Push Notification is the communication method used within Symantec Endpoint Security (SES) to

facilitate real-time management. This method enables:

Immediate Updates: SES can instantly push policy changes, updates, or commands to endpoints

without waiting for a standard polling interval.

Efficient Response to Threats: Push notifications allow for faster reaction times to emerging threats,

as instructions can be delivered to endpoints immediately.

Reduced Resource Usage: Unlike continuous polling, push notifications are triggered as needed,

reducing network and system resource demands.

Push Notification is crucial for achieving real-time management in SES, providing timely responses

and updates to enhance endpoint security.

Dark Corners alarms are part of Threat Defense for Active Directory and are triggered when domain

misconfigurations or hidden backdoors are detected within the directory environment. Here’s how

this alarm functions:

Detection of Hidden Threats: Dark Corners identifies and alerts administrators to hidden

vulnerabilities within the Active Directory, such as unauthorized access paths or misconfigurations

that could be exploited.

Security Assurance: By identifying these issues, administrators can proactively address and rectify

potential risks that are otherwise challenging to detect.

Improved Active Directory Security: The Dark Corners alarm helps ensure that backdoors and

misconfigurations do not provide attackers with hidden access points, strengthening the overall

security posture of Active Directory.

This feature allows for a deeper level of inspection within Active Directory, safeguarding against

subtle yet critical security risks.

The Endpoint Communication Channel (ECC) 2.0 enables Symantec Endpoint Detection and

Response (EDR) to establish a direct connection with the Symantec Endpoint Protection Manager

(SEPM). This connection allows for:

Efficient Data Exchange: ECC 2.0 facilitates real-time communication and data exchange between

SEPM and Symantec EDR.

Enhanced Endpoint Visibility: By directly connecting with SEPM, Symantec EDR can monitor endpoint

activity more closely, improving threat detection and response.

Integrated Threat Management: ECC 2.0 supports coordinated efforts between SEPM and EDR,

allowing for more effective containment and mitigation of threats.

This direct communication with SEPM enhances EDR’s capability to manage and protect endpoints

effectively.

Within Symantec Endpoint Protection’s Intrusion Prevention System (IPS), Attack signatures are

specifically designed to identify and block known patterns of malicious network traffic. Attack

signatures focus on:

Recognizing Malicious Patterns: These signatures detect traffic associated with exploitation attempts,

such as buffer overflow attacks, SQL injection attempts, or other common attack techniques.

Real-Time Blocking: Once identified, the IPS can immediately block the traffic, preventing the attack

from reaching its target.

High Accuracy in Targeted Threats: Attack signatures are tailored to match malicious activities

precisely, making them effective for detecting and mitigating specific types of unwanted or harmful

network traffic.

Attack signatures, therefore, serve as a primary layer of defense in identifying and managing

unwanted network threats.

When a threat is detected within an organization’s environment, preventing its spread becomes

crucial. Symantec Endpoint Protection (SEP) allows administrators to create Application and Device

Control policies that target specific threat files to block them across the network. To block a known

malicious file, the administrator should:

Identify the File MD5 Hash: The MD5 hash serves as a unique "fingerprint" for the malicious file,

ensuring that the specific file version can be accurately identified across systems.

Create an Application Content Rule: Using the Application and Device Control feature, the

administrator can create a content rule that targets the identified file by its MD5 hash, effectively

blocking it based on its fingerprint.

Apply the Rule Across Endpoints: Once created, this rule is applied to endpoints, preventing the file

from executing or spreading.

This method ensures precise blocking of the threat without impacting other files or processes.

To ensure that users cannot inadvertently block a custom internal application, the Symantec

Endpoint Protection (SEP) administrator should create an Allow Firewall rule for the application and

place it at the bottom of the firewall rules, above the blue line.

Explanation of Firewall Rule Placement:

Placing the allow rule above the blue line ensures it remains prioritized in SEP’s firewall policy,

meaning that user-created rules cannot override it.

This setup guarantees that the internal application is allowed through the firewall without

disruption, while users can still create other firewall rules without affecting this critical application.

Why Other Options Are Less Effective:

Placing the rule below the blue line (Option A) would allow user-created rules to override it.

Creating an Allow All rule (Option C) could inadvertently allow other unnecessary traffic, which is a

security risk.

Setting a rule based on network adapter type (Option D) does not guarantee that it will cover all

instances of the custom application.

Reference: In SEP firewall configurations, placing critical allow rules above the blue line protects

essential applications from being unintentionally blocked​.

To prevent ransomware variants, such as Cryptolocker, from executing with double executable file

names, an administrator should enable SONAR (Symantec Online Network for Advanced Response).

SONAR detects and blocks suspicious behaviors based on file characteristics and real-time

monitoring, which is effective in identifying malicious patterns associated with ransomware. By

analyzing unusual behaviors, such as double executable file names, SONAR provides proactive

protection against ransomware threats before they can cause harm to the system.

If an administrator has enabled the setting to manage policies from the cloud and needs to reverse

this, they must follow these steps:

Unenroll the SEPM (Symantec Endpoint Protection Manager) from the cloud management (ICDm).

Disable the cloud policy management setting within the SEPM.

Re-enroll the SEPM back into the cloud if required.

This process ensures that policy control is reverted from cloud management to local management on

the SEPM. By following these steps, administrators restore full local control over policies, disabling

any cloud-based management settings previously in effect.

To reduce the risk of unauthorized access when administrators forget to log off, the setting "Allow

users to save credentials when logging on" should be disabled in Symantec Endpoint Protection

Manager (SEPM). Disabling this option ensures that administrators are required to enter their

credentials each time they access the SEPM console, preventing automatic logins and reducing the

chance of someone else gaining access without permission.

Purpose of Disabling Saved Credentials:

By preventing credential saving, SEPM forces each administrator to authenticate manually on every

session, thus improving security.

This setting is particularly useful in shared environments, as it prevents the console from retaining

login information when an administrator fails to log out.

Why Other Options Are Less Relevant:

Delete clients that have not connected (Option B) pertains to endpoint clients, not administrator

logins.

Lock account after unsuccessful attempts (Option C) protects against brute-force attempts but does

not address saved credentials.

Allow administrators to reset passwords (Option D) is related to password management rather than

login persistence.

Reference: Disabling saved credentials is a best practice to enforce unique logins for each session,

enhancing security in shared console environments​.

The Process Lineage Widget in the Incident View of Symantec Endpoint Security provides a visual

representation of the parent-child relationship among related security events, such as processes or

activities stemming from a primary malicious action. This widget is valuable for tracing the origins

and propagation paths of potential threats within a system, allowing security teams to identify the

initial process that triggered subsequent actions. By displaying this hierarchical relationship, the

Process Lineage Widget supports in-depth forensic analysis, helping administrators understand how

an incident unfolded and assess the impact of each related security event in context.