Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security and help prevent malicious attacks from viruses with the Symantec Endpoint Protection (SEP) client.
Symantec has created a policy that can be import into the Symantec Endpoint Protection Manager (SEPM). This policy is very powerful and offers significant zero day protection against new threats.
Each rule is described below and should be considered individually for suitability in the organizational network.
This Application and Device Control policy provides the following security measures;
1. Blocks modifications to the hosts file
- The hosts file redirects Internet requests to specific IP addresses. Threats use the hosts file to redirect communication to malicious sites or block communication to legitimate sites. Legitimate modification of the hosts file is rare.
2. Blocks access to autorun.inf for non-CD ROM drives.
- Autorun is a technology that automatically runs when new media, such as a CD, is inserted. It is less well known that autorun works on other drive types such as mapped network drives. Threats such as Downadup attempt to automatically install by creating malicious autorun.inf file. Legitimate use of autorun.inf on non-CD ROM drives is rare.
3. Prevents changes to EXE, COM, and BAT shell associations, which allow a program to run any time an EXE, COM, or BAT file is run.
- Threats use this technique to run code and to block execution of programs that may interfere with the threat. Legitimate use is rare.
4. Prevents Internet Explorer (IE) and Firefox from writing code to WINDIR and Program Files, including subdirectories, also prevents Internet Explorer from launching code except in WINDIR and Program Files
- Internet Explorer drive by downloads is a very common threat vector. This rule prevents many such attacks by blocking access to locations typically written to by threats. Users also will be unable to download executables to WINDIR or anywhere in Program Files, but can continue to download to the Desktop, My Documents, or Downloads directories.
Exclusions are already in place for Windows Updates.
Extra care should be used when rolling out this rule. It has been included in this set due to its power to block threats, but it has consequences that should be considered.
a. This rule can interfere with new ActiveX controls, which effectively code Internet Explorer downloads and runs.
b. Users will no longer be able to run downloaded executables directly from the browser. Instead they will be required to use Save As to disk before running.
5. Prevents IE from running commonly exploited system code such as wscript, telnet, mshta, cmd, ftp, rundll32, reg, and at.
- This rule blocks some common ways threats run after triggering a browser exploit. Legitimate use of these programs by browsers is rare.
6. Prevents registration of new browser helper objects.
- Browser Helper Objects (BHOs) are commonly used by threats to spy on or interfere with web browsing. This rule is useful if your organization does not allow BHOs or has a pre-installed set of allowed BHOs.
7. Prevents registration of new browser toolbars.
- Browser toolbars, like BHOs, are used to spy on or interfere with web browsing. This rule is useful if your organization does not allow browser toolbars or has a pre-installed set of allowed browser toolbars.
8. Prevents vulnerable Windows processes (lsass, spoolsv, csrss, smss) from writing code.
- This rule blocks threats from persisting on the system after exploiting key Windows processes.
9. Prevents Acrobat and Acrobat Reader from writing code.
- Infected PDFs have recently become one of the most prevalent attack vectors. This rule blocks threats from persisting on the system after exploiting Acrobat. While a very limited number of publishers have created installers using Acrobat, the number of legitimate uses is minimal compared to the number of malicious uses.
Applying the policy:
- Download the policy attached below > SEP Hardening Application and Device Control policy v3.zip
- Extract the policy SEP Hardening Application and Device Control policy v3.dat from the ZIP file.
- Password = symantec
- Logon to the Symantec Endpoint Protection Manager console.
- In the left hand pane, click Policies.
- On the Policies page, under View Policies, click Application and Device Control Policy.
- On the same page, under Tasks, click Import an Application and Device Control Policy.
- In the Import Policy dialog box, browse to the policy file that you want to import SEP Hardening.dat, and then click the Import button.
- Double click the newly imported SEP Hardening Application and Device Control Policy.
- Click Application Control
- Verify the appropriate ruleset boxes are checked in the policy,
- Verify the policy is set to either Production or Log (see Note 1 below).
- Client machines must be rebooted to apply the policy.
Note 1: This should be tested in your environment first by changing the policy from production to log until you are satisfied with the results.
Note 2: In order for an Application and Device Control Policy to work you must have the Application and Device Control feature installed.
HOWTO55188 Copying application rule sets or rules between Application and Device Control policies
TECH132307 How the Application and Device Control Hardening policy works
Application and Device Control Policy to harden the SEP client and provide significant protection against new threats.