Using lockdown to monitor for unauthorized apps (instead of preventing)

Created: 03 Jul 2013 | 3 comments

Has anyone used the SEP system lockdown in a monitor mode in order to find systems which are running unauthorized applications?  Although I would like the security of using whitelisting so that only approved apps run, my interest is to take a more conservative, reactive approach and find systems which are not complying by running unauthorized software via an alert or report.  

.Brian:

Yep, I currently use it to do this for our "problem" machines only.

I ran the checksum.exe against our clean image and imported it. Anything that shows up in the "Unapproved Apps" is reviewed and added if needed.

Great feature, just requires more time to setup and monitor.

If you have specific questions, ask away!

Very tough to pull off in a large environment for multiple reasons, mainly the large quantity of logs you are no doubt going to receive. But it can be done with the blessing of management of course.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

BzlBob:

Brian,

What kind of logs do you get?  Is it possible to only produce a logged event when an unauthorized app is used?  Is it possible to limit the retention of these logs?  Also, can you produce a report of unauthorized apps?  Finally, is it an onerous task to react to incidents of use of unauthorized apps?

Bob

.Brian:

If you go to Monitors >> Logs

Set Log Type to Application and Device Control

Set Log Content to Application Control

Click OK

You will be able to get logs for System Lockdown by looking at the Rule Name column. It will show "LockDown".

Anything that is not authorized to run will be shown here, so I guess you could say these are the unauthorized apps. Although in my case, a good portion need to be added as exclusions.

Yes, you can set a retention

Admin >> Servers >> Select your DB and select the Log Settings tab. Under Client Log Setting, you need to edit the Control Log Limit

You can export a log to CSV format from the Monitors page. You can also view Reports, but they're not nearly as detailed as what you would see on the Monitors page.

It can be, in a very large environment or if it is only you running the show. Fortunately, our techs around the world are very security conscious, so for me personally it is not very hard. I work with the techs and they get it done.
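One way to turn the CSV export from Monitors >> Logs into the "unauthorized apps" report asked for above, as an added example that is not part of this thread: filter on the Rule Name column value "LockDown" that Brian mentions, count hits per computer, and separate executables seen on many hosts (likely exclusion candidates) from single-host outliers. The sample export is constructed, and every column name other than "Rule Name" is an assumption to be matched against a real export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a SEP "Application and Device Control" log export in CSV form.
# Only the "Rule Name" column and its "LockDown" value come from the thread; the other
# column names are assumptions and should be matched to a real export before use.
SAMPLE_CSV = """Time Stamp,Computer Name,Rule Name,Action,File Name
2013-07-03 09:12:01,WS-0412,LockDown,Continue,C:\\Users\\jdoe\\Downloads\\utorrent.exe
2013-07-03 09:14:33,WS-0412,LockDown,Continue,C:\\Users\\jdoe\\Downloads\\utorrent.exe
2013-07-03 09:20:10,WS-0199,LockDown,Continue,C:\\Program Files\\Vendor\\agent.exe
2013-07-03 09:22:45,WS-0007,Block USB,Block,USB Mass Storage
2013-07-03 10:01:02,WS-0300,LockDown,Continue,C:\\Program Files\\Vendor\\agent.exe
2013-07-03 10:05:59,WS-0300,LockDown,Continue,C:\\Temp\\game.exe
"""

def lockdown_rows(csv_text, rule_name="LockDown"):
    """Keep only rows produced by the System Lockdown rule (monitor-mode hits)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["Rule Name"] == rule_name]

def unauthorized_by_host(csv_text):
    """Map each computer to a Counter of unapproved executables and their hit counts."""
    per_host = defaultdict(Counter)
    for row in lockdown_rows(csv_text):
        per_host[row["Computer Name"]][row["File Name"]] += 1
    return dict(per_host)

def hosts_per_file(csv_text):
    """Count the distinct computers on which each unapproved executable was seen."""
    seen = defaultdict(set)
    for row in lockdown_rows(csv_text):
        seen[row["File Name"]].add(row["Computer Name"])
    return {path: len(hosts) for path, hosts in seen.items()}

def triage(csv_text, min_hosts=2):
    """Split hits into exclusion candidates (widespread) and per-host outliers to follow up."""
    counts = hosts_per_file(csv_text)
    candidates = sorted(p for p, n in counts.items() if n >= min_hosts)
    outliers = sorted(p for p, n in counts.items() if n < min_hosts)
    return candidates, outliers

if __name__ == "__main__":
    for host, files in sorted(unauthorized_by_host(SAMPLE_CSV).items()):
        print(host, dict(files))
    cands, outs = triage(SAMPLE_CSV)
    print("review for exclusion:", cands)
    print("follow up per host:", outs)
```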