
Best Practices for Deploying Application and Device Control In Symantec

Created: 23 Aug 2012 • Updated: 11 Sep 2012 | 4 comments
This issue has been solved. See solution.

What are the recommendations for using Application and Device Control in SEPM?


Sayan:

Application and Device Control configuration errors can disable a computer or a server. The client computer can fail, or its communication with the Symantec Endpoint Protection Manager can be blocked, when you implement an Application and Device Control Policy.

Application and Device Control is an advanced security feature that only experienced administrators should configure.

Known Limitations of ADC

1. In SEP 11, Application and Device Control functions only on 32-bit Operating Systems. ADC is not possible on 64-bit computers.
2. ADC cannot block burning to CD/DVD drives, though a workaround may be possible.
3. ADC cannot block files accessed via NetBIOS.
4. ADC shares drivers with Network Threat Protection, SEP's firewall component. ADC will only function if the NTP component is also installed.

ADC and Threat Outbreaks

Symantec Security Response has developed ADC policies to protect against the activities associated with certain particular threats. These policies are useful in reducing the risk of a threat infecting a computer, the unintentional removal of data, and to restrict the programs that are run on a computer. Administrators combating an outbreak can download, import, and distribute these policies as an additional protective measure. These policies, in .dat format, are referenced in the threat write-ups for W32.Sality.AE, W32.Imsolk.B@mm, W32.Virut.CF, Trojan.Pidief.E, W32.Changeup.C, W32.Qakbot and more.

Please note that these ADC policies are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities. After the threat has been eradicated, these policies should be withdrawn from use.

It is also possible to use ADC to limit the spread of threats for which Symantec does not yet have Antivirus signatures. If the MD5 (unique identifier) of the suspicious file is known, a policy can be created to block that MD5. For full details please see How to use Application and Device Control to limit the spread of a threat.

Configuring ADC

Rule sets consist of rules and their conditions. A rule is a set of conditions and actions that apply to a given process or processes. A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task.

You can create multiple rules and add them to a single application control rule set. Create as many rules and as many rule sets as you need to implement the protection you want, but be aware that serious performance issues arise from the use of rule sets of excessive length.

Application control rules work similarly to most network-based firewall rules in that both use the first rule match feature. When there are multiple rules where the conditions are true, the top rule is the only one that is applied unless the action that is configured for the rule is to Continue processing other rules. You should consider the order of the rules and their conditions when you configure them to avoid unexpected consequences.

When you apply a condition to all entities in a particular folder, a best practice is to use folder_name\* or folder_name\*\*. One asterisk includes all the files and folders in the named folder. Use folder_name\*\* to include every file and folder in the named folder plus every file and folder in every subfolder.

Note: A best practice is to use the Block access action to prevent a condition rather than to use the Terminate process action. Terminate process kills the application that has made the request. The Terminate process action should be used only in advanced configurations.

Note: When creating rules and conditions: remember that using complex regular expression ("regex") queries for matching may be much more CPU-intensive than plain string matching.

Recommended Limits

While there are no hard-coded limitations with regards to the number of conditions in policies, performance will be seriously impacted if policies are configured in an overly-complex manner. Please abide by the below recommendations on estimated limits.
1. Number of DeviceIDs that can be added manually to Hardware Devices in the Policy Components:
Symantec Technical Support does not recommend configuring a value greater than 1000.

2. Number of excluded devices in a Device Control policy:
Symantec Technical Support does not recommend configuring a value greater than 1000.

3. Number of Rule Sets in an Application Control policy:
Symantec Technical Support does not recommend configuring a value greater than 200.

4. Number of Rules in a Rule Set in an Application Control policy:
Symantec Technical Support does not recommend configuring a value greater than 200.

5. Number of Conditions in a Rule:
Symantec Technical Support does not recommend configuring a value greater than 200.

6. Number of entries in a condition (e.g. "File and Folder Access") listing the files and folders to which the rule does (or does not) apply:
Symantec Technical Support does not recommend configuring a value greater than 200.

If the Application Control rule sets or conditions are very large, they will cause several performance problems:
1. The SEP client will take longer to load.
2. The SEP client will take longer to switch locations.
3. The SEP client will start to consume more memory.
4. If there is an exceptionally large list, SEP's ADC component may even start to slow down other applications.
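Added example (not from this thread or from Symantec's documentation): a small Python model of the first-match evaluation, the "Continue processing other rules" action and the folder_name\* versus folder_name\*\* wildcards described in the Configuring ADC section, plus a check that flags a rule shadowed by a broader rule placed above it. The rule names, paths and the sample policy are constructed for illustration and are not real SEPM policy syntax.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    pattern: str   # e.g. r"C:\Users\*" (one level) or r"C:\Users\*\*" (recursive)
    action: str    # "allow", "block", or "continue" (log, then keep processing rules)

def path_matches(pattern: str, path: str) -> bool:
    """folder\\* matches entries directly in folder; folder\\*\\* also matches every subfolder."""
    pat, p = pattern.lower(), path.lower()          # Windows paths: case-insensitive
    if pat.endswith("\\*\\*"):
        return p.startswith(pat[:-3])                # keeps the trailing backslash: "c:\users\"
    if pat.endswith("\\*"):
        return p.rpartition("\\")[0] == pat[:-2]     # parent folder must equal the named folder
    return p == pat                                  # no wildcard: exact match only

def evaluate(rules, path):
    """First-match evaluation: the first matching rule decides unless its action is
    'continue'. Returns (decision, names of rules that fired, deciding rule or None)."""
    fired = []
    for rule in rules:
        if path_matches(rule.pattern, path):
            fired.append(rule.name)
            if rule.action != "continue":
                return rule.action, fired, rule.name
    return "allow", fired, None                      # nothing decided: default allow

def unreachable_rules(rules):
    """Ordering lint: build a representative path from each rule's own pattern and
    check whether a rule above it already decides that path (then it never fires)."""
    shadowed = []
    for i, rule in enumerate(rules):
        probe = rule.pattern.replace("*", "probe")   # C:\Users\*\* -> C:\Users\probe\probe
        _, _, decided_by = evaluate(rules[:i], probe)
        if decided_by is not None:
            shadowed.append(rule.name)
    return shadowed

# Constructed sample policy (hypothetical names and paths): a broad recursive block
# placed above a narrower allow shadows it, so the approved tools folder is blocked anyway.
SHADOWED = [
    Rule("log-removable", r"E:\*\*", "continue"),
    Rule("block-user-profiles", r"C:\Users\*\*", "block"),
    Rule("allow-approved-tools", r"C:\Users\Public\Tools\*", "allow"),
]
# The same three rules with the specific allow moved above the broad block.
CORRECTED = [SHADOWED[0], SHADOWED[2], SHADOWED[1]]
```

Running unreachable_rules over a candidate policy before deploying it catches the ordering mistake the thread warns about, without touching a client.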

pete_4u2002:

Check these links:

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies

http://www.symantec.com/docs/TECH181679

Symantec Endpoint Protection Manager - Application and Device Control - Policies explained

http://www.symantec.com/docs/TECH104431


WhitePaper on Application and Device Control:

http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

Ashish-Sharma:

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies

http://www.symantec.com/business/support/index?page=content&id=TECH145973

Thanks In Advance

Ashish Sharma


Sayan:

Symantec Endpoint Protection Application and Device Control enables extra security protection for client systems. Simple rules created with Application and Device Control can enforce security policies and stop unknown malware. This page is a resource for those looking to get the most out of this feature.

How Application and Device Control works

Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and/or control the behavior of applications. Documentation on how to take full advantage of Application Control Policies is available here: http://www.symantec.com/avcenter/security/ADC/Conf...

NEW! W32.Stuxnet protection

Application Control rule to block Stuxnet infections. Download: http://www.symantec.com/avcenter/security/ADC/CVE-...

This policy monitors '.lnk' files being READ by all processes on the following:
* Removable drives
* CD/DVD drive
* Network drives
* RAM drives

Create/write/delete are allowed but logged. The following process may read lnk files:
* rtvscan.exe

On blocking action, the user is alerted with the following message: See 'Vulnerability in Windows Shell Could Allow Remote Code Execution' (see Microsoft Security Advisory 2286198 for further information).

Examples of what Application Control can do

Block attacks from removable drives: Network worms take advantage of USB and other types of removable drives. Application Control can be used to block this attack vector while still allowing an organization to use removable media like USB drives.

Prevent unknown PDF attacks: Web-based attacks are often hiding inside a PDF file. An Application Control rule can easily stop known and unknown attacks that hide in PDF files by preventing Acrobat and Acrobat Reader from writing code to a machine.

Prevent registration of new browser helper objects: Browser Helper Objects, also known as BHOs, are commonly used by threats to spy on or interfere with web browsing. If your organization does not allow BHOs or has a pre-installed set of allowed BHOs, you can block all unwanted BHOs.

These and other rule sets, created for Symantec Endpoint Protection clients, can be downloaded from here: http://service1.symantec.com/SUPPORT/ent-security....

Community Resources

The Symantec user community has created some very useful rule sets. This page provides links to some of the best: http://www.symantec.com/connect/security/downloads

Additional Documentation

Configuring Application and Device Control: http://service1.symantec.com/support/ent-security....
Creating an Application and Device Control Policy: http://seer.entsupport.symantec.com/docs/331049.htm
Using Application and Device Control to stop registry entries added by a threat or risk: http://service1.symantec.com/support/ent-security....
How to use Application and Device Control to limit the spread of a threat: http://service1.symantec.com/support/ent-security....
How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage: http://service1.symantec.com/support/ent-security....
Merging Application and Device Control Policies: http://service1.symantec.com/SUPPORT/ent-security....
