SEP 12.1 Release Update 1 (RU1) Maintenance Patch 1 (MP1) added a new exception category: DNS or Host File Change Exception. It lets you control what SONAR does when a specific application modifies the DNS settings or the hosts file (ignore, log only, prompt, or block), instead of applying the default detection action to that application.
Follow the steps below to create a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and later.
- Log in to the Symantec Endpoint Protection Manager (SEPM).
- Click the Policies tab.
- Under Policies, click Exceptions.
- Either click "Edit the Policy" or "Add an Exception Policy", as required.
- In the Exceptions policy, click Exceptions, click "Add", then click Windows Exceptions and select "DNS or Host File Change Exception".
- Click "Add an Application to Monitor" and add the application to be monitored. This can be an application already in use on the network, or one you expect to appear later. After it is added, it can take several hours for the application to show up in the list of application exceptions; once it does, you can specify an action for it.
- Click Add.
- Choose the action (Ignore, Log only, Prompt or Block). Note: the default is "Log only".
- Click OK.
- Click OK.
Make sure you assign the policy to the correct groups.
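Before giving an application the "Ignore" action, it is worth confirming what it actually wrote to the hosts file: a developer tool adding a local override is a different matter from something redirecting LiveUpdate or Windows Update. The following script is an added example for this article, not Symantec code, and it does not talk to SEPM. It parses a hosts file, diffs it against the stock (comment-only) Windows file, rates each added entry, and maps the worst finding to a suggested exception action. The sample hosts contents are constructed, and the severity-to-action mapping is this example's own heuristic rather than anything Symantec defines.

```python
"""Audit what an application changed in the Windows hosts file before
deciding which SONAR action (Ignore, Log only, Prompt, Block) to give it.
Added example for this article; not Symantec code, no SEPM interaction.
The sample hosts contents are constructed and the action mapping is a
heuristic chosen for this example."""
import sys
from ipaddress import ip_address

# Constructed baseline: the stock Windows hosts file contains only comments.
DEFAULT_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
"""

# Constructed example of the file after an application modified it.
MODIFIED_HOSTS = DEFAULT_HOSTS + """127.0.0.1    dev.local          # local developer override
0.0.0.0      ads.example.net    # ad-blocking style blackhole
203.0.113.5  intranet.corp.example
198.51.100.7 liveupdate.symantec.com
0.0.0.0      windowsupdate.microsoft.com
"""

# Loopback/blackhole targets: harmless for ordinary names, but used by
# malware to cut clients off from security-vendor and OS update servers.
LOOPBACK_OR_BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Domains whose redirection (to anywhere) is a classic hosts-file hijack sign.
SENSITIVE_SUFFIXES = ("symantec.com", "microsoft.com", "windowsupdate.com")
SEVERITY_RANK = {"info": 0, "warn": 1, "critical": 2}
# Hypothetical mapping from worst finding to a SEP exception action.
SUGGESTED_ACTION = {-1: "none", 0: "Ignore", 1: "Prompt", 2: "Block"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ip_address(ip)
        except ValueError:
            continue  # not a valid address; the resolver ignores the line too
        entries.extend((ip, name.lower()) for name in names)
    return entries


def classify(ip, name):
    """Rate one added entry: info (local override or blackhole of an ordinary
    name), warn (ordinary name sent to a remote address), critical (security
    or OS update domain tampered with in either direction)."""
    if any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES):
        return "critical"
    if ip in LOOPBACK_OR_BLACKHOLE:
        return "info"
    return "warn"


def audit_hosts(baseline_text, current_text):
    """Diff current against baseline and suggest an exception action."""
    before = set(parse_hosts(baseline_text))
    after = parse_hosts(current_text)
    findings = [(classify(ip, name), ip, name)
                for ip, name in after if (ip, name) not in before]
    removed = sorted(before - set(after))
    worst = max((SEVERITY_RANK[sev] for sev, _, _ in findings), default=-1)
    return {"findings": findings, "removed": removed,
            "suggested_action": SUGGESTED_ACTION[worst]}


if __name__ == "__main__":
    # With a path argument, audit a real file (on Windows typically
    # C:\Windows\System32\drivers\etc\hosts); otherwise use the sample.
    current = open(sys.argv[1]).read() if len(sys.argv) > 1 else MODIFIED_HOSTS
    report = audit_hosts(DEFAULT_HOSTS, current)
    for severity, ip, name in report["findings"]:
        print(f"{severity:8} {ip:15} {name}")
    print("suggested SONAR action:", report["suggested_action"])
```

Run against the constructed sample, the two update-server entries are rated critical and the script suggests "Block"; an application whose only changes are loopback overrides comes out as an "Ignore" candidate. The point is the check, not the mapping: swap in your own baseline (a copy of the hosts file taken from a clean build) and adjust the sensitive-domain list to your environment.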
Related articles:
- Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"
- Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages
Hope that helps!!