Client - Windows 7, SEP 12.1RU1MP1
We created a separate group with one machine inside, took inheritance off. Then ran the checksum utility (was I not supposed to have any application running?) to create the fingerprint file on the client machine. Imported the created fingerprint file to the System Lockdown policy and then set it to Step 1: Test mode only. This ran for about 1 week, and when checking under Monitors >> Logs >> Application and device control >> Application control, we get almost 2500 entries where it has identified 3 files with multiple entries to be blocked and on the unapproved file listing.
Questions / Help:
1. Why would these 3 files be logged as unapproved applications - by default shouldn't this be allowed?
a) c:/Windows/SysWOW64/rundll32.exe
b) C:/Program Files (x86)/Symantec/Symantec Endpoint Protection/12.1.1101.401.105/Bin/ccSvcHst.exe
c) C:/Program Files (x86)/Internet Explorer/iexplore.exe
2. How do I get these applications now added as "Approved" - would I have to run the checksum util again?
3. Will I have to do this to all groups that do not have inheritance?