Chicago Security User Group

  • 1.  Temp Space Executables

    Posted Dec 18, 2013 12:55 PM

    I wanted to ask this of the forum, to see if anyone else is doing this. We have been thinking of using a SEP Application & Device Control Policy to monitor for executables launching from temp space. I figure we could monitor places like:

    %AppData%\*

    %LocalAppData%\*

    C:\ProgramData\*

    %ProgramData%\*

    ........ [etc]


    The idea would be we would be able to see "strange" executables that get launched on an endpoint from this space. I know that a lot of these would be false positives, but we would be able to see malicious executables that get launched from these locations as well.

    We were also thinking of adding the .exe, .dll, etc. files that Metasploit, SET, BeEF, PowerSploit, etc. use as well. That way we could see if any of these malicious files start running on endpoints.

    Anyone have any luck with this?
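    One practical wrinkle with the locations listed above is that endpoint logs carry the expanded per-user path (C:\Users\<name>\AppData\Roaming\...), not the %AppData% variable, so a matcher has to translate each variable into a pattern that covers any user. The following Python is an added example, not code from the original post; the event records are constructed, and the variable-to-path mappings assume the default Windows profile layout.

```python
import re

# Locations from the thread, written the way the policy would express them.
MONITORED = [r"%AppData%\*", r"%LocalAppData%\*", r"C:\ProgramData\*", r"%ProgramData%\*"]

# Expanded form of each variable for any user on any drive (assumes the
# default Windows profile layout; logs never contain the %Var% itself).
VAR_PATTERNS = {
    "%appdata%": r"[A-Za-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%localappdata%": r"[A-Za-z]:\\users\\[^\\]+\\appdata\\local",
    "%programdata%": r"[A-Za-z]:\\programdata",
}


def location_to_regex(location):
    """Turn a policy-style location (variables, trailing *) into an anchored regex."""
    out = []
    for part in location.split("\\"):
        key = part.lower()
        if key in VAR_PATTERNS:
            out.append(VAR_PATTERNS[key])
        elif part == "*":
            out.append(r".*")          # anything below the directory, any depth
        else:
            out.append(re.escape(part))  # literal directory component
    return re.compile("^" + r"\\".join(out) + "$", re.IGNORECASE)


def flag_temp_space_launches(events, locations=MONITORED):
    """Return the process-launch events whose image path sits under a monitored location."""
    regexes = [location_to_regex(loc) for loc in locations]
    return [e for e in events if any(r.match(e["image"]) for r in regexes)]


# Constructed process-launch records, as a SIEM might receive them from the endpoint.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Roaming\update.exe"},
    {"host": "WS01", "user": "jdoe", "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS02", "user": "asmith", "image": r"C:\ProgramData\svc\run.exe"},
    {"host": "WS02", "user": "asmith", "image": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for hit in flag_temp_space_launches(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]} launched {hit["image"]}')
```

    Note that "C:\Program Files\..." is not flagged by the C:\ProgramData\* location because the regex anchors on the full directory component, which is the kind of near-miss that inflates false positives if the match is done as a plain substring.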



  • 2.  RE: Temp Space Executables

    Posted Dec 18, 2013 12:57 PM

    I monitor those and other directories all the time. Malware is known to hide in a few of the above places. It's a good start for what you're wanting to do.



  • 3.  RE: Temp Space Executables

    Posted Dec 18, 2013 01:01 PM

    I have a list of 10 such places that we are going to monitor. I know that c:\windows\system32 is another popular spot, but that seems like it would be hell to monitor.



  • 4.  RE: Temp Space Executables

    Posted Dec 18, 2013 01:11 PM
    It can be, but I forward logs to a SIEM and run queries to get what I need.


  • 5.  RE: Temp Space Executables

    Posted Dec 18, 2013 01:21 PM

    That was our initial plan as well. Trying to run reports in the SEPM console is painful at best.

    Thanks!



  • 6.  RE: Temp Space Executables

    Posted Dec 18, 2013 01:50 PM

    Yea, logging/reporting in SEPM leaves a lot to be desired.



  • 7.  RE: Temp Space Executables

    Posted Dec 19, 2013 05:52 AM

    Hi mtju,

    Don't know if you have seen this; it might be of interest if you are using SONAR with SEP 12.1.

    Using SEPM Alerts and Reports to Combat a Malware Outbreak
    https://www-secure.symantec.com/connect/articles/using-sepm-alerts-and-reports-combat-malware-outbreak