According to Microsoft engineers, attackers recently began targeting Internet Explorer with an exploit aimed at a critical, unpatched vulnerability in current versions of the browser. The attackers hijacked Windows PCs by getting users to visit a malicious page on a legitimate website, making the threat a “drive-by” attack that can instantly commandeer a machine with a vulnerable version of IE. No user interaction was required.
Symantec researcher Vikram Thakur said the company first saw exploits aimed at the bug when it encountered some spam, posing as hotel reservation notifications, being sent to a group of targeted organizations. Thakur said hackers were able to gain access to the legitimate website and upload malicious content without the owners’ knowledge. (The server that hosted the site has since been taken offline.)
The moral of the story? You can’t rely solely on desktop antivirus technology to protect your machines. Follow these Best Practices to improve the protection of desktops running Symantec Endpoint Protection and stop malware.
- Use an IPS. As the story above demonstrates, today’s threats are Web-based. The Intrusion Prevention System in Symantec Endpoint Protection stops threats before they can infiltrate a machine. An IPS stops vulnerability exploits, drive-by downloads, and fake AV installations.
- Improve default Symantec Endpoint Protection settings. Get the most out of Symantec Endpoint Protection by improving its default settings. Just a few setting changes can make a big improvement in your security.
- Make sure all endpoints are patched and updated. With attacks moving to the browser, it’s critical that attackers not be able to use Internet Explorer or Adobe Reader/Acrobat/Flash vulnerabilities to get onto a system. Use each vendor’s auto-update or your software distribution tools to install patches as soon as they become available.
- Block P2P usage. The simplest way to distribute malware is to hide it inside files shared on peer-to-peer networks. Create and enforce a no-P2P policy, including home usage of company machines. Enforce the policy at the gateway and/or on the desktop.
- Turn off AutoRun. Stop Conficker and other network-based worms from jumping from USB keys and network drives without changing company policies on open shares.
- Turn on enhanced security in Adobe Reader. Protect your machines from attacks hidden in PDF files by hardening Adobe Reader.
- Limit the use of network shares (mapped drives). Worms love to spread via networked drives. Unless there is a strong business requirement, close mapped drives. If possible, limit permissions to read-only rather than read-write.
- Review mail security and gateway blocking effectiveness. Catching threats before they get to the desktop can be done with effective mail and Web security scanning. Check that you have a mail security solution that updates frequently to detect the latest “bad sender” IPs, spam, and malware threats at the mail gateway. Consider implementing a Web security solution that will protect your organization against Web 2.0 threats, including malicious URLs and malware.
- Review your security content distribution schedule. Antivirus signatures are released multiple times a day, and IPS content roughly weekly or as needed. If possible, take advantage of every update, or at least apply them promptly to machines that are frequently infected.
- Switch from Windows XP to either Windows 7 or OS X. Both of these operating systems have had far fewer vulnerability reports and far lower rates of compromise than Windows XP.
- Eliminate Internet Explorer 6. This browser, which is still widely used in corporate environments, has significant security issues.
- Deploy and enforce network access control. This securely controls access to corporate networks and enforces endpoint security policy.
- Backup, backup, backup.
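Several of the items above (AutoRun, Internet Explorer 6, Windows XP, Adobe Reader enhanced security, network shares and mapped drives) can be checked on a machine before you change anything. The following read-only audit script is an added example, not code from the Symantec TechBrief or from Symantec Endpoint Protection. It assumes PowerShell 3.0 or later in an elevated session; the AutoRun and Internet Explorer registry paths are the standard Windows locations, the Adobe Reader policy path uses a version placeholder (`DC`) that you would replace with the installed version’s subkey, and the `bEnhancedSecurityStandalone` / `bEnhancedSecurityInBrowser` value names are taken from Adobe’s enterprise preference reference.

```powershell
# Added example (not part of the Symantec TechBrief): read-only audit of one
# Windows endpoint against several checklist items. It reports and changes nothing.
# Run in an elevated PowerShell 3.0+ session.

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for every drive type.
    # The machine-wide policy value normally wins; the per-user value is also checked.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 255) { return $true }
    }
    return $false
}

function Get-IEVersion {
    # IE 10 and later record their real version in svcVersion; older builds use Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie.svcVersion) { return [version]$ie.svcVersion }
    if ($ie.Version)    { return [version]$ie.Version }
    return $null
}

function Test-AdobeReaderEnhancedSecurity {
    # Enhanced security can be locked on by policy for both standalone and in-browser use.
    # 'DC' is a placeholder (assumption) for the installed Reader version's subkey.
    $key = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($p.bEnhancedSecurityStandalone -eq 1) -and ($p.bEnhancedSecurityInBrowser -eq 1)
}

function Get-NonAdminDiskShares {
    # Type 0 = disk share; names ending in $ are the built-in administrative shares.
    # Anything listed here is a candidate for "close it or make it read-only".
    Get-WmiObject -Class Win32_Share -Filter 'Type = 0' |
        Where-Object { $_.Name -notlike '*$' } |
        Select-Object Name, Path
}

function Get-MappedDrives {
    # DriveType 4 = network drive; ProviderName is the UNC path it maps to.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 4' |
        Select-Object DeviceID, ProviderName
}

function Invoke-EndpointAudit {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $ie = Get-IEVersion
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        OSVersion              = $os.Version
        IsWindowsXP            = ([version]$os.Version -lt [version]'6.0')   # XP is 5.x
        IEVersion              = if ($ie) { $ie.ToString() } else { 'not found' }
        IE6Present             = ($ie -and $ie.Major -lt 7)
        AutoRunDisabled        = Test-AutoRunDisabled
        ReaderEnhancedSecurity = Test-AdobeReaderEnhancedSecurity
        NonAdminShares         = @(Get-NonAdminDiskShares | ForEach-Object { "$($_.Name) -> $($_.Path)" })
        MappedDrives           = @(Get-MappedDrives | ForEach-Object { "$($_.DeviceID) -> $($_.ProviderName)" })
    }
}

Invoke-EndpointAudit | Format-List
```

Each finding maps to one checklist item: `AutoRunDisabled` false means the AutoRun item is still open, `IE6Present` or `IsWindowsXP` true flags a machine for the browser or OS migration items, and a non-empty `NonAdminShares` or `MappedDrives` list is the starting point for the shares review. Because the script only reads, it is safe to run through your software distribution tool across a fleet and collect the objects centrally before deciding what to enforce.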
Today, more than ever before, you need protection against sophisticated attacks that evade traditional security measures, attacks such as rootkits, drive-by downloads, zero-day attacks, and mutating spyware. Symantec Endpoint Protection combines Symantec AntiVirus with advanced threat prevention to protect endpoints from targeted attacks and attacks not seen before. Following the Best Practices in this TechBrief will improve the protection of desktops running Symantec Endpoint Protection and stop malware.