Solved

Detect unauhtorized execution of program via SEP ADC

Posted on 2016-10-27
3
43 Views
Last Modified: 2016-11-12
Hi,

The SEP client version in use is 12.1.7004.6500.

We would like to use ADC function embedded to implement application whitelisting.

The fingerprints for all authorized program at one machine was collected.

Then we did a test to execute one unauthorized program. But we found there is no warnings at all.

Then we did another test to execute another unauthorized program (but this program needs to trigger another unauthorized program). We can just see the warning regarding the execution of the 2nd unauthorized program (no warning for the execution of the 1st program)

Would you please advise if SEP ADC behaves like this? Or the problem is due to some configuration settings?
Please advise. Thanks?
0
Comment
Question by:ee_lcpaa
3 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 41864365
Applocker logs all program execution. Does SEP 'see' the 1st executin in its log?
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 41864823
Pls do make sure the fingerprint is MD5 hash. Use SEP to block unwanted software is to block the main .EXE of the program.

NOTE: When a program is updated to a new version a new MD5 will need to be created and added, additionally you will need to make MD5s for all versions of the .EXE that may be in use.

You may submit a file to http://www.threatexpert.com and the generated report will contain the hash value. This report will be emailed to your chosen email address and made available on the site.

Microsoft has a freely available utility called the File Checksum Integrity Verifier. The utility is discussed in great detail in Microsoft's KB 841290. http://support.microsoft.com/kb/841290

Pls see the step through

https://www.symantec.com/connect/articles/block-software-fingerprint

One thing to note is you could block/allow by group. The understanding is there is no possibility to enforce policies on a single machine unless you move it to another group. But you can create any amount of policies and enforce them on groups
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now