Document ID: 2007092616264848
Last Modified: 03/30/2010

How to configure Application Control in Symantec Endpoint Protection 11.0 : Configuring Application Control Policies

Situation: You would like to know how to configure Application and Device Control Application policies.

Solution: Application and Device Control Policies

An Application and Device Control Policy offers two types of control, or protection, over client computers: application control and device control. Administrators use:

    • Application control to monitor Windows API calls to client computers and control access to client computers' files, registry keys, and processes.
    • Device control to manage the peripheral devices which users can attach to desktop computers.
Note: Application and Device Control Policies do not work on 64-bit client computers.

About Application Control

Application control blocks or allows the defined applications that try to access system resources on a client computer. Application control is implemented using application control rule sets. An application control rule set contains one or more rules that you create. Each rule contains one or more conditions. Use application control rule sets to define the application control part of your Application and Device Control Policy. Five categories of conditions are available. The categories are as follows:

Condition and description:

    • Registry Access Attempts: Allow or block access to a client computer's registry settings.
    • File and Folder Access Attempts: Allow or block access to defined files or folders on a client computer.
    • Launch Process Attempts: Allow or block the ability to launch a process on a client computer.
    • Terminate Process Attempts: Allow or block the ability to terminate a process on a client computer. For example, you may want to block a particular application from being stopped.
    • Load DLL Attempts: Allow or block the ability to load a DLL on a client computer.

Launch Process Attempts example

In this example, I have configured a policy to prevent Textpad from launching Firefox:

    • First, configure the process that should be monitored (Textpad.exe) and add the desired condition.

Application_Control_Rulset2.jpg

    • Next, select the process that should not be launched by the process you're monitoring.

Application_Control_Rulset3.jpg

    • Then, select the action to take. The example below is to terminate Textpad if it tries to launch Firefox:

Application_Control_Rulset4.jpg

    • Finally, deploy the policy to the clients and try to open a web link from within a Textpad document.


You can also select the action to be Block Access instead of Terminate:

Application_Device_blocked_TP.JPG

Application_Device_blocked1.JPG

Because a file path or file name can easily be changed, you might consider identifying the applications by their checksums rather than by the file path, or even the file name.

    • First, configure the process that should be monitored (Textpad checksum).

Textpad_checksum1.jpg

Textpad_checksum_0.jpg

    • Next, select the process that should not be launched by the process you're monitoring.

Firefox_checksum_0.jpg

The driver responsible for Application and Device Control is SysPlant.sys.


Generating the file fingerprint list:

    • Open a command prompt window.
    • Navigate to the directory that contains the file checksum.exe. By default, this file is located in the following location: C:\Program Files\Symantec\Symantec Endpoint Protection
    • Type the following command: checksum.exe outputfile drive
          where outputfile is the name of the text file that contains the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).
    • The following is an example of the syntax you use: checksum.exe cdrive.txt c:\
          This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.
    • Sample checksum.exe output
          A sample of a checksum.exe output file that was run on a computer image follows. The format of each line is <checksum of the file> <space> <full pathname of the exe or DLL>.
          8394abfc1be196a62c9f532511936df7 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\AcroIEHelper.ocx
          95f2fe2432c55862d7436aeba8ee162f c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\pdf.ocx
          12179617805161ee22ceef37699ee4e6 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\Browser\nppdf32.dll
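The following is an added example, not part of the article or of Symantec's tools: it parses a checksum.exe-style fingerprint list in the format described above and looks files up by content rather than by path, which is the reason the article gives for preferring checksums over file names. The three sample records are the ones quoted above; treating the 32-digit checksums as MD5 is an assumption based on their length.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the checksum.exe output format described above;
# the three records are the ones quoted in the article.
SAMPLE_FINGERPRINT_LIST = r"""
8394abfc1be196a62c9f532511936df7 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\AcroIEHelper.ocx
95f2fe2432c55862d7436aeba8ee162f c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\ActiveX\pdf.ocx
12179617805161ee22ceef37699ee4e6 c:\Documents and Settings\Administrator\Local Settings\Temp\pft1~tmp\Reader\Browser\nppdf32.dll
"""

# checksum.exe writes 32 hexadecimal digits per file (128 bits, MD5-sized).
# Treating them as MD5 is an assumption; the article does not name the algorithm.
_CHECKSUM_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_fingerprint_list(text):
    """Return {checksum: [paths]} from checksum.exe output.

    Each record is "<checksum> <full pathname>". Windows paths routinely
    contain spaces, so split on the first space only, never on whitespace.
    """
    index = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines
        checksum, sep, path = line.partition(" ")
        if not sep or not path or not _CHECKSUM_RE.match(checksum):
            raise ValueError(f"malformed fingerprint record on line {lineno}: {raw!r}")
        index[checksum.lower()].append(path)
    return dict(index)


def md5_fingerprint(data):
    """Hex digest of file content in the same 32-digit form as the list."""
    return hashlib.md5(data).hexdigest()


def is_fingerprinted(index, data):
    """True if the content's checksum is in the list, whatever its path or name.

    Renaming or moving a binary changes its path, not its checksum, so a
    checksum-based rule still matches where a path-based rule would not.
    """
    return md5_fingerprint(data) in index
```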


Technical Information: This comes from the Admin guide.


Configuring application and device control
About the structure of an Application and Device Control Policy
Note: The information in this chapter applies only to 32-bit client computers. Application and Device Control Policies do not work on 64-bit client computers.





Product(s): Endpoint Protection 11
Operating Systems(s): Windows 2000 Professional, Windows 2000 Server/Advanced Server, Windows XP Home Edition, Windows XP Professional Edition, Windows XP Tablet PC Edition, Windows Server 2003 Web/Standard/Enterprise/Datacenter Edition, Windows Vista
Date Created: 09/26/2007

© 1995-2014 Symantec Corporation. All rights reserved.