Endpoint Protection System Lockdown exceptions not working


The System Lockdown feature in Symantec Endpoint Protection (SEP) works as a whitelist of approved applications, based on a fingerprint list of checksums taken from the files on a clean, approved system.
In addition to fingerprint lists, the feature also lets you enter exceptions (approved files) based on wildcards or regular expressions.

When using the exceptions feature, System Lockdown still flags or blocks applications that are excluded: for example, an exclusion for c:\windows\system32\* still flags executables in that folder as unapproved.


System Lockdown exceptions are matched against the target of a launch or load (the executable or DLL being launched or loaded), not against the calling process.

If this were not the case, the results would likely be unintended: for example, an exception for c:\windows\* would allow running c:\evil\example.exe as long as it was started from Explorer.exe (which is in c:\windows).

An exception for c:\windows\system32\* will therefore still show applications in that folder on the Unapproved Applications list if they tried to launch an executable (or load a DLL) located outside that folder.
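The following is an added example, not Symantec's code: a small model of the evaluation described above, with constructed fingerprints, events and paths. It checks the fingerprint against the target's content and the wildcard exceptions against the target path, and also shows the unintended outcome if the exception were matched against the caller instead.

```python
import fnmatch
import hashlib
from dataclasses import dataclass

# Constructed data (not from the article): one approved fingerprint and the
# wildcard exceptions used in the article's examples.
FINGERPRINTS = {hashlib.sha256(b"approved-tool-v1").hexdigest()}
EXCEPTIONS = [r"c:\windows\*", r"c:\windows\system32\*"]  # second is subsumed by the first


@dataclass
class LoadEvent:
    caller: str          # process performing the launch or DLL load
    target: str          # executable or DLL being launched or loaded
    target_bytes: bytes  # constructed file content, hashed for the fingerprint check


def matches_exception(path: str) -> bool:
    """Case-insensitive wildcard match of a path against the exception list."""
    return any(fnmatch.fnmatchcase(path.lower(), pat.lower()) for pat in EXCEPTIONS)


def evaluate(event: LoadEvent, exception_scope: str = "target") -> bool:
    """Return True if the load is allowed.

    exception_scope="target" models the SEP behaviour the article describes;
    "caller" models the hypothetical alternative the article warns against.
    """
    fingerprint_ok = hashlib.sha256(event.target_bytes).hexdigest() in FINGERPRINTS
    path_checked = event.target if exception_scope == "target" else event.caller
    return fingerprint_ok or matches_exception(path_checked)


def unapproved_applications(events) -> list:
    """Callers whose load was blocked, as they would appear on the Unapproved Applications list."""
    return [e.caller for e in events if not evaluate(e)]


# Constructed sample events
EVENTS = [
    # 1. Explorer (under c:\windows) starts an unknown binary outside the exception.
    LoadEvent(r"c:\windows\explorer.exe", r"c:\evil\example.exe", b"unknown-binary"),
    # 2. A system32 process loads a DLL from outside the excluded folder.
    LoadEvent(r"c:\windows\system32\svchost.exe", r"c:\temp\plugin.dll", b"unknown-dll"),
    # 3. Unknown caller runs a fingerprinted tool: allowed by hash, path irrelevant.
    LoadEvent(r"c:\users\alice\run.exe", r"c:\tools\tool.exe", b"approved-tool-v1"),
    # 4. Target inside the excluded folder: allowed by the path exception.
    LoadEvent(r"c:\users\alice\run.exe", r"c:\windows\system32\notepad.exe", b"notepad"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e.caller} -> {e.target}: target-scope={'allow' if evaluate(e) else 'BLOCK'}, "
              f"caller-scope={'allow' if evaluate(e, 'caller') else 'BLOCK'}")
    print("Unapproved Applications:", unapproved_applications(EVENTS))
```

Events 1 and 2 are blocked under target scope, and their callers (explorer.exe and svchost.exe, both inside the excluded folders) are what show up on the list; under caller scope event 1 would wrongly be allowed.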