Using Endpoint Protection's Host Integrity feature to check if a Microsoft patch is installed

Article ID: 179348

Products

Endpoint Protection

Resolution

About

Host Integrity (HI) is a feature of Symantec Endpoint Protection (SEP) that can be used to ensure that client computers are protected and compliant with a company's security policies. Host Integrity policies can be used to define, enforce, and remediate the security of clients as defined by the policy. For example, an HI policy can be used to check whether a specific Microsoft patch, or a set of patches, is installed on a client. If a client fails to meet the requirements, it can be quarantined from certain network access until it meets those requirements. More details: About Host Integrity requirements.

Configuring a Host Integrity policy

To configure a Host Integrity policy

  1. Log into the Symantec Endpoint Protection Manager (SEPM).
  2. Click on Policies.
  3. Select Host Integrity on the left.
  4. Select the desired HI policy, then edit it.

A Host Integrity policy has three sections

  • Overview - Includes the policy name, description and whether it's enabled or not.
  • Requirements - The main section where specific requirements are defined.
  • Advanced Settings - HI checking options, remediation dialog options and notifications.

The Requirements section has two sections: When you want HI checks to run and the HI Requirements.  Clicking the Add button towards the bottom of the page brings up the Add Requirement Wizard.  To check if a specific Microsoft patch is installed you can use two different options: Patch requirement and Custom requirement. 

  • Patch requirement - Simple requirement useful for checking a single patch per requirement.
  • Custom Requirement - Better suited for checking for the presence of one patch out of a set of patches.
    • Example: A CVE is addressed in both a Microsoft Security Update and a Monthly Rollup. The Security Update and the Monthly Rollup have different KB numbers, and having either one installed addresses the CVE. A Patch Requirement can only check against one Patch Name and return a PASS/FAIL, whereas a Custom Requirement can use OR logic to determine whether either of the KBs is installed.

Note: Always test newly created policies against a small set of clients before applying the policy to the entire environment.

Patch Requirement

This requirement is a good option if you only need to verify that a specific patch is installed. In the example below, we'll use Patch requirement to check if the Microsoft patch KB1234567 is installed on any Windows 7 device.

  1. In the HI policy, on the Requirement section, click the Add button at the bottom.
  2. Under Select requirement, click on Patch requirement, click OK.
  3. Give the requirement a descriptive name.
  4. In the Patch Name field, enter the name of the patch.  Example: KB1234567
  5. Next, select the operating systems that apply to the patch. Example: Select all Windows 7 operating systems.
  6. Click OK.

This creates an HI check to see if KB1234567 is installed on any Windows 7 machine. If it is, the HI check will return a "PASS" result; if not, it will return a "FAIL" result. Additional requirements can be added, for instance if there is a different patch for another version of Windows. Each requirement is validated individually: if any one requirement is not met, the check returns a "FAIL" result.

Custom Requirement

This requirement allows you to customize your HI requirements using IF/THEN/ELSE and AND/OR logic. This facilitates complex checking that can't be accomplished using the other types of requirements. The document Writing a customized requirement script contains generic steps; a specific example is below.

In this example we'll use Custom requirement to check if either Microsoft patch KB1234567 or KB2345678 is installed on any Windows 7 device.

  1. In the HI policy, on the Requirement section, click the Add button at the bottom.
  2. Under Select requirement, click on Custom requirement, click OK.
  3. Give the Custom requirement a descriptive name.
  4. Under Customized Requirement Script, click on the //insert statements below line (this is a comment), remove the existing text in the comment field and replace it with Check for Microsoft patch.
  5. Click the Add button, select If..Then.
  6. In the Select a condition dropdown, choose Utility: Operating system is, then select all the Windows 7 versions.
  7. Under the THEN section, remove the //insert statements here comment, replace it with This device is running Windows 7.
  8. Click on the THEN section just above our last comment, click Add, choose If..Then.
  9. In the Select a condition dropdown, choose Patch: Patch is installed, in the Patch name field, enter KB1234567.
  10. While the Patch: Patch is installed condition is selected, click the Add button, select OR, then select the Patch: Patch is installed condition again, then enter KB2345678.
  11. Select the THEN after the Patch checks, click Add, choose Return, leave it on Pass.  Within the same THEN section, change the comment to read KB1234567 or KB2345678 is installed.
  12. Select the END IF, click Add, choose Return, change it to Fail.

This custom requirement first evaluates whether the operating system is Windows 7. If so, it then checks whether KB1234567 or KB2345678 is installed. If either is, HI will return a "PASS" result. At the very end of the IF statement it returns a "FAIL" result if the OS/patch conditions were not met. You'll likely want to check for a different set of patches on other operating systems. You can do that within the same Custom requirement: click on the first THEN statement, click the Add button, then choose ELSE. From within the ELSE statement, you can add another IF..THEN statement to check for a different OS and set of patches. Attached to this document is an example HI policy using Custom requirement.
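The same decision the Patch requirement above and the Custom requirement just described make on the client, written as a PowerShell function so an administrator can run it by hand on a pilot machine before the policy goes out (the Note above recommends testing on a small set of clients first). This is an added example, not SEP code or a script from the article: the function name Test-HostIntegrityPatch, the rule table layout and the second OS branch are assumptions, the KB numbers are the article's placeholders, and it relies on Get-HotFix and the Win32_OperatingSystem caption, which are not necessarily the sources SEP's own Patch is installed condition consults.

```powershell
# Added example (not part of SEP or this article): reproduce the Host Integrity
# decision described above on a client, so a pilot machine can be checked by hand
# before the policy is rolled out. The function name, the rule table layout and the
# KB numbers are assumptions/placeholders, not SEP identifiers.
#
# Caveat: Get-HotFix reads the Win32_QuickFixEngineering inventory, which does not
# list every update type; treat a mismatch against the SEPM result as a prompt to
# look at the client's update history, not as proof that the HI policy is wrong.

function Test-HostIntegrityPatch {
    param(
        # Ordered list of branches, one per OS, like the IF / ELSE IF chain in the
        # custom requirement. A branch passes if ANY listed KB is installed (the OR).
        [Parameter(Mandatory=$true)][array]$Rules,
        # Overrides for dry runs; omit both to query the local machine.
        [string]$OSCaption = (Get-WmiObject -Class Win32_OperatingSystem).Caption,
        [string[]]$InstalledKBs = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    )

    foreach ($rule in $Rules) {
        # "Utility: Operating system is" -> substring match on the WMI caption,
        # e.g. "Microsoft Windows 7 Enterprise" contains "Windows 7".
        if ($OSCaption -notlike "*$($rule.OS)*") { continue }

        # "Patch: Patch is installed" OR "Patch: Patch is installed"
        $present = @($rule.AnyOf | Where-Object { $InstalledKBs -contains $_ })
        if ($present.Count -gt 0) {
            return New-Object PSObject -Property @{
                Result = 'Pass'; OS = $OSCaption
                Reason = "$($present -join ' or ') is installed"
            }
        }
        # OS matched but none of the acceptable KBs is present
        return New-Object PSObject -Property @{
            Result = 'Fail'; OS = $OSCaption
            Reason = "none of $($rule.AnyOf -join ', ') is installed"
        }
    }

    # No branch matched the OS: the Return Fail after the final END IF.
    return New-Object PSObject -Property @{
        Result = 'Fail'; OS = $OSCaption
        Reason = 'no patch rule defined for this operating system'
    }
}

# Rule table mirroring the article's example (Windows 7: KB1234567 OR KB2345678) plus a
# second branch for another OS, as the ELSE / IF..THEN text describes. KB numbers are
# placeholders; replace them with the KBs from the Microsoft advisory you are enforcing.
$rules = @(
    @{ OS = 'Windows 7';  AnyOf = @('KB1234567', 'KB2345678') },
    @{ OS = 'Windows 10'; AnyOf = @('KB0000000') }          # placeholder KB
)

# Dry runs with constructed inventories (no WMI query): the OR branch, the Fail branch
# and the unmatched-OS branch.
Test-HostIntegrityPatch -Rules $rules -OSCaption 'Microsoft Windows 7 Enterprise' -InstalledKBs @('KB2345678')
Test-HostIntegrityPatch -Rules $rules -OSCaption 'Microsoft Windows 7 Enterprise' -InstalledKBs @('KB4000000')
Test-HostIntegrityPatch -Rules $rules -OSCaption 'Microsoft Windows Server 2012 R2 Standard' -InstalledKBs @()

# Live check on the client this runs on:
Test-HostIntegrityPatch -Rules $rules
```

Each entry in $Rules is one OS branch of the IF / ELSE IF chain and its AnyOf list is the OR between Patch is installed conditions; the final return mirrors the Return Fail after the last END IF. The dry-run calls pass constructed inventories, so they exercise the OR, Fail and unmatched-OS paths without touching WMI; only the last call queries the machine it runs on. Get-WmiObject and New-Object are used rather than their newer equivalents so the script also runs on the PowerShell 2.0 that ships with Windows 7.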

Quarantining a SEP client that fails the HI check

If a client fails an HI check because it doesn't have certain Microsoft patches installed, you may want to quarantine the vulnerable device by restricting its network access until it has the patches in place.  This can be accomplished by using Quarantine Policies.  This allows you to apply a different set of policies to clients which have failed their HI check.  Once a client passes the HI check, it will be moved automatically out of quarantine.  The document Creating a Quarantine policy for a failed Host Integrity check describes how to apply a specific policy (or set of policies) to quarantined clients.  A specific example can be found below with more detail.

In this example we'll use a Quarantine Firewall policy to block RDP. The policy is a copy of the existing firewall policy with one extra rule added to block RDP access. The same steps can be used to restrict any other type of network access by customizing the firewall rules to suit your needs.

Note: The SEPM has a default Quarantine Firewall policy. That policy only allows traffic to Symantec domains and blocks all other traffic.

  1. In the SEPM on the Policies page, click on Firewall.
  2. Select an existing Firewall policy in use, right-click on it choose Copy, then in the white space on the page right-click, choose Paste.
  3. Modify the newly created Firewall policy and rename it.
  4. Follow the steps in How to block RDP with a firewall rule.
  5. Once the rule is added, save the policy.

Next, we need to apply the firewall rule to the Quarantine location.

  1. In the SEPM, on the Clients page, click the Policies tab.
  2. Under Location-specific Policies and Settings there is a section called Quarantine Policies when Host Integrity Fails. Click Add a policy... to the right of it.
  3. Select Quarantine Firewall policy, then click Next.
  4. Select Use an existing shared policy, then click Next.
  5. In the Policy drop-down box, select the policy you just added the block RDP rule to, then click OK.

When a client fails its HI check it will have the new, more restrictive firewall policy applied to it.

Generating a list of clients where a Host Integrity check has failed

Once an HI policy has been created and applied to check whether a Microsoft patch is installed, you'll want to know which clients are failing the HI check. On the SEPM Home page, in the Endpoint Status widget, there is a "Host Integrity Failed" category. Clicking it brings up a report of all clients that have failed an HI check. Further details and an exportable report can be found on the Monitors page.

  1. In the SEPM, click on Monitors.
  2. Select the Logs tab.
  3. Change the Log type: to Compliance.
  4. Change the Log content: to Client Host Integrity.
  5. Click Additional Settings >> at the bottom.
  6. Change the Event type: to Host Integrity failed.
  7. Adjust the Time range: as desired.
  8. Click View Log.

This Compliance Log lists every Host Integrity failed event within the given time range. The log can be exported to a .csv file using Export in the upper left. The list of computers can then be used to determine which devices in the network still need a Microsoft patch installed.
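An added example (not from the article or SEP) for working with the exported Compliance Log: the log holds one row per failed event, so a client that fails every HI check cycle appears many times, and the useful output is one line per client. The function name Get-HostIntegrityFailedClients and the column headings Event Time, Computer Name and Event Type are assumptions about the export's header row; the sample CSV is constructed.

```powershell
# Added example (not part of SEP or this article): turn the exported Compliance log
# into one line per client that still fails. The column headings below are assumptions;
# check the first row of your own export and pass the real names to the function.

function Get-HostIntegrityFailedClients {
    param(
        [Parameter(Mandatory=$true)][string]$CsvPath,
        [string]$ComputerColumn = 'Computer Name',   # assumed heading
        [string]$EventColumn    = 'Event Type',      # assumed heading
        [string]$TimeColumn     = 'Event Time',      # assumed heading
        [string]$FailedEvent    = 'Host Integrity failed'
    )
    Import-Csv -Path $CsvPath |
        Where-Object { $_.$EventColumn -eq $FailedEvent } |
        Group-Object -Property $ComputerColumn |
        ForEach-Object {
            # Collapse the per-event rows of one client to: name, how often it
            # failed in the exported range, and when it was last seen failing.
            $times = $_.Group | ForEach-Object { [datetime]$_.$TimeColumn }
            New-Object PSObject -Property @{
                Computer   = $_.Name
                Failures   = $_.Count
                LastFailed = ($times | Sort-Object | Select-Object -Last 1)
            }
        } |
        Sort-Object -Property LastFailed -Descending
}

# Constructed sample export (not real SEPM data) so the function can be tried offline.
$sample = Join-Path $env:TEMP 'hi-compliance-sample.csv'
$csvText = @'
"Event Time","Computer Name","Event Type","Domain"
"2024-01-10 09:12:01","WS-0142","Host Integrity failed","Default"
"2024-01-10 09:42:07","WS-0142","Host Integrity failed","Default"
"2024-01-10 10:05:33","WS-0077","Host Integrity failed","Default"
"2024-01-10 10:06:12","WS-0099","Host Integrity passed","Default"
'@
Set-Content -Path $sample -Value $csvText

Get-HostIntegrityFailedClients -CsvPath $sample |
    Format-Table Computer, Failures, LastFailed -AutoSize

# Just the names, for handing to patch management:
Get-HostIntegrityFailedClients -CsvPath $sample | Select-Object -ExpandProperty Computer
```

If the Event type filter in step 6 was already set to Host Integrity failed before the export, the Where-Object stage is redundant but harmless; keeping it lets the same function process an unfiltered export. Point -CsvPath at the file saved from Export and override the column parameters if your header row differs.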

Attachments

Example Host Integrity policy for Microsoft patch.dat