This is the first in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in November 2017.
"Monitor first" is the good advice from security guru Bruce Schneier. Millions have typically been spent putting a security infrastructure in place, with AntiVirus clients, firewalls, IDS/IPS, and so on. These powerful tools can stop most known threats, and they report back to a central management console what action they have taken.
But if no one is reading those logs and acting upon them, the company remains at a disadvantage. Here is an actual case (with data anonymized to protect this customer's identity) of how using the reporting capabilities built in to the Symantec Endpoint Protection Manager (SEPM), and then acting upon that information, helped one admin who took the initiative to seek out the cause of the constant re-infections throughout her corporate network.
A Real-Life Example
Below is an example of how a report generated by SONAR logs can identify new malware for which there are not yet definitions. This report can also highlight specific computers from among the company's thousands which need immediate attention from the security admins.
For the past week, the network had been undergoing a persistent outbreak of various types of malware. Downloading and distributing Rapid Release definitions identified many new threats, but there always seemed to be more suspicious activity reported by end users.
To see if she could locate the source of the infections, the SEPM's admin clicked Monitors, then Logs, and chose to view a SONAR report with the Advanced filter set to display only the events where the action resulted in a verdict of "Suspicious."
This generated an on-screen report of "Security risk found" events, which could then be exported to .csv format. The admin took this file, imported it into MS Excel, enabled filtering, and hid certain columns so she could focus on the information she was looking for.
For the sake of space, the Date column is not displayed in this article, but the admin was quickly able to spot some files which the SEP 12.1 clients detected over and over again in the same locations on the same computers. Narrowing in again, she un-ticked the known, approved programs that were listed, un-ticked Tracking Cookies, and filtered to display only entries with a Detection Score of 80 or above.
Very quickly, the report narrowed to executable files which were found running from very unusual locations (user temp and application-data directories rather than Program Files). These files had random names typical of malware.
A quick search on VirusTotal.com revealed that several of those SHA1 Application Hashes (unique identifiers for the files) had poor reputations. Searching by hash rather than uploading the file is the safer first step, since it does not disclose a potentially sensitive internal file to a third party. Action was definitely called for.
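The same triage the admin did by hand in Excel can be scripted, which matters once the export runs to thousands of rows. The following is an added example of mine, not code from the original article or from Symantec: it parses a SONAR log export, keeps only "Suspicious" verdicts, drops Tracking Cookies and an allow-list of approved programs, keeps Detection Score 80 and above, and reports the (computer, path, hash) combinations that were detected more than once. The column names, the allow-list and the CSV rows are constructed assumptions modelled on an SEPM export; check them against the headers your SEPM version actually emits.

```python
"""Triage a SEPM SONAR log export for repeat detections.

Added example, not part of the original article. Column names
("Computer Name", "Action", "Detection Score", "File Path",
"Application Hash", ...) are assumptions modelled on an SEPM SONAR
export and must be matched to the real headers of your export.
"""
import csv
import io
from collections import Counter

SCORE_THRESHOLD = 80                     # the admin's cut-off from the article
APPROVED_APPS = {"approvedupdater.exe"}  # hypothetical allow-list of known-good programs

# Directory fragments that are unusual homes for a long-running executable.
UNUSUAL_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

# Constructed placeholder SHA-1 values, not hashes of real samples.
HASH_A, HASH_B, HASH_C, HASH_D, HASH_E = ("a" * 40, "b" * 40, "c" * 40, "d" * 40, "e" * 40)

_HEADER = "Time Stamp,Computer Name,Risk Name,Action,Detection Score,File Path,Application Hash"
_ROWS = [  # constructed sample rows
    ("2017-11-01 08:05", "WS-0412", "Suspicious Behavior", "Suspicious", "93", r"C:\Users\j.doe\AppData\Local\Temp\xq7zpl.exe", HASH_A),
    ("2017-11-02 08:07", "WS-0412", "Suspicious Behavior", "Suspicious", "93", r"C:\Users\j.doe\AppData\Local\Temp\xq7zpl.exe", HASH_A),
    ("2017-11-03 08:02", "WS-0412", "Suspicious Behavior", "Suspicious", "93", r"C:\Users\j.doe\AppData\Local\Temp\xq7zpl.exe", HASH_A),
    ("2017-11-02 09:40", "WS-0412", "Suspicious Behavior", "Suspicious", "88", r"C:\ProgramData\k3m9vd.exe", HASH_B),
    ("2017-11-03 09:41", "WS-0412", "Suspicious Behavior", "Suspicious", "88", r"C:\ProgramData\k3m9vd.exe", HASH_B),
    ("2017-11-02 11:15", "WS-0077", "Suspicious Behavior", "Suspicious", "91", r"C:\Windows\Temp\r8wqa.exe", HASH_C),
    ("2017-11-01 14:20", "WS-0091", "Suspicious Behavior", "Suspicious", "45", r"C:\Users\a.lee\AppData\Local\Temp\low.exe", HASH_D),
    ("2017-11-02 14:22", "WS-0091", "Suspicious Behavior", "Suspicious", "45", r"C:\Users\a.lee\AppData\Local\Temp\low.exe", HASH_D),
    ("2017-11-02 15:00", "WS-0091", "Tracking Cookies", "Suspicious", "", r"C:\Users\a.lee\AppData\Roaming\cookie.txt", ""),
    ("2017-11-01 07:00", "WS-0150", "Suspicious Behavior", "Suspicious", "95", r"C:\Program Files\Vendor\approvedupdater.exe", HASH_E),
    ("2017-11-02 07:00", "WS-0150", "Suspicious Behavior", "Suspicious", "95", r"C:\Program Files\Vendor\approvedupdater.exe", HASH_E),
    ("2017-11-03 10:10", "WS-0412", "Suspicious Behavior", "Quarantined", "90", r"C:\Users\j.doe\AppData\Local\Temp\xq7zpl.exe", HASH_A),
]
SAMPLE_CSV = "\n".join([_HEADER] + [",".join(r) for r in _ROWS]) + "\n"


def parse_export(text):
    """Read the CSV export into a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def score(row):
    """Detection Score as int; blank or malformed scores count as 0."""
    try:
        return int((row.get("Detection Score") or "0").strip())
    except ValueError:
        return 0


def unusual_location(path):
    """True if the file lives in a temp/app-data style directory."""
    p = path.replace("/", "\\").lower()
    return any(frag in p for frag in UNUSUAL_DIRS)


def is_candidate(row):
    """Apply the admin's Excel filters: Suspicious verdict, no cookies,
    not an approved program, score at or above the threshold."""
    if row["Action"].strip().lower() != "suspicious":
        return False
    if "tracking cookie" in row["Risk Name"].lower():
        return False
    filename = row["File Path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if filename in APPROVED_APPS:
        return False
    return score(row) >= SCORE_THRESHOLD


def repeat_detections(rows, min_hits=2):
    """Group candidates by (computer, path, hash) and keep those seen
    min_hits or more times: the same file re-detected in the same
    place on the same machine is the re-infection signal."""
    counts = Counter()
    for row in rows:
        if is_candidate(row):
            counts[(row["Computer Name"], row["File Path"], row["Application Hash"])] += 1
    findings = [
        {"computer": c, "path": p, "sha1": h, "hits": n, "unusual_location": unusual_location(p)}
        for (c, p, h), n in counts.items() if n >= min_hits
    ]
    return sorted(findings, key=lambda f: (-f["hits"], f["computer"], f["path"]))


def hosts_to_isolate(findings):
    """Distinct computers to pull off the network for cleaning."""
    return sorted({f["computer"] for f in findings})


def hashes_to_check(findings):
    """Distinct hashes to look up (by hash, not upload) on VirusTotal."""
    return sorted({f["sha1"] for f in findings})


if __name__ == "__main__":
    found = repeat_detections(parse_export(SAMPLE_CSV))
    for f in found:
        print(f)
    print("isolate:", hosts_to_isolate(found))
    print("look up:", hashes_to_check(found))
```

On the constructed sample this leaves only the two files on WS-0412 that keep reappearing; the single detection on WS-0077, the low-scoring file, the cookie row, the allow-listed updater and the already-quarantined event all fall away, which is exactly what the manual filtering achieved.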
She also noticed that all of these suspicious files were located on just a handful of computers. Very quickly she gave instructions to have those computers isolated from the network to keep them from spreading any infection. This is an important best practice from the following article:
Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466
She also gave instructions for the SymDiag (formerly SymHelp) tool to be run on those computers with Threat Analysis Scan (previously called Load Point Analysis) checked. This tool identifies suspicious files on a computer, which can then be collected and submitted to Symantec's Security Response for full analysis.
Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante
Using Today's SymDiag to Combat Today's Threats
https://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats
Aha! The suspicious files from her report were flagged by the SymDiag tool, along with several other files that were deemed to be possible malware. The admin zipped them up in batches of nine or fewer and submitted them to Symantec Security Response.
How to Use the Web Submission Process to Submit Suspicious Files
Article URL http://www.symantec.com/docs/TECH102419
Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions
While Symantec was examining the files, she took additional measures to secure the network, hunting for more SONAR samples with a lower Detection Score and monitoring other logs. One action taken was to use the MD5 hashes (sent automatically by Symantec in its acknowledgement mail after she submitted samples) to create an Application and Device Control (ADC) policy that blocked them. This was applied to the client groups throughout the company, stopping those threats from executing or spreading any further.
How to use Application and Device Control to limit the spread of a threat.
Article URL http://www.symantec.com/docs/TECH93451
The computers which had been compromised were fully patched and had third-party components such as Java and Adobe software brought up to date. Their users were given strong new passwords and a bit of education about computer security best practices. The machines were kept off the network, though, until they could receive a full system scan with definitions that contained protection.
In due course, the submitted files were examined and new AntiVirus definitions prepared. These new definitions were downloaded via LiveUpdate and applied to all clients throughout the network. Those suspicious files, it seems, were members of the Downloader family. Evidently a malicious attacker had been using that handful of compromised systems to constantly download new, undetected hack tools and infostealers, staying one step ahead of traditional signature-based AV defenses. These tools were also crafted so as to resist the efforts of Auto-Protect to terminate their processes. They could not withstand a full system scan in safe mode, though!
By using SONAR's heuristic detections, reviewing the logs, and making sure that compromised machines were fully cleaned before being added back to the network, the persistent infection was eradicated.
Conclusion
Many thanks for reading! Please do leave comments and feedback below.
This is just one example of how SEPM's built-in reporting and alerting features can be used to ensure a corporate network's stability and security. If it would be helpful, I would be glad to provide additional illustrations.