Network Application Monitoring and Allow and Log all

Created: 29 Jun 2010 • Updated: 31 Jul 2010 | 9 comments
This issue has been solved. See solution.

Hello,

    We have the "allow and log" option set up in the Network Application Monitoring on the Policies tab. But whenever an executable gets updated, the end user is still asked to either Allow or Block the executable from running. Is the "allow and log" option not a true Allow and Log option? We would like to have our end users not have the option appear to them.

TIA
LTD Security

Rafeeq's picture

It will ask for all the applications running for the very first time (I'm pretty sure of this). If the application is updated or upgraded, it will be considered new and will be asked again. Can you disable ASK?

LTDSecurity's picture

Rafeeq,

   There are 3 options available when the Network Application Monitoring is enabled: Ask, Block the traffic, and Allow and Log. We have the Allow and Log option enabled, so the user should not be prompted with the option to deny or allow the executable to run, correct?

   All of the clients do have the most current policy with the Allow and Log option selected.

Rafeeq's picture

Correct! I was a little confused when you mentioned that users are prompted, so I wanted to make sure that you have not enabled it.

The document says:
"you can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log."

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/36f099f2e011f3dc882573a2005a9326?OpenDocument

Vikram Kumar-SAV to SEP's picture

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/36f099f2e011f3dc882573a2005a9326?OpenDocument

Make sure you set it for all the groups.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

LTDSecurity's picture

Rafeeq,

   Yes, the option for Allow and Log is set, but the end user still is prompted with an option; this is not what we want for the end user. According to the settings, Allow and Log, this would lead me to believe that whenever an executable has been changed, the executable would be allowed to run and the executable changes, i.e. new date modified or new hash, would be logged, hence the Allow and Log option. Am I incorrect here?

Rafeeq's picture
Symantec Endpoint Protection clients will only get the Network Application Monitoring settings from the Symantec Endpoint Protection Manager if they are in Server Control Mode.

In Mixed or Client Control Modes, Network Application Monitoring has two options, enabled or disabled. This means that if Network Application Monitoring is enabled, the user will get prompted every time there is a change to a Network Application.

What mode are your clients in?

SOLUTION
LTDSecurity's picture

Rafeeq,

   Looks like you found our issue. The clients are in Mixed Mode, I am changing to Server Control and doing some testing and will let you know the results.

Thanks!!

LTDSecurity's picture

Rafeeq,

   The option for the clients to be in Server Control fixed the Allow and Log option to actually Allow and Log the executable change information. Your solution has been marked as the solution.

   Thank you very much for your help!!!

_Brian's picture

What log can I use to monitor this feature?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.