About Application and Device Control policies in Endpoint Protection

Article ID: 152992


Products

Endpoint Protection Endpoint Security Complete

Issue/Introduction

What are Symantec's recommendations for using Symantec Endpoint Protection's (SEP) Application and Device Control (ADC) policies?  How can ADC best be put into use?  What practices should be avoided?

Resolution

An Application and Device Control Policy controls access to files, folders, registry keys, processes and DLLs. It can also allow or block access to hardware devices that users plug into clients. For more in-depth information on the ADC policy, see the Administration Guide for Symantec Endpoint Protection.

Warnings

Application and Device Control configuration errors can disable a computer or a server. When you implement an Application and Device Control Policy, the client computer can fail or its communication with the Symantec Endpoint Protection Manager can be blocked.

Application and Device Control is an advanced security feature that only experienced administrators should configure.

Known Limitations of ADC

  • ADC cannot block burning to CD/DVD drives.
  • ADC cannot block files accessed via NetBIOS.

ADC and Threat Outbreaks

It is possible to use ADC to limit the spread of threats for which Symantec does not yet have antivirus signatures. If the MD5 hash (a unique identifier) of the suspicious file is known, a policy can be created to block that MD5. For full details, please see How to use Application and Device Control to limit the spread of a threat.

Configuring ADC

Rule sets consist of rules and their conditions. A rule is a set of conditions and actions that apply to a given process or processes. A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task.

Create multiple rules and add them to a single application control rule set. Create as many rules and as many rule sets as needed to implement the desired protection, but be aware that serious performance issues arise from the use of rule sets of excessive length.

Application control rules work similarly to most network-based firewall rules in that both apply the first rule that matches. When the conditions of multiple rules are true, only the topmost matching rule is applied, unless the action configured for that rule is Continue processing other rules. Consider the order of the rules and their conditions when configuring them, to avoid unexpected consequences.

When applying a condition to all entities in a particular folder, a best practice is to use folder name\* or folder name\*\*. A single asterisk includes all the files and folders directly in the named folder. Use folder name\*\* to include every file and folder in the named folder, plus every file and folder in every sub-folder.

Note: A best practice is to use the Block Access action to prevent an operation rather than the Terminate Process action. Terminate Process kills the application that made the request. The Terminate Process action should be used only in advanced configurations.

Note: When creating rules and conditions, remember that matching with complex regular expression ("regex") queries may be much more CPU-intensive than plain string matching.
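The first-match ordering and the folder wildcards described above, shown as an added Python simulation written for this article (it is not Symantec code and does not model the full ADC condition set). The rule names, paths and rule set are constructed, and an operation that no rule matches is assumed to proceed (allow).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Rule actions named as in the ADC policy editor.
CONTINUE, ALLOW, BLOCK = "Continue processing other rules", "Allow", "Block Access"


def path_matches(pattern: str, path: str) -> bool:
    """SEP-style folder patterns: 'dir\\*' = items directly in dir, 'dir\\**' = the
    whole subtree under dir, '*' = any path. Windows paths compare case-insensitively."""
    p, t = pattern.lower(), path.lower()
    if p == "*":
        return True
    if p.endswith("\\**"):
        base = p[:-3] + "\\"
        return t.startswith(base) and len(t) > len(base)
    if p.endswith("\\*"):
        base = p[:-2] + "\\"
        return t.startswith(base) and "\\" not in t[len(base):]
    return p == t


@dataclass
class Rule:
    name: str
    process: str   # pattern for the process the rule applies to
    target: str    # File and Folder Access condition (constructed example)
    action: str


def evaluate(rules: List[Rule], process: str, target: str) -> Tuple[str, List[str]]:
    """First-match evaluation: the topmost matching rule decides, unless its action is
    'Continue processing other rules', in which case later rules are still consulted.
    Returns the final action and the names of the rules that matched, in order."""
    trail: List[str] = []
    for rule in rules:
        if path_matches(rule.process, process) and path_matches(rule.target, target):
            trail.append(rule.name)
            if rule.action != CONTINUE:
                return rule.action, trail
    return ALLOW, trail  # assumption: nothing matched, so the operation proceeds


# Constructed sample rule set; the monitoring rule must sit above the block rule.
RULES = [
    Rule("Log Tools access", "*", "C:\\Tools\\**", CONTINUE),
    Rule("Block Office writes to Tools", "C:\\Program Files\\Office\\*", "C:\\Tools\\**", BLOCK),
    Rule("Allow everything else", "*", "*", ALLOW),
]

if __name__ == "__main__":
    print(evaluate(RULES, "C:\\Program Files\\Office\\winword.exe", "C:\\Tools\\sub\\x.dll"))
    # Moving the catch-all Allow rule to the top silently disables the block rule:
    print(evaluate([RULES[2]] + RULES[:2], "C:\\Program Files\\Office\\winword.exe", "C:\\Tools\\x.dll"))
```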

Recommended Limits

While there are no hard-coded limits on the number of conditions in policies, performance will be seriously impacted if policies are configured in an overly complex manner. Please abide by the recommended estimated limits below.

  1. Number of DeviceIDs that can be added manually to Hardware Devices in the Policy Components:
     Symantec Technical Support does not recommend configuring a value greater than 1000.
  2. Number of excluded devices in a Device Control policy:
     Symantec Technical Support does not recommend configuring a value greater than 1000.
  3. Number of Rule Sets in an Application Control policy:
     Symantec Technical Support does not recommend configuring a value greater than 200.
  4. Number of Rules in a Rule Set in an Application Control policy:
     Symantec Technical Support does not recommend configuring a value greater than 200.
  5. Number of Conditions in a Rule:
     Symantec Technical Support does not recommend configuring a value greater than 200.
  6. Number of entries in a Condition (e.g. "File and Folder Access") to apply or not apply a rule to:
     Symantec Technical Support does not recommend configuring a value greater than 200.

If the Application Control rule sets or conditions are very large, they will cause several performance problems:

  1. The SEP client will take longer to load.
  2. The SEP client will take longer to switch locations.
  3. The SEP client will start to consume more memory.
  4. If there is an exceptionally large list, SEP's ADC component may even start to slow down other applications.

Additional Information

Endpoint Protection Application and Device Control Policies explained

Block or allow devices using Endpoint Protection