Endpoint Protection

  • 1.  System Lockdown on Process in Checksum List

    Posted Feb 20, 2014 09:31 PM

    Hi All,

     

    Thanks in advance for answering this post first of all.  So, this is a two-pronged question.

     

    1. What needs to be checksummed to allow an application to run?  Is it the caller process, the target or both?

    2. Has anyone had issues where you know that an application has been checksummed but it still shows in the Client Management Logs/Exception logs?

     

    Expanding on question 2.  Having a real hard time getting the exceptions to nothing in our controlled environment.  When I export the checksum from SEPM and compare the hash to that of the file that has raised an exception it seems that it has been checksummed but still getting the exception.

     

    A little about the environment.  Server 2008, Client version 12.1.2015.2015, Server version 12.1.2015.2015.



  • 2.  RE: System Lockdown on Process in Checksum List

    Posted Feb 20, 2014 09:35 PM

    When you run the checksum.exe utility it will hash all the exe's and dll's on the system. This all happens automatically.

    When you say in the exception logs, do you mean it's not being allowed? If so, I've not seen this...

    How are you adding exceptions? Are you using wildcards? For example, c:\test\*\*\



  • 3.  RE: System Lockdown on Process in Checksum List

    Posted Feb 20, 2014 10:03 PM

    Exception logs meaning SEPM -> Clients -> Domain -> Policies -> System Lockdown -> View unapproved applications. 

     

    Well instead of adding exceptions I am checksumming both "File Name" and "Application" in the Unapproved applications and adding to the current checksum.  I have been waiting around a full day before pressing "Reset Test" so that clients have been updated with the new app whitelist but still having issues.



  • 4.  RE: System Lockdown on Process in Checksum List

    Posted Feb 20, 2014 10:17 PM

    And are you updating with the new checksum?

    http://www.symantec.com/docs/HOWTO81097

    I usually just add exceptions as needed instead of checksumming

    The exceptions need to be exact though, see if this thread helps, pay attention to the Symantec employee comments

    https://www-secure.symantec.com/connect/forums/system-lockdownis-it-working

     



  • 5.  RE: System Lockdown on Process in Checksum List

    Posted Mar 02, 2014 03:51 PM

    Have you gotten this working?



  • 6.  RE: System Lockdown on Process in Checksum List

    Posted Mar 02, 2014 03:57 PM

    Not just yet. But I saw that in version 12.1.4 there are some fixes to the way exceptions are handled in system lockdown.  I am updating all of my clients at the end of this week and will reply here again with my findings :).  Fingers crossed.



  • 7.  RE: System Lockdown on Process in Checksum List

    Posted Mar 02, 2014 04:00 PM

    Very good, keep me updated, I'm curious to the outcome!

    -Brian



  • 8.  RE: System Lockdown on Process in Checksum List
    Best Answer

    Posted Mar 11, 2014 01:07 AM

    So my advice is to update.  Now when you get an exception it throws out the md5 hash of the executable that caused the exception then you can add that.

     

    So we can close this post stating that upgrading to 12.1 RU4 solved the issue.
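
An offline check for the comparison discussed in this thread, added here as an example (not code from any poster or from Symantec): it hashes a file with MD5 and looks it up in an exported fingerprint list, separating "hash not listed" from "path listed but content changed". The one-entry-per-line `<md5> <full path>` layout, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_fingerprint_list(text):
    """Parse '<md5> <full path>' lines (assumed layout) into lookups."""
    hashes, by_path = set(), {}
    for raw in text.splitlines():
        digest, _, path = raw.strip().partition(" ")
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            continue  # skip blank lines and anything that is not an MD5 entry
        hashes.add(digest)
        by_path[path.strip().lower()] = digest  # Windows paths: ignore case
    return hashes, by_path

def md5_of_file(path, chunk=1 << 20):
    """MD5 is used only because the fingerprint list is keyed on it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path, hashes, by_path):
    """Return (status, md5) for one file on disk."""
    digest = md5_of_file(path)
    if digest in hashes:
        return "approved", digest
    if path.lower() in by_path:
        # Path is in the list, but the file no longer matches the recorded
        # hash (for example it was patched after the list was generated).
        return "stale-entry", digest
    return "missing", digest

def demo():
    """Constructed sample: one listed file, one changed file, one new file."""
    with tempfile.TemporaryDirectory() as d:
        files = {"app.exe": b"hello", "lib.dll": b"patched", "new.exe": b"x"}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listing = "\n".join([
            "5d41402abc4b2a76b9719d911017c592 " + os.path.join(d, "app.exe"),
            "d41d8cd98f00b204e9800998ecf8427e " + os.path.join(d, "lib.dll"),
        ])
        hashes, by_path = parse_fingerprint_list(listing)
        return {n: classify(os.path.join(d, n), hashes, by_path)[0] for n in files}
```

A "stale-entry" result means the fingerprint list needs to be regenerated or the new hash appended before the client will treat the file as approved.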