Endpoint Protection

  • 1.  Application Control policy does not block changes to hosts file

    Posted Oct 20, 2010 12:46 PM

    I have implemented an Application and Device Control policy to block changes to the hosts file.  I used the policies provided by Kedar (https://www-secure.symantec.com/connect/downloads/how-do-i-block-hosts-file-modification-using-symantec-endpoint-protection-sep-application-) and by ShadowPapa.

    The policy does block any changes to the hosts file for the user that is logged into the computer.  That is, if I am sitting at a computer and try to modify c:\windows\system32\drivers\etc\hosts the changes will be blocked, a pop-up will appear on the screen, and an email alert will be sent.  So in this regard it works just as expected.

    But one of my Windows admins discovered that if he opens the shares on a remote computer (\\computer\c$) that he is able to make changes to the hosts file.   I was able to duplicate what he did to prove it worked.   Can anyone comment on this?  It seems like a huge problem.

    RU6 MP1 on both server and clients.



  • 2.  RE: Application Control policy does not block changes to hosts file

    Posted Oct 20, 2010 12:52 PM

    I am not sure we have the ability to block something like this. A few notes:

    -No one but admins should have the option of remoting in like this. Obviously this brings the trust that the admins won't be making changes.

    -Alternative is to lock the file/folder via modifying permissions to ensure it is not touched

    -Second alternative is to employ Network Threat Protection to prevent any unauthorized users from remoting into the machine

    I don't really have the tech details regarding this to give a valid explanation as to why this is allowed, I am sure someone can chime in.
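    The permission-based alternative from this reply, as an added PowerShell example that is not part of the thread: it reports every identity with write access to the hosts file, optionally replaces the ACL so that only SYSTEM and Administrators can change it, and keeps a SHA-256 baseline so that an edit made through an admin share shows up on the next run. The `-Harden` switch, the `$BaselinePath` location under ProgramData and the chosen ACL are assumptions, not anything SEP or the thread prescribes.

```powershell
# Added example (not from the thread): audit, optionally tighten, and baseline the hosts file.
# Assumes a standard Windows install; the default hosts path is derived from $env:SystemRoot.
param(
    [switch]$Harden,                                         # apply the restrictive ACL instead of only reporting
    [string]$BaselinePath = "$env:ProgramData\hosts.sha256"  # assumed location for the stored baseline hash
)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Report who can write. Any non-administrative identity holding the Write bits is a finding.
$acl       = Get-Acl -Path $HostsPath
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and ($ace.FileSystemRights -band $writeMask)) {
        Write-Output ("WRITE: {0} ({1})" -f $ace.IdentityReference, $ace.FileSystemRights)
    }
}

# 2. Optionally replace the ACL: SYSTEM and Administrators keep full control, Users get read only,
#    and inheritance from the parent folder is cut so a later folder-level change cannot re-open it.
if ($Harden) {
    $newAcl = Get-Acl -Path $HostsPath
    $newAcl.SetAccessRuleProtection($true, $false)          # protect the DACL, drop inherited ACEs
    foreach ($rule in @($newAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$newAcl.RemoveAccessRule($rule)               # clear the explicit ACEs before rebuilding
    }
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute')
    )
    foreach ($r in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], 'Allow')
        $newAcl.AddAccessRule($ace)
    }
    Set-Acl -Path $HostsPath -AclObject $newAcl
    Write-Output "ACL replaced on $HostsPath"
}

# 3. Integrity baseline: record the SHA-256 on the first run, compare on every later run.
$hash = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
if (Test-Path -Path $BaselinePath) {
    $known = (Get-Content -Path $BaselinePath -Raw).Trim()
    if ($known -ne $hash) {
        Write-Warning "hosts file changed since baseline (was $known, now $hash)"
    } else {
        Write-Output "hosts file matches baseline"
    }
} else {
    Set-Content -Path $BaselinePath -Value $hash
    Write-Output "baseline recorded: $hash"
}
```

Run it once as `.\Check-Hosts.ps1` to record the baseline, then on a schedule; add `-Harden` to apply the ACL. The NTFS ACL is evaluated by the file system on the machine that owns the file, so unlike a client-side Application Control hook it applies equally to a write arriving over `\\computer\c$`. It does not, however, stop a member of Administrators, who can take ownership and change the ACL; for that case the hash comparison is what makes the change visible.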



  • 3.  RE: Application Control policy does not block changes to hosts file

    Posted Oct 20, 2010 12:53 PM

    Is the system a 64-bit computer? If so, application control will not work on a 64-bit OS.



  • 4.  RE: Application Control policy does not block changes to hosts file

    Posted Oct 20, 2010 01:11 PM

    As John mentioned, no one but Admins should be able to get to $ shares, at least in a default state.  If not, it should be locked down anyway as per Microsoft's best practices, general security best practices, and even Symantec recommends it too.  Leaving shares open is actually a vulnerability for viruses to exploit.  Do you know how many viruses these days exploit open shares?  A lot.

    That said, SEP can't be a fix-all, and I don't think it can stop this in its current build.  But I also don't think SEP should be a catch-all for bad security practices either.

    I love the ease of use and flexibility to use a $ share as much as anyone else, but with convenience, comes lax security...
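    Since the previous two replies come down to visibility into who is actually using the $ shares, here is an added PowerShell example, not part of the thread, that lists the administrative shares on a host and pulls recent share-access events for them from the Security log. It assumes "Audit File Share" (Object Access) is enabled so that event ID 5140 is written, and that the script runs with rights to read the Security log; the regexes parse the standard 5140 message text, and `$MaxEvents` is an arbitrary limit.

```powershell
# Added example (not from the thread): report who has been reaching the admin shares on this host.
# Assumes Audit File Share is enabled (event 5140) and the script runs as a local administrator.
param(
    [int]$MaxEvents = 2000                # assumed cap on how many Security events to scan
)

# 1. Which administrative ($) shares exist on this machine. Get-SmbShare needs Windows 8/2012 or later.
$adminShares = Get-SmbShare | Where-Object { $_.Name -like '*$' }
$adminShares | Select-Object Name, Path | Format-Table -AutoSize

# 2. Share-access events (5140) for those shares, reduced to who came from where.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
$report = foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -match 'Share Name:\s+\\\\\*\\(?<share>[^\r\n]+)' -and $Matches.share.EndsWith('$')) {
        $share = $Matches.share
        $user  = if ($msg -match 'Account Name:\s+(?<u>[^\r\n]+)')   { $Matches.u } else { '?' }
        $src   = if ($msg -match 'Source Address:\s+(?<a>[^\r\n]+)') { $Matches.a } else { '?' }
        [PSCustomObject]@{
            Time    = $e.TimeCreated
            Share   = $share
            Account = $user.Trim()
            Source  = $src.Trim()
        }
    }
}

# 3. Summarise: one line per account/source/share, with first and last seen and a count.
$report |
    Group-Object Share, Account, Source |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [PSCustomObject]@{
            Share     = $sorted[0].Share
            Account   = $sorted[0].Account
            Source    = $sorted[0].Source
            Count     = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize
```

Used alongside a hosts-file baseline, the output answers the question the thread leaves open: when a change to the hosts file arrives over `C$`, the 5140 events around that time name the account and source address that had the share open. Accounts or source addresses that are not your admin workstations are the ones worth following up on.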