The solution involves three main steps: creating a new group to isolate the clients, creating a series of policies and assigning those policies to the new group, and then assigning clients to the group.
1. Create a group in the SEPM that will be used to isolate the clients
- Click on Clients
- Click on Add Group and give the group a name that will stand out such as "At Risk Systems"
2. Create policies to limit the scope of the threat
Block access to the URL or IP address the threat is communicating with:
- Click on Policies >Firewall
- Click on Add a Firewall Policy. Alternately, you can modify an existing policy:
- Select that policy
- Choose Copy the Policy
- Click on Paste a Policy
- Highlight the copy
- Choose Edit the Policy
- Change the Policy Name (e.g. "At Risk Systems Firewall policy")
- Click on Rules
- Click Add a Blank Rule
- With the new rule highlighted, click on Move Up multiple times until it is at the top of the list
- Right-click in the Host column for this new rule, and select Edit
- In the remote section click Add
- If the threat is using URL names for communication, select DNS domain, enter the URL, then click OK. Repeat this step if there are multiple URLs in use.
- If the threat is using specific IP addresses, select IP address, enter the address, then click OK. Repeat this step for each IP address in use.
- If the threat uses a range of IP addresses, select IP Range, enter the range of IP addresses, then click OK.
- Click OK
- Right-click in the Action column for this rule, and select Block
- (Optional) Right-click in the Logging column for this rule, and select Write to Packet Log
- Click OK
- Right-click on the Policy, and choose Assign
- Check the box for the group created earlier, and click Assign
If you see excessive traffic to or from particular ports related to a threat, you can block those ports with Firewall rules:
- Click on Policies > Firewall
- Click on Add a Firewall Policy. Alternately, you can modify an existing policy:
- Select that policy
- Choose Copy the Policy
- Click on Paste a Policy
- Highlight the copy
- Choose Edit the Policy
- Change the Policy Name (e.g. "At Risk Systems Firewall policy")
- Click on Rules
- Click Add a Blank Rule
- With the new rule highlighted, click on Move Up multiple times until it is at the top of the list
- Add a Service for the rule to trigger on: right-click in the Service column for this new rule, and click Add
- Verify the Protocol is set to TCP, and that Local/Remote is selected
- In the Remote Port field, enter the port that is being used by the threat (e.g. 12345)
- For Direction, select Outgoing
- Click OK
- Right-click in the Action column for this rule, and select Block
- (Optional) Right-click in the Logging column for this rule, and select Write to Packet Log
- Click OK
- Right-click on the Policy, and choose Assign
- Check the box for the group created earlier, and click Assign
3. Assign the clients to the new group
- Click on Clients
- On the Clients tab, select the client(s) to be moved
- Choose Move Clients
- Select the group created earlier
- Click OK
Notes:
- If the traffic is inbound to a local port, create the rule as above, but enter the port number in the Local Port field (leaving Remote Port empty), and select Incoming as the direction
- If the threat spreads through open shares, block all incoming traffic to ports 137 and 445
- Be careful when blocking the ports needed by SEP for communication (see Ports used for communication in Symantec Endpoint Protection), or any ports necessary for other types of communication (e.g. 20, 21, 80). Blocking these can prevent critical applications from communicating as needed.
If Application and Device Control (ADC) is installed, and a filename is known, you can create an ADC rule to prevent the suspected file from executing.
Refer to How to use Application and Device Control to limit the spread of a threat for details.
If the threat uses autorun.inf (aka AutoPlay), disable it. See How to prevent a virus from spreading using the "AutoRun" feature.