
Symantec Endpoint Protection Application and Device Control

Symantec Endpoint Protection Application and Device Control enables extra security protection for client systems. Simple rules created with Application and Device Control can enforce security policies and stop unknown malware. This page is a resource for those looking to get the most out of this feature.

How Application and Device Control works

Application Control is an advanced security feature included in Symantec Endpoint Protection 11.0. Application Control provides administrators with the ability to monitor and control the behavior of applications. Documentation on how to take full advantage of Application Control Policies is available here: http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

NEW! W32.Stuxnet protection

Application Control rule to block Stuxnet infections.

download: http://www.symantec.com/avcenter/security/ADC/CVE-2010-2568.dat

This policy monitors '.lnk' files being READ by all processes on the following drive types:

* Removable drives
* CD/DVD drive
* Network drives
* RAM drives

Create/write/delete operations are allowed but logged.

The following process is allowed to read .lnk files:

* rtvscan.exe

On blocking action, the user is alerted with the following message:

See 'Vulnerability in Windows Shell Could Allow Remote Code Execution' (see Microsoft Security Advisory 2286198 for further information).

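To make the decision logic of the rule above concrete, here is an added example that models it as a small policy evaluator. It is not Symantec's own policy file and does not parse the .dat download; the DriveType and Action names, the FileEvent shape, the drive-letter table and the sample events are all constructed for illustration. The evaluator applies the four published rules: only '.lnk' files on removable, CD/DVD, network or RAM drives are in scope; READ is blocked unless the process is rtvscan.exe; create/write/delete are allowed but logged; a block carries the advisory message shown to the user.

```python
"""Model of the W32.Stuxnet Application Control rule described above (added example)."""
import ntpath
from dataclasses import dataclass
from enum import Enum


class DriveType(Enum):
    FIXED = "fixed"
    REMOVABLE = "removable"
    CDROM = "cd/dvd"
    NETWORK = "network"
    RAMDISK = "ram"


class Action(Enum):
    ALLOW = "allow"
    LOG = "allow+log"
    BLOCK = "block"


# Drive types the policy monitors for .lnk access (from the page).
MONITORED_DRIVES = {DriveType.REMOVABLE, DriveType.CDROM,
                    DriveType.NETWORK, DriveType.RAMDISK}
# The only process permitted to READ .lnk files on those drives (from the page).
READ_ALLOWED_PROCESSES = {"rtvscan.exe"}
# Message shown to the user when a read is blocked (from the page).
ALERT_MESSAGE = ("See 'Vulnerability in Windows Shell Could Allow Remote Code Execution' "
                 "(see Microsoft Security Advisory 2286198 for further information).")

# Constructed drive-letter map standing in for the client's volume enumeration.
SAMPLE_DRIVE_LETTERS = {"C": DriveType.FIXED, "D": DriveType.CDROM,
                        "E": DriveType.REMOVABLE, "R": DriveType.RAMDISK}


@dataclass(frozen=True)
class FileEvent:
    process: str    # image path or image name of the accessing process
    path: str       # Windows path of the file being accessed
    operation: str  # "read", "create", "write" or "delete"


def classify_drive(path, letter_map=SAMPLE_DRIVE_LETTERS):
    """Map a Windows path to a drive type: UNC paths are network drives,
    lettered paths are looked up in the map, anything unknown is treated as fixed."""
    if path.startswith("\\\\"):
        return DriveType.NETWORK
    if len(path) >= 2 and path[1] == ":":
        return letter_map.get(path[0].upper(), DriveType.FIXED)
    return DriveType.FIXED


def evaluate(event, letter_map=SAMPLE_DRIVE_LETTERS):
    """Return (action, alert_text) for one file-access event."""
    # Extension match is case-insensitive: Windows treats .LNK and .lnk alike.
    if not event.path.lower().endswith(".lnk"):
        return Action.ALLOW, None
    if classify_drive(event.path, letter_map) not in MONITORED_DRIVES:
        return Action.ALLOW, None
    op = event.operation.lower()
    if op == "read":
        # Compare on the image name only, so a full path to rtvscan.exe still matches.
        if ntpath.basename(event.process).lower() in READ_ALLOWED_PROCESSES:
            return Action.ALLOW, None
        return Action.BLOCK, ALERT_MESSAGE
    if op in ("create", "write", "delete"):
        return Action.LOG, None
    return Action.ALLOW, None


def summarize(events, letter_map=SAMPLE_DRIVE_LETTERS):
    """Count how many events each action applies to."""
    counts = {a.value: 0 for a in Action}
    for ev in events:
        action, _ = evaluate(ev, letter_map)
        counts[action.value] += 1
    return counts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("explorer.exe", r"E:\shortcut.lnk", "read"),                 # block: read on removable
    FileEvent(r"C:\Program Files\Symantec\rtvscan.exe",
              r"E:\shortcut.LNK", "read"),                                 # allow: scanner exception
    FileEvent("explorer.exe", r"\\fileserver\share\shortcut.lnk", "write"),  # allow+log: write on network
    FileEvent("explorer.exe", r"C:\Users\alice\Desktop\notes.lnk", "read"),  # allow: fixed disk not monitored
    FileEvent("notepad.exe", r"E:\readme.txt", "read"),                    # allow: not a .lnk file
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        action, alert = evaluate(ev)
        print(f"{action.value:9s} {ev.operation:6s} {ev.process} -> {ev.path}")
        if alert:
            print("    user alert:", alert)
    print(summarize(SAMPLE_EVENTS))
```

The two checks worth noting are the case-insensitive extension match and the basename comparison for the scanner exception; a rule keyed on an exact `.lnk` string or on the process name `rtvscan.exe` without the directory stripped would either miss `.LNK` files or fail to exempt the scanner when it is reported by full path.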
Examples of what Application Control can do

Block Attacks from removable drives
Network worms take advantage of USB and other types of removable drives. Application Control can be used to block this attack vector while still allowing an organization to use removable media like USB drives.

Prevent unknown PDF attacks
Web-based attacks often hide inside PDF files. An Application Control rule can easily stop known and unknown attacks that hide in PDF files by preventing Acrobat and Acrobat Reader from writing code to a machine.

Prevent registration of new browser helper objects
Browser Helper Objects, also known as BHOs, are commonly used by threats to spy on or interfere with web browsing. If your organization does not allow BHOs or has a pre-installed set of allowed BHOs, you can block all unwanted BHOs.

These and other rule sets, created for Symantec Endpoint Protection clients, can be downloaded from here:

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050810365948

Community Resources

The Symantec user community has created some very useful rule sets. This page provides links to some of the best: http://www.symantec.com/connect/security/downloads

Additional Documentation

Configuring Application and Device Control http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/7049d06ba3c9e86f802573620054d9c2?OpenDocument

Creating an Application and Device Control Policy http://seer.entsupport.symantec.com/docs/331049.htm


Using Application and Device Control to stop registry entries added by a threat or risk http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/07dcfaf99d61c063882575fa00705603?OpenDocument

How to use Application and Device Control to limit the spread of a threat http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5b5f6319ba48fda5882575990075e260?OpenDocument


How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d160be4b9941c53c88257674005536a3?OpenDocument

Merging Application and Device Control Policies http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010051009222048
