Learn how to deploy Symantec Endpoint Protection 14 in a retail point-of-sale (POS) environment with fixed function endpoints.
This document describes the recommended configuration for running Symantec Endpoint Protection 12.1 on Windows point-of-sale (PoS) devices. Symantec recommends that PoS devices use the following Symantec Endpoint Protection technologies:
Point-of-sale devices may have different operating systems. Symantec Endpoint Protection 12.1 fully supports different Windows operating systems, including Windows Embedded, which is commonly used on PoS devices.
Note: If the PoS device is running a non-Windows operating system, Symantec Embedded Security: Critical System Protection product may be used as an alternative.
One of the most important security practices to implement on a PoS device is to restrict the use of unapproved applications that are allowed to run on the PoS device. You can restrict unapproved applications using Application Control and System Lockdown.
System Lockdown enables blacklisting or whitelisting capabilities. The whitelisting mode allows you to tightly control which applications are allowed to run on the endpoint. Approved applications are contained in a list of fingerprints that include checksums and locations of applications that are approved for use.
Implementing System Lockdown is a two-step process. First, you create a fingerprint list, and then you import the list into the Symantec Endpoint Protection Manager (SEPM) for use in the System Lockdown policy.
To generate the file fingerprint list, use the checksum tool included in the Symantec Endpoint Protection client installation. Symantec recommends that you create a software image that includes all of the applications to whitelist on the PoS devices, and then use this image to create a file fingerprint list.
For more information on enabling System Lockdown for whitelisting, see Configuring system lockdown.
For more information on excluding Symantec Endpoint Protection definition files, see Symantec Endpoint Protection system lockdown blocks definitions updates.
Applications can be restricted with Application Control. Application Control must include not only the PoS applications, but also the required operating system applications that the PoS device runs at startup. You configure Application Control to first monitor which applications the device runs, and then create a rule that allows these applications to run. You allow an application by specifying its full path and name.
Using these three rules will allow only specific known applications to run by file name and path. It will block other applications on the PoS device from running, even if the other applications are valid applications. The advantage of this blocking is that attackers will sometimes use valid applications that are on the PoS device, but are not normally used, to attack the system. As an example, they may use applications like cmd.exe, cscript.exe, or even telnet.exe.
For more information, see Configuring Application and Device Control.
In addition to fully restricting unapproved applications, you can use Application Control to limit the attack surface on the device. The Application Control policy includes templates with predefined rule sets to block behaviors known to be malicious. Best practices would include enabling some of these rule sets on your PoS device to block malicious application behaviors.
For information on what these rule sets do, see Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security.
In most PoS devices, there are only few applications that require access to network. These applications need access to specific ports only, either inbound or outbound. As a rule of thumb, you should restrict which applications are allowed to communicateon the network and what they are allowed to do. When communication is restricted, even if an untrusted application gets on the system, it will not be allowed to send any data from the PoS device.
For more information on creating and managing the firewall rules, see Managing firewall protection.
Restricting which applications are allowed to run can offer enhanced protection. However, Symantec recommends that you also enable anti-malware protection to detect known malware files. This is useful for a number of reasons. First, when Application Control or System Lockdown blocks an application, only the file attributes, such as name, path, and size, are stored. However, if the file is a known malware file, Symantec Endpoint Protection can detect and log the file as malware by using anti-malware technologies. Furthermore, anti-malware technologies block malware other than applications, such as scripts and macros, whereas Application Control and System Lockdown may not be configured to block those scripts or macros.
For advanced anti-malware protection, installing just the antivirus component won’t be enough. You should also enable memory exploit mitigation, SONAR, Insight, and IPS. Symantec Endpoint Protection installs and enables all of these technologies by default.
Note: Both Insight and SONAR require Internet access to leverage reputation data from Symantec’s Global Intelligence Network. Depending on your policy, it may not be optimal for PoS devices to access the Internet for reputation data. In this case, install and set up Symantec Insight for Private Clouds. Symantec Insight for Private Clouds allows PoS devices to look for reputation data without requiring access to the Internet.
For more information on how to configure Symantec Insight for Private Clouds, see Configuring Symantec Endpoint Protection Manager to work with a private Insight server.
Starting with Symantec Endpoint Protection 12.1.6 Symantec introduced options for a reduced-size installation package for Windows Embedded clients and virtual desktop infrastructure (VDI) clients. The reduced-size client is approximately 80 percent to 90 percent smaller on disk than standard-size Windows clients. The following articles provide more information on the reduced size client installation packages as well as information on Embedded support.
The Symantec Endpoint Protection client uses signatures and virus definition files as part of the antivirus engine. These signatures and virus definition files are referred to as content. All content is available on LiveUpdate™ and is periodically updated. If you do not install all of the technologies of the Symantec Endpoint Protection client, you can remove some of the content from the client installation package.
You can remove the largest content files when you export the client package from Symantec Endpoint Protection Manager using the Basic Content option on the Export a Client Install Package task. In addition, you can remove all content from the client installation package. The client then downloads only the required content when LiveUpdate runs on the PoS device. Since only the required content is downloaded, the client requires less disk space on the PoS device.
For version 12.1.6 and later, install a reduced-size installation package for Windows Embedded clients and virtual desktop infrastructure (VDI) clients. The reduced-size client is approximately 80 percent to 90 percent smaller on disk than standard-size Windows clients.
The Write Filter is a feature of the Windows Embedded client that may be enabled on different PoS devices. It can prevent changes to the disk (or flash) drive to ensure that the device is the same as the last time it started. When the Write Filter is enabled, any changes made are lost when the device restarts. In case an embedded system encounters an issue, you can simply restart the device to reset it.
For details on the Write Filter, see About Write Filters in Windows Embedded on Microsoft.com.
Symantec Endpoint Protection 12.1 has the ability to work with the Write Filter, but requires some changes. See Installing Endpoint Protection 12.1.5 and earlier on Windows Embedded Standard 7 with File Based Write Filter (FBWF).
If you are going to build an embedded image for redeployment, you need to remove some of the duplicate client identifiers. See Prepare Endpoint Protection clients for cloning
Point of Sale and other fixed function devices often perform critical functions and one needs use additional care when rolling out updates. Our engineers develop and deploys new security content (malware fingerprints, reputation data, behavioral rules, new heuristics, etc.) to Symantec’s tens of millions of customers, around-the-clock. Using all of this data and intelligence, the Security Response team generates virus definitions and signature content for all of our core security technologies (e.g spyware, adware, viruses, spam, etc). This content is maintained in the cloud-based infrastructure, and, where appropriate, pushed out to our customers computers via our patented LiveUpdate™ technology.Updates happen multiple times a day and include the latest threat definitions and occasionally new functionality or patches to the engines.
The use case and connectivity of the endpoint will determine how frequently one needs to update it with the latest content. For example a publicly accessible kiosk or ATM machine that is subject to physical as well as network based attacks may need to be updated more frequently than a device that sits deep in your network behind multiple layers of security.
The Symantec Endpoint Protection Manager and Symantec Endpoint Protection client support the following standard Windows operating systems:
Symantec Endpoint Protection supports the following Windows embedded operating systems:
Windows Embedded 8.1 Pro (32-bit and 64-bit) Support for Windows Embedded for Symantec Endpoint Protection, see Support for Windows Embedded for Symantec Endpoint Protection
This Symantec product may contain third-party software for which Symantec is required to provide attribution to the third party (“Third-Party Programs”). Some of the Third-Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third-Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third-Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.