System lockdown in Symantec Endpoint Protection.
Created: 25 Nov 2012 | 21 comments
Hi,
I have enabled System Lockdown in test mode. I have found there are more than 600 processes listed in “View Unapproved Applications”. I have already created fingerprints through Checksum and added them to the fingerprint list. Now I want to add some of the processes which are appearing in “View Unapproved Applications” (which are related to Symantec or Windows base processes) to the approved applications. So what would be the best practice to do that?
SEPM version:-RU7.
Client Version:-RU7.
OS:- Windows XP and Windows 7.
Let me know if this helps
Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO55138
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Thanks Pete_4u2002,
I have taken one new system and installed all the applications which are required in my organization, and after that I ran checksum through CMD, and after 1 hour I got all the fingerprints in one .txt. I have imported the same txt into the Fingerprint list, but we have still kept System Lockdown in test mode only.
Now we have found some Symantec as well as Windows files appearing in “View Unapproved Application”
Now MY question is:-
Thanks & Regards,
Nagesh Singh
An answer would be great to Question 1....
Hello,
Could you please clarify Question 1?
However, check the following Articles:
How to configure System Lockdown in Symantec Endpoint Protection 11.0
http://www.symantec.com/docs/TECH102526
Managing file fingerprint lists
http://www.symantec.com/docs/HOWTO55133
Configuring system lockdown
http://www.symantec.com/docs/HOWTO80848
Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO55138
How to configure System Lockdown to allow Microsoft Security Updates
http://www.symantec.com/docs/TECH103977
Enabling system lockdown to run in whitelist mode
http://www.symantec.com/docs/HOWTO80850
Also, check this Article:
https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
You could also contact Support:
Phone numbers to contact Tech Support:-
Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
India: Toll-Free 000 800 4401 456 directly
IDD call: +61 2 8220 7111
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
Customer Care Contact Numbers for Licensing Issues:-
http://www.symantec.com/support/assistance_care.jsp
How to create a new case in MySupport
http://www.symantec.com/business/support/index?page=content&id=TECH58873
Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO55138
Hope this is useful
Wael Hilal
Mobile: 00966531377132
Hi All,
MY question is:-
Thanks & Regards,
Nagesh Singh
Q1) I will come back to you when I find the solution.
For Q2, Q3, Q4, see the below please.
For Q2) hope that is helpful:
https://www-secure.symantec.com/connect/forums/sepv11-importing-unapproved-application-list-fingerprint-system-lockdown
Q3) well maybe that will be helpful for Q3)
Setting up and testing the system lockdown configuration before you enable system lockdown
http://www.symantec.com/docs/HOWTO80849
Q4) maybe that will be helpful
Managing file fingerprint lists
http://www.symantec.com/docs/HOWTO55133
Hope this will be good
Wael Hilal
Mobile: 00966531377132
Thanks & Regards,
Nagesh Singh
If the first one didn't work because of V. difference
SEPv11 - Importing Unapproved Application List into Fingerprint for System Lockdown
you'd rather use the solution below or check the other links down,
You can import them for your firewall rules.
and for App control
go to SEPM - Policies - Policy Components - File Finger Print list - Search for Application -Select Group - click Search
Select and Export the application finger print
or check this:
Go to
1)Symantec Endpoint Manager - open
2)policies
3)firewall - click
3) Add a firewall policy
4)click on firewall rules
5)customize the default setting
6)Add rule - and do whatever you like to enable and disable
or check this:
Check following Articles:
Managing file fingerprint lists
http://www.symantec.com/docs/HOWTO55133
Configuring system lockdown
http://www.symantec.com/docs/HOWTO80848
Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO55138
How to configure System Lockdown to allow Microsoft Security Updates
http://www.symantec.com/docs/TECH103977
Also, check this Article:
https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio
and
How to configure System Lockdown to allow Microsoft Security Updates
http://www.symantec.com/docs/TECH103977
Even though the Article was meant for SEP 11.x, the same Article would be assisting you with SEP 12.1 as well.
For the Enable Whitelist Mode or Enable Blacklist Mode.
You have two options
First:
Enabling automatic updates of whitelists and blacklists for system lockdown
http://www.symantec.com/docs/HOWTO81094
and the other solution is:
For enabling Blacklist:
Enabling system lockdown to run in blacklist mode
http://www.symantec.com/docs/HOWTO81100
and For Whitelist list
Enabling system lockdown to run in whitelist mode
http://www.symantec.com/docs/HOWTO80850
Hope that helps
You're always welcome,
if this was the solution please let me know
Wael Hilal
Mobile: 00966531377132
Hi,
How can I get the fingerprint of any USB as well as CD-ROM drives?
Thanks & Regards,
Nagesh Singh
You can use DevViewer. See this doc on how-to:
https://www.symantec.com/business/support/index?pa...
SEP Knowledge Base
Endpoint SWAT
Hi,
I just want to block all USB access except one USB, and this only USB can be accessed by all the systems?
Thanks & Regards,
Nagesh Singh
How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH106304
Check this thread
https://www-secure.symantec.com/connect/forums/block-usb-drives-0#comment-7321911
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
You use the ADC policy to allow/block devices.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Thanks All,
I know how to block USB drives through ADCP, but my requirement is to allow only one USB for all users. Apart from this USB, if the user connects any other USB then it must get blocked by SEP?
Thanks & Regards,
Nagesh Singh
Hi,
You can exclude the device ID for the USB block policy.
You can retrieve the device ID for DevViewer tool.
DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection
http://www.symantec.com/business/support/index?pag...
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hi Ashish,
It means to say if I connect my USB device to 100 or 1000 systems then also I’ll get the same Device ID from all the systems?
Thanks & Regards,
Nagesh Singh
Yes, the device ID is specific to that device (USB).
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Hi,
Yes, Device IDs are the same.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Dear Nagesh,
If you are blocking USB through SEPM then you should give the USB device ID in the policy box.
And I think USB device IDs are the same only...
Regards,
Ambesh Sharma
Thanks & Regards,
Ambesh
Please mark your thread as 'SOLVED' with the answer that helps you.