Endpoint Protection

  • 1.  system lockdown

    Posted Apr 01, 2014 12:31 PM

    Hi all,

    I have a question about system lockdown.
    For a small homeshoring project we want to use system lockdown on laptops so people can only start programs we allowed in the fingerprint.

    So what we did:
    -Install a laptop with all the applications the agents need to use to do their work.
    -Use checksum.exe to create a file fingerprint from this system.
    -Create a new group in SEPM, make a new policy for system lockdown with the file fingerprint, move the laptops to this group.

    It all worked pretty great until today. We made exclusions so Windows Update can run. We applied a new Windows update that changed about 18000 regkeys :) After that the laptops were all bricked, totally unusable :) IE can't be started, even the SEP client didn't start.

    From my perspective:

    What went wrong: Windows Update changed files / file paths, the file fingerprint did not have these new locations in its list, so the executables were denied to run. So for every new Windows update, disable system lockdown, make a new file fingerprint, import it? Right?

    Some other questions:
    Can I use the same file fingerprint / policy on different hardware, as long as the software that needs to run is the same?
    Is there a way to 'unbrick' bricked devices? Will uninstalling SEP fix it? I think a new Windows install is needed because almost nothing will start and SEP services can't be stopped or removed :)

    Thanks,

    Levd




  • 2.  RE: system lockdown

    Posted Apr 01, 2014 12:35 PM

    Configuring system lockdown

    http://www.symantec.com/docs/HOWTO55130



  • 3.  RE: system lockdown

    Posted Apr 01, 2014 12:36 PM

    How long did you leave it in monitor mode to watch for changes. I would start with a month depending on how many machines you have.

    Can you get into add/remove programs to uninstall the application and device control component? Or just simply disable it from the SEP interface/withdraw the policy.

    Yes, hardware doesn't matter. It's only for software.

    You need to manually add exclusions for system lockdown.

    How to configure System Lockdown to allow Microsoft Security Updates

    Symantec Endpoint Protection system lockdown blocks definitions updates

    You can run a new file fingerprint and merge them as well

    Enabling automatic updates of whitelists and blacklists for system lockdown

    Automatically updating whitelists or blacklists for system lockdown



  • 4.  RE: system lockdown

    Posted Apr 01, 2014 01:23 PM
    Hi Brian,

    Well, we didn't run in monitor mode for long. In monitor mode you see the applications that run and are not in the file fingerprint, right? I put it back into monitor mode now, btw.

    Like I said, I think the problems are caused by the Windows update. I already whitelisted Windows Update to run, but I think this caused the issue. File/folder paths changed, not recognized by the file fingerprint list anymore, so blocked ;)

    I can get into Add/Remove Programs but SEP won't uninstall; also the client isn't connected to the SEPM anymore. Services can't be disabled. So I guess a reinstall is the only way.

    Levd


  • 5.  RE: system lockdown

    Posted Apr 01, 2014 01:26 PM

    That's correct. Apps not in the file fingerprint will show up in the exception list, and then they can be added.

    Also, try going into safe mode first to see if you can just remove the Application and Device Control component. I don't believe SEP will fully load up in safe mode, so you can possibly fix it from there. If all else fails, you can try a CleanWipe, but that may not even run.



  • 6.  RE: system lockdown

    Posted Apr 02, 2014 05:31 AM

    Ok, thanks, I will try and fix them.
    But the main issue: how can it be possible that a Windows update destroyed the machines? I know this update changed registry keys, so I guess that's the problem: folder and file paths changed, so not recognized anymore by the file fingerprint.

    Levd



  • 7.  RE: system lockdown

    Posted Apr 02, 2014 06:09 AM

    I must admit, it sounds to me (dunno how accurate this assessment is) that the Windows updates (whatever the updates were) changed/updated some of the core processes (therefore changing the file hash) so that SEP's System Lockdown no longer allows these core processes to run.

    I'd personally recommend implementing a managed process for distributing Windows updates should you wish to continue using System Lockdown to:

    • deploy Windows Updates on a test box in Monitor mode first to check if anything starts getting blocked
    • update the whitelist as necessary (the below article on automatically updating the lists might be helpful here:
      http://www.symantec.com/docs/HOWTO81094)
    • verify the test box operates correctly in block mode
    • finally, deploy the tested updates to your production machines
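    An added example, not from this thread or from Symantec, showing why the update broke the machines and what the "fingerprint, diff, merge" step of the process above looks like in code: a whitelist keyed on file hashes denies any patched binary (same path, new hash) and any new binary (new path) until the list is refreshed. The hash algorithm, the path/hash list format and the set of "executable" extensions are assumptions and do not reproduce checksum.exe's own output; the sample paths and contents are constructed.

```python
import hashlib
from pathlib import Path

# File types treated as executable content worth fingerprinting (assumption).
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".com", ".scr"}

def hash_bytes(data: bytes) -> str:
    """SHA-256 of file content; hash choice and list format are assumptions,
    not the output format of SEP's checksum.exe."""
    return hashlib.sha256(data).hexdigest()

def fingerprint_tree(root) -> dict:
    """Walk a real directory tree: {relative_path: hash} for executable files."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): hash_bytes(p.read_bytes())
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_EXTS}

def fingerprint_blobs(blobs: dict) -> dict:
    """Same shape as fingerprint_tree, fed from constructed in-memory {path: bytes}."""
    return {path.lower(): hash_bytes(data) for path, data in blobs.items()}

def diff_fingerprints(baseline: dict, current: dict) -> dict:
    """What block mode would deny if the old list stayed in force after an update:
    'changed' = same path, new hash (patched binary); 'added' = path not listed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current
                          if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def merge_fingerprints(baseline: dict, current: dict) -> dict:
    """Merge into {path: set of allowed hashes}: old hashes stay (a rolled-back
    binary still runs) and the update's new hashes are added."""
    merged = {p: {h} for p, h in baseline.items()}
    for p, h in current.items():
        merged.setdefault(p, set()).add(h)
    return merged

if __name__ == "__main__":
    # Constructed sample: an update patches ntdll and adds one DLL; agent.exe is unchanged.
    before = fingerprint_blobs({"Windows/System32/ntdll.dll": b"build 1",
                                "Program Files/Agent/agent.exe": b"agent"})
    after = fingerprint_blobs({"Windows/System32/ntdll.dll": b"build 2",
                               "Program Files/Agent/agent.exe": b"agent",
                               "Windows/System32/newsvc.dll": b"new"})
    print(diff_fingerprints(before, after))
    print({p: sorted(h) for p, h in merge_fingerprints(before, after).items()})
```

    Run the diff against a test box in monitor mode after patching; every path in "changed" or "added" is one that block mode would have denied, so those are the entries to merge before the laptops leave monitor mode.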