?
Solved

Detect unauhtorized execution of program via SEP ADC

Posted on 2016-10-27
3
Medium Priority
?
111 Views
Last Modified: 2016-11-12
Hi,

The SEP client version in use is 12.1.7004.6500.

We would like to use ADC function embedded to implement application whitelisting.

The fingerprints for all authorized program at one machine was collected.

Then we did a test to execute one unauthorized program. But we found there is no warnings at all.

Then we did another test to execute another unauthorized program (but this program needs to trigger another unauthorized program). We can just see the warning regarding the execution of the 2nd unauthorized program (no warning for the execution of the 1st program)

Would you please advise if SEP ADC behaves like this? Or the problem is due to some configuration settings?
Please advise. Thanks?
0
Comment
Question by:ee_lcpaa
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41864365
Applocker logs all program execution. Does SEP 'see' the 1st executin in its log?
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41864823
Pls do make sure the fingerprint is MD5 hash. Use SEP to block unwanted software is to block the main .EXE of the program.

NOTE: When a program is updated to a new version a new MD5 will need to be created and added, additionally you will need to make MD5s for all versions of the .EXE that may be in use.

You may submit a file to http://www.threatexpert.com and the generated report will contain the hash value. This report will be emailed to your chosen email address and made available on the site.

Microsoft has a freely available utility called the File Checksum Integrity Verifier. The utility is discussed in great detail in Microsoft's KB 841290. http://support.microsoft.com/kb/841290

Pls see the step through

https://www.symantec.com/connect/articles/block-software-fingerprint

One thing to note is you could block/allow by group. The understanding is there is no possibility to enforce policies on a single machine unless you move it to another group. But you can create any amount of policies and enforce them on groups
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question