Creating Application Control Exclusions in Symantec Endpoint Protection 12.1
Here come the ADC's...
Symantec Endpoint Protection 11 and 12.1 have a fantastic feature called Application and Device Control (ADC). Administrators can use this optional SEP component to block an unwanted process, whether it is a suspicious/malicious application or just a tool that admins would rather not have their managed endpoints running. It can also be used to block unauthorized devices (USB thumb drives, smartphones, and so on). Here is an overview article about ADC:
About application and device control
Article URL http://www.symantec.com/docs/HOWTO27048
SEP 12.1 brought a couple of important ADC enhancements: it can now be used with 64-bit OS's, and there is now the ability to create an exception that will apply only to ADC and leave AntiVirus Auto-Protect functioning. This article illustrates one instance in which this new Application Control exclusion enabled SEP 12.1 to interact with a legacy software component crucial to an important customer's business.
An Important Warning
|Please Note! ADC is a powerful security tool. If misconfigured, it can prevent important Windows processes from executing- potentially turning computers into big, heavy paperweights. USE APPLICATION AND DEVICE CONTROL WITH CAUTION!|
Ask Mr. Computer Science Guy
Application Control works by injecting a Symantec library (sysfer.dll) into every process launched on controlled SEP clients. This library monitors key process function calls. It can allow, deny and/or log process activity, depending on how the administrator has configured it.
Using the excellent Process Monitor tool from Sysinternals, it is possible to see the SYSFER.DLL module in a sample process...
Sysfer usually gets along well with other programs on a computer. Historically, there have been some instances where there was a conflict. As there are countless software programs developed every day by coders of mixed ability, there will doubtless be conflicts in the future. Let me provide an example...
A legacy web application had been working for many years. After SEP 12.1 RU2 was installed onto computers, however, it stopped functioning. Application and Device Control was one of the SEP components deployed. Tests confirmed that after this component was removed, the old application could function.
The Windows event logs contained Application Errors like the following:
[date][time] Application Error Application Error win7.domain.local 1000
Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: jvm.dll, version: 0.0.0.0, time stamp: 0x42527311
Exception code: 0xc0000005
Fault offset: 0x00050b58
Faulting process id: 0x6a0
Faulting application start time: 0x01ce4d5a8b411f08
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll
Report Id: d403dc08-b94d-11e2-b198-0019b90b7215
This custom web application was built to rely upon Oracle's Jinitiator, a JVM discontinued in January 2008. In the long term, a new web application would be written to replace it. In the short term, though, if business was to continue it would be necessary to find a workaround- hopefully one that did not mean removing ADC from the endpoints completely.
There was no way that Jinitiator could be updated as it was no longer under development. If there was to be a way around the incompatibility, it would have to come from the SEP side.
The administrator logged into the Symantec Endpoint Protection Manager (SEPM) console and clicked on Policies, Exceptions. A new Exception was added to the policy that was deployed to all the affected clients. This new File Exception was created not for the module which was crashing (C:\PROGRA~1\Oracle\JINITI~1.22\bin\hotspot\jvm.dll) but created for the application which launched that module - C:\Program Files\Internet Explorer\iexplore.exe.
Note that the exception / exclusion was created for Application Control alone. "Security Risk" and "SONAR" were not checked- meaning that there were still robust protection technologies monitoring IE and protecting it against evilness.
Once this policy was in place on the SEP clients, the legacy application functioned and ADC was protecting every process on the computer except for Internet Explorer.
|One note: as a general security best practice, it is best not to tick “Also exclude child processes.” Check if the application works with this unticked.|
Tell Me More!
Details on ADC and creation of exclusions can be found in the following articles:
Symantec Endpoint Protection Manager 12.1 - Application and Device Control (ADC) - Policies explained
Article URL http://www.symantec.com/docs/TECH188597
Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 12.1
Article URL http://www.symantec.com/docs/TECH183201
Excluding a file or a folder from scans
Article URL http://www.symantec.com/docs/HOWTO80920
Excluding applications from application control
Article URL http://www.symantec.com/docs/HOWTO55212
Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
Article URL http://www.symantec.com/docs/TECH181679
How to block or allow device's in Symantec Endpoint Protection
Many thanks for reading! Please do leave comments and feedback below.