
How do I add a list of MD5 hashes to an Application and Device Control Policy?

Created: 21 Feb 2013 • Updated: 25 Feb 2013 | 10 comments
This issue has been solved. See solution.

I'm looking for a way to add a list of about 115 MD5 hashes to approximately 7 Application and Device Control policies.  If I can import a list or copy and paste all of them at once, that would be preferable.  At the moment, adding them one at a time will take me forever.  Especially with the sluggish performance within my SEPM.

Can multiple MD5 hashes be added at once?


Brɨan's picture

I don't believe this is possible to do thru the SEPM console.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SEP_FMI's picture

Is there any way to do this on the backend?  Like manually update the files that contain the policies? 

Also, this may be all for naught since I've been reading some stuff that says Application and Device Control is not applied to 64bit machines.  I am currently running SEPM 12.1 RU2 and my clients are SEP 11 RU6 MP2.  Would this be the case?

Brɨan's picture

There might be some way with an update statement but I doubt it is supported or recommended. Symantec would be able to help though if so.

ADC is not compatible on 64bit OS with SEP 11.x

It is compatible with 64bit though if you use SEP 12.1

SEP_FMI's picture

So just to be clear I would need SEP 12.1 installed on the clients before I can utilize the ADC on 64bit OS?

Brɨan's picture

Yes

SEP_FMI's picture

One other question that just came to mind is related to the functionality of applying MD5 hashes through the ADC policy.  So let's say I do get on the right version of SEP (SEP 12.1) and I do get the MD5s applied to the ADC policy.  If I run a scheduled scan on the machines in question, will they trigger these MD5 hashes?  I guess I'm wondering what criteria will cause these ADC policies to be triggered?

I'd love to be able to update my ADC policy, get it applied to the machines, and then have them report machines with the found MD5 hash on them just by running a simple scheduled scan.  Is this possible?

Brɨan's picture

The scan piece is separate and would not affect this. The only way to report on this is to have the rule trigger, which would then cause an entry in the log.

SEP_FMI's picture

So I worked with a Symantec Security Engineer and he directed me to a link related to enabling the Application Blacklist.  This actually looks like it will do the best job for what I'm requesting.  By using the Application Blacklist you can apply a Fingerprint List of MD5 hashes.  This will save time since I won't have to manually enter each MD5 hash into the Application and Device Control policy and it also works with 64bit OS!  The only drawback is there is still no way to realtime scan for these MD5 hashes but there was no option using the ADC policy either.

http://www.symantec.com/docs/HOWTO80848

SOLUTION
Brɨan's picture

I currently use the System Lockdown blacklist but I didn't know you could import into the ADC policy?

SEP_FMI's picture

Well, it's not exactly importing into the ADC policy.  I would actually be utilizing the Application Blacklist in place of the ADC policy in this case.  Instead of putting MD5 hashes in the ADC policy, I put the MD5 hashes into a Fingerprint List that I add to my Application Blacklist.