AntiVirus Module Evaluation Guide
April 2011
v1.0
www.lumension.com Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance
Introduction
This document is designed to assist you in implementing the Lumension Endpoint Management and Security Suite (L.E.M.S.S.) v7.1 AntiVirus Module and to use as an ongoing record of your observations and feedback during the evaluation process.
Module Description
Lumension AntiVirus is based on proven technology that incorporates a pioneering and industry-leading anti-malware engine to provide protection against all malware, including viruses, Trojans, rootkits, spyware and adware. It provides advanced protection via traditional signature-matching capabilities as well as innovative proactive technologies which provide protection against zero-day threats. These include the following capacities:
- DNA Matching (partial signature matching) detects components of malware that have been re-used from previous attacks.
- Exploit Detection (hidden malware search) detects and stops concealed malware that has been injected into otherwise benign file types such as PDFs.
- SandBox (behavioral analysis) runs suspect executables in a safe emulation environment to look for malicious behavior and identify sophisticated zero-day malware.
Lumension AntiVirus provides an important layer in a comprehensive defense-in-depth endpoint security strategy:
- Block Known and Unknown Malware: prevent viruses, worms, Trojans and other types of malware such as keyloggers, hijackers and rootkits from wreaking havoc on endpoints.
- Comprehensive Malware Removal: ensure that any detected malware is removed or quarantined and not allowed to remain on network assets.
- Integrated Module for Defense-in-Depth: improve endpoint security effectiveness without impacting productivity via the industry's first intelligent application whitelisting solution.
Objective
The plan is to implement this solution on a small group of endpoints. The task list includes the following:
1. Prepare the test environment
2. Scan endpoints for virus and malware and review alerts
3. Set up a real-time AV monitoring policy
4. Set up a scheduled AV scanning policy
5. Set up a custom dashboard to monitor AV policy results
Evaluation Scenarios
Prepare Test Environment
Business Context: Install the L.E.M.S.S. v7.1 software onto the server and the L.E.M.S.S. agent onto a small group of endpoints, per the L.E.M.S.S. v7.1 platform evaluation guide. Once installed, create an additional AV Administrator role for someone to be in charge of AntiVirus policies. Next, deploy the AntiVirus agent update to the endpoint agents. Finally, create custom groups for the test endpoints.
Expected Outcome: L.E.M.S.S. v7.1 and the AntiVirus module are fully operational and ready for evaluation on the server and a small group of endpoints. A new role has been defined on the server for the purpose of enforcing IT security and administration of AntiVirus policies. A custom group of endpoints has been created for group management purposes.
SERVER TASKS
1. Navigate to Tools > Users/Roles and select the Roles tab
2. Click the Create button
3. Enter a name for the role (e.g., AV Manager) and use the Manager role as a template
4. On the Access Rights tab, remove all rights in the Jobs, Content, Application Control, and Application Library sections
5. Click OK
6. Verify that the new role was created
7. Go to the Users tab and click Create
8. Click Next and enter the user name AVpolicyManager
9. Enter any password you like and select the newly created role
10. Click Finish
11. Verify that the new user has been created
12. Next, navigate to Manage > Endpoints and select the endpoint(s) where you want to install the Anti-Virus components
13. Click on the Manage Modules menu option and select the Anti-Virus module
14. Click OK
15. Verify on the Manage > Endpoints screen that the LAV module changes from No to Pending
19. When complete, the module is installed on the endpoint
ENDPOINT TASKS
1. Log on to an endpoint which you selected to add the Anti-Virus module
2. Click on the Lumension EMSS Agent Control Panel icon in the system tray
3. Validate that the Virus and Malware component has been installed
REVIEW RESULTS
SERVER TASKS
1. From the navigation menu, select Discover > Scan Now > Virus and Malware Scan to display the Scan Now wizard
   a. Give your policy a unique name
   b. Select Immediately from the scheduling settings
2. Press Next and add your endpoint group to the target list to be included in the scan
   a. Use the default settings already selected
3. Press Next to move to the Scan Options page
   a. Select Override the endpoint virus and malware scan policy with the following:
   b. Select Attempt to clean then quarantine then delete from the dropdown; this will ensure that the endpoint is completely cleaned of known malware
   c. Check the Use sandbox box; this will detect previously unknown malware based on its behavior
   d. Check the Scan boot sectors box; this will protect against malware which attempts to evade AV by hiding in the boot sector, which is a very common attack vector
   e. Check the Scan archives box; this will ensure that no latent malware escapes undetected
   f. Check the Scan memory box; this will protect against malware which is resident in memory, another common attack vector
   g. Select the Detailed logging level; this will provide the AV admin with the details needed to triage the response, ascertain root cause, and track trends
4. Press Next to move to the Exclude Files or Paths page
   a. Select Scan all local drives excluding the following paths/files:
   b. Enter the file name wsusscn2.cab and press Exclude; this will reduce scanning time by omitting known good files
   c. Select Scan locally-attached media from the optional drives settings; this will ensure that any and all drives (e.g., removable HD) are also scanned
5. Press Finish and validate that the AV Scan Now task has been created
6. Navigate to Manage > Deployments and Tasks and validate that your AV Scan Now task has been created and that it is running
ENDPOINT TASKS
1. Log on to an endpoint which you selected as a target in the Scan Now task
2. Click on the Lumension EMSS Agent Control Panel icon in the system tray
3. Validate that the Virus and Malware Scan is in progress
   a. The header should state that the Virus and Malware Scan is in progress
   b. Files Scanned should be increasing
   c. Infections found will be populated if the test virus files were discovered
   d. Expand the Virus and Malware scan summary section to see the status of infected files
REVIEW RESULTS
1. Navigate to the Review > Virus and Malware Event Alerts page
2. Confirm alerts were received from the target endpoint(s)
SERVER TASKS
1. Navigate to Manage > AntiVirus Policies
2. Press the Create button and select Real-time Monitoring Policy to create a Real-time Monitoring policy for your Public Use Desktops group. Use the following settings:
   a. Give your policy a unique name
   b. Select Attempt to clean then quarantine then delete from the Scanning options; this will ensure that the endpoint is completely cleaned of known malware
   c. Check the Use sandbox box from the Scanning options, and change Normal to Extended in the associated dropdown; this will detect previously unknown malware based on its behavior
   d. Select Scan on both read/execute from the Local user settings; this will protect against all end user actions
   e. Select Scan on write from the Services and Remote users settings; this will protect against certain types of remote attacks
   f. Enable this policy for immediate activation
3. Press Next to move to the Exclude Files or Paths page
   a. Enter a path to be excluded from the policy (c:\AVtest\)
   b. Press the Exclude button to confirm the path entered above
   c. Select Scan locally-attached media to be included in the real-time monitoring; this will ensure that any and all drives (e.g., removable HD) are also scanned
4. Press Next and assign the policy to the custom group you just created
5. Press Finish and validate that the policy has been created and that it has been assigned
6. Review the policy and confirm the creation date and policy assignments are correct
7. Navigate to Manage > Groups, select your test group and confirm that the policy is assigned properly
ENDPOINT TASKS
1. Log on to an endpoint in your group (one of the endpoints to which you assigned the Real-time Monitoring Policy)
2. Click on the Lumension EMSS Agent Control Panel icon in the system tray
3. Validate that the Real-time Monitoring policy has been applied to this endpoint by selecting the AntiVirus tab
4. Create a new folder in the excluded path directory created in the Real-time Monitoring policy (c:\AVtest\), place an infected file there and open it
   a. You can obtain a test virus file at http://eicar.org/anti_virus_test_file.htm
5. Confirm that no notification (balloon or pop-up) was displayed
REVIEW RESULTS
Scheduled Scanning
Business Challenge: Malware infections can lead to performance and productivity issues, and may even lead to a data breach which compromises your valuable corporate IP or customer data. Real-time scanning is an important layer of defense against malware, but is generally not as in-depth due to performance concerns. So it is important to include a periodic deep scan which ensures a clean environment.
Business Context: To provide another layer of defense against infected applications, a periodic in-depth scan of the endpoint is necessary.
Expected Outcome: The recurring scan is assigned to all common-use computers as well as the L.E.M.S.S. v7.1 server. The scan policy is applied and all endpoints have a recurring scheduled scan enabled and active.
SERVER TASKS
1. Navigate to Manage > AntiVirus Policies
2. Press the Create button and select Recurring Virus and Malware Scan to create a scheduled scanning policy for your Public Use Desktops group. Use the following settings:
   a. Give your policy a unique name
   b. Set the Scheduling interval; for purposes of this evaluation, run it every other day
   c. Set the Activation to Enable so that this policy takes effect immediately (per the schedule selected above) once this creation process is finished
3. Press Next and set the scan options
   a. Scanning options for virus detection
      - Select Attempt to clean then quarantine then delete from the dropdown; this will ensure that the endpoint is completely cleaned of known malware
      - Check Use sandbox; this will detect previously unknown malware based on its behavior
      - Check Scan Boot Sectors; this will protect against malware which attempts to evade AV by hiding in the boot sector, which is a very common attack vector
      - Check Scan archives; this will ensure that no latent malware escapes undetected
      - Uncheck Scan memory; this will protect against malware which is resident in memory, another common attack vector
   b. Logging level
      - Select the Detailed logging level; this will provide the AV admin with the details needed to triage the response, ascertain root cause, and track trends
4. Select Scan all local drives in order to ensure no malware is resident on secondary drives (e.g., external HD). Alternatively, select Scan all local drives excluding the following paths/files to reduce overall scan time.
   a. Enter a path to be excluded from the policy (c:\AVtest\)
   b. Press the Exclude button to confirm the path entered above. Note that you could instead Import an XML file containing multiple files/paths for exclusion; this is especially useful in large environments
5. Select Scan locally-attached media; this will ensure that any and all drives (e.g., removable HD) are also scanned
6. Press Next and assign the policy to the custom group you just created
7. Press Finish and validate that the policy has been created and that it has been assigned
8. Review the policy and confirm the creation date, logging settings and policy assignments are correct
9. Navigate to Manage > Groups, select your test group and confirm that the policy is assigned properly
   a. Right-click on this group and select AntiVirus Policies
ENDPOINT TASKS
1. Create a new folder in the excluded path directory created in the Real-time Monitoring policy (c:\AVtest\), place an infected file there and open it
   a. You can obtain a test virus file at http://eicar.org/anti_virus_test_file.htm
2. After the scheduled time, confirm there were no notifications of virus infection
3. Move the AVTest folder to another location on the endpoint
   a. Validate the virus removal after the next scheduled scan
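The endpoint checks in this section and in the Real-time Monitoring section (EICAR copy inside c:\AVtest\ should survive, a copy outside the exclusion should be caught) can be made repeatable with the following PowerShell script, added here as an example and not part of the Lumension guide. It assumes the EICAR test file has already been downloaded from the URL above to C:\Temp\eicar.com, and uses a hypothetical C:\AVcontrol folder as the non-excluded control location.

```powershell
# Added example, not from the Lumension guide: copies the EICAR test file (downloaded
# from the URL in the guide) into the excluded path c:\AVtest\ and into a hypothetical
# non-excluded control folder, then watches whether the agent removes each copy.
param(
    [string]$TestFile    = 'C:\Temp\eicar.com',  # assumed download location
    [string]$ExcludedDir = 'C:\AVtest',          # exclusion configured in the policy
    [string]$ControlDir  = 'C:\AVcontrol',       # hypothetical non-excluded folder
    [int]$TimeoutSec     = 120                   # how long to wait for the agent to act
)

function Test-AvExclusion {
    param([string]$TestFile, [string]$ExcludedDir, [string]$ControlDir, [int]$TimeoutSec)
    if (-not (Test-Path $TestFile)) { throw "Test file not found: $TestFile" }
    foreach ($dir in @($ExcludedDir, $ControlDir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    $targets = @{ Excluded = Join-Path $ExcludedDir 'eicar.com'
                  Control  = Join-Path $ControlDir  'eicar.com' }
    $state = @{}
    foreach ($k in @($targets.Keys)) {
        # With "Scan on write" enabled the copy itself may be blocked; record that too.
        try   { Copy-Item $TestFile $targets[$k] -ErrorAction Stop; $state[$k] = 'Present' }
        catch { $state[$k] = 'BlockedOnWrite' }
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline -and ($state.Values -contains 'Present')) {
        foreach ($k in @($targets.Keys)) {
            if ($state[$k] -ne 'Present') { continue }
            # Reading the file exercises the "Scan on read/execute" setting of the policy.
            try { Get-Content $targets[$k] -ErrorAction Stop | Out-Null } catch { }
            if (-not (Test-Path $targets[$k])) { $state[$k] = 'Removed' }
        }
        Start-Sleep -Seconds 5
    }
    # Expected with the guide's policy: the excluded copy stays, the control copy does not.
    [pscustomobject]@{
        ExcludedPath      = $targets.Excluded
        ExcludedState     = $state.Excluded
        ControlPath       = $targets.Control
        ControlState      = $state.Control
        ExclusionHonoured = ($state.Excluded -eq 'Present')
        ControlDetected   = ($state.Control -ne 'Present')
    }
}

Test-AvExclusion -TestFile $TestFile -ExcludedDir $ExcludedDir -ControlDir $ControlDir -TimeoutSec $TimeoutSec
```

Run it once after the Real-time Monitoring policy is applied (short timeout) and again after the scheduled scan has run (timeout spanning the schedule); the returned object can be pasted into the Review Results section as the record of what the agent did.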
REVIEW RESULTS
SERVER TASKS
1. Click on the Configure dashboard settings option in the upper right corner of the screen
2. Select the dashboard elements you would like on your dashboard
3. Place the elements where you would like them to be on your dashboard
ENDPOINT TASKS
N/A
REVIEW RESULTS