
Lumension Endpoint Management and Security Suite v7.1
AntiVirus Module Evaluation Guide

April 2011
v1.0

Copyright 2009, Lumension

Lumension Endpoint Management and Security Suite: AntiVirus Module

Table of Contents

Introduction
    Module Description
    Objective
Evaluation Scenarios
    Prepare Test Environment
        Server Tasks
        Endpoint Tasks
        Review Results
    Use Scan Now to Detect Malware
        Server Tasks
        Endpoint Tasks
        Review Results
    Enable Real-Time Monitoring
        Server Tasks
        Endpoint Tasks
        Review Results
    Scheduled Scanning
        Server Tasks
        Endpoint Tasks
        Review Results
    Review Custom Dashboard
        Server Tasks
        Endpoint Tasks
        Review Results

www.lumension.com Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance


Introduction
This document is designed to assist you in implementing the Lumension Endpoint Management and Security Suite (L.E.M.S.S.) v7.1 AntiVirus Module and to serve as an ongoing record of your observations and feedback during the evaluation process.

Module Description
Lumension AntiVirus is based on proven technology that incorporates a pioneering and industry-leading anti-malware engine to provide protection against all malware, including viruses, Trojans, rootkits, spyware and adware. It provides advanced protection via traditional signature-matching capabilities as well as innovative proactive technologies which provide protection against zero-day threats. These include the following capabilities:
- DNA Matching (partial signature matching) detects components of malware that have been re-used from previous attacks.
- Exploit Detection (hidden malware search) detects and stops concealed malware that has been injected into otherwise benign file types such as PDFs.
- SandBox (behavioral analysis) runs suspect executables in a safe emulation environment to look for malicious behavior and identify sophisticated zero-day malware.

Lumension AntiVirus provides an important layer in a comprehensive defense-in-depth endpoint security strategy:
- Block Known and Unknown Malware: Prevent viruses, worms, Trojans and other types of malware such as keyloggers, hijackers and rootkits from wreaking havoc on endpoints.
- Comprehensive Malware Removal: Ensure that any detected malware is removed or quarantined and not allowed to remain on network assets.
- Integrated Module for Defense-in-Depth: Improve endpoint security effectiveness without impacting productivity via the industry's first intelligent application whitelisting solution.

Objective
The plan is to implement this solution on a small group of endpoints. The task list includes the following:
1. Prepare the test environment
2. Scan endpoints for virus and malware and review alerts
3. Set up a real-time AV monitoring policy
4. Set up a scheduled AV scanning policy
5. Set up a custom dashboard to monitor AV policy results


Evaluation Scenarios
Prepare Test Environment
Business Context: Install the L.E.M.S.S. v7.1 software onto the server and the L.E.M.S.S. agent onto a small group of endpoints, per the L.E.M.S.S. v7.1 platform evaluation guide. Once installed, create an additional AV Administrator role for someone to be in charge of AntiVirus policies. Next, deploy the AntiVirus agent update to endpoint agents. Finally, create custom groups for test endpoints.

Expected Outcome: L.E.M.S.S. v7.1 and the AntiVirus module are fully operational and ready for evaluation on the server and a small group of endpoints. A new role has been defined on the server for the purpose of enforcing IT security and administration of AntiVirus policies. A custom group of endpoints has been created for group management purposes.

SERVER TASKS
1. Navigate to Tools > Users/Roles and select the Roles tab
2. Click the Create button
3. Enter a name for the role (e.g. AV Manager) and use the Manager role as a template
4. On the Access Rights tab, remove all rights in the Jobs, Content, Application Control, and Application Library sections
5. Click OK
6. Verify that the new role was created
7. Go to the Users tab and click Create
8. Click Next and enter the user name AVpolicyManager
9. Enter any password you like and select the newly created role
10. Click Finish
11. Verify that the new user has been created


12. Next, navigate to Manage > Endpoints and select the endpoint(s) where you want to install the Anti-Virus components
13. Click on the Manage Modules menu option and select the Anti-Virus module
14. Click OK
15. Verify on the Manage > Endpoints screen that the LAV module changes from No to Pending
19. When complete, the module is installed on the endpoint


ENDPOINT TASKS
1. Log on to an endpoint which you selected to add the Anti-Virus module to
2. Click on the Lumension EMSS Agent Control Panel icon in the system tray
3. Validate that the Virus and Malware component has been installed

REVIEW RESULTS


Use Scan Now to Detect Malware


Business Challenge: Endpoints which have been in use for any length of time are likely to have gathered some amount of malware. As we prepare to implement new endpoint security, it is important to detect and remove any known malware which resides on the endpoints.

Business Context: Now that the environments have been set up, run a detailed scan to make sure they are clean of known malware. This clean-up procedure is an important first step in the Lumension Intelligent Whitelisting process.

Expected Outcome: The AV scan is initiated and running (perhaps not yet completed). The scan will be a thorough scan (memory, boot sectors, all attached drives, etc.) and will run one time only. This in-depth scan should complete on all endpoints and any alerts found should be viewable on the L.E.M.S.S. v7.1 server.

SERVER TASKS
1. From the navigation menu, select Discover > Scan Now Virus and Malware Scan to display the Scan Now wizard
   a. Give your policy a unique name
   b. Select Immediately from the scheduling settings
2. Press Next and add your endpoint group to the target list to be included in the scan
   a. Use the default settings already selected
3. Press Next to move to the Scan Options page
   a. Select Override the endpoint virus and malware scan policy with the following:
   b. Select Attempt to clean then quarantine then delete from the dropdown; this will ensure that the endpoint is completely cleaned of known malware
   c. Check the Use sandbox box; this will detect previously unknown malware based on its behavior
   d. Check the Scan boot sectors box; this will protect against malware which attempts to evade AV by hiding in the boot sector, which is a very common attack vector
   e. Check the Scan archives box; this will ensure that no latent malware escapes undetected
   f. Check the Scan memory box; this will protect against malware which is resident in memory, another common attack vector
   g. Select the Detailed logging level; this will provide the AV admin with the details needed to triage the response, ascertain root cause, and track trends
4. Press Next to move to the Exclude Files or Paths page
   a. Select Scan all local drives excluding the following paths/files:
   b. Enter the file name wsusscn2.cab and press Exclude; this will reduce scanning time by omitting known good files
   c. Select Scan locally-attached media from the optional drives settings; this will ensure that any and all drives (e.g., removable HD) are also scanned
5. Press Finish and validate that the AV Scan Now task has been created
6. Navigate to Manage > Deployments and Tasks and validate that your AV Scan Now task has been created and that it is running


ENDPOINT TASKS
1. Log on to an endpoint which you selected as a target in the Scan Now task
2. Click on the Lumension EMSS Agent Control Panel icon in the system tray
3. Validate that the Virus and Malware Scan is in progress
   a. The header should state that the Virus and Malware Scan is in progress
   b. Files Scanned should be increasing
   c. Infections found will show the test virus files if they were discovered
   d. Expand the Virus and Malware scan summary section to see the status of infected files


REVIEW RESULTS
1. Navigate to the Review > Virus and Malware Event Alerts page
2. Confirm alerts were received from the target endpoint(s)


Enable Real-Time Monitoring


Business Challenge: The malware threat faced by your organization is often targeted at employees via phishing emails or poisoned websites. In order to protect your organization, you must prevent infected files from getting onto the endpoints. While scheduled scans do a good job of preventing and cleaning malware, you need continuous detection and removal protection against suspect files which an end user might download or open on an everyday basis.

Business Context: Create an AntiVirus policy to review files as they are opened, and to automatically clean any infected files. Use the SandBox technology to augment protection against malware without an existing signature (e.g., zero-day threats).

Expected Outcome: The real-time scan is assigned to all common-use computers as well as the L.E.M.S.S. v7.1 server. The scan policy is applied and all endpoints have real-time scanning enabled and active (as reflected by the contents of the AV tab in the agent control panel).

SERVER TASKS
1. Navigate to Manage > AntiVirus Policies
2. Press the Create button and select Real-time Monitoring Policy to create a Real-time Monitoring policy for your Public Use Desktops group. Use the following settings:
   a. Give your policy a unique name
   b. Select Attempt to clean then quarantine then delete from the Scanning options; this will ensure that the endpoint is completely cleaned of known malware
   c. Check the Use sandbox box from the Scanning options, and change Normal to Extended in the associated dropdown; this will detect previously unknown malware based on its behavior
   d. Select Scan on both read/execute from the Local user settings; this will protect against all end user actions
   e. Select Scan on write from the Services and Remote users settings; this will protect against certain types of remote attacks
   f. Enable this policy for immediate activation
3. Press Next to move to the Exclude Files or Paths page
   a. Enter a path to be excluded from the policy (c:\AVtest\)
   b. Press the Exclude button to confirm the path entered above
   c. Select Scan locally-attached media to be included in the real-time monitoring; this will ensure that any and all drives (e.g., removable HD) are also scanned
4. Press Next and assign the policy to the custom group you just created
5. Press Finish and validate that the policy has been created and that it has been assigned
6. Review the policy and confirm the creation date and policy assignments are correct
7. Navigate to Manage > Groups, select your test group and confirm that the policy is assigned properly

ENDPOINT TASKS
1. Log on to an endpoint in your group (one of the endpoints to which you assigned the Real-time Monitoring Policy)
2. Click on the Lumension EMSS Agent Control Panel icon in the system tray
3. Validate that the Real-time Monitoring policy has been applied to this endpoint by selecting the AntiVirus tab
4. Create a new folder in the excluded path directory created in the Real-time Monitoring policy (c:\AVtest\), place an infected file there, and open it
   a. You can obtain a test virus file at http://eicar.org/anti_virus_test_file.htm
5. Confirm that no notification (balloon or pop-up) was displayed

REVIEW RESULTS

Verified that the test virus file exists in the AVtest directory

Scheduled Scanning
Business Challenge: Malware infections can lead to performance and productivity issues, and may even lead to a data breach which compromises your valuable corporate IP or customer data. Real-time scanning is an important layer of defense against malware, but is generally not as in-depth due to performance concerns. So it is important to include a periodic deep scan which ensures a clean environment.

Business Context: To provide another layer of defense against infected applications, a periodic in-depth scan of the endpoint is necessary.

Expected Outcome: The recurring scan is assigned to all common-use computers as well as the L.E.M.S.S. v7.1 server. The scan policy is applied and all endpoints have a recurring scheduled scan enabled and active.

SERVER TASKS
1. Navigate to Manage > AntiVirus Policies
2. Press the Create button and select Recurring Virus and Malware Scan to create a scheduled scanning policy for your Public Use Desktops group. Use the following settings:
   a. Give your policy a unique name
   b. Set the Scheduling interval; for purposes of this evaluation, run it every other day
   c. Set the Activation to Enable so that this policy takes effect immediately (per the schedule selected above) once this creation process is finished
3. Press Next and set the scan options
   a. Scanning options for virus detection:
      - Select Attempt to clean then quarantine then delete from the dropdown; this will ensure that the endpoint is completely cleaned of known malware
      - Check Use sandbox; this will detect previously unknown malware based on its behavior
      - Check Scan Boot Sectors; this will protect against malware which attempts to evade AV by hiding in the boot sector, which is a very common attack vector
      - Check Scan archives; this will ensure that no latent malware escapes undetected
      - Uncheck Scan memory; memory scanning protects against malware which is resident in memory, another common attack vector
   b. Logging level: select the Detailed logging level; this will provide the AV admin with the details needed to triage the response, ascertain root cause, and track trends
4. Select Scan all local drives in order to ensure no malware is resident on secondary drives (e.g., external HD). Alternatively, select Scan all local drives excluding the following paths/files to reduce overall scan time.
   a. Enter a path to be excluded from the policy (c:\AVtest\)
   b. Press the Exclude button to confirm the path entered above. Note that you could Import an XML file containing multiple files/paths for exclusion instead; this is especially useful in large environments
5. Select Scan locally-attached media; this will ensure that any and all drives (e.g., removable HD) are also scanned
6. Press Next and assign the policy to the custom group you just created
7. Press Finish and validate that the policy has been created and that it has been assigned
8. Review the policy and confirm the creation date, logging settings and policy assignments are correct
9. Navigate to Manage > Groups, select your test group and confirm that the policy is assigned properly
   a. Right click on this group and select AntiVirus Policies


ENDPOINT TASKS
1. Create a new folder in the excluded path directory created in the Real-time Monitoring policy (c:\AVtest\), place an infected file there, and open it
   a. You can obtain a test virus file at http://eicar.org/anti_virus_test_file.htm
2. After the scheduled time, confirm that there were no notifications of virus infection
3. Move the AVTest folder to another location on the endpoint
   a. Validate the virus removal after the next scheduled scan
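The endpoint test above, and the same test in the Real-time Monitoring section, can be scripted so that the "file survives in the excluded path, file is removed once moved out" behaviour is checked rather than eyeballed. This is an added PowerShell example, not part of the Lumension guide or product; it assumes the guide's excluded path C:\AVtest\, a constructed non-excluded destination C:\AVtest-moved, and the two helper functions New-EicarFile and Wait-FileRemoved are the author's own names.

```powershell
# Added example, not from the Lumension guide: automates the endpoint test shared
# by the Real-time Monitoring and Scheduled Scanning sections using the EICAR
# test file. Assumes the guide's excluded path C:\AVtest\ and a constructed,
# non-excluded destination C:\AVtest-moved (both adjustable via parameters).
param(
    [string]$ExcludedPath = 'C:\AVtest',        # excluded in the AV policy (from the guide)
    [string]$MovedPath    = 'C:\AVtest-moved',  # NOT excluded; constructed for this example
    [int]$WaitSeconds     = 120                 # how long to wait for the scan to act
)

# The EICAR pattern is the industry-standard harmless AV test string. A scanner
# only recognises it when it is the first 68 bytes of the file, so write it as
# plain ASCII with no BOM and no trailing newline.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function New-EicarFile {
    param([string]$Directory)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory 'eicar.com'
    [System.IO.File]::WriteAllBytes($file, [System.Text.Encoding]::ASCII.GetBytes($Eicar))
    return $file
}

function Wait-FileRemoved {
    # Polls until the file is gone (cleaned, quarantined or deleted) or the timeout lapses.
    param([string]$Path, [int]$Seconds)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $Path)) { return $true }
        Start-Sleep -Seconds 5
    }
    return (-not (Test-Path -LiteralPath $Path))
}

$testDir = Join-Path $ExcludedPath 'eicar'
if (Test-Path -LiteralPath (Join-Path $MovedPath 'eicar')) {
    throw "Stale folder $(Join-Path $MovedPath 'eicar') exists; remove it before re-running."
}

# Guide step 1: place the test file inside the excluded path and open it.
$testFile = New-EicarFile -Directory $testDir
Get-Content -LiteralPath $testFile -ErrorAction SilentlyContinue | Out-Null   # exercises the on-read hook

# Guide step 2: inside an excluded path the file must survive. Removal here means
# the exclusion is not in effect, so the policy assignment needs checking.
if (Wait-FileRemoved -Path $testFile -Seconds 30) {
    Write-Warning "Test file was removed from $ExcludedPath; the exclusion is NOT being honoured."
} else {
    Write-Output "OK: test file persists in excluded path $ExcludedPath."
}

# Guide step 3: move the folder out of the excluded path. Real-time monitoring
# (scan on read/write) or the next scheduled scan should now remove the file.
New-Item -ItemType Directory -Path $MovedPath -Force | Out-Null
Move-Item -LiteralPath $testDir -Destination $MovedPath
$movedFile = Join-Path (Join-Path $MovedPath 'eicar') 'eicar.com'
Get-Content -LiteralPath $movedFile -ErrorAction SilentlyContinue | Out-Null

if (Wait-FileRemoved -Path $movedFile -Seconds $WaitSeconds) {
    Write-Output "OK: test file removed from $MovedPath; check Review > Virus and Malware Event Alerts for the alert."
} else {
    Write-Warning "Test file still present after $WaitSeconds s; with a scheduled policy, re-check after the next scan window."
}
```

With a Real-time Monitoring policy the second check should pass within seconds; with only a Recurring scan policy, re-run the check (or the Wait-FileRemoved function) after the next scheduled scan window.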

REVIEW RESULTS

AVtest folder has been cleaned of the test virus

Review Custom Dashboard


Business Challenge: As the number of point security solutions proliferates, so do the number of consoles and the amount of data which must be reviewed. Organizations need to have all the right information at their fingertips in order to maintain a secure network.

Business Context: To provide the right information to the right people, customizable dashboards which address the issues of particular interest are crucial. In organizations where a single admin monitors multiple solutions, having the most important information from them all in a single dashboard is desirable; in organizations where each admin monitors their own area, the ability to limit the flow to only relevant information is desirable.

Expected Outcome: A customized dashboard with all relevant information located where desired.

SERVER TASKS
1. Click on the Configure dashboard settings option in the upper right corner of the screen
2. Select the dashboard elements you would like on your dashboard
3. Place the elements where you would like them to be on your dashboard

ENDPOINT TASKS
N/A

REVIEW RESULTS
