system lockdown...is it working?
Created: 24 Jun 2012 | 26 comments
Hi
I tried to simulate a system lockdown solution in our office. I got a baseline by running checksum.exe <outputfile> and then imported it as a fingerprint list. After that I added it to system lockdown and immediately set it to block. At first everything seemed good: I could run applications on that machine and it would block the others, but suddenly I realised that virus defs were no longer being updated and were being blocked as well!
The surprise continues, as adding an exception for the whole "c:\documents and settings\all users\application data" does not help either. Did I miss something??
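To make the failure mode in this post concrete, here is an added example (not from the original post or from Symantec) that models how a checksum-based fingerprint list behaves: the baseline is a snapshot of file hashes, so a definition update that rewrites an engine DLL or drops a new .dat file produces hashes that were never in the list. The use of MD5, the file names and the directory layout are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_tree(root):
    """Hash every file under root, the way a checksum baseline does.
    Returns {relative_path: hex_digest}. MD5 is an assumption about the
    fingerprint format; any hash behaves the same as a snapshot."""
    fps = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            fps[path.relative_to(root).as_posix()] = digest
    return fps


def lockdown_verdicts(allowed_hashes, root):
    """Return {relative_path: 'allow' | 'block'} for every file now under root.
    A hash-only allowlist admits a file solely by its current hash; the
    folder it lives in plays no part in the decision."""
    return {
        rel: ("allow" if digest in allowed_hashes else "block")
        for rel, digest in fingerprint_tree(root).items()
    }


def simulate_definition_update():
    """Constructed scenario: baseline a client, then let a definition update
    rewrite an engine DLL and add a new definition file after the fact."""
    with tempfile.TemporaryDirectory() as client:
        defs = Path(client) / "Application Data" / "Symantec" / "Definitions"
        defs.mkdir(parents=True)
        (defs / "BHEngine.dll").write_bytes(b"engine build 1")
        (defs / "virscan1.dat").write_bytes(b"signatures 20120624")
        # The fingerprint list is taken here, before any update arrives.
        baseline = set(fingerprint_tree(client).values())
        # A later content update changes one file and introduces another.
        (defs / "BHEngine.dll").write_bytes(b"engine build 2")
        (defs / "virscan2.dat").write_bytes(b"signatures 20120625")
        return lockdown_verdicts(baseline, client)


if __name__ == "__main__":
    for rel, verdict in simulate_definition_update().items():
        print(f"{verdict:5}  {rel}")
```

Only the untouched virscan1.dat stays allowed; the rewritten BHEngine.dll and the new virscan2.dat are blocked even though nothing about their location changed, which is why a folder-level exception does not address a hash snapshot that has gone stale.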
Can you check these links?
About system lockdown
http://www.symantec.com/business/support/index?page=content&id=HOWTO27322
Configuring system lockdown
http://www.symantec.com/business/support/index?page=content&id=HOWTO55130
Running system lockdown in test mode
http://symantec.com/docs/HOWTO55131
Enabling system lockdown to block unapproved applications
http://symantec.com/docs/HOWTO55132
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Hi Pete,
I've read the implementation guide section for system lockdown (which was useless BTW), and what I did is "I set it up successfully and it will block whatever it should block and allow whatever is in the fingerprint list" BUT the problem is that after that I was not able to even update virus defs!!!
To overcome this, I decided to add a manual exception, but that didn't work either.
Can you create it in test mode instead of block at first?
Check the logs and then switch to block.
What is the exception you have set for SEP?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Here's the log:
and see the attachment for "test phase"
Seems to be okay; is the client not updating?
Can you check if communication is established with the SEPM / Symantec LiveUpdate?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
No, the client will not update, and here's the error in its system log:
"an update for {535CB6A4-....} failed to install. Error: 0xE00100001, DuResult: 60"
and also:
"Downloaded new content update from the management server failed."
and:
"cannot assign a client authentication token. there was a general communication failure"
Now that I have set it back to test mode, the client gets the update (obviously).
Please note that even now in test mode, we receive a "block" event (in the control log) for the file BHEngine.dll in the definitions directory in the All Users profile.
Did you exclude the Symantec folders?
C:\program files\symantec
C:\program files\common files\symantec shared
SEP Knowledge Base
Endpoint SWAT
I added those directories without any change. It still does not update.
Where did you allow the content of the application data folder? AFAIK, the only place is Clients > Policies > System Lock > File Name list (for allowed executables).
Screenshot would be nice.
Seems okay ...
Only idea: try using "C:\..." everywhere instead of "c:\...". If I remember correctly, I had a similar issue with lower-case drive letters in Application Control policies.
After 3 days of investigation, I found the answer.
It is really a shame for Symantec, with a very poor level of documentation on this problem, and surprisingly no one ever answered anything remotely relevant to the real solution.
Anyone who is interested in the answer, send me a PM. I'm angry and I will not post it to the forums!
Hello,
Glad to read that you finally found the solution.
I am experiencing the same issue. Could you please explain to me how you solved this?
Thank you in advance,
Stéphane, Belgium
How about sharing with the entire community and helping everyone out?
You can also contact Symantec with suggestions as I'm sure they would want that feedback.
Don't make the entire community suffer because you have an issue with documentation.
SEP Knowledge Base
Endpoint SWAT
It surprises me how you complain that Symantec has bad documentation, yet you have supposedly found a solution and are unwilling to share. Hypocrite.
Brian,
I did contact Symantec and shared the result, and I am still waiting for an action; I also shared it with everyone who sent me a PM. I wanted to make a point here to force them to do something, although I received some nonsense from users and nothing from Symantec.
That's fine, you're free to do as you please, but as I said the community suffers most and it defeats the purpose of it. It just sucks because I've had the same issue, although I don't use lockdown in full production but only for problem machines. I guess as long as everyone that contacted you got an answer, then that's all that matters.
SEP Knowledge Base
Endpoint SWAT
Hi there,
Could you explain what the solution was?
Thanks
Suspect you never did find a solution, just an attention seeker.
Reza,
If you have a suggestion regarding Symantec documentation around SEP, you can make a post to the idea section in the Security Community.
Eileen, Partner and Security Community Manager
Hi everybody in forum
I know what Reza says because I had the same issues & I didn't find any answer or action from the Symantec support team; I also created a ticket, but in the end I found the solution by myself & shared it in the forum for others who have the same problem, but I didn't get the answer from Symantec.
@Eileen: Sometimes we are not in a good situation & really, we need a fast action / response; for this reason we need support from Symantec & this should be one of the big differences between security companies. Isn't it?
Where did you share?
SEP Knowledge Base
Endpoint SWAT
Where did you share?
Reza
I sent you a PM.
I'm having the same issue even after adding an exception.
As far as I can tell this is blocked by a "special" application and device control policy. The rule is simply called "LockDown".
How do I make exceptions work? I don't understand why Symantec folders are blocked even after I ran checksum.exe. Doesn't it scan the entire hard drive? I also cannot get Windows updates.
I believe you need to start by making the blacklist mode appear for system lockdown.
Look at the Admin guide starting on page 503
Stop the SEPM service
Add this line to the conf.properties file located under C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
scm.systemlockdown.blacklist.enabled=1
Start the SEPM service and you will see the new options under system lockdown.
SEP Knowledge Base
Endpoint SWAT
Check your PM for solution