SEP Application Control Not working
Updated: 21 May 2010 | 19 comments
This issue has been solved. See solution.
Can somebody help me with my Application Control settings in SEP? I want to block MS Groove. I tried using the exe path and using the checksum, but it is still not working. This URL is what I am using as my reference: http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/7049d06ba3c9e86f802573620054d9c2?OpenDocument
EXE PATH: C:\Program Files\Microsoft Office\Office12\groove.exe
checksum: f7351de406289f3a2fc6e0586a24082f
Comments
Have you tried it without the checksum?
Also, do you have the application control components of SEP installed on the client?
I always start with the most basic application control rule possible...check that it works...then fine tune.
cheers
Z
Yes, I just used the path, but it is still not working.
Application and Device Control needs a restart to update the policies. So did you restart your SEPM?
Ajit Jha
Regards,
Ajit Jha
Technical Consultant
STS
First I know this might seem dumb, but you would be surprised at how many people post this but don't take into account that application and device control does not work with 64-bit computers. So make sure you are not using a 64-bit computer. Second did you use the below method to find the checksum or did you use one you found on the internet? If so try to do the method below.
"Type the following command: checksum.exe outputfile drive example checksum.exe cdrive.txt c:\ "
Lastly, your question is somewhat vague. I could post the entire document again, but you have already looked through that multiple times, I am sure. Was there one part of it that you were confused about, maybe? Or something that needed more clarification? Without knowing what you are having trouble with, it is somewhat hard to answer. Please let me know if there is something I can do to help clarify things.
Cheers
Grant-
Please don't forget to mark your thread solved with whatever answer helped you : )
Application control
For Application and Device Control to work all the features of SEP should be installed on your system.
Check if Application and Device Control is installed on your client and is enabled.
hklm\software\currentControlSet\Services\Sysplant --Start value should be 1
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
We are just using 32-bit computers. I also followed the instructions from the URL that I gave in my first post for getting the checksum.
For zer0: does Application Control need to be installed on the client? Or do I just need to update the policy of my SEP client to get the new policy that I created from the SEP manager?
We are just using 32-bit computers. I also followed the instructions from the URL that I gave in my first post for getting the checksum.
For zer0: does Application Control need to be installed on the client? If yes, how can I install Application Control on the client?
Or do I just need to update the policy of my SEP client to get the new policy that I created from the SEP manager?
You need to ensure the SEP client is installed with the correct features as well as having the policy applied.
If the SEP client doesn't have the features installed, it will simply ignore that part of your policy.
Test with a client with a full feature set installed and let us know how that goes.
cheers
Z
Configure the firewall and application control policy.
kajal
How can I know that Application Control has been installed with the client? Does the default client installer created by Symantec's deployment tool not include Application Control?
Hey ashram
To check if Application and Device Control is indeed installed and working on the clients, please check this registry value (I think it was posted above too).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysplant
*Start should be equal to 1 if it is working.
I can't remember if application and device control is included by default, I am currently not at the office but I can check for you when I get back. However if you want our guide for customizing install packages you can find it here:
http://service1.symantec.com/SUPPORT/ent-security....
The key paragraph from above is this:
To create a new custom Client Install Feature Set
1. Open the Symantec Endpoint Protection Manager console.
2. On the Admin tab, under Tasks, click Install Packages.
3. The current default client installation packages appear on the right.
4. Under View Install Packages, click Client Install Feature Sets.
5. Under Tasks, click Add Client Install Feature Sets.
6. Specify the name you would like the Client Install Feature Set to have.
7. Give the Client Install Feature Set a description.
Select the components you want to include in the install package from the following list:
AntiVirus and AntiSpyware Protection
AntiVirus Email Protection
Microsoft Outlook Scanner
Lotus Notes Scanner
POP3/SMTP Scanner
Proactive Threat Protection
Proactive Threat Scan
Application and Device Control
Network Threat Protection
Network Threat Protection
Please don't forget to mark your thread solved with whatever answer helped you : )
Have you tried using the MD5 file fingerprint?
:-)
If not, please follow this procedure created by mon_raralio, if applicable.
The procedures are written below:
Open SEPM
Clients - select group to apply policy to
Click on Policies tab on right window pane
Click on Application and Device Control policy - new window will open
Click on Application Control
Enable Block applications from Running and select it then click on Edit... button - new window will open
Click on Add... in the Rules tab [I'd like to leave the default in there]
Modify the Properties
Add Rule Name
Click on Enable this rule
Add the application in the Apply this rule to the following process - new window will open
Click on Options>> to expand window
Click on Match file fingerprint
Copy MD5 hash in text field.
Click on 'OK'
Click on Actions tab
Select desired action to take on the monitored process, click on ok.
Go to main client window (click on Ok to get there)
Update clients and make sure that the policies are updated.
:-)
:-)
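Added example, not part of any post in this thread: a PowerShell script for the client-side checks the replies above describe, namely the OS bitness, the Sysplant `Start` registry value, and whether the MD5 fingerprint entered in the rule matches the file on that client. The default path and checksum are the ones quoted in the first post; the helper name `Get-Md5Hex` and the output labels are made up for this example.

```powershell
# Added example: client-side pre-checks for a SEP Application Control block rule.
# Defaults are the path and checksum quoted in the first post of this thread.
param(
    [string]$ExePath     = 'C:\Program Files\Microsoft Office\Office12\groove.exe',
    [string]$ExpectedMd5 = 'f7351de406289f3a2fc6e0586a24082f'
)

function Get-Md5Hex([string]$Path) {
    # .NET MD5 is used instead of Get-FileHash so this also runs on PowerShell 2.0.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hex = [System.BitConverter]::ToString($md5.ComputeHash($stream))
        return ($hex -replace '-', '').ToLower()
    } finally {
        $stream.Close()
    }
}

# 1. OS bitness: the thread states the feature does not work on 64-bit clients.
$is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or [bool]$env:PROCESSOR_ARCHITEW6432
"64-bit OS          : $is64"

# 2. Sysplant driver: per the thread, Start should be 1 when the feature is working.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sysplant'
$svc = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    'Sysplant           : key missing (feature probably not installed)'
} else {
    "Sysplant Start     : $($svc.Start) (expected 1)"
}

# 3. Fingerprint: a fingerprint rule can only match if the hash in the policy
#    equals the hash of the file as installed on this client.
if (Test-Path $ExePath) {
    $actual = Get-Md5Hex $ExePath
    "MD5 on this client : $actual"
    "Matches policy hash: $($actual -eq $ExpectedMd5.Trim().ToLower())"
} else {
    "File not found     : $ExePath"
}
```

Run it on the affected client rather than on the SEPM server, since both the registry value and the file hash are properties of the client.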
SEP Application Control Not working
Make sure that you have Network Threat Protection installed on the client machine.
Use the .dat file that is attached in the link below. You can also use the hashtab_setup.exe to get the MD5 and SHA-1 value of a particular exe.
Application and Device Control policy to Block Groove.exe
https://www-secure.symantec.com/connect/downloads/application-and-device-control-policy-block-grooveexe
Utility to calculate hash algorithms such as MD5, SHA1, SHA2.
https://www-secure.symantec.com/connect/downloads/utility-calculate-hash-algorithms-such-md5-sha1-sha2
Download the file "Application and Device Control policy to Block groove.exe", open your SEPM Console and click on the Policies tab. Go to the Application and Device Control policy. Here, add a new policy or edit an existing policy. Select Application Control, right-click, select Import Policy and select the .dat file you have downloaded.
Make a test group and put the client in that group so that you can test the policy before implementing it in our production environment.
I tried to block one application. My client has NTP and Application and Device Control installed. I used Peterpan's procedures to import the MD5. After I added the rule and imported the MD5 fingerprint, I cannot see the "Actions" page. On the left side Rule Panel, I can see the new rule I just created. But under the new rule, there is nothing on the next sub-level. But under the default rule, there is a rocket icon - Block these Applications. Can anyone help?
Try redoing peterpan's procedures, you may have missed something... Works for me...
Same here, I also followed the instructions of Peter Pan and it works. Thanks a lot.
Thanks for the update. I am going to mark Peter's answer as the solution so future users will know to go to his post first.
Thanks
Grant
Please don't forget to mark your thread solved with whatever answer helped you : )
Guys, any idea why Application and Control would require a restart to work? I enabled one block rule for a Vista client - it said it needed a restart to apply the rule (you know, the balloon tip that pops up from the SEP tray icon). It didn't work till restart. After restart, it blocked whatever file I was configuring, then surprise. I disabled the rule again, and then re-enabled it - was testing something - once the rule was re-enabled on the machine and the machine got the policy change - it again popped up that it needs a restart to apply the App and Dev control.
I remember having seen this somewhere, can't remember now. SEPM is MR4 while machine is RU5. Let me know if you have any suggestions.
Thanks.