
SEP hardening App control document incorrect, maybe....

Created: 08 May 2013 | 8 comments


This link: http://www.symantec.com/business/support/index?page=content&id=TECH171301
states that the policy will protect the following file types from being hijacked in the registry (shell open / shell load-point protection). This is the quote:

The policy will protect the registry file associations for the following filetypes:

  • .exe
  • .com
  • .bat
  • .cmd
  • .pif
  • .scr
  • .reg

However, in the actual hardening policy, the rule set (HIPS) [AC12] shows that it is configured to protect only 3 of the above - these are the three that are actually in the policy as supplied by Symantec.

[Screenshot: shell-load.png]

My questions and/or comments:

* Are these accurate and perhaps based on current data showing the others aren't really at risk? (the others are no longer a concern or problem in today's computing world?)

* Is this a mistake in the above-linked documentation? (the document in the link lists several while the actual rule set has only 3 of them)

* Is this an error of omission in the policy or rule set itself? (is the linked document correct, and someone "forgot" to include the others?)


.Brian wrote:

Did you download and import the policy from the KBA link you attached? If so, then it should all be there. I just imported it and it looks fine to me. There are a whole bunch configured in this policy.

The "default" ADC policy shows what you have above (which is lacking compared to the one in the KBA)

The KBA link implies that you need to download the policy that is attached and import it to use that one.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi wrote:

Hello,

I checked the article TECH171301 and downloaded the policy provided in the article:

Protect executable file registry configuration.dat

and found it to be correct, with all extensions. Check the screenshot:

[Screenshot: policy.JPG]

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ShadowsPapa wrote:

Mithun - yes, it helps clarify what I'm asking better than I originally asked it.

That one has a whole list, just as the document says. However, if you download the hardening policy v2, it's different. Which is better? Is it really necessary to protect that whole list, and if so, then why is the hardening policy missing all of that?

The point of people getting the hardening policy set is to do just that - harden SEP, lock things down, use more of the blades in the SEP Swiss army knife, so to speak. Use the great features. So if I truly wanted to lock things down, I'd follow the advice we see all over - get the hardening policy, and yet, it's tame compared to what you show.

I would venture a guess that folks who really want full protection and to turn SEP into a mean pit bull type of dog, they'd go for the hardening policy (v2) - but they'd probably skip this - even though it's "tighter".

Should someone there "update" or "fix" the SEP hardening application and device control policy v2 to include what you have shown? Maybe that's a better question! Would it be a good idea, or even an "ok" idea, for Symantec to put what you show into the full SEP hardening policy v2 and call it v2.2?

Or - is that one you show (which I believe is from 2011) old stuff now? The hardening policy v2 is from 2012 and has less.
I know - sorry, I'm not asking very well, am I?


Thanks for your patience. It's a crazy week.

Mithun Sanghavi wrote:

Hello,

I understand your requirements and I agree those extensions should also have been added.

However, as of now there are 2 different policies assisting with 2 different requirements:

1) Hardening SEP with ADC

Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

http://www.symantec.com/docs/TECH132337

This prevents changes to EXE, COM, and BAT shell associations, which allow a program to run any time an EXE, COM, or BAT file is run.

  • Threats use this technique to run code and to block execution of programs that may interfere with the threat.  Legitimate use is rare.

How the Application and Device Control Hardening policy works

http://www.symantec.com/business/support/index?page=content&id=TECH132307

2) SEP Application Control policy to protect executable file registry configuration

http://www.symantec.com/docs/TECH171301

There was a thread with a similar doubt; check this:

https://www-secure.symantec.com/connect/forums/application-and-device-control-hardening-policy-sepm-121


I would surely raise this to the correct authority.

Hope that helps!!

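The seven shell load points named in the opening post and in the TECH132337 excerpt above are the `(Default)` values of `HKCR\<progid>\shell\open\command` (and the `.ext` -> ProgID mapping that leads there). The following PowerShell audit is an added example, not code from Symantec, the KB articles or the forum posters: it reads those keys from both HKLM and HKCU and reports anything that differs from the stock Windows defaults. The expected command strings are the author's assumption of the stock values on a clean Windows install; verify them against a known-good reference machine in your own environment before alerting on a mismatch.

```powershell
# Added example (not from the KB articles or the SEP policy): audit the shell\open\command
# load points for .exe .com .bat .cmd .pif .scr .reg in HKLM and HKCU.
# The expected ProgIDs and command strings are the stock Windows defaults as assumed
# by the author of this example; confirm them on a clean reference machine.

$Expected = @{
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.cmd' = @{ ProgId = 'cmdfile'; Command = '"%1" %*' }
    '.pif' = @{ ProgId = 'piffile'; Command = '"%1" %*' }
    '.scr' = @{ ProgId = 'scrfile'; Command = '"%1" /S' }
    '.reg' = @{ ProgId = 'regfile'; Command = 'regedit.exe "%1"' }
}

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # The (Default) value of a registry key is exposed as the '(default)' property.
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-ShellLoadPoints {
    $findings = @()
    foreach ($ext in $Expected.Keys) {
        $want = $Expected[$ext]
        # HKCR is a merged view in which HKCU\Software\Classes takes precedence over
        # HKLM\Software\Classes, so a per-user entry silently wins. Any per-user entry
        # for these types is worth a look; the machine-wide entry is compared to the default.
        foreach ($hive in 'HKLM', 'HKCU') {
            $root   = "${hive}:\Software\Classes"
            $progId = Get-DefaultValue "$root\$ext"
            $cmd    = Get-DefaultValue "$root\$($want.ProgId)\shell\open\command"

            if ($hive -eq 'HKCU') {
                if ($progId -or $cmd) {
                    $findings += [pscustomobject]@{
                        Ext = $ext; Hive = $hive; Issue = 'Per-user override present'
                        ProgId = $progId; Command = $cmd
                    }
                }
                continue
            }
            if ($progId -and $progId -ne $want.ProgId) {
                $findings += [pscustomobject]@{
                    Ext = $ext; Hive = $hive; Issue = 'Extension mapped to unexpected ProgID'
                    ProgId = $progId; Command = $cmd
                }
            }
            if ($cmd -ne $want.Command) {
                $findings += [pscustomobject]@{
                    Ext = $ext; Hive = $hive; Issue = 'shell\open\command differs from default'
                    ProgId = $progId; Command = $cmd
                }
            }
        }
    }
    return $findings
}

$results = @(Test-ShellLoadPoints)
if ($results.Count -eq 0) {
    "All seven shell load points match the expected defaults."
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so HKLM is readable in full. A hit such as `exefile ... "C:\Users\...\something.exe" "%1" %*` is the classic hijack the KB articles describe: the planted program runs every time any .exe is launched. The audit only detects after the fact; the Application and Device Control rule discussed in this thread is what blocks the write in the first place, so the two are complementary.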

ShadowsPapa wrote:

PS. - it's very nice to see Symantec employees and technical support out here.

ShadowsPapa wrote:

I downloaded the file called "SEP Hardening Application and Device Control policy v2"

That is a screenshot from that very policy - make sure it says v2, otherwise it may be an older one.

The document or link is not where I got the policy; that's a specific one for the shell load points. But my thought is that they do it two ways: in the full application and device control policy download, they have only 3 protected, while in that specific niche policy that serves the single purpose of protecting the registry shell load points, they cover more.

I guess I'm asking: the full policy they supply protects but 3 keys or associations, but in this document and file, they protect the entire list. The full policy is NEW; the one I linked is from 2011.

Which should it be? The full list, or is it best to just do the 3? If someone has the whole policy set like I do, and, again, like I did, runs into that document that seems to say "This is what you need to protect", it brings up the question: "So, which one is better? Is the new set I got flawed or missing something?"

Or, since that was released in 2011, has it been decided that just the 3 is ok if not better? I don't like discrepancy in documents and policies, where whoever created the full SEP app and device control policy v2 does only 3, and the person who created this document says he/she does several more.

It's like what I ran into in my car hobby, AMC vehicles and engines: buy an Edelbrock intake manifold. The instructions are unclear but seem to say you need to buy and use a different gasket set for their intakes. So you call their tech support; depending on who answers the phone or the email, one will say "no, you must use the stock type as supplied by AMC." Then someone else in our forum comes in and says "I just talked to support at Edelbrock and they told me I MUST use a different style gasket." This leaves us confused: if we use one and it fails, whose fault is it? If we use the OTHER and it fails, whose fault is it? They've told us two different things.

Here, the full policy with all of the app control rules included, v2, protects just 3 things - but this document says to protect all those others.

Wait, if you think this is small or no big deal, then watch for my NEXT one. It's killing our ability to use reports and alerts. Coming soon to a Connect forum near you.........

.Brian wrote:

I have v2, and AC12 lacks in this one compared to the KBA link you have in your first post. Seems they need to be combined to create a usable one. You will spend a lot of time combining them yourself (which for now seems to be your only option) but it may be worth it if you use it.

Would be nice to see a tool/feature to compare policies and weed out the duplicates so you can create one single policy.

Mithun Sanghavi wrote:

Hello ShadowsPapa,

The Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy article (TECH132337) has been updated with the latest policy, incorporating your suggestion.

SEP Hardening Application and Device Control policy v2 has been replaced with the latest SEP Hardening Application and Device Control policy v3.

You may see a few more changes in the following articles (in the coming days):

http://www.symantec.com/docs/TECH132337

http://www.symantec.com/docs/TECH132307

http://www.symantec.com/docs/TECH171301

I appreciate your feedback.