How to Block Known Virus Executables that run from %UserProfile% using Application and Device Control

Article:TECH131741  |  Created: 2010-01-15  |  Updated: 2012-04-02  |  Article URL http://www.symantec.com/docs/TECH131741
Article Type: Technical Solution

Issue

How to configure Symantec Endpoint Protection to block applications on managed Symantec Endpoint Protection clients using Application and Device Control.

 


Cause

Control a virus outbreak in a network environment.


Solution

Many current threats launch their files from the "C:\Documents and Settings\%UserProfile%\Local Settings\Application Data" location.
It is easier to allow a few known executables than to block each new threat as it is detected.

Choose the most suitable option:
Option 1: To block all [exe] files from %UserProfile% and allow known [exe] files, follow the steps listed in Part 1 and Part 2.
Option 2: To block only known [exe] files from %UserProfile%, follow the steps listed in Part 1 only and modify Step 9 by typing the name of the file to be blocked. For example, if the file name is FakeAv.exe, use the string %UserProfile%\*\FakeAv.exe

Consider selecting Option 1 if the threat is capable of mutation.

Warning:
If selecting Option 1, test first by deploying the new policy to a machine in a test Machine Group. Verify that your legitimate applications are not prevented from functioning before the policy reaches the production environment. An application might use the UserProfile Temp folder to launch some of its executables.


Configuring the policy.
Part 1: Blocking all Exe's from %UserProfile%
Part 2: Excluding or allowing genuine or legitimate Exe's from %userprofile%

Requirements:
1. Managed SEP 11.0 client with Proactive Threat Protection and Network Threat Protection.


Part 1: Blocking all [exe] files from %userprofile%
Refer to the screenshot.
Log in to the SEPM console and open the Application and Device Control policy. Edit an existing policy or create a new one.

Step 1: Log in to the Symantec Endpoint Protection Manager console and click on the Policies tab.
Step 2: Click on Application and Device Control.
Step 3: Edit the existing policy, or add a new policy by right-clicking.

Step 4: Click on Application Control.
Step 5: Check Block application from running.
Step 6: Click Edit.
Step 7: Click on Block these applications.
Step 8: Click on Add.
Step 9: Type %UserProfile%\*\*.exe in the text box. (This means any exe found in any folder under %UserProfile%.)
Step 10: Click on Ok.



Part 2: Excluding or allowing genuine or legitimate Exe's from %userprofile%

Step 11: Click Add.
Step 12: Type the name of the genuine application. For example, %userprofile%\*\notepad.exe
Step 13: Click Ok.
Step 14: Click Ok.
Step 15: Click Ok. An existing policy edited in Step 3 will be applied to its Machine Group(s) with the changes. An added policy will generate the prompt: "Would you like to assign this policy?" Click Yes and select the appropriate Machine Group(s).
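The rules above are typed into the SEPM dialog, but it helps to rehearse what they will match before the policy is assigned to a group. The following Python script is an added example, not Symantec's code and not part of this article: it models the Part 1 block rule %UserProfile%\*\*.exe (or the Option 2 variant %UserProfile%\*\FakeAv.exe) together with the Part 2 exception %userprofile%\*\notepad.exe, against a constructed profile path and constructed file paths. The wildcard semantics it uses are assumptions made for the model, not taken from the article: "*" matches any run of characters including backslashes, matching is case-insensitive, and an exception rule takes precedence over a block rule. Confirm the real behaviour on a machine in the test Machine Group, as the Warning above advises.

```python
import os
import re

# Constructed sample profile path for the offline model; on a real test
# machine scan_profile() reads %USERPROFILE% from the environment instead.
SAMPLE_PROFILE = r"C:\Documents and Settings\jdoe"

# Rules exactly as the article has you type them into the SEPM dialogs.
BLOCK_RULES = [r"%UserProfile%\*\*.exe"]          # Part 1, Step 9
ALLOW_RULES = [r"%userprofile%\*\notepad.exe"]    # Part 2, Step 12

# Constructed file paths used to exercise the rules.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\jdoe\Local Settings\Application Data\FakeAv.exe",
    r"C:\Documents and Settings\jdoe\Local Settings\Temp\notepad.exe",
    r"C:\Documents and Settings\jdoe\Desktop\installer.exe",
    r"C:\Documents and Settings\jdoe\Local Settings\Application Data\update.exe.txt",
    r"C:\Windows\notepad.exe",
    r"C:\Documents and Settings\jdoe\root.exe",
]


def rule_to_regex(rule, profile):
    """Compile an Application Control path pattern into a regex.

    Assumed semantics (not from the article): '*' matches any run of
    characters, backslashes included; matching is case-insensitive as on
    an NTFS volume; only the %UserProfile% token is expanded.
    """
    expanded = re.sub(r"%userprofile%", lambda m: profile, rule,
                      flags=re.IGNORECASE)
    literal_parts = [re.escape(part) for part in expanded.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def evaluate(path, block_rules=BLOCK_RULES, allow_rules=ALLOW_RULES,
             profile=SAMPLE_PROFILE):
    """Return 'allow' or 'block' for one executable path.

    Assumption: an exception (Part 2) rule wins over a block (Part 1) rule.
    Anything matched by neither list is allowed.
    """
    for rule in allow_rules:
        if rule_to_regex(rule, profile).match(path):
            return "allow"
    for rule in block_rules:
        if rule_to_regex(rule, profile).match(path):
            return "block"
    return "allow"


def classify(paths, block_rules=BLOCK_RULES, allow_rules=ALLOW_RULES,
             profile=SAMPLE_PROFILE):
    """Map each path to its verdict under the given rule lists."""
    return {p: evaluate(p, block_rules, allow_rules, profile) for p in paths}


def scan_profile(profile=None, block_rules=BLOCK_RULES, allow_rules=ALLOW_RULES):
    """Walk a real profile directory and report which .exe files the rules
    would block. Run this on the test machine to find legitimate programs
    that need a Part 2 exception before the policy goes to production."""
    profile = profile or os.environ.get("USERPROFILE", SAMPLE_PROFILE)
    found = []
    for root, _dirs, files in os.walk(profile):
        for name in files:
            if name.lower().endswith(".exe"):
                found.append(os.path.join(root, name))
    return classify(found, block_rules, allow_rules, profile)


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:5}  {path}")
```

scan_profile() lists every executable under the live %UserProfile% of the test machine with the verdict the modelled rules give it, which is a quick way to assemble the Part 2 exception list. One consequence of the assumed semantics worth checking against the real product: an executable sitting directly in the profile root, with no folder in between, is not matched by %UserProfile%\*\*.exe, because the pattern requires a backslash between the two wildcards.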





Note: To apply this policy to an unmanaged client, create a test Machine Group and assign the policy to that group. Export an unmanaged client package that includes the policies of the group. In addition, review the LiveUpdate policy for the test group.
 



Legacy ID



2010041522100248

