Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats

Article:TECH96766  |  Created: 2009-01-14  |  Updated: 2009-01-15  |  Article URL http://www.symantec.com/docs/TECH96766
Article Type: Technical Solution

Issue

How do you leverage Application and Device Control in SEP to help block new threats by monitoring places where threats typically install and load from and blocking modifications in those locations?


Solution

This Application and Device Control rule will block any process that tries to create, delete or write to the registry keys or folder locations listed. This has the potential of causing serious complications with normal computer operations and should be used only in emergency situations and closely monitored.

Create an Application and Device Control rule to block activities in common loading points

1.) Log into the Symantec Endpoint Protection Manager (SEPM).
2.) Click Policies.
3.) Click Application and Device Control.
4.) Click Add an Application and Device Control Policy...
5.) Specify a name for the policy. Symantec recommends that policies be named to reflect what the policy is trying to accomplish to help administrators manage their SEP environments.
6.) Click Application Control.
7.) Click Add...
8.) Specify a name for the rule set.
9.) Ensure that Enable logging is checked.
10.) In Apply this rule to the following processes:, click Add...
11.) In the Process name to match field, enter *. This will cause any process that attempts to use a common loading point to be logged. It is important that you do this, as trying to filter at this level can cause threats to be missed.
12.) Click OK.
13.) Under Rules, click Add, then Add Condition, then Registry Access Attempts.
14.) Under Apply to the following registry keys:, click Add...
15.) Under Registry key, enter this data:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

16.) Click OK.
17.) Repeat steps 14 to 16 for the following values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command

18.) Under Apply to the following registry keys:, click Add...
19.) Under Registry key, enter this data:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

20.) Under Registry value name, enter this data:

Local Page

21.) Click OK.
22.) Repeat these steps for the following values (Registry key and Registry value name separated by a hyphen below for easier reading):

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Page
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - VmApplet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - AppInit_DLLs

23.) Click OK.
24.) Click Actions.
25.) Click Continue processing other rules for Read Attempt.
26.) Click Block access for Create, Delete, or Write Attempt.
27.) Check Enable logging under Create, Delete or Write Attempt. If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports.

Note:
  • The Severity level is merely a value that can be assigned by an administrator to help filter reports. This has no bearing on the traffic itself, and is only there to allow administrators to filter the data from the SEPM.
  • If Notify user is checked, whenever that action (read attempt or create, delete, or write) occurs, the user will get a pop-up in the lower right corner of the screen showing whatever is in the text box. This is an extremely useful tool if doing limited testing. Symantec recommends putting very verbose information into these boxes if used (such as "Read attempt on blocked registry keys"); however, this will pop up on every machine that has the policy, assuming the event happens. As such, this should be used with care.

28.) Under Rules, click Add, then Add Condition, then File and Folder Access Attempts.
29.) Click File and Folder Access Attempts.
30.) Under Apply to the following files and folders:, click Add...
31.) Enter this value:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

32.) Click OK.
33.) Repeat steps 30 to 32 for the following values:

C:\Windows
C:\Windows\System32

34.) Click Continue processing other rules for Read Attempt.
35.) Click Block access for Create, Delete, or Write Attempt.
36.) Check Enable logging under Create, Delete or Write Attempt. If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports.
37.) Click OK.
38.) Change Test/Production to Production for your new rule. Because we're not blocking anything, there's no danger.
39.) Click OK. You will be prompted to assign the policy. You may do this if you wish from here, or you can assign the rule on your own.
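Before switching the rule to Production it helps to know what already lives in these loading points, since the rule blocks writes there. The following PowerShell script is an added example, not part of the Symantec article: it snapshots the registry keys, named values and Startup folder listed in the steps above and diffs them against a saved baseline; it assumes an elevated session on the client and uses a placeholder baseline path.

```powershell
# Added example (not from the Symantec article): snapshot the loading points the
# rule protects and diff them against a saved baseline. Assumes an elevated
# PowerShell session on the client; $BaselinePath is a placeholder path.
$BaselinePath = 'C:\Temp\loadpoints-baseline.xml'

# Whole keys from step 17: every value under each key is recorded
$Keys = @(
    $(foreach ($h in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
        foreach ($s in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') { "$h\Microsoft\Windows\CurrentVersion\$s" } })
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    $(foreach ($t in 'exefile', 'comfile', 'txtfile') { "Registry::HKEY_CLASSES_ROOT\$t\shell\open\command" })
)
# Named values from steps 20 and 22
$Values = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Names = 'Local Page', 'Search Page' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Userinit', 'Shell', 'VmApplet' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Names = 'AppInit_DLLs' }
)
# Startup folder from step 31 (C:\Windows and System32 are too large to snapshot this way)
$Folders = @('C:\Documents and Settings\All Users\Start Menu\Programs\Startup')

function Get-LoadPointSnapshot {
    $snap = @{}
    foreach ($k in $Keys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($item) { foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $snap["$k\$($p.Name)"] = [string]$p.Value } } }
    }
    foreach ($v in $Values) { foreach ($n in $v.Names) {
        $item = Get-ItemProperty -Path $v.Key -Name $n -ErrorAction SilentlyContinue
        if ($item) { $snap["$($v.Key)\$n"] = [string]$item.$n }
    } }
    foreach ($f in $Folders) {
        Get-ChildItem -Path $f -ErrorAction SilentlyContinue |
            ForEach-Object { $snap[$_.FullName] = "$($_.Length) bytes, modified $($_.LastWriteTime)" }
    }
    return $snap
}
$current = Get-LoadPointSnapshot
if (Test-Path $BaselinePath) {
    $baseline = Import-Clixml $BaselinePath
    foreach ($n in $current.Keys) {
        if (-not $baseline.ContainsKey($n)) { "ADDED   $n = $($current[$n])" }
        elseif ($baseline[$n] -ne $current[$n]) { "CHANGED $n = $($current[$n])" }
    }
    foreach ($n in $baseline.Keys) { if (-not $current.ContainsKey($n)) { "REMOVED $n" } }
} else {
    $current | Export-Clixml $BaselinePath
    "Baseline written to $BaselinePath ($($current.Count) entries)"
}
```

Run it once to write the baseline, then rerun after the rule has been in Test mode for a while: any ADDED or CHANGED line should correspond to an entry in the Application Control log, and anything legitimate it reports is a candidate for an exception before you move the rule to Production.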


View logs generated by this rule
  • To view the logs on the SEPM:
    1.) Log into the SEPM.
    2.) Click Monitors.
    3.) Click Logs.
    4.) Select Application and Device Control for Log Type.
    5.) Select Application Control for the Log content.
    6.) Modify the Time range, if needed.
    7.) Click View Log.

    Information found here can be broken down thusly:

    Time: When did the process attempt to run?
    Action: Did Application and Device Control allow it, or block it?
    Domain/Computer: Which Domain, and what's the host name of the computer?
    User: What account tried to run the program?
    Severity: This is where you can sort by severity...again, this is only to help administrators, and has no bearing on the functionality of SEP.
    Rule Name: Name of the Application and Device control rule that was matched by the action.
    Caller Process: What tried to perform an action?
    Target: What was the process trying to access?
  • To view the logs on the client:
    1.) Open the SEP client.
    2.) Click View logs.
    3.) Under Client Management, click View Logs, then Control Log....

    Information here can be broken down thusly:

    Date and time: When did the process attempt to run?
    Severity Level: This is where you can sort by severity...again, this is only to help administrators, and has no bearing on the functionality of SEP.
    Action: Did Application and Device Control allow it, or block it?
    Test/Production: Is this rule in Test/Production mode (and thus just testing), or is it in Production mode (and thus logging/blocking)?
    Description: This column isn't used by the rules themselves, and can be ignored.
    API Class: What happened? Was the process trying to read a file? Write a registry key?
    Rule: Name of the Application and Device control rule that was matched by the action.
    Caller Process: Which program was actually trying to do something?
    Parameter: What was the process trying to touch?
    User: What account tried to run the program?
    User Domain: What domain is the user running from?
    Location: What location is SEP currently in (if Location Awareness is being used)?

Legacy ID: 2009101410542148