Channel: Symantec Connect - Blog entries

New SORT Release Available

NetBackup Users,

Just wanted to let you know that a new release of SORT is available with new features relating to NetBackup. For the full blog, including SORT features for Storage Foundation and Availability Solutions, please view: New SORT Release on Feb 11, 2015

NetBackup Solutions:

  • Supported NetBackup 7.6.1 and NetBackup Appliance 2.6.1 in the I&U Checklist (https://sort.symantec.com/checklist/install) and SORT Data Collectors (https://sort.symantec.com/data_collectors)
  • Added client support for SUSE 12 x86-64 and z/Architecture in the Installation Assessment Checklist and SORT Data Collectors
  • Enhanced the Media Server System Requirements section in the HP-UX IA-64 reports to reference the VxFS tuning requirement, vxfs_bc_bufhwm
  • Enhanced the UNIX Data Collector/Custom Report to check for an adequate value for the VxFS buffer cache high water mark, vxfs_bc_bufhwm, for the HP-UX IA-64 platform
  • Included the NetBackup Software Alerts web link in the LBN Hot Fix and Documentation sections of the I&U Checklist
  • Enhanced the I&U Checklist to gather the cluster compatibility data from a new section in the SCL. The Cluster CL document will no longer exist; its data has been added as a new section to the SCL.

Phishing scam targets TurboTax users to steal refund payments

Phishing scam targets popular tax preparation software to steal account credentials and redirect refund payments to criminals.


Google Hangout - Application Availability

Impact Careers: A Changing Approach in a Changing World


February marks Black History Month, an opportunity to pay tribute to generations of African Americans who struggled with adversity to achieve full citizenship in American society. In this spirit, today we hear from Net Impact’s Dwight Smith about how Net Impact is organizing to bring the concept of “impact careers” to Historically Black Colleges and Universities (HBCUs).


Net Impact started on business school campuses more than 22 years ago. Back then, the concept that business should not only aim to create economic gains, but also embrace business models and strategies which generate social and environmental benefits, was still considered fringe. Early Net Impacters worked in chapters on their campuses and were made up of MBA students hungry to explore what an impact job could and should look like – a job that allowed them to use their future careers to drive transformational change in the workplace and the world.

Over the past two decades, due in large part to the efforts of Net Impact and other like-minded organizations, the concepts of sustainability, corporate responsibility, and social entrepreneurship have become more mainstream in the business world. Likewise, Net Impact has grown into a robust network of over 60,000 students and professionals in over 300 chapters around the world.

More diverse backgrounds, viewpoints, and life experiences in the workplace lead to better innovation, improved decision-making, and products and services that better meet the diverse needs of a global marketplace. Knowing this, many businesses, and business schools, have sought to diversify their ranks. And now, Net Impact has started to address the lack of diversity in the impact business world. Net Impact aims to ensure that future leaders from diverse backgrounds are inspired to incorporate social and environmental impact into their careers. 

In order to accomplish this, we have set a goal to increase the diversity of Net Impact’s network, and partnered with Symantec to establish undergraduate chapters at Historically Black Colleges and Universities (HBCUs) and women’s colleges. Historically, interested groups of students or professionals would take the initiative to start a chapter. To be successful in this new endeavor, we had to adopt an active approach to cultivating campus relationships with these new audiences.

Establishing chapters at HBCUs presents some unique challenges. HBCUs were born in an era when young black boys and girls were denied even the most basic right to higher learning. They are small and beautifully tight-knit communities where the adage “It takes a village...” is exemplified in excellent fashion. As a result, faculty and staff can be wary of outside organizations and vet them to confirm that their intentions are in the students' best interest. It’s up to us to build trust. It is also up to us to learn, to listen and to acknowledge the histories and injustices that contribute to that very valid vetting approach. We focus on the value Net Impact could bring to their students. We approach this work with a mindset that respects the legacy of HBCUs, and we work within the existing constructs and hierarchies to explore how Net Impact can fit on campus.

We make the case for the crucial role that the HBCU community can play in addressing the racial inequities and barriers that still exist in the business world today by bringing the voices of their institutions and, most importantly, their students to the table via the Net Impact network. Not only addressing issues stemming from past oppression but looking ahead, we submit that the impact sector and, more broadly, the business sector can play a pivotal role in helping to eradicate the systemic and structural racial inequity that exists in many of our institutions today; inequities that in the past gave initial cause for the existence of HBCUs.

All of our challenges have led us to amazing opportunities. When we sit down with administrators, we are having great conversations. More importantly, when we sit down with students, they are showing a lot of interest. The timing is right for these campuses – they’re eager to find ways to support students in both their academic lives as well as their future professional lives, and the students are eager for personal and professional development and the opportunity to turn their passions into action.

Last year, we launched 5 chapters, and had 10 more in the pipeline for launch. This year, with the continuation of Symantec’s grant, we plan to launch these 10 chapters, plus an additional 10. We’re starting to see some great success stories. The chapter at Spelman College showed enormous resiliency in getting their chapter off the ground despite the departure of their faculty advisor, and now has some really great collaborations planned with the Atlanta University Center. At Jackson State University, they’ve decided to focus on health and housing issues, and are working with Habitat for Humanity to build affordable housing in the communities around their school. It’s exciting to see these chapters’ efforts begin to bear fruit.

This is just our first step towards our goal to significantly diversify Net Impact’s network, and we’re learning as we go. For example, last year’s efforts taught us that the timeline of the chapter launch process from first contact to chapter launch is closer to a two year process than the one year we had initially estimated. We are working with Symantec support to iterate our process in light of that discovery. We want to continue our growth not only in depth but in breadth as well. We would like to continue building partnerships with other minority-serving institutions, as well as explore what Net Impact chapters for non-business majors could look like. For instance, think of the tremendous opportunity that STEM (science, technology, engineering, and math) majors have for driving sustainable transformation within a company, or industry.  

And finally, we are determined to find ways to further integrate a commitment to diversity into Net Impact’s culture and strategy. We’re not looking at this as a “project” – this is just the starting point for us and there is much work left to be done. We’ll be looking at ways to ingrain a pledge to diversity and racial equity across our existing chapters, and continue to highlight and encourage new chapters in new communities. All of our chapters are truly inspirational.

Together, we can pave the way for some really important work. Together, we can have an impact.

Dwight Smith is Net Impact’s Senior Associate, Undergraduate Programs.

In the Age of Data Breaches


When I think of the cyber security realm, three characteristics come to mind: velocity, volume and variety. These three facets of the attack landscape make security a constantly moving target. It’s one of the only verticals where an active attacker can change the state of an industry with the touch of a keyboard.

Over the last decade we have had a front row seat to witness the evolution not just of cyber attacks, but also of society’s growing realization and recognition of the impact these threats pose. Global organizations, corporations, small businesses and average citizens are all targets of interest. Why? Because of their digital information and identities, which cybercriminals value either for financial gain, intellectual property theft or simply leverage.


That said, there is a limited pool of experienced professionals who have the know-how and capabilities to respond to cyber events, which is why I have focused on creating a global team comprised of folks who have unique skills, and, more importantly, vast experience in this realm. I don’t have the chance to quote Shakespeare often, but as he famously wrote, ”Experience is by industry achieved and perfected by the swift course of time.” The element of time controls the tipping point of an attack’s impact and amplifies the importance of speed with incident response.

Looking at the attack landscape through a practitioner’s lens, the goals are to improve response times and effectiveness, lower response costs, and enable continuous improvement of an organization’s security posture by applying the lessons learned from incidents.

The reality of this point in time is that data breaches are increasing, not decreasing, leading to the common saying among security professionals that “it’s not if, but when an organization will be breached.” That said, the fighter in us says we can shift the balance between attacker and victim, between waiting and chance, between reactive and proactive by building incident response strength.

To learn more about how to fight the cyber security war watch my discussion on ZDNet here.

Learn more about how Symantec’s Incident Response services team can help you prepare, detect and respond.

Online criminal group uses Android app for sextortion

Cybercriminals have been threatening to share sexually explicit videos of victims with their friends and family by using malicious Android apps to steal their contact details.


Cybercrime group uses Android apps for sextortion

Cybercriminals use malicious Android apps to steal victims' contact details and then threaten to distribute explicit videos of the victims to their friends and family.


Help Improve the Installation Process for Endpoint Protection


We need your help! We are looking for feedback on a new Quick Start Guide designed to help customers install Symantec Endpoint Protection 12.1 without needing to contact support for assistance.

This new Quick Start Guide is intended to walk customers through a basic installation and configuration, and is a supplement to the larger, more in-depth Installation and Administration Guide.

We would be grateful if you could give us a bit of your time to review the guide and complete a short survey to provide feedback and share your thoughts to help us improve the guide.

Take the Survey Now

Thank you!


Symantec Endpoint Management Webcast Series


To make it easier to find past and upcoming webcasts related to Symantec Endpoint Management solutions, I'm creating this blog post and will keep it updated over time. The links below for past webcasts will include the recording and Q&A. The links for upcoming webcasts will send you to the registration page. Enjoy!

Carbanak: Multi-million dollar cybercrime gang focuses on banks rather than their customers

Carbanak: A cybercrime group that targets banks themselves rather than their customers

Symantec has been tracking the activities of this criminal group, which targets financial institutions, over a long period.


{CWoC} Patch Automation toolkit: ZeroDayPatch, PatchAutomation and PatchExclusion version 10 released.


Version 10 is out today for 7.1 and 7.5; the 7.6 download is in the Connect publishing workflow now, as is a new utility, PatchExclusion, which helps with handling the content of the exclusion table:

Standard documentation and 7.1 builds:

7.5 Gold build (no longer supported)

7.5 SP1 builds:

7.6 Gold builds:

Patch Exclusion (7.1, 7.5 and 7.6 builds):

Enjoy, and let me know if you encounter any issues _and_ if all goes well (I'm not averse to good news ;)

Carbanak: Multi-million dollar cybercriminal gang prefers to focus on banks… and not on their customers

Symantec has been tracking the activities of this group, which focuses on financial crime, for some time


Symantec Signs the UN Global Compact’s Business Action Pledge on Ebola Elimination



Just a few days ago, US President Barack Obama announced plans to withdraw most of the troops from West Africa after a 10-month long military mission to help contain the Ebola virus. The outbreak has been significantly contained from 1,000 new cases a week to roughly 150 a week. However, the fight is far from over. According to WHO, the Ebola virus has claimed over 9,000 lives in this current outbreak and despite the significant drop, continued efforts are required to bring us to zero not just from governments but the community at large.

The UN Global Compact, in partnership with the Ebola Private Sector Mobilization Group (EPSMG), has initiated a pledge calling for the private sector’s commitment to help eliminate Ebola. Companies have a role to play in responding to the virus, particularly businesses with operations or interests in the region. The UN Global Compact and EPSMG want to reach every company that has a footprint in West Africa, and so far over 50 companies have demonstrated leadership by committing to actions. By signing this pledge, Symantec commits to taking steps within our organization to train and prepare our staff, as well as to financially support the emergency response teams in the field. Read our summary of actions below:


Summary of Actions

1. We will train and tell our own staff about Ebola, asking them to pass that knowledge to their families, neighbours and communities to prevent infection and fight stigma. A training on the Ebola disease and prevention will be organised for our staff in South Africa and for individuals traveling to West Africa by the end of February 2015.

2. The Symantec corporate safety and security team will prepare procedures and assets to respond to an outbreak within our own company. We will ask the same of our suppliers.

3. The Symantec CR team will be making a corporate donation of $10,000 USD to United Nations Mission for Ebola Emergency Response.

Additionally, we have provided guidance to all our employees wishing to donate, by updating our internal disaster response page with suggested organizations. The UN organization is currently being added to this list.

The travel team has provided employees with guidance on travel to the region.

The corporate safety and security team has provided its guidance, sharing the information communicated by International SOS on Ebola disease and prevention measures as well as a video on how to reduce the risk of infection. Furthermore, we are closely monitoring reports from the WHO about measures to contain the outbreak of EVD in West Africa.

13 Jan 2015

The New 39-Month SSL Certificate Maximum Validity

Changes in CA/B Forum Baseline Requirements

The past few years within the SSL certificate industry have been busy with changes.  1024-bit RSA certificates are long gone, using public SSL certificates on servers with internal domain names is starting to disappear, and the SHA-1 hash algorithm is starting to see its final days.  So what is next?

Starting 1 April 2015, Certification Authorities (CAs) are not permitted to issue SSL certificates (issued from a public root) with a validity period greater than 39 months. SSL certificates have limited validity periods so that the certificate holder’s identity information is re-authenticated more frequently. It is also a best practice to limit the amount of time any key is in use, leaving less time to attack it.

In line with the latest Certification Authority/Browser Forum Baseline Requirements, CAs will stop issuing 4 and 5-year SSL certificates in the near future.  Symantec plans on eliminating these options in late February 2015 on all SSL management consoles.  Extended Validation (EV) SSL certificates still have a max validity period of 27 months but Organizational Validated (OV) and Domain Validated (DV) certificates (DV not offered by Symantec) will have this new 39-month lifespan.

So how will this affect those who install SSL certificates?  The average person installing certificates in a large enterprise will have to go through the enrollment process a little more often.  If the organization on that level and scale finds this detracts from employee productivity they may want to look at leveraging Symantec Certificate Intelligence Center Automation.  To someone in a small organization who only issues SSL certificates on a very infrequent basis, they may find themselves looking for SSL installation instructions a little more often.  To help you, Symantec has always offered a wealth of information online via our Knowledge Base (the preceding site will be migrating to this location in the near future) and offers amazing support by phone.
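An added example (not code from the original post) for administrators who want to find certificates in their own stores that exceed the limits described above: it computes the validity period in whole calendar months and flags anything over 39 months, or over 27 months when the hypothetical -EV switch is given, since EV status is not inferred from the certificate here.

```powershell
# Added example, not from the original post. Assumed limits: 39 months for OV/DV
# and 27 months for EV certificates, as stated in the post above.

function Get-CertificateValidityMonths {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $start = $Certificate.NotBefore
    $end   = $Certificate.NotAfter
    # Whole calendar months between NotBefore and NotAfter; when the end day of
    # the month is earlier than the start day the last month is not complete
    # (e.g. 15 Jan -> 10 Apr counts as 2 months, not 3).
    $months = (($end.Year - $start.Year) * 12) + ($end.Month - $start.Month)
    if ($end.Day -lt $start.Day) { $months-- }
    return $months
}

function Test-CertificateValidityLimit {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Hypothetical switch: pass it for EV certificates to apply the 27-month limit.
        [switch]$EV
    )
    $limit  = if ($EV) { 27 } else { 39 }
    $months = Get-CertificateValidityMonths -Certificate $Certificate
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        NotBefore      = $Certificate.NotBefore
        NotAfter       = $Certificate.NotAfter
        ValidityMonths = $months
        LimitMonths    = $limit
        ExceedsLimit   = ($months -gt $limit)
    }
}

# Check every certificate with a private key in the local machine's personal
# store (where server certificates normally live) and list the ones over the limit.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CertificateValidityLimit -Certificate $_ } |
    Where-Object { $_.ExceedsLimit } |
    Format-Table Subject, NotBefore, NotAfter, ValidityMonths, LimitMonths -AutoSize

# A certificate file (PEM or DER) can be checked the same way; the path is a placeholder:
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\example.cer'
# Test-CertificateValidityLimit -Certificate $cert
```

Certificates issued before 1 April 2015 may legitimately show a longer period; the check is intended for renewals and new enrollments after that date.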


Please let us know what you think below in the comment section.


JASBUG: What is it? How Are You Protecting Your Legacy Windows Systems?

Protect Your Legacy Server Infrastructure from New Vulnerabilities with Symantec Data Center Security: Server Advanced

Microsoft has issued a security advisory for a critical flaw in Windows that allows attackers to remotely gain full control of vulnerable computers. Referred to as "JASBUG", the Microsoft Windows Group Policy Remote Code Execution Vulnerability (CVE-2015-0008) affects all computers that are members of a corporate Active Directory domain.

What Customers Need to Know

1. The flaw was discovered by security firm JAS Global Advisors, which reported the vulnerability to Microsoft in January last year.

2.  The CVE-2015-0008 bug could allow an attacker to easily hijack a domain-configured Windows computer if it is connected to a wireless or wired malicious network. This gives attackers the ability to perform various actions on the affected computer, including installing programs; deleting, altering, or reading users' data; or creating new accounts with full user rights. The JASBUG vulnerability may not affect home users because their computers are not usually domain-configured.


3.  The CVE-2015-0008 bug exists on the following Windows operating systems: 

  • Windows XP
  • Windows 2000
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows RT
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

4. User interaction (other than normal web browsing, file opening, email viewing, etc.) is not required for attackers to exploit the bug.

5. The vulnerability was disclosed to Microsoft in 2014. However, it took Microsoft almost a year to issue the necessary patches for some (and not all) of the affected operating systems, because this particular vulnerability is a design problem rather than an implementation problem. According to JAS: “IT professionals administering Microsoft environments should immediately review the Microsoft documentation available at https://support.microsoft.com/kb/3000483. As remediation involves a new feature that must be configured on Active Directory Clients and Servers, it is important that systems administrators move rapidly but responsibly.”

6.  When the Microsoft security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been exploited to attack customers.

7. Microsoft did not release a fix for Windows XP, Windows Server 2003, or Windows 2000. The architecture needed to support the fix that is provided in the update does not exist on Windows XP computers, which makes it impractical to build the fix for Windows XP, Windows Server 2003, and Windows 2000. Doing so would require re-architecting a very significant amount of the operating system and not just the affected component. Customers that have purchased custom and extended support from Microsoft will also still be unable to fix this particular vulnerability.

Symantec Recommendations:

As noted in the previous section, Microsoft did not release a patch for Windows XP, Windows Server 2003 and Windows 2000. The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. There are no assurances that current applications running on Windows Server 2003 would continue to run on the re-architected system.

Given these challenges, Symantec recommends that customers use Symantec Data Center Security: Server Advanced to protect their legacy Windows systems against malicious attacks looking to exploit the CVE-2015-0008 vulnerability, instead of relying on patches.

Here are the actions that customers should consider to protect their potentially vulnerable and unpatched systems:

1. Turn on IPS monitoring

Typically, turning on the Symantec Data Center Security: Server Advanced IPS capabilities will be the first line of defense against zero-day threats.

However, since there are no reports of this particular bug being exploited in the wild, we recommend that customers use the IPS monitoring mode for the time being. In monitoring mode the IPS detects and raises alerts on unusual or suspicious activity without taxing application performance.

2. Turn on configuration monitoring, file integrity monitoring, and file, system and admin lockdown

Customers can also set rules so that specific configuration files remain “read-only”. In addition, customers can use DCS: Server Advanced to monitor privileged commands and shell history and to run system hardening checks, which helps detect any unwanted activity.

For configuration monitoring, the Data Center Security: Server Advanced Windows Baseline Detection policy contains options to monitor the Active Directory authentication settings. Under the System Active Directory Change Monitor, Authentication and Encryption Configuration, the following options can be used to alert the user if the SMB Signing configuration is being modified on either the server or client:

  • EnableSecuritySignature Changed
  • RequireSecuritySignature Changed
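The same two values can be watched without the product, which is useful for checking what the DCS: Server Advanced rule will see. The script below is an added example (not DCS code and not from the original post): it snapshots EnableSecuritySignature and RequireSecuritySignature for both the client and server side into a baseline file and reports any drift on later runs. It assumes the values live under the standard LanmanWorkstation and LanmanServer Parameters keys, and the baseline path is a placeholder.

```powershell
# Added example, not part of the original post or of DCS: Server Advanced.
# Assumption: SMB signing settings are stored under these two registry keys.
$SmbSigningKeys = [ordered]@{
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}
$SmbSigningValues = 'EnableSecuritySignature', 'RequireSecuritySignature'

function Get-SmbSigningState {
    # Returns one object per side/value. A missing value is reported as $null
    # rather than skipped, so that deletion of a value is visible as a change too.
    foreach ($side in $SmbSigningKeys.Keys) {
        $props = Get-ItemProperty -Path $SmbSigningKeys[$side] -ErrorAction SilentlyContinue
        foreach ($name in $SmbSigningValues) {
            $value = $null
            if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
                $value = [int]$props.$name
            }
            [pscustomobject]@{ Side = $side; Name = $name; Value = $value }
        }
    }
}

function Save-SmbSigningBaseline {
    # Records the current state as JSON; run this once the hardened settings
    # (RequireSecuritySignature = 1 on both sides) are in place.
    param([Parameter(Mandatory)][string]$Path)
    Get-SmbSigningState | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-SmbSigningBaseline {
    # Emits one object per value whose current setting differs from the baseline;
    # no output means nothing changed.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-SmbSigningState
    foreach ($b in $baseline) {
        $c = $current | Where-Object { $_.Side -eq $b.Side -and $_.Name -eq $b.Name }
        if ($c.Value -ne $b.Value) {
            [pscustomobject]@{
                Side     = $b.Side
                Name     = $b.Name
                Baseline = $b.Value
                Current  = $c.Value
            }
        }
    }
}

# First run: record the known-good state (placeholder path).
# Save-SmbSigningBaseline -Path 'C:\baseline\smb-signing.json'
# Later runs, e.g. from a scheduled task: alert on any drift.
# Compare-SmbSigningBaseline -Path 'C:\baseline\smb-signing.json'
```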

3. Application-level Micro-segmentation

Given what we know, micro-segmentation cannot completely prevent the exploit, but it can certainly minimize a customer’s exposure to it. Customers can use the DCS: Server Advanced ability to define and enforce application-level security settings to lock down and harden critical applications on the potentially vulnerable Windows server systems, until these can be migrated to a more secure platform. Customers that have deployed VMware NSX can also take advantage of the DCS: Server Advanced integration to extend the application-level lockdown to other third-party security tools that are registered with NSX Service Composer (applicable only to DCS 6.5 customers). This "application-level" security approach provides an additional layer of protection for mission-critical applications in the event that a potentially vulnerable Windows system is compromised.

4. Full Application Control and Sandboxing

IT can use DCS: SA to perform full application control, and block any unused web services running on the legacy platforms.  Customers can also set rules to limit the root user’s capabilities.

Key takeaways:

Customers using Symantec Data Center Security: Server Advanced will gain the following benefits:

  • Improve the security posture of their legacy and unpatched Windows servers by protecting them against known and unknown (zero-day) malware.
  • Reduce security incidents and remediation costs with continuous protection even if the server is unable to get the latest patches in a timely fashion.

Equation: Advanced cyberespionage group has all the tricks in the book, and more

Learning more about EV11.0.1

Some great videos to learn more about 11.0.1

Want to learn more about Enterprise Vault 11.0.1?

In our earlier blog "No Normal Service Pack" we explained that EV11.0.1 is no ordinary service pack and told you all about the great new features which have been introduced with this release. We have received a lot of positive feedback from customers and know that many have upgraded or are now planning to do so to take advantage of the new features. Whether you have already upgraded, are thinking about it or need more convincing, the following video lessons will help to educate you about the various new features, so get clicking to learn more about EV11.0.1.

What's New Overview

This module presents an overview of the updates and new features in Enterprise Vault 11.0.1. Details for the new features can be found in the other modules in this eLearning.

Link to Lesson (5 mins)

SMTP Archiving

This module provides an overview of the new SMTP archiving in Enterprise Vault 11.0.1, including a description of the SMTP archiving architecture. Steps for installing and configuring SMTP Archiving are outlined, including examples of how SMTP archiving can be configured to address different use cases. In addition, basic troubleshooting steps for SMTP Archiving are discussed.

Link to Lesson (45 mins)

PST Migration Enhancements

This module describes PST enhancements in Enterprise Vault 11.0.1, including Password Protection Override enhancements and the new PST Ownership Identification feature.

Link to Lesson  (10 Mins)

EVS Enhancements

This module describes the enhancements made to the Enterprise Vault Search interface, including the new Enterprise Vault Search (EVS) Mobile; it lists the features supported by EVS Mobile and explores the EVS Mobile interface. In addition, the module lists the supported platforms and illustrates deployment scenarios for Enterprise Vault Search.

Link to Lesson (20 mins)

Monitoring Enhancements

This module describes the enhancements made to SCOM and System Status in Enterprise Vault 11.0.1.

Link to Lesson (10 mins)

SymHelp

This module provides an overview of the SymHelp tool which is a diagnostic data gathering tool and a troubleshooting utility for multiple Symantec products including Enterprise Vault.

Link to Lesson (10 mins)

Additional Enhancements

This module outlines the Outlook client and SQL versions supported in Enterprise Vault 11.0.1, lists the new reference guides, and describes the new download options for Enterprise Vault client software packages. In addition, Enterprise Vault FSA 11.0.1 support for NetApp Cluster-Mode is described, as well as Compliance Sampling and Accelerator UI updates.

Link to Lesson (15 mins)

Ransomware Do's and Don'ts: Protecting Critical Data


Ransomware threats such as CryptoLocker or CryptoWall are becoming more prevalent in enterprises. The purpose of these threats is quite simple; they are attempting to extort money from their victims with promises of restoring encrypted data.

We have seen a sharp rise in requests from customers with respect to ransomware, and it’s important to understand the risks, what to do and not to do, and how best to prevent yourself from becoming a victim.

  • My data’s been encrypted by ransomware, what now?

    • Do not pay the ransom!

      • Paying the ransom may seem like a realistic response, but it only encourages and funds these attackers. Even if the ransom were paid, what guarantee do you have that you will actually regain access to your files? Remember that these are the same aggressors who are holding your files hostage in the first place. Paying the ransom can actually increase the likelihood that you will be directly targeted for additional extortion attempts.

    • Remove the impacted system from the network and remove the threat.

      • With a multitude of variants it is unrealistic to list the exact steps, but most security vendors have detailed write-ups for the threats that include removal instructions. Removal is best done with the system off the network to prevent any potential spread of the threat.

    • Restore any impacted files from a known good backup.

      • Restoration of your files from a backup is the fastest way to regain access to your data.

    • Can I regain access to my files without paying the ransom or restoring from backup?

      • The answer is most likely no. Earlier variants of these threats simply hid the ransomed files, left copies of the original files in the Volume Shadow Copy service, or left copies of the private encryption keys locally or in memory. It is certainly worth the effort of researching the details of the variant you encountered to see if there are options for you, but for the majority of instances these options no longer apply, as the threat writers have updated their methods using the funds from earlier rounds of extortion.

    • Can I “brute-force” my way into my encrypted files?

      • No, the current threats use a 2048-bit RSA encryption key. Brute-forcing the key is simply not possible currently.

  • What can I do to protect myself from ransomware?

    • Install, configure and maintain an endpoint security solution

      • With the endpoint being the final line of defense from any threat, a multi-faceted security solution should be employed. This solution should have protections for not just file based threats (traditional AV), but should also include download protection, browser protection, heuristic technologies, firewall and a community sourced file reputation scoring system.

      • Symantec Endpoint Protection 12.1 (SEP 12) users can leverage the supplied “High Security” Virus and Spyware Protection policy that was generated automatically during installation of SEP 12 to provide protection for ransomware threats. As the default policies are often edited directly, the details on the specifics settings contained in the policy can be found here.

      • For additional protection from new ransomware variants, the “High Security” policy can be edited and the Download Protection feature can be modified to act on files that have not been proven to be good by the Symantec user base. The options that would need to be altered are located in the “Download Protection” – “Download Insight” - “Also detect files as malicious based on their use in the Symantec Community” section. Enabling the two check boxes next to “Files with:” and “Files known by users for:” and using the default values of 5 and 2 respectively will force the SEP 12 client to treat any file that have not been reported to Symantec by more than 5 users or have been reported for less than 2 days to be treated as unproven files.

ransomware1.jpg
  • The handling of these files is set on the “Actions” tab under “Unproven files” and the setting of “Specify actions for unproven files:” should be set to “Quarantine risk”.  

      (screenshot: ransomware2.jpg)

      • Users of another endpoint antivirus solution should consult their vendor on how to configure their real-time scanning options to match the “High Security” Virus and Spyware policy as closely as possible, and on how to act on file prevalence as determined by that vendor's user base.

    • User Education

      • One of the primary vectors of these threats is “Spear Phishing” attempts, where an unsolicited e-mail will come from an unknown sender with an attachment that is then executed. Educating your users as to proper handling of unknown or suspicious files is crucial.

    • Employ content scanning and filtering on your mail servers.

      • Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.

    • Maintain a current patch level for any operating systems and applications that have known vulnerabilities.

      • Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.

    • Install and configure Host Intrusion Prevention

      • IDS or IPS systems can detect and prevent the communication attempts that the malware uses to create the public and private encryption keys required to encrypt the data.

      • The Symantec Endpoint Protection (SEP) client IPS system blocks this type of communication traffic by default.

    • Block your end users from being able to execute the malware

      • SEP users can leverage the Symantec-supplied example Application and Device Control policies to prevent files from being run from the root and/or subfolders of the user's %AppData% directory, so that the downloaded threat cannot be launched. The policy also blocks launch attempts of files extracted from the compressed formats the threat has been spreading in, blocks AutoRun, blocks access to script files, and blocks execution of files from removable volumes.

      • Software Restriction Policies enforced via GPO can be created and configured to accomplish similar tasks.
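As an added example (not from the original post, and not the Symantec policy it describes), the following PowerShell writes Software Restriction Policy path rules into the local policy registry hive so that executables cannot be launched from %AppData%, %LocalAppData% or the temporary folders that common archive tools extract into; the path patterns are assumptions chosen to illustrate the technique, and in a domain the same rules would normally be delivered by GPO rather than written locally.

```powershell
# Added example: local Software Restriction Policy (SRP) path rules that block
# execution from the folders ransomware droppers commonly land in. In a domain,
# the same rules are pushed by GPO (Computer Configuration > Windows Settings >
# Security Settings > Software Restriction Policies); this targets the local
# machine only and must be run from an elevated PowerShell prompt.

$SaferRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel   = 0        # SRP security level "Disallowed"
$UnrestrictedLevel = 262144   # SRP security level "Unrestricted"

# Constructed list of path rules (assumptions, not the Symantec policy).
# SRP expands environment variables in the user's context at evaluation time.
$BlockedPaths = @(
    '%AppData%\*.exe',        # root of the user's roaming AppData
    '%AppData%\*\*.exe',      # first level of subfolders
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',      # WinRAR extraction folders
    '%Temp%\7z*\*.exe',       # 7-Zip extraction folders
    '%Temp%\wz*\*.exe',       # WinZip extraction folders
    '%Temp%\*.zip\*.exe'      # Windows built-in zip folder handler
)

function Add-SrpPathRule {
    param([Parameter(Mandatory)][string]$Path,
          [int]$Level = $DisallowedLevel,
          [string]$Description = 'Ransomware mitigation: block execution')
    # Each rule lives under <level>\Paths\{GUID} with ItemData holding the pattern.
    $ruleKey = Join-Path $SaferRoot "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0     -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value $Description -PropertyType String -Force | Out-Null
    return $ruleKey
}

function Enable-SrpBaseline {
    # Default level stays Unrestricted; only the explicit path rules deny.
    New-Item -Path $SaferRoot -Force | Out-Null
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $UnrestrictedLevel -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1 -Type DWord  # all software except DLLs
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0 -Type DWord  # all users, admins included
    foreach ($p in $BlockedPaths) { Add-SrpPathRule -Path $p | Out-Null }
}

Enable-SrpBaseline
# Read the rules back so they can be reviewed or audited later.
Get-ChildItem (Join-Path $SaferRoot "$DisallowedLevel\Paths") |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

The rules take effect for newly created processes after a policy refresh (`gpupdate /force`) or a reboot; legitimate software that updates itself from %AppData% will need an explicit Unrestricted rule at level 262144.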

    • Limit end user access to mapped drives

      • The current ransomware threats are capable of browsing and encrypting data on any mapped drive that the end user has access to. Restricting the user's permissions on the share, or on the underlying file system of a mapped drive, limits what the threat is able to encrypt.
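The following PowerShell is an added example, not part of the original post: it lists the current user's mapped network drives and tests whether the account can actually create and delete a file at each drive root. Any drive reported as writable is a share that a ransomware infection running as this user could encrypt, which makes it a candidate for the permission review described above.

```powershell
# Added example: audit which mapped drives the current user can write to.
# Only the drive root is probed, so a share that is read-only at the root but
# writable in subfolders would need a deeper check.
function Test-MappedDriveWriteAccess {
    $mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }
    $results = foreach ($drive in $mapped) {
        # Probe file name is constructed; it is removed again on success.
        $probe = Join-Path $drive.Root ("write-probe-{0}.tmp" -f [guid]::NewGuid())
        $writable = $false
        try {
            [System.IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            $writable = $true
        } catch {
            # Access denied or an I/O error both mean the user cannot write here.
            $writable = $false
        }
        [pscustomobject]@{
            Drive    = $drive.Name
            Share    = $drive.DisplayRoot
            Writable = $writable
        }
    }
    return $results
}

Test-MappedDriveWriteAccess | Format-Table -AutoSize
```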

    • Deploy and maintain a comprehensive backup solution.

      • The fastest way to regain access to your critical files is to have a backup of your data. Backups should cover not only files housed on a server, but also files that reside locally on a workstation. If a dedicated piece of backup software is not an option, simply copying your important files to some sort of removable media and then disconnecting that media from the system will safeguard your data from being impacted by these types of threats.

The above information is provided to help you avoid being taken advantage of by cybercriminals, and to prevent and protect against these types of attacks. This is by no means a complete plan to protect you, but it will certainly decrease your risk level.

Mozilla Firefox Update URL has changed

HTTP link changed from "ORG" to "NET" for FF15-002

For those of you who have secured Internet access on your Notification Servers, please be aware that the download URL for Firefox has been changed without notice.

We realized this reactively, when bulletin FF15-002 failed to download on all our SMP servers and our patching procedures failed.

That would affect all large enterprises, where each external link (URL) access must be requested and approved by security authorities.

  • Up to the FF15-001 bulletin, the download URL was of the form *.MOZILLA.ORG
  • From the FF15-002 bulletin, the download URL has changed to *.MOZILLA.NET

I hope that helps. 
