Endpoint Protection

  • 1.  Application and Device Control Policy Query

    Posted Jun 18, 2012 08:14 AM

    In an ADC policy, where and what is the control implemented on the desktop that prevents a registry change, or any other change, that is blocked by the ADC policy?
    For example, if we apply a USB write disable policy through SEP ADC and then try to change the registry setting to allow USB write, what is the control in SEP that will not allow us to do so? Even if the registry change (to allow USB write) is allowed, which control, and by what time, will USB write again be disabled?



  • 2.  RE: Application and Device Control Policy Query

    Posted Jun 18, 2012 08:43 AM

    The below should help.

    How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies

    http://www.symantec.com/business/support/index?page=content&id=TECH102525


    How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.
    http://service1.symantec.com/support/ent-security.nsf/docid/2008102008020548


    How to use Application and Device Control to block all USB devices except those I specifically want to allow
    http://service1.symantec.com/support/ent-security.nsf/docid/2008083110540548



  • 3.  RE: Application and Device Control Policy Query

    Trusted Advisor
    Posted Jun 18, 2012 09:01 AM

    Hello,

    The question arises: how would you override the ADC policy of blocking USB write and allow USB write instead?

    Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and/or control the behavior of applications. Documentation on how to take full advantage of Application Control Policies is available here: http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

    The driver responsible for Application and Device Control is SysPlant.sys


    Again, 

    Using Application and Device Control to stop registry entries added by a threat or risk

    http://www.symantec.com/docs/TECH95124

    Symantec Endpoint Protection - Few Registry Tweaks

    http://www.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks


    Hope that helps!!




  • 4.  RE: Application and Device Control Policy Query
    Best Answer

    Posted Jun 18, 2012 12:01 PM

    The Application and Device Control driver sysplant.sys, together with other files, sits above the kernel and monitors each Windows API call; based on the rules and policies defined by SEP, these drivers block those API requests.

    When you push a policy from SEPM to SEP, the policy stays on the SEP client at all times, and ADC blocking is real time.

    Hope that answers your question.



  • 5.  RE: Application and Device Control Policy Query

    Posted Jun 18, 2012 12:21 PM

    If you like, you can do the test. Although modifying the registry directly will appear to work, the system (SEP client) will automatically revert it back to the settings defined by its policies.




  • 6.  RE: Application and Device Control Policy Query

    Posted Jun 18, 2012 12:29 PM

    That's correct. Although the Registry GUI shows that you were able to change the value, SEP will block the API call, so the value will not be updated in the registry; if you refresh the registry view, you will see the old value.
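The enforcement test that replies 4 to 6 describe (the driver blocks the API call, the GUI may still show the edit, a fresh read shows the old value) can be scripted so that the result is read back from the registry rather than from a possibly stale editor window. The script below is an added example, not code from the thread or from Symantec; the registry key path, value name and expected value are assumptions, since the thread never names which setting the poster meant, and the default points at the standard Windows removable-storage write-protect value. It is meant for validating that the control holds on a test machine and restores the expected value if it finds the control did not.

```powershell
# Added example: verify that an endpoint control (SEP ADC in the thread) actually enforces a
# registry-backed setting, instead of trusting what the Registry Editor displays.
# ASSUMPTIONS: the thread does not name the registry setting; the defaults below are the
# standard Windows removable-storage write-protect value. Run elevated, on a test machine.
param(
    [string]$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies', # assumption
    [string]$ValueName  = 'WriteProtect',                                                # assumption
    [int]$ExpectedValue = 1,   # 1 = write-protected, the state a "USB write disable" policy expects
    [int]$SettleSeconds = 5    # wait before re-reading; the thread says enforcement is real time
)

function Read-PolicyValue {
    # Always re-read from the registry. A cached view (an open regedit window) can show a
    # change that the driver never let land, which is the point made in reply 6.
    try {
        return (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    } catch {
        return $null
    }
}

$before = Read-PolicyValue
if ($null -eq $before) {
    Write-Warning "Key or value not present: $KeyPath\$ValueName. Nothing to test."
    exit 1
}
Write-Host "Before: $ValueName = $before (expected $ExpectedValue)"
if ($before -ne $ExpectedValue) {
    Write-Warning "Value does not match the expected policy state before the test; check the policy first."
}

# Attempt the change discussed in the thread. Set-ItemProperty can return without error even
# when the kernel-mode driver intercepts the underlying registry API call.
$attempted = 1 - $ExpectedValue
try {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $attempted -Type DWord -ErrorAction Stop
    Write-Host "Set-ItemProperty returned without error (attempted value $attempted)"
} catch {
    Write-Host "Write was rejected immediately: $($_.Exception.Message)"
}

Start-Sleep -Seconds $SettleSeconds
$after = Read-PolicyValue
Write-Host "After ${SettleSeconds}s: $ValueName = $after"

if ($after -eq $ExpectedValue) {
    Write-Host "RESULT: control enforced; the value is unchanged or was reverted." -ForegroundColor Green
} else {
    Write-Host "RESULT: control NOT enforced; value is now $after. Restoring expected value." -ForegroundColor Red
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $ExpectedValue -Type DWord
}
```

Because the check re-reads the value through a fresh `Get-ItemProperty` call after a short settle period, it answers both parts of the original question: whether the write was blocked at the API level, and, if it was allowed through, whether the client put the policy value back within that window.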