Endpoint Protection


Two Reasons why IPS is a "Must Have" for your Network 

Nov 13, 2013 09:26 AM

Introduction

This is the third in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in December 2017.

This third article illustrates how Symantec Endpoint Protection's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.

Please also see this important post from Security Response:

What Symantec’s Intrusion Prevention System did for you in 2015

 

IP What?

Unlike AntiVirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.  It’s very cool.

SEP’s IPS component greatly increases the number of threats that can be blocked, so the use of IPS is strongly recommended on almost all endpoints.  More details are contained in:

Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347

 

Not Just for Windows Any More!

IPS has been an optional component of SEP for Windows since the beginning.  In order to enable IPS in Symantec Endpoint Protection 11.x, the client firewall portion (Network Threat Protection) must be installed and running. In SEP 12.1 and above, the client firewall function is separate and does not need to be installed or enabled for IPS to function. 

SEP 12.1 RU4 brought many new features to the SEP client that runs on Macintosh (“SEP for Mac”).  An overview of these enhancements can be found in:

Overview for Symantec Endpoint Protection 12.1.4 for Mac
http://www.symantec.com/docs/HOWTO92146

One of the best of these enhancements is that IPS can now defend Mac machines as well as the Windows boxes on the network.  So, definitely upgrade the protection on your Macs!

 

How IPS Defends Clients

For an excellent illustration of how IPS can protect against a very dangerous threat, see Recovering Ransomlocked Files Using Built-In Windows Tools.  Even if the initial Trojan.Cryptolocker executable is not detected by SEP’s AntiVirus components, IPS attack signatures can still block the network traffic that this threat relies upon in order to generate the keys necessary to sabotage a computer’s files.  If you see a pop-up “System Infected: Trojan.Cryptolocker” then IPS has just blocked the Trojan’s network activity (and saved you a load of grief).  Get that computer isolated and perform a load point diagnostic to identify any unidentified malware files!

 

Generating SEPM Reports of Network Attacks

As detailed in my first article, your Symantec Endpoint Protection Manager contains advanced capabilities for reporting and alerting.  It can often tell you exactly what is going on with the security of your network, if you know how to look.

One report that it can generate on demand is Network Threat Protection: Attacks.  (Remember: in SEP 12.1, it is not necessary to have the NTP component of SEP installed in order to take advantage of IPS.  IPS can be installed without NTP.  The report of all IPS attacks is still listed under Network Threat Protection as a legacy inherited from SEP 11 days.)

Just click on Monitors, Logs tab, and pick the "Network Threat Protection" option for Log type.  Choose “Attacks” to see all the IPS events that have occurred on managed SEP clients and been forwarded to the SEPM.

[Screenshot: Logs.jpg]

 

 

The logs for all the attack events will be displayed on screen, and can be exported for more advanced parsing and analysis with your favorite spreadsheet program.

 

Identifying Unprotected Computers

One example of how these can be useful: in a recent real-world case, an administrator had been fighting a never-ending battle to eradicate W32.Downadup from the corporate network.  There were constant detections of this threat being stopped, but somewhere out there were infected computers which constantly tried to re-infect others.  Examining the Risk Reports failed to show any instances where the threat was being detected by AV but “left alone,” so where were they?

Examining the exported Network Attack logs, it was pretty clear that IPS was also blocking infection attempts (traffic that attempted to exploit the vulnerability that W32.Downadup uses to spread).  These logs, though, also showed which IP addresses were involved with each “[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM” event.

 

[Screenshot: traffic.jpg]

 

Examining the Remote Hosts that were responsible for all that traffic was the solution to this case.  There were a handful of infected computers that had no AV product on them at all. Installing SEP ended the persistent W32.Downadup troubles for good.

 

Identifying Infected Machines

In another recent real-world example: hundreds of Auto-Protect virus events (Event ID 51) were seen on the shared directory of a file server.  Several days were spent examining the load points of the server itself, with nothing malicious found.  The reason: the infection was on one of the 400 clients which connect daily to that mapped drive.  Some client in the network had attempted to do the damage, but which one?  It would not be possible to examine load point diagnostics from all those hundreds of clients.

Luckily, that file server had IPS installed.  The IPS logs were examined and a large number of “Incoming Auto-Block Event” entries were spotted, coming from one particular IP address.  This activity might have been a coincidence, but in this case it was a very big clue as to which mapped client was infected.  That computer was isolated, cleaned, patched and returned to the network.  Problem solved.
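As an added example (not code from the original article or from Symantec), here is a small Python script that applies the triage used in both cases above to an exported SEPM Attacks log: it groups blocked events by Remote Host and counts how many distinct local machines each source hit, which is exactly the pattern a worm-infected or unprotected host leaves behind. The sample export is constructed for this example, and its column names are an assumption, since the real export layout is not shown here.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an exported "Network Threat Protection: Attacks" log.
# Column names are an assumption for this example; a real export carries more
# columns, so fields are looked up by header name rather than by position.
SAMPLE_EXPORT = """\
Event Time,Event Type,Remote Host IP,Local Host IP,Event Description
2013-11-12 09:01:14,Intrusion Prevention,10.1.5.23,10.1.7.50,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-12 09:01:20,Intrusion Prevention,10.1.5.23,10.1.7.51,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-12 09:02:03,Intrusion Prevention,10.1.5.88,10.1.7.50,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-12 09:02:41,Intrusion Prevention,10.1.5.23,10.1.7.52,"[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM"
2013-11-12 10:15:02,Intrusion Prevention,10.1.9.14,10.1.2.10,Incoming Auto-Block Event
2013-11-12 10:15:09,Intrusion Prevention,10.1.9.14,10.1.2.10,Incoming Auto-Block Event
2013-11-12 10:15:33,Intrusion Prevention,10.1.9.14,10.1.2.10,Incoming Auto-Block Event
2013-11-12 10:40:11,Intrusion Prevention,10.1.9.30,10.1.2.10,Incoming Auto-Block Event
"""


def parse_attack_log(text):
    """Return the rows of an exported log as dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_sources(rows, pattern):
    """Rank remote hosts whose blocked events contain `pattern`.

    Returns (remote_ip, event_count, distinct_local_targets) tuples, busiest
    source first. A high event count spread over many targets is the
    footprint of a host spraying an exploit at the network; a high count
    against one target (e.g. a file server) points at the client to isolate.
    """
    events = Counter()
    targets = defaultdict(set)
    for row in rows:
        if pattern in row["Event Description"]:
            events[row["Remote Host IP"]] += 1
            targets[row["Remote Host IP"]].add(row["Local Host IP"])
    return [(ip, n, len(targets[ip])) for ip, n in events.most_common()]


if __name__ == "__main__":
    rows = parse_attack_log(SAMPLE_EXPORT)
    for label, pattern in (("CVE-2008-4250 sources", "SID: 23179"),
                           ("Auto-Block sources", "Incoming Auto-Block Event")):
        print(label)
        for ip, count, target_count in summarize_sources(rows, pattern):
            print(f"  {ip}: {count} events against {target_count} host(s)")
```

On a real export, point parse_attack_log at the CSV you saved from the SEPM and adjust the header names to match the columns in your version of the report.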


Conclusion

IPS can protect your computers, and everything on them, in ways that AV alone cannot.  And its logs can provide valuable intelligence about which computers in the network are infected.

Moral of this story: it’s much easier to deploy the SEP IPS client and read its logs than to examine 400 load point diagnostics.  &: )

 

One final recommendation: it is always a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

 

 

Many thanks for reading!  Please do leave comments and feedback below. 

 


Comments

Jul 24, 2015 09:40 AM

@Mick2009 BRAVO ZULU man. Thank you sir!

Jul 24, 2015 09:05 AM

Ninth article in this series now available!

 

Using Today's SymHelp to Combat Today's Threats
https://www-secure.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

Mar 31, 2014 02:52 PM

Great and very informative article.

Feb 20, 2014 02:39 AM

Mick,

BRAVO ZULU on this. Absolutely outstanding article!

Feb 13, 2014 12:08 PM

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good
https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

Jan 16, 2014 05:55 AM

By request, adding the link to where more information can be found about each IPS SU (Security Update) - these are new "definitions" for SEP's IPS component.  New SUs come out every day or two - be sure to keep up-to-date!

Symantec Endpoint Protection
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep
 

Jan 09, 2014 06:37 AM

The fourth in this series has just been posted - it is a long one, but definitely worthwhile.

The Day After: Necessary Steps after a Virus Outbreak

https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

Jan 03, 2014 08:19 AM

Adding a couple of official Symantec KB's that will help admins decide whether or not it is safe and desirable to install IPS on their servers....

 

Best Practices for Installing Symantec Endpoint Protection (SEP) on Windows Servers
http://www.symantec.com/docs/TECH92440

Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers.
http://www.symantec.com/docs/TECH162135

Nov 26, 2013 08:43 AM

Thank you Mick for sharing this information...

Nov 18, 2013 06:11 AM

Many thanks, SebastianZ!  Excellent links on this topic.  &: )

Nov 18, 2013 06:02 AM

Great and very informative article - highly recommended as part of securing the environment with SEP Best Practices.

 

On the IPS topic, I can recommend the following KBs as well:

- about IPS Policies implementation in SEPM:

* About working with Intrusion Prevention Policies

Article:HOWTO27088  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27088

* Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

Article:TECH104434  |  Created: 2008-01-20  |  Updated: 2013-02-20  |  Article URL http://www.symantec.com/docs/TECH104434

 

- about the IPS Attack signatures:

* Security Updates information:

http://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep

* Database on the existing Attack Signatures that are being monitored by IPS

http://www.symantec.com/security_response/attacksignatures/

Nov 15, 2013 11:25 AM

Thanks Brian!

 

I don't have any statistics in front of me about which stops more, but trying to defend your data with AV alone is definitely fighting with one arm tied behind your back.  

Nov 15, 2013 11:19 AM

Here is another masterpiece from the master himself..!!!

Nov 14, 2013 01:46 PM

nice! I do believe IPS actually stops more threats than AV sigs, correct?
