Saturday 20 June 2020


Symantec Endpoint protection manager


This post collects a few important questions and answers about Symantec Endpoint Protection Manager (SEPM) that can be helpful for anyone who wants to work as an SEPM administrator.

  1. What is Symantec Endpoint Protection Manager?

Answer: Symantec Endpoint Protection (SEP), developed by Broadcom Inc., is a security software suite that combines anti-malware, intrusion prevention and firewall features for server and desktop computers. Symantec Endpoint Protection Manager (SEPM) is the management server and console from which those clients, their policies and their content updates are administered.

Symantec Endpoint Protection provides advanced threat protection for your endpoints (laptops, desktops and servers) against both known threats and threats that have not been seen before.
  2. What is LUA?

Answer: LiveUpdate Administrator (LUA) is an enterprise web application that lets you manage Symantec updates on an internal LiveUpdate (LU) server. It downloads definitions and other content from Symantec and distributes the updates to SEPM servers and client computers inside the network, so that individual machines do not need to reach Symantec's public LiveUpdate servers.

  3. What is GUP?
Answer: A Group Update Provider (GUP) is a SEP client that has been designated to distribute content updates to the other clients in its group. It is very useful at remote locations with limited bandwidth, because only the GUP downloads content from the SEPM and the other clients fetch it from the GUP over the local network.
  4. Difference between GUP and LUA
Answer:
GUP vs LUA
- Hardware and software: a GUP is an ordinary Windows workstation running the SEP client; LUA needs extra software and a dedicated host.
- Operating system: a GUP runs on Windows; LUA can run on other operating systems such as Linux.
- Scale: a single GUP supports up to about 10,000 clients; LUA supports an unlimited number of machines, limited only by bandwidth.
- Update flow: a GUP gives definition updates to the workstations and servers in its group where the client is installed, and if a workstation cannot take updates from the GUP for any reason it falls back to the SEPM; LUA gives definition updates to the SEPM, and workstations then take updates from the SEPM.

  5. How to make a machine a GUP
Answer:
Step 1. In the SEPM console, go to the policies of the group that contains the system you want to use as a GUP.
Step 2. Open the LiveUpdate Settings policy and choose Server Settings.
Step 3. Three options are displayed:
a) Internal and External LiveUpdate settings
b) Group Update Provider
c) Third Party Management

Step 4. Check Use a Group Update Provider. The Group Update Provider option is now enabled; click it.
Step 5. Two options are available under Group Update Provider:
a) Group Update Provider selection for clients
b) Group Update Provider settings

Step 6. Choose Single Group Update Provider or Multiple Group Update Providers as required, and enter the hostname or IP address of the system that will act as the GUP.
Step 7. Click OK.

  6. Ports used for GUP
Answer: By default a GUP listens on TCP port 2967, and the other clients in the group connect to that port to fetch content updates. If a client cannot reach the GUP on 2967 it falls back to downloading from the SEPM, so a blocked 2967 silently turns the whole site back into direct SEPM downloads and defeats the bandwidth saving.
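As an added example (not from the original post), here is a PowerShell check a SEPM administrator can run from a client at a remote site to confirm the GUP is reachable on TCP 2967 and that the fallback path to the SEPM is open. The hostnames are placeholders, and 8014 is the SEPM's default client-communication port, which the post does not mention; adjust both for your environment.

```powershell
# Added example: check from a SEP client whether the Group Update Provider
# is reachable on its default port (TCP 2967) and whether the fallback path
# to the SEPM is open. Hostnames and the SEPM port are assumptions.
$Gup      = 'gup01.corp.example'   # assumed hostname of the GUP
$Sepm     = 'sepm01.corp.example'  # assumed hostname of the SEPM
$SepmPort = 8014                   # SEPM default client-communication port (assumption; change if customised)

function Test-UpdateSource {
    param([string]$Name, [string]$Server, [int]$Port)
    # Test-NetConnection does a TCP connect; TcpTestSucceeded is the result we care about
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Source    = $Name
        Server    = $Server
        Port      = $Port
        Reachable = $r.TcpTestSucceeded
    }
}

$results = @(
    Test-UpdateSource -Name 'GUP'  -Server $Gup  -Port 2967
    Test-UpdateSource -Name 'SEPM' -Server $Sepm -Port $SepmPort
)
$results | Format-Table -AutoSize

# A failed GUP check is not fatal for the client, but it means every client at
# this site will pull content over the WAN from the SEPM instead.
if (-not ($results | Where-Object Source -eq 'GUP').Reachable) {
    Write-Warning "GUP unreachable on 2967: clients at this site will fall back to the SEPM."
}
if (-not ($results | Where-Object Source -eq 'SEPM').Reachable) {
    Write-Warning "SEPM unreachable on $SepmPort: clients here will get no content at all if the GUP also fails."
}
```

Run it from a client in the GUP's group rather than from the GUP itself, since the point is to test the path the other clients actually use.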
  7. What is Virus and Spyware Protection in SEPM?
Answer: Antivirus and Antispyware Protection has been renamed Virus and Spyware Protection. Virus and spyware scans identify and then neutralize or eliminate viruses and security risks on your computers.
Functions of Virus and Spyware Protection:
- The administrator can define scheduled scans (weekly or daily) or on-demand scans as required.
- We can decide whether users are allowed to stop a scan.
- We can define the startup scan (what files are scanned when the computer starts).

- Auto-Protect scans files in real time as they are opened or written.
- We can define what kinds of files are scanned, for example all files or only selected file types.
- Virus and Spyware Protection offers a "Download Protection" option in which we define a first action and a second action (what the antivirus does when a malicious file is downloaded), for example Clean as the first action and Delete as the second.

Early Launch Anti-Malware (we can enable or disable it)
Early launch anti-malware (ELAM) protects client computers from threats that load at startup. Symantec Endpoint Protection includes an early launch anti-malware driver that works with the Microsoft early launch anti-malware driver to provide the protection. The settings are supported on Microsoft Windows 8 and Windows Server 2012 and later.
The early launch anti-malware driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the Symantec Endpoint Protection driver detects a startup driver, it classifies the driver as good, bad or unknown. The Symantec Endpoint Protection driver then passes that classification to Windows, which decides whether to allow or block the driver.
The Symantec Endpoint Protection settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are drivers that are identified as malware but are required for the computer to start. By default, Windows allows unknown drivers to load. You might want to select the override option if a false positive detection blocks an important driver, because blocking a driver the system needs can prevent client computers from starting. Treat the override as a temporary measure and remove it once the false positive is resolved, since it also lets genuinely malicious boot drivers load.
The Windows early launch anti-malware driver must be enabled for the Symantec Endpoint Protection settings to take effect. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
SONAR
SONAR is the real-time protection that detects potentially malicious applications when they run on your computers. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware definitions have been created to address them.
In SONAR we can define the actions for high-risk and low-risk detections, and enable DNS change detection and hosts file change detection.
Internet Email Auto-Protect
We can define whether all files or only selected file types are scanned.
Global Scan Options let us enable Insight and Bloodhound.

Insight
Insight allows scans to skip digitally signed files and files known to be good. Some files contain typical vulnerabilities; after those files are scanned initially, subsequent scans can skip them, since vulnerability definitions rarely change. Insight also uses file reputation data to skip trusted files. You can configure the level of trust: if you select Symantec and Community Trusted, scans skip more files (less secure); if you select Symantec Trusted, scans skip fewer files (more secure).

Bloodhound
Bloodhound isolates and locates the logical regions of a file to detect a high percentage of unknown viruses. Bloodhound then analyzes the program logic for virus-like behavior.
Quarantine options let us define what action is taken on quarantined files and which folder is used for the quarantine.
Under Miscellaneous we can enable or disable Windows Security Center integration.

(Windows Security Center recognizes that Symantec Endpoint Protection Cloud (SEPC) is installed on the device but may report "Actions needed in Symantec Endpoint Protection Cloud" or "Actions needed for protection settings" even though SEPC shows as secure when you open it.)
We can define the log handling actions under Miscellaneous.
We can enable or disable Virtual Image Exception.

  8. What is Virtual Image Exception?
Answer: Administrators leverage base images to build virtual machines for their virtual desktop infrastructure (VDI) environment. The Symantec Virtual Image Exception tool lets your clients bypass the scanning of base image files for threats. Bypassing those files reduces the disk I/O load and improves the CPU performance of scanning in your VDI environment.
Before you enable this feature in Symantec Endpoint Protection Manager, first run the Virtual Image Exception tool against the base image files. The tool marks the base image files by adding an attribute; if a file is modified, the attribute is removed, so a tampered base image file is scanned again rather than skipped. The tool is located in the /Virtualization/VirtualImageException folder of the Symantec Endpoint Protection Tools download.
This feature is disabled by default. Enable it so that when a client starts to scan a file, it looks for this attribute. If the base image file is marked and remains unchanged, the client skips scanning the file.


  9. What is Application and Device Control?
Answer: An Application and Device Control policy is a powerful tool that lets you create custom enforcement policies for your environment. It is configured under Policies in the SEPM console.

Application Control restricts what an application is permitted to do and what system resources it can use. Application Control has many purposes, including preventing malware from hijacking applications, protecting confidential data from inadvertently being removed from your company, and restricting which applications can run.
To block a process: click Policies > Application and Device Control > Application Control > Add > enter a new rule set name > click Add > select "Process name to match" and write the process name that you want to block.
We can also specify the type of device we want to block, such as CD/DVD, RAM drive, network drive or removable drive.
Device Control: it blocks clients from accessing devices such as USB drives, Bluetooth devices, printers, and serial and parallel ports.
Click Policies > Application and Device Control > Device Control > click Add > enter the device ID and class name.

  10. What is Host Integrity in SEPM?
Answer: Host Integrity (HI) is a feature of Symantec Endpoint Protection (SEP) that can be used to ensure that client computers are protected and compliant with a company's security policies. Host Integrity policies can be used to define, enforce and remediate the security of clients as defined by the policy, for example by checking that antivirus definitions, patches or a firewall are present and running a remediation if they are not.
Click Policies > Host Integrity > Requirements > Add > select the requirement > OK.

  11. What is LiveUpdate?
Answer: Symantec makes the latest content updates available for your product through LiveUpdate. The SEPM (or a client configured to do so) connects to the LiveUpdate server to check for updates, downloads the available updates, and then installs the selected updates.
  12. Memory Exploit Mitigation
Answer: Memory Exploit Mitigation stops attacks on commonly used software that the vendor has not yet patched on Windows computers. It uses various mitigation techniques to detect an exploit attempt; each technique then either blocks the exploit or terminates the application that the exploit targets.
Policies > Memory Exploit Mitigation > Mitigation Techniques / Application Rules
Here you can see the list of protected applications (under Application Rules) and the list of files and processes covered by each mitigation technique (under Mitigation Techniques).
  13. Integrations
Answer: WSS Traffic Redirection
Web Security Service (WSS) Traffic Redirection lets you protect your endpoints from web-based threats by sending their web traffic through Symantec's cloud web proxy. Depending on the policy, a client's web request:
·   Redirects to the WSS server
·   Is blocked
·   Continues to its destination

  14. Exceptions
Answer: We can exclude a file or folder from scanning by adding it to the Exceptions policy. Keep the list as small as possible and review it regularly, because every excluded path is a place where malware can sit unscanned.
  15. What is Proactive Threat Protection?
Answer: It protects computers from unknown and zero-day attacks. It is visible in the client at the endpoint and is driven by SONAR.
  16. What is Virus and Spyware Protection?
Answer: It protects computers from known threats and works according to the Virus and Spyware Protection policy.
  17. What is Network and Host Exploit Mitigation?
Answer: It protects against web and network threats and zero-day exploits. It is linked to the firewall, intrusion prevention and Memory Exploit Mitigation, and works according to the policies defined for them.
  18. Policy components
Answer:
  19. What is Network Threat Protection?
Answer: Network Threat Protection blocks threats from accessing your computer by using firewall rules and intrusion prevention signatures.
Network Threat Protection works according to the firewall and IPS policies.
  20. What is the Tamper Protection setting?
Answer: Tamper Protection provides real-time protection for the Symantec applications that run on servers and clients. It protects Symantec processes and internal objects from attacks that non-Symantec processes such as worms, trojan horses, viruses and other security risks may make, for example killing the SEP service or deleting its files and registry keys.

Disable Tamper Protection on a single client
Use this method to disable Tamper Protection on a small number of clients. To disable it on many clients, change the Tamper Protection setting for the group in the SEPM console instead. Remember to re-enable it when the troubleshooting is done.
  1. In the SEP client interface, click Change Settings.
  2. Next to Client Management, click Configure Settings.
  3. Click the Tamper Protection tab.
  4. Perform one of the following actions:
    • Uncheck "Protect Symantec security software from being tampered with or shut down". This disables Tamper Protection.
    • Change the drop-down menu to Log only.

      Note: This setting leaves Tamper Protection enabled, but it will no longer block attempts to modify SEP files, folders, processes or registry values; it only logs them.

  5. Click OK. Tamper Protection is now disabled for this SEP client.

  21. Explain the SEPM installation process
Answer:
  22. Types of logs and reports
Answer: There are mainly 8 types of logs and reports available in SEPM:
  1. Audit
  2. Application and Device Control
  3. Compliance
  4. Computer Status
  5. Network and Host Exploit Mitigation
  6. Risk
  7. Scan
  8. System
Apart from these, if SONAR is in use, SONAR detections can be viewed from the logs as well.
To view the logs, click Monitors > Logs > select the log type.

23. What is the Sylink file?
Answer:
Sylink.xml is an XML file containing the client-to-SEPM communication settings. It holds:
- A list of SEPM servers to connect to.
- The public SEPM certificate for all servers.
- The KCS, or encryption key.
- The Domain ID that the client belongs to.
Because it contains the server certificate and the encryption key, treat it as sensitive and export it only to trusted locations.
The default locations of the Sylink.xml file for SEP clients are as follows:
  1. Windows Vista/7/8/10, 2008 and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config
  2. Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config

To export the Sylink file from the SEPM:
Click Clients > select the group > right-click > Export Communication Settings > browse to where you want to save the file > click Export.
  24. How to integrate Active Directory
Answer:
  1. Log in to the SEPM console.
  2. Click Admin > Servers.
  3. Right-click the server name and select Edit the server properties.
  4. Click the Directory Servers tab.
  5. Click Add.
  6. The Add Directory Server window pops up.
  7. In the General tab, type the domain name.
  8. For Server Type select Active Directory.
  9. In Server IP Address or Name, enter the IP address or hostname of a domain controller.
  10. Enter the username and password of a domain user or, preferably, a dedicated service account; read access to the directory is all that synchronization needs.
  11. Click OK.
  12. In the Server Properties window the directory server is listed after the credentials are successfully verified.
  13. Under Synchronized Directory Settings, check Synchronize with Directory Servers.
  14. Select a schedule as per your convenience.
  15. Click OK.

  25. What is Application Control and Device Control?
Answer: An Application and Device Control policy is a powerful tool that lets you create custom enforcement policies for your environment.

Application Control restricts what an application is permitted to do and which system resources it can use. Application Control has many purposes, including preventing malware from hijacking applications, protecting confidential data from inadvertently being removed from your company, and restricting which applications can run.
Device Control: by using Device Control, a client computer is blocked from accessing peripherals such as USB drives, Bluetooth devices, printers, and serial and parallel ports.
  26. What is Symantec Gateway Security?
Answer: Symantec Gateway Security 5400 Series is a next-generation firewall appliance that integrates full packet inspection firewall technology with intrusion prevention intelligence at the gateway between the Internet and the corporate network, or between network segments. It is a separate product from SEP/SEPM.
  27. Explain the services of SEPM
Answer:
  1. Symantec Endpoint Protection
Provides malware and threat protection on the computer where the SEP client is installed.
  2. System Events Broker
Coordinates execution of background work for WinRT applications. (This is a Windows service, not a Symantec one; if it is stopped or disabled, background work might not be triggered.)
  3. Symantec Critical System Protection Server
Application server that communicates with the SCSP console, agents and database.
  4. Symantec Endpoint Protection Launcher
Launcher service that can invoke special processes for SEPM.
  5. Symantec Endpoint Protection Local Proxy Service
Proxies web traffic for WSS Traffic Redirection to allow more granular web traffic management.
  6. Symantec Endpoint Protection Manager
Application server that communicates with the SEPM console, the SEP clients and the database.
  7. Symantec Endpoint Protection Manager API Service
Application service that provides the web services (REST API).
  8. Symantec Endpoint Protection Manager Webserver
Web server that communicates with the SEP clients and the database.
  9. Symantec Network Access Control
Checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow the computer onto the network.
  10. System Event Notification Service
Monitors system events and notifies subscribers of the COM+ Event System of these events. (Also a Windows service, not a Symantec one.)
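The following PowerShell script is an added example (not from the original post) that inventories the Symantec services on a SEPM host, reports any expected service that is missing, and starts any automatic service that is not running. The short service names in the $expected table are what I expect to find on a SEPM host and are an assumption; the display-name filter still picks the services up if the short names differ on your version.

```powershell
# Added example: health check of the services listed in question 27 on a SEPM host.
# Short service names are assumptions; the DisplayName filter is the safety net.
$expected = @{
    'semsrv'           = 'Symantec Endpoint Protection Manager'
    'semwebsrv'        = 'Symantec Endpoint Protection Manager Webserver'
    'semapisrv'        = 'Symantec Endpoint Protection Manager API Service'
    'semlaunchsrv'     = 'Symantec Endpoint Protection Launcher'
    'SepMasterService' = 'Symantec Endpoint Protection'   # the SEP client installed on the server itself
}

function Get-SepmServiceStatus {
    # Everything whose display name starts with "Symantec", plus the expected short names
    $svcs = Get-Service | Where-Object { $_.DisplayName -like 'Symantec*' -or $expected.ContainsKey($_.Name) }
    foreach ($s in $svcs) {
        # Get-Service does not expose the start mode, so read it from WMI
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($s.Name)'"
        [pscustomobject]@{
            Name        = $s.Name
            DisplayName = $s.DisplayName
            Status      = $s.Status
            StartMode   = $wmi.StartMode
            Expected    = $expected.ContainsKey($s.Name)
        }
    }
}

$status = @(Get-SepmServiceStatus)
$status | Format-Table -AutoSize

# Expected services that are not installed at all (e.g. the API service on an older SEPM)
$missing = @($expected.Keys | Where-Object { $status.Name -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Expected service(s) not installed: $($missing -join ', ')"
}

# Start anything that should be running (start mode Auto) but is not
$status | Where-Object { $_.StartMode -eq 'Auto' -and $_.Status -ne 'Running' } | ForEach-Object {
    Write-Warning "$($_.DisplayName) ($($_.Name)) is $($_.Status); starting it."
    Start-Service -Name $_.Name
}
```

Run it from an elevated prompt; a stopped Symantec Endpoint Protection Manager or Webserver service is the usual reason clients show as offline in the console even though the host is up.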

  28. What is SEPCC (SEP Cloud console)?
Answer: Symantec Endpoint Protection Cloud (SEP Cloud) is an easy-to-use security-as-a-service that protects and manages PCs, Macs, mobile devices and servers from a single cloud console, which makes it suitable for organizations with limited IT security resources. SEP Cloud stops ransomware, zero-day threats and other sophisticated attacks using multi-layered technologies including advanced machine learning and behavior analysis. Unlike SEPM, it does not require an on-premises management server.
  29. How to update definitions on the SEPM and on workstations
Answer: To update definitions on the SEPM, run LiveUpdate on the server (the "luall.exe" command), which updates the definitions held by the SEPM; clients then receive them at their next heartbeat.
It may be that a client is not communicating with the server and its definitions are therefore not being updated. To resolve this, export the Sylink.xml from the SEPM and paste it into the client's config folder "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config".
Before copying the file, stop the SEP client service (smc -stop); after copying, start it again (smc -start). Communication with the SEPM is then re-established; confirm it with the green dot on the client icon or on the Clients page in the console.
If the client still cannot reach the SEPM, download the Intelligent Updater package for the required definitions and run it on the client by double-clicking; it updates the definitions directly.
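The Sylink replacement procedure from questions 23 and 29, as an added PowerShell example that is not part of the original post. It assumes the exported file has been saved to C:\Temp\Sylink.xml and that the client was installed under the default Program Files (x86) path; it locates smc.exe rather than hard-coding its version-specific folder, sanity-checks the new file as XML before touching the client, and backs up the old file so the change can be reverted.

```powershell
# Added example: replace Sylink.xml on a SEP client to re-establish communication
# with the SEPM. Run from an elevated PowerShell prompt on the client.
$NewSylink = 'C:\Temp\Sylink.xml'   # assumed location of the file exported from Clients > group > Export Communication Settings
$ConfigDir = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config'
$InstallRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection'   # assumed default install path

if (-not (Test-Path $NewSylink)) { throw "New Sylink.xml not found at $NewSylink" }

# smc.exe lives in a version-numbered subfolder on newer releases, so search for it
$Smc = Get-ChildItem -Path $InstallRoot -Filter smc.exe -Recurse -ErrorAction SilentlyContinue |
       Select-Object -First 1 -ExpandProperty FullName
if (-not $Smc) { throw "smc.exe not found under $InstallRoot" }

# Sanity check: the export must be well-formed XML and should name at least one server
[xml]$doc = Get-Content -Path $NewSylink -Raw
$servers  = $doc.SelectNodes('//*[@Address]')   # assumption: server entries carry an Address attribute
if ($servers.Count -eq 0) {
    Write-Warning 'No elements with an Address attribute found; double-check the export before continuing.'
} else {
    $servers | ForEach-Object { "Management server listed: $($_.Address)" }
}

# Back up the current file with a timestamp so the change can be reverted
$target = Join-Path -Path $ConfigDir -ChildPath 'Sylink.xml'
if (Test-Path $target) {
    $backup = "$target.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $target -Destination $backup -Force
    "Backed up existing Sylink.xml to $backup"
}

# Stop the client (smc -stop prompts for the password if one is set), copy the file, start the client again
& $Smc -stop
Start-Sleep -Seconds 10
Copy-Item -Path $NewSylink -Destination $target -Force
& $Smc -start
Start-Sleep -Seconds 10

# Confirm the client service is back; connection state is then visible in the client UI and on the SEPM Clients page
Get-Service -Name SepMasterService | Select-Object Name, Status
```

If the client was exported from a different SEPM site or domain, the Domain ID and certificate inside the new file will not match the old ones; that is expected, and it is exactly why the backup is worth keeping until the client shows as connected in the console.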
  30. How to make a client package and apply it to a group
Answer:
Click Admin > Install Packages > Add a Client Install Package > enter a name > browse to and select the package > OK.

Apply the package to a group:
Click Clients > select the group > Install Packages tab > right-click > Add > select the package from the drop-down list > select the download source.
  31. What is the Symantec heartbeat?
Answer: The heartbeat is the interval at which clients check in with the management server to upload logs and download new policies and content; by default, clients connect to the management server every 5 minutes.
  32. How to apply an Application and Device Control policy to a group, and how to block a device with Device Control
Answer: We can block a device by its class ID (the class ID refers to the Windows device class GUID) or by its specific device ID.
Click Policies > Application and Device Control > right-click > Add.
For Windows clients select Windows Settings > Device Control; here you can add the devices to block, and then assign the policy to the group.
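As an added example (not from the original post), the PowerShell below lists the Windows class GUIDs and device IDs of the devices attached to a client, so you have the exact values to enter in the Device Control policy. It uses only the standard Win32_PnPEntity WMI class; nothing in it is Symantec-specific.

```powershell
# Added example: collect the Class ID (ClassGuid) and Device ID values that
# SEPM's Device Control asks for, from the devices present on this machine.
function Get-DeviceControlIds {
    param([string]$NameFilter = '*')
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.Name -like $NameFilter } |
        Select-Object Name, PNPClass, ClassGuid, DeviceID |
        Sort-Object PNPClass, Name
}

# USB-attached devices: DeviceID goes in the policy's "Device ID" field,
# ClassGuid in its "Class ID" field.
Get-DeviceControlIds |
    Where-Object { $_.DeviceID -like 'USB\*' -or $_.DeviceID -like 'USBSTOR\*' } |
    Format-Table -AutoSize

# Distinct class GUIDs present, for blocking a whole class (e.g. every disk drive) rather than one device
Get-DeviceControlIds |
    Group-Object -Property PNPClass, ClassGuid |
    Select-Object Count, Name |
    Sort-Object Name
```

SEPM accepts wildcards in device IDs, so a single entry such as USBSTOR\* blocks every USB storage device regardless of vendor, while a full DeviceID from the listing above (including its serial-number suffix) pins the rule to one physical device, which is what you want for an allow-list exception.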
  33. Which component of SEPM provides protection from buffer overflows?
Answer: Buffer overflow protection is provided by the Network Intrusion Prevention System (IPS) signatures, and Memory Exploit Mitigation (question 12) additionally blocks exploit attempts against unpatched applications in memory.



Comments:

  1. Thank you Haseeb.