How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection

Article ID: 177763


Products

Endpoint Protection

Issue/Introduction

Is there a way to block or log Browser Helper Objects (BHOs) from loading by creating a rule in Symantec Endpoint Protection?

Symptoms

1. You have a BHO that loads when a user logs in and you want to know how to block it.
2. You want to be able to prevent new BHOs from loading.
3. You want to log all BHOs in the environment.

Cause

Undesirable Browser Helper Objects are loading on machines. You are dealing with a threat in the environment.

Resolution


How to block BHOs using Application and Device Control
  1. Log into the Symantec Endpoint Protection Manager console
  2. Navigate to your Application and Device Control policy. (Log only as a test) (Production will test for block)
  3. In Application Control, add a rule set named "Block BHOs"
  4. Make it apply to all processes using the * in the upper dialog
  5. Under Rules click Add and choose Add Condition
  6. Choose Registry Access Attempts
  7. Under Apply to the following registry keys click Add
  8. In Registry key add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  9. Click OK
  10. Go to the Actions tab
  11. Set Read Attempt to "Continue processing other rules"
  12. Set Create, Delete, or Write Attempt to "Block access"
  13. Click the boxes for Enable Logging
  14. Click OK




How to log BHOs using Application and Device Control
  1. Log into the Symantec Endpoint Protection Manager console
  2. Navigate to your Application and Device Control policy. (Log only as a test) (Production will test for block)
  3. In Application Control, add a rule set named "Log BHOs"
  4. Make it apply to all processes using the * in the upper dialog
  5. Under Rules click Add and choose Add Condition
  6. Choose Registry Access Attempts
  7. Under Apply to the following registry keys click Add
  8. In Registry key add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
  9. Click OK
  10. Go to the Actions tab
  11. Set Read Attempt to "Allow access"
  12. Set Create, Delete, or Write Attempt to "Allow access"
  13. Click the boxes for Enable Logging
  14. Click OK
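
To review what is already registered under the key these rules watch before moving from logging to blocking, a read-only PowerShell inventory can be run on an endpoint. This is an added example, not part of the original article or of Symantec Endpoint Protection; the function name Get-BhoInventory and the Wow6432Node (32-bit view) paths are assumptions that do not come from the article.

```powershell
# Added example: list BHOs registered under the key used in the rules above.
# Read-only: nothing in the registry or on disk is modified.
$BhoKeys = @(
    # Key from the article (native registry view)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumption: 32-bit view on 64-bit Windows, not mentioned in the article
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    param([string[]]$Keys = $BhoKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # COM class registrations for the same registry view as the BHO list
        $clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
        if ($key -like '*Wow6432Node*') { $clsidRoot = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }

        # Each subkey name under the BHO key is the CLSID of one helper object
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $clsid    = $sub.PSChildName
            $classKey = "$clsidRoot\$clsid"
            $inproc   = "$classKey\InprocServer32"
            $name = $null
            $dll  = $null

            if (Test-Path -LiteralPath $classKey) { $name = (Get-Item -LiteralPath $classKey).GetValue('') }
            if (Test-Path -LiteralPath $inproc)   { $dll  = (Get-Item -LiteralPath $inproc).GetValue('') }
            if ($dll) { $dll = $dll.Trim('"') }

            # Signature status helps separate vendor add-ons from unknown DLLs
            $signature = 'NoDllRegistered'
            if ($dll) {
                $signature = 'FileNotFound'
                if (Test-Path -LiteralPath $dll) {
                    $signature = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                }
            }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; View = $key; CLSID = $clsid
                Name = $name; Dll = $dll; Signature = $signature
            }
        }
    }
}

Get-BhoInventory | Sort-Object Signature, Dll | Format-Table -AutoSize -Wrap
```

Entries reported as FileNotFound, NotSigned or NoDllRegistered are the ones to compare against the events produced by the "Log BHOs" rule set.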