Block or log unauthorized software with Application and Device Control

Article ID: 178088

Products

Endpoint Protection

Issue/Introduction

Learn how to use Application and Device Control in Symantec Endpoint Protection to block or log unauthorized software usage.

SEP block software by hash

Software may include peer-to-peer (P2P) applications, media players, instant messengers, image burning software, games, proxies, and other programs.

Resolution

The most common method for blocking unauthorized software is to block the primary program executable. To ensure that the correct file is blocked, Symantec recommends that you calculate an MD5 hash of the file.

Note: When a program is updated and its executable is modified, you need to create and add a new MD5 hash. A hash is necessary for every version of the executable that may be in use.

Generate an MD5 hash

Use one of the following methods to generate an MD5 hash:

  • (Recommended) Use the checksum.exe utility that is installed with Symantec Endpoint Protection on the client computer to create a file fingerprint list.
  • Use the Get-FileHash command from within Windows PowerShell.

Note: Some of these tools are 32-bit applications. Due to Windows file system redirection on 64-bit operating systems, some unexpected behavior can occur.

If an application such as notepad.exe is present in both of the following folders, each file has different hash values. Symantec recommends that you add both hash values to the policy.

  • C:\Windows\SysWOW64
  • C:\Windows\System32

Note: Some MD5 hash tools may provide hash values of files in the C:\Windows\SysWOW64\ folder, even though you request values for files in the C:\Windows\System32\ folder. Symantec’s checksum.exe tool (recommended) generates hash values for the exact file path requested.
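The following PowerShell script is an added example and is not part of the Symantec article or the checksum.exe tool. It uses the Get-FileHash command named above to fingerprint both the System32 and the SysWOW64 copy of an executable, and it sidesteps the 64-bit file system redirection described in the note by reaching the real System32 folder through the Sysnative alias when PowerShell itself is running as a 32-bit process. The executable name (notepad.exe) and the -Algorithm parameter are assumptions for illustration; MD5 is the default, and SHA256 is offered because the article states that SHA-256 hashes are supported on SEP 14.3 RU1 and later clients.

```powershell
# Added example (not from the Symantec article): compute a fingerprint for both
# the 64-bit and the 32-bit copy of an executable so that both values can be
# added to the Application and Device Control policy.
param(
    [string]$FileName = 'notepad.exe',          # assumed example executable
    [ValidateSet('MD5', 'SHA256')]
    [string]$Algorithm = 'MD5'                   # SHA256 only for SEP 14.3 RU1+ clients
)

$winDir = $env:SystemRoot

# A 32-bit process has C:\Windows\System32 silently redirected to SysWOW64.
# From such a process the 'Sysnative' alias reaches the real 64-bit folder,
# so the hash really belongs to the path that was requested.
$system32 = if ([Environment]::Is64BitProcess) {
    Join-Path $winDir 'System32'
} else {
    Join-Path $winDir 'Sysnative'
}
$sysWow64 = Join-Path $winDir 'SysWOW64'

$paths = @(
    (Join-Path $system32 $FileName),
    (Join-Path $sysWow64 $FileName)
)

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $h = Get-FileHash -LiteralPath $p -Algorithm $Algorithm
        # Emit one object per copy; the Hash value is what goes into the
        # "Match the file fingerprint" field of the rule.
        [pscustomobject]@{
            Path      = $p
            Algorithm = $Algorithm
            Hash      = $h.Hash.ToLower()
        }
    } else {
        Write-Warning "Not found: $p"
    }
}
```

Run it from either a 64-bit or a 32-bit PowerShell host; if the two hashes differ, add both to the policy as the note above recommends, and re-run it after each program update to capture the new fingerprint.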

Create a rule

  1. In Symantec Endpoint Protection Manager (SEPM), click Policies.
  2. Click Application and Device Control.
  3. Create a new Application and Device Control policy, or use an existing policy.
  4. Click your selected policy to edit it.
  5. Click Application Control.
  6. Click Add.
  7. Next to Apply this rule to the following processes, click Add.
  8. In the Process name to match field, type an asterisk (*).
  9. Click OK.
  10. Under Rules in the bottom left, click Add.
  11. Click Add Condition.
  12. Click Launch Process Attempts.
  13. Next to Apply to the following processes, click Add.
  14. In the lower right, click Options.
  15. Select Match the file fingerprint.
  16. Copy the MD5 hash into the field for the fingerprint.
  17. Repeat steps 13 to 15 if you want to add more hashes.
  18. Click OK.
  19. Click the Actions tab.
  20. Decide if you want to block the file when it runs, or log it.
    • Log: Choose "Continue processing other rules" and check "Enable logging." There are 16 levels of logging, but "Critical - 0" is usually sufficient.
    • Block: Choose "Block Access." You can enable logging under this option as well.
    • Notification: Check "Notify User" to notify the user by pop-up message that the software is unauthorized.
  21. Click OK.
    Ensure that the new rule is enabled and that the policy is set to Production mode (Test mode only logs) when you are ready to use it.
  22. Click OK.
  23. Click Yes to assign the policy.
  24. Check any client group to which the policy should apply.
  25. Click OK.

Application and Device Control

Administrators may create policies to block specific software using Application and Device Control (ADC) in SEP. ADC can block threats for which virus definitions are not yet available, and can be used to prevent the unwanted use of legitimate applications (Grayware/PUAs).

Note: SHA-256 hashes are also supported on SEP 14.3 RU1 and higher clients. Also, bulk hash values cannot be uploaded in ADC policy.