Hardening Endpoint Protection with an Application and Device Control Policy to increase security

Article ID: 152443

Products

Endpoint Protection

Issue/Introduction

This article describes how to harden Symantec Endpoint Protection (SEP) with an Application and Device Control policy to increase security and help the SEP client prevent malicious attacks from viruses.
 

Resolution

Symantec has created a policy that can be imported into the Symantec Endpoint Protection Manager (SEPM). This policy is very powerful and offers significant zero-day protection against new threats.
Each rule is described below and should be considered individually for its suitability for the intended network.

This Application and Device Control policy provides the following security measures:

1. Blocks modifications to the hosts file [AC6]

  • The hosts file redirects Internet requests to specific IP addresses.  Threats use the hosts file to redirect communication to malicious sites or block communication to legitimate sites. Legitimate modification of the hosts file is rare.
  • Block modifications to hosts file
    • Applies to:
      • *
  • [AC6-1.1] Block etc hosts file modifications
    • Applies to:
      • %windir%\system32\drivers\etc\hosts
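Before enabling this rule, it helps to know whether the hosts file on an endpoint already contains redirecting or blocking entries. The following is an added example, not part of Symantec's policy or article; the function name `audit_hosts` and the sample file contents are constructed for illustration.

```python
import ipaddress

# Name a stock hosts file may legitimately map to loopback.
BENIGN_NAMES = {"localhost"}

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# Constructed sample hosts file.
# 127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example-bank.test    # name sent to another address
0.0.0.0         update.example.test av.example.test
"""


def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every active entry
    that is not a plain localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        for name in fields[1:]:
            name = name.lower()
            if name in BENIGN_NAMES and ip.is_loopback:
                continue
            # Loopback or 0.0.0.0 sinks the name (site blocked); any other
            # address sends traffic for that name somewhere else.
            sink = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), name,
                             "blocked" if sink else "redirected"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real client, pass the contents of %windir%\system32\drivers\etc\hosts to `audit_hosts` and review every finding before the rule starts blocking changes.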

2. Blocks access to autorun.inf [AC9]

  • Autorun is a technology that automatically runs when new media, such as a CD, is inserted.  It is less well known that autorun works on other drive types such as mapped network drives.  Threats such as Downadup attempt to automatically install by creating a malicious autorun.inf file.  Legitimate use of autorun.inf on non-CD-ROM drives is rare.
  • Explorer
    • Applies to:
      • %windir%\explorer.exe
      • %windir%\System32\explorer.exe
      • %windir%\SysWOW64\explorer.exe
  • [AC9-1.1] Autorun.inf:
    • Applies to:
      • [^\\]*\\Autorun\.inf
      • \\\\.*\\Autorun\.inf
      • Matches drive types:  Local fixed disk drive, Network Drive, RAM Drive and Removable Drive (floppy drive, USB drive, etc).
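To see which paths the two [AC9-1.1] patterns cover, they can be run over constructed paths. This is an added example, not part of Symantec's policy or article; it assumes whole-path, case-insensitive matching, which the article does not state, and `ac9_match`, `classify_paths` and the sample paths are hypothetical.

```python
import re

# The two patterns exactly as listed under [AC9-1.1].
AC9_PATTERNS = {
    "drive-root": r"[^\\]*\\Autorun\.inf",
    "unc": r"\\\\.*\\Autorun\.inf",
}

# Constructed sample paths.
SAMPLE_PATHS = [
    r"E:\Autorun.inf",
    r"e:\AUTORUN.INF",
    r"\\fileserver\share\autorun.inf",
    r"\\fileserver\share\setup\Autorun.inf",
    r"E:\setup\Autorun.inf",
    r"E:\Autorun.inf.bak",
    r"E:\notAutorun.inf",
]


def ac9_match(path):
    """Return the label of the first pattern that matches the whole path,
    or None. Assumption: whole-path, case-insensitive matching."""
    for label, pattern in AC9_PATTERNS.items():
        if re.fullmatch(pattern, path, flags=re.IGNORECASE):
            return label
    return None


def classify_paths(paths):
    """Map each path to the pattern label that covers it (or None)."""
    return {path: ac9_match(path) for path in paths}


if __name__ == "__main__":
    for path, label in classify_paths(SAMPLE_PATHS).items():
        print(f"{path:45} {label}")
```

Under that assumption the first pattern covers autorun.inf only at the root of a drive, because `[^\\]*` cannot span a backslash, while the second covers autorun.inf at any depth below a UNC path.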

3. Prevents changes to Windows Shell load points (HIPS) [AC12]

  • Threats use this technique to run code and to block execution of programs that may interfere with the threat.  Legitimate use is rare.
  • Registry classes
    • Applies to:
      • *
  • [AC12-1.1] Protect shell associations:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\comfile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\batfile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\cmdfile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\piffile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\regfile\shell\open\command
    • HKEY_CURRENT_USER\Software\Classes\scrfile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd * 
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pif *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.scr *
    • HKEY_CURRENT_USER\Software\Classes\.exe *
    • HKEY_CURRENT_USER\Software\Classes\.com *
    • HKEY_CURRENT_USER\Software\Classes\.bat *
    • HKEY_CURRENT_USER\Software\Classes\.cmd *
    • HKEY_CURRENT_USER\Software\Classes\.pif *
    • HKEY_CURRENT_USER\Software\Classes\.reg *
    • HKEY_CURRENT_USER\Software\Classes\.scr *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell *
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell *
    • HKEY_CURRENT_USER\Software\Classes\exefile\shell *
    • HKEY_CURRENT_USER\Software\Classes\comfile\shell *
    • HKEY_CURRENT_USER\Software\Classes\batfile\shell *
    • HKEY_CURRENT_USER\Software\Classes\cmdfile\shell *
    • HKEY_CURRENT_USER\Software\Classes\piffile\shell *
    • HKEY_CURRENT_USER\Software\Classes\regfile\shell *
    • HKEY_CURRENT_USER\Software\Classes\scrfile\shell *

4. Prevents changes to system using browser and office products (HIPS) [AC13]

  • Internet Explorer drive-by downloads are a very common threat vector.  This rule prevents many such attacks by blocking access to locations typically written to by threats.  Users also will be unable to download executables to WINDIR or anywhere in Program Files, but can continue to download to the Desktop, My Documents, or Downloads directories.

Exclusions are already in place for Windows Updates.

Extra care should be used when rolling out this rule.  It has been included in this set due to its power to block threats, but it has consequences that should be considered.  

a.  This rule can interfere with new ActiveX controls, which are effectively code that Internet Explorer downloads and runs.

b.  Users will no longer be able to run downloaded executables directly from the browser.  Instead they will be required to use Save As to disk before running. 

  • Browser Restrictions
    • Applies to:
      • iexplore.exe
      • firefox.exe
      • adobe.exe
      • excel.exe
      • outlook.exe
      • winword.exe
      • acrord32.exe
      • acrobat.exe
      • winzip.exe
      • java.exe
      • javaw.exe
  • [AC13-1.1] Block writing to system folders
    • Applies to:
      • %windir%\*\*
      • %programfiles%\*\*
      • %programfiles(X86)%\*\*
      • %ProgramW6432%\*\*
    • Does not apply to:
      • *\*softwaredistribution*
      • *\*softwaredistribution*\*\*
      • *\*windowsupdate*
      • *\*windowsupdate*\*\*
      • %windir%\profile*\*\*
      • *.tmp
  • [AC13-1.2] Allow to launch system process
    • Applies to:
      • %windir%\*\*
      • %programfiles%\*\*
      • %programfiles(X86)%\*\*
      • %ProgramW6432%\*\*
      • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#*\*
      • C:\Program Files\*\*
    • Does not apply to:
      • *script*.exe
      • *.tmp
      • *.log
      • cmd.exe
  • [AC13-1.3] Block from launching other processes
    • Applies to:
      • *
  • [AC13-1.4] Allow to load system DLLs
    • Applies to:
      • %windir%\*\*
      • %programfiles%\*\*
      • %programfiles(X86)%\*\*
      • %ProgramW6432%\*\*
      • #HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\PathExpansionMap\APPDATABASE#*\*
      • C:\Program Files\*\*
    • Does not apply to:
      • vbe*.dll
  • [AC13-1.5] Block from loading other DLLs
    • Applies to:
      • *

5. Prevents registration of new Browser Helper Objects (HIPS) [AC15]

  • Browser Helper Objects (BHOs) are commonly used by threats to spy on or interfere with web browsing.  This rule is useful if your organization does not allow BHOs or has a pre-installed set of allowed BHOs.
  • Prevent registration of new Browser Helper Objects
    • Applies to:
      • *
  • [AC15-1.1] Prevent registration of new Browser Helper Objects
    • Applies to:
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*\*
      • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*\*

6. Prevent registration of new Toolbars (HIPS) [AC16]

  • Browser toolbars, like BHOs, are used to spy on or interfere with web browsing.  This rule is useful if your organization does not allow browser toolbars or has a pre-installed set of allowed browser toolbars.
  • Prevent registration of new Toolbars
    • Applies to:
      • *
  • Prevent registration of new Toolbars
    • Applies to:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\*\*
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\*\*

7. Prevent vulnerable Windows processes from writing code [AC17]

  • This rule blocks threats from persisting on the system after exploiting key Windows processes.
  • Windows processes protection
    • Applies to:
      • lsass.exe
      • spoolsv.exe
      • csrss.exe
      • smss.exe
      • java.exe
      • javaw.exe
      • outlook.exe
      • excel.exe
      • winword.exe
      • adobe.exe
      • acrord*.exe
      • acrobat*.exe
  • [AC17-1.1] Block writing code
    • Applies to:
      • *.exe
      • *.dll
      • *.com
      • *.ocx
      • *.bat
      • *.cmd
      • *.vbs
      • *.cs
      • *.pif
      • *.scr

8. Prevent Windows Services from using UNC paths [AC-23]

  • Prevents Windows services from using UNC network paths.
  • Services [AC-23]
    • Applies to:
      • Services.exe
  • Network File and Folder Access Attempts [AC-23 1.1]
    • Applies to:
      • *, Network Drive

9. Block access to lnk and pif files [AC-24]

Block programs from accessing lnk and pif files, to mitigate the CVE-2010-2568 vulnerability.

Explorer [AC-24]

  • Applies to:
    • %windir%\explorer.exe
    • %windir%\System32\explorer.exe
    • %windir%\SysWOW64\explorer.exe

[AC24-1.1] Block lnk and pif files

  • Applies to:
    • *.lnk; CD/DVD, Network drive, RAM drive, Removable drive (floppy drive, USB drive, etc)
    • *.pif; CD/DVD, Network drive, RAM drive, Removable drive (floppy drive, USB drive, etc)

10. Block applications from running out of the recycle bin [AC-25]

Block applications from running out of the recycle bin

Explorer [AC-25]

  • Applies to:
    • *

[AC25-1.1] Block Launch Process Attempts from recycle bin

  • Applies to:
    • *\$recycle.bin\*\*
    • *\recycler\*\*

 

Applying the policy:

  1. Download the policy attached below: SEP Hardening Application and Device Control policy v3.zip
  2. Extract the policy SEP Hardening Application and Device Control policy v3.dat from the ZIP file.
  3. Password = symantec
  4. Log on to the Symantec Endpoint Protection Manager console.
  5. In the left-hand pane, click Policies.
  6. On the Policies page, under View Policies, click Application and Device Control Policy.
  7. On the same page, under Tasks, click Import an Application and Device Control Policy.
  8. In the Import Policy dialog box, browse to the policy file that you want to import (SEP Hardening.dat), and then click the Import button.
  9. Double-click the newly imported SEP Hardening Application and Device Control Policy.
  10. Click Application Control.
  11. Verify the appropriate ruleset boxes are checked in the policy.
  12. Verify the policy is set to either Production or Log (see Note 1 below).
  13. Client machines must be rebooted to apply the policy.

Note 1:  This should be tested in your environment first by changing the policy from production to log until you are satisfied with the results.

Note 2:  For an Application and Device Control Policy to work, you must have the Application and Device Control feature installed.

References:

HOWTO55188 Copying application rule sets or rules between Application and Device Control policies
http://www.symantec.com/business/support/index?page=content&id=HOWTO55188

TECH132307 How the Application and Device Control Hardening policy works
http://www.symantec.com/business/support/index?page=content&id=TECH132307

 

 

 

Attachments

SEP Hardening Application and Device Control policy v3.zip