There are several methods which may be used to block P2P applications using SEP. These include:
- Configuring SEP's built-in IPS signatures which detect and block P2P traffic
- Configuring SEP's Application and Device Control feature to block launching of P2P executables
- Configuring SEP's Firewall to block the traffic of P2P executables
More information on these methods may be found below.
How to configure SEP's built-in IPS signatures to detect and block P2P traffic:
For Symantec Endpoint Protection 12.1 RU1 MP1 and earlier:
- Log in to the Symantec Endpoint Protection Manager (SEPM)
- Click Policies
- Click Intrusion Prevention
- Right-click your IPS policy and click Edit
- Click Exceptions
- Click Add...
- Click Show category and select Peer to Peer
- Click Select All
- Click Next
- Set Action to Block
- Set Log to Log the traffic
- Click OK
- Click OK
For Symantec Endpoint Protection 12.1 RU2 and later:
- Log in to the Symantec Endpoint Protection Manager (SEPM)
- Click Policies
- Click Intrusion Prevention
- Right-click your IPS policy and click Edit
- Click Exceptions underneath Windows Settings
- Click Add...
- Click Signature Name two times to sort the IPS signatures in ascending order
- Select all signatures which start with: Audit: P2P
- Click Next
- Set Action to Block
- Set Log to Log the traffic
- Click OK
- Click OK
For SEP cloud-managed clients:
- Log in to ICDm.
- Navigate to https://sep.securitycloud.symantec.com/v2/policy/policies
- Click the Intrusion Prevention policy in which you would like to enable P2P rules.
- In Audit Signature, click add.
- In Audit Signature > Quick Filters, use the following filter: SIGNATURE NAME:p2p, and increase the Items per page displayed in the table to see all rules.
- Under the line "Showing list of signature", click the checkbox to select all filtered rules.
- Three new buttons will appear: Enable, Disable, and Log. Click Enable, then Submit.
- Save the policy and apply it to the client group.
NOTE: The actions in the cloud Intrusion Prevention policy mean the following:
Log: Audit the traffic only and log it
Enable: Block the traffic and log it
Disable: Do not log the traffic and do not block it
How to use SEP's Application and Device Control feature to block P2P applications from running:
It is possible to use SEP's Application and Device Control feature to block P2P executables from launching. To do so, you will need to create an Application and Device Control rule which blocks attempts to run the P2P executables.
See the following knowledgebase document for more information: How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage
How to use SEP's Firewall to block network traffic of P2P applications:
- Log in to the Symantec Endpoint Protection Manager (SEPM)
- Click Policies
- Click Firewall
- Right-click your firewall policy and click Edit
- Click Rules
- Click Add Rule...
- Name your rule
- Click Next
- Click Block connections
- Click Next
- Click Only the applications listed below
- Click Add...
- Enter the name of the P2P application's executable in the File Name field
- Click OK
- Repeat the previous three steps (steps 12 through 14: Click Add..., enter the executable name, Click OK) for every other P2P application you want to block
- Click Next > Next > Next
- Click Yes
- Click Next
- Click OK