LEMSS AntiVirus Total Track Evaluation Guide

Lumension Endpoint Management and Security Suite v7.1

AntiVirus Module Evaluation Guide

April 2011 v1.0

© Copyright 2009, Lumension

www.lumension.com

Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance


Lumension Endpoint Management and Security Suite: AntiVirus Module

Table of Contents

Table of Contents  2
Introduction  3
  Module Description  3
  Objective  3
Evaluation Scenarios  4
  Prepare Test Environment  4
    Server Tasks  4
    Endpoint Tasks  6
    Review Results  6
  Use “Scan Now” to Detect Malware  7
    Server Tasks  7
    Endpoint Tasks  8
    Review Results  9
  Enable Real-Time Monitoring  10
    Server Tasks  10
    Endpoint Tasks  11
    Review Results  12
  Scheduled Scanning  12
    Server Tasks  12
    Endpoint Tasks  14
    Review Results  14
  Review Custom Dashboard  14
    Server Tasks  14
    Endpoint Tasks  15
    Review Results  15


Introduction

This document is designed to assist you in implementing the Lumension Endpoint Management and Security Suite (L.E.M.S.S.) v7.1 AntiVirus Module and to serve as an ongoing record of your observations and feedback during the evaluation process.

Module Description

Lumension® AntiVirus is based on proven technology that incorporates a pioneering and industry-leading anti-malware engine to provide protection against all malware, including viruses, Trojans, rootkits, spyware and adware. It provides advanced protection via traditional signature-matching capabilities as well as innovative proactive technologies which provide protection against zero-day threats. These include the following capabilities:

• DNA Matching (partial signature matching) detects components of malware that have been re-used from previous attacks.

• Exploit Detection (hidden malware search) detects and stops concealed malware that has been injected into otherwise benign file types such as .PDFs.

• SandBox (behavioral analysis) runs suspect executables in a safe emulation environment to look for malicious behavior and identify sophisticated zero-day malware.

Lumension® AntiVirus provides an important layer in a comprehensive defense-in-depth endpoint security strategy:

• Block Known and Unknown Malware: Prevent viruses, worms, Trojans and other types of malware such as keyloggers, hijackers and rootkits from wreaking havoc on endpoints.

• Comprehensive Malware Removal: Ensure that any detected malware is removed or quarantined and not allowed to remain on network assets.

• Integrated Module for Defense-in-Depth: Improve endpoint security effectiveness without impacting productivity via the industry's first intelligent application whitelisting solution.

Objective

The plan is to implement this solution on a small group of endpoints. The task list includes the following:

1. Prepare the test environment
2. Scan endpoints for virus and malware and review alerts
3. Set up a real-time AV monitoring policy
4. Set up a scheduled AV scanning policy
5. Set up a custom dashboard to monitor AV policy results


Evaluation Scenarios

Prepare Test Environment

Business Context: Install the L.E.M.S.S. v7.1 software onto the server and L.E.M.S.S. agent onto a small group of endpoints, per the L.E.M.S.S. v7.1 platform evaluation guide. Once installed, create an additional “AV Administrator” role for someone to be in charge of AntiVirus policies. Next, deploy AntiVirus agent update to endpoint agents. Finally, create custom groups for test endpoints.

Expected Outcome: L.E.M.S.S. v7.1 and the AntiVirus module are fully operational and ready for evaluation on the server and a small group of endpoints. A new role has been defined on the server for the purpose of enforcing IT security and administration of AntiVirus policies. A custom group of endpoints has been created for group management purposes.

SERVER TASKS

1. Navigate to Tools > Users/Roles and select the Roles tab
2. Click the Create button
3. Enter a name for the role (e.g. AV Manager) and use the Manager role as a template
4. On the access rights tab remove all rights in the Jobs, content, application control, and application library sections
5. Click OK
6. Verify that the new role was created
7. Go to the Users tab and click Create
8. Click Next and enter the user name “AVpolicyManager”
9. Enter any password you like and select the newly created role
10. Click Finish
11. Verify that the new user has been created


12. Next, navigate to Manage > Endpoints and select the endpoint(s) where you want to install the Anti-Virus components
13. Click on the Manage Modules menu option and select the Anti-Virus module
14. Click OK
15. Verify on the Manage > Endpoint screen that the LAV module changes from No to Pending
19. When complete, the module is installed on the endpoint


ENDPOINT TASKS

1. Log on to an endpoint which you selected to add the Anti-Virus module
2. Click on the “Lumension EMSS Agent Control Panel” icon in the system tray
3. Validate that the Virus and Malware component has been installed

REVIEW RESULTS


Use “Scan Now” to Detect Malware

Business Challenge: Endpoints which have been in use for any length of time are likely to have gathered some amount of malware. As we prepare to implement new endpoint security, it is important to detect and remove any known malware which resides on the endpoints.

Business Context: Now that the environments have been set up, run a detailed scan to make sure they are clean of known malware. This clean-up procedure is an important first step in the Lumension® Intelligent Whitelisting™ process.

Expected Outcome: The AV scan is initiated and running (perhaps not yet completed). The scan will be a thorough scan (memory, boot sectors, all attached drives, etc.) and will run one time only. This in-depth scan should complete on all endpoints and any alerts found should be viewable on the L.E.M.S.S. v7.1 server.

SERVER TASKS

1. From the navigation menu, select “Discover > Scan now – Virus and Malware Scan” to display the Scan Now wizard
   a. Give your policy a unique name
   b. Select “Immediately” from the scheduling settings
2. Press “Next” and add your endpoint group to the target list to be included in the scan
   a. Use the default settings already selected
3. Press “Next” to move to the Scan Options page
   a. Select “Override the endpoint virus and malware scan policy with the following:”
   b. Select “Attempt to clean then quarantine then delete” from the dropdown – this will ensure that the endpoint is completely cleaned of known malware
   c. Check the “Use sandbox” box – this will detect previously unknown malware based on its behavior
   d. Check the “Scan boot sectors” box – this will protect against malware which attempts to evade AV by hiding in the boot sector, which is a very common attack vector
   e. Check the “Scan archives” box – this will ensure that no latent malware escapes undetected
   f. Check the “Scan memory” box – this will protect against malware which is resident in memory, another common attack vector
   g. Select “Detailed logging level” – this will provide the AV admin with the details needed to triage the response, ascertain root cause, and track trends
4. Press “Next” to move to the Exclude Files or Paths page
   a. Select “Scan all local drives excluding the following paths/files:”
   b. Enter in the file name “wsusscn2.cab” & press “Exclude” – this will reduce scanning time by omitting known good files
   c. Select “Scan locally-attached media” from the optional drives settings – this will ensure that any and all drives (e.g., removable HD) are also scanned
5. Press “Finish” and validate that the AV Scan Now task has been created
6. Navigate to “Manage > Deployments and Tasks” & validate that your AV Scan Now task has been created and that it is running


ENDPOINT TASKS

1. Log on to an endpoint which you selected as a target in the Scan Now task
2. Click on the “Lumension EMSS Agent Control Panel” icon in the system tray
3. Validate that the Virus and Malware Scan is in progress
   a. The header should state “Virus and Malware Scan in progress”
   b. “Files Scanned” should be increasing
   c. “Infections found” will show a count if the test virus files were discovered
   d. Expand the “Virus and Malware scan summary” section to see the status of infected files


REVIEW RESULTS

1. Navigate to the “Review > Virus and Malware Event Alerts” page
2. Confirm alerts were received from the target endpoint(s)


Enable Real-Time Monitoring

Business Challenge: The malware threat faced by your organization is often targeted at employees via phishing emails or poisoned websites. In order to protect your organization, you must prevent infected files from getting onto the endpoints. While scheduled scans do a good job of preventing and cleaning malware, you need continuous detection and removal protection against suspect files which an end user might download or open on an everyday basis.

Business Context: Create an AntiVirus policy to review files as they are opened, and to automatically clean any infected files. Use the SandBox technology to augment protection against malware without an existing signature (e.g., zero-day threat).

Expected Outcome: The “real-time” scan is assigned to all common-use computers as well as the L.E.M.S.S. v7.1 server. The scan policy is applied and all endpoints have real-time scanning enabled and active (as reflected by the contents of the AV tab in the agent control panel.)

SERVER TASKS

1. Navigate to “Manage > AntiVirus Policies”
2. Press the “Create” button and select “Real-time Monitoring Policy…” to create a Real-time Monitoring policy for your Public Use Desktops group. Use the following settings:
   a. Give your policy a unique name
   b. Select “Attempt to clean then quarantine then delete” from the “Scanning” options – this will ensure that the endpoint is completely cleaned of known malware


   c. Check the “Use sandbox” box from the “Scanning” options, and change “Normal” to “Extended” in the associated dropdown – this will detect previously unknown malware based on its behavior
   d. Select “Scan on both read/execute” from the “Local user” settings – this will protect against all end user actions
   e. Select “Scan on write” from the “Services and Remote users” settings – this will protect against certain types of remote attacks
   f. Enable this policy for immediate activation
3. Press “Next” to move to the Exclude Files or Paths page
   a. Enter a path to be excluded from the policy (c:\AVtest\)
   b. Press the “Exclude” button to confirm the path entered above
   c. Select “Scan locally-attached media” to be included in the real-time monitoring – this will ensure that any and all drives (e.g., removable HD) are also scanned
4. Press “Next” and assign the policy to the custom group you just created
5. Press “Finish” and validate that the policy has been created and that it has been assigned
6. Review the policy and confirm the creation date and policy assignments are correct
7. Navigate to “Manage > Groups”, select your test group and confirm that the policy is assigned properly

ENDPOINT TASKS

1. Log on to an endpoint in your group (one of the endpoints to which you assigned the Real-time Monitoring Policy)
2. Click on the “Lumension EMSS Agent Control Panel” icon in the system tray
3. Validate that the Real-time Monitoring policy has been applied to this endpoint by selecting the “AntiVirus” tab


4. Create a new folder in the excluded path directory created in the Real-time Monitoring policy (c:\AVtest\) and place an infected file here & open it
   a. You can obtain a test virus file at http://eicar.org/anti_virus_test_file.htm
5. Confirm no notification was displayed – balloon or pop-up

REVIEW RESULTS

Verified that the test virus file exists in the AVtest directory

Scheduled Scanning

Business Challenge: Malware infections can lead to performance and productivity issues, and may even lead to a data breach which compromises your valuable corporate IP or customer data. Real-time scanning is an important layer of defense against malware, but is generally not as in-depth due to performance concerns. So it is important to include a periodic deep scan which ensures a clean environment.

Business Context: To provide another layer of defense against infected applications, a periodic in-depth scan of the endpoint is necessary.

Expected Outcome: The re-occurring scan is assigned to all common-use computers as well as the L.E.M.S.S. v7.1 server. The scan policy is applied and all endpoints have a re-occurring scheduled scan enabled and active.

SERVER TASKS

1. Navigate to “Manage > AntiVirus Policies”
2. Press the “Create” button and select “Recurring Virus and Malware scan…” to create a scheduled scanning policy for your Public Use Desktops group. Use the following settings:
   a. Give your policy a unique name
   b. Set the Scheduling interval; for purposes of this evaluation, run it every other day
   c. Set the Activation to “Enable” so that this policy takes effect immediately (per the schedule selected above) once this creation process is finished
3. Press “Next” and set the scan options
   a. Scanning options for virus detection
      • Select “Attempt to clean then quarantine then delete” from the dropdown – this will ensure that the endpoint is completely cleaned of known malware
      • Check “Use sandbox” – this will detect previously unknown malware based on its behavior


      • Check “Scan Boot Sectors” – this will protect against malware which attempts to evade AV by hiding in the boot sector, which is a very common attack vector
      • Check “Scan archives” – this will ensure that no latent malware escapes undetected
      • Uncheck “Scan memory” – this will protect against malware which is resident in memory, another common attack vector
   b. Logging level
      • Select “Detailed logging level” – this will provide the AV admin with the details needed to triage the response, ascertain root cause, and track trends
4. Select “Scan all local drives” in order to ensure no malware is resident on secondary drives (e.g., external HD). Alternatively, select “Scan all local drives excluding the following paths/files” to reduce overall scan time.
   a. Enter a path to be excluded from the policy (c:\AVtest\)
   b. Press the “Exclude” button to confirm the path entered above. Note that you could “Import” an XML file containing multiple files/paths for exclusion instead; this is especially useful in large environments
5. Select “Scan locally-attached media” – this will ensure that any and all drives (e.g., removable HD) are also scanned
6. Press “Next” and assign the policy to the custom group you just created
7. Press “Finish” and validate that the policy has been created and that it has been assigned
8. Review the policy and confirm the creation date, logging settings and policy assignments are correct
9. Navigate to “Manage > Groups”, select your test group and confirm that the policy is assigned properly
   a. Right click on this group and select “AntiVirus Policies”


ENDPOINT TASKS

1. Create a new folder in the excluded path directory created in the Real-time Monitoring policy (c:\AVtest\) and place an infected file here & open it
   a. You can obtain a test virus file at http://eicar.org/anti_virus_test_file.htm
2. After the scheduled time, confirm there were no notifications of virus infection
3. Move the AVTest folder to another location on the endpoint
   a. Validate the virus removal after the next scheduled scan
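The exclusion check in the Real-time Monitoring endpoint tasks and in the Scheduled Scanning endpoint tasks above (drop a test file in the excluded folder, confirm it is left alone, then move the folder out of the exclusion and confirm it is cleaned) can be scripted on the endpoint so the result is recorded consistently across the evaluation group. The PowerShell below is an added example and is not part of the Lumension guide or product. It assumes C:\AVtest is the excluded path from the guide; the move-to folder C:\AVtest-moved, the file name eicar.com, and the wait times are assumptions of the example. Instead of downloading from the eicar.org page the guide links to, it writes the standard EICAR test string (a harmless industry test file, not real malware) directly.

```powershell
# Added example, not from the Lumension guide: scripted EICAR exclusion check
# for the Real-time Monitoring and Scheduled Scanning endpoint tasks.
# Assumptions: C:\AVtest is the excluded path from the guide; C:\AVtest-moved,
# the file name eicar.com and the wait times are this example's own choices.
param(
    [string]$ExcludedDir = 'C:\AVtest',
    [string]$MovedDir    = 'C:\AVtest-moved',
    [int]$WaitSeconds    = 60
)

# Standard EICAR test-file content. It is split in two so that this script
# file is not itself flagged by on-access scanning; the halves are joined only
# in memory when the test file is written. Single quotes keep $ and \ literal.
$EicarHead = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
$EicarTail = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function New-EicarTestFile {
    param([string]$Path)
    $content = $EicarHead + $EicarTail
    # The EICAR standard is the 68-character string as plain ASCII, no BOM.
    [System.IO.File]::WriteAllText($Path, $content, [System.Text.Encoding]::ASCII)
    $length = (Get-Item $Path).Length
    if ($length -ne 68) { throw "Unexpected test file length: $length" }
    return $Path
}

function Wait-ForRemoval {
    # Poll until the file disappears (cleaned/quarantined) or the deadline passes.
    param([string]$Path, [int]$Seconds)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path $Path)) { return $true }
        Start-Sleep -Seconds 5
    }
    return (-not (Test-Path $Path))
}

function Test-AvExclusion {
    # Step 1 of both endpoint task lists: create the excluded folder and place
    # the test file in it.
    New-Item -ItemType Directory -Force -Path $ExcludedDir | Out-Null
    $testFile = New-EicarTestFile -Path (Join-Path $ExcludedDir 'eicar.com')

    # "Open it": a read of the file is what the "Scan on both read/execute"
    # setting would intercept if the path were not excluded.
    Get-Content -Path $testFile -Raw | Out-Null
    Start-Sleep -Seconds 10
    $survivedInExcludedPath = Test-Path $testFile

    # Scheduled Scanning step 3: move the folder out of the exclusion, then
    # wait for a scan (scheduled or Scan Now) to clean the moved file.
    if (Test-Path $MovedDir) { Remove-Item -Recurse -Force $MovedDir }
    Move-Item -Path $ExcludedDir -Destination $MovedDir
    $movedFile = Join-Path $MovedDir 'eicar.com'
    $removedAfterMove = Wait-ForRemoval -Path $movedFile -Seconds $WaitSeconds

    # True in the first field means the exclusion was honored; True in the
    # second means a scan has already removed the file from the moved folder.
    [pscustomobject]@{
        Endpoint               = $env:COMPUTERNAME
        SurvivedInExcludedPath = $survivedInExcludedPath
        RemovedAfterMove       = $removedAfterMove
        CheckedAt              = Get-Date
    }
}

Test-AvExclusion | Format-List
```

Run it in an elevated PowerShell prompt on a test endpoint after the policies have been assigned. SurvivedInExcludedPath confirms that the real-time policy honors the c:\AVtest\ exclusion; RemovedAfterMove only becomes true once a scan has actually run against the moved folder, so rather than extending the wait indefinitely, rerun the check (or trigger a Scan Now) after the scheduled time and compare the result with the Virus and Malware Event Alerts page on the server.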

REVIEW RESULTS

AVtest folder has been cleaned of the test virus

Review Custom Dashboard

Business Challenge: As the number of point security solutions proliferate, so do the number of consoles and the amount of data which must be reviewed. Organizations need to have all the right information at their fingertips in order to maintain a secure network.

Business Context: To provide the right information to the right people, customizable dashboards which address the issues of particular interest are crucial. In organizations where a single admin monitors multiple solutions, having the most important information from them all in a single dashboard is desirable; in organizations where each admin monitors their own area, the ability to limit the flow to only relevant information is desirable.

Expected Outcome: A customized dashboard with all relevant information located where desired.

SERVER TASKS

1. Click on the Configure dashboard settings… option in the upper right corner of the screen


2. Select the dashboard elements you would like on your dashboard
3. Place the elements where you would like them to be on your dashboard

ENDPOINT TASKS

N/A

REVIEW RESULTS