I would like some advice on optimum security settings. As I stated in another thread I only have av deployed right now and do not have defense+ or firewall on.
The biggest threat in my network right now is rogue AV’s; they slip in and only affect one user profile. I have got very good a removing them by hand. There are continually mutating and AV definitions cannot keep up. What is the best protection for these?
I want to enable firewall but I add global rule to allow any traffic from my network to my network but I still get alerts and blocked when I try to use VNC or remote desktop. I have to create a rule for each application. Am I doing something wrong on the config? Will firewall be a good defense for rogue AV?
I enable defense+ trust an application and still get alerts about it?? Printing is an issue with defense+ application wanting to create a spool file.
In this new version I have sandbox? Is this the best defense for rogue AV? What happens if I leave a good application in the sandbox? Will that application be able to print or save documents?
The new trusted vendor looks promising but doesn’t seem to work well. Is that only for defense+ or can those vendor trusts extend to firewall and sandbox?
RM CIS 4.0 support trusted vendor list.
It is a good idea to add your trusted vendors to CIS list (use Append Action) - you need to enter Vendor name there, for example “Winamp”. Then if D+ is in safe mode it would not ask about Trusted Vendors.
Application would not be sent to sandbox if it is digitally signed and is present in the trusted vendors list.
So it’s a good idea to use Sandbox for this purpose.
You can change Sandbox settings to virtualize file system and registry. It means that changes made by application on disk or registry will be ignored.
Yeah I have had issues with trusted vendors still asking what to do in the CESM. Even with sandbox. For example it throws Outlook into the sandbox everytime. I haven’t been able to use the firewall on the network either. I set allow LAN subnets and set ports any, but it still blocks everything. Currently I am only using the A/V.
On another note, is there anything going on with CDE? I would like to use that on our laptops, but I don’t trust it at the moment. I sent a list of thoughts on the CESM including CDE to sales staff a while back, but I will be more than happy to send it to you if you for review.
Is the option “Trust the application digitally signed by Trusted vendors” enabled in D+ settings?