Endpoint Protection

  • 1.  Stop Portable Applications From Running

    Posted Oct 21, 2009 12:15 PM
    I've had no trouble stopping installed Windows and other applications from running, but those have been installed. There are some applications that reside in my network that are portable applications, like one portable Skype, and even if I set my Devices and Applications policy to terminate the processes *\Skype.exe and *\skypePM.exe, it still doesn't block them. I think that might be because they are portable applications.


    How can I really block these applications from running from anywhere in any way?


  • 2.  RE: Stop Portable Applications From Running
    Best Answer

    Posted Oct 21, 2009 12:28 PM
    You can try blocking the application by the file fingerprint.


    https://www-secure.symantec.com/connect/forums/how-block-applications-sep-using-md5



  • 3.  RE: Stop Portable Applications From Running

    Posted Oct 21, 2009 03:25 PM
    Check this link,
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092616264848

    Generating the file fingerprint list:

    => Open a command prompt window.
    => Navigate to the directory that contains the file checksum.exe. By default, this file is located in the following location: C:\Program Files\Symantec\Symantec Endpoint Protection
    => Type the following command: checksum.exe outputfile drive

    where outputfile is the name of the text file that contains the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).

    => The following is an example of the syntax you use: checksum.exe cdrive.txt c:\

    This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.
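
The following is an added example, not part of the thread and not Symantec's checksum.exe: it shows why a fingerprint rule still matches a copy of an executable that has been renamed and moved, where a file-name rule does not. Python's hashlib MD5 stands in for the fingerprint, and the folder layout, file names and file contents are constructed for the demonstration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".dll"}  # file types covered by the fingerprint list

def md5_of(path):
    """MD5 of the file content; name and folder play no part in it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def fingerprint_tree(root):
    """Return {path: md5} for every executable or DLL under root."""
    return {str(p): md5_of(p) for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_EXTS}

def hits_by_name(fps, names):
    """Paths whose file name matches a wildcard (a rule like *\\Skype.exe)."""
    return sorted(p for p in fps if any(
        fnmatch.fnmatch(Path(p).name.lower(), n.lower()) for n in names))

def hits_by_fingerprint(fps, blocked):
    """Paths whose content hash is on the blocked fingerprint list."""
    return sorted(p for p, digest in fps.items() if digest in blocked)

def demo():
    """Build a constructed file tree and return (name hits, fingerprint hits)."""
    app = b"MZ constructed stand-in for the portable application"
    tree = {"Program Files/Skype/Skype.exe": app,
            "Users/bob/Desktop/tools/chat.exe": app,  # renamed portable copy
            "Windows/notepad.exe": b"MZ constructed unrelated binary"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        fps = fingerprint_tree(root)
        blocked = {hashlib.md5(app).hexdigest()}  # fingerprint of the known build
        strip = lambda paths: [Path(p).relative_to(root).as_posix() for p in paths]
        return (strip(hits_by_name(fps, ["skype.exe", "skypepm.exe"])),
                strip(hits_by_fingerprint(fps, blocked)))

if __name__ == "__main__":
    print("name rule: %s\nfingerprint rule: %s" % demo())
```

A fingerprint identifies one exact build, so each new version of the application needs its own entry in the list.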



  • 4.  RE: Stop Portable Applications From Running

    Posted Oct 22, 2009 04:29 AM
    You can also use the application learning feature to find all the applications which are used.
    Then you can block as you need using the file fingerprint or the hash value of the file.


  • 5.  RE: Stop Portable Applications From Running

    Posted Oct 22, 2009 10:46 AM
    If you can, I find it best to block all applications not in approved paths.  On our high-security workstations, only programs in the Program Files folder and Windows folder are allowed to run, in addition to a network share where logon scripts go.  If the users are limited users, they have no way to run a program that wasn't installed for them.  If they are administrators, they still have to know to move the app to an approved location to install it or get it running.  Besides SEP, you can also use the software restriction policies built into Windows.


  • 6.  RE: Stop Portable Applications From Running

    Posted Oct 22, 2009 10:54 AM
    But are you not blocking JAVA and JAVA updates, FLASH and other things that run in the
    %userprofile%\application data
    and
    %userprofile%\local settings\application data
    areas?
    A lot of new stuff installs to and runs in those areas now.
    No, I do not agree with them, GOOGLE is one, JAVA stuff is another, FLASH places crap there, too.
    Many organizations are bypassing normal security by placing their stuff there.
    Google places DLLs and other things there - in fact the entire CHROME install goes there - (and that's how I block CHROME!)

    I agree with what you are doing - but wonder - don't you have to hassle with any exceptions, etc.?
    Like Go-To Meeting runs from there! Anyone wishing online training, online meetings, etc. - it all runs from the above paths.
    VERY few apps install to the Program Files area any more. They all seem to have found they can get into the corporate world through naive and wanting end users by simply installing to the profile areas.
    That way the poor suppressed needy end user can get past the greedy nasty bossy IT folks and get what they want, while Adobe and Google look like heroes to them.