Endpoint Protection

  • 1.  Protect SEP files and registry keys

    Posted Apr 10, 2012 01:13 PM

    Running SEP 12.1.1000.157 RU1.  There's an Application and Device Control policy that can be downloaded from Symantec here:

    http://www.symantec.com/business/support/index?page=content&id=TECH132337

    The webpage above says under point number 1: "Protects Symantec Endpoint Protection files and registry keys".  The webpage says it was updated 2012-03-13 so I thought there were some added policies and I just downloaded the .rar file and imported the .dat file to view the policy.  However, the rule that "Protects SEP files and registry keys" is nowhere to be found.  I remember when this first came out for SEP 11 the policy used to have that rule as number [AC1].

    Does Symantec think this rule is no longer needed?




  • 2.  RE: Protect SEP files and registry keys
    Best Answer

    Trusted Advisor
    Posted Apr 10, 2012 01:26 PM

    Hello,

    Correct, this policy is not needed.

    Similar to this Thread:

    https://www-secure.symantec.com/connect/forums/ac1-rule-set-protect-client-files-and-registry-keys-missing

    Also, check this Article:

    SEP Application Control policy to protect executable file registry configuration

    http://www.symantec.com/docs/TECH171301

    Hope that helps!!



  • 3.  RE: Protect SEP files and registry keys

    Posted Apr 10, 2012 01:39 PM

    Thanks, that helps a little.  I agree with JUSTICE's comment that having them both complement each other.  And I'm not only citing x64 but x32 as well.

    I had an x32 SEP 12.1 client get attacked by Smart Fortress 2012.  I had the client in "test mode", so All Users\Application Data didn't get blocked.  Looking at the log, the malware first tried to stop SEP... wait, I think I just answered my own question and confirmed greg12's comment.  I didn't have this [AC1] rule, yet SEP 12.1 prevented the malware from terminating the SEP processes anyway.  So Tamper Protection must have worked.  However, the malware continued because All Users\Application Data wasn't blocked.  Well, that's the risk of implementing rules.  You have to leave them in test mode to see if any legitimate programs get blocked.

    Thanks, Tom.
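The post above leaves an Application and Device Control rule for the All Users\Application Data path in test mode until it is known which legitimate programs would be blocked. The script below is an added example, not from this thread or from Symantec: it inventories executables under that tree and shows their Authenticode signer, so an admin can review what a "block execution from this path" rule would hit before switching it from Test to Production. The path choice is an assumption (on XP the tree is "$env:ALLUSERSPROFILE\Application Data"; on Vista and later it is $env:ProgramData), and the script needs PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the thread): list executable files under the
# "All Users\Application Data" tree with their code-signing status, to review
# what an ADC "block execution from this path" rule would catch.
# Assumption: $env:ProgramData exists on Vista+; on XP fall back to
# "$env:ALLUSERSPROFILE\Application Data".
$Root = if ($env:ProgramData) {
    $env:ProgramData
} else {
    Join-Path $env:ALLUSERSPROFILE 'Application Data'
}

Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature is a built-in cmdlet; Status is e.g. Valid,
        # NotSigned, HashMismatch or UnknownError.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        New-Object PSObject -Property @{
            Path     = $_.FullName
            Status   = $sig.Status
            Signer   = $signer
            Modified = $_.LastWriteTime
        }
    } |
    Select-Object Path, Status, Signer, Modified |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Unsigned files or files with a HashMismatch status are the ones to look at first; a signed file from a known vendor that lives under this path is a candidate for an exclusion in the ADC rule, while anything dropped there recently and unsigned is what the rule is meant to stop.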