Endpoint Protection

hi Guyz 

i m using SEPM 12.1.3 and i was wondering is there a way to block file sharing on ony IM specially skype Yahoo lync etc? also the browser based IMs?

example of blocking msn application , similarly you can use to block the file/application you want

https://www-secure.symantec.com/connect/forums/block-msn

https://www-secure.symantec.com/connect/forums/how-block-applications-sep-using-md5

Defining variables in custom IPS signature

http://www.symantec.com/business/support/index?page=content&id=HOWTO55453

How to use Regular Expressions for creating custom Intrusion Prevention Signatures

Enable the application monitoring, Learned application..

it will list all the apps in your network, then in the firewall rule. select that app and block

http://www.symantec.com/connect/forums/how-block-skype-application-thru-sep-using-firewall-policy#comment-3353061

i have block the appliction but i m wishing to only block the file transfer .. so is there a way?

i mean to only block a feature 

I dont think there is a direct way. You need to find out what protocal or port they use during file transfer.

You can use wireshark to get those details. after that you can create IPS signature for the same.

Hi,

Blocking networked applications that might be under attack

Network application monitoring tracks an application's behavior in the security log. If an application's content is modified too frequently, it is likely that a Trojan horse attacked the application and the client computer is not safe. If an application's content is modified on an infrequent basis, it is likely that a patch was installed and the client computer is safe. You can use this information to create a firewall rule that allows or blocks an application.

You can configure the client to detect and monitor any application that runs on the client computer and that is networked. Network applications send and receive traffic. The client detects whether an application's content changes.

If you suspect that a Trojan horse has attacked an application, you can use network application monitoring to configure the client to block the application. You can also configure the client to ask users whether to allow or block the application.

An application's content changes for the following reasons:

·         A Trojan horse attacked the application.

·         The application was updated with a new version or an update.

You can add applications to a list so that the client does not monitor them. You may want to exclude the applications that you think are safe from a Trojan horse attack, but that have frequent and automatic patch updates.

You may want to disable network application monitoring if you are confident that the client computers receive adequate protection from antivirus and antispyware protection. You may also want to minimize the number of notifications that ask users to allow or block a network application.

To block networked applications that might be under attack

1.    In the console, click Clients.

2.    Under Clients, select a group, and then click Policies.

3.    On the Policies tab, under Location-independent Policies and Settings, click Network Application Monitoring.

4.    In the Network Application Monitoring for group name dialog box, click Enable Network Application Monitoring.

5.    In the When an application change is detected drop-down list, select the action that the firewall takes on the application that runs on the client as follows:

6.    If you selected Ask, click Additional Text.

7.    In the Additional Text dialog box, type the text that you want to appear under the standard message, and then click OK.

8.    To exclude an application from being monitored, under Unmonitored Application List, do one of the following tasks:

9.    Check the box beside the application to enable it; uncheck it to disable it.

10.  Click OK.

Regards

Ajin

Hello,

if you need to customized at enterprise level your IM solution, you need to contact the related vendor. This is related to the file sharing implementation within a specific IM application, a product feature, something SEP can't control, it's out of its scope.

ok can i block file sharing by team viewer through SEPM?

guyz need help :(

Hi,

If you goto Policies>App and Device Control. Then right click in the big empty space and 'Add' a new policy. From there the box that pops up, click application control, then Add or Edit if youve got one already.

This is where it is confusing. Make the name of the policy whatever you want, with a description. Now when it says 'Apply this rule to the following processes" Click Add and type in *. This means that whenever any process on the machine tries to open the process(the one that we havent defined yet) something is going to happen(even though we havent said what will happen or what process it is yet). That's it for this page.

Now in the left, there is a Rules column. The name of the policy you're making at this moment is there. At the bottom of this column is another Add button. Click that then Add Condition>Launch process attempts. Click on the Launch process attempts button, there should be a Properties and Actions tabs.

Now on this properties page, click Add for Apply to the following processes. Here is where you finally get to type in the name of the process you want to block. for example, C:\Program Files\Mozilla Firefox\firefox.exe. so type in the process name, then click the Actions tab. Click the 'block access' radio button, hit ok, then apply it to some user groups.

When someone tries to open firefox, they get an error saying "invalid handle" or something like that. It would be nice to not get an error, but that's about the only way i can get this to work.

Hi blackvirus009,

Actiance has a solution for controlling features at a very granular level wthin apps like Skype along with Lync, Sametime etc.  Visit us at www.actiance.com   We also integraet very nicely into E-vault/Clearwell

David Cho

650-631-6344

www.actiance.com