Application Logging

Created: 11 Jan 2013 | 5 comments

I just wanted to ask the forum whether or not they block/log applications from the system32 folder.

My thought was that the general sales/HR/finance person does not need to use cmd.exe etc.

If that ran on their machine, it would be worth investigating.

Thoughts?

.Brian:

This is a pretty important directory which I would not block. You can set up logging with an ADC policy to monitor it. I suppose standard users wouldn't need to use some of the apps in there, but there are others that are needed in order for the OS to function properly.

I would just block the apps they shouldn't be using but wouldn't block apps from running in this directory.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mtju:

We are only logging at this point, but I was wondering if some folks were doing any blocking. Yes, some of the apps are needed for the OS to function, but not all of them. I was trying to think of something more targeted.

.Brian:

I'm sure some are, especially in government facilities.

Ashish-Sharma:

Hi,

Follow these steps to block cmd.exe:

1. Open the Symantec Endpoint Protection Manager.
2. Select the Policies tab from the left side.
3. Select Application and Device Control from under the View Policies menu.
4. Select Add an Application and Device Control from under the Tasks menu.
5. A new window will open.
6. Select Application Control from under the Application and Device Control menu on the left side.
7. Select Add; a new window will appear.
8. Select Add next to the field labeled "Apply this rule to the following process".
9. Within the box, type *.
10. Leave all other settings the same. Click OK.
11. On the left side there will be a box labeled Rules. Within it, you should see the rule you are working with listed.
12. Right-click the rule and select Add Condition.
13. Select Launch Process Attempts; a new window will open.
14. Select Add next to the field labeled "Apply this rule to the following process".
15. Within the box, type <process name>.exe. This will be the exact name of the executable that is going to be blocked.
16. From the same window, select the Actions tab from the top middle.
17. From within the Launch Process Attempt box, select Block access.
18. Select OK.
19. Select OK again from the Application Control screen.
20. If you have not assigned your policy to a group, a new window will pop up asking you to do so. Please select all groups that apply.
21. If you would like to double-check which groups the policy is assigned to, or would like to change which groups it applies to, right-click the policy under the Application and Device Control Policies window.
22. Select Assign.
23. From the new window, select all groups that apply.

Thanks in advance

Ashish Sharma

pete_4u2002:

Are these logged events monitored, and are appropriate actions set?