Endpoint Protection


isolate infected pc

  • 1.  isolate infected pc

    Posted Aug 01, 2009 05:27 AM
    Hi All,

    I would like to ask how we can create a policy from the SEPM to automatically isolate a PC if it gets infected by any type of threat.
    If such a policy is possible, please provide the procedure for creating it.

    Thanks.


  • 2.  RE: isolate infected pc

    Posted Aug 01, 2009 09:41 AM
    Hi, do you have Network Access Control integrated with your SEPM server? If so, you can use NAC to configure whether a workstation that complies with the policy you created is allowed to access the network.


  • 3.  RE: isolate infected pc

    Posted Aug 01, 2009 10:34 AM
    SEPM on its own does not have a feature to isolate an infected PC.

    You can achieve this by using SNAC (Symantec Network Access Control), which will isolate the PC and put it into an isolated zone depending on the policy.


  • 4.  RE: isolate infected pc

    Posted Aug 01, 2009 11:59 AM
    A well-thought-out firewall policy would do the trick. Limit the open ports on the clients to only what is required by your company. This is more prevention than cure.


  • 5.  RE: isolate infected pc

    Posted Aug 02, 2009 04:41 AM
    Hi,

    Yes, the SEPM is configured with NAC integrated. How can I configure the NAC policy for this? I don't see a NAC policy for virus infection.
    Can you provide the procedure to achieve this objective?
    Thanks in advance.


  • 6.  RE: isolate infected pc

    Posted Aug 02, 2009 05:12 AM
    SNAC acts when the client does not comply with the Host Integrity policy (such as a definitions check, a patch check, or a check that finds a server is not running),
    and then runs the Quarantine policy, such as a firewall policy for a limited zone.

    But if I want SNAC to act when a client is infected or there is an outbreak, can SEPM do that?
    Thank you.


  • 7.  RE: isolate infected pc

    Posted Aug 02, 2009 09:45 AM
    If you have NAC, it will check the definitions on your PC, right? If the PC doesn't comply with the host integrity check, it won't allow you to connect to the network. Then, if the PC is compliant and the virus definitions are up to date, it will allow access to the network. Do you think that if your PC's virus definitions are up to date the virus can spread immediately on the network? If all your PCs are compliant, I believe you won't have a virus outbreak in your network.


  • 8.  RE: isolate infected pc

    Posted Aug 02, 2009 01:00 PM
    Hi all,

    If in the future I find a new threat or zero-day attack that Symantec cannot detect, with no AV/AS and IPS definitions at that time,
    how do we isolate or quarantine a group automatically while Symantec is creating the definitions for the new threat?

    I've seen that another competitor's AV (I may not say the name)
    can apply the quarantine policy automatically.
    You can set how many times a counter will count within a specific time range (for example, 100 times in 1 minute);
    if the action count exceeds the value you've set, the client automatically receives the quarantine policy for a blocking zone or whatever you want.
    This is good proactive protection, I think.

    What can Symantec do? What do you think?
    A virus outbreak means finding a new threat that is not contained in the definitions at that time.
    So, a customer may update definitions every hour and use SNAC to check definition compliance;
    however, this solution will not be good enough for proactive protection if Symantec cannot detect the threat.
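The counter-based auto-quarantine rule described in the post above (N detections on one client within a time window triggers the quarantine policy) is easy to state but has a few edge cases worth seeing in code. The following is an added example written for this page, not code from the original thread, from Symantec or from the unnamed competitor. The log format, host names, risk names, threshold and window are all assumptions, and the log lines are constructed, loosely shaped like a SEP risk-log export.

```python
"""Sliding-window detection counter for an auto-quarantine decision.

Added example, not Symantec code.  It models the rule described in the
thread: count detections per client inside a time window and flag the
client once the count reaches a configured threshold.
"""
from collections import deque
from datetime import datetime

# Constructed sample lines, loosely shaped like a SEP risk-log export:
# "<timestamp>,<computer>,<risk name>,<action taken>".  Not real data.
SAMPLE_LOG = """\
2009-08-02 09:00:01,WS-017,Trojan.Gen,Quarantined
2009-08-02 09:00:04,WS-017,Trojan.Gen,Left alone
2009-08-02 09:00:09,WS-022,W32.Downadup,Cleaned
2009-08-02 09:00:15,WS-017,Trojan.Gen,Left alone
2009-08-02 09:00:22,WS-017,Trojan.Gen,Left alone
2009-08-02 09:00:40,WS-017,Trojan.Gen,Left alone
2009-08-02 09:02:10,WS-022,W32.Downadup,Cleaned
2009-08-02 09:03:30,WS-031,Trojan.Gen,Quarantined
2009-08-02 09:04:45,WS-022,W32.Downadup,Cleaned
2009-08-02 09:07:00,WS-022,W32.Downadup,Cleaned
2009-08-02 09:09:55,WS-022,W32.Downadup,Cleaned
"""


def parse_line(line):
    """Split one log line into (timestamp, host, risk, action)."""
    ts, host, risk, action = line.strip().split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, risk, action


def hosts_to_quarantine(lines, threshold=100, window_seconds=60):
    """Return {host: time_flagged} for every host that logged `threshold`
    or more detections inside any `window_seconds`-long period.

    Events are sorted by time first, so an out-of-order export still works.
    Once a host is flagged it is not counted again: the isolation action
    should be applied once, not once per further detection.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = {}    # host -> deque of timestamps inside the current window
    flagged = {}
    for ts, host, _risk, _action in events:
        if host in flagged:
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        # Drop events that fell out of the window relative to the newest one.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = ts
    return flagged


if __name__ == "__main__":
    # A small threshold so the constructed sample trips it: 5 in 60 s.
    decisions = hosts_to_quarantine(SAMPLE_LOG.splitlines(),
                                    threshold=5, window_seconds=60)
    for host, when in decisions.items():
        print(f"{when:%Y-%m-%d %H:%M:%S}  {host}: apply quarantine policy")
```

With the sample data only WS-017 is flagged (five detections in 39 seconds); WS-022 also logs five detections, but spread over ten minutes, so a 60-second window never holds more than one of them. Two caveats a practitioner would add: a rule like this only fires on what the product does detect, so a threat the scanner misses entirely produces no count at all, and repeated "Left alone" actions (a detection the product could not remediate) are a stronger signal than repeated cleans and could be weighted separately.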


  • 9.  RE: isolate infected pc

    Posted Aug 02, 2009 09:36 PM

    Symantec has Proactive Threat Protection, which uses heuristic scanning for zero-day threats. According to the admin guide, it monitors applications and processes with suspicious behavior, and you can configure whatever actions you want taken and the level of security.

    It also has a software IPS labeled Network Threat Protection.


  • 10.  RE: isolate infected pc

    Posted Aug 02, 2009 11:04 PM
    To isolate a PC, you must remove the PC from the network. A good starting point may be this: if the infection cannot be cleaned or deleted, we should run a batch file to stop network services. But we should also take the level of the threat into consideration, because this would be inconvenient to the user. Don't forget the admin rights for the batch file.


  • 11.  RE: isolate infected pc

    Posted Aug 02, 2009 11:19 PM
    Hi, why not raise this case with Symantec support? :-)


  • 12.  RE: isolate infected pc

    Posted Aug 05, 2009 09:47 AM
    Do you think SEP and NAC can address this concern? I don't see a policy for virus infection in NAC.
    Do we have any other workaround for this, aside from creating a NAC policy to check the client's definitions?

    Thanks.


  • 13.  RE: isolate infected pc

    Posted Aug 05, 2009 10:27 AM
    Sorry, but this:
    >>If you have NAC, it will check the definitions on your PC, right? If the PC doesn't comply with the host integrity check, it won't allow you to connect to the network. Then, if the PC is compliant and the virus definitions are up to date, it will allow access to the network. Do you think that if your PC's virus definitions are up to date the virus can spread immediately on the network? If all your PCs are compliant, I believe you won't have a virus outbreak in your network.<<

    is not correct! We've experienced at least half a dozen heavy infections of computers with FULLY current defs.
    NAC can isolate a computer that's not current, but if it IS current and still gets infected, NAC can't do anything about it.

    And while this statement:

    >>Symantec has Proactive Threat Protection, which uses heuristic scanning for zero-day threats. According to the admin guide, it monitors applications and processes with suspicious behavior, and you can configure whatever actions you want taken and the level of security.

    It also has a software IPS labeled Network Threat Protection.
    <<

    is factual, it's not going to help him either - see my comments above. PTP has MISSED everything! It's never triggered, not a single time; it's never logged anything, not once in almost a year. It's pretty worthless IMO. Several rogue BHOs have been installed, and the phoney AV apps run rampant over it.
    We've had at least half a dozen heavily infected computers with SEP and ALL pieces set to high levels! Things DO get through; the ideal thing would be to have SEP or NAC recognize this and isolate the computer. The PROBLEM with this is that SEP missed the infections to begin with, so it can't isolate the computer because SEP doesn't know anything is wrong!
    It took two other pieces of software to clean those computers. One we had to reimage. Another I had to clean manually. SEP only saw the problem when it was too late - and in another case, the bug actually STOPPED SEP services!!
    Yes, SEP was disabled by the infection in one case.
    My suggestion is to find another way - once the computer is infected, it means SEP missed it, or SEP was disabled by it, so SEP can't isolate the computer.
    I have at least half a dozen REAL LIFE cases from recent weeks and months to show: SEP misses at times, and you don't want to assume SEP can or will isolate the computer.
    NAC won't help if the infection has killed SEP services like it did here.

    Now, that being said, other apps will miss things too, NOT just SEP.
    But in reality, SEP and SNAC won't be able to isolate a computer once it's become infected, because the fact that the computer is infected in the first place means SEP missed!