How to utilize SEP 12.1 for Incident Response - PART 2

Created: 28 Aug 2013 • Updated: 01 Aug 2016 | 9 comments
Author: ℬrίαη

Continuing from my previous article, this article looks at using SEP 12.1 System Lockdown in blacklist mode to stop the spread of a malicious file on your network. For System Lockdown to work properly, you do need to have the Application and Device Control component installed.


You do not, however, need to have an ADC policy assigned to the group the machines reside in that will use this feature.

Moving on, did you know System Lockdown has a Blacklist mode? If not, let's get started.

When you go into the System Lockdown settings, blacklist mode does not appear:


How do we make it appear? Stop the SEPM service and navigate to: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc and open the file in a text editor. Add the following line at the end of the file:


Save the changes and restart your SEPM service. Blacklist mode should now appear:


Much better. The objective of Blacklist mode is to block any file(s) that are in the Unapproved Applications list.
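To make the server-side edit above repeatable during an incident, here is an added PowerShell example; it is not from the article or from Symantec. It assumes the SEPM Windows service is named `semsrv` (an assumption about the service name). The article's text does not name the file under `tomcat\etc` or the line to append (both appear only in the screenshots), so both are placeholders you must fill in from the article before running it. The script stops the service, keeps a timestamped backup, appends the line only if it is not already present, and restarts the service even if the edit fails.

```powershell
# Added example (not from the article or Symantec): automate the SEPM config edit.
# ASSUMPTIONS: 'semsrv' is the Windows service name of Symantec Endpoint Protection Manager.
# PLACEHOLDERS: the file name and the property line are not in the article text; fill them in.

$SepmService = 'semsrv'   # assumption: SEPM's Windows service name
$ConfDir     = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc'
$ConfFile    = Join-Path $ConfDir '<CONF-FILE-FROM-ARTICLE-SCREENSHOT>'   # placeholder
$SettingLine = '<PROPERTY-LINE-FROM-ARTICLE-SCREENSHOT>'                  # placeholder

function Set-SepmConfigLine {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Line,
        [string]$ServiceName = $SepmService
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Config file not found: $Path"
    }

    # Stop SEPM first so the running service cannot overwrite the edit.
    Stop-Service -Name $ServiceName -ErrorAction Stop
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

    try {
        # Keep a timestamped backup so the change can be reverted after the incident.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = "$Path.$stamp.bak"
        Copy-Item -LiteralPath $Path -Destination $backup -ErrorAction Stop

        # Only append when the exact line is not already there, so the script is safe to re-run.
        $present = Select-String -LiteralPath $Path -SimpleMatch -Pattern $Line -Quiet
        if (-not $present) {
            # If the file does not end with a newline, start a fresh line first.
            $raw = [System.IO.File]::ReadAllText($Path)
            if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) {
                Add-Content -LiteralPath $Path -Value '' -Encoding Ascii
            }
            Add-Content -LiteralPath $Path -Value $Line -Encoding Ascii
        }

        [pscustomobject]@{
            Path     = $Path
            Line     = $Line
            Appended = (-not $present)
            Backup   = $backup
        }
    }
    finally {
        # Always bring SEPM back up, even if the edit failed.
        Start-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    }
}

Set-SepmConfigLine -Path $ConfFile -Line $SettingLine
```

Run it from an elevated prompt on the SEPM server, then confirm in the console that Blacklist mode is visible. As MIXIT notes in the comments, later releases show the blacklist option by default, so check the System Lockdown screen before editing anything.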

This can be utilised in the event of an attack and/or outbreak on your network. For instance, you notice a suspicious file appearing on multiple PCs but have no idea where it came from. It appears to be spawning other suspicious processes. SEP is up to date, and running a full scan reveals no infections. You upload the suspicious file to multiple virus-checker websites and only one or two say that it is malicious. You decide to use System Lockdown in blacklist mode to stop it from spreading until you can figure out exactly what is going on.

Enable Blacklist Mode, enable System Lockdown, and add the filename to the Unapproved Applications list. Click OK and ensure your clients update their policy:


When the file attempts to execute, it will be stopped dead in its tracks:


This is a quick and dirty approach, but it is very useful for incident response and lets you quickly get a handle on the situation. Because the entry is matched by filename, a renamed copy will not be caught, so treat this as a stopgap while you investigate.

I hope this article will be helpful for you. Comments/Questions/Criticisms are encouraged.


Comments (9)

Mithun Sanghavi wrote:


Finally the second part is here. Good piece of information.

Well done. Keep it up.

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ℬrίαη wrote:

I know, I know, I've been busy.

I'll try to get the next one out much more quickly.


ℬrίαη wrote:

Part 3 is now available:

How to utilize SEP 12.1 for Incident Response - PART 3


ℬrίαη wrote:

Part 4 is out:

How to utilize SEP 12.1 for Incident Response - PART 4


Chetan Savade wrote:

Good Job, Brian!!!

Chetan Savade
Social Media Support Lead
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Kashif.ali wrote:

Excellent knowledge based article.

MIXIT wrote:

These articles are excellent, however after having read so far only Part 1 and 2, I have noticed that some things have changed in the 3 years since they were created. For example the blacklist option now is default in the System LockDown screen (when you radio-select the Enable System Lockdown option, the other options are then no longer greyed out). This isn't a criticism at all but just a friendly request to keep the articles up to date so they stay frosty for the long term. Experienced folk will know to translate from 2013 verbiage into present-day functionality but people that don't read the whole text before answering the questions will start editing conf files only to learn later that it wasn't needed.

Great articles either way.
