Windows 10 Upgrade: What This Means for Your Endpoint Security


On July 29th, Microsoft will release its next major operating system, Windows 10. Unlike previous OS upgrades, this version does not require users to purchase the new OS. Existing Windows 7 and 8 end users can initiate the upgrade directly on their own computers, which makes it harder for IT admins to control which OS version is running on their endpoints.

At Symantec, we are committed to ensuring that customers of Symantec Endpoint Protection 12.1, Symantec Endpoint Protection Small Business Edition (hosted version) and Symantec Endpoint Protection Small Business Edition (on-prem) remain fully protected across all supported operating systems.

For Symantec Endpoint Protection 12.1, a maintenance patch release will be available on July 29, 2015. Customers will need to be current on maintenance to receive the maintenance patch update. For more information, visit our SEP 12.1 Windows 10 Knowledge Base.

Customers using Symantec Endpoint Protection Small Business Edition (hosted version) will receive an automatic update on their computers via LiveUpdate, targeted for July 29th. From that date, any new endpoint install of the hosted edition will be protected should the user upgrade to Windows 10, and existing hosted-edition customers will receive targeted patch updates for the new Windows 10 platform. These patch updates roll out via LiveUpdate to all endpoints, whether they move to Windows 10 now or at some point in the future, which lets IT administrators proactively protect endpoints that upgrade at a later date. Existing customers must be on a current subscription to receive these patch updates. The hosted edition will also automatically notify IT administrators if a user upgrades to Windows 10 without informing IT; in that case the Windows 10 patch is pushed to the user's machine within a 1-2 hour window. Symantec will also provide guidance for IT administrators who wish to avoid this 1-2 hour window and push the patch update immediately; this guidance can be found on the Symantec Knowledge Base.

Symantec Endpoint Protection Small Business Edition 12.1 (on-prem) has now reached End-of-Life and will not support Windows 10. Customers currently running it will need to migrate to the hosted edition in order to receive protection for Windows 10 systems. For information on our automated migration process, visit: go.symantec.com/sbemigration


What are malware, viruses, spyware, and cookies, and what differentiates them?


"Malware" is short for malicious software and is the umbrella term for viruses, spyware, worms, Trojans and similar programs. Malware is designed to damage or compromise a standalone computer or a networked PC. Wherever the term malware is used, it means a program designed to harm your computer; it may be a virus, a worm or a Trojan.

Worms are malicious programs that make copies of themselves over and over, on the local drive, on network shares and, above all, across the network. Replication is the defining trait of a worm, and unlike a virus it does not need to attach itself to an existing program. Worms spread by exploiting vulnerabilities in operating systems and network services. Note that replication is only the spreading mechanism: many worms also carry a payload, so it is not safe to assume that a worm leaves the data and files on the computer untouched.

Example of a worm: W32.SillyFDC.BBY

Because of this constant replication, a worm consumes disk space, CPU time and network bandwidth, which slows the PC and the network it sits on.

A virus is a program written to enter your computer by attaching itself to another program or file and to damage or alter your files and data; it may corrupt or delete data on your computer. Viruses also replicate themselves, but only by infecting further files when the infected host runs. Which of the two is more dangerous, a virus or a worm, depends on the payload it carries, not on the class it belongs to.

Example of a virus: W32.Sfc!mod

Viruses can enter your computer as attachments posing as images, greetings, or audio/video files. They also enter through Internet downloads, hidden in free or trial software or in other files that you download.

So before you download anything from the Internet, be sure about its source first. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action, such as running an infected program, to keep it going.

Viruses come in the following types.

1) File viruses
2) Macro viruses
3) Master boot record viruses
4) Boot sector viruses
5) Multipartite viruses
6) Polymorphic viruses
7) Stealth viruses

File virus: This type of virus normally infects program files such as .exe, .com and .bat. Once it is resident in memory, it tries to infect every program that is loaded into memory.

Macro virus: This type of virus infects Word, Excel, PowerPoint, Access and other document files through their macro language. Once infected, these files are very difficult to repair.

Master boot record virus: MBR viruses are memory-resident viruses that copy themselves to the first sector of a storage device, which holds the partition table and the OS loading code. An MBR virus infects this particular area of the device instead of normal files. The easiest way to remove an MBR virus is to rewrite a clean MBR.

Boot sector virus: A boot sector virus infects the boot sector of a hard disk or floppy disk. These are also memory-resident in nature: as soon as the computer starts, it is infected from the boot sector. Cleaning this type of virus is very difficult.

Multipartite virus: A hybrid of boot and program/file viruses. They infect program files, and when the infected program is executed they infect the boot record. When you boot the computer next time, the virus loads from the boot record into memory and then starts infecting other program files on disk.

Polymorphic viruses: A virus that encrypts its own body under a different key (and often with a different decryptor routine) on each infection, so that every copy looks different on disk. Because no fixed byte sequence is common to all copies, these viruses are more difficult to detect with plain signatures; scanners counter by recognising the decryptor or by decrypting the body before scanning it.
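The point above, shown as an added example rather than code from the original page or from Symantec: the same harmless toy "body" is encrypted under a different key each time, a plaintext signature misses every copy, and the scanner gets detection back by emulating the decryptor or brute-forcing the key space. PAYLOAD, SIGNATURE and STUB_MARK are constructed stand-ins, and the one-byte XOR cipher and the stub layout are assumptions made for illustration.

```python
"""Why a fixed byte signature misses a polymorphic virus, and how a
scanner recovers. Added toy illustration for this post; not code from
the original page or from Symantec. PAYLOAD is a harmless constructed
string standing in for a viral body, STUB_MARK is an assumed two-byte
tag standing in for the decryptor stub, and one-byte XOR stands in for
the virus's cipher.
"""
import hashlib
import os
from typing import Optional

PAYLOAD = b"TOY BODY: find the next .exe, append self, jump back to host"
SIGNATURE = b"find the next .exe"   # the slice a signature scanner keys on
STUB_MARK = b"\xeb\x01"             # assumed constant decryptor-stub prefix


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def make_variant(body: bytes = PAYLOAD, key: Optional[int] = None) -> bytes:
    """One 'infection': stub marker, the key byte the stub would use,
    then the body encrypted under that key. A fresh key per infection
    is what makes each copy look different on disk."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255     # never 0: key 0 leaves plaintext
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUB_MARK + bytes([key]) + xor_bytes(body, key)


def sha256_hex(sample: bytes) -> str:
    """File hash: changes with every copy, so hash blacklists fail too."""
    return hashlib.sha256(sample).hexdigest()


def plaintext_signature_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Naive scanner: is the known plaintext signature in the file as-is?"""
    return sig in sample


def stub_signature_scan(sample: bytes) -> bool:
    """Match the decryptor stub instead of the body. Works on this toy
    only because the stub never changes; real polymorphic engines mutate
    the stub as well, which is why the two scans below exist."""
    return sample.startswith(STUB_MARK)


def emulated_decrypt_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Do what the stub would do at run time (read its key, decrypt the
    body), then apply the signature to the recovered plaintext. This
    mirrors an emulator letting the decryptor run before scanning."""
    if not sample.startswith(STUB_MARK) or len(sample) <= len(STUB_MARK):
        return False
    key = sample[len(STUB_MARK)]
    body = sample[len(STUB_MARK) + 1:]
    return sig in xor_bytes(body, key)


def xray_scan(sample: bytes, sig: bytes = SIGNATURE) -> bool:
    """Stub-agnostic fallback: brute-force the one-byte key space and test
    the signature against every candidate plaintext. Cheap for a 256-key
    cipher, which is why real viruses moved to longer keys and mutated
    decryptors."""
    return any(sig in xor_bytes(sample, k) for k in range(256))


if __name__ == "__main__":
    a, b = make_variant(key=0x41), make_variant(key=0x7F)
    print("copies differ on disk:", a != b, sha256_hex(a)[:12], sha256_hex(b)[:12])
    for name, fn in [("plaintext signature", plaintext_signature_scan),
                     ("stub signature", stub_signature_scan),
                     ("emulated decrypt", emulated_decrypt_scan),
                     ("x-ray brute force", xray_scan)]:
        print(f"{name:20s} copy A: {fn(a)!s:5s} copy B: {fn(b)!s:5s}")
```

Run it directly to see which scan catches which copy. The practitioner's takeaway is that the hash and the plaintext signature change with every infection while the decrypted body does not, so detection has to move to whatever stays invariant, whether that is the decryptor, the recovered plaintext, or the behaviour once the code runs.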

Stealth viruses: These viruses use various techniques to avoid detection. They either redirect the disk head to read another sector instead of the one in which they reside, or they alter the file size shown in the directory listing for an infected file. For example, the Whale virus adds 9216 bytes to an infected file and then subtracts the same 9216 bytes from the size reported in the directory.

Trojans: A Trojan horse is not a virus. It is a destructive program that looks like a genuine application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. Trojans also open a backdoor into your computer that gives malicious users or programs access to your system, allowing confidential and personal information to be stolen.

Example: JS.Debeski.Trojan

Trojan horses are classified by how they infect systems and by the damage they cause. The seven main types are:
• Remote access Trojans
• Data sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• Security software disabler Trojans
• Denial-of-service attack Trojans

Adware: Generically, adware is a software application that displays advertising banners while a program is running. Adware can be downloaded to your system automatically while you browse a website, and it shows itself through pop-up windows or through a bar that appears on the screen. Adware is used by companies for marketing purposes.

Spyware: Spyware is a program installed, with or without your permission, on your personal computer to collect information about you, your computer or your browsing habits. It tracks everything you do without your knowledge and sends it to a remote party. It can also download other malicious programs from the Internet and install them on the computer. Spyware works like adware but is usually a separate program that is installed unknowingly alongside a freeware application.

Spam: Spamming is the practice of flooding the Internet with copies of the same message. Most spam consists of commercial advertisements sent as unwanted email. Spam is also known as electronic junk mail or junk newsgroup postings. It is a nuisance because it arrives every day and keeps your mailbox full.

Tracking cookies: A cookie is a small piece of text that a website stores in your browser to hold data about your browsing session, such as your login state or preferences. A tracking cookie is one set by a third party, typically an advertising network present on many sites, so that your visits across all of those sites can be correlated into a profile of your browsing. Cookies do not hold your bank account or credit card details, but a session cookie that is stolen, for example by malware on the machine, lets an attacker act as you on that site, which is why they need protecting.

Misleading applications: Misleading applications (fake antivirus) mislead you about the security status of your computer, showing that it is infected by some malware and that you must download their tool to remove the threat. Once you download the tool, it reports threats on your computer and demands that you buy the product to remove them, asking for personal information such as credit card details in the process, which is dangerous.

SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy


Quoted from a Symantec employee's article. Very nice read.


This is the eighth of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).

In the spirit of A Helpful LiveUpdate Administrator 2.x Analogy, here is an offbeat way to understand the various components that comprise the Symantec Endpoint Protection suite of security.

Wait, SEP is Not Just Antivirus?

AV alone is not enough against today’s sophisticated threats.  Symantec AntiVirus (an AV alone product) reached its end of life years ago.  Today’s SEP is a whole collection of security technologies that complement each other.  A flashy video introduction to each of the technologies:

Move Beyond Antivirus with Intelligent Security (3:05)

But, I am a crime fiction fan and like to imagine it differently....

Think of your Computer as a City.

Your computer has resources, pathways, people and cars running around, new stuff, old stuff, infrastructure, laws, onramps to the good old Information Superhighway.  There’s usually an Irish pub to be found in there, too (or at least vacation photos from one).  There’s work done in this place, and fun, and important business.  Some of it is frequently visited and kept shiny and new.  Some of its districts were built many years ago and are seldom visited.  Other regions became defunct and are no longer used for their original purpose but have not yet been knocked down.  Bad things happen in these places, even in broad daylight.

Is this a Walled City or Wide-Open?

A traditional Windows XP machine, freshly installed, is wide-open.  (The original releases of it were really not designed with security in mind.)  Think of it as on a plain with rivers, roads, hiking trails running into and out of it.  It’s easy for legitimate traffic and illegitimate to slip in and out.

Now install Network Threat Protection, SEP’s Firewall component.  This has thrown a big wall up around it, a control to ensure that connections are only made through approved points of entry.

Beyond Antivirus with NTP

A Ha! I’ve Heard a Story About A Trojan Horse and a Walled City.

You’re catching on to the analogy!

Who’s Keeping Watch inside the City?

The AntiVirus component is like the city’s police force.  There are patrols on watch, pouncing on any dangerous actor or illegal process as soon as it kicks off (Auto-Protect).   Hopefully the force is also carrying out raids on a suspicious premises and manhunts searching for suspicious activity (scheduled scans and manual scans).  This police department is briefed several times per day on the latest dodgy characters to watch for (new definitions) but they also have street sense that can tell when something’s not right, even without a specific mug shot (heuristics).

Of course, the most important cop in town is the Chief of Police (security admin of the computer).  There may be national laws that guide how the Chief can work (company policies and security configurations) but all reports and information should ultimately cross the Chief’s desk, prompting any necessary reactions.

What’s Stopping Bad Stuff from Coming into Town?

One of the most powerful tools is IPS.  Think of this as the (unfairly underrated) Postal Inspection Service: it inspects all the packets on the way into or out of the city and stops what it knows to be malicious before any harm is done.  PIS (and IPS) can work efficiently on a massive scale without interfering with legitimate traffic.  Not only that, it has the power to determine who sent the dangerous package so that it can be tracked down.

IPS is absolutely crucial.  It is the most effective defense against drive-by downloads.

Blocked by Symantec Endpoint Protection

Not all Security in a City belongs to the Police Force.

True.  Think of all the bouncers on duty at all the pubs, clubs, shops and bars.  SEP’s SONAR component  (also known as BASH and as Proactive Threat Protection) is similarly behavioral based.  It jumps into action whenever a process starts making trouble.  “I don’t care who you are, you’re not acting like that in here!”

It can also be an excellent source of intelligence about which residents of the city should be on the chief’s radar.

Using SEPM Alerts and Reports to Combat a Malware Outbreak

ADC?  Is that like FBI?

Well, it’s three letters.  Application and Device Control (ADC) is SEP’s optional component which lets the administrator create powerful custom policies for their environment.

For example: say there is a problem with hoodie-wearing skateboard kids hanging out in public squares.  Skateboarding is not a crime (the program that does not meet Symantec’s criteria for detection), but the Chief of police wants to block this.  It’s possible to put through a local ordinance (ADC policy) that will prevent that behavior from running within city limits.

All About Grayware

So Where’s the FBI in this Analogy?

In SEP 12.1 RU5 and above, it is possible for an administrator to remotely send in a special on-demand in-depth kind of scan called Power Eraser.  Like the FBI, this can identify malicious material that other components did not.

Starting Power Eraser analysis from Symantec Endpoint Protection Manager
Article URL: http://www.symantec.com/docs/HOWTO101778

What to do in an Emergency?

If there’s a cataclysmic event, it’s possible for the Chief to lock the city down.  Putting the National Guard or Army on the streets enforcing a strict curfew is an extreme measure, but it is sometimes done.   SEP offers the ability to take similar drastic action with System Lockdown.

How to utilize SEP 12.1 for Incident Response – PART 2

What about Download Insight?  And the Mail Plug-In Components?

These are specialized divisions of the police force, whose duties focus them on one specific area.   Think of that as Special Branch watching the train station, questioning shady-looking newcomers to ensure they are not up to no good.  (Download Insight scans certain executable file types when they arrive through particular portals, stepping in to block those who have a bad or unknown reputation)

Symantec Endpoint Protection 12: Insight

SEP’s mail plug-ins focus in on scanning the incoming email traffic.  They are a line of defense against mail-borne threats the same way that transit police maintain a presence only on the subway.

How about Private Investigators?

In certain instances it can be useful for third-party tools to be used to identify and bring down especially crafty adversaries.  Tools from Microsoft’s Sysinternals are an excellent example: they can provide a researcher with unbeatable insight into the murky depths of Windows Operating Systems.

Just like in countless books and movies, though, these third-parties can sometimes conflict with the official investigators.  It is a bad idea to attempt running more than one file-based scanning tool on a computer at one time, for instance.

Does all this Eliminate Crime?

There will be some level of crime even in a real-world walled city with a robust police force, FBI, border guards, bouncers and every other form of security personnel.  Incidents will occasionally happen.  The same is true of computers.

Cybercrime, like all crime, cannot ever completely be stamped out.  No matter what Symantec or any other security vendor does, there will be malware authors who will (for instance) send out mails with malicious “Financial Trojan” attachments designed to steal banking information.  These are sophisticated operations with their own QA departments who test that the newly-minted malware can evade the latest security products. Some of these new samples inevitably slip past defenses, for a short while at least.

What SEP (and real-world security) can do is reduce the risk.  A city defended only by a police force has a degree of security, but one protected by police, walls, and several agencies with specific focused missions is far safer.  The more components there are involved in the effort, the more effective it will be at preventing harm.  Use every protection you can!

Add or remove features to existing Endpoint Protection clients
Article URL: http://www.symantec.com/docs/TECH90936

The organized gangs of bad guys are unlikely to settle down and take up legitimate jobs, but ample defenses can prompt them to move on to another town.

Back to the Real World: After Deploying All SEP Components, What Else Can We Do?

  • Don’t be an easy target. Ultimately it is up to you to make sure that your doors and windows are locked, your valuables are secured, and that careless behavior does not make crime easy.  The computer equivalent is to keep computers patched, ensure passwords are unique and strong, and that employees are trained against the approaches that malware takes today.
  • Be familiar with what’s going on in the threat landscape.  To be aware of your attackers’ tactics, techniques and trends, read sources of information like the annual Internet Security Threat Report, the monthly Symantec Intelligence Report and Symantec’s Security Response Blog.
  • Be familiar with what is going on in your environment.  The Symantec Endpoint Protection Manager (SEPM) is a fantastic source of intelligence about malicious and suspicious activity in your network.  Its reporting and alerting capabilities can inform administrators of suspicious files and infected computers in the network.  See Using SEPM Alerts and Reports to Combat a Malware Outbreak for examples.
  • Have a plan in place.  Respond to threats. If suspicious activity is seen, react to it!

Virus removal and troubleshooting on a network

  • Identify and submit undetected samples to Security Response.  There are approximately one million new malicious files created per day.  Security Response can build defenses against them once we have received a copy.   See Symantec Insider Tip: Successful Submissions for details, and be aware that new Rapid Release definitions are released approximately every hour in response to the latest known malicious files.  Definitely a good idea to implement these at your mail gateway!
  • Learn from incidents and developments so you do not get hit again.

The Day After: Necessary Steps after a Virus Outbreak


Many thanks for reading!  If you’d like to do some additional reading, this article’s title is a play on Gold Dagger Award winner Gene Kerrigan’s fantastic crime novel Dark Times in the City. Well worth tracking down!

Symantec SEP 12.1 RU6 is now available!


SEP 12.1 RU6 (12.1.6168.6000) is now available on Flexnet to download.

New fixes in Symantec Endpoint Protection 12.1.6:

Some fixes that concern me:

1. Blue screen appears on SEP client machines

Fix ID: 3584396

Symptom: Symantec Endpoint Protection client computer experiences a blue screen error with BugCheck 50.

Solution: Resolved an issue with a change in the SRTSP (AP) module that caused the blue screen.

2. GUP fails to retrieve content from SEPM with error: “GUProxy – not enough memory”

Fix ID: 3652490

Symptom: The Symantec Endpoint Protection client cannot download the full definition contents (full.zip) when multiple concurrent full.zip downloads are in progress from the Group Update Provider.

Solution: Added support for multiple concurrent full.zip content downloads from the Group Update Provider.

3. Blue screen error after upgrading SEP

Fix ID: 3649959

Symptom: A blue screen occurs with BugCheck 3b on Symantec Endpoint Protection client, which points to a SymEFA component.

Solution: Fixed a performance issue which caused the blue screen.

more to see: