
SEP application whitelisting

Created: 14 Jun 2012 • Updated: 21 Jun 2012 | 6 comments
Atif's picture
This issue has been solved. See solution.

One of our clients wants to use SEP to block applications on endpoints based on publisher, i.e. MS, Adobe etc. Is it doable to block or allow applications on a publisher basis?


Mithun Sanghavi's picture

Hello,

In case he wants to block the application, he could use the System Lockdown feature, which is available in SEP 11.x and SEP 12.1 Enterprise Edition.

As of now, this feature is not available in the SEP SBE 12.0 and SEP SBE 12.1.

http://www.symantec.com/docs/TECH102526

https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

In case you want to whitelist an application, then check this article:

Software developer would like to add his/her software to the Symantec White-List.

http://www.symantec.com/docs/TECH132220

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Atif's picture

Thanks Mithun for the swift response. My question is a little different. Our client wants to have certificate-based verification whitelisting on the SEP platform. Let's say the client wants to install any Microsoft product which is certified by MS. Is this possible, and if yes, how is SEPM going to verify the certified applications?

Mithun Sanghavi's picture

Hello,

This idea does not work with Symantec. As of now, the detections are based on the Reputation of a file.

http://www.symantec.com/docs/HOWTO55275

However, try creating an Idea on this:

https://www-secure.symantec.com/connect/node/add/idea

Hope that helps!!

 

Mithun Sanghavi

Atif's picture

Thanks Mithun for your feedback. I have one more query regarding MS updates and patches installation. Is there any way to allow all such updates without adding each patch's and update's signatures manually to the application whitelist? Your usual swift response is required.

Mithun Sanghavi's picture

Hello,

Question: Is there any way to allow all such updates without adding each patch's and update's signatures manually to the application whitelist?

Why would you allow the MS update patches to the Whitelist? These updates are not Threats. These updates are already carrying good Reputation.

Check these Articles on how Symantec decides the Reputation of Files.

How Symantec Endpoint Protection uses reputation data to make decisions about files

http://www.symantec.com/docs/HOWTO55275

How does Insight Lookup work?

http://www.symantec.com/docs/TECH169282

STAR

http://www.symantec.com/theme.jsp?themeid=star

It seems a new thread has been created by you on this similar question:

https://www-secure.symantec.com/connect/forums/sep-queries-0

Hope that helps!!

Mithun Sanghavi

SOLUTION
jayinoz's picture

It sounds like you want a dynamic whitelisting solution (which would allow you to specify a publisher/certificate as an updater to maintain the whitelist). In reality you would probably need several methods for doing this, as many things are not signed or not signed consistently (e.g. Adobe use lots of different certs).

@Mithun

Question: Is there any way to allow all such updates without adding each patch's and update's signatures manually to the application whitelist?

Why would you allow the MS update patches to the Whitelist? These updates are not Threats. These updates are already carrying good Reputation.

The reason you would want to do this is that the definition of whitelisting is that only whitelisted files are allowed to execute. So, the challenge is how to maintain the whitelist. Using static admin-maintained entries is not a viable solution (Win XP contains approximately 3000 'executables' - you want to create that list? you want to update it ???).

@Atif Bit9/McAfee/Lumension offer whitelisting solutions that would probably give you exactly what you need.

Cheers,

Jay
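
An audit sketch of the mixed approach described in the answer above (a publisher rule for validly signed files, hash entries for everything else), added here as an example; it is not part of the thread and not a SEP feature. The publisher names, default path and parameter names are assumptions, and the script only reports decisions, it blocks nothing.

```powershell
param(
    [string]$Path = $env:ProgramFiles,
    # Assumed publisher names, compared with the signer certificate's simple name (CN).
    [string[]]$TrustedPublishers = @('Microsoft Corporation', 'Microsoft Windows'),
    # Optional SHA-256 allow list for files that no publisher rule covers.
    [string[]]$TrustedHashes = @()
)

function Get-WhitelistDecision {
    param([System.IO.FileInfo]$File)

    $sig = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $publisher = $null
    if ($sig.SignerCertificate) {
        $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # Publisher rule: the signature must verify AND the signer must be trusted.
    # A trusted name on a file whose status is HashMismatch or NotTrusted does not count.
    if ($sig.Status -eq 'Valid' -and $TrustedPublishers -contains $publisher) {
        $decision = 'Allow'; $rule = 'publisher'
    }
    else {
        # Fallback for unsigned or inconsistently signed files: exact hash entry.
        $hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        if ($TrustedHashes -contains $hash) { $decision = 'Allow'; $rule = 'hash' }
        else                                { $decision = 'Block'; $rule = 'none' }
    }

    [pscustomobject]@{
        Decision  = $decision
        Rule      = $rule
        SigStatus = $sig.Status
        Publisher = $publisher
        File      = $File.FullName
    }
}

$results = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-WhitelistDecision -File $_ }

# Summary first: how much each rule covers and how much would still need hash entries.
$results | Group-Object Decision, Rule | Select-Object Count, Name | Format-Table -AutoSize
# Then the files a publisher-only policy would block, grouped by who signed them.
$results | Where-Object Decision -eq 'Block' | Group-Object Publisher |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

The second table shows which additional publishers, and how many unsigned files, would have to be handled by other means before a publisher-based whitelist could be enforced.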