Presentation is loading. Please wait.

Presentation is loading. Please wait.

ADMINISTRATION HANDS-ON. Page 2 Agenda Task 1: Initial Configuration Task 2: Testing disinfection with eicar.com HTTP traffic scanning, manual scanning.

Published byEleanore Sims Modified over 9 years ago

Similar presentations

Presentation on theme: "ADMINISTRATION HANDS-ON. Page 2 Agenda Task 1: Initial Configuration Task 2: Testing disinfection with eicar.com HTTP traffic scanning, manual scanning."— Presentation transcript:

1 ADMINISTRATION HANDS-ON

2 Page 2 Agenda Task 1: Initial Configuration Task 2: Testing disinfection with eicar.com HTTP traffic scanning, manual scanning and real-time scanning Task 3: Testing email scanning Task 4: Automatic Update Setup Task 5: Advanced Anti-Virus Management Task 6: Spyware Scanning Task 7: Using Browser Control Task 8: Manage Spyware Centrally Task 9: Using System Control

3 Page 3 Task 1: Initial Configuration Configure your AVCS client from the Policy Manager Console with the following settings Real-time scanning and email scanning should be enabled and the settings should be locked Check that archives are not scanned in real-time scanning, but are scanned in manual scans and email scans Enable HTTP traffic scanning Scanned file types: ”All files” in manual scanning, ”All attachements” in email scanning and only ”files with certain extension” in real-time scanning Disable the firewall Configure the console in such way so that security alerts are sent to userXX@example.com, with email server 192.168.100.50 (XX is the number of your workstation) Task continues on next page…

4 Page 4 Task 1: Initial Configuration Create two different policies on sub-domain level Under “Accounting/HEL”, set real-time scanning “Action on infection” to ”Disinfect Automatically” Your workstation should be part of this domain Under “Development/HEL”, set real-time scanning “Action on infection” to “Ask After Scan” =>After task is completed, continue to page 13

5 Page 5 Walk Through: Initial Configuration In Real-Time Scanning, check if the most critical settings are locked (select the root domain level) Real-Time scanning = enabled Files to scan = Files with these extensions Included extensions list should be locked

6 Page 6 Walk Through: Initial Configuration In Manual scanning, check that the most important settings are locked aswell and that they are configured correctly Files to scan = All Files Scan inside compressed files = Enabled

7 Page 7 Walk Through: Initial Configuration In Email scanning, check that the most important settings are locked and that they are configured correctly Incoming and out going email scanning = enabled Action on infected attachments locked Attachments to scan = All attachments

8 Page 8 Walk Through: Initial Configuration Enable HTTP scanning and lock the setting

9 Page 9 Walk Through: Initial Configuration Setup email alert sending Server address = 192.168.100.50 Sender address = admin@example.com Recipient address = userXX@example.com

10 Page 10 Walk Through: Initial Configuration Disable Internet Shield (on root domain level)

11 Page 11 Walk Through: Initial Configuration Create two different policies on sub-domain level Under “Accounting/HEL”, set real-time scanning “Action on infection” to ”Disinfect Automatically” Under “Development/HEL”, set real-time scanning “Action on infection” to “Ask After Scan”

12 Page 12 Walk Through: Initial Configuration Place your workstation in the “Accounting/HEL” sub-domain Use context menu (right-click, cut and paste) Distribute the policies

13 Page 13 Task 2: Testing Disinfection with eicar.com Download eicar.com test file from www.eicar.org and test web traffic, real-time and manual virus scanning Test downloading eicar zipped and unzipped Test real-time scanning in sub-domains ”Accounting/HEL” and ”Development/HEL” (any differences?) Test manual scanning Check the reports on the local host and on Policy Manager Console => After task is completed, continue to page 22

14 Page 14 Walk Through: Testing Disinfection Attempt to download the eicar test file Download eicar.txt from http://www.eicar.org/ Test downloading different alternatives

15 Page 15 Walk Through: Testing Disinfection Web traffic scanner should pick up the file when downloading (using HTTP) Note that real-time scanner would prevent saving the file save, if malware was downloaded using HTTPs (SSL) File is disinfected (deleted) automatically as the workstation is currently in the “Accounting/HEL” sub-domain

16 Page 16 Walk Through: Testing Disinfection In order to test real-time scanning, manual scanning and email scanning, create a text file with Notepad, including the eicar text string First move the workstation to the ”Development/HEL” sub-domain and distribute the policies Then create the eicar.txt file When real-time scanner warns about the infection, select “Do nothing”

17 Page 17 Walk Through: Testing Disinfection Test the real-time protection by renaming the file to eicar.com Notice that the recommended action on this test file is “Delete” (similar to trojan horse removal)

18 Page 18 Walk Through: Testing Disinfection Run a Manual scan of the folder where eicar.txt is located If you deleted eicar.com, you need to recreate it Launch the scan for example through the system tray AVCS icon

19 Page 19 Walk Through: Testing Disinfection Check also the Scanning Report created by the Manual scan

20 Page 20 Walk Through: Testing Disinfection Check the security alerts on Policy Manager Console

21 Page 21 Walk Through: Testing Disinfection Launch a scan for Viruses and Spyware from the Policy Manager Console Operations tab Check the Report this creates in a few minutes

22 Page 22 Task 3: Testing Email Scanning Configure Outlook Express and send email to yourself (attach eicar.com) E-mail address: userXX@example.com Incoming mail server: 192.168.100.50 Outgoing mail server: 192.168.100.50 Check the alerts that have been forwarded to that address as well => After task is completed, continue to page 31

23 Page 23 Walk Through: Testing E-mail Scanning Check that e-mail scanning works Open and configure Outlook Express

24 Page 24 Walk Through: Testing E-mail Scanning E-mail address: userXX@example.com Incoming mail server: 192.168.100.50 Outgoing mail server: 192.168.100.50

25 Page 25 Walk Through: Testing E-mail Scanning Account name: userXX, where XX is the number of the workstation Password: password

26 Page 26 Walk Through: Testing E-mail Scanning Download your emails from the server There should be some alert for the administration as this is the address where email alerts are sent

27 Page 27 Walk Through: Testing E-mail Scanning Send a email to yourself Disable “real-time scanning” from PMC (distribute policies) Attach eicar.txt to your e-mail and send it

28 Page 28 Walk Through: Testing E-mail Scanning An e-mail scanning report appears (the email is blocked) Check the statistics and reports on the Policy Manager Console

29 Page 29 Walk Through: Testing E-mail Scanning Test incoming email scanning In order to test incoming email scanning you need to disable outgoing email scanning, Do so from the Policy Manager Console (distribute the policies) Send another email

30 Page 30 Walk Through: Testing E-mail Scanning Re-enable Virus & Spy Protection Turn real-time scanning back on Enable outgoing email scanning Remember to lock the settings

31 Page 31 Task 4: Automatic Update Confirmation In case the hosts AUA cannot connect to PMS, then it will automatically fetch virus definitions from the F-Secure Root Update Server. Try to come up with a way to test the fail-over mechanism => After task is completed, continue to page 37

32 Page 32 Walk Through: Automatic Update Confirmation In order to test the automatic fail-over, we need to shut down the Policy Manager Server service Close the Policy Manager Console Stop the Policy Manager Server service from Start/Settings/Control Panel/Administrative Tools/Services

33 Page 33 Walk Through: Automatic Update Confirmation On the host, check that the PMS is unreachable In the basic user interface, click “Check Now” under “Central Management” Now Management Agent will attempt to fetch the policy and fail

34 Page 34 Walk Through: Automatic Update Confirmation Check the Logfile.log for a possible connection problem reason Logfile.log can either be launched from the Advanced User interface (under Central Management) or it can be found from c:\Program Files\F- Secure\Common\

35 Page 35 Walk Through: Automatic Update Confirmation Trigger the virus definitions update from the Advanced User Interface Under Automatic updates, click “Check now” At first the connection fails (to PMS), but as soon as it has failed, another connection is opened (UDP connection to the F-Secure Root Update Server)

36 Page 36 Allowing F-Secure Automatic Update Agent Through a Firewall Local Host F-Secure Root Update Server AVCS Automatic Update Agent Polite Protocol should be allowed by the Firewall: Other option is to allow HTTP

37 Page 37 Task 5: Advanced Mode Management Set up a scheduled scan that takes place weekly and add a custom message, that is shown to end users on local infections => After task is completed, continue to page 42

38 Page 38 Walk Through: Advanced Mode Management Define a custom message shown to users when infections are found F-Secure Anti-Virus/Settings/Visual/ Custom Message = Show Custom Message when Virus Found = Enabled

39 Page 39 Walk Through: Advanced Mode Management Add a scheduled task F-Secure Anti-Virus/Settings/Scheduler/Scheduled Task Choose Add

40 Page 40 Walk Through: Advanced Mode Management Choose Scheduling Parameters Read the help text for instructions Schedule a scan task to start in a few minutes (24 hour format!), which will from now on run once a week Distribute the policies

41 Page 41 Walk Through: Advanced Mode Management Check the scanning report created by the scheduled task on the Policy Manager Console

42 Page 42 Internet Explorer Configuration Windows XP service pack 2 has enhanced Internet Explorer with several security features. In order to be able to test all Spyware Protection features (incl. Browser Control and System Control), we need to disable some features Open Internet Explorer and goto Tools/Internet Options Adjust the Internet Security Level (click “Custom Level”) Download Signed ActiveX Controls: Enabled Adjust the “Privacy” settings Lower the privacy settings to “Accept all Cookies” Disable the XP SP2 popup blocker => After task is completed, continue to page 47

43 Page 43 Task 6: Spyware Scanning Try out spyware scanning Run a spyware scan on the host Check the logfiles and alerts => After task is completed, continue to page 47

44 Page 44 Walk Through: Spyware Scanning Execute a spyware scan on the local host Launch the scan from system tray Usually there is some spyware to be found on a Windows computer Once the scan is complete, select “I want to decide item by item”

45 Page 45 Walk Through: Spyware Scanning Get rid of the spyware Select the file and either delete them or quarantine them

46 Page 46 Walk Through: Spyware Scanning Check also the scanning report

47 Page 47 Walk Through: Spyware Scanning Now test, how easy it is to get infected with tracking cookies Browse through some high profile commercial sites like www.msn.com, www.yahoo.com, www.foxnews.com, www.cnet.com etc… Most of these push tracking cookies on your local disk Open logfile.log and search for spyware detections

48 Page 48 Task 7: Using Browser Control Test Browser Control Enable Browser Control Simulate an attack on your hosts file Attempt to change the start page on Internet Explorer Test ActiveX protection using F-Secure Online Scanner => After task is completed, continue to page 54

49 Page 49 Walk Through: Using Browser Control Test Browser Control Enable Browser Control either from the local user interface (if current policy allows this) or from Policy Manager Console Advanced Mode Then browse to http://www.popuptest.com/ => “Multi- PopUp Test #2” and test the popup blocker http://www.popuptest.com/

50 Page 50 Walk Through: Using Browser Control Simulate a redirection attempt Add the following line to your HOSTS file (in the folder C:\WINDOWS\system32\drivers \etc) to simulate a network re- direction attempt: 127.0.0.1 www.f-secure.com This will cause, that you now longer can use DNS names to access the F-Secure Webpage IP addresses still work!

51 Page 51 Walk Through: Using Browser Control The hosts file redirection will be detected by the Spyware real- time scanner Accept the recommended action (Quarantine the object) Wait for the item being processed

52 Page 52 Walk Through: Using Browser Control Check the logfile and hosts file Open the logfile.log to confirm that FSAVCS noticed the hosts file redirection Also open the hosts file and check, if malicious entry has been removed

53 Page 53 Walk Through: Using Browser Control Now try to change the start page of the Internet Explorer Open Tools/Internet Options on Internet Explorer Change the default home page Browser Control will prevent the change

54 Page 54 Walk Through: Using Browser Control Browser Control also prevents ActiveX installations Test this with the F-Secure Online Scanner http://support.f- secure.com/enu/home/ols.shtml This application is actually white listed, so the installation goes through, but if you open the logfile.log you’ll notice that Browser Control has noticed the operation

55 Page 55 Task 8: Manage Spyware Centrally On the Policy Manager Console, manage the spyware reported by your host (test the spyware exclusion function) => After task is completed, continue to page 56

56 Page 56 Walk Through: Spyware Scanning On Policy Manager Console, manage spyware reported by the hosts In Spyware Control, check what spyware has been reported by the your host If you choose ”Exclude Spyware”, then the same application will not longer be monitored by the real-time scanner!

57 Page 57 Task 9: Using System Control Enable System Control and test it by tampering directly with the registry Some of the monitored registry sections HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES (file extension associations) HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ RUN (and ”RUNONCE”, applications launched at each startup) => After task is completed, continue to page 60

58 Page 58 Walk Through: Using System Control Enable System Control System Control can be enabled either from the local user interface (if the current policy allows) or from the Policy Manager Console (Advanced Mode only!)

59 Page 59 Walk Through: Using System Control Attempt to change the registry values class associations Open Regedit (Start/Run/Regedit) Go to HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.exe) Attempt to modify (Default), change it for example to jpgfiles

60 Page 60 Walk Through: Using System Control System Control doesn’t allow the change and will prompt for your decision Depending on the policy configuration, changes monitored by System Control might be automatically allowed or denied Note that user decisions are not reported to the Policy Manager Console

61 HANDS-ON FINISHED!

Download ppt "ADMINISTRATION HANDS-ON. Page 2 Agenda Task 1: Initial Configuration Task 2: Testing disinfection with eicar.com HTTP traffic scanning, manual scanning."

Similar presentations

®® Microsoft Windows 7 for Power Users Tutorial 7 Enhancing Your Computers Security.

®® Microsoft Windows 7 for Power Users Tutorial 7 Enhancing Your Computers Security.
Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.

Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.
IMS Client Installation Procedures 1. Copy the Voicemail Pro from the shared folder on the Voicemail Pro server. Go to Start, Run, and \\ or \\

IMS Client Installation Procedures 1. Copy the Voic Pro from the shared folder on the Voic Pro server. Go to Start, Run, and \\ or \\
Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.

Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.
DNR-322L & DNR-326.

DNR-322L & DNR-326.
Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.

Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.
Operating System Customization

Operating System Customization
AVG Internet Security 7.5 Product presentation.

AVG Internet Security 7.5 Product presentation.
TROUBLESHOOTING. Page 2 Agenda This section covers Most common cases Disinfection related problems Installation problems General tips Specific cases.

TROUBLESHOOTING. Page 2 Agenda This section covers Most common cases Disinfection related problems Installation problems General tips Specific cases.
1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.

Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.

Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
What’s New in WatchGuard XCS 10.0 Update 2 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 2 WatchGuard Training.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
File sharing. Connect the two win 7 systems with LAN card Open the network.

File sharing. Connect the two win 7 systems with LAN card Open the network.
How to Get The Most Out of Outlook 2003 Michele Schwartzman Division of Customer Support 301-594-6248 Summer 2006.

How to Get The Most Out of Outlook 2003 Michele Schwartzman Division of Customer Support Summer 2006.
Sending and receiving emails Section 6. Objectives Students will deal with messages, send and receive messages, reply to emails, sorting emails and how.

Sending and receiving s Section 6. Objectives Students will deal with messages, send and receive messages, reply to s, sorting s and how.
MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.

MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.

Similar presentations

Ads by Google