Host Integrity (HI) is a feature of Symantec Endpoint Protection (SEP) that can be used to ensure that client computers are protected and compliant with a company's security policies. Host Integrity policies can be used to define, enforce, and remediate the security of clients as defined by the policy. For example, an HI policy can be used to check whether a specific Microsoft patch, or set of patches, is installed on a client. If a client fails to meet the requirements, the client can be quarantined from certain network access until it meets those requirements. For more details, see the document About Host Integrity requirements.
To configure a Host Integrity policy
A Host Integrity policy has three sections
The Requirements section has two sections: When you want HI checks to run and the HI Requirements. Clicking the Add button towards the bottom of the page brings up the Add Requirement Wizard. To check if a specific Microsoft patch is installed you can use two different options: Patch requirement and Custom requirement.
Note: Always test newly created policies against a small set of clients before applying the policy to the entire environment.
This requirement is a good option if you only need to verify that a specific patch is installed. In the example below, we'll use Patch requirement to check if the Microsoft patch KB1234567 is installed on any Windows 7 device.
This creates an HI check to see if KB1234567 is installed on any Windows 7 machine. If it is, the HI check will return a "PASS" result; if not, it will return a "FAIL" result. Additional requirements can be added, for instance, if there is a different patch for another version of Windows. Each requirement is validated individually; if any one requirement is not met, the check returns a "FAIL" result.
This requirement allows you to customize your HI requirements using IF/THEN/ELSE and AND/OR logic. This facilitates complex checking that can't be accomplished using the other types of requirements. The document Writing a customized requirement script contains generic steps; a specific example is below.
In this example we'll use Custom requirement to check if either Microsoft patch KB1234567 or KB2345678 is installed on any Windows 7 device.
This custom requirement first evaluates whether the Operating System is Windows 7. If so, it then checks if KB1234567 or KB2345678 is installed. If either is, HI will return a "PASS" result. At the very end of the IF statement it returns a "FAIL" result if the OS/patch conditions were not met. You'll likely want to check for a different set of patches on other Operating Systems. You can do that within the same Custom requirement. Click on the first THEN statement, click the Add button, then choose ELSE. From within the ELSE statement, you can add another IF..THEN statement to check for a different OS and set of patches. Attached to this document is an example HI policy using Custom requirement.
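The same OS-then-patch logic as a stand-alone PowerShell check, added here as an example (it is not SEP's own requirement script) that an administrator can run on a test client to confirm what result the policy should produce before rolling it out. The KB numbers are the page's placeholder values, and the Windows 10 entry is a hypothetical second branch.

```powershell
# Stand-alone equivalent of the Custom requirement: IF OS matches THEN any listed
# KB present => PASS, ELSE => FAIL. Added example, not SEP's requirement script.

$requiredPatches = @{
    # OS major.minor version => list of KBs, any one of which satisfies the requirement
    '6.1'  = @('KB1234567', 'KB2345678')  # Windows 7 (page's placeholder KB numbers)
    '10.0' = @('KB0000000')               # hypothetical Windows 10 branch (assumption)
}

function Test-HostIntegrityPatch {
    param([hashtable]$Requirements)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Compare on major.minor only (e.g. 6.1.7601 -> 6.1) to select the IF branch
    $versionKey = ($os.Version -split '\.')[0..1] -join '.'

    if (-not $Requirements.ContainsKey($versionKey)) {
        # Final ELSE: no rule for this OS, so the requirement is not met
        return [pscustomobject]@{ Result = 'FAIL'; OS = $os.Caption; Reason = 'No rule defined for this OS' }
    }

    # HotFixID is the KB identifier as reported by Win32_QuickFixEngineering
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = $Requirements[$versionKey] | Where-Object { $installed -contains $_ }

    if ($matched) {
        return [pscustomobject]@{ Result = 'PASS'; OS = $os.Caption; Reason = "Found $($matched -join ', ')" }
    }
    return [pscustomobject]@{ Result = 'FAIL'; OS = $os.Caption; Reason = "Missing all of $($Requirements[$versionKey] -join ', ')" }
}

Test-HostIntegrityPatch -Requirements $requiredPatches
```

Run it as an administrator on a client you expect to pass and one you expect to fail; if the results disagree with what the HI policy reports, the policy's OS or patch conditions are the first thing to recheck.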
If a client fails an HI check because it doesn't have certain Microsoft patches installed, you may want to quarantine the vulnerable device by restricting its network access until it has the patches in place. This can be accomplished by using Quarantine Policies. This allows you to apply a different set of policies to clients which have failed their HI check. Once a client passes the HI check, it will be moved automatically out of quarantine. The document Creating a Quarantine policy for a failed Host Integrity check describes how to apply a specific policy (or set of policies) to quarantined clients. A specific example can be found below with more detail.
In this example we'll use a Quarantine Firewall policy to block RDP, using a copy of our existing firewall policy with one extra rule added to block RDP access. These steps could also be used to restrict any other type of network access by customizing the firewall rules to suit your needs.
Note: The SEPM has a default Quarantine Firewall policy. The policy only allows traffic to Symantec domains and blocks all other traffic.
Next, we need to apply the firewall rule to the Quarantine location.
When a client fails its HI check it will have the new, more restrictive firewall policy applied to it.
Once an HI policy has been created and applied to check if a Microsoft patch is installed, you'll want to know which clients are failing the HI check. On the SEPM Home page in the Endpoint Status widget, there is a "Host Integrity Failed" category. Clicking on it will bring up a report of all clients that have failed an HI check. Further details and an exportable report can be found on the Monitors page.
This Compliance Log will list every Host Integrity failed event within the time range given. This log can be exported using Export in the upper left to a .csv file. The list of computers can then be used to determine which devices in a network still need a Microsoft patch installed.