How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection
Article ID: 177763
Products: Endpoint Protection
Issue/Introduction
Is there a way to block or log Browser Helper Objects (BHOs) from loading by creating a rule in Symantec Endpoint Protection?
Symptoms
1. You have a BHO that loads when a user logs in and you want to know how to block it.
2. You want to be able to prevent new BHOs from loading.
3. You want to log all BHOs in the environment.
Cause
Undesirable Browser Helper Objects are loading on machines. You are dealing with a threat in the environment.
Resolution
How to block BHOs using Application and Device Control
1. Log into the Symantec Endpoint Protection Manager console.
2. Navigate to your Application and Device Control policy. (Use a log-only rule set for testing and a blocking rule set in production.)
3. In Application Control, add a rule set named "Block BHOs".
4. Make it apply to all processes by using * in the upper dialog.
5. Under Rules, click Add and choose Add Condition.
6. Choose Registry Access Attempts.
7. Under "Apply to the following registry keys", click Add.
8. In Registry key, add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
9. Click OK.
10. On the Actions tab, set Read Attempt to "Continue processing other rules".
11. Set Create, Delete, or Write Attempt to "Block access".
12. Check the Enable Logging boxes.
13. Click OK.
How to log BHOs using Application and Device Control
1. Log into the Symantec Endpoint Protection Manager console.
2. Navigate to your Application and Device Control policy. (Use a log-only rule set for testing and a blocking rule set in production.)
3. In Application Control, add a rule set named "Log BHOs".
4. Make it apply to all processes by using * in the upper dialog.
5. Under Rules, click Add and choose Add Condition.
6. Choose Registry Access Attempts.
7. Under "Apply to the following registry keys", click Add.
8. In Registry key, add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
9. Click OK.
10. On the Actions tab, set Read Attempt to "Allow access".
11. Set Create, Delete, or Write Attempt to "Allow access".
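Both rule sets above watch the registry key under which BHOs are registered. Before switching from the log-only rule set to the blocking one, it helps to baseline what is already registered there on an endpoint, because the blocking rule stops new Create, Delete, or Write attempts on that key and does not by itself remove entries that already exist. The following PowerShell script is an added example and is not part of the Symantec article or the product; it enumerates the BHO key, resolves each CLSID to the DLL that implements it, and checks the DLL's Authenticode signature. It assumes it is run on the endpoint with rights to read HKLM, and it also reads the Wow6432Node copy of the key, which is where 32-bit browsers on 64-bit Windows register their BHOs.

```powershell
# Added example (not from the Symantec article): inventory the BHOs registered
# under the key that the Application and Device Control rule sets above watch.
# Assumptions: run on the endpoint with read access to HKLM; on 64-bit Windows
# the Wow6432Node path holds registrations made by 32-bit browsers.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    [CmdletBinding()]
    param()

    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # Each subkey name is the CLSID of one registered BHO.
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $clsid = $sub.PSChildName

            # Resolve the CLSID to its COM server DLL. 32-bit registrations live
            # under the Wow6432Node classes view, so both locations are checked.
            $classPaths = @(
                "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"
            )
            $dll  = $null
            $name = $null
            foreach ($cp in $classPaths) {
                if (Test-Path -LiteralPath $cp) {
                    $name = (Get-ItemProperty -LiteralPath $cp -ErrorAction SilentlyContinue).'(default)'
                    $dll  = (Get-ItemProperty -LiteralPath "$cp\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                    if ($dll) { $dll = $dll.Trim('"'); break }
                }
            }

            # Unsigned DLLs, or CLSIDs whose DLL is missing from disk, are the
            # entries worth reviewing before a blocking rule is rolled out.
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                'DllNotFound'
            }

            [PSCustomObject]@{
                RegistryKey = $key
                CLSID       = $clsid
                Name        = $name
                Dll         = $dll
                Signature   = $sig
            }
        }
    }
}

# Print the full inventory, then warn on anything that is not validly signed.
$bhos = Get-RegisteredBho
$bhos | Format-Table -AutoSize
$bhos | Where-Object { $_.Signature -ne 'Valid' } | ForEach-Object {
    Write-Warning "Review BHO $($_.CLSID) ($($_.Name)) -> $($_.Dll) [$($_.Signature)]"
}
```

Run it once while the "Log BHOs" rule set is active so the inventory can be compared against the Application Control log entries; entries that appear in the log but not in this inventory are processes touching the key without leaving a registration behind, which is exactly the activity the "Block BHOs" rule set is meant to stop.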