How do you leverage Application and Device Control in Symantec Endpoint Protection (SEP) to help identify new threats by monitoring places where threats typically install and load from?
This Application and Device Control rule logs every time any process tries to read, create, delete or write to the registry keys or folder locations listed. It has the potential to generate large volumes of logs whenever something touches a monitored location, particularly under C:\Windows and C:\Windows\System32.
Create an Application and Device Control rule to log activities in common loading points
1.) Log into the Symantec Endpoint Protection Manager (SEPM).
2.) Click Policies.
3.) Click Application and Device Control.
4.) Click Add an Application and Device Control Policy...
5.) Specify a name for the policy. Symantec recommends that policies be named to reflect what the policy is trying to accomplish to help administrators manage their SEP environments.
6.) Click Application Control.
7.) Click Add...
8.) Specify a name for the rule set.
9.) Ensure that Enable logging is checked.
10.) In Apply this rule to the following processes:, click Add...
11.) In the Process name to match field, enter *. This causes any process that attempts to use a common loading point to be logged. It is important that you do this, as filtering at the process level can cause threats to be missed.
12.) Click OK.
13.) Under Rules, click Add, then Add Condition, then Registry Access Attempts.
14.) Under Apply to the following registry keys:, click Add...
15.) Under Registry key, enter this data:
16.) Click OK.
17.) Repeat steps 14 to 16 for the following values:
18.) Under Apply to the following registry keys:, click Add...
19.) Under Registry key, enter this data:
20.) Under Registry value name, enter this data:
21.) Click OK.
22.) Repeat these steps for the following values (Registry key and Registry value name separated by a hyphen below for easier reading):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Page
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - VmApplet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - AppInit_DLLs
23.) Click OK.
24.) Click Actions.
25.) Check both Enable logging boxes. If you check Send Email Alert, an email will be sent to the email address configured in the SEPM for reports.
26.) Click Allow access for both Read Attempt and Create, Delete, or Write Attempt.
27.) Under Rules, click Add, then Add Condition, then File and Folder Access Attempts.
28.) Click File and Folder Access Attempts.
29.) Under Apply to the following files and folders:, click Add...
30.) Enter this value:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
31.) Click OK.
32.) Repeat steps 29 to 31 for the following values:
33.) Click Actions.
34.) Check both Enable logging boxes. If you check Send Email Alert, an email will be sent to the email address configured in the SEPM for reports.
35.) Click OK.
36.) Change Test/Production to Production for your new rule. Because the rule only allows and logs, nothing is blocked, so there is no danger in doing so.
37.) Click OK. You will be prompted to assign the policy. You may do this now, or assign the policy yourself later.
View logs generated by this rule
Information here can be broken down as follows:
Date and time: When did the process attempt to run?
Severity Level: This is where you can sort by severity. Again, this is only to help administrators and has no bearing on the functionality of SEP.
Action: Did Application and Device Control allow it, or block it?
Test/Production: Is this rule in Test/Production mode (and thus just testing), or is it in Production mode (and thus logging/blocking)?
Description: This column isn't used by the rules themselves, and can be ignored.
API Class: What happened? Was the process trying to read a file? Write a registry key?
Rule: Name of the Application and Device Control rule that the action matched.
Caller Process: Which program was actually trying to do something?
Parameter: What was the process trying to touch?
User: What account tried to run the program?
User Domain: What domain is the user running from?
Location: What location is SEP currently in (if Location Awareness is being used)?
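Because the rule allows and logs both reads and writes, the log fills up with harmless reads. The following Python script is an added example (not part of the Symantec article) that triages a CSV export of these log entries using the column names above, keeps only non-read attempts against the loading points listed in the rule, and groups them by Caller Process so that unfamiliar writers stand out. The CSV export layout, the API Class wording and the sample rows are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Loading points from the rule: registry key -> value names, plus folders.
MONITORED_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main": {"Search Page"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        {"Userinit", "Shell", "VmApplet"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows":
        {"AppInit_DLLs"},
}
MONITORED_FOLDERS = [r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"]
# Windows names are case-insensitive, so compare everything lower-cased.
_VALUES = {k.lower(): {v.lower() for v in vs} for k, vs in MONITORED_VALUES.items()}
READ_CLASSES = {"registry read", "file read"}  # assumed API Class wording for reads

# Constructed sample export; the header follows the field list in the article.
SAMPLE_LOG = r"""Date and time,Severity Level,Action,Test/Production,API Class,Rule,Caller Process,Parameter,User,User Domain
2012-01-10 09:12:03,Information,Allow,Production,Registry Read,Load points,C:\Windows\explorer.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,jsmith,CORP
2012-01-10 09:12:05,Information,Allow,Production,Registry Write,Load points,C:\Temp\update.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,jsmith,CORP
2012-01-10 09:12:09,Information,Allow,Production,File Write,Load points,C:\Temp\update.exe,C:\Documents and Settings\All Users\Start Menu\Programs\Startup\helper.lnk,jsmith,CORP
2012-01-10 09:13:00,Information,Allow,Production,Registry Write,Load points,C:\Windows\regedit.exe,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Other,admin,CORP
"""


def is_loading_point(parameter: str) -> bool:
    """True if the Parameter column names a monitored registry value or folder."""
    p = parameter.lower()
    if any(p.startswith(folder.lower()) for folder in MONITORED_FOLDERS):
        return True
    key, _, value = p.rpartition("\\")  # split "HKEY_...\Key\ValueName"
    return value in _VALUES.get(key, set())


def triage(export_text: str) -> dict:
    """Group non-read attempts against loading points by caller process.

    Returns {caller process: [(API Class, Parameter), ...]}; reads are dropped
    because they are expected and noisy, while writes change what loads at boot.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["API Class"].lower() in READ_CLASSES:
            continue
        if is_loading_point(row["Parameter"]):
            hits[row["Caller Process"]].append((row["API Class"], row["Parameter"]))
    return dict(hits)
```

Run against the sample, only C:\Temp\update.exe is reported, with one registry write to Userinit and one file write into the Startup folder.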