Hi,
I was wondering if Symantec (or anyone else) has done any scalability testing on the Application and Device Control rule sets, in particular around implementing whitelisting of applications.
We're in the data collection phase of implementing whitelisting for the user's AppData folder to assist with the prevention of malware, and general lockdown of our environment to maintain control and stability.
We've found two types of data that work within the AppData folder:
1. Installed programs (typically when the user selects for it to be available for them only as well as web browser plugins etc)
2. Temporary files for setup.exe files when programs are being installed into 'Program Files' (etc) folders
It's the second one I'm focusing on, as the whitelist for these is starting to look large. So far I've found around 300 individual temporary files; this can be reduced somewhat by using paths rather than MD5 hashes (but in doing this, we reduce the security offered by whitelisting).
Has anyone tested the performance of SEP when you have hundreds of files in the exclusions (particularly the 'Launch Process Attempts' rule)?
Our rule is currently set up as follows (more so for varying the types of logging we get):
One rule with two 'Launch Process Attempts' sub-rules.
1. Whitelisting for temporary installer based files (Playing with MD5 hashes and file paths located in the 'Apply to the following processes' box)
2. Broad blacklisting (Apply to the following processes) & exceptions (Do not apply to the following processes)
Thanks,
Steve
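Added example, not from the post above or from Symantec's SEP: a Python inventory script for the data collection phase described, which hashes the binaries under a folder and counts how many whitelist entries a hash-based rule versus a path-based rule would need, collapsing volatile temp-folder names (GUIDs, ~nsuN.tmp) into a wildcard. The sample file layout and the volatile-name patterns are constructed assumptions; point `inventory()` at a real AppData copy to repeat it on your own data.

```python
import hashlib
import os
import re
import tempfile

# Folder names that change on every install ({GUID}, ~nsu3.tmp, long hex ids).
# Assumption: representative patterns only; adjust to what your collection shows.
VOLATILE_SEGMENT = re.compile(r"^(\{[0-9a-f-]{36}\}|~?[a-z0-9]+\.tmp|[0-9a-f]{8,})$", re.I)
BINARY_EXT = (".exe", ".dll", ".msi")

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def normalize_path(path, root):
    """Relative path with volatile folder names replaced by '*' (one path rule per location)."""
    rel = os.path.relpath(path, root)
    return "/".join("*" if VOLATILE_SEGMENT.match(p) else p for p in rel.split(os.sep))

def inventory(root):
    """List (normalized_path, md5) for every binary under root."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(BINARY_EXT):
                full = os.path.join(dirpath, name)
                records.append((normalize_path(full, root), md5_of_file(full)))
    return records

def whitelist_sizes(records):
    """(hash_entries, path_entries): hash rules need one entry per distinct binary,
    path rules one per location, but a path rule also matches anything later dropped there."""
    return len({h for _, h in records}), len({p for p, _ in records})

def build_sample(root):
    # Constructed sample: the same installer A unpacked twice into different {GUID}
    # dirs, installer B in two versions under ~nsuN.tmp dirs, and one installed plugin.
    layout = {
        "Local/Temp/{11111111-2222-3333-4444-555555555555}/setup.exe": b"installer-A-v1",
        "Local/Temp/{66666666-7777-8888-9999-000000000000}/setup.exe": b"installer-A-v1",
        "Local/Temp/~nsu3.tmp/Au_.exe": b"installer-B",
        "Local/Temp/~nsu7.tmp/Au_.exe": b"installer-B-v2",
        "Roaming/Vendor/plugin.dll": b"plugin",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return whitelist_sizes(inventory(root))  # (4, 3)
```

On the sample, four MD5 entries cover the five files, while three path rules do, and the path rules would also accept any future file named setup.exe dropped into a new temp folder.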