
Application Whitelisting

Created: 07 Mar 2013 • Updated: 07 Mar 2013 | 8 comments

We are currently implementing Application Whitelisting in our environment.

I have imported a file list of .exe’s from our server, yet when I run it in test mode cscript.exe, amongst others, shows up as an unapproved application even though it, and the others, have any entry as an approved application. I am unsure why this is happening.

Any help would be appreciated.


W007:

Hello,

Just review this article:

What is SYSTEM LOCKDOWN ? What Stages do I Implement SYSTEM LOCKDOWN in Symantec Endpoint Protection (SEP) ?

https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

see this thread

https://www-secure.symantec.com/connect/forums/sep-application-whitelisting

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pete_4u2002:

What is the method you used to whitelist?

Can you double check that the exe name is the same?

.Brian:

Did you create a hash of all approved executables using checksum.exe and import it into SEPM? Can you post the Control log from the affected client?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Matt Berresford:

Thanks for your replies,

@ManishS -: I have implemented system lockdown as per the Symantec methods, so your post, whilst informative, does not really help me.

@pete_4u2002 -: I did a scan of our baseline computer and gathered all the executable names into a text file, imported this text file into the system lockdown policy, and enabled test mode. I keep getting multiple instances of executable names showing as unapproved, even though their name has been added as an approved application. I did the same thing with checksum: created a fingerprint list on our baseline server, imported it into system lockdown, and was still seeing some anomalies, with certain files and executables showing in the log as unapproved applications even though their checksum was in the list. I am confused.

Is the file fingerprint for, for example, C:\Windows\System32\cscript.exe on Server1 the same as C:\Windows\System32\cscript.exe on Server2? I would assume that they are.

By using an executable name, is it safe to assume that all components associated with the exe automatically become approved, i.e. DLLs etc.?

Thanks for your replies.

.Brian:

"By using an executable name, is it safe to assume that all components associated with the exe automatically become approved, i.e. DLLs etc.?"

I do not believe this is true. I have a similar setup: when I try to run an installer, say test.exe, I can exclude test.exe, but if it spawns another process, that process is blocked. So basically, if any child process of the parent is not on the exclusion list, it will be unapproved to run.

You can check the hash of cscript.exe from Server1 and Server2 and compare. If they are different, then the one not in the list is blocked. But if you added it by name, it should run without issue.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002:

If the cscript has a different version and a different fingerprint, then yes, it could be the case. Check the checksum value for the application running on the 2 different machines.

Matt Berresford:

@pete_4u2002 -: I can see how that would create a different hash, but our version of cscript is consistent across our fleet.

8 March 2013 11:19:53 AM ........ SYSTEM C:\Windows\System32\advapi32.dll C:\Windows\System32\cscript.exe

@Brian81 -: Thanks for that, but it still does not explain this: if cscript.exe has been added as an approved file, then all instances of cscript.exe should be allowed regardless of version etc. I can see how a child process may not be on the approved list, but any DLLs or system files accessed by cscript.exe should not be showing up as an exception. See above for an entry from my test log.
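The two checks suggested in this thread (.Brian's "hash cscript.exe on Server1 and Server2 and compare", and reading the test-log entry above to see which file was actually flagged) can be scripted. The following is an added example, not Symantec code and not anything from this thread's posters. It assumes the fingerprint list is one MD5 followed by the file path per line (checksum.exe output is assumed to be MD5-based), and it assumes the column meaning of the quoted log line is "timestamp, elided columns, user, flagged file, process that loaded it". The two "hosts" are constructed byte strings standing in for real files so the script runs offline; on real machines you would hash the files on disk instead.

```python
import hashlib
import re

# Assumed fingerprint-list layout: "<md5> <path>" per line.
FINGERPRINT_RE = re.compile(r"^(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>\S.*?)\s*$")
# Assumed column meaning of the unapproved-application log line quoted in the thread:
# "<timestamp> ........ <user> <flagged file> <process that loaded it>"
LOG_RE = re.compile(r"^(?P<ts>.+?)\s+\.{3,}\s+(?P<user>\S+)\s+(?P<file>\S+)\s+(?P<process>\S+)$")

# Constructed stand-ins for the files on two servers. cscript.exe is identical
# on both; advapi32.dll has been patched on Server2, so its hash differs.
CSCRIPT = b"MZ\x90\x00 constructed stand-in for cscript.exe, same build everywhere"
ADVAPI_BASELINE = b"MZ\x90\x00 constructed stand-in for advapi32.dll, baseline build"
ADVAPI_PATCHED = b"MZ\x90\x00 constructed stand-in for advapi32.dll, patched build"
SERVER1 = {r"C:\Windows\System32\cscript.exe": CSCRIPT,
           r"C:\Windows\System32\advapi32.dll": ADVAPI_BASELINE}
SERVER2 = {r"C:\Windows\System32\cscript.exe": CSCRIPT,
           r"C:\Windows\System32\advapi32.dll": ADVAPI_PATCHED}
# The log entry quoted in the thread, reused as sample input.
LOG_LINE = r"8 March 2013 11:19:53 AM ........ SYSTEM C:\Windows\System32\advapi32.dll C:\Windows\System32\cscript.exe"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def fingerprint_host(files: dict) -> dict:
    """Hash every file of a host image: {path: md5}. On a real host, read the files from disk."""
    return {path: md5_hex(data) for path, data in files.items()}


def render_fingerprint_list(baseline: dict) -> str:
    """Write a baseline in the assumed '<md5> <path>' layout."""
    return "".join(f"{h} {p}\n" for p, h in sorted(baseline.items()))


def parse_fingerprint_list(text: str) -> dict:
    """Parse '<md5> <path>' lines into {path: md5}; lines that do not match are skipped."""
    by_path = {}
    for line in text.splitlines():
        m = FINGERPRINT_RE.match(line)
        if m:
            by_path[m["path"]] = m["md5"].lower()
    return by_path


def drifted_files(baseline: dict, host: dict) -> list:
    """Paths whose hash on `host` differs from the baseline or is absent from it."""
    return sorted(p for p, h in host.items() if baseline.get(p) != h)


def classify_log_entry(line: str, fingerprint_text: str, approved_names: set, host_files: dict) -> str:
    """Explain why the file in a log entry was (or was not) approved on the given host."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised log line: " + line)
    flagged = m["file"]                      # the DLL, not the process that loaded it
    by_path = parse_fingerprint_list(fingerprint_text)
    actual = md5_hex(host_files[flagged]) if flagged in host_files else None
    if actual is not None and actual in set(by_path.values()):
        return "approved-by-hash"
    basename = flagged.rsplit("\\", 1)[-1].lower()
    if basename in {n.lower() for n in approved_names}:
        return "approved-by-name"
    if flagged in by_path:
        return "hash-differs-from-baseline"  # listed path, but a different build on this host
    return "not-in-list"                     # approving cscript.exe by name does not cover it


if __name__ == "__main__":
    baseline = fingerprint_host(SERVER1)
    listing = render_fingerprint_list(baseline)
    print("drifted on Server2:", drifted_files(baseline, fingerprint_host(SERVER2)))
    print("Server1:", classify_log_entry(LOG_LINE, listing, set(), SERVER1))
    print("Server2:", classify_log_entry(LOG_LINE, listing, set(), SERVER2))
    print("name-only list:", classify_log_entry(LOG_LINE, "", {"cscript.exe"}, SERVER2))
```

Running it shows the two situations discussed in the thread: with a fingerprint list taken from Server1, the advapi32.dll entry is approved on Server1 but reports as a changed hash on Server2, and with a name-only list containing just cscript.exe the flagged DLL is not covered at all, because the log entry is about the DLL and approval is checked per file.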

Matt Berresford:

Well, here is the update: I am still getting anomalies in my unapproved application logs.

I have created a checksum against one server, imported that checksum file and created a fingerprint list for that server. I then moved that server into a group of its own, and applied the secure lockdown policy in log mode using the fingerprint file created on that server.

I am still getting entries in my unapproved application list that have a valid checksum in the fingerprint file. This is why I am confused.

Is there anything that needs to be done in the management console to ensure that the policy is getting applied to all the objects in the group, or is that dynamic? Is there something I am doing wrong?

As always any help would be appreciated.