Insight Deployment Best Practices

Contents
- Overview
- Creating Effective Insight Policies
- False Positive Prevention
- Correcting a False Positive

Overview

Symantec Insight is a reputation-based security technology that leverages the anonymous software adoption patterns of Symantec's hundreds of millions of users to automatically discover and classify every single software file, good or bad, on the Internet. Based on advanced data mining techniques, Insight seeks out mutating code, separating risky, low-reputation files from those that are safe.

Symantec Endpoint Protection (SEP) uses reputation-based technology to protect you in three ways:

First, SEP uses Insight to evaluate new files before they are introduced to a protected machine. This feature, called Download Insight, enables SEP to block all low-reputation files when they are introduced and before they can take root and cause damage. Since most malware is introduced via Web surfing, instant messaging, or email, checking the reputation of all such files and attachments before they are saved and used drastically reduces infections on endpoints.

Second, all of SEP's security technologies (such as SONAR behavioral protection and Malheur heuristics) now leverage Insight reputation data as a second opinion to improve their accuracy. Just as you would want a second opinion from another physician about a potential medical problem, Insight provides a second, community-based assessment to our other security technologies to improve their detection rate and reduce false positives.
Third, since Insight can identify trusted, high-reputation files (as well as low-reputation bad files), our product now uses this data to avoid scanning highly-trusted programs unless they are modified. This typically results in a 70-80 percent reduction in scanning overhead while maintaining a higher level of security than previous products.

This document is separated into three key areas of recommended practices:
- Creating Effective Insight Policies
- False Positive Prevention
- Correcting a False Positive

The Creating Effective Insight Policies section provides specific advice on recommended Insight configurations based on your corporation's specific tolerance for risk. The False Positive Prevention section is designed primarily to provide recommendations on how to proactively make sure your files and files from your trusted vendors have a good reputation. The Correcting a False Positive section provides information on how to submit a false positive to Symantec for correction or to create Exceptions Policies to eliminate known false positives.

Creating Effective Insight Policies

There are three main functionalities configurable by administrators and users in the Symantec Endpoint Protection Manager (SEPM):

1. Download Insight Configuration: The Download Insight feature helps prevent your users from downloading low-reputation software onto their machines.
2. Insight Performance Improvements: This SEP feature uses reputation data to avoid wastefully scanning files with a good reputation. This reduces the overhead of the security product without compromising security.
3. Insight Submissions: By submitting anonymous application adoption data to Symantec, you help increase the accuracy and precision of our reputation system.

1. Download Insight Configuration

What does Download Insight check?
Download Insight is only applied to software files at the time of their introduction (i.e., at the time of download and attempted installation) through typical Internet activities. Download Insight checks:
- New software files as they are downloaded by Internet Explorer, Firefox, Chrome, etc. Both user-downloaded files and drive-by downloads (not initiated by the user) are checked
- File attachments in emails when users save and/or launch these files from their email readers
- Files sent over Instant Messaging before users can save and launch these files on their computers
- Files downloaded over popular file-sharing programs (e.g., µTorrent) before users can save and launch these files on their computers

Download Insight does not check other software on protected machines, such as applications that are already installed and running. It only checks new software at the time it is introduced to a machine (e.g., downloaded). Its goal is to block a high percentage of new malware before it ever has a chance to run, with minimal false positive implications.

You may specify a single Download Insight policy for your entire enterprise, OR you may create multiple Download Insight policies for different corporate divisions (or even for individuals) if your divisions have different risk tolerances.
How-to: Download Insight configuration settings can be accessed in the SEPM by clicking on Computers -> Policies tab -> Virus and Spyware Protection Policy -> Download Protection (see Figure 1).

Figure 1
Protection Level Setting

Use this setting to control the file reputation level that Download Insight should consider to be malicious. In general, a lower protection level will yield both a lower false positive rate and a lower detection rate, while higher protection levels provide better protection but tend to have a higher rate of false positives on unknown/new files that have yet to build up a good reputation. Please follow the guide below to change the protection level slider setting.

Levels 1-3: Appropriate for highly FP-averse divisions or test environments that cannot tolerate the blocking of newly downloaded good files that are still building reputation (e.g., new files from little-known publishers). At these levels, malware that is still building reputation may evade detection, but the system is highly unlikely to convict good files at download time.

Levels 4-6: Appropriate for most desktop users downloading normal software. These levels balance FP risk and detection to capture most malware with low FPs. Level 5 is the appropriate threshold for a majority of users, and we discourage users from changing the value unless advised by Symantec support personnel.

Levels 7-9: Appropriate for highly secure environments where you wish to lock down a server or desktop that does not frequently install new or unproven software. FPs on newly downloaded good files that lack a higher reputation will occur at these levels, but very little malware will evade detection.

NOTE: For most enterprises, we recommend the preset default configuration at Protection Level 5. This will block low-reputation software and software still without a reputation (e.g., software that is new and not from a trusted vendor), in addition to blocking files that trigger classic fingerprints or heuristics.

Age & Prevalence Setting

The Download Insight feature also provides administrators the ability to restrict the Age and Prevalence of downloaded files.
We call this feature Policy-Based Lockdown (see Figure 1).

TIP: You may want to institute prevalence/age blocking policies for departments that require a high level of security. For example, you could block Finance employees from downloading software unless it had at least 1000 users and had been in the field at least two weeks. Such a policy limits these users to using only proven software. You may also allow files with lower prevalence/age to reach your IT/Helpdesk department if your IT staff needs to download more arcane tools to do their jobs. The Age/Prevalence values that you specify in these fields will differ according to the risk profile and the nature of applications typically downloaded by each organization or division.

These Age and Prevalence policies only apply to downloaded files (at the time of download), and they only apply to untrusted software that is not from Symantec-trusted software vendors. This means that software from vendors such as Microsoft, Symantec, Oracle, etc. will not be filtered due to Age or Prevalence criteria. This prevents false positives on downloads from trusted software vendors while ensuring that unproven software from untrusted vendors is blocked.

We also highly recommend that you enable the option to automatically trust any files downloaded from your company's Intranet websites (see Figure 1). This option allows the Download Insight feature to automatically trust downloads that come from the domains, URLs and IPs published in your organization's trusted domain/intranet site list. (These sites are specified in your Trusted Zones list in Internet Explorer; if this option is set, the trusted zone list is automatically imported and used by Download Insight.) Note that anything you place in that list is exempted from Insight's reputation rating, so keep the list to sites your organization actually controls.
Actions Setting

The next step is to configure the actions you want Download Insight to take if it detects a malicious or unknown file being downloaded. The options can be configured through the Actions tab under the Download Protection window (see Figure 2).

Figure 2

Recommended settings:
- We recommend leaving the action setting for malicious files (files with the lowest reputation) at its recommended default of Quarantine.
- We recommend leaving the action setting for unproven files (i.e., files that still lack a reputation) at the default Prompt value. This will warn users against downloading files that lack a solid reputation. SEP will warn users with a message that you may customize. Users can then decide if they should allow the file onto their systems.

TIP: You can customize the Download Insight warning message to suit your company's needs. For example: "This file may violate company policy. If the file is necessary for business purposes and you believe this message is in error, you may proceed and use the file. Otherwise, using this file may violate company policy and result in disciplinary action."
If you would prefer to simply quarantine/block unproven files, you can change the action taken for unproven files to Quarantine. For example, while you might allow your HelpDesk team to use unproven files (with a warning), you may want to make sure that your Finance department employees can only install files with a known-good reputation. Therefore, you can set the unproven file option to Quarantine for your Finance department, while leaving this option at Prompt for the HelpDesk department.

NOTE: If you set the option for unproven files to Quarantine or Delete, then the small subset of files that are still building reputation in the Symantec community will be blocked at download time. Note that files authored by vendors trusted by Symantec will not be given an unproven rating and will never fall into this category.

As mentioned above, the SEPM console enables the administrator to provide custom warning text to the end user for the Prompt option. Typical information filled in this area includes admin contact details and a warning on the enterprise policy. The same warning will also be displayed if the end user decides to restore a file from the Quarantine. The text can be entered in the Notifications tab under Download Protection as shown in Figure 3, below.

Figure 3
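The interaction between the protection level, Policy-Based Lockdown, trusted-vendor and intranet bypasses, and the per-category actions is easiest to see as a decision procedure. The following is an added illustration written for this page, not Symantec's code: the 0-100 reputation scale, the rule "a known score below 10 times the protection level is malicious", the order of the checks and the sample downloads are all assumptions chosen to mirror the prose above, and the two policies model the HelpDesk and Finance groups from the example.

```python
"""Model of the Download Insight decision path (added example, not Symantec's
code).  Reputation scale, thresholds and check ordering are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

GOOD, UNPROVEN, BAD = "good", "unproven", "bad"
ALLOW, PROMPT, QUARANTINE, DELETE = "allow", "prompt", "quarantine", "delete"


@dataclass
class DownloadedFile:
    name: str
    reputation: Optional[int]   # hypothetical 0-100 score; None = no reputation yet
    age_days: int               # days since the community first saw the file
    prevalence: int             # number of community users who have the file
    signer: Optional[str]       # publisher from a valid signature, or None
    source_url: str             # where the file was downloaded from


@dataclass
class DownloadInsightPolicy:
    protection_level: int = 5                   # slider 1..9; 5 is the default
    min_age_days: int = 0                       # Policy-Based Lockdown; 0 = off
    min_prevalence: int = 0                     # Policy-Based Lockdown; 0 = off
    trust_intranet: bool = True                 # "automatically trust intranet downloads"
    intranet_domains: frozenset = frozenset()   # imported Trusted Zones list
    trusted_vendors: frozenset = frozenset({"Microsoft", "Symantec", "Oracle"})
    action_bad: str = QUARANTINE
    action_unproven: str = PROMPT               # PROMPT, QUARANTINE or DELETE

    def evaluate(self, f: DownloadedFile) -> Tuple[str, str, str]:
        """Return (category, action, reason) for one file at download time."""
        if not 1 <= self.protection_level <= 9:
            raise ValueError("protection level must be 1..9")
        # 1. Symantec-trusted vendors are never rated unproven and are exempt
        #    from age/prevalence filtering.
        if f.signer in self.trusted_vendors:
            return GOOD, ALLOW, f"signed by trusted vendor {f.signer}"
        # 2. Downloads from the organisation's own trusted sites are allowed.
        host = (urlparse(f.source_url).hostname or "").lower()
        if self.trust_intranet and _in_domains(host, self.intranet_domains):
            return GOOD, ALLOW, f"intranet source {host}"
        # 3. Protection level: a known score below the threshold is malicious
        #    (assumed threshold = 10 * level, so level 5 convicts scores < 50).
        threshold = 10 * self.protection_level
        if f.reputation is not None and f.reputation < threshold:
            return BAD, self.action_bad, f"reputation {f.reputation} < {threshold}"
        # 4. Policy-Based Lockdown: too new or too rare counts as unproven.
        if f.age_days < self.min_age_days or f.prevalence < self.min_prevalence:
            return UNPROVEN, self.action_unproven, (
                f"age {f.age_days}d / prevalence {f.prevalence} below lockdown")
        # 5. No community reputation yet: unproven.
        if f.reputation is None:
            return UNPROVEN, self.action_unproven, "no community reputation yet"
        return GOOD, ALLOW, f"reputation {f.reputation} >= {threshold}"


def _in_domains(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample downloads (names, scores and URLs are made up).
SAMPLE_DOWNLOADS = [
    DownloadedFile("office-update.exe", 95, 400, 5_000_000, "Microsoft",
                   "https://download.example.com/office-update.exe"),
    DownloadedFile("intranet-tool.exe", None, 2, 4, None,
                   "http://tools.corp.example/intranet-tool.exe"),
    DownloadedFile("niche-util.exe", 72, 5, 40, "Small Vendor Ltd",
                   "http://dl.smallvendor.example/niche-util.exe"),
    DownloadedFile("cracked-setup.exe", 12, 1, 2, None,
                   "http://free-stuff.example/cracked-setup.exe"),
    DownloadedFile("beta-build.exe", None, 30, 2000, None,
                   "http://builds.example.net/beta-build.exe"),
]

INTRANET = frozenset({"corp.example"})
HELPDESK = DownloadInsightPolicy(intranet_domains=INTRANET)             # defaults, Prompt
FINANCE = DownloadInsightPolicy(intranet_domains=INTRANET, min_age_days=14,
                                min_prevalence=1000, action_unproven=QUARANTINE)


def run(policy: DownloadInsightPolicy) -> dict:
    """Map each sample file name to the action the policy would take."""
    return {f.name: policy.evaluate(f)[1] for f in SAMPLE_DOWNLOADS}


if __name__ == "__main__":
    for label, policy in (("HelpDesk", HELPDESK), ("Finance", FINANCE)):
        print(label)
        for f in SAMPLE_DOWNLOADS:
            print("  %-20s %-10s %s" % ((f.name,) + policy.evaluate(f)[1:]))
```

The point to notice is niche-util.exe: its reputation clears the level-5 threshold, so HelpDesk users get it, but Finance's 14-day / 1000-user lockdown still quarantines it, while the Microsoft-signed update passes both policies without being scored against the lockdown at all. Raising the slider to 8 in the model would convict the same file as malicious rather than merely unproven.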
2. Insight Performance Improvements

The Insight ("scan-less") feature reduces the overhead of SEP by enabling it to skip the real-time scanning of extremely high-reputation files, such as Word, Excel, Windows kernel files, and other files that are discovered to have a sterling reputation. On a typical system, when enabled, this prevents scanning of 70 to 80 percent or more of the applications on a system, dramatically reducing the overhead of the SEP product when compared with other endpoint security solutions. Should such a trusted file change (even a flip of a single bit from a 1 to a 0, for example), then the file immediately becomes untrusted and is scanned using all available protection technologies.

HOW-TO: The scan-less feature can be configured in SEPM through the management console by clicking on Computers -> Policies tab -> Virus and Spyware Protection Policy -> Global Scan Options (see Figure 4).

Figure 4

Recommended settings: We encourage you to leave the default option set at Symantec Trusted for the best performance and security.
3. Insight Submissions

Symantec highly encourages you to anonymously submit your file usage data to Symantec's secure reputation servers. This feedback enables Symantec's systems to provide you with better protection. The Insight submission system is designed to comply with the Personally Identifiable Information (PII) regulations of all countries to ensure privacy.

NOTE: Insight submissions require very little bandwidth.

The administrator can enable or disable Insight submissions for SEP client installs via Symantec Endpoint Protection Manager (SEPM) using two methods:

1. Set the group policy to enable submissions and include it in the client installation package (see Figure 5). You can ensure that your SEP instances are properly submitting telemetry data by leaving the default File Reputation option enabled, as highlighted in the figure.

Figure 5

2. If the group policy is not included in the client installation package, then the admin can pre-set the client install to enable the submissions (see Figure 6). The submissions are controlled via the "Submit reputation information to Symantec Security Response" option highlighted in the figure.
Figure 6

Symantec Endpoint Protection Client

The Download Insight options may be configured both in SEPM and in the client SEP UI. Download Insight can be accessed in the SEP client by clicking on Change Settings -> Global Settings.

Recommended settings: We highly recommend that administrators disable Download Insight controls at the endpoints. This will help make sure that the administrator can provide uniform security protection across the organization.
False Positive Prevention

SEP 12.1 will not detect known good files as malware. There are several ways to make sure your good files are known as good. The following steps will help prevent false positives when using SEP 12.1.

Step 1 - Use Digital Signatures

One of the easiest ways to identify that a file is good is to know where it came from and who created it. An important factor in building confidence in a file being good is to check its digital signature. Executable files without a digital signature have a higher chance of being identified as unknown or low-reputation.
- Custom or home-grown applications should be digitally signed with Class 3 digital certificates
- Customers should insist that their software vendors digitally sign their applications

Step 2 - Add to the Symantec White List

Symantec has a growing white list of over 25 million good files. These files are used in testing signatures before they are published. Their hash values are also stored online and used to avoid false positives on the SEP client via real-time cloud lookups whenever a file is detected by any of our client security technologies (e.g., SONAR behavioral technology, a fingerprint, etc.). This white list is a powerful tool for avoiding false positives. Customers and vendors can add files to this list.
- Software vendors can request that their executables be added to the Symantec white list at https://submit.symantec.com/whitelist/
- BCS customers can have their system images submitted to the white-listing program at https://submit.symantec.com/whitelist/bcs.cgi

Symantec provides customers with simple whitelisting tools that can greatly simplify the submission of information on known good files to Symantec.

NOTE: Do not use the above links to correct a false positive. See below for instructions on correcting a false positive.
Step 3 - Test
- The initial deployment of SEP 12.1 during beta should include test machines with representative images of the software you run in your environment, including common third-party applications
- Monitor for potential issues during beta testing

Step 4 - Feedback
- Each security technology in SEP 12.1 can collect data that is sent back to Symantec to measure and mitigate false positives via analysis, heuristic training against collected data sets, and custom generic whitelisting
- Enable automated submission of metadata on detections
Correcting a False Positive

Symantec wants to know about and correct false positives. A submission not only allows Symantec to correct the current issue, it also allows us to study the causes of the false positive so that similar files avoid the same problem in the future.

Step 1 - Submit

False positive submissions can be made immediately to Symantec via a Web form. All suspected false positives should be submitted to https://submit.symantec.com/false_positive/. It is critical for resolution of Reputation (Download Insight) false positives that the file, or the SHA256 value of the file, be included with the submission. (The hash value of a file is also presented in client notices and by third-party tools.) False positives should not be submitted via the malware submission system. This is a change in procedure and is not specific to SEP 12.1. The URL above should be used to report false positives, no matter which product is involved. Once the submission has been processed and the file whitelisted by Symantec, the quarantine rescan feature will automatically restore the file from quarantine.

Step 2 - Exclude

SEP 12.1 supports multiple ways to exclude good files from detection. Exclusions can be performed from the SEP management console to mitigate false positives enterprise-wide.
- You may exclude files downloaded from known, trusted domains (e.g., your corporation's Web domain or your company's vendors' domains) from Download Insight detections (see Chapter 20 of the SEP Implementation Guide)
- You may add exclusions/exceptions in SEPM for critical files, directories or URLs/IPs

Adding Exceptions

Administrators can add new exceptions for files (e.g., "File X is always safe") or domains (e.g., "All files downloaded from domain http://somedomain.com are safe") in two ways:

1. Define an Exceptions Policy

To add a single or small number of domain/file exclusions, use the Exceptions Policy screens in SEPM.
The Exceptions Policy can be used, for example, to add a new exclusion for an internally developed enterprise application. It can also be used to whitelist the domain of a new enterprise vendor that hosts trusted applications used by employees.

HOW-TO: To add one or more files/domains to the Exceptions Policy, administrators can do so from SEPM through the management console by clicking on Computers -> Policies tab -> Exceptions -> Add an Exceptions Policy. Exceptions can be created to always trust a File or a Web Domain (see Figure 7 and Figure 8).
Figure 7

Figure 8
2. Use the Risk Log to View Recent Download Insight Blocking Events

Administrators can also use the SEPM Risk Log to review Download Insight blocking events in order to identify and address recent false positives encountered by their employees. The Risk Log includes every blocking event from every endpoint in the enterprise, including files blocked by our classic fingerprint-based antivirus scanner, our SONAR behavioral engine, and our new Insight technology.

HOW-TO: To review recent blocking events, administrators can navigate to the Risk Log section of the SEPM console. Click on Monitors -> Logs -> Risk (under Log type) -> View Log button (see Figure 9). Insight-blocked files can be identified by their WS.Reputation.1 name in the Risk Name column of the table (see Figure 10). For each such Insight-blocked file, SEPM also displays the domain or IP address from which the file was downloaded (e.g., 183.168.232.137 or http://www.website.com).

Figure 9

TIP: If the Risk Logs show many malicious downloads blocked by Insight, you can select to view block events By Application or By Web Domain (see Figure 10).

Figure 10
By Application

If you select the By Application view, you get a list of all unique files that were blocked across the enterprise, as well as the prevalence of each blocked file. This data helps identify any high-prevalence malware that may be affecting employees. It also lets you identify high-prevalence false positives on good files. You may order this list by prevalence by clicking on the Count column. This allows you to quickly identify all high-prevalence false positives that are affecting users. Note that a high count by itself does not tell you which case you are looking at; a widely blocked file can just as easily be an outbreak as a false positive, so confirm the file's source and publisher before allowing it.

HOW-TO: To permanently allow (whitelist) a file across the enterprise, click on the + sign in the Action column for that file and select Allow Application from the drop-down list (see Figure 11). Future downloads of the selected file will no longer be blocked.

Figure 11

By Web Domain

Selecting the By Web Domain view provides a list of domains from which your employees downloaded blocked files. These domains could either be malicious domains or potentially legitimate domains of vendors that host lower-reputation files. This view may also show that legitimate files from trusted vendors' websites are being blocked by Download Insight because they have a low reputation. If so, you might want to whitelist these domains so that Download Insight will no longer block the site. You can easily identify the highest-prevalence false positives by clicking on the Count column. This places the domains with the highest number of blocked files first, enabling rapid whitelisting of your important domains.
HOW-TO: To permanently allow downloads from a domain, click the + sign in the Action column for that domain and select Trust Web Domain from the drop-down list (see Figure 12). Future downloads from the selected domain will no longer be blocked based on Insight reputation.

NOTE: Whitelisting a domain will not prevent our other technologies (e.g., fingerprints) from blocking files downloaded from that domain. It only overrides our Insight reputation rating for files downloaded from the domain.
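The two Risk Log views above amount to filtering on the WS.Reputation.1 risk name and then counting by file and by download source. The following is an added example written for this page, not part of SEPM: it performs that triage offline over a constructed Risk Log export. The CSV column names, the file names, the truncated hash placeholders and the hosts are all made up for the illustration, and a real export from SEPM may use different headings.

```python
"""Offline triage of Download Insight block events, mirroring the Risk Log's
"By Application" and "By Web Domain" views (added example, not SEPM code).
The CSV below is constructed; its column names are assumptions."""
import csv
import io
from collections import Counter
from typing import List, Tuple
from urllib.parse import urlparse

INSIGHT_RISK_NAME = "WS.Reputation.1"   # the name the Risk Log gives Insight blocks

# Constructed stand-in for a Risk Log export (hashes truncated, hosts made up).
RISK_LOG_CSV = """\
time,computer,risk_name,file_name,sha256,download_source,action
2011-06-01 09:12:03,WS-FIN-01,WS.Reputation.1,ledgerhelper.exe,a1a1a1a1,http://www.vendor-example.com/dl/ledgerhelper.exe,Quarantined
2011-06-01 09:15:40,WS-FIN-02,WS.Reputation.1,ledgerhelper.exe,a1a1a1a1,http://www.vendor-example.com/dl/ledgerhelper.exe,Quarantined
2011-06-01 10:02:11,WS-FIN-03,WS.Reputation.1,ledgerhelper.exe,a1a1a1a1,http://www.vendor-example.com/dl/ledgerhelper.exe,Quarantined
2011-06-01 10:44:58,WS-FIN-04,WS.Reputation.1,ledgerhelper.exe,a1a1a1a1,www.vendor-example.com,Quarantined
2011-06-01 11:20:07,WS-HD-01,WS.Reputation.1,free_codec.exe,b2b2b2b2,198.51.100.7,Quarantined
2011-06-01 11:21:35,WS-HD-02,WS.Reputation.1,free_codec.exe,b2b2b2b2,http://198.51.100.7/get/free_codec.exe,Quarantined
2011-06-01 13:05:19,WS-MKT-01,WS.Reputation.1,photoviewer-setup.exe,c3c3c3c3,http://dl.photo-example.net/photoviewer-setup.exe,Quarantined
2011-06-01 13:30:02,WS-MKT-02,Trojan.Gen,invoice.pdf.exe,d4d4d4d4,http://198.51.100.7/invoice.pdf.exe,Quarantined
"""


def parse_risk_log(text: str) -> List[dict]:
    """Read a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def insight_events(rows: List[dict]) -> List[dict]:
    """Keep only Download Insight blocks; fingerprint/SONAR hits have other names."""
    return [r for r in rows if r["risk_name"] == INSIGHT_RISK_NAME]


def source_domain(source: str) -> str:
    """Normalise the Risk Log's download source (full URL, bare host or bare IP)
    to a lower-case host name so the same site is counted once."""
    s = source.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def by_application(rows: List[dict]) -> List[Tuple[str, str, int]]:
    """(sha256, file_name, count) for each unique Insight-blocked file, most
    prevalent first; ties broken by file name for a stable order."""
    counts = Counter((r["sha256"], r["file_name"]) for r in insight_events(rows))
    return sorted(((h, n, c) for (h, n), c in counts.items()),
                  key=lambda t: (-t[2], t[1]))


def by_web_domain(rows: List[dict]) -> List[Tuple[str, int]]:
    """(domain, count) for each download source of Insight blocks, most first."""
    counts = Counter(source_domain(r["download_source"]) for r in insight_events(rows))
    return sorted(counts.items(), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    rows = parse_risk_log(RISK_LOG_CSV)
    print("By Application")
    for sha, name, count in by_application(rows):
        print(f"  {count:3d}  {name:24s} {sha}")
    print("By Web Domain")
    for domain, count in by_web_domain(rows):
        print(f"  {count:3d}  {domain}")
```

Two details matter for real exports: the risk-name filter removes the Trojan.Gen row, which a domain whitelist would not have affected anyway (only Insight's rating is overridden), and the source normalisation folds a bare host, a bare IP and a full URL for the same site into one count, which is what you want before deciding whether a domain is a vendor worth trusting or a distribution point to keep blocking.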
Figure 12
Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Mountain View, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com. For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters, 350 Ellis Street, Mountain View, CA 94043 USA, +1 (650) 527-8000, www.symantec.com

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.