Information here can be broken down as follows:
Under Client Management, click View Logs, then Control Log. Target: What was the process trying to access?. Caller Process: What tried to perform an action?. Rule Name: Name of the Application and Device control rule that was matched by the action. Severity: This is where you can sort by severity.again, this is only to help administrators, and has no bearing on the functionality of SEP. User: What account tried to run the program?. Domain/Computer: Which Domain, and what's the host name of the computer?. Action: Did Application and Device Control allow it, or block it?. Time: When did the process attempt to run?. Information found here can be broken down thusly: Select Application Control for the Log content. Select Application and Device Control for Log Type. You may do this if you wish from here, or you can assign the rule on your own. You will be prompted to assign the policy. Because we're not blocking anything, there's no danger. Change Test/Production to Production for your new rule. Repeat steps 29 to 31 for the following values:. Under Apply to the following files and folders:, click Add.Ĭ:\Documents and Settings\All Users\Start Menu\Programs\Startup. Under Rules, click Add, then Add Condition, then File and Folder Access Attempts. Click Allow access for both Read Attempt as well as Create, Delete, or Write Attempt. Symantec recommends putting very verbose information into these boxes if used (such as "Read attempt on blocked registry keys"), however, this will pop up on every machine who has the policy, assuming the event happens. This is an extremely useful tool if doing limited testing. 
If Notify user is checked, whenever that action (read attempt or create, delete, or write) occurs, the user will get a pop-up in the lower right corner of the screen showing whatever is in the text box.This has no bearing on the traffic itself, and is only there to allow administrators to filter the data from the SEPM.
The Severity level is merely a value that can be assigned by an administrator to help filter reports.If you check Send Email Alert, an email will be sent to the email listed in the SEPM for reports. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - AppInit_DLLs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - VmApplet HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Shell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main - Search Page Repeat these steps for the following values ( Registry key and Registry value name separated by a hyphen below for easier reading):.Under Registry value name, enter this data:.HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main HKEY_CLASSES_ROOT\txtfile\shell\open\command HKEY_CLASSES_ROOT\comfile\shell\open\command HKEY_CLASSES_ROOT\exefile\shell\open\command HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Repeat steps 14 to 16 for the following values:. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Under Apply to the following registry keys:, click Add. Under Rules, click Add, then Add Condition, then Registry Access Attempts. It is important that you do this, as trying to filter at this level can cause threats to be missed. This will cause any process that attempts to use a common loading point will be logged. In the Process name to match field, enter *. In Apply this rule to the following processes:, click Add. Symantec recommends that policies be named to reflect what the policy is trying to accomplish to help administrators manage their SEP environments. Click Add an Application and Device Control Policy. Log into the Symantec Endpoint Protection Manager (SEPM). This has the potential of generating large volumes of logs whenever something touches a location that is being logged, particularly in C:\Windows and C:\Windows\System32.Ĭreate an Application and Device Control rule to log activities in common loading points This Application and Device Control rule will log any time any process tries to read, create, delete or write to the registry keys or folder locations listed.
0 kommentar(er)
