Protect Symantec DCS agent

I do not need a solution (just sharing information)

Good day to all Symantec DCS admins.

I want to provide you with a solution to one problem.

I hope that my decision is correct and will be useful.

Sincerely.

Dima

Recently, I came to the client to solve a rather simple task:

  1. Install Symantec DCS in a test environment.
  2. Install DCS agent on eight servers.
  3. Customize and verify only Detection.

After a successful installation, configuration and verification I was asked: How can we protect the Symantec DCS agent from being stopped or having its configuration changed?

To be honest, all my previous installations of Symantec DCS included first of all Prevention opportunities and as an optional Detection.

Not finding anything in the documentation and on the internet, I decided to open case in Symantec support.

First, I asked the question: How to protect the DCS agent if only the Detection policy is applied.

The answer: Unfortunately, if only the IDS (Detection) Policy has been applied then the Prevention is disabled and there is no possibility to protect the Agent. Only IPS (Prevention) Policy is able to protect the Agent. There is also no mechanism available like in SEP Client to protect the Agent with a password.

Then, I asked: Maybe there is a Prevention policy that protects only the DCS agent?

The answer: Unfortunately there is no IPS Policy which protects only the DCS Agent, because by default each IPS Policy is protecting the OS files, so there is no possibility to indicate only the files belonging to the Agent. This is a result of design which has been introduced in the product at the very beginning, therefore the only way to change it is to submit the Request For Enhancement to Product Management.

Not satisfied with the answer, I decided to check it myself in my lab and it seems I did it.

The Lab infrastructure

Symantec DCS Server Advanced 6.8

Installed on Windows Server 2012 R2

Symantec DCS agent

Deployed to Windows 10 with a lot of software preinstalled.

Detection Policy based on “Windows_Template_Policy”

Rules: File Watch, Registry Watch, NT_Event_Log, Text_Log

Prevention Policy based on “sym_win_targeted_prevention_sbp”

Configuration:

  1. Prevention Enabled
  2. Global Policy Option
    1. Policy Override
      1. User Override
        1. Allow specific users to Disable prevention completely
          1. Add user “User”
      2. SDCSS Agent Tools
        1. Ensure specific users are allowed to run the SDCSS Configuration Tools
          1. Add user “User”
  3. Sandboxes
    1. Kernel Driver Options – Disabled
    2. Remote File Access Options – Disabled
    3. Symantec Data Center Security Server Agent – Enabled
    4. Symantec Data Center Security Server Manager – Disabled
    5. Default Pset Options – Enabled
      1. Enable SDCSS Self Protection

After checking the logs for several days on the server console and on the agent, everything looks as if the policy does not pay attention to the processes of the Operating System and the installed software, but does not give access to the agent to anyone except the configured user.
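A way to check the result described above on an agent host, as an added example that is not part of the original post and not Symantec's own tooling. It attempts, as the current user, the two actions the policy is meant to block (stopping the agent service and writing into the agent's install directory) and reports whether each was refused. The service name "SISIPSService" is an assumption; take the real name from services.msc on the host. The install directory is derived from the service's binary path, so no path has to be assumed.

```powershell
# Added self-protection check (example code, not the product's own tooling).
# Assumption: $AgentService holds the DCS agent's Windows service name.
# Run it twice on the same host: as the account added under "User Override"
# (expect StopBlocked = False) and as any other local administrator (expect
# StopBlocked = True, WriteBlocked = True, StatusAfter = StatusBefore).

param(
    [string]$AgentService = "SISIPSService"   # assumption, see header comment
)

function Test-AgentSelfProtection {
    param([string]$ServiceName)

    $report = [ordered]@{
        User         = "$env:USERDOMAIN\$env:USERNAME"
        Service      = $ServiceName
        StatusBefore = $null
        StopBlocked  = $null
        WriteBlocked = $null
        StatusAfter  = $null
    }

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        throw "Service '$ServiceName' not found; pass -AgentService with the agent's real service name."
    }
    $report.StatusBefore = $svc.Status.ToString()

    # Test 1: can this user stop the agent service? With the agent sandbox and
    # "Enable SDCSS Self Protection" in effect, the stop should be refused.
    try {
        Stop-Service -Name $ServiceName -ErrorAction Stop
        $report.StopBlocked = $false
    } catch {
        $report.StopBlocked = $true
    }
    Start-Sleep -Seconds 2
    $report.StatusAfter = (Get-Service -Name $ServiceName).Status.ToString()

    # Test 2: can this user create a file in the agent's install directory?
    # This stands in for changing the agent's configuration on disk.
    $binPath = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").PathName
    $exe = $binPath -replace '^"([^"]+)".*$', '$1'     # quoted path with arguments
    if ($exe -eq $binPath) { $exe = ($binPath -split ' ')[0] }   # unquoted path
    $agentDir = Split-Path -Parent $exe
    $probe = Join-Path $agentDir ("selfprot-probe-{0}.txt" -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value "probe" -ErrorAction Stop
        $report.WriteBlocked = $false
        Remove-Item -Path $probe -ErrorAction SilentlyContinue   # clean up if it got through
    } catch {
        $report.WriteBlocked = $true
    }

    return [pscustomobject]$report
}

Test-AgentSelfProtection -ServiceName $AgentService | Format-List
```

For a user not in the override list, StopBlocked and WriteBlocked should both be True and StatusAfter should equal StatusBefore. If either is False, the prevention policy has not taken effect on that host yet; the agent's policy-apply events on the server console are the place to look. Each refused attempt should also appear as a prevention event there, which gives a quick way to confirm that the logging half of the setup works.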
