test network of at least one server and one client PC as follows: Server Requirements Windows Server 2003, SP 1 (or) Windows Server 2000, SP 4 Client Requirements Windows XP (or) Windows Vista Either needs IIS pre-installed Note that you need to have IIS running before the install: by default Windows Server doesn t install IIS and Symantec Endpoint Protection uses IIS for its management and reporting functions. If you want to do remote administration of the Symantec Endpoint Protection Manager, you ll need to install JRE 1.5 on the remote machine as well as connect it via Internet Explorer (v6 or later) at port 9090 (unless you have set up another port). 3
There are two different ways that Symantec Endpoint Protection can be deployed: either as a managed or unmanaged client. The unmanaged client does not require any server software and can be installed as a standalone software package directly from the installation CD. The managed client requires an executable package to be created by the server and then deployed accordingly. To install the managed client, first install the Symantec Endpoint Protection Manager, and then bring up its console and login with your chosen administrator name and password. There are three different authentications for the Manager: admin login to the console, database login, and shared secret for client/server manager. You can choose the same word for all three if you wish, this allows for some additional flexibility if you have more than a single administrator. Now go to Admin/Install packages/export an install package and choose a shared directory on your server where you will save the package. (Or you can have Active Directory s Group Policy Object push out the package as an alternative.) Pick defaults and all components for now, and choose the Global group and Computer mode for the export. This will create an install package that you can distribute to your clients on your test network. You should see something similar to this screen: 4
Symantec Endpoint Protection Manager has four organizing principles for its operation. Each client is a member of a group, and each group can have one or more network location, such as home, office LAN, or VPN. Groups can be divided into different administrative realms, called domains, to segregate departmental security admins. Finally, each client is subject to a series of protection policies that are applied for its particular group and location. Now go to your Windows clients and run the executable file that you just created from the server s shared directory. Once this is done, check under Clients tab to see if these clients show up on your screen, which will indicate that your server manages them. We next compare what information is available on the clients. Bring up the Symantec Endpoint Protection client, go to the Change settings tab and you ll see something similar to the screen below: 5
Notice that the Network Threat Protection button isn t active, indicating a managed client. These policy settings have to be configured from the manager and pushed onto the client. Note: Please run LiveUpdate on the client to receive the latest signatures before you begin your testing. Endpoint Manager features Let s demonstrate some of the more advanced features of the product. We will show you screenshots from both the manager and client sides so you can see what is going on. 1. Go to Policies/New AV policy/proactive Threat Scan. Here you can change how the client responds to new threats that aren t part of the antivirus and antispyware signature databases. TruScan Proactive Threat Scan is a unique form of HIPS technology that protects against unseen (zero-day) malware, ones for which no-signature exists. It s unique because it detects malicious code written by hackers, and not simply alerting of bad behaviors. While this is much more difficult to do, it is correspondingly more valuable. This is because many obviously bad behaviors are also performed by valid applications, which is why typical behavior based technology is too noisy and unusable for broad deployments. TruScan Proactive Threat Scan provides a higher quality of detection (ratio of true to false alerts)about the nature of the process running on the system. Our consumer install base of 30M+ users measures only 40 false alarms for every one million users. How it works: TruScan Proactive Threat Scan measures bad behaviors plus many other characteristics to detect malicious processes. It looks beyond individual actions to target malicious processes. Examples of characteristics that are flagged include i) remote compromise via back door or bot, ii) data or identity theft, iii) asphyxiation through mass replication, iv) downloaders, etc. 6
If you have a keylogging program to test (such as one that is available from winsoul.com), you can download it to the client. You can also change the behavior on this screen from the defaults if you want more than just logging of the event when it is installed: You can also change the Scan Frequency tab at the top of the screen to specify how often TruScan Proactive Threat Scan should run on the clients. 7
Note that the defaults chosen will be picked up on the client side, so go to Change Settings/Proactive Threat Protection/Configure Settings on the client and you ll see the screen below that has the same layout and controls as the manager side: 8
2. Next we examine the various personal firewall settings. Symantec Endpoint Protection includes a number of innovative features, including smart traffic rules, which avoid having to set up special firewall rules to handle common network configuration settings such as DHCP and DNS requests across the firewall. Also included are automatic settings that can be found under the Traffic and Stealth Settings tab to enable reverse DNS lookups and stealth-mode Web browsing, as shown in the screen below: Also note that the rule set can be configured to adjust to the particular network, which is important for mobile users that move on and off VPNs, for example. 3. Next, we introduce the concept of client-side network intrusion prevention. Symantec has built this into its Symantec Endpoint Protection client so that malware including worms, bots, spyware, and other threats are stopped on the network before they hit your system. One generic vulnerability signature (Generic Exploit Blocking or GEB), can stop hundreds or thousands of threats and each of their variants. This proactively protects the underlying vulnerabilities in your Applications, Browser, and Operating System on your systems. A recent example of this is below: Malware W32.Randex.GRS. The worm spreads through network shares and by exploiting the following vulnerabilities: Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) Microsoft Windows Plug and Play Buffer Overflow Vulnerability (BID 14513) 9
Go to Policies/Intrusion Prevention/Edit the policy/settings and you can see the various components of what makes up this policy such as port scanners and denial of service attacks. You can also allow specific hosts or block specific IP addresses. To see a list of all the attacks that are covered in this module, go to the Exceptions page and click on Add and you can alter your policy for these specific items. 10
To effectively test and validate your protection from the Client Intrusion prevention setup the following test and environment. 1) Select a vulnerability that you would like to focus on exploiting such as MS RPC DCOM, or LSASS vulnerability. (Sources: Bugtraq database http://www.securityfocus.com/brief/512) 2) Set up a target machine with the appropriate OS and Service Pack For effective testing, the target system should be vulnerable to the specified Application, Browser, or Operating System vulnerability. 3) Set up an attacking machine with an OS of your choice. 4) Use an attack tool to send the attack a. Metasploit http://www.metasploit.com b. Core Impact http://www.coresecurity.com c. Immunity CANVAS http://www.immunitysec.com 5) Look for artifacts of a successful attack, service crashes, new user added, and new listening port. 6) Symantec Endpoint Protection with Intrusion Prevention will actively detect and block attacks before reaching the system. Best Practices Testing must be performed with real-world exploits, malware, bots, worms, or websites with malware hosted against vulnerable machines. The client firewall should be disabled to allow the attack to go through. In the Intrusion Prevention Policy, disable the Automatically block an attacker s IP address. Configure target system with normal user settings (File Sharing turned on) and applications such as Acrobat, QuickTime, and Yahoo IM with the specific versions that you want to test with. Test example using Metasploit Remotely exploiting a vulnerability with no client interaction Steps: 1) After installing and loading Metasploit on an attacking system, select Exploit from the menu (top-left corner). On the search page, enter RPC DCOM. 2) Choose Microsoft RPC DCOM Interface Overflow from the list. 11
3) Select the Operating System of the target or select auto. 4) Choose an option for the attack. For this example, we will exploit the vulnerability and get a shell back. 5) On the configuration screen, enter the IP address of the target system. 6) Click on Launch Exploit. 7) If you were successful with your exploit, you will have shell access to the system. You can type dir to get a directory list. 8) Repeat the same test with Symantec Endpoint Protection. Notice that Intrusion Prevention blocked the attack and it was not compromised. 4. Next, let s talk about Application blocking. This feature can be used to allow only particular applications to run on a machine, and reduce the exposure and risk to unknown programs that could be unintentionally installed on the machine. This is called System Lockdown. First, go to the command prompt on the client computer and run the following command: C:\Program Files\Symantec\Symantec Endpoint Protection\checksum test.txt C:\ Then copy this text file to a shared drive on the server. The fingerprint file collects the signatures of all the current applications installed on that particular client so that a user of that machine is protected from anything new such as Trojans or other exploits that try to install themselves on the machine. On the Manager s console, go to Policies/Policy Components/File Fingerprint and run the Add a new fingerprint wizard, importing the text file you just created. Then enable System Lockdown under the Clients/Policies page. You should see something similar to the screenshot below: 12
Test this policy by trying to run some new software (or to uninstall something) on the client, it should be blocked. 5. Device control policies. In addition to application and system lockdown features, there are also policies that can prohibit users from downloading files to removable devices, or from getting infected from USB key drives or CDs. We ll show you how to do this, and also how you setup a new protection policy. Let s say you want to block access to the CD or DVD drive of your clients to prevent them from loading software or playing music or videos on their PCs. On the management console, go to Policies/Application and Device Control/Add a new app or device control/ Device Control and click on the Add button below the blocked devices. Highlight the CD/DVD entry and include in the blocked list. Click on the button to notify users at the bottom of the screen and type a simple message. Now confirm your choices with OK and you will be prompted to apply this policy to a group. Use the Global group and confirm this and then this policy will be updated. If you made a mistake, you can either edit this policy or withdraw the policy back on the Policies screen. Once this policy is applied to the group, your client s PC should show a message that you specified, and the CD drive will no longer show up when you browse My Computer on Windows Explorer. If you go into the Symantec Endpoint Protection client, View Logs/Client Management/Security Logs, you can see a status message similar to the one shown below: 13
6. Location-specific policies. Symantec Endpoint Protection has the ability to automatically switch policies based on the network location of the clients, so a more stringent security policy could be applied to a home network, or when someone uses a VPN to connect back to the office. You can set certain conditions such as IP address or a directory server that is checked to determine the appropriate location. Go to Clients/Policies tab/add Location and then follow the steps of the location wizard. You will be able to specify how to detect the new location based on the factors shown in the screen below: Once the conditions are met, you can set specific policies for the various protection features. Here you can see how we have setup a location called home network that checks for a Juniper SSL VPN: 14
Client Manager features 1. Managed client data can be found by going to Clients, then clicking on a particular client and Edit Properties. Here you ll see a screen that shows you OS, processor and other hardware details, including whether or not a trusted computing module is found on the PC. 2. Integration with Active Directory. Symantec Endpoint Protection Manager can synchronize its users and resources with an Active Directory server, and automatically keep synchronized on a set schedule (set for every 24 hours by default). The synchronization extends to the organizational unit structure as well as for individual users. Enterprises that are using LDAP servers can import this information into Symantec Endpoint Protection Manager. 3. Let s adjust the resource consumption. For the base state (no scans running) you can measure and compare the memory usage of Symantec Endpoint Protection 11.0 to previous releases of Symantec AntiVirus. Bring up the Windows Task Manager on the client PC and click on processes and add up the processes that the Symantec software is using: ccapp.exe, rtvscan.exe, SescLU.exe, ccsvcjst.exe, and smc.exe. Now keep the Task Manager up and start an active scan on the client and see how these figures change. You can also do some tuning here by going to Scan for Threats/Create New Scan/Full Scan/Next/Advanced/Tuning and set options and view the processes during the scan. This is where you can adjust the amount of resources that Symantec Endpoint Protection client uses relative to other applications. 15
Monitoring and logging The Symantec Endpoint Protection Manager console has several pages that summarize real-time threat data, produce reports, and log various events. While there are more details of these functions in the Administrator s Guide, we ll touch on a few highlights. First, the home page of the management software shows summary statistics, an overall status indicator, summaries of the past 24 hours of detection events, and whether any clients have turned off critical components of the Symantec Endpoint Protection software or require restarts. There are also numerous reports that can be produced on a scheduled or ad hoc basis as well. Finally, there are many different logs that are created and are available from the server console, and are also accessible from individual clients. Conclusion Symantec Endpoint Protection 11.0 combines Symantec AntiVirus with new advanced threat prevention technologies to protect against a variety of new threats, going beyond traditional antivirus and antispyware prevention to stop rootkits, bots, zero-day attacks, blended network-based intrusions, and data loss. In conducting your review of Symantec Endpoint Protection we trust you have seen the value that we are delivering by integrating essential endpoint security technologies into a single client, managed by a single console delivering what customers need for endpoint protection. 16
About Symantec Symantec is the global leader in information security providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec s Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in 35 countries. More information is available at www.symantec.com. Symantec has worldwide operations in 35 countries. For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 800 745 6054 Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA 1 408 517 8000 1 800 721 3934 www.symantec.com Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft, Microsoft Windows, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2000 are registered trademarks of Microsoft Corporation in the United States and other countries. Other names may be trademarks of their respective owners. 10/07 13082547 17