PCG20090506 - Software Downloads

University of Texas at Arlington
Personal Configuration Guide for Symantec Endpoint Protection
(Draft 0)
20090506
University of Texas at Arlington
Office of Information Technology
Information Security Office
Personal Configuration Guide for Symantec Endpoint Protection
This guide is provided by the Office of Information Technology (OIT), Information Security Office
as a basic and introductory guide for configuring the Symantec Endpoint Protection (SEP)
software on personal devices.
This guide is intended for use by UT Arlington Students, Staff, and Faculty on their personally
owned computers.
UT Arlington provides active students, faculty and staff one free copy of the SEP software for
installation and use on their personally owned computer to help prevent and mitigate cross
contamination of information and computing resources.
The SEP client for personal use is preconfigured with the recommended default settings as
specified by Symantec. However, these settings may not provide optimal security protection for
all users. Each individual is encouraged to familiarize themselves with the settings and options
for any software package in use on their personally owned computer. For example, by default
Symantec will detect spyware but will not remove or quarantine said spyware. This guide will
show the user where to configure this setting and many more.
This guide does not provide a comprehensive summary of the settings and capabilities within
SEP. The user is encouraged to read the official Symantec user’s guide for the software.
UT Arlington - Windows XP Operating System Security Guide
Contents
Section 1 - What is SEP
1.1 - Symantec Endpoint Protection
1.2 - SEP Client
Section 2 - Getting the Software
2.1 - On-Line
2.2 - BlazeWare
2.3 - Report Piracy
Section 3 - Installation
3.1 - Installation
3.2 - First Time Installation
3.3 - Update Installation
Section 4 - The SEP GUI
4.1 - GUI
Section 5 - Client Configuration
5.1 - Default Configuration
5.2 - Scheduled Scan
5.3 - Antivirus Spyware Configuration
5.4 - Proactive Threat Configuration
5.5 - Other Settings
Section 6 - Links and References
1 - What is SEP
------------------------------------------------------------------------------------------------
1.1 - Symantec Endpoint Protection
SEP is the evolutionary replacement to Symantec Antivirus (SAV). SEP is a bundled software
suite that includes antivirus, antispyware, firewall, intrusion prevention, and proprietary malware
detection features. SEP is currently available for the Windows family of operating systems.
Individuals with Linux and/or Mac must continue to use the appropriate versions of SAV for their
computer.
The SEP suite is modular in fashion and most features can be enabled and/or disabled
independently to allow for a multitude of configuration options.
The separate components within SEP include:
‘Antivirus and Spyware Protection’
    Antivirus
    Spyware
    Email
‘Proactive Threat Protection’
    Heuristics
    Anti-Keylogger
‘Network Threat Protection’
    Firewall
    Intrusion Prevention (IPS)
    Application Detection and Control
------------------------------------------------------------------------------------------------
1.2 - SEP Client
The SEP client is the end-user application that is installed on the local computing device that is to
be protected. The SEP client has active and passive operations with the active operation being
enabled by default. Passive operations can be scheduled to occur at regular intervals or can be
left to the user to perform manually.
System performance in SEP has been reported to be greatly improved over that of SAV. SEP
has a reported memory utilization of 24MB, down 62% from SAV, which had a memory utilization
of 62MB. SEP also reports a smaller physical footprint on the hard drive as compared to SAV.
During normal operations on a clean computer the user will not see obvious activity on the part of
the SEP software. This can be changed so that the user receives more or less event notifications
about various actions performed by the software.
The SEP client is fairly intuitive and beginner users should find the Graphical User Interface (GUI)
easy to navigate and use.
------------------------------------------------------------------------------------------------
2 - Getting the Software
------------------------------------------------------------------------------------------------
2.1 - On-Line
OIT will maintain a password protected web site with the most current software version available
for personal use. The web site can be found at www.uta.edu/antivirus.
Once you have opened the web site in a browser, navigate to the option for the Personal / Home
version and follow the link to the file download. You will be prompted for your UTA NetID and
password. Lastly, save the file to a location of your choosing.
Individuals that are active students, faculty, or staff of UT Arlington are permitted one copy of
SEP for use on their personally owned computer.
------------------------------------------------------------------------------------------------
2.2 - BlazeWare
OIT provides the campus with a software and documentation distribution CD named ‘BlazeWare’.
BlazeWare can be obtained at the UT Arlington Computer Store in Ransom Hall for the ultra low
cost of $5.
* The fee charged is for the physical media and printing services, all software on the BlazeWare
CD is free to active UT Arlington students, faculty and staff.
BlazeWare can also be obtained at various campus and security events throughout the year,
such as student orientation and the student activities fair.
------------------------------------------------------------------------------------------------
2.3 - Report Piracy
SEP, BlazeWare and other software covered by UT Arlington software agreements should never
be purchased from anyone on-line or in person.
If you know of any UT Arlington branded software being sold by an entity other than the UT
Arlington Computer Store at Ransom Hall, or any UT Arlington branded software being distributed
to individuals that are not active UT Arlington students, faculty or staff, please report the activity to
the Information Security Office, security@uta.edu.
------------------------------------------------------------------------------------------------
3 - Installation
------------------------------------------------------------------------------------------------
3.1 - Installation
Before installing SEP on your computer it is recommended that you fully uninstall and delete any
pre-existing antivirus and/or host based security products that may be on your computer.
If you are currently using a security software package from Symantec’s ‘Norton’ product line it is
recommended that this also be removed prior to installing SEP.
** SEP will work with passive anti-spyware programs such as LavaSoft Ad-Aware or Safer Networking
Spybot Search and Destroy. However, SEP will have conflicts with active antivirus and firewall
programs like McAfee Antivirus, TrendMicro Internet Security, and avast! Antivirus, to name a few.
After removing any conflicting antivirus and/or host based security products your computer should
be rebooted.
Installation of the SEP software is a typical Windows installation: double click and follow the
prompts.
For our demonstration we will assume you are installing SEP from the latest version of the
BlazeWare CD. The exact file name may vary.
If you have downloaded the software file to your desktop you should see an icon as in figure 00.
Figure 00
Or if you prefer to install directly from the BlazeWare CD you should see a Windows Explorer
window as in figure 01.
Figure 01
------------------------------------------------------------------------------------------------
3.2 - First Time Installation
If you are installing SEP for the first time ever it is recommended that you remove any
pre-existing antivirus and/or host based security products that may be on your computer.
Double click on the software file icon to initiate the installation.
You will briefly see a ‘Preparing to install’ message.
Figure 02
Followed by a ‘Welcome’ message.
Select ‘Next’
Figure 03
You will be prompted with the Symantec End Users License Agreement (EULA).
Select your acceptance choice
Select ‘Next’
Figure 04
You will be prompted to install the software
Select ‘Install’
Figure 05
You will see a status screen with various messages throughout the install process.
Figure 06
Once the installation has completed you will be prompted with the finish prompt.
Select ‘Finish’.
Figure 07
Immediately following the software installation SEP will initiate a LiveUpdate of the software.
During this process your computer will attempt to contact the servers at Symantec.com to
download the latest virus and content definitions.
Figure 08
Finally you will be prompted to reboot your computer.
The antivirus components of SEP will begin protecting your computer before it is rebooted;
however, the network components like the firewall and IPS will not take effect until after a reboot.
Figure 09
Once you have completely installed SEP and logged back into your computer following the reboot
you will see a new icon in the lower right corner of your task bar.
SEP will also add itself to the Windows Start menu.
Figure 10
------------------------------------------------------------------------------------------------
3.3 - Update Installation
If you have installed a previous version of SEP on your computer and you are re-installing or
upgrading to the newest version you can install over top of the old version of SEP.
Double click on the software file icon to initiate the installation.
You will briefly see a ‘Preparing to install’ message.
Figure 11
At the ‘Welcome’ message select ‘Next’
Figure 12
You will be prompted for the type of software install.
Most users will select ‘Modify’ to upgrade the older version of SEP.
Figure 13
You will be prompted to select the components for installation.
By default your installation should have all components enabled with the exception of Outlook
and Lotus Notes protection.
Figure 14
Select ‘Next’
Figure 15
You will be prompted to install the software
Select ‘Install’
Figure 16
You will see a status screen with various messages throughout the install process.
Figure 17
Once the installation has completed you will be prompted with the finish prompt.
Select ‘Finish’.
Figure 18
Immediately following the software installation SEP will initiate a LiveUpdate of the software.
During this process your computer will attempt to contact the servers at Symantec.com to
download the latest virus and content definitions.
Figure 19
Finally you will be prompted to reboot your computer.
The antivirus components of SEP will begin protecting your computer before it is rebooted;
however, the network components like the firewall and IPS will not take effect until after a reboot.
Figure 20
------------------------------------------------------------------------------------------------
4 - The SEP GUI
------------------------------------------------------------------------------------------------
4.1 - GUI
You can open the SEP GUI by double clicking on the gold shield on the system task bar or by
using the Start menu option (Start → Programs → Symantec Endpoint Protection → Symantec
Endpoint Protection).
Figure 21
The main view of the SEP GUI is your typical dashboard style interface with green, yellow, and
red color indicators. As you can see in figure 22 our SEP client is all green and therefore a happy
fully updated client.
Figure 22
To explore the GUI you can use the menu options on the left frame which are static and remain
the same on each view of the GUI. Optionally you can choose the individual ‘Options’ buttons on
the right side of each of the three major components.
In the event you need assistance with your SEP software the first thing you will need to know is
how to find the version number.
To do this...
Select the yellow ‘Help and Support’ button in the upper right of the main window.
Figure 23
Then select ‘About…’
The version number will be immediately under the software name. In our example we have
version 11.0.4.4014.26
Figure 24
------------------------------------------------------------------------------------------------
5 - Client Configuration
------------------------------------------------------------------------------------------------
5.1 - Default Configuration
SEP will install with the recommended default settings as specified by Symantec. However,
these settings may not provide optimal security protection for all users. Each individual is
encouraged to familiarize themselves with the settings and options for any software package in
use on their personally owned computer. For example, by default Symantec will detect spyware
but will not remove or quarantine said spyware.
Let’s modify the client and tighten up some of the settings to provide your computer better
protection against becoming infected.
------------------------------------------------------------------------------------------------
5.2 - Scheduled Scan
By default SEP only attempts to scan files as you use them via the Auto-Protect feature. While
this is fine for files that you get today, it is not so good for all the files that are already on your
computer.
To create a scheduled scan, select ‘Scan for threats’, the second option on the left-hand frame of
the GUI. Then select ‘Create a New Scan’.
Figure 25
It is recommended that the system perform an Active Scan once a day and a Full Scan once a
week as a minimum.
SEP is configurable to run an Active Scan at the time the computer is booted up, as seen in
Figure 25. **Note: this scan is present but disabled by default. This, however, may add time to the
boot process of your computer, depending on how many other applications are also running at
startup. You can optionally configure SEP to run an Active Scan each time that new definitions
are downloaded. **This is a default action. With the system performing an Active Scan with each
new definition set, we can simply add a Weekly Full Scan.
The Active Scan only looks at certain locations on the hard drive; it is sometimes referred to as a
quick scan. A Full Scan looks at the entire hard drive; although it is more complete, it will take
longer to run. With this in mind, you will want to choose a time for your Weekly Full Scan when your
computer will be powered up but you are not actively using it. For example, if you are
the active socialite, something like Friday night at 8 PM while you are going out to eat. Or, if you
are a gamer, something like 6 AM Saturday morning while you are still asleep after the Friday
night tournament.
Select ‘Full Scan’ and ‘Next’
Figure 26
On the following screen we can delve into ‘Actions’ and define whether SEP logs, quarantines, or
removes various types of detected risks. On the ‘Notifications’ menu we can define how much we
want SEP to talk to us. Do we want SEP to perform its functions silently, or do we want to see a
message every step along the way? With the ‘Advanced’ and ‘Centralized Exceptions’ options we can
further control how SEP behaves and remove specific files or folders from a scan.
First select Actions
Figure 27
Recommended Settings
Macro virus – First Action: Clean risk / If first action fails: Quarantine risk.
Non-macro virus – First Action: Clean risk / If first action fails: Delete risk.
Security Risks – First Action: Delete risk / If first action fails: Quarantine risk.
Select ‘OK’
Figure 28
Now let’s enable notifications so that we get a warning if a virus is detected.
Select ‘Notifications’
Then select all three options
‘Display a notification message when a security risk is detected:’
‘Terminate processes automatically’
‘Stop services automatically’
Select ‘OK’ and ‘Next’
Figure 29
Next we will select the time for the scan
Select ‘At specified times’ and ‘Next’
Figure 30
In figure 31 we have selected Friday at 10 PM. Enter your preferred time.
Select ‘Next’
Figure 31
Give your scan a name and description.
Select ‘Finish’
Figure 32
Your GUI should now display your newly configured scan
Figure 33
------------------------------------------------------------------------------------------------
5.3 - Antivirus and Spyware Configuration
Within the Antivirus and Spyware Protection configuration most of the default settings will be
sufficient for the average computer. However, we want to tighten up the actions that SEP will take
when it identifies a risk.
Let’s dig in to the configuration and change the default actions. This is very similar to the action
sets you defined in the scheduled scan. The only difference is that there are two specific action
sets that need to be configured: one set for the file system and one set for Email.
From the main GUI interface select ‘Change Settings’ on the left frame.
Select ‘Configure Settings’ to the right of ‘Antivirus and Spyware Protection’.
Figure 34
Select the ‘File System Auto-Protect’ tab
Select ‘Actions’
Figure 35
Recommended Settings
Macro virus – First Action: Clean risk / If first action fails: Quarantine risk.
Non-macro virus – First Action: Clean risk / If first action fails: Delete risk.
Security Risks – First Action: Delete risk / If first action fails: Quarantine risk.
Select ‘OK’
Figure 36
Select the ‘Internet Email Auto-Protect’ tab
Select ‘Actions’
Figure 37
Recommended Settings
Macro virus – First Action: Clean risk / If first action fails: Quarantine risk.
Non-macro virus – First Action: Clean risk / If first action fails: Delete risk.
Security Risks – First Action: Delete risk / If first action fails: Quarantine risk.
Select ‘OK’
Figure 38
------------------------------------------------------------------------------------------------
5.4 - Proactive Threat Configuration
Within the Proactive Threat Protection configuration it is highly recommended that the actions for
identified keyloggers are increased. By default SEP will only log the fact that a keylogger was
found. Since keyloggers can be used to steal data from your system, we want to set this action to
quarantine.
From the main GUI interface select ‘Change Settings’ on the left frame.
Select ‘Configure Settings’ to the right of ‘Proactive Threat Protection’.
Figure 39
In the lower right corner of the window, change the setting for ‘When a commercial keylogger is
detected’ from ‘Log’ to ‘Quarantine’.
Select ‘OK’
Figure 40
------------------------------------------------------------------------------------------------
5.5 - Other Settings
SEP is a powerful software product and has lots of configuration options. Take some time to
explore the interface and the various options. Be careful particularly with the Network Threat
Protection options as some of them can significantly impact the ability of your computer to
communicate with other devices on the network.
If you wish to do more with the SEP firewall make sure you understand how the changes will
affect your system and make sure you know how to remove the changes made in the event
something breaks.
For more information about features and settings of SEP:
Use the built in SEP help. Select the yellow ‘Help and Support’ button in the upper right of the
main window.
Figure 41
Or see the SEP Client User’s Guide available on BlazeWare, client_guide.pdf
------------------------------------------------------------------------------------------------
6 - LINKS AND REFERENCES
------------------------------------------------------------------------------------------------
Links:
UT Arlington Antivirus (Symantec)
- http://www.uta.edu/antivirus
BlazeWare
- http://blog.uta.edu/security/2008/10/20/blazeware-fall-2008/
Symantec Threat Explorer (vendor site)
- http://www.symantec.com/norton/security_response/threatexplorer/index.jsp
Symantec Endpoint Protection (vendor site)
- http://www.symantec.com/business/endpoint-protection
Symantec Endpoint Protection FAQ (vendor site)
- http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071909500548