SEP 11 Firewall Rule - Using Hash values to trigger alerts
Question -
I want to look for specific files that initiate outbound communication through our SEP clients' firewall. I have a list of hash values that I have manually entered into a Firewall rule under the Application column, and have set it under logging to send an email when it is detected. I have also configured a client alert notification under logging.
I do not have Network Application Monitoring set to ON for any of my client groups, nor do I have the "Learn applications that run on the client computers" enabled under any of my client groups communication settings.
My question is - Will the SEP firewall still be able to alert on those hash values without enabling these settings? If the answer is yes, then I am led to believe that the SEP firewall must hash any application that attempts outbound communication "on the fly", as it's said. Is this correct? My suspicion is that it will NOT work by nature of the options toggleable under - Network Application Monitoring.
I don't believe this is spelled out anywhere in documentation.
Thanks!
Comments
RE: SEP 11 rule on hash
Hi Nardoni.
Network Application Monitoring monitors changes made to files via the network, as malware is known to do. This is different from the rule you've made in the Firewall Policy that monitors applications that send outbound information. Hash tags are frequently used in SEP's components, especially if you have them all installed/enabled.
“Your most unhappy customers are your greatest source of learning.”
mon_raralio - I appreciate your attempt to communicate something to me, but my question still remains.
Can anyone from Symantec comment on this please?
Thanks.
^_^
Hi Nardoni, if you want someone from Symantec to clarify this for you, the best course would be to contact them directly if the information sought is really important and requires urgency. The Symantec employees posting in the forums are doing this 'pro bono' and most are doing this on their off work hours.
Cheers.
Not a definitive "yes", but I believe the firewall can alert on those hashes without those settings activated (based on my experience). I don't use the firewall component. However, I use Application and Device Control to successfully block files with specific hash keys. Like you, I do not have Network Application Monitoring, nor the 'Learn Application' features enabled.
Hope that helps some.
Yes, thanks justin_g for your input. Much appreciated.