System lockdown - SEP 12RU1MP1 - unapproved applications query?

Created: 30 Nov 2012 | 1 comment
Client - Windows 7, SEP 12.1 RU1 MP1

We created a separate group with one machine inside, took inheritance off. Then ran the checksum utility (was I not supposed to have any application running?) to create the fingerprint file on the client machine. Imported the created fingerprint file to the System Lockdown policy and then set it to Step 1: Test mode only. This ran for about 1 week and when checking under Monitors >> Logs >> Application and Device Control >> Application Control, we get almost 2500 entries where it has identified 3 files with multiple entries to be blocked and on the unapproved file listing.

Questions / Help: 

1. Why would these 3 files be logged as unapproved applications - by default, shouldn't these be allowed?

a) c:/Windows/SysWOW64/rundll32.exe

b) C:/Program Files (x86)/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Bin/ccSvcHst.exe

c) C:/Program Files (x86)/Internet Explorer/iexplore.exe

2. How do I get these applications now added as "Approved" - would I have to run the checksum util again?

3. Will I have to do this to all groups that do not have inheritance?

Hope these help!

  1. The only reasons I can think of for these to be marked as "Unapproved" are if they were missed somehow by the checksum.exe run, or if the fingerprint has changed since the checksum.exe run.  Can you verify the files are listed in your checksum.exe output, and compare the fingerprint to that recorded in the SEPM (under POLICIES -> Tasks -> "Search for Applications").
  2. From the results of the "Search for Applications" task, you could easily create a text file defining the fingerprints for just these three applications and import it into the SEPM.  Once imported, you could either use both file fingerprint lists, or merge the two together.
  3. As with all group settings changes, if inheritance is disabled on a group, then you need to apply changes directly to that group.
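The two checks in this answer (is each logged file missing from the checksum.exe output, or present with a different hash?) and the follow-up (build a small supplementary list for just the flagged files and merge it with the original) can be scripted. The block below is an added example, not a Symantec tool or anything from the original post. It assumes the fingerprint file format is one entry per line, "<MD5 hex> <full path>" (checksum.exe emits MD5 digests; treat the exact layout as an assumption and compare it against a real output file before importing). The hashes and the three scenarios are constructed for illustration: the post does not say which of the three causes applied to which file.

```python
import hashlib
from typing import Dict, List, Tuple

# Assumed fingerprint-file format (an assumption, not taken from the post):
# one file per line, "<32-hex MD5> <full path>". Paths are matched
# case-insensitively and '/' is treated like '\', because the log entries in
# the post were typed with forward slashes.


def normalize_path(path: str) -> str:
    return path.strip().replace("/", "\\").lower()


def parse_fingerprint_list(text: str) -> Dict[str, str]:
    """Parse checksum.exe-style text into {normalized_path: md5}."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first space only: paths such as "Program Files (x86)"
        # contain spaces themselves.
        digest, _, path = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest) or not path:
            raise ValueError(f"line {lineno}: expected '<md5> <path>', got {raw!r}")
        entries[normalize_path(path)] = digest
    return entries


def classify_logged(logged: List[Tuple[str, str]], approved: Dict[str, str]) -> Dict[str, str]:
    """For each (md5, path) the Application Control log reported, say why it was unapproved."""
    result: Dict[str, str] = {}
    for digest, path in logged:
        key = normalize_path(path)
        if key not in approved:
            result[path] = "missing"     # never fingerprinted by the checksum.exe run
        elif approved[key] != digest.lower():
            result[path] = "changed"     # binary differs from the fingerprinted copy
        else:
            result[path] = "approved"    # hash matches; look at policy scope instead
    return result


def md5_of_file(path: str) -> str:
    """MD5 of a file on disk, for building a supplementary entry without a full re-scan."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_supplement(logged: List[Tuple[str, str]], approved: Dict[str, str]) -> str:
    """Fingerprint-file text containing only the entries that are missing or changed."""
    verdict = classify_logged(logged, approved)
    lines = [f"{d.lower()} {p}" for d, p in logged if verdict[p] != "approved"]
    return "\n".join(lines) + "\n"


def merge_fingerprint_lists(*texts: str) -> str:
    """Merge several lists; a later list wins for the same path. Output is normalized."""
    merged: Dict[str, str] = {}
    for text in texts:
        merged.update(parse_fingerprint_list(text))
    return "\n".join(f"{d} {p}" for p, d in sorted(merged.items())) + "\n"


# Constructed sample data with placeholder hashes (not real digests).
CLIENT_FINGERPRINTS = """\
00000000000000000000000000000001 C:\\Windows\\System32\\rundll32.exe
00000000000000000000000000000002 C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\12.1.1101.401.105\\Bin\\ccSvcHst.exe
00000000000000000000000000000003 C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
"""

# Constructed (md5, path) pairs standing in for the SEPM log / "Search for Applications" output.
LOGGED = [
    ("00000000000000000000000000000009",
     "c:/Windows/SysWOW64/rundll32.exe"),                       # 32-bit copy, never fingerprinted
    ("000000000000000000000000000000aa",
     "C:/Program Files (x86)/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Bin/ccSvcHst.exe"),  # hash differs
    ("00000000000000000000000000000003",
     "C:/Program Files (x86)/Internet Explorer/iexplore.exe"),  # hash matches
]


def report(logged=LOGGED, approved_text=CLIENT_FINGERPRINTS) -> Dict[str, str]:
    return classify_logged(logged, parse_fingerprint_list(approved_text))


if __name__ == "__main__":
    for path, why in report().items():
        print(f"{why:9s} {path}")
    approved = parse_fingerprint_list(CLIENT_FINGERPRINTS)
    print(merge_fingerprint_lists(CLIENT_FINGERPRINTS, build_supplement(LOGGED, approved)))
```

A "missing" verdict points at the checksum.exe run (a file that was not on disk, or a different copy of a same-named binary, such as SysWOW64 versus System32); a "changed" verdict means the file was updated after the run and needs a fresh fingerprint; an "approved" verdict with entries still in the log means the hash is not the problem and the policy assignment for that group should be checked. The merged output lowercases paths, which is fine for Windows path matching but worth a glance before importing.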