Endpoint Protection

  • 1.  Application blocking using Finger print

    Posted Jul 26, 2013 02:24 AM

    Hi,

     

    We tried blocking some applications through the Application and Device Control policy in SEPM (12.1). For some products, when we rename the app file, Symantec is not able to block that particular application. To block that app we need to get the file fingerprint of that app. When the app version changes, the file fingerprint value also changes.

    Do we need to check for the file fingerprint every time the app version changes? Or is there any way to block without checking the file fingerprint when the version changes?

    Or Symantec can provide some built-in signatures through updates to block those apps.

     

    Please advise 



  • 2.  RE: Application blocking using Finger print

    Posted Jul 26, 2013 02:50 AM

    Hello,

    Please check the article below and let me know if any more help is required.

    Block Software By Fingerprint

    https://www-secure.symantec.com/connect/articles/block-software-fingerprint



  • 3.  RE: Application blocking using Finger print

    Posted Jul 26, 2013 03:36 AM

     

    Hi,

    Here are some articles; I hope they help you.

     

    Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

     

    Article:HOWTO55138 | Created: 2011-06-29 | Updated: 2011-12-16 | Article URL http://www.symantec.com/docs/HOWTO55138

    Managing file fingerprint lists

     

    Article:HOWTO55133 | Created: 2011-06-29 | Updated: 2011-12-16 | Article URL http://www.symantec.com/docs/HOWTO55133

     

     



  • 4.  RE: Application blocking using Finger print

    Posted Jul 26, 2013 04:35 AM

    Unfortunately, the changing fingerprint does mean that a new entry needs to be added for each version of the application.

    I've seen some customers block a single application under multiple file names and fingerprints, and it is a fair amount of administrative effort to make sure the list is up to date with each new version of the blocked application.

    Depending on how restrictive you want to be, you may have better results using SEP's "System Lockdown" feature. There is a lot of effort involved in the initial setup, but it does allow you to lock down your endpoints so that only approved applications can run (or vice versa).

    http://www.symantec.com/docs/HOWTO80848
    http://www.symantec.com/docs/HOWTO81094
    http://www.symantec.com/docs/HOWTO81100



  • 5.  RE: Application blocking using Finger print

    Posted Jul 26, 2013 07:38 AM

    "Thumbs Up" to SMLatCST in regards to system lockdown

    Enabling system lockdown to run in blacklist mode

    Article:HOWTO81100  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO8110

    You can also enable the blacklist in System Lockdown to block the bad file only. It may make it a little easier for you.

     



  • 6.  RE: Application blocking using Finger print

    Trusted Advisor
    Posted Jul 26, 2013 08:10 AM

    Hello,

    Do you want to block an application because it is malicious in nature?

    Check these Articles on how to configure SEP to block software.

    Block Software By Fingerprint

    https://www-secure.symantec.com/connect/articles/block-software-fingerprint

    How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

    http://www.symantec.com/docs/TECH97618

    Configuring system lockdown

    http://www.symantec.com/docs/HOWTO80848

    In case you want Symantec to block those malicious applications, you can also submit these suspicious files to the Symantec Security Response Team at:

    https://submit.symantec.com/websubmit/essential.cgi

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Check this Article:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!


  • 7.  RE: Application blocking using Finger print

    Posted Jul 26, 2013 08:49 AM

    Dear ravishankar_m02,

    the fingerprint is a good way to distinguish files and act on them (block, allow, detect, etc.). The file name is not.

    If there's a new version of a file (hence the fingerprint changes), what is the common property between the old and the new version that the Application Control should be able to identify to meet your needs?

    Further, we provide signatures to black-list malicious files and white-list well known good files. What kind of application are you talking about?
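
The behaviour discussed in posts 4 and 7, as an added example that is not part of any post in this thread and is not Symantec code: a content fingerprint still matches a renamed copy of a listed build, while a new version needs its own entry. SHA-256, the file names and the file contents are assumptions constructed for the illustration; the page does not state the product's fingerprint algorithm or list format.

```python
import hashlib
import os
import tempfile

def fingerprint(path, chunk=65536):
    """Content digest of a file; the file name and path play no part."""
    h = hashlib.sha256()  # assumption: SHA-256 stands in for the product's digest
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_blocklist(paths):
    """Map fingerprint -> label for every known build of the blocked app."""
    return {fingerprint(p): os.path.basename(p) for p in paths}

def audit(directory, blocklist):
    """Return {file name: matched label or None} for each file in directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            result[name] = blocklist.get(fingerprint(full))
    return result

def demo():
    """Constructed sample: two listed builds, a renamed copy, a new build."""
    with tempfile.TemporaryDirectory() as known, \
         tempfile.TemporaryDirectory() as endpoint:
        builds = {"chatapp-1.0.exe": b"MZ constructed build 1.0",
                  "chatapp-1.1.exe": b"MZ constructed build 1.1"}
        for name, data in builds.items():
            with open(os.path.join(known, name), "wb") as f:
                f.write(data)
        blocklist = build_blocklist([os.path.join(known, n) for n in builds])
        samples = {"notes.exe": builds["chatapp-1.0.exe"],      # renamed copy of 1.0
                   "chatapp.exe": b"MZ constructed build 2.0",  # new version, not listed
                   "calc.exe": b"MZ unrelated program"}
        for name, data in samples.items():
            with open(os.path.join(endpoint, name), "wb") as f:
                f.write(data)
        return audit(endpoint, blocklist)

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:12} -> {'BLOCK (' + hit + ')' if hit else 'no match'}")
```

The renamed copy is caught because only its content is hashed; the unlisted build passes until its fingerprint is added, which is the maintenance cost described in post 4.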

     



  • 8.  RE: Application blocking using Finger print

    Broadcom Employee
    Posted Jul 26, 2013 10:42 AM

    Hi ravishankar_m02,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    Every time do we need to check for the file finger print when the app version changes????

    or is there any way to block without checking the file finger print when the version changes?

    [Screenshot: File finger list.png]

    Reference: Managing file fingerprint lists

    http://www.symantec.com/docs/HOWTO55133

    You can refer to the following forum articles as well:

    https://www-secure.symantec.com/connect/articles/what-file-fingerprint-list-symantec-endpoint-protection-sep

    https://www-secure.symantec.com/connect/articles/it-possible-edit-append-or-merge-file-fingerprint-symantec-endpoint-protection-manager-sepm