
Symantec Endpoint Protection: Modifying the XML-based Policies for Increased Functionality 

Apr 30, 2014 01:41 PM

Overview: 
While you may not realize it, any .dat policy exported from the Symantec Endpoint Protection Manager is simply a compressed XML file. By changing the extension from .dat to .zip, you gain access to the actual input values for the policies. Having direct access to these values gives you a more granular way to control how your policy works.* One such example is creating administrator-defined scans based on drive letter (C:\, D:\, etc.).

Exploring the policies in their XML formats can provide a better understanding of the way that policies are constructed on the backend. In this document, I'll walk through the process of creating a custom scanning policy that relies on the drive letter to assign a new scan. This is just one of the many possibilities that editing the XML policies creates.**

Requirements:
Symantec Endpoint Protection 12.1.x***
Symantec Endpoint Protection Manager 12.1.x***

Difficulty Level:
Intermediate-Advanced

Instructions:

  1. First, we need to export a policy from the Symantec Endpoint Protection Manager (SEPM). Open the SEPM console and click the “Policies” tab.

    1_0.png

  2. Highlight the Virus and Spyware Protection policy.

    2_0.png

  3. Select one of the three default policies. We'll choose Virus and Spyware Protection policy - Balanced. Right-click the policy and click Edit.

    3_0.png

  4. Highlight “Administrator-Defined Scans” on the left-hand side.

    4_0.png

  5. For this next step, we will create new “template scans”. These are the values which we will later edit in the XML code itself. This is the most important step for creating new, custom policies. You may add as many as you like. For this example, we’ll just add the first three letters of the alphabet: A:\, B:\, and C:\. Let’s start by adding C:\, where most people choose to install their Windows files.

    To begin, click “Add” in the Scheduled Scans section.

    5_0.png

  6. Ensure the “Create a new scheduled scan” radio button is selected, and click OK.

    6.png

  7. Name the policy “C:\”. (You may name the policy whatever you like, but this will make the XML editing process much easier. For now, let's just use C:\.) Enter your description. Select “Custom Scan” from the Scan Type drop-down list.

    7.png

  8. Select Edit Folders.

    8.png

  9. Select the Scan selected folders radio button, and check COMMON_APPDATA. Click OK to exit the Edit Folders window.

    9.png

  10. Observe the key change. Previously, the Scan the following folders text area displayed ALL_FOLDERS. Now it displays COMMON_APPDATA. This is a crucial difference: this box must not read ALL_FOLDERS.

    10.png

  11. De-select Memory, Common infection locations, and Well-known virus and security risk locations.

    11.png

  12. Check “Save a copy as a scheduled Scan Template”, and click OK to exit the Edit Scheduled Scan window.

    12.png

  13. Your scheduled scan C:\ has been created. Proceed to the next step.

    13.png

  14. At this point, you must decide how many drives you would like to be able to scan discretely. You may use as many as you like, but in this example, we’ll use just three: A:\, B:\, and C:\. This means that we’ll need to add two new scans from the template. Click the Add button and select Create a scheduled scan from a Scheduled Scan Template. Check the policy you just created, C:\. Click OK to exit the window.

    14.png

  15. Complete step 14 n times, where n is the number of drives you wish to be able to scan discretely. For our example, we’ll create our three policies and name them respectively A:\, B:\, and C:\. (A pre-built policy for SEPM 12.1.4 is available here, with all 26 drive letters accessible.) When your scan window matches the image below, you are ready to proceed. Click OK to exit the policy edit window.

    15.png

  16. Ensure that the Balanced policy is highlighted, and select “Export the policy” on the lower left-hand Tasks panel.

    16.png

  17. Select Export.

    17.png

  18. Navigate to the folder where you have exported your policy. Change the file extension from .dat to .zip.

    18.png

    Note: If you do not see file extensions in the file name, ensure that the option in Windows “Show or hide file name extensions” has been enabled. (Click here for more information on configuring this setting.)

  19. Unzip the folder and extract main.xml. Open this file with a text editor such as Notepad or Notepad++, but not a word processor like Microsoft Word.

    19.png

  20. Once you have opened the file, quickly find the policies we have created by running a Find command. Let’s run a Find command on the document to search for the string A:\. This will help us home in on the exact string we're trying to replace.

    20.png

  21. Near the string A:\ that you located in step 20, usually one line down, there is another string: ScanDirectories="[COMMON_APPDATA]". This is the string that will be modified. Replace COMMON_APPDATA with your drive letter, A:\, and make sure you remove the square brackets as well.

    21.gif

  22. Repeat steps 20 through 21 for the remaining drives (run a Find command for B:\ and C:\ and replace them as above).
     When you have made all of the string replacements, save your work. Then exit your text editor and re-compress your main.xml file.

    22.png

  23. Rename the file main.zip to New Policy.dat. This file is now ready for import in the SEPM.

    23.png

  24. Open your SEP Manager and navigate to the Policies tab.

    1_0.png

  25. Select Import a Virus and Spyware Protection Policy.

    25.png

  26. Navigate to the directory where New Policy.dat exists. Select the file and click Import.

    26.png

  27. You will receive a prompt alerting you that this policy already exists. Type New Policy in the Specify a different name field. Click OK to exit the Input window.

    27.png

  28. Right-click on your new policy and click Edit, then click Administrator-defined scans in the policy edit window.

    28.png

  29. Right-click on A:\ to open the Edit Scheduled Scan window.

    29.png

  30. Observe the change. Where the Scan the following folders text area used to display [COMMON_APPDATA];, it now displays the drive letter A:\;.

    30.jpg

  31. Congratulations! You can now create custom scans based on drive letter. These policies can integrate with your other administrator-defined scan policies as well.
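
Steps 18 through 23 as a script, added here as an example and not part of the original article or of Symantec's tooling: it opens the exported .dat as a zip, rewrites the [COMMON_APPDATA] placeholder for every scan named after a drive letter, leaves scans with other names alone, and checks that main.xml is still well-formed XML before repacking. The main.xml sample is constructed; its ScheduledScan element and Name attribute are hypothetical, and the script assumes the scan name and ScanDirectories are attributes of the same element, in line with the article's note that they sit about one line apart.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A start tag naming a drive-letter scan (e.g. "C:\") that still carries the placeholder.
DRIVE_SCAN = re.compile(r'("([A-Z]:\\)"[^>]*?)ScanDirectories="\[COMMON_APPDATA\]"')

# Constructed stand-in for main.xml: only ScanDirectories and [COMMON_APPDATA] come
# from the article; the ScheduledScan element and Name attribute are hypothetical.
SAMPLE_MAIN_XML = """<?xml version="1.0"?>
<Policy>
  <ScheduledScan Name="Weekly" ScanDirectories="[COMMON_APPDATA]"/>
  <ScheduledScan Name="A:\\"
      ScanDirectories="[COMMON_APPDATA]"/>
  <ScheduledScan Name="C:\\"
      ScanDirectories="[COMMON_APPDATA]"/>
</Policy>
"""

def rewrite_drive_scans(xml_text):
    """Steps 20-22 as code. Returns (new_text, list of drives rewritten); a scan
    with any other name, such as "Weekly" above, keeps its placeholder."""
    done = []
    def swap(m):
        done.append(m.group(2))
        return f'{m.group(1)}ScanDirectories="{m.group(2)}"'
    new_text = DRIVE_SCAN.sub(swap, xml_text)
    ET.fromstring(new_text)  # fail here, not at SEPM import, if the edit broke the XML
    return new_text, done

def rebuild_policy(dat_bytes):
    """Steps 18-23 as code: open the .dat as a zip, rewrite main.xml, repack every member.
    Returns (new_dat_bytes, new_main_xml_text, drives rewritten)."""
    out, text, done = io.BytesIO(), None, []
    with zipfile.ZipFile(io.BytesIO(dat_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "main.xml":
                text, done = rewrite_drive_scans(data.decode("utf-8"))
                data = text.encode("utf-8")
            dst.writestr(info, data)
    if text is None:
        raise ValueError("no main.xml in export; is this really a SEPM policy .dat?")
    return out.getvalue(), text, done

def make_sample_dat(main_xml=SAMPLE_MAIN_XML):
    # Pack the constructed main.xml into an in-memory .dat so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("main.xml", main_xml)
    return buf.getvalue()
```

Write the returned bytes to New Policy.dat and import them as in steps 24 through 27.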









Thank you for reading this article, please leave a comment below on your experience with this process.

*The information in this article is for education purposes only: editing policies in this way may create unexpected behavior in your environment or cause the product to malfunction. XML customized policies may not be compatible between versions of SEP.

**Please be responsible and test your policies thoroughly before deploying them to your production network.

***Policies are not likely to be compatible between versions (e.g. policies created in a 12.1.4 SEPM may not necessarily be deployable to 12.1.3 clients).

Comments

Oct 06, 2019 04:11 AM

Wonderful information. I used this information in my project work, "dat file". Thanks for sharing this article with us.
