Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies

Article: TECH145973  |  Created: 2010-12-10  |  Updated: 2014-11-05  |  Article URL http://www.symantec.com/docs/TECH145973
Article Type: Technical Solution


Issue



What are Symantec's recommendations for using Symantec Endpoint Protection's (SEP) Application and Device Control (ADC) policies?  How can ADC best be put into use?  What practices should be avoided?


Solution



An Application and Device Control Policy is a powerful tool that lets you create custom enforcement policies for your environment.  Chapter 32 "Configuring application and device control"  and Chapter 33 "Customizing Application and Device Control Policies" of the Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control cover ADC in depth.
 

Warnings 

Application and Device Control configuration errors can disable a computer or a server. The client computer can fail, or its communication with the Symantec Endpoint Protection Manager can be blocked, when you implement an Application and Device Control Policy.

Application and Device Control is an advanced security feature that only experienced administrators should configure.

Known Limitations of ADC

  1. In SEP 11, Application and Device Control functions only on 32-bit operating systems; ADC is not available on 64-bit computers running SEP 11. In SEP 12.1, both 32-bit and 64-bit operating systems are supported.
  2. ADC cannot block burning to CD/DVD drives, though a workaround may be possible.
  3. ADC cannot block files accessed via NetBIOS.
  4. In SEP 11, ADC shares drivers with Network Threat Protection (NTP), SEP's firewall component.  ADC will only function if the NTP component is also installed.


 

ADC and Threat Outbreaks

Symantec Security Response has developed ADC policies to protect against the activities associated with certain specific threats. These policies are useful in reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.  Administrators combating an outbreak can download, import, and distribute these policies as an additional protective measure.  These policies, in .dat format, are referenced in the threat write-ups for W32.Sality.AE, W32.Imsolk.B@mm, W32.Virut.CF, Trojan.Pidief.E, W32.Changeup.C, W32.Qakbot and more.

Please note that these ADC policies are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.  After the threat has been eradicated, these policies should be withdrawn from use.

It is also possible to use ADC to limit the spread of threats for which Symantec does not yet have antivirus signatures.  If the MD5 hash (which uniquely identifies the file's contents) of the suspicious file is known, a policy can be created to block that MD5.  For full details please see How to use Application and Device Control to limit the spread of a threat.

Configuring ADC

Rule sets consist of rules and their conditions. A rule is a set of conditions and actions that apply to a given process or processes. A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task.

You can create multiple rules and add them to a single application control rule set. Create as many rules and as many rule sets as you need to implement the protection you want, but be aware that serious performance issues arise from the use of rule sets of excessive length.

Application control rules work similarly to most network-based firewall rules in that both use first-match evaluation. When the conditions of several rules are true, only the topmost matching rule is applied, unless the action configured for that rule is Continue processing other rules.  You should consider the order of the rules and their conditions when you configure them to avoid unexpected consequences.

When you apply a condition to all entities in a particular folder, a best practice is to use folder_name\* or folder_name\*\*. One asterisk includes all the files and folders in the named folder. Use folder_name\*\* to include every file and folder in the named folder plus every file and folder in every subfolder.
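The following Python model is an added illustration, not code from the article or from SEP itself. It ties together three points made above: first-match evaluation with a Continue action, the one-level `folder_name\*` versus recursive `folder_name\*\*` folder conditions, and blocking a file by its MD5. The rule representation (`Rule`, `evaluate`, `path_matches`, `md5_of`), the process and path names, and the sample hash are all constructed here and are not SEP's policy format or API.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Actions modelled on the ADC actions the article names. CONTINUE stands for
# "Continue processing other rules": the rule matches but does not decide.
ALLOW, BLOCK, CONTINUE = "allow", "block", "continue"


def path_matches(pattern: str, path: str) -> bool:
    """Match a Windows path against a folder condition written the way the
    article recommends:

      folder\\*   every file and folder directly inside folder (one level)
      folder\\**  every file and folder at any depth below folder

    Comparison is case-insensitive, as Windows paths are.
    """
    pattern, path = pattern.lower(), path.lower()
    if pattern.endswith("\\**"):
        return path.startswith(pattern[:-2])
    if pattern.endswith("\\*"):
        base = pattern[:-1]
        remainder = path[len(base):]
        return path.startswith(base) and "\\" not in remainder
    return pattern == path


def md5_of(data: bytes) -> str:
    """Hex MD5 digest, the identifier the article says a policy can block."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Rule:
    name: str
    action: str                                  # ALLOW, BLOCK or CONTINUE
    applies_to: str = "*"                        # process image name (glob) the rule governs
    file_patterns: List[str] = field(default_factory=list)  # target-path conditions
    blocked_md5s: Set[str] = field(default_factory=set)     # hash conditions

    def matches(self, process: str, target: str, target_md5: Optional[str]) -> bool:
        """Every configured condition must hold for the rule to match."""
        if not fnmatch.fnmatch(process.lower(), self.applies_to.lower()):
            return False
        if self.file_patterns and not any(path_matches(p, target) for p in self.file_patterns):
            return False
        if self.blocked_md5s and target_md5 not in self.blocked_md5s:
            return False
        return True


def evaluate(rules: List[Rule], process: str, target: str,
             target_md5: Optional[str] = None, default: str = ALLOW) -> Tuple[str, List[str]]:
    """First-match evaluation: the first matching rule decides, unless its
    action is CONTINUE, in which case later rules are still consulted.
    Returns the decision and the names of every rule that matched."""
    trail: List[str] = []
    for rule in rules:
        if not rule.matches(process, target, target_md5):
            continue
        trail.append(rule.name)
        if rule.action != CONTINUE:
            return rule.action, trail
    return default, trail


# Constructed sample: the MD5 of a made-up file stands in for an indicator
# taken from a threat write-up, and the rule set is invented for the demo.
BAD_FILE_MD5 = md5_of(b"constructed sample of a suspicious file")

RULES = [
    Rule("Monitor C:\\Temp", CONTINUE, file_patterns=["C:\\Temp\\**"]),
    Rule("Block known-bad hash", BLOCK, blocked_md5s={BAD_FILE_MD5}),
    Rule("Allow updater into its own folder", ALLOW, applies_to="updater.exe",
         file_patterns=["C:\\Program Files\\App\\*"]),
    Rule("Block writes under Program Files", BLOCK,
         file_patterns=["C:\\Program Files\\**"]),
]

# The same rules with the two Program Files rules swapped: the broad block now
# sits above the narrow allow, so the allow can never fire.
MISORDERED = [RULES[0], RULES[1], RULES[3], RULES[2]]


if __name__ == "__main__":
    for proc, path, digest in [
        ("updater.exe", "C:\\Program Files\\App\\bin.dll", None),
        ("updater.exe", "C:\\Program Files\\App\\sub\\bin.dll", None),
        ("winword.exe", "C:\\Temp\\report.docx", None),
        ("winword.exe", "C:\\Temp\\dropper.exe", BAD_FILE_MD5),
    ]:
        print(proc, path, evaluate(RULES, proc, path, digest))
    print("misordered:", evaluate(MISORDERED, "updater.exe", "C:\\Program Files\\App\\bin.dll"))
```

Running the block shows the ordering problem the article warns about: with the rules in `RULES` order the updater may write into `C:\Program Files\App\` but not into a subfolder of it (the one-asterisk condition stops at one level), while in `MISORDERED` the broad block rule matches first and the allow rule is never reached. The Continue rule on `C:\Temp` appears in the trail but leaves the decision to the rules below it, which is how a monitoring rule can sit above enforcing rules without short-circuiting them.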

Note: A best practice is to use the Block access action to prevent a condition rather than the Terminate process action. Terminate process kills the application that made the request. The Terminate process action should be used only in advanced configurations.

Note: When creating rules and conditions, remember that matching with complex regular expression ("regex") queries may be much more CPU-intensive than plain string matching.

Recommended Limits

While there are no hard-coded limits on the number of conditions in a policy, performance will be seriously impacted if policies are configured in an overly complex manner. Please abide by the recommended limits below.

  1. Number of DeviceIDs that can be added manually to Hardware Devices in the Policy Components:
    Symantec Technical Support does not recommend configuring a value greater than 1000.

  2. Number of excluded devices in a Device Control policy:
    Symantec Technical Support does not recommend configuring a value greater than 1000.

  3. Number of Rule Sets in an Application Control policy:
    Symantec Technical Support does not recommend configuring a value greater than 200.

  4. Number of Rules in a Rule Set in an Application Control policy:
    Symantec Technical Support does not recommend configuring a value greater than 200.

  5. Number of Conditions in a Rule:
    Symantec Technical Support does not recommend configuring a value greater than 200.

  6. Number of entries in a single condition (for example, the files and folders listed in a "File and Folder Access" condition as ones the rule does or does not apply to):
    Symantec Technical Support does not recommend configuring a value greater than 200.

If the Application Control rule sets or conditions are very large, they will cause several performance problems:

  1. The SEP client will take longer to load.
  2. The SEP client will take longer to switch locations.
  3. The SEP client will start to consume more memory.
  4. If there is an exceptionally large list, SEP's ADC component may even start to slow down other applications.
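A small lint script makes the recommended limits above easy to apply before a policy is pushed to clients. It is an added example, not a Symantec tool, and it walks a constructed dictionary layout (`rule_sets` containing `rules` containing `conditions` with `entries`) rather than SEP's own exported policy format; the sample policy, rule names and paths are made up for the demonstration.

```python
from typing import Dict, List

# Recommended limits quoted in the article (they are recommendations, not
# limits the product enforces).
LIMITS = {
    "hardware_device_ids": 1000,   # DeviceIDs added manually to Hardware Devices
    "excluded_devices": 1000,      # excluded devices in a Device Control policy
    "rule_sets": 200,              # rule sets per Application Control policy
    "rules_per_rule_set": 200,
    "conditions_per_rule": 200,
    "entries_per_condition": 200,  # e.g. paths listed in a File and Folder Access condition
}


def check_policy(policy: Dict) -> List[str]:
    """Walk a policy in the constructed dict layout described in the lead-in
    and return one finding per place where a count exceeds its limit."""
    findings: List[str] = []

    def over(what: str, count: int, limit_key: str) -> None:
        limit = LIMITS[limit_key]
        if count > limit:
            findings.append(f"{what}: {count} exceeds recommended limit of {limit}")

    over("hardware device IDs", len(policy.get("hardware_device_ids", [])), "hardware_device_ids")
    over("excluded devices", len(policy.get("excluded_devices", [])), "excluded_devices")

    rule_sets = policy.get("rule_sets", [])
    over("rule sets", len(rule_sets), "rule_sets")
    for rs in rule_sets:
        rules = rs.get("rules", [])
        over(f"rule set '{rs['name']}' rules", len(rules), "rules_per_rule_set")
        for rule in rules:
            conditions = rule.get("conditions", [])
            over(f"rule '{rule['name']}' conditions", len(conditions), "conditions_per_rule")
            for cond in conditions:
                over(f"rule '{rule['name']}' {cond['type']} condition entries",
                     len(cond.get("entries", [])), "entries_per_condition")
    return findings


# Constructed sample policy: one sensibly sized rule set, and one rule whose
# File and Folder Access condition enumerates far more paths than recommended
# (the kind of per-file blocklist that grows during an outbreak).
SAMPLE_POLICY = {
    "name": "Outbreak containment (constructed)",
    "hardware_device_ids": [f"CONSTRUCTED-DEVICE-ID-{i}" for i in range(10)],
    "excluded_devices": [],
    "rule_sets": [
        {
            "name": "Protect system folders",
            "rules": [
                {"name": "Block writes to System32",
                 "conditions": [{"type": "File and Folder Access",
                                 "entries": ["C:\\Windows\\System32\\**"]}]},
            ],
        },
        {
            "name": "Per-file blocklist",
            "rules": [
                {"name": "Block enumerated files",
                 "conditions": [{"type": "File and Folder Access",
                                 "entries": [f"C:\\Temp\\bad{i}.exe" for i in range(450)]}]},
            ],
        },
    ],
}

if __name__ == "__main__":
    for line in check_policy(SAMPLE_POLICY) or ["policy within recommended limits"]:
        print(line)
```

For the sample policy the only finding is the 450-entry condition; collapsing such a list into a folder condition such as `C:\Temp\*` (or a hash-based condition) keeps the policy within the recommended size and avoids the client load-time and memory costs listed above.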
