
How to Whitelist or Profile-Sandbox applications using the profiling group


Article ID: 164125


Products

Data Center Security Server Advanced

Issue/Introduction

How to use the profiling security group

Resolution

Steps to follow:

  • Create a new Prevention policy in the Java console:
    • Make a copy of sym_win_hardened_sbp
    • Name the policy profiling_sym_win_hardened
    • The policy has to be 6.0 or above
    • To allow all users to use the Event Viewer, set Global policy options = "Allow all users to run the SDCSS Agent Event Viewer"
  • In the UMC console:
    • Click on Security Group -> Profiling
    • Click on Profiling Security Group to edit
    • Make sure to add the custom policy you created earlier
    • Save and Reapply
    • Go to Assets and assign your target machine for profiling
    • The asset should be online and Prevention Enabled in the Profiling group.
    • Back in the Java console, go to Policies
    • Click on "Edit Profile List" (top right)
    • Add an Application
    • In this example we will use Notepad++ as a discovered application
    • Right click and Enable Profiling
    • It should then show profiling in progress
    • Log on to the target machine.
    • Run the Notepad++ application
    • At the same time, look at the Event Viewer
    • You should see the event description: "Process Assignment for Notepadd++ to profile_ps"
    • In this example, Notepad++ is used to edit the hosts file
    • You can perform many other actions with your application as required.
    • Go back to the Java console
    • Click on Edit Profile List
    • Then disable profiling for Notepad++
    • Right click and create a new sandbox
    • The interface should display this with all the entries from Notepad++
    • In this example we want to allow Notepad++, so select the first choice
    • Then finish. A new custom sandbox is added to the policy
    • Now re-apply the policy and look at your target machine. The new sandbox is applied.
