
Application and Device Control Policy Query

Created: 18 Jun 2012 • Updated: 20 Jun 2012 | 5 comments
This issue has been solved. See solution.

In an ADC policy, where and what is the control implemented on the desktop that prevents a registry change, or any other change, that is blocked by the ADC policy?
For example, if we apply a USB write-disable policy through SEP ADC and then try to change the registry setting to allow USB write, what is the SEP control that will not allow us to do so? Even if the registry change (for allowing USB write) is allowed, which control re-disables USB write, and by what time will it be disabled again?

Comments (5)

NRaj

The below should help.

How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies

http://www.symantec.com/business/support/index?page=content&id=TECH102525

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.
http://service1.symantec.com/support/ent-security.nsf/docid/2008102008020548

How to use Application and Device Control to block all USB devices except those I specifically want to allow
http://service1.symantec.com/support/ent-security.nsf/docid/2008083110540548

Mithun Sanghavi

Hello,

The question arises: how would you override the ADC policy that blocks USB write and allow the USB write policy?

Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and/or control the behavior of applications. Documentation on how to take full advantage of Application Control Policies is available here: http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

The driver responsible for Application and Device Control is SysPlant.sys

Again, 

Using Application and Device Control to stop registry entries added by a threat or risk

http://www.symantec.com/docs/TECH95124

Symantec Endpoint Protection – Few Registry Tweaks

http://www.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Vikram Kumar-SAV to SEP

The Application and Device Control driver sysplant.sys, together with other files, sits above the kernel and monitors each Windows API call; based on the rules and policies defined by SEP, these drivers block those API requests.

When you push a policy from SEPM to SEP, the policy stays on the SEP client at all times, and ADC blocking is real-time.

Hope that answers your question.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

SOLUTION
Jason1222

If you like, you can do the test. Although modifying the registry directly will appear to work, the system (SEP client) will automatically revert it back to the settings defined by its policies.

Vikram Kumar-SAV to SEP

That's correct. Though the Registry GUI shows that you were able to change the value, SEP will block the API call, hence the value will not be updated in the registry; if you refresh the registry view you will see the old value.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.
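The test that Jason1222 and Vikram Kumar describe above (attempt the registry change, then re-read the value from the hive instead of trusting the editor's cached view) can be scripted so the result is unambiguous. The following PowerShell script is an added example, not code from the thread or from Symantec. It assumes the policy under test is USB write protection enforced through the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, which is the usual Windows key for that setting but is not named anywhere in the thread; it also assumes the ADC driver file lives in the default drivers folder. Run it in an elevated PowerShell session on a SEP client that has the ADC policy applied.

```powershell
# Added example: verify whether an ADC-protected registry value can really be changed.
# Assumptions (not stated in the thread):
#   - USB write blocking is implemented via the StorageDevicePolicies\WriteProtect DWORD.
#   - The ADC driver named in the thread, SysPlant.sys, sits in %SystemRoot%\System32\drivers.
# Must be run elevated; otherwise the write fails for reasons unrelated to ADC.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$Name = 'WriteProtect'
$Want = 0      # 0 = allow USB writes; a USB write-disable policy keeps this at 1

function Get-WriteProtect {
    # Read straight from the hive each time rather than relying on a cached view.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Sanity check: is the ADC driver file even present on this client? (Path is assumed.)
$driver = Join-Path $env:SystemRoot 'System32\drivers\SysPlant.sys'
if (Test-Path $driver) {
    Write-Host "ADC driver present: $driver"
} else {
    Write-Host "ADC driver not found at $driver; any result below is not an ADC test."
}

if (-not (Test-Path $Path)) {
    # The key does not exist on a default install; creating it is itself a registry write
    # that an ADC rule may block, so report the outcome.
    try {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        Write-Host "Created key $Path"
    } catch {
        Write-Host "Could not create key ${Path}: $($_.Exception.Message)"
    }
}

$before = Get-WriteProtect
Write-Host "Before: $Name = $before"

try {
    # This call may return without error even when the driver rejects the change,
    # which is the behaviour the thread describes for the Registry Editor GUI.
    Set-ItemProperty -Path $Path -Name $Name -Value $Want -Type DWord -ErrorAction Stop
    Write-Host "Set-ItemProperty returned without error"
} catch {
    Write-Host "Set-ItemProperty failed: $($_.Exception.Message)"
}

Start-Sleep -Seconds 2           # give any asynchronous enforcement a moment
$after = Get-WriteProtect
Write-Host "After:  $Name = $after"

if ($after -eq $Want) {
    Write-Host "Change persisted: no ADC rule is protecting this value on this client."
} else {
    Write-Host "Change did not persist (value reads '$after'): consistent with ADC blocking the write."
}
```

Read the result together with the SEP client's Application and Device Control log, which records the blocked action; if the change persists, check whether the rule is still in the policy's test (log-only) mode rather than production mode before concluding that ADC is not working, and remember that a value you did manage to change in a test is the value you should put back.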