Frequently asked questions about Symantec Critical System Protection 4.5 policies

Article:TECH112762  |  Created: 2005-01-10  |  Updated: 2007-01-18  |  Article URL http://www.symantec.com/docs/TECH112762
Article Type
Technical Solution


Issue



This document provides answers to frequently asked questions about Symantec Critical System Protection (Symantec CSP) 4.5 policies.


Solution



Questions about applying policies

Explanation of the "Do you wish to retain your current option settings for XXX?" question when applying a new policy
When you apply a new policy to an agent or group that already has a policy, you see the question "Do you wish to retain your current option settings for XXX?" Here is an explanation of each of your choices at this prompt.
  • "Retain current option settings" keeps the current policy settings and applies only those options or parameters from the new policy that do not exist in the current policy. This option does not change existing options or parameters in the current policy. This option is often appropriate when you assign a new revision of a policy to an agent or group that already has a previous revision of the same policy.
  • "Merge the changed options" keeps the current policy settings, but applies all changes that are contained in the new policy. If you customized a policy, your customizations are retained. In many circumstances, this is the most appropriate choice.
  • "Take the new option settings" discards the current policy and applies the new policy. This option is often appropriate when you assign a different policy to an agent or group than the one it currently has.
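The following is an added illustration of the three choices, not Symantec CSP code. It models a policy as a flat dictionary of option name to value and shows which options end up on the agent under each choice. The option names and values are constructed, and reading "Merge the changed options" as a three-way merge (compare the new revision against the revision the current settings were derived from, and apply only what actually changed) is an assumption about the prompt's behaviour that the article does not spell out.

```python
"""Model of the three answers to "retain your current option settings?"

Added example, not Symantec CSP code.  A policy is modelled as a flat
dict of option name -> value.  Option names below are constructed, and the
three-way reading of "Merge the changed options" is an assumption.
"""
from typing import Any, Dict

Policy = Dict[str, Any]


def retain_current(current: Policy, new: Policy) -> Policy:
    """'Retain current option settings': keep every existing option and add
    only the options that the current policy does not have yet."""
    merged = dict(current)
    for name, value in new.items():
        merged.setdefault(name, value)
    return merged


def merge_changed(base: Policy, current: Policy, new: Policy) -> Policy:
    """'Merge the changed options' (assumed three-way semantics): keep the
    current settings, but apply every option that the new revision changed
    or added relative to the base revision the current settings came from.
    Options the administrator customized and the new revision left alone
    are preserved; options the new revision dropped are removed."""
    merged = dict(current)
    for name, new_value in new.items():
        if name not in base or base[name] != new_value:
            merged[name] = new_value  # changed or added by the new revision
    for name in base:
        if name not in new:
            merged.pop(name, None)  # removed by the new revision
    return merged


def take_new(current: Policy, new: Policy) -> Policy:
    """'Take the new option settings': discard the current options."""
    return dict(new)


# Constructed scenario: revision 1 as shipped, the administrator's customized
# copy of it, and revision 2 of the same policy.
BASE: Policy = {
    "disable_prevention": False,      # the global log-only switch
    "protect_csp_resources": True,
    "max_log_size_mb": 10,
    "permitted_programs": ["notepad.exe"],
}
CURRENT: Policy = {
    "disable_prevention": True,       # admin left the agent in log-only mode
    "protect_csp_resources": True,
    "max_log_size_mb": 50,            # customized
    "permitted_programs": ["notepad.exe", "mytool.exe"],  # customized
}
NEW: Policy = {
    "disable_prevention": False,
    "protect_csp_resources": True,
    "max_log_size_mb": 20,            # changed in revision 2
    "permitted_programs": ["notepad.exe"],
    "block_removable_media": True,    # new option in revision 2
}


def compare_choices(base: Policy, current: Policy, new: Policy) -> Dict[str, Policy]:
    """Return what each of the three choices would leave on the agent."""
    return {
        "retain": retain_current(current, new),
        "merge": merge_changed(base, current, new),
        "take_new": take_new(current, new),
    }


if __name__ == "__main__":
    for choice, result in compare_choices(BASE, CURRENT, NEW).items():
        print(f"{choice:9s} -> {result}")
```

Note that "Retain" and "Merge" both keep the customized `disable_prevention` value, so an agent that was left in log-only mode for testing stays in log-only mode after either choice; only "Take the new option settings" resets it to the new policy's value. Checking the Disable Prevention option after applying a policy is therefore worthwhile whichever answer you gave.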

For more information, read the "Updating policies" section on page 62 in the Symantec Critical System Protection 4.5 Administrator's Guide.

When I apply a software upgrade to an application, do I have to revise the policies for the application?
Usually, it is not necessary to revise a policy after applying a software upgrade. Software upgrades normally do not affect the activities and resources that are protected by a policy's behavior controls. This is because upgrades do not typically change the patterns for how system resources are accessed during normal operation. For example, the files and directories that are accessed by an application typically remain the same from one release to the next release, regardless of changes in how the application manipulates the data.

As part of the normal testing process, however, Symantec recommends that you run the existing Symantec CSP policy on the upgraded application before putting the upgrade into production.

When I upgrade the operating system to a new version, do I have to revise the policies for the operating system?
When you upgrade an operating system (OS) to a new version, such as from Windows 2000 to Windows 2003, it is necessary to reapply the policy so that the policy uses settings that are appropriate for the new version of the OS. In most cases, Symantec CSP does not need to re-learn typical system behavior. Reapplying the policy accounts for differences between the OS versions.

As part of the normal testing process, however, Symantec recommends that you run the Symantec CSP policy on the upgraded OS before putting the upgrade into production.

How can I ensure that policies do not block critical functions?
To ensure that policies do not block critical functions, run the policy in log-only mode first. Use the log-only mode to test various policy changes. After you apply the policy in log-only mode and each time that you make a change to the policy options, look at the events in the Event Monitor to determine which types of events you want to block, and adjust the policy options accordingly.

To apply log-only mode for testing, enable the global Disable Prevention option in each policy. This option is the same option as the Disable Prevention prompt that you see when you create a new policy and when you apply a policy to an agent.

After you use the log-only mode in your test environment to adjust the policy options, you can use the log-only mode to incrementally deploy protection mode. For instance, you can put the core operating system services, such as DFS, DNS, and others, in prevention, and leave all other policies in log-only mode. After you confirm that critical functions are not blocked, you can put another set of services in prevention. Policies have check boxes and lists for easy enabling and disabling of specific options.
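The staged rollout described above can be driven from the log-only events themselves. The script below is an added example, not Symantec CSP code: the event lines are constructed, and their field layout (timestamp, agent, process, action, resource, outcome) and the `would_deny` outcome are assumptions rather than the Event Monitor's real export format. The registry path for the Symantec CSP key is a placeholder. It groups the actions that prevention mode would have blocked by process, and reports a service group as ready for prevention only when every such action for that group has been reviewed and marked acceptable to block.

```python
"""Triage of log-only events to stage service groups into prevention mode.

Added example, not Symantec CSP code.  The event lines and their layout
are constructed assumptions, not the real Event Monitor export format.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed events from an agent running with Disable Prevention enabled.
# outcome "would_deny" = the policy logged the action instead of blocking it.
SAMPLE_EVENTS = """\
timestamp,agent,process,action,resource,outcome
2005-06-10T10:02:44,host1,dns.exe,file_write,C:\\WINDOWS\\system32\\dns\\cache.dns,allow
2005-06-10T10:02:51,host1,dns.exe,file_write,C:\\WINDOWS\\system32\\drivers\\etc\\hosts,would_deny
2005-06-10T10:03:10,host1,dfssvc.exe,registry_write,HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dfs,allow
2005-06-10T10:03:30,host1,inetinfo.exe,file_write,C:\\WINDOWS\\system32\\cmd.exe,would_deny
2005-06-10T10:04:02,host1,inetinfo.exe,network_listen,tcp/80,allow
2005-06-10T10:04:40,host1,cqmghost.exe,registry_write,HKLM\\SOFTWARE\\<SymantecCSP-key-placeholder>,would_deny
"""

# Processes that make up each service group the administrator wants to stage
# (constructed grouping; the article names DFS and DNS as core services).
SERVICE_GROUPS: Dict[str, Set[str]] = {
    "DNS": {"dns.exe"},
    "DFS": {"dfssvc.exe"},
    "IIS": {"inetinfo.exe"},
    "Management agents": {"cqmghost.exe"},
}

# Would-deny events the administrator has reviewed and confirmed may be
# blocked without breaking a critical function: (process, action, resource).
ACCEPTED_TO_BLOCK: Set[Tuple[str, str, str]] = {
    ("dns.exe", "file_write", "C:\\WINDOWS\\system32\\drivers\\etc\\hosts"),
}

Event = Dict[str, str]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed CSV export into one dict per event."""
    return list(csv.DictReader(StringIO(text)))


def would_deny_by_process(events: List[Event]) -> Dict[str, List[Tuple[str, str]]]:
    """Group the (action, resource) pairs that prevention mode would have
    blocked, keyed by the process that performed them."""
    out: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for e in events:
        if e["outcome"] == "would_deny":
            out[e["process"]].append((e["action"], e["resource"]))
    return dict(out)


def plan_rollout(
    events: List[Event],
    groups: Dict[str, Set[str]],
    accepted: Set[Tuple[str, str, str]],
) -> Tuple[List[str], Dict[str, List[Tuple[str, str, str]]]]:
    """Return (ready, hold).

    ready: service groups whose every would-deny event has been reviewed and
           accepted, so they can be moved into prevention.
    hold:  groups with unreviewed would-deny events, mapped to those events;
           they stay in log-only mode until the policy option is adjusted or
           the event is accepted.
    """
    pending = would_deny_by_process(events)
    ready: List[str] = []
    hold: Dict[str, List[Tuple[str, str, str]]] = {}
    for group, procs in groups.items():
        unreviewed = [
            (p, a, r)
            for p in sorted(procs)
            for (a, r) in pending.get(p, [])
            if (p, a, r) not in accepted
        ]
        if unreviewed:
            hold[group] = unreviewed
        else:
            ready.append(group)
    return ready, hold


if __name__ == "__main__":
    ready, hold = plan_rollout(parse_events(SAMPLE_EVENTS), SERVICE_GROUPS, ACCEPTED_TO_BLOCK)
    print("ready for prevention:", ready)
    for group, items in hold.items():
        print(f"keep {group} in log-only; unreviewed would-deny events:")
        for proc, action, resource in items:
            print(f"  {proc} {action} {resource}")
```

Run against the constructed events, DNS and DFS come out ready (DFS produced no would-deny events at all, and the one DNS event was reviewed), while IIS and the management agent group stay in log-only mode until their unreviewed events are either accepted or handled by a policy option change such as the configuration-tool privileges the article mentions later.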

For more information, read the "About verifying policies" section on page 60 in the Symantec Critical System Protection 4.5 Administrator's Guide.

When I use Microsoft Group Policy Objects (GPO), what takes precedence over a Windows policy, the Symantec CSP policies or the GPO?
Because Symantec CSP functions at a lower level than GPO, Symantec CSP takes precedence. For instance, if GPO opens a Windows policy and that policy is blocked by a Symantec CSP policy, then the Windows policy is blocked.

Symantec CSP does not have options or tools for correlating Windows policies between GPO and Symantec CSP. When you use Microsoft Windows policies, a good general rule is to use Symantec CSP for process level controls and to use GPO for user level controls. You can also use Symantec CSP user level controls to set additional restrictions, such as to de-escalate the privilege level from administrator or root, or to control specific user and process interactions.


Questions about problems after applying policies

Why can't I use the agent configuration tool after applying a protection policy?
After you apply a Windows prevention policy, you find that you cannot run the Agent Configuration command line tool. This situation happens because the default policy settings include protection against processes that modify Symantec Critical System Protection resources.

You can configure the policies to enable access for this tool. For more information, read the "Giving privileges to run the configuration tools" section in Appendix B, "Customizing Windows prevention policies," in the Symantec Critical System Protection 4.5 Administrator's Guide.

I applied the Limited Execution policy and now I don't have access to anything. What can I do?
This policy is suitable for dedicated workstations that use a very small set of applications. By default, the Windows Limited Execution Protection policy permits only a limited set of interactive programs to run. It blocks execution of all interactive applications except for those that are explicitly listed by the administrator.

To regain access to applications that are blocked, open the management console and apply a different policy, or add those applications to the Permitted List for the Limited Execution policy.

Some programs such as cqmghost.exe try to write to the Symantec CSP registry key. Why does Symantec CSP deny this action?
Symantec CSP denies write access to management services, such as cqmghost.exe and Microsoft Systems Management Server (SMS), in order to prevent Symantec CSP from being compromised.


Other questions

How often does Symantec issue updated policies? How are they distributed?
As of the initial release of Symantec CSP 4.5, no updated policies are available. However, unlike signature-based protection, Symantec CSP 4.5 does not require new policy updates in order to be effective. Most policy updates typically include additional options that are requested by customers to make policy enforcement and management easier.

How do policy updates compare to anti-virus signature updates?
Anti-virus programs that rely solely on signature updates cannot provide protection from a virus until the virus is created and the virus's signature is available. Until the signature update is applied, the anti-virus program cannot detect the virus and cannot provide protection against it.

In contrast, Symantec CSP provides more effective protection by blocking unusual activity well before the signature is available. Symantec CSP provides protection from unusual activity regardless of whether a virus or virus signature yet exists for that activity. After the virus is created, policy updates provide additional protections and management capabilities that are specific to the virus.

For instance, before a particular virus is created, the initial Symantec CSP installation may protect against four out of five steps of the potential payload of that virus. After the virus is released and you apply a policy update that further restricts activity, Symantec CSP may, for instance, also stop the fifth step of that virus's payload, identify the virus, and report on the virus's activity.

Policy updates increase protection incrementally by refining policy rules, adding new controls to improve security, and adding new features. New controls are typically designed to restrict a previously allowed activity or to further restrict an already restricted activity. New features may include, for instance, new policy options that security administrators can choose in the management console. These changes increase the level of protection for the affected processes.



References
Frequently asked questions about Symantec Critical System Protection 4.5
Frequently asked questions about Symantec Critical System Protection 4.5 installation
Frequently asked questions about how Symantec Critical System Protection 4.5 protects your computer
Frequently asked questions about configuring Symantec Critical System Protection 4.5 for upgrades to other products




Legacy ID
2005061010244953

