Endpoint Protection


System Lockdown troubleshooting

  • 1.  System Lockdown troubleshooting

    Posted Jul 10, 2013 11:25 AM

    Hi,

    I have created a new group, turned off inheritance, created a new file fingerprint list using checksum on my own laptop and added it to Policy Components using the SEPM gui.  I then turned on System Lockdown for that group, setting it for Step 1 because I only want to log.  I then added the file fingerprint list to the approved applications list in the System Lockdown settings.  I then moved my laptop to this new group.  Once I confirmed that I had received the new policy, I started running applications that were not on my machine when I originally ran checksum.  However, I don't see any events in my client's logs (Control) nor in the SEPM Logs (Checked Application and Device Control logs in Monitors).  Am I looking in the right places?  If so, how can I troubleshoot why I am not seeing any events for running an application that is not whitelisted?

    Thanks in advance,


    Bob
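A way to sanity-check the setup described above before digging into policy settings: confirm that the program you are running is really absent from the fingerprint list. The script below is an added example, not Symantec's code or checksum.exe output from the original post. It assumes (assumption) that a checksum.exe fingerprint list is one entry per line in the form "MD5-hex path", with the path possibly containing spaces; the sample files it hashes are constructed in a temporary directory, and all function names are my own.

```python
"""Reproduce the allow/deny decision of a log-only (Step 1) System Lockdown
fingerprint list locally, so you can tell "the client logged nothing" apart
from "the binary was actually on the list".

Added example, not Symantec's tooling. Assumed list format: one line per
file, MD5 hex digest followed by a space and the path (assumption)."""
import hashlib
import os
import tempfile


def parse_fingerprint_list(text):
    """Return the set of lowercase MD5 digests found in a checksum-style list.

    The path may contain spaces, so split only once; lines whose first token
    is not a 32-char hex digest are skipped (blank lines, headers)."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest = line.split(None, 1)[0].lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            hashes.add(digest)
    return hashes


def md5_of_file(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_fingerprint_list(paths):
    """Emit a list in the same hash-then-path layout from local files."""
    return "\n".join(f"{md5_of_file(p)} {p}" for p in paths) + "\n"


def unapproved(fingerprints, paths):
    """Paths whose hash is not in the approved set: in Step 1 these are the
    launches the client's Control log should record."""
    return [p for p in paths if md5_of_file(p) not in fingerprints]


def demo():
    """Constructed scenario: two 'approved' files, one new binary added
    after the list was generated. Returns the basenames flagged as unapproved."""
    with tempfile.TemporaryDirectory() as d:
        approved = []
        for name, content in (("notepad.exe", b"MZ approved one"),
                              ("calc.exe", b"MZ approved two")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            approved.append(p)
        fingerprints = parse_fingerprint_list(build_fingerprint_list(approved))

        # Binary that did not exist when the list was built.
        newtool = os.path.join(d, "newtool.exe")
        with open(newtool, "wb") as f:
            f.write(b"MZ not on the list")

        return [os.path.basename(p)
                for p in unapproved(fingerprints, approved + [newtool])]


if __name__ == "__main__":
    print("would be logged as unapproved:", demo())
```

If the file you launched shows up as unapproved here but the client's Control log stays empty, the list is not the problem and the enforcement path (the Application and Device Control component and its policy assignment) is the next thing to check. Note that the list is keyed on MD5, so an attacker who can craft a colliding binary can slip past a fingerprint allowlist; that is a property of the hash the tool uses, not something this script can fix.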



  • 2.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 11:45 AM

    Did you check on the client?

    Symantec Endpoint Protection client 'Control Log'



  • 3.  RE: System Lockdown troubleshooting
    Best Answer

    Posted Jul 10, 2013 11:47 AM
    The control log is where they would show. Do ensure the app and device control component is installed as well.


  • 4.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 11:48 AM

    Errr, does anything show up if you click on the "System Lockdown" settings for that group?  You should be presented with a list after clicking on the "View Unapproved Applications" button at the bottom of the window.



  • 5.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 12:19 PM

    Hi Everyone,

    I do have the "View Unapproved Applications" button and no applications appear.  I reviewed the Control log on the client but nothing appears except an event that says application and device control is ready.  I also confirmed that all SEP components including application and device control are installed on my client.  



  • 6.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 12:31 PM

    Hmmm, can you confirm the "Upload applications" option is enabled on the group in question (under Communications Settings) and that the SEP Site is enabled to "keep track of applications that the clients run" (under the general tab of the site properties)?



  • 7.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 12:39 PM

    Hi,

    Upload applications option is not enabled and "keep track of applications" is not enabled either.  Are these required for System Lockdown to work?

    Bob



  • 8.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 01:16 PM

    Those should not be required for system lockdown.




  • 9.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 01:54 PM

    I just tried a very small file fingerprint list so that virtually nothing is whitelisted.  I waited for the policy ID to update, made sure my client was updated and tried again.  Still nothing shows up in my control log.  



  • 10.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 01:59 PM

    I may have made some progress.  The app/dev control policies assigned to my group were disabled.  So I made a non-shared copy just for the group and enabled the policy.  Now I am seeing lockdown events.



  • 11.  RE: System Lockdown troubleshooting

    Posted Jul 10, 2013 02:08 PM

    I believe I have resolved this.  Although app/dev control is installed, it appears that the LockDown rules did not take effect until I assign an app/dev control policy.  The policy I assigned is enabled but has no active rules.  Thanks for everyone's help.



  • 12.  RE: System Lockdown troubleshooting

    Posted Jul 11, 2013 09:27 AM

    Correct. System Lockdown is a subcomponent of ADC so it uses the same driver ADC uses. From what I know System Lockdown is nothing more than an ADC rule configured to monitor and block every exe/dll. You can create the same rule within ADC but there is no easy way to add exceptions like you do for system lockdown.