In a continuation from my previous article, this article will look at using SEP 12.1 System Lockdown in blacklist mode to stop the spread of a malicious actor on your network. In order for System Lockdown to work properly, you do need to have the Application and Device Control component installed.
You do not, however, need to have an ADC policy assigned to the group the machines reside in that will use this feature.
Moving on, did you know System Lockdown has a Blacklist mode? If not, let's get started.
When you go into the System Lockdown settings, blacklist mode does not appear:
How do we make it appear? Stop the SEPM service and navigate to: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc and open the conf.properties file in a text editor. Add the following line at the end of the file:
Save the changes and restart your SEPM service. Blacklist mode should now appear:
Much better. The objective of Blacklist mode is to block any file(s) that are in the Unapproved Applications list.
This can be utilised in the event of an attack and/or outbreak on your network. For instance, you notice a suspicious file appearing on multiple PCs but have no idea where it came from. It appears to be opening other suspicious processes. SEP is up to date and running a full scan reveals no infections. You upload the suspicious piece to multiple virus checker websites and only or two say that this is malicious. You decide to use System Lockdown in blacklist mode to stop it from spreading until you can figure out exactly what is going on.
Enable Blacklist Mode, enable System Lockdown, and add the filename to the Unapproved Applications list. Click OK and ensure your clients update their policy:
When the file attempts to execute, it will be stopped dead in its tracks:
This is a quick and dirty way but very useful for incident response and will allow you to quickly get a handle on the situation.
I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged.