Block Software By Fingerprint

Created: 10 Nov 2009 • Updated: 17 Nov 2009 | 16 comments
Naor Penso

How to block applications in SEP using MD5

1. First, obtain Checksum.exe. It ships in the root folder of the SEP client:
   %programfiles%\Symantec\Symantec Endpoint Protection\Checksum.exe

2. The program you want to block must be present on the machine: installed, or, if it needs no installation, just the executable file itself.

3. I suggest copying Checksum.exe to C:\ to make the procedure easier.

4. Assuming the file is in C:\, this is what we do:

   · Click Start --> Run --> CMD.EXE. A command prompt will appear.
   · Navigate to the folder where Checksum.exe is located.
   · Run the following command:
       Checksum.exe <result file location> <application location>
     <result file location> = the path and name of the result file
     <application location> = the path of the application whose fingerprint we want to extract
     For example (the path contains spaces, so quote it):
       Checksum.exe c:\result.txt "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe"
   · Here I wanted to find out the checksum of SavUI.exe and wrote the result to result.txt.
   · The procedure should take only a couple of seconds, and you should see "Checksummed 1 file".
   · When we open the output file, this is what we get:
       9213d1c5f877272231f6763f143d554c c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe
   · The 32-hex-digit value is the fingerprint (MD5 hash) of the file, followed by the path of the file.

5. Using the extracted fingerprint in SEP:

   · Open the SEPM.
   · Go to Policies and click Application and Device Control.
   · Right-click the policy and click Edit (I used the default Application Control policy, but you can create your own if you like).
   · Under Application Control, select the "Block applications from running" rule set and click Edit.
   · Go to "Apply this rule to the following processes" and click Add.
   · Click Options; two new fields will appear.
   · Tick "Match the fingerprint" and paste the fingerprint we found earlier: 9213d1c5f877272231f6763f143d554c
   · Click OK, and that is it: SEP will block the program you want.
   · One reminder: you must assign the policy to the client groups, and make sure the rule set is in Production mode (not Test mode, which only logs) so that it actually blocks the software.
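The fingerprint is nothing more than the MD5 of the file's bytes in the "<md5> <path>" layout shown in result.txt above, so it can be produced for any file (an installer, a DLL, a .bat script) and checked without Checksum.exe. The script below is an added example, not Symantec's Checksum.exe and not code from this post: it writes and parses a result file in that layout, and its demo builds constructed sample files in a temporary directory to show that renaming or moving a file does not change its fingerprint, while the next version of the same program gets a different one and therefore needs its own rule.

```python
"""Produce SEP-style MD5 fingerprints ("<md5> <path>" lines) for any file.

Added example; it is neither Symantec's Checksum.exe nor code from the
original post. The output layout is the one shown in the post's result.txt.
All sample files below are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def md5_of_bytes(data: bytes) -> str:
    """Lower-case hex MD5 of an in-memory blob (handy for test vectors)."""
    return hashlib.md5(data).hexdigest()


def md5_fingerprint(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large installers do not load into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_result_file(result_path, targets) -> list:
    """Write one "<md5> <path>" line per target, like Checksum.exe does."""
    lines = [f"{md5_fingerprint(t)} {t}" for t in targets]
    Path(result_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


def parse_result_file(result_path) -> dict:
    """Map path -> fingerprint. Split on the FIRST space only, because
    Windows paths such as C:\\Program Files\\... contain spaces themselves."""
    digests = {}
    for raw in Path(result_path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line:
            continue
        digest, _, path = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"not a fingerprint line: {raw!r}")
        digests[path] = digest
    return digests


def demo() -> dict:
    """Show what a fingerprint rule does and does not survive (constructed files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vendor = root / "Program Files" / "Vendor"   # a path with a space in it
        vendor.mkdir(parents=True)

        v1 = vendor / "app-1.0.exe"                  # fake binary, version 1.0
        v1.write_bytes(b"MZ" + bytes(range(256)) * 4 + b"version 1.0")
        renamed = root / "harmless.exe"              # same bytes, new name and location
        renamed.write_bytes(v1.read_bytes())
        v2 = vendor / "app-1.1.exe"                  # next release: bytes differ
        v2.write_bytes(v1.read_bytes().replace(b"1.0", b"1.1"))
        bat = root / "jmeter.bat"                    # not a PE file; still hashable
        bat.write_bytes(b"@echo off\r\njava -jar ApacheJMeter.jar %*\r\n")

        result = root / "result.txt"
        write_result_file(result, [v1, renamed, v2, bat])
        fp = parse_result_file(result)
        return {
            "count": len(fp),
            "rename_same": fp[str(v1)] == fp[str(renamed)],   # renaming does not evade the rule
            "version_differs": fp[str(v1)] != fp[str(v2)],    # each version needs its own rule
            "bat_fingerprint_len": len(fp[str(bat)]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the Windows client itself, PowerShell's `Get-FileHash -Algorithm MD5 <file>` gives the same digest (printed in upper-case hex). Because a fingerprint rule matches exact bytes, a patched, recompiled or repackaged build slips past it until you add that build's hash; where that is too brittle, combine the fingerprint with the rule's file name or path condition rather than relying on the hash alone.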

 I have also uploaded the file here.

Enjoy,

Naor Penso
Security Engineer
Netcom Malam-Team
 

Comments (16)

shp wrote:

Good one.... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

AravindKM wrote:

Nice information 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

PeterWendell wrote:

There is also a way to obtain the MD5 checksum of an executable WITHOUT running the checksum.exe program on a client. In order to do this you need to:

1. In the SEPM, click on the ADMIN button in the left pane and then select the SERVERS tab.
2. Check the Properties for the SITE (the root of the tree) and make sure that 'Keep track of every application that the clients run' is checked. It is UNCHECKED by default. Close the properties window.
3. If it was unchecked, you will need to wait a while for the clients to start reporting the applications they use.
4. Now you can click on the POLICIES button in the left pane and choose 'Search for Applications' in the tasks menu. You will see the Query Window.
The image below shows a query for 'iexplore' in one of my groups. If you select one of the results and press the 'View Details' button, you will see the following image. The query accepts wildcards and will return unique entries for every version of the file found. You could easily find every version of any file being run in a group or groups and use the fingerprints to block one version, or all of them.

[Image: Query.jpg]

[Image: details.JPG]

I hope that's useful.

Srikanth_Subra wrote:

Thanks Peter,

Using your method it is easy for me now to block the software, and I have now successfully blocked many unwanted programs with the help of this.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Pink Panther wrote:

Can we block/allow by fingerprint or other condition on just one device\user in a client group? My guess would be that we cannot do it on a single machine, but must put the machine in a new group and apply it there; I just thought I should ask.

Thanks

Naor Penso wrote:

You could block/allow by group.
Today there is no possibility to enforce policies on a single machine unless you move it to another group.
But you can create any amount of policies and enforce them on groups.
Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

Srikanth_Subra wrote:

Thanks. Using this I have done the blocking, but how do I block different versions of the same product?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Mick2009 wrote:

"Thumbs up" to the excellent material, above. 

Here is Symantec's official article on the subject:

How to use Application and Device Control to limit the spread of a threat.
Article: TECH93451 | Created: 2009-01-15 | Updated: 2010-12-13 |
Article URL http://www.symantec.com/docs/TECH93451

My personal favorite third-party tool for calculating a file's MD5 is called HashCalc from SlavaSoft.

With thanks and best regards,

Mick

Ambesh_444 wrote:

Really nice post. My vote goes to you.

Thumbs up!

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Srikanth_Subra wrote:

How do I monitor USB activity on a computer?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

Mohd Saleem wrote:

Thanks. Using this I have done the blocking, but how do I block different versions of the same product?

Please reply ASAP.

Thanks and Regards--

Mohd Saleem

Shawn T. wrote:

Mohd,

Different versions of the same product will each have a unique fingerprint (MD5 hash). You would need to collect the fingerprint from each version of executable you wish to block.

PeterWendell's method does make this easier to do, but it is reactive. That is, a user has to have run that program first before you can see it in the list. There are also some reasons not to learn applications all the time, which should be considered. See http://www.symantec.com/docs/TECH134367 for best practices on application learning.

Mick2009 wrote:

Just adding another helpful cross-ref:

How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage
http://www.symantec.com/docs/TECH97618

With thanks and best regards,

Mick

anoopjeevan wrote:

Hi all,

What about non-.exe programs? How can we block them? I want to block Apache JMeter. It has a batch file (jmeter.bat). I am unable to create a fingerprint of that .bat file using Checksum. Could you please help with this?

Regards,

Anoop Jeevan.K

greg12 wrote:

You can use HashCalc (see Mick's post) or another free tool. It can create fingerprints (MD5 hashes) from arbitrary files.
