SEPM - Are built-in Antivirus and Antispyware Policies any good?

Posted on 2009-04-04
Last Modified: 2013-12-09
There are 3 built-in Antivirus and Antispyware Policies in SEPM 11. I find them rather quirky in many respects. Here are my questions about them in general:

1. Is once a week admin scan enough? I am used to doing them daily during lunch hour.
2. Is there a need to scan files inside compressed files -- to 3 levels? I'd rather have no scanning within zipped files.
3. Warn when virus definitions are outdated by 30 days? Is that not too long? How about 3 days?
4. Why should we ask for passwords for mapped drives? Why make scanning so interactive? If a drive is mapped, the logged-on user must have authenticated.
5. Why just log, and not clean, when boot virus is detected?
6. Why is Auto-Protect not set to re-enable itself, after say 5 minutes in the disabled state, by default?
7. What is the Windows Security Center mentioned in the Misc. tab of SEP AV policies?

And two other, but similar, questions about SEPM:
A. Is the "Admin > Client Install package" feature most useful to upgrade and modify installations on computers which are already in a client group in SEPM? (See related question below.) Otherwise, would the Migration and Deployment Wizard be redundant?
B. What is the buzz on the AD sync feature? Our deployment is working OK without it. Is it worth bothering with? Probably it will make the Deployment Wizard unnecessary, right?

Thanks for sharing your knowledge.

Jay
Question by:nkulsh
LVL 15

Accepted Solution

by: xmachine (earned 500 total points)
ID: 24070319
Hi,

SEPM default settings may not meet your requirements and security policy, so you should fine-tune them.

My answers to your questions:

1. Is once a week admin scan enough? I am used to doing them daily during lunch hour.

It depends on many factors:

A) Do you have a lot of virus infections in your network? If yes, you should schedule 2-3 full scans per week.

B) Do you receive many files from untrusted sources (e.g. customers/contractors/etc.)? If yes, you should configure it to run 2-3 scheduled full scans per week.

If none of the above is happening in your environment, then I think the default value is enough.

2. Is there a need to scan files inside compressed files -- to 3 levels? I'd rather have no scanning within zipped files.

It's not recommended to disable this feature. A lot of malware is packed and compressed to evade virus scanning, so there is no good reason to stop this kind of scanning!


3. Warn when virus definitions are outdated by 30 days? Is that not too long? How about 3 days?

Due to the high number of variants which are being generated on a daily basis, you are advised to keep it within the accepted level of risk (e.g. 10 days).

4. Why should we ask for passwords for mapped drives? Why make scanning so interactive? If a drive is mapped, the logged-on user must have authenticated.

Because it may be configured to ask users for a password when they want to access these mapped drives, and SEP is the same: it has to authenticate (user/password login) to access them and scan files.

5. Why just log, and not clean, when boot virus is detected?

You should enable this

6. Why is Auto-Protect not set to re-enable itself, after say 5 minutes in the disabled state, by default?

Again, you need to fine-tune and enable any settings you may see as important.

7. What is the Windows Security Center mentioned in the Misc. tab of SEP AV policies?

Check these links:

http://en.wikipedia.org/wiki/Windows_Security_Center
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wscintro.mspx
http://www.microsoft.com/windows/windows-vista/features/security-center.aspx

A. Is the "Admin > Client Install package" feature most useful to upgrade and modify installations on computers which are already in a client group in SEPM? (See related question below.) Otherwise, would the Migration and Deployment Wizard be redundant?

Yes, that's correct. Client Install package is used when you want to upgrade or modify installation on computers. Migration and Deployment Wizard is used when you want to upgrade legacy clients and push SEP packages for the first time.

B. What is the buzz on the AD sync feature? Our deployment is working OK without it. Is it worth bothering with? Probably it will make the Deployment Wizard unnecessary, right?

AD Sync is used when you want to import OUs and users from AD. SEP supports two operation modes: Computer mode (SEP policies are applied to all users who log on to the computers) and User mode (SEP policies are applied to different users).

Check these KB articles:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e60e56a868d83bde88257378005984f0?OpenDocument

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/764895bfaa16fed6802573630071d2d0?OpenDocument

A Symantec Certified Specialist @ your service
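
The "3 levels" question above is really about how deep a scanner descends into nested archives. The following Python is an added example, not code from this thread, from SEP or from Symantec: it builds a constructed sample archive nested four levels deep, then lists what a scan limited to N levels would and would not reach. The names (`wrap1.zip`, `tool.exe`), the suffix lists and the 10 MB per-member guard are assumptions made for the example; the guard is there because opening nested members without a size limit is how a scanner gets tied up by a decompression bomb.

```python
import io
import zipfile

ARCHIVE_SUFFIXES = (".zip",)
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")
# Guard against decompression bombs: nested members above this size are
# listed but never opened (assumed limit for this example).
MAX_MEMBER_BYTES = 10 * 1024 * 1024


def build_nested_zip(depth, payload_name="tool.exe", payload=b"MZ constructed sample"):
    """Construct a zip wrapped `depth` times around one file (constructed sample).

    The returned archive contains wrap{depth-1}.zip, which contains
    wrap{depth-2}.zip, ..., and the innermost wrap1.zip holds the payload.
    """
    data, name = payload, payload_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"wrap{level + 1}.zip"
    return data


def walk_archive(data, max_depth, depth=1, prefix=""):
    """Return (depth, member_path) for every member reachable within max_depth.

    Depth 1 is the content of the outermost archive. Nested archives are
    opened only while depth < max_depth, so anything at depth max_depth + 1
    or deeper is invisible: that is the blind spot an "N levels" limit creates.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{prefix}/{info.filename}" if prefix else info.filename
            findings.append((depth, member))
            is_archive = info.filename.lower().endswith(ARCHIVE_SUFFIXES)
            if is_archive and depth < max_depth and info.file_size <= MAX_MEMBER_BYTES:
                findings.extend(walk_archive(zf.read(info), max_depth, depth + 1, member))
    return findings


def find_executables(data, max_depth):
    """Executable members a depth-limited scan would actually reach."""
    return [m for _, m in walk_archive(data, max_depth)
            if m.lower().endswith(EXEC_SUFFIXES)]


def unopened_archives(data, max_depth):
    """Archives sitting at the depth limit whose contents were never examined."""
    return [m for d, m in walk_archive(data, max_depth)
            if d == max_depth and m.lower().endswith(ARCHIVE_SUFFIXES)]


if __name__ == "__main__":
    sample = build_nested_zip(4)
    for limit in (3, 4):
        print(f"depth limit {limit}: executables={find_executables(sample, limit)}, "
              f"unopened={unopened_archives(sample, limit)}")
```

With the limit at 3, the executable four levels down is never listed, and `unopened_archives` reports the archive that the scanner stopped at. That second list is the useful output for a defender: an archive left unopened at the depth limit is where a mail gateway rule (block or quarantine archives nested deeper than the scan limit) earns its keep, rather than raising the limit without bound.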
LVL 1

Author Comment

by:nkulsh
ID: 24070375
Dear Xmachine,
Your responses are very good. I thank you sincerely. However, I will let the question remain open for a while, as other experts may offer somewhat different opinions about the first few questions.
About (2), our users sometimes send executables within a zipped file. How can they do this if such files are blocked? By renaming the extensions?
About (4), the mapped drives are there from the logon script and don't ask for a password each time you access them. So will enabling this feature prompt users?
Of course, I am familiar with the Windows Security Center interface. I missed making the connection.
Thanks again.
Jay
LVL 15

Expert Comment

by:xmachine
ID: 24070382
(2) Our users sometimes send executables within a zipped file. How can they do this if such files are blocked? By renaming the extensions?

Can you be more specific? Do you mean sending attachments by e-mail? It depends on your antispam product configuration. Endpoint will scan Outlook/Lotus Notes for malicious attachments and take an action (delete/quarantine).

(4) The mapped drives are there from the logon script and don't ask for a password each time you access them. So will enabling this feature prompt users?

No, it shouldn't

You're welcome :)
LVL 1

Author Comment

by:nkulsh
ID: 24070411
(2) Yes, of course, I meant as email attachments in Outlook. SEP would quarantine those attachments if I enable compressed file scanning. So how can these files be sent -- by renaming extensions?
Jay
LVL 1

Author Comment

by:nkulsh
ID: 24070466
(4) On further investigation, I will have to disagree with you on this. It seems that this setting wants you to specify one password that will be used to access any mapped network drive.
One password for all? I'd rather not enable this. I think the default is blank.
Jay
LVL 15

Expert Comment

by:xmachine
ID: 24070535
(4) From Symantec Knowledge base:

Ask for a password before scanning a mapped network drive:
 Specifies whether or not clients prompt users for a password when the client scans network drives.

The default password is symantec. You can change the password by clicking Change Password and setting the password.
 
LVL 1

Author Closing Comment

by:nkulsh
ID: 31566701
Quite Helpful.