Endpoint Protection


Using System Lockdown to all Applications running only from Program Files

  • 1.  Using System Lockdown to all Applications running only from Program Files

    Posted Apr 11, 2016 04:07 PM

    Hello everyone, I have a requirement. We need to use System Lockdown to allow applications to be executed only from Program Files but not from any other directory or folder, except from Program Files. How can I achieve this using System Lockdown?

    Appreciate your support. Thanks 



  • 2.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 11, 2016 04:13 PM

    Put in %ProgramFiles%\* as your excluded directory.

    You don't plan to patch or update content on these?



  • 3.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 11, 2016 04:22 PM

    Yes, initially I put in %programfiles%*.exe but it blocked everything. Should I only put %programfiles%?

    Yes, we intend to patch and update. What exclusions am I required to add for those?


    Thanks 



  • 4.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 11, 2016 04:28 PM

    What exclusions am I required to add for SEP LiveUpdate and Windows patching?

    Thanks and Regards



  • 5.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 11, 2016 04:30 PM

    %programfiles%\*

    Symantec Endpoint Protection system lockdown blocks definitions updates

    You're probably better off importing a list of known apps you want to run otherwise this is gonna get ugly.



  • 6.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 11, 2016 06:23 PM

    You could create a fingerprint list of all applications you want to launch only out of %ProgramFiles% and %ProgramFiles(x86)% and forbid them through System Lockdown's Blacklist mode.

    Before 12.1.6, you have to make Blacklist mode appear by editing the conf.properties file, see here.

    Then exclude the %ProgramFiles% and %ProgramFiles(x86)% folders in the System Lockdown form.

    The whitelist way would be extremely difficult to create and maintain, if any.

    Theoretically, it should be possible to do the same with an Application Control rule.




  • 7.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 12:28 AM

    Hi can you please tell me how can I achieve the same with application control ? Appreciate if you can share the steps. Thanks



  • 8.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 01:51 AM

    This should get you started:

    Setting up application and device control: https://support.symantec.com/en_US/article.HOWTO80856.html




  • 9.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 03:14 AM

    It should be possible with Application Control, but if you leave out C:\Windows your system won't live for long.

    This policy of only allowing programs from %programfiles% looks good in theory and works in a lab environment, but hardly ever works in a production environment.

    Just search your %appdata% or c:\programdata for *.exe. There are a lot of applications that will stop working if you do as suggested.




  • 10.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 06:58 AM

    Please forget my suggestion above. It won't work properly because there is no exclusion list in the System Lockdown form :-(

    The only way I see is to thoroughly create a list of apps that may only run from %programfiles% (fingerprints or app name) and implement them into an Application Control rule.

    The condition of this rule should look like this:

    [Image: prog01.png (screenshot of the rule condition)]

    As you see, you have to insert the processes that may only run from %programfiles% (either fingerprints or process name). Exclude the %PROGRAMFILES% folders and select "Block access" in the Action tab. This way the apps will be blocked unless they are in the %programfiles% folders.

    On the rule level ("Rule 1") don't forget to insert an asterisk "*" (without quotes).

    I admit this is not an elegant solution, and it requires some maintenance.



  • 11.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 08:38 AM

    Greg, I'm pretty sure SymSpec is looking to just block all applications on the system except if they are run from %programfiles%. He wants to automatically trust %programfiles% and block everything else.

    It should work if he puts * under "Apply to the following processes" and your suggestions under "Do not apply to the following processes".

    But his system will die because he also needs c:\windows\* (c:\windows\*\*) and a bunch of other paths.


    Torbjørn



  • 12.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 08:42 AM

    Nor will his system patch or get Symantec updates.

    The requirement needs to be adjusted to allow for these exceptions or whoever set the requirement needs some education on how system lockdown works and what the ramifications are of doing it this way.



  • 13.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 12, 2016 02:33 PM

    You are right. I just did not want to lead SymSpec into temptation, so I showed a solution without the dreadful "*" in the condition. There is no easy and unperilous way to reach SymSpec's goal, I fear. Of course he can follow your suggestion and switch the AC rule to "Test" for the first time so that it's possible to find the necessary folders that must be excluded.

    Two weaknesses of Application Control and System Lockdown are making the task so difficult: You cannot import a list of apps into AC (which is possible in SL), and it's not possible to define exclusions in SL (which is possible in AC).

    Someone should launch an idea -- or two :-)
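As an added example (not code from any of the posts above), the inventory that posts 9 and 13 recommend before enforcing such a rule: enumerate the executables living under %appdata%, %localappdata% and %programdata% that an "only from Program Files / Windows" policy would block, grouped by folder so each folder can be judged as a candidate "Do not apply to the following processes" exclusion. The allowed roots and the CSV output path are assumptions chosen for this example.

```powershell
# Added example: pre-deployment inventory for a "run only from Program Files" policy.
# Assumption: these roots are what the policy would trust; everything else is blocked.
$AllowedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }   # drop the empty x86 entry on 32-bit hosts

# The folders the thread names as hiding per-user and machine-wide executables.
$SuspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

function Test-InAllowedRoot {
    param([string]$Path)
    foreach ($root in $AllowedRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Every .exe outside the allowed roots is something the rule would stop.
$wouldBlock = foreach ($root in $SuspectRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InAllowedRoot $_.FullName) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Folder    = $_.DirectoryName
                Publisher = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                            else { 'unsigned/invalid' }
            }
        }
}

# One row per folder: the folders with many hits are the ones worth excluding
# as a path, the rest can be handled per process or fingerprint.
$wouldBlock | Group-Object Folder | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full list, with publisher, for review before the rule leaves "Test" mode.
$wouldBlock | Export-Csv -Path "$env:TEMP\would-block.csv" -NoTypeInformation
```

Run it on a representative production machine, not a lab image, since the thread's point is that the lab result does not transfer.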



  • 14.  RE: Using System Lockdown to all Applications running only from Program Files

    Posted Apr 13, 2016 04:47 AM

    I agree. It's an awareness issue. Some people think that application whitelisting is a silver bullet and easy to deploy. Even die-hard whitelisting products like Bit9 and Avecto are a pain to use.

    I've seen several government CERTs preach that application whitelisting is easy-peasy: just activate AppLocker or similar with "block everything except %programfiles%" and you will never be hacked again. The problem is that this doesn't work in real life.

    It will only work if you have a 100% dedicated resource just to make exclusions and you only deploy the software on new endpoints you can control. Trying to push this out to systems already in production will cause a lot of pain.


    Torb