Video Screencast Help

Creating Application Control Exclusions in Symantec Endpoint Protection 12.1

Created: 24 Jun 2013 • Updated: 25 Jun 2013 | 3 comments
Language Translations
Mick2009's picture
+11 11 Votes
Login to vote

Here come the ADC's...

Symantec Endpoint Protection 11 and 12.1 have a fantastic feature called Application and Device Control (ADC).  Administrators can use this optional SEP component to block an unwanted process, whether it is a suspicious/malicious application or just a tool that admins would rather not have their managed endpoints running.  It can also be used to block unauthorized devices (USB thumb drives, smartphones, and so on).  Here is an overview article about ADC:

About application and device control
Article URL http://www.symantec.com/docs/HOWTO27048 
 

SEP 12.1 brought a couple of important ADC enhancements: it can now be used with 64-bit OS's, and there is now the ability to create an exception that will apply only to ADC and leave AntiVirus Auto-Protect functioning.  This article illustrates one instance in which this new Application Control exclusion enabled SEP 12.1 to interact with a legacy software component crucial to an important customer's business.

 

An Important Warning

Please Note! ADC is a powerful security tool.  If misconfigured, it can prevent important Windows processes from executing- potentially turning computers into big, heavy paperweights.  USE APPLICATION AND DEVICE CONTROL WITH CAUTION!

 

Ask Mr. Computer Science Guy

Application Control works by injecting a Symantec library (sysfer.dll) into every process launched on controlled SEP clients. This library monitors key process function calls.  It can allow, deny and/or log process activity, depending on how the administrator has configured it.

Using the excellent Process Monitor tool from Sysinternals, it is possible to see the SYSFER.DLL module in a sample process...

SYSFER_HERE.png

Sysfer usually gets along well with other programs on a computer.  Historically, there have been some instances where there was a conflict.  As there are countless software programs developed every day by coders of mixed ability, there will doubtless be conflicts in the future.  Let me provide an example...
 

CRASH!

A legacy web application had been working for many years.  After SEP 12.1 RU2 was installed onto computers, however, it stopped functioning.  Application and Device Control was one of the SEP components deployed.  Tests confirmed that after this component was removed, the old application could function.

The Windows event logs contained Application Errors like the following:   

[date][time] Application Error Application Error win7.domain.local     1000 
Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: jvm.dll, version: 0.0.0.0, time stamp: 0x42527311
Exception code: 0xc0000005
Fault offset: 0x00050b58
Faulting process id: 0x6a0
Faulting application start time: 0x01ce4d5a8b411f08
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll

Report Id: d403dc08-b94d-11e2-b198-0019b90b7215
 

This custom web application was built to rely upon Oracle's Jinitiator, a JVM discontinued in January 2008.  In the long term, a new web application would be written to replace it.  In the short term, though, if business was to continue it would be necessary to find a workaround- hopefully one that did not mean removing ADC from the endpoints completely.

 

Solution!

There was no way that Jinitiator could be updated as it was no longer under development.  If there was to be a way around the incompatibility, it would have to come from the SEP side.

The administrator logged into the Symantec Endpoint Protection Manager (SEPM) console and clicked on Policies, Exceptions.  A new Exception was added to the policy that was deployed to all the affected clients.  This new File Exception was created not for the module which was crashing (C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll) but created for the application which launched that module - C:\Program Files\Internet Explorer\iexplore.exe. 
 

 exception_policy_1.jpg

Note that the exception / exclusion was created for Application Control alone.  "Security Risk" and "SONAR" were not checked- meaning that there were still robust protection technologies monitoring IE and protecting it against evilness. 

Once this policy was in place on the SEP clients, the legacy application functioned and ADC was protecting every process on the computer except for Internet Explorer. 

One note: as a general security best practice, it is best not to tick “Also exclude child processes.” Check if the application works with this unticked.  

 

 

Tell Me More!  

Details on ADC and creation of exclusions can be found in the following articles:

Symantec Endpoint Protection Manager 12.1 - Application and Device Control (ADC) - Policies explained
Article URL http://www.symantec.com/docs/TECH188597 
 

Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 12.1
Article URL http://www.symantec.com/docs/TECH183201 
 

Excluding a file or a folder from scans
Article URL http://www.symantec.com/docs/HOWTO80920 
 

Excluding applications from application control
Article URL http://www.symantec.com/docs/HOWTO55212 
 

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
Article URL http://www.symantec.com/docs/TECH181679

How to block or allow device's in Symantec Endpoint Protection
https://www-secure.symantec.com/connect/articles/how-block-or-allow-devices-symantec-endpoint-protection
 

 

Many thanks for reading!  Please do leave comments and feedback below.

 

Comments 3 CommentsJump to latest comment

_Brian's picture

Pretty slick, thanks for posting.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

+1
Login to vote
Ambesh_444's picture

Nice Dude.!!!!

Best of luck for next..!!!!!!!!

 

Thank& Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

+1
Login to vote
Mick2009's picture

Here is another good illustrated KB on the subject:

How to create an Application Control exception or stop sysfer.dll injection into a process with SEP
http://www.symantec.com/docs/HOWTO95454

With thanks and best regards,

Mick

0
Login to vote