Endpoint Protection

  • 1.  Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 01:21 PM

    Hello,

        We have the "allow and log" option set up in the Network Application Monitoring on the Policies tab. But whenever an executable gets updated, the end user is still asked to either Allow or Block the executable from running. Is the "allow and log" option not a true Allow and Log option? We would like our end users not to have the option appear to them.

    TIA
    LTD Security


  • 2.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 01:26 PM
    It will ask for all the applications running the very first time (I'm pretty sure of this). If the application is updated or upgraded, it will be considered new and will be asked again. Can you disable ASK?



  • 3.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 01:33 PM

    Rafeeq,

       There are 3 options available when the Network Application Monitoring is enabled: Ask, Block the traffic, and Allow and Log. We have the Allow and Log option enabled, so the user should not be prompted with the option to deny or allow the executable to run, correct?

       All of the clients do have the most current policy with the Allow and Log option selected.


  • 4.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 01:38 PM

    Correct! I was a little confused when you mentioned that users are prompted, so I wanted to make sure that you have not enabled it.

    The document says:
    "you can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log."

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/36f099f2e011f3dc882573a2005a9326?OpenDocument



  • 5.  RE: Network Application Monitoring and Allow and Log all



  • 6.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 01:44 PM

    Rafeeq,

       Yes, the option for Allow and Log is set, but the end user is still prompted with an option; this is not what we want for the end user. According to the settings, Allow and Log, this would lead me to believe that whenever an executable has been changed, the executable would be allowed to run and the executable changes, i.e. new date modified or new hash, would be logged, hence the Allow and Log option. Am I incorrect here?


  • 7.  RE: Network Application Monitoring and Allow and Log all
    Best Answer

    Posted Jun 29, 2010 01:47 PM
    Symantec Endpoint Protection clients will only get the Network Application Monitoring settings from the Symantec Endpoint Protection Manager if they are in Server Control Mode.

    In Mixed or Client Control Modes, Network Application Monitoring has two options, enabled or disabled. This means that if Network Application Monitoring is enabled, the user will get prompted every time there is a change to a Network Application.

    What mode are your clients in?


  • 8.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 01:56 PM

    Rafeeq,

       Looks like you found our issue. The clients are in Mixed Mode; I am changing to Server Control and doing some testing and will let you know the results.

    Thanks!!


  • 9.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 29, 2010 02:48 PM

    Rafeeq,

       The option for the clients to be in Server Control fixed the Allow and Log option to actually Allow and Log the executable change information. Your solution has been marked as the solution.

       Thank you very much for your help!!!


  • 10.  RE: Network Application Monitoring and Allow and Log all

    Posted Jun 30, 2010 01:21 PM

    What log can I use to monitor this feature?