2. Table of Contents
HOL-PRT-1464 - Applying Data Center Security with Symantec & VMware NSX .... 3
Lab Overview .... 4
Configuring policies, Test Virtual Machine and NSX Security Group .... 5
Introduction .... 6
Prepare Test Virtual Machine .... 7
Deploy Virtual Machine Threat Protection Policy .... 10
Create a NSX Security Group .... 17
Module 1 - Demonstrate Symantec's Virtual Machine Threat Protection and Quarantine Features .... 21
Introduction .... 22
Threat Detection and Quarantine .... 23
Purging .... 37
Rescan and Whitelisting .... 41
Module 2 - Demonstrate Symantec's Virtual Machine Network Security Introspection .... 58
Introduction .... 59
Create New NSX Security Policy with Network Introspection Services .... 60
Simulate Inbound Network Threat in Log Only Mode .... 68
Simulate Inbound Network Threat and Block It .... 71
HOL-PRT-1464 - Page 2
3. HOL-PRT-1464 - Applying Data Center Security with Symantec & VMware NSX
4. Lab Overview
With the Software Defined Data Center (SDDC), there is even more demand for applications to be made available at the speed of business, which has driven automation in orchestration and deployment. This has enabled IT organizations to be agile and lower their time to market. However, we continue to see security as a bottleneck.
Symantec Data Center Security: Server removes this bottleneck by lowering the security tax: it provides threat protection with Symantec's best-in-class AV scan engine and leverages VMware NSX Service Composer to automate and orchestrate security policies that are mapped to security groups. It follows VMware NSX best practices to deliver agentless malware protection for workloads in the Software Defined Data Center.
6. Introduction
In this section you will do the preparation work that both modules require. As part of this you will:
• Prepare the Test Guest Virtual Machine
• Access the Symantec Data Center Security: Server management console to create a threat protection policy and publish it to VMware NSX.
• Use VMware NSX Service Composer to create a security group and add the virtual machine to this group.
7. Prepare Test Virtual Machine
To begin these steps, make sure you are in the Controlcenter VM.
Access the Test Virtual Machine via RDP
Double-click on the "TestGvm.RDP" shortcut on the Desktop.
Unzip the Eicar text file
Double-click on the eicar.zip on the Desktop. Notice that inside this zip file there is a text file called "eicar.txt". Eicar files are used to test threat protection engines: while real malware could do damage, this test file lets you exercise anti-virus software without using a real virus file. Scan engines recognize the Eicar file as a verified test virus file.
For this test, the Eicar test file will be used to test the threat protection features of the Symantec Data Center Security: Server scan engine. This file will be copied to several locations in the next steps. Leave the window open.
8. Create first demo folder
Go to the C: drive and create a folder called "TP_Demo1".
Add Eicar text file to first demo folder
Drag and drop the eicar.txt inside the archive to the "TP_Demo1" folder.
Create second demo folder
Go back to the C: drive and create another folder called "TP_Demo2".
9. Add Eicar text file to second demo folder
Drag and drop the eicar.txt inside the archive to the "TP_Demo2" folder.
Clean up all of the remaining Eicar files
There are several other locations where copies of the Eicar test file are located. Removing these files allows for fewer false positives.
Delete EICAR zip file from Desktop
Right-click on the eicar.zip on the Desktop and select Delete.
Close all folders and files
To prevent the On-Access Scan from triggering on the test files, close all open folders and files.
Minimize the Test Virtual Machine RDP session
The preparation for the Test Virtual Machine is now completed. Minimize the TestGvm RDP session.
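The manual preparation above can also be scripted. The following PowerShell is an added example, not part of the lab: it creates the two demo folders, writes the Eicar test file into each, and computes the SHA-256 digest that the whitelisting steps of Module 1 are keyed on. The folder paths and file name are the lab's; the function names are mine, and the test string is assembled from two halves so that this document does not itself carry the contiguous signature.

```powershell
# Added example (not part of the lab): scripted equivalent of the Test Virtual
# Machine preparation. Assumes it runs inside TestGvm with rights to write to C:\.

function Get-EicarString {
    # The 68-byte EICAR standard anti-virus test string, assembled from two
    # halves so this document does not carry the contiguous signature. Single
    # quotes keep PowerShell from expanding $EICAR and $H as variables.
    $head = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
    $tail = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    return $head + $tail
}

function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    # Plain .NET hashing so this also works on the PowerShell 2.0 that ships
    # with Windows 7; Get-FileHash needs PowerShell 4.0 or later.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { $digest = $sha.ComputeHash($Bytes) } finally { $sha.Clear() }
    return ([System.BitConverter]::ToString($digest) -replace '-', '').ToLower()
}

function New-EicarDemoFolder {
    param([Parameter(Mandatory=$true)][string]$Folder)
    # Create the folder and write eicar.txt as ASCII with no BOM and no trailing
    # newline, so the test string is exactly the first 68 bytes of the file.
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    $file = Join-Path $Folder 'eicar.txt'
    [System.IO.File]::WriteAllText($file, (Get-EicarString), [System.Text.Encoding]::ASCII)
    return $file
}

# Published SHA-256 of the EICAR test file; used to check what was written.
$knownEicarSha256 = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# The whitelist entry in SVA_Config_Base_Policy is keyed on this digest, so it
# is computed from the bytes rather than from the file on disk, which the
# on-access scan may already have quarantined by the time we read it back.
$eicarBytes = [System.Text.Encoding]::ASCII.GetBytes((Get-EicarString))
$digest = Get-Sha256Hex -Bytes $eicarBytes
"EICAR length: {0} bytes, SHA-256: {1}" -f $eicarBytes.Length, $digest
if ($digest -ne $knownEicarSha256) {
    Write-Warning 'Digest does not match the published EICAR value; check the test string.'
}

# The two lab folders from the manual.
foreach ($folder in @('C:\TP_Demo1', 'C:\TP_Demo2')) {
    $written = New-EicarDemoFolder -Folder $folder
    "Wrote {0}" -f $written
}
```

Keep the printed digest at hand: it is the value the "SHA-256 Digest" field of the SVA_Config_Base_Policy whitelist expects later in Module 1.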
10. Deploy Virtual Machine Threat Protection Policy
To begin these steps, return to the Controlcenter VM.
Access the Symantec Data Center Security: Server Management Server
Double-click on the "Symantec DCS.RDP" shortcut on the Desktop of the Controlcenter.
Symantec Data Center Security: Server Management Console
Click on the "Management Console" shortcut on the Desktop of the Symantec DCS RDP session.
11. Log into the Management Console
Credentials to access the Management Console are:
• User name: symadmin
• Password: VMware1!
Click on the "Log On" button
Access the Virtual Machine Threat Protection policies
Go to Policies > Virtual Machine Threat Protection.
12. Access the Symantec default policies workspace folder
Click on Policies > Workspace > Symantec folder on the left panel.
Edit the existing Virtual Machine Threat Protection Policy
Right-click on the "Virtual Machine Threat Protection Policy" and select "Edit".
13. Disable the Rescan policy option
On the Policy's General Settings, uncheck the box next to "Rescan Quarantine files
when On-Demand scans runs" option. This feature will be enabled in a later step.
14. Verify proper Network Security Settings
Verify that the checkbox next to "Block connection when threats are found..." option is
unchecked. Notice that this setting will allow the policy to only log threats. In a later
module this feature will be enabled to test Symantec's Network Threat Protection
Services.
Save Policy Settings
Click the "OK" button to save policy settings.
15. Submit policy changes
1. Type "1" as the new Revision number
2. Click on the "submit" button to finalize and submit policy changes
Publish Policy
Right-Click on the "Virtual Machine Threat Protection Policy" and select "Publish Policy".
16. Accept Threat Protection Policy overwrite warning
A pop-up informing you that the new changes to the policy will overwrite the existing
published policy will appear. Click the "Ok" button. The same policy will be used
throughout the lab, so overwriting the policy is part of the normal process.
Accept Threat Protection policy published successfully pop-up
After allowing the policy to be overwritten you will receive a pop-up informing you that
the Threat Protection Policy was successfully published. Click on the "Ok" button to
confirm. You will now see a green dot next to the "Virtual Machine Threat Protection
Policy" reaffirming the action.
Minimize the Symantec DCS RDP session
The configuration changes and deployment of the Threat Protection Policy are now completed.
Minimize the Symantec DCS RDP session.
17. Create a NSX Security Group
In this section you will:
• Create a security group which will contain the Test virtual machine. This NSX security group will be used for the upcoming modules.
To begin these steps, make sure you are in the Controlcenter VM.
Access the Google Chrome Web Browser
On the ControlCenter VM, click on the Google Chrome web browser shortcut on the Desktop. Feel free to select another browser if desired.
Access the vSphere Web Client homepage
Click on the Google Chrome's link shortcut displayed below.
18. Login to the vSphere Web Client Home Page
Use the following credentials...
• User name: root
• Password: VMware1!
Do not use Windows session authentication.
Access the Network & Security panel (NSX)
On the vSphere Web Client home page select the "Network and Security" tab to access the VMware
NSX appliance settings.
19. Access the Service Composer
On the "Network and Security" home page select the "Service Composer" tab.
Access the Security Groups tab
Click on the "Security Groups" tab.
Create a new Security Group
Click on the "New Security Group" icon.
20. Name the Security Group
Name the security group "Symantec Protected Group". No need to add a description.
Include the Test Virtual Machine in the new Security Group
1. Select the 3rd option "Select objects to include".
2. Scroll through the filters until you find "Virtual Machine" and click on it.
3. Select the Test Virtual Machine (Win7-DCS-TestGvm)
4. Click the "Finish" button.
21. Module 1 - Demonstrate Symantec's Virtual Machine Threat Protection and Quarantine Features
22. Introduction
In this module you will learn how to:
• Create security policies using VMware NSX Service Composer.
• Add an endpoint service for Anti-Virus.
• Use VMware NSX Service Composer to consume the policy created by Symantec Data Center Security: Server.
• Map this policy to a security group that is used to protect a Guest Virtual Machine (GVM).
• Use the Data Center Security: Server management console to verify the GVMs that are monitored and protected.
• Evaluate the flexibility of Data Center Security: Server by creating a targeted scan.
• Review quarantined files and their event descriptions.
23. Threat Detection and Quarantine
To begin this module access the vSphere Web Client and go to the "Network and Security" home
page.
Access the Service Composer
On the "Network and Security" home page select the "Service Composer" tab.
Access the Security Policies tab
Click on the "Security Policies" tab.
24. Create new Security Policy
Click on the "Create Security Policy" icon.
Name the Security Policy
Name the Security Policy "DCS AV Security Policy". Leave all the defaults. Click on
the "Next" button.
25. Add an Endpoint Service
Click on the "Add endpoint service" icon.
26. Provide appropriate entries and selections for new Endpoint Service
1. Name: "DCS AV Policy"
2. Action: "Apply"
3. Service Type: "Anti Virus"
4. Service Name: "Symantec DataCenter Security for VMware NSX"
5. Service Configuration: "Virtual Machine Threat Protection Policy"
6. State: "Enabled"
7. Enforce: "Yes"
8. Click the "OK" button
27. Complete the new Security Policy
Click on the "Finish" Button to complete the policy.
Apply new Security Policy to existing Security Group
Right-click on the new "DCS AV Security Policy" and select "Apply Policy".
28. Select the Security Group to which the Security Policy will be applied
From the resulting pop-up check the security group "Symantec Protected Group" and
click on the "OK" button.
29. Check Security Groups in the Symantec Data Center Security: Server Management Console
1. Go back to your Symantec DCS RDP session by maximizing the Window
2. Go to Assets > Virtual Machine Threat Protection > Guest VM View > Security Groups
3. Click "Refresh"
4. Once the refresh completes the "Symantec Protected Group" should appear in the list of
Security Groups
Verify that Test Virtual Machine is protected
Double-click on the "Symantec Protected Group" to check if the test virtual machine is under the
Protected Guest VMs.
30. Activate a scan on the Test Virtual Machine
Right-click on the Test Virtual Machine "Win7-DCS-TestGvm" and select "Scan Now".
31. Select scan type option
In the resulting pop-up, select "Scan Targeted Paths".
32. Add folder Path
Click on the "Add" button and enter the path "C:\TP_Demo1". Click on the "OK" button.
Start Scan
Click on the "Scan Now" to trigger the threat protection scan. Click "Ok" on the
success pop-up.
33. Verify path on Test Virtual Machine to see if EICAR test was detected
Return to the TestGvm RDP session (Test Virtual Machine), go to C:\TP_Demo1 and verify the eicar.txt file is missing.
34. Find the quarantined file
Go to "C:\VirtualAgentQuarantine" and verify a file exists. This is the quarantined Eicar test file.
Note: Several other files could be present in this folder. Make sure you check the modified date of the file(s) present. The name of the file in this quarantine folder will also differ from the original.
Verify data inside quarantine file is obfuscated
Open this file in notepad. Verify the data is obfuscated (i.e. Eicar string is not readable).
35. Verify that an "Endpoint malware threat detected" event exists in the Symantec Data Center Security: Server Management Console
1. Minimize the current TestGvm RDP session and return to the Symantec DCS RDP session
2. Go to Monitors > Events tab > Monitor Types > Virtual Machine Threat Protection Events
3. Refresh and verify an "Endpoint malware threat detected" event exists.
36. Check "Endpoint malware threat detected" event details
Double-click on the "Endpoint malware threat detected" event. Verify that the infected file shown is "C:\TP_Demo1\eicar.txt".
37. Purging
In the previous section an eicar.txt file was quarantined. In this section, you will see how Data Center Security: Server can be configured to purge quarantined files after a specific time.
Confirm purge quarantine files time interval
Per the "Virtual Machine Threat Protection Policy", the quarantine file feature was enabled and the default for purging quarantined files was left at purging files older than 30 days. In the next set of steps the Test Virtual Machine's time and date will be modified to make sure that the quarantined file (C:\TP_Demo1\eicar.txt) is successfully purged from the system after the set time interval.
Note the date on the Test Virtual Machine
Open the date/time pop-up on the bottom right of the screen. Note the date (i.e. July 16, 2014).
38. Advance date on Test Virtual Machine 30 days forward
1. Click on the start menu and type "PowerShell"
2. Right-click on the first result and select "Run as administrator"
3. Run the following command in PowerShell:
Set-Date -Date (Get-Date).AddDays(30)
39. Verify files are purged from the Quarantine folder
Note that the date moved forward 30 days (i.e. August 15, 2014). Within 2 minutes, the files in the
quarantine folder will be purged/deleted per the configuration on the "Virtual Machine Threat
Protection Policy".
40. Reset time on the Test Virtual Machine
Run the following command in PowerShell:
Set-Date -Date (Get-Date).AddDays(-30)
Confirm that machine is back to original date (i.e. July 16, 2014).
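The retention rule exercised by the clock change above can also be evaluated directly. The following PowerShell is an added example, not part of the lab: the helper takes the reference time as a parameter, so the 30-day rule can be checked against a future date without running Set-Date on the guest. The folder, file names and function name are mine; the sample quarantine folder is constructed under %TEMP%.

```powershell
# Added example (not part of the lab): evaluate the quarantine retention rule
# directly. Requires PowerShell 3.0 or later (for Get-ChildItem -File).

function Get-PurgeCandidate {
    param(
        [Parameter(Mandatory=$true)][string]$QuarantinePath,
        [int]$OlderThanDays = 30,           # policy default quoted in the manual
        [datetime]$Now = (Get-Date)
    )
    # A file is due for purge when its last-write time is older than the
    # retention window counted back from $Now. Taking $Now as a parameter
    # lets the rule be tested against a future date without Set-Date, which
    # also shifts every other timestamp and log entry on the guest.
    $cutoff = $Now.AddDays(-$OlderThanDays)
    Get-ChildItem -LiteralPath $QuarantinePath -File |
        Where-Object { $_.LastWriteTime -lt $cutoff }
}

# Constructed sample: a throwaway quarantine folder holding one file
# quarantined five minutes ago and one back-dated 45 days.
$sample = Join-Path $env:TEMP ('quarantine-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
$recent = New-Item -ItemType File -Path (Join-Path $sample 'recent.bin')
$recent.LastWriteTime = (Get-Date).AddMinutes(-5)
$old = New-Item -ItemType File -Path (Join-Path $sample 'old.bin')
$old.LastWriteTime = (Get-Date).AddDays(-45)

# With today's clock only old.bin is past the 30-day window.
$dueNow = @(Get-PurgeCandidate -QuarantinePath $sample)
"Due today:          {0}" -f (($dueNow | ForEach-Object { $_.Name }) -join ', ')

# Evaluating 30 days ahead mirrors the lab's Set-Date -Date (Get-Date).AddDays(30):
# recent.bin is now older than the window too, so both files are purged.
$dueLater = @(Get-PurgeCandidate -QuarantinePath $sample -Now (Get-Date).AddDays(30))
"Due after +30 days: {0}" -f (($dueLater | ForEach-Object { $_.Name }) -join ', ')

Remove-Item -LiteralPath $sample -Recurse -Force
```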
41. Rescan and Whitelisting
The rescan option in the Threat Protection Policy's Quarantine settings rescans the quarantined files when On-Demand Scans are run. Quarantined files are released/restored to their original location if they are no longer classified as threats, either because of new definitions or because they are explicitly whitelisted in the Scan Settings of the Security Virtual Appliance configuration base policy (SVA_Config_Base_Policy). In this section you will rescan after whitelisting the Eicar test file.
Activate a second scan on the Test Virtual Machine
1. Go back to your Symantec DCS RDP session by maximizing the Window
2. Go to Assets > Virtual Machine Threat Protection > Guest VM View > Security Groups >
Symantec Protected Group
3. Right-click on the Test Virtual Machine "Win7-DCS-TestGvm" and select "Scan Now"
42. Select scan type option
In the resulting pop-up, select "Scan Targeted Paths".
43. Add folder Path
1. Click on the "Add" button
2. Enter the path "C:\TP_Demo2"
3. Click on the "OK" button.
Start Scan
Click on the "Scan Now" to trigger the threat protection scan. Click "Ok" on the
success pop-up.
44. Verify path on Test Virtual Machine to see if Eicar test was detected
Return to the TestGvm RDP session (Test Virtual Machine), go to C:\TP_Demo2 and verify the eicar.txt file is missing.
Verify Eicar test file is in quarantine folder
Go to "C:\VirtualAgentQuarantine" and verify the quarantined eicar.txt file exists.
45. Edit Virtual Machine Threat Protection Policy
1. Return to your Symantec DCS RDP session
2. Go to Policies > Virtual Machine Threat Protection > Workspace > Symantec folder
3. Right-click on the "Virtual Machine Threat Protection Policy" and select "Edit"
46. Enable Rescan in the Virtual Machine Threat Protection Policy
Check the "Rescan quarantined files..." option and click the "Ok" button.
47. Edit policy revision number
In the resulting "submit changes" pop-up, edit Revision number from 2 to 1. (This
avoids steps to reconfigure Security Policy on the vSphere Web Client)
Publish Virtual Machine Threat Protection Policy
Right-Click on the "Virtual Machine Threat Protection Policy" and select "Publish Policy". Click OK
when asked to over-write existing policy. A second pop-up will appear stating that the policy won't
take effect until you apply to a Security Group. Click OK to finalize action.
48. Find latest "Endpoint malware threat detected" event
1. Go to Monitors > Events > Monitor Types > Virtual Machine Threat Protection Events
2. Notice the latest "Endpoint malware threat detected" event. Double-click on the event to see the event details
49. Copy the Eicar test file hash
1. Copy the file hash value by double-clicking on it to highlight it and using keyboard shortcut
CTRL + c
2. Close the event detail window
50. Edit Security Virtual Appliance Configuration Base Policy
1. Go back to Policies > Virtual Machine Threat Protection > Workspace > Symantec folder
2. Right-click on the "SVA_Config_Base_Policy" and select "Edit"
51. Whitelist the Eicar test file
1. Go to the "Scan Settings" tab
2. Click on "Edit[+]" to see the list of whitelisted files
3. Click on the "Add" button
4. In the "SHA-256 Digest" field, paste the file hash copied earlier using the keyboard shortcut CTRL + v
5. In the "Description" field, type "EICAR Test Demo File"
6. Click "OK" to enter the new entry into the list
7. Click on the "OK" button on the policy to save the change
8. Click on the "Submit" button to submit changes (Note: no need to modify
Revision number here)
53. Publish Security Virtual Appliance Configuration Base Policy
Right-click on the "SVA_Config_Base_Policy" and select "Publish". Click OK on the success pop-up.
54. Activate a third scan on the Test Virtual Machine
1. Go back to Assets > Virtual Machine Threat Protection > Guest VM View > Security Groups > Symantec Protected Group
2. Click on the "Refresh" Button
3. Right-click on the Test Virtual Machine "Win7-DCS-TestGvm" and select "Scan Now"
55. Select scan type option
In the resulting pop-up, select "Scan Targeted Paths".
56. Add folder Path
1. Click on the "Add" button
2. Enter the path "C:\TP_Demo2"
3. Click on the "OK" button.
Start Scan
Click on the "Scan Now" to trigger the threat protection scan. Click "Ok" on the
success pop-up.
57. Verify that the whitelisted file was restored
1. Go back to the TestGvm (Test Virtual Machine) RDP session
2. Make sure that the eicar.txt test file in C:\TP_Demo2 was restored
3. The Quarantine folder C:\VirtualAgentQuarantine should be empty
59. Introduction
This module discusses:
• Registering DCS: Server 6.0 with vCenter and NSX
• Registering the SVA with NSX
• Configuring auto-deployment of the vCenter Endpoint Service
• Configuring auto-deployment of the Symantec Anti-malware Service
• Verifying the status of the service deployment
60. Create New NSX Security Policy with Network Introspection Services
To begin this module access the vSphere Web Client and go to the "Network and Security" home
page.
Access the Service Composer
On the "Network and Security" home page select the "Service Composer" tab.
Access the Security Policies tab
Click on the "Security Policies" tab.
61. Create new Security Policy
Click on the "Create Security Policy" icon.
Name the new Security Policy
Name the Security Policy "DCS Network Threat Protection".
62. Add a new Network Introspection Service option
1. Click on the 4th option on the left side panel named "Network Introspection
Services"
2. Click on the green plus (+) icon to add a new Network Introspection Service
63. Provide appropriate entries and selections for new Network Introspection Service
1. Name: "DCS Network Threat"
2. Service Name: "Symantec DataCenter Security Service for VMware NSX"
3. Profile: "Virtual Machine Threat Protection Policy profile"
4. Source: Click on "Change...", on the source pop-up select "Any"
5. Destination: Leave as "Policy's Security Groups"
6. Click the "OK" button
• The "Source" and "Destination" selection will apply to “Incoming” traffic from
"Any" to the security group where this policy gets applied.
• Leave the remaining default settings.
65. Finalize changes to the existing Security Policy
Click on the "Finish" Button to save and finalize the new "DCS Network Threat"
security policy.
66. Apply new Security Policy to existing Security Group
Right-click on the new "DCS Network Threat Protection" and select "Apply Policy".
67. Select the Security Group to which the Security Policy will be applied
From the resulting pop-up check the security group "Symantec Protected Group" and
click on the "OK" button.
68. Simulate Inbound Network Threat in Log Only Mode
In this section you will simulate a network threat, specifically a SQL injection, against a SQL web front end. The Test Virtual Machine (TestGvm) hosts an implementation of PHP for Windows running on an Internet Information Services (IIS) server. The victim website hosted on the Test Virtual Machine contains a table with dummy personally identifiable information (PII). A URL with a crafted SQL injection query will be used to test whether the attack is allowed or denied.
In this step, the SQL injection simulation will be successful since the Virtual Machine Threat Protection Policy is set to log only mode.
Refresher of Network Security Settings in Virtual Machine Threat Protection policy
In an earlier step it was verified that the "Block connection when threats are found (Threats will only be logged when left unchecked)" option was unchecked. There is no need to modify the "Virtual Machine Threat Protection Policy" for these steps since the policy is already configured to only log when a threat is found.
Type the URL with a crafted SQL injection query and explore results
• From the Controlcenter access the Google Chrome web browser
• Click on the "Access PHP File from..." bookmark in the bookmarks bar
• or type the URL directly:
http://192.168.120.30/ax/gettprojectnodes.php?test=1&root_node=selectfromwhere
Notice how the URL is structured and the results you get in the web browser. The PII data is now exposed.
Verify that "Guest network threat detected" event exist in the
Symantec Data Center Security: Server Management Console
1. Return back to the Symantec DCS RDP session
2. Go to Monitors> Events tab > Monitor Types > Virtual Machine Threat Protection Events
3. Refresh and verify a "Guest network threat detected" event exists.
70. Check "Guest network threat detected" event details
The remediation status is “Guest network threat logged” since the Virtual Machine Threat Protection
Policy is configured to only log when the threat is found. Some of the information logged in the event
include: threat name, source and destination IP address and port of the network traffic, among
others.
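In log-only mode the request also leaves a trace on the guest itself, because IIS served it. The following PowerShell is an added example, not part of the lab: it parses IIS W3C log lines (constructed here; the URL and server address are the lab's, the client address 192.168.110.10 is made up) and flags queries carrying the keyword sequence from the lab URL, which runs the keywords together and would slip past a word-boundary regex. The function names are mine.

```powershell
# Added example (not part of the lab): find requests like the lab's SQL injection
# URL in IIS W3C logs. Log lines below are constructed; URL and server address
# are the lab's, the client address is made up. PowerShell 3.0 or later.

function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    # W3C logs name their columns in a "#Fields:" directive; map each data row
    # onto those names so callers can read cs-uri-query and friends by name.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$row
    }
}

function Test-SqlKeywordSequence {
    param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$Query)
    # URL-decode and lower-case before matching so %73elect is seen as select,
    # then look for SELECT ... FROM ... WHERE in order without requiring any
    # separator: the lab payload is the three keywords run together
    # (selectfromwhere), which a \bselect\b style regex would miss.
    $decoded = [System.Uri]::UnescapeDataString($Query).ToLowerInvariant()
    return [bool]($decoded -match 'select.*from.*where')
}

# Constructed sample log: one ordinary request, the lab URL, and the same
# payload with its first character URL-encoded.
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status'
    '2014-07-16 10:01:02 192.168.120.30 GET /ax/gettprojectnodes.php test=1&root_node=42 192.168.110.10 200'
    '2014-07-16 10:01:09 192.168.120.30 GET /ax/gettprojectnodes.php test=1&root_node=selectfromwhere 192.168.110.10 200'
    '2014-07-16 10:01:40 192.168.120.30 GET /ax/gettprojectnodes.php test=1&root_node=%73electfromwhere 192.168.110.10 200'
)

ConvertFrom-IisW3cLog -Lines $sampleLog |
    Where-Object { Test-SqlKeywordSequence -Query $_.'cs-uri-query' } |
    ForEach-Object {
        # sc-status 200 beside a flagged query means IIS served the request:
        # that is the footprint of log-only mode. In block mode the connection
        # is dropped before IIS sees it, so only the SVA event records it.
        '{0} {1} {2} -> {3}?{4} status {5}' -f $_.date, $_.time, $_.'c-ip', $_.'cs-uri-stem', $_.'cs-uri-query', $_.'sc-status'
    }
```

Correlating a flagged IIS line with the "Guest network threat detected" event by time, source IP and port confirms which requests were only logged and which were blocked.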
71. Simulate Inbound Network Threat and Block It
In this step the network threat (SQL injection) will be activated one more time. This time the SQL
injection simulation will fail as we will make changes on the Virtual Machine Threat Protection Policy
to prevent the attack from occurring.
Access the Virtual Machine Threat Protection policies
Go to Policies > Virtual Machine Threat Protection.
Access the Symantec default policies workspace folder
Click on Policies > Workspace > Symantec folder on the left panel.
72. Edit the Virtual Machine Threat Protection Policy
Right-click on the "Virtual Machine Threat Protection Policy" and select "Edit".
73. Modify Network Security Settings to enable the blockage of threats
1. Check the box next to "Block connection when threats are found..." option.
2. Click on the "Ok" button
Submit policy changes
1. Type "1" as the new Revision number
2. Click on the "submit" button to finalize and submit policy changes.
74. Publish Policy
Right-Click on the "Virtual Machine Threat Protection Policy" and select "Publish Policy".
Accept Threat Protection policy overwrite warning
A pop-up informing you that the new changes to the policy will overwrite the existing published policy will appear. Click the "Ok" button.
75. Accept Threat Protection Policy published successfully pop-up
After allowing the policy to be overwritten you will receive a pop-up informing you that
the Threat Protection was successfully published. Click on the "Ok" button to confirm.
You will now see a green dot next to the "Virtual Machine Threat Protection Policy"
reaffirming the action.
76. Type the URL with a crafted SQL injection query and explore results
• From the Controlcenter access the Google Chrome web browser
• Click on the "Access PHP File from..." bookmark in the bookmarks bar
• or type the URL directly:
http://192.168.120.30/ax/gettprojectnodes.php?test=1&root_node=selectfromwhere
Notice how the URL is now blocked. The Virtual Machine Threat Protection Policy is now actively
blocking network threats.
77. Verify that "Guest network threat detected" event exist in the
Symantec Data Center Security: Server Management Console
1. Return back to the Symantec DCS RDP session
2. Go to Monitors> Events tab > Monitor Types > Virtual Machine Threat Protection Events
3. Refresh and verify a "Guest network threat detected" event exists.
78. Check "Guest network threat detected" event details
The remediation status this time is "Guest network threat blocked" since the Virtual Machine Threat Protection Policy is configured to block the connection when a threat is found.