Symantec today announced the next version of Symantec Endpoint Protection. This release, version 12.1, will ship later this year. You can sign up for the beta at http://go.symantec.com/sep12beta/ .
Long in coming, this release is a major milestone. On the face of it, that statement is odd; after all, SEP is a mature product and its feature set hasn't, at a fundamental level, changed. It still offers the critical elements of endpoint security: malware protection, access control, device control, application control, firewall and IPS. It “kinda, sorta” looks like nothing has changed.
Well, don't believe it. There are countless new features in this release, and in subsequent blog posts I will dive into them. The real change, however, is under the covers and in the test results. SEP 12 is built on a powerful new stack of security technologies – which not only offer state-of-the-art protection, but which also position SEP to continue to provide great protection in a world with hundreds of millions, even billions of unique malicious programs.
Last year, Symantec identified 286 million different pieces of malware. Think about scanning each of the thousands of scannable objects on your computer for any one of 286 million malware signatures. Ok, the problem isn’t really that bad – that 286,000,000 figure represents mostly minor variants of a much smaller number of malware samples. But still, we are talking about over 10 million virus signatures.
Powered by Insight, SEP knows the reputation of up to 70% of the executables on your system – which means it need not scan those files unless they have changed. By reputation, I don’t just mean that we can identify bad files with signatures in the cloud (which, by the way, is the secret sauce behind McAfee’s Artemis/Global Threat Intelligence technology). Insight does have something unique; well, two things. First, for every file we track (over 2.5 billion files), we have a security rating. Second, WE TRACK 2.5 BILLION FILES – 31 MILLION NEW FILES EVERY WEEK. Sorry for shouting, but that is a huge database. It is large enough that we can derive the context and the associations of the file – its "reputation" if you will – with great confidence. We are tracking the presence, age and security rating of nearly every executable on the internet. No-one else can do that. It is not even close.
Insight isn’t the only new security feature in SEP. The other half of the story is Sonar.
Sonar is an AI-driven technology that tracks file behaviour in real time. Where older generations of heuristic scanners ran on file open/close/modify and on periodic scans, Sonar runs all the time – watching file behaviours and rating them on over 400 attributes.
The other big change in SEP is its enhanced support for virtualization. I will look into the new virtualization technology in a later post.
You can see how effective SEP is in the latest detection and performance test reports. We have posted them on the SEP Beta page - http://go.symantec.com/sep12beta/ . Take a look.
Friday, March 18, 2011
Thursday, March 17, 2011
Restrict/Limit Users using (/etc/security/)
User limitations are set in the following files:
- File: /etc/security/limits.conf :
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit
- maxlogins - max number of logins for this user
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
- File: /etc/security/access.conf :
Limit access by network or local console logins.
- File: /etc/security/group.conf :
Grant/restrict group device access.
- File: /etc/security/time.conf :
Restrict user access by time, day.
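The limits.conf items above are only useful if the file actually says what you think it says. The following is an added example (not from the original post): a small POSIX shell helper that parses a limits.conf-style file, resolves the value for a domain/type/item the way pam_limits does (a type of "-" sets both soft and hard, and a later matching line overrides an earlier one), and audits two settings an administrator typically wants enforced: core dumps disabled for everyone (core files can contain passwords and keys) and a hard process limit for "*" (limits runaway or fork-bombing users). The sample file content is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses a limits.conf-style
# file and audits a few security-relevant items. SAMPLE_LIMITS is constructed.

SAMPLE_LIMITS=$(cat <<'EOF'
# /etc/security/limits.conf  (constructed sample)
#<domain>      <type>  <item>         <value>
*               soft    core            0
*               hard    core            0
*               hard    nproc           4096
@developers     soft    nproc           2048
@developers     hard    nofile          8192
ftp             hard    maxlogins       2
oracle          -       memlock         unlimited
EOF
)

# limit_lookup FILE_CONTENT DOMAIN TYPE ITEM
# Prints the value configured for DOMAIN/TYPE/ITEM, or nothing if unset.
# A type of "-" applies to both soft and hard; the last matching line wins,
# as in pam_limits.
limit_lookup() {
    printf '%s\n' "$1" | awk -v dom="$2" -v typ="$3" -v item="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == dom && $3 == item && ($2 == typ || $2 == "-") { val = $4 }
        END { if (val != "") print val }'
}

# audit_limits FILE_CONTENT
# Returns 0 when core dumps are disabled for "*" (hard core 0) and a hard
# nproc limit exists for "*"; prints a line for each failing check.
audit_limits() {
    rc=0
    if [ "$(limit_lookup "$1" '*' hard core)" != "0" ]; then
        echo "FAIL: hard core limit for '*' is not 0 (core files can leak secrets)"
        rc=1
    fi
    if [ -z "$(limit_lookup "$1" '*' hard nproc)" ]; then
        echo "FAIL: no hard nproc limit for '*' (no protection against runaway processes)"
        rc=1
    fi
    return $rc
}

# Stand-alone run: audit the constructed sample.
audit_limits "$SAMPLE_LIMITS" && echo "constructed limits.conf passes the audit"
```

To audit a real host, pass the file content in with `audit_limits "$(cat /etc/security/limits.conf)"`; files under /etc/security/limits.d/ are parsed the same way and would need to be concatenated first.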
System Monitor Commands
Basic command line:
- pstree: processes and parent-child relationships
- top: show top processes
- iostat: report CPU statistics and input/output statistics for devices and partitions
- ps -auxw: process status
- uname -a: print system information
- cat /proc/version: display the Linux kernel version in use
- cat /etc/redhat-release: display the Red Hat Linux release (also /etc/issue)
- uptime: tell how long the system has been running, plus the number of users and the system's load average
- w: show who is logged on and what they are doing
- /sbin/lsmod: list all currently loaded kernel modules (same as cat /proc/modules)
- /sbin/runlevel: display the system's current runlevel
- hostname: display/change the system's node name (you must also manually change the hostname setting in /etc/sysconfig/network; the command will change the entry in /etc/hosts)
- service: Red Hat/Fedora command to display the status of system services
Example: service --status-all
Help: service --help
- gnome-system-monitor: operating system monitor and usage graphing
- gkrellm: graphical system monitor (additional RPM package: gkrellm)
- ps3: 3D load meter. Very cool 3-D graphics.
- xosview: operating system monitor: load, memory, swap, net, disk, ...
Monday, March 14, 2011
Activating a VG when quorum is lost
Normally, volume groups are automatically activated during system startup. Unless you intentionally deactivate a volume group using vgchange, you will probably not need to reactivate a volume group.
However, LVM does require that a "quorum" of disks in a volume group be available. During normal system operation, LVM needs a quorum of more than half of the disks in a volume group for activation. If, during run time, a disk fails and causes quorum to be lost, LVM alerts you with a message to the console, but keeps the volume group active.
If there is no other way to make a quorum available, the -q option to the vgchange command will override the quorum check.
EXAMPLE:
vgchange -a y -q n /dev/vg01
When you replace a disk that was not online when you originally activated the volume group, use the activation command again to attach the now accessible disks to the volume group.
EXAMPLE:
vgchange -a y /dev/vg01
Monday, February 21, 2011
Apache on Solaris 10
The Apache web server is included with Solaris 10. Follow these steps to enable it.
Step 1: Create a working default apache config file
The apache server config files are in /etc/apache2. To quickly get up and running, you can just use the sample config file by doing the following:
cd /etc/apache2
cp httpd.conf-example httpd.conf
Step 2: Enable the apache/httpd service
Check to see if apache is already running:
svcs -a | grep -i http
You will probably see the following, indicating that apache is NOT running:
disabled Apr_20 svc:/network/http:apache2
Use the svcadm command to start the webserver. This will also make it automatically start if your machine reboots.
svcadm -v enable /network/http:apache2
Use the following svcs command to make sure it worked:
svcs -p /network/http:apache2
STATE STIME FMRI
online 15:32:44 svc:/network/http:apache2
15:32:44 28711 httpd
15:32:45 28712 httpd
15:32:45 28713 httpd
15:32:45 28714 httpd
15:32:45 28715 httpd
15:32:45 28716 httpd
This is showing that the webserver is online and working.
Step 3: Add your web content
Put your html webpage(index.html) in the /var/apache2/htdocs directory. If everything went OK, you should have a functioning apache webserver.
Debugging / Troubleshooting
If the svcs -p command from the above step doesn't show a STATE of online, do the following:
svcs -a | grep -i http
You'll probably see that it's in maintenance mode:
maintenance 15:16:12 svc:/network/http:apache2
For more detailed info run:
svcs -l http
OR
svcs -x http
svc:/network/http:apache2 (Apache 2 HTTP server)
State: maintenance since May 8, 2007 3:16:12 PM EDT
Reason: Start method failed repeatedly, last exited with status 1.
See: http://sun.com/msg/SMF-8000-KS
See: httpd(8)
See: /var/svc/log/network-http:apache2.log
Impact: This service is not running.
Note that the second to last line tells you where the log file is, so take a look at that. Once you've fixed the problem, you can restart apache with:
svcadm restart /network/http:apache2
If for some reason you want to shut off apache, use this:
svcadm disable /network/http:apache2
svcs -p /network/http:apache2
STATE STIME FMRI
disabled 15:36:33 svc:/network/http:apache2
svcs -l http
fmri svc:/network/http:apache2
name Apache 2 HTTP server
enabled false
state disabled
next_state none
state_time May 8, 2007 3:36:33 PM EDT
logfile /var/svc/log/network-http:apache2.log
restarter svc:/system/svc/restarter:default
contract_id
dependency require_all/error svc:/milestone/network:default (online)
dependency require_all/none svc:/system/filesystem/local:default (online)
dependency optional_all/error svc:/system/filesystem/autofs:default (online)
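The enable/verify/troubleshoot sequence above is easy to script once the svcs output is read programmatically. The following is an added example (not from the original post): shell helpers that extract the service state from `svcs -p`, and the failure reason and log file path from `svcs -x`, plus a function that runs the post's steps on a real Solaris 10 host and points at the log when the service lands in maintenance. The sample outputs are constructed from the transcripts in the post; the host-side function assumes svcadm and svcs are present and is not exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads SMF command output so a
# script can decide whether apache2 is healthy and where to look when it is not.
# The SVCS_* samples are constructed from the transcripts in the post.

SVCS_P_ONLINE='STATE          STIME    FMRI
online         15:32:44 svc:/network/http:apache2
               15:32:44    28711 httpd
               15:32:45    28712 httpd'

SVCS_P_MAINT='STATE          STIME    FMRI
maintenance    15:16:12 svc:/network/http:apache2'

SVCS_X_MAINT='svc:/network/http:apache2 (Apache 2 HTTP server)
 State: maintenance since May  8, 2007  3:16:12 PM EDT
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://sun.com/msg/SMF-8000-KS
   See: httpd(8)
   See: /var/svc/log/network-http:apache2.log
Impact: This service is not running.'

# smf_state: STATE column of the service line in `svcs -p` output (stdin).
# Process lines beneath the service carry a PID and name but no FMRI, so the
# service line is the one whose third field starts with "svc:".
smf_state() {
    awk '$3 ~ /^svc:/ { print $1; exit }'
}

# smf_logfile: the log path named on a "See:" line of `svcs -x` output (stdin).
# The other "See:" lines are a URL and a man page, which do not start with "/".
smf_logfile() {
    awk '$1 == "See:" && $2 ~ /^\// { print $2; exit }'
}

# smf_reason: text of the "Reason:" line of `svcs -x` output (stdin), if any.
smf_reason() {
    sed -n 's/^[[:space:]]*Reason: //p'
}

# apache_health: read `svcs -p` output from stdin; return 0 for online,
# 1 for disabled, 2 for maintenance, 3 for anything else.
apache_health() {
    case "$(smf_state)" in
        online)      return 0 ;;
        disabled)    return 1 ;;
        maintenance) return 2 ;;
        *)           return 3 ;;
    esac
}

# apache_enable_and_verify: the post's Steps 1-2 plus the troubleshooting
# step, for a real Solaris 10 host (requires svcadm/svcs; not run offline).
# Copies the sample config only when no httpd.conf exists yet.
apache_enable_and_verify() {
    fmri=/network/http:apache2
    command -v svcadm >/dev/null 2>&1 || { echo "svcadm not found: not a Solaris host" >&2; return 3; }
    [ -f /etc/apache2/httpd.conf ] || cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
    svcadm -v enable "$fmri"
    sleep 2                                    # give the start method time to run
    rc=0
    svcs -p "$fmri" | apache_health || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "apache2 is in maintenance: $(svcs -x "$fmri" | smf_reason)"
        echo "inspect $(svcs -x "$fmri" | smf_logfile)"
    fi
    return "$rc"
}
```

On a host, `apache_enable_and_verify` replaces the manual steps; its exit code (0 online, 2 maintenance) can drive a deployment script, and the log file it prints is the one the post tells you to read.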
SSH on Solaris 10
To generate your keys:
ssh-keygen -t dsa
ssh-keygen -t rsa
Then save the public keys (NOT the private keys!) that you just generated into an authorized_keys file:
# cat *.pub >> authorized_keys
The newly created authorized_keys file can then be copied to the destination system. This will allow you to log in without providing a password.
To stop and start sshd:
svcadm disable ssh
svcadm enable ssh
Debugging tips:
Server side debugging - Once ssh service is disabled (svcadm disable ssh), you can start manually in debug mode:
cd /usr/lib/ssh
./sshd -dd
./sshd -v will show the available command-line options
ssh -v will turn on client debugging
sshd config file for the entire server is in /etc/ssh/sshd_config
permissions on your home directory MUST be 750
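Two things go wrong most often with the key-based login described above: private key material ends up in the file that gets copied, and sshd (with StrictModes on, the default) silently refuses the keys because the home directory, ~/.ssh or authorized_keys is group- or world-writable, which is why the post insists on 750 for the home directory. The following is an added example (not from the original post): a shell helper that assembles authorized_keys from *.pub files while rejecting anything that is not a public key, and a checker for the permission rules. The key strings used in the test are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds authorized_keys from
# public keys only and checks the permissions sshd StrictModes requires.

# is_public_key FILE: succeed only if FILE contains no private-key material
# and every non-empty line is "<type> <base64 blob> [comment]".
is_public_key() {
    grep -q 'PRIVATE KEY' "$1" && return 1
    awk '
        NF == 0 { next }
        $1 !~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1 }
        $2 !~ /^[A-Za-z0-9+\/=]+$/ { bad = 1 }
        END { exit bad + 0 }' "$1"
}

# build_authorized_keys SRC_DIR OUT_FILE: append every *.pub in SRC_DIR that
# passes is_public_key to OUT_FILE (created fresh, mode 600); report skipped
# files on stderr and print the number of keys written.
build_authorized_keys() {
    src=$1; out=$2; count=0
    : > "$out"
    for f in "$src"/*.pub; do
        [ -f "$f" ] || continue
        if is_public_key "$f"; then
            awk 'NF' "$f" >> "$out"          # one key per line, newline-terminated
            count=$((count + 1))
        else
            echo "skipping $f: not a public key" >&2
        fi
    done
    chmod 600 "$out"
    echo "$count"
}

# file_mode PATH: octal permission bits, e.g. 750 (GNU stat, then BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# writable_by_group_or_other MODE: succeed when the group or other write bit
# is set in a 3-digit octal mode such as 750 or 775.
writable_by_group_or_other() {
    g=$(( $1 / 10 % 10 )); o=$(( $1 % 10 ))
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# check_ssh_perms HOME_DIR: apply the StrictModes rules the post's "MUST be
# 750" refers to: home, .ssh and authorized_keys not group/other writable,
# and .ssh exactly 700. Prints each problem; returns 0 only when all pass.
check_ssh_perms() {
    home=$1; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then echo "missing: $path"; rc=1; continue; fi
        m=$(file_mode "$path") || m=unknown
        case $m in *[!0-9]*) echo "cannot stat $path"; rc=1; continue ;; esac
        if writable_by_group_or_other "$m"; then
            echo "FAIL: $path is mode $m (group/other writable; sshd will ignore the keys)"
            rc=1
        fi
    done
    if [ -d "$home/.ssh" ]; then
        m=$(file_mode "$home/.ssh") || m=unknown
        [ "$m" = 700 ] || { echo "FAIL: $home/.ssh is mode $m, expected 700"; rc=1; }
    fi
    return $rc
}

# Usage on a host: build_authorized_keys ~/keys ~/.ssh/authorized_keys && check_ssh_perms "$HOME"
```

Run `check_ssh_perms` on the destination system after copying authorized_keys over; a failing check is the usual explanation when sshd -dd on the server reports that it is ignoring the authorized keys file.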
Monday, February 14, 2011
Friday, January 28, 2011
Reinstall GRUB using Ubuntu 9.10 livecd or higher
This assumes the Ubuntu partition is sda7 and the /boot partition is sda6 (if you have a separate /boot partition).
Boot up ubuntu from the livecd,open terminal and run:
sudo -i
mount /dev/sda7 /mnt
mount /dev/sda6 /mnt/boot   # skip this one if you do not have a separate /boot partition
grub-install --root-directory=/mnt/ /dev/sda
If the grub.cfg file is missing, use the following to recreate it:
mount --bind /proc /mnt/proc
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
chroot /mnt
update-grub
exit
umount /mnt/sys
umount /mnt/dev
umount /mnt/proc