Symantec DCS (Data Center Security) is a versatile tool which can be used to perform various lockdown tasks on Windows and UNIX/Linux machines. It can do anything from application whitelisting through to full least-privilege enforcement. It is a popular tool across many different operating systems, but it's particularly useful on legacy machines which are no longer supported by the vendor. Symantec's support for old OSes currently stretches back as far as Windows 2003 SP1!
When you create a prevention policy in DCS it is critical that you understand what applications are in your whitelist: that is, which applications you want to allow higher (or even full) access to resources on the system. DCS has an auto-discovery feature which can build this list for you automatically. One drawback of that method is that you need the agent already installed on a machine; the other is that you can't use it in conjunction with application lists. I've created a script you can use to create an importable CSV for your applications. The script queries every executable under a folder you specify and writes a CSV with the following details:
- Full path to the executable
- Publisher name (if the code is signed)
- SHA-256 hash (if the code is unsigned)
It will also add the application name and version to the comments field.
The script requires Sigcheck, a free Sysinternals tool. Make sure sigcheck.exe is in the same directory as the script and run the script from PowerShell (on first use Sigcheck prompts you to accept its EULA unless it is run with -accepteula).
A folder selection window will open. Navigate to the directory containing the applications to be imported and click OK.
Once the scan is complete, you will be prompted to save the CSV file. Save it in your preferred location.
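A script of this shape, as an added example and not the author's own script: it assumes sigcheck.exe or sigcheck64.exe sits beside it, runs Sigcheck once over the selected tree with its CSV and hash options, and emits one row per binary, keyed on the publisher only when Sigcheck reports the signature as valid and on the SHA-256 otherwise. The output column names (Path, Publisher, SHA256, Comments) are an assumption about the DCS import layout; check them against what your console's Import accepts before using the file.

```powershell
# Added example (not the author's script). Assumptions:
#  - sigcheck.exe or sigcheck64.exe sits in the same folder as this script.
#  - The output columns Path, Publisher, SHA256, Comments are a guess at the
#    DCS import layout; match them to what your console's Import expects.
Add-Type -AssemblyName System.Windows.Forms

$scriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$sigcheck  = @('sigcheck64.exe', 'sigcheck.exe') |
    ForEach-Object { Join-Path $scriptDir $_ } |
    Where-Object   { Test-Path $_ } |
    Select-Object  -First 1
if (-not $sigcheck) { throw "Sigcheck not found in $scriptDir" }

# 1. Pick the folder holding the applications to whitelist.
$folderDialog = New-Object System.Windows.Forms.FolderBrowserDialog
$folderDialog.Description = 'Select the folder containing the applications to import'
if ($folderDialog.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK) { return }
$root = $folderDialog.SelectedPath

# 2. One Sigcheck run over the whole tree instead of one process per file:
#    -s recurse, -e executable images only (regardless of extension),
#    -c CSV output, -h include hashes, -w write to a file,
#    -nobanner/-accepteula so it runs unattended.
$raw = Join-Path $env:TEMP ('sigcheck-{0}.csv' -f [guid]::NewGuid())
& $sigcheck -accepteula -nobanner -s -e -c -h -w $raw $root | Out-Null
if (-not (Test-Path $raw)) { throw 'Sigcheck produced no output' }
$scan = Import-Csv -Path $raw
Remove-Item $raw -ErrorAction SilentlyContinue

# 3. Build the import rows. Only a signature Sigcheck verified ("Signed") is
#    trusted as a publisher entry; unsigned files and files whose signature did
#    not verify (expired, untrusted chain, tampered image) fall back to the
#    SHA-256, so a bad signature never turns into a publisher-wide allow.
#    Product and File Version are Sigcheck's own columns, used here for the comment.
$rows = foreach ($entry in $scan) {
    $signed = $entry.Verified -eq 'Signed'
    [pscustomobject]@{
        Path      = $entry.Path
        Publisher = if ($signed) { $entry.Publisher } else { '' }
        SHA256    = if ($signed) { '' } else { $entry.SHA256 }
        Comments  = ('{0} {1}' -f $entry.Product, $entry.'File Version').Trim()
    }
}

# 4. Save the CSV for import into the console.
$saveDialog = New-Object System.Windows.Forms.SaveFileDialog
$saveDialog.Filter   = 'CSV files (*.csv)|*.csv'
$saveDialog.FileName = 'dcs-application-list.csv'
if ($saveDialog.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK) { return }
$rows | Export-Csv -Path $saveDialog.FileName -NoTypeInformation -Encoding UTF8

# Quick sanity summary: how many entries rely on a publisher versus a hash.
Write-Host ("Wrote {0} entries to {1}" -f @($rows).Count, $saveDialog.FileName)
$rows | Group-Object { if ($_.Publisher) { 'publisher' } else { 'hash' } } |
    ForEach-Object { Write-Host ("  {0,-9} {1}" -f $_.Name, $_.Count) }
```

The summary at the end is worth a glance before you import: every publisher row will match any binary that vendor signs, not just the files under the folder you scanned, so a long publisher column deserves a review.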
Copy the saved CSV file to the management server or to a machine running the CSP console (the console still carries the product's older Critical System Protection name). Log into the console with your credentials and open the Prevention policy you want to add the newly imported list to. In the policy, click Advanced and then click My Custom Sandboxes and lists.
If you haven't created the list yet, click the + symbol to add a new list. Make sure you have selected 'This defines a set of applications to be referenced later' as the Category and added a Display Name and ID before clicking OK.
Click Edit on your list.
If not already checked, check the box for Application Programs and click Edit.
Click Import, navigate to the CSV you saved and click Import. You will be prompted to either Append or Replace the list: Append leaves the existing entries in place and adds yours to them, Replace discards them in favour of the imported file. Choose either option to import your list.
And that's it! Reference the list in your application rules. Before you rely on the list, review the imported entries: a publisher entry matches every binary signed by that publisher, not just the ones you scanned, so keep publisher entries to vendors you trust and fall back to hashes for the rest.