How to configure System Lockdown in Symantec Endpoint Protection 11.0

Article:TECH102526  |  Created: 2007-01-26  |  Updated: 2010-08-16  |  Article URL
Article Type
Technical Solution



You would like to know how to configure System Lockdown



System Lockdown

System Lockdown allows administrators to tightly control which applications users running the SEP Client can execute. The approved applications are contained in a so-called fingerprint list which contains checksums and locations of all applications that are approved for use.

Implementing System Lockdown is a two step process. First, a fingerprint list needs to be created, and then this fingerprint list needs to be imported into the Symantec Endpoint Protection Manager for use in Client Policies.

To generate the file fingerprint list, a tool is included in the Symantec Endpoint Protection Client installation. We recommend to create a software image that includes all of the applications you want users to be able to use on their computers, and to use this image to create a file fingerprint list.

Generating the file fingerprint list:


    • Open a command prompt window.
    • Navigate to the directory that contains the file checksum.exe. By default, this file is located in the following location: C:\Program Files\Symantec\Symantec Endpoint Protection
    • Type the following command: checksum.exe outputfile drive
          where outputfile is the name of the text file that contains the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).
    • The following is an example of the syntax you use: checksum.exe cdrive.txt c:\
          This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.
    • Sample checksum.exe output
          A sample of a checksum.exe output file that was run on a computer image follows. The format of each line is <checksum of the file> <space> <full pathname of the exe or DLL>.
          8394abfc1be196a62c9f532511936df7 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\AcroIEHelper.ocx
          95f2fe2432c55862d7436aeba8ee162f c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\pdf.ocx
          12179617805161ee22ceef37699ee4e6 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\Browser\nppdf32.dll

Configuring System Lockdown in SEPM

    • Import the fingerprint list
    • In Policies, expand Policy Components and select File Fingerprint Lists:



    • Click on Add a File Fingerprint List and browse to the location of the desired file.
    • Navigate to the group you want to apply System Lockdown to:



    • Select System Lockdown, take note of the recommended steps. Select Step 1 and click Add in Approved Applications:



    • Select the fingerprint list imported earlier:



To complete the implementation Symantec recommends that you implement system lockdown in these stages:

    • Log unapproved applications: Enable system lockdown by logging applications not included in the file fingerprint list. You can then adjust your file fingerprint to include applications required by users or give them appropriate warning before blocking unapproved applications.
    • Add allowed applications: Add executables that you want to be allowed even if they are not in the file fingerprint.
    • Enable system lockdown: Enforce system lockdown and block unapproved applications.


Legacy ID


Article URL

Terms of use for this information are found in Legal Notices