Endpoint Protection

  • 1.  SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 08, 2012 12:06 AM

    Hi

    I had implemented an application and device control policy to block some applications from running.

    The problem is that once the .exe is renamed the policy doesn't work.

    So I was figuring out a policy which will block users from renaming the .exe files.

    If you find anything, please share.



  • 2.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 08, 2012 02:24 AM

    Hi,

    Use the URL below, which meets your requirement:

    http://www.symantec.com/business/support/index?page=content&id=TECH93451



  • 3.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 08, 2012 02:26 AM

    From the above document you can block applications using their MD5, so users cannot rename any files which are blocked through Application blocking.



  • 4.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 08, 2012 03:27 AM

    You are right, I also have tried out blocking with MD5, but the issue is that the File Fingerprint list is different for different versions of the same software.

    Hence maintaining a list of MD5s for a single software increases maintenance.

    Hence I thought I would block files by their .exe name and make a policy which prevents renaming of exe files, to successfully block apps by their .exe names.



  • 5.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 08, 2012 05:38 AM

    But blocking through the MD5 hash is a good option to configure. I have configured the same in our environment for some applications.



  • 6.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 10, 2012 01:41 AM

    We can use the file fingerprint option to block the exe files. At the start I also faced the same issue: users renamed the files and used them. But now it is not possible.

    Use the file fingerprint option. Search for the application value in Symantec itself (search application).



  • 7.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 10, 2012 08:44 AM

    But if the software is stored in a different place, the MD5 changes and the policy doesn't take effect.

    For example, if we calculate the MD5 of vlc.exe in the C:\XYZ folder and the C:\ABC folder, the MD5 hash is different.

    I would like to know how you configured the policy. Please share so that I can get a better idea.

    Also, if you do know a policy that prevents renaming of .exe files stored anywhere in your drives, please let me know.



  • 8.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 10, 2012 10:52 AM

    DLLs are harder to rename, relocate and change less frequently.



  • 9.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Feb 13, 2012 04:43 AM

    1. Go to the computer that contains the image for which you want to create a file fingerprint list. The computer must have Symantec Endpoint Protection client software installed.

    2. Open a command prompt window.
    3. Navigate to the directory that contains the file Checksum.exe. By default, this file is located in the following location:

      C:\Program Files\Symantec\Symantec Endpoint Protection

    4. Type the following command:

      checksum.exe outputfile drive

      where outputfile is the name of the text file that contains the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).

      The following is an example of the syntax you use:

      checksum.exe cdrive.txt c:\

      This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.

    To assign the policy, do the following:

    1. Log into the Symantec Endpoint Protection Manager (SEPM).
    2. Click on the Policies.
    3. Select edit the Application and Device control policy.
    4. Click on Application Control in left hand pane. In the right hand pane, right click and select ADD.
    5. Type in a context relevant name for the new rule in the Rule set name field.
    6. Click on the ADD button at the bottom and select ADD Rule.
    7. Right click newly created rule and choose Add Condition > Launch Process Attempts.
    8. Click on the ADD button for Apply to following files and folders.
    9. Click on Options at the bottom and select Match the file fingerprint and provide the value: 30deaf54a9755bb8546168cfe8a6b5e1 (This is for Windows XP. Please find below the procedure to find the file fingerprint).
    10. Click on OK.
    11. Click on the Actions tab and select Block Access in either of the "Read Attempt" and "Create, Delete, or Write Attempt" sections.
    12. Click on OK.
    13. Click on OK.
    14. Ensure that the newly edited policy is selected/highlighted and select Assign the Policy under "Tasks" in the left hand pane.
    15. In the new window, under the "Assign Policy" field, select the respective groups to assign the policy to.

     

    Regards

    Mark as a solution if it works
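
    An added example, not part of the original thread and not Symantec's checksum.exe: a Python scan that fingerprints every .exe and .dll under a folder and reports the files whose content matches a blocked fingerprint. It assumes, as in the posts above, that the fingerprint is an MD5 of the file's bytes; the folder names, file names and sample bytes are constructed.

```python
import hashlib
import os
import shutil
import tempfile

EXTENSIONS = (".exe", ".dll")  # file types the thread says checksum.exe lists

def fingerprint(path, chunk_size=65536):
    """MD5 of the file's bytes; the name and folder are never hashed."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan(root):
    """Walk root and return {fingerprint: [paths]} for every .exe/.dll."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                found.setdefault(fingerprint(path), []).append(path)
    return found

def blocked_copies(root, blocked):
    """Paths under root whose content matches a blocked fingerprint."""
    hits = []
    for digest, paths in scan(root).items():
        if digest in blocked:
            hits.extend(paths)
    return sorted(hits)

def demo():
    """Constructed sample: one build, a renamed copy, and a newer build."""
    root = tempfile.mkdtemp()
    try:
        for sub in ("XYZ", "ABC", "NEW"):
            os.mkdir(os.path.join(root, sub))
        original = os.path.join(root, "XYZ", "player.exe")
        with open(original, "wb") as handle:
            handle.write(b"MZ constructed sample build 1.0")
        shutil.copy(original, os.path.join(root, "ABC", "notes.exe"))  # renamed and moved
        with open(os.path.join(root, "NEW", "player.exe"), "wb") as handle:
            handle.write(b"MZ constructed sample build 1.1")  # same name, new version
        hits = blocked_copies(root, {fingerprint(original)})
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in hits]
    finally:
        shutil.rmtree(root)
```

    The renamed copy in ABC matches the blocked fingerprint, while the newer build in NEW does not, which is the per-version maintenance cost raised earlier in the thread.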



  • 10.  RE: SEP 12 App & Dev control policy to block renaming of .exe files

    Posted Mar 01, 2012 06:41 AM

    Hi All

    I was successful in creating a new policy which blocks renaming of .exe files.

    Now users can't rename the blocked applications' exe files.

    So now any application can be blocked by its .exe name.

    Thanks for all your inputs.