How to use Application and Device Control to limit the spread of a threat.

Article ID: 177628

Products

Endpoint Protection

Issue/Introduction

How to use Application and Device Control (ADC) to limit the spread of a threat.

Symptoms
There is a threat in the environment that is not being mitigated by the Antivirus functionality on the Symantec Endpoint Protection client.

The Application and Device Control feature is installed on the clients and functioning normally.
A suspicious file has been identified as a threat.

Please Note:

  • Some threats mutate and change the files that they use to launch infections. This behavior can change the fingerprint of the file, so these steps may not be completely effective against all threats.

Resolution

The first step is to identify the MD5 hash of the threat. There are several ways to find this information.

Generating a fingerprint

Solution 1

The Endpoint Protection client comes with a utility called Checksum.exe. This utility writes the MD5 hash value of a specified file to an output file.

  1. Open a command prompt window.
  2. Start > Run > type: cmd > hit Enter or OK.
  3. Navigate to the directory that contains checksum.exe. By default, this file is located in C:\Program Files\Symantec\Symantec Endpoint Protection.
  4. For the default location, type: cd C:\Program Files\Symantec\Symantec Endpoint Protection
  5. Type the following command: checksum.exe outputfile inputfile
    • 'outputfile' is the name of the text file that will contain the checksum of the specified file (e.g. outputfile.txt).
    • 'inputfile' is the exact path of the file you want to generate the hash value from.
  6. The following is an example of the syntax: checksum.exe C:\checksum.txt "C:\Program Files\sample.exe"
    • In this example the command creates a file called checksum.txt in the root of the C: drive, containing the checksum of the specified file sample.exe.

Solution 2

Microsoft has a freely available utility called the File Checksum Integrity Verifier.
The utility is discussed in great detail in Microsoft's KB 841290.

Solution 3

SlavaSoft has a utility called HashCalc that is freely available for download on the Internet at http://www.slavasoft.com/hashcalc/.

  1. Download and install the HashCalc software.
  2. Run the HashCalc software from the All Programs menu.
  3. In the drop-down menus at the top, select File for Data Format.
  4. In the Data field, click the "..." button.
  5. Navigate to the executable file that is suspicious and click Open.
  6. Make sure the check box for MD5 is checked.
  7. Click the Calculate button at the bottom.

Solution 4

You may submit a file to www.threatexpert.com and the generated report will contain the hash value. This report will be emailed to your chosen email address and made available on the site.

Note:

Some of the tools used to generate MD5 hashes are 32-bit applications, and because of Windows file system redirection on 64-bit operating systems, unexpected behavior will occur when they are run.

If an application (such as notepad.exe) is present in both the C:\Windows\SysWOW64 and C:\Windows\System32 folders, the two files have different hash values, and it is recommended to add both hash values to the policy.

a4f6df0e33e644e802c8798ed94d80ea C:\Windows\SysWOW64\notepad.exe
b32189bdff6e577a92baa61ad49264e6 C:\Windows\System32\notepad.exe

Some MD5 hash tools may return the hash of the file in C:\Windows\SysWOW64\ even though the user requested the hash of the file in the C:\Windows\System32\ folder.

Symantec's Checksum.exe tool provides the hash value for the exact file path requested:

The hash of C:\Windows\SysWOW64\notepad.exe is provided when C:\Windows\SysWOW64\notepad.exe is requested, and the hash of C:\Windows\System32\notepad.exe is provided when C:\Windows\System32\notepad.exe is requested.

We recommend using Symantec's Checksum.exe tool to generate the hash values.
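As an added example that is not part of this article or of Symantec's tools, the following Python script reproduces the fingerprint workflow above together with the WOW64 caveat: it emits the same 'hash path' lines as Checksum.exe, detects when it is itself a 32-bit process on 64-bit Windows (Windows sets the PROCESSOR_ARCHITEW6432 environment variable only then), and for a file under System32 or SysWOW64 returns both copies so that both hashes can go into the policy, reading the System32 copy through the Windows Sysnative alias when redirection would otherwise apply. The sample bytes at the bottom are constructed.

```python
import hashlib
import ntpath
import os
from typing import Dict, List, Optional, Tuple

SYSTEM32 = r"C:\Windows\System32"
SYSWOW64 = r"C:\Windows\SysWOW64"
# Windows alias through which a 32-bit process reaches the real 64-bit System32 folder.
SYSNATIVE = r"C:\Windows\Sysnative"


def md5_fingerprint(data: bytes) -> str:
    """Lowercase hex MD5 of file contents, the form pasted into ADC's fingerprint field."""
    return hashlib.md5(data).hexdigest()


def checksum_line(path: str, data: bytes) -> str:
    """One '<md5> <path>' line, matching the output format shown in the article."""
    return f"{md5_fingerprint(data)} {path}"


def running_under_wow64(env: Optional[Dict[str, str]] = None) -> bool:
    """True for a 32-bit process on 64-bit Windows; 'env' can be injected for testing."""
    env = os.environ if env is None else env
    return "PROCESSOR_ARCHITEW6432" in env


def paths_to_fingerprint(path: str, env: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return (path_for_policy, path_to_read) pairs for every copy whose hash belongs in the policy.
    Under WOW64 redirection, opening the System32 path silently yields the SysWOW64 file,
    so the System32 copy is read through the Sysnative alias instead."""
    folder, name = ntpath.split(path)
    if folder.lower() not in (SYSTEM32.lower(), SYSWOW64.lower()):
        return [(path, path)]
    read_sys32 = SYSNATIVE if running_under_wow64(env) else SYSTEM32
    return [(ntpath.join(SYSTEM32, name), ntpath.join(read_sys32, name)),
            (ntpath.join(SYSWOW64, name), ntpath.join(SYSWOW64, name))]


def fingerprint_files(path: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Hash every relevant copy of 'path' on disk and return the checksum lines."""
    lines = []
    for policy_path, read_path in paths_to_fingerprint(path, env):
        with open(read_path, "rb") as fh:
            lines.append(checksum_line(policy_path, fh.read()))
    return lines


if __name__ == "__main__":
    # Constructed sample: two different builds, as the two notepad.exe copies in the article differ.
    print(checksum_line(r"C:\Windows\System32\sample.exe", b"64-bit build"))
    print(checksum_line(r"C:\Windows\SysWOW64\sample.exe", b"32-bit build"))
```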

Configuring the Policy

Once the MD5 hash is known, the Application and Device Control policy can be configured to prevent that specific file from launching on the clients and beginning an active infection. The following steps demonstrate how to create a new Application and Device Control policy to block the specific threat and assign it to clients.

  1. Log in to the SEPM.
  2. Click on Policies.
  3. Click on Application and Device Control.
  4. Under Tasks, click on Add an Application and Device Control Policy.
  5. On the top left click on Application Control.
  6. Click on the Add... button.
  7. Under Apply this rule to the following processes, click on the Add... button.
  8. In the Process name to match field, enter * (wildcard).
  9. Click OK.
  10. Click on the Add... button on the bottom left under Rules.
  11. Select Add Condition.
  12. Select Launch Process Attempts.
  13. Click on the Add... button on the right next to "Apply to the following processes:".
  14. Click on the Options>> button at the lower right.
  15. Select the Radio button for "Match the file fingerprint".
  16. Copy the MD5 hash into the field for the fingerprint.
  17. Check "Only match processes with the following arguments", add an * in the box, and select "Match exactly".
  18. Click OK.
  19. Click OK.
  20. Click OK.
  21. Click Yes to assign the policy.
  22. Check the boxes for any group that the policy should be applied to.
  23. Click OK.

Illustrated Guide

An article created in Symantec's Connect Forums illustrates how to Block Software By Fingerprint.

References

Microsoft KB 841290