SIMATIC Process Control System PCS 7: Configuration Symantec Endpoint Protection (V12.1)




SIMATIC
Process Control System PCS 7
Configuration Symantec Endpoint Protection (V12.1)

Commissioning Manual
04/2013
A5E03874574-02

Legal information

Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION indicates that minor personal injury can result if proper precautions are not taken.
NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Industry Sector, Postfach 48 48, 90026 NÜRNBERG, GERMANY
A5E03874574-02, 04/2013. Technical data subject to change.
Copyright Siemens AG 2013. All rights reserved.

Table of contents

1 Preface
2 Virus scanner administration
  2.1 Introduction
  2.2 Definitions
  2.3 Using virus scanners
  2.4 Basic virus scanner architecture
3 Configuration
  3.1 Introduction
  3.2 Overview of SEP modules and functions
  3.3 SEP modules and functions
    3.3.1 General information
    3.3.2 Virus and Spyware Protection
    3.3.3 Intrusion Prevention
    3.3.4 Application and Device Control
    3.3.5 LiveUpdate
    3.3.6 Network Application Monitoring

1 Preface

This documentation describes the settings to be changed in Symantec Endpoint Protection 12.1 for use in an industrial plant. The configuration represents an extract of the settings from Symantec Endpoint Protection which were used in the compatibility test with PCS 7 and WinCC.

Important information about this whitepaper

Systems tested. The recommended settings for these virus scanners have been chosen to ensure that the reliable real-time mode of PCS 7 is not adversely affected by the virus scanner software. These recommendations describe the best compromise currently known between two goals: detecting and neutralizing viruses and malicious software as comprehensively as possible, and keeping the time response of the PCS 7 control system as deterministic as possible in all operating phases. If you choose different settings for the virus scanner, this could have negative effects on the real-time behavior.

Purpose of the documentation

This documentation describes the recommended settings for virus scanner software in combination with PCS 7 and WinCC, following the installation of the virus scanner.

Skills required

This documentation is aimed at persons involved in the engineering, commissioning, and operation of automated systems based on SIMATIC PCS 7 or WinCC. Knowledge of administration and IT techniques for Microsoft Windows operating systems is assumed. You should also be familiar with the security concept of PCS 7 and WinCC. Additional information is available on the Internet at the following address: http://support.automation.siemens.com (http://support.automation.siemens.com/ww/view/de/60119725)

Scope of the documentation

The documentation applies to process control systems equipped with the respective product version of PCS 7 or WinCC.

Note
Note that certain virus scanners are only enabled for certain product versions. Additional information is available on the Internet at the following address: http://support.automation.siemens.com (http://support.automation.siemens.com/ww/view/de/2334224)

2 Virus scanner administration

2.1 Introduction

Using virus scanners in a process control system is only effective when they are part of a comprehensive security concept. A virus scanner alone generally cannot protect a process control system from security threats.

2.2 Definitions

Virus scanners
A virus scanner is software that detects, blocks or eliminates known harmful program routines (computer viruses, worms and similar malware).

Scan engine (scanner module)
The scan engine is a component of the virus scanner software that can examine data for harmful software.

Virus signature file (virus pattern file or virus definition file)
This file provides the virus signatures to the scan engine, which uses it to search data for harmful software.

Virus scan client
The virus scan client is a computer which is examined for viruses and managed by the virus server.

Virus scan server
The virus scan server is a computer which centrally manages virus scan clients, loads virus signature files and distributes them on the virus scan clients.

Security Suite
Program suites usually sold by former virus scanner manufacturers that provide further security functionalities in addition to traditional virus scanner functions, such as IPS, Application Control, Firewall, etc.

2.3 Using virus scanners

The use of a virus scanner should never inhibit the plant's process mode. The following two examples illustrate the problems that arise in automation through the use of virus scanners:

- A virus-infected computer cannot be switched off by a virus scanner if in doing so control is lost over the production process or a plant can no longer be operated in a safe condition.
- Even a virus-infected project file, e.g. a database archive, cannot be automatically suspended, blocked or deleted if there is no longer any ability to trace important measured values by doing so.

The following requirements are therefore set for virus scanners when used in industrial environments:

- When using a Security Suite (virus scanner plus options), all options that go beyond the functions of a traditional virus scanner must be capable of being deactivated, e.g. firewall, e-mail scan.
- It must be possible to deactivate the sending of data or reports to virus scanner manufacturers when a virus is found.
- In a centrally managed virus scanner architecture, it must be possible to divide the virus scanner clients into groups and to configure these clients.
- It must be possible to disable automatic distribution of virus signatures.
- It must be possible to distribute virus signatures manually and on a group basis.
- Manual and group-based file and system scans must be possible.
- When a virus is detected, a message must be generated in all cases but a file action (e.g. delete, block, move) must not necessarily be executed.
- All messages must be logged on the virus scanner server.
- The virus scanner clients must be configured in such a way that no message is displayed on them that could hide the more important process information.
- For performance reasons the virus scanner clients should be configured in such a way that only the local drives of the virus scanner clients are scanned in order to prevent overlapping scans on network drives.
- For performance reasons the virus scan clients should be configured in such a way that only the incoming data traffic is checked, provided that all data available locally has already been checked once.

2.4 Basic virus scanner architecture

The basic virus scanner architecture shown in the following illustration is recommended for implementing the requirements stated in the "Using virus scanners" chapter. The virus scan server receives its virus signatures from the update server of the respective virus scanner manufacturer on the Internet or from an upstream virus scan server and manages its virus scan clients. Administrative access to the virus scanner server is possible via a Web console or similar device.

[Figure: basic virus scanner architecture. Labels: Internet, virus scan server, Web console, three virus scan clients]

Depending on the manufacturer it may also be possible to use multiple virus scan servers which can be arranged in parallel or in a hierarchy.

3 Configuration

3.1 Introduction

Additional functions beyond the traditional virus scanner are released for the first time with Symantec Endpoint Protection (SEP) 12.1. The following configurations relate to the centrally managed variant of SEP, which is configured using the SEP Manager. In addition, only an English installation is referred to. All the configurations described are deviations from the default configurations, which means any settings not described are not changed.

Please note
The following setting is absolutely necessary for the stable operation of PCS 7.

Clients -> My Company -> Policies -> External Communication Settings: Submission Settings
    Allow Insight lookups for threat detection

If this option is selected, the virus scanner tries to contact the Symantec Server directly via the Internet at every file scan. There is a significant delay if the virus scanner cannot reach the server. This makes the stable operation of PCS 7 impossible. All other check boxes under Submission Settings should also be cleared so that no internal information, even if it is anonymous, is sent to Symantec. The other options do not have a negative effect on PCS 7, however.

3.2 Overview of SEP modules and functions

SEP has the following modules that can be configured with policies (available in the SEP under Policies):

- Virus and Spyware Protection
- Firewall
- Intrusion Prevention
- Application and Device Control
- LiveUpdate
- Exceptions

Additional settings (available in the SEP Manager under Clients > Policies > Location-independent Policies and Settings):

- Custom Intrusion Prevention
- System Lockdown
- Network Application Monitoring

The following modules and settings are recommended and are tested for compatibility for use in a PCS 7 and WinCC environment:

- Virus and Spyware Protection
- Intrusion Prevention
- Device Control
- LiveUpdate
- Network Application Monitoring

The following modules and settings are not recommended and are not checked in the compatibility test:

- Firewall: Only the Windows Firewall is released for use with PCS 7 and WinCC as this is configured automatically depending on the product installed.
- Application Control: This involves computer-specific settings that cannot be checked.
- Exceptions: This involves system-specific settings that cannot be checked.
- Custom Intrusion Prevention: This involves system-specific settings that cannot be checked.
- System Lockdown: This involves computer-specific settings that cannot be checked.

For this reason, no policies should be assigned for these modules and the settings should not be switched "On". Any use of modules and settings which are not recommended is the user's own responsibility.

3.3 SEP modules and functions

3.3.1 General information

The options for the policies which have to be configured have no locks next to them. We recommend that you "close" all locks (by clicking on them). This guarantees that the configuration of the virus scan client cannot be changed locally.

For the same reason, we recommend the following under Clients -> Policies -> Location-specific Settings -> Client User Interface Control Settings: click Server Control and Customize, and clear all the check boxes except for "Display the client" and "Display the notification area icon".

3.3.2 Virus and Spyware Protection

The following configurations relate to a newly created Default Policy.

Windows Settings -> Scheduled Scans -> Scans -> Administrator-Defined Scans
    Daily Scheduled Scan: Delete

Technology -> Auto-Protect -> Actions -> Actions
    First action: Leave alone (log only)

Technology -> Auto-Protect -> Actions -> Remediation
    Terminate processes automatically

Technology -> Auto-Protect -> Actions -> Remediation
    Stop services automatically

Technology -> Auto-Protect -> Notifications -> Notifications
    Display the Auto-Protect result dialog on the infected computer

Technology -> Download Protection -> Download Insight
    Enable Download Insight to detect potential risk in downloaded files based on file reputation

Technology -> Download Protection -> Actions -> Malicious files
    First action: Leave alone (log only)

Technology -> Download Protection -> Actions -> Unproven files
    Specify action for unproven files: Leave alone (log only)

Technology -> Download Protection -> Notifications -> Notifications
    Display a notification message on the infected computer

Technology -> SONAR -> SONAR Settings
    Enable SONAR; Leave alone (log only)

Windows Settings -> Email Scans -> Internet Email Auto-Protect -> Scan Details
    Enable Internet Email Auto-Protect

Windows Settings -> Email Scans -> Microsoft Outlook Auto-Protect -> Scan Details
    Enable Microsoft Outlook Email Auto-Protect

Windows Settings -> Email Scans -> Lotus Notes Email Auto-Protect -> Scan Details
    Enable Lotus Notes Email Auto-Protect

Windows Settings -> Advanced Options -> Miscellaneous -> Notifications -> Notifications
    Display error messages with a URL to a solution

3.3.3 Intrusion Prevention

The following configurations relate to a newly created Default Policy. No changes required.

3.3.4 Application and Device Control

The following configurations relate to a newly created Default Policy. The recommendation is only to use Device Control, in order to prevent the use of USB devices for example. All check boxes should be cleared under "Application Control".

3.3.5 LiveUpdate

The following configurations relate to a newly created Default Policy. The settings for reaching the Symantec Update-Server on the internet or a higher-level update server must be adapted to the relevant network topology.

Windows Settings -> Schedule -> LiveUpdate Scheduling
    Enable LiveUpdate Scheduling

Windows Settings -> Advanced Settings -> User Settings
    Allow the user to manually launch LiveUpdate

Windows Settings -> Advanced Settings -> User Settings
    Allow the user to modify HTTP, HTTPS, or FTP proxy settings for LiveUpdate

3.3.6 Network Application Monitoring

This setting should only be used by administrators with sound network and security knowledge and in systems that have their own security administration.

The setting "Network Application Monitoring" is under "Clients -> My Company -> Policies -> Location-independent Policies and Settings -> Network Application Monitoring". The inheritance settings have to be changed here, depending on the company and network topology.

Network Application Monitoring
    Enable network application monitoring: Check

Network Application Monitoring
    When an application change is detected: Allow and Log
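The settings in section 3 can be checked for drift per client group. The following is an added example, not part of the Siemens manual or of SEP: the snapshot dictionary, its key names and the sample groups are hypothetical and constructed, and the check covers only the settings for which the text above states a value.

```python
# Added example: audit a client-group policy snapshot against the manual's settings.
# The snapshot layout and key names are hypothetical, not an SEP export format.

LOG_ONLY = "Leave alone (log only)"
INSIGHT = "Allow Insight lookups for threat detection"

# Modules and settings the manual does not recommend (section 3.2).
UNTESTED = ("Firewall", "Application Control", "Exceptions",
            "Custom Intrusion Prevention", "System Lockdown")

# Settings for which the manual states a value (sections 3.3.2 and 3.3.6).
REQUIRED = {
    "Auto-Protect/First action": LOG_ONLY,
    "Download Protection/Malicious files/First action": LOG_ONLY,
    "Download Protection/Unproven files/Action": LOG_ONLY,
    "Network Application Monitoring/On application change": "Allow and Log",
}


def audit_group(snap):
    """Return (severity, message) findings; an empty list means no drift."""
    findings = []
    submission = snap.get("submission_settings", {})
    # Fail closed: an absent Insight entry cannot be confirmed as cleared.
    if INSIGHT not in submission:
        findings.append(("CRITICAL", f"'{INSIGHT}': state unknown"))
    for name, checked in sorted(submission.items()):
        if checked and name == INSIGHT:
            findings.append(("CRITICAL", f"'{name}' is selected: every file "
                             "scan waits on an Internet lookup"))
        elif checked:
            findings.append(("WARNING", f"'{name}' sends data to the vendor"))
    for module in UNTESTED:
        if module in snap.get("enabled_modules", ()):
            findings.append(("WARNING", f"{module}: not in compatibility test"))
    settings = snap.get("settings", {})
    for key, want in REQUIRED.items():
        if settings.get(key) != want:
            findings.append(("WARNING", f"{key}: expected {want!r}, "
                             f"found {settings.get(key)!r}"))
    if "Daily Scheduled Scan" in snap.get("scheduled_scans", ()):
        findings.append(("WARNING", "Daily Scheduled Scan still defined"))
    for key in sorted(snap.get("open_locks", ())):
        findings.append(("INFO", f"{key}: lock open, changeable on the client"))
    return findings


# Constructed sample snapshots (group names and the second check box are placeholders).
COMPLIANT = {
    "group": "My Company/OS-Clients",
    "submission_settings": {INSIGHT: False, "other submission check box": False},
    "enabled_modules": ["Virus and Spyware Protection", "Intrusion Prevention",
                        "Device Control", "LiveUpdate"],
    "settings": dict(REQUIRED),
    "scheduled_scans": [],
    "open_locks": [],
}
DRIFTED = {
    "group": "My Company/ES-Clients",
    "submission_settings": {INSIGHT: True, "other submission check box": True},
    "enabled_modules": ["Virus and Spyware Protection", "Firewall"],
    "settings": {**REQUIRED, "Auto-Protect/First action": "Quarantine risk"},
    "scheduled_scans": ["Daily Scheduled Scan"],
    "open_locks": ["Auto-Protect/First action"],
}

if __name__ == "__main__":
    for snap in (COMPLIANT, DRIFTED):
        print(snap["group"])
        for severity, message in audit_group(snap) or [("OK", "no drift")]:
            print(f"  {severity:8} {message}")
```

The Insight lookup is the only item rated critical because it is the one setting the manual calls absolutely necessary for stable operation of PCS 7.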