Updates to Symantec on software-central and background information

From: Allison Henry <akhenry_at_berkeley.edu>
Date: Thu, 13 Dec 2007 09:20:34 -0800

To the Micronet community,

The software-central website has now been updated to clearly state the
log collecting nature of the "UCB Custom" client and the available
alternatives for opting out. The kb article linked on the download pages
provides additional details on what we are collecting and how we use the
information: https://kb.berkeley.edu/kb1525.

I thought it might also be helpful to offer some history behind this
project for those who are interested in learning why we are offering
this service:

Back in May 2006 a serious vulnerability in Symantec AntiVirus was
announced that would allow an attacker to execute code on a remote
machine listening on the port Symantec uses to communicate with a
management server. When SNS became aware of the vulnerability, we sent
several notices out through the standard channels. Several months later
exploits to this vulnerability appeared on campus, and once again we
notified administrators of the seriousness of the threat. Despite these
efforts, hundreds of machines across the campus were compromised over
the course of many weeks. Due to the nature of the exploits each
compromise required a complete rebuild, and in several cases the rebuild
included the vulnerable Symantec software, resulting in another
compromise. This experience showed us that keeping track of Symantec
installations and making sure they are secured against current threats
is a challenge on this campus.

We discussed the situation with our Symantec reps and were told of some
of the solutions the company has planned, and were given advice on best
practices. One of those best practices was running a central management
console where we can keep track of version and virus definition levels.
After further discussion we began piloting a central Symantec management
and reporting service. The service would allow us to 1) get a better
view into the current threats to campus systems and 2) notify security
contacts of problems with Symantec, such as out-of-date software and
virus definitions. This pilot was announced to Micronet, UCB-security,
and iNews along with the kb article for additional details.

The pilot has been running for several months now, and we have
approximately 1000 clients reporting to the reporting server. Despite
the name "management service" we do not manage the Symantec software,
other than to distribute it with a set of default settings. We collect
log and client status information. We recently implemented a
notification system where security contacts are notified if a Symantec
client reports to the manager with out-of-date virus definitions or with
a virus that Symantec was unable to clean.

I hope that administrators will find this service useful, and that if
another serious vulnerability in the Symantec software is announced, we
will be able to use the service to help you identify your vulnerable
clients before they are compromised. While the pilot period is now
completed and the service is in full production, I would still like to
hear comments from administrators on how the service works for your
client systems.

Please let me know if you have any additional questions about Symantec
services,

-- 
Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley.edu
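The notification rule described in the message (alert a client's security contact when the client reports stale virus definitions or a detection Symantec could not clean) is simple enough to show as code. The block below is an added example written for this page, not code from the campus reporting service or from Symantec; the record layout, the seven-day staleness threshold, the hostnames and the contact addresses are all constructed assumptions, and a real Symantec AntiVirus reporting export will look different.

```python
"""Flag Symantec clients whose security contact should be notified.

Added example, not code from the campus service or from Symantec. The
record layout, the 7-day threshold, hostnames and contacts are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed sample of per-client status as a reporting server might hold it:
# (hostname, security contact, virus-definition date, last detection status)
SAMPLE_STATUS: List[Tuple[str, str, str, str]] = [
    ("lib-ws-01", "lib-sec@example.edu", "2007-12-12", "clean"),
    ("lib-ws-02", "lib-sec@example.edu", "2007-11-20", "clean"),
    ("chem-lab-07", "chem-sec@example.edu", "2007-12-11", "infected-unresolved"),
    ("chem-lab-08", "chem-sec@example.edu", "2007-10-01", "infected-unresolved"),
    ("eecs-dev-03", "eecs-sec@example.edu", "2007-12-13", "infected-cleaned"),
]

# Assumed "today" so the example is deterministic offline.
TODAY = date(2007, 12, 13)
MAX_DEF_AGE_DAYS = 7  # assumed staleness threshold, not a Symantec value


@dataclass(frozen=True)
class Notification:
    contact: str
    hostname: str
    reason: str


def definitions_age_days(defs_date: str, today: date) -> int:
    """Days since the client last received virus definitions."""
    return (today - date.fromisoformat(defs_date)).days


def definitions_stale(defs_date: str, today: date, max_age_days: int) -> bool:
    """True when the definitions are older than the allowed window."""
    return definitions_age_days(defs_date, today) > max_age_days


def find_notifications(records, today=TODAY, max_age_days=MAX_DEF_AGE_DAYS):
    """Apply both rules from the message to every client record.

    A single host can produce two notifications: one for stale definitions
    and one for a detection that was not cleaned.
    """
    notes: List[Notification] = []
    for hostname, contact, defs_date, status in records:
        if definitions_stale(defs_date, today, max_age_days):
            age = definitions_age_days(defs_date, today)
            notes.append(Notification(contact, hostname, f"definitions {age} days old"))
        if status == "infected-unresolved":
            notes.append(Notification(contact, hostname, "detection not cleaned"))
    return notes


def group_by_contact(notes) -> Dict[str, List[Notification]]:
    """Bucket notifications so each security contact gets one message."""
    grouped: Dict[str, List[Notification]] = {}
    for note in notes:
        grouped.setdefault(note.contact, []).append(note)
    return grouped


if __name__ == "__main__":
    for contact, items in group_by_contact(find_notifications(SAMPLE_STATUS)).items():
        print(f"To: {contact}")
        for item in items:
            print(f"  {item.hostname}: {item.reason}")
```

Running it against the constructed records produces one notice for lib-sec (stale definitions on lib-ws-02) and three for chem-sec (an uncleaned detection on chem-lab-07, and both stale definitions and an uncleaned detection on chem-lab-08); the host whose detection was cleaned generates nothing, which matches the message's description of what the campus service reports on.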
Received on Thu Dec 13 2007 - 09:20:50 PST