The purpose of this article is to provide insight on how to use the various features within SEP 12.1 for Incident Response. This will be the first in a series of articles showing you various ways to utilize SEP 12.1 for this purpose. I make no assumptions regarding your environment so this is provided "As-is." You should always test before deploying into your production environment or at the very least, understand the consequences associated with it. Let's get started.
PROBLEM: You receive a call in the middle of the night that a virus is loose on your network. SEP 12.1 appears to only be stopping a few infected files but some still remain. The technician who first noticed the infection performed a quick analysis and sent you a file which SEP does not appear to remediate. You quickly confirm this by submitting to https://www.virustotal.com and see that Symantec does not yet have a signature for this piece of malware. You head to the office and get to work. After submitting the file to Symantec Security Response, you decide to use the "Application to Monitor" feature which is inside the Exceptions policy.
As we can see, for the purposes of this article, the undetected malicious file running on PCs is called apt.exe.
This filename needs to be added so that it can be monitored and reported back to the SEPM any time it executes.
To add it, open your Exceptions policy and select the Exceptions tab.
Click Add >> Windows Exceptions >> Application to Monitor
The "Add an Application to Monitor" window appears; we add the filename and click "Add".
After it has been added, click OK to save the policy. Once the clients check in and pick up the latest policy, this application will be monitored (Log Only) when it is executed, and the event is reported back to the SEPM. This can take some time depending on how often your clients are configured to heartbeat, so don't be surprised if you see no logs for a while. This feature works best where the heartbeat is set to a short interval (5-15 minutes) or, better still, where the clients are in Push mode. After we have waited for some time, we check our Application log to see whether the process has shown up, so that we can configure an action to be taken on it when it tries to execute.
Go back to your Exceptions policy and select the Exceptions tab again. This time, select Add >> Windows Exception >> Application.
The "Add Application Exception" window will come up. Set the View to "Watched Applications".
This view will only show applications that you specifically added to be monitored and filters out all the others that you don't need to see at this point.
Now we can select the apt.exe file and set the Action of your choice. I will set it to "Terminate".
Click OK to add it to the Exceptions policy, and you will see the new exception added using the hash of the executable. Click OK to save the policy.
Once your clients pick up the new policy, SEP will block the file from executing.
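The exception SEP creates here is keyed on the hash of the executable, not on the name apt.exe. The same idea is useful outside the console when you want to find remaining copies of the sample on a share or an image: a renamed copy has the same hash and is still caught, while a copy whose bytes have changed (even by one byte) has a different hash and would need its own exception. The script below is an added example written for this article, not a Symantec tool or anything from the SEP product; the directory tree and file contents it builds are constructed stand-ins for the undetected sample and a benign file, and SHA-256 is assumed as the hash algorithm for illustration.

```python
"""
Hunt a directory tree for files matching a known-bad hash.

Added example, not part of the original article and not a Symantec tool.
Matching on the hash of the executable (as the SEP Application exception
does) catches a renamed copy and ignores a same-named file with different
contents; the constructed demo tree below exercises both cases.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_matches(root, blocked_hashes):
    """Walk root and return sorted (path, hash) pairs whose SHA-256 is on the block list."""
    blocked = {h.lower() for h in blocked_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it, do not abort the sweep
            if digest in blocked:
                hits.append((path, digest))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed sample tree; returns (root, sha256 of the 'malicious' bytes)."""
    root = tempfile.mkdtemp(prefix="sep_hunt_")
    sample = b"MZ" + b"constructed placeholder for the undetected sample" * 4
    os.makedirs(os.path.join(root, "Users", "tech", "Downloads"))
    os.makedirs(os.path.join(root, "Windows", "Temp"))
    # 1. the file under the name the technician saw
    with open(os.path.join(root, "Users", "tech", "Downloads", "apt.exe"), "wb") as f:
        f.write(sample)
    # 2. identical bytes under another name: a filename rule would miss this, a hash rule does not
    with open(os.path.join(root, "Windows", "Temp", "svch0st.exe"), "wb") as f:
        f.write(sample)
    # 3. same name, contents changed by one byte: the hash rule will NOT match this copy
    with open(os.path.join(root, "Windows", "Temp", "apt.exe"), "wb") as f:
        f.write(sample + b"\x00")
    # 4. an unrelated benign file
    with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
        f.write(b"MZ benign constructed content")
    return root, hashlib.sha256(sample).hexdigest()


def demo():
    """Build the demo tree and return the matching paths relative to its root."""
    root, bad_hash = build_demo_tree()
    hits = find_matches(root, {bad_hash})
    return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    for rel in demo():
        print("match:", rel)
```

Run against a real tree, replace `build_demo_tree()` with the path you want to sweep and the hash shown in the exception (or taken from the VirusTotal report). The third file in the demo is the caveat to remember: once the sample is modified or repacked, the hash-based exception no longer applies and you are back to monitoring by name.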
This feature is very useful in cases where SEP is not yet detecting a malicious executable. You can use it for Incident Response purposes while Symantec creates a signature, and it will stop the malware from spreading further throughout your network.
I hope this article will be helpful for you. Comments/Questions/Criticisms are welcome!
Brian