
What do P2P Applications do and How to block Peer to Peer Applications (P2P) using Symantec Endpoint Protection?

Created: 13 Oct 2009 • Updated: 12 Nov 2009 | 26 comments
Author: Vikram Kumar-SAV to SEP

What is a Peer to Peer (P2P) Application?

P2P is simply peer-to-peer networking. Just as a LAN can be organised as a server-client model or as a peer-to-peer network, these applications build a peer-to-peer network among their users. A P2P program installed on your computer joins a community of other users running the same program and creates a virtual network between them. To the user it looks like an ordinary peer-to-peer network: he can share files from his local computer and download files shared by other users. It is very similar to instant messaging clients such as Yahoo, AOL or GTalk, where the people we talk to are on different networks, but a virtual network is created so that it appears we are all on the same network and can chat and share files. P2P applications have been in high demand for the last couple of years and are mainly used for sharing music, movies, games and other files.

What are the disadvantages of Peer to Peer (P2P) Applications?

It is estimated that for any given ISP, 60 to 80% of its traffic is P2P traffic. So if people in your office are using P2P applications they will consume a huge amount of bandwidth for no productive purpose. P2P applications are also well known for distributing pirated software; your users might be running pirated software on their computers, and auditors will not appreciate that. The Symantec Underground Economy report states: "The annual global cost to businesses of software piracy in one 2007 study puts the cost at nearly $40 billion".

You can never trust a file you download from a remote user on a P2P network; by the figures quoted here, 90% of such files contain malware. So if your users are using P2P applications, virus outbreaks in your network become very likely and very frequent. In 2008, 10% of malware was propagated via P2P applications. Even the infamous W32.Downadup propagated and updated itself over a peer-to-peer protocol of its own.

P2P is a very popular mechanism for distributing bots, spyware, adware, Trojans, rootkits, worms and other types of malware.

Since it is very easy to change the port these P2P applications use, this traffic is very difficult to block by port alone. Allowing P2P applications in your network is strictly not advised. Enterprises should take measures to prevent P2P clients from being installed on any computer on the network, and end users who do download files from P2P networks should scan every such file with a regularly updated antivirus product.

How to block Peer to Peer Applications (P2P) using Symantec Endpoint Protection?

There are three ways of blocking Peer to Peer Applications on your network using Symantec Endpoint Protection.

1. Blocking Peer to Peer Applications using Intrusion Prevention System

Open the Symantec Endpoint Protection Manager.

Click Policies -> Intrusion Prevention -> Edit Intrusion Prevention Policy, go to Exceptions and click Add.

Under Show Category, scroll down and select Peer to Peer.

At the bottom right of the dialog click Select All, then click Next.

Action: Block

Log: Log the Traffic

Click OK, then OK on the policy, and assign the policy to all client groups.

2. Blocking Peer to Peer Applications using Application Control (Application and Device Control)

Since a Peer to Peer (P2P) application is software installed on the computer, you can block the process that runs it with an Application Control rule that matches the process file name. Note that a rule which matches only on the process name can be bypassed by a user who renames the executable; where possible, also match on the file's fingerprint (hash), which does not change when the file is renamed.

For more help you can refer to this document: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616264848

 

3. Blocking Peer to Peer Traffic using the Symantec Endpoint Protection Firewall

You can block P2P traffic using the Symantec Endpoint Protection firewall; in this case, even if the user has a P2P application installed, it will not be allowed to connect to the internet. Because the port numbers these applications use are easily changed by the user and therefore hard to track, the rule is written against the P2P processes themselves: block all inbound and outbound traffic from those processes.

In the Symantec Endpoint Protection Manager go to Policies -> Firewall -> Edit Firewall Policy -> Rules -> Add Rule, then click Next.

In Rule Type select Application and click Next.

Select Define an Application and click Next.

In File Name type the name of the process and click Next.

Click Add More and add the names of the other P2P application processes.

Click Finish.

Rename the rule to something like "Blocking P2P" so that you can identify it later.

Under Action change Allow to Block.

Under Logging change it to "Write to Traffic Log".

Note: Most P2P applications use .torrent files to fetch content from other peers, so when creating the Application Control rule make sure you also block access to *.torrent files.

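The Application Control rule in section 2 and the note above both match files by name, and a user can simply rename an executable. The following is an added example, not part of the original article and not Symantec's own code, that shows the difference between matching by file name and matching by file hash (the way a fingerprint list works), together with a basic *.torrent check, run over a constructed host inventory. The executable names come from the list below; the binaries, their hashes and the paths are constructed stand-ins, and in practice the hash list would be built from the real client binaries.

```python
"""Host audit for known P2P clients: match by file name, then by file hash.

Added example. All binaries, hashes and paths below are constructed
stand-ins; only the executable names come from the article's list.
"""
import hashlib
import ntpath

# Subset of the executable names listed in the article, lower-cased so the
# comparison is case-insensitive (Windows file names are).
KNOWN_P2P_EXES = {
    "limewire.exe": "LimeWire",
    "emule.exe": "eMule",
    "utorrent.exe": "uTorrent",
    "bittorrent.exe": "BitTorrent",
    "azureus.exe": "Vuze",
    "bearshare.exe": "BearShare",
}

# Constructed stand-ins for the real client binaries. A real fingerprint
# list would be computed from the actual installer files.
SAMPLE_BINARIES = {
    "utorrent.exe": b"MZ\x90\x00constructed stand-in for utorrent.exe",
    "emule.exe": b"MZ\x90\x00constructed stand-in for emule.exe",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents; unlike the name, this survives a rename."""
    return hashlib.sha256(data).hexdigest()


# hash -> client name, built once from the sample binaries
KNOWN_P2P_HASHES = {
    fingerprint(data): KNOWN_P2P_EXES[name] for name, data in SAMPLE_BINARIES.items()
}


def classify(path: str, data: bytes):
    """Return (client, matched_by) for a P2P artefact, or None if clean.

    Order matters: a name hit is cheapest, a hash hit catches renamed
    binaries, and the .torrent check is a loose magic test (bencoded
    dictionaries start with 'd').
    """
    name = ntpath.basename(path).lower()  # handles Windows paths on any OS
    if name in KNOWN_P2P_EXES:
        return KNOWN_P2P_EXES[name], "name"
    digest = fingerprint(data)
    if digest in KNOWN_P2P_HASHES:
        return KNOWN_P2P_HASHES[digest], "hash"
    if name.endswith(".torrent") and data.startswith(b"d"):
        return "torrent file", "extension"
    return None


def audit(inventory):
    """inventory: iterable of (path, file_bytes). Returns a list of findings."""
    findings = []
    for path, data in inventory:
        hit = classify(path, data)
        if hit is not None:
            client, how = hit
            findings.append({"path": path, "client": client, "matched_by": how})
    return findings


# Constructed inventory: one client under its real name, one renamed to
# look like a system component, one .torrent file and one unrelated binary.
CONSTRUCTED_INVENTORY = [
    ("C:\\Program Files\\eMule\\emule.exe", SAMPLE_BINARIES["emule.exe"]),
    ("C:\\Users\\bob\\AppData\\Local\\svchost_update.exe",
     SAMPLE_BINARIES["utorrent.exe"]),  # renamed uTorrent
    ("C:\\Users\\bob\\Downloads\\movie.torrent",
     b"d8:announce31:http://tracker.example/announce4:infod6:lengthi5eee"),
    ("C:\\Program Files\\Microsoft Office\\winword.exe",
     b"MZ\x90\x00unrelated constructed binary"),
]

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_INVENTORY):
        print(f"{f['path']}: {f['client']} (matched by {f['matched_by']})")
```

Running the audit flags emule.exe by name, the renamed uTorrent binary only by hash, and the .torrent file by its extension, while the unrelated executable is not reported; a name-only rule would have missed the renamed client.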
List of Known Peer to Peer Applications and their main Process

Category is as given in the referenced list; blank where that list gives none.

Executable            Client Name      Category
LimeWire.exe          LimeWire         p2p
emule.exe             eMule            p2p
kazaa.exe             KaZaA            p2p
zultrax.exe           Zultrax          p2p
Shareaza.exe          Shareaza         p2p
morpheus.exe          Morpheus         p2p
mlnet.exe             MLNET            Malware
kiwialpha.exe         KiwiAlpha        Spyware
KCeasy.exe            KCeasy           p2p
imesh.exe             iMesh            p2p
gnucleus.exe          GNUCLEUS         Malware
gift.exe              Gift             Virus/Worm
aMule.exe
edonkey.exe           eDonkey          Malware/p2p
edonkey2000.exe       eDonkey          Malware/p2p
dc++.exe
bittorrent.exe        Bittorrent       Torrent
BCDC++.exe
Ares.exe              Ares             Malware/p2p
warez.exe
abc.exe               ABC              Virus/Worm/Torrent
Azureus.exe           Vuze             p2p
bitcomet.exe          BitComet         Torrent/Malware
BitSpirit.exe
BITTORNADO.exe
bitlord.exe
burst.exe
utorrent.exe
qtorrent.exe
tribler.exe
DCPlusPlus.exe
ApexDC++.exe
STRONGDC.EXE
hydranode.exe
Jubster.exe
Pruna.exe             Pruna            Malware
grokster.exe
entropy.exe
Acquisition.exe       Acquisition      p2p/Malware
bearshare.exe
Cabos.exe
FrostWire.exe
xolox.exe
swapper.exe
Phex.exe
Piolet.exe
Blubster.exe
Napigator.exe
Overnet.exe
TVUPlayer.exe
tvprunner.exe
coolstreaming.exe     Cool Streaming   Malware/Torrent
ctv.exe               CTV              p2p/Malware
Tvants.exe            Tvants           Torrent
PPlive.exe            PPlive           p2p
peercast.exe          Peercast         p2p
iceshare.exe          IceShare         p2p

ref: https://security.health.ufl.edu/p2p/p2p.shtml
I have attached the Firewall and Application & Device Control policy to block P2P Applications.

Comments (26)

shp wrote:

Nice article... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

Thomas K wrote:

Great article Vikram. I am always telling my kids and their friends how they put their systems and home networks at risk when using P2P.  Most kids don't seem to care about these threats until their parents have been hit by something that they allowed into their home network by using some P2P application. I will make sure my teenager continues to spread the word at school about the threats of P2P filesharing.

Thanks,
Thomas

Ooyala - Check us out!

Dushan Gomez wrote:

Yes, that sounds like a great idea, but unfortunately it is impossible to do that by installing the SEP client v12.1 as Unmanaged. Am I right?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP
P_K_ wrote:

This is really very helpful

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Nel Ramos wrote:

Thanks for the article...
This is truly beneficial...

Nel Ramos

jomargonzales wrote:

Is there a way wherein I will not have to input the exe files one by one in the Application Control config?

Jomar Gonzales

Paul Mapacpac wrote:

I don't think it accepts importing or exporting a list, but I think it's better to add them one by one, so that it is controlled and for documentation purposes.

Oscar2564 wrote:

I have taken this information and added it to my production environment, and it has made life easier for myself. Thanks a million.

Oscar H. Castañeda
Sr. Solutions Architect
XCEND Group Inc. -- Symantec Platinum Partner

Ryk_8472 wrote:

Thank you very much. I just implemented this in our network. I was shocked by the sheer number of people using these in a work environment.

Fatih Teke wrote:

Thank you Vikram, it's very useful for us.

 Everything works better when everything works together.

kristopherjturner wrote:

 Vikram,

Thanks for posting this and many other articles!!!!!   

snekul wrote:

Sorry to beat a dead horse, but your pre-made policies saved me a lot of time!

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

baldygb wrote:

Thanks for the article especially for providing the zipped policies, it helped decrease garbage in our bandwidth.

Aaron Walkhouse wrote:

If it was true that "90% of the files contain malwares [sic]", then P2P networks wouldn't be as popular as they are after a full decade on line. There are plenty of falsified, exaggerated and disingenuously presented statistics in the arguments of lobby groups so a good rule of thumb to keep in mind is that any factoid or number obviously intended to raise or work on people's fears deserves a healthy dose of scepticism and a hard second look at their source. Before quoting such numbers I would strongly advise any writer to consider the source and check to see if any authoritative and reliable research backs such claims. Simply repeating such claims as fact tends to erode one's own reputation and weaken one's arguments on their face; directly impairing your authority to enact policy on behalf of your company.

The real concerns about P2P for a business should be bandwidth usage as a matter of ownership and responsibility, not as a theoretical risk which could be doubted. On the topic of bandwidth many percentages are thrown about and extreme numbers such as "60 to 80%" reliably serve to identify those with a political agenda against P2P, nothing more. In a business environment bandwidth is to be used for business, not entertainment, and it is for that reason there should be no P2P usage at work at all, not for fears that it could theoretically have a negative effect. When you express it as a matter of present responsibility instead of as a theoretical risk against resources it becomes impossible to dispute or disagree on how much bandwidth is too much for personal use; because the possibility of personal use is no longer pitted against the needs of the company.

Malware is generally well covered by anti-virus defences and operating system policy enforcement against software installation by unqualified staff, which naturally would stop employees from installing P2P software as well. Such software-based policy enforcement would also reduce or eliminate the ability of malware to spread itself in a local network without human assistance. The greatest threat from malware remains to be targeted email attachments, the most recent example of which were directed against journalists in China and the military forces of India. Specifically crafted attacks tend to evade detection by anti-virus defences because nobody has signatures with which to recognize the custom software. Malware languishing on P2P networks does not enjoy such obscurity as alert eyes such as mine find and report them before they spread.

It is always easy to play on fears while advocating secure practices but it is far more effective to use sound reasoning and actual, supportable facts. You won't get full cooperation by employing weak arguments that only fool some of the people involved. Trying to work on fears with unreliable and unsupported statistics only results in resistance from the more intellectually mature and technologically knowledgeable members of your company, precisely the persons you should rely upon to show leadership and maturity in the workplace. That approach only results in a lack of grassroots support for policy, allowing resentment and distrust to grow when imposing a restriction or limit on the use of company resources. An approach which invites cooperation and trust with those that others look to for leadership is far more effective. Though it takes more care and thought at the start it tends to make your staff do most of your work for you by making security consciousness a part of your company culture, creating a positive environment where P2P usage becomes impossible and without creating resentment or resistance against policy.

Fear can be a powerful motivator for the moment but it's a bad foundation for company policy because it fades, healthy people are hard-wired to resist it and it rests on information which can be doubted or disproved. Make it a matter of ownership and responsibility and there's no struggle involved because you're not inviting debate on the facts.

P2P in itself is not risky. It is just another means of communication. When you manage your basic security needs such as keeping your anti-virus software current, only letting qualified staff install software and using only trusted sources for your software then you are properly protected from malware from all sources, no matter the form. If a company is not using this form of communication, such as for mass distribution of media or software updates, it does not belong on the company network. It's as simple as that. There's no need to rest on misinformation which was crafted to work on your fears.

VK@tvm wrote:

Hi,

Please do help me to block P2P on my network. I am using Symantec Endpoint Protection Manager; I configured SEP Manager as detailed above, but it's still not blocked.

Thomas K wrote:

@ VK,

 

Please see this post - Firewall and Application Control Policy to Block Peer to Peer Applications

https://www-secure.symantec.com/connect/downloads/...

Make sure you apply the policy to your client(s). Note that you should also be running a client to protect your manager.

 

Best,

Thomas

Ooyala - Check us out!

AR Sharma wrote:

Can it also be applied to IP Messenger? Please check and let us know.

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

Bernice Voorhees wrote:

I didn't know that there are soooo many P2P apps out there. I only knew LimeWire and uTorrent.

Regards,

Bernice,

Amit S wrote:

I imported the attached Application and Device Control .dat file to block P2P applications, applied it to some groups and then tested by installing and launching P2P applications, e.g. bearshare.exe and utorrent.exe, on some Windows 2008 64-bit machines, and the SEP client didn't block these applications.

Correct me if I'm testing it the wrong way?

Thanks.

Mick2009 wrote:

"Thumbs up," adding another helpful cross-reference....

How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage
http://www.symantec.com/docs/TECH97618

With thanks and best regards,

Mick

hsis wrote:

Hi,

I don't have P2P rules in the dropdown, is there an update I should apply or download the ruleset from somewhere?
