Symantec Endpoint Protection (SEP)

SYMANTEC TECHNOLOGY NETWORK: SECURITY

Symantec Endpoint Protection (SEP) 11.0
Configuring the SEP Client for Self-Protection
Purpose of this Whitepaper ........ 3
Overview ........ 4
The SEP Client Interface ........ 5
    Changing Policy Configuration Settings ........ 5
    Accessing the SEP Client Interface ........ 9
Disabling/Uninstalling the SEP Client from outside the Client Interface ........ 11
    Stopping SEP Services ........ 11
    Uninstalling the Client ........ 12
Additional Technologies for Protecting the SEP client ........ 14
    Tamper Protection – Protecting SEP Processes ........ 14
    Application Control – Protect Client files and registry keys ........ 15
Appendix A – One Page Overview ........ 16
Symantec Technology Network
2 / 17
Purpose of this Whitepaper:
This Whitepaper provides guidance on the different ways to control access to specific parts of the Symantec
Endpoint Protection (SEP) client. Many organizations do not allow administrative users to make changes to
installed security software. Since the SEP client has many different security technologies in a single client,
there are various ways to ensure that administrative users cannot make changes to the client software.
This paper provides guidance for administrators who would like to ensure SEP client installations are
protected from intended and/or unintended changes.
Overview
There are different ways that a SEP client can be protected from intentional or unintentional changes. This
Whitepaper describes three main approaches to protecting the SEP client and gives details about their
limitations. The goal is to provide guidance on protecting the SEP client from being tampered with by users
who hold administrative privileges on a system.
Throughout this paper, the assumption is that administrative users should be prevented from making
changes to the SEP client. By default, a restricted user cannot make changes to the SEP client. In cases
where a restricted user can make changes, this will be noted in the document.
Accessing the SEP client interface and changing policy configurations
Administrators can control which parts of the SEP client interface are accessible, or hide the interface
completely. In addition, administrators can control whether or not administrative users can make changes
to their policy configuration.
When protecting a standard configuration from being changed, consider the following Policies:
- Antivirus and Antispyware policy
- Firewall Policy
- Intrusion Prevention Policy
- Application and Device Control policy
- LiveUpdate Policy
- Centralized Exceptions
Stopping SEP client services or uninstalling of the SEP Client
When the SEP client is installed, there are various ways to prevent administrative users from uninstalling
the client, or stopping SEP Client Services. The following services are listed in the Microsoft Windows
Services Manager:
- Symantec Endpoint Protection
- Symantec Management Client
- Symantec Event Manager
- Symantec Settings Manager
Additional Technologies for protecting the integrity of the SEP client
In addition to configuring Policies and Settings to prevent altering the SEP client, there are additional
mechanisms to further protect the client from tampering.
- Application Control
- Tamper Protection
The SEP Client Interface
This section provides an overview of the settings an administrator can use to control what a user is
allowed to change. It is broken down into two main categories: changing policies, and accessing the
User Interface.
Changing Policy Configuration Settings
Please see each individual policy listed here for information on default settings and what needs to
be done to lock down settings so they cannot be changed by administrative users.
Antivirus and Antispyware policies
By default, administrative users can change Antivirus policy settings, including disabling Auto-Protect
real-time scanning. In order to prevent administrative users from changing Antivirus and Antispyware
settings, each individual setting in the Antivirus and Antispyware policy must be locked. This is
accomplished by clicking on the lock icon next to a given setting, as shown in the screenshots below.
“Enable File System Auto-Protect” unlocked (default setting)
“Enable File System Auto-Protect” locked after clicking on lock icon
A client with a locked Antivirus and Antispyware policy setting will still display the setting in the
client User Interface but it will be grayed out and the user will not be able to change it. In order to
lock all settings, each lock icon must be closed as shown in the screenshots above.
The above example displays how to prevent administrative users from disabling Antivirus and
Antispyware File System Auto-Protect.
Truscan Proactive Threat Protection
Truscan Proactive Threat Protection can be locked within the Antivirus and Antispyware policies. Truscan
is the behavioral scanning component in Symantec Endpoint Protection. To prevent administrative users
from disabling Truscan Proactive Threat Protection, edit the Antivirus and Antispyware policy and
configure it as shown in the screenshot below.
Firewall Policies
By default, Firewall policy rules and configurations cannot be changed in the Client Interface.
By default, administrative users can disable Network Threat Protection (by right-clicking the tray
icon and selecting “Disable Symantec Endpoint Protection”).
In order to prevent administrative users from disabling Network Threat Protection, do the following
steps in the SEPM:
1. Go to the Clients page and select the Policies tab.
2. Expand “Location-specific Settings” and click “Client User Interface Control Settings.”
3. Ensure the Server-Control radio button is selected and click “Customize.”
4. Uncheck the box next to “Allow administrative users to enable or disable Network
Threat Protection” as shown below.
Note: In order for this setting to take effect, it is required to block administrative users from
disabling Antivirus and Antispyware Auto-Protect scanning and Truscan Proactive threat scanning
through the configurations shown above.
Intrusion Prevention Policies
Intrusion Prevention policies cannot be changed in the Client Interface by default. By taking the
above steps to prevent administrative users from disabling Network Threat Protection,
administrative users are prevented from disabling Intrusion Prevention scanning.
Application and Device Control Policies
Application and Device Control policies cannot be changed or disabled in the Client Interface by
default.
LiveUpdate Policies
By default LiveUpdate policies cannot be changed in the Client Interface. Administrative users are
also not allowed to run LiveUpdate manually from the user interface.
If administrative users should be allowed to run LiveUpdate manually or change the LiveUpdate
schedule this is done in the LiveUpdate Settings policy under the “Advanced” dialogue.
Centralized Exceptions Policies
By default, administrative users are able to add Exceptions to exclude files, folders, or threats from
being scanned.
In order to prevent administrative users from adding exceptions you must create a Centralized
Exception policy and explicitly not allow administrative users to add their own exceptions as
shown below.
Accessing the SEP Client Interface
Administrators can control to what extent a user has access to the SEP Client interface. It is
possible to provide granular control to administrative users using Mixed Control mode, however in
this paper, only the option to hide the UI and/or System Tray icon completely will be discussed. By
default a restricted user can open the SEP client interface.
To access settings to configure access to the SEP client interface do the following steps:
1. Go to the Clients Page and select the Policies Tab.
2. Expand “Location-specific Settings” and click “Client User Interface Control Settings.”
3. Ensure the “Server-Control” radio button is selected and click “Customize.”
This will show the below dialogue with options to hide the Tray icon and/or hide the Client
Interface completely. Each option is described below.
Display the Client: By default, the SEP Client Interface will be shown if launched from the Tray
icon or from the Start>Programs group. To hide the client, uncheck the box next to “Display the
Client.”
If the user tries to launch the SEP Client from Start>Programs>Symantec Endpoint Protection,
they will get the following dialogue:
Display the notification area icon: By default, the System Tray icon is shown. Double-clicking the icon
launches the SEP User Interface.
In order to hide the icon, uncheck the box next to “Display the notification area icon.” The SEP
tray icon will then not be displayed.
Disabling/Uninstalling the SEP Client from outside the Client Interface
Aside from disabling the client through configurations in the interface, many organizations wish to
prevent the disabling of SEP via other methods (Task Manager, Services Manager, etc.) or even the
uninstalling of the client completely.
Stopping SEP Services
SEP client services can be seen in the Windows Services Control Manager. At this time the only
service that can be prevented from being stopped manually is the Symantec Management Client.
Although other services can be stopped, stopping them does not disable antivirus protection because
Auto-Protect remains active.
It is important to note that restricted users cannot stop Windows services. It is best practice to
provide employees with restricted user access unless it is necessary to allow administrative
privileges. Administrative users can disable services within the Windows Service Control Manager
because an administrative user has root access to the Operating System.
Here is an overview of SEP client services along with descriptions as to why stopping some services
does not impact Antivirus protection:
- Symantec Endpoint Protection (rtvscan.exe) – User mode antivirus functions (notifications,
logging). There is no way to prevent administrative users from stopping this service. However,
stopping this service does not disable Auto-Protect!
- Symantec Management Client (smc.exe) – Network Threat Protection and client server
communication functions. By default, it is not possible to stop this service in the Services Manager.
If a user disables the service in the Services Control Manager, on shutdown the service will
automatically be reset to “Automatic.”
By default, administrative users can stop smc.exe by command line. In order to require a password
for administrative users to stop smc.exe by command line, do the following steps:
1. Go to the Clients page and select the Policies Tab.
2. Click “General Settings” and select the “Security Settings” tab.
3. Place a check in the box next to “Require a password to stop the client service” as shown
in the screenshot below:
- Symantec Event Manager (ccsvchst.exe) – Common client component for Event Manager. There is
no way to prevent administrative users from stopping this service. However, stopping this service
does not affect Auto-Protect!
- Symantec Settings Manager (ccsvchst.exe) – Common client component for Settings Manager.
There is no way to prevent administrative users from stopping this service. However, stopping this
service does not affect Auto-Protect!
Additional protection for preventing SEP client services from being disabled by malicious programs is
available in Tamper Protection, and is described below.
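As an added check that is not part of the Symantec whitepaper, the PowerShell script below queries the four SEP 11 client services named above through WMI and flags any that is missing, stopped, or not set to start automatically, so a service that an administrative user has stopped locally shows up in a report. The service display names come from this paper; the function name, output format and compliance rule are assumptions.

```powershell
# Added example, not from the Symantec whitepaper: audit the four SEP 11
# client services named above via WMI (Win32_Service) and flag any that is
# missing, not running, or not set to start automatically. Service display
# names come from the paper; the function and output format are assumptions.

$SepServices = @(
    'Symantec Endpoint Protection',   # rtvscan.exe - user-mode AV functions
    'Symantec Management Client',     # smc.exe - NTP and server communication
    'Symantec Event Manager',         # ccsvchst.exe - common client component
    'Symantec Settings Manager'       # ccsvchst.exe - common client component
)

function Get-SepServiceAudit {
    param([string[]] $DisplayNames = $SepServices)

    foreach ($name in $DisplayNames) {
        # Win32_Service exposes State (Running/Stopped) and StartMode
        # (Auto/Manual/Disabled); Get-Service alone does not show StartMode.
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$name'"

        if ($null -eq $svc) {
            New-Object PSObject -Property @{
                Service = $name; State = 'MISSING'; StartMode = 'n/a'
                Path = 'n/a'; Compliant = $false
            }
            continue
        }

        # Compliant = running now and set to start automatically at boot.
        $ok = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
        New-Object PSObject -Property @{
            Service   = $name
            State     = $svc.State
            StartMode = $svc.StartMode
            Path      = $svc.PathName
            Compliant = $ok
        }
    }
}

$report = Get-SepServiceAudit
$report | Select-Object Service, State, StartMode, Compliant | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or software-distribution check act on it.
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} SEP service(s) stopped, disabled or missing: {1}" -f `
        $failed.Count, (($failed | ForEach-Object { $_.Service }) -join ', '))
    exit 1
}
```

A stopped Symantec Endpoint Protection, Event Manager or Settings Manager service is reported here as non-compliant even though, as the paper notes, Auto-Protect keeps running; treat the report as a prompt to investigate, not as proof that protection is off.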
Uninstalling the Client
To prevent an administrative user from uninstalling the SEP client it is possible to require a password when
uninstalling the client. To require a password do the following steps:
1. Go to the Clients page and select the Policies Tab.
2. Click “General Settings” and select the “Security Settings” tab.
3. Place a check in the box next to “Require a password to uninstall the client” as shown in the
screenshot below:
Additional Technologies for Protecting the SEP client
In addition to the steps listed above to protect the SEP client, there are technologies that provide
additional ways of protecting the SEP client. Note that both of these features currently do not
support 64 bit operating systems.
Tamper Protection – Protecting SEP Processes
Tamper Protection is a process that monitors SEP processes and prevents them from being shut down
forcibly by an external source, such as malicious code. By default this feature is enabled but set to
“log only,” so it does not block processes.
In order to activate Tamper Protection to block attempts to terminate SEP client services, do the
following steps:
1. Go to the Clients page and select the Policies tab.
2. Click “General Settings”.
3. On the Tamper Protection tab, select “Block it and log the event” from the drop down box.
4. Click the Lock icon to prevent administrative users from disabling Tamper Protection as
shown in the screenshot below:
Note: Before configuring Tamper Protection to block applications, be sure to monitor the Tamper
Protection logs to ensure that legitimate programs, such as software distribution software, do not
stop SEP services for legitimate purposes. It is possible to exclude certain processes from triggering
Tamper Protection.
Application Control – Protect Client files and registry keys
Symantec provides a pre-configured rule in Application Control policies to protect the client files
and registry keys. When this rule is enabled, administrative users cannot manually delete SEP
client files and/or registry keys.
Enable this Application rule by creating an Application and Device Control policy and enabling as
shown below:
Note: This Application control rule is active on the local system. It does not prevent files
from being deleted remotely.
Appendix A – One Page Overview
This checklist provides a summary of the components that organizations may wish to secure when
hardening a client. Some options, such as hiding the Client User Interface completely, may not be
desired settings but are included here to provide an overview of the available options.
Preventing Administrative users from changing policies

Lock Policies                    | Manual Steps Required to lock policies?
---------------------------------|----------------------------------------
Antivirus and Antispyware        | Yes
Firewall                         | No
IPS                              | No
Application and Device Control   | No
LiveUpdate Policy                | No
Centralized Exceptions           | Yes

Disabling/uninstalling the SEP Client from outside the Client Interface

Hardening Step                                                              | Manual Steps Required?
----------------------------------------------------------------------------|-----------------------
Require Password to open User Interface                                     | Yes
Require Password when uninstalling SEP Client                               | Yes
Require Password when stopping SEP service by command line (smc.exe –stop)  | Yes
Require Password to import or export a policy                               | Yes
Hide System Tray Icon                                                       | Yes
Prevent Administrative users from disabling SEP network threat protection   | Yes
in client UI                                                                |
Prevent Administrative users from stopping SEP client service in Service    | No
Control Manager                                                             |
Prevent Administrative users from stopping other SEP Services in Service    | Not possible at this time. Stopping other
Control Manager                                                             | services does not disable Auto-Protect
                                                                            | Antivirus protection

Additional technologies to prevent tampering with the SEP Client

Hardening Step                                                              | Manual Steps Required?
----------------------------------------------------------------------------|-----------------------
Tamper Protection                                                           | Yes
Application Control Default Rule to protect client files and registry keys  | Yes
About Symantec
Symantec is the world leader in providing solutions to help individuals and enterprises assure the
security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec
has operations in more than 40 countries. More information is available at www.symantec.com.
For specific country offices and contact numbers, please visit our Web site. For product information
in the U.S., call toll-free 800 745 6054.
Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
408 517 8000
800 721 3934
www.symantec.com
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands
and products are trademarks of their respective holder/s. Any technical information that is made
available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by
Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and
Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical
documentation or the information contained herein is at the risk of the user. Copyright © 2007
Symantec Corporation. All rights reserved. 09/04 10318317