
Monitoring Application Installs and Removal via Application & Device Control Policies

Created: 16 Jan 2013 • Updated: 16 Jan 2013 | 9 comments

Hello,

Our SEPMS are setup to forward events to SSIM and then they get distributed from there.  There is now a requirement to be notified anytime an application is installed and removed on any workstation.  Can this be setup via application and device control policies? if so any suggestion or guidance will be helpful.

Adam.

Comments (9)

.Brian:

You should be able to craft a policy to alert any time an application is installed.

Import this policy and review it. Should be set to allow and log

Attachment: New Application and Device Control policy.zip (2.09 KB)

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Adamster:

Thank you Brian. It does allow; how come you chose Minor -- 10 as the logging? I am not sure what the difference is.

Also, what about removal of software? Any way to have that logged and alerted as well?

.Brian:

It's just an easy way to identify the exact rule in the logs. I left it at the default. You can set it to whatever helps you identify it more easily.

I think you would use the same concept, the software has an uninstall mechanism and the program would call the uninstaller, so you would also see it run in the logs.

Overall, this will take some testing and monitoring on your part. It's easy to implement in theory but depending on the amount of machines you have, it could take some time to get it right.


Adamster:

So the policy as is won't actually block the application, or monitor an application install; it would just log any time an application is accessed.

.Brian:

It will not block.

Right now it will monitor everything: install, usage, uninstall.

The key will be trying to decipher the logs for the info you need but SSIM is very customisable so it shouldn't be too bad.


Adamster:

What about monitoring the following reg keys for create, delete or write attempt:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\Software\Wow6432\Microsoft\Windows\CurrentVersion\Uninstall

My understanding is that those keys should list all of the applications installed. So if there is any change in them, a policy can be set to alert. However, the only problem is differentiating between installs and uninstalls. Thoughts?
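The install-versus-uninstall question above can be answered outside the ADC log by diffing two snapshots of the Uninstall keys: a subkey that appears is an install, one that disappears is an uninstall, and a changed DisplayVersion is an upgrade. The PowerShell below is an added example written for this thread, not a Symantec script or an attachment from the original post; it reads both registry views (the 32-bit view on 64-bit Windows lives under WOW6432Node) and keeps its baseline under a constructed path in ProgramData.

```powershell
# Added example (not from the thread): snapshot and diff the Uninstall keys so
# installs, upgrades and removals can be told apart. The baseline file path is
# this example's own choice; adjust it to the host's conventions.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledSnapshot {
    # Returns a hashtable keyed by registry subkey path -> name/version/publisher.
    $snap = @{}
    foreach ($root in $UninstallKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # Entries without a DisplayName are patches or hidden components; skip them.
            if (-not $p.DisplayName) { continue }
            $snap[$sub.PSPath] = [pscustomobject]@{
                DisplayName    = $p.DisplayName
                DisplayVersion = $p.DisplayVersion
                Publisher      = $p.Publisher
            }
        }
    }
    return $snap
}

function Compare-InstalledSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Installed'; Name = $After[$k].DisplayName; Version = $After[$k].DisplayVersion; Key = $k }
        }
        elseif ($Before[$k].DisplayVersion -ne $After[$k].DisplayVersion) {
            $changes += [pscustomobject]@{ Change = 'Upgraded';  Name = $After[$k].DisplayName; Version = "$($Before[$k].DisplayVersion) -> $($After[$k].DisplayVersion)"; Key = $k }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Uninstalled'; Name = $Before[$k].DisplayName; Version = $Before[$k].DisplayVersion; Key = $k }
        }
    }
    return $changes
}

# Usage: the first run stores a baseline; each later run (e.g. from a scheduled
# task) reports what changed since the previous run and refreshes the baseline.
$BaselinePath = Join-Path $env:ProgramData 'InstallMonitor\baseline.clixml'   # constructed path
if (Test-Path $BaselinePath) {
    $before = Import-Clixml -Path $BaselinePath
    $after  = Get-InstalledSnapshot
    Compare-InstalledSnapshot -Before $before -After $after | Format-Table -AutoSize
    $after | Export-Clixml -Path $BaselinePath
}
else {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    Get-InstalledSnapshot | Export-Clixml -Path $BaselinePath
}
```

The output is per host, so to feed it into SSIM it would still need to be written to a log or event source the collector already picks up; the point of the diff is that it labels each change as Installed, Upgraded or Uninstalled rather than leaving that to be inferred from a registry-access event.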

.Brian:

It should work, but it would be something to test. I'm not sure if the full path would show up or just the executable.

You would also need to add a condition for Registry Access Attempts in the policy I attached.

In addition to the Uninstall reg key you can also add the one called Installer. It should show all programs that are installed.


Adamster (marked as solution):

This worked; however, because most installs use msiexec, when I tried to install the Yahoo Messenger program as an example, all I got was that msiexec.exe tried to access the registry. It doesn't say the application name.
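When the ADC registry-access event only names msiexec.exe, the product name is still available from the Windows Installer service itself: it writes event 11707 ("Installation completed successfully") and 11724 ("Removal completed successfully") to the Application log under the MsiInstaller provider, with the product name in the message text. The PowerShell below is an added example for this thread, not Symantec code, and it assumes the standard "Product: <name> -- ..." message layout; the lookback window is a parameter of the example's own choosing.

```powershell
# Added example (not from the thread): pull MSI install/removal events from the
# Application log to recover the product name that an msiexec.exe registry
# access event in ADC does not carry.
function Get-MsiInstallEvents {
    param([int]$Hours = 24)   # how far back to look; 24 hours is this example's default
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11724   # 11707 = install completed, 11724 = removal completed
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Message looks like "Product: Example App -- Installation completed successfully."
        $product = if ($_.Message -match '^Product:\s*(.+?)\s*--') { $Matches[1] } else { $_.Message }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 11707) { 'Installed' } else { 'Removed' }
            Product = $product
            UserSid = $_.UserId
        }
    }
}

# Usage: list the last week of MSI installs and removals on this host.
Get-MsiInstallEvents -Hours 168 | Sort-Object Time | Format-Table -AutoSize
```

Correlating the MsiInstaller event with the ADC registry event by host and timestamp gives both halves: ADC says that an installer touched the Uninstall key, and the Windows Installer event says which product it was and whether it was an install or a removal. Installers that do not use MSI (plain setup.exe packages) will not appear here, which is where the registry snapshot approach earlier in the thread still applies.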