Channel: Symantec Connect - Products - Articles

Introduction to various Symantec and Norton Security Products


What is this about?

In this article we will have a look at the portfolio of both Symantec and Norton security products. The list will cover both the Enterprise products of the Symantec family and the Consumer products of the Norton family. Some of the products will probably already be familiar to you, but what I hope to achieve in this article is to introduce some products that are maybe not that widely known but can indeed make your environment much more secure. During the course of reading you will undoubtedly see that the range of Symantec security products is really vast, reaching from antivirus applications for desktops and laptops up to very specialized solutions for Exchange, Domino servers or NAS devices. The portfolio will include both product descriptions and links to product home pages or whitepapers where more detailed information or pricing can be obtained. For Norton security products I also recommend perusing the provided links to the online reviews, which will provide additional information about the software.

 

Index

Symantec Products:

Symantec Antivirus Corporate Edition (CE) 10.x
Symantec Endpoint Protection Enterprise Edition 11.x / 12.1
Symantec Endpoint Protection SBE 12.1
Symantec Endpoint Protection SBE 2013
Symantec Protection Suite (SPS)
SAV for Linux (SAVFL)
Network Access Control (SNAC)
Symantec Critical System Protection (SCSP)
Symantec Data Loss Prevention (SDLP)
Symantec Web Gateway
Symantec Mail Security for Microsoft Exchange (SMSMSE)
Symantec Mail Security for Domino (SMSDOM)
Symantec Messaging Gateway (SMG)
Symantec Protection Engine for Network Attached Storage (SPE for NAS)
Symantec Protection Engine for Cloud Services
Symantec Endpoint Encryption Full Disk Edition
Symantec Mobile Security

 

Norton Products:

Norton Antivirus 2014
Norton Internet Security
Norton 360
Norton 360 Multi-Device
Norton Internet Security for Mac
Norton Antivirus 12 for Mac
Norton Mobile Security
Norton Hotspot Privacy

 

 

Symantec Security Products for Enterprise

  • Symantec Antivirus Corporate Edition (CE) 10.x - legacy Symantec Antivirus solution. The product reached its End-of-Support-Life (EOSL) on July 4, 2012 and was replaced by the newer SEP 11.x and SEP 12.1 solutions. Depending on the version, legacy SAV CE may be upgraded directly to either SEP 11.x or 12.1; please consult the relevant migration documentation for supported upgrade paths.

End of Life announcement for Symantec AntiVirus Corporate Edition and Symantec Client Security
http://www.symantec.com/docs/TECH178551
Frequently asked questions about Symantec AntiVirus 10.x End of Support Life
http://www.symantec.com/docs/TECH184999
How to request a virus definition extension for Symantec AntiVirus 10.x Corporate Edition beyond its End-of-Support-Life date
http://www.symantec.com/docs/HOWTO73168

 

  • Symantec Endpoint Protection Enterprise Edition 11.x / 12.1 - Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Mac computers, and servers in your network against malware such as viruses, worms, Trojan horses, spyware, and adware. Additionally it provides protection against more sophisticated attacks that evade traditional security measures, such as rootkits and zero-day attacks. The suite comprises Antivirus / Antimalware protection, Firewall, IPS, and Application and Device Control. In version 12.1 SEP is built on multiple additional layers of protection, including Symantec Insight and SONAR, both of which provide protection against new and unknown threats. The most recent SEP 12.1 version is 12.1 RU4. The latest version of Symantec Endpoint Protection 11.x is 11 RU7 MP4; this is also the last release of the SEP 11.x product family, and with this revision the product reaches its EOL stage, so we recommend upgrading to SEP 12.1.


Symantec Endpoint Protection
http://www.symantec.com/endpoint-protection
Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control
http://www.symantec.com/docs/TECH163829
Latest Symantec Endpoint Protection Released - SEP 12.1.RU4
https://www-secure.symantec.com/connect/blogs/latest-symantec-endpoint-protection-released-sep-121ru4
Support life extension for Endpoint Protection 11.x and Endpoint Protection Small Business Edition 12.0.x
http://www.symantec.com/docs/TECH211491
 

 

  • Symantec Endpoint Protection SBE 12.1 - Symantec Endpoint Protection Small Business Edition incorporates many of the features of Symantec Endpoint Protection Enterprise Edition. It is designed for small-to-medium businesses with up to 250 clients. Like the full version, SBE protects against malware such as viruses, worms, Trojan horses, spyware, and adware. Please review the release and implementation documentation for the SBE version, as several features and functionalities included natively in 12.1 EE may be missing in the 12.1 SBE edition. The most important differences to mention:
  1. no SQL Database support
  2. no Application and Device Control feature
  3. no Host Integrity enforcement
  4. no Shared Insight Cache support
  5. no AD Synchronisation option
  6. does not include several other components such as Risk Tracer, Virtual Image Exception, Group Update Providers
  7. includes some limitations regarding the available management options in the SEPM GUI

Feature comparison between SEP 12.1 SBE and EE
https://www-secure.symantec.com/connect/articles/feature-comparison-between-sep-121-sbe-and-ee
Installing and configuring Symantec Endpoint Protection Small Business Edition
http://www.symantec.com/docs/TECH91893
Symantec™ Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.4 Release Notes
http://www.symantec.com/docs/DOC6838

 

  • Symantec Endpoint Protection SBE 2013 - Symantec Endpoint Protection Small Business Edition 2013 offers simple, fast and effective protection against viruses and malware. It is available as a cloud-managed service, which means there are no additional hardware requirements for the management layer, as all administrative tasks are executed from a web-based console. SBE 2013 also has an on-premise management application available, in case that is preferred over cloud management. Like the other SEP 12.1 editions (SBE and Enterprise Edition), SBE 2013 offers a unified security solution with a variety of features such as Antivirus and Antimalware protection, Firewall, heuristic SONAR protection, etc.


Symantec Endpoint Protection Small Business Edition 2013
http://www.symantec.com/endpoint-protection-small-business-edition-2013
Quick Start Tips for SEP Small Business Edition 2013
https://www-secure.symantec.com/connect/articles/quick-start-tips-sep-small-business-edition-2013
Symantec Endpoint Protection Small Business Edition 2013
https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-small-business-edition-2013

 

  • Symantec Protection Suite (SPS) - a bundled product of Symantec security software, available both in Small Business Edition and Enterprise editions, comprising the following components:
  1. Endpoint Protection
  2. Endpoint Protection for Macintosh
  3. Antivirus for Linux
  4. Mail Security for Microsoft Exchange
  5. Mail Security for Domino
  6. Messaging Gateway
  7. System Recovery Desktop Edition
  8. Symantec Protection Center
  9. Web Gateway

SPS provides multiple layers of protection for endpoint security, messaging security, web, data loss prevention, and data and system recovery. It also allows the deployment of integrated essential endpoint and messaging security technologies as unified solutions with coordinated management.

Symantec Protection Suite Enterprise Edition
http://www.symantec.com/protection-suite-enterprise-edition
Compare Antivirus Software & Security Products
http://store.symantec.com/antivirus-comparison
Protect More, With Less - See How Symantec Protection Suite Can Do It
http://www.symantec.com/tv/products/details.jsp?vid=1211579625001
Top 10 Benefits of Symantec Protection Suite
https://www-secure.symantec.com/connect/articles/top-10-benefits-symantec-protection-suite

 

  • SAV for Linux (SAVFL) - software designed to provide antivirus protection on Linux OS. Symantec AntiVirus for Linux includes real-time antivirus file protection through Auto-Protect scanning, and file system scanning via manual and scheduled scans. Symantec AntiVirus for Linux requires a supported kernel on the system before the Symantec Auto-Protect package is installed; otherwise you need to compile Auto-Protect against your own kernel to ensure it functions properly.

Best practice to install Symantec Antivirus for Linux
http://www.symantec.com/docs/TECH150596
System requirements for Symantec AntiVirus for Linux 1.0
http://www.symantec.com/docs/TECH101598
SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
https://www-secure.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide
SAV for Linux: A (Somewhat) Illustrated Guide Part 2
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-2
SAV for Linux: A (Somewhat) Illustrated Guide Part 3
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-3

 

  • Network Access Control (SNAC) - Symantec product that validates and enforces policy compliance for computers that try to connect to the production network. This validation and enforcement process begins before the computer connects to the network and continues throughout the duration of the connection. The Host Integrity policy is the security policy that serves as the basis for all evaluations and actions. SNAC clients may interact with a Symantec Enforcer. The Enforcer ensures that all computers connecting to the network it protects run the client software and have a correct security policy. SNAC can also work in so-called self-enforcement mode, where it uses the Symantec desktop firewall to police network access, providing the easiest and fastest enforcement deployment option.

Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide 12.1
http://www.symantec.com/docs/DOC4321
About the types of enforcement in Symantec Network Access Control
http://www.symantec.com/docs/HOWTO55734
How Symantec Network Access Control works
http://www.symantec.com/docs/HOWTO55733

 

  • Symantec Critical System Protection (SCSP) - proactive policy-based protection and compliance software targeted at securing physical, virtual and cloud server environments. SCSP consists of both HIDS (host-based intrusion detection) and HIPS (host-based intrusion prevention), as well as least-privilege access control and application and device control policies. Some of the key features of SCSP:

- Non-signature-based Host Intrusion Prevention
- Zero-day protection through out-of-the-box OS hardening policies. These are either prebuilt for Windows environments or based on the latest vSphere hardening guidelines, protecting the virtual environment at the management server, hypervisor and guest level.
- Full integration with AD
- Broad platform support - Windows (including Server Core editions), VMware, Unix, Linux, AIX, HP-UX
- Real-time File/Directory Integrity Monitoring - identifies changes to files and directories, along with information on who made the change and what was changed
- Configuration Monitoring - identifies policy violations and suspicious activity
- Tamper Prevention policies - allow locking down the system, administrators, settings and files to prevent tampering
- Application and Device Control - allows locking down application executables, devices such as removable media, and configuration settings
- Host-based firewall - controls inbound and outbound traffic
- Advanced Memory Controls - to combat various types of memory attacks
- Privilege Access Control - role-based policies to prevent unauthorized user access
- Compliance solution addressing security regulations such as PCI DSS, SOX or HIPAA

Symantec Critical System Protection
http://www.symantec.com/critical-system-protection
Symantec Critical System Protection - Maximum protection for physical and virtual data centers - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-critical_systems_protection_DS_21197836-1.en-us.pdf
Symantec Critical System Protection and how is it different from Symantec Endpoint Protection
https://www-secure.symantec.com/connect/articles/symantec-critical-system-protection-and-how-it-different-symantec-endpoint-protection

 

  • Symantec Data Loss Prevention (SDLP) - data security solution that discovers, monitors and manages confidential data both when it is stored and while it is being transferred. DLP helps monitor confidential data usage in order to identify potential high-risk users or endpoints. DLP also provides email protection for corporate mobile devices such as iPhone or Android-based smartphones. DLP includes a Vector Machine Learning technology that learns to detect sensitive data based on the unique characteristics of sample data rather than on file fingerprinting. DLP provides data monitoring and protection at all three levels:

- DLP Storage - DLP can scan data centers to find and protect confidential data stored on file servers, shares, databases or similar file repositories. In case of sensitive information exposure, DLP can provide incident security teams with the data owner and location as well as the content details, allowing for the fastest remediation.
- DLP Endpoint - scans for confidential data on laptops and desktops. DLP can prevent data from being copied to external drives by disabling the devices themselves in order to prevent data leakage. It can also encrypt confidential data that is identified as unprotected on the endpoints. DLP can also prevent sensitive information from being printed by desktop or laptop users.
- DLP Network - protects against data breaches in the network. Prevents data loss over outbound email by monitoring the email traffic and, if needed, quarantining or blocking it to prevent the leak of sensitive information.
 


Video - Symantec Data Loss Prevention

 

Symantec Data Loss Prevention
http://www.symantec.com/data-loss-prevention
What's New in Symantec Data Loss Prevention 12- Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-whats-new-in-dlp12-21299912-en.us.pdf

 

  • Symantec Web Gateway - security solution that filters undesirable URLs to protect end users by preventing them from visiting either malicious sites or sites that would violate company policy; the integrated filtering list allows administration of 62 different site categories. Web Gateway is powered by Symantec Insight technology, which uses the Global Intelligence Network to identify and block new and emerging threats before they propagate to end users. Symantec Web Gateway integrates with the Symantec DLP for Web solution, which identifies sensitive data and prevents it from leaking outside corporate channels via Web traffic. Some of the other key features of Web Gateway:
  1. Application control capabilities
  2. Symantec RuleSpace URL filtering with flexible policy setting
  3. Virtual or physical appliance deployment option
  4. SSL Decryption capabilities
  5. Multiple layers of malware protection
  6. Integrates with award-winning Symantec AntiVirus engine

Symantec Web Gateway
http://www.symantec.com/web-gateway
Symantec™ Web Gateway 5.1 - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-symantec-web-gateway-51-DS-21197723-1.en-us.pdf

 

  • Symantec Mail Security for Microsoft Exchange (SMSMSE) - integrated mail protection against malware, spyware, spam and phishing. Allows real-time or scheduled scanning of email content in order to provide efficient protection. The latest version of Mail Security for Exchange supports all recent Exchange versions up to Exchange 2013, and all varieties of Exchange environments are supported: hosted, VMware or Hyper-V. Mail Security scans are based both on standard definitions and on advanced heuristic technologies.

Symantec Mail Security for Microsoft Exchange
http://www.symantec.com/mail-security-for-microsoft-exchange
Symantec™ Mail Security for Microsoft Exchange 7.0 - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-mail_security_for_microsoft_exchange_DS-1207718-4.en-us.pdf
Release notes for Symantec Mail Security 7.0 for Microsoft Exchange
http://www.symantec.com/business/support/index?page=content&id=TECH200283
Overview of Premium AntiSpam in Symantec Mail Security for Microsoft Exchange
http://www.symantec.com/business/support/index?page=content&id=TECH89148


 

  • Symantec Mail Security for Domino (SMSDOM) - provides real-time protection against malware, spyware, spam and phishing; this version is targeted at Lotus Domino servers. Mail Security for Domino natively supports both Windows and IBM AIX environments, with full support for Lotus Domino clusters.

Symantec Mail Security for Domino
http://www.symantec.com/mail-security-for-domino
Symantec Mail Security for Domino - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-mail_security_domino_DS_12688872.en-us.pdf
Release notes for Symantec Mail Security 8.1.x for Domino
http://www.symantec.com/business/support/index?page=content&id=TECH181843
SMSDOM Best Practices: Setup
http://www.symantec.com/business/support/index?page=content&id=TECH175550

 

  • Symantec Messaging Gateway (SMG) - the most feature-rich mail security solution from Symantec. It contains features such as real-time antimalware and antispam protection, advanced content filtering, data loss prevention and email encryption. Since release 10 the product contains improved Targeted Attack Protection, which helps against targeted attacks and zero-day threats by removing exploitable content from Office and .pdf attachments. The antispam filtering feature, as in the Symantec Mail Security product line, is powered by the Symantec Brightmail set of technologies, which are able to identify threats based on reputation.

Symantec Messaging Gateway
http://www.symantec.com/messaging-gateway
Symantec Messaging Gateway 10.5 - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-symantec-messaging-gateway-10.5-DS-21320399.en-us.pdf
Symantec Messaging Gateway v/s Symantec Mail Security for Exchange- Which solution is the right one for my organization?
https://www-secure.symantec.com/connect/articles/symantec-messaging-gateway-vs-symantec-mail-security-exchange-which-solution-right-one-my-o

 

  • Symantec Protection Engine for Network Attached Storage (SPE for NAS) - product formerly known as "Symantec Antivirus for NAS" - provides high-performance content scanning and threat detection. Specifically designed and recommended for a range of NAS devices, it detects both known threats and those with no known signatures through advanced heuristics. This solution provides increased scanning performance and improved detection capabilities for protection against blended threats. Supported NAS platform vendors include BlueArc, EMC, Hitachi, NetApp and Sun. Other third-party NAS devices can integrate with SPE for NAS via the ICAP protocol.

Introduction to Symantec Protection Engine for Network Attached Storage
https://www-secure.symantec.com/connect/articles/introduction-symantec-protection-engine-network-attached-storage
Symantec Protection Engine for Network Attached Storage
http://www.symantec.com/protection-engine-network-attached-storage
Symantec Protection Engine for Network Attached Storage 7.0 - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-protection_engine_for_nas_7_DS_20007094.en-us.pdf

 

  • Symantec Protection Engine for Cloud Services - formerly known as "Scan Engine". SPE for Cloud Services is a client/server application that allows threat detection technologies to be incorporated into almost any application. Protection Engine includes Symantec's proprietary, patented URL categorization technology and industry-leading malware protection for fast, scalable, and reliable content scanning services. These services help organizations protect their data and storage systems against the ever-growing malware threat landscape.

Symantec Protection Engine for Cloud Services
http://www.symantec.com/protection-engine-for-cloud-services
Symantec Protection Engine for Cloud Services 7.0
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-scan_engine_DS_14056879.en-us.pdf

 

  • Symantec Endpoint Encryption Full Disk Edition - advanced data and file encryption for desktops, laptops and removable media devices. Endpoint Encryption supports both Windows and Mac computers. Some of the key benefits:
  1. Protects your information against accidental data loss and protects desktops and laptops against unauthorized access
  2. Meets government directives and regulations and offers a full audit trail
  3. Provides scalable, centralized management for easy deployment and administration
  4. Offers boot protection, pre-boot authentication, and pre-boot event logging, and supports Single Sign-On (SSO) to avoid the need to remember and enter multiple passwords
  5. Provides native MS AD integration

Symantec Endpoint Encryption Full Disk Edition
http://www.symantec.com/endpoint-encryption
Symantec Endpoint Encryption Full Disk Edition - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-endpoint_encryption_full_disk_edition_DS_21157417.en-us.pdf

 

  • Symantec Mobile Security - security solution designed for large enterprise-wide deployments, providing protection against malicious threats and unauthorized data access on Android devices. Besides threat detection, Symantec Mobile Security also offers privacy and theft protection for those devices. Key features of Symantec Mobile Security:

- Scheduled or on-demand scans on the device
- Anti-phishing Web browser protection
- Remote locate function to locate a lost or stolen device
- Remote lock function to lock a stolen device
- Remote wipe function to erase a stolen device
- Scream alarm to help locate a missing device
- Integration with Symantec LiveUpdate
- Centralized management and distribution of security policies


Symantec Mobile Security
http://www.symantec.com/mobile-security
Symantec Mobile Security - Whitepaper
http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-mobile-security-DS-21260542.pdf

 

 

Norton Security Products for Consumer Market

  • Norton Antivirus 2014 - provides antivirus and antimalware protection for consumer PCs. It also includes a set of tools to clean up threats from the machine: Norton Power Eraser and Norton Bootable Recovery Tool. Key features of the product:

- powered by Symantec Insight, which identifies which files and applications are safe and which are dangerous based on file reputation
- SONAR Behavioral Protection - heuristic detection of unknown threats
- Intrusion Prevention System - helps block exploits at the network level
- Internet Protection System - protects against suspicious links
- Download Insight - prevents downloads from websites with a low reputation score
- Scam Insight - reviews websites to determine if entering PII is safe
- Identity Safe - personal vault for passwords and credentials
- Safe Web and Safe Web for Facebook modules
- Anti-phishing Technology - blocks phishing attempts


Video - The New Norton AntiVirus

Norton Antivirus Product Page
http://us.norton.com/antivirus

Reviews:
http://www.pcmag.com/article2/0,2817,2424097,00.asp
http://anti-virus-software-review.toptenreviews.com/norton-review.html

 

  • Norton Internet Security - complete internet protection suite for PCs. Includes all the cleanup tools from Norton Antivirus. Additionally, it provides enhanced internet security through the following features (some of them overlap with those implemented in Norton Antivirus):


- powered by Symantec Insight
- SONAR Behavioral Protection
- Download Insight and Scam Insight
- Internet Protection System - protection against suspicious links and content on both websites and social networking sites
- Spam Blocking - to protect users from unwanted emails
- Identity Safe
- Anti-phishing Technology
- Safe Web and Safe Web for Facebook modules
- Parental Control for children
- Two-way Firewall included
- includes additional performance tools known from the Norton 360 suite: Defrag, Startup Manager


Video - The New Norton Internet Security

Norton Internet Security Product Page
http://us.norton.com/internet-security/

Reviews:
http://www.pcmag.com/article2/0,2817,2424558,00.asp

 

  • Norton 360 - the most feature-rich security solution for PCs, providing a mix of antivirus/antispyware tools and backup/restore technologies. Key features of Norton 360:


- Antivirus and antimalware protection powered by Symantec Insight and reputation scans
- SONAR behavioural protection - proactively helps detect unknown threats
- Spam blocking function
- Download Insight - prevents downloads from suspicious websites
- Scam Insight - reviews website reputation
- Anti-Phishing technologies
- Identity Safe - to store user names and passwords safely
- Parental Controls
- Safe Web for Facebook - scans the Facebook Wall for security threats
- Firewall
- Automatic product and content downloads secured by Symantec LiveUpdate
- Performance Tools including Defrag, Startup Manager and PC Tuneup
- Cleanup and Threat Removal tools - Norton Power Eraser, Norton Bootable Recovery Tool
- Automatic Backup with Symantec Online Backup, providing 2GB of online storage


Video - The New Norton 360

Norton 360 Product Page
http://us.norton.com/360

Reviews:
http://internet-security-suite-review.toptenreviews.com/premium-security-suites/norton-360-review.html
http://www.pcmag.com/article2/0,2817,2409973,00.asp

 

  • Norton 360 Multi-Device - a bundled solution including cross-platform coverage of security products:

- Norton 360 for Windows
- Norton Internet Security 5 for Macintosh
- Norton Mobile Security for Android and iOS


Video - Norton 360™ Multi-Device

Norton 360 Multi-Device Product Page
http://us.norton.com/norton-360-multi-device

Reviews:
http://www.pcmag.com/article2/0,2817,2426595,00.asp
http://computer-protection-software-review.toptenreviews.com/norton-360-multi-device-review.html

 

  • Norton Internet Security for Mac - complete protection suite for Macintosh computers. Key features included within the pack:

- AntiVirus and Antispyware Protection
- Two-Way Firewall
- Location Awareness: adjusts the level of protection depending on where the Mac laptop is being used
- Norton Safe Web and Safe Search: proactively protects users while surfing the Web by warning of and blocking unsafe and fake websites right in search results
- Norton Safe Web for Facebook: scans Facebook News Feeds for malicious downloads
- Antiphishing Technology: blocks fraudulent phishing websites
- Vulnerability Protection: updates daily to defend against threats that can infect a Mac through gaps in the operating system
- Confidential File Guard: password-protects users' files
- Email and Instant Message Monitoring: scans iChat and other IMs for suspicious attachments and other tricks used to steal users' identities

Norton Internet Security for Mac - Product Page
http://us.norton.com/macintosh-internet-security

Reviews:
http://www.pcmag.com/article2/0,2817,2426503,00.asp
http://mac-internet-security-software-review.toptenreviews.com/norton-internet-security-for-mac-review.html

 

  • Norton Antivirus 12 for Mac - basic antivirus protection for Macintosh; does not include a firewall or any of the Norton Safe Web features included in Norton Internet Security for Mac. It includes the following components:

- Daily Protection Updates
- Vulnerability Protection
- Email and Instant Message Monitoring

Norton Antivirus 12 for Mac - Product Page
http://us.norton.com/macintosh-antivirus

Reviews:
http://mac-antivirus-software-review.toptenreviews.com/norton-antivirus-for-mac-review.html
http://www.macexpertguide.com/2012/11/19/review-norton-antivirus-12-mac

 

  • Norton Mobile Security - security solution designed for the consumer market of Android and iOS devices, both smartphones and tablets. Includes antivirus and antitheft protection. Selected mobile features can be controlled remotely through a website. Key features:

- Backs up the contacts from an Android, iPhone or iPad device
- includes spam blocking features
- blocks phishing websites
- comprehensive antimalware solution
- scans downloaded apps and app updates for threats
- allows scanning of SD cards when inserted or on a scheduled basis
- remotely locks the device if stolen
- allows erasing all information from the device if it is stolen or lost
- includes an option to lock the device if the SIM card is removed, so that another SIM cannot be used
- shows the location of a missing device to help locate it
- allows taking photos remotely in case the device was stolen, to help identify the thief
- scream alarm to locate a missing device


Video - Norton Mobile Security

Norton Mobile Security Product Page
http://us.norton.com/norton-mobile-security

Reviews:
http://www.pcmag.com/article2/0,2817,2386221,00.asp
http://www.laptopmag.com/reviews/security-apps/norton-mobile-security-pro.aspx

 

  • Norton Hotspot Privacy - solution designed to protect login details, passwords and privacy while using public Wi-Fi hotspots. It creates a private, encrypted connection, making the user invisible on the public hotspot and securing the data sent over the public network. It protects the entire session, so that both Web browsing and app traffic are protected. Devices supported by the product include PC, Mac, iPad, iPod and iPhone. Although the name suggests Wi-Fi networks only, the product also works on wired public networks.


Video - Norton Hotspot Privacy


Video - WiFi is not secure: Protect your privacy with Norton Hotspot Privacy

Norton Hotspot Privacy Product Page
http://us.norton.com/norton-hotspot-privacy

Reviews:
http://www.pcmag.com/article2/0,2817,2410765,00.asp
http://www.businesscomputingworld.co.uk/review-norton-hotspot-privacy

 

 


Security 1:1 - Part 5 - Online gaming fraud, scam and phishing attempts



Online gaming - "En Taro Adun" to the Part 5 of the Security 1:1 Series

Online gaming, just like any other branch of the internet community, is targeted by scams, fraud and hacks. A few years back the scope of scams involving online players may not have been that visible, but over time, as online games (especially MMORPGs) became more popular and offered several different communication channels between players, they very often became easy prey for attackers. We are speaking here of a user base reaching millions, the majority of them not IT-security aware and many of them adolescents. Add to this that most game systems rely on password security only (with a few exceptions offering additional two-factor authentication), and the field to exploit looks really promising for any attacker. Property theft, whether physical or virtual, is still theft, and in this article we will explore several means used by malicious attackers to get hold of players' credentials, accounts and virtual items.

 

The Security 1:1 series consists so far of the following articles:

 

 

"If no mistake have you made, yet losing you are... a different game you should play"

There are many reasons for attackers to target the online gaming community - as more and more online games have some kind of online store, your gaming account is often already connected to your payment information. Once the attackers have access to the account itself they can further compromise your credit card information. The other obvious reason is the online account itself and the value of the "virtual stuff" you have collected on it. Despite some beliefs that "virtual gaming things" cannot be worth much, they are in fact sometimes worth a lot in real-world currency. Both items and virtual gold are sold either in some kind of in-game auction house or on auction websites (like eBay). Gaining access to your gaming account and ransacking all your characters is one way for the attacker to make some easy money.

The accounts themselves may be sold as well, with prices ranging from a couple of euros up to thousands, depending on the level of the characters on the account, completed achievements and collected gear. All of this normally takes time - the more time invested into an account, the more it is worth. Please note on this occasion that gold, item or account resale violates the terms of use of most online games, and game providers will ban the accounts involved if such activities are detected.

 

 

"Hail to the Horde!" - about phishing emails

Phishing is by all means the most widespread type of online gaming fraud. The purpose of this kind of attack on gamers is most commonly to gain unauthorized access to the gamer's account information. With this kind of access the attacker may later exploit the account further for other fraudulent activities. The wave of game-related phishing attacks began in earnest a few years back, and up to this day hundreds of examples of such malicious attempts can be found - the scale on which these phishing attempts are spread can only confirm one thing: a lot of players are still falling for them and becoming unaware victims!

Another grave danger comes from compromised game accounts - most players tend to use the same credentials for their gaming account as for their private or corporate access; if the attackers already have access to your video game account, what stops them from accessing your other accounts, which may contain much more sensitive information?

 

The attack pattern of phishing emails can vary slightly, but there are some common elements that you should be vigilant about:

  • source email address ("From" field) - this will be 100% a spoofed address. What you see will resemble as closely as possible the real, legitimate email address of your game provider. Only by examining the source code of the email and viewing the email header can you check the real origin of the message and see that it is completely different from what your mail client displays.
  • your email address ("To" field) - be aware that many times the address at which you receive the email is not the email address you use with your gaming account. Many gamers simply do not check this field. It is very important and already allows you to classify the email as a phishing attempt even before reading its content.
  • email greeting - you will most likely never be addressed directly by your first or last name. What you will see here is a brief "Hello", "Dear valued customer", "Greetings" or similar.
  • email signature - will indicate that it was sent by Support Team, Account Team, Billing Team, Management Team or similar to stress the importance of the email; in most cases it does not mention any person by name. The signature will also include links to the game provider - links here can be spoofed or legitimate, placed to convince the recipient that the message is genuine.
  • email content will include a request for you to verify your data and access information by following a given link and entering that information in the browser. At this point we have the most important element of the phishing email - the link provided in the content will be 100% spoofed, redirecting you to a malicious website of the attacker. Other than a request for verification, the email may contain information that you have violated the conditions or rules of the game (very often the email will imply that you are for example trying to sell your account, which is a breach of the terms of service) and that your account will be blocked unless you follow a given link and verify your data. Another popular pattern are emails stating that some of the information on your account (email, name, etc.) has recently been modified, which could potentially mean that it has been compromised (!) or that you will lose access to it as a result of the change. As you obviously did not make any changes, the sender asks you to follow the given link and verify your data.
  • redirection to fake website - the website itself may look very professional and be almost a mirror of the legitimate site, to convince the user once more of its authenticity. Later on we will have a look at real-life examples of a fake login website.
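As an added illustration (not part of the original article), the checks above can be expressed as simple header and link heuristics that a mail filter or a cautious user could apply. The sample message, the publisher domain example-games.com and the registered address player@example.org are all constructed for the demo. The display name, the real sender domain, the delivery address, the greeting and every link host are examined separately, so a message with one legitimate link and one spoofed one (the pattern the fake Battle.net page later in the article shows) is still flagged.

```python
"""Heuristic checks for a game-account phishing email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for the demo: the publisher's domain and the address the
# player registered with the game account. Both are placeholders.
LEGIT_DOMAINS = {"example-games.com"}
REGISTERED_ADDRESS = "player@example.org"

GENERIC_GREETINGS = ("dear customer", "dear valued customer", "hello",
                     "hallo", "greetings")

# Constructed sample message: the headers and body are made up for this demo.
SAMPLE_EMAIL = """\
From: "Example Games Account Team" <support.examplegames@gmail.com>
To: someone-else@example.net
Subject: Account verification required
Content-Type: text/plain

Dear Customer,

Unusual activity was detected. Verify your account within 24 hours at
http://example-games.com.account-verify.example/login or it will be locked.
Forum: https://forum.example-games.com/

Account Team
"""


def host_of(url):
    """Lower-cased host part of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def is_legit_host(host):
    """True only for a legitimate domain or a real subdomain of one.

    'example-games.com.attacker.example' ends with neither 'example-games.com'
    nor '.example-games.com', so look-alike prefixes do not pass.
    """
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze_email(raw):
    """Return a list of (rule, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. "From": the display name may say anything; only the real domain counts.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain and not is_legit_host(sender_domain):
        findings.append(("from_domain",
                         f"display name '{display}' but sender domain is {sender_domain}"))

    # 2. "To": the message was not even sent to the account's registered address.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != REGISTERED_ADDRESS:
        findings.append(("to_mismatch",
                         f"delivered to {to_addr}, account uses {REGISTERED_ADDRESS}"))

    # 3. Greeting: the first non-empty body line is a generic salutation.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    first_line = next((l for l in body.splitlines() if l.strip()), "").strip().lower()
    if first_line.rstrip(",:") in GENERIC_GREETINGS:
        findings.append(("generic_greeting", first_line))

    # 4. Links: every URL host is checked on its own; legitimate links mixed in
    #    do not excuse a spoofed one.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if not is_legit_host(host_of(url)):
            findings.append(("suspicious_link", url))

    return findings


def is_likely_phishing(raw, threshold=2):
    """Flag the message once at least `threshold` independent signs are present."""
    return len(analyze_email(raw)) >= threshold


if __name__ == "__main__":
    for rule, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{rule}: {detail}")
```

The threshold is deliberately low: any one of these signs is a reason to open the game provider's site by typing its address yourself rather than following the link.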

 

The references below provide some examples and show that many online games are targeted by phishing attacks. Don't feel secure though if your game hasn't been listed here or targeted in the past - there is a really big chance that phishing attacks on it were or are happening as well.

Reference:
Phishing scam invades Star Wars online game
http://www.gmanetwork.com/news/story/266007/scitech/geeksandgaming/phishing-scam-invades-star-wars-online-game
Star Wars The Old Republic Phish: Scam You, it Will
http://www.threattracksecurity.com/it-blog/star-wars-the-old-republic-phish-scams-you-it-does
Guild Wars 2 players targeted in phishing attacks
http://www.techspot.com/news/50087-guild-wars-2-players-targeted-in-phishing-attacks.html
Hackers target Guild Wars 2 players
http://www.bbc.co.uk/news/technology-19543035

 

 

"Your gold is welcome here" - phishing targeting Battle.Net

video_blizz.png

Video: About scam attempts - World of Warcraft (WoW) / Battle.net

 

One thing to consider is that most attackers may not even know which game you play or whether you play at all. Phishing is simply sent to everyone "on the list" - one of the reasons most phishing attempts target the most popular games with the biggest player base: the bigger the gaming community, the higher the probability that the phishing attack will reach a certain percentage of real players. The "cherry on the pie" for online attackers nowadays is Blizzard, as all of its online games (World of Warcraft, Diablo, Starcraft) are currently managed through one shared account - Battle.net. Considering that the Battle.net account may include not only your gaming data but also real payment information - be that PayPal details or credit card information - the stakes go up as you realise that the compromise of this account will cause damage not only to your virtual belongings but can potentially affect your real assets as well.

 

The size of the gaming community is one of several factors that play a definitive role when attackers select their target. Another factor is the willingness of this community to pay real money for virtual items. This willingness is much higher among players who already pay a monthly fee for the game itself, and attackers are aware of this fact as well.

Reference:
Phishing in a World of Warcraft
http://nakedsecurity.sophos.com/2011/01/20/phishing-in-a-world-of-warcraft
Phishing scam hits World of Warcraft
http://www.gmanetwork.com/news/story/265872/scitech/geeksandgaming/phishing-scam-hits-world-of-warcraft

 

Being a big player on the gaming market, Blizzard is fully aware of the phishing threat targeted at unaware gamers and attempts to educate them about the looming danger. Under the following link (http://us.battle.net/en/security/theft) you can find information and recommendations from Blizzard about several types of account theft and what can be done to prevent further damage. The site also provides examples of phishing emails, with Blizzard's recommendations on what "not to do" in case you find yourself a potential target of phishing.

Further reference:
Battle.net - Phishing
https://us.battle.net/support/en/article/phishing

 

  • Below I have posted an example of the legitimate Battle.Net login website and a second one of a fake login website. At first glance there are really not many differences, but let's analyze both:

♦ During my testing the fake website triggered an alarm from Microsoft SmartScreen right away:

smartscreen.png

♦ In the address bar you can also observe that IE reports an unsafe website, while on the legitimate one we see that it has been "Identified by Digicert".

♦ There is a slight font difference on certain words between the two sites.

♦ Obviously the web page address in the address bar is different - but it is similar enough to trick users who are not paying attention to it (due to security concerns I covered the fake address).

♦ An interesting thing to mention is that the fake website contains only one fake link - "LOG IN". All the other links at the bottom of the page, even the "create an account" button, are legitimate and redirect to the official battle.net website.

 

battlenet_true.png

US Battle.Net official legitimate website

 

battlenet_fake.png

US Battle.Net fake website

 

 

Let's have a look at some real-life examples of phishing emails targeted at Blizzard players:
 

phish_email1.png

Example 1: The "From" field indicates Blizzard Entertainment, but after checking, the email belongs to a private account at "@gmail.com". Many sentences in the email are ungrammatical, which already makes one suspicious. The first link is spoofed, the other two are legitimate. The recipient is addressed as "Dear Customer", while legitimate correspondence would address the recipient directly by name.

----------------------------------------------------------------------------

phish_email2_1.png

Example 2: Again the source appears as Blizzard Entertainment, with a spoofed address that after checking again comes from a private account at @gmail.com. The email contains Blizzard's postal address to convince the user of its authenticity.

 

 

"Look. More hidden footprints!" - about In-Game Phishing

Phishing does not always mean email. In almost every online game nowadays you will find either an online chat system or an in-game mail system - both of those communication channels can be exploited by malicious attackers. As an example to visualise an in-game phishing attack we take World of Warcraft and information published by TrendLabs (see references below). In the example provided by TrendLabs, attackers were tempting gamers by sending them invitations to beta-testing of the World of Warcraft expansion Mists of Pandaria. As a reward for participation, gamers were offered a free in-game mount - all they needed to do to get it was to register on the website by following the provided link. The link takes the player to a website that poses as a legitimate Battle.net page. As soon as they log in on the website to claim their reward, the account is compromised.

 

The second example brought up by TrendLabs describes misuse of the in-game chat system, where the attacker poses as a Blizzard employee and whispers to the unaware player, offering free in-game gift items or other rewards. Again, to claim them the user is required to log in on the given website. As with standard email phishing or in-game mail phishing, the links will often include phrases or words known to the player - related to the game itself - that should both attract the players and convince them of the authenticity. In-game chat phishing may also include a threat to the player regarding account violation and pending ban procedures - this has exactly the same meaning as the email phishing; only the transport channel is different. Blizzard itself warns players about fake/malicious in-game whispers and provides guidance on how to identify a fake whisper (https://eu.battle.net/support/en/article/phishing).

Reference:
World of Warcraft Scams: Mist of Pandaria, Free Mounts and Phishing Galore
http://blog.trendmicro.com/trendlabs-security-intelligence/world-of-warcraft-scams-mist-of-pandaria-free-mounts-and-phishing-galore
World of Warcraft Scams: Free Gifts and Fake Account Suspension Threats
http://blog.trendmicro.com/trendlabs-security-intelligence/world-of-warcraft-scams-free-gifts-and-fake-suspend-account-threats

 

 

"We cannot prevail against so many!" - about Keyloggers and Infostealer Trojans

If you are already aware of phishing attempts and know how to recognize them on sight - good for you, but there are still other means of getting to your online gaming account credentials. Being an active player you certainly visit not only official game forums but also other third-party or even private websites, forums, channels etc. Keep in mind that those are not always harmless and can indeed be malicious. Often they will offer third-party add-ons or tools that will make your gaming experience better - and with the tool comes a free, obligatory bonus: a keylogger trojan. As soon as it is installed on the target machine it will start recording all your keystrokes - including the credentials used to log in to the game. Don't expect to be able to log on to your game the next day - and even if you do, do not expect to find your characters in the same state you left them. To protect yourself, make sure you follow two easy steps: do not visit untrustworthy websites, and do have a proper antivirus/antimalware solution. Be aware that many game providers will deny you any account restoration if they find out that it was compromised because of a credential leak on your side.

Reference:
How to protect your system from keyloggers [Updated]
http://wow.joystiq.com/2007/06/05/how-to-protect-your-system-from-keyloggers

 

There are many variants of Infostealer Trojans - some of them have functionality typical of keyloggers (capturing all your keystrokes), others directly target data stored on the machine in search of credentials. Many of them target not only games but have multiple purposes and can also collect other information, like your online banking details, and send it back to the author. Many of the malware attacks targeting the gaming community involve several attack vectors - phishing emails redirect players to spoofed websites offering fake patches or add-ons infected with malware. Those contain both trojans, which users execute unwittingly by installing the fake updates, and worms, which spread by themselves to increase the scope of the infection. Malware may also kill antivirus processes to avoid detection, or even have rootkit characteristics to stay completely hidden on the system.

 

Some of the examples of gaming trojans seen in the past or reported to Symantec:

  • Trojan.Xilon [2002] - Trojan that comes disguised as a patch for the Diablo II game. It also allows a hacker to steal Diablo II user account and character information.
  • W32.HLLW.Gotorm [2003] - Worm designed to steal sensitive account information and CD keys for popular games, including Half Life, Warcraft 3, Counterstrike, Starcraft and Diablo 2; it attempts to spread through the KaZaA file-sharing network.
  • Infostealer.Wowcraft (or PWSteal.Wowcraft) [2005] - Trojan attempting to steal the password to the "World of Warcraft" MMORPG.
  • Trojan.Jasbom (or PWSteal.Lineage) [2005] - Trojan that logs keystrokes, mouse clicks and application memory while the MMORPG Lineage is being played.
  • Infostealer.Gampass [2006] - Trojan targeting MMORPG games and stealing registration keys.
  • Infostealer.Maplosty [2006] - Trojan that attempts to steal information related to the MapleStory online game and send it to a predetermined email address.
  • Infostealer.Onlinegame [2008] - Trojan that steals online game password information from the compromised computer. This trojan mostly targeted MapleStory, World of Warcraft and MSN Games.
  • Trojan.Grolker [2013] - Trojan used to steal both gaming and online banking credentials from compromised machines.

 

Reference:
Trojan targets World of Warcraft gamers
http://arstechnica.com/uncategorized/2006/05/6778-2

Leveling Up: Gaming Trojan Adds Banks to Target List
https://www-secure.symantec.com/connect/blogs/leveling-gaming-trojan-adds-banks-target-list

 

In 2010 Symantec teams came across a malicious server hosting over 44 million stolen gaming credentials from a variety of online games. Important to note is that the credentials were not only collected (most likely using Trojans like Infostealer.Gampass) and stored, but a large part of them were also validated as being active by another Trojan specifically designed for this purpose - Trojan.Loginck. Obtaining 44 million account credentials is one thing; validating them to find out which ones are still active and potentially available for exploitation is another. Have a look at the whole story described in the Symantec blog referenced below.

Reference:
44 Million Stolen Gaming Credentials Uncovered
https://www-secure.symantec.com/connect/blogs/44-million-stolen-gaming-credentials-uncovered

 

 

"A Jedi uses the Force for knowledge and defense, never for attack” - Scammers and Phishers will use your interests against you and attack when the time is right

Any major event in an online game or release of a new expansion marks a time when increased scam/phishing activity is to be expected. Attackers are fully aware of when the interest in a particular game is greatest and will choose precisely this time to strike, offering free bonuses, in-game items, free beta passes - all of it related to the new add-on or update, even when it hasn't yet been released officially. This is also a recurring trend - every time a new expansion is released, a new wave of phishing attacks hits to gain access to accounts and the new in-game items, mounts, pets, etc. The value of those items is highest just after the release of the expansion and drops significantly as time passes, which in the end leads to decreased income from a potential sale.

TrendLabs reported in one of its articles (see reference) an increased number of scams just before the release of Diablo 3. Apparently the search results for "diablo 3 free download" were returning a bunch of scam sites offering the free beta version prior to the official release.

Reference:
Diablo 3 Scams Preempt Game Release
http://blog.trendmicro.com/trendlabs-security-intelligence/diablo-3-scams-preempt-game-release

 

In another attempt, scammers struck during the release of Starcraft 2, sending out phishing emails supposedly coming from the Blizzard Store and already confirming the purchase of the game. The only action required from the end user was to log in on the spoofed website to redeem the code and claim the copy of the game.

Reference:
Beware: Email Scam Targeting StarCraft II Fans
http://www.tomshardware.com/news/StarCraft-II-Scams-Battle.net-Blizzard.com,10997.html

 

Similar attempts were reported again prior to the release of Diablo 3, and again before the release of its expansion "Reaper of Souls" - below is an example of such an invitation email with a fake game code and a spoofed link to battle.net.

reaper_scam.png

Diablo III - Reaper of Souls Phishing Email

Reference:
Gaming the security – Beware of fake Diablo III beta invitations!
https://www.securelist.com/en/blog/208193131/Gaming_the_security_Beware_of_fake_Diablo_III_beta_invitations

 

 

"Now, go. Leave this place, and never return!" - about Power-Leveling and other in-game scams

Email phishing or in-game phishing are only a part of the threats that await unaware players. Many of the scams are to be found directly in the game - some of the scam attempts may come from players themselves, but many are performed by organized collectives or even companies. Noteworthy is that if you fall victim to any of those listed below, your only hope may be to contact the support staff of the particular game, but even then keep in mind that activities such as "gold or account resale" or "power-leveling" are deemed to violate the in-game terms of use and will most probably void your support, in the worst case even lead to a ban of your account.

 

Let's have a look at a few of the most common online game scams you can encounter:

  • In-game trade - bad trades are commonly known - you paid a price 10x the real value of the item. Game support will most likely not reimburse any items traded because of bad judgement or misinformation about the price on the gamer's side. In-game trade scammers may also exploit existing bugs in the game to perform a scammed trade in which you hand over an item but receive nothing in return. Recommendation: trade only with people you know and trust. Do not fall for trades that seem too good to be true.
  • Account trade or sale - an action violating the game's terms of use. Often legitimate players try to sell or trade their account when they get bored of a particular game. The account trade scammer may be either the seller or the buyer - you can find yourself in a situation where you buy a really great-looking account that in reality is not worth a penny, or you sell your pumped-up account for money and get scammed during the process. Game support will most probably be denied if you report any scam that involved account resale or trade.
  • Gold and items sale - prohibited by most game providers' terms of use. You will nevertheless find quite a few, even professional, companies offering tons of gold or high-level items for sale. Both the gold and the items will most likely come from gold farms or gold bots. If the seller is a scammer at the same time, he may ask you for your account credentials during the sale process - don't ever fall for this. In any case your game account may be banned if suspected of in-game item or gold selling activities.
  • Power-leveling - a paid service offered to users, mostly by companies. It involves providing the company with your game credentials so that the company's employees can level up your characters in the game. Power-leveling carries many dangers for your account: you need to hand over your credentials willingly (this alone should be enough of a warning sign to keep you from using such services); you need to be aware that your account will most likely be leveled up by bots and not real people, which violates the game's terms of use and may endanger your account; and lastly you may get your account back with the characters ransacked of anything of value, with no way to get back the money you paid either.

Reference:
How Not to Get Victimized by MMORPG Scams and Hackers
http://www.ereviewguide.com/news/2012/04/09/how-not-to-get-victimized-by-mmorpg-scams-and-hackers

 

 

"Black magic bars our way, but the will of the templar is stronger" - how to protect yourself against online game fraud

Here I would like to provide you with some recommendations on how to protect your gaming account against scams. In the reference section below you will also find links to some of the game publishers and their best practices for securing online accounts.

 

  1. Account security - protect your login credentials; refrain from account sharing, where someone else also knows your login data.
  2. Password security - make sure your password and user name are complex enough (to survive a potential brute-force password cracking attack); do not reuse your gaming password as your banking or corporate password; in case you have problems remembering a complex password, make use of password manager software such as Norton Identity Safe (https://identitysafe.norton.com).
  3. Additional credentials security - if your game provider offers additional two-factor authentication, make sure you sign up for it. Two-factor authentication combines your normal logon name and password with a hardware-based token authenticator or tokens generated on your mobile/smartphone device.
  4. Email account security - make sure your email account adheres to the same security regime as your gaming account; if attackers cannot gain access to your game account they may try to compromise your email account first.
  5. Anti-virus software - make sure you are using legitimate antivirus/antimalware solutions (such as many of the Symantec or Norton security solutions) that can protect your machine from malware infection.
  6. Shared computers - if possible, refrain from playing on shared or public computers, which can compromise your account security.
  7. Operating system - make sure your operating system is up to date, to prevent unauthorized access through exploited vulnerabilities.
  8. Beware of fan pages or third-party forums related to your games - those may contain malicious downloads.
  9. Beware of what you download and where from - an advertised patch or add-on may in reality be something else.
  10. Learn how to recognize phishing emails: do not open unknown attachments, do not follow links included in HTML emails, and do check the email header to find out the real originating email address.
  11. Be aware that in-game phishing also exists; make sure the person you whisper with in the in-game chat is really the person you take them for.
  12. Be sure that legitimate game support will never ask you for your password details.
  13. Do not buy or sell game accounts.
  14. Do not buy items or gold from third-party companies - such actions may jeopardise the security of your account and violate the game's terms of use.
  15. Do not use power-leveling services - ask yourself what you are playing for if you want to power-level. What's the fun in someone else leveling your characters for you?
  16. In case of any suspicious activities targeted at you or your gaming account, do contact the respective game support.

Reference:
ArenaNet - A Note about Phishing Emails
https://forum-en.guildwars2.com/forum/support/account/A-Note-about-Phishing-Emails/first
Battle.Net - Types of Account Thefts
http://us.battle.net/en/security/theft
Riot Games Security
http://www.riotgames.com/riot-games-security
League of Legends - Protecting Your Account
https://support.leagueoflegends.com/entries/21552105-Protecting-Your-Account
Eve Online - Account security
https://wiki.eveonline.com/en/wiki/Account_security

 

 

"Your flesh is weak" - 18 GB of malware downloaded successfully?!

A quite recent example of a scam hitting thousands of naive and impatient players. GTA 5 was released in October 2013 for Xbox and PS3 exclusively. A PC edition had not even been announced by Rockstar at that time, but despite this online search results were showing websites (mostly torrent sources) offering a free GTA 5 PC version download, luring players eager to get this version ahead of its release. The installer looked quite convincing - 18 GB in size, with a working executable setup.exe file. Attempting to install the game takes the user to a phishing website where he needs to input his personal information to register the game and fill out some surveys. What about the downloaded 18 GB of files - most of it most likely junk data, the rest malicious content. This is one more example that, even with much higher general awareness of phishing attacks and online gaming scams than ever before, people still easily fall for scams as obvious as this one.

References:
Legit-Looking GTA V PC “Leaked” Setup Infects Thousands of PCs Worldwide
http://wccftech.com/gta-v-pc-scam-infects-thousands-pcs-world-wide
Torrent scam hits thousands eager for PC version of GTA V
http://news.cnet.com/8301-10797_3-57608943-235/torrent-scam-hits-thousands-eager-for-pc-version-of-gta-v
It's a trap! Malware disguises itself as Grand Theft Auto 5 for PC gamers
http://www.pcworld.com/article/2056566/its-a-trap-malware-disguises-itself-as-grand-theft-auto-5-for-pc-gamers.html
GTA 5 PC Torrent Fools Gamers: Installs 18 GB Malware
http://au.ibtimes.com/articles/517603/20131029/gta-pc-click-read-version-18-gb.htm

 

--------------------------

General article references:
Online Games: Fun or Risky?
http://us.norton.com/yoursecurityresource/detail.jsp?aid=online_games
Online gaming fraud: the evolution of the underground economy
https://www.securelist.com/en/analysis/204792139/Online_gaming_fraud_the_evolution_of_the_underground_economy
Online games and fraud: using games as bait
http://www.securelist.com/en/analysis/204791963/Online_games_and_fraud_using_games_as_bait

How to prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer.


To prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer, you just need to add uninstallation passwords to the agents.

Uninstallation passwords prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer.
Passwords can only be added to Symantec DLP Agents during agent installation or upgrade. If you have existing agents you want to protect, you must remove the agent and then reinstall the agent with the password.

Passwords are generated using the UninstallPwdKeyGenerator.exe tool. You add the uninstallation password by including the password parameter in the agent installation command line. You can use either Symantec Management Platform (SMP) or a software management system (SMS) program to install the agents with the uninstallation password.

You cannot add the uninstallation password to agents through the installation wizard.

To add the uninstallation password to an agent installation:
Add the uninstallation password parameter to the agent installation command line:

UNINSTALLPASSWORDKEY="<password key>"
where <password key> is the password that you created with the password generation tool.

A sample agent installation command line might look like the following example:
msiexec /i AgentInstall.msi /q INSTALLDIR="%ProgramFiles%\Manufacturer\Endpoint Agent\" ENDPOINTSERVER="hostname" PORT="8000" KEY="" UNINSTALLPASSWORDKEY="<password key>" SMC="hostname" SERVICENAME="EDPA" WATCHDOGNAME="WDP"

Using uninstallation passwords
When you want to uninstall a Symantec DLP Agent that is password protected, you must enter the correct password before the uninstallation continues. If you uninstall your agents manually, a pop-up window appears on the endpoint computer that requests the password. You must enter the password in this window.

If you are using a software management system, include the password parameter in the command string. If you want to uninstall a group of agents, specify the uninstallation password in the agent uninstallation command line.

To enter the uninstallation password using a command line, add the following parameter to the uninstallation command line:
UNINSTALLPASSWORD="<password>"
where <password> is the password that you specified in the password generator.
 

An agent command line looks like the following example:
msiexec /uninstall ? <product code> /q UNINSTALLPASSWORD="<password>"

Below is the process of upgrading agents and uninstallation passwords.

You can upgrade any agents that are protected by uninstallation passwords without affecting the password. If you do not want to change the password, do not include the password parameter in the upgrade command line. The pre-existing uninstallation password is carried over to the upgraded agent automatically. Only include the password parameter if you want to change the password or if you want to add a new password to an agent.

To add or change a password while upgrading an agent, add the following password parameter to the upgrade command line:
UNINSTALLPASSWORDKEY=<password key>
where <password key> is the password key that you created using the password generation tool.

 

Commands to check the Linux Version, Release name & Kernel version.


In order to install #SAVFL on your #Linux machine, you first need to verify your OS details.

Commands to check the Linux version, release name and kernel version:

uname -a (Print all information)

uname -r (Print the kernel release)

cat /proc/version

cat /etc/issue

cat /etc/redhat-release

lsb_release -a

tail /etc/redhat-release

By Vicky J

The Day After: Necessary Steps after a Virus Outbreak


Introduction

This is the fourth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions). 

This fourth article is for use after the attacks have ended. It is intended to help admins prevent further attacks and make recovery from any future infection as painless as possible.

BOOM!

Malware infections can be devastating.  Crucial files corrupted, data lost, intellectual property stolen, reputation tarnished, endless man-hours of labor wasted. Every company has their horror stories. 

Once the key malicious files are found and submitted to Symantec Security Response, definitions against that threat can be created and distributed. Though the process involves a lot of inconvenience, the virus outbreak is eventually over. Now what? Back to business as usual?

How To Not Get Flattened Again

Hopefully not! Though the steps necessary for recovery will differ from network to network and threat to threat, once an outbreak is over there is always one best course of action: learn the lesson and prepare better defenses.

How Did the Bad Guys Get In?

If possible, determine how and where this infection began. See if the entry route can be determined, and then shut that door firmly!

This will be difficult, as SEP is not a forensic application. It may be possible to see which computers have had active Downloader threats on them: identify all the computers that were affected by a particular threat, and then examine those systems in more depth. 

As an example: an exported Risk Report from the SEPM will contain the unique hash of the threat sample.  With some filtering (and hiding columns for clarity), it's clear that all of the following computers detected the same Downloader.Trojan on the same day.  Chances are this malicious .exe had been present there, and then new definitions were downloaded and applied which added detection against it.  The next time the application ran (or a scheduled scan ran) it was picked up.

[Image: same_hash_patient_zero.png]

My advice would be to examine those five computers to see if they have weak passwords, or are missing patches and hotfixes, or if they have peer to peer clients installed, or if their internet browser download history shows unusual activity. See what clues might be there!

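The same-hash grouping described above, as an added example that is not part of the article: it reads a constructed CSV in the shape of a SEPM Risk Report export (the column names are assumed, and the hashes are placeholders rather than real indicators), lists the computers that detected the same sample on the same day, and also pulls out any rows where the threat was "Left alone", which is the condition the article's final recommendation suggests alerting on.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a SEPM Risk Report export. Column names are
# assumed (a real export has many more columns); hashes are placeholders, not IoCs.
SAMPLE_RISK_REPORT = """\
Computer Name,Risk Name,Hash,Event Time,Action Taken
WS-0101,Downloader.Trojan,HASH_AAAA,2013-11-04 08:12,Quarantined
WS-0102,Downloader.Trojan,HASH_AAAA,2013-11-04 08:15,Quarantined
WS-0103,Trojan.Gen,HASH_BBBB,2013-11-04 09:40,Quarantined
WS-0104,Downloader.Trojan,HASH_AAAA,2013-11-04 10:02,Left alone
WS-0105,Downloader.Trojan,HASH_AAAA,2013-11-04 11:30,Quarantined
WS-0106,Downloader.Trojan,HASH_AAAA,2013-11-05 07:55,Quarantined
WS-0107,Downloader.Trojan,HASH_AAAA,2013-11-04 12:10,Quarantined
"""


def _rows(csv_text):
    """Parse the export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def group_by_hash_and_day(csv_text):
    """Map (hash, YYYY-MM-DD) to the sorted list of computers that detected it that day."""
    groups = defaultdict(set)
    for row in _rows(csv_text):
        day = row["Event Time"].split(" ")[0]
        groups[(row["Hash"], day)].add(row["Computer Name"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


def patient_zero_candidates(csv_text, min_hosts=3):
    """Clusters of computers that caught the same sample on the same day.

    A burst of identical detections right after a definition update usually means
    the file was already present on those machines, so they are the ones to examine
    for weak passwords, missing patches, P2P clients and odd download history.
    Largest clusters first, earliest day first on ties.
    """
    clusters = [
        {"hash": h, "day": day, "hosts": hosts}
        for (h, day), hosts in group_by_hash_and_day(csv_text).items()
        if len(hosts) >= min_hosts
    ]
    clusters.sort(key=lambda c: (-len(c["hosts"]), c["day"]))
    return clusters


def left_alone_events(csv_text):
    """Rows where SEP detected a threat but took no action ("Left alone")."""
    return [row for row in _rows(csv_text)
            if row["Action Taken"].strip().lower() == "left alone"]


if __name__ == "__main__":
    for c in patient_zero_candidates(SAMPLE_RISK_REPORT):
        print(c["day"], c["hash"], ", ".join(c["hosts"]))
    for r in left_alone_events(SAMPLE_RISK_REPORT):
        print("Left alone:", r["Computer Name"], r["Risk Name"])
```
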
Change the Secret Plans- Quick!

Many threats have the ability to upload files from a compromised computer. If the outbreak that has just ended was one with Infostealer capabilities, ask "what information did the intruders have access to?" If sensitive data was on the laptop, workstation or server that was even temporarily pwned, assume that it is now in the hands of an unknown remote party. Take measures, if possible, to ensure that what they got away with is outdated and useless. For instance:

  • There have been cases where databases full of customer usernames and passwords have been stolen. Inform whoever needs informing and then ensure that all of those user passwords are reset.
  • In other cases, attackers have left behind evidence that the details of every account in Active Directory were harvested. In such cases, hackers can RDP right into the company at will using valid admin credentials (without needing a single piece of malware) unless strong new passwords are made mandatory for every account.

The chances of sensitive data being successfully stolen are reduced if Data Loss Prevention (DLP) is used. If such a security tool is not already in use, it might be a good idea to implement one before there is another breach. The 2013 Cost of Data Breach Study may help determine if DLP is a good investment.

Do Not Fight with One Arm Behind Your Back and Shoelaces Tied Together 

Too many companies are still relying on old releases of SEP that have only the bare-minimum AV component installed. Symantec Endpoint Protection is not Symantec AntiVirus, our long-retired product which only offered traditional signature-based scanning. SEP is a powerful suite of security tools.

SEP 11 (which is now past its End Of Limited Support) came with AntiVirus, plus optional Proactive Threat Protection (PTP), firewall, IPS, and Application and Device Control (ADC) components.  SEP 12.1 enhanced the performance and effectiveness of all of those tools and added the powerful Insight reputation-based protection. 

To dramatically improve the defense of your network and everything on it, use a modern product with adequate components.  AV, IPS and Insight should be seen as an absolute minimum.  ADC, PTP and Network Threat Protection (NTP, the firewall) supplement their power at blocking malicious activity before it can get in place, and make removal much easier.  Definitely upgrade and use these features!   

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations
http://www.symantec.com/docs/TECH90936

Stronger Passwords.... DLP... Add IPS.... What Else?

The battle plan in Symantec's "Five Steps" article has been effective for many years. 

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466

It's appropriate to quote at length from Step 5. Post-op: Prevent Recurrence here:

Patching vulnerabilities

Vulnerabilities are computer software flaws that can be exploited by malicious code. These vulnerabilities can be repaired by applying patches provided by the software vendor. In today's network environment, regular patching is a requirement. Every network should have a Patch and Configuration Management Policy for testing new patches and rolling them out to client computers. Patching plans should focus not just on operating systems and browser add-ons, but all deployed software. Any software installed on a computer should be regularly checked for updates, from office utilities to databases to web server applications. All software should be cataloged and regularly checked for updates. Internally developed code should be regularly audited for security holes and fixed as soon as possible. Appliances such as routers and printers should also be checked for software updates and patched quickly. This can be a lot to manage, but it is vitally important in preventing security incidents.

AutoPlay (AutoRun)

Autoplay is a functionality in Windows that allows files to automatically be opened or "played". This feature is useful to launch installation files and other applications from CDs and USB flash drives, but over the last few years has become one of the largest attack vectors in the enterprise environment. While USBs may provide an initial source of infection through the use of AutoPlay, most network drives are designed to use this functionality too. This allows threats to attack from a network drive as soon as the drive is mapped. Since antivirus software is designed to scan the local hard drive, the threat will be able to attack the client computer without detection or prevention, unless additional measures like Network Auto-Protect are employed.

In order to protect your network, disabling AutoPlay is the recommended course of action. This can be done on individual computers, pushed out to client computers using the Group Policy editor, configured by a policy in Symantec Endpoint Protection, or accomplished by disabling the external media ports on the computer entirely from within the BIOS. There is also a known Windows vulnerability within the autoplay feature that may re-enable it unless Windows patches are applied.

Network shares

First and foremost, access to all network shares should require a strong password not easily guessed. "Open Shares" are network shares that allow the inherited permissions from the user to validate access. These do not require an additional authentication and therefore allow threats to spread very fast. Open shares should be minimized as much as possible, and when they are absolutely essential to business continuity, write and execute privileges should be restricted.

If a user only needs to obtain files from a source, they should only be granted read access. For added security, write access for users needing file-transfer capabilities can be limited to a "temporary" storage folder on a file server, which is cleared semi-regularly. In terms of execution permissions, limit this access to administrators or power users who have such need. Disabling or limiting access to two other share-types is also recommended: Admin$ shares allow complete root access on a computer to any user that can authenticate as a member of the administrator group; Inter-Process Communication (IPC) shares, or IPC$, are intended to help communication between network-available processes and other computers on the network.

The problem with the aforementioned shares is that, regardless of whether strong passwords are in place, once a user is logged on to a system with elevated rights, any threat present can use the credentials to access Admin$ or IPC$ shares available on the network. Once the user is logged in, the rights and permissions are implicit -- the door has been unlocked. Anything that user account has access to will be accessible to anything that impersonates the account.

The best practices in this regard are:

  • Do not auto-map network shares, instead supply a desktop icon to allow users access to the drive as needed.
  • Do not log on using an account with elevated privileges (such as the domain or local Admin) unless absolutely necessary to perform a certain task.
  • Be sure to log off once the task is completed.
  • For most day to day duties, use a more restrictive account.

Email

Email attachments, while perhaps not as prevalent as in years past, are still used to spread malicious code today. Most email servers currently on the market provide the ability to strip certain attachment types from emails. Limiting the types of files that are valid as attachments handicaps many threats' ability to spread.

Investing in AntiSpam software is another way of reducing exposure to threats. Doing so reduces the number of phishing scams and spam that reach end users, and thus the network as a whole.

Education

An educated end user is a safer end user. Ensure that your users understand the basics of safe computing, such as the following:

  • Do not give passwords to anyone or store them in an easily accessible location, either physical or electronic.
  • Do not open unexpected email attachments from known or unknown sources.
  • Do not click on unknown URLs.
  • Scan software downloaded from the Internet before installing it.
  • Having documentation, internal training, or periodic seminars on computer security available gives your users options for learning more about the topic.

Firewalls and other tools

Perimeter firewalls are critical to protect the network as a whole, but cannot cover all points of entry. Client firewalls add an extra layer of security by protecting individual computers from malicious behavior, such as Denial of Service attacks, and are critical to manage today's threat landscape.

Beyond basic firewalls, network and host-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help monitor unwanted activity on the network, and in many cases stop or alert on the offending traffic in real time. Many client-side firewalls today provide these features.

Emergency Response Team and Plans

Even after all these tasks are complete, it is still a good idea to be prepared in case of the worst. Draft a plan for how to respond to a potential outbreak and assign tasks and responsibilities to members of an Emergency Response Team. How quickly will an alert be generated if there's something on the network? Will there be administrators available to deal with it? How easy is it to reroute traffic and services on the network? Can compromised computers be isolated quickly before they affect other computers? Having plans in place for these things makes dealing with unpleasant situations much easier and saves both time and money.

Great Stuff! What Other Steps Should Also Be Done?

Final Recommendation

Your Symantec Endpoint Protection Manager contains in-depth records of threat-related activity, and the SEPM can alert you when there is a potential security incident for which manual action should be taken.  For example, some threats have ways of "tricking Windows" into protecting their processes from certain AntiVirus technologies.  It is possible to create a notification for incidents where SEP detects a threat but ultimately leaves it alone.

[Image: risk_left_alone.JPG]

In the above example, the administrator will receive a mail whenever any of these Left Alone events occur. The admin can then take a closer look at that computer and stop an infection before it can secure its foothold. So: definitely use SEPM notifications and scheduled reports. These empower admins to know what is happening in their network, which is much better than finding out about a breach from the news media or from law enforcement!

Conclusion

Increase the Peace! With a bit of best practice and careful attention, disasters can be avoided. Yes, some effort will be involved: effective preventative measures can either be taken now, or there can be a lot of panicked screaming and running around in a mad rush during the next inevitable breach or destructive outbreak. Symantec provides the tools, but what happens to your business tomorrow is up to you.

Many thanks for reading! Please do leave comments and feedback below.

How Symantec Data Loss Prevention for Mobile works & How to Implement


Symantec Data Loss Prevention for Mobile connects to your corporate network through Wi-Fi access or through cellular 3G connectivity. Network traffic for Webmail, third-party applications such as Yahoo and Facebook, and corporate email applications including Microsoft Exchange ActiveSync and IBM Lotus Notes Traveler, is sent through the HTTP/S protocol. Corporate email can be sent through Microsoft ActiveSync as either HTTP or HTTPS protocol information. Microsoft ActiveSync receives the information from the corporate proxy server after it has gone through detection, then sends the message to the corporate Exchange Server. Messages that are sent through applications such as Facebook or Dropbox can be blocked, depending on your policies.

[Image: MobileandNetworkDeployment.png]

The above graphic illustrates the connections necessary to enable Symantec Data Loss Prevention for Mobile:

Mobile devices must connect to the corporate network through a virtual private network (VPN) to send corporate messages or access the corporate network. The Mobile Prevent solution requires that mobile devices use the VPN On Demand feature to create a constant, protected VPN connection. If you are not connected to the corporate network, Mobile Prevent cannot detect any policy violations.

Your mobile device connects to the VPN server to gain access to your corporate network.

The VPN server assigns an IP address to each mobile device that connects to it. These IP addresses form a VPN subnetwork. The VPN subnetwork lets your mobile devices access the corporate network and the corporate proxy server. You can specify a range of IP addresses that your VPN server can assign to other devices. All of the IP addresses that the VPN server assigns to your mobile devices are within this range. If a range of addresses were not specified for your VPN server, the network could randomly assign IP addresses to your mobile devices. A specific range of IP addresses lets Symantec Data Loss Prevention identify which IP addresses are assigned to mobile devices and which addresses are not connected. Using a range of IP addresses assists in identifying which mobile device generated an incident.

If you deploy Mobile Prevent and Network Prevent together, the IP address identifies Network and Mobile incident types.

On the Mobile Prevent side, VPN On Demand ensures that the VPN connection is not interrupted. Apple mobile devices use VPN On Demand to dynamically create a VPN session. VPN On Demand starts the VPN session when connecting to a specific list of configured domains (for example .com, .net, or .org). Certificate-based authentication is required to configure the VPN On Demand feature. By configuring how VPN On Demand automatically enables VPN on an iOS mobile device, you can ensure that all traffic goes through your corporate network. You need a Web proxy that is deployed in transparent mode to route traffic from the mobile devices in your corporate network to Symantec Data Loss Prevention. The network traffic is routed using the ICAP service.

You can use a mobile device management (MDM) solution to apply the network and VPN configuration.

VPN configuration can be specified in a configuration profile by your mobile device management (MDM) solution. The MDM solution applies a configuration profile to each mobile device that you want to connect to your corporate network.

Use a mobile device management (MDM) solution to manage and apply a wide variety of configuration settings to multiple mobile devices. You can load user profiles where corporate mail settings, VPN settings, security certificates, and proxy server settings are preconfigured onto the mobile devices. To access the Mobile Prevent for Web Server, you must use an MDM solution to apply the VPN server configuration profile. The VPN server configuration profile sets the conditions for VPN On Demand to route all network traffic through the VPN and into your corporate network. Only network traffic flowing in your corporate network can be monitored for violations.

Implementing Mobile Prevent:

The Mobile Prevent for Web Server integrates with a VPN server, an MDM solution, and a Web proxy server using ICAP. If it detects confidential data in Web content, the proxy will reject requests or remove HTML content as specified in your Mobile Prevent policies.

First, you need to know the high-level steps that are required for implementing Mobile Prevent. You can check the cross-referenced sections for more details. There are two deployment scenarios for Mobile Prevent: Mobile Prevent as a standalone product, and Mobile Prevent installed in combination with Network Prevent. The following procedure assumes that you are implementing Mobile Prevent as a standalone product. If you want to implement Mobile Prevent and Network Prevent together, you must also follow the implementation instructions for Network Prevent.

About deploying Mobile Prevent as a standalone solution:
When you deploy Mobile Prevent as a standalone solution, no other detection server is deployed with the Mobile Prevent for Web Server. The Mobile Prevent for Web Server interacts with the Enforce Server and the corporate proxy server to monitor and prevent incidents on mobile devices. The following diagram describes how the Mobile Prevent solution fits into your corporate infrastructure:

[Image: MobilePreventstandalone.png]

In this deployment, mobile devices connect to the corporate network through your VPN server. The VPN server assigns each mobile device an IP address. This address lets the device access the internal corporate network. After the device is assigned a unique IP address, all HTTP, HTTPS, and FTP traffic is monitored by the Mobile Prevent for Web Server. Each device must be connected to the corporate network through the VPN. If the VPN connection to the corporate network is lost, Mobile Prevent cannot detect any violations.

iPads and iPhones use a native feature called VPN On Demand to create a secure VPN connection automatically without user intervention. VPN On Demand requires certificate-based authentication to create the connection to the VPN Server.

After the VPN connection is established, traffic is sent through the proxy server and analyzed by the Mobile Prevent for Web Server. Traffic between the proxy server and the Mobile Prevent for Web Server is carried over the ICAP protocol. If no violations are discovered, the traffic is sent to its destination, either internally or externally. If violations are discovered, an incident is created and response actions are implemented. Incidents are recorded on the Enforce Server.

When a mobile device sends an email through Microsoft Exchange ActiveSync, the HTTP/HTTPS packets are sent to the ActiveSync server. The packets are then sent to the Exchange Server. Any corporate email should go through Microsoft Exchange ActiveSync. Mobile Prevent does not support the SMTP protocol.

Note: Mobile Prevent does not support response mode (RESPMOD).

The implementation procedure below assumes that you already have your VPN and proxy servers running in your environment.

Procedure Step 1: Add a new Mobile Prevent Server.

Adding a detection server
Add the detection servers that you want to your Symantec Data Loss Prevention system from the System > Servers > Overview screen.

You can add the following types of servers:

Network Monitor Server, which monitors network traffic.

Network Protect Server, which inspects stored data for policy violations (Network Discover).

Network Prevent Server, which prevents SMTP violations.

Network Prevent Server, which prevents ICAP proxy server violations such as FTP, HTTP, and HTTPS.

Mobile Prevent for Web Server, which monitors and prevents HTTP, HTTPS, and FTP violations over mobile devices.

Note: If your Symantec Data Loss Prevention license includes both Mobile Prevent for Web and Network Prevent for Web Servers, you add a single detection server called Network and Mobile Prevent for Web Server.

Endpoint Server, which controls Symantec DLP Agents that monitor endpoint computers.

Classification Server, which analyzes email messages that are sent from a Symantec Enterprise Vault filter, and provides a classification result that Enterprise Vault can use to perform tagging, archival, and deletion as necessary.

Procedure Step 2: Configure your Mobile Prevent Server.

Configuring the Mobile Prevent for Web Server
You can use a number of configuration options for Mobile Prevent for Web Server. For example, you can configure the server to:

Ignore small HTTP/S requests or responses.

Ignore requests to or responses from a particular host or domain (such as the domain of a business subsidiary).

Ignore user search engine queries.

To modify your Mobile Prevent for Web Server configuration:

1. Go to System > Servers > Overview and click the Mobile Prevent for Web Server.

2. On the Server Detail screen that appears, click Configure. You can verify or modify settings on the ICAP tab as described in the subsequent steps. The tab is divided into several sections: Request Filtering, Response Filtering, and Connection.

3. Verify or change the Trial Mode setting.

4. Verify or modify the filter options for requests from HTTP clients (user agents). The options in the Request Filtering section are as follows:

   Ignore Requests Smaller Than: Specifies the minimum body size of HTTP requests to inspect. (The default is 4096 bytes.) For example, search strings typed into search engines such as Yahoo or Google are usually short. By adjusting this value, you can exclude those searches from inspection.

   Ignore Requests without Attachments: Causes the server to inspect only the requests that contain attachments. This option can be useful if you are mainly concerned with requests intended to post sensitive files.

   Ignore Requests to Hosts or Domains: Causes the server to ignore requests to the hosts or domains you specify. This option can be useful if you expect a lot of HTTP traffic between the domains of your corporate headquarters and branch offices. You can type one or more host or domain names (for example, www.company.com), each on its own line.

   Ignore Requests from User Agents: Causes the server to ignore requests from user agents (HTTP clients) you specify. This option can be useful if your organization uses a program or language (such as Java) that makes frequent HTTP requests. You can type one or more user agent values (for example, java/6.0.29), each on its own line.

   Note: The Response Filtering options are not supported for Mobile Prevent.

5. Verify or modify the filter options for responses from Web servers. The options in the Response Filtering section are as follows:

   Ignore Responses Smaller Than: Specifies the minimum size of the body of HTTP responses that are inspected by this server. (The default is 4096 bytes.)

   Inspect Content Type: Specifies the MIME content types that Symantec Data Loss Prevention should monitor in responses. By default, this field contains content-type values for Microsoft Office, PDF, and plain text formats. To add others, type one MIME content type per line. For example, type application/wordperfect5.1 to have Symantec Data Loss Prevention analyze WordPerfect 5.1 files. Note that it is generally more efficient to specify MIME content types at the Web proxy level.

   Ignore Responses from Hosts or Domains: Causes the server to ignore responses from the hosts or domains you specify. You can type one or more host or domain names (for example, www.company.com), each on its own line.

   Ignore Responses to User Agents: Causes the server to ignore responses to user agents (HTTP clients) you specify. You can type one or more user agent values (for example, java/1.4.2_xx), each on its own line.

6. Verify or modify settings for the ICAP connection between the HTTP proxy server and the Mobile Prevent for Web Server. The Connection options are as follows:

   TCP Port: Specifies the TCP port number over which this server listens for ICAP requests. This number must match the value that is configured on the HTTP proxy that sends ICAP requests to this server. The recommended value is 1344.

   Maximum Number of Requests: Specifies the maximum number of simultaneous ICAP request connections from the HTTP proxy or proxies. The default is 25.

   Maximum Number of Responses: Specifies the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies. The default is 25.

   Connection Backlog: Specifies the number of waiting connections allowed. A waiting connection is a user waiting for an HTTP response from the browser. The minimum value is 1. If the HTTP proxy gets too many requests (or responses), the proxy handles them according to your proxy configuration. You can configure the HTTP proxy to block any requests (or responses) greater than this number.

7. In the Mobile IP Ranges fields, enter the range of IP addresses that your VPN server is configured to assign to mobile devices. The IP addresses are used to identify the incidents that were triggered from mobile devices as Mobile incidents. The IP addresses you enter into this range do not dynamically affect the VPN Server. This range is only used to identify your mobile devices in the administration console. You must enter the exact same range of IP addresses when you configure the VPN Server to assign the addresses.

8. Click Save to exit the Configure Server screen and then click Done to exit the Server Detail screen.
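
The Request Filtering decisions and the Mobile IP Ranges classification from the procedure above, as an added example that is not Symantec's code: the configuration values are the article's defaults and examples where it gives them, while the VPN pool 10.200.0.0/24, the prefix match on user agent values, and the suffix match on domains are assumptions made for the illustration.

```python
import ipaddress

# Constructed Mobile Prevent for Web Server settings. Sizes and the host/user-agent
# examples come from the procedure; the VPN pool is an assumed example range.
MOBILE_SERVER_CONFIG = {
    "ignore_requests_smaller_than": 4096,            # bytes, documented default
    "ignore_requests_without_attachments": False,
    "ignore_hosts_or_domains": ["www.company.com"],  # one host or domain per line
    "ignore_user_agents": ["java/6.0.29"],           # one user agent value per line
    "mobile_ip_ranges": ["10.200.0.0/24"],           # assumed VPN On Demand pool
}


def host_is_ignored(host, ignored):
    """True when host equals an ignored entry or is a subdomain of it (assumed semantics)."""
    host = host.lower().rstrip(".")
    for entry in ignored:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def should_inspect_request(cfg, request):
    """Apply the Request Filtering options to one ICAP REQMOD request.

    request: dict with host, user_agent, body_size (bytes) and has_attachment.
    Returns (inspect, reason) so the skip reason can be logged or tested.
    """
    if request["body_size"] < cfg["ignore_requests_smaller_than"]:
        return False, "smaller than minimum body size"
    if cfg["ignore_requests_without_attachments"] and not request["has_attachment"]:
        return False, "no attachment"
    if host_is_ignored(request["host"], cfg["ignore_hosts_or_domains"]):
        return False, "ignored host/domain"
    ua = request["user_agent"].lower()
    # Prefix match on the configured user agent value is an assumption.
    if any(ua.startswith(value.lower()) for value in cfg["ignore_user_agents"]):
        return False, "ignored user agent"
    return True, "inspect"


def incident_type(cfg, client_ip):
    """Mobile when the client address falls inside the configured Mobile IP Ranges,
    otherwise Network (what a combined Network and Mobile Prevent server records)."""
    addr = ipaddress.ip_address(client_ip)
    ranges = [ipaddress.ip_network(r) for r in cfg["mobile_ip_ranges"]]
    return "Mobile" if any(addr in r for r in ranges) else "Network"


if __name__ == "__main__":
    # Constructed requests as the proxy would hand them over ICAP.
    samples = [
        {"host": "mail.example.net", "user_agent": "Mozilla/5.0", "body_size": 100000, "has_attachment": True},
        {"host": "search.example.net", "user_agent": "Mozilla/5.0", "body_size": 120, "has_attachment": False},
        {"host": "files.www.company.com", "user_agent": "Mozilla/5.0", "body_size": 8192, "has_attachment": True},
        {"host": "api.example.net", "user_agent": "Java/6.0.29", "body_size": 8192, "has_attachment": True},
    ]
    for s in samples:
        print(s["host"], should_inspect_request(MOBILE_SERVER_CONFIG, s))
    for ip in ("10.200.0.17", "192.168.1.5"):
        print(ip, incident_type(MOBILE_SERVER_CONFIG, ip))
```
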

Procedure Step 3: Configure your VPN Server with the IP address range that you want to assign to the corporate mobile devices for the Mobile Prevent sub-network.

Procedure Step 4: Configure your VPN profile with the MDM application.

You must configure the VPN profile before mobile devices can connect to the corporate network. The VPN profile combines security certificates, the VPN server configuration settings, VPN On Demand settings, and any network configuration settings. Normally, the VPN profile is set and applied through your MDM solution. Along with the VPN profile, you can configure other aspects of your mobile device such as Microsoft Exchange ActiveSync, firewall properties, or LDAP settings.

Procedure Step 5: Define ICAP services on the proxy to route traffic to the Mobile Prevent for Web Server.

Procedure Step 6: Create and deploy a policy for Mobile Prevent.

Creating policies for Mobile Prevent
You can create the policies that include most standard response rules. The response rules include Add Note, Limit Incident Data Retention, Log to a Syslog Server, Set Attribute, and Set Status.

You can also incorporate the response rules that are specific to Mobile Prevent Server as follows:

Network Prevent and Mobile Prevent: Block HTTP/HTTPS

Blocks the posts that contain confidential data (as defined in your policies). This includes Web postings, Web-based email messages, and files that are uploaded to Web sites or attached to Web-based email messages.

Note: Certain applications may not provide an adequate response to the Network Prevent and Mobile Prevent: Block HTTP/HTTPS response action. This behavior has been observed with the Yahoo! Mail application when a detection server blocks a file upload. If a user tries to upload an email attachment and the attachment triggers a Network Prevent: Block HTTP/HTTPS response action, Yahoo! Mail does not respond or display an error message to indicate that the file is blocked. Instead, Yahoo! Mail appears to continue uploading the selected file, but the upload never completes. The user must manually cancel the upload at some point by pressing Cancel.

Other applications may also exhibit this behavior, depending on how they handle the block request. In these cases a detection server incident is created and the file upload is blocked even though the application provides no such indication.

Network Prevent and Mobile Prevent: Remove HTTP/HTTPS Content

Removes confidential data from posts that contain confidential data (as defined in your policies). This includes Web-based email messages and files that are uploaded to Web sites. Note that the Remove HTTP/HTTPS Content action works only on requests.

Network Prevent and Mobile Prevent: Block FTP Request

Blocks FTP transfers that contain confidential data (as defined in your policies).

For details on setting up any response rule action, open the online Help.

Go to Manage > Policies > Response Rules and click Add Response Rule.

Even if you do not incorporate response rules into your policy, Mobile Prevent captures incidents as long as your policies contain detection rules. You can set up such policies to monitor Web and FTP activity on your mobile device before implementing the policies that block or remove content.

If you have configured your proxy to forward both HTTP/HTTPS requests and responses, your policies work on both. For example, policies are applied to both an upload to a Web site and a download from a Web site.

To create a test policy for Mobile Prevent:

1. In the Enforce Server administration console, create a response rule that includes one of the actions specific to Mobile Prevent. For example, create a response rule that includes the Network Prevent and Mobile Prevent: Block HTTP/HTTPS action.

2. Create a policy that incorporates the response rule you configured in the previous step. For example, create a policy called Test Policy as follows:

  • Include a Content Matches Keyword detection rule that matches on the keyword "secret."
  • Include a Network Prevent and Mobile Prevent: Block HTTP/HTTPS response rule.
  • Associate it with the Default policy group.

Procedure Step 7 : Test the system by generating an incident against your test policy.

Testing Mobile Prevent

You can test Mobile Prevent by sending an email that violates your test policy.

To test your system

Connect your mobile device to the Internet and connect to your corporate VPN.
Open your corporate email client and send an email with an attachment containing confidential data. For example, access your Microsoft Outlook client and send an email with an attachment containing the word secret and paragraphs of other text.
In the Enforce Server administration console, go to Incidents > Mobile and click Incidents - All. Look for the resulting incident. For example, search for an incident entry that includes the appropriate timestamp and policy name.
Click on the relevant incident entry to see the complete incident snapshot.

Procedure Step 8 : If required, troubleshoot the implementation.

See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for more details on configuring Mobile Prevent to work within your organization.

Data Loss Prevention Install- Single Tier


This topic covers the installation of the DLP Enforce Server and Detection Server version 12.0, in graphic representation, for a Single Tier architecture. Oracle is already installed on the server. The installation guide can be found in the DLP installation set under the folder 'Symantec_DLP_12.0_Docs_Win-IN\Symantec_DLP_12.0_Install_Guide_Win.pdf'. Before installing, make sure the system requirements are met; the requirements guide can be found under 'Symantec_DLP_12.0_Docs_Win-IN\Symantec_DLP_12.0_System_Requirements_Guide.pdf'. Download the attachment to learn about the sequence of the install.

Log on as Administrator to the Enforce Server system on which you intend to install Enforce.

Double-click ProtectInstaller64_12.0.exe to execute the file, and click OK.

In the Welcome panel, click Next.

1.jpg

 

After you review the license agreement, select I accept the agreement, and click Next.

2.png

In the Select Components panel, select the type of installation you are performing and then click Next. Since this is a single-tier installation, selecting this option installs all the components on the same server.

3.jpg

 

In the License File panel, browse to the directory containing your license file. Select the license file, and click Next.

License files have names in the format name.slf.

4.jpg

In the Select Destination Directory panel, accept the default destination directory, or enter an alternate directory, and click Next. The default installation directory is: C:\SymantecDLP.

Note: Do not install Symantec Data Loss Prevention in any directory that includes spaces in its path.

5.jpg

 

In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear. The default is Symantec Data Loss Prevention.

6.jpg

 

In the System Account panel, create the Symantec Data Loss Prevention system account user name and password and confirm the password. Then click Next. This account is used to manage Symantec Data Loss Prevention services. The default user name is “protect.”

7.jpg

 

In the Transport Configuration panel (this panel only appears during single-tier installations), enter an unused port number that Symantec Data Loss Prevention servers can use to communicate with each other and click Next.

The default port is 8100.

8.jpg

In the Symantec Management Console panel, optionally enter the host name or IP address of the Symantec Management Console server to use for managing Symantec Data Loss Prevention Endpoint Agents. If you are not using the Symantec Management Console to manage agents, leave the field blank. Click Next.

If you have not purchased a license for Endpoint Prevent or Endpoint Discover, click Next to skip this step.

Note that you can add this host name or IP address later on the Enforce Server by navigating to Administration > Settings > System Settings. Then configure the Symantec Management Console setting.

9.jpg

In the Oracle Database Server Information panel, enter the location of the Oracle database server and listener port. Since this is a single-tier install, the database host is localhost.

10.jpg

In the Oracle Database User Configuration panel, enter the Symantec Data Loss Prevention database user name and password. Confirm the password and enter the database SID (typically “protect”), then click Next.

11.jpg

In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.

12.jpg

 

For a new Symantec Data Loss Prevention installation, make sure that the Initialize Enforce Data box is checked and then click Next.

13.jpg

In the Single Sign On Option panel, select the sign-on option that you want to use for accessing the Enforce Server administration console, then click Next.

14.jpg

Enter the password for the Administrator credentials. Click Next.

15.jpg

16.jpg

Confirm your participation in the Symantec Data Loss Prevention Supportability Telemetry program, and provide the appropriate information. The Symantec Data Loss Prevention Supportability Telemetry Program can significantly improve the quality of Symantec Data Loss Prevention. For more information, click the Supportability and Telemetry Program Details link.

17.jpg

 

18.jpg

Select the Start Services check box to start the Symantec Data Loss Prevention services after the completion notice displays. The services can also be started or stopped using the Windows Services utility.

19.jpg

Click Finish.

Starting all of the services can take up to a minute. The installation program window may persist for a while, during the startup of the services. After a successful installation, a completion notice displays.

 

Log on to the console using the Administrator account and accept the EULA.

20.jpg

The home page looks like this.

21.jpg

 

The next step, depending on your requirements, is to import the solution pack. You must import a Symantec Data Loss Prevention solution pack immediately after installing and verifying the single-tier server, and before changing any single-tier server configurations.

Next, register the detection server.

 

Log on to the Enforce Server as Administrator. Go to System > Servers > Overview. Click Add Server.

22.jpg

 

Select the type of detection server to add and click Next.

23.jpg

Enter the General information. This information defines how the server communicates with the Enforce Server.

 

■ In Name, enter a unique name for the detection server.

■ In Host, enter the detection server’s host name or IP address. (For a single-tier installation, click the Same as Enforce check box to autofill the host information.)

■ In Port, enter the port number the detection server uses to communicate with the Enforce Server. If you chose the default port when you installed the detection server, then enter 8100. However, if you changed the default port, then enter the same port number here (it can be any port higher than 1024).

24.jpg

Click Save.

The Server Detail screen for that server appears.

25.jpg

To verify that the server was registered, return to the System Overview page. Verify that the detection server appears in the server list, and that the server status is Running.

26.jpg

This completes the installation of the Enforce Server and detection server in a single-tier install.

Hope you find this helpful.


Configure DLP to Send Email Notification to Employee's Manager


Some customers want to know whether DLP can send an email notification to the manager if an employee triggers an incident. The answer is Yes.

This is a kind of workflow in DLP that can help the manager understand and improve the employee's behavior to avoid data leaks.

In order to send an email notification to the manager, DLP needs to integrate with the Active Directory where the relationship between the employee and the manager is stored.

The basic principle of this configuration is obtaining the manager's email from AD by using the sender attribute of the incident, which is the employee's email address.

Here we will give an example of the configuration in the testing environment to send an email notification to the manager:

1. In an SMTP incident, the value of the sender attribute is the sender's email address. We need to use this attribute to query the information of the sender's manager:

Manager_Email_Notification_00.png

2. Based on the testing environment, there are two users: dlp-test-user01 and dlp-test-manager. The dlp-test-manager is the manager of the dlp-test-user01:

Manager_Email_Notification_01.png

3. We can use a third-party LDAP browser tool, such as LDAP Browser, to find out the relationship between the attributes of these two users in AD:

Manager_Email_Notification_02.png

According to the screenshot above, the employee's email address is stored in the 'mail' attribute, and the 'manager' attribute stores the distinguished name (DN) of the employee's manager.

Then we need to check the attributes of the manager:

Manager_Email_Notification_03.png

According to the screenshot above, we can see that:

the value of the employee's 'manager' attribute is the same as the manager's 'distinguishedName' attribute.

That means we can use the employee's 'manager' to relate to the manager's 'distinguishedName'.

4. After finding out the relationship between the attributes in AD, we need to create two Custom Attributes in DLP, named 'TempManager' and 'ManagerEmail':

Manager_Email_Notification_04.png

The 'TempManager' is used to store the value of the employee's 'manager' attribute and manager's 'distinguishedName' attribute.

The 'ManagerEmail' is used to store the value of the manager's 'mail' attribute.

Remember to select the 'Is Email Address' during the creation of the 'ManagerEmail':

Manager_Email_Notification_05.png

5. In DLP, create a new Directory Connection to let the DLP Enforce connect to the AD:

Manager_Email_Notification_06.png

6. Then, we need to create the attribute lookup.

Add a new LDAP Lookup Plugin, select the newly added Directory Connection under 'Directory Connection', and, under 'Attribute Mapping', input the query as below:

attr.TempManager=:(mail=$sender-email$):manager

attr.ManagerEmail=:(distinguishedName=$TempManager$):mail
 
This query tells DLP to use the 'sender-email' attribute of the incident to find the sender's (that is, the employee's) 'manager' attribute and assign its value to 'TempManager'; then to use 'TempManager' to find the manager's mail address.
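To make the two-step chain concrete, here is an added Python model (not part of the DLP product or this article) that parses the two mapping lines above and resolves them against a small constructed directory with the same attribute relationships as the screenshots. It also shows what happens when the chain breaks: a sender with no 'manager' attribute, or an unknown sender, simply leaves 'ManagerEmail' empty, which is why step 10 below matters.

```python
import re
from typing import Dict, List, Optional

# Constructed sample entries (not real AD data) mirroring the screenshots:
# the employee's 'manager' attribute holds the manager's distinguishedName.
DIRECTORY: List[Dict[str, str]] = [
    {"distinguishedName": "CN=dlp-test-user01,OU=Users,DC=example,DC=com",
     "mail": "dlp-test-user01@example.com",
     "manager": "CN=dlp-test-manager,OU=Users,DC=example,DC=com"},
    {"distinguishedName": "CN=dlp-test-manager,OU=Users,DC=example,DC=com",
     "mail": "dlp-test-manager@example.com"},
    {"distinguishedName": "CN=dlp-test-contractor,OU=Users,DC=example,DC=com",
     "mail": "dlp-test-contractor@example.com"},   # no 'manager' attribute at all
]

# The attribute mapping exactly as entered on the LDAP Lookup Plugin.
MAPPING = """
attr.TempManager=:(mail=$sender-email$):manager
attr.ManagerEmail=:(distinguishedName=$TempManager$):mail
"""

# Shape of one mapping line: attr.<target>=:(<key>=<value template>):<result attribute>
MAPPING_RE = re.compile(
    r"^attr\.(?P<target>[^=]+)=:\((?P<key>[^=]+)=(?P<value>[^)]*)\):(?P<result>\S+)$")
VAR_RE = re.compile(r"\$([^$]+)\$")   # $sender-email$, $TempManager$, ...


def parse_mapping(text: str) -> List[Dict[str, str]]:
    rules = []
    for line in text.strip().splitlines():
        m = MAPPING_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable mapping line: {line!r}")
        rules.append(m.groupdict())
    return rules


def substitute(template: str, attrs: Dict[str, str]) -> Optional[str]:
    """Fill $name$ placeholders; None if any referenced attribute is still unknown."""
    if any(v not in attrs for v in VAR_RE.findall(template)):
        return None
    return VAR_RE.sub(lambda m: attrs[m.group(1)], template)


def ldap_search(directory: List[Dict[str, str]], key: str, value: str) -> Optional[Dict[str, str]]:
    """Equality filter; AD compares attribute names and these values case-insensitively."""
    for entry in directory:
        for name, val in entry.items():
            if name.lower() == key.lower() and val.lower() == value.lower():
                return entry
    return None


def resolve_custom_attributes(incident_attrs: Dict[str, str],
                              mapping_text: str = MAPPING,
                              directory: List[Dict[str, str]] = DIRECTORY) -> Dict[str, str]:
    """Run the lookup chain in order; returns incident attributes plus any custom
    attributes that could be populated. A failed step leaves its target unset."""
    attrs = dict(incident_attrs)
    for rule in parse_mapping(mapping_text):
        value = substitute(rule["value"], attrs)
        if value is None:
            continue  # an earlier lookup failed, so this one cannot run
        entry = ldap_search(directory, rule["key"], value)
        if entry is None or rule["result"] not in entry:
            continue  # no match, or the attribute is absent: target stays empty
        attrs[rule["target"]] = entry[rule["result"]]
    return attrs


if __name__ == "__main__":
    print(resolve_custom_attributes({"sender-email": "dlp-test-user01@example.com"}))
```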

Manager_Email_Notification_07.png

7. Modify the Lookup Plugin Execution Chain, and select to enable this newly added LDAP Lookup:

Manager_Email_Notification_08.png

8. Edit the Lookup Plugin Parameters, and select to enable the Sender parameter:

Manager_Email_Notification_09.png

9. Reload the plugins, and make sure the status of the newly added plugin is On:

Manager_Email_Notification_10.png

10. After all these configurations, we need to check whether the attributes are looked up correctly:

Manager_Email_Notification_11.png

11. Finally, we need to create a response rule to send the email notification to the manager.

During the creation of the Send Email Notification response, select the 'ManagerEmail' option:

Manager_Email_Notification_12.png

Note: 

It is because we created the ManagerEmail attribute as an Email Address that it can be used in the response rule.

Then, if an employee triggers an SMTP incident, an email notification will be sent to his/her manager.

We can check the result in the history of the incident:

Manager_Email_Notification_13.png

 


First Response to: Cryptolocker \ Ransomcrypt\ Encryptor


Lately an increasing spread of threats has been noticed which, after entering a system by various means, encrypt several files on the attacked system (office documents, database files, e-mail archives) which represent a value for the attacked customer.

 

After encrypting the files, those threats sometimes delete themselves or propagate through the network.

 

To decrypt the files, the hackers generally ask for payment of a certain amount of money.

 

In order not to create misunderstandings, customers need to be aware of the following: encrypted files will remain encrypted. These should be replaced from a known-good backup (and enterprises are responsible for regularly backing up their own important data).

Symantec products do not decrypt files that have been affected by these threats.

Why? The reason is as simple as it is often overlooked. The majority of these kinds of threats use RSA public-key cryptography with 1024- or 2048-bit keys. Despite a number of commercial tools that have been released, the truth is this: for large RSA key sizes (in excess of 1024 bits), no efficient method for solving this problem is known (the so-called "RSA problem").

To know more about it:

http://en.wikipedia.org/wiki/CryptoLocker

http://en.wikipedia.org/wiki/RSA_(cryptosystem)

http://en.wikipedia.org/wiki/RSA_problem

 

Anyway, paying the hackers is not a solution at all.

When a customer pays the hackers, there is no guarantee that the attacker can or will supply a method of unlocking their computer or decrypting their files. For some variants, Symantec has received reports that, after the ransom was paid, the attacker provided a code that allowed the threat to undo the encryption of the customer's files. Then, once Symantec updated its detection, the threat .exe was removed (deleted/quarantined) and the decryption could no longer continue.

When customers pay hackers for threats such as these, it encourages attackers to continue these tactics and launch additional attacks against everyone.

Please do not pay the hackers!

Additional information about those threats

http://www.symantec.com/docs/TECH211589

 

https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

 

https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign

 

https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

 

 

First Response

 

If the infection has somehow already entered our environment, the damage, unfortunately, is already done.

 

Anyway, if we identify the threat in a timely manner, we can prevent it from spreading and contain the damage.

 

Whenever you find a system in your environment which is being infected by this kind of encrypting threat, the first thing to do, even more than in other cases, is:

Isolate the machine from the network!!

 

Afterwards, you will need to identify the threat by finding the executable file and submit it to Symantec Security Response.

Contact Symantec Enterprise Technical Support to learn how to submit files:

http://www.symantec.com/support/contact_techsupp_static.jsp

 

To stop the threat from spreading further in your environment, you can use the "Application and Device Control" component of Symantec Endpoint Protection to block the execution of that specific file, identifying it through its MD5 hash:

http://www.symantec.com/business/support/index?page=content&id=TECH93451

An alternative way to get the MD5 hash:

http://www.symantec.com/business/support/index?page=content&id=TECH96745

 

Once the threat has been blocked and the new definitions from Symantec have removed it, we can restore our data from backup.

 

There are many ways to maintain a safe backup of sensitive data; each organization can choose the most suitable for its needs. Here is an example:

http://www.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

 

How to prevent this unpleasant situation from repeating?

 

What most people who have faced this kind of threat at least once surely desire is not to face it anymore.

 

To achieve this it is possible to take proactive steps to protect our environment.

 

- Disable Auto-Run

The first thing to do, if not done already, is surely to disable the Auto-Run feature on all machines:

http://www.symantec.com/business/support/index?page=content&id=TECH104447

 

- Enable IPS (Intrusion Prevention System) component:

http://www.symantec.com/business/support/index?page=content&id=TECH95347

http://www.symantec.com/business/support/index?page=content&id=TECH104434

http://www.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

 

- Increase the overall security

Moreover, again using the "Application and Device Control" component, it is possible to harden the overall security of the system with a specific policy:

http://www.symantec.com/business/support/index?page=content&id=TECH132337

http://www.symantec.com/business/support/index?page=content&id=TECH132307

Anyway, this is a general means of prevention, helpful but not specific to this kind of threat.

It is always recommended to test the policy accurately before applying it massively to any production environment.

 

 

- Lock your system down

A surely effective solution which will protect you from this and other kinds of threats is to use the Symantec Endpoint Protection feature called "System Lockdown".

It is based on the idea that an organization uses a determined, pre-allowed set of applications which can be collected and allowed by an administrator, blocking the execution of anything else.

This document contains a guide to this feature:

http://www.symantec.com/business/support/index?page=content&id=HOWTO55130

CAUTION! Anyone who would like to implement this feature is invited to test it deeply! An incorrect deployment of the feature can severely compromise the functionality of the systems in question.

 

- Granular approach (using Application and Device Control)

 

We can implement an application and device control policy to block the execution of the most common file extensions used by this class of threats, in the paths which are known to be the common launch points.

About “Application and Device Control” in general:

http://www.symantec.com/security_response/security updates/list.jsp?fid=adc

 

Attached to this article is an example policy which can be imported into SEP Manager and is ready to use.

Please keep in mind: before implementing this policy massively in a production environment, test it on a small group of machines and verify its compatibility with your needs. Also feel free to customize it as you find appropriate.

What are the features of our policy?

- Blocks Auto-Run (works out of the box)

- Blocks access to script files (works out of the box)

- Blocks execution from removable drives (the details about the device types should be added. For an example of device ID check: http://www.symantec.com/business/support/index?pag...)

- Blocks the execution of files with extension “.exe”, “.com”, “.scr”, “.pif” from the known launch points of those threats and also from some kinds of archives.

Here is the complete list:

%appdata%\

%appdata%\*\

%temp%\

%temp%\*\

%temp%\rar*\

%temp%\7z*\

%temp%\wz*\

%temp%\*.zip\

%iappdata%\

%localappdata%\

%localappdata%\*\

%userprofile%\Local Settings\Application\

%userprofile%\Local Settings\Application\*\

C:\$Recycle.Bin\

C:\$Recycle.Bin\*\

 

Please Note: This policy is going to block any file with the listed extensions that executes from the given locations. This may also include genuine third-party applications or custom-made applications.

You can anyway exclude custom applications from being blocked by adding them in the section “Do not apply to the following processes” located in the condition of the rule.

 

How to utilize SEP 12.1 for Incident Response - PART 4


This article is a continuation of my three previous articles:

  1. How to utilize SEP 12.1 for Incident Response - PART 1
  2. How to utilize SEP 12.1 for Incident Response - PART 2
  3. How to utilize SEP 12.1 for Incident Response - PART 3

In it, we will look at using Application Learning in an incident response situation. The purpose of application learning is for the SEP client to collect and monitor the applications and services that run on client PCs. I do want to point out that I only use this for incident response. While it is perfectly acceptable to use this in a normal situation, if you have many clients, your database can grow quite rapidly. If you do decide to use this on a regular basis, you should check out the Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager.

Now, let's get started. From time to time I come across a problem user who is no stranger to re-infection. I have a special purpose group setup for such cases. Application learning is enabled for this group. Enabling application learning is a two step process.

Log in to the SEPM:

  1. Navigate to Admin page >> select your Local Site and select Edit Site Properties. Tick the checkbox for "Keep track of every application that the clients run". This will enable the feature.
  2. Go to the Clients page and create your special purpose group and uncheck inheritance. Go to the Policies tab at the top and under Settings select Communications Settings. Under Upload tick the checkbox for "Learn applications that run on the client computers". This tells the SEP client to monitor all applications and upload it to the SEPM.

Now, this process will not be completed immediately. Logs will start to come in, but it will depend on what you have your heartbeat set to. For this special purpose group, I like to set the heartbeat to anywhere from 5 to 15 minutes. Since this is usually done for one or two clients at a time, this should not be a problem. I like to give the entire process a few hours to take shape before I really dig into it. Once you feel enough time has passed, you can begin reviewing what applications are running on the PC.

To do this, go to the Policies page and under Tasks select Search for Applications.

A new box will come up which will allow you to do some filtering:

1_10.JPG

 

Feel free to edit as you see fit and select Search when completed. You will get a similar result if all is working correctly:

2_10.JPG

 

Now, what I like to do is export the results and compare them to a list of known good processes that are on our golden image(s). This can be a tedious task, although it makes it slightly easier to find bad processes when you have a list of the ones you know are good. When I find what I believe are bad processes I will submit them to ThreatExpert and VirusTotal for analysis. If one is found to be malicious, I submit it to Symantec Security Response so they can create a signature for it.

I hope this article has been helpful for you. Please post any feedback or questions that you may have.

Brian

Microsoft Exchange ActiveSync


Microsoft Exchange ActiveSync is a way that you can send corporate emails from a mobile device. ActiveSync can send email either to recipients internal to the corporate network or outside of the corporate network. ActiveSync sends corporate email through an HTTP or HTTPS protocol. Any sensitive information transferring internally or externally that violates your policies is blocked.

The following diagram illustrates how corporate messages are sent through ActiveSync:

Note:  The following diagram also applies to iPhones.
 

ActiveSync.PNG

In this example, messages are sent from the iPad email client, which is configured with ActiveSync, through the VPN-connected corporate network. The message is sent as an HTTP/S request. The message is received in the ActiveSync Server and sent on to the Microsoft Exchange Server. The Exchange Server sends the message to the MTA server as an SMTP message. The MTA server sends the corporate message on to the recipient.

You can disable ActiveSync monitoring by filtering.

Ignoring Microsoft Exchange ActiveSync monitoring
 

If you do not want to monitor corporate email messages going through ActiveSync, use the following procedure:

On the Enforce Server administration console, go to the Server Settings for the Mobile Prevent for Web Server.
In the Request Filtering section, add the host name of the ActiveSync Server to the Ignore Requests to Hosts or Domains field.
Click Save.

About deploying Mobile Prevent as a standalone solution
 

When you deploy Mobile Prevent as a standalone solution, no other detection server is deployed with the Mobile Prevent for Web Server. The Mobile Prevent for Web Server interacts with the Enforce Server and the corporate proxy server to monitor and prevent incidents on mobile devices. The following diagram describes how the Mobile Prevent solution fits into your corporate infrastructure:

MobilePreventstandalone.png

 

In this deployment, mobile devices connect to the corporate network through your VPN server. The VPN server assigns each mobile device an IP address. This address lets the device access the internal corporate network. After the device is assigned a unique IP address, all HTTP, HTTPS, and FTP traffic is monitored by the Mobile Prevent for Web Server. Each device must be connected to the corporate network through the VPN. If the VPN connection to the corporate network is lost, Mobile Prevent cannot detect any violations.

iPads and iPhones use a native feature called VPN On Demand to create a secure VPN connection automatically without user intervention. VPN On Demand requires certificate-based authentication to create the connection to the VPN Server.

After the VPN connection is established, traffic is sent through the proxy server and analyzed by Mobile Prevent for Web Server. Traffic between the proxy server and the Mobile Prevent for Web Server is done over the ICAP protocol. If no violations are discovered, the traffic is sent to its destination either internally or externally. If violations are discovered, an incident is created and response actions are implemented. Incidents are recorded on the Enforce Server.

When a mobile device sends an email through Microsoft Exchange ActiveSync, the HTTP/HTTPS packets are sent to the ActiveSync server. The packets are then sent to the Exchange Server. Any corporate email should go through Microsoft Exchange ActiveSync. Mobile Prevent does not support the SMTP protocol.

Note:  Mobile Prevent does not support response mode (RESPMOD).

For more information about how Symantec Data Loss Prevention for Mobile works and how to implement Symantec DLP with mobile devices, please refer to my previous article:

https://www-secure.symantec.com/connect/articles/how-symantec-data-loss-prevention-mobile-works-how-implement

Deploying Mobile Prevent and Network Prevent together:
 

You can also deploy Mobile Prevent with Network Prevent. The following diagram describes how the two products will fit into your corporate infrastructure.

MP&NP together.PNG

 

Please see Deployment options for Mobile Prevent.
 

https://www-secure.symantec.com/connect/articles/how-symantec-data-loss-prevention-mobile-works-how-implement

In this scenario, the Mobile Prevent for Web Server and the Network Prevent Server are deployed as a single detection server. The combined detection server is called Network and Mobile Prevent for Web Server.

In this combination deployment, mobile devices still connect to the corporate network through your VPN server. The VPN server assigns each mobile device an IP address. In this combination deployment, you must specify a range of IP addresses that the VPN server uses for the Mobile Prevent subnetwork. By using a specific range of IP addresses, Symantec Data Loss Prevention can identify Mobile Prevent incidents. After the device is assigned a unique IP address, all HTTP, HTTPS, Microsoft Exchange ActiveSync email, and FTP traffic is monitored by the Network and Mobile Prevent for Web Server. Each device must be connected to the corporate network through the VPN. If the VPN connection to the corporate network is lost, Mobile Prevent cannot detect any violations.

After the VPN connection is established, traffic is sent through the proxy server and analyzed by Network and Mobile Prevent for Web Server. If no violations are discovered, the traffic is sent to its destination. If incidents are generated through mobile devices, the incidents are labeled as Mobile incidents and appear in the Mobile incident page. If incidents are generated through data flowing through your corporate network, incidents are labeled as Network Prevent incidents.

Note: Deploying Mobile Prevent and Network Prevent together may negatively affect the performance of the Network Prevent Server. Performance may be affected if the mobile device traffic is from low-speed 3G networks and has a higher latency than Network Prevent traffic.
 

Advanced server settings

Use the Server Settings tab of a detection server's System > Servers > Overview > Server Detail screen to modify the settings on that server.

Use caution when modifying these settings on a server. It is recommended that you check with Symantec Support before changing any of the settings on this screen. Changes to these settings normally do not take effect until after the server has been restarted.

There are no advanced settings on the Enforce Server that can be modified from its server detail screen.

Detection server advanced settings

Setting: Icap.ExchangeActiveSyncCommandsToInspect

Default: SendMail

Description: A comma-separated, case-sensitive list of ActiveSync commands which need to be sent through Symantec Data Loss Prevention detection. If this parameter is left blank, ActiveSync support is disabled. If this parameter is set to "any", all ActiveSync commands are inspected.
Complete Process of Deploying and Enabling of Endpoint FlexResponse plug-in


Symantec Data Loss Prevention provides a set of response rule actions that you can specify to remediate an incident. These provided actions include logging, sending an email, blocking an end-user action, notifying a user, and other responses.

You can also use Endpoint FlexResponse plug-ins to provide additional response actions. These plug-ins contain custom instructions for remediation actions that are executed on endpoint computers. Endpoint FlexResponse rules are only applicable to Automated Response rules. You cannot create Endpoint FlexResponse rule actions for Smart Response rules.

Symantec Data Loss Prevention customers can contact Symantec or Symantec partners to obtain Endpoint FlexResponse plug-ins. In addition, developers with a knowledge of the Python programming language can create custom Endpoint FlexResponse plug-in scripts using a Symantec-provided API. These custom remediation actions can include encryption, applying Digital Rights Management (DRM), or redacting confidential information.

You use the Endpoint FlexResponse utility to deploy Endpoint FlexResponse plug-ins on endpoint computers in your Symantec Data Loss Prevention deployment where you require Endpoint FlexResponse actions. You can deploy the plug-ins manually using the Endpoint FlexResponse utility, or you can use system management software (SMS) to distribute the utility and deploy the plug-ins. After you deploy an Endpoint FlexResponse plug-in on an endpoint computer, you use the Enforce Server administration console to add an Endpoint: FlexResponse action to a response rule, and then you add the response rule to an active policy.

The figure below, of the Endpoint FlexResponse plug-in process, shows the sequence of activities that result in an Endpoint FlexResponse action.

Flexresponse.PNG

Endpoint FlexResponse provides you with additional flexibility to remediate incidents. When you first install Endpoint Prevent, you have a fixed set of response rule actions available to use. By installing Endpoint FlexResponse plug-ins, you can remediate incidents in a variety of ways. For example, these additional remediation methods could include encryption, applying Digital Rights Management (DRM), or redacting confidential information (which are available separately from Symantec partners). After you install an Endpoint FlexResponse plug-in, you can then configure a response rule to perform the desired function.

Note: Contact a Symantec partner or Symantec sales representative to obtain Endpoint FlexResponse plug-ins.

You can use Endpoint FlexResponse rules on the following types of endpoint destinations and protocols:

■ Endpoint Discover
■ Hard drive monitoring
■ USB-connected devices
■ SMTP
■ HTTP(S)

 

After you have installed the Endpoint FlexResponse plug-in, you can add it as a response rule action in your policy.

Note: Endpoint FlexResponse rules are only applicable to automatic response rules. You cannot create Endpoint FlexResponse rule actions for manual remediation policies.

You can create credentials for the Endpoint FlexResponse plug-ins. These credentials can be Endpoint-specific, or they can apply to all of your detection servers. You can use credentials to assign specific users access to the remediated data.

Deploying Endpoint FlexResponse

Procedure Step 1 : Obtain the Endpoint FlexResponse plug-in. Contact a Symantec partner or Symantec sales representative. Endpoint FlexResponse plug-ins are not available with the default Symantec Data Loss Prevention installation. 

Procedure Step 2: Configure any Endpoint credentials on the Enforce Server. This step is optional.

Procedure Step 3: Deploy the plug-in to your endpoint computers using the FlexResponse utility and third-party systems management software (SMS). The deployment process for Endpoint FlexResponse plug-ins is explained below.

You can deploy Endpoint FlexResponse plug-ins to endpoint computers only after you have installed the Symantec DLP Agents. See the Symantec Data Loss Prevention Installation Guide for information on how to install the agents. Endpoint FlexResponse plug-ins must be installed on every endpoint computer: Endpoint FlexResponse response rules cannot operate on an endpoint where the plug-in is not installed. Use a silent installation method to install the Endpoint FlexResponse plug-in. Silent installation methods involve systems management software (SMS), which can distribute software to all of your endpoint computers. You may need to create SMS scripts to access the installation folder. Installing the Endpoint FlexResponse plug-in is a two-part process:

Part 1: Install the Endpoint FlexResponse plug-in and the FlexResponse utility on your endpoint computers.

Before you can deploy your Endpoint FlexResponse plug-in, the endpoint computers in your organization must first be able to access the plug-in .zip file. You can either place the plug-in .zip file on a central network share, or you can copy the file to each endpoint computer. If you use the central network share method, you must ensure that all of your endpoint computers can access the network share. Use the following procedure if you want to place the plug-in .zip file on each endpoint computer. This procedure only explains how to make the plug-in .zip file available; after the file is available, you must still deploy (load) it.

See your SMS application documentation for more information on how to install using SMS.

To install Endpoint FlexResponse plug-ins

1 In your systems management software package, specify the plug-in(s) that you want to install.

2 Specify the installation parameters such as the installation directory. Plug-ins can be installed anywhere on the endpoint computer because they are deployed to the correct Symantec DLP Agent database later.

3 Specify the msiexec properties.

4 Install the FlexResponse utility to all of your endpoint computers as well. The FlexResponse utility is only available through Symantec and Symantec partners.

Part 2: Load the Endpoint FlexResponse plug-in using the FlexResponse utility.

The Endpoint FlexResponse utility manages Endpoint FlexResponse plug-ins. The Endpoint FlexResponse utility is not part of the default Symantec Data Loss Prevention download. The utility is only available through Symantec or Symantec partners.

Endpoint FlexResponse plug-ins must be in a .zip package format. You cannot deploy the plug-ins if they are in any other format.
You must use the utility from the Symantec DLP Agent installation tools directory.

To load Endpoint FlexResponse plug-ins
1 From a command window, navigate to the Symantec DLP Agent installation tools directory, which contains <Agent installation directory>\flrinst.exe.
2 Enter the following command: flrinst.exe -op=install -package=<Plug-in name>, where <Plug-in name> is the name of the plug-in .zip file.
3 Repeat step 2 until you have loaded all of your plug-ins.
4 Using your SMS application, remove the utility from your endpoint computers.

Procedure Step 4: Enable Endpoint FlexResponse actions on your Enforce Server. Before you can use Endpoint FlexResponse plug-ins in your response rules, you must enable Endpoint FlexResponse functionality through the Enforce Server. By default, Endpoint FlexResponse functionality is not enabled. Enable Endpoint FlexResponse functionality through the Advanced Agent Settings.

To enable Endpoint FlexResponse functionality
1 Go to: System > Agents > Agent Configuration and open the configuration for editing.
2 Click the Advanced Agents Settings tab.
3 Find the PostProcessor.ENABLE_FLEXRESPONSE.int setting.
4 Change the setting to 1.
5 Click Save and Apply.

Uninstalling Endpoint FlexResponse plug-ins using the FlexResponse utility

Use the following procedure to uninstall Endpoint FlexResponse plug-ins from your endpoint computers:

To uninstall Endpoint FlexResponse plug-ins from endpoint computers
1 From a command prompt window, navigate to the Symantec DLP Agent installation tools directory, which contains <Agent installation directory>\flrinst.exe.
2 Enter the following command: flrinst.exe -op=uninstall -package=<Plug-in name>, where <Plug-in name> is the full path where the plug-in resides and the name of the plug-in .zip file.
3 Repeat step 2 until you have uninstalled all of the plug-ins.

Retrieving an Endpoint FlexResponse plug-in from a specific endpoint computer:

Use the following procedure to retrieve a specific plug-in from an endpoint computer.

You can only use the retrieve function on a single endpoint computer at a time. The plug-in appears in the Symantec DLP Agent installation directory
as a .zip file. Inside the .zip file is the plug-in in a .txt format. You can make edits to the plug-in in the .txt file. If you do make edits, you must re-deploy the plug-in to the endpoint computer before the edits take effect. Modified plug-ins only affect the individual endpoint computers where they were modified.
To retrieve an Endpoint FlexResponse plug-in from a specific endpoint computer:

1 On the endpoint computer, open a command prompt window.
2 Navigate to the Symantec DLP Agent installation tools directory, which contains <Agent installation directory>\flrinst.exe.
3 Enter the following command: flrinst.exe -op=retrieve -package=<Plug-in name>, where <Plug-in name> is the name of the plug-in .zip file.
4 Look in the Symantec DLP Agent installation directory for a .txt file that contains the same name as the plug-in.

Retrieving a list of Endpoint FlexResponse plug-ins from an endpoint computer

Use the following procedure to retrieve a list of the plug-ins that have been installed on a specific endpoint computer. You can only use the list function on individual endpoint computers, not on a set of endpoint computers. The list contains only the name of each plug-in package, with no description, so use descriptive names for your plug-ins so that you can recognize them in the list.

To retrieve the list of Endpoint FlexResponse plug-ins from an endpoint computer
1 On the endpoint computer, open a command prompt window.
2 Navigate to the Symantec DLP Agent installation tools directory, which contains <Agent installation directory>\flrinst.exe.
3 Enter the following command: flrinst.exe -op=list. The list of installed Endpoint FlexResponse plug-ins appears in the command prompt window.
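As an added example (not code from the article or from Symantec), the following PowerShell script shows how Part 2 of the deployment above can be packaged for an SMS job: it stages the plug-in .zip files from a central share, refuses any package whose SHA-256 is not in an approved manifest, loads each one with flrinst.exe -op=install, and verifies the result with flrinst.exe -op=list. The agent directory, the share path, the manifest file and its "<sha256>  <file>.zip" line format, and the assumption that -op=list names each installed package on its own line are all mine, not from the article; only the -op=install and -op=list switches come from the procedure above.

```powershell
# Added example, not code from the article or from Symantec. Runs on an endpoint
# in the SMS job's context after Part 1 has placed flrinst.exe in the agent
# tools directory. Paths, the manifest format and the -op=list output format
# below are assumptions; the -op=install and -op=list switches are from the article.
param(
    [string]$AgentDir    = 'C:\Program Files\Manufacturer\Endpoint Agent',  # assumed agent directory
    [string]$PluginShare = '\\dlp-files\flexresponse',                      # assumed central share
    [string]$Manifest    = 'manifest.sha256'                                 # assumed: "<sha256>  <file>.zip" per line
)
$ErrorActionPreference = 'Stop'
$flrinst = Join-Path $AgentDir 'flrinst.exe'
if (-not (Test-Path $flrinst)) { throw "FlexResponse utility not found at $flrinst" }

# A plug-in is remediation code that will run on every endpoint, so load only
# packages whose SHA-256 appears in the approved manifest.
$approved = @{}
Get-Content (Join-Path $PluginShare $Manifest) | ForEach-Object {
    if ($_ -match '^([0-9A-Fa-f]{64})\s+(\S+\.zip)$') { $approved[$Matches[2]] = $Matches[1].ToUpper() }
}

# Stage the .zip files locally; the article allows either a share or a local copy.
$staging = Join-Path $env:ProgramData 'FlexResponseStaging'
New-Item -ItemType Directory -Path $staging -Force | Out-Null

$loaded = @()
foreach ($zip in Get-ChildItem -Path $PluginShare -Filter '*.zip') {   # plug-ins must be .zip packages
    $local = Join-Path $staging $zip.Name
    Copy-Item -Path $zip.FullName -Destination $local -Force
    $hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    if ($approved[$zip.Name] -ne $hash) {
        Write-Warning "Skipping $($zip.Name): SHA-256 $hash is not in the manifest"
        Remove-Item -Path $local -Force
        continue
    }
    # Load the plug-in (switch syntax from the article; passing a full path is an assumption).
    & $flrinst "-op=install" "-package=$local"
    if ($LASTEXITCODE -ne 0) { throw "flrinst -op=install failed for $($zip.Name) (exit code $LASTEXITCODE)" }
    $loaded += $zip.BaseName
}

# Verify with the utility's own list before the SMS job reports success.
$listed = @(& $flrinst "-op=list")
foreach ($name in $loaded) {
    if (-not ($listed | Where-Object { $_ -match [regex]::Escape($name) })) {
        throw "Plug-in $name is not reported by flrinst -op=list"
    }
}
Write-Output "Loaded plug-ins: $($loaded -join ', ')"
```

Once -op=list confirms the plug-ins, the SMS job can remove the utility as step 4 of Part 2 describes; keep the package available, because the uninstall, retrieve and list procedures below need flrinst.exe on the endpoint again.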

Procedure Step 5: Add Endpoint FlexResponse actions to your policies.

For a worked example of adding a response rule action to a policy, see the following article:

https://www-secure.symantec.com/connect/articles/dlp-policy-block-uploading-file-type-web-httphttps

The Graphical Guide of The Failover Installation in SCSP


Load balancing and failover in SCSP are explained in this article:

https://www-secure.symantec.com/connect/articles/u...

and in this KB:

http://www.symantec.com/business/support/index?pag...

This article adds a graphical guide to the installation.

1. During the installation of the first SCSP server, you will need to choose 'Install Tomcat and create the database schema':

SCSP_Failover_01_0.png

2. After this installation, the SCSPDB database is created and configured in the SQL Server instance. For the second SCSP server, you therefore only need to install the Tomcat component:

SCSP_Failover_02.png

3. Before the installation of the second SCSP server, you need to copy the configuration file and certificate file on the first SCSP server to the second one.

The configuration file is located in:

C:\Program Files\Symantec\Critical System Protection\Server\tomcat\conf\server.xml

The Certificate file is located in:

C:\Program Files\Symantec\Critical System Protection\Server\server-cert.ssl

After the copy, you must modify the SQL Server connection string in the configuration file.

It is recommended to use the SQL Server's IP address in the connection string, as shown below:

SCSP_Failover_03.png

4. After the installation of the second SCSP server, you will notice that some files are missing on it. The most important one is agent-cert.ssl:

SCSP_Failover_04.png

The installation of the failover SCSP server is now finished.

Next we look at the installation of the SCSP agent.

5. During the installation of the SCSP agent, we need to configure the primary server and the alternate server:

SCSP_Failover_05.png

6. After the installation, we can test the failover communication.

The agent connects to the primary server first. Then we stop the SCSP Server service to shut down the primary SCSP server.

After that, the agent connects to the alternate server.

We can check the communication events on the agent for this failover process:

SCSP_Failover_06.png

Configuring and running SharePoint server scans & How to set up Scans of SharePoint Servers


Scans of SharePoint Servers :

The Network Discover Server locates a wide range of exposed confidential data on SharePoint servers. It communicates with the Enforce Server to obtain information about policies and scan targets. It sends information about the exposed confidential data that it finds to the Enforce Server for reporting and remediation.

The following types of SharePoint items are scanned:

1] Wiki pages

2] Blogs

3] Calendar entries

4] Tasks

5] Project tasks

6] Discussion entries

7] Contact lists

8] Announcements

9] Links

10] Surveys

11] Issue tracking

12] Custom lists

13] Documents in the document library

Note:  Only the latest version of a document is scanned.

 Sharepoint_0.PNG

 The communication between the Discover Server and the SharePoint Web Front End (WFE) is SOAP-based.

Communication is encrypted when the SharePoint Web sites are configured to use SSL.

For HTTPS, validation of the server SSL certificate is off by default, so the Discover Server accepts whatever certificate the other end presents: the traffic is encrypted, but the SharePoint server is not authenticated. To enable validation of the server SSL certificate, turn on the advanced setting Discover.ValidateSSLCertificates. Then import the server SSL certificate to the Discover Server.

If the specified SharePoint site is configured to be on a port that is not the default (80), ensure that the SharePoint server allows the Discover Server to communicate on the required port.

The SharePoint solution uses Windows SharePoint Services (WSS) application programming interfaces. User access to the content is based on the rights for the specified user in SharePoint. Enter the user credentials to specify this user when you configure a SharePoint scan.

                       #########      Configuring and running SharePoint server scans               ########

Before you run a scan, you must set up a target using the following procedure.

The SharePoint solution must be installed on the Web Front End in a farm. The installation on the Web Front End is explained in detail in the next section of this article.

To set up a new target for the scan of a SharePoint server

i]  Click Manage > Discover Scanning > Discover Targets > New Target > Server > SharePoint.

ii] On the General tab, enter the name of this scan target.

iii] Select the policy groups that contain the policies for this target scan.

iv] Select the Discover Servers where this target scan can run.

v] Select Scheduling options.
 

Choose Submit Scan Job on Schedule to set up a schedule for scanning the specified target. Select an option from the schedule drop-down list to display additional fields.

Choose Pause Scan between these times to automatically pause scans during the specified time interval. You can override a target's pause window by going to the Discover Targets screen and clicking the start icon for the target entry. The pause window remains intact, and any future scans that run up against the window can pause as specified. You can also restart a paused scan by clicking the continue icon for the target entry.

vi] On the Scanned Content tab, enter the credentials for this scan.

You can specify a default user name for access to all SharePoint sites, except those specified using the Add editor.

If you specify SharePoint sites with the Add editor, you can specify separate credentials for each site.

The user accounts should have "Browse Directories" permissions in SharePoint to perform the scan. To retrieve permissions, the user account needs the "Enumerate Permissions" SharePoint permission level.

 Access privileges for SharePoint 2007 and 2010 scans:

To perform the SharePoint scan, the user accounts should have sufficient rights to access and browse the SharePoint site content. The user account must also have permission to invoke Web services and permission to obtain the access control list (ACL).

These rights correspond to the lower-level SharePoint permissions "Browse Directories,""Use Remote Interfaces," and "Enumerate Permissions." Refer to the Microsoft SharePoint documentation for more information on SharePoint permissions and permission levels. If the user account does not have the "Enumerate Permissions" right, then the ACL is not obtained for the SharePoint content.

The following permission levels in SharePoint already have these permissions defined:

Full Control (includes Browse Directories, Use Remote Interfaces, and Enumerate permissions)

Design (includes Browse Directories and Use Remote Interfaces permissions)

Contribute (includes Browse Directories and Use Remote Interfaces permissions)

vii] Specify the SharePoint sites to scan.

For each site, enter a target URL to the SharePoint Web application or site collection or site to be scanned. All the items in its child sites and sub sites are scanned.

For a Web application, specify for example: http://www.sharepoint.com:2020

For a site collection, specify for example: http://www.sharepoint.com:2020/Sites/collection

For a site or sub-site, specify for example: http://www.sharepoint.com:2020/Sites/mysharepoint/sub/mysite

For the SharePoint site, use the public URL instead of the internal URL.

The following syntax applies for the URL and credentials on each line:

URL,[username,password]

Select one of the following methods of entering the location for the SharePoint server:

a] Uploaded file

Select Scan Sites From an Uploaded File. Create and save a plain text file (.txt) listing the servers you want to scan. Create the file using an ASCII text editor and enter one URL per line. Then click Browse to locate the file with the list. Click Upload Now to import it.

b] Individual entries

Select Scan Sites. Click Add to use a line editor to specify the servers you want to scan. Server information that is entered here takes precedence over the default values and applies only to the path specified.

viii] Select Path Filters.

Use the Include Filter and Exclude Filter to specify the items that Symantec Data Loss Prevention should process or skip. If the field is empty, Symantec Data Loss Prevention performs matching on all items. If you enter any values for the Include Filter, Symantec Data Loss Prevention scans only those items that match your filter. Delimit entries with a comma, but do not use any spaces.

You can provide filters using regular expressions, or paths relative to the location of the SharePoint site. Filters can include a site collection, site, sub site, folder, file name, or file extension. Path filters are not applied on attachments of an item, such as a .doc attachment to a list item.

All path filters are case-sensitive.

For the Include Filter, regular expression matching is applied to files, but not to folders.

For the Exclude Filter, regular expression matching is applied to both files and folders.

Only the path until the first "?" or "*" is considered when a folder or file is matched.

When all the specified path filters are relative, the matching folder is skipped, and the scan statistics do not include the items in the skipped folders.

ix]  Select Date Filters.

The date filters let you include items from the matching process based on their dates. Any items that match the specified date filters are scanned.

x] Select Size Filters.

The size filters let you exclude items from the matching process based on their size. Symantec Data Loss Prevention includes only the items that match your specified size filters. If you leave this field empty, Symantec Data Loss Prevention performs matching on items or documents of all sizes.

Filtering Discover targets by item size:

Use size filters to exclude items from the matching process that are based on their size.

Size filters are only available for files on file shares, Endpoint files, Lotus Notes documents, SharePoint items, and Exchange items.

You can configure other options for this target.

To exclude items based on item size:

a] In the Enforce Server administration console, go to Manage > Discover Scanning > Discover Targets.
b] Click the name of the scan that you want to filter based on item size.
c] Click the Scanned Content tab.
d] Enter optional values under the item size filters.
Symantec Data Loss Prevention includes only the items that match your specified size filters. If you leave this field empty, Symantec Data Loss Prevention performs matching on items of all sizes.

Note that all filters are combined with "and" if a value is provided. Consider all filter values (for example include, exclude, and date) when adding or modifying scan filters. Avoid unintentionally including everything, or excluding everything from the scan.

e] To exclude items smaller than a particular size, enter a number in the field next to Ignore Smaller Than. Then select the appropriate unit of measure (Bytes, KB, or MB) from the drop-down list next to it.
f] To exclude items larger than a particular size, enter a number in the field next to Ignore Larger Than. Then select the appropriate unit of measure (Bytes, KB, or MB) from the drop-down list next to it.
g] Click Save to save all updates to this target.

xi] Under Scan Type, select Scan only new or modified items (incremental scan). This option is the default for new targets.

If you have changed the policy or other definitions in an existing scan, you can set up the next scan as a full scan. Select the following option:

Scan all items for the next scan. Subsequent scans will be incremental.

If you always want to scan all items in this target, select the following option:

Always scan all items (full scan)

xii] Select the Advanced tab for options to optimize scanning. On the Advanced tab, you can configure throttling options and set Inventory Mode for scanning.
 

a]Throttling Options

Specify the maximum number of items to be processed per minute, or specify the maximum number of bytes to be processed per minute. For bytes, specify the unit of measurement from the drop-down list. The options are bytes, KB (kilobytes), or MB (megabytes).

Note: Byte throttling is only applied after the fetch of each item. Therefore, actual network traffic may not exactly match the byte throttling that is set.
 

b] Inventory Scanning

Enter the number of incidents to produce before moving on to the next site to scan (a URL from the Scanned Content tab). To audit whether confidential data exists on a target, without scanning all of it, set up Inventory Mode for scanning. Setting incident thresholds can improve the performance of scanning by skipping to the next site to scan, rather than scanning everything.

After the incident threshold has been reached, the scanning of this site is stopped, and scanning proceeds to the next site. Because the process is asynchronous, a few more incidents may be created than specified in the incident threshold.
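As an added example (not code from the article or from Symantec), the PowerShell script below is a pre-flight helper for step vii (the site list file) and step viii (path filters). It writes site list lines in the URL,[username,password] syntax given above, and it dry-runs Include/Exclude expressions against item paths using the rules stated in step viii: case-sensitive matching, Include applied to files only, Exclude applied to files and folders. The matcher is a local approximation of those documented rules, not Network Discover's own code; the sites, scan account, password and item paths are constructed for the example.

```powershell
# Added example, not code from the article or from Symantec: a pre-flight
# helper for the site list file (step vii) and path filters (step viii).
# The filter matcher approximates the documented rules; it is not the product's
# matcher. All sites, accounts and item paths below are constructed.

function New-SharePointSiteList {
    param([object[]]$Sites, [string]$OutFile)
    $lines = foreach ($s in $Sites) {
        if (([uri]$s.Url).Scheme -ne 'https') {
            Write-Warning "$($s.Url): not HTTPS, so scan credentials and content cross the network in clear"
        }
        # Per-site credentials override the default scan user, as the Add editor does.
        if ($s.User) { '{0},{1},{2}' -f $s.Url, $s.User, $s.Password } else { $s.Url }
    }
    # The file holds scan-account passwords in clear text: write it to a private
    # location and delete it after Upload Now has imported it.
    Set-Content -Path $OutFile -Value $lines -Encoding Ascii   # one site per line, ASCII, as step vii requires
    $lines
}

function Test-DiscoverPathFilters {
    param([string]$Include, [string]$Exclude, [object[]]$Items)
    # Filters are comma-delimited with no spaces; an empty Include matches every file.
    $inc = @($Include -split ',' | Where-Object { $_ })
    $exc = @($Exclude -split ',' | Where-Object { $_ })
    $folders = @($Items | Where-Object { $_.Type -eq 'folder' } | ForEach-Object { $_.Path })
    foreach ($file in ($Items | Where-Object { $_.Type -eq 'file' })) {
        $path = $file.Path
        $ancestors = @($folders | Where-Object { $path.StartsWith($_ + '/') })
        # Exclude: the file itself or any folder above it, case-sensitive (-cmatch).
        $excluded = $false
        foreach ($p in $exc) {
            if (($path -cmatch $p) -or (@($ancestors | Where-Object { $_ -cmatch $p }).Count -gt 0)) { $excluded = $true }
        }
        # Include: tested against files only; folders are never tested against Include.
        $included = ($inc.Count -eq 0) -or (@($inc | Where-Object { $path -cmatch $_ }).Count -gt 0)
        [pscustomobject]@{ Path = $path; Scanned = ($included -and -not $excluded) }
    }
}

# Constructed inputs for the dry run.
$sites = @(
    @{ Url = 'https://sharepoint.example.com:2020/Sites/Finance'; User = 'CORP\svc-dlp-scan'; Password = 'example-only' },
    @{ Url = 'http://intranet.example.com' }   # no credentials: default scan user; also triggers the HTTPS warning
)
New-SharePointSiteList -Sites $sites -OutFile (Join-Path $env:TEMP 'sharepoint-sites.txt')

$items = @(
    @{ Type = 'folder'; Path = 'Shared Documents' },
    @{ Type = 'folder'; Path = 'Shared Documents/Archive' },
    @{ Type = 'file';   Path = 'Shared Documents/Budget2014.xlsx' },
    @{ Type = 'file';   Path = 'Shared Documents/Archive/old.xlsx' },
    @{ Type = 'file';   Path = 'Shared Documents/readme.TXT' }
)
Test-DiscoverPathFilters -Include '\.xlsx$,\.txt$' -Exclude 'Archive' -Items $items | Format-Table -AutoSize
```

With these inputs the dry run reports Budget2014.xlsx as scanned, old.xlsx as not scanned because its Archive parent folder matches the Exclude filter, and readme.TXT as not scanned because the Include expression \.txt$ is case-sensitive; if that is not what you intend, list both spellings in the Include filter before you save the target.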

 

 

                       #########          How to Set Up Scans Of SharePoint Servers           #########

 

This section gives the step-by-step procedure for setting up and running SharePoint server scans.

To set up scanning of SharePoint servers, complete the following process:

Procedure Step 1: Verify that your SharePoint server is on the list of supported targets.
 

The following SharePoint server targets are supported:

Microsoft Office SharePoint Server 2007, on Windows Server 2003, 32-bit

Microsoft Office SharePoint Server 2007, on Windows Server 2003, 64-bit, or Windows 2008 R1

Microsoft Office SharePoint Server 2010, on Windows Server 2008 R2

SharePoint 2003 is supported only with the SharePoint scanner.

Supported SharePoint scanner targets:

The following SharePoint targets are supported for scanners:

a] Microsoft Office SharePoint 2007 Server, on Windows Server 2003, 32-bit

Separate scanner installation is available for SharePoint 2007 32-bit servers. Use the following SharePoint scanner installation file for SharePoint 2007 32-bit servers:

SharePoint2007Scanner_windows_x32_11.5.exe

The scanner must be installed on one of the Web Front End (WFE) servers of a SharePoint 2007 32-bit farm.

The Microsoft Visual C++ 2005 SP1 (32-bit) Redistributable Package must be installed on the computer.

b] Microsoft Office SharePoint 2007 Server, on Windows Server 2003, 64-bit, or Windows 2008 R1

Separate scanner installation is available for SharePoint 2007 64-bit servers. Use the following SharePoint scanner installation file for SharePoint 2007 64-bit servers.

SharePoint2007Scanner_windows_x64_11.5.exe

The scanner must be installed on one of the Web Front End (WFE) computers of a SharePoint 2007 64-bit farm.

The Microsoft Visual C++ 2005 SP1 (64-bit) Redistributable Package must be installed on the computer.

c] SharePoint 2003

Make sure the correct SharePoint scanner is installed for your version of SharePoint.

Procedure Step 2 :  Verify that you have sufficient permissions to install the SharePoint solution on the Web Front Ends in a Farm.

Also verify that the scan user has the permissions to run the scan of the SharePoint server.

Access privileges for SharePoint 2007 and 2010 scans: the scan account needs the "Browse Directories," "Use Remote Interfaces," and "Enumerate Permissions" rights, as described in the first part of this article above.

Procedure Step3 :  Installing the SharePoint solution on the Web Front Ends in a farm :

 The SharePoint target running on Network Discover communicates with the SharePoint solution and fetches content after the target is authenticated with SharePoint. You can configure the application to use SSL if secure data transfer is required between the Network Discover and SharePoint servers.

Specific permissions are required for the SharePoint solution installation process.

The Symantec SharePoint solution is versioned, and is not backward-compatible. If you are upgrading from Symantec Data Loss Prevention version 11.5 or earlier, you must upgrade your SharePoint solution. 

The following table lists the SharePoint solution version that is compatible with each version of Symantec Data Loss Prevention:

Symantec SharePoint solution version    Compatible Symantec DLP version
No version number                       11.0 through 11.5
11.5.1                                  11.5.1
11.6                                    11.6

To install the Symantec SharePoint solution

1] Copy the SharePoint solution installer Symantec_DLP_Solution.exe to a temporary directory on the SharePoint Web Front End. This file is located in the DLPDownloadHome\Symantec_DLP_11_Win\Third_Party\SharePoint or DLPDownloadHome/Symantec_DLP_11_Lin/Third_Party/SharePoint directory, where DLPDownloadHome is the name of the directory in which you unzipped the Symantec Data Loss Prevention software.

2] Start the Windows SharePoint Services Administration service on the SharePoint server. On the SharePoint server, click Start > All Programs > Administrative Tools > SharePoint Central Administration.

3]Double-click the Symantec_DLP_Solution.exe file. The Symantec Data Loss Prevention solution installation program starts.

4] Click Next; the installation program performs a number of preliminary checks.

If one of these checks fails, correct the problem and restart the installation program.

Click Next.

5] Accept the Symantec License Agreement , and click Next.
6] The installation program copies the files and deploys the solution to all Web Applications in the SharePoint farm.
7] After installation, verify that the SharePoint solution has been correctly deployed to the server or server farm.
8] Connect to SharePoint Central Administration. On the SharePoint server, go to Start > All Programs > Administrative Tools > SharePoint Central Administration.
9] For SharePoint 2007, click the Operations tab. In the Global Configuration section, select Solution management.
10] For SharePoint 2010, click System Settings. Then select Manage Farm Solutions.
11] Verify the deployment. If the solution is installed correctly, the list includes symantec_dlp_solution.wsp.
12] If the solution must be removed, use the SharePoint retract and undeploy features.
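As an added example (not code from the article or from Symantec), the PowerShell script below runs in the SharePoint 2010 Management Shell on a Web Front End and scripts the two checks that Procedure Step 2 and Procedure Step 3 ask you to make: that the Symantec solution is in the farm solution store and deployed, and that the scan account holds the three low-level rights the scan needs on each site, without holding Full Control. The scan account name and the Web application URL are assumptions; the .wsp name and the three permissions are the ones the article names. SharePoint 2007 has no PowerShell snap-in, so use stsadm -o enumsolutions there.

```powershell
# Added example, not code from the article or from Symantec. Run as a farm
# administrator in the SharePoint 2010 Management Shell. The account and URL
# below are assumptions; the .wsp name and permission names are from the article.
param(
    [string]$ScanAccount = 'CORP\svc-dlp-scan',                    # assumed scan account
    [string]$WebAppUrl   = 'https://sharepoint.example.com:2020'  # assumed Web application
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 3 check: the Symantec solution must be in the farm store and deployed.
$sol = Get-SPSolution | Where-Object { $_.Name -eq 'symantec_dlp_solution.wsp' }
if (-not $sol)          { throw 'symantec_dlp_solution.wsp is not in the farm solution store' }
if (-not $sol.Deployed) { throw 'symantec_dlp_solution.wsp is present but not deployed' }
$urls = @($sol.DeployedWebApplications | ForEach-Object { $_.Url })
Write-Output "Solution deployed to: $($urls -join ', ')"

# Step 2 check: the scan account needs exactly these low-level rights on each site.
$needed = @(
    [Microsoft.SharePoint.SPBasePermissions]::BrowseDirectories,    # browse site content
    [Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs,        # "Use Remote Interfaces": the SOAP Web services
    [Microsoft.SharePoint.SPBasePermissions]::EnumeratePermissions  # read the ACL reported with each incident
)
$webApp = Get-SPWebApplication -Identity $WebAppUrl
foreach ($site in $webApp.Sites) {
    foreach ($web in $site.AllWebs) {
        $missing = @($needed | Where-Object { -not $web.DoesUserHavePermissions($ScanAccount, $_) })
        $full = $web.DoesUserHavePermissions($ScanAccount, [Microsoft.SharePoint.SPBasePermissions]::FullMask)
        $state = 'OK'
        if ($full) { $state = 'OK, but Full Control: use a custom permission level with only the three rights' }
        if ($missing.Count -gt 0) { $state = 'MISSING ' + ($missing -join ',') }
        Write-Output ('{0,-60} {1}' -f $web.Url, $state)
        $web.Dispose()
    }
    $site.Dispose()
}
```

A MISSING line for EnumeratePermissions means the scan still runs but the ACL is not obtained for that site's content, as the permissions section above explains. A Full Control finding is worth fixing: a compromised scan account would then be able to change content rather than only read it.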

Procedure Step 4: Click Manage > Discover Scanning > Discover Targets to create a SharePoint target and to configure scans of SharePoint servers.
 

For the target configuration, refer to the first part of this article, Configuring and running SharePoint server scans.

Procedure Step 5: Set any additional scan options for the SharePoint target.
 

Network Discover scan target configuration options :

Use the General, Scanned Content, and Advanced tabs to configure a Network Discover scan target.

The General tab is available for all types of targets.

The Scanned Content and Advanced tabs are only available for some types of targets.

For the additional configuration information that is specific to one type of target, refer to the section for that target type.

Note that all filters are combined with "and" if a value is provided. Consider all filter values when adding or modifying scan filters, to avoid unintentionally including or excluding everything from the scan.

For configuration when adding or editing a target, select from the following options:

Optional task                                                           Tab in scan target

Configure required fields (set when a new target is added)              General
Schedule Network Discover scans                                         General
Configure incremental scans                                             General
Provide authentication and set up credentials                           Scanned Content
Include or exclude repositories from a scan                             Scanned Content
Filter targets by file size                                             Scanned Content
Filter targets by date last accessed or modified                        Scanned Content
Optimize your resources with scan throttling                            Advanced
Create an inventory of the locations of unprotected sensitive data      Advanced
Move or quarantine files in network file shares with Network Protect    Protect

Procedure Step 6: Start the SharePoint server scan.

Click Manage > Discover Scanning > Discover Targets.

Select the scan target from the target list, then click the Start icon.

Final Procedure Step 7: Verify that the scan is running successfully.

Network Monitor Implementation


Network Monitor :

Network Monitor accurately detects confidential information across configured network protocols and content types before it leaves the network. Real-time monitoring and reporting deliver constant visibility on data security.

Network Monitor Servers gather network traffic from SPAN ports or network taps and report on private or proprietary data as it moves across the network. The Enforce Server defines the policy groups, protocols, and protocol filters that control the Network Monitor Servers. The incidents that the servers find are organized into reports, alerts, and actions on the Enforce Server. A network of Monitor Servers can be deployed on the company network to report on network activity and policy compliance. Monitor Servers can enforce a uniform set of policies or specialized policies based on the location and purpose of the server. Some example deployments of Network Monitor Servers are as follows:

Monitoring outgoing traffic - A Network Monitor Server resides in each corporate datacenter that routes data to the Internet. Each Network Monitor Server scans the outgoing traffic for that datacenter. All the servers scan for violations of the same policy groups. This configuration allows the Enforce Server to create separate reports for multiple stakeholders in the corporation.

Monitoring a large flow of traffic - Multiple Network Monitor Servers are placed on the same span of traffic. Traffic is distributed through a traffic load balancer, or load balancing is done through protocol and IP filters.

Monitoring a subgroup of users - A policy group is configured with policies to capture all traffic from a select group of users. A monitor NIC captures the same traffic, but it is assigned to the more selective policy group. This configuration protects the other monitors from the greater scale of traffic that the selected policy group generates.

In any deployment, Network Monitor gives organizations the ability to monitor all network communications, including:

1] Email

2] Instant messaging

3] Web mail and Web postings

4] File transfers

5] Network news

6] Peer-to-peer

7] Telnet

8] All other TCP sessions through any port.

Network Monitor also enables you to quantify your organization's risk from potential confidential data loss incidents. Network Monitor automatically classifies each data loss incident by severity, which enables response teams to quickly prioritize high-risk situations and focus resources.

Network Monitor.PNG

Network Monitor captures and analyzes traffic on your network, detecting confidential data and significant traffic metadata over the protocols you specify, for example SMTP, FTP, HTTP, and various IM protocols. You can configure a Network Monitor Server to monitor custom protocols and to use a variety of filters (per protocol) to filter out low-risk traffic.

To monitor network traffic, a Network Monitor Server requires:

a] A network Switch Port Analyzer (SPAN) or network tap to acquire traffic on the target network.

b] A card on the Network Monitor Server host to capture the network traffic that is acquired from the SPAN or tap. Either a network interface card (NIC) or an Endace DAG network measurement card (Endace card) can be used. (Note that in addition to this traffic-capturing card, a separate NIC is required for communication between the Network Monitor Server and the Enforce Server.)

c] Packet capture software. When you use a NIC for packet capture, packet capture software must be installed on the Network Monitor Server host. When you use an Endace card, the card must use the correct driver.

Perform the following high-level tasks, in order, to implement Network Monitor. The step-by-step procedure follows.

Procedure Step 1 : Install and set up the network tap or SPAN that captures network traffic.

Procedure Step 2 : Choose a method of capturing network traffic.

You can use three different methods to capture the network traffic that is acquired by a SPAN or tap:

a] NIC on a Windows platform. Windows platforms using a NIC for packet capture require a WinPcap library on the Network Monitor Server host. If WinPcap is not already on the Network Monitor Server host, you must install it. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about the supported version of the WinPcap library.

b] NIC on a Linux platform. Linux platforms using a NIC use native Linux packet capture, which requires PACKET_MMAP support in the kernel. Support for PACKET_MMAP is included by default in supported Linux kernels.

c] Endace card on either Windows or Linux platforms. An Endace DAG network measurement card can be used on both Windows and Linux platforms to provide network packet capture in high-traffic environments. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about supported Endace cards and drivers.

Platform            Card     Software
Windows             NIC      WinPcap
Linux               NIC      Native
Windows and Linux   Endace   Endace

Procedure Step 3 : Install the necessary NIC or Endace card on the Network Monitor as described by the card documentation. Also use the appropriate Symantec Data Loss Prevention Installation Guide (Windows or Linux). This NIC or Endace card must operate in promiscuous mode so that it picks up all inbound and all outbound traffic. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about supported NICs and Endace cards.

Procedure Step 4: On a Windows platform, install WinPcap if it is not already installed.

If WinPcap software is not already present on a Windows platform, you must install it.

To install WinPcap on the Network Monitor Server:

1 Copy the WinPcap files to a local drive.

2 Run the WinPcap executable and follow the installation instructions.

3 Reset the Windows registry settings by running pcapstart.reg and follow the instructions that are displayed.

Additional details can be found in the Symantec Data Loss Prevention Installation Guide.

Procedure Step 5 : If necessary, update the Endace driver.

If you upgrade a Network Monitor Server to the current version, you may need to update the Endace card driver. See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for information about supported Endace cards and drivers.

Updating an Endace Driver

1 Install the new driver as described by Endace documentation.

2 Reconfigure the Network Monitor to use the new driver. 

Procedure Step 6 : Disable checksum offloading for the NIC that is used to monitor network traffic. For Linux platforms, use the following commands to disable checksum offloading for both receiving and transmitted data on the eth0 interface:

ethtool -K eth0 tx off
ethtool -K eth0 rx off
To see the current status of checksum offloading, use the ethtool -k eth0 command.

Note: Certain checksum algorithms work by modifying network packets and adding empty checksums. Empty checksums can cause network capture drivers to drop the packets, in which case they are not evaluated by Network Monitor.
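As an added example (this is not Symantec's own code or tooling), the following POSIX shell script checks the two NIC conditions that Steps 3 and 6 depend on: that the capture interface is in promiscuous mode, and that checksum offloading is off. It parses a constructed sample of `ethtool -k` output so it runs offline; on a real Network Monitor host you would pipe the live `ethtool -k` output into the same function. The interface name eth0, the sample feature lines, and the extra check for TSO/GRO (which also alter packets before the capture driver sees them) are assumptions, not part of the procedure above.

```shell
#!/bin/sh
# Added example, not Symantec's own code: pre-flight checks for the capture NIC
# on a Linux Network Monitor host. Runs offline against a constructed sample.

IFACE=${IFACE:-eth0}   # assumed interface name

# Constructed sample of `ethtool -k eth0` output (assumption, for offline use).
# On a real host use:  ethtool -k "$IFACE" | offloads_still_on
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: on
scatter-gather: on
tcp-segmentation-offload: on
generic-receive-offload: off'

# Read `ethtool -k` output on stdin and print each top-level offload feature
# that is still on; prints nothing when they are all off. Besides the rx/tx
# checksumming the procedure disables, TSO and GRO are reported because they
# also change the packets a capture driver sees (assumption beyond the text).
offloads_still_on() {
    awk -F': ' '
        /^(rx|tx)-checksumming|^tcp-segmentation-offload|^generic-receive-offload/ {
            if ($2 ~ /^on/) print $1
        }'
}

# Exit 0 when no checked offload is on (stdin: ethtool -k output).
offloads_disabled() {
    [ -z "$(offloads_still_on)" ]
}

# Exit 0 when IFF_PROMISC (0x100) is set in the flags value given as $1,
# e.g. the contents of /sys/class/net/$IFACE/flags such as 0x1103.
flags_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# The remediation commands from Step 6, printed rather than executed so the
# change can be reviewed before it touches a production capture host.
offload_fix_cmds() {
    printf 'ethtool -K %s tx off\n' "$1"
    printf 'ethtool -K %s rx off\n' "$1"
}

# Stand-alone run on the constructed sample.
if printf '%s\n' "$SAMPLE_ETHTOOL_K" | offloads_disabled; then
    echo "$IFACE: checksum offloading already off"
else
    echo "$IFACE: offloads still on:"
    printf '%s\n' "$SAMPLE_ETHTOOL_K" | offloads_still_on | sed 's/^/  /'
    offload_fix_cmds "$IFACE"
fi
if [ -r "/sys/class/net/$IFACE/flags" ] && flags_promisc "$(cat "/sys/class/net/$IFACE/flags")"; then
    echo "$IFACE: promiscuous mode on"
else
    echo "$IFACE: promiscuous mode not confirmed (check with: ip link show $IFACE)"
fi
```

Run it as root on the monitor host with `IFACE=<capture interface>` after replacing the sample with live output; because the fix commands are only printed, the script never changes interface settings by itself.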

Procedure Step 7 : Use a protocol analyzer such as Wireshark to validate traffic on the tap or SPAN that feeds into your NIC or Endace card.

Procedure Step 8 : Configure the Network Monitor Server.

You configure the Network Monitor Server by selecting the network interface (NIC or Endace card) to use for traffic capture. You must also select which protocols to monitor.

To configure a Network Monitor Server

A] In the Enforce Server administration console, go to System > Servers > Overview and click the Network Monitor Server. The Server Detail screen appears.
If you do not use a high-speed packet capture adapter (Endace or Napatech) for traffic capture, skip to step F.

B] If you use a high-speed packet capture adapter (Endace or Napatech), click Server Settings.

C] Enter the appropriate values in the following fields:

PacketCapture.ENDACE_BIN_PATH :  Type the path to the Endace \bin directory.

By default, this directory is located at endace_home\dag-version\bin (for example, on a Windows platform, c:\Program Files\Endace\dag-3.2.2\bin). Note that you cannot use variables (such as %ENDACE_HOME%) in any of the fields that are listed here.
 
PacketCapture.ENDACE_LIB_PATH :  Type the path to the Endace \lib directory
 
PacketCapture.ENDACE_XILINX_PATH :  Type the path to the Endace \xilinx directory.
 
PacketCapture.IS_ENDACE_ENABLED :  Change the value to true.

D] Stop and restart the Network Monitor Server. Symantec Data Loss Prevention displays the Endace card in the Network Interfaces field of the Configure Server screen for the Network Monitor Server. 
 

E] Go to System > Servers > Overview and again click on the Network Monitor Server. 

F] On the Server Detail screen, click Configure. You can verify or modify settings in the general section at top and on the Packet Capture tab, as described in subsequent steps. 

G] Leave the Source Folder Override field blank to accept the default directory for buffering network streams before the Network Monitor Server processes them. (This setting is the recommended setting.) To specify a custom buffer directory, type the full path to the directory. 

H] Leave the Archive Folder field blank. 

I] Select one or more Network Interfaces (NICs or Endace cards) through which the Network Monitor Server should capture traffic.

J] In the Protocol section, select one or more protocols to monitor. For example, select the check boxes for SMTP, HTTP, and FTP. For a protocol to appear in this section, it must already be configured on the global Protocols screen in the Enforce Server.
See the online Help associated with the Configure Server screen.

K] Click Save.

L] Stop and restart the Network Monitor Server. Click Recycle next to the Status entry in the Server Detail screen.

Procedure Step 9 : Create and deploy a test policy for Network Monitor.

For Network Monitor, you can create the policies that include any of the standard response rules. To set up a response rule action, go to Manage > Policies > Response Rules and click Add Response Rules.

To create a test policy for Network Monitor

a] In the Enforce Server administration console, create a response rule that includes one of the actions that applies to Network Monitor. For example, create a response rule that includes the All: Set Status action.

b] Create a policy that incorporates the response rule you configured in the previous step.
For example, create a policy called Test Policy as follows:

i) Include a Content Matches Keyword detection rule that matches on the keyword test_vontu_secret_keyword.

ii) Include an All: Set Status response rule.

iii) Associate it with the Default policy group.

As a policy author you can define a new policy from scratch or from a template.

To add a new policy or a policy template

Click Add Policy at the Manage > Policies > Policy List screen.
Choose the type of policy you want to add at the New Policy screen.

i) Select Add a blank policy to add a new empty policy.

ii) Select Add a policy from a template to add a policy from a template.

iii) Click Next to configure the policy or the policy template.

Procedure Step 10 : Test the system by generating an incident against your test policy.

You can test Network Monitor by sending an email that violates your test policy.

To test your system

i) Access an email account that routes messages through the MTA.
ii) Send an email that contains confidential data. For example, send an email that contains the keyword test_vontu_secret_keyword.
iii) In the Enforce Server administration console, go to Incidents > Network and click Incidents - New. Look for the resulting incident. For example, search for an incident entry that includes the appropriate timestamp and policy name.
iv) Click on the relevant incident entry to see the complete incident snapshot.

Collect Agent Information from SCSP Management Console


On an SCSP agent there is a script named getagentinfo.bat under the installation folder. The end user can run this script to collect the information that Support needs to troubleshoot an SCSP agent issue.

However, if you need to collect the information about an agent to which you do not have login access, or you need to collect the information for many agents at the same time, you can use the CSP_Agent_Diagnostics detection policy.

A version of this policy is available for Windows and UNIX agents.

Here are the graphical steps to collect agent information from SCSP management console:

1. Log on to the management console as an administrator.

2. In the management console, select the 'Policies' view, then select the 'Detection' page. On the left panel, expand 'Workspace' --> 'Symantec'. There is a policy named CSP_Agent_Diagnostics:

SCSP_Log_Collect_01.png

3. Open the policy for editing and select 'Diagnostic functions':

SCSP_Log_Collect_02.png

4. Enable the option 'Select a function to run on the agent', then expand the +, and select 'Run the Collect Info Script' for the Value field:

SCSP_Log_Collect_03.png

5. Save the policy, then right-click it to apply the policy:

SCSP_Log_Collect_04.png

6. Select the agent to apply this detection policy:

SCSP_Log_Collect_05.png

7. You can check the policy assignment on the Assets view:

SCSP_Log_Collect_06.png

8. The policy runs the collect info script immediately after being applied to the agent.

You can check the status of the task and its results on the monitors.

Click the 'Monitors' view, then select the 'Events' page; there will be an event indicating that the agent diagnostics task ran successfully.

SCSP_Log_Collect_07.png

9. The task finishes in minutes.

You can monitor the events on the Monitors page to determine whether the collect info output file was uploaded to the management server. Look for management events of type Agent Status.

The event message contains the name of the collect info output file.

SCSP_Log_Collect_08.png

10. The collect info output file is located in this folder:

C:\Program Files (x86)\Symantec\Critical System Protection\Server\logfiles:

SCSP_Log_Collect_09.png

You can now send this zip file to the support engineer.

Killing Conficker: How to Eradicate W32.Downadup for Good


Introduction

This is the fifth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions). 

This fifth article hopes to give admins the techniques they need to eliminate one of their network's most persistent pests: W32.Downadup, also known as the Conficker worm.

What is Downadup and Why won't it go away?

Installing that patch alone will not make a computer invulnerable. Exploiting that vulnerability is just one of its methods of spreading.

Help! Hundreds of Computers are Infected!!

Tracking Down the Infected Computers

What is Risk Tracer?
Article URL http://www.symantec.com/docs/TECH102539

If Risk Tracer is not enabled in your organization or is not functioning, then the logs of SEP's IPS component serve as an excellent indicator. The "Identifying Unprotected Computers" section of the article Two Reasons why IPS is a "Must Have" for your Network provides an illustration of how to identify the Remote Hosts which are sending out W32.Downadup's malicious traffic. If you are seeing "[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked." entries, then W32.Downadup is the cause.

[SID: 23179] Intrusion Detection alerts received on a Symantec Endpoint Protection client for ntoskrnl.exe
Article URL http://www.symantec.com/docs/TECH131438

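The following shell script is an added example, not code from the article or from Symantec: it turns the IPS evidence described above into a ranked list of the remote hosts that keep hitting the SID 23179 block, which are the infected machines to clean first. The log lines are constructed in a simplified pipe-separated layout (an assumption; this is not SEP's real log export format), so the script runs offline; for a real export you would adjust the field separator and the field numbers.

```shell
#!/bin/sh
# Added example, not from the article: rank the remote hosts that trigger the
# SID 23179 (MSRPC Server Service, CVE-2008-4250) block on SEP clients, which
# the article identifies as W32.Downadup's spreading attempts.

# Constructed sample lines in a simplified layout (assumption: NOT SEP's real
# log export format):  time|protected host|remote IP|event text
SAMPLE_IPS_LOG='2014-03-01 08:02:11|WS-114|10.20.4.77|[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-01 08:02:13|WS-114|10.20.4.77|[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-01 08:03:40|WS-120|10.20.9.15|[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-01 08:04:02|WS-120|10.20.4.77|[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2014-03-01 08:05:09|WS-131|10.20.4.90|[SID: 20000] Unrelated signature blocked.'

# Read log lines on stdin; print "hits|remote-ip|distinct-targets" for every
# remote host that produced a SID 23179 block, most hits first. The remote
# hosts are the infected machines to clean; the protected hosts only logged
# the blocked attempt.
downadup_sources() {
    awk -F'|' 'index($4, "[SID: 23179]") {
                   hits[$3]++
                   if (!seen[$3, $2]++) targets[$3]++
               }
               END { for (ip in hits) printf "%d|%s|%d\n", hits[ip], ip, targets[ip] }' \
    | sort -t'|' -k1,1nr -k2,2
}

# Convenience: only the IP of the noisiest source (stdin: log lines).
top_downadup_source() {
    downadup_sources | head -n 1 | cut -d'|' -f2
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_IPS_LOG" | downadup_sources
```

A host that appears with several distinct targets is actively scanning, not merely being probed, so it belongs at the top of the cleaning list; once cleaned, the same report run a day later should show it gone.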
If neither Risk Tracer nor IPS logs are an option, the job is more difficult. Enabling Task Scheduler logging in the Windows Event Logs and then studying their entries will let you know which remote computer has created W32.Downadup's scheduled task on a victim.

How to determine which remote computer has created a malicious scheduled task
Article URL http://www.symantec.com/docs/HOWTO95062

Effectively Cleaning Machines

Monitoring!

One positive note: if there are any lingering traces of the threat still in your network, your users will let you know! Helpdesk calls about accounts being locked out are often a sign that W32.Downadup is present and attempting to spread.

Conclusion

Many thanks for reading! Please do leave comments and feedback below.

Enforce Server integration with Symantec Protection Center (SPC) & How to Unregister the Enforce Server from SPC


Symantec Protection Center (SPC) is a common user interface which lets you centralize data and management of Symantec and third-party security products on one web console. This consolidation provides increased visibility into the status of the security of your enterprise systems by letting you see many aspects of security at one time.

Using SPC you can:

View reports.

View notifications.

Perform remediation tasks.

Configure SPC settings.

Manage integrated products.

SPC leverages the power of the Symantec Global Intelligence Network (GIN) to provide customers with real-time feedback on the security of their enterprise systems, offering information on detected vulnerabilities, known threats within customer networks, and malicious traffic exiting customer networks. SPC also offers intelligent prioritization of security risks to let customers prioritize risk resolution through integration with patching systems and ticketing systems or change configuration settings in the security products.

By integrating Symantec Data Loss Prevention with Symantec Protection Center (SPC), you can administer Data Loss Prevention servers, manage policies, and remediate incidents from within the SPC interface. This single console is especially useful if you have other Symantec products that integrate with SPC. For example, if you also use Symantec Messaging Gateway, you can integrate both it and Data Loss Prevention with SPC. Doing so would enable you to sign on once for both products (single sign-on) and monitor and manage both product configurations from the same SPC interface.

In addition, you can also integrate non-Symantec security-related products with SPC. Refer to the SPC documentation for this type of use.

Note: Integrating your Enforce Server with SPC does not affect the operation of Symantec Data Loss Prevention. You can still access and use Data Loss Prevention from the standalone instance of the Enforce Server administration console if you so choose.
 

Considerations and requirements for integrating the Enforce Server with SPC :

Before integrating the Enforce Server with SPC, keep in mind the following considerations:

i] Symantec Data Loss Prevention version 11.1 integration with SPC is only at the interface level. There is no reporting integration for Symantec Data Loss Prevention through SPC.

ii] Integration with SPC is not compatible with the certificate authentication installation mode of Symantec Data Loss Prevention.

If you have already installed or enabled Symantec Data Loss Prevention for certificate authentication mode, and you want to integrate the Enforce  Server with SPC:

             a] Disable certificate authentication mode for the Enforce Server.

             b] Integrate the Enforce Server with SPC.

             c] Renew certificate authentication mode for the Enforce Server.

iii] The ability to integrate the Enforce Server with SPC is enabled by default.

You can disable this feature by changing the SPC authentication setting in the file \Protect\configManager.properties.

Before integrating the Enforce Server with SPC, adhere to the following requirements:

i] Synchronize the system clocks to within the same minute for both the SPC appliance host and any Enforce Server host you want to integrate with SPC.

ii] Make sure you can ping the SPC host from the host where the Enforce Server is installed, and vice versa.

iii] Create a dedicated Data Loss Prevention role and user that is granted the "Symantec Protection Center Registration" privilege.

This privilege allows a user to instruct the Enforce Server to trust a certificate. This is a significant privilege and is only necessary for registering and unregistering the Enforce Server with SPC. It is recommended that you revoke this privilege after you complete the registration of the Enforce Server with SPC. At the least, you should limit the number of users who are added to this dedicated role and granted this privilege. Note that the "Symantec Protection Center Registration" privilege by itself does not allow a user to log on to the Enforce Server.

iv] To give Data Loss Prevention users access to the Enforce Server through SPC, you must map the Data Loss Prevention users to SPC.

To simplify user access, it is recommended that you create a user in SPC with the same name and password as the corresponding user account in the Enforce Server.

The following steps assume that you have already installed Symantec Protection Center (SPC). If you do not have an instance of SPC installed, refer to the Symantec Protection Center Getting Started Guide that is available here http://www.symantec.com/business/protection-center to obtain and install SPC.

There are two methods for integrating the Enforce Server with SPC:

1] Adding a single known Enforce Server instance to SPC.

2] Discovering and registering one or more Enforce Server instances with SPC.

Method 1: Adding a single known Enforce Server instance to SPC

 

Complete the following steps to integrate a single known Enforce Server instance with SPC.

Procedure Step 1: Create a dedicated Data Loss Prevention role and user with the SPC privilege.

To add or register the Enforce Server administration console with SPC, you must first grant the SPC Registration privilege to a Data Loss Prevention role and assign a user to that role. It is recommended that you create a dedicated role and user for the specific purpose of integrating the Enforce Server with SPC.

To create a dedicated role for integrating the Enforce Server with SPC:

a] Log on to the Enforce Server administration console as a user with User Administration privileges.

b] Create a new role.

c] To this role grant the Symantec Protection Center Registration privilege.

d] There is no need to grant this role any other privileges.

e] Create a new user account.

f] Add the new user to the newly created role.

Note: The Symantec Protection Center Registration privilege does not allow a user to log on to the Enforce Server.
 

Procedure Step 2 : Add and enable the Symantec Data Loss Prevention product in SPC.

To add the Data Loss Prevention product to SPC:

i] Log on to the SPC appliance as a user with SPC administrator credentials.

ii] Select the Admin tab.

iii] Click Add Product.

iv] At the Add and Enable Product Instance screen enter the following information:

a] Product

Select Symantec Data Loss Prevention from the drop-down menu.

b] Host name or IP address

Enter the host name or IP address of the system where the Enforce Server administration console is installed.

c] Product user name

Enter the name of the user you created in Step 1 who is granted the "Symantec Protection Center Registration" privilege.

d] Password

Enter the password for this user.

e] Click Enable.

The system indicates successful enablement.

f] Click Finish.

Procedure Step 3 : Verify that Symantec Data Loss Prevention was added to SPC and enabled.

To verify that Data Loss Prevention was added to SPC:

i] In the SPC console, navigate to the Admin > Supported Products screen.

ii] In the Enabled Supported Products tab, verify that you see that Symantec Data Loss Prevention 11.1.0.0 is listed and the host name or IP address of the Enforce Server host that you have added.

Procedure Step 4 : Provide SPC user access to Symantec Data Loss Prevention.

Once the Enforce Server is integrated with SPC, you need to map each Data Loss Prevention user to SPC so that each user can access the Enforce Server administration console by SPC.

To provide Data Loss Prevention users with access to the Enforce Server through SPC:

i] In the SPC console, select Admin > User Management.

ii] Click New to add a new user.

iii] Select the option Locally Authenticated Account.

Note: Refer to the SPC documentation for details on creating multiple user accounts by LDAP synchronization.
 

iv] Enter the User name and Password, and, optionally, the user's actual name and email address.

v] Click Next.

vi] Click Next at the "Protection Center Permissions" screen.

These permissions are specific to SPC. Since you are mapping Data Loss Prevention users, there is no need to give these users SPC privileges.

vii] Click Next at the "Grant Organizational Access Rights" screen.

viii] At the "Link to Integrated Products" screen:

a] Integrated Product

Select the Enforce Server instance that you added.

b] Linked User Name

Enter the name of the Data Loss Prevention user to whom you want to grant SPC access.

c] Click Add to add the new user and mapping.

d] Click Save.

The system confirms the privileges granted.

ix] Click Finish.

Note: The SPC user account can be mapped with either an Enforce user or an Enforce Role\Enforce user combination. In the user-only method, when the user logs on to Enforce using SPC, the default role is used. In the case of the role\user method, the user logs on to Enforce in the specified role and cannot change his or her role. When performing the mapping, you can use the following syntax while entering the Enforce user name to lock the user into a specified role: <enforce role>\<enforce user>, for example: remediator\bob.

Procedure Step 5 : Verify Enforce Server integration with SPC.    

To verify successful integration:

  • Log out of SPC.

  • Log back into SPC as the user you created in Step 4.

  • At the SPC Home screen, select the target icon in the upper left of the interface.

  • Select the Symantec Data Loss Prevention option.

  • Select the host name or IP address of the Enforce Server instance you added.

    The Data Loss Prevention system should appear with you logged in as the user you created and mapped.

Procedure Step 6 : Troubleshoot any connection issues.

To debug connection issues:

i] If your browser cannot connect to the Enforce Server from SPC, make sure that you have loaded the Enforce Server certificate in the browser. You can do this by accessing the Enforce Server administration console standalone outside of SPC.

ii] The Data Loss Prevention users you map to from within SPC must have appropriate privileges to access Enforce Server resources, build policies, and so forth. If you can log on to the Enforce Server from SPC but cannot do anything inside the administration console, update the Data Loss Prevention user privileges.

iii] If the registration fails and you receive the error "A time synchronization error has been detected," make sure that the system clocks on both the SPC host and the Enforce Server host are in sync to the minute.

iv] If you have integrated more than one Enforce Server instance, from within SPC click the arrow beneath the Symantec Data Loss Prevention product heading and then select the Enforce Server instance that you want to access.

Procedure Step 7 : Revoke the SPC Registration privilege.

Once you have successfully integrated your Enforce Server instance with SPC, it is recommended that you disable the user account that you assigned to the "Symantec Protection Center Registration" role for SPC integration (Step 1). Once integration is complete, there is no need for a user to have this privilege. If you need to redo the integration or unregister the Symantec Data Loss Prevention product from SPC, you can re-enable the user account assigned to the SPC role.

Please refer to the section "Unregister the Enforce Server from SPC" below.

Method 2: Discovering and registering one or more Enforce Server instances with SPC

Complete the following steps to discover and register one or more Enforce Server instances for integration with SPC, and to troubleshoot any integration issues you may encounter.

Procedure Step 1 : Grant the SPC Registration privilege to a Data Loss Prevention role and user.
 

Refer to Step 1 in Table: Add a single known Enforce Server instance to SPC.

Procedure Step 2 : Discover one or more Enforce Server instances.

To discover an Enforce Server instance:

i] Log on to the SPC appliance with administrator credentials.

ii] Select Admin > Settings > Product Discovery from the SPC console interface.

iii] Enter the IP address of the Enforce Server host in the Discovery IP Selection field.

To integrate more than one Enforce Server instance with SPC, enter a comma-separated list of IP addresses.

iv] Select (check) Symantec DLP 11.1.0.0.

v] Click Discover Products.

A message appears beneath the Discover Products button that indicates that the Enforce Server host was successfully discovered.

Procedure Step 3 : Register one or more Enforce Server instances with SPC.

 

To register a discovered Enforce Server instance:

i] In the SPC console, select Admin > Product Registration.

ii] Select the tab Available Supported Products.

iii] For the Host name, select the IP address for the Enforce Server host.

iv] Enter the User name and Password of the Data Loss Prevention user who has been granted the "Symantec Protection Center Registration" role privilege (from Step 1).

v] Click Enable.

On the right side of the console you should see a message indicating that the Enforce Server instance was successfully registered: "Supported product was successfully enabled!"

Procedure Step 4 : Verify that one or more Enforce Server instances were registered with SPC.

Refer to Step 3 in Table: Add a single known Enforce Server instance to SPC.

Procedure Step 5 : Provide user access to Symantec Data Loss Prevention from SPC.

Refer to Step 4 in Table: Add a single known Enforce Server instance to SPC.

Procedure Step 6 : Verify Symantec Data Loss Prevention integration with SPC.

Refer to Step 5 in Table: Add a single known Enforce Server instance to SPC.

Procedure Step 7 : Troubleshoot any connection issues.

 Refer to Step 6 in Table: Add a single known Enforce Server instance to SPC.

Procedure Step 8 : Revoke the SPC Registration privilege.

Refer to Step 7 in Table: Add a single known Enforce Server instance to SPC.

Unregister the Enforce Server from SPC

The following steps provide instructions for unregistering an Enforce Server instance from SPC.

Procedure Step 1 : Log on to SPC as an administrator.

Log on to the SPC appliance as a user with SPC administrator credentials.

Procedure Step 2 : Unregister the Enforce Server instance from SPC.

To unregister an Enforce Server instance from SPC:

i] Select Admin > Supported Products.

ii] In the Enabled Supported Products tab, select the Enforce Server instance you want to unregister.

iii] Select Disable Product at the top left of the screen.

This option is listed beneath the Supported Products heading.

iv] Enter the user name and password of the Data Loss Prevention user who is granted the Symantec Protection Center Registration privilege.

v] Click Disable.

The system displays a message indicating whether the unregistration completed successfully.

Knowledgebase Articles for Symantec Protection Engine (SPE)


spe1.png

The following document is an introduction to Symantec Protection Engine for NAS (SPE for NAS) and Symantec Protection Engine for Cloud Services. The most current version of this product available is 7.0.2.4. Documents presented in this article are split into several categories to allow fast browsing and searching for interesting topics. Both official Symantec KB resources and Symantec Connect resources are included.

The official webpages for both products can be accessed under the following links:
Symantec Protection Engine for Cloud Services
http://www.symantec.com/protection-engine-for-cloud-services
Symantec Protection Engine for Network Attached Storage
http://www.symantec.com/protection-engine-network-attached-storage

In the download section of this article I have placed datasheets for both SPE for NAS and SPE for Cloud Services. Besides these two documents you will also find .pdf versions of the configuration guides for SPE for NAS on the following NAS platforms: NetApp, IBM, EMC and Hitachi.

spe2.png

Symantec Protection Engine for Cloud Services 7.0

...is a flexible and feature-rich client/server application that allows customers to incorporate malware and threat detection technologies into almost any application. Protection Engine includes Symantec's proprietary, patented URL categorization technology and industry-leading malware protection for fast, scalable, and reliable content scanning services, helping organizations protect their data and storage systems against the ever-growing malware threat landscape. (source: SPE for Cloud Services Datasheet)

 

Symantec Protection Engine for Network Attached Storage 7.0

...provides scalable, high-performance threat detection services to protect valuable data stored on network attached storage (NAS) devices. This solution provides increased scanning performance and improved detection capabilities for protection against multi-blended threats. (source: SPE for NAS Datasheet)

 

Symantec Protection Engine system requirements:

Supported Operating Systems
32-bit OS

    Windows® 2008 (English and Japanese)
    Windows Server® 2003 R2 (English and Japanese)
    Windows® 2003 (English and Japanese)
    Red Hat® Enterprise Linux 5.x
    Red Hat® Enterprise Linux 6.x
    SUSE® Linux Enterprise Server 11

64-bit OS

    Windows® 2012 (English and Japanese)
    Windows® 2008 (English and Japanese)
    Windows® 2008 R2 (English and Japanese)
    Windows Server® 2003 R2 (English and Japanese)
    Windows® 2003 (English and Japanese)
    Solaris (SPARC) 10 and 11
    Red Hat® Enterprise Linux 6.x
    Red Hat® Enterprise Linux 5.x
    SUSE® Linux Enterprise Server 11

All the supported operating systems (Windows and Linux) are supported under:

    VMware® vSphere Hypervisor™ v4.1 or later

Supported Browsers

    Mozilla Firefox® 10 or later
    Microsoft® Internet Explorer® 8 (SP1) or later

Important notes about the product:

  • Symantec Protection Engine supports the following authentication modes:
  1. Symantec Protection Engine-based authentication
  2. Windows Active Directory-based authentication
  • Symantec Protection Engine 7.0 supports JRE 7.0
  • Since version 7.0, SPE also supports Windows Server 2012
  • Symantec Protection Engine for NAS uses the following protocols to interface with NAS devices:
  1. SPE native protocol
  2. ICAP
  3. RPC
  • Symantec Protection Engine definitions can be updated from an internal Symantec LiveUpdate Administrator server
  • SPE events can be integrated with System Center Operations Manager (SCOM).
  • The SPE console can be accessed in a web browser at the following address: https://<servername>:8004
  • Migration to SPE version 7.0 is only supported from Scan Engine version 5.1 or higher. Upgrading from earlier versions is unsupported.
  • Symantec Protection Engine uses the following methods to detect risks:
  1. Definition-based detection for threat components such as viruses, worms and trojans
  2. Bloodhound heuristics technology, which scans for unusual behaviour where no known definitions exist yet
  3. Container file decomposer, which extracts container files so that their contents can be scanned for risks
  • Partner devices certified with Symantec Protection Engine for NAS include:
  1. IBM SONAS
  2. IBM Storwize v7000 Unified Systems
  3. EMC Isilon OneFS
  4. NetApp Data ONTAP
  5. Hitachi File OS
  6. Hitachi HNAS
  • SPE definitions can be downloaded as a self-executing Intelligent Updater package from the following link:

http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=pe

SYMANTEC KB ARTICLES

BEST PRACTICES:

Sizing Guide for Symantec Protection Engine for Network Attached Storage (SPE for NAS)
http://www.symantec.com/docs/TECH196906
Best Practices: Installing Scan Engine 5.2.x or Symantec Protection Engine 7.0.x on Red Hat Enterprise Linux 5.x
http://www.symantec.com/docs/HOWTO35969
Best Practices for initial installation and testing of Symantec Scan Engine 5.x and Protection Engine 7.x in a CAVA 3.6.x environment
http://www.symantec.com/docs/TECH89267
Best practices for file type exclusions on Symantec Protection for Network Attached Storage
http://www.symantec.com/docs/TECH96713
How to configure SAV for NAS 5.x for use with NetApp Filer
http://www.symantec.com/docs/TECH89560

GENERAL:

What's new in Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79586
Support Matrix for Partner Devices Certified with Symantec Protection Engine (SPE) for Network Attached Storage (NAS) 7.0.x
http://www.symantec.com/docs/HOWTO83461
Release notes for Symantec Protection Engine for Network Attached Storage 7.0
http://www.symantec.com/docs/TECH196149
Release notes for Symantec Protection Engine for Cloud Services 7.0
http://www.symantec.com/docs/TECH196148
About threat categorization and risk ratings
http://www.symantec.com/docs/HOWTO79817
About authentication modes in Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79822
How Symantec Protection Engine detects risks
http://www.symantec.com/docs/HOWTO79651
TCP/UDP ports used for communication between Symantec Protection Engine (SPE) and NetApp Filer (Data ONTAP)
http://www.symantec.com/docs/TECH214539
Available RuleSpace Categories for Symantec Scan Engine 5.2.10 and later and Symantec Protection Engine 7.0.x
http://www.symantec.com/docs/TECH213808

INSTALLATION:

Before you install Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79593
Symantec Protection Engine post-installation tasks
http://www.symantec.com/docs/HOWTO79616
About installing Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79612
Installing Symantec Protection Engine on Windows
http://www.symantec.com/docs/HOWTO79613
About implementing a silent installation for Windows
http://www.symantec.com/docs/HOWTO79722
Installing Symantec Protection Engine on Linux
http://www.symantec.com/docs/HOWTO79614
Installing Symantec Protection Engine on Solaris
http://www.symantec.com/docs/HOWTO79615
Migrating to version 7.0
http://www.symantec.com/docs/HOWTO79627

CONFIGURATION:

Managing user accounts
http://www.symantec.com/docs/HOWTO79771
Accessing the Symantec Protection Engine console
http://www.symantec.com/docs/HOWTO79619
Changing the console settings
http://www.symantec.com/docs/HOWTO79777
Edit the Symantec Protection Engine configuration files
http://www.symantec.com/docs/HOWTO79738
Notifying a file server when definitions are updated
http://www.symantec.com/docs/HOWTO79647

About container files in Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79657
Configuring Symantec Protection Engine to handle partial container files
http://www.symantec.com/docs/HOWTO79793
Configuring Symantec Protection Engine to handle encrypted container files
http://www.symantec.com/docs/HOWTO79791
Configuring Symantec Protection Engine to handle malformed container files
http://www.symantec.com/docs/HOWTO79792

About configuration options
http://www.symantec.com/docs/HOWTO79742
Enabling threat detection in Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79652
Enabling non-viral threat detection in Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79655
Change authentication mode settings for accessing Symantec Protection Engine console
http://www.symantec.com/docs/HOWTO79802
Importing keys from a third-party certificate
http://www.symantec.com/docs/HOWTO79623
Configuring file name filtering in Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79658

Verifying, stopping, and restarting the Symantec Protection Engine daemon on Linux and Solaris
http://www.symantec.com/docs/HOWTO79617
Verifying, stopping, and restarting the Symantec Protection Engine service on Windows
http://www.symantec.com/docs/HOWTO79626

COMMAND-LINE SCANNING:

About the Symantec Protection Engine command-line scanner
http://www.symantec.com/docs/HOWTO79603
Setting up a computer to submit files to Symantec Protection Engine for scanning
http://www.symantec.com/docs/HOWTO79725
Java-based command-line scanner syntax and usage
http://www.symantec.com/docs/HOWTO79783
Supported command-line options for Java-based command-line scanner
http://www.symantec.com/docs/HOWTO79784
C-based command-line scanner syntax and usage
http://www.symantec.com/docs/HOWTO79726
Supported command-line options for C-based command-line scanner
http://www.symantec.com/docs/HOWTO79727

PERFORMANCE:

Obtaining Performance Monitor statistics from Protection Engine
http://www.symantec.com/docs/TECH214136
Improving network performance: Scan Engine 5.2.x and Protection Engine 7.x for NAS and RPC Filers
http://www.symantec.com/docs/TECH96735
Ways to improve Symantec Protection Engine performance
http://www.symantec.com/docs/HOWTO79764
Deployment considerations and recommendations
http://www.symantec.com/docs/HOWTO79765
Enhance performance by limiting scanning
http://www.symantec.com/docs/HOWTO79767
Configuration settings that can conserve and enhance performance
http://www.symantec.com/docs/HOWTO79766
Allocating resources for Symantec Protection Engine
http://www.symantec.com/docs/HOWTO79625

Specifying the maximum file or message size to scan
http://www.symantec.com/docs/HOWTO79768
Setting container file limits
http://www.symantec.com/docs/HOWTO79770
Specifying which files to scan
http://www.symantec.com/docs/HOWTO79769

LOGGING:

Logging levels and events
http://www.symantec.com/docs/HOWTO79681
Logging destinations
http://www.symantec.com/docs/HOWTO79680
Configuring Symantec Protection Engine to log events to SSIM
http://www.symantec.com/docs/HOWTO79696

SYMANTEC TECHNICAL SOLUTIONS FOR SPE 7.0:

Symantec Scan Engine or Symantec Protection Engine do not receive scan requests from EMC storage using Event Enabler (ex CAVA agent) 64bit version
http://www.symantec.com/docs/TECH170861
Issues setting the correct Quarantine Port in Symantec Protection Engine 7.x to work with Symantec Central Quarantine Server
http://www.symantec.com/docs/TECH209232
Access to PDF files is blocked because the files are incorrectly decomposed to contain a zero-byte JavaScript file
http://www.symantec.com/docs/TECH210613
Decomposer ID 27 While scanning files with paths lengths over 260 characters on a Celerra Filer.
http://www.symantec.com/docs/TECH211020
Symantec Protection Engine service will not start after installation on Solaris 11
http://www.symantec.com/docs/TECH211908
Java LiveUpdate fails with Return code = 232 after upgrading to Symantec Protection Engine 7.x from Scan Engine 5.2.7 or earlier
http://www.symantec.com/docs/TECH211921
Symantec Scan Engine (SSE) / Protection Engine (SPE) does not start anymore on your Linux / Solaris server and the ScanEngineAbortLog.txt reports "400 CSAPI failed to initialize"
http://www.symantec.com/docs/TECH212465
Symantec Scan Engine (SSE) 5.2.x, Symantec Protection Engine (SPE) 7.0.x won't start if Java Runtime Environment (JRE) is updated AFTER the SSE/SPE installation
http://www.symantec.com/docs/TECH212732
Symantec Scan Engine (SSE) and Symantec Protection Engine (SPE) Web console page shows a Java security warning which suggests blocking SSE/SPE applets with a future version of Java
http://www.symantec.com/docs/TECH213129
Virus file is shown in quarantine page although Symantec Protection for SharePoint (SPSS) failed to quarantine the file as it is locked by workflow process.
http://www.symantec.com/docs/TECH213736
After upgrading to Java 7 Update 51 you are no longer able to launch the Scan Engine / Protection Engine Console
http://www.symantec.com/docs/TECH214308

SYMANTEC CONNECT RESOURCES:

Introduction to Symantec Protection Engine for Network Attached Storage
https://www-secure.symantec.com/connect/articles/introduction-symantec-protection-engine-network-attached-storage
Installation of the Symantec Protection Engine - Graphical Steps
https://www-secure.symantec.com/connect/articles/installation-symantec-protection-engine-graphical-steps

SCAN ENGINE VERSION 5 REFERENCES:

Scan Engine Product Documentation
http://www.symantec.com/docs/DOC2277
Best Practices for implementing Symantec AntiVirus for Network Attached Storage with a NetApp Filer
http://www.symantec.com/docs/TECH132123
Best Practice for Symantec AntiVirus for Network Attached Storage 5.x with EMC Celerra Filer
http://www.symantec.com/docs/TECH132270
Best practices for using software firewalls on Scan Engine hosts in RPC/Netapp environments
http://www.symantec.com/docs/TECH146058
XPath location of Symantec Scan Engine parameters in the Scan Engine xml configuration files
http://www.symantec.com/docs/TECH161296
Recommending client-side exclusions for large files when using Symantec AntiVirus (SAV) for Network Attached Storage (NAS)
http://www.symantec.com/docs/TECH159835
Excluding large files from scanning to improve scan and network performance in Scan Engine 5.2.5 and later
http://www.symantec.com/docs/TECH170128

Best Practices for Sizing and Scalability of Symantec Endpoint Protection 12.1

Symantec Endpoint Protection provides the best endpoint security for enterprises of all sizes. This white paper describes best practices for correctly sizing and deploying a Symantec Endpoint Protection environment in order to achieve optimal protection and usability.