Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out




Contents

Introduction
Automated Threat Protection against Conficker
How the Conficker Worm Works
How to Use CounterACT to Protect vs. the Conficker Worm
  1. Use CounterACT's Ready-to-deploy Policy Templates to Speed Endpoint Protection
  2. Track Corporate Compliance via Comprehensive Reports
  3. Apply Extra Threat Protection
  4. Ensure that the Microsoft Update Service is Running
1: Deploy Endpoint Protection Policies
2: Track Corporate Compliance to Policies via Comprehensive Reports
3: Apply Extra Threat Protection
4: Schedule/Enforce the Microsoft Update Service
About ForeScout

Introduction

When the recent Conficker outbreak wreaked havoc upon Windows-based LANs in enterprises worldwide, CounterACT™ customers called in to say: "Our network is perfectly safe. CounterACT's automatic zero-day threat prevention provided us with the 24/7/365 protection we have come to expect and rely on!"

Conficker (aka Downup, Downadup and Kido) is an aggressive worm that targets Windows-based systems. It's been estimated that the bug infected over 10 million PCs in just a few short weeks (over a million in a single 24-hour period), making it one of the most prolific, dangerous and widespread infections in recent times. Anyone using a Windows-based system was cautioned to verify that their system was free of the Conficker worm and was running the latest, patched version of Microsoft Windows. CounterACT users, of course, had the peace of mind that their systems were automatically protected; here's why.

Automated Threat Protection against Conficker

CounterACT offers a powerful, automated 24/7/365 network solution for preventing the infection and spread of the Conficker worm. It both shields uninfected systems and remediates infected hosts, offering network users these security benefits:

Prevention & Protection: CounterACT ensures that the MS-Update service is always running on every Windows device. It also blocks Conficker infection using strong, built-in threat prevention technology.

Enforcement & Remediation: CounterACT ensures other IT protection tools (anti-virus, anti-spyware, etc.) are working and always on, and automatically remediates infected hosts.

Monitoring & Reporting: CounterACT continuously monitors endpoint security posture and maintains a clean, secure network. It also records all remediation/enforcement actions taken against Conficker on malicious and/or infected hosts.
How the Conficker Worm Works

The worm exploits a bug in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008. It self-replicates as the downloadable library file %System%\[RANDOM FILE NAME].dll, deletes any user-created System Restore points and creates the service, netsvcs. The worm then creates a registry entry and connects to three URLs to obtain the IP address of the compromised computer: http://www.getmyip.org, http://getmyip.co.uk, http://checkip.dyndns.org. It then downloads and executes a file, creates an http server on the compromised computer on a random port, sends this URL as part of its payload to remote computers, then connects back to this URL to download the worm. In this way, each exploited computer begins to spread the worm without needing to re-download it from a web location.

The worm then connects to a UPnP router, opens the http port, then attempts to locate the network device registered as the Internet gateway and opens the previously mentioned random port to allow access to the compromised computer from external networks. The worm then attempts to download a data file. It spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). Finally, the worm attempts to contact the following sites to obtain the current date: http://www.w3.org, http://www.ask.com, http://www.msn.com, http://www.yahoo.com, http://www.google.com, http://www.baidu.com. It uses the date information to generate a list of domain names. The worm then contacts these domains in an attempt to download additional files onto the compromised computer.

How to Use CounterACT to Protect vs. the Conficker Worm

Take the following steps to protect your corporate network against the Conficker worm.

1. Use CounterACT's Ready-to-deploy Policy Templates to Speed Endpoint Protection
   The Windows Update Compliance Policy ensures endpoints are patched with MS08-067.
   The Microsoft Update Policy ensures the Microsoft Update service is running on all endpoints.
   The Anti-Virus Compliance Policy ensures that an anti-virus application is installed, running and up-to-date on all endpoints.
   The USB Device Compliance Policy detects/blocks all connected USB devices or all devices that are not allowed.
2. Track Corporate Compliance via Comprehensive Reports
3. Apply Extra Threat Protection
   CounterACT's IPS/Threat Protection Policy prevents worms from re-entering/spreading inside the network.
4. Ensure that the Microsoft Update Service is Running
   CounterACT also helps automate (enforce) the Microsoft Update service.

1. Deploy Endpoint Protection Policies

CounterACT is delivered with ready-to-deploy NAC Compliance templates that can be used to create and deploy policies in five easy steps:
1. Open the CounterACT Console and select the Compliance icon from the Console Toolbar.
2. The NAC Policy Wizard > Compliance folder opens.
3. Select the following policy templates and configure them by following the on-screen instructions: Windows Update Compliance, Anti-Virus Compliance, USB Device Compliance, Malicious Hosts.
4. The policies you create appear in the NAC Policy Manager.
5. Select the Apply button.

Figure 1: Deploy Endpoint Protection Policies.

2. Track Corporate Compliance to Policies via Comprehensive Reports

CounterACT offers easy-to-build reports that help you track corporate compliance to policies. The reports can be tailored to include the exact level of information you require, and can be generated in five easy steps:
1. Select the Reports icon from the Console toolbar.
2. Select the NAC Policies Compliance Details link.
3. Define the report settings in the page that opens.
4. In the 2. Scope > Select Policy section, choose one of the policies you created.
5. Scroll down and generate the report.

Figure 2: Generate the Compliance Report.

3. Apply Extra Threat Protection

For additional protection, you can deploy CounterACT's IPS/Threat Protection Policy as follows:
1. Select the Threats icon from the Console toolbar (for version 6.3.2 and above; for versions 6.3.1 and below, select the IPS Manager icon).
2. The Threat Protection Policy pane opens.
3. Select Port Block from the Action on Bite dropdown menu in the Network Worm Policy section.
4. Select Host Block from the Action on Email Worm dropdown menu in the Email Worm Policy section.
5. Select Customize. The Customize, Scan tab opens.
6. Select the Login type and verify that it is enabled.
7. Select the Details button and verify that the Password Scan and User Scan are enabled.
8. Select OK and Close.

Figure 3: Deploy a Threat Protection Policy.

4. Schedule/Enforce the Microsoft Update Service

To ensure the Microsoft Update service is running regularly:
1. Select the Compliance icon from the Console Toolbar.
2. The NAC Policy Wizard opens. Navigate to the Custom folder.
3. Select Next. The Name pane opens.
4. Add a policy name and description and select Next. The IP Address Range dialog box opens.
5. Define the range of IP addresses to be inspected for this policy. Select OK and then select Next. The Main Rule dialog box opens.
6. Select the Add button from the Condition section. The Condition dialog box opens.
7. Navigate to the Windows OS folder and then select Service Running.
8. Select the "Does not meet the following criteria:" radio button.
9. Select the Matches option from the drop-down box and type Automatic Updates in the field that follows.
10. Select OK. The Main Rule dialog box reopens.
11. Select Add from the Actions section.
12. Navigate to the Remediate folder and then select the Run Script on Windows action.
13. Enter the following command in the Command or Script field: net start wuauserv.
14. Select OK. The Main Rule dialog box reopens.
15. Select Finish. The policy appears in the NAC Policy Manager.
16. Select Apply.

Figure 4: Ensure Microsoft Update Service is Running.

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

ForeScout Technologies, Inc.
900 E. Hamilton Ave., Suite 300
Campbell, CA 95008 U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 1-408-371-2284
www.forescout.com

2014 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0055
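The two endpoint conditions the note has CounterACT enforce, the MS08-067 patch check from step 1 (Windows Update Compliance) and the Automatic Updates service check with its "net start wuauserv" remediation from step 4, can be reproduced locally on a single Windows host. The script below is an added example and is not ForeScout's code; it assumes an elevated PowerShell session on the endpoint and that MS08-067 is identified by hotfix KB958644 (a KB number not given on this page).

```powershell
# Added example (not from the ForeScout note): a local stand-in for the
# Conficker-related compliance checks described above.
#   Step 1 - Windows Update Compliance: is the MS08-067 patch installed?
#            (MS08-067 corresponds to hotfix KB958644; assumption, not on page)
#   Step 4 - Service Running "Automatic Updates" (service name wuauserv);
#            if stopped, remediate exactly as the policy does: net start wuauserv
# Run in an elevated PowerShell session on the endpoint being checked.

function Test-MS08067Installed {
    # Get-HotFix lists installed updates; no KB958644 means the Server
    # service RPC vulnerability (BID 31874) is still exposed on this host.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Test-AutomaticUpdatesRunning {
    param([switch]$Remediate)
    # 'wuauserv' is the service shown as "Automatic Updates" in the
    # policy's Service Running condition.
    $svc = Get-Service -Name 'wuauserv' -ErrorAction Stop
    if ($svc.Status -eq 'Running') { return 'Running' }
    if (-not $Remediate) { return 'Stopped' }
    # Same effect as the policy's Run Script on Windows action
    Start-Service -Name 'wuauserv'
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    return 'Remediated'
}

# Report in the same terms a CounterACT compliance report would use
$report = [pscustomobject]@{
    Host          = $env:COMPUTERNAME
    MS08067       = if (Test-MS08067Installed) { 'Compliant' } else { 'NonCompliant' }
    UpdateService = Test-AutomaticUpdatesRunning -Remediate
}
$report | Format-List
```

On current Windows releases wuauserv is trigger-started and may legitimately be stopped between update cycles, so treat the service result as a point-in-time check rather than a failure by itself.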