How to create custom policies to prevent a threat from spreading

Article ID: 178118

Products

Endpoint Protection

Issue/Introduction

There is a threat in your environment, and you want to know how best to use Symantec Endpoint Protection Manager (SEPM) to keep the threat from spreading to other systems.
 
Symptoms - You have systems in your environment that are suspected or known to be infected. You would like to isolate the clients to prevent the spread of any malware that may be present on those systems.

Resolution

The solution involves three main steps: create a new group to isolate the clients, create a set of firewall policies and assign them to the new group, then move the affected clients into the group.

1. Create a group in the SEPM that will be used to isolate the clients

  1. Click on Clients
  2. Click on Add Group and give the group a name that will stand out, such as "At Risk Systems"

2. Create policies to limit the scope of the threat

Block access to the URL or IP address the threat is communicating with:

  1. Click on Policies > Firewall
  2. Click on Add a Firewall Policy. Alternately, copy an existing policy:
  3. Select that policy
  4. Choose Copy the Policy
  5. Click on Paste a Policy
  6. Highlight the copy
  7. Choose Edit the Policy
  8. Change the Policy Name (e.g. "At Risk Systems Firewall policy")
  9. Click on Rules
  10. Click Add a Blank Rule
  11. With the new rule highlighted, click on Move Up multiple times until it is at the top of the list. Rules are processed from top to bottom and the first matching rule wins, so a Block rule left below a broader Allow rule never fires.
  12. Right-click in the Host column for this new rule, and select Edit
  13. In the Remote section, click Add

- If the threat is using DNS names for communication, select DNS domain, enter the domain name, then click OK. Repeat this step if there are multiple domains in use.

- If the threat is using several individual IP addresses, select IP address, enter the address, then click OK. Repeat this step for each address.

- If the threat uses a range of IP addresses, select IP Range, enter the range of IP addresses, then click OK.

  14. Click OK
  15. Right-click in the Action column for this rule, and select Block
  16. (Optional) Right-click in the Logging column for this rule, and select Write to Packet Log
  17. Click OK
  18. Right-click on the Policy, and choose Assign
  19. Check the box for the group created earlier, and click Assign

If you see excessive traffic to or from particular ports related to a threat, you can block those ports with firewall rules:

  1. Click on Policies > Firewall
  2. Click on Add a Firewall Policy. Alternately, copy an existing policy:
  3. Select that policy
  4. Choose Copy the Policy
  5. Click on Paste a Policy
  6. Highlight the copy
  7. Choose Edit the Policy
  8. Change the Policy Name (e.g. "At Risk Systems Firewall policy")
  9. Click on Rules
  10. Click Add a Blank Rule
  11. With the new rule highlighted, click on Move Up multiple times until it is at the top of the list
  12. Add a Service for the rule to trigger on: right-click in the Service column for this new rule and click Add
  13. Verify the Protocol is set to TCP, and that Local/Remote is selected
  14. In the Remote Port field, enter the port that is being used by the threat (e.g. 12345)
  15. For Direction, select Outgoing
  16. Click OK
  17. Right-click in the Action column for this rule, and select Block
  18. (Optional) Right-click in the Logging column for this rule, and select Write to Packet Log
  19. Click OK
  20. Right-click on the Policy, and choose Assign
  21. Check the box for the group created earlier, and click Assign

3. Assign the clients to the new group

  1. Click on Clients
  2. On the Clients tab, select the client(s) to be moved
  3. Choose Move Clients
  4. Select the group created earlier
  5. Click OK

Notes:

      • If the traffic is inbound to a local port, create the rule as above, but enter the port number in the Local Port field (leaving Remote Port empty), and select Incoming as the direction. A rule that names the port under Remote Port with direction Outgoing does not match an inbound connection, because for inbound traffic the threat's listening port is the local port.
      • If the threat spreads through open shares, block all incoming traffic to ports 137 and 445 (NetBIOS and SMB). This also stops legitimate file sharing to the isolated clients for as long as they are in the group.
      • Be careful not to block the ports needed by SEP for communication (see Ports used for communication in Symantec Endpoint Protection), or any ports necessary for other types of communication (e.g. 20, 21, 80). Blocking them can cause critical applications to stop communicating as needed, and a client that can no longer reach the SEPM cannot receive the policy change that would undo the block.
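The two rule-building procedures above and the notes on rule order, local versus remote ports, and SEP's own ports can be checked against a small model before the rules go live. The following Python is an added example, not Symantec code and not the SEP firewall's real evaluation engine; it models the rule rows you create (Host, Service, Action) with SEP's top-down, first-match processing. Assumptions: DNS domain entries are treated as a suffix match on the connection's resolved name, the policy's fall-through default is Allow, and `SEP_PORTS` holds assumed default client-to-SEPM ports (8014 and 443), which you should replace with the ports your Management Server List actually uses.

```python
"""Model of SEP firewall rule rows with top-down, first-match evaluation.

Added example for the article's procedures; not Symantec code. Host matching
and the SEP port list below are simplifying assumptions (see lead-in).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# ASSUMPTION: default client <-> SEPM ports (8014 HTTP, 443 HTTPS).
# Check your own SEPM's Management Server List before relying on this.
SEP_PORTS = {8014, 443}


@dataclass
class Conn:
    """One connection as the client firewall sees it."""
    remote_ip: str
    remote_host: str | None      # reverse-resolved name, None if unknown
    proto: str                   # "TCP" or "UDP"
    local_port: int
    remote_port: int
    direction: str               # "Outgoing" or "Incoming"


@dataclass
class Rule:
    """One firewall rule row: Host column, Service column, Action column."""
    name: str
    action: str                                       # "Block" or "Allow"
    domains: list[str] = field(default_factory=list)  # Host: DNS domain entries
    ips: list[str] = field(default_factory=list)      # Host: IP, CIDR or "a-b" range
    proto: str | None = None                          # Service: protocol, None = any
    remote_port: int | None = None                    # Service: Remote Port
    local_port: int | None = None                     # Service: Local Port
    direction: str = "Both"                           # "Outgoing", "Incoming", "Both"

    def _ip_match(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for entry in self.ips:
            if "-" in entry:                           # IP Range host type
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                if lo <= addr <= hi:
                    return True
            elif addr in ipaddress.ip_network(entry, strict=False):
                return True
        return False

    def _domain_match(self, host: str | None) -> bool:
        # ASSUMPTION: DNS domain matches the name itself or any subdomain of it.
        if host is None:
            return False
        host = host.lower().rstrip(".")
        return any(host == d.lower() or host.endswith("." + d.lower()) for d in self.domains)

    def matches(self, c: Conn) -> bool:
        # Empty Host column means "any host"; otherwise some entry must match.
        if (self.domains or self.ips) and not (
                self._domain_match(c.remote_host) or self._ip_match(c.remote_ip)):
            return False
        if self.proto and self.proto != c.proto:
            return False
        if self.direction != "Both" and self.direction != c.direction:
            return False
        # Remote Port and Local Port are distinct fields: an Outgoing rule on
        # Remote Port 12345 does not catch an inbound connection to local 12345.
        if self.remote_port is not None and self.remote_port != c.remote_port:
            return False
        if self.local_port is not None and self.local_port != c.local_port:
            return False
        return True


def evaluate(rules: list[Rule], c: Conn) -> tuple[str, str]:
    """Top-down, first matching rule wins; no match falls through to Allow (assumed default)."""
    for r in rules:
        if r.matches(c):
            return r.action, r.name
    return "Allow", "<no rule matched>"


def collides_with_sep_ports(rule: Rule) -> bool:
    """True if a Block rule would also cut the client off from the SEPM (see Notes)."""
    return rule.action == "Block" and (
        rule.remote_port in SEP_PORTS or rule.local_port in SEP_PORTS)


if __name__ == "__main__":
    # Constructed sample data: a C2 block rule and a catch-all allow rule.
    block_c2 = Rule("Block C2", "Block", domains=["c2.example"],
                    ips=["192.0.2.10", "198.51.100.0-198.51.100.255"])
    allow_all = Rule("Allow all", "Allow")
    beacon = Conn("192.0.2.10", "c2.example", "TCP", 50001, 443, "Outgoing")
    print("rule on top   :", evaluate([block_c2, allow_all], beacon))   # Block
    print("rule below    :", evaluate([allow_all, block_c2], beacon))   # Allow: never reached
    print("blocks SEPM?  :", collides_with_sep_ports(
        Rule("oops", "Block", proto="TCP", remote_port=8014, direction="Outgoing")))
```

Running the module shows the two things the article warns about: the same Block rule is inert when it sits below a broader Allow rule, and a port rule that names a SEP communication port is flagged before it reaches a client.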

If Application and Device Control (ADC) is installed and a filename is known, you can create an ADC rule to prevent the suspected file from executing. Refer to How to use Application and Device Control to limit the spread of a threat for details.

If the threat uses autorun.inf (AutoPlay), disable it. See How to prevent a virus from spreading using the "AutoRun" feature.