Batten Down the Hatches with System Lockdown 

Feb 26, 2009 05:44 PM

Static servers that are rarely used or updated are exposed to malware and spyware arriving from the Internet or from the local network.  Endpoint devices such as Windows XP systems and point-of-sale (POS) terminals are particularly susceptible to malware that damages or destroys data.

You can run antivirus and anti-spyware modules on embedded devices to guard against malware, but their memory requirements grow as new definitions are added to cover the latest threats.  An alternative is the System Lockdown feature of Symantec Endpoint Protection.

System Lockdown builds on the application control feature of Symantec Endpoint Protection and is very easy to use.  It lets you create a whitelist of all the applications on a system or a group of systems, so that only those executables are allowed to run and every other application is prevented from running.

Lots of insight from a little utility
To use System Lockdown on a system, open a command prompt and run checksum.exe to take a snapshot of all the executable files on the system.  The utility writes an output file that lists every executable binary it finds together with that file's hash.  Import that file into the Symantec Endpoint Protection Manager console; under Policy Components the console prompts you to create a File Fingerprint List, and the wizard walks you through reviewing the list of executables for unapproved or missing applications.

If you use System Lockdown on a group of computers, run checksum.exe on a representative local client and then import the output file into the Policy Components section of the Symantec Endpoint Protection Manager console.  In the Clients section of the console, click the Policies tab and select System Lockdown.  There are three options:  Disable, Log Unapproved Applications Only, and Enable System Lockdown.

Select the fingerprint list you want to use, apply the policy, and then check whether any applications appear that are not supposed to be there.  The best practice for using System Lockdown is to run the checksum utility, clear up any application problems, and then run checksum again 24-48 hours later.  Compare the new output file against the first to be sure it contains any applications that have been installed since the previous run.  Once the output file shows exactly the application list you require, enable System Lockdown and then decide whether users should be notified when an unapproved application is blocked.
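The workflow above amounts to: snapshot the executables on a client, take a second snapshot a day or two later, and diff the two lists before enabling enforcement.  The following Python script is an added example, not Symantec's checksum.exe or any code from the original post.  It reproduces that workflow so you can see what the comparison step should report: it hashes every file with an executable extension under a directory, writes a fingerprint list, and diffs two lists into added, removed and changed entries.  Assumptions: the list format is one "<md5> <path>" entry per line (the layout SEP's checksum.exe produces), and the extension set is an illustrative choice, not a complete definition of "executable".

```python
"""Snapshot executables and compare two snapshots, as in the System Lockdown
checksum workflow.  Added example; not Symantec's tooling.

Assumptions (not taken from the original post):
  - fingerprint lists are "<md5hex> <absolute path>" lines, one file per line
  - EXECUTABLE_EXTS is an illustrative set of extensions to fingerprint
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".ocx", ".scr", ".cpl"}  # assumption


def md5_of_file(path: str) -> str:
    """MD5 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: str, exts: Iterable[str] = EXECUTABLE_EXTS) -> Dict[str, str]:
    """Return {absolute path: md5} for every file under root with a listed extension."""
    wanted = {e.lower() for e in exts}
    fps: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in wanted:
                full = os.path.join(dirpath, name)
                fps[full] = md5_of_file(full)
    return fps


def write_fingerprint_list(fps: Dict[str, str]) -> str:
    """Serialise as '<hash> <path>' lines, sorted so two lists diff cleanly."""
    return "".join(f"{h} {p}\n" for p, h in sorted(fps.items()))


def parse_fingerprint_list(text: str) -> Dict[str, str]:
    """Parse '<hash> <path>' lines; the path may itself contain spaces."""
    fps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h, _, p = line.partition(" ")
        fps[p] = h.lower()
    return fps


def diff_fingerprints(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify what changed between a baseline list and a re-run.

    added   -> candidate unapproved applications (installed since the baseline)
    removed -> applications that disappeared (the list may still allow them)
    changed -> same path, different binary (patched, or tampered with)
    """
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in new if p in old and old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a baseline snapshot, then a re-run '48 hours later'.
    Returns the diff with paths reduced to basenames."""
    with tempfile.TemporaryDirectory() as root:
        def put(name: str, data: bytes) -> None:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        put("app.exe", b"MZ app v1")
        put("helper.dll", b"MZ helper v1")
        put("old.exe", b"MZ legacy tool")
        put("readme.txt", b"not an executable, must be ignored")
        baseline = write_fingerprint_list(fingerprint_tree(root))

        put("helper.dll", b"MZ helper v2 (patched)")   # updated component
        put("installer.exe", b"MZ unexpected")         # unapproved addition
        os.remove(os.path.join(root, "old.exe"))        # application removed
        rerun = write_fingerprint_list(fingerprint_tree(root))

        d = diff_fingerprints(parse_fingerprint_list(baseline),
                              parse_fingerprint_list(rerun))
        return {k: [os.path.basename(p) for p in v] for k, v in d.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything in "added" is exactly what the post tells you to investigate before switching from Log Unapproved Applications Only to Enable System Lockdown; "changed" entries matter too, because a whitelist keyed on hashes will block a legitimately patched binary whose fingerprint was never re-imported.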

To use System Lockdown to its best advantage, create a client package that does not include the other protection technologies, such as antivirus/antispyware, the TruScan proactive threat scan module, or the device control module.  With System Lockdown enabled you won't need those additional modules, and the client will have a lighter footprint.  Bear in mind that the whitelist only governs which binaries may launch; it does not inspect what an approved executable does, so pay particular attention to any interpreters or installers that end up on the approved list.

Comments

Apr 30, 2009 07:18 PM

"To use System Lockdown to its best advantage, you need to create a client package that doesn't have any of the other protection technologies installed, such as antirust/antispyware, the truth scan module, or the device control module"

What does that mean?  What is Antitrust?

The only options for installation I see for MR4MP1 are:

All Features
Only Antivirus and Antispyware
Only Network Threat Protection
Antivirus, Antispyware and TruScan Proactive Threat Scan

Which choice do you use with System Lockdown?

 
