This article is a continuation of my three previous articles:
- How to utilize SEP 12.1 for Incident Response - PART 1
- How to utilize SEP 12.1 for Incident Response - PART 2
- How to utilize SEP 12.1 for Incident Response - PART 3
In it, we will look at using Application Learning in an incident response situation. Application learning has the SEP client record the applications and services that run on client PCs and report them to the SEPM. I do want to point out that I only use this for incident response. While it is perfectly acceptable to use this all the time, if you have many clients the SEPM database can grow quite rapidly, since every learned application is stored there. If you do decide to use this on a regular basis, you should check out the Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager.
Now, let's get started. From time to time I come across a problem user who is no stranger to re-infection. I have a special purpose group set up for such cases. Application learning is enabled for this group. Enabling application learning is a two-step process: it is switched on at the site level, and then enabled for the group whose clients should report.
Log in to the SEPM:
- Navigate to the Admin page, select your Local Site and select Edit Site Properties. Tick the checkbox for "Keep track of every application that the clients run". This enables the feature for the site; on its own it does not make any client report anything.
- Go to the Clients page, create your special purpose group and uncheck inheritance so the group can carry its own settings instead of its parent's. Go to the Policies tab at the top and under Settings select Communications Settings. Under Upload, tick the checkbox for "Learn applications that run on the client computers". This tells the SEP clients in that group to record the applications they run and upload the list to the SEPM.
Now, results will not appear immediately. Entries start to come in as the clients check in, so how quickly you see them depends on the heartbeat interval set for the group. For this special purpose group, I like to set the heartbeat anywhere from 5 to 15 minutes. Since this is usually done for one or two clients at a time, this should not be a problem. I like to give the entire process a few hours to take shape before I really dig into it. Once you feel enough time has passed, you can begin reviewing what applications are running on the PC.
To do this, go to the Policies page and under Tasks select Search for Applications.
A new dialog opens which lets you filter the search:
Edit the filters as you see fit and select Search when done. If all is working correctly, you will see a list of the applications the clients have reported:
Now, what I like to do is export the results and compare them to a list of known-good processes that are on our golden image(s). This can be a tedious task, although it is slightly easier to find bad processes when you have a list of the ones you know are good. When I find what I believe are bad processes, I submit them to ThreatExpert and VirusTotal for analysis. If a file is found to be malicious, I submit it to Symantec Security Response so they can create a signature for it.
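The comparison step above, as an added Python example that is not part of the original article: it reads an exported application list and a golden-image inventory as CSV and reports everything that is not on the baseline. The column names (Computer, Application Name, File Path, Hash), the sample rows and the hash values are all constructed assumptions for this example; check the header row of your own export and adjust the constants. The match is done on file hash rather than on name or path, so a dropper that sits in a user profile under a known-good name such as svchost.exe is flagged as an impostor instead of being hidden by its name.

```python
"""Triage a SEPM application-learning export against a golden-image baseline.

Added example, not the article's or Symantec's code. The export and baseline
column names are ASSUMED; edit the *_COL constants to match your files.
"""
import csv
import io
from typing import Dict, List, Set, Tuple

# Assumed column names (adjust to the header row of your own export).
HOST_COL = "Computer"
NAME_COL = "Application Name"
PATH_COL = "File Path"
HASH_COL = "Hash"

# Constructed sample export from "Search for Applications" (not real data;
# the hashes are short placeholders, real ones are full MD5/SHA values).
LEARNED_CSV = r"""Computer,Application Name,File Path,Hash
WS-101,svchost.exe,C:\Windows\System32\svchost.exe,0A1B2C3D
WS-101,svchost.exe,C:\Users\bob\AppData\Roaming\svchost.exe,DEADBEEF
WS-101,notepad.exe,C:\Windows\System32\notepad.exe,4E5F6A7B
WS-101,update.exe,C:\Users\bob\AppData\Local\Temp\update.exe,9C8D7E6F
"""

# Constructed golden-image inventory: path and hash of every known-good file.
BASELINE_CSV = r"""File Path,Hash
C:\Windows\System32\svchost.exe,0a1b2c3d
C:\Windows\System32\notepad.exe,4e5f6a7b
C:\Windows\System32\calc.exe,11223344
"""


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Parse CSV text into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def norm_hash(value: str) -> str:
    """Normalise hash case/whitespace so exports from different tools compare."""
    return value.strip().lower()


def build_baseline(rows: List[Dict[str, str]]) -> Tuple[Set[str], Set[str]]:
    """Return the set of known-good hashes and the set of known-good file names."""
    hashes = {norm_hash(r[HASH_COL]) for r in rows}
    names = {r[PATH_COL].rsplit("\\", 1)[-1].lower() for r in rows}
    return hashes, names


def classify(row: Dict[str, str], baseline_hashes: Set[str],
             baseline_names: Set[str]) -> str:
    """known: hash on the baseline; impostor: known-good name but unknown hash;
    unknown: neither."""
    if norm_hash(row[HASH_COL]) in baseline_hashes:
        return "known"
    if row[NAME_COL].strip().lower() in baseline_names:
        return "impostor"
    return "unknown"


def triage(learned_text: str, baseline_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (verdict, host, path, hash) for every row not on the baseline,
    impostors first since they are the most likely masquerading malware."""
    baseline_hashes, baseline_names = build_baseline(parse_csv(baseline_text))
    findings = []
    for row in parse_csv(learned_text):
        verdict = classify(row, baseline_hashes, baseline_names)
        if verdict != "known":
            findings.append((verdict, row[HOST_COL], row[PATH_COL],
                             norm_hash(row[HASH_COL])))
    findings.sort(key=lambda f: (f[0] != "impostor", f[2].lower()))
    return findings


if __name__ == "__main__":
    for verdict, host, path, digest in triage(LEARNED_CSV, BASELINE_CSV):
        # Hashes on this list are what you would submit to a sandbox or
        # multi-engine scanner before deciding on a vendor submission.
        print(f"{verdict:9s} {host:8s} {digest}  {path}")
```

Keying on hash means the baseline only has to be regenerated when the golden image changes, and a known-good binary that has simply moved still matches; anything reported as impostor or unknown is the short list worth sending for analysis.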
I hope this article has been helpful for you. Please post any feedback or questions that you may have.
Brian