Testing and Validating Symantec Security Technology and Response (STAR) Protection Technologies in Symantec Endpoint Protection



Article ID: 154226


Updated On:

Products

Endpoint Protection, Endpoint Detection and Response

Issue/Introduction

Symantec Endpoint Protection (SEP) now includes four key anti-malware protection technologies: File-Based Protection, Network-Based Protection, Behavior-Based Protection and Reputation-Based Protection. How can you validate that each protection technology is enabled, and what do the corresponding alerts look like?

How do the detections for the cloudcar and socar test files appear in the SEP Threat log?

Resolution

File-Based Detection Testing and Validation:

Symantec’s File-Based Protection includes multiple protection engines: the file-based antivirus engine, our Malheur engine and our Bloodhound heuristic technology. To trigger an alert from the antivirus engine, use the EICAR test file described below.

The standard test file for file-based anti-virus is the EICAR test file, named for the European Institute for Computer Antivirus Research. The file is not malicious; it is a string that many anti-virus vendors have agreed to detect specifically so that scanning can be tested safely. It can be downloaded from the EICAR website (www.eicar.org) as a plain text/.com file and as versions embedded in a .zip archive (one level deep and nested two levels deep). Symantec's Testing a Virus and Spyware Protection policy article gives exact steps for using EICAR to test AV.
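The drop-and-check that the steps above describe, as an added example (this is not code from the Symantec article and not a Symantec tool): a Python script that assembles the EICAR string at runtime, builds the single-level and nested ZIP variants in memory, writes all three into a directory on the endpoint under test and polls until real-time protection removes them or a timeout expires. The output file names, the 30-second default timeout and the directory argument are assumptions made for this example.

```python
"""
Drop EICAR test files (plain, single ZIP, nested ZIP) and report whether the
endpoint's file-based protection removes them.  Added example, not part of
the Symantec article or product; file names and timeout are assumptions.
"""
import io
import os
import sys
import time
import zipfile

# The EICAR string is assembled from fragments at runtime so that this
# script itself is not flagged when it is saved to disk or copied around.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)


def eicar_string() -> bytes:
    """Return the 68-byte EICAR test string (ASCII, no trailing newline)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def nested_zip(payload: bytes, depth: int, name: str = "eicar.com") -> bytes:
    """Wrap payload in `depth` nested ZIP archives and return the outer archive.

    depth=1 corresponds to EICAR's single-level eicar_com.zip; depth=2 to the
    zip-in-a-zip eicarcom2.zip.  Larger depths probe the scanner's limit for
    how many archive levels it will look inside.
    """
    if depth < 1:
        raise ValueError("depth must be >= 1")
    data, inner_name = payload, name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
        data = buf.getvalue()
        inner_name = "level%d.zip" % (level + 1)  # member name for the next wrap
    return data


def unwrap(data: bytes) -> tuple:
    """Unzip repeatedly until a non-ZIP member is reached.

    Returns (innermost_payload, number_of_zip_layers); used to verify that
    nested_zip produced the depth that was asked for.
    """
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])  # each layer holds exactly one member
        depth += 1
    return data, depth


def drop_and_watch(directory: str, wait_seconds: float = 30.0, poll: float = 1.0) -> dict:
    """Write the three test files into `directory` and poll until each one is
    gone (quarantined or deleted by real-time protection) or the timeout expires.

    Returns {file name: True if removed, False if still present}.  A write that
    fails with OSError is counted as removed, because on-access protection may
    block the file creation itself rather than delete the file afterwards.
    """
    files = {
        "eicar.com": eicar_string(),
        "eicar_com.zip": nested_zip(eicar_string(), 1),
        "eicarcom2.zip": nested_zip(eicar_string(), 2),
    }
    paths = {}
    for fname, data in files.items():
        path = os.path.join(directory, fname)
        try:
            with open(path, "wb") as fh:
                fh.write(data)
            paths[fname] = path
        except OSError:
            paths[fname] = None
    result = {name: path is None for name, path in paths.items()}
    deadline = time.time() + wait_seconds
    while time.time() < deadline and not all(result.values()):
        for name, path in paths.items():
            if path is not None and not os.path.exists(path):
                result[name] = True
        time.sleep(poll)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for name, removed in drop_and_watch(target).items():
        print("%s: %s" % (name, "detected" if removed else "NOT detected"))
```

Run it on the client as, for example, `python eicar_drop.py C:\Temp`. A file that is still present after the timeout is not by itself proof of a miss: the Auto-Protect action may be configured to log only, or scanning inside compressed files may be disabled or limited to fewer levels than the archive has, so confirm the outcome in the SEP Threat log rather than from the file system alone.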


Network-Based Protection Testing and Validation:

Symantec’s Network-Based Protection is a set of technologies designed to block malicious attacks before they have a chance to introduce malware onto a system. Unlike file-based protection, which must wait until a file is physically created on a user’s computer, network-based protection analyzes incoming data streams as they arrive on the user’s machine over network connections.  There are three primary engines:

  1. Network IPS Engine
  2. Browser Protection Engine
  3. UXP Engine

To validate that the IPS engine or Browser Protection is working, you need to actually exploit an underlying vulnerability in the operating system or browser.   For maximum alerts and notifications, it helps to have a vulnerable browser, plug-ins and operating system.  Use an exploitation framework such as Metasploit, Core Impact or Immunity's Canvas to exploit operating system, browser and third-party application vulnerabilities.  There are two kinds of test, server-side and client-side, described below.

Using a tool like Metasploit, Core Impact or Canvas to test the IPS and Browser Protection engines is the most effective way to mimic a real attack, similar to what a web attack toolkit does.  Run the tests in a virtual environment so you can roll back easily.  Set up server-side exploits (for example, tests that exploit the MS-RPC and LSASS services) to attack the operating system, and set up client-side tests in which a real web server hosts the exploit and you navigate the endpoint under test to its URL to exploit a vulnerability in the browser or a browser plug-in.

Note:  Running an Nmap scan or a Nessus vulnerability scan does NOT do anything malicious and will not trigger the IPS or Browser Protection engines, even with Nessus's "safe checks" option turned off.

You can use nmap -A to scan a computer; this produces a port scan alert from the Network Threat Protection (NTP, the firewall) component, not an IPS detection.

UXP stands for Unauthorized Download Protection.
Within the Network-Based Protection layer, this last line of defense helps mitigate unknown and unpatched vulnerabilities without the use of signatures, providing a further layer of insurance against zero-day attacks.

Behavioral-Based Protection Testing and Validation:

Symantec’s Behavior-Based Protection technology provides effective and non-invasive protection from previously unseen, zero-day threats. The Symantec Online Network for Advanced Response (SONAR) is the main engine of our behavior-based technology and features a classification engine based on artificial intelligence, human-authored behavioral signatures, and a behavioral policy lockdown engine. Together these components provide protection against threats that most often arrive as socially engineered and targeted attacks.  The latest version of this technology is SONAR 3.

To test SONAR 3 and see its alert, unpack the socar.zip file (the SONAR equivalent of EICAR; the archive password is “infected”) and launch the non-malicious “SOCAR.EXE” executable.  You should see an alert with the title “SONAR has removed the security risk socar.exe. Your computer is secure.”    Viewing the details shows “A program was behaving suspiciously on your computer. This program was blocked and removed”.

See Using the Socar.exe test file to verify SONAR functionality for additional information on testing SONAR.


Reputation-Based Protection Testing and Validation:

Symantec’s Reputation-Based Protection technology is the newest addition to the suite of protection technologies developed by STAR.  Reputation-based security addresses the latest development in the threat landscape: micro-distributed malware. Using the combined wisdom of over 130 million contributing users, our reputation system learns which applications are good and bad from the anonymous adoption patterns of those users, and uses this intelligence to automatically classify virtually every software file in circulation. This reputation data is used by all of Symantec's products to block new malware automatically and, conversely, to identify and allow new legitimate applications.

To test the Reputation technology, first test without the cloud/Reputation connection to confirm that no detection occurs.  Open the non-malicious cloudcar.zip (the Reputation equivalent of EICAR; the archive password is "symantec") and extract Cloudcar.exe.  Disconnect the system from the internet, then right-click the file and select “File Insight”.  No “bad” reputation is reported.   Reconnect the internet connection. While connected to the internet and our Reputation cloud technology, right-click the file and select “File Insight” again.  The reputation of this file is now reported as “Bad – There are indications that this file is untrustworthy”.


Attachments

1634319783473__socar.zip
cloudcar.zip