How to block applications in SEP using MD5

  • 1.  How to block applications in SEP using MD5

    Posted Jun 03, 2009 01:38 AM
    Hi all,

    This thread is for the use of SEP in blocking applications using the MD5 file fingerprint.

    The procedures are written below:

    Open SEPM
    • Clients - select group to apply policy to
    • Click on Policies tab on right window pane
    • Click on Application and Device Control policy - new window will open
    • Click on Application Control
    • Enable Block applications from Running and select it then click on Edit... button - new window will open
    • Click on Add... in the Rules tab [I'd like to leave the default in there]

    Modify the Properties
    • Add Rule Name
    • Click on Enable this rule
    • Add the application in the Apply this rule to the following process - new window will open
    • Click on Options>> to expand window
    • Click on Match file fingerprint
    • Copy MD5 hash in text field.
    • Click on 'OK'
    • Click on Actions tab
    • Select desired action to take on the monitored process, click on ok.

    Go to main client window (click on Ok to get there)
    • Update clients and make sure that the policies are updated.
    This link is the discussion we had and how the solution was made.

    Thanks for the initial contributions of (in no particular order): RickJDS, SysAdmin1979, Paul Mapacpac, dimitri limanovski, Grant_Hall, Nel Ramos, Cycletech, delifeath, Jobert, Ms. Gracie...and those who voted!

    Rules for replying: (because I want to make this easier for new users to read this thread)

     If you have an MD5 you'll post here, follow this format.

    • Title is the application name
    • body contains the version number and the md5 associated with it and a short description of the application.
    • If it works or not, vote using the thumbs icons.
     For Requests
    • Title should contain the word request and the application name
    • body contains additional information and possibly a link to where you got the application if available.
    • Reply to request if you have the MD5 so that it will immediately be under the request thread for ease of search.
    • If you want an MD5 for this app, vote.


  • 2.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 03:16 AM
    https://www-secure.symantec.com/connect/forums/ultrasurf


  • 3.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 04:35 AM
    Nice post mon_raralio,

    I think it would be helpful to define how to get the MD5 value or file fingerprint (taken from SEPM help file):

    Creating a file fingerprint list
    You can use Checksum.exe to create a file fingerprint list. The file fingerprint list names each file and corresponding checksum that resides on the client computer image. This tool is provided with Symantec Endpoint Protection on the client.

    To create a file fingerprint list

    Go to the computer that contains the image for which you want to create a file fingerprint list. The computer must have Symantec Endpoint Protection client software installed.

    Open a command prompt window.

    Navigate to the directory that contains the file Checksum.exe. By default, this file is located in the following location:
    C:\Program Files\Symantec\Symantec Endpoint Protection

    Type the following command:
    checksum.exe outputfile drive
    where outputfile is the name of the text file that contains the checksums for all the executables that are located on the specified drive. The output file is a text file (outputfile.txt).
    The following is an example of the syntax you use:
    checksum.exe cdrive.txt c:\
    This command creates a file that is called cdrive.txt. It contains the checksums and file paths of all the executables and DLLs found on the C drive of the client computer on which it was run.
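
The fingerprint-list idea from the post above, as an added Python example; it is not part of the thread and is not Symantec's checksum.exe. The function names, the .exe/.dll filter and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Extensions treated as executables here (assumption; how checksum.exe
# selects files is not described in detail on this page).
EXECUTABLE_EXTS = {".exe", ".dll"}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_fingerprint_list(root):
    """Walk root and return (md5, path) pairs for executables, sorted by path."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                try:
                    entries.append((md5_of_file(full), full))
                except OSError:
                    continue  # locked or unreadable file: skip it
    return sorted(entries, key=lambda entry: entry[1])


def find_blocked(entries, blocklist):
    """Return the entries whose MD5 is on the blocklist (case-insensitive)."""
    wanted = {h.strip().lower() for h in blocklist}
    return [(h, p) for h, p in entries if h in wanted]


def demo():
    """Build constructed sample files, fingerprint them, match a blocklist."""
    samples = {
        "tool_v1.exe": b"constructed sample: version 1",
        "renamed_copy.exe": b"constructed sample: version 1",  # same bytes
        "tool_v2.exe": b"constructed sample: version 2",       # new release
        "notes.txt": b"not an executable",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        entries = build_fingerprint_list(root)
        # Blocklist holds only the version 1 hash, in upper case as some
        # posts in this thread write them.
        blocklist = [hashlib.md5(samples["tool_v1.exe"]).hexdigest().upper()]
        hits = find_blocked(entries, blocklist)
        return ([os.path.basename(p) for _h, p in entries],
                [os.path.basename(p) for _h, p in hits])


if __name__ == "__main__":
    listed, blocked = demo()
    print("fingerprinted:", listed)
    print("on blocklist: ", blocked)
```

Matching is on file content, so the renamed copy is still caught while the new version is not, which is why this thread keeps collecting a fresh MD5 for every release.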



  • 4.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 05:55 AM
    Firefox 3.0.10. 

    MD5: 7A2EE5713531A25CB3B2A516CD0E24BF

    An Open Source web browser.


  • 5.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 08:17 AM
    Ultr@VNC 1.0.2 - Win32 - June 2006 (from the readme.txt file)

    vncviewer.exe MD5: 95973838df1345ab4a28f346443f1cf3
    winvnc.exe MD5: 913ff5a608de6a2ab320eb919092049a

    Application used for remote desktop access. Requires a server and a client.



  • 6.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 08:23 AM
    The information provided by you is good.

    But first we need to have the MD5 value of the application or the exe to be blocked.


  • 7.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 10:16 AM
    Ultrasurf MD5's to date that I've found:

    8.6 or u86 = f53597f07ad9425d64a1eccd440e7b54
    9.0 or u90 = faf9418cc0d4d4ff0a78f61283a9d29a
    9.1 or u91 = 13f51c8c42e44bcb459c62e1c0e0e93b
    8.7 or u87 = b6d9db95e947705eeaa98544de5647ce
    8.8 or u88 = 4e3a66482ef96368251d91b4f5ae0fda
    9.2 or u92 = 4b498bcac14da546f420cd08bae1894b
    9.4 or u94 = 11bc744801b516d0b84fba5850ec8789
    8.9 or u89 = f556271e1338dfc224cbebf6fe8f8eae

    Looks like the Ultrasurf team lists the MD5's of the new versions as they are released on their website. This will be a good place to check for new versions and their MD5's.

    http://www.ultrareach.com/download_en.htm

    Ultrasurf is an application that creates a local proxy setting on a users' system in order to bypass a corporation, school or country wide firewall. Uses the ultrasurf servers as the proxies to hide all the users' internet traffic and deletes all the users' internet browsing history and related files.


  • 8.  RE: How to block applications in SEP using MD5

    Posted Jun 03, 2009 01:30 PM
    Note: SEP can fingerprint (and use the fingerprints in APPLICATION access control rules) EXEs only. Fingerprinting other types of files does nothing; you cannot use that fingerprint in application access control rules, which is somewhat stupid, as applications can have other extensions than EXE, like VBS, VBE, HTA, etc.
    Blocking non-EXEs should be done via file and folder access control rule, but you will lose a fingerprint option.


  • 9.  RE: How to block applications in SEP using MD5

    Posted Jun 04, 2009 11:18 PM
    Request for the MD5 of various Instant Messenger clients.
    Like Yahoo version 8 and 9.


  • 10.  RE: How to block applications in SEP using MD5

    Posted Jun 04, 2009 11:56 PM
    found MD5 for Thor:

    5C53D9693F661E6A748157D766D362B3

    thanks..


  • 11.  RE: How to block applications in SEP using MD5

    Posted Jun 05, 2009 12:01 AM
    mon_raralio@ :  
    IMSMS is a tool that allows mobile to send and receive IM..
    MD5 for IMSMS is 1E6005419BBF5DDE53CED6C4D73DEBDB
    Link below:
    http:\\dsosoftware07.googlepages.com/imsms-instantmessagingsms






  • 12.  RE: How to block applications in SEP using MD5

    Posted Jun 05, 2009 03:19 AM
    how does checksum.exe work?
    sorry for asking since i am just new to symantec...
    would it work in SAV10.1?
    if not, is there a counterpart?
    thanks...


  • 13.  RE: How to block applications in SEP using MD5

    Posted Jun 05, 2009 09:49 AM
    checksum.exe is only available in SEP and can only be used there. Sorry, mate. Can't think of a counterpart for that. Why not consider an upgrade if you're willing to buy another security application? This is only part of what SEP can offer. And I'm not sucking up to the product when I say this.


  • 14.  RE: How to block applications in SEP using MD5

    Posted Jun 05, 2009 03:12 PM
    I just want to say that I don't see the point in posting a bunch of MD5's in this thread.  You can simply go to communication settings for your group under Clients > Policies and check the "Learn applications that run on client computers" box.  As per the description, "Clients will keep track of every application that is run and send the collected data to the management server."  Once the logs are uploaded to the server, you can simply search for the application under Policies > Expand Policy Components > File Fingerprint Lists > Search for Applications.  Once in this screen you can search by application name, file fingerprint, path, or you can list all the applications for specific computers, groups, etc.  Once you find the application it should list the file fingerprint/md5. 


  • 15.  RE: How to block applications in SEP using MD5

    Posted Jun 05, 2009 03:59 PM
    MD5: db06b12e8de572ab8b8c482e3ee574f5

    Yahoo Messenger Client Version 9.00.2152



  • 16.  RE: How to block applications in SEP using MD5

    Posted Jun 05, 2009 11:16 PM
    Citlali might be right .. but will it make the network slow... while in learning mode...
    if it does... might well use it during off peaks..


  • 17.  RE: How to block applications in SEP using MD5

    Posted Jun 06, 2009 06:32 AM
    do you have the md5 for chikamail...
    thanks..


  • 18.  RE: How to block applications in SEP using MD5

    Posted Jun 06, 2009 01:05 PM
    Please post a link to the download page of the application. Thanks.


  • 19.  RE: How to block applications in SEP using MD5

    Posted Jun 06, 2009 01:10 PM
    You're right on that there is an easier way to do things. One explanation I could give you is that having the MD5 in advance would prevent the users from even installing or copying the application to your network. This is where we become proactive. :D

    And not every company or admin would be willing to just enable an application or feature. Based on experience, users almost always blame the AV software whenever their PCs get slower. I just don't want to give them another excuse.


  • 20.  RE: How to block applications in SEP using MD5

    Posted Jun 11, 2009 08:07 AM
    How to get the MD5 Value for an Application

    One of the easiest ways is to download the HashTab tool from the link below:

    http://beeblebrox.org/hashtab/

    Run that tool and after that you just have to right click on any application and you will get a tab for Hash Tab and in there you will get the MD5 value.
    It also provides SHA-1 and CRC32 values as well.




  • 21.  RE: How to block applications in SEP using MD5

    Posted Jun 12, 2009 02:58 AM
    thanks for the info..
    I shall download it and check...
    will give you update later..
    thanks...


  • 22.  RE: How to block applications in SEP using MD5

    Posted Jun 12, 2009 06:24 PM
    This is what was "learned" in my environment by SEP (Executable, Name of Application, Version, MD5):

    firefox.exe Firefox 1.9.0.3399 CA2AC84AA6C67F742D9785E553848927
    firefox.exe Firefox 1.9.0.3105 A6D64056AD6CA84534143757FD782D7A
    firefox.exe Firefox 1.9.0.3257 8DA0A66CB74FCBB393038E37E0F691BA
    firefox.exe Firefox 1.9.0.3372 7E4B0BB3B1E87D2B0F07DFACBD5B3F0B
    firefox.exe Firefox 1.9.0.3306 A4458CA176309C9358E8DF3FE88B33D5
    firefox.exe Firefox 1.9.0.3384 4D9F3D6B4FA21D68B66C657D556B97A5
    Firefox_Portable_3.0.10_en-us.paf.exe Mozilla Firefox, Portable Edition 3.0.10.0 5F57D760F9B0D23560B1EA09731D2349
    FirefoxPortable.exe Mozilla Firefox, Portable Edition 1.6.4.0 153352 E20C8F15F66DF72F3FB1FDC4FCBCDDAC
    FirefoxPortable.exe Firefox Portable 1.3.3.0 133730 B866D4C78B4F0C076FB79F5AC78FD508


  • 23.  RE: How to block applications in SEP using MD5

    Posted Jun 17, 2009 04:11 AM
    hi...

    Where can I get a list of all MD5 file fingerprints...

    plz help me.

    Thanx....


  • 24.  RE: How to block applications in SEP using MD5

    Posted Jun 17, 2009 11:30 AM
    Aside from the MD5s posted here, follow the instructions posted on the first few threads of this discussion.


  • 25.  RE: How to block applications in SEP using MD5

    Posted Jun 18, 2009 04:23 AM
    Hi Mon...
    are there new updates on new MD5s for the exclusion list..?
    thanks...


  • 26.  RE: How to block applications in SEP using MD5

    Posted Jun 20, 2009 10:59 AM
    If you want something to be added. Just post the program and download link for that program. Use the program name as the title.

    Oh, and FYI to the rest. Good news!  For those who want to block all Yahoo Messenger clients, you may want to read this blog:
    http://www.ymessengerblog.com/blog/2009/06/09/we%E2%80%99re-retiring-versions-60-to-75/


  • 27.  RE: How to block applications in SEP using MD5

    Posted Jun 22, 2009 12:48 AM
    great mon..
    surely this will make the clients go mad..
    hahaha..
    good for us..


  • 28.  RE: How to block applications in SEP using MD5

    Posted Jun 23, 2009 09:44 AM
    Another firewall bypass software: Freegate from Dynaweb / Dynamic Internet Technology Inc. (DIT).

    See http://us.dongtaiwang.com/home_en.php

    MD5's that I have:

    d299132bd15f0b3cab3b8f58846a2272 = Freegate 6.6
    7590226aee7d99a754648ca04acbbc64 = Freegate 6.77
    1ff2260a91b5b858389a33ed2e889116 = Freegate 6.79 Emergency Version
    fbfb1ddb7fcfc4c4b45b4651dc1853eb = Freegate 6.79
    2b948ee506f99d6c096c6fb8d0fce4e6 = Freegate 6.80
    80ade9e5a7cb72a2dd9b8fe768a9602d = Stunnel - looks like a freegate add on


  • 29.  RE: How to block applications in SEP using MD5

    Posted Jun 25, 2009 10:34 AM
    Additional note on YM clients. This also nullifies some third party IM applications like Pidgin.


  • 30.  RE: How to block applications in SEP using MD5

    Posted Jul 06, 2009 02:29 AM
    hey check update....
    thanks..........


  • 31.  RE: How to block applications in SEP using MD5

    Posted Jul 13, 2009 09:14 AM
    9.5 Beta or U95a = a2cd6e4821eb21432ebe73df8d76cf86
    9.5 Release Version or U95 = 88a02758a8359def232956ef028b2b77


  • 32.  RE: How to block applications in SEP using MD5

    Posted Jul 13, 2009 10:21 AM
    In my experience, this is a standard best practice if management needs to track these applications for HIPAA.


  • 33.  RE: How to block applications in SEP using MD5

    Posted Jul 13, 2009 10:48 AM
    Well, seems like we've blocked almost all the popular softwares that endusers want to use on their office terminals regardless of company rules. :D
    I'm just curious as to why no one requested to have msn blocked. :D Maybe because its built in emoticons aren't that good. lol


  • 34.  RE: How to block applications in SEP using MD5

    Posted Jul 27, 2009 12:07 AM
    i want to block msn. please show me how to block msn.


  • 35.  RE: How to block applications in SEP using MD5

    Posted Jul 27, 2009 09:44 AM
    Monkeyhead, just follow the instructions of mon_raralio and you will find a good result on your problem.


  • 36.  RE: How to block applications in SEP using MD5

    Posted Jul 28, 2009 01:06 AM
    I can block the user but when they arrived home they cannot use msn messenger. They disable the symantec endpoint protection but they cannot log in to msn messenger. Please help me how to configure.


  • 37.  RE: How to block applications in SEP using MD5

    Posted Jul 28, 2009 03:56 AM

    If that's the case, undo the changes made from your SEP and use the firewall to block the network traffic to msn instead.



  • 38.  RE: How to block applications in SEP using MD5

    Posted Jul 28, 2009 04:28 AM
    There are several tools that calculate the md5 hash of any provided exe file :)

    you can download this simple free one called "MD5 Check utility" from this link:
    http://www.midwavi.com/MD5.exe

    just choose any application you want, and it will calculate the MD5 checksum :) Cheers


  • 39.  RE: How to block applications in SEP using MD5

    Posted Jul 30, 2009 02:04 PM
    Great work Rule Breaker...
    2 thumbs up for you...
    will be using this cool link and check all other apps used illegitimately...


  • 40.  RE: How to block applications in SEP using MD5

    Posted Jul 31, 2009 05:32 PM

    Too many applications to post and to have its equivalent MD5 value... why not have a copy of MD5 application?



  • 41.  RE: How to block applications in SEP using MD5

    Posted Aug 01, 2009 11:46 AM
    If you meant to get an application to get the MD5 hash from your PC, Symantec already has that. See the 2nd post of this thread.
    BTW, if you ran the program yourself. It is a big list because aside from getting the executables, it also gets the dlls, system files...

    And based on the turnout on this thread, there aren't many applications that people want blocked. And don't get me started with all the games that endusers will install on the system. :D



  • 42.  RE: How to block applications in SEP using MD5

    Posted Aug 03, 2009 08:56 AM
    nice thread here, a helpful one :)

    Favor guys do you have some basic test criteria for implementation sep? I do need it. Thanks!


  • 43.  RE: How to block applications in SEP using MD5

    Posted Aug 04, 2009 11:31 AM
    Hi Mon... just monitored that enduser games are internet based...
    Farmtown and the likes in facebook...
    We had detected a zombie apps that was traced and deleted...
    just an FYI...
    thanks... 


  • 44.  RE: How to block applications in SEP using MD5

    Posted Aug 16, 2009 02:58 AM
    Here's some for the installers of some of the most famous peer-to-peer sharing applications that hog your company's bandwidth:

    The MD5's I placed here are for the installers to prevent the users from even installing them on the harddrive. I also used Linux to get the MD5 so I didn't have the chance to install them.

    (site,file,md5)

    www.utorrent.com
    utorrent.exe
    036b08a28e47478807b56000b8e0e127

    www.bittorrent.com
    BitTorrent-6.2b.exe
    adb22fb1110db5be4be35784aa26c142 

    www.Bearshare.com
    BearShareV8.exe
    436cd80a04eb9dfea9359409ade5869b 



  • 45.  RE: How to block applications in SEP using MD5

    Posted Aug 16, 2009 09:10 PM
    Thanks Mon...
    Do you also have endusers bypassing the firewalls using Firefox portables...
    they use IP addresses that support proxies...
    Thanks...


  • 46.  RE: How to block applications in SEP using MD5

    Posted Sep 10, 2009 09:15 PM
    We can have an MD5 for Firefox portable. But the IP addresses they use will need to be blocked by a different feature. That's for SEP's firewall or a different security appliance to effectively handle.

    I'm not sure what you mean by IP addresses supporting proxies.


  • 47.  RE: How to block applications in SEP using MD5

    Posted Nov 11, 2009 06:58 AM
    New proxy versions

    http://ultrasurf.en.softonic.com/
    406d754ad3baabdaa89338555482c9e9  ud_u95.exe

    http://www.ultrareach.com/
    e303bb009064e63e470326201da509d0  u96.exe



  • 48.  RE: How to block applications in SEP using MD5

    Posted Nov 13, 2009 11:05 AM
    Looks good. It is exactly the info on MD5 that I was looking for.


  • 49.  RE: How to block applications in SEP using MD5

    Posted Dec 04, 2009 04:24 PM
    UltraSurf 9.7 44385142f2d89be75502cff94d63f56b


  • 50.  RE: How to block applications in SEP using MD5

    Posted Dec 21, 2009 05:02 AM
    Not all applications can be blocked using MD5 hash values. This is only applicable with 32 bit applications and not for 16 bit applications.


  • 51.  RE: How to block applications in SEP using MD5

    Posted Dec 30, 2009 11:29 AM
    I can't find the place where to set the properties for the MD5 or the IP.


  • 52.  RE: How to block applications in SEP using MD5

    Posted Jan 07, 2010 04:26 PM

    For running the checksum utility I've created a simple batch file that runs it and places a text file to the root of the C drive for me.

    "C:\Program Files\Symantec\Symantec Endpoint Protection\checksum.exe" "C:"\%computername%.Apps.txt

    This runs the checksum for you against all drives and drops the text file with the name of the computer.apps - you can configure the locations as you like. This also depends on whether you have SEP installed to the default directory, adjust as needed.

    If you want to only scan a specific drive then simply add the specific drive to the end like this:

    "C:\Program Files\Symantec\Symantec Endpoint Protection\checksum.exe" "C:"\%computername%.Apps.txt D:\

    To scan a specific folder:

    "C:\Program Files\Symantec\Symantec Endpoint Protection\checksum.exe" "C:"\%computername%.Apps.txt "C:\Documents and Settings\Chuck Yeager\Desktop\Ultrasurf Versions"

    Just copy the first line into a text file and save it as a .bat file and you are good to go. Just drop the batch file onto the machine you want to scan and off you go!



  • 53.  RE: How to block applications in SEP using MD5

    Posted Apr 01, 2010 04:33 AM
    Dear sir, I am new with Symantec Endpoint Protection.
    I want to set the policy so that the client cannot access the program Internet Explorer.
    I followed the steps that the Symantec guide book told but it doesn't take effect.

    I think the policy doesn't work properly.
    Confirm:
    go to symantec client -> task bar -> right click -> update policy
    then open symantec endpoint protection -> view logs -> client management -> view log -> system log

    But the content doesn't show the update policy

    and on the SEPM console
    confirm the policy that I just created but the information changed,
    the policy date time is the day 2 years before

    Can anybody help me with how to prevent the client from accessing iexplore and how to fix the
    client update policy?

    Thank you very much




  • 54.  RE: How to block applications in SEP using MD5

    Posted Jul 08, 2010 04:38 AM

    Hi,

    Just now I downloaded freegate from http://go4download.com/free-gate-6 . Am unable to use free gate with norton 360.


    Can anybody explain how I can configure an open port for free gate on norton 360?


  • 55.  RE: How to block applications in SEP using MD5

    Posted Jul 08, 2010 05:31 AM
    Do you have another firewall? An appliance perhaps.

    Quote from Wikipedia:
    "

    The Financial Times, citing a member of staff at Symantec in mainland China, reported that Norton AntiVirus identified Freegate as a trojan horse. There were initial fears that the reports may be a ploy by the Chinese Communist Party (CCP) authorities to encourage removal of the software from computers,[10] but it was soon delisted as a threat. Symantec explained that its detection was based on the software operating similarly to various Trojan horses, based on the use of open proxies to penetrate firewalls used to block web sites, but that it had modified its detection to exclude Freegate.[1] However, Spyware Guide lists it as a Trojan.[11]

    "


  • 56.  RE: How to block applications in SEP using MD5

    Posted Jul 13, 2010 12:52 PM
    Just wanted to know if anyone can send me some Check Sum's of the current UltraSurf programs.  I have the newest, 9.97 and I have I think 9.2.  I know there are some in between. 


  • 57.  RE: How to block applications in SEP using MD5

    Posted Jul 13, 2010 01:11 PM
    Use a checksum calculator such as MX MD5 Calculator to get the MD5 of these exe's.

    Another tool can be found here - https://www-secure.symantec.com/connect/downloads/checksum-and-md5-calculatorviewer-tool


  • 58.  RE: How to block applications in SEP using MD5

    Posted Jul 14, 2010 09:12 PM
    zip file
    md5: 7bf7d7f6251d66f4022702a7fbd36748
    exe file
    md5: f4310bda92aaf325cfb7e8273f7cb236

    I think we have the 92 somewhere in this post.