Endpoint Protection

  • 1.  Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:06 PM

    Hi guys, I am looking for a way to perform a use case which I need to follow. Appreciate your expert opinion on this. I need to make SEP log (create an event) for any executables which users try to run on their machines which have no reputation (unproven files), to be precise, in Symantec Reputation services. Is there any way we can achieve this?

    I know we have a way to do this if users try to download any files from the Internet (Download Insight): we can block unproven files. But I am asking if we can do it locally via Auto-Protect or some other component of SEP for any executable which users try to execute which has low reputation (unproven files). Appreciate your support.

     

    Thanks 



  • 2.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:08 PM

    It's already logged to the Risk log. It would show as "Left Alone" or "User-allowed download".



  • 3.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:26 PM

    Brian, thanks for the reply firstly, and secondly I wasn't talking about the downloading of executables from the internet.

    I am talking about the executables that are already available on the file system, or that can be brought in via an external device like USB etc. To put it in a simple way, can we detect or force an incident for executables based on their reputation (unproven files) which are already there on the system or brought in via USB? I am not talking about downloading files from the internet (Download Insight).

     

    Appreciate your kind reply and expert opinion. Thanks



  • 4.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:31 PM

    The only other way is to set up an application to monitor like I linked in your other thread. Then you can create a "forced application" alert.

    You need to know the exact name of the executable you want to monitor. And no, it has nothing to do with reputation. What you want to do exactly is not possible.



  • 5.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:40 PM

    What you are looking for is something not possible at the moment.



  • 6.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:41 PM

    So there is no way of getting this thing achieved then? Well, using application monitor to do this is not practical because we are looking to force detection for such executables for which there is no reputation (unproven files), so how are we supposed to know the names of all these executables prior to this? Well, we can do this (block unproven files) for files which are being downloaded from the internet, via Download Insight, to block all the executables which have no reputation (unproven files) from being downloaded, but what if the executable is not being downloaded and instead is already available on the file system or is introduced via an external source like USB?

    This is the use case I need to achieve via SEP, but so far I have not found a way to accomplish this.



  • 7.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 22, 2016 01:45 PM

    It cannot be done, no. Put in an Idea and hope it gets implemented in a future release.



  • 8.  RE: Making SEP to log or block any executable from running with low or unproven reputation

    Posted Mar 29, 2016 12:25 PM

    You can create a rule in Application control to log every time an executable is executed. But you cannot do it only for the files with low reputation.