How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies

Article: TECH102525 | Created: 2007-01-26 | Updated: 2010-12-08 | Article type: Technical Solution | Article URL http://www.symantec.com/docs/TECH102525

Issue



You would like to know how to configure Application and Device Control (ADC) Application policies.


Solution



Application and Device Control Policies

An Application and Device Control Policy offers two types of control, or protection, over client computers: application control and device control. Administrators use:

    • Application control to monitor Windows API calls made on client computers and to control access to client computers' files, registry keys, and processes.
    • Device control to manage the peripheral devices that users can attach to desktop computers.

Note: Application and Device Control Policies do not work on 64-bit client computers.

About Application Control

Application control blocks or allows the defined applications that try to access system resources on a client computer. Application control is implemented using application control rule sets. An application control rule set contains one or more rules that you create. Each rule contains one or more conditions. Use application control rule sets to define the application control part of your Application and Device Control Policy. Five categories of conditions are available. The categories are as follows:

Condition                          Description
Registry Access Attempts           Allow or block access to a client computer's registry settings.
File and Folder Access Attempts    Allow or block access to defined files or folders on a client computer.
Launch Process Attempts            Allow or block the ability to launch a process on a client computer.
Terminate Process Attempts         Allow or block the ability to terminate a process on a client computer. For example, you may want to block a particular application from being stopped.
Load DLL Attempts                  Allow or block the ability to load a DLL on a client computer.


Launch Process Attempts example

In this example, I have configured a policy to prevent Textpad from launching Firefox:

    • First, configure the process that should be monitored (Textpad.exe) and add the desired condition.

[Screenshot: Application_Control_Rulset2.jpg]

    • Next, select the process that should not be launched by the process you're monitoring (Firefox).

[Screenshot: Application_Control_Rulset3.jpg]

    • Then, select the action to take. In the example below, the action is to terminate Textpad if it tries to launch Firefox:

[Screenshot: Application_Control_Rulset4.jpg]

    • Finally, deploy the policy to the clients and try to open a web link from within a Textpad document:

You can also select the action to be Block Access instead of Terminate:

[Screenshot: Application_Device_blocked_TP.JPG]

[Screenshot: Application_Device_blocked1.JPG]

For security reasons, you might consider identifying the applications by their checksums rather than by file path, or even by file name: a path or a name can be changed by moving or renaming a file, whereas a checksum identifies the exact binary.

    • Configure the process that should be monitored (Textpad checksum)

[Screenshot: Textpad_checksum1.jpg]

[Screenshot: Textpad_checksum_0.jpg]

    • Next, select the process that should not be launched by the process you're monitoring (Firefox checksum)

[Screenshot: Firefox_checksum_0.jpg]


The driver responsible for Application and Device Control is SysPlant.sys.


Generating the file fingerprint list:

    • Open a command prompt window.
    • Navigate to the directory that contains the file checksum.exe. By default, this file is located in the following location: C:\Program Files\Symantec\Symantec Endpoint Protection
    • Type the following command: checksum.exe outputfile drive
          where outputfile is the name of the text file that will contain the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).
    • The following is an example of the syntax you use: checksum.exe cdrive.txt c:\
          This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.
    • Sample checksum.exe output
          A sample of a checksum.exe output file that was run on a computer image follows. The format of each line is <checksum of the file> <space> <full pathname of the exe or DLL>

          8394abfc1be196a62c9f532511936df7 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\AcroIEHelper.ocx
          95f2fe2432c55862d7436aeba8ee162f c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\pdf.ocx
          12179617805161ee22ceef37699ee4e6 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\Browser\nppdf32.dll
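To make the fingerprint-list format concrete, here is an added Python example (written for this article; it is not Symantec's checksum.exe and does not reproduce that tool) that both produces and consumes a list in the same <checksum> <space> <full path> layout. It assumes the digest is MD5, which matches the 32-hex-digit values in the sample output above; the directory tree, file names and file contents built in run_demo() are constructed for the demonstration. It also shows the point behind preferring checksum conditions: after the bytes of a listed file are replaced, its path and name are unchanged, but the fingerprint no longer matches.

```python
"""Generate and consume a file fingerprint list in the checksum.exe layout
(<md5 hex> <space> <full path>). Added example, not Symantec's tool.
Assumes MD5, consistent with the 32-hex-digit digests in the sample output."""
import hashlib
import os
import tempfile

# Assumed set of fingerprinted file types, matching the "executables and DLLs" wording.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".ocx")


def md5_of_file(path):
    """Hash the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root, extensions=EXECUTABLE_EXTENSIONS):
    """Walk root and return sorted (checksum, full_path) pairs for matching files."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                entries.append((md5_of_file(full), full))
    return sorted(entries, key=lambda e: e[1].lower())


def format_fingerprint_lines(entries):
    """Render entries one per line as '<md5> <path>', the layout shown in the article."""
    return "".join(f"{digest} {path}\n" for digest, path in entries)


def parse_fingerprint_file(text):
    """Parse a fingerprint list into {path: md5}. Paths may contain spaces
    (e.g. 'c:\\Documents and Settings\\...'), so split on the first space only."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        digest, sep, path = line.partition(" ")
        if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"line {lineno}: malformed fingerprint entry: {line!r}")
        table[path] = digest.lower()
    return table


def check_file(path, table):
    """Compare a file on disk against the list: 'match', 'mismatch' or 'unknown'.
    'mismatch' means the binary at a listed path no longer has the fingerprinted
    content, which is exactly what a path- or name-based condition cannot see."""
    expected = table.get(path)
    if expected is None:
        return "unknown"
    return "match" if md5_of_file(path) == expected else "mismatch"


def run_demo():
    """Build a constructed mini drive, fingerprint it, then replace one binary's
    bytes and show that the checksum catches it while the path stays the same."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "Program Files", "Demo App")  # constructed path with a space
        os.makedirs(app_dir)
        exe = os.path.join(app_dir, "textpad.exe")
        dll = os.path.join(app_dir, "helper.dll")
        with open(exe, "wb") as f:
            f.write(b"abc")  # constructed stand-in for an executable
        with open(dll, "wb") as f:
            f.write(b"")  # constructed, empty file
        with open(os.path.join(app_dir, "readme.txt"), "w") as f:
            f.write("not an executable; must be skipped by the walk")

        listing = format_fingerprint_lines(fingerprint_tree(root))
        table = parse_fingerprint_file(listing)
        before = check_file(exe, table)

        # Same path and file name, different bytes.
        with open(exe, "wb") as f:
            f.write(b"abcd")
        after = check_file(exe, table)

        return {
            "line_count": len(listing.splitlines()),
            "exe_digest": table[exe],
            "dll_digest": table[dll],
            "before": before,
            "after": after,
            "unknown": check_file(os.path.join(app_dir, "readme.txt"), table),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run the script directly to see the demo result; in practice you would point fingerprint_tree() at a reference image, keep the list with the policy, and use check_file() to confirm that a binary at an allowlisted path still matches its recorded fingerprint before trusting the path-based view of it.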




Technical Information
This information is extracted from the Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control.  Also see:

  • Configuring application and device control
  • About the structure of an Application and Device Control Policy


Note: The information in this chapter applies only to 32-bit client computers.



Legacy ID: 2007092616264848