
Application + Device Control policy -- getting started

Updated: 22 May 2010 | 5 comments
Posted by: Frosty

I recently decided to follow some of the advice here and began implementation of our first ever Application+Device Control Policy.  I used the template that someone else kindly posted, and cut out the bits I didn't think I needed.  It has been successfully deployed in "Log Only" mode and I've begun getting reports in the logs from PCs.  A typical report I've seen in the last 24 hours:

26/02/2010 09:00:32 Continue Default
tramgr
None Info Built-in rule SysPlant None

Research tells me that SysPlant is the process that implements the Application + Device Control Policy on the client.  Is that correct? 
It looks to me like I am getting one of these reports per-PC that adopts the policy.  Is that also correct?

Another example of the type of reports I received in the logs:

10:26:14 Block Default
tramgr
hcaruana Critical File and Folder Access Attempts_Write File C:/Program Files/Internet Explorer/iexplore.exe C:/Documents and Settings/hcaruana/Application Data/alot/toolbar.xml  
10:26:09 Block Default
tramgr
hcaruana Critical File and Folder Access Attempts_Write File C:/Program Files/Internet Explorer/iexplore.exe C:/Documents and Settings/hcaruana/Application Data/alot/toolbar.xml  
10:26:03 Block Default
tramgr
hcaruana Critical File and Folder Access Attempts_Write File C:/Program Files/Internet Explorer/iexplore.exe C:/Documents and Settings/hcaruana/Application Data/alot/toolbar.xml  
10:25:41 Block Default
tramgr
hcaruana Critical File and Folder Access Attempts_Write File C:/Documents and Settings/hcaruana/Local Settings/Temporary Internet Files/Content.IE5/I0JQBJL6/ALOT_Toolbar_maps_en-gb_Installer[1].exe C:/Documents and Settings/hcaruana/Application Data/alot/toolbar.xml

Damn, but that's good; it looks to me like the new policy is indeed picking up stuff correctly.  I'd really like to just go ahead and implement it fully right away, but am trying to be cautious.  Some users on my network only log on once/week, so I figured I would take a couple of weeks to monitor this before activating it fully.  Wondering if anyone could offer an opinion on that?
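As an added example (not code from the thread or from Symantec), here is a small Python parser for records in the layout the posted entries appear to use. It lists the hosts that have reported the SysPlant entry and collapses the Block events into distinct (rule, caller, target) triples, so each triple is reviewed once before the policy leaves "Log Only" mode. The tab-separated column layout and the sample rows are constructed assumptions, not a real SEPM export.

```python
import csv
from collections import Counter
from io import StringIO

# Column layout ASSUMED from how the thread's entries read; adjust FIELDS to match
# a real export. The rows below are constructed from the entries quoted in the thread.
FIELDS = ["time", "action", "computer", "user", "severity", "rule", "caller", "target"]
RULE = "File and Folder Access Attempts_Write File"
TOOLBAR = "C:/Documents and Settings/hcaruana/Application Data/alot/toolbar.xml"
IEXPLORE = "C:/Program Files/Internet Explorer/iexplore.exe"
SAMPLE_LOG = (
    "26/02/2010 09:00:32\tContinue\ttramgr\tNone\tInfo\tBuilt-in rule\tSysPlant\tNone\n"
    "26/02/2010 10:25:41\tBlock\ttramgr\thcaruana\tCritical\t" + RULE + "\t"
    "C:/Documents and Settings/hcaruana/Local Settings/Temporary Internet Files/"
    "Content.IE5/I0JQBJL6/ALOT_Toolbar_maps_en-gb_Installer[1].exe\t" + TOOLBAR + "\n"
    "26/02/2010 10:26:03\tBlock\ttramgr\thcaruana\tCritical\t" + RULE + "\t" + IEXPLORE + "\t" + TOOLBAR + "\n"
    "26/02/2010 10:26:09\tBlock\ttramgr\thcaruana\tCritical\t" + RULE + "\t" + IEXPLORE + "\t" + TOOLBAR + "\n"
    # rule column is empty for this entry, as in the thread
    "26/02/2010 13:16:08\tBlock\tOSV-GRV-SALE\tslejudge\tMinor\t\tC:/WINDOWS/system32/dumprep.exe\t"
    "C:/Program Files/Symantec/Symantec Endpoint Protection/SymCorpUI.exe\n"
    "27/02/2010 08:01:12\tContinue\tOSV-GRV-SALE\tNone\tInfo\tBuilt-in rule\tSysPlant\tNone\n"
)


def parse_adc_log(text):
    """Parse tab-separated records into dicts keyed by FIELDS; rows with the wrong width are skipped."""
    reader = csv.reader(StringIO(text), delimiter="\t")
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def hosts_with_policy(records):
    """Hosts that logged the 'Continue / Built-in rule / SysPlant' entry the thread treats as one per PC adopting the policy."""
    return sorted({r["computer"] for r in records
                   if r["action"] == "Continue" and r["caller"] == "SysPlant"})


def block_summary(records):
    """Count Block events per (rule, caller, target) so each distinct pair is reviewed once, not per raw line."""
    return Counter((r["rule"], r["caller"], r["target"])
                   for r in records if r["action"] == "Block")


def review_candidates(records):
    """Block triples, most frequent first: the list to decide allow/exempt against before enforcing."""
    return [(count, rule, caller, target)
            for (rule, caller, target), count in block_summary(records).most_common()]


if __name__ == "__main__":
    recs = parse_adc_log(SAMPLE_LOG)
    print("hosts reporting the policy:", hosts_with_policy(recs))
    for count, rule, caller, target in review_candidates(recs):
        print(f"{count:3d}  {rule or '<no rule>'}  {caller} -> {target}")
```

Comparing the host list against the expected population tells you when the weekly-logon users have all picked up the policy, which is the point at which the review of the Block triples is complete.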


Comments

Frosty, 25 Feb 2010

Some feedback on this log entry would also be appreciated:

13:16:08 Block Default
OSV-GRV-SALE
slejudge Minor   C:/WINDOWS/system32/dumprep.exe C:/Program Files/Symantec/Symantec Endpoint Protection/SymCorpUI.exe

dumprep.exe seems to be a Windows process for error reporting.  What does it mean that SymCorpUI.exe is the "target" of this process?  Sounds like SymCorpUI.exe probably crashed and dumprep.exe was trying to catch data from it.  Wondering therefore if I should be exempting dumprep.exe from my Application Control Policy?

sandip_sali, 25 Feb 2010

Research tells me that SysPlant is the process that implements the Application + Device Control Policy on the client.  Is that correct?   Yes

It looks to me like I am getting one of these reports per-PC that adopts the policy.  Is that also correct?  Yes

dumprep.exe seems to be a Windows process for error reporting.  What does it mean that SymCorpUI.exe is the "target" of this process?

If you are referring to C:\WINDOWS\system32\dumprep.exe, it's right.

Thanks & Regards Sandip C Sali

AravindKM, 25 Feb 2010

SymCorpUI.exe is the process which will display the client GUI.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

AravindKM, 25 Feb 2010

Processes and Services used by Symantec Endpoint Protection


Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Frosty, 28 Feb 2010

Thanks!

Thanks for the info.  Just so I am absolutely clear on what you mean:

I wrote:
>>>> dumprep.exe seems to be a Windows process for error reporting. 
>>>> What does it mean that SymCorpUI.exe is the "target" of this process?
>>>> Sounds like SymCorpUI.exe probably crashed and dumprep.exe was trying to catch data from it. 
>>>> Wondering therefore if I should be exempting dumprep.exe from my Application Control Policy?

You wrote:
>> If you are referring to C:\WINDOWS\system32\dumprep.exe, it's right

Does "it's right" mean that I have nothing to be concerned about, or does it mean that I should exempt dumprep.exe from the policy?

Cheers,

Steve