Michigan Security User Group

  • 1.  SEP 11 Firewall Rule - Using Hash values to trigger alerts

    Posted Nov 09, 2011 12:46 PM

    Question -

    I want to look for specific files that initiate outbound communication through our SEP clients' firewall.  I have a list of hash values that I have manually entered into a Firewall rule under the Application column and have set it, under logging, to send an email when it is detected.  I have also configured a client alert notification under logging.

    I do not have Network Application Monitoring set to ON for any of my client groups, nor do I have the "Learn applications that run on the client computers" enabled under any of my client groups communication settings. 

    My question is - Will the SEP firewall still be able to alert on those hash values without enabling these settings?  If the answer is yes, then I am led to believe that the SEP firewall must hash any application that attempts outbound communication "on the fly", as it's said.  Is this correct?  My suspicion is that it will NOT work by nature of the options togglable under - Network Application Monitoring.

    I don't believe this is spelled out anywhere in documentation.


    Thanks!
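    An added illustration of the behaviour the question asks about (example code, not from the thread, from Symantec, or from SEP itself): each outbound connection event is attributed to the executable that made it, that executable is hashed at connection time, and the hash is compared against a watch list like the one typed into the rule's Application column. The file contents, paths, remote addresses and the choice of SHA-256 are constructed assumptions.

```python
"""Emulation of 'hash on the fly' outbound-connection alerting (added example,
not SEP code). Executables and connection events are constructed in-memory."""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executables on disk: path -> file bytes.
FAKE_FILESYSTEM = {
    r"C:\Program Files\App\updater.exe": b"MZ...constructed updater binary",
    r"C:\Users\Public\tool.exe": b"MZ...constructed watched binary",
}


def file_fingerprint(path: str) -> str:
    """Hash the executable at the moment it connects (SHA-256 is an assumption;
    a real product uses whatever its own fingerprint utility produces)."""
    return hashlib.sha256(FAKE_FILESYSTEM[path]).hexdigest()


# Watch list: the role of the hash values entered in the firewall rule.
# Derived from the constructed bytes so the example runs offline.
WATCH_LIST = {file_fingerprint(r"C:\Users\Public\tool.exe")}


@dataclass(frozen=True)
class OutboundEvent:
    process_path: str   # executable that initiated the connection
    remote: str         # "ip:port" of the destination


def evaluate(events, watch_list=WATCH_LIST):
    """Return one alert record per event whose initiating executable's hash
    is on the watch list. Unlisted binaries produce nothing, and a binary whose
    bytes change (e.g. after an update) no longer matches its old hash."""
    alerts = []
    for ev in events:
        digest = file_fingerprint(ev.process_path)
        if digest in watch_list:
            alerts.append({"process": ev.process_path,
                           "remote": ev.remote, "hash": digest})
    return alerts


# Constructed sample connection events.
SAMPLE_EVENTS = [
    OutboundEvent(r"C:\Program Files\App\updater.exe", "203.0.113.10:443"),
    OutboundEvent(r"C:\Users\Public\tool.exe", "198.51.100.7:8080"),
    OutboundEvent(r"C:\Users\Public\tool.exe", "198.51.100.7:8081"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print("ALERT", alert)
```

    The update caveat is the operational one for a hash-based rule: every new build of the watched binary needs its hash added, or the rule silently stops firing.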



  • 2.  RE: SEP 11 Firewall Rule - Using Hash values to trigger alerts

    Posted Nov 09, 2011 08:48 PM

    Hi Nardoni.

    Network Application Monitoring monitors changes made to files via the network, as malware is known to do. This is different to the rule you've made in the Firewall Policy that monitors applications that send outbound information. Hash tags are frequently used in SEP's components, especially if you have them all installed/enabled.



  • 3.  RE: SEP 11 Firewall Rule - Using Hash values to trigger alerts

    Posted Nov 10, 2011 09:24 AM

    mon_raralio - I appreciate your attempt to communicate something to me, but my question still remains. 

    Can anyone from Symantec comment on this please?

    Thanks.



  • 4.  RE: SEP 11 Firewall Rule - Using Hash values to trigger alerts

    Posted Nov 10, 2011 02:50 PM

    Not a definitive "yes", but I believe the firewall can alert on those hashes without those settings activated (based on my experience).  I don't use the firewall component. However, I use Application and Device Control to successfully block files with specific hash keys.  Like you, I do not have Network Application Monitoring, nor the 'Learn Application' features enabled.

    Hope that helps some.



  • 5.  RE: SEP 11 Firewall Rule - Using Hash values to trigger alerts

    Posted Nov 10, 2011 05:30 PM

    Yes, thanks justin_g for your input.  Much appreciated.



  • 6.  RE: SEP 11 Firewall Rule - Using Hash values to trigger alerts

    Posted Nov 10, 2011 07:17 PM

    Hi Nardoni, if you want someone from Symantec to clarify this for you, the best course would be to contact them directly if the information sought is really important and requires urgency. The Symantec employees posting in the forums are doing this 'pro bono' and most are doing this on their off work hours.

    Cheers.