What are Symantec's recommendations for using Symantec Endpoint Protection's (SEP) Application and Device Control (ADC) policies? How can ADC best be put into use? What practices should be avoided?
An Application and Device Control Policy is a powerful tool that lets you create custom enforcement policies for your environment. The chapter "Configuring Application and Device Control Policies" in the Administration Guide for Symantec™ Endpoint Protection covers ADC in depth.
Application and Device Control configuration errors can disable a computer or a server: a client computer can fail, or its communication with the Symantec Endpoint Protection Manager can be blocked, once an Application and Device Control Policy is applied. Before a rule set is switched to Production, run it in Test (log only) mode on a small pilot group and review the resulting Application Control logs, so that the effect of every rule is seen before anything is actually blocked.
Application and Device Control is an advanced security feature that only experienced administrators should configure.
Known Limitations of ADC
ADC and Threat Outbreaks
Symantec Security Response has developed ADC policies to protect against the activities associated with certain specific threats. These policies are useful for reducing the risk of a threat infecting a computer, preventing unintended removal of data, and restricting which programs are allowed to run on a computer. Administrators combating an outbreak can download, import, and distribute these policies as an additional protective measure. These policies, in .dat format, are referenced in the threat write-ups for W32.Sality.AE, [email protected], W32.Virut.CF, Trojan.Pidief.E, W32.Changeup.C, W32.Qakbot and more.
Please note that these ADC policies are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities. After the threat has been eradicated, these policies should be withdrawn from use.
It is also possible to use ADC to limit the spread of threats for which Symantec does not yet have Antivirus signatures. If the MD5 hash of the suspicious file is known, a policy can be created to block any file with that hash. Note that a hash condition matches only that exact file: a variant that differs by a single byte has a different MD5, so collect the hash of every sample seen in the environment and, where the threat's drop locations are known, pair the hash rule with path-based conditions. For full details please see How to use Application and Device Control to limit the spread of a threat.
Rule sets consist of rules and their conditions. A rule is a set of conditions and actions that apply to a given process or processes. A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task.
You can create multiple rules and add them to a single application control rule set. Create as many rules and as many rule sets as you need to implement the protection you want, but be aware that serious performance issues arise from the use of rule sets of excessive length.
Application control rules work similarly to most network-based firewall rules in that both use first-match evaluation. When the conditions of several rules are true for the same event, only the topmost matching rule is applied, unless the action configured for that rule is Continue processing other rules. Consider the order of the rules and their conditions when you configure them to avoid unexpected consequences; in particular, a broad Allow rule placed above a narrower Block rule prevents the Block from ever being reached.
When you apply a condition to all entities in a particular folder, a best practice is to use folder_name\* or folder_name\*\*. One asterisk includes all the files and folders in the named folder. Use folder_name\*\* to include every file and folder in the named folder, plus every file and folder in every sub-folder.
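The following Python model, added here as an illustration and not Symantec's code or the format of an exported .dat policy, reproduces the semantics described above and in the MD5-blocking note earlier on this page: rules are tried top to bottom, the first matching rule decides unless its action is Continue, `folder\*` covers only the direct contents of a folder while `folder\**` covers the whole subtree, and a file can also be matched by its MD5. The `Rule` and `Event` classes, the permit-by-default fallback when nothing matches, and the sample paths and file contents are all assumptions made for this example; the point is to test the order of a rule set before it is pushed to clients.

```python
"""Model of ADC rule evaluation (added example, not Symantec code)."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, as entered in a fingerprint condition."""
    return hashlib.md5(data).hexdigest()


def path_matches(pattern: str, path: str) -> bool:
    """Windows-style, case-insensitive match implementing the two folder wildcards."""
    pattern = pattern.lower().replace("/", "\\")
    path = path.lower().replace("/", "\\")
    if pattern.endswith("\\**"):            # folder\** : every file and sub-folder
        base = pattern[:-2]                 # keep the trailing backslash
        return path.startswith(base) and len(path) > len(base)
    if pattern.endswith("\\*"):             # folder\* : direct contents only
        base = pattern[:-1]
        rest = path[len(base):]
        return path.startswith(base) and rest != "" and "\\" not in rest
    # Anything else is treated as a plain glob (assumption), e.g. "*" or "*\cmd.exe".
    return fnmatch.fnmatchcase(path, pattern)


@dataclass
class Event:
    process: str          # process that launches or opens the target
    target: str           # full path of the file being launched or opened
    data: bytes = b""     # target's contents (constructed), for MD5 conditions


@dataclass
class Rule:
    name: str
    process: str = "*"                 # processes the rule applies to
    target: Optional[str] = None       # path condition on the file
    md5: Optional[str] = None          # fingerprint condition on the file
    action: str = "Block Access"       # Allow, Block Access, Terminate Process, Continue

    def matches(self, ev: Event) -> bool:
        if not path_matches(self.process, ev.process):
            return False
        if self.target is not None and not path_matches(self.target, ev.target):
            return False
        if self.md5 is not None and md5_hex(ev.data) != self.md5.lower():
            return False
        return True


def evaluate(rules: List[Rule], ev: Event) -> Tuple[str, List[str]]:
    """First-match evaluation. Returns (decision, names of the rules that fired)."""
    fired = []
    for rule in rules:
        if rule.matches(ev):
            fired.append(rule.name)
            if rule.action != "Continue":   # Continue logs and keeps evaluating
                return rule.action, fired
    return "Allow", fired                   # nothing decided: assumed permit by default


# Constructed sample: contents of a suspected outbreak binary and its MD5.
BAD_SAMPLE = b"MZ\x90\x00constructed-suspicious-binary"
BAD_MD5 = md5_hex(BAD_SAMPLE)

# Mistaken order: the broad Allow sits above the fingerprint Block, so the
# Block is never reached for anything under Program Files.
RULES_WRONG_ORDER = [
    Rule("Allow Program Files", target=r"C:\Program Files\**", action="Allow"),
    Rule("Block outbreak sample", md5=BAD_MD5),
]

# Corrected: decisive narrow rules first; the audit rule uses Continue so
# evaluation falls through to the Block rule beneath it.
RULES_CORRECT = [
    Rule("Block outbreak sample", md5=BAD_MD5),
    Rule("Log launches from Public Downloads", target=r"C:\Users\Public\Downloads\**", action="Continue"),
    Rule("Block launches from Public Downloads", target=r"C:\Users\Public\Downloads\**"),
    Rule("Allow Program Files", target=r"C:\Program Files\**", action="Allow"),
]

EVENT_BAD = Event(r"C:\Windows\explorer.exe", r"C:\Program Files\Updater\update.exe", BAD_SAMPLE)
EVENT_DOWNLOADS = Event(r"C:\Windows\explorer.exe", r"C:\Users\Public\Downloads\setup.exe", b"benign")
# A variant differing by one byte: the fingerprint rule no longer matches it.
EVENT_VARIANT = Event(r"C:\Windows\explorer.exe", r"C:\Program Files\Updater\update.exe", BAD_SAMPLE + b"\x00")

if __name__ == "__main__":
    for label, rules in (("wrong order", RULES_WRONG_ORDER), ("corrected", RULES_CORRECT)):
        for ev in (EVENT_BAD, EVENT_DOWNLOADS, EVENT_VARIANT):
            print(label, ev.target, "->", evaluate(rules, ev))
```

Running the model shows the two points the text makes: with the wrong order the known-bad file under Program Files is allowed because the Allow rule fires first, and even with the corrected order the one-byte variant slips past the fingerprint rule, which is why hash conditions are an outbreak stopgap rather than a substitute for signatures.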
Note: A best practice is to use the Block Access action to prevent a condition rather than the Terminate Process action. Block Access denies the single operation and lets the application continue; Terminate Process kills the whole application that made the request, which can take down a legitimate parent process such as a file manager or a service. The Terminate Process action should be used only in advanced configurations.
Note: When creating rules and conditions, keep in mind that complex regular expression ("regex") matching can be far more CPU-intensive than plain string matching; prefer plain paths and the folder wildcards where they express the same condition.
While there are no hard-coded limitations with regards to the number of conditions in policies, performance will be seriously impacted if policies are configured in an overly-complex manner. Please abide by the below recommendations on estimated limits.
If the Application Control rule sets or conditions are very large, they will cause several performance problems: