How to create custom policies in SEPM to prevent a threat from spreading

Article Id: 178118
Status: Published
Updated On: 12-01-2010 03:57
Legacy Id: TECH97909
Products:
Endpoint Protection
Issue/Introduction:

There is a threat in your environment, and you want to know how best to use SEPM to keep the threat from spreading to other systems.

Symptoms
You have systems in your environment that are suspected or known to be infected. You would like to isolate the clients to prevent the spread of any malware that may be present on those systems.


Resolution:

The solution involves three main steps: Creating a new group to isolate the clients, creating a series of policies and assigning those policies to the new group, then assigning clients to the group.


1. Create a group in the SEPM that will be used to isolate the clients

    1. Click on Clients
    2. Click on Add Group... and give the group a name that will stand out such as "At Risk Systems"

2. Create policies to limit the scope of the threat
    Block access to the URL or IP address the threat is communicating with
    1. Click on Policies > Firewall
    2. Click on Add a Firewall Policy
      Alternately, you can modify an existing policy
      1. Select that policy
      2. Choose Copy the Policy
      3. Click on Paste a Poicy
      4. Highlight the copy
      5. Choose Edit the policy
    3. Change the Policy Name (i.e. "At Risk Systems Firewall policy")
    4. Click on Rules
    5. Click Add a Blank Rule
    6. With the new rule highlighted, click on Move Up multiple times until it is at the top of the list
    7. Right-click in the Host column for this new rule, and select Edit
    8. In the remote section click Add
      - If the threat is using URL names for communication, select DNS domain, enter the URL, then click OK. Repeat this step if there are multiple URLs in use.
      - If the threat is using multiple different IP addresses, select IP address, enter the address, then click OK. Repeat this step for each different IP address.
      - If the threat uses a range of IP addresses, select IP Range, enter the range of IP addresses, then click OK.
    9. Click OK
    10. Right-click in the Action column for this rule, and select Block
    11. (Optional) Right-click in the Logging column for this rule, and select Write to Packet Log
    12. Click OK
    13. Right-click on the Policy, and choose Assign
    14. Check the box for the group created earlier, and click Assign

    If you see excessive traffic to or from particular ports related to a threat, you can block those ports with Firewall rules
    1. Click on Policies > Firewall
    2. Click on Add a Firewall Policy
      Alternately, you can modify an existing policy:
      1. Select that policy
      2. Choose Copy the Policy
      3. Click on Paste a Poicy
      4. Highlight the copy
      5. Choose Edit the Policy
    3. Change the Policy Name (i.e. "At Risk Systems Firewall policy")
    4. Click on Rules
    5. Click Add a Blank Rule
    6. With the new rule highlighted, click on Move Up multiple times until it is at the top of the list
    7. Add a Service for the rule to trigger on:
      1. Right-click in the Service column for this new rule
      2. Click Add
      3. Verify the Protocol is set to TCP, and that Local/Remote is selected
      4. In the Remote Port field, enter the port that is being used by the threat (i.e. 12345)
      5. For Direction, select Outgoing
      6. Click OK
    8. Right-click in the Action column for this rule, and select Block
    9. (Optional) Right-click in the Logging column for this rule, and select Write to Packet Log
    10. Click OK
    11. Right-click on the Policy, and choose Assign
    12. Check the box for the group created earlier, and click Assign

    Notes:
    • If the traffic is inbound to a local port, create the rule as above, but enter the port number in the Local Port field (leaving Remote Port empty), and select Incoming as the direction
    • If the threat spreads through open shares, block all incoming traffic to ports 137 and 445
    • Be careful when blocking the ports needed by SEP for communication (Ports used for communication in Symantec Endpoint Protection 11.0), or any ports necessary for other types of communication ( i.e. 20, 21, 80, etc.). This can cause critical applications not to communicate as needed

    If Application and Device Control (ADC) is installed, and a filename is known, you can create an ADC rule to prevent the suspected file from executing. Refer to How to use Application and Device Control to limit the spread of a threat for details.

    If the threat uses autorun.inf (aka AutoPlay), disable it. See How to prevent a virus from spreading using the "AutoRun" feature for more information.

3. Assign the clients to the new group
    1. Click on Clients
    2. On the Clients tab, select the client(s) to be moved
    3. Choose Move Clients
    4. Select the group created earlier
    5. Click OK