Critical System Protection


SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

  • 1.  SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 05, 2010 06:07 AM

    Hi,

    We recently purchased SCSP 5.2.4.266 so that we could support the Win2008 R2 platform. We earlier had SCSP version 5.1.2.

    In the management console, when we import and apply our Prevention Policy template made using SCSP 5.1.2 (via the Authoring Tool) to an Agent running on Win2008 R2, we get the following message:

    Policy Error: This IPS policy cannot be applied to Windows Vista/2008

    The agent is on the same version, i.e. 5.2.4.266. The health status shows green and the connection is OK in the management console.

    On the agent's machine, in the SISIPSServicelog, there is always this entry when we apply our prevention policy:

    "MSTA,16,2010-12-03 20:39:19.340 Z+0500,C,90,,96891db9acdf2f3b9140e0ea80ad106f,10133,,,,,UpdateThread,,F,,Translation,,,,,Policy Translation Failed: This IPS policy cannot be applied to Windows Vista/2008"

    A few more questions:

    1. When we import our Rule Set made with SCSP s/w 5.1.2 into the Authoring tool (v5.2.4.266) and compile, we always get the following error: "Error while compiling: unexpected error occurred while compiling 'policy test'". Strangely enough, validation is successful and saving works OK.

    2. Is there something that needs to be done for Prevention Policies made with earlier SCSP releases to make them work with SCSP s/w 5.2.4.266?

    3. Are there any known Prevention policy compatibility issues?

    Also please help with the above errors we are seeing.

    Appreciate a quick response.

    Thanks & Best regards

    Ravi


  • 2.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 06, 2010 09:47 AM

    Hi Ravi,

     

    SCSP 5.2+ has a completely rewritten (most portions) IPS kernel driver (known as a kernel mode intercept driver). Major changes have occurred in source policy structure from 5.1 to 5.2+. Also note that in 5.2 the IPS driver is now modular based (DLL load structure), which also changed the way IPS policies interact with the system.

    Another note is that any policy modified in the authoring environment, especially prevention policies, is not supported by Symantec. Why did you have a need to modify the prevention policy at a source level? There may well be the function you require now available in 5.2+ prevention policies, where this is no longer needed?

    From reading your inquiry it sounds like you have upgraded to 5.2.4 but have not upgraded to the newest prevention policy source, also known as the “base policy,” in the library workspace (authoring environment). The correct approach to this is to update your base policies, then use the “copy options” and “copy custom controls” (for your templates) to the newest base policy. This will allow you to keep all configured content from your older policies in the workspace environment (the CSP manager) while upgrading the base prevention policy. Also, the 5.1 track of prevention policies won't compile in the authoring environment, due to the above reasons as well. The 5.2 track of policies is really where you want to be at this stage.

    The issue you are seeing, I believe, is that your base policy is not compatible with windows 2008r2. Major changes were put in place within the policy to support the w2k8 family. This includes process routing rules (PBRs), behavior control descriptions (BCDs), and many process routing macros and init startup flows. Without the base policy upgraded the policy and driver simply won’t function on the machine, hence the error message.

    Additionally, the authoring environment is no longer shipped in the product to customers as of 5.2.6+.



  • 3.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 06, 2010 11:37 AM

    I've had problems with 5.2.4.266 on W2008 R2. The agent installs but does nothing. We worked with Symantec and needed to upgrade to 5.2.4.294. They will ask you to upgrade to the latest policy pack and agent anyway.



  • 4.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 09, 2010 04:43 AM

    Hi Intrusion_Security_Guru & Timl1228

    Many thanks for your inputs. Since my last post, we have downloaded and installed the latest SCSP s/w, i.e. 5.2.6+.

    Some clarifications about my previous post. We have NOT modified any of the base policies - we created a new Prevention Policy in Authoring tool and added Option Groups (& options) and the BCD needed for it with SCSP s/w 5.1.2. We then used this policy to apply on agents in Management console.

    I tried "Copy Options" in Management Console running on 5.2.6 as follows:

    1. Made a copy of one of the base symantec prevention policy: "sym_win_protection_core_sbp".

    2. Do a "copy options" from our Prevention Policy (made with SCSP s/w 5.1.2) to the copied base policy in step#1.

    3. Choose "Merge options"

    At this point, after merging options, when I edit the copy of the base policy (made in step#1), I don't see our option groups appearing but only the default option groups, i.e. "Global Policy Options", "Service Options" and "Interactive Program Options".

    After applying the policy to the agent, it still doesn't work. Am I missing something here?

    It would really help if you could provide detailed instructions on how to do this.

    Thanks & BR,

    Ravi



  • 5.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 09, 2010 07:40 AM

    See if you can make a copy of the sym_win_protection_core_sbp policy and apply it without making any changes. Also, have you downloaded and installed the latest policy pack?  Can you use the My Custom Programs options to build out what you need?



  • 6.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 09, 2010 11:47 AM

    Hi timl1228

    Yes, I've tried applying the sym_win_protection_core_sbp policy and it works alright. But I'm not able to merge the options in our older Policy (via copy options) into the sym_win_protection_core_sbp policy -> which is what we really want to work.

    At least it doesn't show up when I try to merge.

    Can you give me some detailed instructions on how to use "My Custom Programs" to build out our older Rule set?

    Thanks,

    Ravi



  • 7.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2
    Best Answer

    Posted Dec 09, 2010 12:21 PM

    Open the prevention policy and click on My Custom Programs. Then click on New.

    It will ask for some information:

    Display name: This is a generic name you will see in the list of custom programs.

    Category: Select whether the program you are trying to control is a service or is interactive. You can also use this to create lists of IP Addresses or other items to be referenced later. See the 5.2.6 Release notes.

    Identifier: Will be used as part of the PSET name, so no spaces or special characters.

    Description: Self-explanatory; I recommend you document everything.

    Click Finish.

    The Custom Program will appear in the list below "My Custom Programs". Expand it out and you will see all the options available for that custom PSET. Simply add the path under "Specify Daemons with Custom Privileges" and you are off and running.

    You can highlight the Custom Program (PSET) and copy it to other policies if needed.

    This is good practice because in 5.2.6 you will be able to apply more than one Prevention policy to an agent. Also in the 5.2.6 release notes.

    Hope this will satisfy your need.



  • 8.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 10, 2010 10:48 AM

    Hi Timl

    thanks again for the steps. I have a few more questions.

    My requirement is something as follows:

    1. Our software has several Windows services which use incoming and outgoing TCP ports to communicate. E.g. say MyService#1 (run by MyService1.exe), MyService#2 (run by MyService2.exe).

    2. There are also several clients (TCP) which connect with the Windows services running on our default ports (say 1345) mentioned in point#1. The clients also have predefined default ports (e.g. 161).

    I followed your instructions and added our software's services and clients via Custom Programs. Typically, for all those clients I chose "This program is Interactive" and for our Windows services I chose "This program is a Service" as the category.

    Basically, I want to add such a list of custom programs to a base symantec prevention policy like sym_win_protection_core_sbp and control access to those ports & IP addresses and file system access as well.

    Right now, if I just apply sym_win_protection_core_sbp to one of my agents which has our software service running on it, I can't log in with my client from another machine to this agent (on which our Windows services are running) at all.

    Also, please let me know if I can get in touch with you via any IM - I need to get this working ASAP and I'm on a tight deadline. Would help big time.

    Thanks, Ravi



  • 9.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 13, 2010 12:38 PM

    You can add network rules for each process set or globally. If you drill down into each process set (custom, interactive, global, etc.) you will find Network Controls, inbound and outbound, to control connections made to and from a system. Look at the Network Rules option. This is where you add your rules, much like a firewall. They are hierarchical, so first match wins. There will be some default rules, some of which you can use as a reference. Also refer to page 70 of the ips_ref.pdf included with the agent installation binary.

    Best practice is to apply the policy to your systems with Prevention globally disabled. The advantage of this is that the agent will still log everything that normally would be prevented. Using the event search you can see where to adjust your policy. This is also very useful to ensure that the applications you add to your custom programs (PSETs) actually belong to that PSET. Hope this helps.
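The two ideas in the reply above (per-process-set network rules that fall back to global rules, evaluated first-match-wins; and running with prevention disabled so the agent logs what it would have blocked) can be shown in a small simulation. This is an added example, not SCSP code or a reproduction of its policy format: the rule fields, the "per-PSET rules before global rules" ordering and the default-deny when nothing matches are assumptions chosen for the illustration, and the sample connections are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed rule shape: one direction, one protocol, a remote CIDR, an optional
# port (local port for inbound, remote port for outbound) and an action.
@dataclass(frozen=True)
class NetRule:
    direction: str          # "inbound" or "outbound"
    proto: str              # "tcp" or "udp"
    remote: str             # CIDR of the remote address, "0.0.0.0/0" = any
    port: Optional[int]     # None = any port
    action: str             # "allow" or "deny"

@dataclass(frozen=True)
class Conn:
    pset: str               # process set the program was classified into
    direction: str
    proto: str
    remote_ip: str
    port: int

def rule_matches(rule: NetRule, conn: Conn) -> bool:
    if rule.direction != conn.direction or rule.proto != conn.proto:
        return False
    if rule.port is not None and rule.port != conn.port:
        return False
    return ip_address(conn.remote_ip) in ip_network(rule.remote)

def evaluate(policy: dict, conn: Conn, prevention_enabled: bool = True):
    """Return (decision, log_line).

    Rules of the connection's PSET are consulted first, then the global rules;
    the first matching rule wins and later rules are never consulted.  With
    prevention disabled the deny is only logged (the connection goes through),
    which is how a policy can be tuned before it is enforced.
    """
    ordered = policy["psets"].get(conn.pset, []) + policy["global"]
    matched = next((r for r in ordered if rule_matches(r, conn)), None)
    intended = matched.action if matched else "deny"   # assumed default deny
    if intended == "deny" and not prevention_enabled:
        decision, outcome = "allow", "would-deny (prevention disabled, logged only)"
    else:
        decision, outcome = intended, intended
    log_line = (f"pset={conn.pset} {conn.direction} {conn.proto} "
                f"{conn.remote_ip}:{conn.port} -> {outcome}")
    return decision, log_line

def audit(policy: dict, conns) -> list:
    """Run a batch with prevention disabled and return only the log lines for
    connections the policy would have blocked: the tuning worklist."""
    return [line for c in conns
            for _, line in [evaluate(policy, c, prevention_enabled=False)]
            if "would-deny" in line]

# Constructed policy: the custom service PSET may accept TCP/1345 from the
# internal 10/8 range; everything else inbound is denied globally, and
# outbound TCP is allowed globally.
SAMPLE_POLICY = {
    "psets": {
        "MyService1": [NetRule("inbound", "tcp", "10.0.0.0/8", 1345, "allow")],
    },
    "global": [
        NetRule("inbound", "tcp", "0.0.0.0/0", None, "deny"),
        NetRule("outbound", "tcp", "0.0.0.0/0", None, "allow"),
    ],
}

# Constructed connection attempts.
SAMPLE_CONNS = [
    Conn("MyService1", "inbound", "tcp", "10.1.2.3", 1345),   # internal client
    Conn("MyService1", "inbound", "tcp", "203.0.113.9", 1345), # external client
    Conn("MyService1", "inbound", "tcp", "10.1.2.3", 3389),   # wrong port
    Conn("MyService1", "outbound", "tcp", "10.9.9.9", 161),   # service calling out
]

if __name__ == "__main__":
    for c in SAMPLE_CONNS:
        print(evaluate(SAMPLE_POLICY, c)[1])
    print("--- audit mode worklist ---")
    for line in audit(SAMPLE_POLICY, SAMPLE_CONNS):
        print(line)
```

Ordering matters: if the global "deny all inbound" rule were listed before the PSET-specific allow, the internal client would be blocked too, which is the usual cause of "I applied the base policy and my clients can't log in". The `audit` list is what you would read out of the event search before turning prevention on.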



  • 10.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 13, 2010 12:58 PM

    Hello again timl!

    Thanks for all the assistance. Now I'm able to get it working (block and unblock ports), but some minor glitches are still around.

    How do I block USB and CDROM access? I followed the example specified in the ips_ref.pdf and the HTML help, but they don't work! I get the following error when I add the files and registry entries under "Global Policy Options -> Resource List -> No-Access Resource List" -> "block all accesses to these files" and "block all accesses to these registry entries" [have followed the example in ips_ref.pdf to the 'T']:

    Failed to load driver: BCD Map Error - Unknown RSET or PSET

    So the question is, should these USB and CDROM accesses be denied under "Global Policy Options" or "Service Options"? I want all USB and CDROM access to be disabled as a default.

    Second question I have is, I want to have write access enabled for registry paths like HKEY_LOCAL_MACHINE\* globally - when I add the registry path to Global Policy Options -> Resource List -> Writable Resource List -> Allow modifications to these registry keys, it gives me the same error.

    FYI, I'm trying to apply this on an agent running on Win2008 R2.

    Thanks, Ravi



  • 11.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 13, 2010 03:11 PM

    I would venture to guess the keys in the IPS doc are probably not for W2k8. And I would specify it under Global. But I have never seen that error before, so you should probably open a ticket with Symantec. Sorry I couldn't be more help on this one.



  • 12.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 14, 2010 10:58 AM

    I was able to recreate this error but it only seems to happen when I add a value to the Global Options --> Resource List No-Access Lists--> Block and Log all access to these Registry Keys as trivial. I added values to all other lists under global, no access and it applied ok. Whether or not it actually prevented was not tested.

    I am curious as to where else in the policy this could happen, and it is definitely something that development should look at. If someone is attempting to change a resource, even if it is prevented, it should be able to log so you can identify that person/process.



  • 13.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 14, 2010 01:05 PM

    So it does look like a bug in SCSP. Not only the "no access resource list" but also under "Global Options -> Writable Resource List", if I add a registry value like "HKEY_LOCAL_MACHINE\*" to be writable, I still get the same error.

    But strange enough, if I add it to "Writable Resource Lists" under Service Options -> General Service Options, it works OK though I'm not sure if I'm achieving "Writable registry access" at a global level.




  • 14.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 14, 2010 01:30 PM

    What policy pack are you using? I didn't realize that I was using the 5.2.5 Jul 09 2010 policy pack. I created a new policy from the 5.2.6 Aug 25 policy pack and it appears to be working correctly.



  • 15.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 14, 2010 01:34 PM

    I'm using the same as yours = AUG 25 2010, 5.2.6.137.

    Could you tell me what and where you have added registry entries in detail? I can try repeating your steps here and let you know if I still see the error.



  • 16.  RE: SCSP 5.2.4.266 - Prevention Policy doesn't work on Win2008 R2

    Posted Dec 14, 2010 01:47 PM

    I am adding registry keys to the Global No Access Resource list. I did create a new policy. When you Edit your policy, click on General. What is the referenced Policy Pack?