Endpoint Protection

  • 1.  Application Control

    Posted Jun 08, 2009 04:51 PM

    Looking to convert to SEP from another tool that was providing app/device control.  When it comes to application control, they already have a large database of over 300 applications (without even considering versions of applications) that they block in their environment.  In SEP the options seem to be by process (executable name) or via the file fingerprint (MD5 checksum of executable).  With doing this by process, it is easy enough for the user to change the executable from notepad.exe to notepad2.exe and bypass that capability.  With file fingerprint, you are required to explicitly provide each MD5 hash - this isn't really feasible considering that would require installing all 300+ applications and getting the MD5 checksum of the file.  Not to mention when you consider each version/release of a particular software would have a new checksum - thus 300 turn into thousands. 

    Anyone have a good way with dealing with this?  Other platforms have repositories to pull from versus creating everything from scratch (i.e. I believe Altiris actually has a central repository/database of applications or categories to block).

    Thanks in advance.


  • 2.  RE: Application Control

    Posted Jun 08, 2009 05:03 PM
    Read the post by Citlali,  "There is an easier way" on this thread.

    https://www-secure.symantec.com/connect/forums/how-block-applications-sep-using-md5

    Thomas



  • 3.  RE: Application Control

    Posted Jun 08, 2009 05:44 PM

    Unfortunately this option means you have to open up your network to applications being executed and until they are explicitly added to the blocked list.  That's a lot of exposure for a corporate network.   I know about that option, but was hoping there was something better out there. 


  • 4.  RE: Application Control

    Posted Jun 08, 2009 08:06 PM
    Hi Blenkey

    I really like the idea of having a database of the MD5's for our users to look through. I think this could be helpful to quite a few of our users. I think you should suggest this in the ideas part of this site. I can also suggest it for you, but seeing as it was your thought I figured you might want to do it so you can completely explain what you wanted. Cheers

    Grant


  • 5.  RE: Application Control

    Posted Jun 08, 2009 11:26 PM

    I've been told that there is something like this on the Altiris side.  Not sure that it is based on an MD5 hash, but at least a database or collection of some sort that is used as a reference to block applications.

    I'll definitely suggest it because realistically, anyone coming over from another product as a competitive takeout would have this issue. 


  • 6.  RE: Application Control

    Posted Jun 09, 2009 12:33 AM
    MD5 or signature blocking equals always being behind. Developers will always update their code, rendering your checksum only as relevant as the latest fingerprint you use. Also, consider performance impact: let's say you're blocking 50 applications with 10 MD5 checksums for each version it ever had. Every time an EXE launches on your system, it needs to be checked against 500 MD5 signatures just to be passed on to the "on-access scanner" for regular signature-based detection. Result is the poor performance we all love so much.
    Behavior detection is the route to go. Like with the Ultrasurf thread last week, all Symantec has to do is classify applications properly based on their behaviour and group known processes in that class. For example, you can have a class called "Unwanted Proxy Applications", where bad things like Tor and Ultrasurf will reside, and, more importantly, new programs that have the same behavior will automatically be added to this class. Same would be done for "IP Scanners" where SuperScan, Angry IP Scanner, netcat and others would live.
    Unfortunately, Symantec's behavior detection is pretty useless with TruScan, and this would have to be a superior behavioral engine to that of TruScan. Maybe in the future something like this would become available?
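The two rule types discussed in this thread (process-name blocking in post 1, fingerprint blocking and its per-version upkeep in post 6) can be modelled in a few lines. The following is an added example, not SEP code or anything from Symantec; it uses constructed byte strings in place of real executables, and the `Launch`, `ProcessNameRule` and `FingerprintRule` names are the example's own. It shows why a renamed copy slips past a name rule but not a hash rule, why a new build slips past a hash rule but not a name rule, and how a fingerprint list would be built from an installed tree so the list size does not affect per-launch lookup cost.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed stand-ins for executable files (filename, contents).
# No real binaries are embedded; the byte strings only stand in for them.
NOTEPAD_V1 = b"MZ\x90\x00notepad build 1.0"
NOTEPAD_V2 = b"MZ\x90\x00notepad build 1.1"  # a later release: one byte differs


@dataclass(frozen=True)
class Launch:
    """What a policy sees when a process starts (hypothetical model)."""
    name: str       # executable name, as matched by a process-name rule
    content: bytes  # file bytes, as hashed by a file-fingerprint rule


def md5_fingerprint(content: bytes) -> str:
    """MD5 of the file contents: the 'file fingerprint' a hash rule keys on."""
    return hashlib.md5(content).hexdigest()


class ProcessNameRule:
    """Block by executable name. Renaming the file defeats it."""

    def __init__(self, blocked_names):
        self.blocked = {n.lower() for n in blocked_names}

    def blocks(self, launch: Launch) -> bool:
        return launch.name.lower() in self.blocked


class FingerprintRule:
    """Block by MD5 of the file. Renaming does not help; a new build does."""

    def __init__(self, blocked_hashes):
        # A set gives constant-time membership tests, so 500 or 5000
        # fingerprints cost about the same per launch as 5.
        self.blocked = set(h.lower() for h in blocked_hashes)

    def blocks(self, launch: Launch) -> bool:
        return md5_fingerprint(launch.content) in self.blocked


def fingerprint_tree(root: str) -> dict:
    """Walk an installed application tree and map MD5 -> path for every
    executable, which is the per-version inventory step the thread calls
    impractical at 300+ applications."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith((".exe", ".dll")):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    found[md5_fingerprint(fh.read())] = path
    return found


def evaluate(rules, launch: Launch) -> bool:
    """A launch is blocked if any configured rule blocks it."""
    return any(rule.blocks(launch) for rule in rules)


def compare_rules() -> dict:
    """Run both rule types against a renamed copy and a new build."""
    name_rule = ProcessNameRule(["notepad.exe"])
    fp_rule = FingerprintRule([md5_fingerprint(NOTEPAD_V1)])
    renamed = Launch("notepad2.exe", NOTEPAD_V1)      # same bytes, new name
    new_build = Launch("notepad.exe", NOTEPAD_V2)     # same name, new bytes
    return {
        "name_rule_blocks_renamed": name_rule.blocks(renamed),
        "fingerprint_rule_blocks_renamed": fp_rule.blocks(renamed),
        "name_rule_blocks_new_build": name_rule.blocks(new_build),
        "fingerprint_rule_blocks_new_build": fp_rule.blocks(new_build),
        "both_rules_block_renamed": evaluate([name_rule, fp_rule], renamed),
        "both_rules_block_new_build": evaluate([name_rule, fp_rule], new_build),
    }


if __name__ == "__main__":
    for check, result in compare_rules().items():
        print(f"{check}: {result}")
```

Combining the two rule types covers each one's blind spot for the cases above, but neither covers a renamed new build, which is the gap the thread's behaviour-based suggestion is aimed at. The `fingerprint_tree` helper is what turning an installed application into hash rules looks like in practice; it has to be rerun for every release.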


  • 7.  RE: Application Control

    Posted Nov 02, 2009 02:00 AM
    Do you guys ever feel guilty about being such narcs?  It seems like we'd save ourselves a lot of hassle if we just educated our end users about risks rather than trying to continually compensate for the ways they find to sneak out of the playpens we build for them. 

    Because it's not like we play by the exclusionary rules we set up for users.