system lockdown...is it working?

Created: 24 Jun 2012 | 31 comments

Hi

I tried to simulate a system lockdown solution in our office. I got a baseline by running checksum.exe <outputfile> and then imported it as a fingerprint list. After that I added it to system lockdown and immediately set it to block. At first everything seemed good: I could run applications on that machine and it would block the others, but suddenly I realised that virus defs are no longer being updated and are being blocked as well!

The surprise continues: adding an exception for the whole "c:\documents and settings\all users\application data" does not help either. Did I miss something??

reza akhlaghy's picture

Hi Pete,

I've read the implementation guide section for system lockdown (which was useless BTW) and what I did is "I set it up successfully and it will block whatever it should block and allow whatever is in the fingerprint list" BUT the problem is that after that I was not able to even update virus defs!!!

To overcome this, I decided to add a manual exception, but that didn't work either.

pete_4u2002's picture

Can you create it in test mode instead of block at first?

Check the logs and then implement block.

What is the exception you have set for SEP?

reza akhlaghy's picture

Here's the log (one Application Control event, shown field by field):

Time Stamp: 06/24/2012 15:35:40
Event Type: Application Control Rules
Event Time: 06/24/2012 15:31:21
Severity: Critical
Host Name: aftersales01
Action: Block
Test Mode: 0
Description: System Lockdown
API: Load Dll
Begin Time: 06/24/2012 15:31:04
End Time: 06/24/2012 15:31:04
Rule ID: (empty)
Rule Name: LockDown
Caller Process ID: 1432
Caller Process Name: C:/Program Files/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Bin/ccSvcHst.exe
Return Address: 0
Return Module: No Module Name
Target: C:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Data/Definitions/BASHDefs/20120620.012/BHEngine.dll
User Name: SYSTEM
File Size: 1432056

and see the attachment for "test phase"

systemlockdown.jpg
pete_4u2002's picture

Seems to be okay. Is the client not updating?

Can you check if communication is established with SEPM / Symantec LiveUpdate?

reza akhlaghy's picture

No, the client will not update, and here's the error in its system log:

"an update for {535CB6A4-....} failed to install. Error: 0xE00100001, DuResult: 60"

and also:

"Downloaded new content update from the management server failed."

and:

"cannot assign a client authentication token. there was a general communication failure"

Now that I set it back to test mode, client gets the update (obviously)

Please note that even now in test mode, we receive a "block" event (in the control log) for the file BHEngine.dll in the definitions directory in the All Users profile.

.Brian's picture

Did you exclude the Symantec folders?

C:\program files\symantec

C:\program files\common files\symantec shared

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

reza akhlaghy's picture

I added those directories without any change. It still does not update.

greg12's picture

Where did you allow the content of the application data folder? AFAIK, the only place is Clients > Policies > System Lock > File Name list (for allowed executables).

Screenshot would be nice.

Elisha's picture

Hello Reza,

There are two issues with the file paths you list.  The first issue is that you are excluding %alluserprofile%, which is not safe to exclude.  Many malware files use this folder as a hiding place.  Secondly, you only have a single asterisk after the path.  You should have an asterisk slash asterisk (*\*).

*  --  a single asterisk means any file in that folder
*\*  --  an asterisk slash asterisk means any file in that folder and any subfolder(s)

Example:
C:\Windows\*  --  this will match any file under the Windows folder
C:\Windows\*\*  --  this will match any file under the Windows folder and any file under any subfolder(s)

greg12's picture

Seems okay ...

Only idea: Try to use everywhere "C:\..." instead of "c:\...". If I remember correctly, I had a similar issue with lower case letters as drive letters in Application Control policies.

reza akhlaghy's picture

After 3 days of investigation, I found the answer.

It is really a shame for Symantec, with a very poor level of documentation on this problem, and surprisingly no one ever answered with something remotely relevant to the real solution.

Anyone who is interested in the answer, send me a PM. I'm angry and I'll not post it to the forums!

openbrain's picture

Hello,

Glad to read that you finally found the solution.

I experience the same issue. Could you please explain to me how you solved this?

Thank you in advance,

Stéphane, Belgium

.Brian's picture

How about sharing with the entire community and helping everyone out?

You can also contact Symantec with suggestions as I'm sure they would want that feedback.

Don't make the entire community suffer because you have an issue with documentation.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mrmoretti2013's picture

It surprises me how you complain that Symantec has bad documentation, yet you have supposedly found a solution and are unwilling to share.  Hypocrite.

reza akhlaghy's picture

Brian,

I did contact Symantec and shared the result and am still waiting for an action, and I also shared it with everyone who sent me a PM. I wanted to make a point here to force them to do something, although I received some nonsense from users and nothing from Symantec.

.Brian's picture

That's fine, you're free to do as you please, but as I said the community suffers most and it defeats the purpose of it. It just sucks because I've had the same issue, although I don't use lockdown in full production but only for problem machines. I guess as long as everyone that contacted you got an answer then that's all that matters.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ThaveshinP's picture

Hi there,

Could you explain what the solution was?

Thanks

mrmoretti2013's picture

Suspect you never did find a solution, just an attention seeker.

Eileen's picture

Reza,

If you have a suggestion regarding Symantec documentation around SEP, you can make a post to the idea section in the Security Community.

Eileen, Partner and Security Community Manager

Nourbakhsh's picture

Hi everybody in forum

I know what Reza says because I had the same issues and I didn't find any answer or action from the Symantec Support team; I also created a ticket, but in the end I found the solution by myself and shared it in the forum for others who have the same problem, but I didn't get the answer from Symantec.

@Eileen: Sometimes we are not in a good situation and we really need fast action / response; for this reason we need support from Symantec, and this should be one of the big differences between security companies. Isn't it?

.Brian's picture

Where did you share?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish Bhatia's picture

Reza

I sent you a PM.

I'm having the same issue even after adding an exception.

As far as I can tell this is blocked by a "special" application and device control policy. The rule is simply called "LockDown".

How do I make exceptions work? I don't understand why Symantec folders are blocked even after I ran checksum.exe. Doesn't it scan the entire hard drive? I also cannot get Windows updates.

.Brian's picture

I believe you need to start by making the blacklist mode for system lockdown appear.

Look at the Admin guide starting on page 503

Stop the SEPM service

Add this line to the conf.properties file located under C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc

scm.systemlockdown.blacklist.enabled=1

Start the SEPM service and you will see the new options under system lockdown

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Elisha's picture

The issue here is that the virus definitions have updated binary files in them and these new binary files are not allowed by System Lockdown since they are not in the allowed File Fingerprint list.  You need to exclude these SEP folders from System Lockdown.

Here are the folders I recommend excluding:

  • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#*\*
  • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\INSTALLDIR#*\*
  • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*\*
  • #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysPlant\SysFer\SEPBaseDir#*\*

.Brian's picture

Reg keys are included in system lockdown? I was never aware of this...I've not seen reg keys in the logs in all the time I've been using it?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Elisha's picture

These are registry key variables.  They are supported in all file and folder paths for System Lockdown and Application Control.  The # indicates a registry variable, just as a % indicates an environment variable.

Example, these two would both match the Program Files folder:

#HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#

%ProgramFiles%
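
As an added illustration (not code from this thread, from Symantec, or from any SEP component), here is a small Python matcher that applies the path semantics described in the two posts above: a single `*` matches any name within one folder level, `*\*` matches any file at any depth below that point, `#HKEY_...\value#` expands to a registry value and `%NAME%` to an environment variable. The registry and environment values are constructed stand-ins, not values read from a host; the case-insensitive default is an assumption (greg12 above reports trouble with lower-case drive letters, so a `case_sensitive` flag is provided); and the "any depth" reading of `*\*` is taken from Elisha's description. The target path is the one from the Application Control log event earlier in the thread.

```python
import re

# Constructed stand-ins for the registry values and environment variables a
# real SEP client would read. They are NOT the values on any particular host.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE":
        "C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"
        "Symantec Endpoint Protection\\12.1.1101.401.105\\Data\\",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir":
        "C:\\Program Files",
}
ENV = {"ProgramFiles": "C:\\Program Files"}

# Target path from the Application Control log event quoted earlier in this thread.
BLOCKED_TARGET = ("C:/Documents and Settings/All Users/Application Data/Symantec/"
                  "Symantec Endpoint Protection/12.1.1101.401.105/Data/Definitions/"
                  "BASHDefs/20120620.012/BHEngine.dll")


def _normalize(path: str) -> str:
    # The log writes paths with forward slashes; policy paths use backslashes.
    return path.replace("/", "\\")


def _lookup(table: dict, name: str, kind: str) -> str:
    # Registry value names and environment variable names are case-insensitive on Windows.
    for key, value in table.items():
        if key.lower() == name.lower():
            return value
    raise KeyError(f"unknown {kind} variable: {name}")


def expand_variables(pattern: str) -> str:
    """Replace #REGISTRY\\KEY\\value# and %ENV% tokens with their (constructed) values."""
    pattern = re.sub(r"#([^#]+)#", lambda m: _lookup(REGISTRY, m.group(1), "registry"), pattern)
    return re.sub(r"%([^%]+)%", lambda m: _lookup(ENV, m.group(1), "environment"), pattern)


def pattern_to_regex(pattern: str, case_sensitive: bool = False) -> re.Pattern:
    """Compile a System Lockdown / Application Control style path pattern.

    '*'   matches any name within ONE folder level (never crosses a separator)
    '*\\*' matches anything at any depth below that point (assumed from Elisha's description)
    """
    text = _normalize(expand_variables(pattern))
    parts = []
    i = 0
    while i < len(text):
        if text.startswith("*\\*", i):
            parts.append(".*")          # this folder and every subfolder
            i += 3
        elif text[i] == "*":
            parts.append("[^\\\\]*")    # any characters except a path separator
            i += 1
        else:
            parts.append(re.escape(text[i]))
            i += 1
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("".join(parts), flags)


def matches(pattern: str, path: str, case_sensitive: bool = False) -> bool:
    """True if the whole path is covered by the pattern."""
    return pattern_to_regex(pattern, case_sensitive).fullmatch(_normalize(path)) is not None


def first_matching_exclusion(path: str, exclusions, case_sensitive: bool = False):
    """Return the first exclusion pattern that covers the path, or None if it stays blocked."""
    for pattern in exclusions:
        if matches(pattern, path, case_sensitive):
            return pattern
    return None


if __name__ == "__main__":
    candidates = [
        r"C:\Program Files\Symantec\*\*",
        r"C:\Documents and Settings\All Users\Application Data\*",    # single asterisk: one level only
        r"C:\Documents and Settings\All Users\Application Data\*\*",
        r"#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#*\*",
    ]
    for candidate in candidates:
        print(f"{str(matches(candidate, BLOCKED_TARGET)):5}  {candidate}")
    print("covered by:", first_matching_exclusion(BLOCKED_TARGET, candidates))
```

Running it shows why the original exception did not help: the single-asterisk pattern on the Application Data folder stops at the first subfolder, so the definitions DLL several levels deeper is still outside the allowed set, while the `*\*` form and the APPDATABASE registry variable both cover it.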
fluo's picture

KB article http://www.symantec.com/business/support/index?page=content&id=TECH207935 is created.

Reg keys are also used in HI policy custom requirements.