Endpoint Protection

Application Control: Log programs which run from removable drives and get a report by e-mail  

02-20-2010 01:09 PM

SEP's Application and Device Control policies let you build effective rules to stop threats. Today I'm going to show you how to log applications that run from removable drives and receive a scheduled report by e-mail. Because application control records every matching execution whether or not the antivirus engine recognised the file, reviewing such a report helps you spot new malware samples that passed through SEP undetected.

SEPM can use one of two databases: the embedded database or Microsoft SQL Server. This article covers MS SQL 2005 only, because the customised query relies on built-in SQL Server features (Database Mail and SQL Server Agent jobs) that the embedded database does not provide. To start working you need to do the following:

1) Configure MS SQL 2005 Database Mail

http://marslert.com/blog/2009/03/16/configure-mssql-2005-database-mail/

http://www.databasejournal.com/features/mssql/article.php/3626056/Database-Mail-in-SQL-Server-2005.htm


2) Import the "Log programs which run from removable drives" application control policy (attached)

Enable the policy and assign it to the SEP group whose USB activity you want to monitor.

3) Import the MS SQL query (attached)

It may take some time to get the first results, depending on users' USB activity. To generate test data, copy a few applications to a USB drive, plug it into a computer that is a member of a group with the "Application Control" policy assigned, and run them one by one. After 5-10 minutes open SQL Server Management Studio and execute the query; the executions you just triggered should appear in the result set.

4) Import the MS SQL query - HTML (attached)

It does the same thing, except that it sends the query results, formatted as HTML/XML, to the recipient defined in the query (via the Database Mail configured in step 1).

5) To schedule the query, create a new SQL Server Agent job

In SQL Server Management Studio, expand the tree:

<SQL Server Name>
      SQL Server Agent
            Jobs

Right-click the Jobs node and choose New Job.
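The whole procedure as one T-SQL script, added here as an example; it is not the attached policy or query, and it is not Symantec's code. Everything named in it is an assumption you should replace: the SMTP host smtp.example.com, the Database Mail profile 'SEPM Reports', the recipient soc@example.com, the job name, and, above all, the SEPM table and column names in the SELECT (AGENT_BEHAVIOR_LOG_1, SEM_COMPUTER, TIME_STAMP, RULE_NAME, CALLER_PROCESS_NAME), which differ between SEP versions and should be taken from the attached query. The database name sem5 is the SEPM default.

```sql
-- Added example (not the attached query): steps 1, 3, 4 and 5 as T-SQL, so the
-- set-up can be reviewed and version-controlled instead of clicked through SSMS.
-- Assumed names: smtp.example.com, profile 'SEPM Reports', soc@example.com,
-- database 'sem5'. SEPM table/column names below are assumptions; take the
-- real ones from the attached query for your SEP version.

-- Step 1: enable Database Mail and create an account and profile.
USE msdb;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Database Mail XPs', 1;
RECONFIGURE;
GO
EXEC msdb.dbo.sysmail_add_account_sp
    @account_name    = 'sepm-reports',
    @email_address   = 'sepm-reports@example.com',
    @display_name    = 'SEPM Reports',
    @mailserver_name = 'smtp.example.com',
    @port            = 25;
EXEC msdb.dbo.sysmail_add_profile_sp @profile_name = 'SEPM Reports';
EXEC msdb.dbo.sysmail_add_profileaccount_sp
    @profile_name    = 'SEPM Reports',
    @account_name    = 'sepm-reports',
    @sequence_number = 1;
GO

-- Steps 3 and 4: the report query wrapped in a procedure that renders the rows
-- as an HTML table and mails it. FOR XML PATH escapes <, > and & in element
-- content, so a process name chosen by an attacker cannot inject markup.
USE sem5;
GO
CREATE PROCEDURE dbo.usp_ReportRemovableDriveExecutions
    @hours INT = 24
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @since BIGINT, @body NVARCHAR(MAX);

    -- Assumption: SEPM stores TIME_STAMP as a Unix epoch in milliseconds.
    SET @since = CAST(DATEDIFF(SECOND, '19700101',
                      DATEADD(HOUR, -@hours, GETUTCDATE())) AS BIGINT) * 1000;

    SET @body = N'<h3>Programs run from removable drives, last '
        + CAST(@hours AS NVARCHAR(10)) + N' hours</h3>'
        + N'<table border="1"><tr><th>Time (UTC)</th><th>Computer</th>'
        + N'<th>User</th><th>Program</th></tr>'
        + ISNULL(CAST((
            SELECT
                td = CONVERT(NVARCHAR(19),
                        DATEADD(SECOND, CAST(l.TIME_STAMP / 1000 AS INT), '19700101'), 120), '',
                td = c.COMPUTER_NAME, '',
                td = l.USER_NAME, '',
                td = l.CALLER_PROCESS_NAME, ''
            FROM dbo.AGENT_BEHAVIOR_LOG_1 AS l            -- assumed table
            JOIN dbo.SEM_COMPUTER AS c ON c.COMPUTER_ID = l.COMPUTER_ID  -- assumed join
            WHERE l.RULE_NAME = N'Log programs which run from removable drives'
              AND l.TIME_STAMP >= @since
            ORDER BY l.TIME_STAMP DESC
            FOR XML PATH('tr'), TYPE
          ) AS NVARCHAR(MAX)),
          N'<tr><td colspan="4">No executions logged</td></tr>')
        + N'</table>';

    EXEC msdb.dbo.sp_send_dbmail
        @profile_name = 'SEPM Reports',
        @recipients   = 'soc@example.com',
        @subject      = 'SEPM: programs run from removable drives',
        @body         = @body,
        @body_format  = 'HTML';
END;
GO

-- Step 5: what SSMS does when you right-click Jobs > New Job, as T-SQL.
USE msdb;
GO
DECLARE @jobId BINARY(16);
EXEC msdb.dbo.sp_add_job
    @job_name = N'SEPM - USB program report', @enabled = 1, @job_id = @jobId OUTPUT;
EXEC msdb.dbo.sp_add_jobstep
    @job_id        = @jobId,
    @step_name     = N'Send report',
    @subsystem     = N'TSQL',
    @database_name = N'sem5',
    @command       = N'EXEC dbo.usp_ReportRemovableDriveExecutions @hours = 24;';
EXEC msdb.dbo.sp_add_jobschedule
    @job_id            = @jobId,
    @name              = N'Daily 07:00',
    @freq_type         = 4,        -- daily
    @freq_interval     = 1,        -- every day
    @active_start_time = 070000;   -- HHMMSS
EXEC msdb.dbo.sp_add_jobserver @job_id = @jobId, @server_name = N'(local)';
GO
```

Three things to check before relying on this: the SQL Server Agent service must be running, the principal that executes the job step must be a member of DatabaseMailUserRole in msdb (or be sysadmin), and if the SMTP relay is reachable from outside the server network, set @enable_ssl = 1 and supply credentials in sysmail_add_account_sp, since the report lists hostnames, user names and program paths in clear text. Run the procedure once by hand (EXEC dbo.usp_ReportRemovableDriveExecutions @hours = 168;) and check msdb.dbo.sysmail_event_log if nothing arrives.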

Application Control Policy

[Screenshots: 2.jpg, 3.jpg, 5.jpg, 6.jpg, 7.jpg, 8.jpg]

The final result:

[Screenshot: 4.jpg]

Attachment(s)

Log programs policy and SQL.zip (3K, 1 version, uploaded 02-25-2020)

Comments

11-20-2011 12:18 PM

Thank you for giving this solution.

11-16-2011 11:49 AM

Great workaround solution!!!!

07-20-2010 05:26 AM

Nice work.. I too will test this....

04-04-2010 04:23 AM

Will be helpful in corporate networks.

03-05-2010 03:07 PM

Very helpful..

03-05-2010 03:04 PM

good idea man..

02-24-2010 03:30 AM

What an idea....

I  have to test it once.

02-23-2010 04:52 AM

Genius!

Thanks a lot :)
