Endpoint Protection

  • 1.  Lockdown Hash Exception?

    Posted Apr 21, 2016 11:14 AM

    We're running 12.1.6 on the server and all the 64-bit Win7 clients. I took and merged all clients' fingerprint files and put a half dozen or so into a new Group running with the Whitelist Policy on Log Unapproved Applications. Here are my questions:

    1. If I JUST took fingerprint files and haven't installed any programs or updates since, why would it immediately start logging Unapproved Applications?

    2. I have a list of Hashes, Target and Caller ones. If I have to go through and add them to an exception list, where/how is this done? The Unapproved Applications GUI doesn't allow for right-click or export options.

    Thanks!

    Lee @ TACHC



  • 2.  RE: Lockdown Hash Exception?

    Posted Apr 21, 2016 12:32 PM
    There are always child processes that are trying to update. Such as content updates or patches. This is pretty normal from what I recall on system lockdown. In regards to adding exceptions, I believe they need to be added manually but I'm not in front of a console right now to verify.


  • 3.  RE: Lockdown Hash Exception?

    Posted Apr 21, 2016 02:49 PM

    In the File Name List you can expand the scope of your whitelist(s):

    [screenshot: syslock01.png]

    "Import" lets you load a list of approved applications, and "Add ..." can be used to additionally whitelist files and folders in a very flexible manner. You can use wildcards, regular expressions or narrow down the allowed files to particular devices.

    But it's not possible to exclude apps which are already in the File Fingerprint List. It's only possible to expand the scope of whitelisting.

    Probably you know this article, but if not:

    Configuring system lockdown

    Perhaps this info may be interesting for you:

    Automatically updating whitelists or blacklists for system lockdown



  • 4.  RE: Lockdown Hash Exception?

    Posted Apr 21, 2016 04:20 PM

    Greg12, Thanks - I see that the list of Unapproved Applications shows the path to the .exe. Should I be concerned that it lists C:\Program Files (x86)\Internet Explorer\iexplore.exe? How could it have scanned the computer and missed this application? 

    Lee



  • 5.  RE: Lockdown Hash Exception?

    Posted Apr 22, 2016 06:19 AM

    If IE is in the Unapproved Applications list (btw, you can see this in the Client GUI as well, see View Logs > Client Management/View Logs > Control Log), then its MD5 hash is not in the whitelist.

    Perhaps IE was updated in the meantime; that's not unusual. But if you are absolutely sure that IE was not updated, you should be very careful about overruling System Lockdown. If you do it, you should be sure that iexplore.exe is not malware (scan it or have it checked by virustotal.com).

    In my opinion, whitelisting via System Lockdown is a feature for very special environments. It's not intended for the typical Windows box with its frequent patches.
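    An added example (not from this thread or from Symantec) of the check the reply above describes: merge several clients' fingerprint lists, then work out for each Unapproved Applications entry whether the path was never fingerprinted at all or its MD5 no longer matches what was fingerprinted (an updated or altered binary). The "md5  path" line format, the hashes and the paths are constructed assumptions, not the product's real file format.

```python
import hashlib

# Fingerprint line format assumed here: "<md5>  <path>" (constructed for this example).
def parse_fingerprints(text):
    """Parse fingerprint lines into {path (lower-cased): {md5, ...}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, _, path = line.partition(" ")  # split on first space only: paths contain spaces
        entries.setdefault(path.strip().lower(), set()).add(md5.lower())
    return entries

def merge_fingerprints(client_lists):
    """Union several clients' lists; one path may legitimately carry several hashes."""
    merged = {}
    for entries in client_lists:
        for path, hashes in entries.items():
            merged.setdefault(path, set()).update(hashes)
    return merged

def explain_unapproved(merged, path, md5):
    """Say why an Unapproved Application event appeared, given the merged whitelist."""
    known = merged.get(path.lower())
    if known is None:
        return "unknown-path"   # never fingerprinted on any merged client
    if md5.lower() in known:
        return "approved"       # hash is whitelisted; this event should not have fired
    return "hash-changed"       # same path, different binary: patch or tampering, verify it

def md5_of_file(path):
    """Hash a file on disk the way a fingerprint tool would, to compare with the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

# Constructed sample data: two clients' fingerprint lists (hashes are placeholders).
CLIENT_A = r"""
11111111111111111111111111111111  C:\Program Files (x86)\Internet Explorer\iexplore.exe
22222222222222222222222222222222  C:\Windows\System32\notepad.exe
"""
CLIENT_B = r"""
33333333333333333333333333333333  C:\Program Files (x86)\Internet Explorer\iexplore.exe
"""
MERGED = merge_fingerprints([parse_fingerprints(CLIENT_A), parse_fingerprints(CLIENT_B)])
```

Run `md5_of_file` against the flagged executable on the client and feed the result to `explain_unapproved` to tell a patched binary apart from one that was simply never fingerprinted.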



  • 6.  RE: Lockdown Hash Exception?

    Posted Apr 22, 2016 03:35 PM

    Thanks Greg,

    I'm concerned because even though I've placed a number of path\applications in the File Name list, they are still showing up in the list of Unapproved Applications. (We don't have a pre-configured list of Unapproved Applications on the SEP system or clients.)

    Our intent is to keep our healthyish systems from being able to run a CryptoBlocker or like program, and from our research a whitelist setup was the surest way to go. Do you have any other recommendations we might consider?

    Thanks again! 



  • 7.  RE: Lockdown Hash Exception?