Client Guide for Symantec Endpoint Protection and Symantec Network Access Control
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 11.00.00.00.02
Legal Notice
Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, LiveUpdate, Sygate, Symantec AntiVirus, Bloodhound, Confidence Online, Digital Immune System, and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com
Contents

Section 1  Introduction

Chapter 1  Introducing your Symantec client
  About the client ................................................ 11
    About managed clients and unmanaged clients ................... 12
    About the notification area icon .............................. 12
  What keeps your computer's protection current ................... 14
    About the role of Symantec Security Response .................. 15
    How protection is updated on managed clients .................. 15
    How protection is updated on unmanaged clients ................ 15
  About security policies ......................................... 16
    Updating the security policy .................................. 16
  Where to get more information ................................... 16
    Accessing online Help ......................................... 17
    Accessing the Symantec Security Response Web site ............. 17

Chapter 2  Responding to the client

Chapter 3  Managing the client

Section 2  Introducing Symantec Endpoint Protection

Chapter 4  Introducing Symantec Endpoint Protection

Chapter 5  Symantec Endpoint Protection client basics

Chapter 6  Managing Antivirus and Antispyware Protection
    Initiating on-demand scans .................................... 65
  Configuring antivirus and antispyware scanning .................. 65
    Creating scheduled scans ...................................... 66
    Creating on-demand and startup scans .......................... 69
    Editing and deleting startup, user-defined, and scheduled scans  71
  Interpreting scan results ....................................... 72
    About interacting with scan results or Auto-Protect results ... 73
  Submitting information about antivirus and antispyware scans to Symantec Security Response ... 74
  Configuring actions for viruses and security risks .............. 75
    Tips for assigning second actions for viruses ................. 78
    Tips for assigning second actions for security risks .......... 78
    About risk impact ratings ..................................... 79
  Configuring notifications for viruses and security risks ........ 80
  Configuring centralized exceptions for antivirus and antispyware scans ... 82
  About the Quarantine ............................................ 84
    About infected files in the Quarantine ........................ 84
    About handling infected files in the Quarantine ............... 85
    About handling files infected by security risks ............... 86
  Managing the Quarantine ......................................... 86
    Viewing files and file details in the Quarantine .............. 86
    Rescanning files in the Quarantine for viruses ................ 87
    When a repaired file can't be returned to its original location  87
    Clearing backup items ......................................... 88
    Deleting files from the Quarantine ............................ 88
    Automatically deleting files from the Quarantine .............. 88
    Submitting a potentially infected file to Symantec Security Response for analysis ... 89

Chapter 7  Managing Proactive Threat Protection
    Specifying actions and sensitivity levels for detecting Trojan horses, worms, and keyloggers ... 97
    Setting the action for the detection of commercial applications  98
  Configuring notifications for proactive threat scan detections .. 98
  Submitting information about proactive threat scans to Symantec Security Response ... 99
  Configuring a centralized exception for proactive threat scans .. 100

Chapter 8  Managing Network Threat Protection

Section 3

Chapter 9

Section 4

Chapter 10

Index
Section 1  Introduction

Chapters in this section:
- Introducing your Symantec client
- Responding to the client
- Managing the client

Chapter 1  Introducing your Symantec client

Topics in this chapter:
- About the client
- What keeps your computer's protection current
- About security policies
- Where to get more information
- Scan your computer for viruses, known threats, and security risks.
- Monitor ports for known attack signatures.
- Monitor programs on your computer for suspicious behavior.
See About Symantec Endpoint Protection on page 35. Symantec Network Access Control ensures that your computer's security settings conform to network policies. Security settings can include software, software configuration settings, signature files, patches, or other elements. See About Symantec Network Access Control on page 127.
The notification area icon menu includes the following commands:
- Open Symantec Endpoint Protection
- Open Symantec Network Access Control
- Update Policy

To hide the notification area icon
1. In the main window, in the sidebar, click Change Settings.
2. On the Change Settings page, next to Client Management, click Configure Settings.
3. In the Client Management Settings dialog box, on the General tab, under Display Options, uncheck Show Symantec Endpoint Protection icon in notification area.
4. Click OK.
To show the notification area icon
1. In the main window, in the sidebar, click Change Settings.
2. On the Change Settings page, next to Client Management, click Configure Settings.
3. In the Client Management Settings dialog box, on the General tab, under Display Options, check Show Symantec Endpoint Protection icon in notification area.
4. Click OK.
You can change the frequency with which LiveUpdate checks for updates. You can also run LiveUpdate manually if you know about a virus outbreak or other security risk outbreak. See About LiveUpdate on page 27.
To update the security policy
1. In the Windows notification area, right-click the client icon.
2. In the pop-up menu, click Update Policy.
3. In the confirmation dialog box, click OK.
You can access online Help in any of the following ways:
- Click Help & Support, and then click Help Topics.
- Click Help on any of the individual dialog boxes. Context-sensitive Help is available only in screens on which you can perform actions.
- Press F1 in any window. If context-sensitive Help is available for that window, it appears. If context-sensitive Help is not available, the full Help system appears.

The Symantec Security Response Web site provides:
- The Virus Encyclopedia, which contains information about all known viruses
- Information about virus hoaxes
- White papers about viruses and virus threats in general
- General and detailed information about security risks
To access the Symantec Security Response Web site, use the following URL:
Chapter 2  Responding to the client

Topics in this chapter:
- About client interaction
- Acting on infected files
- About notifications and alerts
Security alerts
Symantec Endpoint Protection informs you when it blocks a program or when it detects an attack against your computer. See Responding to security alerts on page 24.
If you have Symantec Network Access Control enabled on the client, you might see a Network Access Control message. This message appears when your security settings do not conform to the standards that your administrator has configured. See Responding to Network Access Control notifications on page 25.
You can use the notifications to act on the file immediately. You can also use the log view or the Quarantine to act on the file later. See Interpreting scan results on page 72. See Quarantining risks and threats from the Risk Log and the Threat Log on page 148. See About the Quarantine on page 84.

To act on an infected file
1. Do one of the following actions:
   - In the scan progress dialog box, select the files that you want when the scan completes.
   - In the scan results dialog box, select the files that you want.
   - In the client, in the sidebar, click View Logs, and then next to Antivirus and Antispyware Protection, click View Logs. In the log view, select the files that you want.
2. Right-click the file or files, and then select one of the following options:
   - Undo Action Taken: Reverses the action taken.
   - Clean (viruses only): Removes the virus from the file.
   - Delete Permanently: Deletes the infected file and all side effects. For security risks, use this action with caution. In some cases, if you delete security risks you might cause an application to lose functionality.
   - Move to Quarantine: Places the infected files in the Quarantine. For security risks, the client also tries to remove or repair the side effects.
   - Properties: Displays the information about the virus or security risk.

In some cases, the client might not be able to perform the action that you selected.
- The application asks to access your network connection.
- An application that has accessed your network connection has been upgraded.
- The client switched users through Fast User Switching.
- Your administrator updated the client software.

You may see the following type of message, which tells you when an application or a service tries to access your computer:

    Internet Explorer (IEXPLORE.EXE) is trying to connect to www.symantec.com using remote port 80 (HTTP - World Wide Web). Do you want to allow this program to access the network?

To respond to an application access message
1. In the message box, click Detail. You can view more information about the connection and the application, such as the file name, version number, and path name.
2. If you want the client to remember your choice the next time that this application tries to access your network connection, click Remember my answer, and do not ask me again for this application.
3. Do one of the following tasks:
   - To allow the application to access the network connection, click Yes. Click Yes only if you recognize the application and you are sure that you want it to access the network connection. If you are unsure whether to allow the application to access the network connection, ask your administrator.
   - To block the application from accessing the network connection, click No.
Table 2-1 shows how the client responds to your answer to a notification that asks whether to allow or block an application.

Table 2-1  Responding to application access notifications

  If you click   And check "Remember my answer"   The client...
  Yes            Yes                              Allows the application and does not ask again.
  Yes            No                               Allows the application and asks you every time.
  No             Yes                              Blocks the application and does not ask you again.
  No             No                               Blocks the application and asks you every time.
You can also change the action of the application in the Running Applications field or in the Applications list. See Configuring application-specific settings on page 122.
The application that is listed in the following message tries to access your network connection. Although the client recognizes the name of the application, something about the application has changed since the last time the client encountered it. Most likely, you have upgraded the product recently. Every new product version uses a different file fingerprint file than the older version. The client detects that the file fingerprint file changed.
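The paragraph above describes the reason a remembered "allow" answer stops applying once the executable behind it changes. The following is an added example, not Symantec's code and not a description of the client's internal format: it keeps remembered answers keyed on a content fingerprint of the file, so that an upgrade (or a different binary dropped at the same path) invalidates the stored answer and forces a fresh prompt. The fingerprint algorithm (SHA-256), the in-memory storage, and the sample executable are all assumptions made for the example.

```python
"""
Added example, not Symantec's code: remembered allow/block answers bound to a
file fingerprint, showing why a client that has been told "allow IEXPLORE.EXE"
must ask again as soon as the file at that path changes.

Assumptions (not taken from the page): the fingerprint is SHA-256 over the
file's bytes, and remembered answers live in an in-memory dict.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def fingerprint(path: str) -> str:
    """Hash the file contents; the path alone is not a trustworthy identity."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ApplicationRules:
    """Remembered answers to 'Do you want to allow this program...?' prompts."""

    def __init__(self) -> None:
        # path -> (fingerprint at the time of the answer, allow?)
        self._rules: Dict[str, Tuple[str, bool]] = {}

    def check(self, path: str) -> str:
        """Decide what the client should do when `path` wants the network.

        Returns one of:
          "prompt"  - no remembered answer, ask the user
          "changed" - a remembered answer exists but the file's fingerprint no
                      longer matches, so the old answer must not be reused
          "allow" / "block" - the remembered answer still applies
        """
        rule = self._rules.get(path)
        if rule is None:
            return "prompt"
        recorded_fp, allow = rule
        if recorded_fp != fingerprint(path):
            return "changed"
        return "allow" if allow else "block"

    def respond(self, path: str, allow: bool, remember: bool) -> str:
        """Record the user's answer (the four cases of Table 2-1).

        With `remember` set, the answer is bound to the current fingerprint;
        without it, any stale rule is dropped so the client asks every time.
        """
        if remember:
            self._rules[path] = (fingerprint(path), allow)
        else:
            self._rules.pop(path, None)
        return "allow" if allow else "block"


def demo() -> List[str]:
    """First launch, remembered allow, simulated upgrade, re-prompt.

    The executable is a constructed stand-in file, not a real binary.
    """
    rules = ApplicationRules()
    events: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "IEXPLORE.EXE")
        with open(exe, "wb") as fh:
            fh.write(b"MZ constructed sample, version 7")
        events.append(rules.check(exe))                  # no rule yet: prompt
        rules.respond(exe, allow=True, remember=True)    # Yes + remember
        events.append(rules.check(exe))                  # same bytes: allow
        with open(exe, "wb") as fh:                      # simulated upgrade
            fh.write(b"MZ constructed sample, version 8")
        events.append(rules.check(exe))                  # fingerprint differs: changed
        rules.respond(exe, allow=True, remember=False)   # Yes, do not remember
        events.append(rules.check(exe))                  # nothing stored: prompt
    return events


if __name__ == "__main__":
    print(" -> ".join(demo()))
```

The point of keying on the fingerprint rather than the file name is that a name-only rule would let any binary copied to the remembered path inherit the allow decision; the "changed" state is what makes the client re-ask instead.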
...make sure all other users are logged off of Windows and try logging off of Windows and then log back on. If you are using Terminal Services, the user interface is not supported.

or

    Symantec Endpoint Protection was not running but will be started. However, Symantec Endpoint Protection is unable to show the user interface. If you are using Windows XP Fast User Switching, make sure all other users are logged off of Windows and try logging off of Windows and then log back on. If you are using Terminal Services, the user interface is not supported.
Fast User Switching is a Windows feature that makes it possible for you to quickly switch between users without having to log off the computer. Multiple users can share a computer simultaneously, and switch back and forth without closing the applications they run. One of these windows appears if you switch users by using Fast User Switching. To respond to a fast user switching message, follow the instructions in the dialog box.

When your administrator updates the client software, do one of the following:
- To download the software immediately, click Download Now.
- To be reminded after the specified time, click Remind me later.

If a message appears after the installation process begins for the updated software, click OK.
An application that has been launched from your computer has been blocked in accordance with the rules that are set by your administrator. For example, you may see the following message:

    Application Internet Explorer has been blocked, file name is IEXPLORE.EXE.

These notifications indicate that your client has blocked the traffic that you specified as not trusted. If the client is configured to block all traffic, these notifications appear frequently. If your client is configured to allow all traffic, these notifications do not appear.
Intrusions
An attack was launched against your computer, and an alert either informs you of the situation or provides instructions on how to deal with it. For example, you may see the following message: Traffic from IP address 192.168.0.3 is blocked from 10/10/2006 15:37:58 to 10/10/2006 15:47:58. Port Scan attack is logged. Your administrator may have disabled intrusion prevention notifications on the client computer. To see what types of attacks your client detects, you can enable the client to display intrusion prevention notifications. See Configuring intrusion prevention notifications on page 120.
To respond to an intrusion alert
1. Follow any suggested procedures that appear in the message box.
2. In the message box, click OK.

After you close the message box, open the client to see if it displays any suggested procedures to restore network access.
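The three notification messages quoted in this chapter (the application access prompt, the blocked-application message, and the intrusion alert with its block window) are free text on screen, but an analyst usually wants them as structured events. The following is an added example, not Symantec's code: it parses exactly the message wordings shown on this page and, for the intrusion alert, computes how long the attacking address stays blocked. The timestamp layout (MM/DD/YYYY HH:MM:SS), the record field names, and the extra unparsed sample line are assumptions; the sample messages are constructed from the text of this page.

```python
"""
Added example, not Symantec's code: turn the client notification strings
quoted on this page into structured records, the way you would before
forwarding them to a log collector.

Assumptions: timestamps are MM/DD/YYYY HH:MM:SS (inferred from the sample
"10/10/2006 15:37:58"); field names are this example's own.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List, Optional

TS_FMT = "%m/%d/%Y %H:%M:%S"  # assumed from the sample on the page

# "Internet Explorer (IEXPLORE.EXE) is trying to connect to www.symantec.com
#  using remote port 80 (HTTP - World Wide Web). Do you want to allow ...?"
APP_ACCESS_RE = re.compile(
    r"^(?P<app>.+?) \((?P<image>[^)]+)\) is trying to connect to (?P<host>\S+) "
    r"using remote port (?P<port>\d+) \((?P<service>[^)]+)\)\."
)
# "Traffic from IP address 192.168.0.3 is blocked from 10/10/2006 15:37:58 to
#  10/10/2006 15:47:58. Port Scan attack is logged."
IPS_BLOCK_RE = re.compile(
    r"^Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked from "
    r"(?P<start>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) to "
    r"(?P<end>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\. (?P<attack>.+?) attack is logged\."
)
# "Application Internet Explorer has been blocked, file name is IEXPLORE.EXE."
APP_BLOCKED_RE = re.compile(
    r"^Application (?P<app>.+?) has been blocked, file name is (?P<image>\S+?)\.?$"
)


def parse_notification(text: str) -> Optional[Dict[str, Any]]:
    """Return a structured record for a known message shape, or None."""
    m = APP_ACCESS_RE.match(text)
    if m:
        return {
            "kind": "app_access_prompt",
            "app": m["app"],
            "image": m["image"],
            "host": m["host"],
            "port": int(m["port"]),
            "service": m["service"],
        }
    m = IPS_BLOCK_RE.match(text)
    if m:
        start = datetime.strptime(m["start"], TS_FMT)
        end = datetime.strptime(m["end"], TS_FMT)
        return {
            "kind": "attacker_blocked",
            "ip": m["ip"],
            "attack": m["attack"],
            "start": start,
            "end": end,
            # how long the client keeps blocking the source address
            "block_seconds": int((end - start).total_seconds()),
        }
    m = APP_BLOCKED_RE.match(text)
    if m:
        return {"kind": "app_blocked", "app": m["app"], "image": m["image"]}
    return None


def summarize(messages: List[str]) -> Dict[str, int]:
    """Count messages by kind; anything unrecognised is reported, not dropped."""
    counts: Counter = Counter()
    for text in messages:
        record = parse_notification(text)
        counts[record["kind"] if record else "unparsed"] += 1
    return dict(counts)


# Constructed sample input: the three messages quoted on this page plus one
# line the parser is not expected to understand.
SAMPLE_MESSAGES = [
    "Internet Explorer (IEXPLORE.EXE) is trying to connect to www.symantec.com "
    "using remote port 80 (HTTP - World Wide Web). Do you want to allow this "
    "program to access the network?",
    "Traffic from IP address 192.168.0.3 is blocked from 10/10/2006 15:37:58 "
    "to 10/10/2006 15:47:58. Port Scan attack is logged.",
    "Application Internet Explorer has been blocked, file name is IEXPLORE.EXE.",
    "Symantec Endpoint Protection was not running but will be started.",
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(parse_notification(line))
    print(summarize(SAMPLE_MESSAGES))
```

Keeping an "unparsed" bucket matters in practice: a wording change after a client update would otherwise silently drop alerts instead of showing up as a count you can investigate.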
Chapter 3  Managing the client

Topics in this chapter:
- About LiveUpdate
- Running LiveUpdate at scheduled intervals
- Running LiveUpdate manually
- Testing the security of your computer
- About locations
- Changing locations
- About Tamper Protection
- Enabling, disabling, and configuring Tamper Protection
About LiveUpdate
LiveUpdate obtains program and protection updates for your computer by using your Internet connection. Program updates are minor improvements to your installed product. These differ from product upgrades, which are newer versions of entire products. Program updates are usually created to extend the operating system or hardware compatibility, adjust a performance issue, or fix program errors. Program updates are released on an as-needed basis. Note: Some program updates may require that you restart your computer after you install them.
LiveUpdate automates program update retrieval and installation. It locates and obtains files from an Internet site, installs them, and then deletes the leftover files from your computer. Protection updates are the files that keep your Symantec products up-to-date with the latest threat protection technology. The protection updates you receive depend on which products are installed on your computer. By default, LiveUpdate runs automatically at scheduled intervals. Based on your security settings, you can run LiveUpdate manually. You might also be able to disable LiveUpdate or change the LiveUpdate schedule.
To run LiveUpdate at scheduled intervals
1. In the client, in the sidebar, click Client Management > Options.
2. In the Client Management Settings dialog box, click Scheduled Updates.
3. On the Scheduled Updates tab, check Enable automatic updates.
4. In the Frequency group box, select whether you want the updates to run daily, weekly, or monthly.
5. In the When group box, select the day or week and time of day you want the updates to run.
6. To specify how to handle missed updates, click Advanced.
7. In the Advanced Schedule Options dialog box, select the options for LiveUpdate to retry missed updates. For more information on these options, click Help.
To run LiveUpdate manually
- In the client, in the sidebar, click LiveUpdate. LiveUpdate connects to the Symantec server, checks for available updates, then downloads and installs them automatically.
To test the security of your computer
1. In the client, in the sidebar, click Status.
2. Beside Network Threat Protection, click Options > View Network Activity.
3. Click Tools > Test Network Security.
4. In the Symantec Security Check Web site, do one of the following:
   - To check for online threats, click Security Scan.
   - To check for viruses, click Virus Detection.
5. In the End-user License Agreement dialog box, click I accept, and then click Next.
6. If you clicked Virus Detection in step 4, click I consent, and then click Next.

If you want to stop the scan at any time, click Stop.
About locations
A location refers to a security policy that is based on your network environment. For instance, if you connect to the office network by using your laptop from home, your administrator can set up a location named Home. If you use the laptop in the office, you may use a location named Office. Other locations may include VPN, branch office, or hotel. The client switches between these locations because your security needs and usage needs can differ between network environments. For example, when your laptop connects to your office network, your client might use a restrictive set of policies that your administrator configured. When it connects to your home network, however, your client might use a policy set that gives you access to more configuration options. Your administrator plans and configures your client accordingly, so that the client bridges those differences automatically for you.

Note: In a managed environment, you can change locations only if your administrator has provided the necessary access.
Changing locations
You can change a location if necessary. For example, you might need to switch to a location that lets a colleague access files on your computer. The list of locations that are available is based on your security policies and on your computer's active network.

Note: Based on the available security policies, you may or may not have access to more than one location. You may find that when you click a location, you do not change to that location. This means that your network configuration is not appropriate for that location. For example, a location that is called Office may be available only when it detects the office local area network (LAN). If you are not currently on that network, you cannot change to that location.

To change a location
1. In the client, in the sidebar, click Change settings.
2. On the Change Settings page, beside Client Management, click Configure Settings.
3. On the General tab, under Location Options, select the location to which you want to change.
4. Click OK.
Tamper Protection can take one of the following actions:
- Block tamper attempts and log the event
- Log the tampering event but do not interfere with the tampering event
Tamper Protection is enabled for both managed and unmanaged clients, unless your administrator has changed the default settings. When Tamper Protection detects a tampering attempt, the default action is to log the event in the Tamper Protection Log.

You can configure Tamper Protection to display a notification on your computer when it detects a tampering attempt, and you can customize the message. Tamper Protection does not notify you about tampering attempts unless you enable that functionality.

If you use an unmanaged client, you can change your Tamper Protection settings. If you use a managed client, you can change these settings if your administrator allows it.

A best practice when you first use Symantec Endpoint Protection is to leave the default action Log Only while you review the Tamper Protection Log once a week. When you are satisfied that you see no false positives, set Tamper Protection to Block and Log.

Note: If you use a third-party security risk scanner that detects and defends against unwanted adware and spyware, the scanner typically touches Symantec processes. If Tamper Protection is enabled while you run such a scanner, Tamper Protection generates a large number of notifications and log entries. A best practice is to always leave Tamper Protection enabled, and to use log filtering if the number of events that are generated is too large.
To enable or disable Tamper Protection
1. In the main window, in the sidebar, click Change Settings.
2. Beside Client Management, click Configure Settings.
3. On the Tamper Protection tab, check or uncheck Protect Symantec security software from tampering.
4. Click OK.

To configure Tamper Protection
1. In the main window, in the sidebar, click Change Settings.
2. Beside Client Management, click Configure Settings.
3. On the Tamper Protection tab, in the Action to take list box, select Block and Log or Log Only.
4. If you want to be notified when Tamper Protection detects suspicious behavior, check Display the following message when tampering is detected. If you enable these notification messages, you may receive notifications about Windows processes as well as Symantec processes.
5. To customize the message that displays, type new text in the message field or delete any text that you do not want.
6. Click OK.
Section 2  Introducing Symantec Endpoint Protection

Chapters in this section:
- Introducing Symantec Endpoint Protection
- Symantec Endpoint Protection client basics
- Managing Antivirus and Antispyware Protection
- Managing Proactive Threat Protection
- Managing Network Threat Protection

Chapter 4  Introducing Symantec Endpoint Protection

Topics in this chapter:
- About Symantec Endpoint Protection
- How Symantec Endpoint Protection protects your computer
- A stand-alone computer that is not connected to a network, such as a home computer or a laptop. The computer must include a Symantec Endpoint Protection installation that uses either the default option settings or administrator-preset settings.
- A remote computer that connects to your corporate network and must meet security requirements before it connects.

The default settings for Symantec Endpoint Protection provide Antivirus and Antispyware Protection, Proactive Threat Protection, and Network Threat Protection by using a desktop firewall and host-based intrusion prevention. You can adjust the default settings to suit your company's needs, to optimize system performance, and to disable the options that do not apply.
If an administrator manages your computer, some options may be locked or unavailable, depending upon your administrators security policy. Your administrator runs scans on your computer and can set up scheduled scans. Your administrator can advise you as to what tasks you should perform by using Symantec Endpoint Protection.
- Antivirus and Antispyware Protection
- Network Threat Protection
- Proactive Threat Protection

Auto-Protect scans
Auto-Protect runs constantly and provides real-time protection for your computer by monitoring activity on your computer. Auto-Protect looks for viruses and security risks when a file is executed or opened. It also looks for viruses and security risks when you make any modifications to a file. For example, you might rename, save, move, or copy a file to and from folders.

Scheduled, startup, and on-demand scans
You or your administrator can configure other scans to run on your computer. These scans search for residual virus signatures in infected files. These scans also search for the signatures of security risks in infected files and system information. You or your administrator can initiate scans to systematically check the files on your computer for viruses and security risks. The security risks might include adware or spyware.
Chapter 5  Symantec Endpoint Protection client basics

Topics in this chapter:
- About viruses and security risks
- How the client responds to viruses and security risks
- Enabling and disabling protection components
- Using the client with Windows Security Center
- Pausing and delaying scans
Viruses
    The programs or the code that attach a copy of themselves to another computer program or document when it runs. Whenever the infected program runs or a user opens a document that contains a macro virus, the attached virus program activates. The virus can then attach itself to other programs and documents. The viruses generally deliver a payload, such as displaying a message on a particular date. Some viruses specifically damage data by corrupting programs, deleting files, or reformatting disks.

Malicious Internet bots
    The programs that run automated tasks over the Internet for malicious purposes. Bots can be used to automate attacks on computers or to collect information from Web sites.

Worms
    The programs that replicate without infecting other programs. Some worms spread by copying themselves from disk to disk, while others replicate only in memory to slow a computer down.

Trojan horses
    The programs that contain code that is disguised as or hiding in something benign, such as a game or utility.

Blended threats
    The threats that blend the characteristics of viruses, worms, Trojan horses, and code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats use multiple methods and techniques to spread rapidly and cause widespread damage throughout the network.

Adware
    The stand-alone or appended programs that secretly gather personal information through the Internet and relay it back to another computer. Adware may track browsing habits for advertising purposes. Adware can also deliver advertising content. Adware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads adware by accepting an End User License Agreement from a software program.

Dialers
    The programs that use a computer, without the user's permission or knowledge, to dial a 900 number or an FTP site. The programs typically accrue charges.

Hacking tools
    The programs that are used by a hacker to gain unauthorized access to a user's computer. For example, one hacking tool is a keystroke logger, which tracks and records individual keystrokes and sends this information back to the hacker. The hacker can then perform port scans or vulnerability scans. Hacking tools may also be used to create viruses.

Joke programs
    The programs that alter or interrupt the operation of a computer in a way that is intended to be humorous or frightening. For example, a program can be downloaded from a Web site, email message, or instant messenger program. It can then move the Recycle Bin away from the mouse when the user tries to delete it. It can also cause the mouse to click in reverse.

Other
    Any other security risks that do not conform to the strict definitions of viruses, Trojan horses, worms, or other security risk categories.

Remote access programs
    The programs that allow access over the Internet from another computer so that they can gain information or attack or alter a user's computer. You might install a legitimate remote access program. A process might install this type of application without your knowledge. The program can be used for malicious purposes with or without modification of the original remote access program.

Spyware
    The stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay it back to another computer. Spyware can be unknowingly downloaded from Web sites, typically in shareware or freeware, or can arrive through email messages or instant messenger programs. Often a user unknowingly downloads spyware by accepting an End User License Agreement from a software program.

Trackware
    The stand-alone or appended applications that trace a user's path on the Internet and send information to the target system. For example, the application can be downloaded from a Web site, email message, or instant messenger program. It can then obtain confidential information regarding user behavior.
- Detect, remove, and repair the side effects of viruses, worms, Trojan horses, and blended threats.
- Detect, remove, and repair the side effects of security risks such as adware, dialers, hacking tools, joke programs, remote access programs, spyware, trackware, and others.
The Symantec Security Response Web site provides the latest information about threats and security risks. The Web site also contains extensive reference information, such as white papers and detailed information about viruses and security risks. Figure 5-1 shows the information about a hacking tool and how Symantec Security Response suggests that you handle it.
Figure 5-1  Symantec Security Response information about a hacking tool (figure not reproduced)
Files within compressed files are scanned and cleaned of viruses and security risks. No separate programs or options changes are necessary for Internet-borne viruses. Auto-Protect scans uncompressed program and document files automatically as they are downloaded. When the client detects a virus, by default the client tries to clean the virus from the infected file. The client also tries to repair the effects of the virus. If the client cleans the file, the client completely removes the risk from your computer. If the client cannot clean the file, the client moves the infected file to the Quarantine. The virus cannot spread from the Quarantine. When you update your computer with new virus definitions, the client automatically checks the Quarantine. You can rescan the items in the Quarantine. The latest definitions might clean or repair the previously quarantined files. Note: Your administrator may choose to scan files in the Quarantine automatically. By default, for security risks, the client quarantines the infected files. The client also returns the system information that the security risk has changed to its previous state. Some security risks cannot be completely removed without causing another program on your computer, such as a Web browser, to fail. Your antivirus and antispyware settings might not handle the risk automatically. In that case, the client prompts you before it stops a process or restarts your computer. Alternatively, you can configure your settings to use the log only action for security risks. When the client software discovers security risks, it includes a link in the scan window to Symantec Security Response. On the Symantec Security Response Web site you can learn more about the security risk. Your administrator may also send a customized message.
checks programs for viruses and security risks as they run. It also monitors your computer for any activity that might indicate the presence of a virus or security risk. When a virus, virus-like activity (an event that could be the work of a virus), or a security risk is detected, Auto-Protect alerts you. You can enable or disable Auto-Protect for files and processes. You can also enable or disable Auto-Protect for Internet email and Auto-Protect for email groupware applications. In managed environments, your administrator can lock these settings.
On the Windows desktop, in the notification area, right-click the client icon, and then do one of the following actions:
In the client, on the Status page, next to Antivirus and Antispyware Protection, do one of the following actions:
- Click Options > Enable Antivirus and Antispyware Protection.
- Click Options > Disable Antivirus and Antispyware Protection.
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Configure Settings.
3 Do one of the following actions:
- On the Internet Email Auto-Protect tab, check or uncheck Enable Internet Email Auto-Protect.
- On the Outlook Auto-Protect tab, check or uncheck Enable Microsoft Outlook Auto-Protect.
- On the Notes Auto-Protect tab, check or uncheck Enable Lotus Notes Auto-Protect.
4 Click OK.
Your administrator may have set the following limits for when and how long you can disable protection:
- Whether the client allows either all traffic or all outbound traffic only.
- The length of time the protection is disabled.
- How many times you can disable protection before you restart the client.
If you can disable protection, you can reenable it at any time. The administrator can also enable and disable protection at any time, even if it overrides the state you put the protection in. See About Network Threat Protection on page 101. See Blocking an attacking computer on page 121.

To enable or disable Network Threat Protection

In the client, on the Status page, beside Network Threat Protection, do one of the following actions:
- Click Options > Enable Network Threat Protection.
- Click Options > Disable Network Threat Protection.
1 In the client, in the sidebar, click Change settings.
2 Next to Proactive Threat Protection, click Change Settings.
3 In the Proactive Threat Scan Settings dialog box, on the Scan Details tab, under Trojans and Worms, check or uncheck Scan for trojans and worms.
4 Under Keyloggers, check or uncheck Scan for keyloggers.
5 Click OK.
Symantec Endpoint Protection client basics Using the client with Windows Security Center
- OUT OF DATE (red): Symantec Endpoint Protection is installed, and virus and security risk definitions are out of date
- OFF (red): Symantec Endpoint Protection is installed and File System Auto-Protect is not enabled
- OFF (red): Symantec Endpoint Protection is installed, File System Auto-Protect is not enabled, and virus and security risk definitions are out of date
- OFF (red): Symantec Endpoint Protection is installed and Rtvscan is turned off manually

Table 5-3 shows the Symantec Endpoint Protection firewall status reporting in WSC.

Table 5-3 WSC firewall status reporting
Firewall status: NOT FOUND (red), ON (green), OFF (red), ON (green)
If there is more than one firewall enabled, WSC reports that multiple firewalls are installed and enabled.
To pause a scan
1 When the scan runs, in the scan dialog box, click the pause icon.
If you initiated the scan, the scan stops where it is and the scan dialog box remains open until you start the scan again. If your administrator initiated the scan, the Scheduled Scan Pause dialog box appears.
2 In the Scheduled Scan Pause dialog box, click Pause.
The administrator-scheduled scan stops where it is and the scan dialog box remains open until you start the scan again.
3 In the scan dialog box, click the start icon to continue the scan.

To delay an administrator-scheduled scan
1 When the administrator-scheduled scan runs, in the scan dialog box, click Pause the Scan.
2 In the Scheduled Scan Pause dialog box, click Snooze 1 hour or Snooze 3 hours.
Your administrator specifies the period of time that you are allowed to delay the scan. When the pause reaches the limit, the scan restarts from the beginning. Your administrator specifies the number of times that you can delay the scheduled scan before this feature is disabled.
Chapter
- About Antivirus and Antispyware Protection
- About Auto-Protect
- Working with antivirus and antispyware scans
- Configuring antivirus and antispyware scanning
- Interpreting scan results
- Submitting information about antivirus and antispyware scans to Symantec Security Response
- Configuring actions for viruses and security risks
- Configuring notifications for viruses and security risks
- Configuring centralized exceptions for antivirus and antispyware scans
- About the Quarantine
- Managing the Quarantine
Managing Antivirus and Antispyware Protection About Antivirus and Antispyware Protection
Program files: Include dynamic-link libraries (.dll), batch files (.bat), command files (.com), executable files (.exe), and other program files. The client searches program files to look for file virus infections.
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Change Settings.
3 In the Antivirus and Antispyware Protection Settings dialog box, on the Auto-Protect tab, under File types, click Selected.
4 Click Extensions.
5 In the text box, type the extension to add, and then click Add.
6 Repeat step 5 as needed.
7 Click OK.

To add file extensions to the scan list for an on-demand, scheduled, or startup scan
1 In the client, in the sidebar, click Scan for threats.
2 Right-click the scan for which you want to add file extensions, and then select Edit.
Changes apply only to the specific scan that you select.
3 On the Options tab, under File types, select Selected extensions, and then click Extensions.
4 Type the extension to add, and then click Add.
5 Repeat step 4 as needed.
6 Click OK.
your company's security policy allows the adware, you can exclude the risk from scans.

The client might flag a file as infected; however, the file does not contain a virus. This situation might happen because a particular virus definition is designed to catch every possible variation of the virus. Because the virus definition must be necessarily broad, the client sometimes reports that a clean file is infected. If antivirus and antispyware scans continue to report a clean file as infected, you can exclude the file from scans.

Exclusions are the items that you don't want or need to include in scans. Your corporate security policy might let you run the software that the client reports as a risk. In that case, you can exclude the folders that contain the software. You use a centralized exception to exclude items from scans. The exception applies to all antivirus and antispyware scans that you run. Your administrator might configure exceptions as well. Administrator-defined exceptions take precedence over user-defined exceptions. See Configuring centralized exceptions for antivirus and antispyware scans on page 82.

Warning: Be careful with exclusions. If you exclude a file from a scan, the client does not take action to clean it if the file later becomes infected. This situation can be a potential risk to the security of your computer.

- Enable Auto-Protect. Auto-Protect constantly scans the files that have been accessed or modified.
- Run Auto-Protect for your email, if available.
- Protect your global template files by disabling automatic macros.
When the Symantec Endpoint Protection client detects a virus or security risk
When viruses and security risks infect files, the client responds to the risk types in different ways. For each type of risk, the client uses a first action, and then applies a second action if the first action fails.

By default, when the client detects a virus, the client tries first to clean the virus from the infected file. Then, if the client cannot clean the file, it logs the failure and moves the infected file to the Quarantine.

By default, when the client detects a security risk, it quarantines the risk. It also tries to remove or repair any changes that the security risk made. If the client cannot quarantine a security risk, it logs the risk and leaves it alone.

Note: In the Quarantine, the risk cannot spread. When a client moves a file to the Quarantine, you do not have access to the file. The client can also reverse its changes for the items that it quarantines.

For each scan type, you can change the settings for how the client handles viruses and security risks. You can set different actions for each category of risk and for individual security risks.

Note: In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that quarantining the risk does not harm the computer, then the client quarantines the risk. If the client quarantines the risk immediately, its action might leave the computer in an unstable state. Instead, the client waits until the application installation is complete before it quarantines the risk. It then repairs the risk's effects.
About Auto-Protect
Auto-Protect is your best defense against virus attacks. Whenever you access, copy, save, move, or open a file, Auto-Protect scans the file to ensure that a virus has not attached itself. Auto-Protect scans the file extensions that contain executable code and all .exe and .doc files. Auto-Protect can determine a file's type even when a virus changes the file's extension. For example, a virus might change a file's extension to one that is different from the file extensions that you configured Auto-Protect to scan.
You can enable or disable Auto-Protect if your administrator does not lock the setting. See Enabling and disabling Antivirus and Antispyware Protection on page 43.
- Scans for security risks such as adware and spyware
- Quarantines the infected files
- Removes or repairs the side effects of the security risks
You can disable scanning for security risks in Auto-Protect. See Disabling and enabling Auto-Protect security risk scanning and blocking on page 60.

If Auto-Protect detects a process that continuously downloads a security risk to your computer, Auto-Protect displays a notification and logs the detection. (Auto-Protect must be configured to send notifications.) If the process continues to download the same security risk, multiple notifications appear on your computer and Auto-Protect logs multiple events. To prevent multiple notifications and logged events, Auto-Protect automatically stops sending notifications about the security risk after three detections. Auto-Protect also stops logging the event after three detections. In some situations, Auto-Protect does not stop sending notifications and logging events for the security risk. Auto-Protect continues to send notifications and log events when any of the following situations is true:
- On client computers, you or your administrator can disable blocking the installation of security risks (the default setting is enabled).
- The action for the type of security risk that the process downloads has an action of Leave alone.

- Lotus Notes 4.5x, 4.6, 5.0, and 6.x
- Microsoft Outlook 98/2000/2002/2003/2007 (MAPI and Internet)
- Microsoft Exchange client 5.0 and 5.5
Note: Auto-Protect works on your supported email client only. It does not protect email servers.

Antivirus and Antispyware Protection also includes Auto-Protect scanning for additional Internet email programs by monitoring all traffic that uses the POP3 or SMTP communications protocols. You can configure the client software to scan incoming and outgoing messages for risks. Scans of outgoing email help to prevent the spread of threats that use email clients to replicate and distribute themselves across a network.

Note: Internet email scanning is not supported for 64-bit computers.

For scans of Lotus Notes and Microsoft Exchange email, Auto-Protect scans only the attachments that are associated with email. For Internet email scanning of the messages that use the POP3 or SMTP protocols, Auto-Protect scans the following items:

When you open a message with an attachment, the attachment is immediately downloaded to your computer and scanned when the following statements are true:
- You use Microsoft Exchange client or Microsoft Outlook over MAPI.
- You have Auto-Protect enabled for email.

Over a slow connection, downloading messages with large attachments affects mail performance. You may want to disable this feature if you regularly receive large attachments. See Disabling and enabling Auto-Protect security risk scanning and blocking on page 60.

Note: If a virus is detected as you open email, your email may take several seconds to open while Auto-Protect completes its scan.

Email scanning does not support the following email clients:
- IMAP clients
- AOL clients
- Web-based email such as Hotmail, Yahoo! Mail, and GMAIL
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Configure Settings.
3 On the Internet Email Protection tab, click Advanced.
4 Under Connection settings, uncheck Allow encrypted POP3 connections and Allow encrypted SMTP connections.
5 Click OK.
In the client, on the Status page, next to Antivirus and Antispyware Protection, click Options > View File System Auto-Protect Statistics.
In the client, on the Status page, next to Antivirus and Antispyware Protection, click Options > View Threat List.
Typically viruses affect only certain types of files. If you scan selected extensions, however, you get less protection because Auto-Protect does not scan all files. The default list of extensions represents those files that are commonly at risk of infection by viruses. Auto-Protect scans the file extensions that contain executable code and all .exe and .doc files. It can also determine a file's type even when a virus changes the file's extension. For example, it scans .doc files even if a virus changes the file extension. You should configure Auto-Protect to scan all file types to ensure that your computer receives the most protection from viruses and security risks.

To configure Auto-Protect to determine file types
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Configure Settings.
3 On the Auto-Protect tab, under File Types, do one of the following actions:
- Click All Types to scan all files.
- Click Selected to scan only those files that match the listed file extensions, and then click Extensions to change the default list of file extensions.
4 If you selected Selected, check or uncheck Determine file types by examining file contents.
5 Click OK.
- Scans for security risks such as adware and spyware
- Quarantines the infected files
- Tries to remove or repair the effects of the security risk
In cases where blocking the installation of a security risk does not affect the stability of a computer, Auto-Protect also blocks the installation by default. If Symantec determines that blocking a security risk could compromise a computer's stability, then Auto-Protect allows the risk to install. Auto-Protect also immediately takes the action that is configured for the risk. From time to time, however, you might temporarily need to disable scanning for security risks in Auto-Protect scans of files, and then re-enable it. You might also need to disable blocking security risks to control the time at which Auto-Protect reacts to certain security risks.

Note: Your administrator might lock these settings.

To disable or enable Auto-Protect security risk scanning and blocking
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Configure Settings.
3 On the Auto-Protect tab, under Options, do any of the following actions:
- Check or uncheck Scan for security risks.
- Check or uncheck Block security risks from being installed.
- Check or uncheck Scan files on network drives.
4 Click OK.
- Configure whether or not your Auto-Protect trusts files on the remote computers that run Auto-Protect.
- Specify whether or not your computer should use a cache to store a record of the files that Auto-Protect scans from a network.
By default, Auto-Protect scans files as they are written from your computer to a remote computer. Auto-Protect also scans files when they are written from a remote computer to your computer. When you read files on a remote computer, however, Auto-Protect might not scan the files.

By default, Auto-Protect tries to trust remote versions of Auto-Protect. If the trust option is enabled on both computers, the local Auto-Protect checks the remote computer's Auto-Protect settings. If the remote Auto-Protect settings provide at least as high a level of security as the local settings, the local Auto-Protect trusts the remote Auto-Protect. When the local Auto-Protect trusts the remote Auto-Protect, the local Auto-Protect does not scan the files that it reads from the remote computer. The local computer trusts that the remote Auto-Protect already scanned the files.

Note: The local Auto-Protect always scans the files that you copy from a remote computer.

The trust option is enabled by default. If you disable the trust option, you might reduce network performance.

To disable trust in remote versions of Auto-Protect
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Change Settings.
3 On the Auto-Protect tab, click Advanced.
4 In the Auto-Protect Advanced Options dialog box, under Additional Advanced Options, click Network.
5 Under Network scanning settings, uncheck Trust files on remote computers running Auto-Protect.
6 Click OK until you return to the main window.
You can configure your computer to use a network cache. A network cache stores a record of the files that Auto-Protect scanned from a remote computer. If you use a network cache, you prevent Auto-Protect from scanning the same file more than one time. When you prevent multiple scans of the same file, you might improve system performance. You can set the number of files (entries) that Auto-Protect scans and remembers. You can also set the timeout before your computer removes the entries from the cache. When the timeout expires, your computer removes the entries. Auto-Protect then scans the files if you request them from the remote computer again.
Managing Antivirus and Antispyware Protection Working with antivirus and antispyware scans
1 In the client, in the sidebar, click Change settings.
2 Next to Antivirus and Antispyware Protection, click Configure Settings.
3 In the Antivirus and Antispyware Settings dialog box, on the Auto-Protect tab, click Advanced.
4 In the Auto-Protect Advanced Options dialog box, under Additional advanced options, click Network.
5 In the Network Scanning Options dialog box, check or uncheck Network cache.
If you enabled the network cache, use the defaults or do any of the following actions:
- Use the arrows or type in the number of files (entries) that you want Auto-Protect to scan and remember.
- Type the number of seconds for which you want entries to remain in the cache before your computer clears the cache.
6 Click OK.
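The network cache behaviour described above, modelled as an added example that is not Symantec's code: the two settings from the dialog box (the number of entries to remember and the timeout in seconds) decide whether a file read from a remote computer is scanned again or skipped, and a copied file is always scanned. The class name, the clock parameter and the sample paths are assumptions made for the example.

```python
import time
from collections import OrderedDict


class NetworkScanCache:
    """Model of the Auto-Protect network cache (constructed example).

    max_entries     - files (entries) Auto-Protect scans and remembers
    timeout_seconds - seconds an entry stays before the computer clears it
    clock           - injectable time source so the expiry rule can be tested
    """

    def __init__(self, max_entries, timeout_seconds, clock=time.monotonic):
        self.max_entries = max_entries
        self.timeout_seconds = timeout_seconds
        self._clock = clock
        self._entries = OrderedDict()  # remote path -> time it was scanned
        self.scan_count = 0            # scans the cache did not prevent

    def _expire(self, now):
        # Entries older than the timeout are removed; the file is scanned
        # again the next time it is requested from the remote computer.
        for path, scanned_at in list(self._entries.items()):
            if now - scanned_at >= self.timeout_seconds:
                del self._entries[path]

    def _record_scan(self, path, now):
        self.scan_count += 1
        # The cache holds at most max_entries records; the oldest record
        # is forgotten first (OrderedDict preserves insertion order).
        self._entries.pop(path, None)
        while len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)
        self._entries[path] = now

    def read_remote_file(self, path):
        """Return True if Auto-Protect scans the file on this read,
        False if a live cache entry lets it skip the scan."""
        now = self._clock()
        self._expire(now)
        if path in self._entries:
            return False
        self._record_scan(path, now)
        return True

    def copy_remote_file(self, path):
        """Files copied from a remote computer are always scanned (see the
        note in the text); the scan still refreshes the cache entry."""
        now = self._clock()
        self._expire(now)
        self._record_scan(path, now)
        return True

    def remembered(self):
        """Remote paths currently held in the cache, oldest first."""
        return list(self._entries)


if __name__ == "__main__":
    cache = NetworkScanCache(max_entries=2, timeout_seconds=30)
    # constructed sample paths on a hypothetical file server
    for p in [r"\\fileserver\share\a.exe", r"\\fileserver\share\a.exe"]:
        print(p, "scanned" if cache.read_remote_file(p) else "cache hit")
    print("remembered:", cache.remembered(), "scans:", cache.scan_count)
```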
Quick Scan
Full Scan
As long as Auto-Protect is enabled, a daily quick scan and a single, weekly scheduled scan of all files provides sufficient protection. If viruses frequently attack your computer, consider adding a full scan at startup or a daily scheduled scan. You can also configure the frequency of the scans that look for suspicious behavior rather than known risks. See Configuring how often to run proactive threat scans on page 95.
How the Symantec Endpoint Protection client detects viruses and security risks
The client prevents virus infections on a computer by scanning the computer's boot sector, memory, and files for viruses and security risks. The scan engine uses the virus and security risk signatures that are found in the definitions files. The scan engine performs an exhaustive search for any known viruses that are inside the executable files. Antivirus and antispyware scans search the executable parts of document files to find macro viruses. You can perform a scan on demand or schedule a scan for when you are away from your desk. Table 6-2 describes the computer components that the client scans.

Table 6-2 Component
- Computer memory
- Boot sector
- Selected files
Managing Antivirus and Antispyware Protection Configuring antivirus and antispyware scanning
In the My Computer window or the Windows Explorer window, right-click a file, folder, or drive, and then click Scan For Viruses. This feature is not supported on 64-bit operating systems.

In the client, on the Status page, next to Antivirus and Antispyware Protection, click Options > Run Quick Scan.

In the client, in the sidebar, click Scan for threats. Do one of the following actions:
- Under Quick Scan, click Quick Scan.
- Under Full Scan, click Full Scan.
- In the scan list, right-click any scan, and then click Scan Now.
The scan starts. A progress window appears on your computer to show the progress of the scan and the results.
1 In the client, in the sidebar, click Scan for threats.
2 Click Create a New Scan.
3 In the What To Scan dialog box, select one of the following types of scan to schedule:
- Custom: Scans the selected areas of the computer for viruses and security risks.
- Quick: Scans the areas of the computer that viruses and security risks most commonly infect.
- Full: Scans the entire computer for viruses and security risks.
4 If you selected Custom, check the appropriate check boxes to specify where to scan. The symbols have the following descriptions:
- The file, drive, or folder is not selected. If the item is a drive or folder, the folders and files in it are also not selected.
- The individual file or folder is selected.
- The individual folder or drive is selected. All items within the folder or drive are also selected.
- The individual folder or drive is not selected, but one or more items within the folder or drive are selected.
5 Click Next.
6 In the Scan Options dialog box, you can do any of the following actions:
- Change the default settings for what is scanned. The default setting is to scan all files.
- Specify how the client responds if a virus or security risk is detected. By default, the client cleans viruses from infected files and repairs any side effects. If the client cannot remove the virus, the client quarantines the file. By default, the client quarantines security risks and removes or repairs any side effects. If the client cannot quarantine and repair the risk, the client logs the event.
7 Under Scan Enhancements, select any of the locations.
8 Click Advanced.
9 You can set any of the following options:
- Compressed files options
- Backup options
- Dialog options
- Tuning options
- Storage migration options
10 Under Dialog options, in the drop-down list, click Show scan progress, and then click OK.
11 Click OK.
12 In the Scan Options dialog box, you can also change the following options:
- Actions: Change first and second actions to take when viruses and security risks are found.
- Notification: Construct a message to display when a virus or security risk is found. You can also configure whether or not you want to be notified before remediation actions occur.
- Centralized Exceptions: Create an exception for a security risk detection.
13 Click Next.
14 In the When To Scan dialog box, click At Specified Times, and then click Next.
15 In the Schedule dialog box, specify the frequency and when to scan.
16 Click Advanced.
17 In the Advanced Schedule Options dialog box, do the following actions:
- Check Retry the scheduled scan within <number> hours of the scheduled time. Set the number of hours within which you want the scan to run. For example, you might want a weekly scan to run only if it is within three days of the scheduled time for the missed event.
- Check or uncheck Perform this user-defined scheduled scan even when the user is not logged in. User-defined scans are always run if the user is logged in, regardless of this setting.
18 Click OK.
19 In the Schedule dialog box, click Next.
20 In the Scan Name dialog box, type a name and description for the scan. For example, call the scan: Friday morning
21 Click Finish.
Another scan scans drive D. Another scan scans drive E. In this example, a better solution is to create one scheduled scan that scans drives C, D, and E.
1 In the client, in the sidebar, click Scan for threats.
2 Click Create a New Scan.
3 Click Next.
4 In the What to Scan dialog box, select one of the following types of scans to schedule:
5 Click Next.
6 If you selected Custom, in the Select Files dialog box, check the appropriate files and folders that you want to scan. The symbols have the following descriptions:
- The file, drive, or folder is not selected. If the item is a drive or folder, the folders and files in it are also not selected.
- The individual file or folder is selected.
- The individual folder or drive is selected. All items within the folder or drive are also selected.
- The individual folder or drive is not selected, but one or more items within the folder or drive are selected.
7 Click Next.
8 In the Scan Options dialog box, you can do any of the following actions:
- Change the default settings for what is scanned. The default setting is to scan all files.
- Specify how the client responds if a virus or security risk is detected. By default, the client cleans viruses from infected files and repairs any side effects. If the client cannot remove the virus, the client quarantines the file. By default, the client quarantines security risks and removes or repairs any side effects. If the client cannot quarantine and repair the risk, the client logs the event.
10 Click Advanced.
11 In the Advanced Scan Options dialog box, you can set any of the following options:
- Compressed files options
- Backup options
- Dialog options
- Tuning options
- Storage migration options
12 Under Dialog options, in the drop-down list, click Show scan progress, and then click OK.
13 When you are finished configuring advanced options, click OK.
14 You can also change the following options:
- Actions: Change first and second actions to take when viruses and security risks are found.
- Notifications: Construct a message to display when a virus or security risk is found. You can also configure whether or not you want to be notified before remediation actions occur.
- Centralized Exceptions: Create exceptions for scanning.
15 When you are finished configuring scan options, click OK.
16 In the When to Run dialog box, do one of the following actions:
17 In the Scan Options dialog box, click Next.
18 Type a name and description for the scan. For example, call the scan: MyScan1
19 Click Finish.
1 In the client, in the sidebar, click Scan for threats.
2 In the scans list, right-click the scan that you want to edit, and then click Edit.
3 Make any changes on the What to scan, Options, and General tabs. For scheduled scans, you can also modify the schedule.
4 Click OK.
To delete a scan
1 In the client, in the sidebar, click Scan for threats.
2 In the scans list, right-click the scan that you want to delete, and then click Delete.
3 In the Confirm Deletion dialog box, click Yes.

- The names of the infected files
- The names of the viruses or security risks
- The actions that the client performed on the risks
By default, you are notified whenever a virus or security risk is detected.

Note: The language of the operating system on which you run the client might not be able to interpret some characters in virus names. If the operating system cannot interpret the characters, the characters appear as question marks in notifications. For example, some unicode virus names might contain double-byte characters. On the computers that run the client on an English operating system, these characters appear as question marks.

If you configure the client software to display a scan progress dialog box, you can pause, restart, or stop the scan. When the scan is completed, results appear in the list. If no viruses or security risks are detected, the list remains empty and the status is completed. See Pausing and delaying scans on page 48.
Close: Closes the results dialog box if you do not need to take action on any of the risks.

If you need to take action, one of the following notifications appears:
- Remove Risk Required. Appears when a risk requires process termination. If you choose to remove the risk, you return to the results dialog box. If a restart is also required, the information in the risk's row in the dialog box indicates that a restart is required.
- Restart Required. Appears when a risk requires a restart.
- Remove Risk and Restart Required. Appears when a risk requires process termination and another risk requires a restart.
If a restart is required, the removal or repair is not complete until you restart the computer. You might need to take action on a risk but choose not to take action right now.
Managing Antivirus and Antispyware Protection Submitting information about antivirus and antispyware scans to Symantec Security Response
The risk can be removed or repaired at a later time in the following ways:
- You can open the risk log, right-click the risk, and then take an action.
- You can run a scan to detect the risk and reopen the results dialog box.
You can also take action by right-clicking a risk in the dialog box and by selecting an action. The actions that you can take depend on the actions that were configured for the particular type of risk that the scan detected. See Acting on infected files on page 20.
Submitting information about antivirus and antispyware scans to Symantec Security Response
You can specify that information about Auto-Protect or scan detection rates is automatically sent to Symantec Security Response. Information about detection rates potentially helps Symantec refine virus definitions updates. Detection rates show the viruses and security risks that are detected most by customers. Symantec Security Response can remove the signatures that are not detected, and provide a segmented signature list for the customers who request it. Segmented lists increase antivirus and antispyware scan performance. The submission of detection rates is enabled by default.

Note: Your administrator might lock the submission settings.

You can also submit items in the Quarantine to Symantec. See Submitting a potentially infected file to Symantec Security Response for analysis on page 89.

To submit information about antivirus and antispyware scans to Symantec Security Response
1. In the client, in the sidebar, click Change settings.
2. Next to Antivirus and Antispyware Protection, click Configure Settings.
3. On the Submissions tab, check Automatically submit antivirus and antispyware detections.
4. Click OK.
Managing Antivirus and Antispyware Protection Configuring actions for viruses and security risks
In the Scan Actions dialog box, in the tree, select a type of virus or security risk. By default, each security risk subcategory is automatically configured to use the actions that are set for the entire Security Risks category.
To configure a category or specific instances of a category to use different actions, check Override actions configured for Security Risks, and then set the actions for that category only.
Delete risk
Deletes the infected file from your computer's hard drive. If the client cannot delete a file, information about the action that the client performed appears in the Notification dialog box. The information also appears in the Event Log. Use this action only if you can replace the file with a backup copy that is free of viruses or security risks. When the client deletes a risk, it deletes the risk permanently. The infected file cannot be recovered from the Recycle Bin.
See Tips for assigning second actions for viruses on page 78. See Tips for assigning second actions for security risks on page 78.
4. Repeat steps 1 and 3 for each category for which you want to set specific actions. If you selected a security risk category, you can select custom actions for one or more specific instances of that security risk category. You can exclude a security risk from scanning. For example, you might want to exclude a piece of adware that you need to use in your work.
5. Click OK.
A factor that is rated low has a minimal impact. A factor that is rated medium has some impact. A factor that is rated high has a significant impact in that area. If a particular security risk has not been assessed yet, default ratings are used. If a security risk has been assessed, but a particular factor does not apply to that risk, then a rating of none is used. These ratings appear in the Security Risk Exceptions dialog box when you configure a centralized exception for known security risks. You can use these ratings to help to determine which security risks to exclude from scans and allow to remain on your computer. Table 6-4 describes the rating factors and what a high rating means for each of them.
Table 6-4
Rating factor: Description
Privacy Impact
Performance Impact: Measures the extent to which a security risk degrades a computer's performance. A high rating indicates that performance is seriously degraded.
Stealth Rating: Measures how easy it is to determine if the security risk is present on a computer. A high rating indicates that the security risk tries to hide its presence.
Overall rating: An average of the other factors.
A further factor indicates whether or not another application depends on the presence of this security risk to function properly.
Managing Antivirus and Antispyware Protection Configuring notifications for viruses and security risks
You can construct the detection message that you want to appear on your computer. To construct the message, you type directly in the message field. You can right-click in the message field to select variables to include in the message. Table 6-5 describes the variable fields that are available for notification messages.
Table 6-5
Field: Description
VirusName
Status
Filename: The name of the file that the virus or security risk infected.
PathAndFilename: The complete path and name of the file that the virus or security risk infected.
Location: The drive on the computer on which the virus or security risk was located.
Computer: The name of the computer on which the virus or security risk was found.
User: The name of the user who was logged on when the virus or security risk occurred.
ActionDescription: A full description of the actions that were taken in response to detecting the virus or security risk.
Further fields give the type of event, such as Risk Found; the type of scan that detected the virus or security risk; the date on which the virus or security risk was found; and the affected area of the application, for example, File System Auto-Protect or Lotus Notes Auto-Protect.
You can configure notifications for user-defined scans and for Auto-Protect. The notification configuration includes remediation options. Remediation options are only available for scans and File System Auto-Protect. You can click Help for more information about the options that are used in this procedure.
To configure notifications for viruses and security risks
Do one of the following actions:
  For a new scan, in the Scan Options dialog box, click Notifications.
  For an existing scan, on the Scan Options tab, click Notifications.
  For Auto-Protect, in the Antivirus and Antispyware Protection Settings dialog box, on any of the Auto-Protect tabs, click Notifications.
In the Notifications Options dialog box, under Detection Options, check Display notification message on infected computer. Check this option if you want a message to appear on your computer when the scan finds a virus or security risk.
In the message box, do any or all of the following actions to construct the message that you want:
  Click to type or edit text.
  Right-click, click Insert Field, and then select the variable field that you want to insert.
  Right-click, and then select Cut, Copy, Paste, Clear, or Undo.
For Auto-Protect configuration, check or uncheck Display the Auto-Protect results dialog. This parameter allows or suppresses the dialog box that contains results when File System Auto-Protect finds viruses and security risks.
Under Remediation Options, check the options that you want to set for the scan or for File System Auto-Protect. The following options are available:
  Automatically terminate processes: Configures the scan to terminate processes automatically when it needs to do so to remove or repair a virus or security risk. You are not prompted to save data before the scan terminates the processes.
  The corresponding option for services configures the scan to stop services automatically when it needs to do so to remove or repair a virus or security risk. You are not prompted to save data before the scan stops the services.
Click OK.
Managing Antivirus and Antispyware Protection Configuring centralized exceptions for antivirus and antispyware scans
For managed clients, your administrator may have created centralized exceptions for your scans. You can view administrator-defined exceptions; however, you cannot modify them. If you create a centralized exception that conflicts with an administrator-defined exception, the administrator-defined exception takes precedence.
This procedure describes configuring a centralized exception from the Change Settings page. You can also configure exceptions when you create or modify an on-demand, scheduled, or startup scan, or when you modify Auto-Protect settings. Exceptions apply across all antivirus and antispyware scans. If you configure an exception when you create or edit a particular scan, the exception applies to all antivirus and antispyware scans.
Note: You can also configure centralized exceptions for proactive threat scans.
You can click Help for more information about the options that are used in these procedures.
To exclude a security risk from scans
1. In the client, in the sidebar, click Change settings.
2. Next to Centralized Exceptions, click Configure Settings.
3. In the Centralized Exceptions dialog box, on the User-defined Exceptions tab, click Add > Security Risk Exception > Known Risks.
4. In the Select Security Risks dialog box, check the security risks that you want to exclude from scans.
5. If you want to log an event when the security risk is detected and ignored, check Log when the security risk is detected.
6. Click OK.
7. In the Centralized Exceptions dialog box, click OK.
To exclude a file from scans
1. In the client, in the sidebar, click Change settings.
2. Next to Centralized Exceptions, click Configure Settings.
3. In the Centralized Exceptions dialog box, on the User-defined Exceptions tab, click Add > Security Risk Exceptions > File.
4. In the Add File Exception dialog box, select the file or type the filename that you want to exclude, and then click Add.
5. Click OK.
6. In the Centralized Exceptions dialog box, click OK.
To exclude a folder from scans
1. In the client, in the sidebar, click Change settings.
2. Next to Centralized Exceptions, click Configure Settings.
3. In the Centralized Exceptions dialog box, on the User-defined Exceptions tab, click Add > Security Risk > Folder Exceptions.
4. In the Add Folder Exception dialog box, select the folder or type the folder name that you want to exclude.
5. Check Include Subfolders if you want to exclude subfolders of the selected folder.
6. Select the folder that you want to exclude, and then click OK.
7. In the Centralized Exceptions dialog box, click OK.
To exclude extensions from scans
1. In the client, in the sidebar, click Change settings.
2. Next to Centralized Exceptions, click Configure Settings.
3. In the Centralized Exceptions dialog box, on the User-defined Exceptions tab, click Add > Security Risk Exceptions > Extensions.
4. In the Add Extension Exceptions dialog box, type the extension that you want to exclude. You can only include one extension name in the text box. If you type multiple extensions, the client treats the entry as a single extension name.
5. Click Add.
6. Repeat step 4 through step 5 to add more extensions.
7. In the Centralized Exceptions dialog box, click OK.
Note: The language of the operating system on which you run the client might not be able to interpret some characters in risk names. If the operating system cannot interpret the characters, the characters appear as question marks in notifications. For example, some Unicode risk names might contain double-byte characters. On those computers that run the client on an English operating system, these characters appear as question marks.
When the client moves an infected file to the Quarantine, the risk cannot copy itself and infect other files. This action is a recommended second action for both macro and non-macro virus infections. However, the Quarantine action does not clean the risk. The risk stays on your computer until the client cleans the risk or deletes the file. Viruses and macro viruses can be quarantined. Boot viruses cannot be quarantined. Usually, boot viruses reside in the boot sector or partition tables of a computer; these items cannot be moved to the Quarantine.
You can also view properties of the infected file. See Viewing files and file details in the Quarantine on page 86.
Restore the selected file to its original location.
Permanently delete the selected file.
Rescan the files after you receive updated virus definitions.
Export the contents of the Quarantine to either a comma-delimited (*.csv) file or an Access database (*.mdb) file.
Manually add a file to Quarantine. You can browse to the location of and select the file that you want to move to the Quarantine.
Submit a file to Symantec Security Response. Follow the instructions in the on-screen wizard to submit the selected file for analysis.
The client is configured to move the infected items that are detected during Auto-Protect or a scan to the Quarantine. You manually select a file and add it to the Quarantine.
The default options for Auto-Protect and all scan types are to clean a virus from an infected file on detection. The scan software places the file in the Quarantine if the file cannot be cleaned. For security risks, the default option is to place the infected files in the Quarantine, and to repair the side effects of the security risk.
To add a file manually to the Quarantine
1. In the client, in the sidebar, click View quarantine.
2. Click Add.
3. Select the file that you want to add to the Quarantine, and then click Add.
1. In the client, in the sidebar, click View quarantine.
2. Right-click the file that you want to view, and then click Properties.
1. When the Repair Wizard appears, click Yes.
2. Click Next, and then follow the on-screen instructions to rescan the files in the Quarantine.
1. Update your definitions.
2. In the client, in the sidebar, click View quarantine.
3. Select the file and then click Clean.
1. In the client, in the sidebar, click View quarantine.
2. Right-click the repaired file, and then click Restore.
3. Specify the location for the cleaned file.
1. In the client, in the sidebar, click View quarantine.
2. Select one or more backup files.
3. Click Delete.
1. In the client, in the sidebar, click View quarantine.
2. Select one or more files.
3. Click Delete.
1. In the client, in the sidebar, click View quarantine.
2. Click Purge Options.
3. In the Purge Options dialog box, select one of the following tabs:
4. Check or uncheck Length of time stored exceeds. The client deletes the files after the configured time expires.
5. If you check the Length of time stored exceeds check box, type or click an arrow to enter the amount of time. Select the unit of time from the drop-down list. The default is 30 days.
6. If you check the Total folder size exceeds check box, type in the maximum folder size to allow, in megabytes. The default is 50 megabytes.
7. If you check both check boxes, all files that are older than the time that you have set are deleted first. If the size of the folder still exceeds the limit that you set, the client deletes the oldest files individually. The client deletes the oldest files until the folder size does not exceed the limit.
8. Repeat steps 4 through 7 for any of the other tabs.
9. Click OK.
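The two purge limits and the order in which they are applied, as an added Python example written for this guide (not Symantec's code), run over a constructed in-memory list of quarantined files with made-up names, sizes and timestamps:

```python
"""Quarantine purge policy (added example, not Symantec's code).

Models the two Purge Options limits described in the procedure above:
  * age limit: files stored longer than max_age_days are deleted first
  * size limit: if the folder still exceeds max_size_mb, the oldest files
    are deleted one at a time until it no longer does
Passing None for a limit corresponds to leaving that check box unchecked.
The quarantine store is an in-memory list with constructed names, sizes
and timestamps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MB = 1024 * 1024


@dataclass
class QuarantinedFile:
    name: str
    size: int            # bytes on disk
    stored_at: datetime  # when the file was moved to the Quarantine


def purge(files: List[QuarantinedFile], now: datetime,
          max_age_days: Optional[int] = 30,
          max_size_mb: Optional[int] = 50,
          ) -> Tuple[List[QuarantinedFile], List[QuarantinedFile]]:
    """Return (kept, deleted). The input list is not modified."""
    kept = list(files)
    deleted: List[QuarantinedFile] = []

    # Rule 1: "Length of time stored exceeds" - delete everything older than
    # the configured age, regardless of folder size.
    if max_age_days is not None:
        cutoff = now - timedelta(days=max_age_days)
        deleted.extend(f for f in kept if f.stored_at < cutoff)
        kept = [f for f in kept if f.stored_at >= cutoff]

    # Rule 2: "Total folder size exceeds" - if the folder is still too big,
    # remove the oldest remaining files individually until it fits.
    if max_size_mb is not None:
        limit = max_size_mb * MB
        kept.sort(key=lambda f: f.stored_at)  # oldest first
        while kept and sum(f.size for f in kept) > limit:
            deleted.append(kept.pop(0))

    return kept, deleted


# Constructed sample store: one file past the 30-day default, and enough
# recent data to exceed the 50 MB default.
NOW = datetime(2007, 6, 1, 12, 0)
SAMPLE = [
    QuarantinedFile("old_tool.exe", 10 * MB, NOW - timedelta(days=45)),
    QuarantinedFile("big_archive.zip", 30 * MB, NOW - timedelta(days=20)),
    QuarantinedFile("macro_doc.doc", 25 * MB, NOW - timedelta(days=10)),
    QuarantinedFile("recent.dll", 5 * MB, NOW - timedelta(days=1)),
]


def purge_names(max_age_days: Optional[int] = 30,
                max_size_mb: Optional[int] = 50) -> Tuple[List[str], List[str]]:
    """Run purge() over SAMPLE and return just the file names."""
    kept, deleted = purge(SAMPLE, NOW, max_age_days, max_size_mb)
    return [f.name for f in kept], [f.name for f in deleted]


if __name__ == "__main__":
    for args in ((30, 50), (30, None), (None, 40), (None, None)):
        print(args, purge_names(*args))
```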
1. In the client, in the sidebar, click View quarantine.
2. Select the file in the list of quarantined items.
3. Click Submit.
4. Follow the on-screen instructions in the wizard to collect the necessary information and submit the file for analysis.
Chapter
About Proactive Threat Protection
Configuring how often to run proactive threat scans
Managing proactive threat detections
Configuring notifications for proactive threat scan detections
Submitting information about proactive threat scans to Symantec Security Response
Configuring a centralized exception for proactive threat scans
How often and when do you want to scan processes? How much computer resources do you want to provide for Proactive Threat Protection?
Note: If your administrator does not lock proactive threat scan settings, you can configure the settings. Locked settings display a locked padlock icon. The labels on locked settings appear grayed-out.
Table 7-1
Type of processes: Description
Trojan horses and worms: Processes that exhibit characteristics of Trojan horses or worms. Proactive threat scans use heuristics to look for the processes that behave like Trojan horses or worms. These processes may or may not be threats.
Keyloggers
Commercial applications: Known commercial applications that might be used for malicious purposes. Proactive threat scans detect several different types of commercial applications. You can configure actions for two types: keyloggers and remote control programs.
Adware and spyware: Processes that exhibit the characteristics of adware and spyware. Proactive threat scans use heuristics to detect the unknown processes that behave like adware and spyware. These processes may or may not be risks.
Logs the detection of well-known commercial applications.
Logs the detection of processes that behave like Trojan horses, worms, or keyloggers.
Quarantines processes that behave like Trojan horses, worms, or keyloggers and that require remediation.
When a proactive threat scan quarantines a detection, it handles any side effects of the process. If the client rescans the detection after content updates are downloaded to your computer, the client might restore the process to your computer. The client restores the process if the process is no longer considered malicious. The client also restores any side effects of the process. However, the client does not automatically restart the process. For detection of commercial keylogger or remote control applications, you or your administrator can specify a different action. For example, you might want to ignore the detection of commercial keylogger applications. When the client ignores an application, it allows the application and does not log its detection. For Trojan horse, worm, or keylogger detections, you can specify a particular action that the client always uses when it makes a detection.
Managing Proactive Threat Protection Configuring how often to run proactive threat scans
changing the sensitivity might not change the number of false positives; it only changes the number of total detections. See Managing proactive threat detections on page 95.
1. In the client, in the sidebar, click Change settings.
2. Next to Proactive Threat Protection, click Configure Settings.
3. In the Proactive Threat Scan Settings dialog box, on the Scan Frequency tab, check At a custom scanning frequency.
4. Do one or more of the following actions:
  Next to Scan every, set the length of time in number of days, hours, and minutes between scanning processes.
  Check Scan new processes immediately to scan new processes when they are detected.
When the detection of Trojan horses, worms, or keyloggers is enabled, you can choose how you want to manage the detections. By default, proactive threat scans use Symantec defaults. This means that the client determines the action for the detection. (The defaults that are unavailable on the user interface do not reflect the Symantec defaults. The unavailable settings reflect the default settings that you use when you manually manage detections.) Typically, the Symantec default settings provide the best way to handle detections. However, if you have experience with scan results on your computer, you might want to configure the actions and sensitivity levels manually. To configure these parameters, you disable the Symantec defaults option.
To minimize false-positive detections, Symantec recommends that you use the Symantec-managed defaults initially. After a certain length of time, you can observe the number of false positives that the clients detect. If the number is low, you might want to tune the proactive threat scan settings gradually. For example, for the detection of Trojan horses and worms, you might want to move the sensitivity slider slightly higher than its default. You can observe the results of the proactive threat scans that run after you set the new configuration.
Note: For managed clients, typically your administrator configures the proactive threat scan settings that are appropriate for your computer.
For commercial applications, you can specify the type of action to take when a proactive threat scan detects commercial keylogger or commercial remote control programs. You can change these settings regardless of the configuration for Trojan horses, worms, or keyloggers.
1. In the client, in the sidebar, click Change settings.
2. Next to Proactive Threat Protection, click Configure Settings.
3. In the Proactive Threat Scan Settings dialog box, on the Scan Details tab, under Trojans and Worms, check or uncheck Scan for trojans and worms.
4. Under Keyloggers, check or uncheck Scan for keyloggers.
5. Click OK.
Specifying actions and sensitivity levels for detecting Trojan horses, worms, and keyloggers
If you choose to manage Trojan horse, worm, or keylogger detections yourself, you can configure the action to take when these processes are detected. That action is always used when proactive threat scans make a detection. For example, you might set the action to log only. If a proactive threat scan detects a process that it categorizes as a true positive, the client logs the detection. The client does not quarantine the process.
You can also set different sensitivity levels for the detection of Trojan horses and worms and the detections of keyloggers. The sensitivity level determines how sensitive proactive threat scans should be when they scan processes. A higher sensitivity results in more detections. Keep in mind that some of these detections might be false positives. Setting the sensitivity level lower or higher might not change the percentage of false positives that proactive threat scans produce. It only changes the number of total detections. You might want to keep the sensitivity level lower until you see the results of proactive threat scans on your computer. If proactive threat scans do not produce any detections at a lower sensitivity level, you can increase the sensitivity.
You can click Help for more information about the options that are used in the procedure.
To set the action and the sensitivity level for Trojan horses and worms
1. In the client, in the sidebar, click Change settings.
2. Next to Proactive Threat Protection, click Configure Settings.
3. In the Proactive Threat Scan Settings dialog box, on the Scan Details tab, under Trojans and Worms, ensure that Scan for trojans and worms is checked, and then uncheck Use defaults defined by Symantec.
4. Under Sensitivity, move the slider to the left or right to decrease or increase the sensitivity respectively.
5. In the drop-down list, select Log, Terminate, or Quarantine.
6. Click OK.
To set the action and sensitivity level for keyloggers
1. In the client, in the sidebar, click Change settings.
2. Next to Proactive Threat Protection, click Configure Settings.
3. In the Proactive Threat Scan Settings dialog box, on the Scan Details tab, under Keyloggers, ensure that Scan for keyloggers is checked, and then uncheck Use defaults defined by Symantec.
Managing Proactive Threat Protection Configuring notifications for proactive threat scan detections
4. For the sensitivity level, select Low or High.
5. In the drop-down list, select Log, Terminate, or Quarantine.
6. Click OK.
1. In the client, in the sidebar, click Change settings.
2. Next to Proactive Threat Protection, click Configure Settings.
3. In the Proactive Threat Scan Settings dialog box, on the Scan Details tab, under Commercial Applications, do any of the following actions:
  Set the action for commercial keyloggers to Log, Terminate, Quarantine, or Ignore.
  Set the action for commercial remote control applications to Log, Terminate, Quarantine, or Ignore.
4. Click OK.
1. In the client, click Change settings.
2. Next to Proactive Threat Protection, click Configure Settings.
Managing Proactive Threat Protection Submitting information about proactive threat scans to Symantec Security Response
3. In the Proactive Threat Scan Settings dialog box, on the Notifications tab, check Display a message when there is a detection.
4. Check or uncheck Prompt before terminating a process and Prompt before stopping a service.
5. Click OK.
The path to the executable
The executable
The information about the file and the registry load points that refer to the threat
The internal state information
The content version that the proactive threat scan used
Any personal information that can identify your computer is not submitted. The submission of proactive threat scan detections to Symantec Security Response is enabled by default.
Note: Your administrator can lock the submissions settings.
You can click Help for more information about the options that are used in the procedure.
To enable or disable submitting information to Symantec Security Response
1. In the client, in the sidebar, click Change settings.
2. Next to Antivirus and Antispyware Protection, click Configure Settings.
Managing Proactive Threat Protection Configuring a centralized exception for proactive threat scans
3. In the Antivirus and Antispyware Protection Settings dialog box, on the Submissions tab, check or uncheck Automatically submit Proactive Threat Scan detections.
4. Click OK.
1. In the client, in the sidebar, click Change settings.
2. Next to Centralized Exceptions, click Configure Settings.
3. On the User-defined Exceptions tab, click Add, and then select Proactive Threat Protection Exception.
4. In the Add Proactive Threat Exception dialog box, type a process name or select a file for which you want to create an exception.
5. In the Action drop-down list, select Ignore, Log Only, Quarantine, or Terminate.
6. Click Add.
Chapter
About Network Threat Protection
Configuring the firewall
Configuring intrusion prevention
Configuring application-specific settings
Enabling and disabling file and print sharing
code to a particular port. If a program that is vulnerable to this attack listens to that port, the code can let the attacker gain access to, disable, or even take control of the computer. The programming code that is used to generate the attacks can exist inside a packet, or it can span several packets. Your client is installed with default settings for Network Threat Protection. In most cases you do not have to change the settings. It is generally safe to leave the settings as they are. However, if you have a detailed understanding of networks, you can make many changes in the client firewall to fine-tune your protection.
Intrusion prevention
To assess how to better protect your computer, you can test the vulnerability of your computer to outside network attacks and viruses. To test your computer, you can run several scans. See Testing the security of your computer on page 29.
[Figure: a client computer connected through the firewall to the Internet. The firewall allows or blocks network traffic that is specified by the firewall policy.]
All information that enters or leaves the private network must pass through the firewall. The firewall examines the information packets and blocks those that do not meet the specified security criteria. The way it examines the information packets is through the use of firewall rules. Firewall Policies consist of one or more rules that work together to allow or block users from accessing the network. Only authorized traffic can pass. A Firewall Policy defines the authorized traffic. The firewall works in the background. Your administrator determines the level of interaction that you have with the client by permitting or by blocking your ability to configure firewall rules and firewall settings. You can interact with the client only when it notifies you of new network connections and possible problems, or you can have full access to the user interface.
Blocks inbound traffic and outbound traffic. Warns you of any connection attempts from other computers and the attempts by applications on your computer to connect to other computers.
Intrusions
The Symantec IPS signatures use a stream-based engine that scans multiple packets. Symantec IPS signatures intercept network data at the session layer and capture segments of messages that are passed back and forth between an application and the network stack. The Symantec IPS examines packets in two ways. It scans each packet individually by looking for the patterns that do not adhere to specifications and that can crash the TCP/IP stack. It also monitors the packets as a stream of information, by looking for the commands that are directed at a particular service to exploit or crash the system. The IPS can remember the list of patterns or partial patterns from previous packets, and the IPS can apply this information to subsequent packet inspections. The IPS relies on an extensive list of attack signatures to detect and block suspicious network activity. Symantec supplies the known threat list, which you can update on the client by using Symantec LiveUpdate. The Symantec IPS engine and corresponding set of IPS signatures are installed on the client by default.
The custom IPS signatures use a packet-based engine that scans each packet individually. Both the stream-based and packet-based engines detect signatures in the network data that attack the TCP/IP stack, operating system components, and the application layer. However, packet-based signatures can detect attacks in the TCP/IP stack earlier than stream-based signatures. The packet-based engine does not detect signatures that span multiple packets. The packet-based IPS engine is more limited, because it does not buffer partial matches, and it scans single packet payloads only.
The intrusion prevention system logs the detected attacks in the Security Log. The custom IPS signatures may log detected attacks in the Packet Log. See Configuring intrusion prevention on page 119.
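To make the difference between the two engines concrete, here is an added Python example (not the Symantec IPS code): a packet-based matcher that inspects each payload on its own, beside a stream-based matcher that keeps the tail of the previous payload per session and so can match a signature that spans two packets. The signature strings, session names and payloads are all constructed.

```python
"""Packet-based versus stream-based signature matching (added example;
not the Symantec IPS engine). The signatures, session names and payloads
below are all constructed.
"""
from typing import Dict, List, Tuple

# Constructed signatures: a command with an over-long argument (the kind of
# pattern that can straddle a packet boundary) and an invalid token that
# fits inside a single packet.
SIGNATURES: Dict[str, bytes] = {
    "cmd-overlong-arg": b"CMD " + b"A" * 16,
    "bad-token": b"\x00NOTAVALIDTOKEN\x00",
}

Hit = Tuple[int, str, str]   # (packet index, session, signature name)


def packet_engine(packets: List[Tuple[str, bytes]],
                  signatures: Dict[str, bytes] = SIGNATURES) -> List[Hit]:
    """Inspect every payload on its own: no state is kept between packets,
    so a pattern split over two packets is never seen whole."""
    hits: List[Hit] = []
    for idx, (session, payload) in enumerate(packets):
        for name, sig in signatures.items():
            if sig in payload:
                hits.append((idx, session, name))
    return hits


class StreamEngine:
    """Remembers, per session, the tail of earlier payloads so that a
    signature can be matched across packet boundaries."""

    def __init__(self, signatures: Dict[str, bytes] = SIGNATURES) -> None:
        self.signatures = signatures
        # Longest prefix of a signature that can be left dangling at the end
        # of one packet and completed in the next.
        self.keep = max(len(s) for s in signatures.values()) - 1
        self.tail: Dict[str, bytes] = {}

    def inspect(self, idx: int, session: str, payload: bytes) -> List[Hit]:
        prev = self.tail.get(session, b"")
        data = prev + payload
        hits: List[Hit] = []
        for name, sig in self.signatures.items():
            # Only report matches that end inside the new payload; a match
            # lying entirely in prev was reported with the earlier packet.
            first_new = max(0, len(prev) - len(sig) + 1)
            if data.find(sig, first_new) >= 0:
                hits.append((idx, session, name))
        self.tail[session] = data[-self.keep:] if self.keep > 0 else b""
        return hits


def stream_engine(packets: List[Tuple[str, bytes]],
                  signatures: Dict[str, bytes] = SIGNATURES) -> List[Hit]:
    engine = StreamEngine(signatures)
    hits: List[Hit] = []
    for idx, (session, payload) in enumerate(packets):
        hits.extend(engine.inspect(idx, session, payload))
    return hits


# Constructed traffic: session A carries the over-long command split across
# packets 1 and 2; session B carries the invalid token in one packet.
SAMPLE_PACKETS = [
    ("A", b"HELO service\r\n"),
    ("A", b"CMD AAAAAAAA"),
    ("A", b"AAAAAAAA\r\n"),
    ("B", b"\x00NOTAVALIDTOKEN\x00"),
]


if __name__ == "__main__":
    print("packet-based:", packet_engine(SAMPLE_PACKETS))
    print("stream-based:", stream_engine(SAMPLE_PACKETS))
```

The packet-based engine reports only the single-packet token; the stream-based engine also reports the split command, attributed to the packet that completed it.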
Table 8-2 Actions that the client takes when applications access the client or network
Action: Description
Allow: Allows the inbound traffic to access the client computer and the outbound traffic to access the network. If the client receives traffic, the icon displays a small blue dot in the lower left-hand corner. If the client sends traffic, the icon displays the dot in the lower right-hand corner.
Ask: Asks whether inbound traffic is allowed to access your computer or company network. If you or your administrator configured the client to ask you whether to allow your applications to access network resources, the icon appears with a small, yellow question mark. You can set the client to remember your responses, so that you do not have to tell the client again.
Block: Blocks the inbound traffic and the outbound traffic from accessing the network or an Internet connection.
Note: The client does not detect network traffic from PDA (personal digital assistant) devices.
To view traffic history
1. In the client, in the sidebar, click Status.
2. Beside Network Threat Protection, click Options > View Network Activity. For more information on the graphs and fields, click Help.
3. Click Close.
You can display the traffic as either broadcast traffic or unicast traffic. Broadcast traffic is the network traffic that is sent to every computer in a particular subnet, and is not directed specifically to your computer. Unicast traffic is the traffic that is directed specifically to your computer.
To show or hide Windows services and broadcast traffic
1. In the client, in the sidebar, click Status.
2. Beside Network Threat Protection, click Options > View Network Activity.
3. In the Network Activity dialog box, right-click the Running Applications field and do the following actions:
  To show or hide Windows services, check or uncheck Show Windows Services.
  To display broadcast traffic, check Show Broadcast Traffic.
  To display unicast traffic, uncheck Show Broadcast Traffic.
4. Click Close.
To change the way the application icon appears
1. In the client, in the sidebar, click Status.
2. Beside Network Threat Protection, click Options > View Network Activity.
3. In the Running Applications field, right-click the application, and then click one of the following views:
4. Click Close.
Enables the additional traffic features such as driver-level protection, NetBIOS protection, token ring traffic, DNS reverse lookup, and stealth mode settings.
Your administrator may or may not have given you permission to customize firewall rules and firewall settings. If you do not have permission, the administrator creates firewall rules and enables settings in a Firewall Policy and distributes the policy to the client. If you do have permission, you can create rules and modify settings on the client to fit your network environment. Your administrator may have configured the client to merge the rules that your administrator created and rules that you have created. You can disable the protection at certain times, such as during the installation of new software. See Enabling and disabling Network Threat Protection on page 45.
Actions: Allow or block, and log or do not log. The action parameters specify what the firewall does when a packet matches the rule. When the rule is selected for a packet, the firewall performs all of its actions: it either allows or blocks the packet, and it either logs or does not log the packet. If the rule allows traffic, the traffic that the rule specifies is let through to or from your computer. If the rule blocks traffic, the traffic that the rule specifies is dropped so that it does not reach your computer or leave it.
For example, a rule may state that remote port 80 is allowed to the IP address 192.58.74.0, between 9 AM and 5 PM daily. Table 8-4 describes the triggers you can define in a firewall rule.

Table 8-4 Firewall rule triggers

Application

Protocol
All IP protocols: Any protocol.
TCP: Port or port ranges.
UDP: Port or port ranges.
ICMP: Type and code.
Specific IP Protocol: Protocol number (the protocol field of the IP header). Examples: 1 = ICMP, 6 = TCP, 17 = UDP.

Network adapter
If you define a network adapter trigger, the rule is relevant only to the traffic that is transmitted or received through the specified type of adapter. You can specify either any adapter or the one that is currently associated with the client computer.
rulebase. A rule must permit the initial outbound traffic before the firewall tracks and logs the connection. Stateful inspection lets you simplify rulebases because you don't have to create rules that permit traffic in both directions for traffic that is typically initiated in one direction only. Client traffic that is typically initiated in one direction includes Telnet (port 23), HTTP (port 80), and HTTPS (port 443). Clients initiate this traffic outbound, so you only have to create a rule that permits outbound traffic for these protocols; the firewall permits the return traffic. By configuring only the outbound rules, you increase client security in the following ways:
Reduce rulebase complexity.
Eliminate the possibility that a worm or other malicious program can initiate connections to a client on the ports that are configured for outbound traffic only.
You can also configure inbound-only rules for traffic to clients that the clients do not initiate.
Stateful inspection supports all the rules that direct TCP traffic. Stateful inspection does not support the rules that filter ICMP traffic. For ICMP, you must create the rules that permit traffic in both directions when necessary. For example, for clients to use the ping command and receive replies, you must create a rule that permits ICMP traffic in both directions.
until the firewall finds a match. After the firewall finds a match, the firewall takes the action that the rule specifies, and subsequent lower priority rules are not inspected. For example, if a rule that blocks all traffic is listed first, followed by a rule that allows all traffic, the client blocks all traffic. You can order the rules within the priority categories so that the firewall evaluates them in a logical sequence. Order the rules by exclusivity, with the most restrictive rules evaluated first and the most general rules evaluated last. For example, if you create rules that block traffic, you must place them near the top, because a more general rule listed above them may allow the traffic. Table 8-5 shows the order in which the firewall processes the rules and the settings.

Table 8-5 Order in which the firewall processes rules, firewall settings, IPS signatures, and IPS settings

Priority  Setting
First     Custom IPS signatures
Second    Intrusion prevention settings, traffic settings, and stealth settings
Third     Smart traffic filters
Fourth    Firewall rules
Fifth     Port scan checks
Sixth     IPS signatures that are downloaded through LiveUpdate
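The following is an added example, not Symantec code, that models the two behaviours described above: first-match rule ordering (a block-all rule listed first shadows every allow rule after it) and stateful inspection, which admits TCP return traffic for a connection that an outbound rule allowed but does nothing for ICMP, so a ping reply still needs its own inbound rule. The packet and rule fields, the rule names, and the addresses and ports are constructed for illustration.

```python
# Added example (not Symantec code): a small model of how a first-match firewall
# rulebase and stateful inspection interact, using constructed packets.
# Rule fields, packet fields and the rule names are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" or "out" relative to this client
    proto: str                     # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: Optional[int]     # None for ICMP
    local_port: Optional[int]      # None for ICMP
    app: str = "any"               # constructed application name


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    direction: str = "any"         # "in", "out" or "any"
    proto: str = "any"
    remote_port: Optional[int] = None   # None means any port
    remote_ip: Optional[str] = None     # None means any host
    app: str = "any"
    log: bool = False              # the "log" / "do not log" action parameter

    def matches(self, pkt: Packet) -> bool:
        return all((
            self.direction in ("any", pkt.direction),
            self.proto in ("any", pkt.proto),
            self.remote_port in (None, pkt.remote_port),
            self.remote_ip in (None, pkt.remote_ip),
            self.app in ("any", pkt.app),
        ))


class Firewall:
    """Rules are inspected top to bottom; the first match decides and lower rules are skipped."""

    def __init__(self, rules: List[Rule], default: str = "block"):
        self.rules = list(rules)
        self.default = default
        # Connections opened by an allowed outbound TCP packet. Return traffic for
        # them is allowed without a matching inbound rule (stateful inspection).
        self.sessions = set()
        self.log: List[Tuple[str, Packet]] = []

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        # Stateful inspection covers TCP only; ICMP needs explicit rules both ways.
        if pkt.proto == "tcp" and pkt.direction == "in":
            if (pkt.remote_ip, pkt.remote_port, pkt.local_port) in self.sessions:
                return "allow", "stateful return traffic"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append((rule.name, pkt))
                if rule.action == "allow" and pkt.proto == "tcp" and pkt.direction == "out":
                    self.sessions.add((pkt.remote_ip, pkt.remote_port, pkt.local_port))
                return rule.action, rule.name
        return self.default, "default"


def build_firewall() -> Firewall:
    return Firewall([
        Rule("allow-https-out", "allow", direction="out", proto="tcp", remote_port=443),
        Rule("allow-ping-out", "allow", direction="out", proto="icmp"),
        Rule("allow-ping-in", "allow", direction="in", proto="icmp"),
        Rule("block-everything-else", "block", log=True),
    ])


def run_scenarios() -> dict:
    fw = build_firewall()
    https_out = Packet("out", "tcp", "203.0.113.10", 443, 51000, app="browser.exe")
    https_back = Packet("in", "tcp", "203.0.113.10", 443, 51000)
    unsolicited = Packet("in", "tcp", "203.0.113.10", 443, 51001)
    results = {
        "https_out": fw.evaluate(https_out),
        "https_return": fw.evaluate(https_back),
        "unsolicited_in": fw.evaluate(unsolicited),
        "ping_out": fw.evaluate(Packet("out", "icmp", "203.0.113.10", None, None)),
        "ping_reply": fw.evaluate(Packet("in", "icmp", "203.0.113.10", None, None)),
        "logged": len(fw.log),
    }
    # Ordering matters: a block-all rule listed first shadows every allow rule after it.
    shadowed = Firewall([Rule("block-all", "block"), Rule("allow-all", "allow")])
    results["block_listed_first"] = shadowed.evaluate(https_out)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The unsolicited inbound packet to port 51001 is blocked even though it comes from the same server on port 443, because no outbound packet opened that connection; that is the worm-initiated-connection case the text says outbound-only rules eliminate.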
Adding rules
When you add a firewall rule, you must decide what effect you want the rule to have. For example, you may want to allow all traffic from a particular source or block the UDP packets from a Web site.

To add rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, click Add.
4 On the General tab, type a name for the rule, and then click either Block this traffic or Allow this traffic.
5 To define the network adapter for the rule, in the Apply this rule to the following network adapter drop-down list, select a network adapter.
6 To specify whether the rule applies while the screen saver is on or off, select an option in the Apply this rule while the screen saver is drop-down list.
7 To define the triggers for the rule, select any one of the following tabs:
For more information about the options on each tab, click Help.
8 To define the time period when the rule is active or inactive, click Scheduling, and then set up a schedule.
10 When you're done making changes, click OK.
11 In the Configure Firewall Rules dialog box, make sure the check mark appears in the Rule Name column to enable the rule.
12 Click OK.
To change the order of rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, select the rule that you want to move.
4 Do one of the following actions:
To have the firewall process this rule before the rule above it, click the blue up arrow.
To have the firewall process this rule after the rule below it, click the blue down arrow.
To enable or disable rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, check or uncheck the check box in the Rule Name column for the rule you want to enable or disable.
4 Click OK.
To export rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, select the rules you want to export.
4 Right-click the rules, and then click Export Selected Rules.
5 In the Export dialog box, type a file name, and then click Save.
6 Click OK.

To import rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, right-click the firewall rules list, and then click Import Rule.
4 In the Import dialog box, locate the .sar file that contains the rules you want to import.
To edit rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, select the rule, and then click Edit.
4 Change the settings on any tab.
5 When you have finished changing rules, click OK.

To delete rules
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > Configure Firewall Rules.
3 In the Configure Firewall Rules dialog box, select one or more rules and click Delete.
4 In the message box that appears, click Yes.
5 Click OK.
Traffic settings

Driver-level protection: Checks the traffic that comes from both the TCP/IP stack and other protocol drivers. Most attacks in an enterprise network occur through Windows TCP/IP connections, but attacks can also be launched through other protocol drivers. Any protocol driver that accesses the network is treated as a network application. The client blocks protocol drivers from accessing the network unless a rule specifically allows the access. If a protocol driver tries to access the network, a notification asks whether you want to allow it.

NetBIOS protection: Blocks NetBIOS traffic from an external gateway. You can use Network Neighborhood file and printer sharing on a LAN and still protect the computer from NetBIOS exploits from any external network. This option blocks the NetBIOS packets that originate from IP addresses that are not part of the internal ranges: the private ranges 10.x.x.x, 172.16.x.x (RFC 1918 defines this range as 172.16.0.0/12, that is 172.16.0.0 through 172.31.255.255) and 192.168.x.x, and the link-local range 169.254.x.x, with the exception of the 169.254.0.x and 169.254.255.x subnets. The ports that this option treats as NetBIOS traffic are UDP 88, UDP 137, UDP 138, TCP 135, TCP 139, TCP 445, and TCP 1026. Because the check is made on the packet's source address, which an attacker on the same segment can forge, it complements rather than replaces the ARP and firewall rules that govern who may talk to the computer at all.

Token ring traffic: Allows client computers that connect through a token ring adapter to access the network, regardless of the firewall rules on the client. If you disable this setting, traffic from computers that connect through a token ring adapter cannot reach the corporate network. The firewall does not filter token ring traffic; it either allows all token ring traffic or blocks all of it.

Block all traffic until the firewall starts and after the firewall stops: Blocks all inbound traffic to and outbound traffic from the client computer whenever the firewall is not running, for any reason. Without this setting the computer is not protected:
After the client computer turns on and before the firewall service starts.
After the firewall service stops and before the client computer shuts down.
This time frame is a small security hole that can allow unauthorized communication. This setting prevents unauthorized applications from communicating with other computers during it.

Allow initial DHCP and NetBIOS traffic: Allows the initial traffic that enables network connectivity. This traffic includes the initial DHCP and NetBIOS traffic that allows the client to obtain an IP address.

Enable stealth mode Web browsing: Detects the HTTP traffic from a Web browser on any port and removes the browser name and version number, the operating system, and the referring Web page (the User-Agent and Referer headers). It stops Web sites from knowing which operating system and browser the computer uses. It does not detect HTTPS (SSL) traffic, so the headers of encrypted requests are sent unchanged.
Stealth settings

TCP resequencing: Prevents an intruder from forging or spoofing an individual's IP address. An attacker who can predict a connection's TCP sequence numbers can hijack a session between two computers, A and B: the attacker sends a packet that causes computer A to drop the connection, then impersonates computer A to communicate with and attack computer B. To protect the computer, TCP resequencing randomizes the client's TCP sequence numbers so that they cannot be predicted.

Operating system masquerading: Prevents the detection of the client computer's operating system. The client changes the TTL and identification values of TCP/IP packets so that fingerprinting tools cannot identify the operating system from them.

ARP filtering: Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic, such as the unsolicited ARP replies used to poison an ARP cache, and logs it in the Security Log.
To enable traffic and stealth settings
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Firewall.
4 On the Firewall tab, in the Traffic Settings and Stealth Settings group boxes, check the check boxes to enable the settings.
5 Click OK.
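As an added example, not Symantec code, the following models the NetBIOS protection setting described above over a few constructed inbound packets: a packet counts as NetBIOS only if it is on one of the listed ports, and it is then allowed or blocked by whether its source address falls inside the internal ranges, with the two excluded link-local subnets honoured. The 172.16.0.0/12 width is an assumption taken from RFC 1918 (the text says 172.16.x.x); the sample addresses are constructed.

```python
# Added example (not Symantec code): the "block NetBIOS traffic from an external
# gateway" check, modelled over constructed packets with the ipaddress module.
# The port list and the 169.254.0.x / 169.254.255.x exclusions follow the text;
# the 172.16.0.0/12 width is an assumption taken from RFC 1918 (the text says 172.16.x.x).
import ipaddress
from typing import List, Tuple

# (protocol, port) pairs the setting treats as NetBIOS traffic.
NETBIOS_PORTS = {
    ("udp", 88), ("udp", 137), ("udp", 138),
    ("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 1026),
}

INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),     # assumption: RFC 1918 width
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]
# Link-local subnets the text excludes from the internal ranges.
EXCLUDED_SUBNETS = [
    ipaddress.ip_network("169.254.0.0/24"),
    ipaddress.ip_network("169.254.255.0/24"),
]


def is_internal_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in EXCLUDED_SUBNETS):
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def netbios_verdict(proto: str, src_ip: str, dst_port: int) -> str:
    """'pass' = not NetBIOS, left to the firewall rules; otherwise 'allow' or 'block'."""
    if (proto.lower(), dst_port) not in NETBIOS_PORTS:
        return "pass"
    return "allow" if is_internal_source(src_ip) else "block"


def filter_packets(packets: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    return [(p, s, d, netbios_verdict(p, s, d)) for p, s, d in packets]


# Constructed inbound packets: (protocol, source IP, destination port).
SAMPLE_PACKETS = [
    ("tcp", "192.168.1.20", 445),    # LAN file sharing: allowed
    ("tcp", "203.0.113.5", 445),     # SMB from the Internet: blocked
    ("udp", "169.254.10.7", 137),    # link-local name query: allowed
    ("udp", "169.254.0.7", 137),     # excluded link-local subnet: blocked
    ("tcp", "172.31.4.4", 139),      # inside 172.16.0.0/12 (assumption): allowed
    ("tcp", "203.0.113.5", 80),      # not NetBIOS: handled by the ordinary rules
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```

If the product actually treats 172.16.x.x as a /16, change the second entry of INTERNAL_RANGES to 172.16.0.0/16 and the 172.31.4.4 packet flips to "block".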
If the client sends a request to the server, the client waits for five seconds to allow an inbound response. If the client did not send a request to the server, the filter does not allow the packet.

Smart filters allow a packet only if a matching request was made. They do not block packets; the firewall rules allow or block packets.

To enable Smart traffic filtering
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Firewall.
4 Check one or more of the following check boxes:
5 Click OK.
Blocking traffic

You can configure your computer to block inbound traffic and outbound traffic in the following situations:

When your computer's screen saver is activated. You can configure your computer to block all inbound and outbound Network Neighborhood traffic while the screen saver is active. As soon as the screen saver turns off, your computer returns to the previously assigned security level.
When the firewall does not run. The computer is not protected after the client computer turns on and before the firewall service starts, or after the firewall service stops and before the computer turns off. This time frame is a small security hole that can allow unauthorized communication.
When you want to block all inbound and outbound traffic at any time. You may want to block all traffic when a particularly destructive virus attacks your company's network or subnet. You would not block all traffic under normal circumstances. Your administrator may have configured this option to be unavailable.
To block traffic when the screen saver runs
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Microsoft Windows Networking.
4 On the Microsoft Windows Networking tab, click Block Microsoft Windows Networking traffic while the screen saver runs.
5 Click OK.

To block traffic when the firewall does not run
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Firewall.
4 On the Firewall tab, click Block all traffic until the firewall starts and after the firewall stops.
5 Optionally click Allow initial DHCP and NetBIOS traffic.
6 Click OK.

To block all network traffic at any time
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > View Network Activity.
3 Click Tools > Block All Traffic.
4 To confirm, click Yes.
5 To return to the previous firewall settings that the client uses, uncheck Tools > Block All Traffic.
You can allow all traffic by disabling Network Threat Protection. See Enabling and disabling Network Threat Protection on page 45.
Intrusion prevention consists of the following components:
Intrusion prevention system signatures that detect and prevent network attacks.
Intrusion prevention settings that prevent port scans and denial-of-service attacks.
Active response, which automatically blocks the computers that send attacks.
Typically, when you disable the intrusion prevention settings on your computer, your computer is less secure. However, you may need to disable these settings to prevent false positives or to troubleshoot the client computers.
The client logs the attacks and the security events that the intrusion prevention system detects in the Security Log. The client may also log the attacks and the events in the Packet Log.

Note: Your administrator may have configured these options to be unavailable.

To enable intrusion prevention settings
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Intrusion Prevention.
4 To enable a setting, check any of the following check boxes:
Enable Intrusion Prevention
Enable denial of service detection
Enable port scan detection
5 Click OK.
To configure intrusion prevention notifications
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Intrusion Prevention.
4 Check Display Intrusion Prevention notifications.
5 To hear a beep when the notification appears, check Use sound when notifying users.
6 In the Number of seconds to display notifications field, type how long you want the notifications to appear.
7 Click OK.
To set how long an attacking computer is blocked
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Intrusion Prevention.
4 Check Number of seconds to automatically block an attacker's IP address, and then enter the number of seconds, from 1 to 999,999. The default is 600 seconds, or 10 minutes.
5 Click OK.

If you don't want to wait the configured time for the IP address to be unblocked, you can unblock it immediately.
To unblock an attacker's IP address
1 In the client, in the sidebar, click View logs.
2 Beside Client Management, click View Logs > Security Log.
3 In the Security Log, select the row that contains Active Response in the Event Type column, and then click Action > Stop Active Response. To unblock all blocked IP addresses, click Action > Stop All Active Response. If you unblock an active response, the Event Type column displays Active Response canceled. If the active response times out, the Event Type column displays Active Response disengaged.
4 In the message box that appears, click OK.
5 Click File > Exit.
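The following is an added example, not Symantec code, that models the active response lifecycle described in the two procedures above: an attacker address is blocked for a configurable number of seconds (1 to 999,999, default 600), a manual stop records Active Response canceled, and expiry records Active Response disengaged. The class and method names, the injected clock, and the attacker addresses are constructed for the demonstration.

```python
# Added example (not Symantec code): a model of the active-response block list the
# text describes, with the 600-second default, the 1..999,999 bound, manual
# cancellation and timeout. The clock is injected so the demo runs instantly.
import time
from typing import Callable, Dict, List, Tuple

DEFAULT_BLOCK_SECONDS = 600       # 10 minutes
MAX_BLOCK_SECONDS = 999_999


class ActiveResponse:
    def __init__(self, block_seconds: int = DEFAULT_BLOCK_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        if not 1 <= block_seconds <= MAX_BLOCK_SECONDS:
            raise ValueError("block time must be between 1 and 999,999 seconds")
        self.block_seconds = block_seconds
        self.clock = clock
        self.blocked: Dict[str, float] = {}            # attacker IP -> expiry time
        self.security_log: List[Tuple[str, str]] = []  # (event type, IP)

    def engage(self, attacker_ip: str) -> None:
        """Called when the IPS attributes an attack to attacker_ip."""
        self.blocked[attacker_ip] = self.clock() + self.block_seconds
        self.security_log.append(("Active Response", attacker_ip))

    def stop(self, attacker_ip: str) -> None:
        """Action > Stop Active Response on one Security Log row."""
        if self.blocked.pop(attacker_ip, None) is not None:
            self.security_log.append(("Active Response canceled", attacker_ip))

    def stop_all(self) -> None:
        """Action > Stop All Active Response."""
        for ip in list(self.blocked):
            self.stop(ip)

    def is_blocked(self, ip: str) -> bool:
        """Packet-path check; an expired entry disengages on first use after timeout."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.blocked[ip]
            self.security_log.append(("Active Response disengaged", ip))
            return False
        return True


class FakeClock:
    """Constructed clock so the timeout can be exercised without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_demo() -> Tuple[bool, bool, bool, List[str]]:
    clock = FakeClock()
    ar = ActiveResponse(block_seconds=600, clock=clock)
    ar.engage("203.0.113.9")        # constructed attacker addresses
    ar.engage("198.51.100.4")
    still_blocked = ar.is_blocked("203.0.113.9")
    ar.stop("198.51.100.4")         # unblock immediately instead of waiting
    unblocked_early = ar.is_blocked("198.51.100.4")
    clock.now = 601.0               # past the 600-second window
    after_timeout = ar.is_blocked("203.0.113.9")
    return still_blocked, unblocked_early, after_timeout, [e[0] for e in ar.security_log]


if __name__ == "__main__":
    print(run_demo())
```

One caveat the model makes visible: active response keys on the attacker's source IP, so a block can be triggered against a spoofed address, which is why the manual Stop Active Response action exists and why a 10-minute default rather than a permanent block is used.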
To configure settings for an application
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > View Applications List.
3 In the View Applications List dialog box, select the application you want to configure, and then click Configure.
4 In the Configure Application Settings dialog box, in the Trusted IPs for the application field, type an IP address or an IP range.
5 In the Remote server ports or Local ports group boxes, select a TCP or a UDP port.
6 To specify the direction of the traffic, click one or both of the following items:
To allow outbound traffic, click Allow outgoing connections.
To allow inbound traffic, click Allow incoming connections.
7 To apply the rule when the screen saver runs, click Allow while screen saver is activated.
8 To set up a schedule when the restrictions are or are not in effect, click Enable scheduling.
9 Select one of the following items:
To specify the time when the restrictions are in effect, click During the period below.
To specify the time when the restrictions are not in effect, click Excluding the period below.
10 Set up the schedule.
11 Click OK.
12 In the View Applications List dialog box, to change the action, right-click the application, and then click Allow, Ask, or Block.
13 Click OK.
You can also change the action for the application from the Network Activity dialog box.

To change an application's action from the Network Activity dialog box
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > View Network Activity.
3 In the Network Activity dialog box, in the Running Applications field, right-click the application or service, and then click Allow, Ask, or Block.
4 Click Close. When you change the application's action, the application appears in the Applications list.

To terminate an application
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > View Network Activity.
3 In the Running Applications field, right-click the application, and then click Terminate.
4 Click OK.
Managing Network Threat Protection Enabling and disabling file and print sharing
To remove applications from the Applications list
1 In the client, in the sidebar, click Status.
2 Beside Network Threat Protection, click Options > View Applications List.
3 In the View Applications List dialog box, do one of the following actions:
To remove an application from the list, select it, and then click Remove.
To remove all applications from the list, click Remove All.
4 Click OK.
To enable file and print sharing
1 In the client, in the sidebar, click Change settings.
2 Beside Network Threat Protection, click Configure Settings.
3 In the Network Threat Protection Settings dialog box, click Microsoft Windows Networking.
4 On the Microsoft Windows Networking tab, to browse other computers and printers on the selected network, click Browse files and printers on the network.
5 To enable other users to browse files on your computer, click Share my files and printers with others on the network.
6 Click OK.
Chapter 9

Symantec Network Access Control basics

About Symantec Network Access Control
Running a Host Integrity check
Remediating your computer
Viewing the Symantec Network Access logs
About enforcement
Configuring the client for 802.1x authentication

About Symantec Network Access Control
The client continuously evaluates its compliance.
When you turn on the client computer, the client runs a Host Integrity check that compares the computer's configuration with the Host Integrity Policy that was downloaded from the management server. The Host Integrity check evaluates your computer for compliance with the Host Integrity Policy for antivirus software, patches, hot fixes, and other security requirements. For example, the policy may check how recently the antivirus definitions were updated and which patches were last applied to the operating system.

A Symantec Enforcer authenticates the client computer and either grants the computer network access or blocks and quarantines it if it is non-compliant.
If the computer meets all the policy's requirements, the Host Integrity check passes, and the Enforcer grants full network access. If the computer does not meet the policy's requirements, the Host Integrity check fails. When a Host Integrity check fails, the client or a Symantec Enforcer blocks or quarantines your computer until you remediate it. Quarantined computers have limited or no access to the network. See About enforcement on page 131.
Your administrator may have set up the policy so that a Host Integrity check passes even if a specific requirement fails. The client may display a notification every time the Host Integrity check passes. See Responding to Network Access Control notifications on page 25.

The client remediates non-compliant computers.
If the client finds that a Host Integrity Policy requirement is not met, it installs, or asks you to install, the required software. After your computer is remediated, it tries to access the network again. If the computer is fully compliant, it is granted network access. See Remediating your computer on page 129.

The client proactively monitors compliance.
The client actively monitors the compliance state of the computer it runs on. If at any time the computer's compliance status changes, so do its network access privileges.
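As an added example, not Symantec code, the following models a Host Integrity check as the text describes it: each policy requirement is evaluated against the computer's state, a requirement can be marked so that the check still passes when it fails (the administrator option mentioned above), and the result decides between full access and quarantine while listing what remediation is needed. The requirement names, the patch identifiers, the dates and the seven-day definitions age are all constructed for the demonstration.

```python
# Added example (not Symantec code): a model of a Host Integrity check as the text
# describes it: requirements evaluated against the computer's state, an option to
# let the check pass even when a named requirement fails, and the resulting
# network access decision. Requirement names, patch IDs and dates are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Set


@dataclass
class ComputerState:
    antivirus_running: bool
    definitions_date: date
    installed_patches: Set[str]


@dataclass
class Requirement:
    name: str
    check: Callable[[ComputerState], bool]
    pass_even_if_failed: bool = False   # the administrator option from the text
    remediation: str = ""


def make_policy(today: date, max_definition_age_days: int,
                required_patches: Set[str], patches_optional: bool) -> List[Requirement]:
    return [
        Requirement("antivirus running",
                    lambda s: s.antivirus_running,
                    remediation="start the antivirus service"),
        Requirement("virus definitions current",
                    lambda s: today - s.definitions_date <= timedelta(days=max_definition_age_days),
                    remediation="run LiveUpdate"),
        Requirement("required patches installed",
                    lambda s: required_patches <= s.installed_patches,
                    pass_even_if_failed=patches_optional,
                    remediation="install " + ", ".join(sorted(required_patches))),
    ]


def host_integrity_check(policy: List[Requirement], state: ComputerState) -> Dict[str, object]:
    failed = [r for r in policy if not r.check(state)]
    blocking = [r for r in failed if not r.pass_even_if_failed]
    passed = not blocking
    return {
        "passed": passed,
        "failed": [r.name for r in failed],          # everything to remediate
        "remediation": [r.remediation for r in failed],
        "access": "full" if passed else "quarantine",
    }


def run_demo() -> Dict[str, Dict[str, object]]:
    today = date(2007, 10, 1)                                     # constructed
    policy = make_policy(today, max_definition_age_days=7,
                         required_patches={"PATCH-A", "PATCH-B"},  # constructed IDs
                         patches_optional=True)
    compliant = ComputerState(True, date(2007, 9, 29), {"PATCH-A", "PATCH-B"})
    stale_defs = ComputerState(True, date(2007, 9, 1), {"PATCH-A", "PATCH-B"})
    missing_patch = ComputerState(True, date(2007, 9, 30), {"PATCH-A"})
    return {
        "compliant": host_integrity_check(policy, compliant),
        "stale_defs": host_integrity_check(policy, stale_defs),
        "missing_patch": host_integrity_check(policy, missing_patch),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The missing_patch case shows the administrator option at work: the check passes and access stays full, but the failed requirement is still reported so the client can remediate it, which is the behaviour a practitioner should expect when a requirement is made non-blocking rather than removed.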
You can view more information about the Host Integrity check results in the Security Log.

To run a Host Integrity check
1 In the client, in the sidebar, click Status.
2 Beside Network Access Control, click Options > Check Now.
3 If a message appears that confirms that the Host Integrity check ran, click OK.
If you had been blocked from network access, you should regain it once your computer has been updated to comply with the security policy.

Remediating your computer

If the Host Integrity check fails, the client remediates your computer in one of the following ways, depending on how your administrator configured the policy:
The client downloads the software update automatically.
The client prompts you to download the required software update.
Symantec Network Access Control basics Viewing the Symantec Network Access logs
In the Symantec Endpoint Protection dialog box that appears, do one of the following actions:
To see which security requirements your computer failed, click Details.
To install the software immediately, click Restore Now. You may or may not have the option to cancel the installation after it has started.
To postpone the software installation, click Remind me later in, and then select a time interval in the drop-down list. The administrator can configure the maximum number of times you can postpone the installation.
If you use a managed client, both logs may be regularly uploaded to the server. Your administrator can use the content of the logs to analyze the overall security status of the network. You can export the log data from these logs.

To view Symantec Network Access Control logs
1 In the client, in the sidebar, click Status.
2 To view the System Log, beside Network Access Control, click Options > View Logs.
3 To view the Security Log, in the Client Management Logs - System log dialog box, click View > Security Log.
4 Click File > Close.
About enforcement
The client interacts with a Symantec Enforcer. The Enforcer ensures that all the computers that connect to the network it protects run the client software and have a correct security policy. An Enforcer must authenticate the user or the client computer before it allows the client computer to access the network. Symantec Network Access Control works with several types of Enforcers to authenticate the client computer. The Symantec Enforcer is the network hardware appliance that verifies Host Integrity results and the client computer's identity before it allows the computer network access. The Enforcer checks the following information before it allows a client to access the network:
The Symantec Network Access Control client runs.
The client has a unique identifier (UID).
The client has been updated with the latest Host Integrity Policy.
The client computer passed the Host Integrity check.
An unauthenticated client or third-party supplicant sends the user information and compliance information to a managed network switch that supports 802.1x. The switch relays the information to the LAN Enforcer. The LAN Enforcer sends the user information to the authentication server, a RADIUS server, for authentication. If the client fails user-level authentication or is not in compliance with the Host Integrity Policy, the Enforcer may block network access. The Enforcer places the non-compliant client computer in a quarantine network where the computer can be remediated. After the client remediates the computer and brings it into compliance, the 802.1x protocol reauthenticates the computer and the Enforcer grants it access to the network.
Symantec Network Access Control basics Configuring the client for 802.1x authentication
To work with the LAN Enforcer, the client can use either a third-party supplicant or a built-in supplicant. Table 9-1 describes the types of options you can configure for 802.1x authentication.

Table 9-1 802.1x authentication options

Option
Third-party supplicant
Warning: Contact your administrator before you configure your client for 802.1x authentication. You must know whether your corporate network uses the RADIUS server as the authentication server. If you configure 802.1x authentication incorrectly, you may break your connection to the network.

To configure the client to use a third-party supplicant
1 In the client, in the sidebar, click Status.
2 Beside Network Access Control, click Options > 802.1x.
3 Click Enable 802.1x authentication.
4 Click OK.
You must also set up a firewall rule that allows third-party 802.1x supplicant drivers onto the network. See Adding rules on page 112.
You can configure the client to use the built-in supplicant. You enable the client for both 802.1x authentication and as an 802.1x supplicant. To configure the client to use either transparent mode or a built-in supplicant
1 In the client, in the sidebar, click Status.
2 Beside Network Access Control, click Options > 802.1x.
3 Click Enable 802.1x authentication.
4 Click Use client as an 802.1x supplicant.
5 Do one of the following actions:
To select transparent mode, check Use Symantec Transparent Mode.
To configure a built-in supplicant, click Allows you to choose the authentication protocol. You then need to choose the authentication protocol for your network connection.
6 Click OK.

To choose an authentication protocol
1 On the client computer, click Start > Settings > Network Connections > Local Area Connection.
2 In the Local Area Connection Status dialog box, on the General tab, click Properties.
3 In the Local Area Connection Properties dialog box, click Authentication.
4 On the Authentication tab, click the EAP type drop-down list, and select one of the following authentication protocols:
Smart Card or other Certificate
Protected EAP (PEAP)
Symantec Transparent Mode
You may need to reauthenticate your computer in the following situations:
The client computer failed the user authentication because you typed your user name or your password incorrectly.
Your client computer is in the wrong VLAN.
The client computer does not obtain a network connection. A broken network connection usually happens because the switch between the client computer and the LAN Enforcer did not authenticate your user name and password.
You need to log on to a client computer that authenticated a previous user.
The client computer failed the compliance check.
You can reauthenticate the computer only if you or your administrator configured the computer with a built-in supplicant. Note: Your administrator may not have configured the client to display the Re-authentication command. To reauthenticate your computer
1 Right-click the notification area icon.
2 Click Re-authentication.
3 In the Re-authenticate dialog box, type your user name and password.
4 Click OK.
Chapter 10

About logs
Viewing the logs and the log details
Managing log size
Quarantining risks and threats from the Risk Log and the Threat Log
Using the Network Threat Protection logs and the Client Management logs
Exporting log data
About logs
Logs contain records of security-related activities on your computer, which include virus and security risk activities, configuration changes, and errors. They also include virus and security risk definitions file information, computer status, and the traffic that enters or exits your computer. These records are called events or entries. The logs display these events with any relevant additional information. If you use a managed client, its logs can be regularly uploaded to the management server. An administrator can use their data to analyze the overall security status of the network. Logs are an important method for tracking your computer's activity and its interaction with other computers and networks. You can use the information in the logs to track the trends that relate to viruses, security risks, and attacks on your computer. If several people use the same computer, you might be able to identify who introduces risks, and help that person to use better precautions. The Network Protection logs can help you to detect potentially threatening activity such as port scanning. They can also be used to trace traffic back to its source.
You can also use Network Protection logs to help troubleshoot connectivity problems or possible network attacks. If you have Symantec Endpoint Protection installed, the following log views are available:
Scan Log, from Antivirus and Antispyware Protection
Risk Log, from Antivirus and Antispyware Protection
System Log, from Antivirus and Antispyware Protection
Threat Log, from Proactive Threat Protection
System Log, from Proactive Threat Protection
Tamper Protection Log, from Tamper Protection
Traffic Log, from Network Threat Protection
Packet Log, from Network Threat Protection
Security Log, from Client Management and Network Threat Protection
Control Log, from Client Management
System Log, from Client Management
If you have Symantec Network Access Control installed, the following logs are available:
The logs can tell you when your computer has been blocked from the network and help you to determine why your access has been blocked. For more information about a log, you can press F1 to view the help for that log. Table 10-1 describes each log and what you can do with it.

Table 10-1 Logs and what you can do with them

Scan Log: The Scan Log contains entries about the scans that have run on your computer over time. You can perform the following tasks in the Scan Log:
View a list of the scans that have occurred on your computer over time. Scans are displayed with additional relevant information about the scans.
Export the data in the log to a comma-delimited text file, for use in other applications.
Risk Log: The Risk Log contains entries about viruses and security risks, such as adware and spyware, that have infected your computer. Security risks include a link to the Symantec Security Response Web page that provides additional information. You can perform the following tasks in the Risk Log:
View a list of the virus- and security risk-related events.
Export the data in the log to a comma-delimited text file, for use in other applications.
Clean a risk from your computer.
Delete a risk permanently from your computer.
Undo the changes that Symantec Endpoint Protection made when it deleted a risk or repaired its side effects.
Quarantine the risks that have been detected on your computer.
Antivirus and The Antivirus and Antispyware Protection System Log contains information about system Antispyware activities on your computer that are related to viruses and security risks. This information Protection System Log includes configuration changes, errors, and definitions file information. You can perform the following tasks in the Antivirus and Antispyware Protection System Log:
View a list of the antivirus- and antispyware-related events. Export the data in the log to a comma-delimited text file, for use in other applications. Filter the information in the log to view only one or a few types of events. Right-click an entry and view its properties.
Threat Log
The Threat Log contains information about the threats that Proactive Threat Protection has detected on your computer. These include the commercial applications that can be used for malicious purposes. Examples are Trojan horses, worms, or keyloggers, or mass-mailing worms, macro viruses, and script-based threats. You can perform the following tasks in the Threat Log:
View the list of the Proactive Threat Protection threat-related events. Export the data in the log to a comma-delimited text file, for use in other applications.
Terminate the malicious programs or the malicious processes that have been found on your computer. Restore items from the Quarantine.
Put the threats that have been detected on your computer into the Quarantine. Right-click an entry and view its properties.
Note: The action buttons that are active depend on the actions that are appropriate for
the selected log entry.
140
Proactive Threat The Proactive Threat Protection System Log contains information about system activities Protection System Log on your computer that are related to Proactive Threat Protection. You can perform the following tasks in the Proactive Threat Protection System Log:
View the system events related to Proactive Threat Protection. Export the data to a comma-delimited text file, for use in other applications. Filter the information in the log to view only one or a few types of events. Right-click an entry and view its properties.
Tamper Protection Log The Tamper Protection Log contains entries about the attempts to tamper with the Symantec applications on your computer. These entries contain information about the attempts that Tamper Protection detected or detected and thwarted. You can perform the following tasks in the Tamper Protection Log:
View the list of the Tamper Protection-related events. Export the data in the log to a comma-delimited text file, for use in other applications. Right-click an entry and view its properties.
Traffic Log
The Traffic Log contains information about the connections that your computer makes through the network. You can perform the following tasks in the Traffic Log: View a list of the incoming traffic events and the outgoing traffic events whenever your computer is connected to a network. From the File menu, clear all the entries from the log.
From the File menu, export the data in the log to a tab-delimited text file, for use in other applications. From the File menu, access the Network Threat Protection settings and change the settings that are available to you. From the View menu, switch between a local view and a source view.
From the Filter menu, filter the entries by selecting a time range. From the Action menu, back trace the data packets that were used in attempted attacks to locate their origin. Note that not every entry can be back traced.
Note: Actions that are inappropriate for a particular entry or that your administrator does
not allow are unavailable.
141
Description
The Packet Log contains information about the packets of data that enter or leave through the ports on your computer. You can perform the following tasks in the Packet Log: View a list of the incoming traffic events and the outgoing traffic events whenever your computer is connected to a network. From the File menu, clear all the entries from the log.
From the File menu, export the data to a tab-delimited text file, network monitor format, or Netxray format, for use in other applications. From the File menu, access the Network Threat Protection settings and change the settings that are available to you. From the View menu, switch between a local view and a source view.
From the Filter menu, filter the entries by selecting a time range. From the Action menu, back trace the data packets that were used in attempted attacks to locate their origin. Note that not every entry can be back traced.
Control Log
The Control Log contains information about the registry keys, files, and DLLs that an application accesses, as well as the applications that your computer runs. You can perform the following tasks in the Control Log:
View a list of the control events. From the File menu, clear all the entries from the log.
From the File menu, export the data in the log to a tab-delimited text file, for use in other applications. From the View menu, switch between a local view and a source view.
From the Filter menu, filter the entries by selecting a time range.
Security Log
The Security Log contains information about the activities that were directed toward your computer that can potentially pose a threat. Activities such as denial-of-service attacks, port scans, and executable file alterations are examples. You can perform the following tasks in the Security Log:
View security-related events. From the File menu, clear all the entries from the log.
From the File menu, export the data in the log to a tab-delimited text file, for use in other applications. From the View menu, switch between a local view and a source view.
From the Filter menu, filter the entries, either based on a time range or based on severity.
From the Action menu, back trace the data packets that were used in attempted attacks to locate their origin. Note that not every entry can be back traced. Stop the client from blocking the attacks that other computers make.
142
Using and managing logs Viewing the logs and the log details
Description
The System Log contains information about all of the operational changes that have occurred on your computer. Examples include activities such as when a service starts or stops, the computer detects network applications, or software is configured. You can perform the following tasks in the System Log:
View a list of the system events whenever your computer is connected to a network. From the File menu, clear all the entries from the log.
From the File menu, export the data in the log to a tab-delimited text file, for use in other applications. From the Filter menu, filter the entries, either based on a time range or based on severity.
Note: If you are logged on to a managed client, some options in some of the logs may be unavailable. The availability of these options depends on what your administrator allows. This note applies to the Network Threat Protection and the Client Management Traffic, Packet, Control, Security, and System logs. Options that are inappropriate for a particular entry in any log may be unavailable.
Using and managing logs Viewing the logs and the log details
143
To view a log
1. In the client, in the sidebar, click View logs.
2. Beside the type of log that you want to view, click View Logs and then click the name of the log.
From a view of any of the Network Threat Protection logs and the Client Management logs, you can switch to a view of the other logs. Use the View menu at the top of the dialog box to access the other logs.
3. If you have opened a view for one of the Network Threat Protection or Client Management logs, click either Local View or Source View.
The columns in the log change depending on whether you choose the local view or source view. The local view shows the content from the perspective of the local port and the remote port. This perspective is more commonly used in a host-based firewall. The source view displays the content from the perspective of the source port and the destination port. This perspective is more commonly used in a network-based firewall.
If entries in the Network Threat Protection logs and the Client Management logs have more information available, it appears in the following locations:
- Description information appears in the lower left-hand pane of the log view.
- Data information appears in the lower right-hand pane of the log view.
You can also view the details of any entry in the Antivirus and Antispyware Protection, Tamper Protection, and Proactive Threat Protection logs. For the Risk Log, the details provide some additional information that is not available in the main log view window.
To view log entry details in the Antivirus and Antispyware Protection, the Tamper Protection, and the Proactive Threat Protection logs
1. In the client, in the sidebar, click View logs.
2. Beside Antivirus and Antispyware Protection, Tamper Protection, or Proactive Threat Protection, click View Logs.
3. Click the name of the log that you want to view.
4. Right-click an entry in the list and then select Properties.
Filtering the log views
Antivirus and Antispyware Protection System Log and the Proactive Threat Protection System Log by event type.
To filter a Network Threat Protection log or a Client Management log by time period
1. In the client, in the sidebar, click View logs.
2. To the right of Network Threat Protection or Client Management, click View Logs.
3. Click the name of the log you want to view.
4. In the log view window, click Filter, and then select the time period for which you want to view the log's events. For example, if you select 2 Week Logs, the log viewer displays the events that were recorded over the past 14 days.
To filter the Security Log or the System Log by severity
1. In the client, in the sidebar, click View logs.
2. To the right of Network Threat Protection or Client Management, click View Logs and then click the Security Log or the System Log.
3. In the log view window, click Filter, and then click Severity.
4. Select one of the following to uncheck:
- Critical (Security Log only)
- Major (Security Log only)
- Minor (Security Log only)
- Error (System Log only)
- Warning (System Log only)
- Information
Unchecking an item eliminates events of that severity level from the view. You can click Severity and select another level to eliminate additional severity levels from the view.
You can reduce the number of events that appear in the two System Logs by displaying only certain types of events. For example, if you wanted to view only the events that are related to Auto-Protect, you could select only the Auto-Protect load/unload type. If you select one type, it does not stop the recording of events in the other categories. It only keeps the other categories from appearing when you display the System Log. The event types are:
- Configuration change
- Symantec AntiVirus startup/shutdown
- Virus definition file
- Scan omissions
- Forward to Quarantine Server
- Deliver to Symantec Security Response
- Auto-Protect load/unload
- Client management and roaming
- Log Forwarding
- Unauthorized communication (access denied) warnings
- Login and certificate management
- Client Compliance
- Proactive Threat Scan load error
- Proactive Threat Scan commercial applications load error
- Proactive Threat Scan operating system not supported
Note: Only relevant events are available for exclusion from the view.
To filter a System Log by event type
1. In the client, in the sidebar, click View logs.
2. Beside AntiVirus and AntiSpyware Protection or Proactive Threat Protection, click View Logs.
3. Click System Log.
4. Click Filter.
5. Check or uncheck one or more categories of events.
6. Click OK.
Configuring the retention time for the Antivirus and Antispyware Protection log entries and the Proactive Threat Protection log entries
To set the amount of time to retain log entries
1. In the client, on the Status page, beside AntiVirus and AntiSpyware Protection, click Options, and then click Change Settings.
2. On the General tab, set the number value and time unit for retaining the entries in these logs. The entries that are older than the value you set here are deleted.
3. Click OK.
Configuring the size of the Network Threat Protection logs and the Client Management logs
You can set the log size for each Network Threat Protection log and each Client Management log.
1. In the client, on the Status page, to the right of Network Threat Protection, click Options, and then click Change Settings.
2. In the Network Threat Protection Settings dialog box, on the Logs tab, in the Maximum log file size text field, type the maximum number of kilobytes you want the log file size to be.
You should keep the log file size small because of the space available on the computer. The default size for all logs is 512 KB, except for the Control Log and the Packet Log. The default size for the Control Log and the Packet Log is 1024 KB.
3. Click OK.
Configuring the retention time for the Network Threat Protection log entries and the Client Management log entries
You can specify how many days entries are saved in each log. After the maximum number of days is reached, the oldest entries are replaced. You may want to delete entries to save space or to retain entries to review your computer's security.
To set the number of days to retain log entries
1. In the client, on the Status page, to the right of Network Threat Protection or Client Management, click Options, and then click Change Settings.
2. In the Network Threat Protection Settings dialog box, on the Logs tab, in the Save each log entry for text field, type the maximum number of days to save the log entries.
3. Click OK.
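The maximum log file size and the retention time set above act together: whichever limit is reached first decides how much history a log actually keeps. The Python model below is an added example, not Symantec code. The guide does not describe how the client enforces the two limits internally, so the bookkeeping (each entry charged its byte length plus a newline, oldest entries dropped first) and the constant, constructed event stream fed into it are assumptions used only to show how the limits interact.

```python
"""Interaction of a size limit (KB) and an age limit (days) on a log.

Added example; the enforcement model and the event stream are assumptions,
not a description of the Symantec client's own implementation.
"""
from collections import deque
from datetime import datetime, timedelta


class BoundedLog:
    """Append-only log bounded by total size (max_kb) and by entry age (keep_days)."""

    def __init__(self, max_kb=512, keep_days=14):
        self.max_bytes = max_kb * 1024
        self.keep = timedelta(days=keep_days)
        self.entries = deque()      # (timestamp, line), oldest first
        self.size = 0               # bytes currently stored
        self.dropped_for_size = 0
        self.dropped_for_age = 0

    def append(self, ts, line):
        """Store one entry, then enforce the age limit and the size limit."""
        self.entries.append((ts, line))
        self.size += self._cost(line)
        self.expire(ts)
        while self.size > self.max_bytes and self.entries:
            self._pop_oldest()
            self.dropped_for_size += 1

    def expire(self, now):
        """Drop entries older than keep_days relative to `now`."""
        cutoff = now - self.keep
        while self.entries and self.entries[0][0] < cutoff:
            self._pop_oldest()
            self.dropped_for_age += 1

    @staticmethod
    def _cost(line):
        # Assumed accounting: UTF-8 length of the line plus one newline byte.
        return len(line.encode("utf-8")) + 1

    def _pop_oldest(self):
        _, line = self.entries.popleft()
        self.size -= self._cost(line)


def effective_retention(max_kb, keep_days, events_per_day, bytes_per_entry):
    """Feed a constructed event stream for 2 * keep_days days and report
    (days of history kept, entries dropped for size, entries dropped for age).

    Events are evenly spaced within each day and each stored entry is padded
    so that it costs exactly bytes_per_entry bytes.
    """
    log = BoundedLog(max_kb, keep_days)
    start = datetime(2007, 10, 1)               # constructed start date
    line = "x" * (bytes_per_entry - 1)          # -1: the newline is charged separately
    for day in range(2 * keep_days):
        for i in range(events_per_day):
            ts = start + timedelta(days=day, seconds=i * 86400 // events_per_day)
            log.append(ts, line)
    oldest, newest = log.entries[0][0], log.entries[-1][0]
    return (newest - oldest).days, log.dropped_for_size, log.dropped_for_age


if __name__ == "__main__":
    # Busy client: the 512 KB default fills in about four days, so a
    # 14-day retention setting never gets a chance to apply.
    print(effective_retention(512, 14, 500, 256))
    # Quiet client: the size cap is never reached and the age limit governs.
    print(effective_retention(512, 14, 20, 256))
```

With the 512 KB default and 256-byte entries, a client that logs 500 events a day keeps about four days of history regardless of a 14-day retention setting, while a client that logs 20 events a day is governed by the retention setting alone. When you size these logs so that you can review your computer's security, check the log's actual entry rate rather than relying on the retention value.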
About deleting the contents of the Antivirus and Antispyware System Log
You cannot permanently remove event records from the System Log by using the user interface.
Deleting the contents of the Network Threat Protection logs and the Client Management logs
If your administrator allows it, you can clear the contents of the Network Threat Protection logs and the Client Management logs. After you've cleared a log, it immediately starts saving entries again.
Note: If the clear option is unavailable, you do not have permission to delete log contents. If you have permission, you can also clear a log's content from the File menu of the log itself.
To delete the contents of a log
1. In the client, on the Status page, to the right of Network Threat Protection, click Options, and then click Change Settings.
2. In the Configure Network Threat Protection dialog box, on the Logs tab, beside the log that you want, click Clear Log.
3. When you are asked to confirm, click Yes.
4. Click OK.
Quarantining risks and threats from the Risk Log and the Threat Log
You can quarantine the threats that have been logged to the Proactive Threat Protection Threat History Log. You can quarantine risks from the Antivirus and Antispyware Risk Log. You can also clean and delete risks from the Antivirus and Antispyware Risk Log.
To quarantine a risk or threat from the Risk Log or the Threat Log
1. In the client, in the sidebar, click View logs.
2. Beside either AntiVirus and AntiSpyware Protection or Proactive Threat Protection, click View Logs and then click the name of the log you want.
3. Select a risk or threat and then click Quarantine.
Based on the preset action for a risk detection, Symantec Endpoint Protection may or may not be able to perform the action you selected. If the threat or risk is successfully placed into quarantine, you get a success message. You don't need to take any further action to keep your computer safe from this risk or threat. You can leave the files that are quarantined because of risks in the Quarantine or you can delete them. You should leave them in the Quarantine until you are sure that the applications on your computer have not lost any functionality. See About infected files in the Quarantine on page 84.
In the instances where Symantec Endpoint Protection is not able to put the risk or threat into the quarantine, you get an error message. In these instances, you may want to contact your administrator.
You can also clean and delete risks and threats, as well as undo actions from these logs, where applicable. See Acting on infected files on page 20.
Using the Network Threat Protection logs and the Client Management logs
The Network Threat Protection logs and the Client Management logs allow you to track your computer's activity and its interaction with other computers and networks. These logs record information about the traffic that tries to enter or exit your computer through your network connection. These logs also record information about the results of the firewall policy that is applied to the client.
You can manage the Network Threat Protection client logs and the Client Management client logs from a central location.
The Security, Traffic, and Packet logs allow you to trace some data back to its source. The trace uses ICMP to determine all the hops between your computer and an intruder on another computer.
Note: Some options for these logs may be unavailable, based on the control type that your administrator has set for your client.
Refreshing the Network Threat Protection logs and the Client Management logs
To refresh a log
1. In the client, in the sidebar, click View logs.
2. To the right of Network Threat Protection or Client Management, click View Logs and then click the name of the log you want.
3. On the View menu, click Refresh.
To enable the Packet Log
1. In the client, on the Status page, to the right of Network Threat Protection, click Options, and then click Change Settings.
2. In the Network Threat Protection Settings dialog box, click Logs.
3. Check Enable Packet Log.
4. Click OK.
Figure 10-1 (figure labels: Your computer, Data, Hop 1 through Hop 6, Hacker's computer)
For some log entries, you can trace a data packet that was used in an attack attempt. Each router that a data packet passes through has an IP address. You can view the IP address and other details. The information that is displayed does not guarantee that you have discovered who the hacker truly is. The final hop's IP address lists the owner of the router that the hackers have connected through, and not necessarily the hackers themselves.
You can back trace some logged events in the Security Log and the Traffic Log.
To back trace a logged event
1. In the client, in the sidebar, click View logs.
2. To the right of Network Threat Protection or Client Management, click View Logs. Then, click the log that contains the entry that you want to trace.
3. In the log view window, select the row of the entry that you want to trace.
4. Click Action, and then click BackTrace.
5. In the Back Trace Information dialog box, click Who is >> to view detailed information on each hop. A drop panel displays detailed information about the owner of the IP address from which the traffic event originated. You can use Ctrl-C and Ctrl-V to cut and paste the information in the panel into an email message to your administrator.
6. Click Who is << again to hide the information.
7. When you are finished, click OK.
Using the Client Management logs with Symantec Network Access Control
If you have Symantec Network Access Control installed, you can perform the following tasks from the Action menu in the Security Log and the System Log:
- Update a policy. See Updating the security policy on page 16.
- Check Host Integrity. See Running a Host Integrity check on page 129.
Exporting log data
You can export the following logs to a comma-delimited .csv file:
- Antivirus and Antispyware System Log
- Antivirus and Antispyware Risk Log
- Antivirus and Antispyware Scan Log
- Proactive Threat Protection System Log
- Proactive Threat Protection Threat Log
- Tamper Protection Log
Note: If you filter the log data in any way and then export it, you only export the data that you have currently filtered. This restriction is not true for the logs that you export to a tab-delimited text file. All the data in those logs is exported. See Filtering the log views on page 143.
You can export the following logs to a tab-delimited .txt file:
- Client Management Control Log
- Network Threat Protection Packet Log
- Client Management Security Log
- Client Management System Log
- Network Threat Protection Traffic Log
Note: In addition to a tab-delimited text file, you can also export the data from the Packet Log into network monitor format or NetXray format.
To export data to a .csv file
1. In the client, in the sidebar, click View logs.
2. Beside either AntiVirus and AntiSpyware Protection, Proactive Threat Protection, or Tamper Protection, click View Logs.
3. Click the name of the log you want.
4. In the log window, make sure that the data that you want to save is displayed.
5. Click Export.
6. In the Save As dialog box, type a name for the file. Browse to the directory where you want the file to be saved.
7. Click Save.
To export Network Threat Protection log data or Client Management log data to a text file
1. In the client, in the sidebar, click View logs.
2. To the right of Network Threat Protection or Client Management, click View Logs.
3. Click the name of the log you want to export data from.
4. Click File and then click Export. If you selected the Packet Log, you can click Export to network monitor format or Export to Netxray format instead.
5. In the Save As dialog box, type a name for the file. Browse to the directory where you want the file to be saved.
6. Click Save.
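Because a tab-delimited export contains all the data regardless of the current view filter, the time-period and severity filtering described under Filtering the log views can also be applied offline to an exported Security Log. The Python script below is an added example, not Symantec code and not a documented export format: the guide does not show the layout of an exported file, so the column names, the timestamp format and the sample rows are constructed assumptions. The severity names are the ones the Security Log filter lists. The script applies the same two filters the log viewer offers and skips rather than misreads rows whose field count does not match the header.

```python
"""Offline filtering of a tab-delimited Security Log export.

Added example; the export layout (columns, timestamp format) and the sample
rows are assumptions, not the Symantec client's documented format.
"""
from datetime import datetime, timedelta

# Constructed sample export: one header row, then one tab-separated event per line.
SAMPLE_EXPORT = "\n".join([
    "Time\tSeverity\tDirection\tRemote Host\tDescription",
    "2007-10-01 08:12:05\tInformation\tIncoming\t10.0.0.7\tPort scan attempt logged",
    "2007-10-03 14:30:11\tMinor\tIncoming\t10.0.0.9\tUnknown application blocked",
    "2007-10-09 22:41:48\tMajor\tIncoming\t192.0.2.44\tDenial of service attempt blocked",
    "2007-10-14 03:05:20\tCritical\tOutgoing\t198.51.100.12\tExecutable file alteration detected",
    "2007-10-15 09:00:00\tInformation\tOutgoing\t10.0.0.1\tFirewall policy applied",
    "garbled line with too few fields",
])

# Severity levels as named in the Security Log's Filter > Severity menu.
SECURITY_SEVERITIES = ("Critical", "Major", "Minor", "Information")
DEFAULT_NOW = datetime(2007, 10, 15, 12, 0, 0)   # constructed "current time" for the sample


def parse_export(text):
    """Parse a tab-delimited export into (records, skipped_row_count).

    Each record is a dict keyed by column name with Time parsed to datetime.
    Rows whose field count differs from the header are counted and skipped
    rather than silently shifted into the wrong columns.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    records, skipped = [], 0
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(header):
            skipped += 1
            continue
        rec = dict(zip(header, fields))
        rec["Time"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records, skipped


def filter_by_period(records, days, now=DEFAULT_NOW):
    """Keep events from the last `days` days, like the viewer's time-period filter (2 Week Logs = 14)."""
    cutoff = now - timedelta(days=days)
    return [r for r in records if r["Time"] >= cutoff]


def filter_by_severity(records, unchecked):
    """Drop the severity levels the user unchecked; an unknown level is an error, not a silent no-op."""
    unknown = set(unchecked) - set(SECURITY_SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity levels: {sorted(unknown)}")
    return [r for r in records if r["Severity"] not in unchecked]


def filtered_descriptions(text, days, unchecked, now=DEFAULT_NOW):
    """Apply the time-period filter, then the severity filter, and return the remaining descriptions."""
    records, _ = parse_export(text)
    kept = filter_by_severity(filter_by_period(records, days, now), unchecked)
    return [r["Description"] for r in kept]


if __name__ == "__main__":
    # Last 14 days with Information events unchecked, as in the viewer.
    for desc in filtered_descriptions(SAMPLE_EXPORT, 14, {"Information"}):
        print(desc)
```

Run against a real export, replace the column names in the sample with the ones in the file's header row and adjust the timestamp format to match; the filters themselves do not depend on the other columns.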
Index

Symbols
64-bit computers 65
802.1x authentication: about 131; configuring 133; reauthenticating 12

A
actions: assigning second actions for viruses 78; tips for assigning second actions for security risks 78
active response: about 121
adapters: defined 110
adware 40
allow traffic 112, 122
anti-MAC spoofing: enabling 115
Antivirus and Antispyware Protection: about 36, 51; enabling and disabling 44; status 44
Antivirus and Antispyware Protection System Log 139
applications: allowing or blocking 122; defined 109
attacks: blocking 101; network 104; signatures 104
Auto-Protect: determining file types 59; disabling security risk scanning 60; disabling temporarily 44; enabling and disabling for email 45; enabling and disabling for the file system 45; encrypted email connections 58; for Internet email 56; for Lotus Notes 56; for Microsoft Exchange clients 56; groupware email clients 56; network cache 61; network scanning options 61; scanning by extension 52; security risks 56; status 44; trusting remote versions 61; using 55; viewing scan statistics 58; viewing the risk list 59

B
Backup Items folder: clearing 88
blended threats 40
block an attacking computer 121
block traffic 112, 118, 122
bots 40
broadcast traffic: showing 106

C
centralized exceptions: excluding items from scans 54; for antivirus and antispyware scans 82; for proactive threat scan detections 100
client: about 11; disabling 12; interacting with 19; opening 12
commands: notification area icon 12
Control Log 141

D
defined scans 104
definitions file 14, 64
detection rates: sending information to Symantec 74
dialers 40
driver-level protection: enabling 115

E
email: encrypted connections 58; excluding Inbox file from scans 52; releasing attachments from Quarantine 87
email scanning. See Auto-Protect
enforcement: about 131
exclusions: creating for scans 54
extensions: excluding from scans 82; including in scans 52

F
files: backup of 88; excluding from scans 82; locating repaired 87; releasing files from Quarantine 87; rescanning files automatically in the Quarantine 87; rescanning files manually in the Quarantine 87; scanning 52; submitting to Symantec Security Response 89
firewall: about 102; settings 107, 115
firewall rules: about 108; changing the order of 113; creating 112; deleting 115; editing 115; enabling and disabling 114; exporting 114; importing 114; logging 109; order processed 111; scheduling 109
folders: excluding from scans 82

H
hacking tools 40
host: defined 110
Host Integrity check: running 129

I
infected file: acting on 20
Internet bots 40
intrusion prevention: about 104; configuring 119; enabling 120; notifications for 120; respond to 24
IPS signatures: about 104

J
joke programs 40

L
LiveUpdate: how it works 15
locations: about 29; changing 30
logs: about 137; back tracing entries 150; Client Management 149; configuring how long entries are kept 146-147; configuring the size of 146; deleting 147; description 138; enabling the Packet Log 150; export formats 152-153; exporting data 152; exporting filtered log entries 153; filtering 143; filtering by event category 145; filtering by severity level 144; filtering by time period 144; limiting the size of 146; network access control 130; Network Threat Protection 149; quarantining risks and threats from 148; refreshing 150; Symantec Endpoint Protection 138; Symantec Network Access Control 138; viewing 142; viewing entry properties 143

M
macro virus infections: preventing 54
managed clients: updating 15; vs. stand-alone clients 35
managed environments: about 12
manual scans. See on-demand scans
messages: intrusion prevention 120; responding to 22

N
NetBIOS protection: enabling 115
Network Access Control: notifications 25
network access control: about 127-128; enforcement 131; remediating the computer 129
network activity: displaying 105
network cache: Auto-Protect settings 61
network scanning: Auto-Protect settings 61
Network Threat Protection: about 37, 101; enabling and disabling 45
notification area icon: about 12; hiding and displaying 13
notifications: about 19; intrusion prevention 120; network access control 25; responding to 22; user interaction with 73

O
on-demand scans: creating 69; initiating 65; scanning by extension 52
online Help: accessing 17
options: unavailable 36
OS fingerprint masquerading: enabling 115
Other risk category 40

P
Packet Log 141; enabling 150
policies: about 16; updating 12, 16
port scans: port 104
ports: about 101
print sharing 124
Proactive Threat Protection: about 37, 91; enabling or disabling 46
proactive threat protection: managing 95
Proactive Threat Protection System Log 140
proactive threat scan: about 92; actions 97; centralized exceptions for 100; commercial applications 98; detections 93; false positives 94; frequency 95; notifications for 98; sensitivity level 97; submitting information about 99; types of processes to detect 96
protection: enabling and disabling types of 43; types 11; updating 14-15
protocol: defined 110

Q
Quarantine 84; deleting files 86, 88; deleting files manually 88; handling files infected by security risks 86; handling infected files 85; managing 86; moving files to 85; releasing files 87; removing backup files 88; rescanning files automatically 87; rescanning files manually 87; submitting files to Symantec Security Response 89; viewing file details 86; viewing infected files 85

R
reauthentication 134
remote access programs 41
risk impact ratings 79
Risk Log 139
rootkits 39

S
Scan Log 138
scan types: manual 65
scans. See antivirus and antispyware; all file types 53; centralized exceptions for 82; compressed files 65; delaying 48; excluding files from 54; files 52; interpreting results 72; pausing 48; scanning files by extension 52; scheduled 66; snooze options 49
scheduled scans: creating 66; editing and deleting 71; multiple 69; scanning by extension 52
Security Log 141
security risk scanning: disabling in Auto-Protect 60
security risks 39; configuring actions for 75; configuring notifications for 80; detection options 80; excluding from scans 82; how the client detects 63; how the client responds 42; process continues to download 56; remediation options 80; tips for assigning second actions 78; what to do when detected 55
settings: firewall 107; intrusion prevention 120
share files and folders 124
signatures 14
Smart DHCP 117
Smart DNS 117
Smart traffic filtering: defined 117
Smart WINS 117
spyware 41
stand-alone clients: vs. managed clients 35
startup scans: creating 69; editing and deleting 71; scanning by extension 52
stateful inspection: about 110; creating rules for traffic 110
stealth mode Web browsing: enabling 115
Symantec Security Response: about 15; accessing 17; submitting files to 89; Web site 16-17

T
Tamper Protection: about 30; configuring 31; enabling and disabling 31
Tamper Protection Log 140
TCP resequencing: enabling 115
testing your computer 29
Threat Log 139
threats: blended 40
token ring traffic: enabling 115
Trackware 41
traffic: allowing or blocking 122; blocking 118; displaying 105
Traffic Log 140
Trojan horses 40

U
UDP connections: about 111
unblock an attacking computer 121
unmanaged clients: updating 15
unmanaged environments: about 12
user-defined scans: editing and deleting 71

V
viruses 39-40; assigning second actions 78; configuring actions for 75; configuring notifications for 80; detection options 80; file damage from 21; how the client detects 63; how the client responds 42; remediation options 80; unrecognized 89; what to do when detected 55

W
Windows Security Center: seeing antivirus status from 47; seeing firewall status from 47
Windows services: showing 106
worms 40

Z
zero-day protection 91