Endpoint Protection

Application and device control policy won't work

  • 1.  Application and device control policy won't work

    Posted Jul 17, 2009 07:18 AM
    Hi,

    I'm testing out SEP MR4 in a test environment and everything worked out fine. That is, until I tried to stop any program or .exe from running from a USB or removable drive. Sounds pretty easy given the default controls provided in the Application and Device Control function.
    The problem is that this policy that I created does not seem to have any effect on the clients, even after a policy sync or a restart. I even tried the basic "disable all USB devices" setting, but I can still do anything on a USB drive on the client.
    All other policy changes made on the server take effect on the client immediately. But this policy doesn't.
    I enabled Network Threat Protection and have TruScan Proactive Threat Protection enabled. I've run out of options or solutions. Can someone please help me out by giving me all the requisites needed for this setting to work on the client? Maybe I missed something at installation. And how do I disable .exe files running from USB drives?

    Thanks in advance

    Chris


  • 2.  RE: Application and device control policy won't work

    Posted Jul 17, 2009 08:34 AM
    Hello.
    You can use wildcards in the application and device policy: block *.exe from removable drives.
    Is this client managed by your application and device policy which blocks *.exe? Maybe it is taking another application and device policy?
    Select the application and device policy, right-click it, and assign it to the group you want the policy applied to.
    You can also try blocking all USB drives in this group. That way you can tell whether your policy is working or not.
    Have a nice day.


  • 3.  RE: Application and device control policy won't work

    Posted Jul 17, 2009 10:33 AM
    Hi,

    By any chance, are we trying this on a 64-bit OS?
    Please note that the Device Control policy does not support the 64-bit platform.

    Symantec Endpoint Protection 11.0 compatibility with 64-bit platform

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007022310384648

    Thanks,


  • 4.  RE: Application and device control policy won't work

    Posted Jul 17, 2009 10:50 AM
    In our office we enabled the Application and Device Control feature from our SEPM. The policy that we created restricts access to autorun.inf on local drives and removable drives. We notice that the applied policy is working, but not on all PCs, even though I applied it to all groups from our SEPM. I am so confused about why this happened. I restarted and tried to reinstall the SEP client, but it won't work?


  • 5.  RE: Application and device control policy won't work

    Posted Jul 17, 2009 11:04 AM
    Is Application and Device Control enabled on these systems?
    Can you check the value of this registry key?

    In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysplant

    Check the value of START; it should be 1.
    If it is not there, or if it is 4, that means it is disabled.

     


  • 6.  RE: Application and device control policy won't work

    Posted Jul 17, 2009 12:12 PM
    Will the value in the registry key not change automatically, even if you push the policy from the SEPM to the SEP client?


  • 7.  RE: Application and device control policy won't work

    Posted Jul 19, 2009 04:53 AM
    Hi All,

    Thanks a lot. Here are the answers for your queries,

    Yes, I have used wildcards like *.exe to block files, and I tried blocking ALL USB drives too, but still only this policy fails to apply. I tested connectivity by allowing and disallowing users the ability to change some settings in the client, and those settings were working on the client with no problem. It's just the app and device control policy that's not working.

    The OS or system is not 64-bit. It is 32-bit. The server is running on Win 2003 SP2 and the client is on XP SP2.

    I checked the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysplant BUT no such entry is there. So according to Vikram it is disabled. So how can I enable it then? If it can be done remotely, that would be great.

    PS - Guys, I should let you know that since the virus defs are not updated, Proactive Threat Protection shows as being disabled in the client. Does this matter? Also, the SEP was installed on a system that was already running SAV 10. I did not migrate groups and settings.

    Hope this helps.

    Thanks again

    Chris


  • 8.  RE: Application and device control policy won't work

    Posted Jul 19, 2009 11:51 AM
    You need to push the package to these computers again with all the features enabled.
    Application and Device Control is not installed on them.
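
The registry check described in this thread, as an added example that is not part of any original post: a PowerShell function that reads the Sysplant `Start` value on a list of clients and classifies it the way the replies do (1 is enabled, 4 is disabled, a missing key means the component is not installed). The function name, the host names in the usage comment, and the reliance on the Remote Registry service being reachable are assumptions.

```powershell
# Added example: audit the Sysplant driver state across several SEP clients.
# Assumes the Remote Registry service is running on each target and that the
# caller has administrative rights there.
function Get-SysplantState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $start = $null
        $state = 'Unknown'
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Sysplant')

            if ($null -eq $key) {
                # No Sysplant key at all: Application and Device Control was
                # left out of the install package, so the policy cannot apply.
                $state = 'NotInstalled'
            } else {
                $start = $key.GetValue('Start', $null)
                if ($null -eq $start)  { $state = 'StartValueMissing' }
                elseif ($start -eq 1)  { $state = 'Enabled' }
                elseif ($start -eq 4)  { $state = 'Disabled' }
                else                   { $state = 'UnexpectedValue' }
                $key.Close()
            }
            $hklm.Close()
        } catch {
            # Host offline, access denied, or Remote Registry not running.
            $state = "Unreachable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Computer = $computer
            Start    = $start
            State    = $state
        }
    }
}

# Usage (constructed host names, replace with real clients):
# Get-SysplantState -ComputerName 'CLIENT01', 'CLIENT02' |
#     Where-Object { $_.State -ne 'Enabled' } | Format-Table -AutoSize
```

Clients reported as `NotInstalled` are the ones that need the install package pushed again with Application and Device Control included, as described in the reply above.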


  • 9.  RE: Application and device control policy won't work

    Posted Jul 20, 2009 02:15 AM
    Hi Vikram,

    Well, you were right. I re-created a package with NW threat protection and the works, and guess what, it works. I mean only partially though... Well, now I'm pretty sure the policy works on the client because the "deny all USB devices" setting worked.

    But that is not what I needed. What I need is for clients NOT to be able to run any programs from their removable drives. So I created the default rule and condition, giving first * (all programs) and then *.exe to the processes list, and set the action as block process, but still some programs DO run.

    When I disable *.inf from running it works great. But *.exe does not stop a Skype installation from fully running from the USB (it's an .exe). Some programs run but won't install fully. Maybe the blocking is not visible to me?

    Can you please let me know the rule and condition to create to serve my purpose?

    Thanks again

    Chris


  • 10.  RE: Application and device control policy won't work
    Best Answer

    Posted Jul 20, 2009 02:37 AM
    How to prevent programs from running by blocking the file extension types from removable drives.

    service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/afefa878c528d1ed882575520076cd16


  • 11.  RE: Application and device control policy won't work

    Posted Jul 20, 2009 06:50 AM
    Hi Vikram,

    Thanks a lot. It worked out perfectly. Hats off to you, my friend...


    Chris