How the Application and Device Control Hardening policy works

Article:TECH132307  |  Created: 2010-01-07  |  Updated: 2013-06-25  |  Article URL http://www.symantec.com/docs/TECH132307
Article Type
Technical Solution

Issue

You want to know the locations of the files, folders and registry entries that the Application and Device Control (ADC) hardening policy protects.


Solution

AC1 Rule Set: Protect client files and registry keys

(Rule) > Allow client processes

    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*.exe
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*\*.exe
    • %ProgramFiles%\Symantec\LiveUpdate\LU*.exe
    • %ProgramFiles%\Symantec\LiveUpdate\lsetup.exe
    • %ProgramFiles%\Common Files\Symantec Shared\*.exe
    • %ProgramFiles%\Common Files\Symantec Shared\*\*.exe


(Condition) > AC1-1.1 Client services registry

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccSetMgr\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilRebootDrv\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNAC\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SnacNp\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPBBCDrv\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSP\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPL\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPX\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMREDRV\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMTDI\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPS\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpsHelper\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WGX\*\*

(Condition) > AC1-1.2 Registry access

    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec AntiVirus
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec AntiVirus\*\*
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\*\*

(Condition) > AC1-1.3 File and folder access

    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*\*

(Condition) > AC1-1.4 Client drivers

    • %windir%\system32\drivers\COH_Mon.sys
    • %windir%\system32\drivers\srtsp.sys
    • %windir%\system32\drivers\srtspl.sys
    • %windir%\system32\drivers\srtspx.sys
    • %windir%\system32\drivers\symdns.sys
    • %windir%\system32\drivers\SYMEVENT.SYS
    • %windir%\system32\drivers\symfw.sys
    • %windir%\system32\drivers\symids.sys
    • %windir%\system32\drivers\symndis.sys
    • %windir%\system32\drivers\symndisv.sys
    • %windir%\system32\drivers\symredrv.sys
    • %windir%\system32\drivers\symtdi.sys
    • %windir%\system32\drivers\SysPlant.sys
    • %windir%\system32\drivers\teefer2.sys
    • %windir%\system32\drivers\WGX.SYS
    • %windir%\system32\drivers\WPSDRVnt.sys
    • %windir%\system32\drivers\WpsHelper.sys

(Condition) > AC1-1.5 System files

    • %windir%\system32\s32evnt1.dll
    • %windir%\system32\symneti.dll
    • %windir%\system32\symredir.dll
    • %windir%\system32\sysfer.dll
    • %windir%\system32\symvpn.dll

(Condition) > AC1-1.6 Prevent process termination

    • ccApp.exe
    • ccSvcHst.exe
    • Rtvscan.exe
    • smc.exe
    • smcgui.exe
    • snac.exe
    • SymCorpUI.exe
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*.exe
    • %ProgramFiles%\LiveUpdate\LU*.exe
    • %ProgramFiles%\LiveUpdate\lsetup.exe
    • %ProgramFiles%\Common Files\Symantec Shared\*.exe
    • %ProgramFiles%\Common Files\Symantec Shared\*\*.exe

(Rule) > Protect client files and registry keys

    • *
    • %windir%\system32\services.exe

(Condition) > AC1-2.1 Client services

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccSetMgr\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilRebootDrv\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNAC\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SnacNp\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPBBCDrv\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSP\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPL\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SRTSPX\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMREDRV\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMTDI\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysPlant\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Teefer2\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPS\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpsHelper\*\*
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WGX\*\*

(Condition) > AC1-2.2 Registry access

    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec AntiVirus
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec AntiVirus\*\*
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\*\*

(Condition) > AC1-2.3 File and folder access

    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*\*

(Condition) > AC1-2.4 Client drivers

    • %windir%\system32\drivers\COH_Mon.sys
    • %windir%\system32\drivers\srtsp.sys
    • %windir%\system32\drivers\srtspl.sys
    • %windir%\system32\drivers\srtspx.sys
    • %windir%\system32\drivers\symdns.sys
    • %windir%\system32\drivers\SYMEVENT.SYS
    • %windir%\system32\drivers\symfw.sys
    • %windir%\system32\drivers\symids.sys
    • %windir%\system32\drivers\symndis.sys
    • %windir%\system32\drivers\symndisv.sys
    • %windir%\system32\drivers\symredrv.sys
    • %windir%\system32\drivers\symtdi.sys
    • %windir%\system32\drivers\SysPlant.sys
    • %windir%\system32\drivers\teefer2.sys
    • %windir%\system32\drivers\WGX.SYS
    • %windir%\system32\drivers\WPSDRVnt.sys
    • %windir%\system32\drivers\WpsHelper.sys

(Condition) > AC1-2.5 System files

    • %windir%\system32\s32evnt1.dll
    • %windir%\system32\symneti.dll
    • %windir%\system32\symredir.dll
    • %windir%\system32\sysfer.dll
    • %windir%\system32\symvpn.dll

(Condition) > AC1-2.6 Prevent process termination

    • ccApp.exe
    • ccSvcHst.exe
    • Rtvscan.exe
    • smc.exe
    • smcgui.exe
    • snac.exe
    • SymCorpUI.exe
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*.exe
    • %ProgramFiles%\LiveUpdate\LU*.exe
    • %ProgramFiles%\LiveUpdate\lsetup.exe
    • %ProgramFiles%\Common Files\Symantec Shared\*.exe
    • %ProgramFiles%\Common Files\Symantec Shared\*\*.exe


AC7-1 Rule Set: Blocks modifications to hosts file

(Rule) > Block modifications to hosts file

    • *


(Condition) > AC7-1.1 Block etc hosts file modifications

    • %windir%\system32\drivers\etc\hosts


AC10-1 Rule Set: Blocks Access to Windows AutoPlay

(Rule) > Symantec Applications

    • rtvscan.exe
    • *\*\*\Symantec*\*\*


(Condition) > AC10-1.1 Autorun.inf

    • *\*\*\Autorun.inf


(Rule) > All Applications

    • * (enable drive types)


(Condition) > AC10-2.1 Autorun.inf

    • *\*\*\Autorun.inf (enable drive types)


AC13 Rule Set: Prevent changes to Windows shell load points (IPS)

(Rule) > Registry Classes

(Condition) > AC13-1.1 Protect SHELL ASSOCIATIONS

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\


AC14 Rule Set: Prevent changes to system using Internet Explorer (IPS)

(Rule) > Internet Explorer Protection

    • iexplore.exe
    • firefox.exe
    Note: applies to processes matching iexplore.exe and firefox.exe

(Condition) > AC14-1.1 Block writing to system folders

    • %windir%*\*
    • %programfiles%*\*
    Excluded files and folders
    • *\*softwaredistribution*
    • *\*softwaredistribution*\*\*
    • *\*windowsupdate*
    • *\*windowsupdate*\*\*
    • %windir%\profile*\*\*


(Condition) > AC14-1.2 Allow IE to launch system process

    • %windir%*\*
    • %programfiles%*\*
    Excluded processes
    • *script*.exe
    • telnet.exe
    • mshta.exe
    • cmd.exe
    • ftp.exe
    • rundll32.exe
    • reg.exe
    • at.exe


(Condition) > AC14-1.3 Block IE from launching other processes

    • *


(Condition) > AC14-1.4 Allow IE to load system DLLs

    • %windir%*\*
    • %programfiles%*\*

(Condition) > AC14-1.5 Block IE from loading other DLLs

    • *



AC16 Rule Set: Prevent registration of new Browser Helper Objects (IPS)

(Rule) > Prevent registration of new Browser Helper Objects

    • *

(Condition) > AC16-1.1 Prevent registration of new Browser Helper Objects

    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*\*


AC17 Rule Set: Prevent registration of new Toolbars (IPS)

(Rule) > Prevent registration of new Toolbars

    • *

(Condition) > AC17-1.1 Prevent registration of new Toolbars

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\*\*


AC19 Rule Set: Prevent vulnerable Windows processes from writing code

(Rule) > Windows processes protection

    • lsass.exe
    • spoolsv.exe
    • csrss.exe
    • smss.exe


(Condition) > AC19-1.1 Block writing code (applies to files and folders matching)

    • *.exe
    • *.dll
    • *.com
    • *.ocx
    • *.bat
    • *.cmd


AC20 Rule Set: Protect against Adobe Acrobat Vulnerabilities

(Rule) > Acrobat vulnerability protection

    • acrord*.exe
    • acrobat*.exe
    Excluded processes
    • *update*.exe
    • AdobeARM.exe


(Condition) > AC20-1.1 Prevent code creation

    • *.exe
    • *.dll
    • *.com
    • *.ocx
    • *.bat


(Condition) > AC20-1.2 Prevent process launching

    • *
    Excluded processes
    • *update*.exe
    • AdobeARM.exe



Legacy ID

2010050710072448