How to block applications in SEP using MD5
Hi all,
This thread is for the use of SEP in blocking applications using the MD5 file fingerprint.
The procedures are written below:
Open SEPM
- Clients - select group to apply policy to
- Click on Policies tab on right window pane
- Click on Application and Device Control policy - new window will open
- Click on Application Control
- Enable Block applications from Running and select it then click on Edit... button - new window will open
- Click on Add... in the Rules tab [I'd like to leave the default in there]
Modify the Properties
- Add Rule Name
- Click on Enable this rule
- Add the application in the Apply this rule to the following process - new window will open
- Click on Options>> to expand window
- Click on Match file fingerprint
- Copy MD5 hash in text field.
- Click on 'OK'
- Click on Actions tab
- Select the desired action to take on the monitored process, then click on OK.
Go to main client window (click on Ok to get there)
- Update clients and make sure that the policies are updated.
This link is to the discussion we had and how the solution was made.
Thanks for the initial contributions of (in no particular order): RickJDS, SysAdmin1979, Paul Mapacpac, dimitri limanovski, Grant_Hall, Nel Ramos, Cycletech, delifeath, Jobert, Ms. Gracie...and those who voted!
Rules for replying: (because I want to make this easier for new users to read this thread)
If you have an MD5 you'll post here, follow this format.
- Title is the application name
- body contains the version number and the md5 associated with it and a short description of the application.
- If it works or not, vote using the thumbs icons.
For Requests
- Title should contain the word request and the application name
- body contains additional information and possibly a link to where you got the application, if available.
- Reply to the request if you have the MD5 so that it will immediately be under the request thread for ease of search.
- If you want an MD5 for this app, vote.
Link to discussion for the solution
https://www-secure.symantec.com/connect/forums/ult...
How to get the MD5
Nice post mon_raralio,
I think it would be helpful to define how to get the MD5 value or file fingerprint (taken from SEPM help file):
Creating a file fingerprint list
You can use Checksum.exe to create a file fingerprint list. The file fingerprint list names each file and corresponding checksum that resides on the client computer image. This tool is provided with Symantec Endpoint Protection on the client.
To create a file fingerprint list
Go to the computer that contains the image for which you want to create a file fingerprint list. The computer must have Symantec Endpoint Protection client software installed.
Open a command prompt window.
Navigate to the directory that contains the file Checksum.exe. By default, this file is located in the following location:
C:\Program Files\Symantec\Symantec Endpoint Protection
Type the following command:
checksum.exe outputfile drive
where outputfile is the name of the text file that contains the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).
The following is an example of the syntax you use:
checksum.exe cdrive.txt c:\
This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.
Firefox
Firefox 3.0.10.
MD5: 7A2EE5713531A25CB3B2A516CD0E24BF
An Open Source web browser.
UltraVNC
Ultr@VNC 1.0.2 - Win32 - June 2006 (from the readme.txt file)
vncviewer.exe MD5: 95973838df1345ab4a28f346443f1cf3
winvnc.exe MD5: 913ff5a608de6a2ab320eb919092049a
Application used for remote desktop access. Requires a server and a client.
The information provided by
The information provided by you is good.
But first we need to have the MD5 value of the application or the exe to be blocked.
Checksum Batch File
For running the checksum utility I've created a simple batch file that runs it and places a text file to the root of the C drive for me.
"C:\Program Files\Symantec\Symantec Endpoint Protection\checksum.exe" "C:\%computername%.Apps.txt"
This runs the checksum for you against all drives and drops the text file with the name computername.Apps.txt - you can configure the locations as you like. This also depends on whether you have SEP installed to the default directory; adjust as needed.
If you want to only scan a specific drive then simply add the specific drive to the end like this:
"C:\Program Files\Symantec\Symantec Endpoint Protection\checksum.exe" "C:\%computername%.Apps.txt" D:\
To scan a specific folder:
"C:\Program Files\Symantec\Symantec Endpoint Protection\checksum.exe" "C:\%computername%.Apps.txt" "C:\Documents and Settings\Chuck Yeager\Desktop\Ultrasurf Versions"
Just copy the first line into a text file and save it as a .bat file and you are good to go. Just drop the batch file onto the machine you want to scan and off you go!
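The checksum.exe procedure earlier in the thread and the batch file above both produce a fingerprint list to paste into SEPM rules. Here is an added example (not from this thread or from Symantec) that does the same job in Python with hashlib: it hashes the EXEs and DLLs under a folder, writes them to a text file, and checks them against a blocklist of known MD5s, so you can both collect fingerprints and find listed files already present on a machine. File names, hashes and the output layout are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# checksum.exe lists EXEs and DLLs; SEP application rules only accept EXE fingerprints.
FINGERPRINTABLE = {".exe", ".dll"}

def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of a byte string, the 32-character fingerprint SEPM asks for."""
    return hashlib.md5(data).hexdigest()

def fingerprint_tree(root: str) -> dict:
    """Walk root and return {path: md5} for every EXE/DLL found beneath it."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in FINGERPRINTABLE:
                continue
            path = os.path.join(dirpath, name)
            h = hashlib.md5()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # chunked: installers can be large
                    h.update(chunk)
            result[path] = h.hexdigest()
    return result

def match_blocklist(fingerprints: dict, blocklist: dict) -> list:
    """Sorted (path, label) pairs whose MD5 is in blocklist ({md5: label}); posted hashes mix case."""
    wanted = {k.lower(): v for k, v in blocklist.items()}
    return sorted((p, wanted[h.lower()]) for p, h in fingerprints.items() if h.lower() in wanted)

def write_fingerprint_list(fingerprints: dict, outputfile: str) -> None:
    """Write 'md5<TAB>path' lines (a constructed layout, not checksum.exe's own format)."""
    with open(outputfile, "w", encoding="utf-8") as out:
        for path in sorted(fingerprints):
            out.write(f"{fingerprints[path]}\t{path}\n")

def demo() -> list:
    """Scan a constructed sample tree against a constructed one-entry blocklist."""
    blocklist = {md5_hex(b"hello").upper(): "SampleProxy 1.0 (constructed)"}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "tools").mkdir()
        Path(root, "tools", "proxy.exe").write_bytes(b"hello")  # hash is on the blocklist
        Path(root, "tools", "helper.dll").write_bytes(b"abc")   # hashed, but not listed
        Path(root, "notes.txt").write_bytes(b"hello")           # same bytes, skipped: not EXE/DLL
        fps = fingerprint_tree(root)
        write_fingerprint_list(fps, os.path.join(root, "apps.txt"))
        return [(os.path.basename(p), label) for p, label in match_blocklist(fps, blocklist)]
```

Point fingerprint_tree at a real drive or folder to build your own list; a hash only matches the exact build it was taken from, so every new version needs a fresh entry, as the Ultrasurf lists in this thread show.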
Ultrasurf
Ultrasurf MD5's to date that I've found:
8.6 or u86 = f53597f07ad9425d64a1eccd440e7b54
9.0 or u90 = faf9418cc0d4d4ff0a78f61283a9d29a
9.1 or u91 = 13f51c8c42e44bcb459c62e1c0e0e93b
8.7 or u87 = b6d9db95e947705eeaa98544de5647ce
8.8 or u88 = 4e3a66482ef96368251d91b4f5ae0fda
9.2 or u92 = 4b498bcac14da546f420cd08bae1894b
9.4 or u94 = 11bc744801b516d0b84fba5850ec8789
8.9 or u89 = f556271e1338dfc224cbebf6fe8f8eae
Looks like the Ultrasurf team lists the MD5's of the new versions as they are released on their website. This will be a good place to check for new versions and their MD5's.
http://www.ultrareach.com/download_en.htm
Ultrasurf is an application that creates a local proxy setting on a user's system in order to bypass a corporation-, school- or country-wide firewall. It uses the Ultrasurf servers as the proxies to hide all the user's internet traffic and deletes all the user's internet browsing history and related files.
9.5 Beta
9.5 Beta or U95a = a2cd6e4821eb21432ebe73df8d76cf86
9.5 Release Version or U95 = 88a02758a8359def232956ef028b2b77
Note: SEP can fingerprint
Note: SEP can fingerprint (and use the fingerprints in APPLICATION access control rules) EXEs only. Fingerprinting other types of files does nothing; you cannot use that fingerprint in application access control rules, which is somewhat stupid, as applications can have other extensions than EXE, like VBS, VBE, HTA, etc.
Blocking non-EXEs should be done via file and folder access control rule, but you will lose a fingerprint option.
Request: Instant messenger clients
Request for the MD5 of various Instant Messenger clients.
Like Yahoo version 8 and 9.
Yahoo Messenger 9.0.0.2152
MD5: db06b12e8de572ab8b8c482e3ee574f5
Yahoo Messenger Client Version 9.00.2152
Please don't forget to mark your thread solved with whatever answer helped you : )
found MD5 for
found MD5 for Thor:
5C53D9693F661E6A748157D766D362B3
thanks..
Nel Ramos
IMSMS
mon_raralio@ :
IMSMS is a tool that allows a mobile to send and receive IM..
MD5 for IMSMS is 1E6005419BBF5DDE53CED6C4D73DEBDB
Link below:
http://dsosoftware07.googlepages.com/imsms-instantmessagingsms
Nel Ramos
how does checksum.exe
how does checksum.exe work?
sorry for asking since I am just new to Symantec...
would it work in SAV10.1?
if not, is there a counterpart?
thanks...
checksum.exe is only
checksum.exe is only available in SEP and can only be used there. Sorry, mate. Can't think of a counterpart for that. Why not consider an upgrade if you're willing to buy another security application? This is only part of what SEP can offer. And I'm not sucking up to the product when I say this.
There is an easier way...
I just want to say that I don't see the point in posting a bunch of MD5's in this thread. You can simply go to communication settings for your group under Clients > Policies and check the "Learn applications that run on client computers" box. As per the description, "Clients will keep track of every application that is run and send the collected data to the management server." Once the logs are uploaded to the server, you can simply search for the application under Policies > Expand Policy Components > File Fingerprint Lists > Search for Applications. Once in this screen you can search by application name, file fingerprint, path, or you can list all the applications for specific computers, groups, etc. Once you find the application it should list the file fingerprint/md5.
You're right on that there is
You're right on that there is an easier way to do things. One explanation I could give you is that having the MD5 in advance would prevent the users from even installing or copying the application to your network. This is where we become proactive. :D
And not every company or admin would be willing to just enable an application or feature. Based on experience, users almost always blame the AV software whenever their PCs get slower. I just don't want to give them another excuse.
Isn't this a standard best practice?
In my experience, this is a standard best practice if management needs to track these applications for HIPAA.
Citlali might be right .. but
Citlali might be right .. but will it make the network slow... while in learning mode...
if it does... might well use it during off peaks..
do you have the md5 for
do you have the md5 for chikamail...
thanks..
Please post a link to the
Please post a link to the download page of the application. Thanks.
How to get the MD5 Value for an Application
One of the easiest ways is to download the HashTab tool from the link below :-
http://beeblebrox.org/hashtab/
Run that tool and after that you just have to right click on any application and you will get a tab for Hash Tab and in there you will get the MD5 value.
It also provides SHA-1 and CRC32 values as well.
thanks for the info.. I shall
thanks for the info..
I shall download it and check...
will give you update later..
thanks...
Nel Ramos
Firefox
This is what was "learned" in my environment by SEP (Executable, Name of Application, Version, MD5):
firefox.exe Firefox 1.9.0.3399 CA2AC84AA6C67F742D9785E553848927
firefox.exe Firefox 1.9.0.3105 A6D64056AD6CA84534143757FD782D7A
firefox.exe Firefox 1.9.0.3257 8DA0A66CB74FCBB393038E37E0F691BA
firefox.exe Firefox 1.9.0.3372 7E4B0BB3B1E87D2B0F07DFACBD5B3F0B
firefox.exe Firefox 1.9.0.3306 A4458CA176309C9358E8DF3FE88B33D5
firefox.exe Firefox 1.9.0.3384 4D9F3D6B4FA21D68B66C657D556B97A5
Firefox_Portable_3.0.10_en-us.paf.exe Mozilla Firefox, Portable Edition 3.0.10.0 5F57D760F9B0D23560B1EA09731D2349
FirefoxPortable.exe Mozilla Firefox, Portable Edition 1.6.4.0 153352 E20C8F15F66DF72F3FB1FDC4FCBCDDAC
FirefoxPortable.exe Firefox Portable 1.3.3.0 133730 B866D4C78B4F0C076FB79F5AC78FD508
hi... Where i got list of all
hi...
Where do I get a list of all MD5 file fingerprints...
please help me.
Thanx....
Aside from the MD5s posted
Aside from the MD5s posted here, follow the instructions posted on the first few threads of this discussion.
Hi Mon... are there new
Hi Mon...
are there new updates on new MD5s for the exclusion list..?
thanks...
If you want something to be
If you want something to be added, just post the program and download link for that program. Use the program name as the title.
Oh, and FYI to the rest. Good news! For those who want to block all Yahoo Messenger clients, you may want to read this blog:
http://www.ymessengerblog.com/blog/2009/06/09/we%E...
great mon.. surely this will
great mon..
surely this will make the clients go mad..
hahaha..
good for us..
Additional note on YM
Additional note on YM clients. This also nullifies some third party IM applications like Pidgin.
Freegate
Another firewall bypass software: Freegate from Dynaweb / Dynamic Internet Technology Inc. (DIT).
See http://us.dongtaiwang.com/home_en.php
MD5's that I have:
d299132bd15f0b3cab3b8f58846a2272 = Freegate 6.6
7590226aee7d99a754648ca04acbbc64 = Freegate 6.77
1ff2260a91b5b858389a33ed2e889116 = Freegate 6.79 Emergency Version
fbfb1ddb7fcfc4c4b45b4651dc1853eb = Freegate 6.79
2b948ee506f99d6c096c6fb8d0fce4e6 = Freegate 6.80
80ade9e5a7cb72a2dd9b8fe768a9602d = Stunnel - looks like a freegate add on
hi
hey, check update....
thanks..........
Well, seems like we've
Well, seems like we've blocked almost all the popular software that end users want to use on their office terminals regardless of company rules. :D
I'm just curious as to why no one requested to have msn blocked. :D Maybe because its built in emoticons aren't that good. lol
hello
I want to block MSN. Please show me how to block MSN.
Monkeyhead just follow the
Monkeyhead, just follow the instructions of mon_raralio and you will find a good result on your problem
:-)
Block msn
I can block the user, but when they arrive home they cannot use MSN Messenger. They disable Symantec Endpoint Protection but they cannot login to MSN Messenger. Please help me how to configure.
If that's the case, undo the
If that's the case, undo the changes made from your SEP and use the firewall to block the network traffic to msn instead.
The easiest way to obtain the MD5 checksum of any exe
There are several tools that calculate the MD5 hash of any provided exe file :)
you can download this simple free one called "MD5 Check utility" from this link:
http://www.midwavi.com/MD5.exe
just choose any application you want, and it will calculate the MD5 checksum :) Cheers
The quieter you become, the more you are able to hear!
http://www.mjeed.com
Great work Rule Breaker... 2
Great work Rule Breaker...
2 thumbs up for you...
will be using this cool link and check all other apps used illegitimately...
Nel Ramos
Too many application to post
Too many applications to post and to have their equivalent MD5 values... why not have a copy of an MD5 application?
If you meant to get an
If you meant to get an application to get the MD5 hash from your PC, Symantec already has that. See the 2nd post of this thread.
BTW, if you ran the program yourself, it is a big list because aside from getting the executables, it also gets the DLLs, system files...
And based on the turnout on this thread, there aren't many applications that people want blocked. And don't get me started with all the games that endusers will install on the system. :D
nice thread!
nice thread here, a helpful one :)
Favor guys do you have some basic test criteria for implementation sep? I do need it. Thanks!
John Optimus
Hi Mon... just monitored that
Hi Mon... just monitored that enduser games are internet based...
Farmtown and the likes in facebook...
We had detected a zombie apps that was traced and deleted...
just an FYI...
thanks...
Nel Ramos
Torrent
Here are some for the installers of some of the most famous peer-to-peer sharing applications that hog your company's bandwidth:
The MD5's I placed here are for the installers to prevent the users from even installing them on the harddrive. I also used Linux to get the MD5 so I didn't have the chance to install them.
(site,file,md5)
www.utorrent.com
utorrent.exe
036b08a28e47478807b56000b8e0e127
www.bittorrent.com
BitTorrent-6.2b.exe
adb22fb1110db5be4be35784aa26c142
www.Bearshare.com
BearShareV8.exe
436cd80a04eb9dfea9359409ade5869b
Thanks Mon... Do you also
Thanks Mon...
Do you also have endusers bypassing the firewalls using Firefox portables...
they use IP addresses that support proxies...
Thanks...
Nel Ramos
Hi Nel,
We can have an MD5 for Firefox portable. But the IP addresses they use will need to be blocked by a different feature. That's for SEP's firewall or a different security appliance to effectively handle.
I'm not sure what you mean by IP addresses supporting proxies.
Ultrasurf v 95 and 96
New proxy versions
http://ultrasurf.en.softonic.com/
406d754ad3baabdaa89338555482c9e9 ud_u95.exe
http://www.ultrareach.com/
e303bb009064e63e470326201da509d0 u96.exe
Looks good. It is exactly the
Looks good. It is exactly the info on MD5 that I was looking for.
Pet Fish