The most common method for blocking unauthorized software is to block the primary program executable. To ensure that the correct file is blocked, Symantec recommends that you calculate an MD5 hash of the file.

Note: When an update for a program is available and its executable modified, you need to create and add a new MD5 hash. Hashes are necessary for all versions of the executable that may be in use.

Generate an MD5 hash

Use one of the following methods to generate an MD5 hash:

• (Recommended) Use the checksum.exe utility that is installed with Symantec Endpoint Protection on the client computer to create a file fingerprint list.

• Submit a file to http://www.threatexpert.com - The generated report, which will be available online and emailed to you, contains the MD5 hash value.

• Use Microsoft’s free File Checksum Integrity Verifier.

• Use the Get-FileHash command from within Windows PowerShell.

Note: Some of these tools are 32-bit applications. Due to Windows file system redirection on 64-bit operating systems, some unexpected behavior can occur.

If an application such as notepad.exe is present in both of the following folders, each file has different hash values. Symantec recommends that you add both hash values to the policy.

• C:WindowsSysWOW64

• C:WindowsSystem32

Note: Some MD5 hash tools may provide hash values of files in the C:\Windows\SysWOW64\ folder, even though you request values for files in the C:\Windows\System32\ folder. Symantec’s checksum.exe tool (recommended) generates hash values for the exact file path requested.

Create a rule

1. In Symantec Endpoint Protection Manager (SEPM), click Policies.

2. Click Application and Device Control.

3. Create a new Application and Device Control policy, or use an existing policy.

4. Click your selected policy to edit it.

5. Click Application Control.

6. Click Add.

7. Next to Apply this rule to the following processes, click Add.

8. In the Process name to match field, type an asterisk (*).

9. Click OK.

10. Under Rules in the bottom left, click Add.

11. Click Add Condition.

12. Click Launch Process Attempts.

13. Next to Apply to the following processes, click Add.

14. In the lower right, click Options.

15. Select Match the file fingerprint.

16. Copy the MD5 hash into the field for the fingerprint.

17. Click OK.

18. Click the Actions tab.

19. Decide if you want to block the file when it runs, or log it.

    • Log: Choose "Continue processing other rules” and check "Enable logging.” There are 16 levels of logging, but "Critical - 0" is usually sufficient.

    • Block: Choose "Block Access.” You can enable logging under this option as well.

    • Notification: Check "Notify User" to notify the user by pop-up message that the software is unauthorized.

20. Click OK. Ensure that the new rule is enabled and is set for production (test only logs) when you are ready to use it.

21. Click OK.

22. Click Yes to assign the policy.

23. Check any client group to which the policy should apply.

24. Click OK.

Application and Device Control

Administrators may create policies to block specific software using Application and Device Control (ADC) in SEP. ADC can block threats for which virus definitions are not yet available, and can be used to prevent the unwanted use of legitimate applications.

References:

https://support.symantec.com/en_US/article.TECH97618.html