Symantec Endpoint Protection

For those running SEP 12.1 clients (current version 12.1.2015.2015), note that a maintenance patch has been released (RU2 MP1) updating the program to 12.1.2100.2093.

The client only patch can be downloaded here:

http://www.symantec.com/business/support/index?page=content&id=TECH204859

The zip file contains patches for both 32 and 64bit systems.

 

We've had some complaints from users of SEP 12.1 that are running as unmanaged clients that Windows Start had become bogged down due to a Startup scan. If one wants to disable this scan, note that it cannot be done within the SEP interface. Not that anyone here asked, but to kill it,

1). Open SEP
2). Click Change Settings
3). Click Configure Settings under Client Management
4). Click Tamper Protection Tab
5). Untick the Protect Symantec etc box
6). Open Regedit
7). Go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\General
Change the StartupScansEnabled DWORD value to 0.
. Go back and Tick the Protect box in Tamper Protection.

 

Thanks Cruel Sis.

 

How good is web realtime protection for unmanaged client in SEP 12.1? I used SEP 11 for a few years and its realtime protection web protection sucked.

 

Itman- I totally agree with you about SEP11, and for that matter earlier versions of SEP12. Lately my opinion is changing.

Yesterday due to a client's request I did a quick-and-dirty test of SEP12, The test was run on a clone of one of the client's production machines (sadly running XP). I managed to dig up enough discrete samples of malware from our pots to establish 2 datasets- Dataset 1 contained 30 malicious URL's (via the pots) as well as 15 Email malware links (obtained via SHEILA). Dataset 2 contained 45 malware exe's for an on-demand scan. Please note that just because these malware samples showed up yesterday did not make them new (a point lost on many YouTuber's)- just Real World. I did make sure that each set had 1 sample of Ransomware- for both samples although the exe was fresh, the payload was known.

Results:

Dataset 1- The URL's were followed in all cases with IE8. SONAR detected all samples except the Ransomware piece. However in this case the payload was detected and quarantined.

Dataset 2- Out of the 45 samples, an on demand scan missed 14 (~69% detection- Yikes!!). I ran the remaining 14 (including the undetected Ransomware). 12 were unable to change the system and were eventually quarantined. One sample did spew out a daughter which took up residence in App data but without a mechanism to call it forth. The Ransomware sample did hit me with a FBI screenlock after run, but surprisingly enough on reboot there was a SEP malware clean routine that occurred prior to load Windows that totally cleaned it up.

Moral of the story- I used 90 probably not new samples (WowieZowie). But even so I couldn't criticize how SEP12 performed (even though I wanted to).

Whenever I get a chance I will see how it performs on Windows 8 with Early Launch coming into play. But as I am so biased in favor of Win8 with regard to malware prevention I wonder if I can trust myself to do the test; but I guess that's why God created employees.

 

The web/internet protection is fine. It consists of IPS system which blocks bad sites/IPs - this is may be Symatec's first defense layer. Then there is SafeWeb site reputation, then they have Download Insight - this all related about web protection in version 12 / 12.1 , etc... Let's add SONAR, signature and heuristic detection (they are not directly web-related), Microsoft technologies (SmartScreen and many others, though). Overall you should be fine.

 

SafeWeb is actually only found on Norton products, not on SEP. Also, Download Insight on SEP kicks in after SONAR has reacted to the potential threat, so it just will pop up with "only x users have downloaded this file" or some such nonsense.

 

SafeWeb is also available for free for everybody who wants and can use it

SONAR can react only when a file has been executed. Download Insight pops-up everythime a file is downloaded from the Internet (e.g. via a browser). So Download Insight generally pops-up first.

You might be describing a case where you actually run a sample (without saving it first) , SONAR was fast to react and stop it and for some reason there was a delay in the Download Insight notification. This is non-typical issue and not how the software generally works.

 

Hi er- Sorry if I misunderstood, but it seemed that you wrote that SafeWeb was an intrinsic part of SEP, which it is not.

On my SEP setup, when downloading malicious code, in all instances SONAR will pop up first (if the sample is detected) and will act on it. After that occurs DI will appear (sometimes). But the only reason this happens on my test system is that I have DI set at a very low level- necessary as the Client, a developer deals in custom code this rendering DI (for them) nothing but an annoyance. Sorry if I wasn't clear on this.

 

Thanks. No-one has complained yet but this is definitely worth knowing.

 

Hi sis,

no problem