Application blocking using fingerprint

Created: 25 Jul 2013 | 7 comments

Hi,

 

We tried blocking some applications through the Application and Device Control policy in SEPM (12.1). For some products, when we rename the app file, Symantec is not able to block that particular application. To block that app we need to get the file fingerprint of that app. When the app version changes, the file fingerprint value also changes.

Do we need to check the file fingerprint every time the app version changes? Or is there any way to block without checking the file fingerprint when the version changes?

Or Symantec can provide some built-in signatures through updates to block those apps.

 

Please advise 

Ambesh_444's picture

Hello,

Please check the article below and let me know if any more help is required.

Block Software By Fingerprint

https://www-secure.symantec.com/connect/articles/block-software-fingerprint

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Ashish-Sharma's picture

 

Hi,

Here are some articles; I hope they help you.

 

Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

 

Article:HOWTO55138 | Created: 2011-06-29 | Updated: 2011-12-16 | Article URL http://www.symantec.com/docs/HOWTO55138

Managing file fingerprint lists

 

Article:HOWTO55133 | Created: 2011-06-29 | Updated: 2011-12-16 | Article URL http://www.symantec.com/docs/HOWTO55133

 

 

Thanks In Advance

Ashish Sharma

 

 

SMLatCST's picture

Unfortunately, the changing fingerprint does mean that a new entry needs to be added for each version of the application.

I've seen some customers block a single application under multiple file names and fingerprints, and it is a fair amount of administrative effort to make sure the list is up to date with each new version of the blocked application.

Depending on how restrictive you want to be, you may have better results using SEP's "System Lockdown" feature. There is a lot of effort involved in the initial setup, but it does allow you to lock down your endpoints so that only approved applications can run (or vice versa).

http://www.symantec.com/docs/HOWTO80848
http://www.symantec.com/docs/HOWTO81094
http://www.symantec.com/docs/HOWTO81100

.Brian's picture

"Thumbs Up" to SMLatCST in regards to system lockdown

Enabling system lockdown to run in blacklist mode

Article:HOWTO81100  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO8110

You can also enable the blacklist in System Lockdown to block the bad file only. It may make it a little easier for you.

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Do you want to block an application because it is malicious in nature?

Check these Articles on how to configure SEP to block software.

Block Software By Fingerprint

https://www-secure.symantec.com/connect/articles/block-software-fingerprint

How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

http://www.symantec.com/docs/TECH97618

Configuring system lockdown

http://www.symantec.com/docs/HOWTO80848

In case you want Symantec to block those malicious applications, you can also submit these suspicious files to the Symantec Security Response Team at:

https://submit.symantec.com/websubmit/essential.cgi

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Check this Article:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Beppe's picture

Dear ravishankar_m02,

The fingerprint is a good way to distinguish files and act on them (block, allow, detect, etc.). The file name is not.

If there's a new version of a file (hence the fingerprint changes), what is the common property between the old and the new version that the Application Control should be able to identify to meet your needs?

Further, we provide signatures to black-list malicious files and white-list well-known good files; what kind of application are you talking about?

 

Regards,

Giuseppe
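
The two points made in the replies above (a renamed file keeps its fingerprint, while a new version gets a new one that must be added to the list) can be checked with a short script. This is an added example, not part of any post in this thread and not Symantec code; it assumes the fingerprint is an MD5 digest of the file contents, and the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path, algo="md5"):
    """Hash file contents in chunks; the file name never enters the digest.
    Assumption: MD5 is used here; switch algo to match your fingerprint list."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def uncovered_builds(build_dir, blocklist):
    """Return {fingerprint: [file names]} for builds whose hash is not yet listed."""
    missing = {}
    for path in sorted(Path(build_dir).iterdir()):
        if path.is_file():
            digest = fingerprint(path)
            if digest not in blocklist:
                missing.setdefault(digest, []).append(path.name)
    return missing


def demo():
    # Constructed sample data: byte strings standing in for two versions of an app.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "app.exe").write_bytes(b"constructed build 1.0")
        (d / "renamed.exe").write_bytes(b"constructed build 1.0")  # same bytes, new name
        (d / "app_v2.exe").write_bytes(b"constructed build 2.0")   # new version
        blocklist = {fingerprint(d / "app.exe")}  # only version 1.0 is listed
        return blocklist, uncovered_builds(d, blocklist)


if __name__ == "__main__":
    listed, missing = demo()
    print("listed:", sorted(listed))
    for digest, names in missing.items():
        print("not yet listed:", digest, names)
```

Pointing `uncovered_builds` at a folder of collected installers shows which versions still need an entry before the fingerprint list is re-imported.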

Chetan Savade's picture

Hi ravishankar_m02,

Thank you for posting in Symantec community.

I would be glad to answer your query.

Every time do we need to check for the file finger print when the app version changes????

or is there any way to block without checking the file finger print when the version changes?

 File finger list.png

Reference: Managing file fingerprint lists

http://www.symantec.com/docs/HOWTO55133

You can refer to the following forum articles as well:

https://www-secure.symantec.com/connect/articles/what-file-fingerprint-list-symantec-endpoint-protection-sep

https://www-secure.symantec.com/connect/articles/it-possible-edit-append-or-merge-file-fingerprint-symantec-endpoint-protection-manager-sepm

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.