Using Application and Device Control to stop registry entries added by a threat or risk

Article:TECH95124  |  Created: 2009-01-21  |  Updated: 2014-04-29  |  Article URL http://www.symantec.com/docs/TECH95124
Article Type
Technical Solution


Issue



How do I write an application and device control rule to keep a virus or trojan from modifying registry keys.

Symptoms
A threat has modified the registry for malicious intent.


 


Solution



Use Application and Device Control to block registry changes that are associated with the threat.

Note: In SEP 11.x, Application and Device Control Policies do not work with 64-bit client computers. In SEP 12.1, Application and Device Control is fully supported across 32-bit and 64-bit architecture.


Create the Application and Device Control policy
 

  1. Log on to the Symantec Endpoint Protection Manager.
  2. Click Policies, then click Application and Device Control.
  3. Click Add an Application and Device Control Policy.


Create the Application Control Rule Set
 

  1. Click Application Control.
  2. Click Add.

    On the properties tab:
  3. Change the Rule name field to Allow Symantec processes and applications.
  4. Define the rule by adding the following values to the Apply this rule to the following processes box:

    #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*.exe
    #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*\*.exe
    %ProgramFiles%\Symantec\LiveUpdate\LU*.exe
    %ProgramFiles%\Symantec\LiveUpdate\setup.exe
    %ProgramFiles%\Common Files\Symantec Shared\*.exe
    %ProgramFiles%\Common Files\Symantec Shared\*\*.exe


Define the rule conditions

  1. Still in the Application and Device Control policy, under the Rules tree click the Add... button, then click Add Condition > Registry Access Attempts.

    On the Properties tab:
  2. Define the condition by adding the following value to the Apply to the following registry keys box:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    On the Actions tab:
  3. Click Allow access under Read Attempt.
  4. Click Continue processing other rules under Create, Delete, or Write Attempt.
  5. Define any other settings you would like, for example if events are logged or if clients will be notified by a pop-up.


Create the rule to block registry access
 

  1. Under the Rules tree, click the Add... button, then click Add Rule.

    On the properties tab of the newly created rule:
  2. Change the Rule name field to block all other processes and applications from accessing the registry.
  3. Define the rule by adding the following value to the Apply this rule to the following processes box:

    *
     
  4. Under the Rules tree, click the Add... button, then click Add condition > Registry Access Attempts.

    On the properties tab of the newly created condition:
  5. Change the Name field to reflect the purpose of the condition, for example "Block Trojan.Clampi."
  6. Define the condition by adding registry values you would like to limit access to. As an example the following registry entries are commonly changed by Trojan.Clampi:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GID"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GatesList"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyM"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyE"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"PID"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"M*"

    To define the registry values:
  7. Click Add.
  8. In the Add Registry Key Definition box, add a value to the Registry Key field, for example: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\
  9. Add the value for one key to the Value box without quotations, for example GID.
  10. Perform these steps for each value.

    On the Actions tab:
  11. Click Allow access under Read Attempt.
  12. Click Block access under Create, Delete, or Write Attempt.
  13. Define any other settings you would like, for example if events are logged or if clients will be notified by a pop-up.
     
  14. When all values have been defined click OK then click OK again.


Assign the policy
 

  1. Right-click the new Application and Device control value, then click Assign... to assign the policy to the desired groups.
  2. Click Yes when prompted to Assign Application and Device Control Policy changes?



Example

For an example of this type of policy please download and Import the following example policy:

Block changes common to Trojan.Clampi.dat




 



Legacy ID



2009072113270148


Article URL http://www.symantec.com/docs/TECH95124


Terms of use for this information are found in Legal Notices