SEPM Application and Device Control (AppDevCtrl) is a versatile Swiss army knife: it can be used as a precision tool as well as a general solution. Take care when using it, because a misconfigured rule can easily break a system (a rule that denies file access to every non-whitelisted process also denies it to the process you forgot to list).
The policies described here put strong rules into effect, so it is recommended to run them in "Test (log only)" mode first, and on a test system.
After testing, mass distribution of this ruleset can be orchestrated with SEPM Group Management.
Here follows how to defend an enterprise's critical files (Word and Excel documents, etc.) from unauthorized access such as encryption by CryptoLocker or other ransomware. Create an Application Control rule with the following in mind:
Monitor every process except Word, Excel, Windows processes, SEP processes, and legitimate enterprise applications such as a filing app (this is the whitelist). Whitelist processes by their full path or file fingerprint rather than by bare executable name, otherwise a dropper that calls itself winword.exe inherits the exemption.
Monitor the file accesses of the non-whitelisted processes: if the file is a *.doc, *.docx, *.xls or *.xlsx, block the access; otherwise allow it.
From the test-mode logs we can tune the whitelist. Once the log shows no denies for valid applications, distribute the rule to the production system. It is also recommended to run it in test mode on the live system for a few days: there may be legitimate processes accessing these files that did not occur in the test environment.
Naturally the protected files/extensions can be broadened, but remember to broaden the whitelisted applications accordingly, and re-test the rule after every change.
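To make the allow/deny logic and the whitelist-tuning step concrete, here is an added example in Python (it is not part of the original post and not SEPM code): it evaluates the rule for a list of (process, file) accesses and reports which processes would be denied, which is what you look for in the test-mode log before going to production. The Office and SEP install paths, the hypothetical filing application and the sample events are constructed assumptions, and the example generalizes the point that the whitelist should match on the full process path rather than on the bare executable name.

```python
"""Offline simulator for the "protect Office documents" Application
Control rule: whitelisted processes may touch anything; every other
process is denied access to *.doc/*.docx/*.xls/*.xlsx and allowed
everything else. Run it over test-mode events to tune the whitelist.
(Added example; not SEPM's own rule engine.)"""
from collections import Counter
from pathlib import PureWindowsPath

# Exempted processes, matched on the FULL image path (case-insensitive).
# Matching on the bare name would let a dropper saved as WINWORD.EXE in
# %TEMP% inherit Word's exemption. All paths below are assumptions; use
# the real install locations of your enterprise applications.
WHITELIST = {
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Symantec\Symantec Endpoint Protection\ccSvcHst.exe",
    r"C:\Program Files\FilingApp\filing.exe",  # hypothetical line-of-business app
}
PROTECTED_EXT = {".doc", ".docx", ".xls", ".xlsx"}


def _norm(path: str) -> str:
    """Canonical form for path comparison: backslashes, lower case."""
    return path.replace("/", "\\").strip().lower()


_WHITELIST_NORM = {_norm(p) for p in WHITELIST}


def is_whitelisted(image_path: str) -> bool:
    return _norm(image_path) in _WHITELIST_NORM


def is_protected(file_path: str) -> bool:
    # Extension compared lower-cased: REPORT.XLSX is as protected as report.xlsx
    return PureWindowsPath(file_path).suffix.lower() in PROTECTED_EXT


def decide(image_path: str, file_path: str) -> str:
    """Outcome of the rule for one file access: 'allow' or 'deny'."""
    if is_whitelisted(image_path):
        return "allow"
    return "deny" if is_protected(file_path) else "allow"


def tuning_report(events):
    """Count would-be denies per process over test-mode events.

    events: iterable of (image_path, file_path) pairs, as you would
    extract them from the Application Control log. Every process that
    shows up here is either malware or a legitimate application that
    still needs to be whitelisted; that decision is the tuning step."""
    denies = Counter()
    for image_path, file_path in events:
        if decide(image_path, file_path) == "deny":
            denies[_norm(image_path)] += 1
    return denies


# Constructed sample of test-mode events (not real SEPM log output).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"\\fs01\finance\q4.docx"),
    (r"C:\Windows\explorer.exe", r"\\fs01\finance\q4.docx"),
    (r"C:\Program Files\7-Zip\7z.exe", r"\\fs01\finance\archive\old.xls"),  # legit app: whitelist it
    (r"C:\Program Files\7-Zip\7z.exe", r"\\fs01\finance\archive\old.pdf"),  # .pdf is not protected
    (r"C:\Users\jdoe\AppData\Local\Temp\WINWORD.EXE", r"\\fs01\finance\q4.docx"),  # name-spoofing dropper
    (r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", r"\\fs01\finance\REPORT.XLSX"),
    (r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", r"\\fs01\finance\notes.txt"),
]

if __name__ == "__main__":
    for proc, n in tuning_report(SAMPLE_EVENTS).most_common():
        print(f"{n:3d} denies  {proc}")
```

In the sample, 7z.exe is the kind of hit the test phase exists to find (a legitimate tool that must be added to the whitelist before production), while the two processes in %TEMP% are exactly what the rule is meant to stop, including the one that borrowed Word's file name.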
You can find the settings for sending mail to administrators at the following link:
https://www-secure.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection
in section 2: "Create a 'Notification condition' under Monitors/Notifications".
Hi,
Did you change this policy from test to production?
https://www.symantec.com/connect/sites/default/files/users/user-3632631/encoding_deny_3.jpg
Can someone guide me on how to create a policy in SEPM? Like steps.
Can we test the policy on one particular system?
We have an application and device control policy in place to block *.Zepto, *.Crypto, *.Cerber.
We have tested the policy manually by trying to create a file with the mentioned extensions. The Symantec AV client is killing the process, as it recognizes the file extensions that should not be allowed to execute.
However, this is not working in a real scenario. We had ransomware infections even though this policy is active on the machines. The ransomware is able to change the file extensions to *.Zepto, *.Crypto, *.Cerber.
I suspect the application policy is not working effectively when the actual attack happens. It is somehow bypassing the Symantec AV application policy and changing the file extensions after encrypting.
Any suggestions please...
I think yes.
More info:
https://www.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection
Add *.zepto to the list.
Hi Viktor,
Are you able to restrict Zepto ransomware attacks using this?
Yes, we have been using it since April 2016 in the production environment. It is very useful. There have been no ransomware infections since.
Is anyone using this policy in a production environment? How useful is it? I would appreciate your feedback. Thanks