This article is the ninth installment in an ongoing series of articles on how to utilize SEP 12.1 for Incident Response. Links to the previous eight articles are below:
- How to utilize SEP 12.1 for Incident Response - PART 1
- How to utilize SEP 12.1 for Incident Response - PART 2
- How to utilize SEP 12.1 for Incident Response - PART 3
- How to utilize SEP 12.1 for Incident Response - PART 4
- How to utilize SEP 12.1 for Incident Response - PART 5
- How to utilize SEP 12.1 for Incident Response - PART 6
- How to utilize SEP 12.1 for Incident Response - PART 7
- How to utilize SEP 12.1 for Incident Response - PART 8
In this article I will explain and demonstrate how multiple SEP components discussed in previous articles can be used in combination with one another to detect and prevent the spread of a malicious threat. The focus will be on two SEP components:
- SEP Application Control policy to allow only a specific executable to run using its MD5 hash value.
- SEP Firewall policy to block network traffic from the application so that it cannot automatically update.
The first piece to the puzzle is to create the Application Control Rule set for allowing the executable to run based on its MD5 hash value. Create a new Application and Device Control policy and perform the following steps:
- Access the Application Control tab
- Select Add
- Give the rule set a name (ex. File Integrity Check [1.1])
- In the Rules window, rename Rule 1 to something of your liking (ex. Only Allow Specific EXE by MD5)
- Now we will set up the first condition, which allows the executable to run by MD5 hash value. Select Add >> Add Condition, choose Launch Process Attempts and name it (ex. Allow EXE by MD5). Ensure it is at the top.
- Now we will set up the second condition, which denies the executable from running by file name. Select Add >> Add Condition, choose Launch Process Attempts and name it (ex. Deny all other EXEs). Ensure it is just below the first condition you created.
At this point, here's what it should look like:
Select the first condition and, on the Properties tab under Apply to the following processes, select Add. Then select Options and check the radio button for Match the file fingerprint. Add in the fingerprint of the file you want to allow to execute. Click OK to save. Note: I simply used the symhelp tool here as an example. There are many free tools out there to get the MD5 hash value of an executable. Personally, I use winMd5Sum because it's very simple and easy to use. On the Actions tab under Launch Process Attempt, set the action to take to Allow access and enable logging to log the event to the Security log. Feel free to check the other options as well. Click OK to save this condition. Here's another screen shot of what should be there:
Moving on to the second condition, which denies the executable from running by name. Again, I'm using the symhelp tool for demonstration purposes; it is a legitimate tool and a very helpful one at that! On the Properties tab under Apply to the following processes, select Add. Add symhelp.exe and click OK. On the Actions tab under Launch Process Attempt, set the action to take to Block access and enable logging to log the event to the Security log. Feel free to check the other options as well. Click OK to save this condition. Here's another screen shot of what should be there:
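To make the ordering requirement concrete (the allow-by-fingerprint condition must sit above the deny-by-name condition), here is an added Python model of how the two conditions are evaluated top-down. This is example code written for this article, not SEP's own logic; the sample file contents, the "first match wins" behaviour and the "no match means allow" default are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Condition:
    """One Launch Process Attempts condition in the rule set."""
    name: str
    action: str                       # "allow" or "block"
    fingerprint: Optional[str] = None  # MD5 hex digest to match (Match the file fingerprint)
    file_name: Optional[str] = None    # process name to match (Apply to the following processes)

    def matches(self, proc_name: str, proc_md5: str) -> bool:
        if self.fingerprint is not None:
            return proc_md5.lower() == self.fingerprint.lower()
        if self.file_name is not None:
            return proc_name.lower() == self.file_name.lower()
        return False


def md5_hex(data: bytes) -> str:
    """MD5 of the file contents, the same value the fingerprint field expects."""
    return hashlib.md5(data).hexdigest()


def evaluate(rule_set: List[Condition], proc_name: str, proc_bytes: bytes) -> Tuple[str, str]:
    """Walk the conditions top-down; the first match decides (assumed: no match = allow)."""
    digest = md5_hex(proc_bytes)
    for cond in rule_set:
        if cond.matches(proc_name, digest):
            return cond.action, cond.name
    return "allow", "no condition matched"


# Constructed sample: stand-in bytes for the one symhelp.exe build we want to permit.
GOOD_BUILD = b"symhelp.exe known-good build (constructed sample)"

# The rule set from the article, in the order the article requires.
RULE_SET = [
    Condition("Allow EXE by MD5", "allow", fingerprint=md5_hex(GOOD_BUILD)),
    Condition("Deny all other EXEs", "block", file_name="symhelp.exe"),
]

if __name__ == "__main__":
    print(evaluate(RULE_SET, "symhelp.exe", GOOD_BUILD))       # allowed by fingerprint
    print(evaluate(RULE_SET, "symhelp.exe", b"different build"))  # blocked by name
    # Same conditions in the wrong order: the deny-by-name condition wins first.
    print(evaluate(list(reversed(RULE_SET)), "symhelp.exe", GOOD_BUILD))
```

Running it shows the known-good build allowed, a different build blocked, and the known-good build blocked again once the conditions are swapped, which is why the fingerprint condition has to stay on top.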
Our Application Control policy is complete. Let's move over to the Firewall policy to block the application traffic.
Within your firewall policy we need to add a rule to block traffic from this application. Take the following steps:
- Select Add Rule and give it a name (ex. Block Application Update)
- Set the radio button to Block connections
- Set the radio button to Only the applications listed below and select Add. In the File Name box enter symhelp.exe, select OK and click Next
- Set the radio button to Any computer or site and click Next
- Set the radio button to All types of communication and click Next
- Set the radio button to Yes to log the activity and select Finish
The rule has been added:
Now to test...
Upon executing the file that you allowed to run via MD5 hash, you will see the following message from SEP:
symhelp.exe will open and attempt to check for an update, but because of the firewall rule blocking its traffic, you will also see this message:
Now for one last test to confirm our executable block rule is working: let's attempt to run a symhelp.exe with a different MD5 hash value. You should see the following messages from SEP and Windows:
Looks like everything is working correctly!
Hopefully this article was helpful and gives you ideas on how to best utilize SEP during an incident response situation.
If you have any questions or comments, please leave them below or feel free to drop me a PM.