Endpoint Protection


Forcing Detection of a File on SEP

  • 1.  Forcing Detection of a File on SEP

    Posted Mar 18, 2016 07:12 AM

    Hello all, I need to know if there is any way we can force detection of a file, i.e. *.exe, *.dll or *.bat, on SEP for either low reputation, SONAR or AP.

    I have a scenario in which I need to forcefully create an incident on SEP for a few files. Is there any way I can do this?

    Regards



  • 2.  RE: Forcing Detection of a File on SEP
    Best Answer

    Posted Mar 18, 2016 07:28 AM

    Use the 'Application to Monitor' option:

    https://www-secure.symantec.com/connect/articles/how-utilize-sep-121-incident-response-part-1

    Only works for EXEs



  • 3.  RE: Forcing Detection of a File on SEP

    Posted Mar 18, 2016 07:29 AM

    For Auto-Protect, all you need is to just access the file path, then AP will kick in. But for SONAR it all depends on how the application behaves, and if I am not wrong it will kick in automatically when the file is acting suspiciously.



  • 4.  RE: Forcing Detection of a File on SEP

    Posted Mar 18, 2016 07:55 AM

    Hi Praveen, for any file I access, i.e. .exe, .dll or .bat, AP will kick in and scan every file when it is executed regardless of its extension?



  • 5.  RE: Forcing Detection of a File on SEP

    Posted Mar 18, 2016 07:56 AM

    That's one of the SEP options: to scan a file when it is accessed or modified.

    Why don't you just right click on it and invoke the scan for viruses option? What are you needing exactly?



  • 6.  RE: Forcing Detection of a File on SEP

    Posted Mar 18, 2016 08:19 AM

    Yes, regardless of the extension AP will kick in if you have enabled "scan when a file is accessed or modified".



  • 7.  RE: Forcing Detection of a File on SEP

    Posted Mar 18, 2016 08:43 AM

    Well, the thing is we have ATP integrated with SEP. Ideally SEP is supposed to do the Insight lookup when it scans the file if it doesn't have anything in its local reputation about the file itself. So what we want to achieve is to forcefully create an incident on the client for this file so this information will show up in the ATP console, and from there we can take further action on it.

    As you already know, SEP won't do anything about 0-day files for which it doesn't have the signature (traditional AV scanning). SONAR also needs to have the behavioral analysis or characteristics of the file or process before it convicts it as malicious. So this is why we want to have all the info available on the ATP console.

    I can achieve it for DLLs and EXEs, but I am looking for a way to do it for other file extensions like .bat and batch files.



  • 8.  RE: Forcing Detection of a File on SEP

    Posted Mar 21, 2016 08:40 AM
    Hi guys, can you please reply to my above query. Appreciate your help and suggestions. Thanks


  • 9.  RE: Forcing Detection of a File on SEP

    Posted Mar 21, 2016 08:43 AM

    Not many folks around here run ATP. Best off calling support or engaging someone on the partner side.



  • 10.  RE: Forcing Detection of a File on SEP

    Posted Mar 21, 2016 11:49 AM
    Hi Brian, thanks for the reply. Actually this is something related to SEP because we are trying to force a detection to create an incident on SEP. All I can see is that SEP can only perform an Insight lookup for EXE, MSI and DLL files. Nor will it perform a lookup for files that it has scanned.


  • 11.  RE: Forcing Detection of a File on SEP

    Posted Mar 21, 2016 12:39 PM

    Download Insight scans executable files (.bat, .com, .dll, .drv, .exe, .msi, .ocx, .sys) when they are downloaded through or launched by a portal application.