Endpoint Protection


system lockdown...is it working?

reza akhlaghy, Jun 24, 2012 01:18 PM

reza akhlaghy, Jun 26, 2012 12:38 AM

ℬrίαη, Nov 08, 2012 03:43 PM

ThaveshinP, Nov 09, 2012 04:46 AM

reza akhlaghy, Feb 13, 2013 09:20 AM

  • 1.  system lockdown...is it working?

    Posted Jun 24, 2012 11:41 AM

    Hi

    I tried to simulate a system lockdown solution in our office: I got a baseline by running checksum.exe <outputfile> and then imported it as a fingerprint list. After that I added it to system lockdown and immediately set it to block. At first everything seemed good: I could run applications on that machine and it would block the others, but suddenly I realised that virus defs are no longer being updated and are being blocked as well!

    The surprise continues, as adding an exception for the whole "c:\documents and settings\all users\application data" does not help. Did I miss something??



  • 2.  RE: system lockdown...is it working?

    Broadcom Employee
    Posted Jun 24, 2012 11:44 AM

    Can you check these links?

    About system lockdown
    http://www.symantec.com/business/support/index?page=content&id=HOWTO27322

    Configuring system lockdown
    http://www.symantec.com/business/support/index?page=content&id=HOWTO55130

    Running system lockdown in test mode
    http://symantec.com/docs/HOWTO55131

    Enabling system lockdown to block unapproved applications
    http://symantec.com/docs/HOWTO55132




  • 3.  RE: system lockdown...is it working?

    Posted Jun 24, 2012 11:59 AM

    Hi Pete,

    I've read the implementation guide section for system lockdown (which was useless BTW) and what I did is "I set it up successfully and it will block whatever it should block and allow whatever is in the fingerprint list" BUT the problem is that after that I was not able to even update virus defs!!!

    To overcome this, I decided to add a manual exception, but that didn't work either.



  • 4.  RE: system lockdown...is it working?

    Broadcom Employee
    Posted Jun 24, 2012 12:11 PM

    Can you create it in test mode instead of block at first?

    Check the logs and then implement block.

    What is the exception you have set for SEP?



  • 5.  RE: system lockdown...is it working?

    Broadcom Employee
    Posted Jun 24, 2012 01:06 PM

    Seems to be okay. Is the client not updating?

    Can you check if communication is established with SEPM / Symantec LiveUpdate?



  • 6.  RE: system lockdown...is it working?

    Posted Jun 24, 2012 01:15 PM

    No, the client will not update and here's the error in its system log:

    "an update for {535CB6A4-....} failed to install. Error: 0xE00100001, DuResult: 60"

    and also:

    "Downloaded new content update from the management server failed."

    and:

    "cannot assign a client authentication token. there was a general communication failure"

    Now that I have set it back to test mode, the client gets the update (obviously).

    Please note that even now in test mode, we receive a "block" event (in the control log) for file BHEngine.dll in the definitions directory in the All Users profile.



  • 7.  RE: system lockdown...is it working?

    Posted Jun 24, 2012 01:18 PM

    Here's the log (one Application Control row, shown field by field):

    Time Stamp: 06/24/2012 15:35:40
    Event Type: Application Control Rules
    Event Time: 06/24/2012 15:31:21
    Severity: Critical
    Host Name: aftersales01
    Action: Block
    Test Mode: 0
    Description: System Lockdown
    API: Load Dll
    Begin Time: 06/24/2012 15:31:04
    End Time: 06/24/2012 15:31:04
    Rule ID:
    Rule Name: LockDown
    Caller Process ID: 1432
    Caller Process Name: C:/Program Files/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Bin/ccSvcHst.exe
    Return Address: 0
    Return Module: No Module Name
    Target: C:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Data/Definitions/BASHDefs/20120620.012/BHEngine.dll
    User Name: SYSTEM
    File Size: 1432056

    and see the attachment for "test phase"



  • 8.  RE: system lockdown...is it working?

    Posted Jun 24, 2012 02:39 PM

    Did you exclude the Symantec folders?

    C:\program files\symantec

    C:\program files\common files\symantec shared



  • 9.  RE: system lockdown...is it working?

    Posted Jun 25, 2012 09:53 AM

    I added those directories without any change. It still does not update.



  • 10.  RE: system lockdown...is it working?

    Posted Jun 25, 2012 11:33 AM

    Where did you allow the content of the application data folder? AFAIK, the only place is Clients > Policies > System Lock > File Name list (for allowed executables).

    Screenshot would be nice.



  • 11.  RE: system lockdown...is it working?

    Posted Jun 26, 2012 12:38 AM



  • 12.  RE: system lockdown...is it working?

    Posted Jun 26, 2012 10:23 AM

    Seems okay ...

    Only idea: Try to use everywhere "C:\..." instead of "c:\...". If I remember correctly, I had a similar issue with lower case letters as drive letters in Application Control policies.




  • 13.  RE: system lockdown...is it working?

    Posted Jun 26, 2012 01:00 PM

    After 3 days of investigation, I found the answer.

    It is really a shame for Symantec, with a very poor level of documentation on this problem, and surprisingly no one ever answered anything remotely relevant to the real solution.

    Anyone who is interested in the answer, send me a PM. I'm angry and I'll not post it to the forums!



  • 14.  RE: system lockdown...is it working?

    Posted Aug 07, 2012 09:40 AM

    Hello,

    Glad to read that you finally found the solution.

    I experience the same issue. Could you please explain to me how you solved this?

    Thank you in advance,

    Stéphane, Belgium



  • 15.  RE: system lockdown...is it working?

    Posted Aug 13, 2012 05:55 PM

    How about sharing with the entire community and helping everyone out?

    You can also contact Symantec with suggestions as I'm sure they would want that feedback.

    Don't make the entire community suffer because you have an issue with documentation.



  • 16.  RE: system lockdown...is it working?

    Posted Aug 14, 2012 01:53 AM

    Brian,

    I did contact Symantec and shared the result and am still waiting for an action; I also shared it with everyone who sent me a PM. I wanted to make a point here to force them to do something, although I received some nonsense from users and nothing from Symantec.



  • 17.  RE: system lockdown...is it working?

    Posted Aug 14, 2012 06:43 AM

    That's fine, you're free to do as you please, but as I said the community suffers most and it defeats the purpose of it. It just sucks because I've had the same issue, although I don't use lockdown in full production but only for problem machines. I guess as long as everyone that contacted you got an answer, then that's all that matters.



  • 18.  RE: system lockdown...is it working?

    Posted Aug 14, 2012 05:08 PM

    Reza,

    If you have a suggestion regarding Symantec documentation around SEP, you can make a post to the idea section in the Security Community.

    Eileen, Partner and Security Community Manager



  • 19.  RE: system lockdown...is it working?

    Posted Oct 17, 2012 05:29 AM

    Hi there,

    Could you explain what the solution was?

    Thanks




  • 20.  RE: system lockdown...is it working?

    Posted Nov 08, 2012 03:36 PM

    Hi everybody in the forum

    I know what Reza says because I had the same issues and I didn't find any answer or action from the Symantec Support team; I also created a ticket, but in the end I found the solution by myself and shared it in the forum for others who have the same problem, but I didn't get the answer from Symantec.

    @Eileen: Sometimes we are not in a good situation and really need fast action/response; for this reason we need support from Symantec, and this should be one of the big differences between security companies, isn't it?



  • 21.  RE: system lockdown...is it working?

    Posted Nov 08, 2012 03:43 PM

    Where did you share?



  • 22.  RE: system lockdown...is it working?

    Posted Nov 09, 2012 04:46 AM

    Where did you share?



  • 23.  RE: system lockdown...is it working?

    Posted Feb 12, 2013 09:42 AM

    Reza

    I sent you a PM.

    I'm having the same issue even after adding an exception.

    As far as I can tell this is blocked by a "special" application and device control policy. The rule is just simply called "LockDown".

    How do I make exceptions work? I don't understand why Symantec folders would be blocked even after I ran checksum.exe. Doesn't it scan the entire hard drive? I also cannot get Windows updates.



  • 24.  RE: system lockdown...is it working?

    Posted Feb 12, 2013 10:32 AM

    I believe you need to start by making the blacklist mode appear for system lockdown.

    Look at the Admin guide starting on page 503

    Stop the SEPM service

    Add this line to the conf.properties file located under C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc

    scm.systemlockdown.blacklist.enabled=1

    Start the SEPM service and you will see the new options under system lockdown
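An added example, not code from the post above or from Symantec, for the conf.properties step of that procedure: a small Python helper that sets `scm.systemlockdown.blacklist.enabled=1` exactly once, so running it twice (or on a file that already carries the key with another value) never leaves duplicate or conflicting lines. It runs between the service stop and start, which are left to the administrator; the file path and key are the ones quoted in the post, and the sample file content in the demonstration is constructed.

```python
from pathlib import Path
import tempfile

# Key and file location quoted in the post above.
BLACKLIST_KEY = "scm.systemlockdown.blacklist.enabled"
CONF_PATH = Path(r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties")


def set_property(text, key, value):
    """Return Java .properties content with exactly one `key=value` line.

    An existing assignment (any spacing around '=') is rewritten in place, later
    duplicates are dropped, comment lines (# or !) and other keys are untouched,
    and a missing key is appended at the end."""
    out, found = [], False
    for line in text.splitlines():
        stripped = line.strip()
        is_comment = stripped.startswith(("#", "!"))
        if not is_comment and "=" in stripped and stripped.split("=", 1)[0].strip() == key:
            if not found:
                out.append(f"{key}={value}")
                found = True
            continue  # a second assignment of the same key is dropped
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def enable_blacklist_mode(conf_path=CONF_PATH):
    """Rewrite conf.properties so the blacklist option is enabled; returns the new content.
    The file is only written when something actually changed."""
    original = conf_path.read_text(encoding="utf-8")
    updated = set_property(original, BLACKLIST_KEY, "1")
    if updated != original:
        conf_path.write_text(updated, encoding="utf-8")
    return updated


if __name__ == "__main__":
    # Offline demonstration on a constructed copy rather than the real SEPM file.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "conf.properties"
        sample.write_text("# constructed sample\nexample.key=value\n", encoding="utf-8")
        print(enable_blacklist_mode(sample), end="")
```

Run it with the SEPM service stopped, then start the service as the post describes; the new options appear under System Lockdown.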




  • 25.  RE: system lockdown...is it working?

    Posted Feb 13, 2013 09:20 AM

    Check your PM for solution



  • 26.  RE: system lockdown...is it working?

    Posted May 30, 2013 09:39 PM

    It surprises me how you complain that Symantec have bad documentation, yet you have supposedly found a solution and are unwilling to share. Hypocrite.



  • 27.  RE: system lockdown...is it working?

    Posted May 30, 2013 09:41 PM

    Suspect you never did find a solution, just an attention seeker.



  • 28.  RE: system lockdown...is it working?

    Posted Jun 28, 2013 07:21 PM

    The issue here is that the virus definitions have updated binary files in them and these new binary files are not allowed by System Lockdown since they are not in the allowed File Fingerprint list.  You need to exclude these SEP folders from System Lockdown.

    Here are the folders I recommend excluding:

    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#*\*
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\INSTALLDIR#*\*
    • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_install_path#*\*
    • #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysPlant\SysFer\SEPBaseDir#*\*


  • 29.  RE: system lockdown...is it working?

    Posted Jun 28, 2013 07:30 PM

    Hello Reza,

    There are two issues with the file paths you list. The first issue is that you are excluding %alluserprofile%, which is not safe to exclude. Many malware files use this folder as a hiding place. Secondly, you only have a single asterisk after the path. You should have an asterisk slash asterisk (*\*).

    *  --  a single asterisk means any file in that folder
    *\*  --  an asterisk slash asterisk means any file in that folder and any subfolder(s)

    Example:
    C:\Windows\*  --  this will match any file under the Windows folder
    C:\Windows\*\*  --  this will match any file under the Windows folder and any file under any subfolder(s)



  • 30.  RE: system lockdown...is it working?

    Posted Jul 01, 2013 04:00 PM

    Reg keys are included in system lockdown? I was never aware of this...I've not seen reg keys in the logs in all the time I've been using it?



  • 31.  RE: system lockdown...is it working?

    Posted Jul 01, 2013 04:09 PM

    These are registry key variables.  This is supported in all file and folder paths for System Lockdown and Application Control.  The # indicates it is a registry variable just like a % would indicate an environment variable.

    Example, these two would both match the Program Files folder:

    #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#
    
    %ProgramFiles%
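As an added example (not code from this thread or from Symantec), here is a small Python matcher for the two points made in posts 29 and 31 above: `<folder>\*` covers only files directly in the folder while `<folder>\*\*` covers any depth below it, and `#...#` registry variables expand the same way `%...%` environment variables do. The variable table is constructed for the demonstration (the registry value names are the ones quoted in the thread, the values are illustrative, not read from a machine), and it assumes that a variable names a folder, so a wildcard glued directly to it (`#VAR#*\*`) gets a separator inserted. Run against the BHEngine.dll path from the log in post 7, it shows why a single-asterisk exception did not cover a file several levels down, why the recursive rule on the whole profile folder also covers an unrelated executable dropped there (the unsafe exclusion post 29 warns about), and why the APPDATABASE registry variable yields the narrower rule.

```python
import re

# Constructed variable table standing in for the values a real SEP client would
# read from the registry (#...# variables) and the environment (%...% variables).
# The registry value names are the ones quoted in the thread; the values are
# illustrative assumptions, not taken from any real machine.
PATH_VARIABLES = {
    r"#HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir#": r"C:\Program Files",
    r"%ProgramFiles%": r"C:\Program Files",
    r"#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#":
        r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection",
}

# A variable token is either #...# (registry value) or %...% (environment variable).
VARIABLE_TOKEN = re.compile(r"#[^#]+#|%[^%]+%")


def expand_variables(pattern, variables=PATH_VARIABLES):
    """Replace every #reg# / %env% token with its value; an unknown token raises KeyError."""
    out, pos = [], 0
    for m in VARIABLE_TOKEN.finditer(pattern):
        out.append(pattern[pos:m.start()])
        value = variables[m.group(0)]  # KeyError for an unknown variable is deliberate
        rest = pattern[m.end():]
        # Assumption: a variable names a folder, so a wildcard glued directly to it
        # ("#VAR#*\*") gets a path separator inserted between folder and wildcard.
        if rest and not rest.startswith("\\") and not value.endswith("\\"):
            value += "\\"
        out.append(value)
        pos = m.end()
    out.append(pattern[pos:])
    return "".join(out)


def compile_rule(pattern):
    """Turn an exclusion pattern into a regex with the semantics described in post 29:
    '<folder>\\*'   matches any file directly in <folder>
    '<folder>\\*\\*' matches any file in <folder> and in any subfolder, at any depth."""
    expanded = expand_variables(pattern)
    if expanded.endswith("\\*\\*"):
        base, tail = expanded[:-4], r"\\.+"        # one or more further components, any depth
    elif expanded.endswith("\\*"):
        base, tail = expanded[:-2], r"\\[^\\]+"    # exactly one further component (a file in the folder)
    else:
        base, tail = expanded, ""                  # an exact file path
    # Any remaining '*' inside the base matches within a single path component only.
    base_re = r"[^\\]*".join(re.escape(seg) for seg in base.split("*"))
    # NTFS paths are case-insensitive; post 12 above notes the product itself once
    # tripped on a lower-case drive letter, so write rules the way the product expects.
    return re.compile("^" + base_re + tail + "$", re.IGNORECASE)


def first_matching_rule(path, rules):
    """Return the first rule that excludes `path`, or None. Accepts the forward-slash
    form used by the SEPM log export as well as native backslashes."""
    path = path.replace("/", "\\")
    for rule in rules:
        if compile_rule(rule).match(path):
            return rule
    return None


# Target path from the Application Control log in post 7 above.
BLOCKED_DLL = ("C:/Documents and Settings/All Users/Application Data/Symantec/"
               "Symantec Endpoint Protection/12.1.1101.401.105/Data/Definitions/"
               "BASHDefs/20120620.012/BHEngine.dll")
# Constructed path of a hypothetical unknown executable dropped in the same profile folder.
STRAY_EXE = r"C:\Documents and Settings\All Users\Application Data\dropper.exe"

ORIGINAL_POSTER_RULE = r"c:\documents and settings\all users\application data\*"
BROAD_RULE = r"c:\documents and settings\all users\application data\*\*"
APPDATABASE_RULE = (r"#HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection"
                    r"\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#*\*")

if __name__ == "__main__":
    for label, rule in [("single asterisk (as in the original post)", ORIGINAL_POSTER_RULE),
                        ("recursive, whole profile folder", BROAD_RULE),
                        ("recursive, SEP data folder via registry variable", APPDATABASE_RULE)]:
        print(f"{label}:")
        print(f"  excludes BHEngine.dll? {first_matching_rule(BLOCKED_DLL, [rule]) is not None}")
        print(f"  also excludes dropper.exe? {first_matching_rule(STRAY_EXE, [rule]) is not None}")
```

The three rules give the three outcomes the thread argues about: the single-asterisk rule misses the DLL (it sits many folders below Application Data), the recursive rule on the whole profile folder catches the DLL but also the stray executable, and the registry-variable rule catches the DLL alone.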


  • 32.  RE: system lockdown...is it working?

    Posted Jul 01, 2013 10:07 PM

    KB article http://www.symantec.com/business/support/index?page=content&id=TECH207935 is created.

    Reg keys are also used in HI policy custom requirements.