Symantec™ Endpoint Protection for Microsoft® Windows Embedded Standard 2009 (WES) and Windows® XP Embedded (XPe) User Guide HP thin clients
© Copyright 2008–2009 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Internet Explorer is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. Intel and Pentium are trademarks of Intel Corporation in the U.S. and other countries. The information contained herein is subject to change without notice.
About this book The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, http://www.symantec.
Table of contents
1 System requirements
  Hardware requirements (page 1)
  Software requirements (page 1)
2 Introducing the agent
  About the Symantec Endpoint Protection for WES and XPe (page 2)
  About security policies
  Responding to permission status messages (page 14)
5 Monitoring and logging
  About logs (page 15)
  About the Security log (page 16)
  About the Traffic log
1 System requirements
This chapter includes the following topics:
● Hardware requirements on page 1
● Software requirements on page 1
Hardware requirements
The agent requires the following minimum hardware:
● Intel® Pentium® 133 MHz or equivalent
● 256 MB RAM
● 40 MB available hard disk space
● One Ethernet adapter (with TCP/IP installed)
Software requirements
The agent requires the following software:
● Windows Embedded Standard 2009 (WES) operating system or
● Windows XP Embedded (XPe) op
2 Introducing the agent
This chapter includes the following topics:
● About the Symantec Endpoint Protection for WES and XPe on page 2
● About security policies on page 2
● Key features of the agent on page 3
About the Symantec Endpoint Protection for WES and XPe
The Symantec Endpoint Protection for WES and XPe (the agent) is security software that is installed on embedded endpoints, such as ATMs, Point of Service systems, and thin clients, that run the WES, XPe, or the XPe Point of Service operatin
Key features of the agent
The agent can be used in the following networking environments:
● Directly connected to the local area network or wireless network
● Remotely connected using Virtual Private Network (VPN) or dial-up
● Completely disconnected from any network
The agent does not support location awareness or host integrity. Host integrity will be supported in a later release.
3 Agent basics
This chapter includes the following topics:
● Opening the agent on page 4
● Navigating the main window on page 4
● Using the menus and the toolbar on page 5
● About the notification area icon on page 8
● Testing your endpoint on page 10
Opening the agent
The agent is designed to start automatically when you turn on your endpoint, protecting you immediately. To configure your agent or review logs of potential attacks on your agent, you open the agent first.
To open the agent
1.
Using the menus and the toolbar The top of the screen displays a standard menu and toolbar. The toolbar icons can be used to quickly access logs, view the Help file, or test your system. Some icons are either disabled or may not appear. This status depends on how the agent is configured or which control mode the agent is in. The toolbar icons that are located below the menus provide shortcuts.
Hide Windows Services: Toggles the display of Windows Services
Hide Broadcast Traffic: Toggles the display of broadcast traffic
Viewing traffic history
You can view a real-time picture of the last two minutes of your traffic history in the main window. The graphs reload new information every second, providing instant data, as measured in bytes, about your incoming and outgoing network traffic. The Traffic History graphs are broken down into three sections.
There are a number of services running at any given time. Since they are often crucial to the operation of your endpoint, you may want to allow them. You can show or hide them from the message console.
To hide system services
▲ Click Hide Windows Services.
To change the display of applications
▲ Right-click the Running Applications field and select the desired view.
To stop an application or service from running
▲ In the Running Applications field, right-click the application and click Terminate.
Terminate ends the process immediately. If the process is a service that the endpoint depends on, the endpoint may stop working correctly until it is restarted, so check what a service does before you terminate it.
About the notification area icon
● RED: The agent has blocked traffic.
● GREEN: Traffic flows uninterrupted by the agent.
● GRAY: No traffic flows in that direction.
A green dot means that the agent is connected to the Symantec Policy Manager.
About responding to the flashing icon
If you see a flashing icon, the endpoint may be responding to an attempted attack. When you rest your mouse over the flashing icon, a tool tip appears telling you that you are under an attack.
Table 3-2 Notification area icon shortcut menu (continued)
Menu command | Description | Server Control mode | Client Control mode
About | Opens the About dialog box, providing information on your version of the agent | X | X
Exit Symantec Protection Agent | Stops the agent from running. You need to restart the agent to protect your system | X | X
NOTE: This option may appear dimmed or not at all.
Testing your endpoint
You can test the vulnerability of your system to outside threats by scanning your system. Assessing your vulnerability to an attack is one of the most important steps that you can take. With what you learn from the tests, you can more effectively set the various options on your agent to protect your endpoint from attack.
To test your endpoint
1. Do one of the following:
● On the toolbar, click Security Test.
● On the Tools menu, click Test Your System Security.
4 Responding to messages and warnings
This chapter includes the following topics:
● About message types on page 11
● Responding to application messages on page 12
● Responding to Trojan horse warnings on page 13
● Responding to blocked traffic messages on page 14
● Responding to permission status messages on page 14
About message types
You may see several different types of messages on the endpoint.
   Internet Explorer (IEXPLORE.EXE) is trying to connect to www.symantec.com using remote port 80 (HTTP - World Wide Web). Do you want to allow this program to access the network?
This message appears because the application has been opened, either directly or indirectly by you, or by another application. If you did not open any program or click any link and an application tries to access your network connection, there may be a number of different reasons.
Responding to Trojan horse warnings
If the agent detects a known Trojan horse on your endpoint, it blocks the Trojan horse from accessing your system and displays a message such as the following:
● “C:\WINNT\System32\UMGR32.EXE, a Trojan horse application has been detected on your computer. It has been blocked by the Symantec Protection Agent.”
This message means that a Trojan horse is present on your system and has been activated, that is, it attempted to run or to use the network and the agent stopped it. Note the full path shown in the message: it identifies the file that needs to be removed, and blocking alone does not delete it.
Responding to blocked traffic messages
Security messages display a message box when applications are blocked:
Blocked application message
An application that has been launched from your computer has been blocked in accordance with rules set by your system administrator. For example, you may see the following text:
   Application Internet Explorer has been blocked, file name is IEXPLORE.EXE.
These messages indicate that the agent has blocked the application's traffic because a rule, either one you set or one your administrator applied, treats that application as not trusted.
5 Monitoring and logging
This chapter includes the following topics:
● About logs on page 15
● Viewing logs on page 19
● Back tracing logged events on page 20
● Exporting logs on page 21
● Filtering logged events on page 21
● Stopping an active response on page 22
About logs
The agent’s logs are an important method for tracking your endpoint’s activity and its interaction with other endpoints and networks.
About the Security log The Security log records potentially threatening activity that is directed towards your endpoint, such as port scanning, virus attacks, or denial-of-service attacks. The Security log is probably the most important log in the agent.
About the Traffic log Whenever your endpoint makes a connection through the network, this transaction is recorded in the Traffic log. The Traffic log includes information about incoming and outgoing traffic.
Domain: User’s domain name
Location: The Location (Normal or Block All) that was in effect at the time of the attack
Occurrences: Number of packets each piece of traffic sends between the beginning and ending time
Begin Time: Time traffic starts matching the rule
End Time: Time traffic stops matching the rule
Rule Name: The rule that determined the passing or blockage of this traffic
About the Packet log
The Packet log captures every packet of data that enters or leaves a port on your endpoint.
About the System log The System log records all operational changes, such as the starting and stopping of services, detection of network applications, software configuration modifications, and software execution errors. It also logs communication with the Symantec Policy Manager, including connection and downloads. All information that is provided in the System log also appears in real time in the message area. The System log is especially useful for troubleshooting the agent.
Back tracing logged events
Back tracing enables you to pinpoint the source of data from a logged event. Back tracing shows the steps, or hops, between your endpoint and the source address of the logged traffic. A hop is a transition point, usually a router, which a packet of information travels through on a public network. Back tracing follows a data packet backwards, discovering which routers the data passed through on the way to your endpoint.
Keep in mind that the trace is run from your endpoint toward the logged source address, so it shows the outbound route to that address; the path the incoming packets actually took may differ, and if the source address was spoofed, the trace leads to the wrong host.
Exporting logs
You can save and export the contents of the logs to different locations. You may want to export logs to save space or to perform a security review.
To export a log file
1. Open the log in the Log Viewer.
2. Click File > Export.
3. In the Save As dialog box, select the location and format type for the log file.
4. Click OK.
Filtering logged events
You can view the recorded events in the Log Viewer by the severity level of the attack and by a previous period of time.
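The guide lists the Traffic log fields but not what a security review of an export looks like. The script below is an added example, not from the HP/Symantec guide, that reads an exported Traffic log and pulls out what a reviewer looks for: how much traffic each rule passed or blocked, entries logged while the location was Block All, and single entries with an unusually high packet count. It assumes the export was saved as CSV with a header row using the Traffic log field names shown above (Domain, Location, Occurrences, Begin Time, End Time, Rule Name) and a `yyyy-MM-dd HH:mm:ss` timestamp format; the rows in `$sample` and the rule names in them are constructed for illustration and are not a real export, and the 100-packet threshold is an assumed starting point.

```powershell
# Added example (not the guide's own material): review an exported Traffic log.
# Assumptions: CSV export, header row with the guide's Traffic log field names,
# timestamps formatted as yyyy-MM-dd HH:mm:ss. $sample is constructed test data.
$sample = @'
"Domain","Location","Occurrences","Begin Time","End Time","Rule Name"
"CORP","Normal","3","2009-03-02 09:14:05","2009-03-02 09:14:07","Allow Web Browsing"
"CORP","Normal","412","2009-03-02 09:20:11","2009-03-02 09:21:40","Block Inbound Unsolicited"
"CORP","Block All","27","2009-03-02 10:02:00","2009-03-02 10:02:30","Block Inbound Unsolicited"
"CORP","Normal","1","2009-03-02 10:15:00","2009-03-02 10:15:00","Allow DNS"
'@

function Get-TrafficLogReport {
    param(
        [Parameter(Mandatory=$true)] [string] $CsvText,
        [int] $OccurrenceThreshold = 100    # assumed value: packets per entry worth a closer look
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss'

    # One object per log entry with typed fields; the guide defines Occurrences
    # as the packet count between Begin Time and End Time.
    $rows = $CsvText | ConvertFrom-Csv | ForEach-Object {
        $begin = [datetime]::ParseExact($_.'Begin Time', $fmt, $null)
        $end   = [datetime]::ParseExact($_.'End Time',   $fmt, $null)
        New-Object PSObject -Property @{
            Domain      = $_.Domain
            Location    = $_.Location
            RuleName    = $_.'Rule Name'
            Occurrences = [int] $_.Occurrences
            Begin       = $begin
            Seconds     = ($end - $begin).TotalSeconds
        }
    }

    # Packets per rule: shows which rules are doing the passing and blocking.
    $byRule = $rows | Group-Object RuleName | ForEach-Object {
        New-Object PSObject -Property @{
            RuleName = $_.Name
            Entries  = $_.Count
            Packets  = ($_.Group | Measure-Object Occurrences -Sum).Sum
        }
    }

    # Anything matched while the location was "Block All" arrived while all
    # network traffic was meant to be blocked, so it deserves attention.
    $duringBlockAll = $rows | Where-Object { $_.Location -eq 'Block All' }

    # Many packets in a single entry has the shape of a scan or flood; compare
    # the Begin Time with the Security log before drawing conclusions.
    $bursts = $rows | Where-Object { $_.Occurrences -ge $OccurrenceThreshold }

    New-Object PSObject -Property @{
        ByRule         = $byRule
        DuringBlockAll = $duringBlockAll
        Bursts         = $bursts
    }
}

$report = Get-TrafficLogReport -CsvText $sample
'Packets per rule:'
$report.ByRule | Format-Table RuleName, Entries, Packets -AutoSize
'Entries logged during Block All:'
$report.DuringBlockAll | Format-Table Begin, RuleName, Occurrences -AutoSize
'High-occurrence entries:'
$report.Bursts | Format-Table Begin, Seconds, RuleName, Occurrences -AutoSize
```

To use it on a real export, replace `$sample` with `Get-Content -Raw` of the exported file (or `(Get-Content file) -join "`n"` on older PowerShell) and adjust `$fmt` to the timestamp format the Log Viewer actually wrote.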
Stopping an active response
If the agent detects an attack, it triggers an active response. The active response automatically blocks the IP address of a known intruder for a specific amount of time (from 1 to 2,147,483,647 seconds). The default amount of time is 10 minutes. If you do not want to wait the default amount of time to unblock the IP address, you can stop the active response immediately.
Because the block is keyed on the source IP address, an active response can also cut off a legitimate host whose address was spoofed or is shared with others (for example, behind NAT). Stopping the active response is how you restore access to such a host before the timer expires.
6 Command Line Management
This chapter includes the following topics:
● The command-line interface for the client service
● Typing a parameter if the agent is password-protected
The command-line interface for the client service
You can manipulate the agent directly from the command line on the agent computer by using the smc command for the client service. You may want to use this command in a script that runs the parameters remotely.
Table 6-1 Parameters that administrators can use (continued)
Parameter | Description
smc -exportadvrule | Exports the agent's firewall rules to a .sar file. Agent rules are only exported from the agent when in Server Control mode. You must specify the path name and file name. For example, you can type the following command: smc -exportadvrule C:\config\AllowExplorerRule.sar
smc -importallconfig | Imports the server and client profiles to the agent. The source folder must contain both serdef.xml and cltdef.
To type a parameter if the agent is password-protected, perform the following steps:
1. On the agent computer, on the taskbar, click Start > Run.
2. In the Run dialog box, type cmd.
3. In the Windows MS-DOS prompt, type either one of the following:
   smc -parameter -p password
   smc -p password -parameter
Where:
   parameter is -stop, -importconfig, or -exportconfig.
   password is the password you specified in the console.
For example, you can type either:
   smc -exportallconfig c:\profile.
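The steps above show the syntax for a password-protected smc call typed interactively; the guide also suggests running smc from a script. The script below is an added example, not from the HP/Symantec guide, that wraps a password-protected call, runs the `-exportadvrule` export the guide documents (using the guide's own example path), and confirms the export by checking for the file rather than trusting an exit code the guide does not document. It assumes Windows PowerShell is installed on the endpoint (it is not part of XPe or WES by default), that `smc.exe` is on the PATH (otherwise pass `-SmcPath`), and that the agent password is supplied through a `SEP_AGENT_PASSWORD` environment variable of your own choosing rather than typed into the script. Note the caveat in the comments: smc only accepts the password as a command-line argument, so it is visible to any user who can list processes on the endpoint while the command runs.

```powershell
# Added example (not the guide's own material): run a password-protected smc
# parameter from a script and verify that the export it requested was written.
# Assumptions: PowerShell available on the endpoint, smc.exe on PATH (or set
# -SmcPath), agent password provided in $env:SEP_AGENT_PASSWORD (our own name).
param(
    [string] $SmcPath    = 'smc',
    [string] $ExportPath = 'C:\config\AllowExplorerRule.sar'   # the guide's example path
)

function Invoke-SmcProtected {
    param(
        [Parameter(Mandatory=$true)] [string]   $Parameter,       # e.g. '-exportadvrule'
        [string[]]                              $Arguments = @(),  # e.g. the output path
        [Parameter(Mandatory=$true)] [string]   $Password
    )
    # The agent accepts "smc -p password -parameter" and "smc -parameter -p password".
    # Either way the password is passed in clear text on the command line, where any
    # user who can list processes on the endpoint can read it while smc runs, so run
    # this from a management session only and clear the variable afterwards.
    & $SmcPath '-p' $Password $Parameter @Arguments | Out-Host
    return $LASTEXITCODE
}

$password = $env:SEP_AGENT_PASSWORD
if (-not $password) { throw 'Set SEP_AGENT_PASSWORD before running this script.' }

# Make sure the target folder exists and that no stale file can pass the check below.
$exportDir = Split-Path -Parent $ExportPath
if (-not (Test-Path $exportDir)) {
    New-Item -ItemType Directory -Path $exportDir | Out-Null
}
if (Test-Path $ExportPath) { Remove-Item $ExportPath }

$code = Invoke-SmcProtected -Parameter '-exportadvrule' -Arguments @($ExportPath) -Password $password

# The guide says -exportadvrule writes a .sar file and that rules are exported only
# while the agent is in Server Control mode; it does not document exit codes, so
# the presence of the file is the reliable success check.
if (Test-Path $ExportPath) {
    Write-Host "Firewall rules exported to $ExportPath"
} else {
    Write-Error "smc -exportadvrule produced no file at $ExportPath (smc exit code: $code). Is the agent in Server Control mode?"
}

$password = $null   # do not leave the password lingering in the session
```

The same wrapper serves the other password-protected parameters the guide names (`-stop`, `-importconfig`, `-exportconfig`); only the success check changes, since `-stop` leaves no file behind.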