To Be A CyberMan: 1 Malware Defenses Control Project Management Log


I am currently working for my company in an IT Support/System Admin role, but I also manage all of their cybersecurity applications and provide suggestions to improve their security protection.

Here is the Malware Defenses control project management log I did earlier for the company.

We are using the ESET Endpoint Security product.

ESET Antivirus, Antimalware & Internet Security Solutions | ESET

 

01 Project Management

    1.1 Project Goals:

Regarding the corporate anti-malware policies, the main goals to reach are as follows:

         Deploy ESET Endpoint Security to all PCs.

         Implement the ESET centralized management server.

         Set up a regular update/scan policy from the management console.

         Match the settings with CIS Controls Version 7.1 (Control 8, Malware Defenses):

CIS Control 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

         8.1 (Protect) Utilize Centrally Managed Anti-malware Software: Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

         8.2 (Protect) Ensure Anti-Malware Software and Signatures are Updated: Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

         8.3 (Protect) Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies: Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

         8.4 (Detect) Configure Anti-Malware Scanning of Removable Devices: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

         8.5 (Protect) Configure Devices Not To Auto-Run Content: Configure devices to not auto-run content from removable media.

         8.6 (Detect) Centralize Anti-Malware Logging: Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

         8.7 (Detect) Enable DNS Query Logging: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

         8.8 (Detect) Enable Command-Line Audit Logging: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

  

See item 2.1, Main Goals and Requirements, for more details.

 

    1.2 Time-line (completed time log)

         Stage one

        11/04/2019 Project started

        11/04/2019 Communicated with the IT Director, got the main goals idea

        11/04/2019 Set main goals

         Stage two

        11/05/2019 Identified ESET AV issues

        11/05/2019 Checked admin documents and website help documents

        11/06/2019 Called ESET support, got remote assistance from ESET

        11/06/2019 Based on the documents and ESET support suggestions, made a proposal for the stage one issue

        11/06/2019 Sent ticket, got approval

        11/07/2019 Deployed the stage one solution

         Stage three

        11/18/2019 Identified ESET AV issues

        11/20/2019 Checked admin documents and website help documents

        11/22/2019 Called ESET support, got remote assistance from ESET

        11/25/2019 Based on the documents and ESET support suggestions, made a proposal for the stage one issue

        11/25/2019 Sent ticket, got approval

        11/26/2019 Deployed the stage two solution

        12/19/2019 Finished the ESET deployment (working properly now)

         Stage four

        12/19/2019 Maintaining/monitoring

          Deliverables:

             Anti-Virus policy upgrade

             ESET Best Practice

             ESET configuration guide

             ESET help resource

 

02 Main Goals

    2.1 Main Goals and Requirements

Properly deployed, up-to-date, centrally managed and monitored antivirus software.

         Requirement details

         All PCs/servers should have antivirus installed, including both first-party and third-party machines.

         Update daily

         Centralized control

         Centralized log review

         Controlled only by authorized personnel

         Update/scan/log policy

         Auto-update

         Regular scan

         Log saving and review

 

03 Fresh Environment

    3.1 Current situation (11-04-2019)

         The company has 600 computers and 500 users.

         They purchased 400 ESET Endpoint Security licenses and installed the management console on a server, but did not configure it properly; they still use individual keys to activate the AV application.

         More than half of the computers did not have the AV installed (or the agents, i.e. the staff, had uninstalled it), and some of those that did were not activated.

    3.2 More issues (11-06-2019)

         There are not enough ESET Endpoint licenses.

         There is a centralized management console, but only 2 endpoints show up in the management web UI.

         Endpoint applications have to be installed individually.

         Endpoint applications have to be activated individually.

         No centralized management.

         No centralized log view and monitoring.

         Agents (end users) have access to configure the AV.

         Agents have permission to uninstall the AV.

 

04 Solution Suggestions

     The computer has the AV installed but does not show up in the management console web UI.

        Solution:

        The computer needs the ESET Management Agent application installed:

             Local install

             Remote deployment

             Use GPO to push the installer

             Use the management center to push the installer (requires the host computer's firewall to allow it; the host must be reachable by ping)

     Some of the computers (>30%) do not have the ESET Endpoint Security application.

        Solutions:

        After all the computers have the management agent installed, we can create a task to push the Endpoint Security installer.

             Use GPO to push the ESET Endpoint Security installer.

             Use a compliance check to make sure ESET Endpoint Security has been installed on every computer (firewall, access control).

     Some of the computers use an old version of ESET Endpoint Security.

        Solutions:

        After all the computers have the management agent installed, we can update them to the latest version.

                 Set up an auto-update policy from the management console.

     Some of the computers' ESET Endpoint Security is not activated.

        Solutions:

            After all the computers have the management agent installed, we can activate them from the management center.

                 Set up an auto license activation policy from the management console.

     Ports 445, 4114, 4116, 4135 and 4136 need to be opened in ESET Endpoint Security's firewall on all computers.

        Solutions:

                After all the computers have the management agent installed, we can remotely administer this configuration from the management center.

                     Set up a firewall port whitelist policy from the management console.

     Some computer users log in with a local administrator account and therefore have the rights to uninstall ESET.

        Solutions:

                After all the computers have the management agent installed, we will create a password policy to protect the ESET settings.

                     Force agents (end users) to log in to the computer only with their AD account.

                     Change all computers' local Administrator password.

                     Set up an ESET management/configuration settings-password policy from the management console.
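The compliance check the solutions above call for can be run from the management server against every domain computer. This is an added example, not the author's or ESET's own tooling; it assumes WinRM is enabled on the endpoints, the caller is a local administrator on them, the ESET products appear in the Windows Uninstall registry keys with display names starting "ESET", and the computer list comes from Active Directory via the RSAT ActiveDirectory module.

```powershell
# Added example, not the author's or ESET's code. Assumptions: WinRM is enabled on the
# endpoints, the caller is a local administrator on them, ESET products appear in the
# Windows Uninstall registry keys with display names starting "ESET", and the computer
# list comes from Active Directory (RSAT ActiveDirectory module).
Import-Module ActiveDirectory

# Ports the log says ESET Endpoint Security's firewall must allow on every computer.
$RequiredPorts = 445, 4114, 4116, 4135, 4136

function Get-EsetComplianceReport {
    param([string[]]$ComputerName)

    foreach ($pc in $ComputerName) {
        $r = [ordered]@{ Computer = $pc; Reachable = $false; AgentVersion = $null
                         EndpointInstalled = $false; BlockedPorts = @() }

        # Which required ports are closed? (shows whether the firewall whitelist policy applied)
        foreach ($port in $RequiredPorts) {
            $open = Test-NetConnection -ComputerName $pc -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $open) { $r.BlockedPorts += $port }
        }

        # Read installed ESET products (name + version) from the remote Uninstall keys
        try {
            $products = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
                $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
                Get-ItemProperty $keys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -like 'ESET*' } |
                    Select-Object DisplayName, DisplayVersion
            }
            $r.Reachable = $true
            $agent = $products | Where-Object DisplayName -like '*Management Agent*' | Select-Object -First 1
            $r.AgentVersion = $agent.DisplayVersion
            $r.EndpointInstalled = [bool]($products | Where-Object DisplayName -like '*Endpoint*')
        } catch { }   # unreachable or WinRM refused: Reachable stays $false
        [pscustomobject]$r
    }
}

# Audit every enabled Windows computer in AD and list only the non-compliant ones;
# an AgentVersion starting with "6." marks a machine for the v7 agent upgrade task.
$computers = (Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
              Where-Object OperatingSystem -like 'Windows*').Name
Get-EsetComplianceReport -ComputerName $computers |
    Where-Object { -not $_.AgentVersion -or -not $_.EndpointInstalled -or $_.BlockedPorts.Count -gt 0 } |
    Format-Table Computer, Reachable, AgentVersion, EndpointInstalled,
                 @{ n = 'BlockedPorts'; e = { $_.BlockedPorts -join ',' } }
```

Machines that show up as unreachable are exactly the ones the GPO-based push is for, since the management center cannot reach them either.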

 

05 Deployment issue logs

    1. How can I get the ESET Endpoint update status report from EMC by time?

        Solution:

            Click "Reports" – "reach" – "Last update (left click)" – "edit" – "Updated Status report".

    2. The ESET all-in-one installer still couldn't be created.

        Solution:

            Put the IPs into the firewall whitelist; check the firewall web filter.

    3. ESET can't be registered with the license code; the internal network firewall blocked it.

        Solution:

            Put the IPs into the firewall whitelist.

    4. The ESET Endpoint Security software/module updating causes a network crash.

        Solutions:

             Checked the WatchGuard logs: they show 66GB of data from repository.eset.com, and that each endpoint connected directly to the ESET servers instead of going through the HTTP proxy for its updates.

             Checked the HTTP proxy policy: in the agent configuration > Advanced settings > HTTP proxy, the proxy configuration type is "different proxy per service".

             There are hundreds of machines still running ERA v6.5 and EES v5. Created a dynamic group for machines with v6 agents, and created a components upgrade task to upgrade the agent to v7.

    5. What's the difference between the ESET firewall and the Windows firewall?

        Solution:

            After the ESET Firewall is installed, it replaces the Windows firewall. The MSF (Windows firewall) denies ping by default.

    6. How can I block a certain computer's internet access from ESET MC?

        Solution:

            Policy – firewall settings.

    7. How to set up a local update server (client PCs update from the local server)?

        Solution:

            Same as Q4.

    8. We import ESET users from the domain, but the domain user list changes often. How can I synchronize the user data?

        Solution:

            Tags.

    9. I added the computer from AD first, then installed the agent on the computer; EMC shows two computers with the same name.

        Solution:

            Set up a policy to delete the old one.

    10. Changed the name of a computer managed by ESET EMC; not able to connect the renamed PC.

        Solution:

            Reconfigured the AD sync task to better reflect the current AD: changed the settings from "skip, skip, skip" to "move, remove, remove".

    11. Get HIPS reports.

        Solution:

            Create new HIPS reports.

    12. The EMC log files' time is not correct.

        Solution:

            It uses the default time zone, which can't be changed.
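The traffic pattern behind issue 4 above (every endpoint pulling updates straight from repository.eset.com instead of through the HTTP proxy) can be spotted from the firewall logs before it saturates the link. This is an added example, not the author's, WatchGuard's or ESET's code; the log lines are constructed in a simplified key=value form and the proxy address is assumed, so the parsing pattern has to be adapted to the real export format.

```powershell
# Added example, not the author's or WatchGuard's/ESET's code. The log lines below are
# constructed in a simplified key=value form; adapt $pattern to the real export.
$ProxyHost  = '10.0.0.5'             # assumed address of the ESET HTTP proxy
$UpdateHost = 'repository.eset.com'  # named in the log as the source of the 66GB of traffic

$SampleLog = @'
2019-11-27T08:01:10 src=10.0.1.21 dst=repository.eset.com proto=tcp dport=80 bytes=734003200
2019-11-27T08:01:12 src=10.0.1.22 dst=repository.eset.com proto=tcp dport=80 bytes=698351616
2019-11-27T08:02:03 src=10.0.0.5 dst=repository.eset.com proto=tcp dport=80 bytes=702545920
2019-11-27T08:02:40 src=10.0.1.23 dst=www.example.com proto=tcp dport=443 bytes=1048576
2019-11-27T08:03:15 src=10.0.1.21 dst=repository.eset.com proto=tcp dport=80 bytes=1073741824
'@

function Get-DirectEsetUpdaters {
    param([string[]]$Lines, [string]$ProxyAddress, [string]$RepositoryHost)

    $pattern = '^(?<ts>\S+)\s+src=(?<src>\S+)\s+dst=(?<dst>\S+).*?bytes=(?<bytes>\d+)'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ Src = $Matches.src; Dst = $Matches.dst; Bytes = [int64]$Matches.bytes }
            }
        } |
        # Keep only update traffic that did not come from the proxy: these endpoints bypass it
        Where-Object { $_.Dst -eq $RepositoryHost -and $_.Src -ne $ProxyAddress } |
        Group-Object Src |
        ForEach-Object {
            [pscustomobject]@{
                Endpoint    = $_.Name
                Connections = $_.Count
                GB          = [math]::Round((($_.Group | Measure-Object Bytes -Sum).Sum / 1GB), 2)
            }
        } |
        Sort-Object GB -Descending
}

# The endpoints listed here are the ones whose agent policy still lacks the HTTP proxy setting
Get-DirectEsetUpdaters -Lines ($SampleLog -split "`r?`n") -ProxyAddress $ProxyHost -RepositoryHost $UpdateHost |
    Format-Table
```

On the constructed sample this lists 10.0.1.21 and 10.0.1.22 and leaves out the proxy itself and the unrelated web traffic.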

 

06 Documentation Deliverables

     Anti-Virus policy upgrade

     ESET Best Practice

     ESET configuration guide

     ESET help resource

 

07 Knowledgebase

 

 


