Anti-virus Standard Protection

Created: 11 Apr 2013 | 7 comments

In McAfee, there is Anti-virus Standard Protection:Prevent remote creation/modification of executable and configuration files.
May we know if there is the same policy or rule in Symantec 12.1.2015? In Application and Device Control or in a Firewall rule?
How do we configure it?
Sample log in McAfee:
1/14/2013 11:12:42 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  Domain\username System:Remote D:\share\Bank\Passwords.exe Anti-virus Standard Protection:Prevent remote creation/modification of executable and configuration files Action blocked : Delete
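
The following Python is an added example, not part of the original post or any vendor tooling. It parses log lines shaped like the sample above and counts remote write attempts by file extension, action and enforcement state, which helps size an equivalent rule before enforcing it. It assumes whitespace-separated fields as in that sample; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter
from ntpath import splitext  # Windows path rules on any host OS

# Rule name exactly as it appears in the sample line in the question.
RULE = ("Anti-virus Standard Protection:Prevent remote creation/modification "
        "of executable and configuration files")

# Assumption: fields are separated by runs of whitespace, as in that sample.
LINE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<verdict>.*?Access Protection rule(?:\s+\(rule is currently not enforced\))?)\s+"
    r"(?P<user>.+?)\s+System:Remote\s+"
    r"(?P<target>.+?)\s+" + re.escape(RULE) +
    r"\s+Action blocked : (?P<action>\w+)\s*$")


def parse_line(line):
    """Return the fields of one remote-write event, or None if no match."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["enforced"] = "not enforced" not in event["verdict"]
    event["extension"] = splitext(event["target"])[1].lower()
    return event


def summarize(lines):
    """Count events per (extension, action, enforced) to size a new rule."""
    events = filter(None, map(parse_line, lines))
    return Counter((e["extension"], e["action"], e["enforced"]) for e in events)


# First line is the sample from the question; the others are constructed.
SAMPLE = [
    r"1/14/2013 11:12:42 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  Domain\username System:Remote D:\share\Bank\Passwords.exe Anti-virus Standard Protection:Prevent remote creation/modification of executable and configuration files Action blocked : Delete",
    r"1/14/2013 11:15:03 AM Would be blocked by Access Protection rule  (rule is currently not enforced)  Domain\username System:Remote D:\share\My Tools\setup.ini Anti-virus Standard Protection:Prevent remote creation/modification of executable and configuration files Action blocked : Write",
    "1/14/2013 11:16:00 AM Engine version = 5400.1158",
]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(count, *key)
```

Targets that contain spaces are handled because the target is taken as everything between the `System:Remote` token and the rule name.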


W007's picture

Hello,

SEPM 12.1 default firewall policy

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

Article:TECH180569  |  Created: 2012-02-02  |  Updated: 2012-02-02  |  Article URL http://www.symantec.com/docs/TECH180569

Symantec Endpoint Protection Manager - Firewall - Policies explained

Article:TECH104433  |  Created: 2008-01-20  |  Updated: 2010-11-30  |  Article URL http://www.symantec.com/docs/TECH104433

 

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SymQNA's picture

May I know if Symantec support can answer my question? Many thanks.

 

Rafeeq's picture

There is already a built-in policy which you can import.

Add your extensions to the list.

 

Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

SymQNA's picture

The answer provided by Rafeeq, for the Application and Device Control Policy, seems to be all local and partial.

Can anyone from Symantec support help?

Mithun Sanghavi's picture

Hello,

Yes, you could try hardening SEP with Application and Device Control.

Check these articles:

Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

http://www.symantec.com/business/support/index?page=content&id=TECH132337

This prevents changes to EXE, COM, and BAT shell associations, which allow a program to run any time an EXE, COM, or BAT file is run.

Threats use this technique to run code and to block execution of programs that may interfere with the threat.  Legitimate use is rare.

 

How the Application and Device Control Hardening policy works

http://www.symantec.com/docs/TECH132307

AC19 Rule Set: Prevent vulnerable Windows processes from writing code

(Rule) > Windows processes protection

    • lsass.exe
    • spoolsv.exe
    • csrss.exe
    • smss.exe

(Condition) > AC19-1.1 Block writing code applies to files and folders matching

    • *.exe
    • *.dll
    • *.com
    • *.ocx
    • *.bat
    • *.cmd

 

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

.Brian's picture

To add, Symantec has an entire collection of very useful Application and Device Control policies which can be downloaded and applied (test first). Please see this link:

https://www.symantec.com/security_response/securit...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.