
How to utilize SEP 12.1 for Incident Response - PART 2

Created: 28 Aug 2013 • Updated: 28 Aug 2013 | 6 comments
By _Brian

In a continuation from my previous article, this article looks at using SEP 12.1 System Lockdown in blacklist mode to stop a malicious file from spreading across your network. For System Lockdown to work properly, you do need to have the Application and Device Control component installed.

[Screenshot: 1_1.JPG]

You do not, however, need to have an ADC policy assigned to the group the machines reside in that will use this feature.

Moving on, did you know System Lockdown has a Blacklist mode? If not, let's get started.

When you go into the System Lockdown settings, blacklist mode does not appear:

[Screenshot: 2_1.JPG]

How do we make it appear? Stop the SEPM service and navigate to: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc and open the conf.properties file in a text editor. Add the following line at the end of the file:

scm.systemlockdown.blacklist.enabled=1

Save the changes and restart your SEPM service. Blacklist mode should now appear:
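As an added example (not part of the article or of Symantec's tooling), this PowerShell script performs the same edit idempotently: it backs up conf.properties, stops the SEPM service, appends the setting only if it is not already present, restarts the service and reads the value back. The file path is the one given above; the service display name 'Symantec Endpoint Protection Manager' is an assumption and should be checked against your server.

```powershell
# Added example: enable System Lockdown blacklist mode in SEPM by adding
# scm.systemlockdown.blacklist.enabled=1 to conf.properties (see article above).
# Assumptions: install path from the article; SEPM service display name
# 'Symantec Endpoint Protection Manager' (not stated in the article).
$confPath = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties'
$key      = 'scm.systemlockdown.blacklist.enabled'
$value    = '1'

if (-not (Test-Path -LiteralPath $confPath)) {
    throw "conf.properties not found at $confPath"
}

# Resolve the SEPM service by its (assumed) display name.
$svc = Get-Service -DisplayName 'Symantec Endpoint Protection Manager' -ErrorAction Stop

# Back up before touching a file the management server depends on.
$backup = "$confPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $confPath -Destination $backup

$pattern  = '^\s*' + [regex]::Escape($key) + '\s*='
$existing = Get-Content -LiteralPath $confPath | Where-Object { $_ -match $pattern }

if ($existing) {
    Write-Host "Key already present, not modifying the file: $existing"
} else {
    Write-Host "Stopping $($svc.DisplayName) ..."
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

    # If the file does not end with a newline, add one so the new key
    # lands on its own line instead of being glued to the last entry.
    $raw = [IO.File]::ReadAllText($confPath)
    if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) {
        Add-Content -LiteralPath $confPath -Value ''
    }
    Add-Content -LiteralPath $confPath -Value "$key=$value"
    Write-Host "Added $key=$value (backup: $backup)"

    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
}

# Verify: the key must read back exactly once with the expected value.
$check = @(Get-Content -LiteralPath $confPath | Where-Object { $_ -match $pattern })
if ($check.Count -ne 1 -or ($check[0] -replace '^[^=]*=\s*', '').Trim() -ne $value) {
    throw "Verification failed; inspect $confPath (backup at $backup)"
}
Write-Host 'Setting verified; log in to SEPM and confirm Blacklist mode now appears under System Lockdown.'
```

If the key is already present with a value other than 1, the script leaves the file untouched and the final check fails on purpose, so you can inspect the existing line rather than having it silently overwritten.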

[Screenshot: 3_1.JPG]

Much better. The objective of Blacklist mode is to block execution of any file that appears in the Unapproved Applications list.

This can be utilised in the event of an attack and/or outbreak on your network. For instance, you notice a suspicious file appearing on multiple PCs but have no idea where it came from, and it appears to be spawning other suspicious processes. SEP is up to date, and running a full scan reveals no infections. You upload the suspicious file to multiple virus checker websites and only one or two flag it as malicious. You decide to use System Lockdown in blacklist mode to stop it from spreading until you can figure out exactly what is going on.

Enable Blacklist Mode, enable System Lockdown, and add the filename to the Unapproved Applications list. Click OK and ensure your clients update their policy:

[Screenshot: 4_1.JPG]

When the file attempts to execute, it will be stopped dead in its tracks:

[Screenshot: 5_1.JPG]

This is a quick and dirty method, but it is very useful for incident response and will allow you to get a handle on the situation quickly.

I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged.

Brian


Comments (6)

Mithun Sanghavi

Hello,

Finally the second part is here. Good piece of information.

Well done. Keep it up.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian

I know, I know, I've been busy cheeky

I'll try to get the next one out much more quickly.

_Brian

Part 3 is now available:

How to utilize SEP 12.1 for Incident Response - PART 3

https://www-secure.symantec.com/connect/articles/h...

_Brian

Part 4 is out:

How to utilize SEP 12.1 for Incident Response - PART 4

https://www-secure.symantec.com/connect/articles/h...

Chetan Savade

Good Job, Brian!!!

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
