
University of Texas at Arlington

Personal Configuration Guide for Symantec Endpoint Protection


(Draft 0)

20090506

University of Texas at Arlington
Office of Information Technology
Information Security Office

Personal Configuration Guide for Symantec Endpoint Protection

This guide is provided by the Office of Information Technology (OIT), Information Security Office as a basic and introductory guide for configuring the Symantec Endpoint Protection (SEP) software on personal devices. This guide is intended for use by UT Arlington students, staff, and faculty on their personally owned computers.

UT Arlington provides active students, faculty and staff one free copy of the SEP software for installation and use on their personally owned computer to help prevent and mitigate cross contamination of information and computing resources.

The SEP client for personal use is preconfigured with the recommended default settings as specified by Symantec. However, these settings may not provide optimal security protection for all users. Each individual is encouraged to familiarize themselves with the settings and options for any software package in use on their personally owned computer. For example, by default Symantec will detect spyware but will not remove or quarantine said spyware. This guide will show the user where to configure this setting and many more.

This guide does not provide a comprehensive summary of the settings and capabilities within SEP. The user is encouraged to read the official Symantec user's guide for the software.

UT Arlington - Windows XP Operating System Security Guide

Contents

Section 1 - What is SEP
  1.1 Symantec Endpoint Protection
  1.2 SEP Client
Section 2 - Getting the Software
  2.1 On-Line
  2.2 BlazeWare
  2.3 Report Piracy
Section 3 - Installation
  3.1 Installation
  3.2 First Time Installation
  3.3 Update Installation
Section 4 - The SEP GUI
  4.1 GUI
Section 5 - Client Configuration
  5.1 Default Configuration
  5.2 Scheduled Scan
  5.3 Antivirus Spyware Configuration
  5.4 Proactive Threat Configuration
  5.5 Other Settings
Section 6 - Links and References


1 - What is SEP
------------------------------------------------------------------------------------------------

1.1 - Symantec Endpoint Protection


SEP is the evolutionary replacement to Symantec Antivirus (SAV). SEP is a bundled software suite that includes antivirus, antispyware, firewall, intrusion prevention, and proprietary malware detection features. SEP is currently available for the Windows family of operating systems. Individuals with Linux and/or Mac must continue to use the appropriate versions of SAV for their computer.

The SEP suite is modular in fashion and most features can be enabled and/or disabled independently to allow for a multitude of configuration options. The separate components within SEP include:

Antivirus and Spyware Protection
Antivirus
Spyware
Email
Proactive Threat Protection
Heuristics
Anti-Keylogger
Network Threat Protection
Firewall
Intrusion Prevention (IPS)
Application Detection and Control

------------------------------------------------------------------------------------------------

1.2 - SEP Client


The SEP client is the end-user application that is installed on the local computing device that is to be protected. The SEP client has active and passive operations, with the active operation being enabled by default. Passive operations can be scheduled to occur at regular intervals or can be left to the user to perform manually.

System performance in SEP has been reported to be greatly improved over that of SAV. SEP has a reported memory utilization of 24MB, down 62% from SAV, which had a memory utilization of 62MB. SEP also reports a smaller physical footprint on the hard drive as compared to SAV.

During normal operations on a clean computer the user will not see obvious activity on the part of the SEP software. This can be changed so that the user receives more or fewer event notifications about various actions performed by the software. The SEP client is fairly intuitive and beginner users should find the Graphical User Interface (GUI) easy to navigate and use.

------------------------------------------------------------------------------------------------


2 - Getting the Software


------------------------------------------------------------------------------------------------

2.1 - On-Line
OIT will maintain a password-protected web site with the most current software version available for personal use. The web site can be found at www.uta.edu/antivirus. Once you have opened the web site in a browser, navigate to the option for the Personal / Home version and follow the link to the file download. You will be prompted for your UTA NetID and password. Lastly, save the file to a location of your choosing.

Individuals that are active students, faculty, or staff of UT Arlington are permitted one copy of SEP for use on their personally owned computer.

------------------------------------------------------------------------------------------------

2.2 - BlazeWare
OIT provides the campus with a software and documentation distribution CD named BlazeWare. BlazeWare can be obtained at the UT Arlington Computer Store in Ransom Hall for the ultra low cost of $5.*

* The fee charged is for the physical media and printing services; all software on the BlazeWare CD is free to active UT Arlington students, faculty and staff.

BlazeWare can also be obtained at various campus and security events throughout the year, such as student orientation and the student activities fair.

------------------------------------------------------------------------------------------------

2.3 - Report Piracy


SEP, BlazeWare and other software covered by UT Arlington software agreements should never be purchased from anyone on-line or in person. If you know of any UT Arlington branded software being sold by an entity other than the UT Arlington Computer Store at Ransom Hall, or any UT Arlington branded software being distributed to individuals that are not active UT Arlington students, faculty or staff, please report the activity to the Information Security Office, security@uta.edu.

------------------------------------------------------------------------------------------------


3 - Installation
------------------------------------------------------------------------------------------------

3.1 - Installation
Before installing SEP on your computer it is recommended that you fully uninstall and delete any pre-existing antivirus and/or host based security products that may be on your computer. If you are currently using a security software package from Symantec's Norton product line it is recommended that this also be removed prior to installing SEP.

** SEP will work with passive spyware programs such as LavaSoft Ad-Aware or Safer Networking Spybot Search and Destroy. However, SEP will have conflicts with active antivirus and firewall programs like McAfee Antivirus, TrendMicro Internet Security, and avast! Antivirus, to name a few.

After removing any conflicting antivirus and/or host based security products your computer should be rebooted.

Installation of the SEP software is your typical Windows double click and follow the prompts installation. For our demonstration we will assume you are installing SEP from the latest version of the BlazeWare CD. The exact file name may vary. If you have downloaded the software file to your desktop you should see an icon as in figure 00.

Figure 00


Or if you prefer to install directly from the BlazeWare CD you should see a Windows Explorer window as in figure 01.

Figure 01

------------------------------------------------------------------------------------------------

3.2 - First Time Installation


If you are installing SEP for the first time ever it is recommended that you remove any preexisting antivirus and/or host based security products that may be on your computer. Double click on the software file icon to initiate the installation. You will briefly see a Preparing to install message.

Figure 02


Followed by a Welcome message. Select Next.

Figure 03

You will be prompted with the Symantec End Users License Agreement (EULA). Select your acceptance choice. Select Next.

Figure 04

You will be prompted to install the software. Select Install.

Figure 05

You will see a status screen with various messages throughout the install process.

Figure 06


Once the installation has completed you will be prompted with the finish prompt. Select Finish.

Figure 07

Immediately following the software installation SEP will initiate a LiveUpdate of the software. During this process your computer will attempt to contact the servers at Symantec.com to download the latest virus and content definitions.

Figure 08


Finally you will be prompted to reboot your computer. The antivirus components of SEP will begin protecting your computer before it is rebooted; however, the network components like the firewall and IPS will not take effect until after a reboot.

Figure 09

Once you have completely installed SEP and logged back into your computer following the reboot you will see a new icon in the lower right corner of your task bar.

SEP will also add itself to the Windows Start menu.

Figure 10

------------------------------------------------------------------------------------------------

3.3 - Update Installation


If you have installed a previous version of SEP on your computer and you are re-installing or upgrading to the newest version you can install over top of the old version of SEP. Double click on the software file icon to initiate the installation. You will briefly see a Preparing to install message.

Figure 11

At the Welcome message select Next.

Figure 12


You will be prompted for the type of software install. Most users will select Modify to upgrade the older version of SEP.

Figure 13

You will be prompted to select the components for installation. By default your installation should have all components enabled with the exception of Outlook and Lotus Notes protection.

Figure 14

Select Next.

Figure 15

You will be prompted to install the software. Select Install.

Figure 16


You will see a status screen with various messages throughout the install process.

Figure 17

Once the installation has completed you will be prompted with the finish prompt. Select Finish.

Figure 18


Immediately following the software installation SEP will initiate a LiveUpdate of the software. During this process your computer will attempt to contact the servers at Symantec.com to download the latest virus and content definitions.

Figure 19

Finally you will be prompted to reboot your computer. The antivirus components of SEP will begin protecting your computer before it is rebooted; however, the network components like the firewall and IPS will not take effect until after a reboot.

Figure 20

------------------------------------------------------------------------------------------------


4 - The SEP GUI


------------------------------------------------------------------------------------------------

4.1 - GUI
You can open the SEP GUI by double clicking on the gold shield on the system task bar or by using the Start menu option (Start > Programs > Symantec Endpoint Protection > Symantec Endpoint Protection).

Figure 21

The main view of the SEP GUI is your typical dashboard style interface with green, yellow, and red color indicators. As you can see in figure 22 our SEP client is all green and therefore a happy fully updated client.

Figure 22

To explore the GUI you can use the menu options on the left frame, which are static and remain the same on each view of the GUI. Optionally you can choose the individual Options buttons on the right side of each of the three major components.


In the event you need assistance with your SEP software the first thing you will need to know is how to find the version number. To do this, select the yellow Help and Support button in the upper right of the main window.

Figure 23

Then select About. The version number will be immediately under the software name. In our example we have version 11.0.4.4014.26

Figure 24

------------------------------------------------------------------------------------------------


5 - Client Configuration
------------------------------------------------------------------------------------------------

5.1 - Default Configuration


SEP will install with the recommended default settings as specified by Symantec. However, these settings may not provide optimal security protection for all users. Each individual is encouraged to familiarize themselves with the settings and options for any software package in use on their personally owned computer. For example, by default Symantec will detect spyware but will not remove or quarantine said spyware. Let's modify the client and tighten up some of the settings to provide your computer better protection against becoming infected.

------------------------------------------------------------------------------------------------

5.2 - Scheduled Scan


By default SEP only attempts to scan files as you use them via the Auto-Protect feature. While this is fine for files that you get today, it is not so good for all the files that are already on your computer. To create a scheduled scan select Scan for threats, the second option on the left-hand frame of the GUI. Then select Create a New Scan.

Figure 25


It is recommended that the system perform an Active Scan once a day and a Full Scan once a week as a minimum.

SEP is configurable to run an Active Scan at the time the computer is booted up as seen in Figure 25. **Note: this scan is present but disabled by default. This, however, may add time to the boot process of your computer depending on how many other applications are also running at startup.

You can optionally configure SEP to run an Active Scan each time that new definitions are downloaded. **This is a default action. With the system performing an Active Scan with each new definition set we can simply add a Weekly Full Scan.

The Active Scan only looks at certain locations on the hard drive; it is sometimes referred to as a quick scan. A Full Scan looks at the entire hard drive; although it is more complete, it will take longer to run. With this in mind you will want to choose a time for your Weekly Full Scan when your computer will be powered up but you are not actively using it. For example, if you are the active socialite, something like Friday night at 8 PM while you are going out to eat. Or if you are a gamer, something like 6 AM Saturday morning while you are still asleep after the Friday night tournament.

Select Full Scan and Next.

Figure 26


On the following screen we can delve into Actions and define whether SEP logs, quarantines, or removes various types of detected risks. On the Notifications menu we can define how much we want SEP to talk to us: do we want SEP to perform its functions silently, or do we want to see a message every step along the way? With the Advanced and Centralized Exceptions we can further control how SEP behaves and remove specific files or folders from a scan.

First select Actions.

Figure 27

Recommended Settings

Macro virus - First Action: Clean risk / If first action fails: Quarantine risk.
Non-macro virus - First Action: Clean risk / If first action fails: Delete risk.
Security Risks - First Action: Delete risk / If first action fails: Quarantine risk.

Select OK.

Figure 28


Now let's enable notifications so that we get a warning if a virus is detected. Select Notifications. Then select all three options:

Display a notification message when a security risk is detected
Terminate processes automatically
Stop services automatically

Select OK and Next.

Figure 29

Next we will select the time for the scan. Select At specified times and Next.

Figure 30

In figure 31 we have selected Friday at 10 PM. Enter your preferred time. Select Next.

Figure 31

Give your scan a name and description. Select Finish.

Figure 32


Your GUI should now display your newly configured scan.

Figure 33

------------------------------------------------------------------------------------------------


5.3 - Antivirus and Spyware Configuration


Within the Antivirus and Spyware Protection configuration most of the default settings will be sufficient for the average computer. However, we want to tighten up the actions that SEP will take when it identifies a risk. Let's dig in to the configuration and change the default actions. This is very similar to the action sets you defined in the scheduled scan. The only difference is that there are two specific action sets that need to be configured: one set for the file system and one set for Email.

From the main GUI interface select Change Settings on the left frame. Select Configure Settings to the right of Antivirus and Spyware Protection.

Figure 34


Select the File System Auto-Protect tab. Select Actions.

Figure 35

Recommended Settings

Macro virus - First Action: Clean risk / If first action fails: Quarantine risk.
Non-macro virus - First Action: Clean risk / If first action fails: Delete risk.
Security Risks - First Action: Delete risk / If first action fails: Quarantine risk.

Select OK.

Figure 36

Select the Internet Email Auto-Protect tab. Select Actions.

Figure 37

Recommended Settings

Macro virus - First Action: Clean risk / If first action fails: Quarantine risk.
Non-macro virus - First Action: Clean risk / If first action fails: Delete risk.
Security Risks - First Action: Delete risk / If first action fails: Quarantine risk.

Select OK.

Figure 38

------------------------------------------------------------------------------------------------

5.4 - Proactive Threat Configuration


Within the Proactive Threat Protection configuration it is highly recommended that the actions for identified keyloggers are increased. By default SEP will only log the fact that a keylogger was found. Since keyloggers can be used to steal data from your system we want to set this action to quarantine.

From the main GUI interface select Change Settings on the left frame. Select Configure Settings to the right of Proactive Threat Protection.

Figure 39


In the lower right corner of the window, change the setting for When a commercial keylogger is detected from Log to Quarantine. Select OK.

Figure 40

------------------------------------------------------------------------------------------------


5.5 - Other Settings


SEP is a powerful software product and has lots of configuration options. Take some time to explore the interface and the various options. Be careful particularly with the Network Threat Protection options, as some of them can significantly impact the ability of your computer to communicate with other devices on the network. If you wish to do more with the SEP firewall, make sure you understand how the changes will affect your system and make sure you know how to remove the changes made in the event something breaks.

For more information about the features and settings of SEP, use the built-in SEP help. Select the yellow Help and Support button in the upper right of the main window.

Figure 41

Or see the SEP Client Users Guide available on BlazeWare, client_guide.pdf

------------------------------------------------------------------------------------------------


6 - LINKS AND REFERENCES


------------------------------------------------------------------------------------------------

Links:

UT Arlington Antivirus (Symantec) - http://www.uta.edu/antivirus
BlazeWare - http://blog.uta.edu/security/2008/10/20/blazeware-fall-2008/
Symantec Threat Explorer (vendor site) - http://www.symantec.com/norton/security_response/threatexplorer/index.jsp
Symantec Endpoint Protection (vendor site) - http://www.symantec.com/business/endpoint-protection
Symantec Endpoint Protection FAQ (vendor site) - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007071909500548
