Endpoint SWAT: Protect the Endpoint Community

  • 1.  Most Efficient Way to Block file MD5 fingerprints in SEPM 14

    Posted Feb 07, 2018 05:06 AM

    We have multiple Application & Device Control (ADC) Policies. Against any threat advisory we generally get multiple file fingerprints (MD5/SHA256). Thus, it's cumbersome to block all file fingerprints one by one in all ADC Policies.

    Decided to work on an application using the SEPM web API to block file fingerprints easily; it may take some time to develop. If any solution already exists, please share.



  • 2.  RE: Most Efficient Way to Block file MD5 fingerprints in SEPM 14

    Broadcom Employee
    Posted Feb 07, 2018 11:09 AM

    Hello Ashish,

    The recommended path to accomplish this would be to leverage system lockdown with a blacklist of your MD5 hashes. This has been asked before in the Connect forums, which you can find the discussions linked below:

    How do I a list of MD5 hashes to an Application and Device Control Policy? - https://www.symantec.com/connect/forums/how-do-i-list-md5-hashes-application-and-device-control-policy

    How to block applications in SEP using MD5 - https://www.symantec.com/connect/forums/how-block-applications-sep-using-md5

    For more information on System Lockdown - https://www.symantec.com/connect/forums/how-block-applications-sep-using-md5

    14.x Rest API guide - http://www.symantec.com/docs/DOC9447


    Hopefully the above helps, but if you have further questions, don't hesitate to ask.



  • 3.  RE: Most Efficient Way to Block file MD5 fingerprints in SEPM 14

    Posted Feb 08, 2018 12:14 AM

    If you don't mind enrolling your SEPM into the cloud you can use a blacklist the way you are describing. The cloud portal introduces advanced visibility and controls to detect and remediate emerging threats in your environment.

    The cloud portal also leverages Symantec Endpoint Protection's advanced machine learning capabilities to provide visibility into suspicious files and intensive policy-based control of anti-malware. Advanced machine learning does not require signatures to make sure that threats are stopped in your environment.

    The following is a high-level summary of the features:


    Discover and block suspicious detections with the Intensive Protection policy

    Product configuration to optimize for low-bandwidth environments

    Integrated management with central blacklist and whitelist

    Modern cloud portal for managing advanced features



  • 4.  RE: Most Efficient Way to Block file MD5 fingerprints in SEPM 14
    Best Answer

    Posted Feb 08, 2018 06:37 AM

    Hi Ashish,

    Thanks for the post.  I wouldn't automatically add every hash mentioned in an advisory to the ADC blocking policy.  In time you'll build up an enormous policy that could be difficult to process, attempting to block specific files which are likely already detected by other SEP technologies.

    Check to see if coverage against those hashes already exists using open source intelligence sites (VirusTotal is a good resource). If in doubt whether or not Symantec detects a particular hash, customers can check with Public Hash Submission.

    Does Symantec Detect This: An Illustrated Guide to Public Hash Submission
    https://www-secure.symantec.com/connect/articles/does-symantec-detect-illustrated-guide-public-hash-submission

     If the file is not listed in VT then by all means add it to the ADC policy.

    Hope this helps!
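Pulling the thread's two practical points together (post 1: collect an advisory's fingerprints in bulk instead of typing them in one at a time; post 4: check whether a hash is already detected before adding it to ADC), here is an added Python example. It is not part of the thread and not Symantec's code. It extracts MD5 and SHA-256 values from advisory text, normalizes and deduplicates them, and splits them into "already covered" and "candidates for the ADC fingerprint list". The advisory text and the coverage table are constructed; the `known_detected` lookup stands in for the VirusTotal / Public Hash Submission check, which in practice is a manual step or a separate API call. The example deliberately stops short of calling the SEPM REST API; the output list is what you would feed into that step.

```python
import re

# Patterns for the two fingerprint types named in the thread. The \b anchors
# stop a SHA-256 from being partially matched as an MD5 (or as two MD5s).
HASH_PATTERNS = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}

# Constructed sample advisory text (not a real advisory). The two well-known
# values are the MD5 and SHA-256 of the empty string; the third is made up.
ADVISORY = """
Constructed sample advisory
Dropper MD5: D41D8CD98F00B204E9800998ECF8427E
Payload SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Second dropper MD5: 00112233445566778899aabbccddeeff
Repeated in the IoC table: d41d8cd98f00b204e9800998ecf8427e
Not a fingerprint (too short): 0123456789abcdef
"""

# Constructed stand-in for the coverage check described in post 4. In practice
# this set is populated from VirusTotal results or Public Hash Submission.
KNOWN_DETECTED = {
    "d41d8cd98f00b204e9800998ecf8427e",
}


def extract_hashes(advisory_text):
    """Return {"md5": [...], "sha256": [...]} of unique, lower-cased hashes.

    Hashes are kept in first-seen order per algorithm; a value that appears
    several times in the advisory (different case, different section) is
    reported once.
    """
    found = {"md5": [], "sha256": []}
    seen = set()
    for algo, pattern in HASH_PATTERNS.items():
        for match in pattern.finditer(advisory_text):
            value = match.group(0).lower()
            if value not in seen:
                seen.add(value)
                found[algo].append(value)
    return found


def triage(hashes, known_detected):
    """Split extracted hashes into (to_block, already_covered).

    Both results have the same {"md5": [...], "sha256": [...]} shape.
    Hashes already covered by existing detection are left out of the ADC
    candidate list, which is the point made in post 4: do not grow the
    policy with entries that other technologies already catch.
    """
    to_block = {"md5": [], "sha256": []}
    already_covered = {"md5": [], "sha256": []}
    for algo, values in hashes.items():
        for value in values:
            target = already_covered if value in known_detected else to_block
            target[algo].append(value)
    return to_block, already_covered


def fingerprint_lines(to_block):
    """Render the ADC candidates as one lower-case hash per line, MD5 first.

    Assumption: whatever bulk-import step follows (REST API client, manual
    paste) accepts a plain one-hash-per-line list; adjust if yours differs.
    """
    return [*to_block["md5"], *to_block["sha256"]]


if __name__ == "__main__":
    hashes = extract_hashes(ADVISORY)
    block, covered = triage(hashes, KNOWN_DETECTED)
    print("Already covered, skipping:", covered)
    print("Add to ADC fingerprint list:")
    for line in fingerprint_lines(block):
        print(" ", line)
```

Running the script on the constructed advisory reports the empty-string MD5 as already covered and leaves two entries (one MD5, one SHA-256) as ADC candidates; swap `KNOWN_DETECTED` for real lookup results and `ADVISORY` for the advisory text you received, and the candidate list is what the bulk-import step consumes.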