Endpoint Protection System Lockdown exceptions not working
Last Updated April 13, 2017
The System Lockdown feature in Symantec Endpoint Protection (SEP) works as a white-list of approved applications, based on a finger-print list with checksums from the files on a clean and approved system. In addition to fingerprint lists, the feature also allows to enter exceptions or approved files based on wildcards or regular expressions.
When using the exceptions feature, it is found that System Lockdown still flags or blocks applications that are excluded - for example an exclusion for c:\windows\system32\* still flags executables in that folder as unapproved.
System Lockdown exceptions work on the target, not the calling process.
If this was not the case, you would end up with results that were likely unintended, for example an exception for c:\windows\* would still allow running c:\evil\example.exe just as long as it was started from Explorer.exe (which is in c:\windows).
An exception for c:\windows\system32\* will still let you see applications in that folder on the Unapproved Applications list, provided they tried to launch an executable (or load a DLL) that is outside of that folder.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe