Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Detect unauhtorized execution of program via SEP ADC

Posted on 2016-10-27
3
89 Views
Last Modified: 2016-11-12
Hi,

The SEP client version in use is 12.1.7004.6500.

We would like to use ADC function embedded to implement application whitelisting.

The fingerprints for all authorized program at one machine was collected.

Then we did a test to execute one unauthorized program. But we found there is no warnings at all.

Then we did another test to execute another unauthorized program (but this program needs to trigger another unauthorized program). We can just see the warning regarding the execution of the 2nd unauthorized program (no warning for the execution of the 1st program)

Would you please advise if SEP ADC behaves like this? Or the problem is due to some configuration settings?
Please advise. Thanks?
0
Comment
Question by:ee_lcpaa
3 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41864365
Applocker logs all program execution. Does SEP 'see' the 1st executin in its log?
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41864823
Pls do make sure the fingerprint is MD5 hash. Use SEP to block unwanted software is to block the main .EXE of the program.

NOTE: When a program is updated to a new version a new MD5 will need to be created and added, additionally you will need to make MD5s for all versions of the .EXE that may be in use.

You may submit a file to http://www.threatexpert.com and the generated report will contain the hash value. This report will be emailed to your chosen email address and made available on the site.

Microsoft has a freely available utility called the File Checksum Integrity Verifier. The utility is discussed in great detail in Microsoft's KB 841290. http://support.microsoft.com/kb/841290

Pls see the step through

https://www.symantec.com/connect/articles/block-software-fingerprint

One thing to note is you could block/allow by group. The understanding is there is no possibility to enforce policies on a single machine unless you move it to another group. But you can create any amount of policies and enforce them on groups
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An article on effective troubleshooting
Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question