Endpoint Protection

  • 1.  Application Whitelisting

    Posted Mar 07, 2013 07:54 PM

    We are currently implementing Application Whitelisting in our environment.

    I have imported a file list of .exe’s from our server, yet when I run it in test mode cscript.exe, amongst others, shows up as an unapproved application even though it, and the others, have an entry as an approved application. I am unsure why this is happening.

    Any help would be appreciated.



  • 2.  RE: Application Whitelisting

    Posted Mar 07, 2013 08:49 PM

    Hello,

    Just review this article:

    What is SYSTEM LOCKDOWN ? What Stages do I Implement SYSTEM LOCKDOWN in Symantec Endpoint Protection (SEP) ?

    https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio


    See this thread:

    https://www-secure.symantec.com/connect/forums/sep-application-whitelisting



  • 3.  RE: Application Whitelisting

    Broadcom Employee
    Posted Mar 07, 2013 08:59 PM

    What is the method you used to whitelist?

    Can you double check that the exe name is the same?



  • 4.  RE: Application Whitelisting

    Posted Mar 07, 2013 09:16 PM

    Did you create a hash of all approved executables using checksum.exe and import it into SEPM? Can you post the Control log from the affected client?



  • 5.  RE: Application Whitelisting

    Posted Mar 07, 2013 09:20 PM

    Thanks for your replies,

    @ManishS -: I have implemented system lockdown as per the Symantec methods, so your post, whilst informative, does not really help me.

    @pete_4u2002 -: I did a scan of our baseline computer and gathered all the executable names into a text file, imported this text file into the system lockdown policy and enabled test mode. I keep getting multiple instances of executable names showing as unapproved, even though their name has been added as an approved application. I did the same thing with checksum: created a fingerprint list on our baseline server, imported it into system lockdown, and was still seeing some anomalies with certain files and executables showing in the log as unapproved applications, even though their checksum was in the list. I am confused.

    Is the file fingerprint for, for example, C:\Windows\System32\cscript.exe on Server1 the same as C:\Windows\System32\cscript.exe on Server2? I would assume that they are.

    By using an executable name, is it safe to assume that all components associated with the exe automatically become approved, ie dll's etc?

    Thanks for your replies.



  • 6.  RE: Application Whitelisting

    Posted Mar 07, 2013 09:28 PM

    By using an executable name, is it safe to assume that all components associated with the exe automatically become approved, ie dll's etc?

    I do not believe this is true. I have a similar setup: when I try to run an installer, say test.exe, I can exclude test.exe, but if it spawns another process, that process is blocked. So basically, if any child process of the parent is not on the exclusion list, it will be unapproved to run.

    You can check the hash of cscript.exe from Server1 and Server2 and compare. If they are different, then the one not in the list is blocked. But if you added it by name, it should run without issue.



  • 7.  RE: Application Whitelisting

    Broadcom Employee
    Posted Mar 07, 2013 09:35 PM

    If cscript has a different version and a different fingerprint, then yes, it could be the case. Check the checksum value for the application running on the 2 different machines.



  • 8.  RE: Application Whitelisting

    Posted Mar 07, 2013 10:31 PM

    @pete_4u2002 -: I can see how that would create a different hash, but our version of cscript is consistent across our fleet.


    8 March 2013 11:19:53 AM ........ SYSTEM C:\Windows\System32\advapi32.dll C:\Windows\System32\cscript.exe

    @Brian81 -: Thanks for that, but it still does not explain this: if cscript.exe has been added as an approved file, then all instances of cscript.exe should be allowed regardless of version etc. I can see how a child process may not be on the approved list, but any dll's or system files accessed by cscript.exe should not be showing up as an exception. See above for an entry from my test log.
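    One way to work out which of the two explanations in this thread applies to a given log entry (a hash that differs from the baseline server, or a file such as a DLL that was never added to the list) is to re-hash the client's directory tree and diff it against the fingerprint list. The script below is an added example, not code from the thread or from Symantec; it assumes the fingerprint list is plain text with one "<md5> <full path>" per line, like the output of checksum.exe, and it builds a small constructed directory instead of a real System32.

```python
import hashlib
import os
import tempfile

# Assumed fingerprint-list format: one "<md5> <full path>" per line (checksum.exe style).
def parse_fingerprint_list(text):
    fingerprints = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            fingerprints[parts[1].lower()] = parts[0].lower()  # paths are case-insensitive on Windows
    return fingerprints

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_tree(root, fingerprints, exts=(".exe", ".dll")):
    """Classify every .exe/.dll under root against the fingerprint list.
    not_listed   -> the path never made it into the list (e.g. a DLL when only exes were gathered)
    hash_mismatch -> the path is listed but this server's binary differs from the baseline
    approved     -> path and hash both match"""
    result = {"approved": [], "hash_mismatch": [], "not_listed": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            listed = fingerprints.get(path.lower())
            if listed is None:
                result["not_listed"].append(path)
            elif listed != md5_of(path):
                result["hash_mismatch"].append(path)
            else:
                result["approved"].append(path)
    return result

def demo():
    # Constructed sample tree standing in for a server's System32 directory.
    root = tempfile.mkdtemp()
    files = {"cscript.exe": b"cscript build A", "advapi32.dll": b"advapi32", "other.exe": b"other build B"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    # Constructed list: cscript.exe matches, other.exe was hashed from a different build, advapi32.dll was never added.
    listing = f"{md5_of(os.path.join(root, 'cscript.exe'))} {os.path.join(root, 'cscript.exe')}\n"
    listing += f"{'0' * 32} {os.path.join(root, 'other.exe')}\n"
    report = audit_tree(root, parse_fingerprint_list(listing))
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
```

    Run against a real fingerprint file and C:\Windows\System32, the not_listed bucket is where an advapi32.dll entry like the one in the log above would land if only executable names were gathered.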



  • 9.  RE: Application Whitelisting

    Posted Mar 12, 2013 01:26 AM

    Well here is the update, I am still getting anomalies in my unapproved application logs.

    I have created a checksum against one server, imported that checksum file and created a fingerprint list for that server. I then moved that server into a group of its own, and applied the secure lockdown policy in log mode using the fingerprint file created on that server.

    I am still getting entries in my unapproved application list that have a valid checksum in the fingerprint file. This is why I am confused.

    Is there anything that needs to be done in the management console to ensure that the policy is getting applied to all the objects in the group, or is that dynamic? Is there something I am doing wrong?

    As always any help would be appreciated.