This document is provided without warranty; always vet what works best for you and your organization.

Anti-Virus Security Standards

Anti-Virus Standard

Corporate’s business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established. This Policy supports those objectives.

Signature File: the latest version of the signature file, as specified by Corporate IT.

Anti-Virus software must be running an active scan at all times while a system is turned on and connected to the network. Anti-Virus software should not be disabled.

Heuristic scanning must be enabled where available.

All Anti-Virus software must log significant activity to the appropriate log file.

Configuration settings to enable, based upon Symantec Endpoint Protection:

Workstations

Administrator-Defined Scans

o Scheduled Scans
  o Scan Details (Edit Button)
    o Scan Type: Full Scan
    o Scanning
      o Scan the following folders: ALL
      o File Types
        o Scan all files
      o Enhance the scan by checking:
        o Memory
        o Common infection locations
        o Well-known virus and security risk locations
    o Advanced Scanning Options
      o Compressed Files
        o Scan files inside of compressed files (locked)
        o Number of levels to expand within compressed file: 3
      o Storage Migration
        o Configure scans maintained by HSM and offline backup systems: Skip
      o Tuning Options: Balanced Performance
  o Schedule: Scan Enabled, Weekly, 8:00 PM, Monday
    o Missed Scheduled Scans
      o Specify the time to wait before retrying (in days): 1
  o Actions
    o Macro-virus
      o First Action: Clean
      o If First Action Fails: Quarantine
    o Non-Macro virus
      o First Action: Clean
      o If First Action Fails: Quarantine
    o Security Risks
      o First Action: Delete
      o If First Action Fails: Quarantine
      o Adware
        o First Action: Same
        o If First Action Fails: Same
      o Dialers
        o First Action: Same
        o If First Action Fails: Same
      o Hack Tools
        o First Action: Same
        o If First Action Fails: Same
      o Joke Programs
        o First Action: Same
        o If First Action Fails: Same
      o Other
        o First Action: Same
        o If First Action Fails: Same
      o Remote Access
        o First Action: Same
        o If First Action Fails: Same
      o Spyware
        o First Action: Same
        o If First Action Fails: Same
      o Trackware
        o First Action: Same
        o If First Action Fails: Same
    o Remediation
      o Back up files before attempting to repair them (locked)
  o Notifications
    o Display a notification message on the computer (locked)
      o Scan type [LoggedBy] Scan
      o Event [Event]
      o Security risk detected [SecurityRiskName]
      o File [PathandFilename]
      o Location [Location]
      o Computer [Computer]
      o User [User]
      o Action taken [ActionTaken]
      o Date found [DateFound]

Administrator On-demand Scan

o Scan Details (Edit Button)
  o Scanning
    o Scan the following folders: ALL
    o File Types
      o Scan all files
    o Enhance the scan by checking:
      o Memory
      o Common infection locations
      o Well-known virus and security risk locations
  o Advanced Scanning Options
    o Compressed Files
      o Scan files inside of compressed files
      o Number of levels to expand within compressed file: 3
    o Storage Migration
      o Configure scans maintained by HSM and offline backup systems: Skip
    o Tuning Options: Balanced Performance
o Schedule: Scan Enabled, Weekly, 8:00 PM, Monday
  o Missed Scheduled Scans
    o Specify the time to wait before retrying (in days): 1
o Actions
  o Macro-virus
    o First Action: Clean
    o If First Action Fails: Quarantine
  o Non-Macro virus
    o First Action: Clean
    o If First Action Fails: Quarantine
  o Security Risks
    o First Action: Delete
    o If First Action Fails: Quarantine
    o Adware
      o First Action: Same
      o If First Action Fails: Same
    o Dialers
      o First Action: Same
      o If First Action Fails: Same
    o Hack Tools
      o First Action: Same
      o If First Action Fails: Same
    o Joke Programs
      o First Action: Same
      o If First Action Fails: Same
    o Other
      o First Action: Same
      o If First Action Fails: Same
    o Remote Access
      o First Action: Same
      o If First Action Fails: Same
    o Spyware
      o First Action: Same
      o If First Action Fails: Same
    o Trackware
      o First Action: Same
      o If First Action Fails: Same
  o Remediation
    o Back up files before attempting to repair them (locked)
o Notifications
  o Display a notification message on the computer (locked)
    o Scan type [LoggedBy] Scan
    o Event [Event]
    o Security risk detected [SecurityRiskName]
    o File [PathandFilename]
    o Location [Location]
    o Computer [Computer]
    o User [User]
    o Action taken [ActionTaken]
    o Date found [DateFound]
o Advanced
  o Scheduled Scans
    o Delay scheduled scan when on batteries
    o Allow user-defined scheduled scans to run when scan author is not logged on
  o Startup and Triggered Scans
    o Run Active Scan when new definitions arrive
  o Scan Progress Options
    o Select scan progress option: Do Not Show

File System Auto-Protect

o Enable File System Auto-Protect (locked)
o Scanning
  o Scan all files (locked)
  o Scan for security risks (locked)
  o Block security risks from being installed (locked)
o Advanced Scanning and Monitoring
  o Scan when a file is accessed or modified
  o Preserve file times
  o Enable Bloodhound heuristic virus detection
    o Level of protection to use: Default
o Network Settings
  o Trust files on remote computers running Auto-Protect
  o Network cache
    o Keep 30 entries
    o Delete entries after 600 seconds
o Floppy Settings
  o Check floppies for boot viruses when accessed (locked)
  o When a boot virus is found: Log Only
o Actions
  o Macro-virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Non-Macro virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Security Risks
    o First Action: Delete (locked)
    o If First Action Fails: Quarantine (locked)
    o Adware
      o First Action: Same
      o If First Action Fails: Same
    o Dialers
      o First Action: Same
      o If First Action Fails: Same
    o Hack Tools
      o First Action: Same
      o If First Action Fails: Same
    o Joke Programs
      o First Action: Same
      o If First Action Fails: Same
    o Other
      o First Action: Same
      o If First Action Fails: Same
    o Remote Access
      o First Action: Same
      o If First Action Fails: Same
    o Spyware
      o First Action: Same
      o If First Action Fails: Same
    o Trackware
      o First Action: Same
      o If First Action Fails: Same
  o Remediation
    o Back up files before attempting to repair them (locked)
    o Terminate processes automatically
    o Stop services automatically
o Notifications
  o Display a notification message on the computer (locked)
    o Scan type [LoggedBy] Scan
    o Event [Event]
    o Security risk detected [SecurityRiskName]
    o File [PathandFilename]
    o Location [Location]
    o Computer [Computer]
    o User [User]
    o Action taken [ActionTaken]
    o Date found [DateFound]
o Advanced
  o Startup and Shutdown
    o Load Auto-Protect when: Computer starts (locked)
    o Check floppies when the computer shuts down (locked)
  o Auto-Protect Reloading
    o When Auto-Protect must be reloaded: Stop and reload Auto-Protect
    o When Auto-Protect is disabled, enable after 5 minutes (locked)
  o Additional Options
    o Enable the file cache (locked)
      o Use the default file cache size
    o Enable Risk Tracer (locked)
      o Resolve the source computer IP address

Internet Email Auto-Protect

o Scan Details
  o Enable Internet Email Auto-Protect (locked)
  o Scanning
    o Scan all files (locked)
    o Scan files inside compressed files (locked)
      o Number of levels to expand if there are compressed files inside: 3
o Actions
  o Macro-virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Non-Macro virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Security Risks
    o First Action: Delete (locked)
    o If First Action Fails: Quarantine (locked)
    o Adware
      o First Action: Same
      o If First Action Fails: Same
    o Dialers
      o First Action: Same
      o If First Action Fails: Same
    o Hack Tools
      o First Action: Same
      o If First Action Fails: Same
    o Joke Programs
      o First Action: Same
      o If First Action Fails: Same
    o Other
      o First Action: Same
      o If First Action Fails: Same
    o Remote Access
      o First Action: Same
      o If First Action Fails: Same
    o Spyware
      o First Action: Same
      o If First Action Fails: Same
    o Trackware
      o First Action: Same
      o If First Action Fails: Same
  o Remediation
    o Back up files before attempting to repair them
    o Terminate processes automatically
    o Stop services automatically
o Notifications
  o Display a notification message on the computer (locked)
    o Scan type [LoggedBy] Scan
    o Event [Event]
    o Security risk detected [SecurityRiskName]
    o File [PathandFilename]
    o Location [Location]
    o Computer [Computer]
    o User [User]
    o Action taken [ActionTaken]
    o Date found [DateFound]
  o Email Notification
    o Insert a warning into the email message (locked)
o Connection Settings
  o Incoming mail server (POP3): 110 (locked)
  o Outgoing mail server (SMTP): 25
o Encrypted Connections
  o Allow encrypted POP3 connections (locked)
  o Allow encrypted SMTP connections (locked)
o Mass Mailing Worm Heuristics
  o Outbound Worm Heuristics: Enable (locked)
    o First Action: Quarantine (locked)
    o If First Action Fails: Delete (locked)

Microsoft Outlook Auto-Protect

o Scan Details
  o Enable Microsoft Outlook Auto-Protect (locked)
  o Scanning
    o Scan all files (locked)
    o Scan files inside compressed files
      o Number of levels to expand if there are compressed files inside: 3 (locked)
o Actions
  o Macro-virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Non-Macro virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Security Risks
    o First Action: Delete (locked)
    o If First Action Fails: Quarantine (locked)
    o Adware
      o First Action: Same
      o If First Action Fails: Same
    o Dialers
      o First Action: Same
      o If First Action Fails: Same
    o Hack Tools
      o First Action: Same
      o If First Action Fails: Same
    o Joke Programs
      o First Action: Same
      o If First Action Fails: Same
    o Other
      o First Action: Same
      o If First Action Fails: Same
    o Remote Access
      o First Action: Same
      o If First Action Fails: Same
    o Spyware
      o First Action: Same
      o If First Action Fails: Same
    o Trackware
      o First Action: Same
      o If First Action Fails: Same
  o Remediation
    o Back up files before attempting to repair them
    o Terminate processes automatically
    o Stop services automatically
o Notifications
  o Display a notification message on the computer (locked)
    o Scan type [LoggedBy] Scan
    o Event [Event]
    o Security risk detected [SecurityRiskName]
    o File [PathandFilename]
    o Location [Location]
    o Computer [Computer]
    o User [User]
    o Action taken [ActionTaken]
    o Date found [DateFound]
  o Email Notification
    o Insert a warning into the email message (locked)

Lotus Notes Auto-Protect

o Scan Details
  o Enable Lotus Notes Auto-Protect (locked)
  o Scanning
    o Scan all files (locked)
    o Scan files inside compressed files (locked)
      o Number of levels to expand if there are compressed files inside: 3
o Actions
  o Macro-virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Non-Macro virus
    o First Action: Clean (locked)
    o If First Action Fails: Quarantine (locked)
  o Security Risks
    o First Action: Delete (locked)
    o If First Action Fails: Quarantine (locked)
    o Adware
      o First Action: Same
      o If First Action Fails: Same
    o Dialers
      o First Action: Same
      o If First Action Fails: Same
    o Hack Tools
      o First Action: Same
      o If First Action Fails: Same
    o Joke Programs
      o First Action: Same
      o If First Action Fails: Same
    o Other
      o First Action: Same
      o If First Action Fails: Same
    o Remote Access
      o First Action: Same
      o If First Action Fails: Same
    o Spyware
      o First Action: Same
      o If First Action Fails: Same
    o Trackware
      o First Action: Same
      o If First Action Fails: Same
  o Remediation
    o Back up files before attempting to repair them
    o Terminate processes automatically
    o Stop services automatically
o Notifications
  o Display a notification message on the computer (locked)
    o Scan type [LoggedBy] Scan
    o Event [Event]
    o Security risk detected [SecurityRiskName]
    o File [PathandFilename]
    o Location [Location]
    o Computer [Computer]
    o User [User]
    o Action taken [ActionTaken]
    o Date found [DateFound]
  o Email Notification
    o Insert a warning into the email message (locked)

TruScan Proactive Threat Scans

o Scanning
  o Scan for Trojans and worms (locked)
    o Use defaults defined by Symantec (locked)
  o Scan for keyloggers (locked)
    o Use defaults defined by Symantec (locked)
o Detecting Commercial Applications
  o When a commercial keylogger is detected: Quarantine (locked)
  o When a commercial remote control application is detected: Log Only (locked)
o Notifications
  o Display a message when there is a detection (locked)
o Scan Frequency
  o Specify how often the scan should run: At the default scanning frequency (locked)

Miscellaneous

o Windows Security Center
  o Disable Windows Security Center: Never
  o Display antivirus alerts within Windows Security Center: Enable
  o Display message when definitions are older than 14 days
o Log Handling
  o Antivirus and Antispyware Log Event Filtering:
    o Scanning and infection events
      o Scan aborted
      o Scan started
      o Scan stopped
      o Security Risk side effect repair failed
    o Virus definition events
      o Client running without virus definitions
      o New virus definitions assigned
      o Virus definition rollback
    o Management and configuration events
      o Antivirus is installed
      o Uninstall
      o Uninstall rolled back
    o Startup and shutdown events
      o Error loading services
      o Service shutdown
      o Service startup
  o Log Retention
    o Delete logs older than 90 days
  o Log Event Aggregation
    o Send aggregated events every 5 minutes
o Notifications
  o Display a warning message when definitions are outdated
    o Warn after 14 days
  o Display a warning when SEP is running without virus definitions
    o Warn after 2 remediation attempts
  o Display an error message with a URL to a solution
    o Display the URL to a Symantec Technical Support Knowledge Base
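
The Log Handling settings above (the event filter list, the 90-day retention and the 5-minute aggregation) decide which client events the management server keeps and forwards, and in what shape. The following Python script is an added example, not part of this standard or of Symantec's software: it applies those three settings to a few constructed SEP-style client records. The event names and the 90-day and 5-minute values come from the standard; the record layout (timestamp | computer | event) and the sample records are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Event types on the "Antivirus and Antispyware Log Event Filtering" list above;
# any other event type is dropped before it reaches the log.
FORWARDED_EVENTS = {
    "Scan aborted", "Scan started", "Scan stopped",
    "Security Risk side effect repair failed",
    "Client running without virus definitions", "New virus definitions assigned",
    "Virus definition rollback",
    "Antivirus is installed", "Uninstall", "Uninstall rolled back",
    "Error loading services", "Service shutdown", "Service startup",
}
RETENTION = timedelta(days=90)             # "Delete logs older than 90 days"
AGGREGATION_WINDOW_MINUTES = 5             # "Send aggregated events every 5 minutes"

def parse_event(line):
    """Split one constructed record "timestamp | computer | event" (assumed layout)."""
    ts, computer, event = (field.strip() for field in line.split("|", 2))
    return datetime.fromisoformat(ts), computer, event

def apply_log_handling(lines, now):
    """Return what the server forwards after retention, filtering and aggregation:
    (window_start, computer, event, count) tuples, one per 5-minute window."""
    buckets = Counter()
    for line in lines:
        ts, computer, event = parse_event(line)
        if now - ts > RETENTION:            # retention: purge records past 90 days
            continue
        if event not in FORWARDED_EVENTS:   # filtering: unlisted event types are dropped
            continue
        # aggregation: identical events in the same 5-minute window collapse to one count
        window = ts.replace(minute=ts.minute - ts.minute % AGGREGATION_WINDOW_MINUTES,
                            second=0, microsecond=0)
        buckets[(window, computer, event)] += 1
    return sorted((w, c, e, n) for (w, c, e), n in buckets.items())

# Constructed sample records (not real SEP output).
SAMPLE_LOG = [
    "2024-03-04 20:00:05 | WS-0142 | Scan started",
    "2024-03-04 20:00:09 | WS-0142 | Scan started",            # repeat inside the window
    "2024-03-04 20:03:30 | WS-0142 | Scan stopped",
    "2024-03-04 20:06:00 | WS-0142 | Scan started",            # falls in the next window
    "2024-03-04 20:07:00 | WS-0142 | Definitions downloaded",  # not on the filter list
    "2023-11-01 09:00:00 | WS-0099 | Service shutdown",        # older than 90 days
    "2024-03-04 21:15:00 | WS-0099 | Client running without virus definitions",
]

if __name__ == "__main__":
    now = parse_event("2024-03-05 00:00:00 | - | -")[0]
    for window, computer, event, count in apply_log_handling(SAMPLE_LOG, now):
        print(f"{window:%Y-%m-%d %H:%M} {computer:8} {event} x{count}")
```

Two of the seven records never reach the forwarded batches: the unlisted "Definitions downloaded" event and the record past the retention window, which is worth keeping in mind when an investigation relies on SEP logs alone.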

Firewall Policies

o Predefined Rules
  o Allow fragmented packets
  o Allow all applications
o Custom rules
  o Allow ping requests
  o Allow incoming ICMP
  o Allow outgoing ICMP
  o Allow Active Directory DNS
  o Allow Inbound Loopback Requests
  o Allow Outbound Loopback Requests
  o Allow VPN
  o Allow EPMAP from Symantec Exchange Servers
  o Allow Incoming RPC, File & Printer Sharing
  o Allow Outgoing RPC, File & Printer Sharing
  o Allow Remote Desktop Connection
  o Allow Active Directory LDAP
  o Allow Outgoing WINS
  o Allow Incoming WINS
  o Allow Kerberos
  o Allow NTP
  o Allow BOOTP
  o Allow Access to Symantec IT Security Scanners
  o Allow Access to Symantec IT Security Scanners via host list
  o Allow Access to Cisco IP Communicator Servers
  o Block UPnP
  o Block IP Multicast and Unknown Broadcast
  o Block and Log Unchecked IP Packets
  o Block Other Unchecked Traffic
o Smart Traffic Filtering
  o Enable Smart DHCP
  o Enable Smart DNS
  o Enable Smart WINS
o Traffic and Stealth Settings
  o Allow token ring traffic
  o Enable reverse DNS lookup

Intrusion Prevention Policies

o Settings
  o Enable Intrusion Prevention
  o Enable denial of service detection
  o Enable port scan detection
  o Enable excluded hosts
o Active Response
  o Automatically block an attacker’s IP address for 600 seconds

Centralized Exception Policies

o Ignore detected processes or paths
  o macros.exe
  o phtray.exe
  o syntplpr.exe
  o cclient.exe
  o _prog.exe
  o tpkmapmn.exe
  o unlockerassistant.exe
  o ComExec.exe
  o c:\build-temp

Servers

Administrator-Defined Scans

o Scheduled Scans
  o Scan Details (Edit Button)
    o Scan Type: Full Scan
    o Scanning
      o Scan the following folders: ALL
      o File Types
        o Scan all files
      o Enhance the scan by checking:
        o Memory
        o Common infection locations
        o Well-known virus and security risk locations
    o Advanced Scanning Options
      o Compressed Files
        o Scan files inside of compressed files (locked)
        o Number of levels to expand within compressed file: 3
      o Storage Migration
        o Configure scans maintained by HSM and offline backup systems: Skip
      o Tuning Options: Best Application Performance
  o Schedule: Scan Enabled, Monthly, 8:00 PM, 1st Day
    o Missed Scheduled Scans
      o Specify the time to wait before retrying (in days): 1
  o Actions
    o Macro-virus
      o First Action: Clean
      o If First Action Fails: Quarantine
    o Non-Macro virus
      o First Action: Clean
      o If First Action Fails: Quarantine
    o Security Risks
      o First Action: Delete
      o If First Action Fails: Quarantine
      o Adware
        o First Action: Same
        o If First Action Fails: Same
      o Dialers
        o First Action: Same
        o If First Action Fails: Same
      o Hack Tools
        o First Action: Same
        o If First Action Fails: Same
      o Joke Programs
        o First Action: Same
        o If First Action Fails: Same
      o Other
        o First Action: Same
        o If First Action Fails: Same
      o Remote Access
        o First Action: Same
        o If First Action Fails: Same
      o Spyware
        o First Action: Same
        o If First Action Fails: Same
      o Trackware