Tuesday 30 October 2018

Two Reasons why IPS is a "Must Have" for your Network

Introduction

This is the third in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in December 2017.
This third article illustrates how Symantec Endpoint Protection's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
Please also see this important post from Security Response..... What Symantec’s Intrusion Prevention System did for you in 2015

IP What?

Unlike AntiVirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.  It’s very cool.
SEP’s IPS component greatly increases the number of threats that can be blocked, so the use of IPS is strongly recommended on almost all endpoints.  More details are contained in:
Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347

Not Just for Windows Any More!

IPS has been an optional component of SEP for Windows since the beginning.  In order to enable IPS in Symantec Endpoint Protection 11.x, the client firewall portion (Network Threat Protection) must be installed and running. In SEP 12.1 and above, the client firewall function is separate and does not need to be installed or enabled for IPS to function. 
SEP 12.1 RU4 brought many new features to the SEP client that runs on Macintosh (“SEP for Mac”).  An overview of these enhancements can be found in:
Overview for Symantec Endpoint Protection 12.1.4 for Mac
http://www.symantec.com/docs/HOWTO92146
One of the best of these enhancements is that IPS can now defend Mac machines as well as the Windows boxes on the network.  So, definitely upgrade the protection on your Macs!

How IPS Defends Clients

For an excellent illustration of how IPS can protect against a very dangerous threat, see Recovering Ransomlocked Files Using Built-In Windows Tools.  Even if the initial Trojan.Cryptolocker .exe is not detected by SEP’s AntiVirus components, IPS attack signatures can still block the network traffic that this threat relies upon in order to generate the keys necessary to sabotage a computer’s files.  If you see a pop-up “System Infected: Trojan.Cryptolocker” then IPS has just blocked the Trojan’s network activity (and saved you a load of grief).  Get that computer isolated and perform a load point diagnostic to identify any unidentified malware files!

Generating SEPM Reports of Network Attacks

As detailed in my first article, your Symantec Endpoint Protection Manager contains advanced capabilities for reporting and alerting.  It can often tell you exactly what is going on with the security of your network, if you know how to look.
One report that it can generate on demand is Network Threat Protection: Attacks.  (Remember: in SEP 12.1, it is not necessary to have the NTP component of SEP installed in order to take advantage of IPS.  IPS can be installed without NTP.  The report of all IPS attacks is still listed under Network Threat Protection as a legacy inherited from SEP 11 days.)
Just click on Monitors, Logs tab, and pick the "Network Threat Protection" option for Log type.  Choose “Attacks” to see all the IPS events that have occurred on managed SEP clients and been forwarded to the SEPM.
Logs.jpg
The logs for all the attack events will be displayed on screen, and can be exported for more advanced parsing and analysis with your favorite spreadsheet program.

Identifying Unprotected Computers

One example of how these can be useful: in a recent real-world case, an administrator had been fighting a never-ending battle to eradicate W32.Downadup from the corporate network.  There were constant detections of this threat being stopped, but somewhere out there were infected computers which constantly tried to re-infect others.  Examining the Risk Reports failed to show any instances where the threat was being detected by AV but “left alone,” so where were they?
Examining the exported Network Attack logs, it was pretty clear that IPS was also blocking infection attempts (traffic that attempted exploit of the vulnerability that W32.Downadup uses to spread).  These logs, though, showed what IP addresses involved with each “[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM”
traffic.jpg
Examining the Remote Hosts that were responsible for all that traffic was the solution to this case.  There were a handful of infected computers that had no AV product on them at all. Installing SEP ended the persistent W32.Downadup troubles for good.

Identifying Infected Machines

In another recent real-world example: hundreds of Auto-Protect virus events (Event ID 51) were seen on the shared directory of a file server.  Several days were spent examining the load points of the server itself, with nothing malicious found.  The reason: the infection was on one of the 400 clients which connect daily to that mapped drive.  Some client in the network had attempted to do the damage- but which one?  It would not be possible to examine load point diagnostics from all those hundreds of clients.
Luckily, that file server had IPS installed.  The IPS logs were examined and a large number of ”Incoming Auto-Block Event” entries were spotted, coming from one particular IP Address.  This activity might have been a coincidence, but in this case it was a very big clue as to which mapped client was infected.  That computer was isolated, cleaned, patched and returned to the network.  Problem solved.  
.

Conclusion

IPS can protect your computers- and everything on them-  in ways that AV alone cannot.  And, its logs can provide valuable intelligence about which computers in the network are infected.
Moral of this story: it’s much easier to deploy the SEP IPS client and read its logs than to examine 400 load point diagnostics.  &: )
One final recommendation: it is always a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!
Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0
Many thanks for reading!  Please do leave comments and feedback below. 

source :  https://www.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

multiple Firefox.exe processes

Whenever I open Firefox, there are two firefox.exe running the background whenever I open the browser. Whenever I try to close the second one, it crashes all of the tabs that are on the browser, and whenever I reload the tabs, it pops up again.
I've scanned my computer multiple times with multiple anti-viruses, but there was no viruses to be found. I've also disabled the plugins that I thought were the issue, and refreshed Firefox, but it was still there. I restarted my computer, no luck in doing that. Uninstalling and reinstalling Firefox didn't even do the trick either.
The double processes sky-rockets my RAM and CPU, and it's starting to get annoying. Please help! I appreciate any cooperation!
Modified by TheCameraEye97

Chosen solution

This could indicate that your Firefox is using a new "multiprocess" feature.
e10s
One of the headline changes in Firefox 48+ is e10s, which separates the browser interface process from the page content process. The performance impact of this can vary a lot between systems: many users find it faster, some find it slower, for many it's neutral. There probably is somewhat more memory use than when everything runs in a single firefox.exe process.
Are you using e10s?
You can check whether you have this feature turned on as follows. Either:
  • "3-bar" menu button > "?" button > Troubleshooting Information
  • (menu bar) Help > Troubleshooting Information
  • type or paste about:support in the address bar and press Enter
In the first table on the page, check the row for "Multiprocess Windows" and see whether the number on the left side of the fraction is greater than zero. If so, you are using e10s.
If you are using e10s:
If you think Firefox is not performing well or is using an unreasonable amount of resources now, you could evaluate whether e10s is causing this problem by turning it off as follows:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste autos and pause while the list is filtered
(3) Double-click the browser.tabs.remote.autostart.2 preference to switch the value from true to false
Note: the exact name of the preference may vary, but it will start with browser.tabs.remote.autostart
At your next Firefox startup, it should run in the traditional way. Any difference?

Two Reasons why IPS is a "Must Have" for your Network

Introduction This is the third in my Security Series of Connect articles.  For more information on how to keep your enterprise environm...