Pretty interesting read on several vulnerabilities relating to Symantec Endpoint Protection
http://codewhitesec.blogspot.be/2015/07/symantec-endpoint-protection.html
The article discusses various means to remotely compromise the management console and plant code in the distribution package.
There are several takeaways here:
- Given that your security product is supposed to be securing your entire environment, your management console must be locked down, patched, etc.
- If you haven’t performed an audit on your management console settings, you are asking for trouble. At the very least, explain why you have certain rules in place (file/folder exceptions come to mind)
- Does your management console have an auditing function? Do you check it?
- Are the endpoint packages that you create verified and signed?
- (To the vendors) Do services really require local SYSTEM to run?
- If your endpoint product is compromised, you can no longer trust it or the system that it is protecting.