U3 Flash Drives & Executables
Updated: 21 May 2010 | 15 comments
This issue has been solved. See solution.
Hello,
We are having an issue with Symantec not blocking executables from running off of flash drives, even though the policy is set to block these things.
We use all of the Symantec Features except for the Firewall.
Under Application and Device control, the policy is definitely checkmarked to block applications from running. However, people are still managing to run everything they wish.
Any guidance as to why this is? We just want a blanket rule that no applications are able to run from ANY USB device.
Comments
Hi,
Please be aware that the 'Application and Device Control' component is a part of Proactive Threat Protection, which DEPENDS on the firewall component (i.e. Network Threat Protection).
It is also not compatible with X64 OS.
Cheers,
Visu.
I came, I saw, I err ;)
Yeah...
You have to use the Firewall in order for that to work.
As mentioned in earlier posts, you have to install the firewall also, because the 'Application and Device Control' component depends on Network Threat Protection. If you are having some problem with Network Threat Protection, create an allow-all rule and keep it as the first rule; also keep all clients in server control mode (first do it in a test environment). If you are having some other problems, please post here.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Ah....that explains it. I will test this further and report back here. Thanks for the help!
Great, it works!
One more quick question:
How do I add a rule to block .msi's from running off of USB drives? It doesn't seem to do this by default, so I tried adding a "*.msi" underneath the rules, and that didn't work, either.
How to prevent programs from running by blocking the file extension types from removable drives.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009020313373948?Open&seg=ent
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
So I followed that instruction sheet and it doesn't work. I get the message that it has blocked explorer.exe from trying to access the .msi, but the .msi still launches.
Any insight?
Both read and create, delete, or write attempt settings are set to "block". The rule itself is for File and Folder Access attempts, and it is set to block "*.msi".
Try setting it to terminate rather than block.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
That worked, but it terminated my explorer process, lol. Definitely not a solution.
Hello again...
Just to check what happens, can you try with a simple text file instead of msi? Try opening a txt file from a pen drive, after blocking *.txt ... Because if it blocks or terminates explorer.exe, then that's the handle associated with msi. So, let's see if that's the case for msi or any other file...
Cheers,
Visu.
I came, I saw, I err ;)
hi
you cannot block msiexec.exe from running
msiexec.exe is still able to Create and Write .exe files when an Application Control Policy is in place to block all Create, Write and Delete attempts to all .exe Files
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/bdc1ca1f484550176525752e006e8dc8?OpenDocument
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
So a user can have an .msi file on his flash drive and run it even though the rule is to block .msi files?
------------------------------------------------------------
MR99 will fix it all.
Hey,
The document is talking about exe files which are executed from the USB drive, which in turn call an associated MSI ... If you want to block installations, you can very well block the msiexec.exe with an MD5 fingerprint :)
Cheers,
Visu.
I came, I saw, I err ;)
First create a registry key for blocking it, then protect that key with Application and Device Control.
With Windows Installer 1.1 and later, you can restrict users from browsing MSI files on removable media such as CD-ROMs and DVDs by performing the following steps:
Start a registry editor (e.g., regedit.exe).
Navigate to the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer registry subkey (create this subkey if it doesn't exist).
From the Edit menu, select New, DWORD Value.
Enter the name DisableMedia, then press Enter.
Double-click the new value, set it to 1, then click OK.
Close the registry editor.
Log off and log on for the change to take effect.
Ref: How can I stop users from installing Windows Installer (MSI) files for removable media?
You can do the same through Group policy also
configure Windows Installer Group Policy computer options
Managing Windows Installer with Group Policy
For protecting the key, refer to the figure below
block modification to that registry key
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
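The registry steps from the post above, scripted in PowerShell as an added example (not code from the thread, Symantec or Microsoft). The key path, value name and value are the ones given in the post; the function names are hypothetical. It is safe to re-run and reports the state before and after, so it can double as a check that the value has not been removed.

```powershell
# Added example: apply and verify the DisableMedia value described in the post.
# HKCU is per-user, so run this in the session of the user being restricted.
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
$ValueName = 'DisableMedia'
$Desired   = 1

function Get-InstallerPolicyValue {
    # Hypothetical helper: returns the current value, or $null if key/value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-InstallerPolicyValue {
    # Hypothetical helper: creates the subkey if it does not exist, then writes a DWORD.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name $Name `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-InstallerPolicyValue -Path $KeyPath -Name $ValueName
if ($before -ne $Desired) {
    Set-InstallerPolicyValue -Path $KeyPath -Name $ValueName -Value $Desired
}
$after = Get-InstallerPolicyValue -Path $KeyPath -Name $ValueName

# Confirm the stored type is DWORD, not a string that merely displays as "1".
$kind = (Get-Item -LiteralPath $KeyPath).GetValueKind($ValueName)

[pscustomobject]@{
    Key       = $KeyPath
    Value     = $ValueName
    Before    = if ($null -eq $before) { '<not set>' } else { $before }
    After     = $after
    Kind      = $kind
    Compliant = ($after -eq $Desired -and $kind -eq 'DWord')
}

if ($before -ne $Desired) {
    Write-Host 'Value changed: log off and log on for the change to take effect.'
}
```

Because the value lives under HKCU, a user with write access to their own hive can remove it, which is why the post pairs it with an Application and Device Control rule that blocks modification of the key.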