Endpoint Protection

  • 1.  Using SEP with AV and HIPS as a honeypot

    Posted Feb 01, 2011 03:17 PM

    Has anyone thought about using SEP with AV and HIPS as a honeypot specifically targeting Windows malware? I guess you could call it more of a sensor but depending on how vulnerable you make the host Windows PC it could work well in catching and identifying worms and other malware.

    I was thinking about setting up a Windows XP system with open file shares, very little to no patches, etc... and installing SEP with AV and HIPS. My main target is worms that take advantage of vulnerabilities and/or weak or no permissions.


    Thoughts?



  • 2.  RE: Using SEP with AV and HIPS as a honeypot

    Posted Feb 01, 2011 03:59 PM

    Sure, that's a cool idea. Just make sure you have the IPS feature turned on and updated, so that you would be able to track the attacks...



  • 3.  RE: Using SEP with AV and HIPS as a honeypot

    Posted Feb 01, 2011 04:02 PM

    It will work as long as the vulnerabilities are known to SEP but it won't really be a "true" honeypot.

    I specifically worked with an unpatched XP with no SP and XP with SP1 and ran Metasploit against them. SEP worked nicely.

    You won't have the honeypot aspect to it because SEP will most likely be blocking everything you throw at it. Honeypots are meant to be compromised for the purpose of being able to study the intrusion and learn the steps the hacker took. A true honeypot should not have any AV on it, theoretically.



  • 4.  RE: Using SEP with AV and HIPS as a honeypot

    Posted Feb 01, 2011 04:11 PM

    I agree that what I'm wanting to do isn't really a "honeypot" by its true definition, so I'm kind of calling it more of a sensor. For this implementation I'm basically only concerned with catching "known" malware at this time. We basically have an environment which runs many flavors of Windows OSes that are usually not patched and/or do not have local AV/firewall installed. This "sensor" is basically there to attract worms and malware so we can gather source information and go clean up the infected system(s). We sometimes get source information from SAV and SEP Risk Tracer, but this is not widely used in these environments. The environments where we have Risk Tracer turned on everywhere are also patched on a regular basis; therefore most Risk Tracer alerts are from user-initiated infections instead of the crawling worm hitting unpatched systems. Conficker is a great example.



  • 5.  RE: Using SEP with AV and HIPS as a honeypot

    Posted Feb 01, 2011 04:28 PM

    Your best bet is to go with a Nepenthes honeypot, https://www-secure.symantec.com/connect/articles/using-nepenthes-honeypots-detect-common-malware

    I've used it in our environment so you may find it useful as well. A google search will also give you a plethora of info and various ways of incorporating it into the environment.



  • 6.  RE: Using SEP with AV and HIPS as a honeypot

    Posted Feb 01, 2011 08:13 PM

    Here's my proposal based on my idea of using that to test the efficiency of the basic components and the content of the definition file:

    Install the entire package with almost everything set to log...

    AV/AS would have the Bloodhound level set to Minimum or disabled. Uncheck the "Trust files..." option in the Network Settings. Set the action to quarantine first and log next for everything. Risk tracer is enabled, obviously.

    Set the firewall policy to allow all (Remote access, File sharing, etc..).

    Enable all IPS. You should get logs from this.

    Enable application learning.

    Use the application and device control policy. Look for 'SEP Hardening Application and Device Control Policy' in the forums. Get that, enable them and set to Log only.

    Do a full scan every night and then one using another PC mapping the hard drive afterwards.

    - Happy hunting -
