Endpoint Protection

  • 1.  Unable to block LogMeIn

    Posted Apr 07, 2011 03:59 PM

    Please refer to https://www-secure.symantec.com/connect/forums/blocked-application-it-still-use for background information.

     

    I did the following:

    - download LogMeIn

    - determine hash of various components, i.e. the .exe files in the installation folder

    - go to Policies > Application and Device Control > Application Control > Added "Block LogMeIn" to Rule Set and made it Production

     

    See attached screenshots

    - rule_to_block_logmein.PNG

    - condition_for_logmein.PNG

    - action_to_perform_for_logmein.PNG

     

    When I go to Home > Action Summary by Detection Count > Under "Suspicious" and "Security Risk", it shows LogMeIn was detected by "Forced TruScan proactive threat"

     

    Help!



  • 2.  RE: Unable to block LogMeIn

    Posted Apr 07, 2011 05:10 PM

    Are these clients 64bit? If so, application and device control will not work.

    http://www.symantec.com/business/support/index?page=content&id=TECH102267&actp=search&viewlocale=en_US&searchid=1285779583171



  • 3.  RE: Unable to block LogMeIn

    Posted Apr 07, 2011 06:13 PM

    Put the asterisk (*) in the rule and the LogMeIn fingerprints in the condition.

    You want Application Control to prevent arbitrary applications (such as Windows Explorer) from launching LogMeIn. Therefore, the rule must be for these launching applications, not for LogMeIn.

    The action "Block access" is correct. Never use "Terminate process" -- you'll terminate the launching application (e.g. Windows Explorer crying).



  • 4.  RE: Unable to block LogMeIn

    Posted Apr 08, 2011 08:23 AM

    Client is 32-bit. Will interchange rule and condition and keep you posted.



  • 5.  RE: Unable to block LogMeIn

    Posted Apr 08, 2011 09:36 AM

    Greg12 is right, you will need to interchange the rule and condition.



  • 6.  RE: Unable to block LogMeIn

    Trusted Advisor
    Posted Apr 11, 2011 08:00 AM

    Hello,

    Have you tried working through the steps provided below? (Try considering these steps to block the traffic of an application.)


    Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager (SEPM)
     
    http://www.symantec.com/business/support/index?page=content&id=TECH134367
     
    How to set up learned applications in the Symantec Endpoint Protection Manager
     
    http://www.symantec.com/business/support/index?page=content&id=TECH102994
     
    You can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log.


  • 7.  RE: Unable to block LogMeIn

    Posted Apr 12, 2011 10:50 AM

    I interchanged the rule and condition, still no luck!

     

    Will check links posted by Mr. Mithun



  • 8.  RE: Unable to block LogMeIn
    Best Answer

    Posted Apr 18, 2011 11:13 AM

    I worked with Technical Support and got a solution that works

    Create Ruleset

    Create Rule >> Properties >> Apply this rule to the following processes: *

    Under the Rule you created, Create Launch Process Attempts

    Launch Process Attempts >> Properties >> Apply to the following processes: <list of executables>

    Launch Process Attempts >> Actions >> Block access

     

    So far, this has worked
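
Added example, not part of any post in this thread: PowerShell that fingerprints every .exe under a folder, as in the hashing step of the first post, and shows that a binary whose content changes no longer matches the recorded list of executables. The function name `Get-ExeFingerprint`, the temporary folder, the file contents and the SHA256 default are assumptions; use the hash algorithm your management console expects.

```powershell
# Added example. Get-ExeFingerprint is a hypothetical helper name.
function Get-ExeFingerprint {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string]$Algorithm = 'SHA256'
    )
    # Recurse so helper executables in subfolders are not missed.
    Get-ChildItem -LiteralPath $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm
            [pscustomobject]@{
                Name = $_.Name
                Hash = $hash.Hash
                Path = $_.FullName
            }
        }
}

# Constructed sample: a temp folder standing in for the installation folder.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("fp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'agent.exe')   -Value 'constructed build 1'
Set-Content -LiteralPath (Join-Path $dir 'service.exe') -Value 'constructed service'

# Fingerprints recorded when the block condition was written.
$recorded = Get-ExeFingerprint -Path $dir
$recorded | Format-Table Name, Hash -AutoSize

# Simulate an application update that replaces one binary.
Set-Content -LiteralPath (Join-Path $dir 'agent.exe') -Value 'constructed build 2'
$current = Get-ExeFingerprint -Path $dir

# Executables whose hash is not in the recorded list: a condition built
# only from the old fingerprints would no longer match these files.
$knownHashes = @($recorded.Hash)
$current |
    Where-Object { $knownHashes -notcontains $_.Hash } |
    Format-Table Name, Hash -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

Run against the real installation folder by passing its path to `-Path`, and re-run after each application update to see which fingerprints need refreshing.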