Endpoint Protection

  • 1.  SEP Hardening Policy - Application control Problems

    Posted May 25, 2011 03:35 AM

    Hi there,

    I have many problems, general malfunctions and questions about Application Control, but don't want to open another case.

    I'd like to hear your experience with: Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security (http://www.symantec.com/docs/TECH132337)

    1. Our Windows XP SP3 update installations get interrupted by "Protect client files and registry keys" [AC1]

    2. The Internet Explorer 8 installation gets interrupted by "Prevent changes to system using Internet Explorer (IPS)" [AC14]

    3. IE: manual and on-close cleaning of history and cache gets blocked by "Prevent changes to system using Internet Explorer (IPS)" [AC14] - 1.2, because of rundll32.exe.

    Can someone give me useful tips for extending these and/or the other Symantec policies to avoid more problems?
    Maybe it would be helpful to open a separate forum space for completing and updating these rule sets?

    regards,
    stephan



  • 2.  RE: SEP Hardening Policy - Application control Problems

    Posted May 25, 2011 04:45 AM

    Are these from Symantec Endpoint?

    Do you have the Network Threat Protection component installed?



  • 3.  RE: SEP Hardening Policy - Application control Problems

    Posted May 25, 2011 05:16 AM

    I'm using SEP(M) 11.0.6300 with all components installed.



  • 4.  RE: SEP Hardening Policy - Application control Problems

    Trusted Advisor
    Posted May 25, 2011 06:40 AM

    Hello,

    Basically, the Application and Device Control Policy enables all the protection it carries, providing the maximum protection.

    If you want to disable or view it, please check the following:

    1) Log in to the SEPM

    2) Go to the Application and Device Control Policy and check whether "Protect client files and registry keys" is checked. If yes, uncheck it.

     

    3) In regard to the IE issue, check whether you have any Intrusion Prevention Policy applied for IE; if so, remove it.

    Basically, when you apply this policy, it checks all the check boxes shown above.

    When reading the article "Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security":

    http://www.symantec.com/docs/TECH132337

    These policies are for better security:

    1. Protects Symantec Endpoint Protection files and registry keys

    Numerous threats attack Symantec Endpoint Protection in an attempt to gain access to protected machines. This rule set protects Symantec Endpoint Protection’s registry keys, files, processes and services from outside interference. Enabling this rule could interfere with any non-Symantec products that attempt to integrate with Symantec Endpoint Protection.

    2. Prevents Internet Explorer and Firefox from writing code to WINDIR and Program Files, including subdirectories / Prevents Internet Explorer from launching code except in WINDIR and Program Files

    Internet Explorer drive-by downloads are a very common threat vector. This rule prevents many such attacks by blocking access to locations typically written to by threats. Users also will be unable to download executables to WINDIR or anywhere in Program Files, but can continue to download to the Desktop, My Documents, or Downloads directories.
    Exclusions are already in place for Windows Updates.

    Extra care should be used when rolling out this rule. It has been included in this set due to its power to block threats, but it has consequences that should be considered. First, this rule can interfere with new ActiveX controls, which are effectively code Internet Explorer downloads and runs. Second, users will no longer be able to Run downloaded executables directly from the browser. Instead they will be required to Save As to disk before running.

    3. Prevents IE from running commonly exploited system code such as wscript, telnet, mshta, cmd, ftp, rundll32, reg, and at.

    This rule blocks some common ways threats run after triggering a browser exploit. Legitimate use of these programs by browsers is rare.

    4. Prevents registration of new browser helper objects.

    Browser Helper Objects, also known as BHOs, are commonly used by threats to spy on or interfere with web browsing. This rule is useful if your organization does not allow BHOs or has a pre-installed set of allowed BHOs.

    5. Prevents registration of new browser toolbars.

    Browser toolbars, like BHOs, are used to spy on or interfere with web browsing. This rule is useful if your organization does not allow browser toolbars or has a pre-installed set of allowed browser toolbars.

    I would suggest a must-read article:

    How the Application and Device Control Hardening policy works

    http://www.symantec.com/docs/TECH132307



  • 5.  RE: SEP Hardening Policy - Application control Problems

    Posted May 25, 2011 07:58 AM

    Thanks for your answers. I know these KBs and know how the policies are applied and work.

    But the explanation and function are a little bit confusing.

    In Mithun's "These policies are for better security", item 2, it says:
    * Exclusions are already in place for Windows Updates.

    IE version updates come through Windows Update. OK, I know that this is a big installation.


    In item 3 it says:
    * Prevents IE from running commonly exploited system code.... Legitimate use of these programs by browsers is rare.

    I don't think that cleaning history or deleting cookies is rare; it's also an easy-to-activate
    feature to clean those files when closing the browser. With rundll32.exe in this rule, these files are not deleted and will remain forever on that system.
    The cleaning process is initiated by the following command:
    RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255 (delete all)
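
    The rule interactions described in reply 4 (items 2 and 3 of the hardening set) and the rundll32.exe history-cleaning collision raised in the post above, modelled as an added example that is not from the original thread or from Symantec's own policy engine. It is a small Python evaluator for the "launch" and "write" rules: directory roots, browser image names, the code-file extensions, the sample events and the exception mechanism are all assumptions made for illustration, not SEP's actual matching logic or SEPM exception UI.

    ```python
    """
    Toy evaluator for the SEP hardening rules discussed in the thread.

    Constructed example, not Symantec's engine: the roots, image names,
    extension list and events below are assumptions chosen to show how
    rule 2 (write/launch restricted to WINDIR and Program Files) and
    rule 3 (IE may not launch listed system tools) interact.
    """
    from dataclasses import dataclass
    from pathlib import PureWindowsPath

    WINDIR = PureWindowsPath(r"C:\Windows")                       # assumption
    PROGRAM_FILES = (PureWindowsPath(r"C:\Program Files"),          # assumption
                     PureWindowsPath(r"C:\Program Files (x86)"))
    BROWSERS = {"iexplore.exe", "firefox.exe"}
    CODE_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".cpl"}      # assumption
    # Rule 3 of TECH132337: system tools that IE must not launch.
    BLOCKED_FROM_IE = {"wscript.exe", "telnet.exe", "mshta.exe", "cmd.exe",
                       "ftp.exe", "rundll32.exe", "reg.exe", "at.exe"}

    RULE_LAUNCH_TOOLS = "Prevent IE from running commonly exploited system code"
    RULE_LAUNCH_DIRS = "Prevent IE from launching code except in WINDIR and Program Files"
    RULE_WRITE_DIRS = "Prevent browsers from writing code to WINDIR and Program Files"


    def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
        """True when path lies inside root (PureWindowsPath compares case-insensitively)."""
        try:
            path.relative_to(root)
            return True
        except ValueError:
            return False


    def _in_system_dirs(path: PureWindowsPath) -> bool:
        return _under(path, WINDIR) or any(_under(path, p) for p in PROGRAM_FILES)


    @dataclass(frozen=True)
    class Event:
        kind: str    # "launch" (actor spawns target) or "write" (actor writes target)
        actor: str   # image name of the acting process
        target: str  # child image path for launch, file path for write


    def evaluate(event: Event, exceptions=frozenset()):
        """Return (decision, rule): 'allow'/'block' and the rule that fired, if any.

        `exceptions` is a set of image names an admin has chosen to let through;
        it stands in for a configured exclusion, not SEP's real exception model.
        """
        actor = event.actor.lower()
        target = PureWindowsPath(event.target)
        name = target.name.lower()
        if name in exceptions:
            return "allow", "admin exception"
        if actor not in BROWSERS:
            return "allow", None          # rules 2 and 3 only constrain browsers
        if event.kind == "launch" and actor == "iexplore.exe":
            if name in BLOCKED_FROM_IE:   # matched by image name, path is irrelevant
                return "block", RULE_LAUNCH_TOOLS
            if not _in_system_dirs(target):
                return "block", RULE_LAUNCH_DIRS
        elif event.kind == "write":
            if target.suffix.lower() in CODE_EXTENSIONS and _in_system_dirs(target):
                return "block", RULE_WRITE_DIRS
        return "allow", None


    def audit(events, exceptions=frozenset()):
        """Evaluate a batch of events; returns [(target, decision, rule), ...]."""
        return [(e.target, *evaluate(e, exceptions)) for e in events]


    # Constructed sample events (not captured from a real SEP client).
    SAMPLE_EVENTS = [
        # IE clearing history: spawns rundll32 InetCpl.cpl,ClearMyTracksByProcess
        Event("launch", "iexplore.exe", r"C:\Windows\System32\rundll32.exe"),
        # user clicks "Run" on a download: launched from outside WINDIR/Program Files
        Event("launch", "iexplore.exe", r"C:\Users\stephan\Downloads\setup.exe"),
        # drive-by attempt to drop a DLL under Program Files
        Event("write", "iexplore.exe", r"C:\Program Files\Acme\drop.dll"),
        # ordinary "Save As" to Downloads is still allowed
        Event("write", "iexplore.exe", r"C:\Users\stephan\Downloads\setup.exe"),
        # rule 3 names IE only; Firefox is not covered by it
        Event("launch", "firefox.exe", r"C:\Windows\System32\rundll32.exe"),
        # a non-browser process (e.g. the update agent) is outside both rules
        Event("launch", "wuauclt.exe", r"C:\Windows\System32\rundll32.exe"),
    ]

    if __name__ == "__main__":
        for row in audit(SAMPLE_EVENTS):
            print(row)
        print("with rundll32.exe excepted:", evaluate(SAMPLE_EVENTS[0], frozenset({"rundll32.exe"})))
    ```

    Note what the first event shows: rundll32.exe lives under WINDIR, so the directory rule of item 2 would let it through, but item 3 matches on image name and blocks it regardless of path, which is why the ClearMyTracksByProcess cleanup never runs. The toy exception is also by image name, so lifting the block for rundll32.exe to restore history cleaning also re-admits every other rundll32 invocation from IE, the very LOLBin pattern the rule was written against; that trade-off is the thing to weigh before adding such an exclusion in the SEPM.
    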



  • 6.  RE: SEP Hardening Policy - Application control Problems

    Posted Nov 08, 2011 10:18 AM

    I am trying to use the hardening policy on my network. Could someone point me in the right direction as to how to allow MS Live Meeting when this policy is active?



  • 7.  RE: SEP Hardening Policy - Application control Problems

    Posted Feb 08, 2012 01:51 PM

    I also agree with all the points you mentioned above. I had the same issue, but I allowed the msiexec.exe file to run on client computers. Now I can install updates without interruption.

    But you just need to find the rule for the time being, because I am on leave and I do not remember which number rule it was. As soon as I am back in the office I can reply to you with details.

    Please let me know once you find the rule.

    good luck

    Hakeem