System lockdown in Symantec Endpoint protection.

Created: 25 Nov 2012 | 21 comments

Hi,

I have enabled System Lockdown in test mode. I have found there are more than 600 processes listed in “View Unapproved Applications”. I have already created fingerprints through Checksum and added them to the fingerprint list. Now, if I want to add some of the processes which are appearing in “View Unapproved Applications” (which are related to Symantec or Windows base processes) to the approved applications, what would be the best practice to do that?

SEPM version:-RU7.

Client Version:-RU7.

OS:- Windows XP and Windows 7.

pete_4u2002's picture

Let me know if this helps.

Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/HOWTO55138

 

Nagesh Singh's picture

Thanks Pete_4u2002,

I have taken one new system and installed all the applications which are required in my organization, and after that I ran checksum through CMD, and after 1 hour I got all the fingerprints in one .txt. I have imported the same txt into the fingerprint list, but we have still kept System Lockdown in test mode only.

Now we have found some Symantec as well as Windows files appearing in “View Unapproved Application”.

Now my question is:

  1. If I want to get all the processes at starting mode, then how can I do that?
  2. If I want to allow some processes which are appearing in “View Unapproved Application”, then how can I do that?
  3. What would happen if I put the policy “Step2:- Enable System lockdown” now?

Thanks & Regards,

Nagesh Singh

 

ThaveshinP's picture

An answer would be great to Question 1....

Mithun Sanghavi's picture

Hello,

Could you please clarify Question 1?

However, check the following Articles:

How to configure System Lockdown in Symantec Endpoint Protection 11.0

http://www.symantec.com/docs/TECH102526

Managing file fingerprint lists

http://www.symantec.com/docs/HOWTO55133

Configuring system lockdown

http://www.symantec.com/docs/HOWTO80848

Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/HOWTO55138

How to configure System Lockdown to allow Microsoft Security Updates

http://www.symantec.com/docs/TECH103977

Enabling system lockdown to run in whitelist mode

http://www.symantec.com/docs/HOWTO80850

Also, check this Article:

https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Simpson Homer's picture

You could also contact Support:

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

India: Toll-Free 000 800 4401 456 directly

IDD call: +61 2 8220 7111

 

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Customer Care Contact Numbers for Licensing Issues:-

http://www.symantec.com/support/assistance_care.jsp

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

waelhilal's picture

 

 

Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/HOWTO55138

 

 

Hope this is useful 

 

Wael Hilal

Mobile: 00966531377132

Nagesh Singh's picture

Hi All,

My question is:

  1. If I want to get all the processes at starting mode, then how can I do that?
  2. If I want to allow some processes which are appearing in “View Unapproved Application”, then how can I do that?
  3. What would happen if I put the policy “Step2:- Enable System lockdown” now?
  4. If I want to collect the fingerprint file for the first time, what are the different ways to do that? (Around 100 systems in remote locations)

Thanks & Regards,

Nagesh Singh

 

waelhilal's picture

Q1) I will come back to you when I find the solution.

For Q2, Q3, Q4, please see below.

 

For Q2) hope that is helpful:

https://www-secure.symantec.com/connect/forums/sepv11-importing-unapproved-application-list-fingerprint-system-lockdown

 

Q3)  well maybe that will be helpful for Q3) 

Setting up and testing the system lockdown configuration before you enable system lockdown

http://www.symantec.com/docs/HOWTO80849

 Q4)  maybe that will be helpful

 

Managing file fingerprint lists

http://www.symantec.com/docs/HOWTO55133

 

Hope this will be good

 

Wael Hilal

Mobile: 00966531377132

waelhilal's picture

If the first one didn't work because of V. difference

SEPv11 - Importing Unapproved Application List into Fingerprint for System Lockdown

rather use the solution below or check the other links further down,

You can import them for your firewall rules.

 

and for App control

go to SEPM - Policies - Policy Components - File Finger Print list - Search for Application -Select Group - click Search
Select and Export the application finger print

 

or check this:

Go to

1)Symantec Endpoint Manager - open

2)policies

3)firewall - click 

3) Add a firewall policy

4)click on firewall rules

5)customize the default setting

6)Add rule - and do whatever you like to enable and disable

 

or check this:

 

Check following Articles:

Managing file fingerprint lists

http://www.symantec.com/docs/HOWTO55133

Configuring system lockdown

http://www.symantec.com/docs/HOWTO80848

Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

http://www.symantec.com/docs/HOWTO55138

How to configure System Lockdown to allow Microsoft Security Updates

http://www.symantec.com/docs/TECH103977

Also, check this Article:

https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

and 

 

How to configure System Lockdown to allow Microsoft Security Updates

http://www.symantec.com/docs/TECH103977

Even though the Article was meant for SEP 11.x, the same Article would be assisting you with SEP 12.1 as well.

 

For the  Enable Whitelist Mode or Enable Blacklist Mode.

you have two options

First:

Enabling automatic updates of whitelists and blacklists for system lockdown

http://www.symantec.com/docs/HOWTO81094

 

 

and the other solution is:

 

For enabling Blacklist:

 

Enabling system lockdown to run in blacklist mode

http://www.symantec.com/docs/HOWTO81100

 

and For Whitelist list

 

Enabling system lockdown to run in whitelist mode

http://www.symantec.com/docs/HOWTO80850

 
 
and for Configuring system lockdown
 

Hope that helps

You're always welcome,

If this was the solution, please let me know.

 

Wael Hilal

Mobile: 00966531377132

Nagesh Singh's picture

Hi,

How can I get the fingerprint of any USB as well as CD-ROM drives?

Thanks & Regards,

Nagesh Singh

 

.Brian's picture

You can use DevViewer. See this doc on how-to:

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Nagesh Singh's picture

Hi,

I just want to block all USB access except one USB, and this one USB can be accessed by all the systems?

Thanks & Regards,

Nagesh Singh

 

Ashish-Sharma's picture

How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection

http://www.symantec.com/docs/TECH106304

Check this thread

https://www-secure.symantec.com/connect/forums/block-usb-drives-0#comment-7321911

Thanks In Advance

Ashish Sharma

 

 

Nagesh Singh's picture

Thanks All,

I know how to block USB drives through ADCP, but my requirement is to allow only one USB for all users? Apart from this USB, if the user connects any other USB then it must get blocked by SEP?

Thanks & Regards,

Nagesh Singh

 

Ashish-Sharma's picture

Hi,

You can exclude the device ID from the USB block policy.

You can retrieve the device ID from the DevViewer tool.

 

DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection

http://www.symantec.com/business/support/index?pag...

Thanks In Advance

Ashish Sharma

 

 

Nagesh Singh's picture

Hi Ashish,

Does that mean that if I connect my USB device to 100 or 1000 systems, I’ll get the same Device ID from all the systems?

Thanks & Regards,

Nagesh Singh

 

Ashish-Sharma's picture

Hi,

Yes, Device IDs are the same.

 

Thanks In Advance

Ashish Sharma

 

 

Ambesh_444's picture

Dear Nagesh,

If you are blocking USB through SEPM then you should give the USB device ID in the policy box.

And I think USB device IDs are the same only...

Regards,

Ambesh Sharma

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."