
Block Software By Fingerprint 

Nov 10, 2009 09:11 AM

How to block applications in SEP using MD5

 

1.       First, we need to obtain the file Checksum.exe.
The file is located in the root folder of the SEP client installation (%programfiles%\Symantec\Symantec Endpoint Protection\Checksum.exe).

2.       After we have obtained the file, we also need the program we want to block to be installed (or, if the program does not need installation, we just need its executable file).

3.       I would suggest copying the Checksum.exe program to C:\ to make the procedure easier.

4.       Assuming that the file is in C:\, what we do is:

·         click Start-->Run-->CMD.EXE

·         A command line will appear.

·         Navigate to the folder where the Checksum file is located.

·         Run the following command:
Checksum.exe **result file location** **application location**
**Result file location** = the location and name of the result file.
**application location** = the location of the application whose fingerprint we want to extract.
For example: Checksum.exe c:\result.txt "c:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe"
(Quote the application path if it contains spaces.)

·         As you can see, I wanted to find out the checksum of savui.exe and exported the result to result.txt.

·         The procedure should take only a couple of seconds and you should see "Checksummed 1 file".

·         When we open the output file, this is what we get:
9213d1c5f877272231f6763f143d554c c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe

·         The first part (the unique ID) is the fingerprint of the file, and after it we also have the path of the file.
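As an added example (not part of the original post and not Symantec's Checksum.exe), the Python script below produces the same "<md5> <path>" result-file format, works for any file type (so a .bat or .jar can be fingerprinted just as well as an .exe), parses the result file back so the 32-character fingerprint can be validated before it is pasted into SEPM, and shows that two versions of a file that differ by a single byte get different fingerprints. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example: reproduces the "<md5> <path>" result-file format that the
# post shows for Checksum.exe. Works for any file type, not only .exe files.


def md5_fingerprint(path, chunk_size=1 << 16):
    """Return the lowercase hex MD5 digest of the file at `path`, read in
    chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_valid_fingerprint(value):
    """SEPM expects a 32-character hexadecimal MD5 string; check before pasting."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def write_result_file(result_path, app_paths):
    """Write one '<md5> <path>' line per application, like Checksum.exe's output."""
    lines = [f"{md5_fingerprint(p)} {p}" for p in app_paths]
    with open(result_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def parse_result_file(result_path):
    """Read a result file back into (fingerprint, path) pairs.
    The path may itself contain spaces (e.g. under 'Program Files (x86)'),
    so split only on the first space, right after the digest."""
    entries = []
    with open(result_path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if not line:
                continue
            fingerprint, _, path = line.partition(" ")
            if not is_valid_fingerprint(fingerprint):
                raise ValueError(f"malformed result line: {line!r}")
            entries.append((fingerprint, path))
    return entries


def demo():
    """Build two constructed 'versions' of a batch file that differ by one
    byte, fingerprint both, and round-trip them through a result file.
    Returns the fingerprints and parsed entries so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files; names and contents are not from the post.
        # The directory names contain a space on purpose, to exercise parsing.
        v1 = os.path.join(tmp, "tool v1", "run.bat")
        v2 = os.path.join(tmp, "tool v2", "run.bat")
        os.makedirs(os.path.dirname(v1))
        os.makedirs(os.path.dirname(v2))
        with open(v1, "wb") as fh:
            fh.write(b"abc")  # MD5 of b"abc" is a well-known test vector
        with open(v2, "wb") as fh:
            fh.write(b"abd")  # one byte changed: a new "version" of the tool

        result_path = os.path.join(tmp, "result.txt")
        write_result_file(result_path, [v1, v2])
        entries = parse_result_file(result_path)
        return {
            "v1": md5_fingerprint(v1),
            "v2": md5_fingerprint(v2),
            "entries": entries,
            "paths": [v1, v2],
        }


if __name__ == "__main__":
    for fingerprint, path in demo()["entries"]:
        print(fingerprint, path)
```

Because the fingerprint is a hash of the exact bytes, every build or version of a product has its own value; a rule that matches one fingerprint blocks only that version, so each version you want to cover needs its own entry in the rule.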

5.       Using the Fingerprint extracted with SEP:

·         Open the SEPM

·         Go to Policies and click on Application and Device control policies

·         Right-click on the policy and click Edit (I decided to use the default Application Control policy, but you could create your own if you like).

·         Under Application Control, click on "Block application from running" and then "Edit".

·         Go to "apply this rule to the following processes" and click on "Add"

·         Click on "Options" and two new fields will appear.

·         Click on "Match the fingerprint" and paste the unique ID we found earlier: 9213d1c5f877272231f6763f143d554c

·         Click OK and that is it. SEP will block the program you want.

·         One reminder: you need to assign the policy to the clients' groups and make sure the Application Control rule set is in Production mode (not Test mode) so that it actually blocks the software.

 I have also uploaded the file here.

Enjoy,

Naor Penso
Security Engineer
Netcom Malam-Team
 

Attachment(s)
zip file
Checksum.zip   147 KB   1 version
Uploaded - Feb 25, 2020

Comments

May 28, 2014 11:56 AM

You can use HashCalc (see Mick's post) or another free tool. It can create fingerprints (MD5 hashes) from arbitrary files.

May 27, 2014 08:13 AM

hi

May 27, 2014 08:13 AM

Hi all,

 

What about non-.exe programs? How can we block them? I want to block Apache JMeter. It has a batch file (jmeter.bat). I am unable to create a fingerprint of that .bat file using Checksum. Could you please help with this?

Regards,

Anoop Jeevan.K

Jan 03, 2014 07:04 AM

Just adding another helpful cross-ref:

How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage
http://www.symantec.com/docs/TECH97618

Oct 07, 2013 03:03 PM

Mohd,

 

Different versions of the same product will each have a unique fingerprint (MD5 hash). You would need to collect the fingerprint from each version of executable you wish to block.

PeterWndell's method does make this easier to do, but it is reactive. That is, a user has to have run that program first before you can see it in the list. There are also some reasons not to learn applications all the time, which should be considered. See: http://www.symantec.com/docs/TECH134367 for best practices on application learning.

Sep 18, 2013 04:00 AM

Thanks. Using this I have done blocking. But for different versions of the same product, how to block?

Please reply ASAP.

 

 

Jul 30, 2013 01:17 AM

How to monitor the USB activity on a computer?

Jul 26, 2013 02:50 AM

Really nice post. My vote goes to you.

Thumbs up!

Dec 02, 2011 05:07 AM

"Thumbs up" to the excellent material, above. 

Here is Symantec's official article on the subject:

How to use Application and Device Control to limit the spread of a threat.
Article: TECH93451 | Created: 2009-01-15 | Updated: 2010-12-13 |
Article URL http://www.symantec.com/docs/TECH93451

My personal favorite third-party tool for calculating a file's MD5 is called HashCalc from SlavaSoft.

Sep 22, 2011 04:43 AM

Thanks peter,

Using your method it is easy for me now to block the software, and now I have successfully blocked many unwanted programs with the help of this.

Sep 09, 2011 05:48 AM

Thanks. Using this I have done blocking. But for different versions of the same product, how to block?

Mar 17, 2010 02:08 PM

You could block/allow by group.
Today there is no possibility to enforce policies on a single machine unless you move it to another group.
But you can create any amount of policies and enforce them on groups.
Regards,
Naor Penso

Jan 13, 2010 01:12 PM

Can we block/allow by fingerprint or other condition on just one device\user in a client group? My guess would be that we cannot do it on a single machine, but put the machine in a new group and apply it there. I just thought I should ask.

Thanks

Nov 16, 2009 05:40 PM

There is also a way to obtain the MD5 checksum of an executable WITHOUT running the checksum.exe program on a client. In order to do this you need to:

1. In the SEPM, click on the ADMIN button in the left pane and then select the SERVERS tab.
2. Check the Properties for the SITE (the root of the tree) and make sure that 'Keep track of every application that the clients run' is checked. It is UNCHECKED by default. Close the properties window.
3. If it was unchecked, you will need to wait a while for the clients to start reporting the applications they use.
4. Now you can click on the POLICIES button in the left pane and choose 'Search for Applications' in the tasks menu. You will see the Query Window.
 
The image below shows a query for 'iexplore' in one of my groups. If you select one of the results and press the 'View Details' button, you will see the following image. The query accepts wildcards and will return unique entries for every version of the file found. You could easily find every version of any file being run in a group or groups and use the fingerprints to block one version, or all of them.


[Image: Query.jpg]

[Image: details.JPG]

I hope that's useful.


Nov 16, 2009 02:44 AM

Nice information 

Nov 12, 2009 12:54 AM

Good one.... 
