
Application and Device Control - more details needed!

Created: 05 Nov 2012 | 7 comments

Hi everyone,

I'm using the Application and Device Control feature to detect any unknown malware coming into the registry.

Unfortunately, the details about the process and registry path aren't very detailed: just the path! (no key name, no value...)

And the caller process name isn't enough to know whether it's malware or not. We need to have the full command line! (i.e. VBS scripts just show wscript.exe...)

Do you think it might be possible to have more accurate logs in Application and Device Control?


Mithun Sanghavi

Hello,

I would suggest you check these articles below, which may assist you a lot:

Creating an Application and Device Control Policy 

http://seer.entsupport.symantec.com/docs/331049.htm

Using Application and Device Control to stop registry entries added by a threat or risk

http://www.symantec.com/docs/TECH95124

How to use Application and Device Control to limit the spread of a threat

http://www.symantec.com/docs/TECH93451

How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

http://www.symantec.com/docs/TECH97618

Symantec Endpoint Protection Application and Device Control

http://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc

Merging Application and Device Control Policies 

http://www.symantec.com/docs/TECH132346

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Yoann WYFFELS

Hello Mithun

No, it's not helping or answering my question ;) But thank you for the links.

My goal isn't to avoid a specific threat, but by doing a large inventory of what/who is trying to write to some registry paths, we can easily report unknown threats with the Application and Device Control feature!

Mithun Sanghavi

Hello,

In your case, what you could try is activating the Rule "Protect client files and registry keys" under Test / Production.

A Rule Set is a set of controls that allow administrators to allow or block an action. In the example below, you will note that there are currently four rule sets defined. You will also notice that Administrators can choose to create as many rule sets as they would like in a policy. Even though multiple rule sets can be in a given policy, administrators can choose which rule sets are active by toggling the Enabled option. In this example, you will note that none of the rule sets are enabled.


To the right of the rule set name there is an option to configure Test/Production. This feature allows administrators to test rules before actually enabling them. In the Test (log only) configuration, no actions will be applied in the rule, but the action is logged. This allows administrators to see what would have happened if this rule would have been active. All new rule sets are created with the default option configured to test. This reduces potential accidents an administrator may make by not considering all possibilities of the rule. 

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Simpson Homer

How Application and Device Control works

Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and/or control the behavior of applications.

How to use Application and Device Control (ADC) to limit the spread of a threat.


Symptoms

There is a threat in the environment that is not being mitigated by the Antivirus functionality on the Symantec Endpoint Protection client.

The Application and Device Control feature is installed on the clients and functioning normally.
A suspicious file has been identified as a threat.

Please Note:
Application and Device Control is designed for use on 32-bit operating systems. These steps will not help 64-bit clients.
There are some threats that mutate and change the files that they use to launch infections. This behavior can change the fingerprint of the file. These steps may not be completely effective against all threats.


Solution

The first step is to identify the MD5 hash of the threat. There are several ways to find this information.

Configuring the Policy

Once the MD5 hash is known, the Application and Device Control policy can be configured to prevent that specific file from launching on the clients and beginning an active infection. The following steps demonstrate how to create a new Application and Device Control policy to block the specific threat and assign it to clients.


Yoann WYFFELS

Are you reading my sentences before answering? I'm really asking because your answers are far away from the topic... I know and understand how to use Application and Device Control.

I'm asking if there is a way to have more accurate logs than the ones we've got, because they are not accurate enough to really understand unknown behaviors.

"Do you think it might be possible to have more accurate logs in Application and Device Control?"

.Brian

What you see is what you get within the SEPM for ADC.

I would suggest creating an Idea for this topic:

https://www-secure.symantec.com/connect/node/add/idea


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.