HP t5740 User Manual

Symantec™ Endpoint Protection for

®

Microsoft

Windows Embedded Standard
2009 (WES) and Windows
(XPe) User Guide

HP thin clients

®

XP Embedded

© Copyright 2008–2009 Hewlett-Packard
Development Company, L.P.

Microsoft and Windows are U.S. registered
trademarks of Microsoft Corporation.
Internet Explorer is either a registered
trademark or trademark of Microsoft
Corporation in the United States and/or other
countries.

Intel and Pentium are trademarks of Intel
Corporation in the U.S. and other countries.

The information contained herein is subject
to change without notice.

The only warranties for HP products and
services are set forth in the express warranty
statements accompanying such products
and services. Nothing herein should be
construed as constituting an additional
warranty. HP shall not be liable for technical
or editorial errors or omissions contained
herein.

Symantec™ Endpoint Protection for
Microsoft® Windows Embedded
Standard 2009 (WES) and Windows® XP
Embedded (XPe) User Guide

HP thin clients

Second Edition (March 2009)

First Edition (August 2008)

506030-002

About this book

The software described in this book is furnished under a license agreement and may be used only in
accordance with the terms of the agreement.

Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014,

http://www.symantec.com

iii

iv About this book

Table of contents

1 System requirements

Hardware requirements ........................................................................................................................ 1

Software requirements ......................................................................................................................... 1

2 Introducing the agent

About the Symantec Endpoint Protection for WES and XPe ............................................................... 2

About security policies .......................................................................................................................... 2

Key features of the agent ..................................................................................................................... 3

3 Agent basics

Opening the agent ................................................................................................................................ 4

Navigating the main window ................................................................................................................. 4

Using the menus and the toolbar ......................................................................................................... 5

Viewing traffic history ........................................................................................................... 6

Displaying broadcast traffic .................................................................................................. 6

Viewing currently running applications and services ........................................................... 6

Displaying or hiding the message area ................................................................................ 7

Viewing current security policy and communication status .................................................. 7

About the notification area icon ............................................................................................................ 8

About responding to the flashing icon .................................................................................. 8

Displaying the shortcut menu .............................................................................................. 8

Disabling protection temporarily .......................................................................................... 9

Changing security levels ...................................................................................................... 9

Enabling password protection .............................................................................................. 9

Testing your endpoint ......................................................................................................................... 10

4 Responding to messages and warnings

About message types ......................................................................................................................... 11

Application messages ........................................................................................................ 11

Changed application messages ......................................................................................... 12

Responding to application messages ................................................................................................. 12

Responding to Trojan horse warnings ................................................................................................ 13

Responding to blocked traffic messages ............................................................................................ 14

v

Responding to permission status messages ...................................................................................... 14

5 Monitoring and logging

About logs .......................................................................................................................................... 15

About the Security log ........................................................................................................ 16

About the Traffic log ........................................................................................................... 17

About the Packet log .......................................................................................................... 18

About the System log ......................................................................................................... 19

Viewing logs ....................................................................................................................................... 19

Back tracing logged events ................................................................................................................ 20

Exporting logs ..................................................................................................................................... 21

Filtering logged events ....................................................................................................................... 21

Stopping an active response .............................................................................................................. 22

6 Command Line Management

The command-line interface for the client service .............................................................................. 23

Typing a parameter if the agent is password-protected ..................................................................... 24

Index ................................................................................................................................................................... 26

vi

1 System requirements

This chapter includes the following topics:

Hardware requirements on page 1

●

Software requirements on page 1

●

Hardware requirements

The agent requires the following minimum hardware:

®

Pentium® 133 MHz or equivalent

Intel

●

256 MB RAM

●

40 MB available hard disk space

●

One Ethernet adapter (with TCP/IP installed)

●

Software requirements

The agent requires the following software:

Windows Embedded Standard 2009 (WES) operating system or

●

Windows XP Embedded (XPe) operating system or

●

Windows Embedded Point of Service operating system

●

Windows Internet Explorer

●

TCP/IP Networking

●

COM Base

●

IP Security Services

●

NDIS & NDSI User-mode I/O Driver

●

OLE Dialog Interfaces

●

User Interface Core

●

®

6.0

Hardware requirements 1

2 Introducing the agent

This chapter includes the following topics:

About the Symantec Endpoint Protection for WES and XPe on page 2

●

About security policies on page 2

●

Key features of the agent on page 3

●

About the Symantec Endpoint Protection for WES and XPe

The Symantec Endpoint Protection for WES and XPe (the agent) is security software that is installed
on embedded endpoints, such as ATMs, Point of Service systems, and thin clients, that run the WES,
XPe, or the XPe Point of Service operating system.

The agent provides a customizable firewall that protects the endpoint from intrusion and misuse, whether
malicious or unintentional. It detects and identifies known Trojan horses, port scans, and other common
attacks. In response, it selectively allows or blocks traffic, or various networking services, applications,
ports, and components.

About security policies

The agent uses security policies, which include firewall rules, and security settings. These policies
protect an individual endpoint from network traffic and the viruses that can cause harm. Firewall rules
determine whether your endpoint allows or blocks an incoming or outgoing application or service from
gaining access through your network connection. Firewall rules allow the agent to systematically allow
or block incoming or outgoing applications and traffic from or to specific IP addresses and ports. Security
settings detect and identify common attacks, send e-mail messages after an attack, display
customizable messages, and accomplish other related security tasks. The configuration of firewall rules
with other security and antivirus settings results in a security agent that protects your endpoint.

2 Chapter 2 Introducing the agent

Key features of the agent

The agent can be used in the following networking environments:

Directly connected to the local area network or wireless network

●

Remotely connected using Virtual Private Network (VPN) or dial-up

●

Completely disconnected from any network

●

The agent does not support location awareness or host integrity. Host integrity will be supported in a
later release.

Key features of the agent 3

3 Agent basics

This chapter includes the following topics:

Opening the agent on page 4

●

Navigating the main window on page 4

●

Using the menus and the toolbar on page 5

●

About the notification area icon on page 8

●

Testing your endpoint on page 10

●

Opening the agent

The agent is designed to start automatically when you turn on your endpoint, protecting you immediately.
To configure your agent or review logs of potential attacks on your agent, you open the agent first.

To open the agent

1. On the Windows taskbar, click Start > Programs.

2. Click Symantec > Symantec Endpoint Protection for Windows XP Embedded agent.

Navigating the main window

Once you open the agent, you see the main screen. The main screen provides real-time network traffic
updates, online status, links to logs, and access to various advanced rules, security settings, and
antivirus settings.

The user interface changes depending on the different control modes of the agent, including user mode,
admin mode, or mixed mode. In addition, some icons may not appear, depending on how your system
administrator configured the agent.

The agent is resizable, so you can view it as a full-screen or part-screen image.

4 Chapter 3 Agent basics

Using the menus and the toolbar

The top of the screen displays a standard menu and toolbar. The toolbar icons can be used to quickly
access logs, view the Help file, or test your system.

Some icons are either disabled or may not appear. This status depends on how the agent is configured
or which control mode the agent is in.

The toolbar icons that are located below the menus provide shortcuts. These shortcuts can be used to
do the following:

Block all applications

●

Change your security policy

●

Access the logs

●

Test the agent’s effectiveness

●

View the Help file

●

The File menu commands include Exit Symantec Endpoint Protection agent, which exits the agent and
turns off security on your endpoint.

The Location menu displays the default Office location.

The Tools menu commands include the following:

Applications Opens the Applications List

Options Opens the Options dialog box, which contains many security options, including e-mail alerts, Network

Neighborhood browsing rights, 802.1x authentication, AV/IPS signature update,and log file
configurations.

This option appears in Power User mode only.

Advanced Rules Opens the Advanced Rules dialog box, where you can set up firewall rules

Logs Opens the logs

Automatically Start
Service

Test Your System
Security

Not enabled for the agent

Opens a Web site so that you can scan and test the effectiveness of the agent

The View menu gives users the option to change the display of software programs in the Running
Applications field. The View menu commands include the following:

Large Icons Displays 32x32 icons in the field. Each icon represents a software application or a system service

Small Icons Displays 16x16 icons. Both the large and small icon displays provide the full name of the application

List Provides small icon representations, with the icons displayed in a standard list

Applications Details Provides a list of all running applications and their version numbers and paths

Connection Details Provides further information on the type of connection that each application makes when accessing

the network adapter and other details

Using the menus and the toolbar 5

Hide Windows
Services

Hide Broadcast Traffic Toggles the display of broadcast traffic

Toggles the display of Windows Services

Viewing traffic history

You can view a real-time picture of the last two minutes of your traffic history in the main window. The
graphs reload new information every second, providing instant data, as measured in bytes, about your
incoming and outgoing network traffic.

The Traffic History graphs are broken down into three sections. The Incoming and Outgoing Traffic
History graphs are on the left side of the graphs section. These provide a visual assessment of the
current traffic that enters and leaves your endpoint through a network interface. This traffic includes the
traffic that is allowed and the traffic that is blocked. The green lines and bars indicate the traffic that is
allowed to pass through. The red coloring indicates the traffic that the agent has blocked traffic.

The Attack History graph on the right side of the screen provides information on attempted attacks
against your computer.

Displaying broadcast traffic

Broadcast traffic is the network traffic that is sent to every endpoint in a particular subnet. It is not directed
specifically to your endpoint. If you do not want to see this traffic, you can remove it from this graphical
view by checking Hide Broadcast Traffic. You then only see unicast traffic in this graph, which is the
traffic that is directed specifically to your endpoint. To redisplay broadcast traffic, uncheck Hide
Broadcast Traffic.

Viewing currently running applications and services

The Running Applications field provides a list of all applications and system services that currently run
on your system.

Permission status refers to the permissions that you allow an application. It shows whether it:

Can access your Internet connection or network

●

Is blocked from accessing the Internet or network altogether

●

Asks your permission before it accesses that connection

●

You can change the status of applications from the Running Applications field by right-clicking an
application’s icon and selecting the desired status.

Table 3-1 Running Applications field on page 6 displays how each application icon appears,

depending on the permission status.

Table 3-1 Running Applications field

Status Description

Allow Icon appears normal, with no marks. The icon displays a small blue dot on the lower left corner if it

Ask Icon appears with a small, yellow question mark.

Block Icon appears with a red circle and cross-out mark.

receives traffic. It displays a small blue dot on the lower right corner if it sends traffic.

6 Chapter 3 Agent basics

There are a number of services running at any given time. Since they are often crucial to the operation
of your endpoint, you may want to allow them. You can show or hide them from the message console.

To hide system services

Click Hide Windows Services.

▲

To change the display of applications

Right-click the Running Applications field and select the desired view.

▲

To stop an application or service from running

In the Running Applications field, right-click the application and click Terminate.

▲

Displaying or hiding the message area

The message area is located at the bottom of the main screen. It provides a real-time update of the
server-agent communication status. This update includes when the latest security policy is downloaded
and the number of the policy serial numbers.

The message area is hidden by default.

To show or hide the message area

1. Below the Running Applications field, click Show Message Console. The message area

appears.

2. To hide the message area from view, click Hide Message Console. The message area collapses

and displays the Show Message Console icon.

Viewing current security policy and communication status

This section explains how to view current security policy and communication status.

To view the current policy information

On the bottom of the main screen, look for the status bar.

▲

You can view a real-time update of the agent’s communication with the server. If green, the light indicates
that the agent is online and communicating with the management server. If gray, the agent is not
connected to the management server.

To view the communication status

In the right-hand corner of the status bar, look for the status icon.

▲

Using the menus and the toolbar 7

About the notification area icon

RED The agent has blocked traffic.

GREEN Traffic flows uninterrupted by the agent.

GRAY No traffic flows in that direction. A green dot means that the agent is connected to the Symantec Policy

Manager.

About responding to the flashing icon

If you see a flashing icon, the endpoint may be responding to an attempted attack. When you rest your
mouse over the flashing icon, a tool tip appears telling you that you are under an attack.

To make the icon stop flashing, double-click the icon. The Security log opens, displaying a new log entry.
The icon stops flashing after one minute.

Displaying the shortcut menu

The agent has a notification area icon that is located in the lower-right corner of your desktop. Right­click this icon to show frequently used commands.

Table 3-2 Notification area icon shortcut menu on page 8 displays the following notification area icon

shortcut menu and commands for the Server Control mode and Client Control mode. Commands on
the shortcut menu for the Power User mode vary depending on what options are set on the server.

Table 3-2 Notification area icon shortcut menu

Menu command Description Server Control mode Client Control mode

Symantec Protection Agent Opens the agent’s main

screen

Normal Allows network traffic to flow

as normal

Block All Blocks all network traffic X

Applications pens the Applications list X X

Logs Opens the agent logs X X

Options Opens the Options dialog box,

where you can configure the
settings for the agent

Advanced Rules Opens the Advanced Rules

dialog box, where you can
write specific rules for
allowing or blocking network
access

X X

X

X

X

Help Topics Opens the online Help system X X

8 Chapter 3 Agent basics

Table 3-2 Notification area icon shortcut menu (continued)

Menu command Description Server Control mode Client Control mode

About Opens the About dialog box,

providing information on your
version of the agent

Exit Symantec Protection
Agent

Stops the agent from running.
You need to restart the agent
to protect your system

NOTE: This option may

appear dimmed or not at all.

Disabling protection temporarily

You may need to disable security on the agent so that the agent does not block outbound traffic. You
disable security from the management server. You cannot do it from the agent. If you must disable
security from the agent, exit the agent.

To temporarily disable blocking

Exit the agent.

▲

Changing security levels

The agent supports two security levels: Normal and Block All.

To change your security level

X X

XX

1. Click Security.

2. Click Block All or Normal.

Enabling password protection

You can set your agent to require a password before you make any security changes or before you exit
the agent.

To enable password protection

1. Click the Tools > Options > General tab.

2. Click Set Password.

3. In the Password dialog box, type your new password in the New Password and Confirm New

Password fields. You can disable password protection by leaving both fields blank.

4. Click OK.

5. To have the agent prompt you for a password before you exit the agent, on the General tab,

click Ask password while exiting.

About the notification area icon 9

Testing your endpoint

You can test the vulnerability of your system to outside threats by scanning your system. Assessing
your vulnerability to an attack is one of the most important steps that you can take. With what you learn
from the tests, you can more effectively set the various options on your agent to protect your endpoint
from attack.

To test your endpoint

1. Do one of the following:

On the toolbar, click Security Test.

●

On the Tools menu, click Test Your System Security.

●

The Symantec Security Check scans your endpoint and tries to determine your IP address,
operating system, Web browser, and other information about your system.

2. Choose one of the following scans:

Security Scan

●

Virus Detection

●

3. Click Start.

10 Chapter 3 Agent basics

4 Responding to messages and

warnings

This chapter includes the following topics:

About message types on page 11

●

Responding to application messages on page 12

●

Responding to Trojan horse warnings on page 13

●

Responding to blocked traffic messages on page 14

●

Responding to permission status messages on page 14

●

About message types

You may see several different types of messages on the endpoint. These messages usually describe
a situation and indicate how the agent tries to resolve the issue.

You may see the following types of messages:

Application messages

●

Changed application messages

●

Fast user switch messages

●

Application messages

An application-related message occurs for one of the following reasons:

An application that the agent has never seen before, or that has been assigned the status of Ask,

●

tries to access your network connection.

An application that normally accesses your network connection has changed, possibly because of

●

a product upgrade.

Your agent software is being updated.

●

Your agent has detected a Trojan horse on your endpoint.

●

For example, you may see the following type of message when an application or service tries to access
your endpoint, the port, and other information.

About message types 11

Internet Explorer (IEXPLORE.EXE) is trying to connect to www.symantec.com
using remote port 80 (HTTP - World Wide Web). Do you want to allow this
program to access the network?

This message appears because the application has been opened, either directly or indirectly by you, or
by another application.

If you didn’t open any program or click any link and an application tries to access your network
connection, there may be a number of different reasons. However, if you cannot see any reason that
application should try to access your network connection, it is always safest to click No. This message
might indicate the presence of a Trojan horse on your endpoint, something that needs to be checked
immediately.

Changed application messages

Occasionally, you might see a message that indicates an application has changed.

Telnet Program has changed since the last time you opened it, this could

●

be because you have updated it recently. Do you want to allow it to
access the network?

The application that is listed on the message is trying to access your network connection. Although the
agent recognizes the name of the application, something about the application has changed since the
last time the agent encountered it.

This change could be because you have upgraded the product recently. The agent uses an MD5
checksum to determine the legitimacy of an application. An upgraded version might not pass the
checksum test because it may to have a different checksum value.

If you have not recently upgraded the application, your network may be under attack by a Trojan horse.

Responding to application messages

You can change the status of the application at any time, either in the Running Applications field or in
the Applications List.

To respond to application messages

1. Click Detail to view more information about the application, including the file name, version number,

and path name. The Detail section also displays whether the application tries to connect locally to
your endpoint or remotely to an outside destination. It shows the local and remote port numbers
and IP addresses.

2. If you want the agent to remember your choice for the next time this application tries to access your

network connection, click Remember my answer, and do not ask me again for this
application.

3. Do one of the following actions: Depending on whether you select or don’t select the Remember

my answer, and do not ask me again for this application option and click the Yes or No icons,

the application is assigned the following permission statuses.

To allow the application to access the network connection, click Yes.

●

To block the application from accessing the network connection, click No.

●

12 Chapter 4 Responding to messages and warnings

Responding to Trojan horse warnings

If the agent detects a known Trojan horse on your endpoint, it blocks the Trojan horse from accessing
your system and displays a message such as the following:

“C:\WINNT\System32\UMGR32.EXE, a Trojan horse application has been

●

detected on your computer. It has been blocked by the Symantec
Protection Agent.”

This message means that a Trojan horse is present on your system and has been activated. Either you
tried to open the program that was identified as a Trojan horse, or it has been triggered by another
program on your endpoint. It is possible that the Trojan horse was on your endpoint when you installed
the agent. It is also possible that you have recently downloaded it through a legitimate application, such
as a Web browser. The Trojan horse tried to access your network connection, and has been blocked
by the agent.

To respond to a Trojan horse warning

1. Click OK.

2. Immediately notify your IT department. The agent blocks the Trojan horse from sending any

information out of or into your endpoint. However, it is still important to remove it from your system
as soon as possible. The agent terminates the Trojan horse process automatically, but removal
requires the assistance of your IT department.

Responding to Trojan horse warnings 13

Responding to blocked traffic messages

Security messages display a message box when applications are blocked:

Blocked application message An application that has been launched from your computer has

been blocked in accordance with rules set by your system
administrator. For example, you may see the following text:

Application Internet Explorer has been
blocked, file name is IEXPLORE.EXE.

These messages indicate that your agent has blocked traffic
that you have specified as not trusted. If the agent is operating
under Block All mode, these messages appear quite often. If
you are operating in Allow All mode, these messages do not
appear.

If you or the system administrator configures the agent to display a message when either the agent
blocks the endpoint from accessing an application or when an attack is launched, a message appears
above the notification area.

To respond to security messages

In the message box, click Do not show this window again.

▲

Responding to permission status messages

If you or your system administrator have set an applications’ permission status to Ask or Block, a
message appears when an incoming application accesses your endpoint.

Table 4-1 Application permission status messages on page 14 displays how you can respond to an

application or permission status message.

Table 4-1 Application permission status messages

If you check Remember my answer
box?

Yes Yes Allows the application and won’t ask

No Yes Allows the application and ask you every

Yes No Blocks the application and ask you every

No No Blocks the application and won’t ask you

You can change an application’s permission status from the Applications List.

If you click Your agent

again.

time.

time.

again.

14 Chapter 4 Responding to messages and warnings

5 Monitoring and logging

This chapter includes the following topics:

About logs on page 15

●

Viewing logs on page 19

●

Back tracing logged events on page 20

●

Exporting logs on page 21

●

Filtering logged events on page 21

●

Stopping an active response on page 22

●

About logs

The agent’s logs are an important method for tracking your endpoint’s activity and its interaction with
other endpoints and networks. The logs record information about the agent’s status and about the traffic
that tries to enter or exit your endpoint through your network connection.

The agent’s logs perform the following tasks:

Record information about the agent’s status and about the traffic that tries to enter or exit your

●

endpoint through your network connection.

Track your endpoint’s activity and interaction with other endpoints and networks.

●

Detect potentially threatening activity, such as port scanning.

●

Help you troubleshoot connectivity problems or possible network attacks.

●

Record the results of the management policies that are applied to your endpoint.

●

The agent includes the following types of logs:

Security Records potentially threatening activity that is directed towards your endpoint, denial-of-service

attacks, port scans, executable file alterations, and Trojan horse attacks.

Traffic Records every connection your endpoint makes through the network.

Packet Captures every packet of data that enters or leaves a port on your endpoint.

System Records all operational changes for the agent, such as starting and stopping services, detecting

network applications, and configuring software.

About logs 15

About the Security log

The Security log records potentially threatening activity that is directed towards your endpoint, such as
port scanning, virus attacks, or denial-of-service attacks. The Security log is probably the most important
log in the agent.

The Security log records attacks in the following categories:

Critical attack

Major attack

Minor attack

Information

The Security log records the following information about each activity:

Time The exact date and time that the event was logged

Security Type Type of security alert, such as a DoS attack, executable file, Ping of Death, or virus attack

Severity The severity of the attack (either Critical, Major, Minor, or Information)

Direction Direction that the traffic was traveling in (incoming, outgoing, or unknown)—Most attacks are

incoming, that is, they originate in another endpoint. Other attacks, like Trojan horses, are
programs that have been downloaded to your endpoint and therefore are already present; they
are considered outgoing. Still other attacks are unknown in direction; they include Active
Response or application executable changed.

Protocol Type of protocol—UDP, TCP, and ICMP

Remote Host IP address of the remote endpoint (only appears in Local View - this is the default)

Remote MAC MAC address of the remote endpoint. If outside the subnet, it is the MAC address of the router.

Local Host IP address of the local endpoint (only appears in Local View - this is the default)

Local MAC MAC address of the local endpoint (only appears in Local View - this is the default)

Application Name Name of the application associated with the attack

User Name User or endpoint that sent or received the traffic

Domain Domain of the user

Occurrences Number of occurrences of the attack method

(only appears in Local View - this is the default)

Begin Time Time the attack began

End Time Time the attack ended

16 Chapter 5 Monitoring and logging

About the Traffic log

Whenever your endpoint makes a connection through the network, this transaction is recorded in the
Traffic log. The Traffic log includes information about incoming and outgoing traffic.

The Traffic log categorize different types of traffic as:

Incoming traffic; passed through the agent

Incoming traffic; blocked by the agent

Outgoing traffic; passed through the agent

Outgoing traffic; blocked by the agent

Traffic direction unknown; passed through the agent

Traffic direction unknown; blocked by the agent

The Traffic log records the following information about each activity:

Time The exact date and time that the event was logged

Severity The severity of the traffic

Direction Direction that the traffic travels (incoming or outgoing)

Protocol Type of protocol - UDP, TCP, and ICMP

Remote Host IP address of the remote endpoint (only appears in Local View

- this is the default)

Remote MAC MAC address of the remote endpoint. If outside the subnet, it

is the MAC address of the router. (only appears in Local View

- this is the default)

Remote Port Port on the remote endpoint (only appears in Local View - this

is the default)

Local Host IP address of the local endpoint (only appears in Local View -

this is the default)

Local MAC MAC address of the local endpoint (only appears in Local View

- this is the default)

Local Port Port used on the endpoint (only appears in Local View - this is

the default)

Application Name Name of the application that is associated with the attack

User User’s log on name

About logs 17

Domain User’s domain name

Location The Location (Normal or Block All) that was in effect at the time

of the attack

Occurrences Number of packets each piece of traffic sends between the

Begin Time Time traffic starts matching the rule

End Time Time traffic stops matching the rule

Rule Name The rule that determined the passing or blockage of this traffic

About the Packet log

The Packet log captures every packet of data that enters or leaves a port on your endpoint. The Packet
log is disabled by default in the agent because of its potentially large size. You must enable the Packet
log before you can use it.

The Packet log uses the following icons to categorize data packets:

Full data packet captured

The Packet log records the following information about each data packet:

Time The exact date and time that the packet was logged

beginning and ending time

Remote Host Name of the remote endpoint (only appears in Local View - this is the default)

Remote Port Port on the remote host that sent/received the traffic (only appears in Local View - this is the default)

Local Host IP Address of the local endpoint (only appears in Local View - this is the default)

Local Port Port used on the endpoint for this packet (only appears in Local View - this is the default)

Source Host Name of the source endpoint (only appears in Source View)

Source Port Port on the source host that sent/received the traffic (only appears in Source View)

Destination Host IP Address of the destination endpoint (only appears in Source View)

Destination Port Port used on the destination endpoint for this packet (only appears in Source View)

Direction Direction that the traffic was traveling in (incoming or outgoing)

Action Action taken by the agent: Blocked or Allowed

Application Name Name of the application that is associated with the packet

Below the Log Viewer are two additional data fields that provide further detail regarding the selected
event. The left field provides data on the type of packet logged. The right field displays the actual data
packet.

18 Chapter 5 Monitoring and logging

About the System log

The System log records all operational changes, such as the starting and stopping of services, detection
of network applications, software configuration modifications, and software execution errors. It also logs
communication with the Symantec Policy Manager, including connection and downloads. All information
that is provided in the System log also appears in real time in the message area. The System log is
especially useful for troubleshooting the agent.

The System log records the following information about each system error:

Time The date and time that the event was logged

Type Type of event can be an error, warning, or information regarding the Symantec Policy Manager. An

ID ID assigned to the event by the agent

Summary Description of the event

Viewing logs

The following procedure explains how to view logs.

To view logs

error indicates a problem with the source; a warning indicates a potential problem; and an information
point provides information about an event involving the agent.

1. Do one of the following:

Click Tools > Logs.

●

On the toolbar, click the drop-down arrow next to the Logs icon.

●

2. Click one of the log types. Each log opens the Log Viewer dialog box. The Log Viewer is a table

where each row represents a logged event and each column displays information regarding the
event.

3. In the Log Viewer dialog box, click the View menu and then click either Local View or Source

View. The fields in the log change depending on whether you choose the local view or source view.

4. To view a description of each event, select an event row

5. Click Refresh, or press F5 to update the log that you are viewing.

6. Click File > Exit.

Viewing logs 19

Back tracing logged events

Back tracing enables you to pinpoint the source of data from a logged event. Back tracing shows the
exact steps, or hops, that incoming traffic has made before reaching your endpoint. A hop is a transition
point, usually a router, which a packet of information travels through on a public network. Back tracing
follows a data packet backwards; discovering which routers the data took to reach your endpoint.

Figure 5-1 Back tracing a packet on page 20 shows how the agent back traces a packet.

Figure 5-1 Back tracing a packet

For each log entry, you can trace a data packet that was used in an attack attempt. Each router that a
data packet passes through has an IP address. You can view the IP address and other details. The
information that appears does not guarantee that you have discovered who the hacker is. The final hop’s
IP address lists the owner of the router that the hackers connected through, and not necessarily the
hackers themselves.

You can back trace a logged event in the Security, Traffic, and System logs

To back trace a logged event

1. Open the log file and click an event so that the entire row is selected.

The agent begins back tracing the event.

2. Do one of the following:

Right-click and click BackTrace.

●

Click Action > BackTrace.

●

3. In the Back Trace Information dialog box, click Whois to view detailed information on each hop.

A drop panel displays detailed information about the owner of the IP address from which the traffic
event originated. You can cut and paste the information in the Detail information panel. Press Ctrl
+C to copy the information into the Clipboard. Then press (Ctrl+V) to paste it into an e-mail
message to your system administrator.

4. Click Whois again to hide the information.

5. Click OK.

6. Click OK.

20 Chapter 5 Monitoring and logging

Exporting logs

You can save and export the contents of the logs to different locations. You may want to export logs to
save space or to perform a security review.

To export a log file

1. Open the log in the Log Viewer.

2. Click File > Export.

3. In the Save As dialog box, select the location and format type for the log file.

4. Click OK.

Filtering logged events

You can view the recorded events in the Log Viewer by the severity level of the attack and by a previous
period of time.

To filter log events by severity

1. In the Log Viewer dialog box, click the Filter menu.

2. Click File > Export > Severity.

3. Click Severity.

4. In the Save As dialog box, select the location and format type for the log file.

You can view more than one type of event at one time. The Log Viewer is automatically reloaded.

5. Click the severity level(s) so that a check mark appears to the left of the severity level name. You

have the following options:

Critical (Security log only)

●

Major

●

Minor

●

Error (System log only)

●

Warning (System log only)

●

Information

●

To filter log events by time period

1. In the Log Viewer dialog box, click the Filter menu.

2. Select the time period for which you want to view log events. For example, 2 Week Logs displays

the events that were recorded over the past 14 days.

Exporting logs 21

Stopping an active response

If the agent detects an attack, it triggers an active response. The active response automatically blocks
the IP address of a known intruder for a specific amount of time (from 1 to 2,147,483,647 seconds). The
default amount of time is 10 minutes. If you don’t want to wait the default amount of time to unblock the
IP address, you can stop the active response immediately.

An active response can also be triggered by IPS signatures that are updated weekly and by denial of
service signatures that can be updated with new builds, port scans, and MAC spoofing. However, a
Trojan horse is not considered an attack because it is a program that runs on the same endpoint where
it was detected. It is considered a security alert rather than an attack.

You can stop active responses in the Security log only.

To stop an active response

1. Click Tools > Logs > Security.

2. Select the row for the application or service you want to unblock. Blocked traffic is specified as

Blocked in the Action column.

3. On the Action menu, click Stop Active Response to block the selected application, or click Stop

All Active Response if you want to unblock all blocked traffic.

4. When the Active Response dialog box appears, click OK.

22 Chapter 5 Monitoring and logging

6 Command Line Management

This chapter includes the following topics:

The command-line interface for the client service

●

Typing a parameter if the agent is password-protected

●

The command-line interface for the client service

You can manipulate the agent directly from the command line on the agent computer by using the smc
command for the client service. You may want to use this command in a script that runs the parameters
remotely. For example, if you need to stop the agent to install an application on multiple agents, you
can stop and restart each client service.

With the exception of smc -start, the client service must run to use the command-line parameters.
The command-line parameters are not case sensitive.

Table 6-1 Parameters that administrators can use

Parameter Description

smc -importadvrule Replaces the imported firewall rules to the agent's list of existing firewall rules.

These rules overwrite the existing rules. The client service must run to import the
profile file's contents.

To import firewall rules, you import a .sar file. For example, you can type the following
command:

To import firewall rules, you import a .sar file. For example, you can type the following
command:

smc -importadvrule

C:\config\AllowExplorerRule.sar

An entry is added to the System log after you import the rules.

smc –appendadvrule Adds the imported rules to the bottom of an existing advanced rules list. This

command does not overwrite existing Advanced rules.

To append firewall rules, you import a .sar file. For example, you can type the
following command:

smc –appendadvrule

C:\config\AllowExplorerRule.sar

An entry is added to the System log after you append the rules.

The command-line interface for the client service 23

Table 6-1 Parameters that administrators can use (continued)

Parameter Description

smc -exportadvrule Exports the agent's firewall rules to a .sar file.

Agent rules are only exported from the agent when in Server Control mode.

You must specify the path name and file name. For example, you can type the
following command:

smc -exportadvrule

C:\config\AllowExplorerRule.sar

smc -importallconfig Imports the server and client profiles to the agent. The source folder must contain

both serdef.xml and cltdef.xml.

This command replaces the current profile file's contents. Therefore, you can deploy
the most current profile file without having to remove out-of-date firewall rules,
antivirus scans, security settings, and user interface settings.

You must specify the path name and file name and extension. Any name or extension
is acceptable. For example, you can type the following command:

smc -importallconfig

C:\profile\source_folder\OfficeRules.xml

smc -exportallconfig Exports the server and client profiles to file and folder of your choice.

Exports the server and client profiles to file and folder of your choice.

You must specify the path name and file name and extension.
Any name or extension is acceptable. For example, you can
type the following command:

C:\profile\dest_folder\OfficeRules.xml

smc -start Starts the client service.

smc -stop Stops the client service.

When you import profile files and firewall rules, note that the following rules apply:

You cannot import profile files or firewall rule files directly from a mapped network drive.

●

The agent does not support UNC (universal naming convention) paths.

●

Typing a parameter if the agent is password-protected

You can password-protect the agent computer for the following parameters:

-stop The agent asks for a password before you or the user stops the agent.

-importconfig The agent asks for a password before you can import the profile file.

-exportconfig The agent asks for a password before you can export the profile file.

NOTE: The password is limited to 15 characters or less.

24 Chapter 6 Command Line Management

To type a parameter if the agent is password-protected, perform the following steps:

1. On the agent computer, on the taskbar, click Start > Run.

2. In the Run dialog box, type cmd.

3. In the Windows MS-DOS prompt, type either one of the following:

smc -parameter -p password

smc -p password -parameter

Where:

parameter is -stop, -importconfig, or -exportconfig.

password is the password you specified in the console.

For example, you can type either:

smc -exportallconfig c:\profile.xml -p password or

smc -p password -exportallconfig c:\profile.xml

4. Close the command prompt.

Typing a parameter if the agent is password-protected 25

Index

A

active response, stopping 15
agent

about 2
basics 4
commands 23
features 2
opening 4

password-protected 24
application messages 11
application messages,

changed 12

applications, viewing running 6

B

back tracing logged events 15
broadcast traffic 6

C

changed application

messages 12
changing security levels 9
client service, command-line

interface for 23
CMD 23
command line management 23
command-line interface 23
communication status, viewing 7

D

disabling protection 9

E

endpoint, testing 4
events, filtering logged 15

F

File menu 5
filtering logged events 15
flashing icon 8

H

hardware requirements 1
history, traffic 6

I

icon

flashing 8
notification area 4

L

Location menu 5
log

Packet 18
Security 16
System 19
Traffic 17

logged events

back tracing 15

filtering 15
logging 15
logs

about 15

exporting 15

viewing 15

M

menu

File 5

Location 5

shortcut 8

Tools 5

View 5
menus, using 4
message area

displaying 7

hiding 7
messages

application 11

blocked traffic 11

changed application 12

permission status 11
responding to 11
responding to application 11
types 11

monitoring 15

N

navigating main window 4
notification area icon 4

O

opening agent 4

P

Packet log, about 18
parameter, typing 24
password protection 9
password-protected agent 24
policies, security 2
protection, disabling 9

R

requirements

hardware 1
software 1
system 1

responding to

application messages 11
blocked traffic messages 11
flashing icon 8
messages 11
permission status

messages 11
Trojan horse warnings 11
warnings 11

response, stopping active 15

S

security

changing levels 9

26 Index

disabling protection 9
enabling password

protection 9
policies 2
viewing policy 7

Security log, about 16
shortcut menu 8
software requirements 1
stopping active response 15
System log, about 19
system requirements 1

T

testing endpoint 4
toolbar, using 4
Tools menu 5
traffic

blocked messages 11
broadcast 6
history 6

Traffic log, about 17
Trojan horse warnings 11
typing parameter 24

V

View menu 5
viewing

communication status 7
logs 15
running applications 6
security policy 7

W

warnings, responding to 11

Index 27