Using Application and Device Control in Endpoint Protection to log activity to common loading points for threats
search cancel

Using Application and Device Control in Endpoint Protection to log activity to common loading points for threats

book

Article ID: 177970

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

How do you leverage Application and Device Control in Symantec Endpoint Protection (SEP) to help identify new threats by monitoring places where threats typically install and load from?

Environment

Microsoft Windows operating systems

Resolution

This Application and Device Control rule will log any time any process tries to read, create, delete or write to the registry keys or folder locations listed. This has the potential of generating large volumes of logs whenever something touches a location that is being logged, particularly in C:\Windows and C:\Windows\System32.

Create an Application and Device Control rule to log activities in common loading points

  1. Log into the Symantec Endpoint Protection Manager (SEPM).
  2. Click Policies.
  3. Click Application and Device Control.
  4. Click Add an Application and Device Control Policy...
  5. Specify a name for the policy. Symantec recommends that policies be named to reflect what the policy is trying to accomplish to help administrators manage their SEP environments.
  6. Click Application Control.
  7. Click Add...
  8. Specify a name for the rule set.
  9. Ensure that Enable logging is checked.
  10. In Apply this rule to the following processes:, click Add...
  11. In the Process name to match field, enter *. This will cause any process that attempts to use a common loading point will be logged. It is important that you do this, as trying to filter at this level can cause threats to be missed.
  12. Click OK.
  13. Under Rules, click Add, then Add Condition, then Registry Access Attempts.
  14. Under Apply to the following registry keys:, click Add...
  15. Under Registry key, enter this data:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  16. Click OK.
  17. Repeat steps 14 to 16 for the following values:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    HKEY_CLASSES_ROOT\comfile\shell\open\command
    HKEY_CLASSES_ROOT\txtfile\shell\open\command
  18. Under Apply to the following registry keys:, click Add...
  19. Under Registry key, enter this data:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  20. Under Registry value name, enter this data:
    Local Page
  21. Click OK.
  22. Repeat these steps for the following values (Registry key and Registry value name separated by a hyphen below for easier reading):
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Page
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Shell
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - VmApplet
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - AppInit_DLLs
  23. Click OK.
  24. Click Actions.
  25. Check both Enable logging boxes. If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports.
    Note:
    • The Severity level is merely a value that can be assigned by an administrator to help filter reports. This has no bearing on the traffic itself, and is only there to allow administrators to filter the data from the SEPM.
    • If Notify user is checked, whenever that action (read attempt or create, delete, or write) occurs, the user will get a pop-up in the lower right corner of the screen showing whatever is in the text box. This is an extremely useful tool if doing limited testing. Symantec recommends putting very verbose information into these boxes if used (such as "Read attempt on blocked registry keys"), however, this will pop up on every machine who has the policy, assuming the event happens. As such, this should be used with care.
  26. Click Allow access for both Read Attempt as well as Create, Delete, or Write Attempt.
  27. Under Rules, click Add, then Add Condition, then File and Folder Access Attempts.
  28. Click File and Folder Access Attempts.
  29. Under Apply to the following files and folders:, click Add...
  30. Enter this value:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  31. Click OK.
  32. Repeat steps 29 to 31 for the following values:
    C:\Windows
    C:\Windows\System32
  33. Click Actions.
  34. Check both Enable logging boxes. If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports.
  35. Click OK.
  36. Change Test/Production to Production for your new rule. Because we're not blocking anything, there's no danger.
  37. Click OK. You will be prompted to assign the policy. You may do this if you wish from here, or you can assign the rule on your own.

View logs generated by this rule

To view the logs on the SEPM:

  1. Log into the SEPM.
  2. Click Monitors.
  3. Click Logs.
  4. Select Application and Device Control for Log Type.
  5. Select Application Control for the Log content.
  6. Modify the Time range, if needed.
  7. Click View Log.

Information found here can be broken down thusly:

  • Time: When did the process attempt to run?
  • Action: Did Application and Device Control allow it, or block it?
  • Domain/Computer: Which Domain, and what's the host name of the computer?
  • User: What account tried to run the program?
  • Severity: This is where you can sort by severity...again, this is only to help administrators, and has no bearing on the functionality of SEP.
  • Rule Name: Name of the Application and Device control rule that was matched by the action.
  • Caller Process: What tried to perform an action?
  • Target: What was the process trying to access?

To view the logs on the client:

  1. Open the SEP client.
  2. Click View logs.
  3. Under Client Management, click View Logs, then Control Log....

Information here can be broken down as follows:

  • Date and time: When did the process attempt to run?
  • Severity Level: This is where you can sort by severity...again, this is only to help administrators, and has no bearing on the functionality of SEP.
  • Action: Did Application and Device Control allow it, or block it?
  • Test/Production: Is this rule in Test/Production mode (and thus just testing), or is it in Production mode (and thus logging/blocking)?
  • Description: This column isn't used by the rules themselves, and can be ignored.
  • API Class: What happened? Was the process trying to read a file? Write a registry key?
  • Rule: Name of the Application and Device control rule that was matched by the action.
  • Caller Process: Which program was actually trying to do something?
  • Parameter: What was the process trying to touch?
  • User: What account tried to run the program?
  • User Domain: What domain is the user running from?
  • Location: What location is SEP currently in (if Location Awareness is being used)?