hello,

Just review this artical

What is SYSTEM LOCKDOWN ? What Stages do I Implement SYSTEM LOCKDOWN in Symantec Endpoint Protection (SEP) ?

https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

see this thread

https://www-secure.symantec.com/connect/forums/sep-application-whitelisting

what is the method you used to whitelist?

can you double check if at the exe name is same.

Did you create a hash of all approved excecutables using checksum.exe and import into SEPM? Can you post the Control log from the affected client?

Thanks for your replies,

@ManishS -: I have implemented system lockdown as per the symantec methods, so your post, whilst informative does not really help me.

@pete_4u2002 -: I did a scan of our baseline computer and gathered all the executable names into a text file imported this text file into the system lockdown policy and enabled test mode. I keep getting multiple instances of executable names showing as unapproved, even though their name has been added as an approved application. I did the same thing with checksum, created a fingerprint list on our baseline server, imported it into system lockdown, and was still seeing some anomalies with certain files and executables showing in the log as unapproved applications, even though their checksum was in the list. I am confused.

Is the file fingerprint for, example, C:\Windows\System32\cscript.exe on Server1 the same as C:\Windows\System32\cscript.exe on Server2? I would assume that they are.

By using an executable name, is it safe to assume that all components associated with the exe automatically become approved, ie dll's etc?

Thanks for your replies.

if the cscript have different version and have different fingerprint then yes it could be the case. check the checksum value for the application running on 2 different machines.

@pete_4u2002-: I can see how that would create a different hash, but our version of cscript is consistent accross our fleet.

@Brian81 -: Thanks for that, still does not explain if cscript.exe has been added as an approved file then all instances of cscript.exe should be allowed regardless of version etc. I can see how a child process may not be on the approved list, but any dll's or system files accessed by csript.exe should not be showing up as an exception. See above for an entry from my test log.