Symantec Endpoint Protection Application and device control Exception

Created: 03 Jul 2014 | 3 comments

Hi,

I am managing a SEP 12 server at my site. We have a custom application and control rules configured for one clients group.

The issue I am facing is that whenever users try to install a network printer (Samsung), the Symantec client blocks the process.

I figured out that rule AC17 Prevent vulnerable Windows processes from writing code is stopping spoolsv.exe from communicating with the printer drivers. When I disabled the rule, it worked perfectly fine.

So, is there any way I can add an exception for these drivers so that they can communicate with spoolsv.exe and make the required changes?

I don't think permanently removing spoolsv.exe from the rule is a safe option.

Thanks,

SuperSec

James007

How to enable file and printer sharing with Symantec Endpoint Protection installed

Article:TECH90999  | Created: 2008-01-20  | Updated: 2008-01-20  | Article URL http://www.symantec.com/docs/TECH90999

You can configure a blank firewall rule to allow your printing application, or by the IP address.

You can exclude printing devices from application and device control:

For managed clients:

  1. Log in to the Endpoint Manager Console.
  2. Click Policies, then click Application and Device Control.
  3. Double-click the application and device control policy that is in use by affected clients.
  4. Click on Device Control.
  5. Under Devices Excluded From Blocking, click Add...
  6. Click Printing Devices, then click OK.

raju123

See this

The only way is to either stop the smc while installing the driver or drop the Prevent vulnerable Windows processes from writing code policy.

HP Printer software installation halts, indicating a firewall is blocking access to a network printer.

Article:TECH93444  |  Created: 2009-01-15  |  Updated: 2010-08-04  |  Article URL http://www.symantec.com/docs/TECH93444

See - http://serverfault.com/questions/577995/symantec-enpoint-protection-blocking-mapped-printer-install

greg12

Check the ADC log (e.g. Client GUI > View Logs > Control Log) and examine what really happened. The rule AC17 seems to be a rather old ready-for-use hardening rule that first emerged for SEP 11 (see http://www.symantec.com/docs/TECH132337). This particular rule forbids spoolsv and other Windows processes from writing some special files (exe, bat etc.). So it would be interesting to know which particular file was not allowed to be written by spoolsv.

If you know that file (e.g. exludedfile.exe), you can make an exception for it in AC17:

[Image: adc_rule02.jpg]

HTH!