How to use Application and Device Control (ADC) to limit the spread of a threat.
Symptoms
There is a threat in the environment that is not being mitigated by the Antivirus functionality on the Symantec Endpoint Protection client.
The Application and Device Control feature is installed on the clients and functioning normally.
A suspicious file has been identified as a threat.
Please Note:
The first step is to identify the MD5 hash of the threat. There are several ways to find this information.
The Endpoint Protection client comes with a utility called Checksum.exe. This utility will generate a file with MD5 hash value for a specified file.
Microsoft has a utility (now archived), called the "Microsoft File Checksum Integrity Verifier"
The utility can be downloaded here: Microsoft File Checksum Integrity Verifier
SlavaSoft has a utility called HashCalc that is freely available for download on the Internet at http://www.slavasoft.com/hashcalc/.
Note:
Some of the tools used to generate MD5 hashes are 32-bit applications and due to Windows file system redirection on 64-bit Operating Systems, some unexpected behavior will occur.
If an application (like notepad.exe) is present in C:\Windows\SysWOW64 and C:\Windows\System32 folders, both the files have different hash values and it is recommended to add both hash values to the policy.
a4f6df0e33e644e802c8798ed94d80ea C:\Windows\SysWOW64\notepad.exe
b32189bdff6e577a92baa61ad49264e6 C:\Windows\System32\notepad.exe
Some MD5 Hash tools may provide the hash of the file from C:\Windows\SysWOW64\
though the user requests hash for the file from C:\Windows\System32\ folder.
Symantec’s Checksum.exe tool generates/provides hash value for the exact file path requested.
Hash of C:\Windows\SysWOW64\notepad.exe
will be provided if requested for C:\Windows\SysWOW64\notepad.exe
Hash of C:\Windows\System32\notepad.exe
will be provided if requested for C:\Windows\System32\notepad.exe
We would recommend to use Symantec’s checksum tool for generating the hash values.
Once the MD5 hash is known, the Application and Device Control policy can be configured to prevent that specific file from launching on the clients and beginning an active infection. The following steps demonstrate how to create a new Application and Device Control policy to block the specific threat and assign it to clients.
An article created in Symantec's Connect Forums illustrates how to Block Software By Fingerprint.