Endpoint Protection

  • 1.  SEP's Device Blocking Behaviour is On & Off Again?

    Posted Feb 25, 2011 04:59 PM

    Hi all,

    I’ve set up a “Location” template that applies to systems when two conditions are met:

    1)      Client computer uses wireless.

    2)      Client computer uses Ethernet.

    I then applied a Application and Device Control Policy that blocks Network adapters, PCMCIA slots, and USB devices.

    The intent is to have SEP detect systems that have both a wireless network connection and a wired Ethernet connection running simultaneously, and then to block network access until one of the connections is closed. So far, the setup I described works reasonably well. However, I'm noticing that the device blocking seems rather contentious, in that the device is blocked for a short duration and then unblocked. The cycle repeats over and over (blocked, unblocked, blocked, unblocked), each segment lasting anywhere from a few seconds to 10 to 15 seconds.

    To determine what's going on, I have the systems' Device Manager open and I'm watching the network devices get a red "X" while, simultaneously, I have multiple web browsers open attempting to access various web pages.

    Is this contentious blocking of devices the expected behavior of SEP under these conditions? Granted, a user afflicted with the symptom I'm describing will not find their system particularly useful (part of our goal..), but I would have expected that the devices would be constantly blocked until one of the qualifying conditions was no longer present (removing one of the network connections).

    BTW, detection of the conditions works great; no blocks occur unless both conditions are met and the network activity returns to normal shortly after one of the conditions is removed.

    TIA



  • 2.  RE: SEP's Device Blocking Behaviour is On & Off Again?

    Posted Feb 26, 2011 06:59 AM

    Hi

    There is a sample policy for wireless and Ethernet. When wireless is enabled, the Ethernet connection is disabled automatically, and vice versa. Or, by firewall policy, you can block the wireless traffic.

    I think this will solve your problem.

    There are two ways to accomplish this goal:

    1. Using a "Firewall rule" to block the wireless traffic.
    2. Using a "Device blocking rule" to disable the wireless interface fully.

      Locations for "Ethernet" and "Wireless" will need to be set up for either method selected. See below for instructions on setting up the locations for "Ethernet" and "Wireless" followed by instructions for blocking the wireless traffic while an Ethernet interface is connected using Symantec Endpoint Protection 11.x.



    • Setting up automatic location switching
      1. Select Clients> Policies in the Symantec Endpoint Protection Manager console.
      2. Under "Tasks", select Add Locations.
      3. In "Specify Location Name" type: Ethernet
      4. Click Next.
      5. Under "Specify the Condition", select Network Connection Type.
      6. Under "Connection Type" select Ethernet.
      7. Click Next> Finish.
      8. Under "Tasks", select Add Locations.
      9. In "Specify Location Name" type: Wireless
      10. Click Next.
      11. Under "Specify the Condition", select Network Connection Type.
      12. Under "Connection Type" select Wireless.
      13. Click Next> Finish.
      14. Select Manage Locations
      15. Select to highlight Wireless.
      16. Under "Switch to this location when:" select Client computer uses Wireless
      17. Click Add
      18. Select Add Criteria with AND Relationship.
      19. Under "Specify Location Criteria", select Network Connection Type
      20. Select If the client computer does not use the network connection type specified below.
      21. Select Ethernet.
      22. Click OK> OK.
        Note: By using the second requirement in the "Wireless location", the agent will switch away from this location as soon as an ethernet cable is attached.



    • Block Wireless traffic using a Firewall rule
      1. Select Clients> Policies in the Symantec Endpoint Protection Manager console.
      2. Under "View Policies", select Firewall.
      3. Double click the Firewall Policy for the "Ethernet" location.
      4. Select Rules on the left
      5. Click the "Add a new Blank Rule." button on the lower right side of the window.
      6. Select the Blank Rule made in the previous step and move it to the top of the rule list.
      7. Double click Action and select Block.
      8. Double click Adapter and select Wireless.
      9. Leave "Application", "Host", "Service" and "Time" as Any.
      10. Click OK. The action is now completed.

        Note: When using this method some initial packets (like DHCP) can still be sent over the Wireless interface while the agent is in the Ethernet location.

    • Block Wireless traffic using a Device Blocking rule (This method requires the MR2 release of the product.)
      This method is slightly more complicated, as it requires finding the hardware device ID string for the specific wireless adapters that you would like to block. The ID for a hardware device can be found either manually in the Windows registry, or automatically using the "DevViewer.exe" tool supplied on the Symantec Endpoint Protection 11.x CD.

      To find a device ID in the Windows registry
        1. Open regedit.exe and navigate to the key:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class
        2. Open up the sub-key:
          {4D36E972-E325-11CE-BFC1-08002bE10318}
        3. The 0000, 0001 etc. sub-keys under this key correspond to various networking components. Locate the one that matches the Wireless network card that you seek to block. The DriverDesc value in each subkey offers the best clue.
        4. Copy the "ComponentId" string value to the clipboard.

      To find a device ID using DevViewer
        1. Run "DevViewer.exe" from the Tools\NoSupport\DevViewer folder on the "Symantec Endpoint Protection 11.x Additional Tools" CD (CD3)
        2. Locate and select the hardware device that needs to be blocked in the "Device Tree."
        3. Right-click and select Copy Device ID

      Once the "Device ID" string has been found

        The "Device ID" string will have a format similar to the following:
        PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_03\1&F31B64E&0&21BC

        Wildcards can be used for the Device ID in Symantec Endpoint Protection 11.x, and it is recommended to shorten the string enough to match all hardware of the same model.
        For example: PCI\VEN_8086&DEV_4220&SUBSYS_27128086*
        1. Open the Symantec Endpoint Protection Manager console and navigate to the "Policies" tab
        2. Expand the Policy Components list and select Hardware Devices.
        3. Select Add Hardware Device, enter a name, and paste in the Device ID string for the wireless adapter (do not enter it as "Class ID").
        4. Go to Clients> Policies in the console.
        5. Create a new (or edit the existing) "Application and Device Control Policy" for the Ethernet location.
        6. Select Device Control and add the newly created Hardware Device to the "Blocked Devices" list.

      • Note: Hardware devices can be identified and blocked by either "Class/GUID" or "Device ID." The "Class/GUID" option cannot be used in this case as it would typically be the same for all network adapters.
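As an added example (not part of either post, and not Symantec's own tooling), the PowerShell below automates the registry lookup described in the reply: it walks the network-adapter class key `{4D36E972-E325-11CE-BFC1-08002bE10318}`, reads each subkey's `DriverDesc` and `ComponentId`, flags adapters whose description looks like a wireless NIC, and derives the shortened wildcard Device ID string the reply recommends (vendor, device and subsystem kept, instance-specific tail dropped). The class GUID, value names and the `PCI\VEN_...&DEV_...&SUBSYS_...` format come from the reply; the wireless keyword list and the function names `Get-SepDeviceIdPattern` / `Get-SepNetworkAdapterCandidate` are this example's own assumptions. Run it on the client whose adapter you want to block.

```powershell
# Added example, not from the original thread or from Symantec.
# Enumerates network adapters from the registry class key the reply names
# and derives SEP-style wildcard Device ID patterns for them.

$netClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

# Assumption: driver descriptions of wireless NICs usually contain one of these words.
$wirelessPattern = 'wireless|wi-?fi|802\.11|wlan'

function Get-SepDeviceIdPattern {
    # Turn a full device ID (registry ComponentId or DevViewer instance path)
    # into the shortened wildcard form that matches every unit of that model.
    param([Parameter(Mandatory)][string]$DeviceId)
    $id = $DeviceId.ToUpperInvariant()

    # PCI: keep VEN, DEV and (when present) SUBSYS; drop REV and the instance path.
    if ($id -match '^(?<prefix>PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4}(&SUBSYS_[0-9A-F]{8})?)') {
        return $Matches.prefix + '*'
    }
    # USB adapters: keep VID and PID, drop the per-unit serial/instance tail.
    if ($id -match '^(?<prefix>USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4})') {
        return $Matches.prefix + '*'
    }
    # Unknown bus format: return it unchanged so the admin can review it by hand.
    return $id
}

function Get-SepNetworkAdapterCandidate {
    # Returns one object per adapter subkey (0000, 0001, ...) with the data needed
    # to pick the adapter to block and the pattern to paste into "Hardware Devices".
    Get-ChildItem -Path $netClass -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Filter drivers and virtual components have no ComponentId worth blocking.
            if (-not $p.ComponentId) { return }
            [pscustomobject]@{
                Subkey      = $_.PSChildName
                DriverDesc  = $p.DriverDesc
                ComponentId = $p.ComponentId
                IsWireless  = [bool]($p.DriverDesc -match $wirelessPattern)
                SepPattern  = Get-SepDeviceIdPattern -DeviceId $p.ComponentId
            }
        }
}

# The class GUID in $netClass is shared by every adapter listed here, which is why
# the reply says blocking by "Class/GUID" cannot single out the wireless card.
Get-SepNetworkAdapterCandidate | Format-Table -AutoSize

# Sanity check against the ID quoted in the reply.
Get-SepDeviceIdPattern -DeviceId 'PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_03\1&F31B64E&0&21BC'
```

For the sample ID from the reply the last call yields `PCI\VEN_8086&DEV_4220&SUBSYS_27128086*`, the same shortened string the reply shows. Check the `IsWireless` column by eye before adding a pattern to the policy: the keyword match is a heuristic, and a too-short pattern (for example stopping at `DEV_`) would also block wired adapters from the same vendor.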