Endpoint Protection


Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

  • 1.  Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 20, 2012 01:54 PM

    Hello - 

    Under exceptions on SEPM if I add folders (and their sub folders) into the exclusions list exempting them from scans would that prevent SONAR from blocking DNS/hostname changes initiated by executables within those folders?

    I need to allow our VPN clients to initiate DNS changes/changes to the host file so that they continue to function properly but in spite of adding their folder paths to the exclusions list and applying the exception to the respective OU (SEPM synced with AD) I still see that SONAR continues to block certain legit executables from within the excluded folders from performing DNS/hostname changes.

    I do not want to add DNS or hostname change exception to specific executables cos the SHA-256 values differ from language to language and version to version. I prefer excluding the folders themselves.

    Please bear in mind that for all other folders and files I want SONAR to behave the way it currently does so changing the System Change Events (SONAR)  under the Virus and Spyware Protection Policies to log only/ignore is not an option.

    Please advise.



  • 2.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 20, 2012 01:56 PM

    Using SEP 12.1 RU1 MP1....



  • 3.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 22, 2012 10:57 PM

    Check this KB article on exceptions in SEPM:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80919

    If you exclude a folder, it will be excluded from SONAR scans.

    Exclude a folder from scans

    Supported on Windows and Mac clients.

    Excludes a folder from virus and spyware scans, SONAR, or all scans on Windows clients. You can also exclude a folder from virus and spyware scans on Mac clients.

     



  • 4.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 23, 2012 06:27 AM

    I get that.. but does that mean that SONAR will allow DNS changes initiated by executables from within the excluded folder? I think not.



  • 5.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 23, 2012 08:03 AM

    Nope, that is completely separate. So you either need to set the DNS/hostname change to allow or add via hash, neither of which you want to/can do.



  • 6.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 23, 2012 08:23 AM

     

    Yes I understand that too... as mentioned in my original post if I have legit DNS changes being initiated by more than 1 executable within those folders and I have multiple versions of the VPN software running then that would result in creating multiple SHA-256 exceptions.

     

    Isn't there a simpler way? 



  • 7.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Nov 23, 2012 11:42 AM

    If there is, I'm not aware of it. Only the two I mentioned above.



  • 8.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Jan 18, 2013 09:36 AM

    I am having the same problem and am looking for a way to do this also because we run several VPN client versions.  Looking for a way to allow all versions of our current VPN client versions to do host/DNS changes, and also guard us against having future versions blocked as well.  So far putting in a folder exception for the VPN client folder does not work.  It excludes it from SONAR scans, but does not exclude it from host/DNS changes.

    Anybody know of a way to do this?  So far it doesn't look like it is possible and we don't want to disable SONAR.



  • 9.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Jan 18, 2013 09:45 AM

    Go into your AV policy and access the SONAR tab

    Under System Change Events, set:

    DNS change detected to either Ignore or Log

    Host file change detected to either Ignore or Log



  • 10.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Jan 18, 2013 09:53 AM

    Isn't that essentially the same as disabling SONAR protection for DNS/host changes?  We'd rather not disable this protection but rather allow an exception for all versions of our VPN client software.  Thanks for the reply.



  • 11.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Jan 18, 2013 09:57 AM

    If you're on SEP 12.1 RU1 MP1 or above then you can set an exclusion per this KB article:

    Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    Article:TECH194108  |  Created: 2012-07-31  |  Updated: 2012-10-15  |  Article URL http://www.symantec.com/docs/TECH194108

     

    If you're on a lower version then you need to do what I suggested in my first post to you.

    I would suggest upgrading to the latest version of 12.1, which is 12.1.2, if you can.



  • 12.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Jan 18, 2013 12:16 PM

    We are on version 12.1 RU1 MP1.  We've done what the article states, but that uses the hash.  Our goal was to add an exception that does not include a hash (or see if it's possible) so that we can guard against installing future versions.  Thanks for your reply.



  • 13.  RE: Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

    Posted Jan 18, 2013 12:19 PM

    Unfortunately, it is not currently possible.
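
Since the thread concludes that DNS/host file change exceptions are keyed to file hashes, each VPN client version needs its own entry. The following added example (not from any poster or from Symantec) compares the SHA-256 of every binary under the VPN folders with a locally kept list of hashes already entered as exceptions, and reports which ones still need an entry and which entries are stale. The approved-list file format (one digest per line), the suffix set and all function names are assumptions; the script does not talk to SEPM.

```python
import hashlib
import re
import sys
from pathlib import Path

# Assumption: file types worth covering; adjust to what your VPN client ships.
BINARY_SUFFIXES = {".exe", ".dll", ".sys"}
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(folders):
    """Return {sha256: [paths]} for binaries under the folders and subfolders."""
    found = {}
    for folder in folders:
        for p in sorted(Path(folder).rglob("*")):
            if p.is_file() and p.suffix.lower() in BINARY_SUFFIXES:
                found.setdefault(sha256_file(p), []).append(str(p))
    return found

def parse_approved(text):
    """Parse one digest per line; '#' starts a comment. Malformed lines raise."""
    approved = set()
    for n, line in enumerate(text.splitlines(), 1):
        value = line.split("#", 1)[0].strip()
        if not value:
            continue
        if not HEX64.match(value):
            raise ValueError(f"line {n}: not a SHA-256 digest: {value!r}")
        approved.add(value.lower())
    return approved

def diff_exceptions(folders, approved):
    """Return (missing, stale): on-disk hashes lacking an exception, and
    approved hashes that no longer match any file on disk."""
    on_disk = inventory(folders)
    missing = {h: paths for h, paths in on_disk.items() if h not in approved}
    return missing, approved - set(on_disk)

if __name__ == "__main__":  # usage: script.py approved.txt FOLDER [FOLDER ...]
    approved = parse_approved(Path(sys.argv[1]).read_text())
    missing, stale = diff_exceptions(sys.argv[2:], approved)
    for h, paths in missing.items():
        print("NEEDS EXCEPTION", h, *paths)
    for h in sorted(stale):
        print("STALE", h)
```

Running it against a freshly packaged VPN client before rollout shows which new hashes have to be added as exceptions first, and the stale list shows entries for retired versions that can be removed.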