Endpoint Protection

 View Only

  • 1.  Blocking *.msi?

    Posted Aug 31, 2009 06:55 AM

    Hello
    I use SEPS 11.04 and I checked the block programs from running from removable drives check box under the application and device control policy.

    After I activated this policy I noticed that *.exe is blocked while *.msi still runs.
    Is there a way to change that? I mean the policy comes with * under the apply this rule to the following process which means any process to my understanding.
    Why isn't *.msi included in this I really don't know.

    I have tried to add *.msi to the policy and its still running.

    Please advice

    thank you in advance



  • 2.  RE: Blocking *.msi?

    Posted Aug 31, 2009 07:21 AM
    As Far as I know, application and device control will not block *.msi ( it should be by design i guess) 

    If you want to block msi, you need to block the entire application..

    from  here.

    c:\windows\system32\msiexec.exe ....



  • 3.  RE: Blocking *.msi?

    Posted Aug 31, 2009 07:30 AM
    msiexec.exe is still able to Create and Write .exe files when an Application Control Polciy is in place to block all Create, Write and Delete attempts to all .exe Files


    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/bdc1ca1f484550176525752e006e8dc8?OpenDocument


    This behavior is as designed. Blocking specific MSI packages from installing can be achieved through Microsoft Active Directory Group Policy. Please consult your OS vendor for help with modifying Group Policy

    You cannot do this from SEP hope this answers your question...:) 

    Good Day


  • 4.  RE: Blocking *.msi?

    Posted Aug 31, 2009 09:15 AM
    Rafeeq is write blocking .msi is not supported.

    But i have seen an instance where by blocking msiexec.exe the objective was achieved.

    1 In SEPM go to . Policies/Application and device control / New policy /Application contol

    3. Select "Block appl. from running" -edit- on Block These appl. add line C:\WINDOWS\SYSTEM32\MSIEXEC.EXE

    3. In action choose Block

    ( It my or may not work , Test this first and then try this in production)


  • 5.  RE: Blocking *.msi?

    Posted Aug 31, 2009 10:14 AM
    You are correct :) 

    I wrote in the first comment as he need to block the application ( msiexec.exe) 

    "If you want to block msi, you need to block the entire application..

    from  here.

    c:\windows\system32\msiexec.exe "

     



  • 6.  RE: Blocking *.msi?

    Posted Aug 31, 2009 10:32 AM
    It is a work around not a solution:)