Pretty interesting read on several vulnerabilities relating to Symantec Endpoint Protection
The article discusses several ways to remotely compromise the management console and to plant code in the endpoint distribution package.
There are several takeaways here:
- Given that your security product is supposed to be securing your entire environment, its management console must be locked down, patched and kept off any network segment that does not need to reach it.
- If you have never audited your management console settings, you are asking for trouble. At the very least, be able to explain why each rule is in place (file/folder exceptions come to mind: any path you exclude is a path the product no longer inspects, so an attacker who can add or abuse one gets a scan-free place to drop code).
- Does your management console have an auditing function? Do you actually review what it records?
- Are the endpoint packages that you create verified and signed, and does the deployment side check that signature before installing?
- (To the vendors) Do services really require local SYSTEM to run?
- If your endpoint product is compromised, you can no longer trust it or the system it is protecting.
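To make the "verified and signed packages" point concrete, here is an added example (not code from the article, from Symantec, or from any SEP component) of the minimum check a deployment step should do: a build step records a hash of every file in the package directory and authenticates that manifest, and the deploy step re-hashes the directory and refuses any modified, missing or extra file. An extra file is exactly what "planting code in the distribution package" looks like. The HMAC key is an assumption standing in for the asymmetric signing key (Authenticode or similar) you would keep off the management server; the package contents are constructed.

```python
"""Added example: manifest-based integrity check for a distribution package.
Not code from the article or the product it discusses. The HMAC key stands in
for a real signing key held outside the management console."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out


def _canonical(files):
    # Deterministic encoding so the MAC does not depend on dict ordering.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(root, key):
    """Build step: hash every file and authenticate the manifest."""
    files = hash_tree(root)
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "mac": tag}


def verify_manifest(root, manifest, key):
    """Deploy step: return (ok, findings); findings lists every reason the package fails."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC invalid: manifest itself was altered"]
    actual = hash_tree(root)
    findings = []
    for path, digest in manifest["files"].items():
        if path not in actual:
            findings.append(f"missing: {path}")
        elif actual[path] != digest:
            findings.append(f"modified: {path}")
    for path in actual:
        if path not in manifest["files"]:
            findings.append(f"planted (not in manifest): {path}")
    return not findings, findings


def demo():
    """Constructed package: build and sign it, then plant a DLL and patch the installer."""
    key = b"example-signing-key-keep-this-off-the-console"  # assumption: placeholder key
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "sep_package"
        (pkg / "bin").mkdir(parents=True)
        (pkg / "setup.exe").write_bytes(b"MZ...installer bytes (constructed)")
        (pkg / "bin" / "agent.dll").write_bytes(b"MZ...agent bytes (constructed)")
        manifest = sign_manifest(pkg, key)
        clean_ok, _ = verify_manifest(pkg, manifest, key)

        # Attacker with write access to the package share plants a loader and patches the installer.
        (pkg / "bin" / "evil.dll").write_bytes(b"MZ...planted (constructed)")
        (pkg / "setup.exe").write_bytes(b"MZ...patched installer (constructed)")
        tampered_ok, findings = verify_manifest(pkg, manifest, key)

        # Attacker also edits the manifest to cover the planted file, but cannot recompute the MAC.
        forged_files = dict(manifest["files"])
        forged_files["bin/evil.dll"] = hash_tree(pkg)["bin/evil.dll"]
        forged = {"files": forged_files, "mac": manifest["mac"]}
        forged_ok, forged_findings = verify_manifest(pkg, forged, key)

        return clean_ok, tampered_ok, sorted(findings), forged_ok, forged_findings


if __name__ == "__main__":
    print(demo())
```

The check deliberately treats an unexpected extra file as a failure rather than ignoring it; a whitelist-style manifest is the only way a planted binary shows up, since its own hash is of course "correct". The verifier key must not live on the console that the article shows being compromised, otherwise the attacker simply re-signs.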