Hardening Symantec Endpoint Protection (SEP) clients with an Application and Device Control policy to increase security and help block malware on the SEP client.
Symantec provides an Application and Device Control policy that can be imported into the Symantec Endpoint Protection Manager (SEPM). The policy is very powerful and offers significant zero-day protection against new threats, because its rules block the behaviour malware relies on rather than matching signatures.
Each rule is described below and should be evaluated individually for suitability in the intended network.
This Application and Device Control policy provides the following security measures:
1. Blocks modifications to the hosts file [AC6]
2. Blocks access to autorun.inf [AC9]
3. Prevents changes to Windows Shell load points (HIPS) [AC12]
4. Prevents changes to system using browser and office products (HIPS) [AC13]
Exclusions are already in place for Windows Update.
Use extra care when rolling out this rule. It is included in this set because of its power to block threats, but it has side effects that should be considered:
a. It can interfere with new ActiveX controls, which are effectively code that Internet Explorer downloads and runs.
b. Users will no longer be able to run downloaded executables directly from the browser; they must use Save As to write the file to disk first and then run it from there.
5. Prevents registration of new Browser Helper Objects (HIPS) [AC15]
6. Prevents registration of new toolbars (HIPS) [AC16]
7. Prevents vulnerable Windows processes from writing code [AC17]
8. Prevents Windows services from using UNC paths [AC-23]
9. Blocks access to .lnk and .pif files [AC-24]
Blocks programs from accessing .lnk and .pif files, to mitigate CVE-2010-2568, the Windows Shell vulnerability exploited through crafted shortcut files.
[AC24-1.1] Block lnk and pif files
10. Blocks applications from running out of the Recycle Bin [AC-25]
Blocks launch attempts for executables located in the Recycle Bin, a location some malware uses to hide its files because users rarely inspect it.
[AC25-1.1] Block Launch Process Attempts from recycle bin
Applying the policy:
Note 1: Test this policy in your environment first: set the rule sets to Test (log only) mode rather than Production, review the Application Control logs in SEPM, and switch to Production only when you are satisfied with the results.
Note 2: For an Application and Device Control policy to take effect, the Application and Device Control feature must be installed on the client.
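The following PowerShell script is an added example and is not part of the Symantec article or policy. It exercises, on a lab client, the paths that rules AC6, AC9, AC12, AC-24 and AC-25 protect, so that each action can be correlated with the SEPM Application Control log while the rule sets are still in Test (log only) mode, and then confirmed as denied after the switch to Production. Every probe is benign and cleans up after itself. Assumptions (not from the article): the session is elevated PowerShell 5.1 on a test client, the $AutorunPath default of the system drive root is where the AC9 file rule is expected to match (pass a removable drive root if your rule set is scoped that way), and a denied operation surfaces to PowerShell as a terminating exception, which is how SEP normally reports access denied.

```powershell
# Added example, not Symantec code. Probes the artifacts the ADC hardening
# rules protect and reports Allowed/Denied per rule. Run elevated on a
# test client only; each probe removes what it created.
param(
    [string]$AutorunPath = (Join-Path $env:SystemDrive 'autorun.inf')  # assumption: AC9 matches here
)

$probeTag = 'ADC-HARDENING-PROBE'

function Invoke-AdcProbe {
    param([string]$Rule, [string]$Description, [scriptblock]$Action, [scriptblock]$Cleanup)
    $result = [ordered]@{ Rule = $Rule; Probe = $Description; Outcome = ''; Detail = '' }
    try {
        $ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so a denial is caught
        & $Action
        # In Test (log only) mode the action succeeds and SEPM only records a log entry.
        $result.Outcome = 'Allowed'
    } catch {
        # In Production mode ADC denies the operation, usually as "Access is denied".
        $result.Outcome = 'Denied'
        $result.Detail  = $_.Exception.Message
    } finally {
        try { & $Cleanup } catch { $result.Detail += " (cleanup: $($_.Exception.Message))" }
    }
    [pscustomobject]$result
}

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # a Windows Shell load point
$sid       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$binDir    = Join-Path $env:SystemDrive "`$Recycle.Bin\$sid"          # this user's Recycle Bin folder
$binExe    = Join-Path $binDir 'adcprobe.exe'
$lnkPath   = Join-Path $env:TEMP 'adcprobe.lnk'

$probes = @(
    @{ Rule = 'AC6';   Description = 'Append a comment line to the hosts file'
       Action  = { Add-Content -Path $hostsPath -Value "# $probeTag" }
       Cleanup = { $kept = Get-Content $hostsPath | Where-Object { $_ -ne "# $probeTag" }
                   Set-Content -Path $hostsPath -Value $kept } }
    @{ Rule = 'AC9';   Description = "Create $AutorunPath"
       Action  = { Set-Content -Path $AutorunPath -Value "[autorun]`r`n; $probeTag" }
       Cleanup = { Remove-Item $AutorunPath -Force -ErrorAction SilentlyContinue } }
    @{ Rule = 'AC12';  Description = 'Add a value under HKCU ...\Run'
       Action  = { Set-ItemProperty -Path $runKey -Name $probeTag -Value 'cmd.exe /c exit' }
       Cleanup = { Remove-ItemProperty -Path $runKey -Name $probeTag -ErrorAction SilentlyContinue } }
    @{ Rule = 'AC-24'; Description = 'Create a .lnk and read it back as bytes'
       Action  = { $sh  = New-Object -ComObject WScript.Shell
                   $lnk = $sh.CreateShortcut($lnkPath)
                   $lnk.TargetPath = Join-Path $env:SystemRoot 'System32\notepad.exe'
                   $lnk.Save()
                   [void][System.IO.File]::ReadAllBytes($lnkPath) }
       Cleanup = { Remove-Item $lnkPath -Force -ErrorAction SilentlyContinue } }
    @{ Rule = 'AC-25'; Description = 'Launch a copy of whoami.exe from the Recycle Bin'
       Action  = { New-Item -ItemType Directory -Path $binDir -Force | Out-Null
                   Copy-Item (Join-Path $env:SystemRoot 'System32\whoami.exe') $binExe -Force
                   Start-Process -FilePath $binExe -Wait -WindowStyle Hidden }
       Cleanup = { Remove-Item $binExe -Force -ErrorAction SilentlyContinue } }
)

$results = foreach ($p in $probes) { Invoke-AdcProbe @p }
$results | Format-Table -AutoSize
# Compare each row with the SEPM Application Control log. A probe that reports
# 'Allowed' while the rule set is in Production mode means the rule did not match
# the path or process used here and the rule scope should be reviewed.
```

Run the script once with the rule sets in Test (log only) mode and confirm a log entry appears for every probe, then once more after moving to Production and confirm every row reads Denied. The AC13, AC15, AC16, AC17 and AC-23 rules are driven by browser, Office and service behaviour and are best validated by the affected applications themselves rather than by a scripted probe.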
Related documents:
HOWTO55188 Copying application rule sets or rules between Application and Device Control policies
TECH132307 How the Application and Device Control Hardening policy works