Endpoint Protection

  • 1.  Application and Device control - more details needed !

    Posted Nov 05, 2012 05:00 AM

    Hi everyone,

    I'm using the Application and Device Control feature to detect any unknown malware coming into the registry.

    Unfortunately, the details about the process and registry path aren't very detailed: just the path! (no key name, no value...)

    And the caller process name isn't enough to know whether it's malware or not. We need to have the full command line! (i.e. VBS scripts just show wscript.exe...)

    Do you think it might be possible to have more accurate logs in Application and Device Control?



  • 2.  RE: Application and Device control - more details needed !

    Trusted Advisor
    Posted Nov 05, 2012 05:08 AM

    Hello,

    I would suggest you check the articles below, which may assist you a lot.

    Creating an Application and Device Control Policy 

    http://seer.entsupport.symantec.com/docs/331049.htm

    Using Application and Device Control to stop registry entries added by a threat or risk

    http://www.symantec.com/docs/TECH95124

    How to use Application and Device Control to limit the spread of a threat

    http://www.symantec.com/docs/TECH93451

    How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

    http://www.symantec.com/docs/TECH97618

    Symantec Endpoint Protection Application and Device Control

    http://www.symantec.com/security_response/securityupdates/list.jsp?fid=adc

    Merging Application and Device Control Policies 

    http://www.symantec.com/docs/TECH132346

    Hope that helps!!



  • 3.  RE: Application and Device control - more details needed !

    Posted Nov 05, 2012 05:28 AM

    Hello Mithun

    No, it's not helping or answering my question ;) But thank you for the links.

    My goal isn't to avoid a specific threat; by doing a large inventory of what/who is trying to write to some registry paths, we can easily report unknown threats with the Application and Device Control feature!



  • 4.  RE: Application and Device control - more details needed !

    Posted Nov 06, 2012 12:47 AM


    How Application and Device Control works

    Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and/or control the behavior of applications.

    How to use Application and Device Control (ADC) to limit the spread of a threat.


    Symptoms

    There is a threat in the environment that is not being mitigated by the Antivirus functionality on the Symantec Endpoint Protection client.

    The Application and Device Control feature is installed on the clients and functioning normally.
    A suspicious file has been identified as a threat.

    Please Note:
    Application and Device Control is designed for use on 32-bit operating systems. These steps will not help 64-bit clients.
    Some threats mutate and change the files they use to launch infections. This behavior can change the fingerprint of the file, so these steps may not be completely effective against all threats.


    Solution



    The first step is to identify the MD5 hash of the threat. There are several ways to find this information.

    Configuring the Policy

    Once the MD5 hash is known, the Application and Device Control policy can be configured to prevent that specific file from launching on the clients and beginning an active infection. The following steps demonstrate how to create a new Application and Device Control policy to block the specific threat and assign it to clients.




  • 5.  RE: Application and Device control - more details needed !

    Trusted Advisor
    Posted Nov 06, 2012 05:44 AM

    Hello,

    In your case, what you could try is activating the Rule "Protect client files and registry keys" under Test / Production.

    A Rule Set is a set of controls that lets administrators allow or block an action. In the example below, you will note that there are currently four rule sets defined. You will also notice that administrators can create as many rule sets as they would like in a policy. Even though multiple rule sets can be in a given policy, administrators can choose which rule sets are active by toggling the Enabled option. In this example, you will note that none of the rule sets are enabled.

    To the right of the rule set name there is an option to configure Test/Production. This feature allows administrators to test rules before actually enabling them. In the Test (log only) configuration, no actions from the rule are applied, but the action is logged. This allows administrators to see what would have happened had the rule been active. All new rule sets are created with the default option set to Test. This reduces potential accidents an administrator may cause by not considering all possibilities of the rule.

    Hope that helps!!



  • 6.  RE: Application and Device control - more details needed !

    Posted Nov 06, 2012 08:28 AM

    Are you reading my sentences before answering? I'm really asking because your answers are far away from the topic... I know and understand how to use Application and Device Control.

    I'm asking if there is a way to have more accurate logs than the ones we've got, because they are not accurate enough to really understand unknown behaviors.

    "Do you think it might be possible to have more accurate logs in Application and Device Control?"



  • 7.  RE: Application and Device control - more details needed !

    Posted Nov 06, 2012 08:54 AM

    What you see is what you get within the SEPM for ADC.

    I would suggest creating an Idea for this topic:

    https://www-secure.symantec.com/connect/node/add/idea
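    Since the ADC log itself only records the caller's image path, one defender-side workaround is to join each ADC registry event with a process-creation log source that does record the full command line (for example Windows process-creation auditing or Sysmon), matched on image path and a short time window. The example below is added here and is not from this thread or from Symantec; the ADC and process log line formats are constructed for illustration and are not SEP's real export format.

```python
"""Join ADC registry events (image path only) with process-creation records that
carry the full command line, so a bare wscript.exe becomes wscript.exe <script>.
Both log formats are constructed for this example (pipe-separated fields)."""
from datetime import datetime, timedelta

# Constructed ADC-style records: time | caller image | registry path written.
ADC_LOG = [
    "2012-11-06 08:20:01|C:\\Windows\\System32\\wscript.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "2012-11-06 08:21:15|C:\\Program Files\\Vendor\\updater.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "2012-11-06 08:30:00|C:\\Windows\\System32\\wscript.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

# Constructed process-creation records: time | image | full command line.
PROC_LOG = [
    "2012-11-06 08:19:59|C:\\Windows\\System32\\wscript.exe|wscript.exe //B C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.vbs",
    "2012-11-06 08:21:14|C:\\Program Files\\Vendor\\updater.exe|updater.exe /silent",
    "2012-11-06 07:00:00|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Scripts\\logon.vbs",
]

def parse(line):
    """Split a constructed log line into (timestamp, lower-cased image, remainder)."""
    ts, image, rest = line.split("|", 2)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), image.lower(), rest

def enrich(adc_lines, proc_lines, window=timedelta(seconds=5)):
    """For each ADC event, attach the command line of the most recent start of the
    same image within `window` before the registry write; None when no start is
    close enough (the 08:30 wscript.exe event above has no matching record)."""
    procs = sorted(parse(line) for line in proc_lines)
    enriched = []
    for ts, image, regpath in (parse(line) for line in adc_lines):
        candidates = [p for p in procs if p[1] == image and ts - window <= p[0] <= ts]
        cmdline = candidates[-1][2] if candidates else None
        enriched.append({"time": ts, "image": image,
                         "registry_path": regpath, "command_line": cmdline})
    return enriched

if __name__ == "__main__":
    for rec in enrich(ADC_LOG, PROC_LOG):
        print(rec["image"], "->", rec["registry_path"], "|", rec["command_line"])
```

    Events left with `command_line` of None are the ones the ADC log alone cannot explain and are the first candidates for manual review.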




  • 8.  RE: Application and Device control - more details needed !

    Posted Nov 06, 2012 08:56 AM

    Hi Brian81,

    Already done :)