SDCS:SA Cheat Sheet v2.0: "Top To Bottom, First One Wins"

This document provides definitions for various acronyms used with Symantec Data Center Security: Server Advanced (SDCS:SA). It also summarizes key functionality and concepts of SDCS:SA including detection, prevention, sandboxes, policy architecture and strategies, and the SISIPSCONFIG tool.


Acronyms

SDCS:SA = Symantec Data Center Security: Server Advanced. Also sometimes referred to as DCS.
CSP = Critical System Protection (legacy name)
BCD = Behavior Control Description
LPAC = Least Privilege Access Control
PBR = Process Binding Rules
PS, Pset = Process Set (legacy name for Sandbox)
PAC = Process Access Control (or Memory Control)

High Level Functionality

Detection (HIDS) - Monitor
1D. Files
2D. Registry
3D. Logs

Prevention (HIPS) - Monitor/Protect
1P. Files
2P. Registry
3P. Network
4P. Memory (PAC)

Regular Expressions - Wildcards (*) & (?)

Detection (HIDS): supported only after the last backslash (\), i.e. c:\temp\*
Prevention (HIPS): supported; multiples in the path are allowed, i.e. c:\temp*\log?.log
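As an added example (not code from the sheet or from Symantec), a small Python matcher that encodes the two wildcard rules above: it refuses a pattern for the detection engine when a wildcard sits before the last backslash, and matches `*`/`?` patterns case-insensitively the way Windows paths are compared. Whether `*` may span a backslash is an assumption made here, not something the sheet states.

```python
import re

# Added example, not from the cheat sheet: models the two wildcard rules it states.
#   Detection (HIDS):  '*' and '?' are honoured only after the last backslash.
#   Prevention (HIPS): '*' and '?' may appear anywhere in the path.

def valid_for_hids(pattern: str) -> bool:
    """A detection pattern may carry wildcards only in its final path component."""
    directory, _, _leaf = pattern.rpartition("\\")
    return "*" not in directory and "?" not in directory

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a '*'/'?' path pattern into a case-insensitive regex.
    Assumption made here: '*' spans any characters, including backslashes,
    so 'c:\\temp*' also covers paths below a directory such as c:\\temp2\\."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def matches(pattern: str, path: str, engine: str = "HIPS") -> bool:
    """Match a path against a pattern, refusing patterns the named engine does
    not support rather than silently matching nothing."""
    if engine == "HIDS" and not valid_for_hids(pattern):
        raise ValueError(f"HIDS rules allow wildcards only after the last backslash: {pattern}")
    return pattern_to_regex(pattern).fullmatch(path) is not None

if __name__ == "__main__":
    print(matches(r"c:\temp\*", r"C:\Temp\notes.txt", "HIDS"))   # True
    print(matches(r"c:\temp*\log?.log", r"c:\temp2\log1.log"))     # True
    print(valid_for_hids(r"c:\temp*\log?.log"))                     # False
```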

Out-of-box Generic Sandboxes (Modular Policy Architecture)

- Fully Open = Full privileges
- Fully Open with Self-Protection Enabled = Limits access to memory & the SDCS:SA agent
- Basic = Follows basic policy strategy rules
- Hardened = Follows hardened policy strategy rules
- Read-Only = Allows the service or app to start, but it is not able to modify any resources
- Custom = Inherits a defined out-of-box generic sandbox behavior and is fully customizable
- Deny = Prevents the service or app from starting

Windows v6.0 Prevention Policy Strategies

Basic
- Symantec-defined Sandboxes: known application sandboxes are present
- Default Security Level: Block Software Install; Self-Protection
- Network Perimeter: not defined

Hardened
- Symantec-defined Sandboxes: known application sandboxes are present
- Default Security Level: Block Software Install; Self-Protection; Protect OS resources; Protect Raw Disk; Provide app data protection
- Network Perimeter: Local IP and subnet addresses for inbound/outbound traffic; Restrict interactive programs from accepting inbound network connections

Protected Whitelisting
- Symantec-defined Sandboxes: requires the user to add the app to the whitelist
- Default Security Level: Default Deny posture - if not listed, it is not allowed to run
- Network Perimeter: not defined

Processing Order in Policy

The rules in SDCS:SA's BCDs are configured according to the following pattern:
1) DCS self-protection rules
2) Sandbox (PSET) specific resource lists (in the order writeable, read-only, no-access)
3) Application data protection rules
4) Global resource lists (in the order writeable, read-only, no-access)
5) Protection Category Restrictions - Software installation restrictions
   a) Block modification to startup folders
   b) Block modification to executables
   c) Block registration of COM/ActiveX controls
6) Sandbox (PSET) specific internal rules
7) Protection Category Restrictions - Basic OS restrictions
   a) Protect OS resources
   b) Protect auto-start locations
   c) Protect raw local disk device
8) Default rule
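Added example, not code from the sheet or from Symantec: a Python model of the eight categories above evaluated top to bottom with the first matching pattern winning. The policy layout, the sandbox name "webapp", the paths and the read/write verdict tables are constructed here; the point it shows is that a broad writeable list in category 2 is consulted before the software-install restriction in category 5, so a later, stricter rule never gets a say.

```python
import fnmatch

# Added example, not from the cheat sheet: the eight rule categories in the order
# the sheet lists them, walked top to bottom; the first matching pattern wins.
# Policy layout, sandbox name, paths and verdict tables are constructed.

# What a resource-list entry decides for a read or a write; the sheet's sub-order
# inside a list category is writeable, then read-only, then no-access.
LIST_VERDICT = {
    "writeable": {"read": "allow", "write": "allow"},
    "read-only": {"read": "allow", "write": "deny"},
    "no-access": {"read": "deny", "write": "deny"},
}
# Simplification: categories 1, 3, 5, 6 and 7 are treated as "block modification".
RESTRICTION = {"read": "allow", "write": "deny"}
KINDS = ("writeable", "read-only", "no-access")

def ordered_groups(sandbox, policy):
    """Yield (origin, patterns, verdict_by_op) in the sheet's processing order."""
    sb = policy.get("sandbox_lists", {}).get(sandbox, {})
    yield "1 self-protection", policy.get("self_protection", []), RESTRICTION
    for k in KINDS:
        yield f"2 {sandbox} {k}", sb.get(k, []), LIST_VERDICT[k]
    yield "3 app data protection", policy.get("app_data", []), RESTRICTION
    for k in KINDS:
        yield f"4 global {k}", policy.get("global_lists", {}).get(k, []), LIST_VERDICT[k]
    yield "5 software install", policy.get("software_install", []), RESTRICTION
    yield "6 sandbox internal", policy.get("sandbox_internal", {}).get(sandbox, []), RESTRICTION
    yield "7 basic OS", policy.get("basic_os", []), RESTRICTION
    yield "8 default", ["*"], {"read": policy["default"], "write": policy["default"]}

def evaluate(sandbox, path, op, policy):
    """Return (verdict, origin) of the first rule whose pattern matches the path.
    Case-insensitive, as Windows paths are; fnmatch's '*' also crosses backslashes."""
    for origin, patterns, verdict in ordered_groups(sandbox, policy):
        for pattern in patterns:
            if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
                return verdict[op], origin

POLICY = {  # constructed sample for a sandbox named "webapp"
    "self_protection": [r"c:\program files\symantec\*"],
    "sandbox_lists": {"webapp": {"writeable": [r"c:\inetpub\logs\*"],
                                 "read-only": [r"c:\inetpub\*"]}},
    "global_lists": {"no-access": [r"c:\secrets\*"]},
    "software_install": [r"*.exe", r"*.dll"],
    "basic_os": [r"c:\windows\*"],
    "default": "allow",
}
```

Calling `evaluate("webapp", r"c:\inetpub\logs\unexpected.dll", "write", POLICY)` returns `("allow", "2 webapp writeable")`: the writeable list matches first, so the category 5 executable restriction is never reached for that directory.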

Tips

Precedence rule of thumb: top to bottom, first one wins.

- To add an item as optional in a policy, add a dash (-) before the description (i.e. for a user that doesn't exist on a machine, add -<username>).
- Get a list of apps for a specific machine using: agent: <IP address> or <hostname>
- To profile an application in Win 6.0 policies:
  o Route the application to a fully closed custom sandbox
  o Ensure the custom sandbox has Prevention Disabled
  o Edit the sandbox to enable logging of trivial policy violations

SISIPSCONFIG tool (option = description)
-host (-h) = Sets the target Mgmt Server hostname
-port (-p) = Sets the target Mgmt Server port (1-65535)
-protocol = Sets the Management Server communications protocol
-certfile (-c) = Sets the path to the SSL client certificate file
-failbackinterval = Sets the failback interval for retrying communication with the Mgmt Server
-test (-t) = Tests the connection information with the Mgmt Server
-forcereg = Forces the Agent to re-register with the server
-setpolicy (-s) = Replaces the current policy with the applied policy
-resetpolicy (-r) = Replaces the current policy with the default policy
-ipsstate on/off = Enables or disables the IPS driver
-export (-export) = Prints out the config file
-pset = Prints out the assigned pset for each app/process
-help <option> = Prints detail for an option (i.e. sisipsconfig -help -forcereg)
-process = Snapshot of running processes with their respective sandbox


Other tools (path to the tools is: <installroot>\agent\IPS\tools)
- sisservicectrl.exe = Dedicated tool to start/stop the agent
  sisservicectrl.exe [start|stop] [sisipsservice|sisidsservice|sisutil] [wait_time_ms]
- GetEFA.exe = Gets file attributes such as MD5, SHA256, and publisher
  GetEFA.exe <file name>

Lesson Learned: Deployment Strategy

SDCS:SA vs. Competition

Legend

- Bit9 = Whitelisting tool. Flawed business process. No firewall.
- McAfee Application/Device Control, HIPS & Firewall = Multiple agents (don't match SDCS:SA features), high performance overhead.
- Trend Micro Deep Security = Limited HIDS features, higher performance overhead.
- TripWire Enterprise = HIDS only, no firewall, no anti-malware prevention, not scalable for large environments.

SDCS:SA Logs
- sisrtevents.csv = Real-time events in SDCS:SA
- sisidsevent.csv = All events recorded
- sisipsservice.log = Agent service log (operation, policy application, etc.)
- sisipsconfigtool.log = sisipsconfig tool events

Diagram sections on the original sheet (not reproduced in this text): SDCS:SA Features, Architecture, Windows Policy Legacy Templates, My Notes.

Created by: [email protected]
Last updated: June 3rd, 2014
