Lafflin (asker):
Does anyone know of a way to make Symantec Endpoint actually stop viruses?

Just curious, I'm rolling out Win 7 to several hundred PCs... all with Endpoint.
Of the first 40, several already have viruses within the first 24 hours.
So I ask, is there a way to make Symantec Endpoint actually stop viruses?
Are there any customizations I can configure to make it effective at all?

Also, while I'm on the subject, I haven't actually seen a way to stop it from scanning GPOs; bonus if anyone can answer me that as well. It really seems like a terrible product after having used it over the years... but I've left everything at almost defaults, perhaps I'm doing something wrong?
Brian:

Were the PCs previously unprotected and therefore already infected? If reusing hardware, were the hard drives erased and overwritten? Otherwise a rootkit will just reinstall a virus on your new operating system.

If you don't like Symantec and can make a change, move to something like AVG or one with a better rep. If you are stuck with it, try adding an anti-virus appliance on your Internet connection and try to manage USB and untrusted devices that can bring in viruses.
Symantec is hopeless. We used to go in to sites that had Corporate Edition that were riddled with viruses and use stinger or sysclean to scan infected computers. As soon as sysclean touched an infected file, Symantec would pop up and say "Oh look! I've found a virus!"
If you are going to stick with Symantec, you have to run a full scan of all files every day. I'd uninstall it and use something else. Even the free ones like AVG or Microsoft Security Essentials are better. And no, I'm not a MS/AVG employee...
Years ago, I spoke with Symantec regarding their antivirus. The way it worked back then, and still sounds like it works, is like this: if the virus, pest, or some other malicious software exists on the hard drive and is dormant (not running, not touched by a mouse-over or by some other application), the file is not a threat and Symantec will not detect it. I had this call with them because, after performing a full system scan, I discovered one particular computer contained literally hundreds of virus bodies.

For corporate environments, I have used CA successfully, where McAfee and Symantec had failed.  CA also offers a PestPatrol which is a secondary product that worked quite well.

For personal use, AVG or Avira; however, Avast is a personal favorite (it doesn't seem to hog system resources).
Lafflin (asker):
My CTO won't go for a new AV. I am looking into the policies to see if I can make them a bit stronger; if I find anything effective I'll be sure to post back.
Ok, when you write that several already had viruses, are these new infections or is Endpoint finding existing infections, either active or on a full system scan? If Endpoint is finding existing infections, it sounds like it is working. If these are new infections, Endpoint must have identified them, as a virus generally does not identify itself.
Lafflin (asker):
Clarification: several PCs were infected within the first 24 hours, not identified by Endpoint. These are newly imaged clean machines. Endpoint never seems to identify any viruses. It just seems entirely ineffective.
Lafflin (asker):
When I say "virus" I'm using it in the general sense to mean "malware"... everything from Alias Alureon to fake Security Essentials to link redirects etc.
Can you restrict your users' download or application install rights? I don't think much tweaking inside of Symantec is going to help. Good luck, tough situation.
Symantec AV lags behind updates, lives along with stealthy viruses for years, its updater outdates and stops updating, it is extremely slow...
It does not scan in safe mode, so it is hopeless against most of today's malware
What version of SEP are you using? Any version prior to RU6 (11.0.6) did not use strong defaults. What features of SEP are you using as well? Anti-Virus/Anti-Spyware alone does not cover today's threat landscape, and will only benefit you after the risk has been saved to the filesystem and/or executed where it already exists on a filesystem.

SEP is most successful when all features are used together. AV/AS, Proactive Threat Protection and Network Threat Protection. PTP covers the 0-day behavior based type risks. NTP provides you with Intrusion Prevention, download protection, application/device control and a firewall. All these components together give your endpoints the best chance at thwarting risks.

Also, an earlier comment was made about if a risk is dormant on the filesystem, SEP would not detect it outside of a full scan. This is true of any auto-protect/real-time anti-virus application. A risk cannot be detected by that feature if it is not executed. This is why it's equally important to perform weekly full scans regardless of the protection application you're using.

So, how can you make SEP run better? Use all of the features for starters. In the AV/AS policy, make sure all primary actions are clean or quarantine, and all secondary actions are quarantine or delete. In the TruScan section of the AV/AS policy, turn the sensitivity up to at least 50% and scan processes at least every 30 minutes, and check to scan new processes immediately.

You'll also want to add an Intrusion Prevention policy that blocks attackers automatically. While I also recommend a firewall policy, you don't have to use one right away if you're not already doing so. There's more involved with using a FW policy and you can wait until you're more comfortable with the product before jumping to it. But at least get the NTP feature installed so you can take advantage of the IPS policy.

Lastly, SEP can scan in safe mode. The earlier comment that it doesn't is not true. If you have infected systems now: disable System Restore, make sure SEP is up-to-date, boot to safe mode and perform a full scan.
Lafflin (asker):
That is very much along the lines of what I was looking for in an answer; I thank you very much. I will need to spend some time looking into the policies we're using, as I have inherited this network recently.
You're welcome; glad it gives you a place to start. I will log on to my SEP environment in the morning to provide you additional specifics on policy configuration.

Another easy one to make sure is on, Tamper Protection. On and set to block. TP settings are located under General Settings of each client group. Also make sure you padlock (lock icon next to settings in a given policy) any setting you don't want your users (or a risk) to be able to change.
What did you use to tell you that the newly imaged machines had viruses on them?

What version of SEP are you using?  (This has been asked before, but you haven't answered this so far.)

Have you adjusted any of the default settings since the software was installed?

Are definitions up-to-date on the server and clients with the infections?

How often have you set the server to update definitions and can the clients manually launch LiveUpdate to update definitions themselves?

Alan
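The following PowerShell script is an added example, not code from the thread or from Symantec. It gives a client-side answer to Alan's checklist above (is the product running, are definitions current, has the client logged errors, the "yellow dot" symptom) and scripts the safe-mode preparation recommended earlier (disable System Restore, then boot to safe mode for a full scan). The SEP service display names and the Application-log source name are assumptions based on SEP 11.x naming and must be checked against a known-good client; the Security Center `productState` decoding follows the commonly documented byte layout and is only available on client editions of Windows (`root\SecurityCenter2`).

```powershell
# Added example (not from the thread): client-side SEP health audit plus
# safe-mode scan preparation. Run elevated on the affected client.
param(
    # ASSUMPTION: SEP 11.x service display names; confirm with Get-Service on a healthy client
    [string[]]$SepServices = @('Symantec Endpoint Protection', 'Symantec Management Client',
                               'Symantec Event Manager', 'Symantec Settings Manager'),
    # ASSUMPTION: Application-log source used by the SEP client
    [string]$SepEventSource = 'Symantec AntiVirus'
)

# Decode the Security Center productState bitfield: formatted as 6 hex digits,
# digits 3-4 are the product state (10/11 = enabled), digits 5-6 the
# signature state (00 = up to date, anything else = out of date).
function Get-AvProductState {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | ForEach-Object {
        $hex = '{0:X6}' -f $_.productState
        $state = $hex.Substring(2, 2)
        New-Object PSObject -Property @{
            Product   = $_.displayName
            Enabled   = ($state -eq '10' -or $state -eq '11')
            DefsStale = ($hex.Substring(4, 2) -ne '00')
            RawState  = $hex
        }
    }
}

# Report each expected SEP service as Running / Stopped / missing.
function Test-SepServices {
    foreach ($name in $SepServices) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        $status = 'missing'
        if ($svc) { $status = $svc.Status }
        New-Object PSObject -Property @{ Service = $name; Status = $status }
    }
}

# Errors/warnings the client logged in the last 24 hours: the usual trail
# behind the "yellow dot" (component stopped or definitions failing to load).
function Get-RecentSepErrors {
    Get-EventLog -LogName Application -Source $SepEventSource `
        -EntryType Error, Warning -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

# Prepare the box for the full scan described above: drop restore points
# (so an infected restore point cannot bring the malware back) and force the
# next boot into minimal safe mode. -Revert undoes both after the scan.
function Set-SafeModeScanPrep {
    param([switch]$Revert)
    $drive = "$env:SystemDrive\"
    if ($Revert) {
        bcdedit /deletevalue '{current}' safeboot | Out-Null
        Enable-ComputerRestore -Drive $drive
        return
    }
    Disable-ComputerRestore -Drive $drive
    bcdedit /set '{current}' safeboot minimal | Out-Null
}

# Audit report; run Set-SafeModeScanPrep separately when you are ready to reboot.
Get-AvProductState | Format-Table Product, Enabled, DefsStale, RawState -AutoSize
Test-SepServices   | Format-Table Service, Status -AutoSize
Get-RecentSepErrors | Format-Table TimeGenerated, EntryType, EventID -AutoSize
```

A client that reports `Enabled = False`, a stopped `Symantec Endpoint Protection` service, or `DefsStale = True` is the case the thread keeps circling: the product is installed but not actually protecting. Run `Set-SafeModeScanPrep`, reboot, perform the full scan, then `Set-SafeModeScanPrep -Revert` to restore normal boot and System Restore.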
Lafflin (asker):
Sorry, I should answer if someone's going to be cool enough to try to help.

Version 11.0.6

I actually just reverted back to the default settings as there were settings other than default configured by the last admin.

Definitions are up to date.
Thanks for the version.  Any feedback to the other questions?

Alan
Lafflin (asker):
Sorry, I'm working through this while in the middle of a rollout. I've got them updating every eight hours, they're all running on defaults now, and client definitions are up to date for the most part, although I should qualify that statement with 1) once the PC becomes infected Endpoint usually breaks and appears with the yellow dot in the sys tray, and 2) I have not been looking at these most recent infections myself.
As for whether or not they're able to manually update, they are.
I will say also that my installation of the Endpoint Management Console is installed on a virtual machine which has very poor performance. I do not, however, want to touch that in this post. I was really looking for some best practices, or "common mistakes are usually..." type of advice. I do thank everyone who has taken the time to lend advice thus far.
ASKER CERTIFIED SOLUTION
Member_2_4421735:
Okay - thanks for the answers.

Whenever I install SEP, I usually lock the majority of padlocks and adjust LiveUpdate so that it runs every 4 hours or so and allows the clients to launch manually; other than that, it is pretty much left at default.

All the installations I have have never complained about viruses and as that is the product on pretty much every LAN we support, that is quite a few installations.

In all my years supporting Symantec A/V products and the last 2-3 with SEP - I have never come across the problems you are experiencing.

What might prove to be quite useful is to know the type of virus that you are dealing with and narrowing down where it has come from. It may already be on your LAN somewhere. Do you know the name/type of the virus, as this could give a massive clue?
Sometimes you need to reinstall the latest version of LiveUpdate to get updates at all.
Lafflin (asker):
Thanks for the links.