Channel: Symantec Connect - Products - Articles

Access Symantec Encryption Management Server (PGP) via SSH


To gain command line access to a Symantec Encryption Management Server (PGP Universal Server), you will need to create an SSH key. You can do this using a utility such as PuTTYgen to create an SSH key and PuTTY to log into the command line interface.

This article details how to use PuTTYgen and PuTTY to access Symantec Encryption Management Server (PGP).

1. Download PuTTY suite or PuTTYgen and PuTTY, from the site below:

http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

2. Open PuTTYgen.exe, leave the configuration as default, click 'Generate' button:

AccessPGP-01.png

3. Generate some randomness for the key by moving the mouse over the blank area:

AccessPGP-02.png

4. Copy the public key block from Key window where it says 'Public key for pasting into OpenSSH authorized_keys file':

AccessPGP-03.png

5. Click 'Save private key' to save the private key of the key pair you created:

AccessPGP-08.png

6. Log into SEMS management console as a superuser, such as admin, click 'System' --> 'Administrators' --> 'admin':

AccessPGP-04.png

7. Click the plus + sign at the end of the 'SSHv2 Key':

AccessPGP-05.png

8. Select 'Import Key Block', paste the public key block that you copied in step 4, then click the 'Import' button:

AccessPGP-06.png

9. After the key block has been uploaded, you will notice that the hex fingerprint of the key now appears in the 'SSHv2 Key' line.

Verify that this fingerprint matches the one shown in the 'Key fingerprint' line of PuTTY Key Generator from step 3 before saving; a mismatch means the pasted key block is not the one you generated.

AccessPGP-07.png

9. Click 'Save' button.

10. Open PuTTY.exe, enter the Host Name or IP address of the SEMS, select SSH as the protocol:

AccessPGP-09.png

11. On the left panel, select 'Connection' --> 'SSH'. Under 'Private key file for authentication', select the private key file that you saved in step 5, then click the 'Open' button to start an SSH session:

AccessPGP-10.png

12. The first time you log into SEMS with PuTTY, you will be shown PuTTY's security warning because the server's host key is not yet cached; click the 'Yes' button to accept it:

AccessPGP-12.png

13. You will be prompted to enter a username, type 'root' and press enter:

AccessPGP-11.png

REMEMBER:

Accessing the server command line for read-only purposes, such as viewing settings, logs, etc., is supported. However, performing configuration modifications or customizations via the command line may void your Symantec Support agreement.
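Step 9 asks you to compare the fingerprint SEMS displays with the one PuTTYgen showed. The following is an added example, not part of the original article and not Symantec or PuTTY code, showing how that fingerprint is derived from the public key block you pasted: the base64 text decodes to the key's wire-format blob, and the hex fingerprint is the MD5 of that blob (older PuTTYgen builds show this colon-separated form; newer builds and OpenSSH default to the SHA256 form, which is also computed). The sample key it builds is constructed from made-up numbers and is not usable for authentication.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH 'string' (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the high bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_key_line(e: int, n: int, comment: str = "") -> str:
    """Assemble an OpenSSH 'ssh-rsa <base64> [comment]' line from raw RSA parameters.
    Used here only to construct a sample key offline; the numbers fed in are made up
    and do NOT form a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_key_line(line: str) -> tuple:
    """Split an authorized_keys-style line into (key type, raw key blob).
    The first string inside the blob must repeat the key type; a mismatch means the
    text was corrupted or mis-pasted."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + length].decode("ascii")
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: '{key_type}' vs '{inner_type}' inside blob")
    return key_type, blob


def fingerprint_md5(line: str) -> str:
    """Colon-separated hex MD5 of the key blob (the form older PuTTYgen builds display)."""
    _, blob = parse_key_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(line: str) -> str:
    """'SHA256:<unpadded base64>' form used by OpenSSH and newer PuTTY builds."""
    _, blob = parse_key_line(line)
    b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + b64.rstrip("=")


def fingerprints_match(shown: str, line: str) -> bool:
    """Compare a fingerprint copied from a UI against the key, ignoring case and an 'MD5:' prefix."""
    shown = shown.strip().lower()
    if shown.startswith("md5:"):
        shown = shown[4:]
    return shown == fingerprint_md5(line)


if __name__ == "__main__":
    # Constructed sample: tiny made-up modulus, NOT a real key.
    sample = build_rsa_key_line(65537, 0xC0FFEE0123456789ABCDEF, "rsa-key-example")
    print(sample)
    print(fingerprint_md5(sample))
    print(fingerprint_sha256(sample))
```

In practice you would pass the exact line PuTTYgen shows under 'Public key for pasting into OpenSSH authorized_keys file' to `fingerprint_md5` and compare the result with the value SEMS shows after import; the comment at the end of the line does not influence the fingerprint, only the key blob does.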


Symantec Endpoint Encryption - Generating and Deploying a Recovery Certificate


Reference: https://support.symantec.com/en_US/article.HOWTO101011.html

Assumptions:

  • Symantec Endpoint Encryption 11.1.2
  • Server 2012 R2 standard
  • Microsoft Active Directory Certificate Services is installed and configured on the domain

Creating the MMC

  1. Log onto the SEE server as a user who has rights to request a certificate.
  2. Click on the Start button, type cmd and hit the enter key.
  3. Type mmc and hit the enter key.
  4. Click on File, Add/Remove Snap-in…
  5. Choose Certificates and click Add >.
  6. Choose My user account and click Finish.
  7. Click OK.

Creating the Certificate

  1. Open or create an MMC with the Snap-in called Certificate – Current User.
  2. Expand Certificates – Current User.
  3. Right click on Personal and choose All tasks, Request New Certificate...
  4. When the Certificate Enrollment wizard starts, click Next.
  5. On the Select Certificate Enrollment Policy page, click Next.
  6. On the Request Certificates page, select Basic EFS and click details and click Properties.
  7. On the General tab, enter a Friendly Name: SEEM Server Recovery Certificate <Date>.
  8. Click on the Subject tab.
  9. Under Subject name, choose Common name and set the SEEM server FQDN as the Value and click Add.
  10. Click on the Extensions tab and click on Key usage.
  11. Click on Data encipherment and click Add >.
  12. Click OK.
  13. Click Enroll.
  14. Click Finish.

Exporting PKCS #12 (Certificate and Private Key)

  1. Open or create an MMC with the Snap-in called Certificate – Current User.
  2. Expand Certificates – Current User, Personal, Certificate.
  3. Double click the certificate that you just created.
  4. Click on the Details tab.
  5. Click on Copy to File…
  6. On the Certificate Export Wizard click Next.
  7. On the Export Private Key page, choose Yes, export the private key and click Next.
  8. On the Export File Format page ensure Personal Information Exchange – PKCS #12 (.PFX) is selected and click Next.
  9. On the Security page, select Password and type in a password and click Next.
  10. Click Browse and select where to save the file and choose a descriptive file name and click Save.
  11. Click on Finish.
  12. Click OK.

Exporting PKCS #7 (Certificate)

  1. Open or create an MMC with the Snap-in called Certificate – Current User.
  2. Expand Certificates – Current User, Personal, Certificate.
  3. Double click the certificate that you just created.
  4. Click on the Details tab.
  5. Click on Copy to File…
  6. On the Certificate Export Wizard click Next.
  7. On the Export Private Key page, choose No, do not export the private key and click Next.
  8. On the Export File Format page ensure Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) is selected, choose Include all certificates in the certification path if possible and click Next.
  9. Click Browse and select where to save the file and choose a descriptive file name and click Save.
  10. Click on Finish.
  11. Click OK.

Deploying the Recovery Certificate to a SEE Client

  1. Log onto the server that hosts the SEE Management Console.
  2. Open the SEE Management Console.
  3. Expand the Symantec Endpoint Encryption Software Setup node and click on Windows Client.
  4. Work your way through the wizard and when you reach the Removable Media Encryption Installation Settings – Recovery Certificate page, choose Encrypt files with a recovery certificate.
  5. Browse to the PKCS #7 certificate and choose Open.
  6. Review the Confirm Certificate window and click OK.
  7. Complete the wizard.

Deploying the Recovery Certificate to GPO Based Policies

  1. Log onto the server that hosts the SEE Management Console as a user who has rights to deploy GPO based policies.
  2. Open the SEE Management Console.
  3. Click on the Group Policy Management node.
  4. Drill down, Forest, Domains, Domain, Group Policy Objects.
  5. Right click on the desired GPO based policy and choose Edit…
  6. Expand Computer configuration, Policies, Software Settings, Symantec Endpoint Encryption, Removable Media Encryption and choose Recovery Certificate.
  7. Choose Change this setting, choose Encrypt files with a recovery certificate and click Change certificate…
  8. Browse to the PKCS #7 certificate and choose Open.
  9. Review the Confirm Certificate window and click OK.
  10. Click Save.
  11. Click OK.
  12. Click File, Exit.

Symantec Data Center Security (DCS) Database Archiving


Hi,

This article will discuss how to manage the archiving of the DCS database effectively, based on your retention needs and/or performance requirements. This process allows you to minimise the number of events stored within your active SCSPDB_[Name] database whilst still meeting your audit requirements.

This is likely to be necessary if your DCS environment generates a lot of noise, most likely detection events, if you are centrally logging events in DCS.

In this example, the customer has an event retention threshold of, say, 6 months' worth of events, some prevention but mainly detection.

  1. Connect to your Database instance that hosts your DCS database
  2. Navigate to your database, typically named SCSPDB
  3. Navigate to Tables and run the query below. Change the date to something appropriate for your environment: choose a time around 1 week in the past, so that your agents have checked in and your systems have some overlap. 1 week should be enough to ensure this unless you are experiencing a very serious posting delay.
    select event_type,count(1) from cspevent cs
    where cs.event_dt <= '2017-03-18 00:00:00.000'
    group by event_type
  4. You will use this count to verify that your database has been migrated with some integrity. There will be some disparity between the total events in the archived DB and the live one, hence the date in the query, which is used as a timestamp to provide some additional integrity.
  5. Record the results for reference later.
  6. Create a backup of the database (manually through SSMS or via your automated backup solution)
  7. Restore your new backup, but name it differently i.e. SCSPDB_Review_JantoJun2016
  8. Run the same query as in step 3 on the restored database and ensure the record counts match. If they do not, start again from step 3 and double-check the figures and that the backups were processed properly.
  9. If they do, then on the original DB run the purge script found under Programmability: SCSP_PurgeEvents (6.5) or PurgeEventsByDate (6.6 onwards). An example for the 6.5 purge script is shown below. It will delete all Realtime events older than 7 days, and it will delete as many as it can as fast as it can; change the purge limit to, say, 100,000 if you want to control the load on the DB and minimise table locking.
    DECLARE @RC int
    DECLARE @EventCLASS nvarchar(100) = 'Realtime' -- One of "REALTIME", "PROFILE", "ANALYSIS"
    DECLARE @PurgeMode nvarchar(100) = 'Purge' -- One of "TESTMODE","PURGE" (Testmode will show what will happen but does not actually delete anything, Purge does!)
    DECLARE @FilterMode nvarchar(100) = 'Days'
    DECLARE @FilterValue nvarchar(4000) = '7' -- Number of days to keep (anything older will be deleted)
    DECLARE @PurgeLimit int = 0 -- or 100000: this is a "governor" to limit how many records to delete at once
    DECLARE @Process_Rules varchar(8) = 'P' -- Flags indicating processing mode. P print, Q quiet
    
    -- TODO: Set parameter values here.
    
    EXECUTE @RC = [DCSSA_Review].[dbo].[SCSP_PurgeEvents]
       @EventCLASS
      ,@PurgeMode
      ,@FilterMode
      ,@FilterValue
      ,@PurgeLimit
      ,@Process_Rules
    GO
    
  10. NOTE: In 6.6 onwards the script has changed, and TESTMODE actually purges the events, so be careful.

Now you will have a slimline CSP database that is quicker to query and less cluttered, and a review DB that you can query directly with SQL and/or SSRS to create KPIs and/or analysis on the data. Tip: you can extract the SQL from the CSP reports in the Java Console and use it to query directly or via SSRS.

Any questions, let me know.

Thanks,

Kevin

How to point DCS Server to migrated SQL database.


After the SQL database has been migrated to a new instance the "server.xml" file will need to be updated with the new database information. The default location of this file on the DCS Server is as follows:

"C:\Program Files (x86)\Symantec\Data Center Security Server\Server\tomcat\conf\server.xml"

There will be three lines in this file that each begin with a "<Resource auth=" tag.

<Resource auth="Container" driverClassName="net.sourceforge.jtds.jdbc.Driver"
    factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" initialSize="25" logAbandoned="true"
    maxActive="75" maxIdle="50" maxWait="30000" minEvictableIdleTimeMillis="55000" minIdle="25"
    name="Database-Console" password="1234567890abcdefghijklmnopqrstuvwxyzABCD"
    removeAbandoned="true" removeAbandonedTimeout="300" testOnBorrow="true"
    timeBetweenEvictionRunsMillis="34000" type="javax.sql.DataSource"
    url="jdbc:jtds:sqlserver://192.168.1.223/SCSPDB;instance=scsp;integratedSecurity=false"
    username="scsp_ops" validationInterval="34000" validationQuery="SELECT 1"/>
<Resource auth="Container" driverClassName="net.sourceforge.jtds.jdbc.Driver"
    factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" initialSize="125" logAbandoned="true"
    maxActive="425" maxIdle="175" maxWait="30000" minEvictableIdleTimeMillis="55000"
    minIdle="125" name="Database-Agent" password="1234567890abcdefghijklmnopqrstuvwxyzABCD"
    removeAbandoned="true" removeAbandonedTimeout="300" testOnBorrow="true"
    timeBetweenEvictionRunsMillis="34000" type="javax.sql.DataSource"
    url="jdbc:jtds:sqlserver://192.168.1.223/SCSPDB;instance=scsp;integratedSecurity=false"
    username="scsp_ops" validationInterval="34000" validationQuery="SELECT 1"/>
<!-- UMC DB Resource -->
<Resource auth="Container" driverClassName="net.sourceforge.jtds.jdbc.Driver"
    factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" initialSize="34" logAbandoned="true"
    maxActive="277" maxIdle="233" maxWait="30000" minEvictableIdleTimeMillis="55000" minIdle="89"
    name="Database-UMC" password="1234567890abcdefghijklmnopqrstuvwxyzABCD"
    removeAbandoned="true" removeAbandonedTimeout="300" testOnBorrow="true"
    timeBetweenEvictionRunsMillis="34000" type="javax.sql.DataSource"
    url="jdbc:jtds:sqlserver://192.168.1.223/dcsc_umc;instance=scsp;integratedSecurity=false"
    username="umcadmin" validationInterval="34000" validationQuery="SELECT 1"/>

The hostname/IP of the SQL Enterprise Database will need to be updated on the "url=" portion of these three lines as follows:

url="jdbc:jtds:sqlserver://192.168.1.223/SCSPDB;instance=scsp;integratedSecurity=false"

In the above example the "192.168.1.223" entry will need to be updated to the new hostname/IP of the migrated database.

Please note that the DCS services should be stopped before the "server.xml" file is modified (see the image below for reference):

Turn off DCS Services.png

Once the "server.xml" file has been successfully modified, the services can be turned back on and the DCS server's database should be properly migrated.
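As an added example (not code from the article or from the DCS product), the following Python script performs the edit described above on a constructed, simplified copy of the three DataSource entries: it rewrites only the host part of each jTDS url, leaves database names, connection options, usernames and passwords untouched, and reports any entry that did not point at the old host so it is not silently redirected. The XML skeleton, the placeholder password and the new hostname are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# jTDS URL shape used by DCS: jdbc:jtds:sqlserver://<host[:port]>/<database>;<options>
JTDS_URL = re.compile(r"^(jdbc:jtds:sqlserver://)([^/;]+)(/.*)$")

# Constructed skeleton of the three DataSource entries from server.xml; the
# password is a placeholder and the element nesting is simplified.
SAMPLE_SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource auth="Container" name="Database-Console" type="javax.sql.DataSource"
      driverClassName="net.sourceforge.jtds.jdbc.Driver"
      url="jdbc:jtds:sqlserver://192.168.1.223/SCSPDB;instance=scsp;integratedSecurity=false"
      username="scsp_ops" password="PLACEHOLDER-PASSWORD" validationQuery="SELECT 1"/>
    <Resource auth="Container" name="Database-Agent" type="javax.sql.DataSource"
      driverClassName="net.sourceforge.jtds.jdbc.Driver"
      url="jdbc:jtds:sqlserver://192.168.1.223/SCSPDB;instance=scsp;integratedSecurity=false"
      username="scsp_ops" password="PLACEHOLDER-PASSWORD" validationQuery="SELECT 1"/>
    <!-- UMC DB Resource -->
    <Resource auth="Container" name="Database-UMC" type="javax.sql.DataSource"
      driverClassName="net.sourceforge.jtds.jdbc.Driver"
      url="jdbc:jtds:sqlserver://192.168.1.223/dcsc_umc;instance=scsp;integratedSecurity=false"
      username="umcadmin" password="PLACEHOLDER-PASSWORD" validationQuery="SELECT 1"/>
  </GlobalNamingResources>
</Server>
"""


def rewrite_host(url: str, new_host: str) -> str:
    """Replace the host[:port] part of a jTDS URL, keeping database and options intact."""
    m = JTDS_URL.match(url)
    if m is None:
        raise ValueError(f"not a jTDS SQL Server URL: {url}")
    return f"{m.group(1)}{new_host}{m.group(3)}"


def resource_hosts(xml_text: str) -> dict:
    """Map each DataSource name to the host[:port] its url points at (for a post-edit check)."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for res in root.iter("Resource"):
        m = JTDS_URL.match(res.get("url", ""))
        if m is not None:
            hosts[res.get("name")] = m.group(2)
    return hosts


def migrate_server_xml(xml_text: str, old_host: str, new_host: str):
    """Return (new xml text, names updated, names left alone).
    Only urls that currently point at old_host are touched, so a resource that
    already points elsewhere is reported rather than silently redirected.
    Comments (such as the UMC marker) are preserved via insert_comments."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    updated, skipped = [], []
    for res in root.iter("Resource"):
        url = res.get("url")
        m = JTDS_URL.match(url or "")
        if m is None:
            continue
        if m.group(2) != old_host:
            skipped.append(res.get("name"))
            continue
        res.set("url", rewrite_host(url, new_host))
        updated.append(res.get("name"))
    return ET.tostring(root, encoding="unicode"), updated, skipped


if __name__ == "__main__":
    new_xml, updated, skipped = migrate_server_xml(
        SAMPLE_SERVER_XML, "192.168.1.223", "sql02.example.internal")
    print("updated:", updated, "skipped:", skipped)
    print(resource_hosts(new_xml))
```

Before running this against a real file, stop the DCS services as the article says, keep a copy of the original server.xml, and treat a non-empty `skipped` list as a reason to inspect the file by hand rather than restart the services. Note that the whole host[:port] token is replaced, so include the port in `new_host` if the migrated instance listens on a non-default one.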

How to collect and add fingerprint of any app or location to SEP manager (Graphical)


Hi all,

In this article, I will explain the procedure to collect file fingerprint of any file or location within the system and add the same to Symantec Endpoint Protection Manager.

So, Let's get started.

Step 1: Go to Local Drive > Program files(x86) > Symantec > Symantec Endpoint Protection.

You will find Checksum.exe in this folder, that we will use to collect file fingerprint.

Step 2: Press and hold the Shift key, right-click in an empty area of the folder (see the screenshot below) and select Open Command Window Here

Screenshot_1_0.png

Step 3: It will then open the command window at this location. 

Screenshot_2_0.png

Step 4: Now suppose you want to collect file fingerprints of every file from your computer's particular drive (in this case I have selected D drive)

Step 5: 

a. In this window type Checksum.exe or simply type "Ch" without quotes and hit Tab, this will automatically select Checksum.exe from this location.

b. Now type the name of the file which will save the file fingerprint data into a text file. In this example I have given a file with name output.txt You can give any name to this file followed by .txt extension for text file.

c. So the command until now is - Checksum.exe output.txt (There is a space between checksum.exe and output.txt)

d. Next, select the drive letter or the file path for which we need to collect file fingerprints, so type "D:\" with the quotes.

e: So the complete command to collect file fingerprint of all files from D drive is - 

Checksum.exe output.txt "D:\" (There is a space between checksum.exe and output.txt and "D:\")

Screenshot_3_0.png

f: Hit enter and it will start collecting the file fingerprints from D drive as shown below -

Screenshot_4_0.png

Step 6: After the process completes, the window closes automatically and the output file contains the list of file fingerprints for the files on the D drive.

Screenshot_7_1.png

Another example : collect file fingerprint of Google chrome (executable file)

Step 1 : Right click on the Google Chrome icon and select properties, Now click on shortcut tab and copy the target path which is for chrome.exe

Screenshot_5_0.png

Step 2: Type the command as - Checksum.exe output.txt "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

Screenshot_6_0.png

Step 3: Hit enter and it will immediately collect file fingerprint of chrome.exe and store that in output.txt file (see screen shot)

Screenshot_8_0.png
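As an added example, not the article's own material and not Symantec's Checksum.exe, here is a portable Python equivalent of the two commands shown above: it fingerprints a single file or every file below a directory and writes a '<hash> <full path>' list. The assumption that this line layout matches what Checksum.exe writes to output.txt is mine; the sample files are constructed in a temporary directory. The point it demonstrates is that a fingerprint depends only on file contents, so a renamed copy of an allowed binary still matches the list, while a modified copy does not.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path, algorithm: str = "md5") -> str:
    """Hash a file's contents in chunks; the file's name and location do not affect the result."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(target, algorithm: str = "md5"):
    """Fingerprint one file, or every file below a directory (the 'Checksum.exe output.txt "D:\\"' case)."""
    target = Path(target)
    files = [target] if target.is_file() else sorted(p for p in target.rglob("*") if p.is_file())
    return [(file_fingerprint(p, algorithm), str(p)) for p in files]


def write_fingerprint_list(entries, output) -> str:
    """Write '<hash> <full path>' lines. Assumption: this is the layout Checksum.exe
    writes to output.txt and that the SEPM fingerprint-list import reads."""
    with open(output, "w", encoding="utf-8") as fh:
        for digest, path in entries:
            fh.write(f"{digest} {path}\n")
    return str(output)


def read_fingerprint_list(path):
    """Parse the list back, validating that each line starts with a hex MD5 or SHA-256 digest."""
    entries = []
    with open(path, "r", encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\r\n")
            if not line.strip():
                continue
            # Paths may contain spaces (e.g. "Program Files (x86)"); the digest never does,
            # so split on the first space only.
            digest, _, file_path = line.partition(" ")
            if len(digest) not in (32, 64) or any(c not in "0123456789abcdefABCDEF" for c in digest):
                raise ValueError(f"line {lineno}: '{digest}' is not a hex MD5/SHA-256 digest")
            entries.append((digest.lower(), file_path))
    return entries


def build_sample_tree() -> str:
    """Constructed sample input: three small files under a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="fp-demo-"))
    (root / "sub").mkdir()
    (root / "a.txt").write_bytes(b"hello")
    (root / "sub" / "b.bin").write_bytes(b"\x00\x01\x02")
    (root / "sub" / "c.txt").write_bytes(b"hello")  # same content as a.txt, different name and folder
    return str(root)


if __name__ == "__main__":
    root = build_sample_tree()
    entries = fingerprint_tree(root)
    out = write_fingerprint_list(entries, Path(root) / "output.txt")
    for digest, path in read_fingerprint_list(out):
        print(digest, path)
```

`read_fingerprint_list` is the check worth keeping: a list produced on one machine and edited by hand is easy to corrupt, and rejecting a malformed line locally is cheaper than a failed import in the SEPM wizard.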

Adding the output fingerprint file into SEPM.

Step 1: Open the Symantec Endpoint Protection Manager and go to Policies > Policy Components > File Fingerprint Lists and click on add a file fingerprint list

It will open Add File Fingerprint Wizard, Click Next

Screenshot_9_0.png

Step 2: Put name and description of the file.

Screenshot_10_0.png

Step 3: Hit next when you get below screen.

Screenshot_11_0.png

Step 4: Browse the path to the output.txt file.

Screenshot_12_0.png

Step 5: Hit Next and the file will get added to the SEPM.

Screenshot_13_0.png

Screenshot_14_0.png

Step 6: Hit Finish and the fingerprint list is saved in SEPM.

Screenshot_15_0.png

Thanks,

nThakare :)

Ransomware Discovery


Hi All,

These days we are hearing of many cases of ransomware infection, which not only badly impacts business but also critical data. This virus encrypts sensitive data with a private key generated from a C&C server or from the attacker's server. Because of the way ransomware enters the network and silently infects critical servers, the installed antivirus is often unable to detect it proactively. I have worked on a couple of ransomware attacks, so I am sharing my experience as well as a little research, history, best practices and prevention methodology. This article is focused on ransomware discovery, and the next article will be focused on prevention methodology. I am trying to answer all the WH questions related to ransomware.

Ransomware History and Trend

Ransomware is malware that encrypts a user's files-folder and often deletes the original copy if ransom (money) is not paid to attacker to get decryption keys.

ransomware1.jpg

Trend

Ranomware 2.jpg

Why does ransomware target businesses?

  • Attackers are aware that ransomware can create major business disruption, which increases their chances of being paid more.
  • Computers in companies are prone to vulnerabilities, which can be exploited through technical means and social engineering tactics.
  • Cyber criminals also know that businesses often do not report ransomware attacks, to avoid legal or reputational consequences.

What are the most common methods ransomware uses to get in?

  • Plenty of spam email with malicious links or attachments, sent as part of offer or notification campaigns
  • Exploitation of vulnerable software
  • Botnets
  • Self-propagation (spreading from one infected machine to another)

Ranomeware 3.png

Why does ransomware go undetected?

  1. Ransomware's communication with Command & Control servers is encrypted
  2. Browsers or methods like TOR and Bitcoin are used to avoid tracking by law enforcement agencies
  3. Anti-sandboxing techniques are used so antivirus will not flag it as an abnormal process
  4. Encrypted payloads make it difficult for antivirus to scan them as malware
  5. The polymorphic behaviour of ransomware gives it the ability to alter itself and create new variants
  6. Ransomware has the ability to remain dormant

How to install SEPM 14 MP1 with embedded database (Graphical)


Dear all,

This tutorial will give an overall idea of how to install the newly available Symantec Endpoint Protection 14 MP1 with the embedded database.

So lets get started -

Step 1 - Download and extract the SEP 14 MP1 package, then run setup.exe as an administrator

Screenshot_1.png

Step 2 - The installation will begin, hit Next

Screenshot_2.png

Step 3 - Accept the license agreement and click Next

Screenshot_3.png

Step 4 - It will automatically select the location below for the SEP manager install (check that you have enough disk space available), or change the install directory

Screenshot_4.png

Step 5 - The setup is now ready to install, click Next

Screenshot_5.png

Step 6 - The setup will now get installed and this will copy all the required files to said location

Screenshot_6.png

Step 7 - Setup is now installed and we now need to configure the management server, click Next

Screenshot_7.png

Step 8 - You will see the Management server configuration wizard splash screen

Screenshot_8.png

Step 9 - Select the appropriate configuration type.

Note: The default configuration is for a new installation with fewer than 500 clients.

The custom configuration lets you select customised options, such as using a SQL database for managing the SEP clients and their data.

In this case we are going for default configuration which will by default select embedded database.

Screenshot_9.png

Step 10 - In this page, you need to fill the details like -

1. Company Name - Enter your company name

2. User name - This will be used as a username while login into SEPM console

3. Password - Enter the password, this will be used while authenticating the user in SEPM console login (you can change this password anytime from SEPM) and also as a database password

4. Confirm password - Enter the password same as above

5. Email address - Enter the email address of the administrator who might want to get password recovery emails and notifications from SEP manager

6. Emails will be sent to the registered email address only if you add an email server to SEPM (contact your IT team for this)

Rest is self explanatory.

 Screenshot_10.png

Step 11 - Uncheck the Live update installation as it will take several hours to download and install the definitions (you can download it later)

partner information is optional, you can fill that if you feel necessary and hit Next

 Screenshot_11.png

Step 12 - The database will be created in the specified location. This takes quite some time, so be patient and let it finish.

If there is an issue it will throw an error that you can use to troubleshoot further.

Screenshot_12.png

Step 13 - After the database is built, the configuration is complete. Hit Finish to launch the SEP manager.

Screenshot_13.png

Step 14 - After you log in to SEPM using the username and password, your SEPM is installed and you can now install the SEP client on your systems.

Screenshot_14.png

Thanks,

nThakare :)


How to disable Device Control switch option in SEP 14.0 for Mac


Steps to disable Device Control switch option in SEP 14.0 for Mac within Client Management Settings.

From SEP for Mac version 14.0.x and later, there is a switch option to enable or disable Device Control from the SEP client's interface; see the diagram below.

dmac.PNG

With this extra option, users can disable Device Control manually by unchecking it, provided this is allowed as set from the SEPM console.

1. In the Symantec Endpoint Protection Manager (SEPM) Console, select: 

Clients > {Highlight the specific group applicable - My Company / Default Group} > Policies tab

2. Expand the Location-specific Settings:

By clicking on the (+) Plus sign, you will expand to see: 

Client User Interface Control Settings

3.  From 'Client User Interface Control Settings' 

Click Tasks>> Edit Setting

If having chosen:

Server Control mode

  a.  Click Customize ... button

  b.  From section => Proactive Threat Protection

      Uncheck 'Allow user to enable and disable the application device control'

  c.  Click [ OK ] button

Mixed Control mode

  a.  Click Customize ... button

  b.  Click 'Client User Interface Control Settings' tab 

      {Similar options are displayed as was seen in the Server Control mode window}

  c.  Uncheck 'Allow user to enable and disable the application device control'

  d.  Click [ OK ] button

Related articles: 

About application control, system lockdown, and device control

http://www.symantec.com/docs/HOWTO80859

Ransomware Preventive Methodology


Hi All,

As I shared a little research, history and the different ways in which ransomware propagates into the network and systems, this article will now be focused on prevention methodology, which is prepared after referring to many security sources like Symantec security resources, McAfee, TrendMicro etc. The best part of this article is that I am also contributing by sharing my own best ideas to deal with ransomware. I would request you all to share your valuable feedback to correct my ideas and to share more best practices.

Below is just overview of Ransomware attack flow

Ranomse 4_0.jpg

What are the Ransomware Preventive Methodologies?

  1. Block all phishing email subjects used to distribute ransomware.
  2. Most important: keep a backup of your critical files and folders.
  3. File shares or file servers should be installed on Linux/Unix servers so ransomware and any other malware will not execute due to x86 platform compatibility – My IDEA
  4. Use hybrid threat protection security, for example Symantec antivirus for end users, Sophos for servers and Microsoft at the spam gateway, or vice versa, as this provides multilayered protection with multiple virus definitions – My IDEA
  5. Keep critical file backups on a TAPE drive (offline/external storage with restricted/biometric access) – My IDEA
  6. Block infected applications immediately in application control.
  7. Don't give every end user administrator rights; keep a least-privilege policy.
  8. Use FSRM to block ransomware's changes to your file servers.
  9. Use the maximum security features of email and endpoint security solutions, like Application and Device Control (ADC) policies and spam mail policies, to prevent suspicious files.
  10. Always monitor the behaviour of your browser and machine and validate the resource utilisation, like CPU and memory, used by suspicious processes.
  11. Be careful when opening new e-mails from unknown senders
  12. Never enable macros to view any incoming mail attachment
  13. Avoid mapping network drives
  14. Always keep your security software up to date to protect yourself against them.
  15. Install and configure Host Intrusion Prevention

What if Ransomware has already encrypted data?

  1. Do not pay the ransom!
  2. If the machine is accessible, run SymHelp or the antivirus log collection tool and provide the logs to Support
  3. Try to restore with windows restore point function
  4. Try luck with some Decryption tool provided by some security vendors.

Anti-Ransomware tools

https://malwarebytes.box.com/s/of0z75mmdwydw327so885ujn4t5mulnj

http://download.bitdefender.com/am/cw/BDAntiRansomwareSetup.exe

https://go.kaspersky.com/Anti-ransomware-tool.html#form

Best ransomware Decryption tools

https://noransom.kaspersky.com/

https://decrypter.emsisoft.com/

http://www.talosintel.com/teslacrypt_tool/

http://solutionfile.trendmicro.com/SolutionFile/EN-1114221/RansomwareFileDecryptor%201.0.1654%20MUI.zip

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx

Creating Custom Content Filtering Policy in Symantec Messaging Gateway


In this article, a brief description is given about how to create a custom content filtering policy in Symantec Messaging Gateway.

The steps are as below:

  1. Log in to the Symantec Messaging Gateway GUI Console

     Open a browser and type https://FQDN (for example https://172.31.1.204)

1.JPG

  2. Go to Content > Policies > Email. Click on Add.

2.JPG

  3. Select Blank Policy and click Select.

3.JPG

  4. Configuring a Content Filtering Policy:

a) Policy name and Settings:

            Add the policy name and check 'Track violations of this policy in the dashboard and reports'. This includes the custom policy in the reports and the Dashboard entries.

4.JPG

b)  Subsequent Content Filter Handling:

5.JPG

Symantec Messaging Gateway evaluates policies One-By-One on the basis of their Order in the Policy List.

You can also specify how you want Symantec Messaging Gateway to treat subsequent content filtering policies, as follows:

i) Continue with Evaluation & Actions:

When this option is selected, all actions for the next policy that is triggered are added to the "ACTION-LIST."

ii) Provide Incidents & Notifications Actions Only:

When this option is selected, only the 'create incident' and 'send notification' actions of the next policy that is triggered are added to the "ACTION-LIST."

iii) Halt Evaluation & Actions:

When this option is selected, Symantec Messaging Gateway takes the actions of this policy but does not evaluate any further policies.

c) Conditions:

            Select whether the conditions you apply should affect both outbound and inbound messages or only one of them, and also whether all of the conditions must be met or any one of them.

To add a condition, Click Add.

7.JPG

Add the content filtering conditions according to the requirement and Click Add Condition

8.JPG

9.JPG

d) Actions:

            The actions to take when the conditions match the mail must be specified in the Content Filtering Policy. In the Actions section, click on Add.


10.JPG

Select an Appropriate Action from the Action List.

11.JPG

12.JPG

e) Apply to the following Policy Groups:

            Specifies the groups to which the content filtering policy applies. Multiple groups can be selected.

13.JPG

You may then see the custom policy that you configured in the Content Filtering policy list.

How to check specific process with Host Integrity Policy


Is it possible to monitor the status of a specific process with a Host Integrity (HI) policy in Endpoint Protection? The answer is yes.

Here is a simple example of how to set the requirement in an HI policy.

Detailed steps are below:

1. Edit the HI policy --> click Requirements --> click the "Add" button --> select client platform: Windows and select "Custom requirement", then click OK:

1.png

2. On the custom requirement page, click Add --> IF..THEN:

2_1_1.jpeg

2.2. Under THEN --> add Function Utility: Log message, and enter the message "cmd running" under Log description:

2_2_0.png

2.3. Under THEN, add ELSE. Under ELSE --> add Function Utility: Log message, and enter the message "cmd not running" under Log description:

2_3_0.png

3_1.png

3. Open the Endpoint Protection Manager console --> Monitors --> Logs --> Log type: Compliance, Log content: Client Host Integrity --> View log.

The HI event logs appear there. You can also click Details for more information about a specific event, as below.

3_2.png

Blacklisting and Whitelisting Domains and e-mail Address in Symantec Messaging Gateway 10.x


Blacklisting and whitelisting domains in Symantec Messaging Gateway 10.x:

1. Log On to Symantec Messaging Gateway.

1.JPG

2.1 Blacklisting a domain:
(a)    Go To Reputation> Policies> Bad Senders.

(b)    Edit the Local Bad Sender Domains.

bad2.JPG

(c)    In the Local Bad Sender Domains, Click on Add.

bad3.JPG

(d)    There you may add the domain which you want to blacklist (e.g. Bad-Sender.com).
You may also add multiple domains or e-mail IDs separated by commas.

Click Save.

bad4.JPG

bad5.JPG

(e)    Then define the action for that domain. The action Delete is predefined.
You may also select another action from the list.

bad6.JPG

(f)    Click Save.

save.JPG

2.2  Whitelisting a domain:

(a)    Go To Reputation> Policies> Good Senders.

(b)    Edit the Local Good Sender Domains.

Good 1.JPG

(c)    Click Add.

Good 2.JPG

(d)    There you may add the domain which you want to whitelist.

Good 3.JPG

(e.g. Good-Sender.com)
You may also add multiple domains or e-mail IDs separated by commas.

(e)    Specify the Action.

Good 4.JPG

(f)    Click Save.
 

save_0.JPG

Exceptions, Illustrated: Part One


Introduction

This is the sixteenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

This article begins a new mini-series about a much misunderstood capability in SEP: how to keep SEP from scanning content that you don't want detected.

What's the Story?

For the sake of illustration (pun intended) we take you now to a Windows computer at a small but talented outfit that is defended by Symantec Endpoint Protection 14.  Johnny, the new security admin, is dismayed that one of the tools he has used for years at other companies is detected by SEP.

sample_detected_program.png

The detection of this highlighted item is not a False Positive: AngryIPScanner is one powerful tool.  If it is on an organization's computers, perhaps brought there by someone who has compromised the network, SEP would be irresponsible not to raise a red flag.

(Note that as a Security Risk rather than a Threat, this detection is logged by default rather than quarantined or deleted.  The pop-up is still an annoyance for Johnny... he thinks: perhaps there's a way to fix that....) 

A clever professional, our security admin checks online articles and learns that he has the ability to use the Symantec Endpoint Protection Manager (SEPM) to create an exception against this detection....

Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
http://www.symantec.com/docs/TECH98360

Creating exceptions for Virus and Spyware scans
http://www.symantec.com/docs/HOWTO80919

Who Should Have this Mighty Power?

Important note: be very careful with exclusions.  Every exception made opens a hole in the organization's defenses.  Introduce them as precisely as possible, to as few computers as possible.

Rather than have every computer in the organization ignore that tool without so much as a pop-up or record entry added to the SEPM console, our admin Johnny creates a new SEP client group, just for his band of IT rock stars.

creating_exclusion_group.png

He adds the machines of his IT staff to the group... (full details on the procedure can be found from Managing groups of clients)

sepm_adding_client_group.png

This is the group which will have their own Exceptions policy that allows IT tools. For the rest of the organization, settings will be hardened to block Security Assessment Tools, Potentially Unwanted Applications and other questionable content. More details on that can be found in:

All About Grayware
https://www-secure.symantec.com/connect/articles/all-about-grayware

Here's the new Exception Policy, right after it was created.  Note that by default it's not associated with any client group - the admin has to make that connection! 

exceptions_policies.png

Now it's getting assigned:

assign_exclusion_policy_0.png

Policy assigned! Now the exceptions configured in that policy will be applied to the computers in the associated client group.

policy_assigned.png

How to Allow

From the SEPM console (Monitors, Logs, Risk), Johnny views the log of recent detections.  Then he just places a check next to the detection, chooses an action such as "Add risk to Exceptions policy", and clicks Apply.

creating_exceptions_console.png

Be sure to choose the correct Exception policy!  Then Save Changes.

choose_correct_exceptions_policy.png

Here's how the Exceptions Policy looks after that Known Security Risk is excluded:

viewing_policy.png

Note that Johnny can choose what action takes place in the environment he manages: completely Ignore that security risk or Log it.  

Be sure that the client machines connect to the SEPM and receive new policy settings and updates.  Once those are communicated, the client computers will begin to exclude that risk.   

Exceptions Get Tricky

All goes well for a while, and the IT client group is able to use AngryIPScanner without detection.  Then one of the staff comes looking for Johnny's head.  Despite the exclusions, a new download of this tool is still detected and quarantined!

details_of_ws1_detection.png

Johnny has done his reading and points out that the detection name is not AngryIPScanner, but WS.Reputation.1.  That's a SEP detection for files with either a new/unknown or BAD reputation. He hits back with the truth that SEP is a whole suite of security technologies, and one component can convict a file that has slipped past another layer of defense.

SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy
https://www-secure.symantec.com/connect/articles/sep-times-city-helpful-symantec-endpoint-protection-analogy

The same goes for exclusions.  This particular AngryIPScanner tool can be used for good or ill.  That gives it its shady "This file is untrustworthy" reputation, and its WS.Reputation.1 conviction.

"Well, what are you gonna do about it, Johnny?"

There were many options to select, when choosing how to exclude a detected application:

list_of_exceptions_actions.png

"Add Risk to Exceptions policy" will avoid the AntiVirus detection of a single classification, like AngryIPScanner.  Any different unique files (different versions of the tool) will be covered, but only for that excluded risk determination.

There's another option to select, which will avoid detecting a particular application by any method, technology or name. "Allow Application" will avoid detection for that one unique file (one fingerprint, also known as SHA256 hash), not for every different version of the tool.  Johnny quickly edits the client group's Exclusion policy so that SEP, in his environment, will not trigger on the file with the hash that his coworker encountered and a few other versions of the tool with unique hash fingerprints of their own....

adding_application_exclusion.png

Once the policy is saved and updated to all computers in the IT department client group, the detections cease. Johnny knows he's done the right thing, opening his environment up to as few specific files as possible, rather than any option that opened a potential door wider. Everyone gets back to work happily, until it's time to close up shop and head down to Dewey's for some hard-earned relaxation. 

Conclusion

Many thanks for reading!  I hope this article helps.  One note: though the illustrations are from SEP 14, the same options and actions apply to the older SEP 12.1 product. 

The next in the mini-series is now available, illustrating a few common situations.  Please leave comments and feedback below. 

Exceptions, Illustrated: Part Two


Introduction

This is the seventeenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

This article continues a new mini-series about a much misunderstood capability in SEP: how to keep SEP from scanning content that you don't want detected.  For the basics, please be sure to read Exceptions, Illustrated: Part One

Fine Tuning the Terminator

Johnny, new security administrator for a small but talented organization, starts every day by taking a good look at his logs.  He has successfully created exclusions which let his band of IT gurus use powerful but potentially dangerous network auditing and admin tools that are denied to the rest of the company.  He wonders, though, what one of his staff is doing using an ancient version of the AngryIPScanner tool.  That 2.2.1 version was designed for Windows 98.

Happily, the Symantec Endpoint Protection Manager allows Johnny to tweak the settings in use in his environment.  It's possible to allow newer versions of the tool while blocking or terminating attempts to run that old one. In the correct Exceptions policy, he just changes the action for that fingerprint / hash to Terminate...

updated_policy.png

After that, when an attempt is made to launch that old version, Windows throws a "cannot access the specified device, path, or file" error message and SEP logs an Administrator Defined Exception, Process Terminated, User-defined Risk. 

action_configured_to_terminate.png

Johnny later learns that it is also possible to block the old application from running through SEP's Application and Device Control (ADC), but he is happy with the way he has accomplished his goal.

Block Software By Fingerprint
https://www.symantec.com/connect/articles/block-software-fingerprint

The Official Word

Here are two Technical Support articles that have additional details on how to learn and react to applications in the network.... 

Creating Centralized Exceptions Policies in the manager
http://www.symantec.com/docs/TECH183201

How to create an application exception in the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO61213

Applications that Change Frequently, Part One

Constant calls come in on the IT helpline about WS.Reputation.1 False Positive detections on a tool that the company needs.  This internal tool is tweaked and recompiled at least daily, then posted to a shared network location that everyone in the company has mapped as their H Drive.  The tool is called 1939im.exe and it is the organization's number one source of complaints and IT tickets.

Creating an exclusion against the fingerprint/hash of the file will not work, or at least not for long.  That fingerprint changes every time the tool is rebuilt, which is often.  Management is so frustrated that they have asked that SEP's Download Insight be disabled entirely.  Johnny, though a newbie to SEP 14, already understands what a powerful defense Download Insight is.  It may be helpful to adjust the sensitivity of Download Insight and uncheck some options in order to avoid some detections, but he does not want to disable it altogether.

Luckily, with a bit of research, Johnny is able to see a perfect solution.  Thanks to the shared drive and folder structure, the filename and path are always H:\Hllblls\1939im.exe on every computer. An exception can be created to ignore any file of that name in that location:

file_exception.png    

(One note: this exception is made in the policy that is applied to the company's many end-user client groups, not to the exceptions policy that is for the IT only client group!)

Johnny then uses his Windows permissions to make sure that the development team, responsible for the creation and posting of that tool, are the only user accounts with write access to that shared folder.  Other users may read and run the executable, but no unauthorized user account can replace that 1939im.exe file with malware of the same name!
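The permission change described in that paragraph is what keeps a path-based exception from becoming a hole: if anyone could overwrite the file, the exception would cover whatever replaced it. The following is an added PowerShell example, not from the article, showing one way to set the folder's NTFS permissions so that only the development group can write to it. The path H:\Hllblls is the article's; the group names CORP\DevTeam and CORP\Domain Users are placeholders for your own groups, and the script is assumed to run with rights to change the folder's ACL (normally on the file server, against the share's local path).

```powershell
# Added example (not from the article): restrict write access to the folder that holds
# the excluded tool so only the development team can replace 1939im.exe.
$Folder   = 'H:\Hllblls'          # the article's shared folder (mapped H: drive)
$DevGroup = 'CORP\DevTeam'        # placeholder: group that builds and posts the tool
$Readers  = 'CORP\Domain Users'   # placeholder: everyone who only needs to run it

# Step 1: stop inheriting permissions from the parent so the folder gets explicit rules only.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # protect = true, preserve inherited = false
Set-Acl -Path $Folder -AclObject $acl

# Step 2: re-read the (now inheritance-free) ACL and drop any leftover explicit rules.
$acl = Get-Acl -Path $Folder
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule([string]$Identity, [string]$Rights) {
    # Helper: an inheritable Allow rule for a folder and everything below it
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $prop, $allow)
}

# Developers may create, replace and delete the build output.
$acl.AddAccessRule((New-Rule $DevGroup 'Modify'))
# Everyone else may read and execute, so 1939im.exe runs but cannot be overwritten.
$acl.AddAccessRule((New-Rule $Readers 'ReadAndExecute'))
# Keep the OS and local administrators able to manage the folder.
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
Set-Acl -Path $Folder -AclObject $acl

# Step 3: verify. Anyone listed here with Write/Modify/FullControl can swap the excluded file.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The verification step at the end is worth repeating periodically, or after anyone "fixes" a share problem by loosening permissions: the path exception stays safe only as long as the set of accounts with write access stays small.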

Don't rely on exclusions alone! There are additional measures for developers to take to reduce the risk of False Positives.  The Insight Deployment Best Practices, for example, offer advice such as digitally signing executable files. It may also be best to take part in Symantec's whitelisting program for files that will ultimately be made available to a wide public audience.

Applications that Change Frequently, Part Two

Another pain point is that many trusted, legitimate files downloaded from a certain domain are constantly being detected.  These necessary files, which the company requires to do its business, are frequently detected as WS.Reputation.1 and other signature names.

Again, SEP's built-in exclusions save the day: it is possible to proactively allow downloads that come from a specified website or address.

trust_web_domain.png

Should those files be malicious, of course, they will be detected once they are on the computer's disk and acting evil.  The scan that takes place during download, though, will give them a pass.

Conclusion

Many thanks for reading!  Part three in the mini-series, illustrating some really poorly thought out exclusions, is under development now!

Please leave comments and feedback below. 


Script: Checking if a sample is detected as malware by Symantec by its hash


On the Symantec site, you cannot search malware by its hash, as of now. I made two scripts to help you, if there is a need to check a lot of hashes.
You will need a free VirusTotal account to use them. From your profile, get your Public API Key (My API Key menu entry) and copy it into the marked area in the scripts.
In HashList.txt, one hash (MD5, SHA1, SHA256) per line, you can list the hashes to check. The example contains the EICAR test hash.
VirusTotal-ReScanHash.ps1 will initiate a recheck of the sample with the latest definitions. This can come in handy with relatively new potential malware, when the previous definitions could not detect it but the latest might. It is recommended to run this before generating a report with the other script, VirusTotal-GetReport.ps1. This one will check, by its hash, whether SEP can detect it or not, according to its VirusTotal detection, and also outputs the name under which it is detected. Output is in SEP_detection.txt.

Notes:
- Unfortunately, Public API access to VirusTotal is limited to 4 requests per minute, so there is a 26 second sleep between requests (if you have a private API key, feel free to remove the Sleeps). But for most cases (for me surely), it is faster than going manual, even with this limitation.
- The initiated rescan might take a little time to finish!
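The two scripts themselves are not reproduced on this page. As an added illustration of the workflow described above (not the author's VirusTotal-ReScanHash.ps1 or VirusTotal-GetReport.ps1), the following PowerShell reads HashList.txt, queues a rescan for each hash, then fetches each report and records the Symantec verdict in SEP_detection.txt. It uses the VirusTotal v2 public API endpoints (file/rescan and file/report) that the public API key gives access to; the API key value is a placeholder, the 26 second delay follows the note above, and the file names are the ones the article uses.

```powershell
# Added example (not the author's scripts): VirusTotal v2 public API, Symantec verdict per hash.
$ApiKey     = 'YOUR-VT-PUBLIC-API-KEY'   # placeholder: paste your own Public API Key here
$HashFile   = 'HashList.txt'             # one MD5 / SHA1 / SHA256 per line
$OutputFile = 'SEP_detection.txt'
$Delay      = 26                         # public API allows 4 requests per minute

function ConvertTo-VerdictLine {
    # Turns one file/report response into a tab-separated line: hash, verdict, detail.
    # Kept separate from the web calls so it can be tried offline with a saved JSON report.
    param([string]$Hash, $Report)
    if ($Report.response_code -ne 1) { return "$Hash`tUNKNOWN`tnot present on VirusTotal" }
    $sym = $Report.scans.Symantec               # per-vendor entry: detected, version, result, update
    if ($null -eq $sym)   { return "$Hash`tUNKNOWN`tSymantec did not scan this sample" }
    if ($sym.detected)    { return "$Hash`tDETECTED`t$($sym.result)" }
    return "$Hash`tNOT DETECTED`t(definitions $($sym.update))"
}

function Invoke-VTRescan {
    # Queues the sample for a fresh scan with current definitions (no-op if VT never saw the hash)
    param([Parameter(Mandatory)][string]$Hash)
    Invoke-RestMethod -Method Post -Uri 'https://www.virustotal.com/vtapi/v2/file/rescan' `
        -Body @{ apikey = $ApiKey; resource = $Hash }
}

function Get-VTSymantecVerdict {
    # Fetches the report for one hash and reduces it to the Symantec verdict line
    param([Parameter(Mandatory)][string]$Hash)
    $report = Invoke-RestMethod -Method Get -Uri 'https://www.virustotal.com/vtapi/v2/file/report' `
        -Body @{ apikey = $ApiKey; resource = $Hash }
    ConvertTo-VerdictLine -Hash $Hash -Report $report
}

# Accept only well-formed MD5 (32), SHA1 (40) or SHA256 (64) hex strings from the list
$hashes = Get-Content -Path $HashFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$' }

# Pass 1: queue rescans so the reports reflect the latest definitions
foreach ($h in $hashes) {
    Invoke-VTRescan -Hash $h | Out-Null
    Start-Sleep -Seconds $Delay
}
Start-Sleep -Seconds 60   # rescans take a little time to finish (see the notes above)

# Pass 2: collect the Symantec verdict for every hash
$lines = foreach ($h in $hashes) {
    Get-VTSymantecVerdict -Hash $h
    Start-Sleep -Seconds $Delay
}
Set-Content -Path $OutputFile -Value $lines
```

Passing the parameters through -Body lets Invoke-RestMethod form-encode the POST and append the GET query string for you. ConvertTo-VerdictLine is the only part that interprets the response: if your list contains a hash VirusTotal has never seen, it is reported as UNKNOWN rather than silently treated as clean.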

Additional credit goes to:
"David B Heise" - thanks for the VT API PS module (Invoke-VTRescan) - Source: https://psvirustotal.codeplex.com !
https://virustotal.com - thanks for the public API!

Help us spread the word about SEP 14 and get a $25 Amazon gift card!


It’s simple: Click here and log into G2 Crowd using your LinkedIn Account.

You must contribute a detailed, balanced and complete review!

After your review is verified, G2 Crowd will send the first 40 reviewers a $25 Amazon Gift Card.

It’s that easy.

data-loss-prevention.jpg G2 Crowd.png

Help us spread the word about DLP and get a $25 Amazon gift card!


It’s simple: Click here and log into G2 Crowd using your LinkedIn Account.

You must contribute a detailed, balanced and complete review!

After your review is verified, G2 Crowd will send the first 40 reviewers a $25 Amazon Gift Card.

It’s that easy.

data-loss-prevention.jpg G2 Crowd.png

Support Perspective: PUA.Winexe


In May of 2017, Symantec added a Risk detection for the tool Winexe.

Winexe is a Linux-based application that allows commands to be executed remotely on Windows-based operating systems. It installs a service on the remote system, executes the command, and can then uninstall the service. Winexe allows execution of most Windows shell commands. Although this tool has many legitimate applications, its use in security incidents is prevalent enough for us to provide controls in our Potentially Unwanted Application (PUA) category.

Apart from its legitimate uses, Winexe can and has been used for network traversal attacks as part of the Empire powershell toolkit and was also known to have been used in the 2015 attack on the German Parliament.

The 2017 Internet Security Threat Report discusses the rise of many similar “dual use” tools to breach and traverse enterprise environments.

Detection information:

Detection for PUA.Winexe and its heuristic counterpart PUA.Winexe!g1 was initially provided in virus definitions on May 29, 2017, revision 006.

PUA management and Risk acceptance:

Risk detections have the important distinction of not being inherently malicious, and they allow a greater degree of risk acceptance within many Symantec products.

For a full list of Risks and categories of Risks detected by Symantec please see:

For more information on exclusions please see:

System requirements for Endpoint Protection 14


System requirements for Symantec Endpoint Protection Manager and the Symantec Endpoint Protection clients are the same as those of the operating systems on which they are supported.

  • Symantec Endpoint Protection Manager
  • Symantec Endpoint Protection client for Windows
  • Symantec Endpoint Protection client for Windows Embedded
  • Symantec Endpoint Protection client for Mac
  • Symantec Endpoint Protection client for Linux
  • Supported virtual installations and virtualization products

 

Symantec Endpoint Protection Manager system requirements

Software (component: requirement)

Operating system: Windows Server 2008 to Windows Server 2016 (64-bit)

Web browser:
  Microsoft Edge (32-bit Windows 10 does not support
  Microsoft Internet Explorer 11
  Mozilla Firefox 5.x through 49.0.1
  Google Chrome 54.0.x

Database: you must use a database from one of the following versions of Microsoft SQL Server:
  SQL Server 2008 SP4 to SQL Server 2016
  (SQL Server Express edition is not supported)

Hardware (component: requirement)

Processor: Intel Pentium Dual-Core or equivalent minimum; 8-core or greater recommended

Physical RAM: 2 GB RAM available minimum; 8 GB or more available recommended

Hard drive when installing to the system drive:
  With an embedded database or a local SQL Server database:
  --> 40 GB available minimum (200 GB recommended) for the management server and database
  With a remote SQL Server database:
  --> 40 GB available minimum (100 GB recommended) for the management server
  --> Additional available disk space on the remote server for the database

Hard drive when installing to an alternate drive:
  With an embedded database or a local SQL Server database:
  --> The system drive requires 15 GB available minimum (100 GB recommended)
  --> The installation drive requires 25 GB available minimum (100 GB recommended)
  With a remote SQL Server database:
  --> The system drive requires 15 GB available minimum (100 GB recommended)
  --> The installation drive requires 25 GB available minimum (100 GB recommended)
  --> Additional available disk space on the remote server for the database

Display: 1024 x 768 or larger

Symantec Endpoint Protection client for Windows system requirements

Software (component: requirements)

OS (Desktop): Windows Vista to Windows 10, 32-bit and 64-bit, including all editions such as Standard, RTM, POSReady and Enterprise

OS (Server): Windows Server 2008 to Windows Server 2016, including Small Business Server, Essential Business Server, etc.

Browser Intrusion Prevention: support is based on the version of the CIDS (Client Intrusion Detection System) engine

Hardware (component: requirements)

Processor:
  > 32-bit processor: 1 GHz Intel Pentium III or equivalent minimum (Intel Pentium 4 or equivalent recommended)
  > 64-bit processor: 2 GHz Pentium 4 with x86-64 support or equivalent minimum

Physical RAM: 512 MB (1 GB recommended), or higher if required by the operating system

Hard drive: disk space requirements depend on the type of client you install, which drive you install to, and where the program data folder resides. The program data folder is usually on the system drive in the default location C:\ProgramData.
  Note: space requirements are based on NTFS file systems. Additional space is also required for content updates and logs.

Display: 800 x 600 or larger

Client for Windows hard drive system requirements

Standard client
  Installed to the system drive:
    With the program data folder on the system drive: 395 MB*
    With the program data folder on an alternate drive: system drive 180 MB; alternate installation drive 350 MB
  Installed to an alternate drive:
    With the program data folder on the system drive: system drive 380 MB; alternate installation drive 15 MB
    With the program data folder on an alternate drive: system drive 30 MB; program data drive 350 MB; alternate installation drive 150 MB

Embedded / VDI client
  Installed to the system drive: 395 MB
  Installed to an alternate drive: system drive 180 MB; alternate installation drive 350 MB

Dark Network client
  Installed to the system drive: 545 MB
  Installed to an alternate drive: system drive 180 MB; alternate installation drive 500 MB

Note: an additional 135 MB is required during installation.

Symantec Endpoint Protection client for Windows Embedded system requirements

Software and hardware requirements (component: requirements)

Processor: 1 GHz Intel Pentium

Physical RAM: 256 MB

Hard drive:
  Installed to the system drive: 245 MB
  Installed to an alternate drive: 230 MB on the system drive and 15 MB on the alternate drive
  An additional 135 MB is needed during installation.

Embedded operating system:
  Windows Embedded Standard 7 (32 and 64-bit)
  Windows Embedded POSReady 7 (32 and 64-bit)
  Windows Embedded Enterprise 7 (32 and 64-bit)
  Windows Embedded 8 Standard (32 and 64-bit)
  Windows Embedded 8.1 Industry Pro (32 and 64-bit)
  Windows Embedded 8.1 Industry Enterprise (32 and 64-bit)
  Windows Embedded 8.1 Pro (32 and 64-bit)

Required minimum components:
  Filter Manager (FltMgr.sys)
  Performance Data Helper (pdh.dll)
  Windows Installer Service

Templates:
  Application Compatibility (Default)
  Digital Signage
  Industrial Automation
  IE, Media Player, RDP
  Set Top Box
  Thin Client
  --> The Minimum Configuration template is not supported.

Symantec Endpoint Protection client for Mac system requirements

Component: requirements

Processor: 64-bit Intel Core 2 Duo or later

Physical RAM: 2 GB of RAM

Hard drive: 500 MB of available hard disk space for the installation

Display: 800 x 600

Operating system: Mac OS X 10.9, 10.10, 10.11, and macOS 10.12

Symantec Endpoint Protection client for Linux system requirements

Hardware and software requirements (component: requirements)

Hardware:
  Intel Pentium 4 (2 GHz) or higher processor
  1 GB of RAM
  7 GB of available hard disk space

Operating system:
  CentOS 6U3, 6U4, 6U5, 6U6, 7, 7U1, 7U2; 32-bit and 64-bit
  Debian 6.0.5 Squeeze, Debian 8 Jessie; 32-bit and 64-bit
  Fedora 16, 17; 32-bit and 64-bit
  Oracle Linux (OEL) 6U2, 6U4, 6U5, 7
  Red Hat Enterprise Linux Server (RHEL) 6U2 - 6U8, 7, 7.1, 7.2
  SUSE Linux Enterprise Server (SLES) 11 SP1 - 11 SP3, 32-bit and 64-bit; 12, 12 SP1
  SUSE Linux Enterprise Desktop (SLED) 11 SP1 - 11 SP3, 32-bit and 64-bit
  Ubuntu 12.04, 14.04, 16.04; 32-bit and 64-bit

Graphical desktop environments:
  KDE
  Gnome
  Unity

Other environmental requirements:
  > glibc
    Any operating system that runs glibc earlier than 2.6 is not supported.
  > i686-based dependent packages on 64-bit computers
    Many of the executable files in the Linux client are 32-bit programs. For 64-bit computers, you must install the i686-based dependent packages before you install the Linux client.
    If you have not already installed the i686-based dependent packages, you can install them from the command line. This installation requires superuser privileges, which the following commands demonstrate with sudo:
    For Red Hat-based distributions: sudo yum install glibc.i686 libgcc.i686 libX11.i686
    For Debian-based distributions: sudo apt-get install ia32-libs
    For Ubuntu-based distributions: sudo apt-get install libx11-6:i386 libgcc1:i386 libc6:i386
  > net-tools or iproute2
    Symantec Endpoint Protection uses one of these two tools, depending on which is already installed on the computer.