
Application Whitelisting

Created: 11 Jan 2013 | 10 comments

Has anyone tried to go down the road of application whitelisting using the SEP client?

I know this can be a logistical nightmare given the number of applications available, and depending on the size of your organization.

Just curious as to the forum's thoughts.

 


.Brian's picture

Yes, and it is a very painful process for a large organisation. Especially because users want to install apps such as Firefox and Chrome or WeatherBug and they can't. So you need to have a good policy in place to make sure they understand they cannot do this.

If you have a base image, then you can run the hash check to get a hash of every program on the image that should be allowed. But if you have multiple images it can be a pain.

Then you have to let logging run for some time until you're confident you can turn on blocking.

Great feature and will keep you protected against a lot of threats, but tough to implement for a large organisation.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

If there is a need, then only enable it; else you are simply putting a bit of load on SEPM.

mtju's picture

Not worried about the load on the server, more just the implementation. Not being able to mark down "families" of apps really would make this very difficult (i.e. Adobe, MS, Mozilla).

Having to get the hash of each application, dll, etc. and then having to redo it every time a new patch or version is released sounds like it would be almost too difficult to implement. Windows updates, and you would need all new hashes for the files that were updated. Ouch!
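The re-hashing work raised in the comments above can be scoped by fingerprinting an image before and after a patch and diffing the two manifests. This is an added example, not part of the thread and not Symantec's tooling; SHA-256, the extension list, the function names and the constructed sample files are all assumptions.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx"}  # assumption: adjust per site

def fingerprint_tree(root):
    """Return {relative_path: sha256_hex} for executable files under root."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def diff_manifests(old, new):
    """Report what a patch changed and which hashes the allow list gains or loses."""
    old_hashes, new_hashes = set(old.values()), set(new.values())
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in new if p in old and new[p] != old[p]),
        "hashes_to_allow": sorted(new_hashes - old_hashes),
        "hashes_to_retire": sorted(old_hashes - new_hashes),
    }

def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed base image: fingerprint it, apply a fake patch, diff."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("app/viewer.exe", b"v1"), ("app/core.dll", b"c1"), ("readme.txt", b"doc")):
            write(root, rel, data)
        before = fingerprint_tree(root)
        write(root, "app/core.dll", b"c2")    # patched library
        write(root, "app/helper.exe", b"h1")  # new binary shipped by the patch
        return before, diff_manifests(before, fingerprint_tree(root))

if __name__ == "__main__":
    print(demo()[1])
```

Only the entries under `hashes_to_allow` need to be added after a patch; unchanged binaries keep their existing fingerprints.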

pete_4u2002's picture

It can be used; note that the more applications in the environment, the larger the size of the DB.

mtju's picture

Does this DB get loaded on the clients as well? How much network impact would we be talking for a large DB and roughly 4,000+ clients?

pete_4u2002's picture

No, clients do not load the DB. The client sends information to SEPM. Cannot commit on the DB unless you see for yourself.

What's the DB?

mtju's picture

Hmmmm. So it would need to communicate with the SEPM server before it can authorise the application? What if the machine is not on the corporate network/VPN'ed in? Does the application run or fail? Is there a default block action then?

We haven't started doing this yet, just investigating if this is a path we want to go down. The extra protection is very appealing, but with a very small staff the workload is not.

.Brian's picture

No, the DB is where all the info is stored. It doesn't play into any authorisation.

Pete is just saying you need to take into consideration the size and scalability of the DB before using this. There is a lot of logging involved and the DB can grow quickly.
