Symantec Critical System Protection (CSP) provides policy-based behavior control and detection for servers and desktops. It is a flexible host security solution that controls application behavior, blocks port traffic, and provides host-based intrusion prevention and detection.
Symantec Critical System Protection agents control behavior by allowing and preventing specific actions that an application or user might take. For example, a Symantec Critical System Protection prevention policy can specify that an email application may not spawn other processes, including dangerous processes like viruses, worms, and Trojan horses. The email application can still read and write to the directories that it needs to access.
Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and Windows registry settings. For example, a Symantec Critical System Protection detection policy can monitor the Windows registry keys that the Welchia worm changes during infection and raise an alert. As a result, registry security-related events can be put into context and appropriate measures taken.
This post introduces some CSP use cases. The first, and simplest, is file watch.
Here are the configuration steps:
1. From the CSP management console, make a copy of the IDS policy Windows_Baseline_Detection.
2. Open the new policy for editing and select 'My Custom Rules'.
3. Click the + button to add a new custom control.
4. From the category list, select 'File Watch'.
5. Click the + button to edit the custom control.
6. Enable 'File Watch Rule Options'.
7. Click 'Edit' next to 'File Watch Rule Options' and enter a name for the rule.
8. Enable 'Files to watch'.
9. Click 'Edit' next to 'Files to watch', then click 'Add'.
10. Enter the names of the folders or files that you want to watch/monitor.
11. Enable the options you need: 'Monitor file creation', 'Monitor file deletion' and/or 'Monitor file access'.
12. Save the policy.
13. Right-click the saved policy and select 'Apply' to push it to the target agent.
14. Verify that the target agent/asset has received the policy.
15. When a user on the agent accesses the watched folders or files, the audit log appears on the Monitors tab of the CSP management console.