- Microsoft
- Anti-Malware Scan Interface (AMSI): Enabling AMSI detection is one of the most important settings. Make sure that Observe mode is deselected: in Observe mode, ENS only reports what AMSI scanning would have blocked and does not block it. The setting is found in the ENS Threat Prevention On-Access Scan policy and in the ENS Adaptive Threat Protection (ATP) Options policy (under Real Protect). For more information about AMSI, see the section "How AMSI integration with Threat Prevention improves security" in the Endpoint Security 10.7 Product Guide.
- Self-Protection: Verify that Self-Protection is enabled in both ENS and Trellix Agent.
- Password protection: Verify that a password is set for GUI access and product removal.
- Global Threat Intelligence (GTI): Set GTI sensitivity to "High" during an incident. After the incident, once a stable state is reached, return GTI to "Medium" and keep it there. This setting is found in the following policies:
- ENS Threat Prevention On-Access Scan and On-Demand Scan
- ENS ATP Options (under Real Protect)
- Access Protection: Create rules for any indicators of compromise (IOCs) found in the environment, for example, a rule that blocks creation of files with the extension that the ransomware appends to encrypted files. Other tools, if present, can also be used, such as Threat Intelligence Exchange (TIE) reputations.
- ePO snapshot: Make sure that you take a regular ePO snapshot, that the snapshot passphrase is known, and that the SQL database backup is occurring. These backups help you recover after a loss of ePO. Also make sure that the KeyStore is backed up, in case you need to perform a manual recovery. In virtual environments, a best practice is to periodically restore the database from a backup and reinstall the ePO server, which confirms that the whole recovery process works.
- System coverage: Review systems for product coverage and updates. This review is especially important for AMCore content and Real Protect rules. A good starting point is the default dashboards whose names begin with "Endpoint Security:".
- Rogue System Detection: Unmanaged systems undermine containment and eradication of a threat: they can attack and reinfect systems that were previously restored. It's important to find and remediate such systems on the network. Rogue System Detection can help with this process; consider deploying its sensors on key networks.
- False positives: Because environments differ, for example, in their in-house applications or in the mix of solutions on a network, false positives occur. A false positive is a detection that is later determined to be non-malicious or legitimate. In our experience, with these recommendations the number of false positives is generally minimal. But, as with any other change to an environment, monitor and tune as needed.
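The AMSI recommendation above can be checked on an endpoint rather than only in the policy. The following PowerShell script is an added example and is not from the KB article or from Trellix: it lists the AMSI providers registered on the host (the registry locations are documented by Microsoft) and then submits Microsoft's harmless AMSI test string through Invoke-Expression to see whether some provider blocks it. The vendor pattern used to recognise the ENS provider DLL ("McAfee|Trellix") and the error identifier checked in the catch block are assumptions made for this example.

```powershell
# Added example, not from the Trellix KB article. Enumerates the AMSI providers
# registered on this Windows host and checks whether an AMSI scan of Microsoft's
# published AMSI test string is blocked, which is what you expect when ENS AMSI
# scanning is enabled and Observe mode is deselected.
# Assumption (not stated in the article): the ENS provider DLL path contains
# "McAfee" or "Trellix"; adjust -VendorPattern if your install differs.
param(
    [string]$VendorPattern = 'McAfee|Trellix'
)

function Get-AmsiProvider {
    # AMSI providers register a CLSID subkey under this key (documented by Microsoft).
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $root)) { return @() }
    foreach ($key in Get-ChildItem -Path $root) {
        $clsid  = $key.PSChildName
        # Resolve the CLSID to its in-process server DLL to identify the vendor.
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path -Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { $null }
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

function Test-AmsiEnforced {
    # Microsoft's harmless AMSI test string. It is assembled at run time so that this
    # script file itself does not contain the literal and get blocked when it is parsed.
    $sample = 'AMSI Test ' + 'Sample: 7e72c3ce-861b-' + '4339-8740-0ac1484c1386'
    try {
        # The engine hands the expression text to every registered provider before
        # running it. A provider that blocks makes the engine throw a parse error.
        Invoke-Expression -Command "'$sample'" | Out-Null
        return $false
    } catch {
        # Assumed error id for an AMSI block (PowerShell's ScriptContainedMaliciousContent).
        if ($_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*') { return $true }
        throw
    }
}

$providers = @(Get-AmsiProvider)
if ($providers.Count -eq 0) {
    Write-Warning 'No AMSI providers are registered on this host.'
} else {
    $providers | Format-Table -AutoSize | Out-String | Write-Output
}

$ens = @($providers | Where-Object { $_.Dll -match $VendorPattern })
if ($ens.Count -gt 0) {
    Write-Output "AMSI provider matching '$VendorPattern' registered: $($ens.Dll -join ', ')"
} else {
    Write-Warning "No AMSI provider matching '$VendorPattern' (assumed ENS naming) is registered."
}

if (Test-AmsiEnforced) {
    Write-Output 'AMSI test sample was blocked: at least one provider is enforcing.'
} else {
    Write-Warning 'AMSI test sample was NOT blocked: check that AMSI is enabled and Observe mode is deselected.'
}
```

Run it in Windows PowerShell 5.1 or later on a managed endpoint. Two caveats: a block proves only that some provider enforces, so if Microsoft Defender is also registered it can block the sample while ENS is still in Observe mode; confirm by looking for the corresponding AMSI event in the ENS Threat Event Log in ePO. And if the script itself is blocked at parse time, an ENS or Defender content update has started matching the split string, which is itself evidence that scanning is enforcing.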
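For the ePO snapshot recommendation above, the part that is easy to automate and verify is the SQL database backup and the KeyStore copy. The following PowerShell script is an added example and is not from the KB article or from Trellix: it takes a checksummed full backup of the ePO database through the .NET SqlClient, verifies the backup set with RESTORE VERIFYONLY, and copies the KeyStore folder next to it. The instance name, database name, backup directory and KeyStore path are assumptions for this example and must be replaced with your own values; the ePO snapshot and its passphrase are still required and are not covered by this script.

```powershell
# Added example, not from the Trellix KB article. Takes a checksummed full backup of the
# ePO SQL database, verifies that the backup set is readable, and copies the ePO
# server KeyStore alongside it. It complements, and does not replace, the ePO snapshot
# (Disaster Recovery) and its passphrase, which the article also requires.
# Assumptions (not stated in the article): the instance, database and KeyStore paths
# below; the account running this script has BACKUP DATABASE rights and read access to
# the KeyStore folder; $BackupDir is a path the SQL Server service account can write to
# on the SQL host (BACKUP runs there, not on the machine running this script).
param(
    [string]$SqlInstance = 'EPOSQL01\EPOSERVER',
    [string]$Database    = 'ePO_EPOSERVER01',
    [string]$BackupDir   = 'D:\ePOBackup',
    [string]$KeyStoreDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore'
)
$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$bakFile = Join-Path -Path $BackupDir -ChildPath "$Database-$stamp.bak"
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# Windows-authenticated connection to master; the backup commands name the database.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=master;Integrated Security=True")
$conn.Open()

function Invoke-Tsql {
    param([string]$Sql)
    $cmd = $conn.CreateCommand()
    $cmd.CommandText    = $Sql
    $cmd.CommandTimeout = 0   # large ePO databases can take a while
    [void]$cmd.ExecuteNonQuery()
}

try {
    # CHECKSUM makes SQL Server validate every page as it is written to the backup,
    # so a corrupt database is detected now rather than during an emergency restore.
    Invoke-Tsql "BACKUP DATABASE [$Database] TO DISK = N'$bakFile' WITH INIT, CHECKSUM, STATS = 10;"

    # VERIFYONLY confirms the backup set is complete and readable. It is not a restore;
    # the article's periodic restore-and-reinstall drill is still the real test.
    Invoke-Tsql "RESTORE VERIFYONLY FROM DISK = N'$bakFile' WITH CHECKSUM;"
}
finally {
    $conn.Close()
}

# The KeyStore is what a manual recovery (one that does not go through the snapshot) needs.
$keyStoreCopy = Join-Path -Path $BackupDir -ChildPath "keystore-$stamp"
Copy-Item -Path $KeyStoreDir -Destination $keyStoreCopy -Recurse

Write-Output "Backup written and verified: $bakFile"
Write-Output "KeyStore copied to: $keyStoreCopy"
```

Schedule it from a host that can reach both the SQL instance and the KeyStore folder, and lock down the backup directory: the database and the KeyStore together are enough to rebuild the ePO server, so they deserve the same access controls as ePO itself. Any failure in BACKUP or VERIFYONLY surfaces as a terminating error, which is what you want a scheduled task to report.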
Best practices for tuning and using Endpoint Security to prevent and respond to threat incidents
Technical Articles ID:
KB94048
Last Modified: 2023-03-24 13:41:32 Etc/GMT
Affected Products
- Best Practices
- Configuration
- Endpoint Security Adaptive Threat Protection
- Endpoint Security Firewall 10.7.x
- Endpoint Security Firewall 10.6.x (EOL)
- Endpoint Security Threat Prevention 10.7.x
- Endpoint Security Threat Prevention 10.6.x (EOL)
- Endpoint Security Web Control 10.7.x
- Endpoint Security Web Control 10.6.x (EOL)
- Threat Prevention and Removal