
How to block known virus executables that run from %UserProfile% using Application and Device Control

Created: 15 Apr 2010 • Updated: 29 Apr 2010 | 7 comments
Vikas Rajole

Threats often use the "C:\Documents and Settings\%UserProfile%\Local Settings\Application Data" location to launch their files.
It is easier to allow a few known executables than to block new threats one by one as they are detected.
 
Choose whichever option suits you best.
Option 1: To block all executables and allow only known executables from %UserProfile%, follow the steps in Part 1 and Part 2.
Option 2: To block only known executables from %UserProfile%, follow the steps in Part 1 only, with one change in Step 9: type the name of the known file to be blocked instead of the wildcard. For example, if the file name is FakeAv.exe the string would be %userprofile%\*\FakeAv.exe
 
Consider Option 1 if the threat is mutating itself, since a rule for a single known file name will not catch new variants.
 
Warning:
If you choose Option 1, implement the policy on a test machine first and test your business applications, because the policy might crash applications in the production environment. An application might launch executables from the Temp folder under the user profile.
 
 
Configuring the policy:
Part 1: Blocking all Exe's from %userprofile%
Part 2: Excluding or allowing genuine or legitimate Exe's from %userprofile%
 
Requirements:

1. Managed SEP 11.0 client with Proactive Threat Protection and Network Threat Protection. 
 
Part 1: Blocking all Exe's from %userprofile%
Please refer to the screenshot.
Log in to the SEPM console and open the Application and Device Control policy. Edit an existing policy or create a new one.
 
Step 1: Log in to the SEPM console and click the Policies tab.
Step 2: Click Application and Device Control.
Step 3: Edit the existing policy, or right-click to add a new policy.

 
Step 4: Click Application Control.
Step 5: Check "Block application from running".
Step 6: Click Edit.
Step 7: Click "Block these applications".
Step 8: Click Add.
Step 9: Type %userprofile%\*\*.exe in the text box. (This matches any executable found in any folder under %userprofile%.)
Step 10: Click OK.
 

 
Part 2: Excluding or allowing genuine or legitimate Exe's from %userprofile%
 
Step 11: Click Add.
Step 12: Type the name of the genuine application. For example: %userprofile%\*\notepad.exe
Step 13: Click OK.
Step 14: Click OK.
Step 15: Click OK. If you edited an existing policy in Step 3, the changed policy is applied to the group it is already assigned to. If you added a new policy, you will get a prompt saying "Would you like to assign this policy"; click Yes and select the desired group.
Note: If you want this policy on an unmanaged client, create a test group and assign the policy to that group, then export an unmanaged client package that includes the group's policies. Review the LiveUpdate policy for the test group as well.
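To see how the Part 1 block rule, the Part 2 exclusions, the Option 2 name-based rule and the All Users path suggested in the comments decide a launch attempt, here is an added simulation of the path matching (my own illustration, not Symantec's code or the page's own). It assumes that `*` matches any characters including backslashes, that matching is case-insensitive, and that the Part 2 allow list takes precedence over the Part 1 block rule; the profile path and launch attempts are constructed samples.

```python
import fnmatch
import re

# Constructed sample environment for the matcher (not a real machine).
ENV = {"userprofile": r"C:\Documents and Settings\jsmith"}

def expand(pattern, env=ENV):
    """Replace %var% tokens (case-insensitive) with values from env."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), pattern)

def matches(pattern, path, env=ENV):
    """Assumption: '*' spans backslashes and matching ignores case."""
    return fnmatch.fnmatchcase(path.lower(), expand(pattern, env).lower())

def evaluate(path, block_rules, allow_rules=(), env=ENV):
    """Decide one launch attempt; Part 2 exclusions win over Part 1 blocks."""
    if any(matches(p, path, env) for p in allow_rules):
        return "allow"
    if any(matches(p, path, env) for p in block_rules):
        return "block"
    return "allow"

# Option 1: Part 1 wildcard block (Step 9) plus Part 2 allow list (Step 12)
OPTION1_BLOCK = [r"%userprofile%\*\*.exe"]
OPTION1_ALLOW = [r"%userprofile%\*\notepad.exe"]
# Option 2: block only a known file name
OPTION2_BLOCK = [r"%userprofile%\*\FakeAv.exe"]
# Extra rule suggested in the comments for the All Users profile
ALL_USERS_BLOCK = [r"C:\Documents and Settings\All Users\*\*.exe"]

# Constructed launch attempts, including a Temp-folder launch that shows
# why the warning recommends testing business applications first.
SAMPLE_LAUNCHES = [
    r"C:\Documents and Settings\jsmith\Local Settings\Application Data\FakeAv.exe",
    r"C:\Documents and Settings\jsmith\Local Settings\Application Data\fakeav2.exe",
    r"C:\Documents and Settings\jsmith\Local Settings\Temp\setup_helper.exe",
    r"C:\Documents and Settings\jsmith\Local Settings\Temp\notepad.exe",
    r"C:\Documents and Settings\All Users\Application Data\dropper.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

def run_option1(paths=SAMPLE_LAUNCHES):
    return {p: evaluate(p, OPTION1_BLOCK + ALL_USERS_BLOCK, OPTION1_ALLOW)
            for p in paths}

def run_option2(paths=SAMPLE_LAUNCHES):
    return {p: evaluate(p, OPTION2_BLOCK) for p in paths}
```

Calling `run_option1()` blocks the renamed variant and the Temp-folder helper while letting the allowed notepad.exe through; `run_option2()` blocks only the exact FakeAv.exe name and lets the renamed variant run, which is the trade-off described above.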
 

Comments (7)

_Brian

Have you gotten ADC to work on unmanaged clients? I have not. I tried creating a group and set up ADC for that group and exported policies but it did not work.

Vikas Rajole

What version of SEP did you use?

 

I'll try and let you know.

-

Vikas -- Don't forget to mark your thread as 'solved' with the answer that best helped you!

Tommy Myo Min Aung

I am getting trouble with the SEPM 11 RU6 Application and Device Control. I created the policy as follows to prevent domain users from running portable applications and games from "user profile", and it works. But the problem is that when a user right-clicks on that file and uses the "Run as" command, it bypasses the policy. Please help me to solve it. Many thanks, Tommy

(attachment: policy.JPG)

EDFT_Support

Hi All

Hope you all find this useful

I have implemented this on my system and I must say, the amount of cases which we now experience has decreased to the point where viruses seem to no longer be a problem (now I've said that, I've probably cursed myself to all manner of infections and outbreaks) (hopefully not, touch wood)!!

HOWEVER, with that said, I did have a virus yesterday that installed itself to the local user profile (C:\Documents and Settings\USERNAME), but RAN the EXE from the C:\Documents and Settings\ALL USERS directory. So in addition, I would suggest that you also add C:\Documents and Settings\All Users\*\*.exe to your list of processes to be included/blocked.

Hope you all find this useful
