Friday, October 26, 2007

Marketers should strategize for data loss prevention.

As data loss continues to grow, prevention is a serious issue for companies, according to a new report by e-mail services firm IronPort Systems Inc.

In a new report titled “Data Loss Prevention Best Practices, Managing Sensitive Data in the Enterprise,” IronPort Systems, a business unit of Cisco, delineates best practices that companies can use to prevent leaks and to be compliant.

“We are seeing more and more complications in being compliant with data loss prevention,” said Tom Gillis, SVP of marketing at IronPort Systems. “We focus on data in motion, or data that is transferred over the Internet and came up with a set of best practices for companies to follow to make sure that their information is not being stolen.”

Whether it’s e-mail, instant messaging, a Web site form or a file transfer, unmonitored electronic communications have the potential for confidential information to be stolen. To address these issues, IronPort created a best practices checklist to help marketers deal with these systems.

The first step towards solving the data loss problem is to develop an understanding and inventory of the types of sensitive data that exist within the organization and what policies are needed to control and enforce how that data can be shared.

Secondly, the report urges marketers to focus on all areas of data loss prevention starting with the most vulnerable areas.

In addition, the report encourages marketers to use data loss prevention software that tracks policy violations and includes multi-protocol monitoring and prevention, content-level analysis of all major file and attachment types, selective blocking and/or quarantining of messages and automatic enforcement of corporate encryption policies. This software should be unobtrusive, so that consumers need not concern themselves with any extra steps.

Finally, according to the report, a data loss prevention platform should include detailed reports of all suspected violations. Administrators and policy officers should have the ability to receive reports outlining detected violations including information such as the message sender, contents, attachments, intended recipients and information about the violating content.

Monday, October 22, 2007

BotNet - one day in the life.

A bot network tends to fluctuate: the number of members in the network waxes and wanes over time. I base this understanding on my regular observation of modern botnets and the observations of my peers (please see pg. 41 of ISTR Volume X). In the past, IRC protocol-based botnets had an “Achilles heel”: if the single central server being used to control the network was taken down, the network without a controller would fall apart.

The miscreants that choose to build and control these bot networks began to develop innovative methods that could bolster their reliability. With this goal, Fast-flux DNS tactics were employed to provide redundancy so that these networks were more difficult to take down. Trojan.Peacomm (also known as “Storm Worm”) employed the Overnet protocol – a robust, decentralized, peer-to-peer network that is based on the Kademlia algorithm.

However, all of these advancements in bot network technology still do not make the network bulletproof. They do not protect the botnet from bot losses that occur when a bot-infected computer is taken offline or the infection is detected by antivirus software and cleaned. There is little question that Trojan.Peacomm is a sophisticated peer-to-peer bot network that is difficult to disable completely, but it cannot be immune to fluctuations in its membership. Perhaps this is why some of the static numbers for the Peacomm network size are so difficult to digest. According to MessageLabs there are 2 million bots. (They are quoted as reporting that at 2 million bots it is operating at only 10% capacity, implying a true size of 20 million bots. The same article also reports observations of 50 million Peacomm bots.) A botnet of 20 million bots was also reported on zdnet.com. Are these metrics based on active bot-infected computers, or on a cumulative total observed since Peacomm was first detected?

Personally, I believe in applying Occam’s Razor when estimating the size of a given botnet. It is better to assume nothing about the current size of the network and instead gauge the network size based only on the number of active bots that can be observed for a period of time where the network size is least likely to fluctuate. According to the recently published Symantec Internet Security Threat Report (pg. 47), "The average lifespan of a bot-infected computer during the first six months of 2007 was four days, up from three days in the second half of 2006." This means that an accurate metric for a given bot network, if all of the bots join the network at exactly the same time, at very best can remain accurate for only four days. In reality the bot network will constantly fluctuate, so metrics for longer periods should at least be graphed at points over time to represent this fluctuation.

The "snapshot" approach, where activity is observed only for a reasonable period of time, should deliver a more accurate picture of the known and verifiable state of the botnet at that point in time, but only at that point. It will likely be a partial image, but it is based on accurate and verifiable activity. If many of these “snapshots” are taken, it might provide a more accurate impression of the bot network when graphed. For a dynamic network that can radically change in size from week to week, estimating the size of that network based on a cumulative number generated based on observed IPs over a long period of time might yield an inaccurate perception of the studied network.

Other researchers are reporting lower metrics for the Peacomm network size than the 20 million nodes figure. For example, Secure Science Corp reports an average of just over 53,000 active Peacomm bots at 7:00 a.m. ET, October 1, 2007. Secure Science Corp used the “snapshot” approach to graph metrics for the Peacomm network over the period of a week, and the undulating metric is fascinating.

Microsoft’s anti-malware team also reported lower metrics. In a recent blog they discuss that Peacomm ranks only third in total malware cleaned by the Microsoft anti-malware team. They also report that a component of Peacomm was detected on 274,372 computers as of September 18, 2007, at 2:00 p.m. PDT.

Symantec’s DeepSight Threat Analyst Team decided to use this "snapshot" approach in order to gather a geographical picture of a 24-hour period of Peacomm spam activity. Based on spam messages that were captured over a 24-hour period by Symantec antispam sensors on August 18 and September 18, 2007, we observed 4,375 unique Peacomm IPs for August 18; 2,131 of these IPs were acting as Peacomm SMTP servers and 2,244 IPs were acting as Peacomm HTTP servers (these are the servers that serve exploits and Peacomm binaries to innocent victims, as well as Peacomm propagation spam). Contrast that with 6,081 unique IPs for September 18, 2007, with 3,408 SMTP IPs and 2,673 HTTP IPs. Given those two sample sets, only 1,610 IPs intersect. So, for just a month’s time-span we observed a respectable fluctuation in Peacomm IP metrics, reinforcing the understanding that the Peacomm network is consistently in a state of fluctuation.
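The snapshot comparison described above, worked through on constructed sample data (this is an added example, not DeepSight’s code or sensor output): each snapshot counts unique IPs for one day, overall and by SMTP/HTTP role, and the two snapshots are intersected to show how much a cumulative IP count overstates any single day’s active population.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Observation = Tuple[str, str, str]  # (date, ip, role)

# Constructed sample data (not Symantec sensor output): one record per
# (day, IP, role) that a 24-hour capture attributed to the botnet.
# Addresses are RFC 5737 documentation ranges.
SAMPLE_OBSERVATIONS: List[Observation] = [
    ("2007-08-18", "192.0.2.10", "smtp"),
    ("2007-08-18", "192.0.2.10", "http"),    # one host acting in both roles
    ("2007-08-18", "192.0.2.11", "smtp"),
    ("2007-08-18", "192.0.2.12", "http"),
    ("2007-08-18", "198.51.100.5", "smtp"),
    ("2007-09-18", "192.0.2.10", "smtp"),    # still active a month later
    ("2007-09-18", "192.0.2.12", "http"),    # still active a month later
    ("2007-09-18", "203.0.113.7", "smtp"),
    ("2007-09-18", "203.0.113.8", "http"),
    ("2007-09-18", "203.0.113.9", "smtp"),
    ("2007-09-18", "203.0.113.9", "smtp"),   # repeated sighting; must not double count
]


def snapshot(observations: Iterable[Observation], date: str) -> Dict[str, Set[str]]:
    """Unique IPs active on one day, overall ("all") and per role."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for day, ip, role in observations:
        if day == date:
            ips["all"].add(ip)
            ips[role].add(ip)
    return dict(ips)


def snapshot_counts(observations: Iterable[Observation], date: str) -> Dict[str, int]:
    """The per-day metric the snapshot approach reports: counts of unique IPs."""
    return {key: len(val) for key, val in snapshot(observations, date).items()}


def compare_snapshots(observations: List[Observation], day_a: str, day_b: str) -> Dict[str, float]:
    """Overlap between two snapshots, plus the cumulative figure that a
    long-window IP count would report for the same data."""
    a = snapshot(observations, day_a).get("all", set())
    b = snapshot(observations, day_b).get("all", set())
    both = a & b
    return {
        "active_a": len(a),
        "active_b": len(b),
        "intersect": len(both),
        # Union over both days: larger than either day's active population.
        "cumulative": len(a | b),
        "retained_fraction": len(both) / len(a) if a else 0.0,
    }


if __name__ == "__main__":
    for day in ("2007-08-18", "2007-09-18"):
        print(day, snapshot_counts(SAMPLE_OBSERVATIONS, day))
    print(compare_snapshots(SAMPLE_OBSERVATIONS, "2007-08-18", "2007-09-18"))
```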

This Peacomm snapshot was mapped based on the geo-location of the involved IP addresses, and an interesting image developed. It seemed that English-speaking countries were most affected by the Peacomm activity. Based on conjecture, this could be because the majority of Peacomm spam is delivered in the English language, but this has not been verified and other factors are definitely involved. (Note: the markers on the map below represent groups of IP addresses that are related geographically.)

I am sure that the debate about the Peacomm network size will rage on for some time, but I feel that we have to maintain some degree of sensibility before hysteria-inducing claims, such as “Storm worm more powerful than top supercomputers” can be proclaimed. Given the nature of Peacomm, an exact size metric is difficult to derive, although it is important that this is known. Peacomm presents an interesting enigma with regards to the size of the network. On one hand, many researchers (including myself) agree that it is indeed a large network given the sophistication of Peacomm. On the other hand the Peacomm network is impacted by daily bot losses as computers are disinfected or taken offline. My initial research suggests that the network is smaller than some think, leading me to believe that, at least currently, the Peacomm network size is closer to the more conservative estimates that are being published.

Thursday, October 18, 2007

6 hot items on the hacker's holiday shopping list

Here, according to Jackson and Schipka, are some of the items likely to be in high demand by hackers shopping in this underground marketplace this coming holiday season:

1. Build A Storm Botnet: This new and uniquely crafted malware tool has been designed with the really high-end hacker in mind and is likely to be one of the hottest items this season, according to Jackson. For prices starting at $100,000, spammers and other malicious attackers can now buy their very own Storm botnet, complete with fast flux DNS and hosting capabilities. Making it possible is a smart new 40-byte encryption feature supported on the latest Storm variants that hackers can basically use to segment compromised machines into their own little Storm botnets.

"Think of this as an FAO Schwarz kind of item," Jackson says. "Rather than leasing a botnet service and paying bot by bot for a good e-mail run or iFrame blast, you can pay for it all at once and have your own little Storm botnet," Jackson said. The people who would buy such services are those who have already made their loot using leased services and are looking to start owning infrastructure, he said.

2. Rent-A-Bot services: Who needs to buy a botnet when you can lease a perfectly good one by the hour at a fraction of the price? Available in abundance this season, such botnet services are designed to let average spammers deliver a gazillion copies of their malware without them having to invest in the infrastructure needed to do so, Schipka said. For as little as $100 to $200 per hour, spammers can get access to a fully functional botnet capable of delivering the finest image spam and body part enhancement ads to millions at the click of a button, he said.

And such rent-a-bots aren't just for spammers anymore, Jackson said. What makes these versatile services so broadly appealing to bad guys is that they can be easily adapted to deliver the malware of choice or to launch distributed denial of service (DDOS) attacks against extortion targets. One example is the BlackEnergy botnet, which can be used to launch DDOS attacks against specific targets for about $80 per hour, according to Jackson. For those not willing to spend even that much, low-cost options starting at $10 per hour for one million bots are readily available for conveniently distributing smaller spam loads and malware.

All an enterprising hacker needs to take advantage of such services is a plan, Schipka said. "You would need to figure out your business model and draw up a business plan," he said. "If you were renting a bot for three hours at $100 per hour to deliver spam it means you need to make more than that to benefit from the use of the service." If it's some other sort of malware being seeded via a botnet -- such as a keylogger or Trojan -- the cost of purchasing the code would have to be included as well, Schipka said. "...They'd need to be looking for a botnet with the highest quality and the lowest amount of money."

3. Ye Olde Malware tools: Do-it-yourself enthusiasts have a wider range than ever before of malware tools, including Trojans, zero-day exploits, rootkits, spyware programs and keyloggers, according to Jackson and Schipka. For around $3,000 to $3,500, serious shoppers can find sophisticated polymorphic malware capable of delivering all sorts of nasty code on vulnerable computers while constantly morphing to evade detection. Variants can be purchased separately for less than $10 on average to about $20 a piece. In some cases, variants can be delivered at the rate of one new variant every 59 minutes, or precisely one minute less than the hourly cycles many anti-virus vendors use to push out new virus signatures, said Schipka.

Likely to be in high demand are customized Trojan programs specifically designed to steal identity and patient data from systems belonging to health care providers, Jackson said. Current black-market rates for this kind of ID information, which is typically used to defraud health insurers, are about $200 per patient profile.

In the stocking stuffer class are tools such as the Webattacker malware creation kits, exploits from sites such as WabiSabiLabi and numerous one-click phishing kits available from groups such as the Russian Business Network, Jackson said.

4. Data providers: These consumer-friendly service providers are targeted at intrepid entrepreneurs looking to use someone else's identity and financial information for their own gain. As an industry niche that's been around longer than many others, data providers today cater to a wide-ranging audience with disparate needs. Some specialized services offer identity information, complete with driver's license photos, passport scans, credit card numbers, e-mail and street addresses -- all for as little as $5 a pop, according to Schipka. At the higher end, health-care related identity data or information belonging to high-level corporate executives can go for nearly $200 per victim. And then there are services that let individuals buy stolen credit card data at between 2% and 4% of the credit balance left on the cards, Schipka said.

5. Drop services: These specialized services have been developed expressly for the harried online shopper who purchases items online -- especially high-ticket electronics gadgets -- with stolen credit cards but has no place to send them. Drop services can provide thieves with convenient and reliable addresses to mail stolen goods in the country from where the online purchase is made, Schipka said. "Sometimes, these are people who know they are receiving stolen goods," he said. "Sometimes, they just sort of receive these parcels and either send them somewhere else or make them available in person" to pre-specified locations. People in the latter category don't often know they are handling stolen goods and are hired via phony work-at-home advertisements that promise to pay them specific amounts of money for simply receiving and forwarding goods, he said. Drop services typically get the stolen goods for about 30% or less of the retail value of the product, he said.

6. Escrow, anyone? Forget all those quaint notions about honor among thieves. In the online underground, it's more often about scammers looking to scam other scammers, Schipka said. That's where referrals and escrow services can play a key role, he said. For fees ranging from about 2% to 4% of the total transaction, service providers will act as a "trusted" intermediary between a seller and buyer of malware and other illegal services. Such services can hold purchase money in escrow until a buyer has had a chance to see whether the goods or services are okay and performing as billed. And sellers are assured they get paid for delivering what they promised, Schipka said.

Symantec ships next-gen SRM software

Symantec recently released the next generation of its Veritas CommandCentral storage resource management (SRM) software, with added support for both physical and virtual environments, advanced process automation and reporting features, and increased scalability.

Version 5.0 of Veritas CommandCentral enables administrators to peer into physical and virtual server and storage environments and manage storage capacity at an application level, thanks to added support for VMware, Hitachi Data Systems’ TagmaStore, and IBM’s SAN Volume Controller (SVC) virtualization platforms. The software analyzes storage consumption in the physical and virtual worlds to identify capacity that can be reclaimed in order to boost utilization rates.

The suite includes CommandCentral Storage 5.0, CommandCentral Enterprise Reporter 5.0, and Veritas Process Automation Manager 5.0. The combination of CommandCentral Storage and Enterprise Reporter delivers business-level reporting capabilities and a global view of storage with the ability to roll up information from multiple data centers into a single view, organized by lines of business, geography, or other customized views.

Veritas Process Automation Manager 5.0 is an IT process automation platform that enables standardization of storage management processes and operational policies, which can ultimately help users automate complex setup and provisioning tasks. With Process Automation Manager, organizations can improve efficiency of storage operations, reduce storage provisioning time, and manage service levels, according to Rob Soderbery, senior vice president in Symantec’s Storage Foundation Group.

Soderbery says CommandCentral has evolved from a tool that provides a historical view of SAN management into an operational tool that can improve overall system performance and deliver storage as a service. “Enabling storage as a service is about understanding which business owners and which applications are consuming storage resources, what that costs, and the service levels that need to be met,” says Soderbery.

In terms of scalability, Symantec claims that CommandCentral can handle up to 3,000 servers, 6PB of storage capacity, and 12,000 switch ports.

Symantec has also extended support for physical storage devices in a variety of ways, including compliance with the SMI-S 1.1 specification through a number of multi-vendor API agreements. Symantec has added support for disk arrays from 3PAR and Fujitsu, HP’s Enterprise Virtual Array (EVA) family, IBM’s DS4000 arrays, and Network Appliance’s iSCSI systems. Software support now includes EMC’s Symmetrix Remote Data Facility (SRDF); Clariion SnapShot, MirrorView, and SnapView; NetApp’s Snap Mirror; and Hitachi’s Shadow Image replication software.

Veritas CommandCentral 5.0 is licensed on a per-server basis. CommandCentral Storage 5.0 and Process Automation Manager 5.0 are available now. Enterprise Reporter 5.0 is due in the next 60 days.

Enterprise Strategy Group analyst Bob Laliberte says CommandCentral 5.0’s support for virtualized server and storage environments and the new enterprise-wide reporting capabilities are key additions to the software.

Laliberte notes that, while storage virtualization isn’t getting the same exposure as server virtualization, it is still playing an important role in helping IT provide higher service levels. “The key part of this announcement is that CommandCentral can support both server and storage virtualization,” says Laliberte. “The software will also provide HDS and IBM customers with an alternative solution for management, especially those looking to combine storage virtualization with server virtualization.”

CommandCentral 5.0 represents the second leg of Symantec’s Storage United initiative, which is a software-oriented approach to help IT managers deliver storage as a service by uniting disparate resources. The initiative was launched in June with the debut of NetBackup 6.5. The idea behind Storage United is to give users an integrated suite of data protection, storage management, and archiving software that supports all major server and storage systems.

You’ve Got MP3 Mail! Be careful!

McAfee Avert Labs has observed a new wave of pump-and-dump spam today that we believe to be originating from the Storm worm botnet. The spammed .mp3 attachments promote a company enjoying huge success in Canada and expecting amazing results in the USA.

These audio files are of very poor quality, and one has to literally strain one’s ears to hear what’s being announced. The spammed .mp3 files have been encoded using “LAME 3.97”, an open-source MP3 encoder. The filenames are pretty dynamic; here’s a list:

Filenames used

In the last year or so we have seen multiple file types used in spam runs in an attempt to subvert traditional anti-spam detection techniques. From plain text to ASCII art, image spam, DOC, FDF, PDF, RAR, and XLS: thinking out of the box has given stunning results for these creative spammers.

New way for virus

My girlfriend recently bought an mp3 player through eBay. The slim 8GB player, dubbed ”MP3 Player“ by the no-name brand vendor, reminded me of some other well-known player – I… I… I just can’t remember the name. But, since it was offered at half the price of an iPod, we thought it wasn’t a bad deal and ordered it. Last week it was finally delivered and while checking it out I connected it through USB to my laptop. A moment later my Norton Internet Security informed me that the removable device was infected with Backdoor.Graybird. Using a hidden autorun.inf file the back door tried to infect the PC the player was connected to – if the user was careless enough to open the drive unprotected. ;-) Not that I believed that we would no longer see any Backdoor.Graybirds after the farewell from the authors.

Nor did I believe that everyone would learn from the mistakes other manufacturers suffered in similar cases (see previous Symantec blogs: "Playing on a blog near you." and "Would you like a virus with that?"). I guess we have to face it: more and more USB devices will become infected by malware in the future. Some unintentionally during careless manufacturing, and others deliberately infected by the attackers.

There are just too many ways to prepare USB drives to autorun and infect machines. Some attacks rely heavily on social engineering, such as the method of adding an extra “open with” menu entry as shown in the screenshot here:


If the user doesn’t notice the extra menu entry, he or she will run the malware instead of opening the drive. So, be wary of any unknown USB device that you plug into your machine; in fact, you should always be vigilant with any new device that you use.
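A check a defender can run on a newly attached drive before opening it, covering the two vectors the post describes: a launcher line (`open=` / `shellexecute=`) in a possibly hidden autorun.inf, and an extra shell verb whose caption mimics the genuine menu entry. This is an added example, not Symantec’s or Norton’s code; the sample autorun.inf is constructed, and the hidden-attribute check only has effect on Windows.

```python
import re
import stat
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample autorun.inf (not the file from the post). It combines an
# "open=" launcher with an added "open" verb whose caption mimics the real Open
# entry, so the bogus item sits beside the genuine one in the drive's menu.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open=&Open
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore=E&xplore
shell\\explore\\command=RECYCLER\\setup.exe
"""

# Constructed benign file: only cosmetic keys, nothing is executed.
BENIGN_AUTORUN = """[autorun]
icon=photos.ico
label=Holiday Photos
"""

LAUNCH_KEYS = {"open", "shellexecute"}  # run a program on insert/double-click
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
VERB_CAPTION = re.compile(r"^shell\\([^\\]+)$", re.IGNORECASE)


@dataclass
class AutorunReport:
    launch: List[str] = field(default_factory=list)              # open=/shellexecute= targets
    verb_commands: Dict[str, str] = field(default_factory=dict)  # verb -> command line
    verb_captions: Dict[str, str] = field(default_factory=dict)  # verb -> menu text shown
    hidden: Optional[bool] = None                                # file attribute (Windows)

    @property
    def suspicious(self) -> bool:
        # Anything that makes the shell execute a program from the drive.
        return bool(self.launch or self.verb_commands)

    def findings(self) -> List[str]:
        out = [f"launch entry runs {target!r}" for target in self.launch]
        for verb, cmd in self.verb_commands.items():
            caption = self.verb_captions.get(verb, "<no caption>")
            out.append(f"menu verb {verb!r} (shown as {caption!r}) runs {cmd!r}")
        if self.hidden:
            out.append("autorun.inf carries the hidden attribute")
        return out


def parse_autorun(text: str) -> AutorunReport:
    """Parse the [autorun] section; keys are case-insensitive, like the shell treats them."""
    rep = AutorunReport()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() in LAUNCH_KEYS:
            rep.launch.append(value)
            continue
        m = VERB_COMMAND.match(key)
        if m:
            rep.verb_commands[m.group(1).lower()] = value
            continue
        m = VERB_CAPTION.match(key)
        if m:
            rep.verb_captions[m.group(1).lower()] = value
    return rep


def check_drive(root: str) -> Optional[AutorunReport]:
    """Read <root>/autorun.inf if present and report what it would execute."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return None
    rep = parse_autorun(path.read_text(errors="replace"))
    attrs = getattr(path.stat(), "st_file_attributes", None)  # only set on Windows
    if attrs is not None:
        rep.hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))
    return rep


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        report = parse_autorun(text)
        print(name, "suspicious" if report.suspicious else "clean", report.findings())
```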

Friday, October 12, 2007

5 steps for E-mail Security Assurance. CONCLUSION

Email security is an ongoing endeavor. Because spam, viruses and fraud are a profitable business, the resources and tactics employed by those who generate this scourge are ever changing. As a result, your email security vendor needs to be committed to innovation. IronPort Systems leads the industry in technical innovation—with the largest research and development team in the industry and the world’s most demanding networks as customers. IronPort has a full range of products that use its advanced email security engines, packaged in affordable and easy to use 1U appliances. These appliances allow administrators to “plug it in and make spam and viruses go away”. Regardless of whether or not you select an IronPort appliance, there are five essential steps to safer email:

1. Use a leading edge spam filtering system that combines reputation and content analysis.

A leading edge spam filter should be accurate enough to avoid the need for an end user quarantine or end user white-list and blacklist controls. These end user facing features just create work for end users and tickets for the IT team.

2. Traditional signature based anti-virus systems are not sufficient.

These systems are widely deployed and yet the world is still plagued by email viruses. The IT team should look for a solution that includes an outbreak control mechanism—it can pay for itself in one outbreak. IronPort Virus Outbreak Filters leads the industry in response time.

3. Scan outbound email.

Healthcare and Financial Services companies have very specific email filtering requirements. All other industries have light requirements, but some safeguards need to be employed to stop good people from doing bad or dumb things.

4. Protect your identity and reputation.

Conversational bounces expose the directory. Delayed bounces lead to blacklisting or DDoS attacks. IronPort has a unique “secure bounce” solution that mitigates this problem. Segment outbound mail. Put commercial mail on one outbound IP, employee mail on another, delayed bounces on a third. This practice will protect your reputation on the Internet.

5. Look to the future and stay ahead of the game. Set up a Sender ID record for outbound mail, and look for a solution that supports outbound DomainKeys (DK) signing. Lack of authentication will look increasingly suspicious in the coming 12 months and will lead to disruptions in outbound mail delivery. Look for a vendor that has the R&D resources to stay ahead of email threats. Spam, viruses and fraud email is “good” business and is fueling innovation. Look for a vendor that can out-innovate the “bad guys” and keep your email system running trouble-free.


5 steps for E-mail Security Assurance. Step 5: FIXING MAIL

Spam, viruses and fraudulent email have put massive stress on email infrastructure. The root cause of this scourge lies in the email protocol itself, SMTP. SMTP was developed in the late 1980’s, when the Internet was primarily a tool used by technical people, such as university professors, to collaborate and share information over unreliable data links. To facilitate this, SMTP has provisions that allow an email message to be forwarded from one machine to another, hopping its way to a final destination. At the time this was a trusted network; there was never reason to believe that a message wasn’t actually being sent from the person it purported to be from. As a result, the protocol has no capability to validate a sender. So when a message arrives at a company’s mail server claiming to be from george.bush@whitehouse.gov, there is no way for that receiving mail server to know whether it really is from whitehouse.gov. This core weakness is what allows spam to come from a seemingly legitimate sender, viruses to appear to come from someone an end user knows, and fraudulent email to appear to come from a trusted bank or trading site.

Plugging this hole in SMTP will go a long way towards attacking spam and viruses at their core. But it turns out that adding authentication to the email protocol is a relatively complex undertaking, mostly because there are more than 20 million email servers active on the Internet. The approach the Internet community has been taking is to create an overlay protocol that sits on top of SMTP. The two leading proposals are called “Sender ID” and “DomainKeys”. These two proposals are very different and largely complementary, but both fundamentally change the way email works. Sender ID uses a “path-based” approach, where the sender publishes a list of all IP addresses that are allowed to send mail on its behalf. This approach has the advantage of being lightweight and easy to implement. At a bare minimum, a corporation should publish the IP addresses of its outbound mail servers as Sender ID records. If the corporation uses an email service bureau, the IP addresses of that entity should be included as well. Receiving mail servers scan incoming messages and go back to the purported sender to see whether the Sender ID record includes the IP address of the server that actually delivered the message. So, for example, if whitehouse.gov published a Sender ID record of 1.2.3.4, a receiving mail server that just got a message from george.bush@whitehouse.gov can verify that the server that delivered the message was actually 1.2.3.4. The big challenge with Sender ID is known as “the forwarding problem”. Many people maintain permanent email addresses at their universities or other institutions. So if George Bush sent an email to joe@university.edu, but that message got forwarded to joe@acme.com, acme.com would see a message from george.bush@whitehouse.gov that was not delivered by IP address 1.2.3.4—the server identified in whitehouse.gov’s Sender ID record.
The forwarding problem prevents the receiving mail server from taking definitive action when incoming mail does not match a Sender ID record. However, as Sender ID gains acceptance, an intelligent receiving mail server will view a positive Sender ID authentication as a very good sign and weight the message towards “not spam”. A Sender ID failure does not by itself mean a message is spam, but it will be a mark against the message as the receiving mail server looks at a variety of factors and scores the message as either spam or not.
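The path-based check and the forwarding problem described above, as an added example (not IronPort’s code or any real Sender ID/SPF implementation): the published records are an in-memory stand-in for DNS, the whitehouse.gov and university.edu entries mirror the text’s scenario, and the scoring weights and threshold are assumptions chosen to show a failure counting as one mark against a message rather than a verdict.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for published Sender ID records (no DNS is queried):
# domain -> IP addresses or CIDR blocks permitted to send on its behalf.
PUBLISHED_RECORDS: Dict[str, List[str]] = {
    "whitehouse.gov": ["1.2.3.4"],      # the record from the text above
    "university.edu": ["5.6.7.0/24"],   # the institution that forwards joe's mail
}


def sender_id_check(purported_from: str, delivering_ip: str,
                    records: Dict[str, List[str]] = PUBLISHED_RECORDS) -> str:
    """Path-based check: is the delivering IP listed for the purported sender's domain?
    Returns "pass", "fail", or "none" when the domain publishes no record."""
    domain = purported_from.rsplit("@", 1)[-1].lower()
    entries = records.get(domain)
    if entries is None:
        return "none"
    ip = ipaddress.ip_address(delivering_ip)
    for entry in entries:
        if ip in ipaddress.ip_network(entry, strict=False):
            return "pass"
    return "fail"


# Assumed weights, mirroring the text: a pass pulls strongly toward "not spam";
# a fail is a mark against the message but not conclusive, because a
# legitimately forwarded message fails the path check too.
SENDER_ID_WEIGHT = {"pass": -2.0, "fail": 1.0, "none": 0.0}
SPAM_THRESHOLD = 5.0  # assumed: total score at or above this is classified spam


def score_message(purported_from: str, delivering_ip: str, content_score: float) -> dict:
    """Combine the content-analysis score with the Sender ID factor."""
    result = sender_id_check(purported_from, delivering_ip)
    total = content_score + SENDER_ID_WEIGHT[result]
    return {"sender_id": result, "score": total,
            "verdict": "spam" if total >= SPAM_THRESHOLD else "not spam"}


if __name__ == "__main__":
    # Direct delivery from the listed server: pass.
    print(score_message("george.bush@whitehouse.gov", "1.2.3.4", 4.5))
    # Same sender relayed by joe's university forwarder: path check fails,
    # but a clean content score keeps the message out of the spam bucket.
    print(score_message("george.bush@whitehouse.gov", "5.6.7.8", 1.0))
    # Forged sender with spammy content: the fail tips an already high score.
    print(score_message("george.bush@whitehouse.gov", "203.0.113.9", 4.5))
```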

The other emerging standard is known as DomainKeys, or DK for short. DK uses a cryptographic stamp embedded in the message header. Invisible to the end user, this stamp allows the receiving mail server to definitively authenticate a message. The stamp is applied by the sending mail server, which uses a “private key” to make the stamp. When a receiving mail server sees the stamp, it goes back to the purported sender and gets the public key. If the stamp decrypts properly, the message is known to be legitimate. If the stamp doesn’t decrypt properly, the message is known to be fraudulent.

DK solves the forwarding problem because the message can be forwarded many times and the stamp travels along with it. The main challenge to DK is that it requires a fairly significant change to both the sending and receiving mail servers. IronPort appliances make it simple to start applying DK stamps to outgoing mail. Major ISPs such as Yahoo! are now looking for DK stamps. When they see a DK stamp that authenticates properly, they expose an icon to the end user stating “this sender is trusted”. A user can see the DK stamp system in action if they have a Yahoo! mail account and get messages from Amazon.com. Amazon is using IronPort appliances to do DK stamping, and Yahoo! decrypts these messages and displays the trust icon.

The important thing for companies to realize is that spam, viruses, and fraud are forcing the Internet community to change the way email works. These new authentication technologies will take years to implement globally.

However, as consumers and mail users begin to become aware of the trusted aspects of authenticated mail, the absence of authentication will become more and more suspicious. Consider this analogy: Email authentication is like having a driver’s license. An individual does not have to have a license to get on an airplane. But the lack of a license and the unwillingness to authenticate makes an individual suspicious, and they may be subject to searches, delays and disruptions. Similarly, as the adoption of email authentication grows, the unwillingness of a corporate mail server to authenticate will make it increasingly suspicious and subject the sender to delays and disruptions in their mail flow. IronPort Systems has made it easy for busy IT staffs to implement authenticated email, and make sure their email infrastructure will keep working—today and tomorrow.

5 steps for E-mail Security Assurance. Step 4: PROTECTING YOUR IDENTITY

There are two major email pitfalls that every IT manager needs to be aware of—bounce handling and outbound commercial mail.

Bounce handling refers to how a mail gateway responds to incoming mail that has an invalid address. There are two modes of response: conversational bounces and delayed bounces. A conversational bounce occurs during the SMTP conversation. This means that before the receiving mail server has acknowledged receipt, it checks a directory (such as Microsoft Active Directory) to make sure the address is valid. If the address is valid, the receiving mail server responds with “OK, I have it”; if the address is not valid, it says “Sorry, I can’t accept it”. The advantage of this approach is that the bounce is delivered directly to the sending mail server over the same connection, or “conversation”, in which the message arrived, so the bounce message cannot be redirected or spoofed.

The disadvantage is that it effectively exposes the corporate directory to anyone. Spammers will routinely launch “dictionary attacks” where they guess at likely email addresses to see what gets through (e.g. bob@acme.com, charly@acme.com, etc.). Since a valid/invalid message is delivered in the conversation, in a matter of minutes a spammer can have a full list of valid email addresses at a corporation, which in turn can be sold on the internet for $50 or so, resulting in huge volumes of spam.

To protect their directories, most companies have chosen to issue delayed bounces. With a delayed bounce, the receiving mail server accepts all incoming mail. Then it checks for valid addresses. If the address is invalid, it will generate a separate email message back to the sender with a notification of why the message couldn’t be delivered.

This separate email coming back is much harder for a spammer to use to automatically harvest a corporate directory, thus delayed bounces protect the corporate directory.

Since spammers send mail at large volumes, they don’t want millions of delayed bounces coming back to them. So they will typically forge the return address of their spam. This is the root of the “misdirected bounce” problem.

One common spammer tactic is to use the address of a known spam trap as the return address. Thus when the legitimate corporate mail server proceeds to respond to a spam with a delayed bounce message, that bounce message is sent to a spam trap operated by a blacklist—and the corporation finds itself blacklisted for being a spammer. This is a very common problem, and a huge source of frustration for the IT department. It can be very difficult to get “un-blacklisted” since many blacklists are run by volunteers and don’t provide customer service. The other danger with misdirected bounces is they can be used to create distributed denial of service attacks. If a spammer sends out one million messages with a return address of postmaster@acme.com, acme.com is likely to get 750,000 delayed bounce messages from 750,000 different mail servers on the Internet. These misdirected bounce attacks have caused multi-day mail outages at major banks and ISPs, but also at small and medium businesses that did nothing to instigate it.

IronPort appliances have a unique solution to this problem. IronPort has a “secure bounce” mode where it will issue a conversational bounce to a trusted sender, but not issue a bounce at all to a suspicious sender. It keeps track of the number of invalid address attempts from a given sender. When the sender exceeds the threshold, the IronPort appliance knows it is a directory harvest attack and continues to accept messages, but does not issue a response at all—fooling the attacker and protecting the directory. The number of invalid attempts allowed is tied to the reputation of the sender. A reputable sender like a Fortune 500 company is allowed many invalid address attempts; an unknown or disreputable sender is allowed only a few invalid address attempts. This advanced technology operates totally autonomously to make the headache of bounce handling just “go away”, without exposing the corporate directory.
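The bounce-handling trade-off above, as an added example (not IronPort's code): a recipient policy that answers RCPT TO with a conversational bounce while a sender is within its reputation-based budget of invalid attempts, then switches to accepting and silently discarding so a dictionary attack can no longer tell valid addresses from invalid ones. The reputation tiers, budgets, directory and sender IPs are constructed assumptions.

```python
from collections import defaultdict
from enum import Enum


class Reputation(Enum):
    TRUSTED = "trusted"        # e.g. a known business partner with a long history
    UNKNOWN = "unknown"        # no sending history yet
    SUSPICIOUS = "suspicious"  # poor sending history


# Invalid RCPT TO attempts tolerated per sender before bounces are suppressed.
# Constructed budgets; the point is that they scale with reputation.
INVALID_BUDGET = {
    Reputation.TRUSTED: 50,
    Reputation.UNKNOWN: 5,
    Reputation.SUSPICIOUS: 1,
}


class RecipientPolicy:
    """Answers RCPT TO for inbound SMTP connections, secure-bounce style."""

    def __init__(self, directory, reputation_of):
        self.directory = {a.lower() for a in directory}  # valid local addresses
        self.reputation_of = dict(reputation_of)         # sender_ip -> Reputation
        self.invalid_counts = defaultdict(int)           # sender_ip -> bad attempts

    def rcpt_to(self, sender_ip, recipient):
        """Return (smtp_code, action) for one RCPT TO command.

        'deliver'      valid address, accept normally
        'reject'       conversational bounce: 550 inside the SMTP conversation
        'accept-drop'  answer 250 and discard silently, so the sender learns
                       nothing and no delayed bounce is generated either
        """
        if recipient.lower() in self.directory:
            return 250, "deliver"
        rep = self.reputation_of.get(sender_ip, Reputation.UNKNOWN)
        self.invalid_counts[sender_ip] += 1
        if self.invalid_counts[sender_ip] <= INVALID_BUDGET[rep]:
            return 550, "reject"
        # Budget exhausted: treat this as a directory harvest attack and keep
        # answering 250 so valid and invalid addresses look identical.
        return 250, "accept-drop"

    def is_harvesting(self, sender_ip):
        rep = self.reputation_of.get(sender_ip, Reputation.UNKNOWN)
        return self.invalid_counts[sender_ip] > INVALID_BUDGET[rep]


def run_session(policy, sender_ip, guesses):
    """Replay a list of guessed recipients; return the SMTP codes seen."""
    return [policy.rcpt_to(sender_ip, g)[0] for g in guesses]


def harvest_precision(policy, sender_ip, guesses):
    """Fraction of addresses the sender saw accepted that are actually real.

    A harvester treats every 250 as a valid address. Once bounces are
    suppressed that assumption breaks and the harvested list fills with junk.
    """
    codes = run_session(policy, sender_ip, guesses)
    accepted = [g for g, c in zip(guesses, codes) if c == 250]
    if not accepted:
        return 0.0
    real = [g for g in accepted if g.lower() in policy.directory]
    return len(real) / len(accepted)


if __name__ == "__main__":
    # Constructed directory, sender reputations and guessed addresses.
    directory = ["bob@acme.example", "alice@acme.example"]
    reps = {"203.0.113.5": Reputation.TRUSTED,
            "198.51.100.9": Reputation.SUSPICIOUS}
    guesses = ["aaron@acme.example", "alice@acme.example", "bill@acme.example",
               "bob@acme.example", "carl@acme.example"]
    for ip in reps:
        policy = RecipientPolicy(directory, reps)
        print(ip, run_session(policy, ip, guesses),
              "harvesting" if policy.is_harvesting(ip) else "within budget")
```

A legitimate partner that mistypes an address still gets an immediate 550, while the suspicious sender sees 250 for everything after its first miss.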

The other email pitfall facing most IT teams is the handling of commercial email. Most companies have some type of commercial email—newsletters, transaction confirmations, investor updates, etc. These emails are typically produced by a database and sent out automatically. When machines generate and send mail, mistakes can sometimes happen. A new operator might hit the send button 10 times, thinking it wasn’t working. Or the marketing department might get a great new list of names they downloaded for $50 (see previous section on directory attacks). Either way, the receiving mail servers might view this incoming mail as spam—and begin dropping all mail from the corporate sender.

An excellent practice is to separate machine generated commercial mail from employee mail. With traditional equipment, this requires installing and maintaining two mail gateways, an unacceptable cost for many companies.

But the IronPort appliances have a unique capability called Ironport Virtual Gateways™ which can segment different classes of mail and put them on different outbound IP addresses. So employee generated mail goes on one IP address, machine generated mail on another, and delayed bounces (if used) can be put on a third IP address. Think of this as powerful segmentation that will limit damage to only one IP address and not allow an accident to impact the reliable delivery of vital employee generated mail.

5 steps for E-mail Security Assurance. Step 3: OUTBOUND SCANNING

There are two factors at work that are driving interest in outbound scanning —regulatory compliance and protection of intellectual property. Regulatory compliance can be put into three basic buckets—the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB) and the Sarbanes-Oxley Act (SOX).

HIPAA requires that any entity dealing with personal healthcare information (PHI) put very specific safeguards in place to ensure this information is protected. The language around “safeguards” is open to interpretation, but in plain English it means any company that is transmitting patient health information such as doctor’s appointments, medical charts, etc., must put in place encryption and access controls to make sure this information isn’t accidentally or intentionally exposed to unauthorized eyes. The intent of this act is to ensure that if an employee has a serious illness and leaves a job, they won’t be denied health coverage at their new employer.

For any company in the health care or insurance industry, this is a very significant regulation that requires a deep understanding of the act itself and a thorough review of enterprise wide workflow to ensure safeguards are in place, back to front. But, for small or medium sized businesses that are not specifically in the healthcare industry, there are still potential risks—especially since the HR team at a smaller enterprise may not have experience with the specifics of HIPAA. It’s not inconceivable that an HR generalist may email a patient’s history to an insurance provider—a clear HIPAA violation.

The IronPort appliances have built-in logic to provide basic safeguards against HIPAA violations. There is a pre-populated dictionary that looks for data that would appear on a patient healthcare record, such as treatment codes, medical names, and codes of drugs. These are very specific data types, so it is relatively easy for the system to identify healthcare information entering or leaving the firewall—and to flag it for encryption or review.

Having this type of protection in place is excellent practice to ensure someone doesn’t unknowingly violate HIPAA requirements and expose the enterprise to legal liability.

There are similar requirements for GLB. GLB applies to financial institutions (banks, mortgage companies, credit unions, etc.). It has specific guidelines for safeguarding personal financial information. The IronPort appliance has a set of pre-populated filter terms to look for GLB triggers—things like social security numbers or credit card numbers. It is unlikely that a small or medium sized enterprise outside of the financial industry would need GLB filters, but this is a must have item for any enterprise dealing with financial services.

The third act is much broader—Sarbanes-Oxley. Sarbanes-Oxley is intended to protect the market from inaccurate financial reporting in the wake of the Enron scandal. The majority of these regulations apply to internal finance and accounting procedures. However, there are some steps that can be taken with outbound email. Email coming to and from certain groups, such as legal or finance, should all be archived. This can be done with a few simple mouse clicks in IronPort Email Security Manager™. Beyond this, filters that look for financial indicators, such as social security numbers, can be employed.

However, this is a coarse protection layer (and likely to snag legitimate mail) so it is not recommended outside of the financial regulations driven by GLB.

Many small and medium sized businesses are looking for the lowest cost and easiest way to comply with regulations. IronPort email security appliances offer capabilities that meet this need. For more sophisticated compliance capability, IronPort has partnered with industry specialists such as PostX and PGP Corporation. Together with PostX and PGP, IronPort can yield a fully integrated solution which can identify mail that needs special handling, and automatically take the appropriate measures such as archiving or encrypting the messages. These more sophisticated solutions tend to apply to the specific requirements called out in the healthcare and financial services industries.

Beyond compliance, there is growing interest in protecting the intellectual property of the enterprise. There have been many high profile cases of accidentally releasing sensitive information, such as press releases or earnings announcements. There is an important element of common sense that needs to be applied here. If an employee is intent on stealing and distributing information, it is very difficult to stop them. Information can leave the enterprise on a USB drive or even on the back of a napkin. However, in many of the most publicized cases, the information leak was done accidentally. This is a problem that can be greatly reduced with some simple safeguards. The IronPort appliance has the ability to implement basic rules which look for sensitive information that should not be destined for the outside world.

These rules can be tied to information about the employee sending the mail (e.g. are they from the engineering department?) and to the destination of the mail (e.g. is it destined to a competitor?). Having simple rules that look for mail coming from engineering going to a competitor, or a rule that looks for mail coming from the marketing team that contains the words “press release draft” can be very useful in detecting accidental dissemination of information. Think of it as a goalie for your private information.

These rules are easy to implement using IronPort Email Security Manager. Email Security Manager provides a graphical representation of the various rules being implemented for various groups, making it easy and quick to implement policies that ensure good housekeeping and prevent good people from doing bad things.
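Both kinds of outbound rule described in this step, the regulatory dictionaries (PHI terms for HIPAA, social security and card numbers for GLB) and the sender-group/destination rules for intellectual property, as one added example that is not IronPort's code. The term lists, group mapping and competitor domain are constructed; the Luhn check on candidate card numbers is there to keep the coarse number filter from snagging ordinary digit runs.

```python
import re

HIPAA_TERMS = ("patient chart", "diagnosis code", "prescription for")  # constructed
COMPETITOR_DOMAINS = {"rival.example"}                                  # constructed
GROUP_OF = {                                                            # constructed
    "eng-lead@acme.example": "engineering",
    "pr@acme.example": "marketing",
    "cfo@acme.example": "finance",
}
# SSN pattern that rejects area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 16 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; discards most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text (digits only)."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(msg: dict) -> tuple:
    """Decide what to do with one outbound message.

    msg has keys sender, recipients (list), subject and body. Returns
    (action, reasons); actions in order of severity are quarantine
    (hold for review), encrypt, archive and deliver.
    """
    text = f"{msg['subject']}\n{msg['body']}"
    lower = text.lower()
    group = GROUP_OF.get(msg["sender"].lower())
    rcpt_domains = {r.rsplit("@", 1)[1].lower() for r in msg["recipients"]}
    reasons = []

    # Intellectual-property rules: who is sending, and to whom.
    if group == "engineering" and rcpt_domains & COMPETITOR_DOMAINS:
        reasons.append("engineering mail to a competitor domain")
    if group == "marketing" and "press release draft" in lower:
        reasons.append("marketing mail containing 'press release draft'")
    if reasons:
        return "quarantine", reasons

    # Regulatory dictionaries: flag for encryption rather than block.
    if any(t in lower for t in HIPAA_TERMS):
        reasons.append("HIPAA dictionary term")
    if SSN_RE.search(text):
        reasons.append("social security number")
    if card_numbers(text):
        reasons.append("Luhn-valid credit card number")
    if reasons:
        return "encrypt", reasons

    # SOX housekeeping: keep a copy of everything finance or legal sends.
    if group in ("finance", "legal"):
        return "archive", ["finance/legal sender"]
    return "deliver", []
```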

5 steps for E-mail Security Assurance. Step 2: STOPPING VIRUSES

It may not be common knowledge, but spam and viruses are originated by the same people. 90 percent of the viruses in the past year have been designed to leave behind a small SMTP engine that is used to hijack an unsuspecting consumer PC and send out spam. So it’s ironic that the biggest sources of spam on the Internet might be the PC your mom or dad has connected to a cable modem, spewing out spam unbeknownst to them.

These “zombie” PCs have proven to be very effective tools to help spammers fool less sophisticated spam filters. So in order to keep their army of zombie PCs alive and growing, spammers need to create new viruses to infect unsuspecting PCs.

The traditional defense against viruses relies on a “signature” or a series of bits that identify malicious attachments. While signatures remain a critical component of any virus defense system, they have an inherent weakness. No matter how good the anti-virus signature vendor, it takes a finite amount of time—usually about 13 hours—to detect, isolate, characterize, and create a signature for a new virus outbreak. So the bad guys simply design new virus variants every few weeks and get them to spread rapidly in the window when signatures are being developed. This is why, despite the widespread use of signatures, email-borne viruses continue to be a major problem for IT teams.

To contain the rise in rapid outbreaks, a two layer filtering system is needed, similar in nature to the two layer spam filtering systems found in leading edge solutions. The inner layer is a signature based anti-virus filter. The outer layer is a preventive anti-virus solution. With IronPort’s solution, the outer layer of virus defense is known as IronPort Virus Outbreak Filters™. The concept is to identify a new outbreak based on a traffic anomaly and then quarantine or “pause” suspicious mail until the traditional anti-virus signatures have been developed.

IronPort has a unique asset that is used to battle these outbreaks—the SenderBase Network. Because SenderBase measures such a large population of email—more than 25% of the world’s email traffic—IronPort can detect the propagation of a new virus the instant it begins. These rapid outbreaks are designed to spread around the world in a matter of hours, in an attempt to beat the signatures. There is no form of human communication that mirrors this type of massive propagation.

IronPort has created a Threat Operations Center (TOC) to monitor SenderBase and look for anomalies in global email traffic that indicate a new outbreak.

For example, a good outbreak indicator might be a sudden increase in password protected zip files, corresponding with an increase in mail coming from IP addresses that have never sent mail before, because these are really infected PCs spreading the virus. The TOC is staffed with technicians and statisticians who create algorithms to automatically detect these anomalies, and also provide manual oversight of the automated system to ensure it isn’t being manipulated by the engineers that created and propagated the virus.

Having IronPort’s highly trained analysts in the loop means that the IT team at every corporation doesn’t need to be reviewing and reacting to every new outbreak—IronPort takes care of that effort.

When the TOC team issues a new outbreak alert, it automatically pushes a rule out to the IronPort appliances. The appliances have a unique dynamic quarantine that scans and re-scans mail as more fine-grained information becomes available. For example, the moment an outbreak occurs, the TOC may issue a very coarse rule such as “quarantine all .zip files”. This rule is automatically sent to the IronPort appliances in the field and, at any time of the day or night, initial virus defenses are activated—.zip files are put in a special quarantine on the appliance. Within five minutes the TOC technicians may determine that the outbreak is associated with .zip files that are sized between 50 and 55 KB. A new rule is created and pushed out to the appliances. The dynamic quarantine then re-scans all quarantined messages, releasing anything that isn’t a .zip between 50 and 55 KB. As the outbreak rages around the world, the TOC team may create another (more fine-grained) rule—the outbreak is a .zip between 50 and 55 KB that contains the word price in the file name. This rule is pushed out and the dynamic quarantine re-scans, narrowing in on the outbreak. The concept is illustrated in Figure 1.

Figure 1 : Dynamic Quarantine in Action


The TOC team also coordinates with IronPort’s anti-virus signature partner, Sophos. Both teams share information on the outbreak and coordinate the release of the updated signature. When the signature is known to have been updated on the remote IronPort appliance, the TOC will issue a rule that says “scan quarantine with Sophos” and the Sophos engine will scrub all messages in the quarantine, deleting or stripping all messages that match the signatures.
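The dynamic quarantine walk-through above (coarse .zip rule, size rule, file-name rule, then the signature scan), as an added example that is not IronPort's code. The messages, the rule format and the infected-message predicate standing in for the Sophos verdict are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    msg_id: str
    attachment: str   # attachment file name, '' if none
    size_kb: int


@dataclass
class Rule:
    """An outbreak rule; every field that is set must match."""
    name: str
    ext: Optional[str] = None            # e.g. 'zip'
    min_kb: Optional[int] = None
    max_kb: Optional[int] = None
    name_contains: Optional[str] = None  # substring of the file name

    def matches(self, m: Message) -> bool:
        fname = m.attachment.lower()
        if not fname:
            return False
        if self.ext and not fname.endswith("." + self.ext.lower()):
            return False
        if self.min_kb is not None and m.size_kb < self.min_kb:
            return False
        if self.max_kb is not None and m.size_kb > self.max_kb:
            return False
        if self.name_contains and self.name_contains.lower() not in fname:
            return False
        return True


class DynamicQuarantine:
    def __init__(self):
        self.rule: Optional[Rule] = None
        self.held = {}        # msg_id -> Message still quarantined
        self.delivered = []   # msg_ids passed through or released
        self.deleted = []     # msg_ids removed by the signature scan

    def inspect(self, m: Message) -> str:
        """New inbound message: hold it if the current rule matches."""
        if self.rule and self.rule.matches(m):
            self.held[m.msg_id] = m
            return "quarantined"
        self.delivered.append(m.msg_id)
        return "delivered"

    def apply_rule(self, rule: Rule) -> list:
        """Install a (usually narrower) rule and re-scan everything held.

        Returns the ids released because the new rule no longer matches them.
        """
        self.rule = rule
        released = [i for i, m in self.held.items() if not rule.matches(m)]
        for i in released:
            del self.held[i]
            self.delivered.append(i)
        return released

    def scan_with_signature(self, is_infected) -> tuple:
        """Final step once the AV signature exists: purge or release."""
        infected = [i for i, m in self.held.items() if is_infected(m)]
        clean = [i for i in self.held if i not in infected]
        self.deleted.extend(infected)
        self.delivered.extend(clean)
        self.held.clear()
        return infected, clean


def run_outbreak_timeline() -> dict:
    """Replay the .zip example; returns what is held after each step."""
    q = DynamicQuarantine()
    q.apply_rule(Rule("all zips", ext="zip"))
    inbound = [Message("m1", "report.zip", 120), Message("m2", "price_list.zip", 52),
               Message("m3", "invoice.zip", 53), Message("m4", "notes.pdf", 40),
               Message("m5", "price_sheet.zip", 51)]
    for m in inbound:
        q.inspect(m)
    steps = {"coarse": sorted(q.held)}
    q.apply_rule(Rule("zip 50-55KB", ext="zip", min_kb=50, max_kb=55))
    steps["size"] = sorted(q.held)
    q.apply_rule(Rule("zip 50-55KB named price", ext="zip", min_kb=50,
                      max_kb=55, name_contains="price"))
    steps["name"] = sorted(q.held)
    # Constructed signature verdict: only m2 carries the outbreak payload.
    steps["signature"] = q.scan_with_signature(lambda m: m.msg_id == "m2")
    return steps
```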

Table A: IronPort’s Virus Outbreak Filters Lead the Industry

*June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

This two layer filtering system with a preventive outer layer and a content-based reactive inner layer represents comprehensive virus protection. IronPort Virus Outbreak Filters have been in production for more than a year and have stopped over 150 outbreaks an average of 13 hours ahead of signature availability, providing state of the art protection for corporate networks and admin free defense for the IT team. An outline of IronPort’s response to recent outbreaks is provided in Table A.

No system can provide perfect security against spam or viruses (although some vendors make claims and guarantees to this effect). IronPort Virus Outbreak Filter technology, combined with Sophos anti-virus signatures, yields the most effective virus defense system on the market—in production at more than 20 percent of the world’s largest enterprises. The same engine that protects companies like Cisco, Juniper, Network Appliance, Dell and Intel is powering the IronPort C10 email security appliance designed for small and medium sized businesses. Plug it in, and spam and viruses just go away.

5 steps for E-mail Security Assurance. Step 1: STOPPING SPAM

The first generation of email security solutions used a simple approach to stopping spam—keyword analysis. These early filters would look for words typically found in spam (words like “free”, “Viagra”, or other more spicy language). The filters would typically use a scoring algorithm—if the word “free” occurs next to “Viagra” then it’s probably spam. The problem with this approach was twofold. The first issue is that it would frequently trap legitimate messages—Viagra is actually a product used in business, and the word free is almost unavoidable in the business lexicon. The other drawback to keyword filtering is that it is relatively easy for spammers to defeat by using a zero instead of the letter o (I L0ve Y0u) or adding blocks of text that would fool the filters.

Nearly all modern spam systems have moved to a two-layer defense. The outer layer is known as a reputation filter. A reputation filter asks the simple question, “who is sending this email?” before accepting it. By examining the reputation or sending history of a given sender, the vast majority of spam can be eliminated before it even enters the network.

At the heart of any reputation system is a database that identifies “good guys” from “bad guys”. As might be expected, the quality and accuracy of a reputation filter is directly tied to the quality and accuracy of the underlying database. IronPort Systems invented the concept of reputation filtering in 2003. The underlying database behind IronPort’s solution is SenderBase®—the world’s first, largest, and most accurate reputation database. SenderBase collects data from more than 100,000 networks that make up over 30 percent of the entire world’s email traffic. This massive data footprint means that SenderBase can detect the sending patterns of literally every mail server on the Internet, in real time.

IronPort is the only company in the industry that shares this valuable data with entities outside of its customer base. IronPort has made SenderBase available to select ISPs and open source programs. IronPort also makes SenderBase data available via a web portal at www.senderbase.org. This open policy has led to widespread adoption of SenderBase as the default reputation service—and the more entities that use the SenderBase data, the better the quality of data. Note that SenderBase is not licensed to other commercial solutions—it is embedded into the IronPort appliances.

SenderBase measures objective parameters about a given mail server. In total, more than 150 different parameters are measured, such as how much mail does an IP send, do they accept mail in return, how long have they been sending mail from a given IP address, and what is their country of origin. This data is then rolled up into a score, using a statistical algorithm. The score is made available to all IronPort appliances. The appliances then use the score to determine how much, if any, mail to accept from a given sender. Coupling the reputation score with the ability to rate limit a given sender is another IronPort innovation. The system has the capacity to “push back” and slow down senders that appear suspicious, but not necessarily block them outright. This capability allows the IronPort appliance to deal with questionable senders—senders that appear to be spamming, but not conclusively. By rate limiting these senders the most hostile mail can be kept out of the system, without introducing the false positive problems associated with first generation systems.

The process of reputation filtering is very similar to consumer credit systems. Every sender has a reputation, and the email transactions of that sender are tracked, just like the transaction history of any individual is tracked by a credit bureau. These transactions are rolled into a score, and the score is made available to merchants in the credit example, and to receiving mail servers in the email example. The merchant then makes a determination on how much credit (if any) to extend, just like the receiving IronPort appliance makes a determination of how much (if any) mail to accept. This simple but powerful concept is very effective—blocking as much as 80 percent of incoming spam at the connection level, before it even enters the network. Network level blocking has the added benefit of saving bandwidth and system resources.

IronPort Reputation Filters™ take known good, trusted senders and will route them directly to the anti-virus scanners. Known bad senders are (typically) blocked. Senders in the middle are rate limited and sent to a second stage of filtering, known as context analysis. IronPort has developed a Context Adaptive Scanning Engine (CASE). CASE technology does a second examination of messages, asking 4 basic questions—who sent it, what does it contain, where does it direct the user, and how was it constructed. It’s almost a rule set of common sense: examine who, what, where and how of a message. For example, if the CASE is analyzing a message that contains multiple references to “Viagra” (the what?), this message is considered suspicious. But if the message in question is coming from a known pharmaceutical company (who?) and doesn’t contain any links to an external online pharmacy (where?), then the CASE will determine the message is valid. If this message had been examined without the benefit of a full context analysis it would likely have been marked as spam.
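The two-stage design described in this step (reputation score with rate limiting at the connection, then a who/what/where/how context check for the senders in the middle), as an added example that is neither IronPort's code nor SenderBase's real algorithm, which the paper does not describe. The parameter weights, score thresholds, hourly limits and the pharma, pharmacy and suspect-term lists are constructed assumptions; the "how" check is a simple digit-for-letter obfuscation test.

```python
import re
from collections import defaultdict

KNOWN_PHARMA = {"pharma.example"}              # constructed 'who' list
PHARMACY_DOMAINS = {"cheap-pills.example"}     # constructed 'where' list
SUSPECT_TERMS = ("viagra", "free")             # constructed 'what' list
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Tokens mixing letters and digits such as 'v1agra' (also hits 'win32',
# which is why this is only one point among several).
OBFUSCATED_RE = re.compile(r"\b(?=[a-z]*\d)(?=\d*[a-z])[a-z\d]{4,}\b", re.I)


def reputation_score(p: dict) -> float:
    """Roll constructed sender parameters into a score in [-10, +10]."""
    s = 4.0 * min(p["days_sending"], 365) / 365          # sending longevity
    s += 3.0 if p["accepts_mail_in_return"] else -3.0    # a real mail server?
    s -= 0.7 * min(p["spam_trap_hits"], 10)              # hits on spam traps
    s -= 100.0 * min(p["complaint_rate"], 0.05)          # user complaints
    return max(-10.0, min(10.0, s))


def connection_policy(score: float) -> tuple:
    """Map a score to (action, messages allowed per hour)."""
    if score >= 5:
        return "accept", None          # trusted: straight to virus scanning
    if score <= -5:
        return "block", 0              # known bad: refused at the connection
    return "throttle", int(50 * (score + 5))  # questionable: 0..500 per hour


class RateLimiter:
    """Fixed one-hour window per sender IP; None means unlimited."""
    def __init__(self):
        self.counts = defaultdict(int)

    def allow(self, ip: str, hour: int, limit) -> bool:
        if limit is None:
            return True
        key = (ip, hour)
        if self.counts[key] >= limit:
            return False
        self.counts[key] += 1
        return True


def context_score(sender: str, body: str) -> int:
    """CASE-style who/what/where/how check; higher is more spam-like."""
    text = body.lower()
    points = 0
    # what: repeated suspect terms in the content
    if sum(text.count(t) for t in SUSPECT_TERMS) >= 2:
        points += 2
    # where: links that send the reader to a known online pharmacy
    if any(d.lower() in PHARMACY_DOMAINS for d in URL_RE.findall(body)):
        points += 2
    # how: obfuscated words constructed to slip past keyword filters
    if OBFUSCATED_RE.search(body):
        points += 1
    # who: a known legitimate company in that industry offsets the content
    if sender.rsplit("@", 1)[1].lower() in KNOWN_PHARMA:
        points -= 3
    return points


def is_spam(sender: str, body: str, threshold: int = 3) -> bool:
    return context_score(sender, body) >= threshold
```

The pharmaceutical company's message with several "Viagra" mentions and no pharmacy link scores below the threshold, while the same words from an unknown sender with an obfuscated term and a pharmacy link do not.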

The combination of reputation filtering to sort out the obvious good from bad and then the more careful context filtering to evaluate a message in its full context makes for a “1-2 punch” against spam. This architecture has been deployed at more than 25 percent of the world’s largest enterprises and has proven to be very effective at stopping spam, without suffering from false positives. Many small and medium businesses have had experience with first generation spam filters that rely on simple keywords to identify spam. As discussed earlier, these filters have proven to be fairly inaccurate, letting spam in and occasionally blocking legitimate messages. To account for this, first generation solutions include complex end user controls that allow end users to white-list or blacklist certain senders. End users also need to check a quarantine to review spam messages and make sure none are legitimate. These tools are really a work-around for an inaccurate spam filter. While the IronPort solution supports much of this end user facing functionality, most IronPort users choose not to enable it. Therefore, all the end users know is that email works again—and their IT team is a genius.

5 steps for E-mail Security Assurance - Introduction

It almost goes without saying that email is the most critical application in use by organizations large and small. Email is used in virtually every organization by at least some, if not all, employees—and its use is growing at a rapid pace. Organizations increasingly use email as the primary method for communicating with employees, managers, customers and prospects. Four out of five organizations use email for critical activities like transmitting and accepting proposals, finalizing agreements and transmitting business-critical records of all sorts. Email has become the de facto file transport mechanism for almost all organizations and the best way for employees to communicate while at home, traveling, and at their desks.
The Growing Problem with Inbound Email.
The dominance of email for corporate communication has been driven in large part by its extremely low variable cost, its ease of use and the fact that the SMTP standard has made email interoperable worldwide. However, these factors have also made email one of the most vulnerable infrastructure elements currently running on corporate networks and the avenue through which an enormous number of threats have entered these networks. For example, email is the primary avenue by which viruses, worms and Trojan horses enter corporate networks, causing problems that range from irritating pop-ups to the complete destruction of corporate data. Email has become dominated by spam with the result that three out of every five email messages received by the typical email user is an unwanted message. More insidiously, email is also the vehicle used by criminals to fraudulently obtain sensitive personal information like credit card or bank account numbers through what are known as phishing attacks.
Problems Start Inside the Organization, As Well.
The problem for those charged with maintaining the integrity of their corporate email systems, as well as those who use those systems, does not stop there. In addition to viruses, spam and phishing attacks, organizations are increasingly vulnerable to information that is sent not only to their users, but also by them. Audits of email content sent from corporate networks reveal that email users often—and typically inadvertently—send messages that contain sensitive corporate data like passwords, credit card numbers, intellectual property, and financial information. Further, many employees will say things in email that can have a serious impact on corporate reputations, often with embarrassing results for their employers when this information is leaked to third parties or is brought out during a legal action. Further complicating the issue is the growing array of regulations, such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), that focus on the security and preservation of email content.
Email is Relied on More and Trusted Less.
Serious problems are being caused by this growing array of email threats. For example, while email is an excellent method for legitimate marketers to inform prospective customers about their offerings, spam has caused recipients to be very distrustful of any sort of marketing message received via email. Users increasingly employ email for sending file attachments, but viruses and other threats carried in attachments have forced organizations to increasingly block email attachments. The net result is that email is becoming increasingly important as a critical business tool, and trusted less by the people who need it.
Changes in the Email Landscape.
To combat the growing threats posed by viruses, worms, Trojan horses, spam, phishing, spyware, and other threats introduced to the organization through email, and to protect organizations from employees who often inadvertently send sensitive content out of the organization, people who manage email systems for their organizations must do more just to maintain email’s usability and utility. A number of new protocols, techniques and best practices are emerging for protecting organizations from the growing variety of external and internal email threats, including domain authentication, traffic shaping, development of better email policies, user education, and other techniques and practices. New offerings from a growing array of vendors promise to combat email threats more effectively—while reducing the quite serious problem of false positives (tagging messages as threats when they are, in fact, valid messages), the bane of email threat management systems.
The Bottom Line for Messaging Managers.
IT staff and others charged with maintaining the integrity of their corporate email systems must continually do more with resources that typically do not grow as quickly as the threats that face them. Consequently, they must become more effective with the tools and techniques they have available. The good news is that vendors, like IronPort Systems, are responding to this challenge by introducing increasingly sophisticated systems that more effectively prevent threats from entering or leaving networks and that allow those who manage email systems to handle these threats more efficiently. In addition to deploying more capable systems, however, those who manage email systems must become more proactive by educating users about the dangers of email, establishing corporate policies about email use, and ensuring that users are familiar with and comply with these policies. In short, the combination of effective technology and a focus on best practices can help messaging managers to maintain email’s role as the corporate world’s most critical application. The booklet that you’re about to read will help you understand the key issues involved in protecting your email system—helping your users to get the most out of email and helping those who manage email for your organization to do so efficiently and effectively.

Email has become the world’s most important form of business communication. The low cost, high efficiency, and ubiquity of email makes us wonder what life was like before its widespread adoption. Today the question is no longer “do you have an email address?”, but rather “what’s your email address?”.
But email is a victim of its own success. The very attributes that make it so compelling for business communication, have also made it attractive to those who use it for illicit and illegal forms of marketing.
Today’s business email systems must contend with an ever growing volume of spam, viruses, fraudulent or “phishing” email, and (the latest scourge) email borne spyware. In addition to these inbound threats, companies are growing increasingly aware of the need to stop outbound threats— intellectual property leaving the company by email or outbound email subject to regulatory requirements.
Sagging under the weight of these unending threats, the infrastructure used to send and receive mail is entering a period of rapid change. New authentication protocols are being developed to attack the spam and virus problems at their core. Also, new techniques and standards are being developed for the handling of bounce messages, a huge headache for the entire Internet community.
This report will attempt to cover the basics needed for a modern email security solution:
1. Stopping Spam
2. Stopping Viruses
3. Protecting Your Identity
4. Outbound Scanning
5. Fixing Email

Thursday, October 11, 2007

Symantec Endpoint Security

Symantec Endpoint Protection 11.0 combines Symantec AntiVirus with advanced threat prevention to deliver unmatched defense against malware for laptops, desktops and servers. It seamlessly integrates essential security technologies in a single agent and management console, increasing protection and helping lower total cost of ownership.

Key Features

* Seamlessly integrates essential technologies such as antivirus, antispyware, firewall, intrusion prevention, device control.
* Requires only a single agent that is managed by a single management console.
* Provides unmatched endpoint protection from the market leader in endpoint security.
* Enables instant NAC upgrade without additional software deployment for each endpoint.

Key Benefits

* Stops malware such as viruses, worms, Trojans, spyware, adware, bots, zero-day threats and rootkits.
* Prevents security outbreaks thus reducing administrative overhead.
* Lowers total cost of ownership for endpoint security.


New Features
Single Agent and Single Console
Delivers a single agent for all Symantec Endpoint Protection technologies and Symantec Network Access Control, and a single integrated interface for managing all Symantec Endpoint Protection technologies and Symantec Network Access Control. Both allow for a single communication method and content delivery system across all technologies.

* Provides operational efficiencies such as single software updates, single policy updates.
* Provides unified and central reporting.
* Provides unified licensing and maintenance.
* Requires no change to the client when adding Symantec Network Access Control enforcement.
* Lowers Total Cost of Ownership for endpoint security.
* Reduces administrative effort.

Proactive Threat Scanning
Behavior-based protection that defends against zero-day threats and threats not seen before. Unlike other heuristic-based technologies, Proactive Threat Scan scores both the good and bad behavior of unknown applications, providing more accurate malware detection.

* Accurately detects malware without the need to set up rule-based configurations.
* Helps lower the number of false positives.

Advanced Rootkit Detection and Removal
Provides superior rootkit detection and removal by integrating VxMS (Veritas Mapping Service, a Veritas technology), thereby providing access below the operating system to allow thorough analysis and repair.

* Detects and removes the most difficult rootkits.
* Saves time and money and avoids the productivity losses associated with re-imaging infected machines.

Application Control
Allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed suspicious or high risk.

* Prevents malware from spreading or harming endpoints.
* Locks down endpoints to prevent data leakage.

Device Control
Controls which peripherals can be connected to a machine and how the peripherals are used. It locks down endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices.

* Prevents sensitive and confidential data from being extracted or stolen from endpoints (data leakage).
* Prevents endpoints from being infected by viruses spread from peripheral devices.


Symantec Endpoint Protection Client (32-bit)
Minimum requirements

* Windows 2000 SP3+, Windows XP, Windows Server 2003, Windows Vista (x86)
* Pentium III 300 MHz (1GHz for Windows Vista)
* 256MB RAM
* 180 MB disk (plus an additional 440 MB during installation)

Symantec Endpoint Protection Client (64-bit)
Minimum requirements

* Windows XP Professional (x64) SP1+, Windows Server 2003 (x64), Windows Vista (x64)
* 1 GHz with one of the following processors: Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support, AMD 64-bit Opteron, AMD 64-bit Athlon (Note: Itanium is not supported)
* 256MB RAM
* 180 MB disk (plus an additional 440 MB during installation)

Symantec AntiVirus for Linux Client
Linux distributions supported: Red Hat Enterprise Linux, SuSE Linux Enterprise (server/desktop), Novell Open Enterprise Server, VMware ESX. Not centrally managed by Symantec Endpoint Protection Manager.
Symantec Endpoint Protection Manager
Central Administration Server

Minimum requirements

* Windows XP Professional SP2; Windows Server 2003 Standard/Enterprise
* Microsoft Internet Information Services (web server)
* Microsoft SQL Server 2000 SP3 or SQL Server 2005 (optional)
* 2GB RAM
* 1GB free disk space

Symantec Endpoint Protection Console
Remote administration console (optional)

Minimum Requirements

* Windows Vista; Windows XP Professional; Windows Server 2003 Standard or Enterprise; Windows 2000 Professional/Server/Advanced Server
* Sun Java Runtime Environment (JRE) 1.5
* Microsoft Internet Explorer 6.0 SP2
* 512MB RAM