How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection

Article:TECH94965  |  Created: 2009-01-09  |  Updated: 2010-01-05  |  Article URL http://www.symantec.com/docs/TECH94965
Article Type
Technical Solution


Environment

Issue



Is there a way to block or log Browser Helper Objects (BHOs) from loading by creating a rule in Symantec Endpoint Protection?

Symptoms

1. You have a BHO that loads when a user logs in and you want to know how to block it.
2. You want to be able to prevent new BHOs from loading.
3. You want to log all BHOs in the environment.


Cause



Undesirable Browser Helper Objects are loading on machines. You are dealing with a threat in the environment.

Solution




How to block BHOs using Application and Device Control
  1. Log into the Symantec Endpoint Protection Manager console
  2. Navigate to your Application and Device Control policy. (Log only when testing; use block in production.)
  3. In Application Control, add a rule set named "Block BHOs"
  4. Make it apply to all processes using the * in the upper dialog
  5. Under Rules, click Add and choose Add Condition
  6. Choose Registry Access Attempts
  7. Under Apply to the following registry keys click Add
  8. In Registry key add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  9. Click OK
  10. Go to the Actions tab
  11. Set Read Attempt to "Continue processing other rules"
  12. Set Create, Delete, or Write Attempt to "Block access"
  13. Click the boxes for Enable Logging
  14. Click OK




How to log BHOs using Application and Device Control
  1. Log into the Symantec Endpoint Protection Manager console
  2. Navigate to your Application and Device Control policy. (Log only when testing; use block in production.)
  3. In Application Control, add a rule set named "Log BHOs"
  4. Make it apply to all processes using the * in the upper dialog
  5. Under Rules, click Add and choose Add Condition
  6. Choose Registry Access Attempts
  7. Under Apply to the following registry keys click Add
  8. In Registry key add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  9. Click OK
  10. Go to the Actions tab
  11. Set Read Attempt to "Allow access"
  12. Set Create, Delete, or Write Attempt to "Allow access"
  13. Click the boxes for Enable Logging
  14. Click OK
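
An inventory of what is already registered under the monitored key is useful before moving the rule from logging to blocking. The PowerShell below is an added example, not part of the Symantec article; the WOW6432Node path (the 32-bit registry view on 64-bit Windows), the CLSID lookup under HKLM\SOFTWARE\Classes, and the function name Get-BhoInventory are assumptions beyond what the article lists.

```powershell
# Added example: list BHOs registered under the key the rule monitors.
$bhoKeys = @{
    # Key from the article (native registry view)
    'Native' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    # Assumption: 32-bit view on 64-bit Windows, not listed in the article
    'WOW64'  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
}
# Assumption: each BHO's COM class is registered machine-wide under these roots
$clsidRoots = @{
    'Native' = 'HKLM:\SOFTWARE\Classes\CLSID'
    'WOW64'  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
}

function Get-BhoInventory {
    foreach ($view in $bhoKeys.Keys) {
        if (-not (Test-Path -LiteralPath $bhoKeys[$view])) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKeys[$view]) {
            $clsid = $sub.PSChildName          # subkey name is the BHO's CLSID
            $name = $null; $dll = $null; $sig = 'NotResolved'
            $classKey = Join-Path $clsidRoots[$view] $clsid
            if (Test-Path -LiteralPath $classKey) {
                $name = (Get-Item -LiteralPath $classKey).GetValue('')
                $inproc = Join-Path $classKey 'InprocServer32'
                if (Test-Path -LiteralPath $inproc) {
                    $dll = (Get-Item -LiteralPath $inproc).GetValue('')
                }
            }
            # Signature status helps triage unknown entries. From a 64-bit shell,
            # System32 paths in the WOW64 view really refer to SysWOW64.
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; View = $view; CLSID = $clsid
                Name = $name; Dll = $dll; Signature = $sig
            }
        }
    }
}

Get-BhoInventory | Sort-Object View, CLSID | Format-Table -AutoSize
```

Entries that appear only in the WOW64 view sit outside the registry key the rule above specifies.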







Legacy ID



2009070915452948

