Endpoint Protection

  • 1.  System Lock Down Policy

    Posted Aug 10, 2012 01:46 AM

    Need Suggestions on below.

     

    1. In ADC, there is no option to block a file based on its digital signature.

    2. There should be an option to add SCCM, AD and WSUS servers to the whitelist in the ADC System Lockdown policy.

    We cannot add a fingerprint value manually every time hotfixes/patches are released by MS.

    There should be an option or way to whitelist the above servers and allow Windows patches and SCCM jobs on a System Lockdown machine.

    3. When a fingerprint DB is prepared from a machine (Windows 7 32-bit), the same fingerprint cannot be used on a different machine with the same OS.

    We cannot prepare a fingerprint DB on every single machine. A dynamic whitelisting approach would be the best way in the System Lockdown policy.

     

     

    Any ideas would be helpful.

     

    Thanks,

    Prakash



  • 2.  RE: System Lock Down Policy

    Posted Aug 10, 2012 04:35 AM

    ...it would really help to state the Symantec product you're using and post in the correct forum.

    Otherwise state what it is & I will move it accordingly.

    Thanks!



  • 3.  RE: System Lock Down Policy

    Posted Aug 10, 2012 04:39 AM

    SEP 12.1 RU1



  • 4.  RE: System Lock Down Policy

    Posted Aug 10, 2012 04:42 AM

    ...then moved to the correct location!



  • 5.  RE: System Lock Down Policy

    Broadcom Employee
    Posted Aug 10, 2012 05:05 AM

    Hi,

    Check following article

    Managing file fingerprint lists

    http://www.symantec.com/docs/HOWTO55133

    How to configure System Lockdown to allow Microsoft Security Updates

    http://www.symantec.com/docs/TECH103977

    Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/HOWTO55138



  • 6.  RE: System Lock Down Policy

    Posted Aug 10, 2012 05:19 AM

    Hi Chetan,

    Thanks.

    I have prepared the fingerprint DB as per HOWTO55133.

    But, for example, when I prepare the fingerprint from Machine A, the same cannot be used on Machine B even if it has the same configuration and OS. We cannot prepare 1000 fingerprints from every machine and merge them. There should be a dynamic way for this.

    Also, article TECH103977 is for XP machines.

    This is not working on Windows 7. I need to allow MS patches for Windows 7 machines which are already in the System Lockdown policy.

     

    Thanks,

    Prakash



  • 7.  RE: System Lock Down Policy

    Broadcom Employee
    Posted Aug 10, 2012 05:54 AM

    Hi,

    As per article HOWTO55133, best practice says you should create an approved software image.

    If you are installing the OS separately, then there isn't any dynamic way to implement it.



  • 8.  RE: System Lock Down Policy

    Posted Aug 12, 2012 11:09 PM

    Hi Chetan,

     

    If we have 1000 machines, it's not easy to get the fingerprint on every individual machine.

    Even the OS image/software images are the same. We are not able to use the fingerprint collected from machine A on machine B (configurations are the same).

     

    Also, we need to allow the MS patches on Windows 7 machines which are already in the System Lockdown policy.

     

    Cheers

    Prakash
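The fingerprint-list workflow the linked articles describe (collect a list per machine, merge lists in the SEPM) and the machine A / machine B mismatch reported in posts 6 and 8, as an added example that is not part of this thread and is not Symantec's code. It assumes the list format written by SEP's checksum.exe (one "<MD5 hex> <full path>" entry per line, whitespace-separated); the two sample lists, their hashes and the set of executable extensions are constructed for illustration. The compare step shows the usual reason a list from one machine fails on a "same" machine: a binary at a different patch level, or a file that only exists on one host.

```python
"""Build, merge and compare SEP-style file fingerprint lists.

Added example, not code from this thread or from Symantec.  Assumed list
format (modelled on SEP's checksum.exe output, see HOWTO55133): one file
per line, "<MD5 hex digest> <full path>".  Sample data below is constructed.
"""
import hashlib
import os
from typing import Dict, Set, Tuple

Entry = Tuple[str, str]  # (md5 upper-case hex, path lower-case)

# Assumed set of executable content worth fingerprinting; adjust as needed.
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def md5_of_file(path: str) -> str:
    """Stream a file through MD5, the digest SEP fingerprint lists use."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def build_fingerprint_list(root: str) -> Set[Entry]:
    """Per-machine collection step: walk a tree and fingerprint executables.
    Locked or unreadable files are skipped instead of aborting the run."""
    entries: Set[Entry] = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                entries.add((md5_of_file(full), full.lower()))
            except OSError:
                continue
    return entries


def parse_list(text: str) -> Set[Entry]:
    """Parse '<hash> <path>' lines.  Paths may contain spaces, so split
    only on the first whitespace run; blank and '#' lines are ignored."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        if len(digest) != 32:
            raise ValueError(f"bad MD5 digest on line: {line!r}")
        int(digest, 16)  # raises ValueError if not hexadecimal
        entries.add((digest.upper(), path.strip().lower()))
    return entries


def format_list(entries: Set[Entry]) -> str:
    """Serialise back to one entry per line, sorted by path then hash."""
    return "".join(f"{h} {p}\n" for h, p in sorted(entries, key=lambda e: (e[1], e[0])))


def merge_lists(*lists: Set[Entry]) -> Set[Entry]:
    """Union of several lists (the merge step HOWTO55138 describes).
    Keying on (hash, path) keeps both the pre-patch and post-patch version
    of a binary, so hosts at either patch level remain compliant."""
    merged: Set[Entry] = set()
    for lst in lists:
        merged |= lst
    return merged


def compare_lists(a: Set[Entry], b: Set[Entry]) -> Dict[str, object]:
    """Explain why list A does not cover machine B: entries present on only
    one side, plus paths on both sides with no hash in common (same binary,
    different patch level)."""
    by_path_a: Dict[str, Set[str]] = {}
    by_path_b: Dict[str, Set[str]] = {}
    for h, p in a:
        by_path_a.setdefault(p, set()).add(h)
    for h, p in b:
        by_path_b.setdefault(p, set()).add(h)
    different_version = {
        p: (by_path_a[p], by_path_b[p])
        for p in by_path_a.keys() & by_path_b.keys()
        if by_path_a[p].isdisjoint(by_path_b[p])
    }
    return {"only_in_a": a - b, "only_in_b": b - a, "different_version": different_version}


# Constructed samples: machine A before the monthly update; machine B from the
# same image but with a patched kernel32.dll and one locally added tool.
LIST_A = r"""
0C3F1E0A8B1D4C2E9F6A7B8C9D0E1F2A c:\windows\system32\ntoskrnl.exe
1D4E2F1B9C2E5D3F0A7B8C9D0E1F2A3B c:\windows\system32\kernel32.dll
2E5F3A2C0D3F6E4A1B8C9D0E1F2A3B4C c:\program files\line of business\lob.exe
"""
LIST_B = r"""
0C3F1E0A8B1D4C2E9F6A7B8C9D0E1F2A c:\windows\system32\ntoskrnl.exe
3F6A4B3D1E4A7F5B2C9D0E1F2A3B4C5D c:\windows\system32\kernel32.dll
2E5F3A2C0D3F6E4A1B8C9D0E1F2A3B4C c:\program files\line of business\lob.exe
4A7B5C4E2F5B8A6C3D0E1F2A3B4C5D6E c:\users\bob\downloads\tool.exe
"""

if __name__ == "__main__":
    a, b = parse_list(LIST_A), parse_list(LIST_B)
    report = compare_lists(a, b)
    print("entries only on A:", len(report["only_in_a"]))
    print("entries only on B:", len(report["only_in_b"]))
    for path, (ha, hb) in report["different_version"].items():
        print(f"different version: {path}  A={sorted(ha)}  B={sorted(hb)}")
    print(format_list(merge_lists(a, b)), end="")
```

Run `build_fingerprint_list(r"C:\Windows")` on a gold image to produce a list, `compare_lists` against a list from a host that fails lockdown to see exactly which binaries differ, and `merge_lists` to fold the post-patch hashes into the approved list before importing it into the SEPM; the comparison output is also what tells you whether a mismatch is a patch-level difference (expected after Patch Tuesday) or an unexpected executable that lockdown should keep blocking.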