Tag Archives: Security

Microsoft Security Intelligence Report Volume 22 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at www.microsoft.com/sir.

This new volume of the report includes threat data from the first quarter of 2017. The report also provides specific threat data for over 100 countries/regions. As mentioned in a recent blog, using the tremendous breadth and depth of signal and intelligence from our various cloud and on-premises solutions deployed globally, we investigate threats and vulnerabilities and regularly publish this report to educate enterprise organizations on the current state of threats and recommended best practices and solutions.

In this 22nd volume, we’ve made two significant changes:

  • We have organized the data sets into two categories, cloud and endpoint. Most enterprises now have hybrid environments, and it’s important to provide more holistic visibility.
  • We are sharing data from a shorter time period, one quarter (January 2017 – March 2017), instead of the typical six months, as we shift our focus to delivering improved and more frequent updates in the future.

The threat landscape is constantly changing. Going forward, we plan to improve how we share the insights, and plan to share data on a more frequent basis – so that you can have more timely visibility into the latest threat insights. We are committed to continuing our investment in researching and sharing the latest security intelligence with you, as we have for over a decade. This shift in our approach is rooted in a principle that guides Microsoft technology investments: to leverage vast data and unique intelligence to help our customers respond to threats faster.

Here are 3 key findings from the report:

As organizations migrate more and more to the cloud, the frequency and sophistication of attacks on consumer and enterprise accounts in the cloud is growing.

  • There was a 300 percent increase in Microsoft cloud-based user accounts attacked year-over-year (Q1-2016 to Q1-2017).
  • The number of account sign-ins attempted from malicious IP addresses has increased by 44 percent year over year in Q1-2017.

Cloud services such as Microsoft Azure are perennial targets for attackers seeking to compromise and weaponize virtual machines and other services, and these attacks are taking place across the globe.

  • Over two-thirds of incoming attacks on Azure services in Q1-2017 came from IP addresses in China and the United States, at 35.1 percent and 32.5 percent, respectively. Korea was third at 3.1 percent, followed by 116 other countries and regions.

Ransomware is affecting different parts of the world to varying degrees.

  • Ransomware encounter rates are the lowest in Japan (0.012 percent in March 2017), China (0.014 percent), and the United States (0.02 percent).
  • Ransomware encounter rates are the highest in Europe vs. the rest of the world in Q1-2017.
    • Multiple European countries, including the Czech Republic (0.17 percent), Italy (0.14 percent), Hungary (0.14 percent), Spain (0.14 percent), Romania (0.13 percent), Croatia (0.13 percent), and Greece (0.12 percent) had much higher ransomware encounter rates than the worldwide average in March 2017.

Download Volume 22 of the Microsoft Security Intelligence Report today to access additional insights: www.microsoft.com/sir.


Few own up to source code theft cybersecurity threats

Application security isn’t enough. Though we design software to limit a malicious attack from hijacking processing logic or stealing data, a glaring omission exists: security against stealing the program source code itself. Few will discuss the problem. Fewer will admit to being victimized.

“The physical security of source code does not get the attention it demands,” said Michael Facemire, a Forrester Research vice president and principal analyst who serves application development and delivery professionals. “Protecting source code is no less important than protecting data.”

In a 2014 white paper that examined the scourge of trade-secret theft, consultancy PwC said, “Cybercrime is not strictly speaking a technology problem. It is a strategy problem, a human problem and a process problem.”

In other words, source code theft, a trade secret in the eyes of the law, has never been more alluring — or easier. The bulky decks of Hollerith cards, rolls of punched paper tape or program printouts of greenbar paper — tools of a bygone era — aren’t needed. For a developer jumping ship to the latest startup, or an operations staffer feeling underappreciated, a USB thumb drive, email attachment or surreptitious transmission via FTP will do just fine.

No one is immune from source code theft, not even the big guys. Source code for Adobe Acrobat was stolen in 2013, raising the specter of malware being embedded in PDF documents. Just a year earlier, Symantec — itself a cybersecurity company — had to deal with extortion attempts to keep the source code for Norton Antivirus private. In 2004, hackers set up shop to sell stolen source code for Cisco’s PIX firewall. None of these thefts involved credit card numbers or other customer data.

The Goldman Sachs case


The magnitude of source code theft — and the impotence of the legal system to deal with it adequately — was highlighted with great alarm in the 72-page report, “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets,” published in February 2013 by the Executive Office of the President of the United States.

That report recounts a major software development project by Wall Street brokerage firm Goldman Sachs, which spent a half-billion dollars to develop a system to support high-frequency trading.

On his final day of employment in 2009 before jumping to a competitor, Goldman Sachs developer Sergey Aleynikov “transferred this extremely valuable proprietary computer code to an external computer server,” along with thousands of other proprietary source code files to his home computers. Investigated by the FBI and prosecuted by the U.S. Attorney’s Office of the Southern District of New York, he was convicted and sentenced to 97 months in federal prison.

In February 2012, the conviction was overturned. The problem: The theft was not of physical goods. In its opinion, the 2nd Circuit Court of Appeals wrote, “Because Aleynikov did not ‘assume physical control’ over anything when he took the source code, and because he did not thereby ‘deprive [Goldman] of its use,’ Aleynikov did not violate the [National Stolen Property Act].”

It wasn’t until Dec. 28, 2012, that the loophole was closed when then-President Barack Obama signed Public Law 112-236, The Theft of Trade Secrets Clarification Act of 2012. As noted in the opinion, it was never Aleynikov’s intention to impede Goldman Sachs from running the code.

A second conviction, in a New York state court, was tossed in 2015, because the trial judge believed the source code had to be printed on paper for a guilty finding. The conviction was reinstated in January 2017 by a unanimous vote of a New York state appeals court. “It would be incongruous to allow defendant to escape criminal liability merely because he made a digital copy of the misappropriated source code instead of printing it onto a piece of paper,” wrote Justice Rosalyn Richter.

The federal report also identified numerous other cases of theft of trade secrets for the benefit of private companies and governmental organizations in China.

DevOps swims upstream

Dealing with potential source code theft needs to start long before a single line of code is ever written, according to Judith Hurwitz, a cloud consultant and CEO of Hurwitz & Associates in Needham, Mass. “If the first question is, ‘What should an app do?’ the second question must be, ‘How do we keep the code, the processes and the data secure?’” she said.

One simple tactic — watermarking source code with strings that can be searched for later — doesn’t prevent theft, but may facilitate the task of tracking down wayward code.

For WSM, a St. Clair Shores, Mich., consultancy that has been providing source code and to-the-cloud server migration services since 2003, the answer is a renewed emphasis on DevOps that gets the ops portion involved earlier in the dev process than stipulated by tradition.

“We’re helping to consult on a ‘left shift’ in security, moving security practices further upstream into the development process to ensure that potential issues are caught before reaching production,” said Jeremy Steinert, WSM’s CTO. “This includes securing your code repository, continuous integration pipelines and development environments to ensure source code theft and security vulnerabilities are managed at every layer of the development process.”

WSM has helped several companies recently with data-intrusion incidents intended to scrap customer data. “This isn’t theft of code, but rather manipulation of it for the theft of customer data,” Steinert said. The principles behind securing the codebase, repositories and processes around development are the same in both situations, he said.

Joel Shore is news writer for TechTarget’s Business Applications and Architecture Media Group. Write to him at jshore@techtarget.com or follow @JshoreTT on Twitter.

How threat actors weaponized Mia Ash for a social media attack

Who is Mia Ash?

That was the question security analysts at Dell SecureWorks found themselves pondering earlier this year while investigating a flurry of phishing attacks against targets in the Middle East. Analysts believed a sophisticated advanced persistent threat (APT) group was behind the attack, for two reasons. First, the emails contained PupyRAT, a cross-platform remote access Trojan that was first discovered in 2015 and had been used by an Iranian threat actor group Dell refers to as “Cobalt Gypsy” (also known as Threat Group 2889 or “OilRig”). And second, the email addresses used in the attacks weren’t spoofed.  

“Many of the phishing emails were coming from legitimate addresses at other companies, which led us to believe those companies had been compromised,” Allison Wikoff, intelligence analyst at Dell SecureWorks, told SearchSecurity.

The email addresses used by the attackers belonged to Saudi Arabian IT supplier National Technology Group and Egyptian IT services firm ITWorx. But as sophisticated as the phishing attacks were, the targeted companies — which included energy, telecommunications, and financial services firms, as well as government agencies in the EMEA region — were largely successful in repelling the attacks and preventing the spread of PupyRAT in their environments.

But after the unsuccessful phishing attacks, Dell SecureWorks’ Counter Threat Unit (CTU) observed something else that alarmed them. Instead of another wave of phishing emails, CTU tracked a complex social media attack that indicated a resourceful, patient and knowledgeable nation-state threat actor.

Who is Mia Ash?

On Jan. 13, after the phishing attacks had ended, an employee at one of the companies targeted by Cobalt Gypsy received a message via LinkedIn from Mia Ash, a London-based photographer in her mid-20s, who said she was reaching out to various people as part of a global exercise. The employee, who SecureWorks researchers refer to anonymously as “Victim B,” connected to the photographer’s LinkedIn profile. To Victim B or the casual observer, Ash’s profile seemed legitimate; it contained a detailed work history and had more than 500 connections to professionals in the photography field, as well as individuals in the same regions and industries as Victim B.


After about a week of exchanged messages about photography and travel, Ash requested that Victim B add her as a friend on Facebook so the two could continue their conversation on that platform. According to SecureWorks’ new report, Victim B instead moved the correspondence to WhatsApp, a messaging service owned by Facebook, as well as email. Then on Feb. 12, Ash sent an email to Victim B’s personal email account with a Microsoft Excel file that was purportedly a photography survey. Ash requested that Victim B open the file at work in his corporate environment so that the file could run properly.

Victim B honored the request and opened the Excel on his company workstation; the Excel file contained macros that downloaded the same PupyRAT that Cobalt Gypsy used in the barrage of phishing attacks several weeks earlier. “It was the same organization that was hit before, within a month, and that was a big red flag,” Wikoff said.

Luckily, Victim B’s company antimalware defenses blocked the PupyRAT download. But the incident alarmed the company; Dell SecureWorks was asked to investigate the matter, and the CTU team soon discovered that “Mia Ash” wasn’t a professional photographer — in fact, she likely didn’t exist at all — and that another person was targeted long before Victim B.

Image caption: The now-deleted Facebook page of ‘Mia Ash’

Behind the online persona

When CTU researchers started digging into the Mia Ash online persona, they discovered more red flags. While Ash’s LinkedIn profile was populated with connections to legitimate professionals, half of the connections bore striking similarities: all male individuals, between their early 20s and 40s, who work in midlevel positions as software developers, engineers and IT administrators. In addition, these connections worked at various oil and gas, financial services and aerospace companies in countries such as Saudi Arabia, India and Israel — all of which had been targeted by the Iranian APT group Cobalt Gypsy.

“We saw a good cross section of LinkedIn connections — half of them were what looked like legitimate photographers and photography professionals, and the other half appeared to be potential targets,” Wikoff said.

This wasn’t the first time threat actors used fake social media accounts for malicious purposes, but this was one of the most complex efforts the researchers had ever seen. The CTU team discovered Mia Ash had been active long before January and that Victim B wasn’t actually the first target to fall prey to this complex social media attack. The CTU team discovered a Blogger website called “Mia’s Photography” that had been created in April 2016. They also found that two other domains apparently belonging to Ash were registered in June and September of last year using a combination of Ash’s information and that of a third party, whom CTU refers to as “Victim A.”

It’s unclear why the domains were registered — they don’t contain malware or any malicious operations — or why Victim A participated. Wikoff said there are a number of possibilities; it’s likely that either Victim A registered both domains as a friendly or romantic gesture to Ash, believing she was real, or that Victim A registered the first domain as a gift for Ash and then the attackers behind the persona registered the second on behalf of Victim A to reciprocate the gesture.

Whatever the case, it appears Victim A was used as a sort of “patient zero” from whom the attackers could establish other social media connections. Wikoff said SecureWorks made attempts to contact Victim A, who like other Mia Ash targets had worked in energy and aerospace companies in the Middle East/Asia region, but so far has not heard back from him. The ironic part is that Victim A is currently an information security manager for a large consulting company – and even he was apparently fooled by this online persona.

There was more to Mia Ash than just the LinkedIn profile and Blogger site; the persona’s Facebook account was populated with personal details (her relationship status, for example, was listed as “It’s complicated”), posts about photography and images of herself, as well as her own professional photos. However, the images were stolen from the social media accounts of a Romanian photographer (Dell SecureWorks did not disclose the woman’s identity in order to protect her privacy).

“At first pass, it looks like a legitimate Facebook profile,” Wikoff said. “The attackers spent a lot of time and effort building this persona, and they knew how to avoid detection.”

For example, Wikoff said, the threat actors rotated or flipped many of the images stolen from the Romanian woman so the pictures would not show up in a reverse image search. The attackers also kept the social media accounts active with fresh postings and content to make them appear authentic and to lure potential targets like Victim A to interact with them; in fact, Victim A interacted with Mia Ash’s Facebook page as recently as March.
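The image-flipping trick described above defeats a lookup keyed on a plain perceptual hash, because mirroring or rotating a picture changes the hash. The following added example (not code from SecureWorks or the researchers quoted, and not a reproduction of any real reverse image search engine) shows the defender-side fix: hash every flip and rotation variant of a picture and keep the smallest value, which yields a fingerprint that is identical for all eight orientations. Images are plain grayscale matrices so it runs without an imaging library; the nearest-neighbour downscale, the synthetic photo and the match threshold are all constructed for this example.

```python
"""Orientation-invariant image fingerprint (added example, see lead-in)."""


def rotate90(img):
    """Rotate a matrix 90 degrees clockwise."""
    return [list(row) for row in zip(*img[::-1])]


def mirror(img):
    """Mirror a matrix left to right."""
    return [row[::-1] for row in img]


def orientations(img):
    """Yield all eight dihedral variants: four rotations, each plain and mirrored."""
    cur = img
    for _ in range(4):
        yield cur
        yield mirror(cur)
        cur = rotate90(cur)


def downscale(img, width, height):
    """Nearest-neighbour resample to width x height (simplified stand-in for a proper resize)."""
    h, w = len(img), len(img[0])
    return [[img[y * h // height][x * w // width] for x in range(width)] for y in range(height)]


def dhash(img, size=8):
    """Difference hash: on a (size+1) x size thumbnail, one bit per horizontal neighbour pair."""
    small = downscale(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def canonical_hash(img, size=8):
    """Smallest dhash over all orientations: the same value for any flip or rotation of the image."""
    return min(dhash(variant, size) for variant in orientations(img))


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def same_picture(a, b, threshold=6):
    """True when the canonical fingerprints are within `threshold` bits (threshold is a constructed choice)."""
    return hamming(canonical_hash(a), canonical_hash(b)) <= threshold


def constructed_photo(n=32):
    """A synthetic 'photo': a gradient with a non-symmetric texture so orientations differ."""
    return [[(x * 5 + y * 2 + (x * y) % 13) for x in range(n)] for y in range(n)]


if __name__ == "__main__":
    original = constructed_photo()
    flipped = mirror(original)
    rotated = rotate90(original)
    print("plain dhash matches flipped copy:", dhash(original) == dhash(flipped))      # False
    print("canonical hash matches flipped copy:", same_picture(original, flipped))     # True
    print("canonical hash matches rotated copy:", same_picture(original, rotated))     # True
```

The canonical hash is exactly invariant under the eight flip/rotation transforms because they form a closed group: the set of variants of a mirrored copy is the same set of matrices as the variants of the original. Crops, recompression and colour changes are not covered by that argument, which is why the comparison uses a Hamming threshold rather than equality.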

Online personas as social media attacks

The CTU team determined with a high confidence level that Mia Ash was a fake online persona created by threat actors to befriend employees at targeted organizations and lure those individuals into executing malware in their corporate environments. The CTU team also believes with “moderate confidence” (according to the scale used by the U.S. Office of the Director of National Intelligence) that Mia Ash was created and managed by the Cobalt Gypsy APT group.

The Mia Ash LinkedIn account disappeared before the CTU team could contact LinkedIn; the team alerted Facebook, which removed the Mia Ash profile. The CTU team wasn’t able to determine what Cobalt Gypsy’s ultimate goal was with this social media attack; they only know the threat actors were attempting to harvest midlevel network credentials with the PupyRAT malware.

While the motive for the Mia Ash campaign is still a mystery, Wikoff said it was clear the APT group had done its homework on both the organizations it was targeting, as well as what was required to build and maintain a convincing online persona. In addition, the threat actors specifically targeted employees they knew had the desired network credentials and would likely respond to and engage the Mia Ash persona.

This isn’t the first time Cobalt Gypsy has used social media attacks; in 2015, SecureWorks reported the APT group used 25 fake LinkedIn accounts in a social engineering scheme. In that case, the attackers created profiles of employment recruits for major companies like Teledyne and Northrop Grumman and used them as malicious honeypots or “honey traps.” Once victims made contact with the fake profiles, attackers would lure them into filling out fraudulent employment applications.

The Mia Ash campaign demonstrates the evolution of such social media attacks. Instead of just composing a single LinkedIn profile, the attackers expanded their online footprint with other social media accounts. And the larger the online presence, Wikoff said, the more convincing the persona becomes.

“Cobalt Gypsy’s continued social media use reinforces the importance of recurring social engineering training,” the SecureWorks report states. “Organizations must provide employees with clear social media guidance and instructions for reporting potential phishing messages received through corporate email, personal email, and social media platforms.”

But Wikoff said awareness training isn’t enough to stop advanced social engineering attacks like the Mia Ash campaign. “You can train people with security awareness, but someone is always going to click,” she said. “And the attackers know this.”

In the case of Victim A, the campaign would have been successful if not for antimalware defenses that prevented PupyRAT (which, it should be noted, was a known malware signature) from downloading. But other organizations might not be as lucky, especially if these attacks use new malware types with no known signatures.

In addition, social media services offer an enormous opportunity for threat actors. Wikoff said attackers can easily set up accounts for LinkedIn, Facebook, Twitter and other services, free of charge, and use them for malicious purposes without running afoul of the sites’ terms of service. While the Mia Ash profiles for LinkedIn and Facebook were removed after the fact, Wikoff said it’s difficult for social media services to spot APT activity like the Mia Ash campaign before a user is victimized.

SecureWorks believes that Cobalt Gypsy has more online personas actively engaged in malicious activity, but finding them before they compromise their potential targets will be a challenge.

“It shows how much bigger the threat landscape has gotten,” Wikoff said. “It’s a case study on persistent threat actors and the effort they will go to in order to achieve their goals.”

Cloud App Security new auto-remediation feature

Immediate session log off for suspicious users

Real-time remediation of security threats is a key challenge for companies, because attackers can move quickly to access critical data. The Cloud App Security team is excited to introduce a new threat-protection feature built on integration with Azure Active Directory: when a suspicious activity is identified in the Cloud App Security portal, you can now initiate an auto-remediation action that logs these users off and requires them to sign in again to Office 365 and to all apps accessed through Azure Active Directory.

Let’s explore two key reaction capabilities of this feature:

Respond to anomalous behavior

External sharing of sensitive files, download of sensitive files from unrecognized locations, or any activity that’s considered abnormal can trigger alerts in Cloud App Security portal. These alerts provide immediate notification of potential security incidents and assist admins with proactive investigation.

In the event of suspicious user behavior, the new auto-remediation feature allows the security admin to take immediate action, triggering a revocation of all user sessions and requiring the user to sign in again to all apps.

React to account takeover

When an attacker gains unauthorized access to an account, a common industry practice is to disable the account. But this is not enough! If the account is actively being used to exfiltrate data, gain elevated privileges in the organization, or any other method that keeps the attacker’s session active, they can still use the compromised account.

The new Cloud App Security capability allows an admin to revoke the compromised account’s sessions and fully mitigate the attack. Cloud App Security invalidates all the user’s refresh tokens issued to cloud apps.
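To make the distinction in this section concrete, here is an added example in Python (not Microsoft’s code, and not how Azure Active Directory or Cloud App Security are implemented) that models the token lifecycle the post describes. An access token is a bearer credential that resource servers accept until it expires, and a refresh token keeps the session alive beyond that. In this model the disabled flag is consulted only at interactive sign-in, an assumption that mirrors the post’s point that an attacker’s existing session survives a disable, while revoking sessions records a cutoff time after which every earlier refresh token is rejected. The `Directory` class, the timestamps and the one-hour lifetime are all constructed for the example.

```python
"""Toy token-lifecycle model: why disabling an account is not enough (added example)."""
import secrets

ACCESS_TOKEN_LIFETIME = 3600  # constructed: one hour, in integer seconds


class Directory:
    def __init__(self):
        self.users = {}           # name -> {"enabled": bool, "tokens_valid_from": int}
        self.refresh_tokens = {}  # opaque token -> (user, issued_at)
        self.access_tokens = {}   # opaque token -> (user, expires_at)

    def add_user(self, name):
        self.users[name] = {"enabled": True, "tokens_valid_from": 0}

    def _issue(self, name, now):
        access, refresh = secrets.token_hex(16), secrets.token_hex(16)
        self.access_tokens[access] = (name, now + ACCESS_TOKEN_LIFETIME)
        self.refresh_tokens[refresh] = (name, now)
        return {"access": access, "refresh": refresh}

    def sign_in(self, name, now):
        """Interactive sign-in: the only place the disabled flag is checked in this model."""
        if not self.users[name]["enabled"]:
            return None
        return self._issue(name, now)

    def refresh(self, token, now):
        """Redeem a refresh token (single use here); rejected once it predates the revocation cutoff."""
        entry = self.refresh_tokens.pop(token, None)
        if entry is None:
            return None
        name, issued_at = entry
        if issued_at < self.users[name]["tokens_valid_from"]:
            return None
        return self._issue(name, now)

    def accept_access_token(self, token, now):
        """Resource-server side: a bearer token is honoured until expiry with no directory lookup."""
        entry = self.access_tokens.get(token)
        return entry is not None and now < entry[1]

    def disable(self, name):
        self.users[name]["enabled"] = False

    def revoke_sessions(self, name, now):
        """The 'require user to sign in again' action: invalidate every refresh token issued before now."""
        self.users[name]["tokens_valid_from"] = now


def takeover_timeline():
    """Walk through the scenario from the post and return what each step allowed."""
    d = Directory()
    d.add_user("victim")
    attacker = d.sign_in("victim", now=0)            # attacker already holds a session
    d.disable("victim")                              # step 1: admin disables the account
    after_disable = d.refresh(attacker["refresh"], now=600)
    d.revoke_sessions("victim", now=1200)            # step 2: admin revokes sessions
    after_revoke = d.refresh(after_disable["refresh"], now=1800)
    return {
        "new_sign_in_blocked": d.sign_in("victim", now=601) is None,
        "refresh_survives_disable": after_disable is not None,
        "refresh_dies_after_revoke": after_revoke is None,
        # residual risk: the last access token stays valid until its own expiry
        "access_token_usable_at_1800": d.accept_access_token(after_disable["access"], now=1800),
        "access_token_usable_at_4200": d.accept_access_token(after_disable["access"], now=4200),
    }


if __name__ == "__main__":
    for step, outcome in takeover_timeline().items():
        print(f"{step}: {outcome}")
```

Two points the walk-through makes visible: revocation rather than a disable is what ends the attacker’s refresh chain while still letting the legitimate user sign in again, and revocation cannot recall a bearer access token that has already been issued, so the access token lifetime bounds the residual window in any bearer-token system.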

How to implement this feature

Requiring the user to sign in again can be set during the policy creation phase, or initiated directly from an alert as part of the resolution options for a user. Initiating governance actions directly from the policy allows for automatic remediation: the admin needs only to select this option and it will be enforced.

Screenshot: Policy setting: require user to sign in again

Alternatively, an admin can select to require another sign in as part of the reactive investigation of an alert as seen below. In either case, to ensure secure productivity, the user is protected and can continue working with minimal interruption.

Screenshot: Require user to sign in again during investigation of a specific alert

Better together

Our goal is to provide a holistic and innovative security approach with Enterprise Mobility + Security. Together, Cloud App Security and Azure Active Directory offer unique value that helps you gain better control over your cloud by identifying suspicious activities that may indicate a breach and responding to them immediately.

Learn more and give us feedback

We know how important visibility, control and threat protection are for you, especially when it comes to cloud apps. Our goal is to continuously innovate to provide a top-notch user experience, visibility, data control and threat protection for your cloud apps. If you would like to learn more about our solution, please visit our technical documentation page.

We’d also love to hear your feedback. If you have any questions, comments or feedback, please leave a comment or visit our Microsoft Cloud App Security Tech Community page.

Continue on PC, Timeline features raise Windows 10 security concerns

New Windows 10 syncing features should be popular among users but could lead to IT security risks.

Microsoft’s upcoming Windows 10 Fall Creators Update will include the Continue on PC feature, which allows users to start web browsing on their Apple iPhones or Google Android smartphones and then continue where they left off on their PCs. A similar feature called Timeline, which will allow users to access some apps and documents across their smartphones and PCs, is also in the works. IT will have to pay close attention to both of these features, because linking PCs to other devices can threaten security.

“It does have the potential to be a real mess,” said Willem Bagchus, messaging and collaboration specialist at United Bank in Parkersburg, W.Va. “To pick up data on another device, you have to do it securely. This has to be properly protected.”

How Continue on PC works

Continue on PC syncs browser sessions through an app for iPhones and Android smartphones. Users must be logged into the same Microsoft account in the app and on their Windows 10 PC.

When on a webpage, smartphone users can select the Share option in the browser and choose Continue on PC, which syncs the browsing session through the app. The feature is currently available as part of a preview build leading up to the Windows 10 Fall Creators Update, and the iOS app is already available in the Apple App Store.


Microsoft did not say if the feature will allow users to continue a browsing session on their smartphone that started on their PC. Apple’s Continuity feature offers this capability, and the Google Chrome browser lets users share tabs and browsing history across multiple devices as well.  

Continue on PC could expose sensitive data when sharing web applications through synced devices, said Jack Gold, founder and principal analyst of J. Gold Associates, a mobile analyst firm in Northborough, Mass.

For example, if a user’s personal laptop is stolen that is synced to a corporate phone, the thief could access business web apps through a synced browsing session, exposing company data. If the feature is expanded to share browsing sessions from a PC to a smartphone, all it would take is someone to steal a user’s smartphone to have access to the web apps the employee used on their PC.

“It could be something to worry about if a user loses their phone,” Gold said. “I can’t lose that device because it can sync to my PC.”

To avoid this problem, IT could use enterprise mobility management (EMM) software to blacklist the Continue on PC app altogether, or simply prevent users from sharing the browser session through the app.   

Timeline shares security issues

Originally, Timeline was supposed to be part of the Windows 10 Fall Creators Update, but now it will come out in a preview build shortly afterward, Microsoft said.

Timeline suggests recent documents and apps a user accessed on a synced smartphone and allows them to pull some of them up on their PC, and vice versa. Microsoft hasn’t disclosed which apps the feature will support.

This feature could also cause a security problem if a user loses their PC or smartphone and it gets in the wrong hands. Timeline is basically a dashboard displaying every app, document and webpage the user was in across multiple devices, so someone could access documents, apps and web apps that contain work data on the stolen device.

“Security is needed across the board,” said Bagchus, whose company plans to move to Windows 10 next year. “It absolutely has to be managed.”

EMM software should also come into play when managing this feature, he said.

IT needs to force users to have passwords on all PCs and mobile devices to protect from these instances, said Jim Davies, IT director at Ongweoweh Corp., a pallet and packing management company in Ithaca, N.Y.

“This is something that will be used by a lot of people in a lot of companies,” Davies said. “People won’t need to email themselves a link because this makes it simpler. That being said, your password is that much more important now.”

Ongweoweh Corp. plans to migrate to Windows 10 in the first quarter of 2018.

It is likely that these Windows 10 syncing features won’t be limited to smartphones, and iPads and Android tablets could gain this ability in the future, Bagchus said.

“This feature … makes productivity easier,” Bagchus said. “This will be huge.” 


MalwareTech arrested for Kronos banking Trojan connection

The FBI detained and arrested a security researcher who allegedly created the Kronos banking Trojan.

Martin Hutchins, also known as “MalwareTech,” was arrested in Las Vegas following the DEFCON 2017 conference after what the FBI said was a two-year investigation. Hutchins, a UK citizen, gained notoriety during the WannaCry ransomware outbreak when he and fellow security researcher Matt Suiche found hardcoded command-and-control servers in the WannaCry code. The two researchers registered the C&C domains and effectively broke the ransomware.

However, the U.S. Department of Justice alleges that Hutchins, who also works for cybersecurity vendor Kryptos Logic, was one of two people behind the Kronos banking Trojan.

“Hutchins was charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization,” Gregory J. Haanstad, U.S. attorney for the eastern district of Wisconsin, wrote in a statement. “The alleged conduct for which Hutchins was arrested occurred between in or around July 2014 and July 2015.”

According to the indictment obtained by CNN Tech, the FBI claims Hutchins created the Kronos banking Trojan, a co-defendant (name redacted) released a video demonstration of the malware on July 13, 2014, Hutchins and the co-defendant updated the Kronos banking Trojan in February 2015, and then the co-defendant posted and sold the Trojan on the AlphaBay darknet marketplace in mid-2015.

AlphaBay was seized and shut down by the FBI and DEA in early July, and European law enforcement used that closure to lure users to the Hansa darknet market, which was also shut down last month.

However, because Hutchins tweeted on July 13, 2014, asking for a malware sample of the banking Trojan, Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said on Twitter that “it doesn’t add up that he wrote it in 2014 and asked for a sample of it in the same time frame.”

The news of Hutchins’ arrest was first reported by Motherboard, which wrote that Hutchins was first detained at the Henderson Detention Center in Nevada.

Andrew Mabbitt, a friend of Hutchins and founder of Fidus Information Security, said on Twitter that he initially didn’t know where Hutchins had been taken, but ultimately found him at the FBI’s field office in Las Vegas. Mabbitt also said the Electronic Frontier Foundation has arranged legal representation for Hutchins.


Symantec Endpoint Protection and the details for buyers to know

Symantec Endpoint Protection is a client-server software platform that provides layered security for physical and virtual endpoints aimed at environments with more than 250 users.

A similar product, Symantec Endpoint Protection Small Business Edition, is designed for smaller environments with more limited administrative support. A cloud-based version — Symantec Endpoint Protection Cloud — is also available for small to medium-sized organizations.

This article focuses on version 14 of Symantec Endpoint Protection.

Feature set

Symantec Endpoint Protection includes antivirus and antimalware, a firewall and intrusion prevention component, host integrity checking, external media control, application control, network access control, and website browsing protection. Behavioral monitoring uses machine learning to prevent most zero-day attacks, as well as to stop the spread of an infection if an attack breaches network or system security. The Power Eraser component enables administrators to scan an endpoint from the management console to remove an infection remotely, and System Lockdown handles application whitelisting and blacklisting.

Endpoint Protection does not protect mobile devices, and Endpoint Protection Small Business Edition does not include email protection, application control or support for virtual environments.

The Symantec Global Intelligence Network, one of the largest of its kind, analyzes data from hundreds of millions of users and sensors and works with Symantec’s Insight and SONAR (Symantec Online Network for Advanced Response) technologies to identify and categorize current threats.

To increase performance, Endpoint Protection uses scan elimination and deduplication techniques to reduce the number of files it must scan on each pass. Additional Endpoint Protection features then prevent malware and other threats from affecting customer endpoints.

Platform coverage

Symantec Endpoint Protection supports Microsoft Windows Vista through Microsoft Windows 10 client systems, macOS and several Linux distributions. Supported server systems include Microsoft Windows Server 2008 through Server 2016, Microsoft Windows Essential Business Server, Microsoft Windows Small Business Server and several flavors of Linux (Red Hat Enterprise Linux and SUSE Linux Enterprise, among others).

For virtual environments, the solution supports Amazon WorkSpaces, Citrix XenServer, VMware vSphere Server (ESXi), VMware ESX, Windows Azure, Microsoft Hyper-V and VirtualBox by Oracle.

Symantec Endpoint Protection Small Business Edition does not support Linux operating systems, virtual environments or mobile devices.


In tests conducted by AV-Test in November and December 2016 on Windows 10, Symantec Endpoint Security 14 scored 17 out of 18 when evaluated for protection, performance and usability.

The highest-ranking products during that period were Kaspersky Small Office Security and Bitdefender Endpoint Security, which both scored 18. Symantec Endpoint Security won the AV-Test Best Protection 2016 award for delivering outstanding protection performance.


Symantec Endpoint Protection for on-premises includes a management console that runs on a server and pushes agent software to each client. Administrators can view and manage Windows, Mac, Linux and virtual machine clients and make policy configurations using the console.

Small Business Edition works similarly, but is designed for easier setup and administration. This product enables customers to use a cloud-based host, or to install the management console on an on-premises server.

Pricing and licensing

Symantec Endpoint Protection products are licensed per endpoint with essential support included. Customers can purchase licenses online at the Symantec Store or through a partner for quantities higher than those offered online. The following table lists the manufacturer’s suggested retail price per license; additional quantities are available at special pricing. Symantec offers a 45-day money-back guarantee on Endpoint Protection purchases.

Licensing and pricing

A free, fully functioning 30-day trial of Symantec Endpoint Security or Endpoint Protection Small Business Edition is available from each product’s respective website.


General support for Symantec Endpoint Protection includes access to the company’s online knowledge base, eLibrary, support videos, a community forum, the SymDiag diagnostic tool, product documentation, and downloadable updates and upgrades.

Endpoint Protection customers may open a support ticket by visiting Symantec’s technical support website or by contacting a Symantec support technician by telephone 24/7. Paid support plans, which include direct access to support engineers, faster response times and so on, are available through Symantec resellers.

Support for Small Business Edition includes maintenance, service updates and 24/7 telephone support.


Test your knowledge of Office 365 ATP

Microsoft stepped up its security game when it introduced Office 365 Advanced Threat Protection in 2015. The product brings more to the table than Exchange Online Protection, which provides antimalware protection. With more complex security threats appearing daily, customers need more protection.

Office 365 ATP is an optional email filtering service that blocks advanced threats, such as malicious URLs and new malware. Take this quiz to test your knowledge of the latest Microsoft Office 365 ATP features.
