Application and Device Control Policy Query
Created: 18 Jun 2012 | Updated: 20 Jun 2012 | 5 comments
This issue has been solved. See solution.
In ADC policy, where/what is the control implemented on the desktop that prevents a registry change or any change that is blocked by ADC policy?
For example, if we apply a USB write disable policy through SEP ADC and then try to change the registry setting to allow USB write, what is the control of SEP that will not allow us to do so? Even if the registry change (for allowing USB write) is allowed, which control will disable USB write again, and by what time?
The below should help.
How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies
http://www.symantec.com/business/support/index?page=content&id=TECH102525
How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.
http://service1.symantec.com/support/ent-security.nsf/docid/2008102008020548
How to use Application and Device Control to block all USB devices except those I specifically want to allow
http://service1.symantec.com/support/ent-security.nsf/docid/2008083110540548
Hello,
Question arises, how would you override the ADC policy of Blocking USB write and allow the USB write policy?
Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and/or control the behavior of applications. Documentation on how to take full advantage of Application Control Policies is available here: http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf
The driver responsible for Application and Device Control is SysPlant.sys
Again,
Using Application and Device Control to stop registry entries added by a threat or risk
http://www.symantec.com/docs/TECH95124
Symantec Endpoint Protection –Few Registry Tweaks..
http://www.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
The Application and Device Control driver sysplant.sys, with other files, sits above the kernel and monitors each Windows API call, and based on the rules and policies defined by SEP, these drivers block these API requests.
When you push a policy from SEPM to SEP, the policy stays at the SEP client at all times and ADC blocking is real-time.
Hope that answers your question.
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
If you like, you can do the test. Although modifying the registry directly will appear to work, the system (SEP client) will automatically revert it back to the settings as defined by its policies.
That's correct. Though the Registry GUI shows you were able to change the value, SEP will block the API call, hence the value will not be updated in the registry; if you refresh the registry you will see the old value.
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
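The test suggested in the replies above, written as a repeatable check. This is an added example, not part of the original thread and not Symantec code; it tells apart the outcomes the replies describe (write call rejected, call accepted but value unchanged, value changed and later reverted). `$KeyPath` and `$ValueName` are hypothetical and should point at a string test value that your ADC rule set is configured to protect.

```powershell
# Added example: verify that an ADC registry rule actually stops a write.
# $KeyPath / $ValueName are hypothetical test names (REG_SZ value), not SEP settings.
param(
    [string]$KeyPath      = 'HKLM:\SOFTWARE\AdcRuleTest',
    [string]$ValueName    = 'Probe',
    [int]   $DelaySeconds = 5      # wait before re-reading, to catch a later revert
)

function Read-Value {
    # Returns $null when the value does not exist
    (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

# A missing key would otherwise be misread as "blocked"
if (-not (Test-Path -Path $KeyPath)) { throw "Test key $KeyPath does not exist." }

$before     = Read-Value
$probe      = "adc-probe-$([guid]::NewGuid())"   # unique marker value
$writeError = $null

try {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $probe -ErrorAction Stop
} catch {
    $writeError = $_.Exception.Message
}

$immediate = Read-Value
Start-Sleep -Seconds $DelaySeconds
$later = Read-Value

if ($writeError) {
    $result = 'BLOCKED: write call failed'
} elseif ($immediate -ne $probe) {
    $result = 'BLOCKED: call returned but value unchanged'
} elseif ($later -ne $probe) {
    $result = 'REVERTED: value changed after the write'
} else {
    $result = 'NOT BLOCKED: value persisted'
    # Clean up the probe so the test leaves no trace
    if ($null -ne $before) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $before
    } else {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
    }
}

[pscustomobject]@{ Result = $result; Before = $before; AfterWrite = $immediate
                   AfterDelay = $later; Error = $writeError }
```

A `NOT BLOCKED` result means the rule does not cover that key or the policy has not reached the client.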