Endpoint Protection

  • 1.  Application and Device Control whitelist scalability for malware protection

    Posted May 24, 2016 08:35 PM

    Hi,

    I was wondering if Symantec (or anyone else) has done any scalability testing on the Application and Device Control rule sets, in particular around implementing whitelisting of applications.

    We're in the data collection phase of implementing whitelisting for the user's AppData folder to assist with the prevention of malware, and general lockdown of our environment to maintain control and stability.


    We've found two types of data that work within the AppData folder:

    1. Installed programs (typically when the user selects for it to be available for them only as well as web browser plugins etc)

    2. Temporary files for setup.exe's when programs are being installed into 'Program Files' (etc) folders


    It's the second one I'm focusing on, as the whitelist for these is starting to look large. So far I've found around 300 individual temporary files; this can be reduced somewhat by using paths rather than MD5 hashes (but in doing this, we reduce the security offered by whitelisting).

    Has anyone tested the performance of SEP when you have hundreds of files in the exclusions (particularly the 'Launch Process Attempts' rule)?

    Our rule is currently set up as follows (more so for varying the types of logging we get):

    One rule with two 'Launch Process Attempts' sub-rules.

    1. Whitelisting for temporary installer based files (Playing with MD5 hashes and file paths located in the 'Apply to the following processes' box)

    2. Broad blacklisting (Apply to the following processes) & exceptions (Do not apply to the following processes)


    Thanks,

    Steve



  • 2.  RE: Application and Device Control whitelist scalability for malware protection

    Posted May 24, 2016 08:40 PM

    Symantec does have some recommendations in their KB article:

    http://www.symantec.com/docs/TECH145973

    But that's mostly around the number of rules although this one may be of interest:

    Number of entries in a e.g. “File and Folder Access” condition for files and folder do apply (or not apply) this rule to
    Symantec Technical Support does not recommend configuring a value greater than 200.

    There is also the System Lockdown component of SEP which may come into play here and could be helpful.
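The trade-off raised in the question (one MD5 entry per temporary installer versus fewer, broader path entries) and the 200-entries-per-condition figure quoted from TECH145973 in this reply can both be checked before anything is typed into the policy. The script below is an added example, not code from the thread or from Symantec: it takes an inventory of (path, MD5) pairs such as an admin might export from 'Launch Process Attempts' logging, derives both candidate whitelists from it, and flags whichever would exceed the recommended entry count. The sample inventory and the path-generalization heuristic (collapse the user profile folder and any intermediate folder whose name contains a digit into `*`) are assumptions of the example, not SEP behaviour.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Upper bound on entries per condition that Symantec support recommends,
# as quoted from TECH145973 in the reply above.
RECOMMENDED_MAX_ENTRIES = 200

# Constructed sample inventory of temporary installer launches in the shape an
# admin might export from 'Launch Process Attempts' logging: (path, md5).
# Every path and hash here is invented for the example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    (r"C:\Users\alice\AppData\Local\Temp\is-3F2A1.tmp\setup.exe", "0b1f" * 8),
    (r"C:\Users\bob\AppData\Local\Temp\is-9C0D4.tmp\setup.exe", "2c3d" * 8),
    (r"C:\Users\alice\AppData\Local\Temp\7zS4A1B.tmp\installer.exe", "4e5f" * 8),
    (r"C:\Users\carol\AppData\Local\Temp\7zS77C2.tmp\installer.exe", "6a7b" * 8),
    (r"C:\Users\bob\AppData\Local\Temp\{1B2C3D4E-0000-1111-2222-333344445555}\update.exe", "8c9d" * 8),
    (r"C:\Users\alice\AppData\Local\Temp\{AAAA1111-BBBB-2222-CCCC-333344445555}\update.exe", "0e1f" * 8),
]

# Matches the per-user part of a Windows profile path, e.g. C:\Users\alice\
_USER_DIR = re.compile(r"^([A-Za-z]:\\Users\\)[^\\]+\\", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, the form a hash-based whitelist entry takes."""
    return hashlib.md5(data).hexdigest()


def generalize_path(path: str) -> str:
    """Collapse user-specific and generated folder names into '*'.

    Heuristic (an assumption of this example, not an SEP rule): the user
    profile directory and any intermediate directory whose name contains a
    digit (is-XXXX.tmp, 7zSXXXX.tmp, {GUID}) are treated as generated.
    The drive and the executable name are always kept.
    """
    path = _USER_DIR.sub(r"\1*\\", path)
    parts = path.split("\\")
    generalized = []
    for index, part in enumerate(parts):
        is_intermediate = 0 < index < len(parts) - 1
        if is_intermediate and any(ch.isdigit() for ch in part):
            generalized.append("*")
        else:
            generalized.append(part)
    return "\\".join(generalized)


def build_whitelist(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Derive both candidate whitelists from one inventory.

    'hash' is one entry per distinct MD5 (strongest, largest);
    'path' is one entry per generalized path pattern (smaller, weaker).
    """
    return {
        "hash": sorted({md5.lower() for _, md5 in inventory}),
        "path": sorted({generalize_path(p) for p, _ in inventory}),
    }


def exceeds_recommendation(entries: List[str], limit: int = RECOMMENDED_MAX_ENTRIES) -> bool:
    """True when a condition would hold more entries than support recommends."""
    return len(entries) > limit


if __name__ == "__main__":
    lists = build_whitelist(SAMPLE_INVENTORY)
    for kind, entries in lists.items():
        flag = "OVER" if exceeds_recommendation(entries) else "ok"
        print(f"{kind}-based whitelist: {len(entries)} entries [{flag}]")
        for entry in entries:
            print("   ", entry)
```

On the sample data the six hash entries collapse to three path patterns, which is the size reduction the question describes; the cost is equally visible, since a pattern such as `C:\Users\*\AppData\Local\Temp\*\setup.exe` permits any executable of that name dropped into any temp subfolder, whereas the MD5 entry permits one specific binary. Running the two counts against the 200 figure is a quick way to decide per rule whether hashes still fit or whether a path entry is the only practical option.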



  • 3.  RE: Application and Device Control whitelist scalability for malware protection

    Trusted Advisor
    Posted May 25, 2016 01:03 AM

    Hello,

    Check these Articles on how Symantec decides the Reputation of Files.

    How Symantec Endpoint Protection uses reputation data to make decisions about files

    http://www.symantec.com/docs/HOWTO55275

    How does Insight Lookup work?

    http://www.symantec.com/docs/TECH169282

    In case he wants to block the application, he could use the System Lockdown feature, which is available in SEP 12.1 Enterprise Edition.

    https://support.symantec.com/en_US/article.HOWTO80848.html

    https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

    In case you want to whitelist an application, check this article:

    Software developer would like to add his/her software to the Symantec White-List.

    https://support.symantec.com/en_US/article.TECH132220.html

    Secondly, I would recommend you check the attached PDF to help you get some ideas.

    Hope that helps!!