Using Application and Device Control in Symantec Endpoint Protection (SEP) to log activity to common loading points for threats

Article:TECH96690  |  Created: 2009-01-12  |  Updated: 2012-09-20  |  Article URL http://www.symantec.com/docs/TECH96690
Article Type
Technical Solution


Environment

Issue



How do you leverage Application and Device Control in SEP to help identify new threats by monitoring places where threats typically install and load from?


Solution



This Application and Device Control rule will log any time any process tries to read, create, delete or write to the registry keys or folder locations listed. This has the potential of generating large volumes of logs whenever something touches a location that is being logged, particularly in C:\Windows and C:\Windows\System32.


Create an Application and Device Control rule to log activities in common loading points

1.) Log into the Symantec Endpoint Protection Manager (SEPM).
2.) Click Policies.
3.) Click Application and Device Control.
4.) Click Add an Application and Device Control Policy...
5.) Specify a name for the policy. Symantec recommends that policies be named to reflect what the policy is trying to accomplish to help administrators manage their SEP environments.
6.) Click Application Control.
7.) Click Add...
8.) Specify a name for the rule set.
9.) Ensure that Enable logging is checked.
10.) In Apply this rule to the following processes:, click Add...
11.) In the Process name to match field, enter *. This causes any process that attempts to use a common loading point to be logged. It is important that you do this, as trying to filter at this level can cause threats to be missed.
12.) Click OK.
13.) Under Rules, click Add, then Add Condition, then Registry Access Attempts.
14.) Under Apply to the following registry keys:, click Add...
15.) Under Registry key, enter this data:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

16.) Click OK.
17.) Repeat steps 14 to 16 for the following values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command

18.) Under Apply to the following registry keys:, click Add...
19.) Under Registry key, enter this data:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

20.) Under Registry value name, enter this data:

Local Page

21.) Click OK.
22.) Repeat these steps for the following values (Registry key and Registry value name separated by a hyphen below for easier reading):

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Page
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - VmApplet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - AppInit_DLLs

23.) Click OK.
24.) Click Actions.
25.) Check both Enable logging boxes. If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports.

Note:

  • The Severity level is merely a value that can be assigned by an administrator to help filter reports. This has no bearing on the traffic itself, and is only there to allow administrators to filter the data from the SEPM.
  • If Notify user is checked, whenever that action (read attempt or create, delete, or write) occurs, the user will get a pop-up in the lower right corner of the screen showing whatever is in the text box. This is an extremely useful tool if doing limited testing. Symantec recommends putting very verbose information into these boxes if used (such as "Read attempt on blocked registry keys"). However, this will pop up on every machine that has the policy, assuming the event happens. As such, this should be used with care.


26.) Click Allow access for both Read Attempt as well as Create, Delete, or Write Attempt.
27.) Under Rules, click Add, then Add Condition, then File and Folder Access Attempts.
28.) Click File and Folder Access Attempts.
29.) Under Apply to the following files and folders:, click Add...
30.) Enter this value:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

31.) Click OK.
32.) Repeat steps 29 to 31 for the following values:

C:\Windows
C:\Windows\System32

33.) Click Actions.
34.) Check both Enable logging boxes. If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports.
35.) Click OK.
36.) Change Test/Production to Production for your new rule. Because we're not blocking anything, there's no danger.
37.) Click OK. You will be prompted to assign the policy. You may do this if you wish from here, or you can assign the rule on your own.


View logs generated by this rule

  • To view the logs on the SEPM:
    1.) Log into the SEPM.
    2.) Click Monitors.
    3.) Click Logs.
    4.) Select Application and Device Control for Log Type.
    5.) Select Application Control for the Log content.
    6.) Modify the Time range, if needed.
    7.) Click View Log.

    Information found here can be broken down thusly:

    Time: When did the process attempt to run?
    Action: Did Application and Device Control allow it, or block it?
    Domain/Computer: Which Domain, and what's the host name of the computer?
    User: What account tried to run the program?
    Severity: This is where you can sort by severity...again, this is only to help administrators, and has no bearing on the functionality of SEP.
    Rule Name: Name of the Application and Device control rule that was matched by the action.
    Caller Process: What tried to perform an action?
    Target: What was the process trying to access?
  • To view the logs on the client:
    1.) Open the SEP client.
    2.) Click View logs.
    3.) Under Client Management, click View Logs, then Control Log....


    Information here can be broken down as follows:

    Date and time: When did the process attempt to run?
    Severity Level: This is where you can sort by severity...again, this is only to help administrators, and has no bearing on the functionality of SEP.
    Action: Did Application and Device Control allow it, or block it?
    Test/Production: Is this rule in Test mode (and thus just testing), or is it in Production mode (and thus logging/blocking)?
    Description: This column isn't used by the rules themselves, and can be ignored.
    API Class: What happened? Was the process trying to read a file? Write a registry key?
    Rule: Name of the Application and Device control rule that was matched by the action.
    Caller Process: Which program was actually trying to do something?
    Parameter: What was the process trying to touch?
    User: What account tried to run the program?
    User Domain: What domain is the user running from?
    Location: What location is SEP currently in (if Location Awareness is being used)?
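
Because this rule logs every process and can produce large volumes of entries, a first triage pass is to rank caller processes by how few computers they appear on. The following is an added example, not part of the original article or any Symantec tool: it assumes the SEPM log has been saved as CSV with the column names listed above (the CSV layout, host names and file paths are constructed), sets aside the high-volume C:\Windows folder events, and reports callers that touched a load point on only a few hosts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names follow the SEPM log fields listed above;
# the CSV layout is an assumption, not a documented SEPM export format.
SAMPLE_LOG = r"""Time,Action,Computer,User,Severity,Rule Name,Caller Process,Target
2012-09-20 09:01:12,Allow,WS-001,alice,Major,Log load points,C:\Windows\explorer.exe,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2012-09-20 09:01:40,Allow,WS-002,bob,Major,Log load points,C:\Windows\explorer.exe,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2012-09-20 09:02:03,Allow,WS-003,carol,Major,Log load points,C:\Windows\explorer.exe,HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2012-09-20 09:02:10,Allow,WS-001,SYSTEM,Major,Log load points,C:\Windows\System32\svchost.exe,C:\Windows\System32
2012-09-20 09:02:11,Allow,WS-002,SYSTEM,Major,Log load points,C:\Windows\System32\svchost.exe,C:\Windows\System32
2012-09-20 09:05:30,Allow,WS-001,SYSTEM,Major,Log load points,C:\Windows\System32\msiexec.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2012-09-20 09:06:02,Allow,WS-003,SYSTEM,Major,Log load points,C:\Windows\System32\msiexec.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2012-09-20 09:07:45,Allow,WS-002,bob,Major,Log load points,C:\Documents and Settings\bob\Local Settings\Temp\upd8.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""

# Folder targets the article warns are high-volume; triaged separately.
NOISY_PREFIX = "c:\\windows"


def load_events(text):
    """Parse the CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def rank_callers(events, max_hosts=1):
    """Return (caller, target, hosts) for callers seen on at most max_hosts
    computers, rarest first. Registry load points and the Startup folder are
    kept; events under C:\\Windows are skipped as noise."""
    hosts = defaultdict(set)
    for event in events:
        target = event["Target"].strip()
        if target.lower().startswith(NOISY_PREFIX):
            continue
        caller = event["Caller Process"].strip().lower()
        hosts[(caller, target)].add(event["Computer"].strip().upper())
    rare = [(caller, target, sorted(seen))
            for (caller, target), seen in hosts.items()
            if len(seen) <= max_hosts]
    return sorted(rare, key=lambda row: (len(row[2]), row[0], row[1]))


if __name__ == "__main__":
    for caller, target, seen in rank_callers(load_events(SAMPLE_LOG)):
        print(f"{len(seen)} host(s) {seen}: {caller} -> {target}")
```

A caller that appears on one computer is not necessarily a threat; it is simply the entry to review first, alongside the User and Time columns for that row.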



Legacy ID



2009101207390448

