Endpoint Protection

  • 1.  How to Block IPMessenger

    Posted Aug 10, 2012 01:59 AM

    Dear All,

    Currently I am trying to block IPMessenger using the below mechanism.

     

    1. Block using MD5 in Application control

    2. Blocked the ports UDP and TCP 2425 used by IPMessenger.

    3. Also system lock down policy is applied. ( Prepared fingerprint DB of a machine and locked the policy )

     

    However, the IPMessenger is still getting loaded when it is launched through JAVA compilation/App-V even after the above restrictions are in place.

     

    Has anyone achieved this through any other mechanism? Please suggest.

     

    Thanks,
    Prakash



  • 2.  RE: How to Block IPMessenger

    Posted Aug 10, 2012 02:06 AM
    1. Log in to the Symantec Endpoint Protection Manager (SEPM).
    2. Click on Policies.
    3. Click on Application and Device Control.
    4. Under Tasks, click on Add an Application and Device Control Policy.
    5. On the top left click on Application Control.
    6. Click on the Add... button.
    7. Type a name for the Rule.
    8. Click on the Add... button on the bottom right "Apply this rule to the Following processes".
    9. Type the name of the browser processes that will not be able to download the file. Example: IEXPLORE.EXE (You can add more than one process)
    10. Click Ok.
    11. Click on the Add... button on the bottom left under Rules.
    12. Select Add Condition.
    13. Select File and Folder Access Attempts.
    14. Click on the Add... button on the right next to "Apply this rule to the Following files and folders".
    15. On File or Folder Name to Match, type "*.extension". Example: " *.exe " (without quotes) (You can add more than one extension or file)
    16. Click Ok.
    17. On the Actions tab, in Read Attempt and Create, Delete, or Write Attempt, select "Block Access".
    Optional: You can check Notify User, for example "Is not permitted to download executable files, contact the administrator"
    18. Click Ok.
    19. Set to Production.
    20. Click Ok.
    21. Click Yes to assign the policy.
    22. Check the boxes for any group that the policy should be applied to.
    23. Click OK.

     

    Please NOTE: The Network Threat Protection feature is required to be installed on the machines carrying SEP 11.x, whereas it is optional in the case of SEP 12.1 clients.

     

    You could also try:

    Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

    http://www.symantec.com/docs/TECH132337

    Hope that helps!!



  • 3.  RE: How to Block IPMessenger

    Posted Aug 10, 2012 02:27 AM

    Hi Anish,

    Thanks for the suggestion, but no luck.

    As mentioned earlier, I have the below restrictions in place.

     

    1. System Lock down policy – Only approved applications.
    2. Application Control – Blacklist added with all the versions of IPMessenger MD5 values.
    3. Firewall policy – To allow only whitelisted IP.

     

    Having said that, here is the observation.

     

    1. When IPMessenger.exe is called by explorer.exe, Symantec is blocking the same.
    2. When IPMessenger.exe is called by JAVA (through App-V) or any other method of compilation, it is allowed to run. But it will not communicate to other machines, since I have a restriction in place through the firewall rule.

    Tested between two restricted machines and communication through IPMessenger is not happening.

    But I am trying to stop/block loading of IPMessenger even when it is called by JAVA (through App-V) or any other method of compilation.

    My question is:

    I have the MD5 added in the blacklist for the same version of IPMessenger. When it is triggered by explorer.exe, Symantec is blocking it. But when the same version of IPMessenger is launched through App-V, it is allowing IPMessenger to load and it appears in Task Manager as well.

     

    Any suggestion on this would be helpful.

     

     

    Thanks,
    Prakash

     



  • 4.  RE: How to Block IPMessenger



  • 5.  RE: How to Block IPMessenger

    Posted Aug 12, 2012 11:12 PM

    Hello,

    I have seen those suggestions before implementing, but no luck.

    Cheers

    Prakash



  • 6.  RE: How to Block IPMessenger

    Trusted Advisor
    Posted Aug 13, 2012 03:22 AM

    Hello,

    I would suggest you check the articles and downloads provided below as well -

    Articles:

    What do P2P Applications do and How to block Peer to Peer Applications (P2P) using Symantec Endpoint Protection?

    https://www-secure.symantec.com/connect/articles/what-do-p2p-applications-do-and-how-block-peer-peer-applications-p2p-using-symantec-endpoin

    http://www.symantec.com/docs/TECH122597

    How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

    http://www.symantec.com/docs/TECH97618

    Download:

    Firewall and Application Control Policy to Block Peer to Peer Applications
     
     
     
    Hope that helps!!


  • 7.  RE: How to Block IPMessenger

    Posted Aug 13, 2012 05:59 AM

    Hi Mithun,

     

    Blocking IP messenger using MD5, *.exe, intrusion (P2P) and firewall block all are working fine to block the communication of IP messenger between the machines. But my problem here is:

    When IPMessenger.exe is called by JAVA (through App-V) or any other method of compilation, it is allowed to run. But it will not communicate to other machines, since I have a restriction in place through the firewall rule.

    When we launch IPMessenger through App-V I see IPMSG.exe getting triggered in the Task Manager, but it is not blocked by either the blacklist MD5 or the system lockdown policy.

    When the same IP messenger is run locally in the machine and called by explorer.exe, SEP blocks it without any issue.

    But as I said, we even want to block IP messenger from loading if it is launched through App-V or any other method of compilation. I need suggestions on this.

     

    Cheers

    Prakash



  • 8.  RE: How to Block IPMessenger

    Posted Aug 18, 2012 10:10 AM

    Please check the version of application which is able to access.

    You would have taken the finger prints of the IP messenger of previous version.

    Regards
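
One way to check the point raised in this reply on an affected client, as an added example that is not part of the original thread or of any Symantec tooling: the script below hashes the image file each running IP Messenger process was actually loaded from, compares it with the blacklisted MD5 values, and shows the parent process that started it. The process names are the ones quoted in the thread; the MD5 value is a placeholder to replace with the entries from your own policy.

```powershell
# Added example (not from the thread). Requires PowerShell 4.0 or later
# for Get-FileHash. Run elevated so ExecutablePath is populated for
# processes owned by other users.
param(
    # Image names mentioned in the thread.
    [string[]]$ProcessName = @('IPMSG.exe', 'IPMessenger.exe'),
    # Placeholder only: paste the MD5 values from your SEP blacklist here.
    [string[]]$BlockedMd5  = @('<MD5-FROM-YOUR-SEP-BLACKLIST>')
)

# Snapshot all processes once so parents can be resolved by PID.
$all  = @(Get-CimInstance -ClassName Win32_Process)
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

$results = foreach ($p in ($all | Where-Object { $ProcessName -contains $_.Name })) {
    # Hash the file on disk that backs the running image, if it is readable.
    $md5 = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $md5 = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm MD5).Hash
    }

    # The parent may already have exited, in which case the lookup is empty.
    $parent = $byId[[int]$p.ParentProcessId]
    $parentName = '(exited)'
    if ($parent) { $parentName = $parent.Name }

    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Name        = $p.Name
        ImagePath   = $p.ExecutablePath
        Md5         = $md5
        InBlacklist = ($null -ne $md5) -and ($BlockedMd5 -contains $md5)
        Parent      = $parentName
        ParentId    = $p.ParentProcessId
    }
}

if (-not $results) {
    Write-Output 'No matching process is running.'
} else {
    $results | Format-List
}
```

A row with `InBlacklist` false means the running image's hash is not in the list; a row with `InBlacklist` true shows a blacklisted image that ran anyway, and the `Parent` and `ImagePath` columns show how and from where it was started.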

     



  • 9.  RE: How to Block IPMessenger

    Posted Aug 21, 2012 05:29 AM

    It's the same version and same fingerprint.

     

     

    Cheers

    Prakash