Endpoint Protection

  • 1.  SEP and hacking tools

    Posted Mar 26, 2009 10:53 AM
    We are trying to figure out a way to block hacking tools like Metasploit, Rainbowcrack, 0phtcrack etc. with SEP. Apparently On-Access and Scheduled scans don't detect these, and the only way so far that I could find was to use an Application Control policy and block processes by name. As you can imagine, this is not very secure, as one can rename Metasploit.exe to Notepad.exe and run it, which is not good.
    Is anyone doing this and does anyone have any pointers?


  • 2.  RE: SEP and hacking tools

    Broadcom Employee
    Posted Mar 26, 2009 11:07 AM
    Instead of using Application Control to block the process by name you could block the process by checksum. Here is a link to an article on Application Control:

    Title: 'How to configure Application Control in Symantec Endpoint Protection 11.0'
    Document ID: 2007092616264848
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616264848?Open&seg=ent

    If you scroll down a little ways you will see where it starts to talk about blocking processes by checksum and how to use the checksum utility to collect this information.

    Hope that helps!


  • 3.  RE: SEP and hacking tools

    Posted Mar 26, 2009 11:31 AM
    David,

    Thanks for your response. Fingerprint or checksum is indeed another way, but that means that I need to keep track of every single version of a bad app out there -- something I want to avoid. I guess I want to know why SEP is not catching these threats via its antivirus or antimalware engine, because I think it should.

    Dimitri
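
The two rules discussed above (post 2's advice to block by checksum, and post 3's objection that every new build then needs its own fingerprint) can be compared side by side. The following is an added illustration, not SEP code and not from either poster: it applies a name-based rule and a digest-based rule to the same launch attempts. The executables are constructed byte strings standing in for tool builds, the digest is SHA-256 (the thread does not say which algorithm the SEP checksum utility uses, so that choice is an assumption), and the function and label names are invented for the example.

```python
"""Name-based vs checksum-based application blocking (illustrative, not SEP code)."""
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for executables. These are NOT real tool bytes; the
# content only needs to differ between "builds" so that the digests differ.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "metasploit_build1": b"MZ\x90\x00" + b"constructed metasploit build 1",
    "metasploit_build2": b"MZ\x90\x00" + b"constructed metasploit build 2",
    "rainbowcrack":      b"MZ\x90\x00" + b"constructed rainbowcrack",
    "notepad":           b"MZ\x90\x00" + b"constructed notepad",
}

# Rule 1: block by process name (the approach the original poster tried).
NAME_BLOCKLIST = {"metasploit.exe", "rainbowcrack.exe"}


def fingerprint(data: bytes) -> str:
    """Digest of the file contents. SHA-256 is an assumption; the thread does
    not state which algorithm SEP's checksum utility produces."""
    return hashlib.sha256(data).hexdigest()


def build_hash_blocklist(known_bad: Dict[str, bytes]) -> Dict[str, str]:
    """Rule 2: block by checksum. Maps digest -> label, built from the binaries
    an admin has collected fingerprints for."""
    return {fingerprint(data): label for label, data in known_bad.items()}


def blocked_by_name(filename: str) -> bool:
    return filename.lower() in NAME_BLOCKLIST


def blocked_by_hash(data: bytes, hash_blocklist: Dict[str, str]) -> Optional[str]:
    """Returns the matched label, or None if the digest is not on the list."""
    return hash_blocklist.get(fingerprint(data))


def evaluate(filename: str, data: bytes,
             hash_blocklist: Dict[str, str]) -> Dict[str, object]:
    """Apply both rules to one launch attempt and report what each rule sees."""
    name_hit = blocked_by_name(filename)
    hash_hit = blocked_by_hash(data, hash_blocklist)
    return {
        "file": filename,
        "name_rule": name_hit,
        "hash_rule": hash_hit,
        "blocked": name_hit or hash_hit is not None,
    }


def scenarios(hash_blocklist: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """The four cases the thread is about."""
    b1 = SAMPLE_BINARIES["metasploit_build1"]
    b2 = SAMPLE_BINARIES["metasploit_build2"]
    return {
        # Tool run under its own name: both rules fire.
        "original_name": evaluate("Metasploit.exe", b1, hash_blocklist),
        # Renamed to Notepad.exe: the name rule is bypassed, the hash rule is not.
        "renamed": evaluate("Notepad.exe", b1, hash_blocklist),
        # A build that has not been fingerprinted yet: only the name rule fires.
        "new_build": evaluate("Metasploit.exe", b2, hash_blocklist),
        # New build AND renamed: neither rule fires. This is the maintenance gap
        # post 3 describes: every build must be fingerprinted as it appears.
        "new_build_renamed": evaluate("Notepad.exe", b2, hash_blocklist),
    }


def main() -> None:
    known_bad = {k: SAMPLE_BINARIES[k] for k in ("metasploit_build1", "rainbowcrack")}
    blocklist = build_hash_blocklist(known_bad)
    for case, result in scenarios(blocklist).items():
        print(f"{case:<18} name_rule={result['name_rule']!s:<5} "
              f"hash_rule={result['hash_rule']!s:<18} blocked={result['blocked']}")
    # Closing the gap means adding the fingerprint of each new build.
    blocklist.update(build_hash_blocklist(
        {"metasploit_build2": SAMPLE_BINARIES["metasploit_build2"]}))
    print("after adding build2, renamed build2 blocked:",
          scenarios(blocklist)["new_build_renamed"]["blocked"])


if __name__ == "__main__":
    main()
```

Running it shows the trade-off in one table: renaming defeats the name rule but not the checksum rule, while a rebuilt binary defeats the checksum rule until its digest is added to the list. Neither rule is a substitute for the antivirus engine classifying the file, which is the question post 3 raises.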