
System lockdown and fingerprint list

Created: 04 Oct 2012 • Updated: 05 Oct 2012 | 4 comments
ThaveshinP
This issue has been solved. See solution.

Is there documentation on using the VDI tool when trying to do a system lockdown? Have a base image that needs to be used.

Is there documentation on completing a fingerprint list and configuring a system lockdown using base image?


Mithun Sanghavi


Symantec Endpoint Protection 12.1 comes with a Tool "Virtual Image Exception"

The tool is located on SEP 12.1 Tools DVD under \Tools\Virtual Image exception

You need to download it from https// You would require a serial number for the same.

Please see the following article for more information on use of the VIEtool:

Using the Virtual Image Exception tool on a base image

Symantec Endpoint Protection 12.1 & Virtualization

Here are a few articles which may assist you:

Symantec Endpoint Protection 12.1 - Virtualization Best Practices

Symantec Endpoint Protection 12.1 - Non-persistent Virtualization Best Practices

How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

greg12

Do you mean VIE tool?

System lockdown and Virtual Image Exception (VIE) don't have much in common. System lockdown uses a whitelist (fingerprint list) to allow only clean applications to run on the clients, while the vietool marks clean files so that they don't need to be scanned by SEP.

Both techniques are applied to clean images. System lockdown uses the checksum.exe tool to get the fingerprint list, while VIE uses vietool.exe to mark the clean files. 

If you install a new application on a client running System Lockdown, it's impossible to start the application (because it's not in the whitelist). If you do the same with a client that was prepared with VIE, the application will run -- and will be scanned by Auto-Protect or by scheduled scans because it's not marked.

Is there documentation on completing a fingerprint list and configuring a system lockdown using base image?

Yes, see Implementation Guide for SEP 12.1, chapter 20, starting with page 452. VIE and vietool are explained in a separate PDF file in the folder Mithun mentioned.

If you want to use VIE and System Lockdown at the same time, I would keep the following order:

  1. Run a full scan on the base image, check for malware.
  2. Empty quarantine (if needed)
  3. Run checksum.exe for creation of fingerprint list
  4. Run vietool (that should always be the last step!)

BTW, System Lockdown is difficult to maintain because you have to add every new application (e.g., patches of Windows, Office, browsers etc.) to a special approval list. If you make a mistake (i.e., your fingerprint list does not cover all necessary applications), your client may freeze.
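
A pre-enforcement check for the coverage risk described in the reply above, added here as an example and not part of the thread or of Symantec's tooling: it compares a fingerprint list against the executables actually on disk and reports any that the list does not cover. The list format (one `<hexdigest> <path>` entry per line), the MD5 digest type, the extension set and all function names are assumptions; verify them against your own checksum.exe output.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}  # assumed set of file types to audit


def parse_fingerprint_list(text):
    """Digests from lines shaped '<hexdigest> <path>' (assumed list format)."""
    digests = set()
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and all(c in "0123456789abcdef" for c in parts[0].lower()):
            digests.add(parts[0].lower())
    return digests


def file_digest(path, algo="md5"):
    """Hash a file in chunks; MD5 is an assumption about the list's digest type."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_uncovered(root, digests):
    """Executables under root whose digest is not in the fingerprint set."""
    missing = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTS:
            if file_digest(path) not in digests:
                missing.append(str(path.relative_to(root)))
    return sorted(missing)


def demo():
    """Constructed sample: fingerprint two files, then add a third afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("notepad.exe", "shell.dll"):
            (root / name).write_bytes(name.encode())
        listing = "\n".join(f"{file_digest(p)} c:\\image\\{p.name}" for p in root.iterdir())
        (root / "newapp.exe").write_bytes(b"installed after the list was built")
        return find_uncovered(root, parse_fingerprint_list(listing))


if __name__ == "__main__":
    print(demo())
```

Matching is by digest only, so a file that was moved or renamed after fingerprinting still counts as covered, while a patched binary with new contents is reported.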