Best Practices for network vulnerability scans with Endpoint Protection clients



Article ID: 164710


Updated On:

Products

Endpoint Protection

Issue/Introduction

This document describes the challenges of running network vulnerability scans when the Symantec Endpoint Protection (SEP) client is installed on the scanner computer, and/or the target computers of the scan.

Cause

Vulnerability scanners test computers and applications for vulnerabilities. They probe target computers to find open network ports and send network traffic to determine what applications and services are listening on those ports. They interrogate the applications and services to detect version and configuration information and send simulated exploits of known vulnerabilities. If an application or service shows evidence it is running a vulnerable version or configuration, or responds to the simulated attacks as if it were vulnerable, the scanner provides feedback, usually in the form of a report showing this.

The SEP client protects computers against these same vulnerabilities. It uses several protection technologies to detect network traffic that appears to be related to known threats and vulnerability exploits, as well as application behavior that appears suspicious. The SEP client detects and blocks this activity, causing false negatives for the vulnerability scanner and generating notifications to users and administrators that appear to show a compromised computer or application.

If SEP is installed on the vulnerability scanner computer, the Intrusion Prevention System (IPS) component will block outbound network connections to target computers once it has determined the traffic appears malicious. The IPS component on the target computers will block network traffic to or from the vulnerability scanner computer that appears malicious as well. If the network traffic doesn't trigger an IPS detection, it may trigger a Behavior-Based Protection (SONAR) detection based on apparent malicious process activity.

Resolution

Review these methods to see which will work best in your environment.

Excluded Hosts exceptions

Adding an Excluded Hosts list to the IPS policy of the scanner and target computers is the simplest method, and can be accomplished with little administrative overhead. If possible, the Excluded Hosts lists should be removed during normal operation.

This method only prevents the IPS component from blocking network traffic, so the SEP client's Auto-Protect network scanning can still block Server Message Block (SMB) based communications, and the SONAR engine can still block suspicious process activity triggered by the scan. It also prevents IPS from blocking real attacks to or from the computers in the Excluded Hosts list. Because of this, it is only recommended when the other methods in this document are not feasible.

To use Excluded Hosts exceptions:

  1. Create an IPS policy for the vulnerability scan target computer(s) that includes the IP address(es) of the vulnerability scanner(s) in the Excluded Hosts list.
  2. Temporarily turn off IPS on the scanner(s) while performing the scans.

For more information on configuring Excluded Hosts, see Setting up a list of excluded computers (broadcom.com).

Note: Port Scan detections are not excluded by using Excluded Hosts in ICDm/SES. For more information, see Handling Port Scan Detections in Symantec Endpoint Protection 14.x (broadcom.com).

SEP location-based policy method

You can isolate the target computers by creating a location within the Symantec Endpoint Protection Manager (SEPM) with a set of policies that disable the protection technologies that will potentially block the vulnerability scanner.

  1. Create a "quarantine" firewall policy with the following rules:
    1. Allow all traffic from remote hosts that match the vulnerability scanner(s) IP addresses
    2. Block all other traffic
  2. Create a "quarantine" Intrusion Prevention policy with IPS disabled
  3. Create a "quarantine" Virus and Spyware Protection policy with Auto-Protect and SONAR disabled

Move the target computers into the location that applies the above policies during the vulnerability scan. After the scan completes, move the clients back into their default location.

Isolated network segment method

This method relies on third-party network equipment that supports Virtual LAN (VLAN) capabilities. Create an isolated VLAN and move the scanner computers into that VLAN. When necessary, move target computers into the same isolated VLAN and disable the Firewall, IPS, Auto-Protect and SONAR components during the scan. After the scan completes, re-enable all protection technologies on the target computers and move them out of the isolated VLAN.