IN-DEPTH TEST AND ANALYSIS OF SYMANTEC’S ENDPOINT PROTECTION (SEP) CAPABILITIES

Daniel Ajiginni

Abstract

2020 has been an eye opener for organizations and small businesses alike, as cyber threat actors saw the pandemic and the resulting “work from home” approach as an opportunity not to be passed up. The cyber security community witnessed many bold moves from threat actors at an alarming rate, from ransomware gangs calling victims directly and large-scale phishing campaigns to the dumping of sensitive data stolen from breached victims on multiple public sites. This has led to a scramble for a more secure and effective way of ensuring that staff and clients working from home are constantly protected.

1 Introduction

There has been exponential growth in the use of information technology resources for ease of access, productivity and safety, as in the case of 2020’s pandemic reality. This has come with the ever-growing challenge of maintaining the basic security principles of confidentiality, integrity, and availability (CIA), which are continuously put to the test in order to prevent threat actors from infiltrating systems and tampering with or exfiltrating sensitive data within organizations.

Symantec Endpoint Protection (SEP) 14

As the complexity of cyberattacks continues to increase, it has become very difficult to ensure the security of all endpoints within organizations. Symantec Endpoint Protection is a software solution developed to meet this highly sought-after need, with protection that covers servers, desktops, laptops, and virtual environments against a wide range of threats.

Noteworthy features:

· Prevention and detection

· Response

· Investigation and containment

· Resolution

· Deception

· Adaptation

· Global threat intelligence

Fig 1: SEP features

Attack scenarios covered

* Zero-day attacks

* Malicious web URLs and downloads

* Viruses, spyware, ransomware, adware, rootkits and worms

* Malicious port scanning (reconnaissance) and exploit attacks

* Insider and external attacks

* Application vulnerability exploits

* Network intrusion

2 Test

A secured virtualization environment was created with VirtualBox, consisting of two VMs: a Windows 10 Pro machine (client) and a Windows Server 2012 machine (manager). We installed the SEP Manager on the Windows Server machine and created a SEP client agent installation package, which was installed on the Windows 10 Pro machine.

Fig 2: Virtual lab setup

After finalizing the setup of both machines, we proceeded to download a large number of malware samples of different variants; for this we used “VirusSign”.

Fig 3: VirusSign
Fig 4: Malware samples

After downloading the zipped samples onto the Windows 10 Pro machine, we disabled real-time protection and unzipped the malware bundle. Next, we copied all malware variants into a single folder named “Malwares”. This folder consisted of 274 samples (viruses, ransomware, adware and trojans) in PDF, DLL, EXE and DOCX formats, plus a couple of unknown formats.

Tests against the malware samples included:

· Scanning with real-time protection disabled

· Scanning with real-time protection enabled

· Behavioral analysis

2.1 Malware detection capabilities without and with real-time protection, and behavioral analysis test

Fig 5: 1st Malware scan without real-time protection
Fig 6: Malware detected

The scan picked up signatures of a large number of malicious files and automatically switched to enhanced scan mode to handle them quickly. Malicious files were deleted and quarantined.

Fig 7: 1st scan result

After the first scan, 56 files were left undetected, so we enabled real-time protection and carried out a second scan on the remaining files.

Fig 8: 2nd scan results

After the second scan, 39 files were left undetected. Next, we tested Symantec’s malicious execution detection capabilities (zero-day) using “MelTester2.exe”, which runs the remaining executable (EXE) files so that we can see how Symantec’s behavioral analysis responds.

Fig 9: MelTester run

The result from Symantec’s behavioral analysis is highly impressive, with an 84.62% detection rate: it accurately blocked 11 out of 13 executable files run on the system, which would make Symantec a superior zero-day detection product.

We confirmed that the remaining malware samples were indeed malicious with the help of “VirusTotal”.

The results show that they are indeed malicious files; no surprises there, as our samples were taken from the most recently cultivated malware samples, a perfect example of attackers constantly trying to bypass detection.

2.2 Web browser security test

Next, we quickly tested the web protection capabilities of SEP by visiting a known malicious domain. We used a popular free movie and TV series streaming site that has a large number of redirections and invisible documents embedded in frames. “Fmovies.to” was picked from the list of options, and as soon as the domain was visited we started receiving alerts about the potential dangers associated with it, along with the ports on the machine to which it sent requests.

Fig 10: Malicious domain detection

The security policy setting for web intrusion prevention is set only to notify and not to block requests, but our results clearly show how effective this feature is.

2.3 Port scanning detection and prevention

Here we used Zenmap to scan the IP address of our target machine to see how Symantec detects and responds to the port scan.

Fig 11: Kali Zenmap port scan
Fig 12: Symantec detection and response

The port scan was detected by SEP, which responded by blocking the attempt as well as the attacker’s IP address for a specified period of time, and logged the event.

SEP Manager

On our SEP Manager a lot of activity had been logged from the managed Windows 10 Pro machine, from the beginning of our tests to the remediation.

SEP Manager home overview

A quick overview of managed system health is found in the Home tab.

Risk distribution

The Monitor tab gives us the risk distribution, risk distribution by source, risk distribution by group, and new risks as the test was being carried out.

Network and host exploit event report
Network and host mitigation logged events

* The results of our network port scanning exploit attempt are logged and broken down for analysis. Viewing the log for network and host exploit mitigation attacks, we can approve the IP address associated with the port scan if it belongs to an administrator auditing the hosts on the organization’s network.
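To make concrete the behaviour described in section 2.3 and in the log review above (a port scan is detected, the source address is blocked for a set period, the event is logged, and an administrator can approve a known auditing host), here is an added illustration in Python. It is not Symantec’s code; the thresholds, the block period, the IP addresses and the connection records are all constructed for the example.

```python
from collections import defaultdict, deque

PORT_THRESHOLD = 10    # distinct ports touched within the window that count as a scan (assumed)
WINDOW_SECONDS = 5.0   # sliding window per source address (assumed)
BLOCK_SECONDS = 600.0  # how long the source stays blocked; SEP uses a configurable period


class ScanDetector:
    """Flags fast sweeps of many ports from one source, blocks that source for a
    fixed period and records each event; approved auditing hosts are never blocked."""

    def __init__(self, approved_ips=()):
        self.approved_ips = set(approved_ips)   # admin-approved scanners, as in the SEP log review
        self.probes = defaultdict(deque)        # src -> deque of (timestamp, dst_port)
        self.blocked_until = {}                 # src -> timestamp when the block expires
        self.events = []                        # audit log, one line per block decision

    def observe(self, ts, src, dst_port):
        """Classify one connection attempt: approved, blocked, scan or allowed."""
        if src in self.approved_ips:
            return "approved"
        if self.blocked_until.get(src, 0.0) > ts:
            return "blocked"                    # still inside the block period
        q = self.probes[src]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                         # drop probes that fell out of the window
        distinct = {port for _, port in q}
        if len(distinct) >= PORT_THRESHOLD:
            self.blocked_until[src] = ts + BLOCK_SECONDS
            self.events.append(f"t={ts:.1f} PORT_SCAN src={src} ports={len(distinct)} block={BLOCK_SECONDS:.0f}s")
            q.clear()
            return "scan"
        return "allowed"


def run_sample():
    """Constructed connection records (timestamp, src, dst_port); not a real capture."""
    det = ScanDetector(approved_ips={"10.0.0.5"})
    records = [(i * 0.1, "192.168.56.101", 1 + i) for i in range(12)]   # fast 12-port sweep
    records += [(20 + i * 0.1, "10.0.0.5", 1 + i) for i in range(12)]   # same sweep, approved host
    records.append((30.0, "192.168.56.101", 443))                       # retry while still blocked
    verdicts = [det.observe(ts, src, port) for ts, src, port in records]
    return {"verdicts": verdicts, "events": det.events, "blocked_until": dict(det.blocked_until)}


if __name__ == "__main__":
    result = run_sample()
    print(result["verdicts"], *result["events"], sep="\n")
```

The attacker’s tenth probe inside the window trips the threshold, every later attempt from that address is refused until the block expires, and the identical sweep from the approved host is left alone.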

Notifications logged
Email alert to admin

Email alert sent out to the admin about an ongoing threat on a managed client.

Remediation and activity summary

After remediation we are given an updated report on the health of our managed devices.

3 Pros and Cons

Pros

* A wide range of features that complement each other to enable formidable endpoint security.

* Fast and effective zero-day protection.

* Suitable for corporate use.

* Includes a personal firewall.

* Excellent notification, reporting, and analysis breakdown.

Cons

* Lengthy scan duration.

* Requires a restart after threats are detected.

* Uses a lot of system resources (a high-end system should be considered for running it, to ensure uninterrupted user productivity).

* Many functions are not available in the 32-bit version of SEP.
