How to block Peer to Peer Applications (P2P) using Symantec Endpoint Protection/Complete

Article ID: 152078


Products

Endpoint Protection, Endpoint Security Complete

Issue/Introduction

This document describes how Symantec Endpoint Protection (SEP) may be used to block Peer to Peer (P2P) applications.

Resolution

There are several methods which may be used to block P2P applications using SEP. These include:

  1. Configuring SEP's built-in IPS signatures which detect and block P2P traffic
  2. Configuring SEP's Application and Device Control feature to block launching of P2P executables
  3. Configuring SEP's Firewall to block the traffic of P2P executables

More information on these methods may be found below.

How to configure SEP's built-in IPS signatures to detect and block P2P traffic:

For Symantec Endpoint Protection 12.1 RU1 MP1 and earlier:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM)
  2. Click Policies
  3. Click Intrusion Prevention
  4. Right-click your IPS policy and click Edit
  5. Click Exceptions
  6. Click Add...
  7. Click Show category and select Peer to Peer
  8. Click Select All
  9. Click Next
  10. Set Action to Block
  11. Set Log to Log the traffic
  12. Click OK
  13. Click OK

 

For Symantec Endpoint Protection 12.1 RU2 and later:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM)
  2. Click Policies
  3. Click Intrusion Prevention
  4. Right-click your IPS policy and click Edit
  5. Click Exceptions underneath Windows Settings
  6. Click Add...
  7. Click Signature Name two times to sort the IPS signatures in ascending order
  8. Select all signatures which start with: Audit: P2P
  9. Click Next
  10. Set Action to Block
  11. Set Log to Log the traffic
  12. Click OK
  13. Click OK

For SEP cloud managed client:

  1. Log in to ICDm.
  2. Navigate to https://sep.securitycloud.symantec.com/v2/policy/policies
  3. Click on the Intrusion Prevention Policy in which you would like to enable P2P rules.
  4. In Audit Signature, click add.
  5. In Audit Signature>Quick Filters, use the following filter: SIGNATURE NAME:p2p, and increase the Items per page displayed in the table to see all rules.
  6. Under the line "Showing list of signature" click on the checkbox to select all filtered rules.
  7. Three new buttons will appear: Enable, Disable, and Log. Click on Enable then Submit.
  8. Save the policy and apply it to the clients group.

NOTE: The actions in the cloud Intrusion Prevention policy mean the following:

Log: Audit the traffic only and log it
Enable: Block the traffic and log it
Disable: Do not log the traffic and do not block it

 

How to use SEP's Application and Device Control feature to block P2P applications from running:

It is possible to use SEP's Application and Device Control feature to block P2P executables from launching. To do so, you will need to create an Application and Device Control rule which blocks attempts to run the P2P executables.

See the following knowledgebase document for more information: How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

 

How to use SEP's Firewall to block network traffic of P2P applications:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM)
  2. Click Policies
  3. Click Firewall
  4. Right-click your firewall policy and click Edit
  5. Click Rules
  6. Click Add Rule...
  7. Name your rule
  8. Click Next
  9. Click Block connections
  10. Click Next
  11. Click Only the applications listed below
  12. Click Add...
  13. Enter the name of the P2P application's executable in the File Name field
  14. Click OK
  15. Repeat steps 12 through 14 for every other P2P application you want to block
  16. Click Next three times
  17. Click Yes
  18. Click Next
  19. Click OK