Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

Detect unauhtorized execution of program via SEP ADC

Posted on 2016-10-27
3
Medium Priority
?
123 Views
Last Modified: 2016-11-12
Hi,

The SEP client version in use is 12.1.7004.6500.

We would like to use ADC function embedded to implement application whitelisting.

The fingerprints for all authorized program at one machine was collected.

Then we did a test to execute one unauthorized program. But we found there is no warnings at all.

Then we did another test to execute another unauthorized program (but this program needs to trigger another unauthorized program). We can just see the warning regarding the execution of the 2nd unauthorized program (no warning for the execution of the 1st program)

Would you please advise if SEP ADC behaves like this? Or the problem is due to some configuration settings?
Please advise. Thanks?
0
Comment
Question by:ee_lcpaa
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41864365
Applocker logs all program execution. Does SEP 'see' the 1st executin in its log?
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41864823
Pls do make sure the fingerprint is MD5 hash. Use SEP to block unwanted software is to block the main .EXE of the program.

NOTE: When a program is updated to a new version a new MD5 will need to be created and added, additionally you will need to make MD5s for all versions of the .EXE that may be in use.

You may submit a file to http://www.threatexpert.com and the generated report will contain the hash value. This report will be emailed to your chosen email address and made available on the site.

Microsoft has a freely available utility called the File Checksum Integrity Verifier. The utility is discussed in great detail in Microsoft's KB 841290. http://support.microsoft.com/kb/841290

Pls see the step through

https://www.symantec.com/connect/articles/block-software-fingerprint

One thing to note is you could block/allow by group. The understanding is there is no possibility to enforce policies on a single machine unless you move it to another group. But you can create any amount of policies and enforce them on groups
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question