Symantec Endpoint Protection (SEP) 11.0 Configuring the SEP Client for Self-Protection
Symantec Technology Network: Security

Contents

Purpose of this Whitepaper
Overview
The SEP Client Interface
    Changing Policy Configuration Settings
    Accessing the SEP Client Interface
Disabling/Uninstalling the SEP Client from outside the Client Interface
    Stopping SEP Services
    Uninstalling the Client
Additional Technologies for Protecting the SEP client
    Tamper Protection: Protecting SEP Processes
    Application Control: Protect Client files and registry keys
Appendix A: One Page Overview

Purpose of this Whitepaper

This whitepaper provides guidance on the different ways to control access to specific parts of the Symantec Endpoint Protection (SEP) client. Many organizations do not allow administrative users to make changes to installed security software. Because the SEP client combines several security technologies in a single client, there are several ways to ensure that administrative users cannot make changes to the client software. This paper provides guidance for administrators who want to ensure that SEP client installations are protected from intended and/or unintended changes.

Overview

There are different ways that a SEP client can be protected from intentional or unintentional changes. This whitepaper describes three main approaches to protecting the SEP client and details the limitations of each. Its aim is to provide guidance on protecting the SEP client from tampering by users who hold administrative privileges on a system. Throughout this paper, the assumption is that administrative users should be prevented from making changes to the SEP client. By default, a restricted user cannot make changes to the SEP client; the cases where a restricted user can make changes are noted in the document.

Accessing the SEP client interface and changing policy configurations

Administrators can control which parts of the SEP client interface are accessible, or hide it completely. In addition, administrators can control whether or not administrative users can make changes to their policy configuration. When protecting a standard configuration from being changed, consider the following policies:

- Antivirus and Antispyware policy
- Firewall policy
- Intrusion Prevention policy
- Application and Device Control policy
- LiveUpdate policy
- Centralized Exceptions

Stopping SEP client services or uninstalling the SEP Client

Once the SEP client is installed, there are various ways to prevent administrative users from uninstalling the client or stopping SEP client services. The following services are listed in the Microsoft Windows Services Manager:

- Symantec Endpoint Protection
- Symantec Management Client
- Symantec Event Manager
- Symantec Settings Manager

Additional technologies for protecting the integrity of the SEP client

In addition to configuring policies and settings to prevent altering the SEP client, there are additional mechanisms that further protect the client from tampering:

- Application Control
- Tamper Protection

The SEP Client Interface

This section provides an overview of the settings an administrator can use to decide what a user is allowed to change. It is broken down into two main categories: changing policies, and accessing the user interface.

Changing Policy Configuration Settings

See each individual policy listed here for information on default settings and what needs to be done to lock down settings so they cannot be changed by administrative users.

Antivirus and Antispyware policies

By default, administrative users can change Antivirus policy settings, including disabling Auto-Protect real-time scanning. To prevent administrative users from changing Antivirus and Antispyware settings, each individual setting in the Antivirus and Antispyware policy must be locked. This is done by clicking the lock icon next to a given setting, as shown in the screenshots below.

[Screenshot: Enable File System Auto-Protect, unlocked (default setting)]

[Screenshot: Enable File System Auto-Protect, locked after clicking the lock icon]

A client with a locked Antivirus and Antispyware policy setting still displays the setting in the client user interface, but it is grayed out and the user cannot change it. To lock all settings, each lock icon must be closed as shown in the screenshots above. The above example shows how to prevent administrative users from disabling Antivirus and Antispyware File System Auto-Protect.

Truscan Proactive Threat Protection

Truscan Proactive Threat Protection can be locked within the Antivirus and Antispyware policies. Truscan is the behavioral scanning component in Symantec Endpoint Protection. To prevent administrative users from disabling Truscan Proactive Threat Protection, edit the Antivirus and Antispyware policy and configure it as shown in the screenshot below.

[Screenshot: Truscan Proactive Threat Protection settings, locked]

Firewall Policies

By default, Firewall policy rules and configurations cannot be changed in the client interface. However, by default administrative users can disable Network Threat Protection (by right-clicking the tray icon and selecting Disable Symantec Endpoint Protection). To prevent administrative users from disabling Network Threat Protection, do the following steps in the Symantec Endpoint Protection Manager (SEPM):

1. Go to the Clients page and select the Policies tab.
2. Expand Location-specific Settings and click Client User Interface Control Settings.
3. Ensure the Server Control radio button is selected and click Customize.
4. Uncheck the box next to "Allow administrative users to enable or disable Network Threat Protection", as shown below.

[Screenshot: Client User Interface Settings dialog]

Note: For this setting to take effect, administrative users must also be blocked from disabling Antivirus and Antispyware Auto-Protect scanning and Truscan Proactive Threat scanning, using the configurations shown above.

Intrusion Prevention Policies

Intrusion Prevention policies cannot be changed in the client interface by default. Taking the steps above to prevent administrative users from disabling Network Threat Protection also prevents them from disabling Intrusion Prevention scanning.

Application and Device Control Policies

Application and Device Control policies cannot be changed or disabled in the client interface by default.

LiveUpdate Policies

By default, LiveUpdate policies cannot be changed in the client interface. Administrative users are also not allowed to run LiveUpdate manually from the user interface. If administrative users should be allowed to run LiveUpdate manually or change the LiveUpdate schedule, this is configured in the LiveUpdate Settings policy under the Advanced dialog.

Centralized Exceptions Policies

By default, administrative users are able to add exceptions that exclude files, folders, or threats from being scanned. To prevent administrative users from adding exceptions, you must create a Centralized Exceptions policy and explicitly disallow administrative users from adding their own exceptions, as shown below.

[Screenshot: Centralized Exceptions policy, client restrictions]

Accessing the SEP Client Interface

Administrators can control to what extent a user has access to the SEP client interface. It is possible to give administrative users granular control using Mixed Control mode; however, this paper only discusses the option to hide the UI and/or the system tray icon completely. By default, a restricted user can open the SEP client interface. To reach the settings that configure access to the SEP client interface, do the following steps:

1. Go to the Clients page and select the Policies tab.
2. Expand Location-specific Settings and click Client User Interface Control Settings.
3. Ensure the Server Control radio button is selected and click Customize.

This shows the dialog below, with options to hide the tray icon and/or hide the client interface completely. Each option is described below.

[Screenshot: Client User Interface Settings dialog]

Display the Client: By default, the SEP client interface is shown when launched from the tray icon or from the Start > Programs group. To hide the client, uncheck the box next to "Display the Client". If the user then tries to launch the SEP client from Start > Programs > Symantec Endpoint Protection, they get the following dialog:

[Screenshot: dialog shown when the client interface is hidden]

Display the notification area icon: By default, the system tray icon is shown. Double-clicking the icon launches the SEP user interface. To hide the icon, uncheck the box next to "Display the notification area icon". The SEP tray icon will then no longer be displayed.

Disabling/Uninstalling the SEP Client from outside the Client Interface

Aside from disabling the client through configurations in the interface, many organizations wish to prevent SEP from being disabled by other means (Task Manager, Services Manager, etc.) or even uninstalled completely.

Stopping SEP Services

SEP client services can be seen in the Windows Service Control Manager. At this time, the only service that can be prevented from being stopped manually is the Symantec Management Client. Although the other services can be stopped, this does not disable antivirus protection, because Auto-Protect remains active.

It is important to note that restricted users cannot stop Windows services. It is best practice to give employees restricted user access unless administrative privileges are necessary. Administrative users can disable services within the Windows Service Control Manager because an administrative user has full control of the operating system.

Here is an overview of the SEP client services, with descriptions of why stopping some of them does not affect antivirus protection:

Symantec Endpoint Protection (rtvscan.exe): User-mode antivirus functions (notifications, logging). There is no way to prevent administrative users from stopping this service. However, stopping this service does not disable Auto-Protect.

Symantec Management Client (smc.exe): Network Threat Protection and client/server communication functions. By default, it is not possible to stop this service in the Services Manager. If a user disables the service in the Service Control Manager, the service is automatically reset to Automatic on shutdown. By default, administrative users can stop smc.exe from the command line. To require a password before administrative users can stop smc.exe from the command line, do the following steps:

1. Go to the Clients page and select the Policies tab.
2. Click General Settings and select the Security Settings tab.
3. Check the box next to "Require a password to stop the client service", as shown in the screenshot below.

[Screenshot: General Settings, Security Settings tab]

Symantec Event Manager (ccsvchst.exe): Common client component for the Event Manager. There is no way to prevent administrative users from stopping this service. However, stopping this service does not affect Auto-Protect.

Symantec Settings Manager (ccsvchst.exe): Common client component for the Settings Manager. There is no way to prevent administrative users from stopping this service. However, stopping this service does not affect Auto-Protect.

Additional protection against SEP client services being disabled by malicious programs is available through Tamper Protection, described below.

Uninstalling the Client

To prevent an administrative user from uninstalling the SEP client, it is possible to require a password when uninstalling the client. To require a password, do the following steps:

1. Go to the Clients page and select the Policies tab.
2. Click General Settings and select the Security Settings tab.
3. Check the box next to "Require a password to uninstall the client", as shown in the screenshot below.

[Screenshot: General Settings, Security Settings tab]


Additional Technologies for Protecting the SEP client

In addition to the steps listed above, there are technologies that provide further ways of protecting the SEP client. Note that neither of these features currently supports 64-bit operating systems.

Tamper Protection: Protecting SEP Processes

Tamper Protection is a process that monitors SEP processes and prevents them from being forcibly shut down from an external source, such as malicious code. By default this feature is enabled but set to log only; it does not block processes. To activate Tamper Protection so that it blocks attempts to terminate SEP client services, do the following steps:

1. Go to the Clients page and select the Policies tab.
2. Click General Settings.
3. On the Tamper Protection tab, select "Block it and log the event" from the drop-down box.
4. Click the lock icon to prevent administrative users from disabling Tamper Protection, as shown in the screenshot below.

[Screenshot: General Settings, Tamper Protection tab]

Note: Before configuring Tamper Protection to block applications, monitor the Tamper Protection logs to ensure that legitimate programs, such as software distribution tools, do not stop SEP services for legitimate purposes. It is possible to exclude specific processes from triggering Tamper Protection.
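The two sections above describe which SEP client services an administrative user can stop and recommend reviewing logs before switching Tamper Protection to block mode. The following PowerShell script is an added example, not part of the Symantec whitepaper: it audits the four SEP 11.0 client services named in the paper (present, running, start mode Automatic) and lists recent Service Control Manager events recording a Symantec service entering the stopped state, which gives a baseline of who or what is stopping services before blocking is turned on. It assumes the SEP client is installed locally, that the service display names match those listed in the paper, and that the script runs with rights to read the System event log; the function names and the 7-day window are the example's own choices.

```powershell
# Added example (not from the Symantec whitepaper): audit the SEP 11.0 client
# services and collect recent service-stop events for them.
# Assumes: SEP client installed locally; display names as listed in the paper;
# rights to read the System event log. Written for PowerShell 2.0-era hosts.

# Service display names exactly as the paper lists them in the Services Manager.
$SepServiceDisplayNames = @(
    'Symantec Endpoint Protection',   # rtvscan.exe  - user-mode AV functions
    'Symantec Management Client',     # smc.exe      - NTP and client/server comms
    'Symantec Event Manager',         # ccsvchst.exe - common client component
    'Symantec Settings Manager'       # ccsvchst.exe - common client component
)

function Get-SepServiceState {
    # Returns one object per expected service: whether it exists, its status,
    # and its start mode. "Healthy" means Running with start mode Auto (the
    # paper notes the smc service is reset to Automatic on shutdown; anything
    # else is worth a closer look).
    foreach ($name in $SepServiceDisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            New-Object -TypeName PSObject -Property @{
                DisplayName = $name; Installed = $false; Status = 'Missing'
                StartMode   = $null; Healthy = $false
            }
            continue
        }
        # Win32_Service exposes StartMode (Auto, Manual, Disabled, ...), which
        # Get-Service on older hosts does not.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        New-Object -TypeName PSObject -Property @{
            DisplayName = $name
            Installed   = $true
            Status      = $svc.Status
            StartMode   = $wmi.StartMode
            Healthy     = ($svc.Status -eq 'Running') -and ($wmi.StartMode -eq 'Auto')
        }
    }
}

function Get-SepServiceStopEvents {
    param([int]$Days = 7)
    # The Service Control Manager logs event ID 7036 in the System log whenever
    # a service changes state ("The <name> service entered the stopped state.").
    # Keeping only Symantec services entering the stopped state surfaces manual
    # stops (Services Manager, command line) as well as forced terminations.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Symantec' -and $_.Message -match 'stopped state' } |
        Select-Object TimeCreated, Message
}

# Usage: service health first, then the stop history for the review window.
Get-SepServiceState | Format-Table DisplayName, Installed, Status, StartMode, Healthy -AutoSize
Get-SepServiceStopEvents -Days 7 | Format-Table TimeCreated, Message -AutoSize -Wrap
```

Run the script on a representative set of clients while Tamper Protection is still in log-only mode; a recurring stop event that lines up with a software distribution job is exactly the kind of legitimate activity the paper says to exclude before switching to "Block it and log the event".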

Application Control: Protect Client files and registry keys

Symantec provides a pre-configured rule in Application Control policies that protects the client files and registry keys. When this rule is enabled, administrative users cannot manually delete SEP client files and/or registry keys. Enable this rule by creating an Application and Device Control policy and enabling it as shown below.

[Screenshot: Application and Device Control policy, "Protect client files and registry keys" rule enabled]

Note: This Application Control rule is active only on the local system. It does not prevent files from being deleted remotely.

Appendix A: One Page Overview

This checklist summarizes the components that organizations may wish to secure when hardening a client. Some options, such as hiding the client user interface completely, may not be a desired setting but are included here to provide an overview of the available options.

Preventing administrative users from changing policies

Policy                          | Manual steps required to lock policy?
Antivirus and Antispyware       | Yes
Firewall                        | No
IPS                             | No
Application and Device Control  | No
LiveUpdate Policy               | No
Centralized Exceptions          | Yes

Disabling/uninstalling the SEP Client from outside the Client Interface

Hardening step                                                                                   | Manual steps required?
Require password to open user interface                                                          | Yes
Require password when uninstalling SEP client                                                    | Yes
Require password when stopping SEP service by command line (smc.exe stop)                        | Yes
Require password to import or export a policy                                                    | Yes
Hide system tray icon                                                                            | Yes
Prevent administrative users from disabling SEP Network Threat Protection in client UI           | Yes
Prevent administrative users from stopping SEP client service in Service Control Manager         | No
Prevent administrative users from stopping other SEP services in Service Control Manager         | Not possible at this time. Stopping other services does not disable Auto-Protect antivirus protection.

Additional technologies to prevent tampering with the SEP Client

Hardening step                                                              | Manual steps required?
Tamper Protection                                                           | Yes
Application Control default rule to protect client files and registry keys  | Yes

About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 800 745 6054.

Symantec Corporation World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
408 517 8000
800 721 3934
www.symantec.com

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the Symantec technical documentation or the information contained herein is at the risk of the user. Copyright 2007 Symantec Corporation. All rights reserved. 09/04 10318317