Adjusting Prevention Policy Options Based on Prevention Events. Version 1.0 July 2006




Table of Contents

1. Who should read this document ... 4
2. Where to get more information ... 4
3. Verifying the operation of an agent computer ... 4
4. About event details ... 5
   4.1. About event types ... 5
   4.2. About event severity levels ... 5
   4.3. About file access events ... 6
   4.4. About registry access events ... 6
   4.5. About network access events ... 6
   4.6. About buffer overflow events ... 7
   4.7. About OS call events ... 7
5. Adjusting policies based on file and registry access events ... 8
   5.1. Scenario 1: Event is write denial and you want to make the resource writable ... 8
      5.1.1. Making a resource writable for a process or process set ... 8
      5.1.2. Making a resource writable at the group level ... 8
      5.1.3. Making a resource writable at the global level ... 8
   5.2. Scenario 2: Event is read denial and you want to set resource protection to read-only ... 9
      5.2.1. Making a resource read-only for a specific process or process set ... 9
      5.2.2. Making a resource read-only at the group level ... 9
      5.2.3. Making a resource read-only at the global level ... 9
   5.3. Scenario 3: Event is a denial and you want the denial to be silent ... 10
   5.4. Scenario 4: Different access denial events for a specific process ... 10
      5.4.1. The program has no privileges ... 10
      5.4.2. The program tries to create or modify an executable file ... 11
      5.4.3. The program tries to modify a startup folder ... 11
      5.4.4. The program requires access to a specific resource set ... 12
      5.4.5. The program requires wide access to resources ... 12
6. Adjusting policies based on network access events ... 12
   6.1. Scenario 1: Accept is denied and you want to allow inbound network connections ... 12
      6.1.1. Allowing a specific process set to accept network connections ... 12
      6.1.2. Allowing all interactive programs or all services to accept network connections ... 13
      6.1.3. Allowing all programs to accept network connections ... 14
   6.2. Scenario 2: Event is a connect denial and you want to allow the connect operation ... 14
      6.2.1. Allowing a specific process set to make outbound network connections ... 14
      6.2.2. Allowing all interactive programs or all services to make outbound network connections ... 15
      6.2.3. Allowing all programs to make outbound network connections ... 16
7. Adjusting policies based on buffer overflow events ... 16
   7.1. Scenario 1: Buffer overflow detected and you want to stop buffer overflow detection for a specific process or process set ... 16
8. Adjusting policies based on OS call events ... 17
   8.1. Scenario 1: OS call was denied and you want to allow this OS call to a specific process set ... 17
Page 2 of 21
9. Appendix A: Process set to policy options mapping ... 18
   9.1. Windows prevention policies ... 18
   9.2. Linux prevention policy ... 20
   9.3. Solaris prevention policy ... 21

1. Who should read this document

This document is intended for use by Symantec Critical System Protection policy administrators. It discusses how to adjust prevention policies based on prevention event details.

When reading this document, please note the following:

- To match a process set with the correct policy option, see Appendix A: Process set to policy options mapping.
- Rules protecting Symantec Critical System Protection resources cannot be overridden by policy options. See the Symantec Critical System Protection Prevention Policy Reference Guide for more information.

2. Where to get more information

For more information on events, see the Symantec Critical System Protection Administration Guide. For more information on prevention policies, see the Symantec Critical System Protection Prevention Policy Reference Guide.

3. Verifying the operation of an agent computer

Once you apply a Symantec Critical System Protection prevention policy to an agent computer, you can verify the operation of the agent computer by viewing the events that were sent to the management server. The Monitors page in the management console displays event information that was reported to the management server from your entire agent deployment.

To verify the operation of an agent computer, search the Monitors page for event messages from the agent computer. Messages with a severity of Warning indicate unexpected activity or problems that were already handled by Symantec Critical System Protection. If a message has an event type of file access, network access, OS call, or buffer overflow, then a severity of Warning indicates abnormal application behavior that was stopped.

Even if the prevention policy is not enforcing prevention (that is, the disable prevention option is set), improper access to resources by a service or application still generates log messages. With the disable prevention option set, the disposition field in a log message indicates allow instead of deny, and the event severity appears on the Monitors page in blue instead of red.

After investigating these warning messages, you may find that Symantec Critical System Protection prevented an attempt to attack the agent computer, or that the events do not reflect a risk condition on the system. In the latter case, you may want to further configure the policy so that it does not produce these events in the future.

To verify the operation of an agent computer:

1. In the management console, click Prevention View.
2. In the management console, click Monitors.
3. On the Monitors page, in the event pane, select an event from the agent computer. Details about the selected event are shown in the lower portion of the event pane.

4. About event details

Prevention events with a severity of Warning describe different policy violations. Understanding event details is the first step in finding the correct policy settings that eliminate an event.

4.1. About event types

Events are informative, notable, and critical activities that concern the Symantec Critical System Protection agent and management server. The agent logs events to the management server, and the management console lets you view summaries and details of those events.

Symantec Critical System Protection groups events by type. The event type specifies whether a process violated a policy by an unauthorized attempt to access a file, registry key, network resource, or system call, or whether a buffer overflow event was detected. The following table lists the Symantec Critical System Protection prevention event types.

Event type              Description
File access             These events contain information about applications that access files and directories.
Registry access         These events contain information about applications that access registry keys.
Network access          These events contain information about applications that access the TCP/IP network.
Buffer overflow         These events contain information about applications that execute code that was inserted by using buffer overflows. Buffer overflow events apply to agent computers that run the Windows operating system.
OS call                 These events contain information about applications that make selected operating system calls that are often exploited by attackers.
Mount                   These events contain information about applications that mount or unmount file systems.
Process assignment      These events contain information about the assignment of a process to a process set.
Process create          These events contain information about the creation of a process.
Process destroy         These events contain information about the termination of a process.

4.2. About event severity levels

Symantec Critical System Protection assigns a severity level to each event. The following table lists the Symantec Critical System Protection severity levels.

Severity level          Description
Information             These events contain information about normal system operation.
Notice                  This severity level is used for events of trivial violations when a prevention policy is configured to show these events. By default, these events are not produced by an agent.
Warning                 These events indicate unexpected activity or problems that were already handled by Symantec Critical System Protection. Warning messages might indicate that a service or application on an agent computer is functioning improperly with the applied policy. After investigating the policy violations, you can configure the policy to allow the service or application access to the specific resources if necessary.
Critical                These events indicate activity or problems that might require administrator intervention to correct.
Error                   These events indicate detection policy internal errors. Error events are rare.

4.3. About file access events

File access events contain information about applications that access files and directories. File access event details include the following information:

Event Severity          For policy violations, event severity is Warning.
User Name               Name of the user who was the process owner at the time of the event.
Policy Name             Name of the policy that was in effect at the time of the event.
File Name               Full path of the protected file.
Process                 Full path of the process that attempted to access the file.
Disposition             Indicates whether access was Allowed or Denied.
Process Set             Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.
Permissions Requested   Permissions (write, delete, etc.) requested by the process accessing the file.

4.4. About registry access events

Registry access events contain information about applications that access registry keys. Registry access event details include the following information:

Event Severity          For policy violations, event severity is Warning.
User Name               Name of the user who was the process owner at the time of the event.
Policy Name             Name of the policy that was in effect at the time of the event.
Registry Key            Full path of the protected registry key.
Process                 Full path of the process that attempted to access the registry key.
Disposition             Indicates whether access was Allowed or Denied.
Process Set             Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.
Permissions Requested   Permissions (set_value, create_sub_key, etc.) requested by the process accessing the registry key.

4.5. About network access events

Network access events contain information about applications that access the TCP/IP network. Network access event details include the following information:

Event Severity          For policy violations, event severity is Warning.
User Name               Name of the user who was the process owner at the time of the event.
Policy Name             Name of the policy that was in effect at the time of the event.
Operation               Connect or Accept.
Protocol                TCP or UDP.
Local IP                IP address that was used by the local computer.
Local Port              Local port number.
Remote IP               IP address of the remote computer.
Remote Port             Port number of the remote computer.
Process                 Full path of the process that attempted to access the network.
Disposition             Indicates whether access was Allowed or Denied.
Process Set             Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

4.6. About buffer overflow events

Buffer overflow events contain information about applications that execute code that was inserted by using buffer overflows. Buffer overflow events apply to agent computers that run the Windows operating system. Buffer overflow event details include the following information:

Event Severity          For policy violations, event severity is Warning.
User Name               Name of the user who was the process owner at the time of the event.
Policy Name             Name of the policy that was in effect at the time of the event.
Operation               Function that was called from injected code and intercepted by the Symantec Critical System Protection driver.
Process                 Full path of the process that attempted to execute code inserted by using buffer overflows.
Disposition             Return value set by the Symantec Critical System Protection driver for the intercepted function. When prevention is turned on, the value is Denied, since the driver fails the function.
Process Set             Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

4.7. About OS call events

OS call events contain information about applications that make selected operating system calls that are often exploited by attackers. OS call event details include the following information:

Event Severity          For policy violations, event severity is Warning.
User Name               Name of the user who was the process owner at the time of the event.
Policy Name             Name of the policy that was in effect at the time of the event.
Operation               Protected OS function call (for example, link).
Process                 Full path of the process that attempted to make the operating system call.
Disposition             Return value set by the Symantec Critical System Protection driver for the intercepted function.
Process Set             Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

5. Adjusting policies based on file and registry access events

This section explains how to adjust policy options based on file and registry access events. See About file access events and About registry access events.

5.1. Scenario 1: Event is write denial and you want to make the resource writable

Resource protection rules originate from behavior control descriptions (BCDs) or policy options. Policy options supersede BCD rules, allowing you to adjust the policy. When relaxing policy protection for a resource, you should apply the change to a small group of programs, so that the resource remains protected from most of the running processes.

5.1.1. Making a resource writable for a process or process set

To make a file or registry key writable for a specific process or process set, first identify the process set name in the event. Then identify the policy option group that controls this process set. Add (type or paste) the file path or registry key path to the writable resource list under the relevant option group.

For example, suppose the event is a file access event and the process set is iis_ps. Enable Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Writable Resource Lists > Allow Modifications to these files. Add the file path to the Value box in the List of files that can be modified.

If the process belongs to the default interactive programs or default services (daemons), the resource list options also let you limit the cases in which the rule applies by specifying the program path, program command-line arguments, user name, and group name.

5.1.2. Making a resource writable at the group level

The Symantec Critical System Protection prevention policies refer to each process as either interactive or service (daemon). Interactive Program Options apply to the group of all interactive processes, while Service Options apply to the group of all service processes. You can make a file or registry key writable at the group level by adding it to the writable resource list of the relevant group (interactive program or service).

A program can be considered either an interactive program or a service (daemon), depending on how the program was launched. The best way to identify whether a process belongs to the interactive or service group is by the process set name that appears in the event.

Sometimes a resource is denied access because of a resource list restriction set at the specific option level. In this case, when you add the resource to the writable resource list at the group level, the resource remains protected at the specific level. To make the resource writable for the specific process set as well, remove the resource list restriction.

For example, suppose a registry key appears in the read-only list of IIS (Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Read-only Resource Lists > Block Modifications to these Registry keys > List of Registry keys that should not be modified). IIS is still denied write access to the registry key even after this registry key is added to the services writable resource list (Service Options > General Service Options > Resource Lists > Writable Resource Lists > Allow modifications to these Registry keys > List of Registry keys that can be modified).

5.1.3. Making a resource writable at the global level

You can make a resource writable to all processes by adding its path to the writable resource list at the global level (Global Policy Options > Resource Lists > Writable Resource Lists).

Sometimes a resource is denied access because of a resource list restriction set at the specific option level or at the group level (for example, for all interactive programs). In this case, when you add the resource to the writable resource list at the global level, the resource remains protected at the more specific level. To make the resource writable for the specific process set, remove the resource list restriction from the specific resource list. To make the resource writable for the entire group, remove the resource list restriction from the group resource list.

For example, if a registry key appears in the read-only list (Service Options > General Service Options > Resource Lists > Read-only Resource Lists > Block Modifications to these Registry keys > List of Registry keys that should not be modified), then all services are denied write access to the registry key even after this registry key is added to the global writable resource list (Global Options > Resource Lists > Writable Resource Lists > Allow modifications to these Registry keys > List of Registry keys that can be modified).

5.2. Scenario 2: Event is read denial and you want to set resource protection to read-only

Resource protection rules originate from BCDs or policy options. Policy options supersede BCD rules, allowing you to adjust the policy. When relaxing policy protection for a resource, you should apply the change to a small group of programs, so that the resource remains protected from most of the running processes.

5.2.1. Making a resource read-only for a specific process or process set

To make a file or registry key read-only for a specific process or process set, first identify the process set name in the event. Then identify the policy option group that controls this process set. Add (type or paste) the file path or registry key path to the read-only resource list under the relevant option group.

For example, if the event is a file access event and the process set is iis_ps, enable the option Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Read-only Resource Lists > Block Modifications to these files. Then add the file path to the Value box in the List of files that should not be modified.

If the process belongs to the default interactive programs or default services (daemons), the resource list options also let you limit the cases in which the rule applies by specifying the program path, program command-line arguments, user name, and group name.

5.2.2. Making a resource read-only at the group level

You can make a file or registry key read-only at the group level by adding it to the read-only resource list of the relevant group (interactive program or service).

Sometimes a resource is denied access because of a resource list no-access restriction set at the specific option level. In this case, when you add the resource to the read-only resource list at the group level, the resource remains non-accessible at the specific level. To make the resource read-only for the specific process set as well, remove the resource list restriction.

For example, if a registry key appears in the no-access list of IIS (Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > No-Access Resource Lists > Block all access to these Registry keys > List of Registry keys that should not be accessed), then IIS is still denied all access to the registry key even after this registry key is added to the services read-only resource list (Service Options > General Service Options > Resource Lists > Read-only Resource Lists > Block modifications to these Registry keys > List of Registry keys that should not be modified).

5.2.3. Making a resource read-only at the global level

You can make a resource read-only to all processes by adding its path to the read-only resource list at the global level (Global Policy Options > Resource Lists > Read-only Resource Lists).
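The layering rule behind Scenarios 1 and 2 (a no-access or read-only entry at a more specific level keeps the resource protected no matter what a broader writable or read-only list allows, and a matching policy option supersedes the BCD rule) can be checked with the following model. It is an added illustration, not product code; the process set to group mapping, the precedence of lists within one level, and the registry key paths are constructed assumptions.

```python
"""Constructed model of how Symantec Critical System Protection resource
lists layer across the specific, group, and global option levels.
Not product code: it encodes only the precedence rules stated in the text."""
from dataclasses import dataclass, field

NO_ACCESS, READ_ONLY, WRITABLE = "no-access", "read-only", "writable"


@dataclass
class ResourceLists:
    """The three resource lists that exist at one option level."""
    no_access: set = field(default_factory=set)
    read_only: set = field(default_factory=set)
    writable: set = field(default_factory=set)

    def classify(self, resource):
        """Return the list that names the resource at this level, else None.

        Assumption of this model: within one level the most restrictive
        list wins; the document only states precedence between levels.
        """
        if resource in self.no_access:
            return NO_ACCESS
        if resource in self.read_only:
            return READ_ONLY
        if resource in self.writable:
            return WRITABLE
        return None


@dataclass
class Policy:
    """Resource lists at the specific, group, and global levels."""
    groups: dict                                   # process set -> "interactive" or "service" (constructed)
    specific: dict = field(default_factory=dict)   # process set -> ResourceLists
    group: dict = field(default_factory=dict)      # group name -> ResourceLists
    global_: ResourceLists = field(default_factory=ResourceLists)
    bcd_denies: set = field(default_factory=set)   # resources the BCD rules protect

    def lists_for(self, process_set):
        """Yield (level, ResourceLists) from most to least specific."""
        yield "specific", self.specific.get(process_set, ResourceLists())
        yield "group", self.group.get(self.groups.get(process_set), ResourceLists())
        yield "global", self.global_


def evaluate(policy, process_set, permission, resource):
    """Return (disposition, deciding level, deciding list) for one access.

    permission is "read" or "write"; the disposition mirrors the Disposition
    field of a file or registry access event.
    """
    for level, lists in policy.lists_for(process_set):
        kind = lists.classify(resource)
        if kind is None:
            continue                      # this level says nothing; go broader
        if kind == NO_ACCESS:
            return "Denied", level, kind
        if kind == READ_ONLY:
            return ("Denied" if permission == "write" else "Allowed"), level, kind
        return "Allowed", level, kind
    # No policy option names the resource, so the BCD rule decides.
    return ("Denied" if resource in policy.bcd_denies else "Allowed"), "bcd", None


def blocking_restrictions(policy, process_set, permission, resource, allow_at):
    """Restrictions at levels more specific than `allow_at` that keep the
    access denied after the resource is added to the allowing list there.

    These are the entries the document says to remove from the more specific
    resource list before the broader allow can take effect.
    """
    blockers = []
    for level, lists in policy.lists_for(process_set):
        if level == allow_at:
            break
        kind = lists.classify(resource)
        if kind == NO_ACCESS or (kind == READ_ONLY and permission == "write"):
            blockers.append((level, kind))
    return blockers


def scenario_5_1_2():
    """The 5.1.2 example: the key is read-only for iis_ps but writable for all
    services; the write by iis_ps stays denied until the specific entry goes."""
    key = r"HKLM\SOFTWARE\Example\Setting"        # constructed registry key path
    policy = Policy(groups={"iis_ps": "service"}, bcd_denies={key})
    policy.specific["iis_ps"] = ResourceLists(read_only={key})
    policy.group["service"] = ResourceLists(writable={key})
    before = evaluate(policy, "iis_ps", "write", key)
    blockers = blocking_restrictions(policy, "iis_ps", "write", key, "group")
    policy.specific["iis_ps"].read_only.discard(key)
    after = evaluate(policy, "iis_ps", "write", key)
    return before, blockers, after
```

`blocking_restrictions` gives the same answer the text gives for the global-level cases in 5.1.3 and 5.2.3: the entries it returns are the ones to remove from the specific or group list before the global entry has any effect.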

Sometimes a resource is denied access because of a resource list no-access restriction set at the specific option level or at the group level (for example, for all interactive programs). In this case, when adding the resource to the read-only resource list at the global level, the resource remains non-accessible at the more specific level. To make the resource read-only for the specific process set, remove the resource list noaccess restriction from the specific resource list. To make the resource read-only for the entire group, remove the resource list no-access restriction from the group resource list. For example, if a registry key appears in the no-access list (Service Options > General Service Options > Resource Lists > No-Access Resource Lists > Block all access to these Registry keys > List of Registry keys that should not be accessed), then all services are denied all access to the registry key even after adding this registry key to the global read-only resource list (Global Options > Resource Lists > Read-only Resource Lists > Block modifications to these Registry keys > List of Registry keys that should not be modified). 5.3. Scenario 3: Event is a denial and you want the denial to be silent Sometimes a valid program may attempt to access a protected resource. You may want the resource to remain protected. This scenario is more likely to happen with default services or default interactive programs, because they do not have tailored BCDs. Policy options for default services and default interactive programs provide the means to silent these events. Silent means that these events are considered trivial and therefore are only generated by an agent if option to enable logging of trivial policy violations is enabled. To silent an event for a default service or a default interactive program, first identify the process set and the permission requested attribute in the event. 
Then set the correct option under Service Options > Default Service Options > Resource Lists or Interactive Program Options > Default Interactive Program Options> Resource Lists. For example, to silent a file read access event by an interactive program, enable Interactive Program Options > Default Interactive Program Options> Resource Lists > Read-only Resource Lists > Block and log all access to these files as trivial. Then add the program and file details in the List of files that should not be accessed. Note: Adding the program path is optional but recommended. If you do not add the program path, then the event will be silent for all default programs in the group (for example, to all the default interactive programs). 5.4. Scenario 4: Different access denial events for a specific process 5.4.1. The program has no privileges A program may be denied access to resources because the program runs under a process set that has no privileges. The prevention policies assign programs to a non-privileged process set as a mean of denying it from running or accessing any resource. This can happen if the program was explicitly specified as one that should not run or when the sequence that created the program did not seem normal. The non-privileged process set names are as follows: int_nopriv_ps svc_nopriv_ps int_mailchild_unsafe_ps To determine if a program was denied access to a resource due to being in a non-privileged process set, compare the process set name from the event with one of these process sets. If you need the program to run, then the first step should be to understand why the program was sent to the non-privileged process set. Reasons for a program to be in svc_nopriv_ps (Windows) The prevention policies list several programs as programs that should not be launched by services. These programs, which are usually not started by services under normal operation, can pose a risk to the system if Page 10 of 21

launched by malicious software. This list of programs is defined under Service Options > General Service Options > Additional Parameter Settings > Disable service execution of specific programs. Identify the program name as it appears in the Process attribute in the event. If this program path also appears in the list specified above, then this configuration denies the program from gaining any privilege when begin launched from a service. To allow this program to be launched by services, you can specify conditions under which the program can run. The conditions are details on the program command-line arguments, user, and group. You can add these details in the exception list (Service Options > General Service Options > Additional Parameter Settings > Allow services to run these programs if using specific arguments > Exception List). Removing the program from the list of restricted programs is not recommended. Reasons for a program to be in int_mailchild_unsafe_ps (Windows) The prevention policies have an option for controlling which applications can be launched by Outlook and Outlook Express to open e-mail attachments. If the option Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express > Basic Options > Disable opening of email attachments is enabled, then programs launched for opening e-mail attachments are routed to the int_mailchild_unsafe_ps process set. To specify exceptions to this rule, enable Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express > Basic Options > Enable opening of specific email attachments, and specify the program details under The list of email attachment programs allowed to execute. Reasons for a program to be in int_nopriv_ps (All platforms) If a program is routed to the int_nopriv_ps process set, it is usually because the prevention policy does not expect the parent process to launch this program. 
If you are sure you want to allow the program to be launched, enable one of the options under Interactive Program Options > General Interactive Program Options > Alternate Privilege Lists, depending on the privilege that you want the program to have. For example, to give the program standard privileges, put the program details in Interactive Program Options > General Interactive Program Options > Alternate Privilege Lists > Specify Interactive Programs with Standard privileges > List of Interactive Programs with Standard privileges.

5.4.2. The program tries to create or modify an executable file

The Windows prevention policies have options for restricting write access to executable files. This prevents unauthorized software installation on the protected system. The list of file name extensions considered to be executables can be found in the policy option Global Policy Options > Additional Parameter Settings > Enable control of modifications to executable files > List of executable file extensions. The option Block modifications to executable files, under specific process set option groups, determines whether restrictions apply to writing executables for that process set. Disabling these options is usually not recommended, because that would allow arbitrary programs to write executables to disk. Alternatively, you can use the writable resource list to allow write access. When using the writable resource list, be as specific as possible about the program using the resource and the resource name.

5.4.3. The program tries to modify a startup folder

The Windows prevention policy has options for restricting write access to files under the startup folder. This prevents unauthorized launching of software as the system starts up. The option Block modifications to Startup folders, under a specific process set option group, determines whether restrictions apply to writing to startup folders by that process set. Disabling these options is usually not recommended, because this technique is known to be used by malicious software to start itself after a system restart. Alternatively, use the writable resource list to allow write access. When using the writable resource list, be as specific as possible about the program using the resource and the resource name. See the discussion on how to make a resource writable.

5.4.4. The program requires access to a specific resource set

Sometimes a program that requires access to a set of resources is denied access by the out-of-the-box prevention policies. While the prevention policies provide per-process resource control for default programs, you should use the int_custompriv_ps process set if there are more than a few resources or if more than one program requires the custom rules. Policy options let you assign a selected program to this custom process set in order to define rules for it that do not apply to all the default programs. By doing this, you can allow programs assigned to the custom process set to access resources that are not accessible to other programs. To assign a program to int_custompriv_ps, insert the program details in Interactive Program Options > Custom Interactive Program Options > Specify Interactive Programs with Custom privileges > List of Custom Interactive Programs.

5.4.5. The program requires wide access to resources

If a critical program generates policy violation events for many resources, and you want to allow the program to access all the denied resources, consider elevating the privilege level for this program. If the program already has a BCD, you can change its privilege level using the specific Alternate Privilege Options group. For example, to give the DNS Server safe privileges, enable DNS Server > Advanced Options > Alternate Privilege Level > Run with Safe Service Privileges.

Sometimes a program does not have a specific BCD. An example of this scenario is anti-virus software that is not recognized by the out-of-the-box prevention policies. Policy options allow you to add security software to an already pre-defined Host Security process set. This is set using Global Options > Host Security Programs > Basic Options > Additional Host Security Programs Installed. Add the path to your security programs, in the Value box, in List of other Host Security Programs.

If the program does not have a BCD and is not a security program, you can give it safe or full privileges using the Alternate Privilege Level option under the general group options. To give an alternate privilege level to a service, enable Service Options > General Service Options > Alternate Privilege Lists. To specify an interactive program with safe or full privilege, use Interactive Program Options > General Interactive Programs > Alternate Privilege Lists.

6. Adjusting policies based on network access events

This section explains how to adjust policy options based on network access events. See About network access events.

6.1. Scenario 1: Accept is denied and you want to allow inbound network connections

Network access rules in the prevention policies are combined from BCD internal rules, remote IP addresses specified in the Remote Network Access Options, and port numbers specified via the resource list options. When allowing remote network connections, it is usually advised to retain maximum security by applying the change to a small number of programs and opening the connection only to the required IP addresses.

6.1.1. Allowing a specific process set to accept network connections

To allow inbound connections for a specific process set:

1. Identify the relevant option group.
2. Configure the policy to allow inbound connections from specified IP addresses or from all IP addresses, as required.
3. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls this process set.

To configure the policy to allow inbound connections from specific IPs, add the IP addresses to the list of remote IPs that can make inbound connections under the relevant option group. For example, if the event's process set is dns_ps, enable Service Options > Application Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connections from these addresses, and add the IP addresses in List of addresses that can make inbound connections to this system, under this option. To allow inbound network access from all addresses, enable Allow inbound network connections from all addresses instead.

To configure the policy to allow accepting inbound network connections on a specific port and protocol, identify the protocol and port number from the event. Then use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the process set is svc_stdpriv_ps and the protocol is TCP, enable Service Options > Default Service Options > Resource Lists > Permit listening for TCP requests, and add the port number, in the Value box, in the List of TCP ports to permit listening on.

6.1.2. Allowing all interactive programs or all services to accept network connections

To allow inbound network connections to all the interactive programs or all the services:

1. Identify the relevant option group.
2. Configure the policy to allow inbound connections from specified IP addresses. At this stage inbound connections are still restricted to allowed ports only.
3. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls the group of processes for this process set.

To configure the policy to allow inbound connections from specific IPs, add the IP addresses to the list of remote IPs that can make inbound connections under the relevant option group. For example, if the event's process set is dns_ps and you want to allow inbound network connections to all the services, enable Service Options > General Service Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connections from these addresses, and add the IP addresses in List of addresses that can make inbound connections to this system.

There is usually no gain in setting the port configuration at the group level, because only one program should listen on a given port. To configure the policy to allow a specific process or process set to accept inbound network connections on a specific port and protocol, see Allowing a specific process set to accept network connections. To set the port at the group level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the group is Interactive Programs and the protocol is TCP, enable Interactive Program Options > Resource Lists > Network Permit List > Permit listening for TCP requests, and add the port number, in the Value box, in the List of TCP ports to permit listening on.

Note: If the policy is configured to deny inbound network access at the specific level, then inbound network connections at the specific level are denied even when they are allowed at the group level. For example, if you deny network access to the DNS server by enabling DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections, and disabling DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections > Allow inbound network connections from these addresses, then inbound connections to the DNS server are denied regardless of the settings in the Service Options > General Service Options option group.

6.1.3. Allowing all programs to accept network connections

To allow inbound network connections to all programs:

1. Configure the policy to allow inbound connections from specified IP addresses. At this stage inbound connections are still restricted to allowed ports only.
2. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To configure the policy to allow inbound connections from specific IPs, enable Global Policy Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connection from these addresses, and add the IP addresses to List of addresses that can make inbound connections to this system.

There is usually no gain in setting the port configuration at the global level, because only one program should listen on a given port. To configure the policy to allow a specific process or process set to accept inbound network connections on a specific port and protocol, refer to the discussion on allowing interactive programs or services to accept network connections. To set the port at the global level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the protocol is TCP, enable Global Policy Options > Resource Lists > Network Permit List > Permit listening for TCP requests, and add the port number in the Value box for the List of TCP ports to permit listening on.

Note: If the policy is configured to deny inbound network access at the specific level (or the group level), then inbound network connections at the specific level (or group level) are denied even when they are allowed at the global level. For example, if you deny network access to the DNS server by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections, and disabling DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections > Allow inbound network connections from these addresses, then inbound connections to the DNS server are denied regardless of the settings in Global Policy Options > Remote Network Access Options.

6.2. Scenario 2: Event is a connect denial and you want to allow the connect operation

Network access rules in the prevention policies are combined from BCD internal rules, remote IP addresses specified in the Remote Network Access Options, and port numbers specified via the resource list options. When allowing remote network connections, you should retain maximum security by applying the change to a small number of programs and opening the connection only to the required IP addresses.

6.2.1. Allowing a specific process set to make outbound network connections

To allow outbound connections for a specific process set:

1. Identify the relevant option group.
2. Configure the policy to allow outbound connections to specified IP addresses or to all IP addresses, as required.
3. Configure the policy to allow outbound connections on a specific port and protocol.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls this process set.

To configure the policy to allow outbound connections to specific IPs, add the IP addresses to the list of remote IPs to which outbound connections can be made, under the relevant option group. For example, if the event's process set is dns_ps, enable Service Options > Application Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, and add the IP addresses in the List of addresses to which this system can make outbound network connections. To allow outbound network connections to all addresses, enable Allow outbound network connections to all addresses instead.

To configure the policy to allow outbound network connections on a specific port and protocol, identify the protocol and port number from the event. Then use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the process set is svc_stdpriv_ps and the protocol is TCP, enable Service Options > Default Service Options > Resource Lists > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

6.2.2. Allowing all interactive programs or all services to make outbound network connections

To allow all interactive programs or all services to make outbound network connections:

1. Identify the relevant option group (interactive programs or services).
2. Configure the policy to allow outbound connections to specified IP addresses. At this stage, outbound connections are still restricted to allowed remote ports only.
3. Configure the policy to allow making outbound connections on a specific protocol and remote port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls the group of processes for this process set.

To configure the policy to allow outbound connections to specific IPs, add the IP addresses to the list of IPs to which the local system can connect, under the relevant option group. For example, if the event's process set is svc_stdpriv_ps and you want to allow outbound network connections for all the services, enable Service Options > General Service Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, and add the IP addresses in List of addresses to which this system can make network connections.

To set the port at the group level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the group is Interactive Programs and the protocol is TCP, enable Interactive Program Options > Resource Lists > Network Permit List > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Note: If the policy is configured to deny outbound network access at the specific level, then outbound network connections at the specific level are denied even when they are allowed at the group level. For example, if you prevent the DNS server from making outbound connections by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections, and disabling DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, then outbound connections are denied for the DNS server regardless of the settings in the Service Options > General Service Options option group.
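The notes in 6.1 and 6.2 describe a precedence rule that is easy to misread: a deny configured at the specific level wins over an allow configured at the group or global level. The following script, an added example that is not part of this document or of the product, models that rule for the DNS Server case. The combination logic is an assumption drawn only from those notes (the most specific level whose Prevent option is enabled decides the address check, and the port must then appear in a Network Permit List or BCD internal rule at some level); the addresses and ports are constructed sample values.

```python
"""Added example, not Symantec code: a simplified model of how the Remote
Network Access Options at the specific, group and global levels combine.
Assumed rule: the most specific level whose 'Prevent ... network connections'
option is enabled decides the address check; the port must then be in a
Network Permit List (or BCD internal rule) at some level."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class RemoteAccessOptions:
    """One level of Remote Network Access Options plus its Network Permit List."""
    prevent: bool = False        # 'Prevent inbound/outbound network connections'
    allow_all: bool = False      # 'Allow ... connections from/to all addresses'
    addresses: FrozenSet[str] = frozenset()   # 'List of addresses that can ...'
    permit_ports: Dict[str, FrozenSet[int]] = field(default_factory=dict)  # proto -> ports


Level = Tuple[str, RemoteAccessOptions]   # (option group name, its settings)


def address_decision(opts: RemoteAccessOptions, remote_ip: str) -> Optional[bool]:
    """Decision this level makes for remote_ip, or None when the level's
    'Prevent' option is disabled and so imposes no address restriction."""
    if not opts.prevent:
        return None
    return opts.allow_all or remote_ip in opts.addresses


def evaluate(levels: List[Level], remote_ip: str, protocol: str, port: int) -> Tuple[bool, str]:
    """levels is ordered most specific first (specific, group, global).
    Returns (allowed, reason)."""
    for name, opts in levels:
        decision = address_decision(opts, remote_ip)
        if decision is None:
            continue             # this level does not restrict; consult the next one
        if not decision:
            return False, f"{name}: {remote_ip} is not an allowed address"
        break                    # allowed here; less specific levels are not consulted
    for name, opts in levels:
        if port in opts.permit_ports.get(protocol, frozenset()):
            return True, f"{name}: {protocol} port {port} is permitted"
    return False, f"{protocol} port {port} is not in any Network Permit List"


def dns_inbound(specific_prevent: bool,
                specific_addresses: FrozenSet[str] = frozenset(),
                remote_ip: str = "192.0.2.10",
                port: int = 53) -> Tuple[bool, str]:
    """Constructed scenario mirroring the document's DNS Server note.
    All addresses are constructed sample values."""
    # DNS Server > Advanced Options > Remote Network Access Options. The permit
    # entry for port 53 stands in for the BCD internal rule that makes a port
    # setting unnecessary for a service confined by its own process set.
    specific = RemoteAccessOptions(prevent=specific_prevent,
                                   addresses=specific_addresses,
                                   permit_ports={"UDP": frozenset({53}), "TCP": frozenset({53})})
    # Service Options > General Service Options: allows every address.
    group = RemoteAccessOptions(prevent=True, allow_all=True)
    # Global Policy Options: allows a single address.
    global_ = RemoteAccessOptions(prevent=True, addresses=frozenset({"192.0.2.10"}))
    return evaluate([("DNS Server > Advanced Options", specific),
                     ("Service Options > General Service Options", group),
                     ("Global Policy Options", global_)],
                    remote_ip, "UDP", port)


if __name__ == "__main__":
    # Specific-level deny wins over the group-level 'allow all'.
    print(dns_inbound(specific_prevent=True))
    # Adding the address at the specific level allows it.
    print(dns_inbound(specific_prevent=True, specific_addresses=frozenset({"192.0.2.10"})))
    # With the specific 'Prevent' option disabled, the group level decides.
    print(dns_inbound(specific_prevent=False))
    # A port outside every permit list is still denied.
    print(dns_inbound(specific_prevent=False, port=5353))
```

The same evaluator applies to the outbound case by treating the addresses as the remote side of the connection and the port as the remote port in the permit list.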

6.2.3. Allowing all programs to make outbound network connections

To allow outbound network connections for all programs:

1. Configure the policy to allow outbound connections to specified IP addresses. At this stage outbound connections are still restricted to allowed remote ports only.
2. Configure the policy to allow making outbound connections on a specific protocol and remote port.

To configure the policy to allow outbound connections to specific IPs, enable Global Policy Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connection to these addresses, and add the IP addresses to List of addresses to which this system can make outbound network connections.

To set the port at the global level, use the Network Permit lists to add the port number to the permit list of the required protocol. For example, if the protocol is TCP, enable Global Policy Options > Resource Lists > Network Permit List > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Note: If the policy is configured to deny outbound network connections at the specific level (or the group level), then outbound network connections at the specific level (or group level) are denied even when they are allowed at the global level. For example, if you prevent the DNS server from making outbound connections by enabling DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections, and disabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, then the DNS server is denied outbound connections regardless of the settings in the Global Policy Options > Remote Network Access Options option group.

7. Adjusting policies based on buffer overflow events

This section explains how to adjust policy options based on buffer overflow events. See About buffer overflow events.

7.1. Scenario 1: Buffer overflow detected and you want to stop buffer overflow detection for a specific process or process set

Programs confined using a specific process set have options for buffer overflow detection. For example, to disable buffer overflow detection for the DNS server, disable DNS Server > Advanced Options > Enable Buffer Overflow Detection.

To disable buffer overflow detection for a service that does not have a specific process set (default service), enable Service Options > Default Service Options > Enable Buffer Overflow Detection for with Standard privileges > Disable Buffer Overflow Detection for these with Standard Privileges, and add the program information in List of Standard Privilege that will have Buffer Overflow detection turned OFF. If the service is configured to run with safe privilege, use Service Options > Default Service Options > Enable Buffer Overflow Detection for with Safe privileges > Disable Buffer Overflow Detection for these with Safe Privileges.

To disable buffer overflow detection for an interactive program that does not have a specific process set (default interactive program), enable Interactive Program Options > Default Interactive Program Options > Enable Buffer Overflow Detection for Interactive Programs with Standard privileges > Disable Buffer Overflow Detection for these Interactive Programs with Standard Privileges, and add the program information in the List of Standard Privilege Interactive Programs that will have Buffer Overflow detection turned OFF. If the interactive program is configured to run with safe privilege, use Interactive Program Options > Default Interactive Program Options > Enable Buffer Overflow Detection for Interactive Programs with Safe privileges > Disable Buffer Overflow Detection for these Interactive Programs with Safe Privileges.

8. Adjusting policies based on OS call events

This section explains how to adjust policy options based on OS call events. See About OS call events.

8.1. Scenario 1: OS call was denied and you want to allow this OS call for a specific process set

Disabling OS call protection using policy options is only supported for non-specific process sets. On Windows platforms, the following non-specific process sets are supported:

svc_fullpriv_ps
int_fullpriv_ps
svc_safepriv_ps
int_safepriv_ps
svc_stdpriv_ps
int_stdpriv_ps

On Solaris and Linux platforms, the following non-specific process sets are supported:

daemon_fullpriv_ps
int_fullpriv_ps
daemon_safepriv_ps
int_safepriv_ps
daemon_stdpriv_ps
int_stdpriv_ps

Note: An exception to this rule is hsecurity_ps on Windows.

To see if you can disable OS call protection for the program, check the process set in the event. Use the process set and operation to identify the policy option that controls this OS call for this process set. For example, if the operation is link and the process set is svc_safepriv_ps (Windows), enable Service Options > Default Service Options > SysCall Options > Allow creation of hardlinks.

9. Appendix A: Process set to policy options mapping

9.1. Windows prevention policies

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Windows prevention policies. The table is arranged alphabetically by process set name.

Process Set name | Group | Option Path
dfssvc_ps |  | Service Options > Core OS Service Options > Distributed File System
dns_ps |  | DNS Server
exchange_ps |  | Service Options > General Service Options > Application Service Options > Microsoft Exchange Server
hsecurity_ps | Global | Global Policy Options > Host Security Programs
iexplore_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Internet Explorer
iis_ps |  | Service Options > Application Service Options > Internet Information
int_fullpriv_ps | Interactive Programs | Interactive Program Options > Full Interactive Program Options
int_custompriv_ps | Interactive Programs | Interactive Program Options > Custom Interactive Program Options
int_mailchild_noservers_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_mailchild_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_mailchild_unsafe_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_safepriv_ps | Interactive Programs | Interactive Program Options > Safe Interactive Program Options
int_stdpriv_noservers_ps | Interactive Programs | Interactive Program Options > Default Interactive Program Options
int_stdpriv_ps | Interactive Programs | Interactive Program Options > Default Interactive Program Options
kernel_ps | Global | Global Policy Options > Kernel Driver Options
llssrv_ps |  | License Logging Service
msdtc_ps |  | Distributed Transaction Coordinator

msoffice_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Microsoft Office
mssqlsrv_ps |  | Service Options > Application Service Option > Microsoft SQL Server
mstask_ps |  | Task Scheduler Service
Ntfrs_ps |  | File Replication Service
outlook_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
regsvc_ps |  | Remote Registry Service
remote_file_ps | Global | Global Policy Options > Remote File Access Options
rpcss_ps |  | Remote Procedure Call (RPC)
Scm_ps |  | Service Control Manager
scspagent_ps |  | Service Options > General Service Options > Core OS Service Options > Symantec Critical System Protection Agent Service
scspconsole_ps | Interactive Programs | Interactive Program Options > Specific Interactive Program Options > Symantec Critical System Protection UI Programs
scspserver_ps |  | Symantec Critical System Protection Management Service
snmp_ps |  | SNMP Service
spoolsv_ps |  | Print Spooler
spoolsv_child_ps |  | Print Spooler
svc_custompriv_ps |  | Service Options > Custom Service Options
svc_fullpriv_ps |  | Service Options > Full Service Options
svc_safepriv_ps |  | Service Options > Safe Service Options
svc_stdpriv_ps |  | Service Options > Default Service Options
system_ps |  | Startup Processes
tapisrv_ps |  | Telephony
tcpsvcs_ps |  | Simple TCP/IP

termsrv_ps |  | Terminal
winmgmt_ps |  | Windows Management Instrumentation
Wins_ps |  | Windows Internet Name Service (WINS)

9.2. Linux prevention policy

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Linux prevention policy. The table is arranged alphabetically by process set name.

Process Set name | Group | Option Path
remote_file_ps | Global | Global Policy Options > NFS Server Access Options
apache_ps |  | Daemon Options > Application Daemon Options > Apache Web Server
mail_ps |  | Daemon Options > Application Daemon Options > Mail System
scspagent_ps |  | Daemon Options > Core OS Daemon Options > Symantec Critical System Protection Agent daemon
bind_ps |  | Daemon Options > Core OS Daemon Options > Bind daemon
crond_ps |  | Daemon Options > Core OS Daemon Options > Cron daemon
ftpd_ps |  | Daemon Options > Core OS Daemon Options > FTP daemon
inetd_ps |  | Daemon Options > Core OS Daemon Options > Internet daemon
print_ps |  | Daemon Options > Core OS Daemon Options > Print System
rservices_ps |  | Daemon Options > Core OS Daemon Options > Remote login services
rpc_ps |  | Daemon Options > Core OS Daemon Options > RPC port mapper
syslog_ps |  | Daemon Options > Core OS Daemon Options > System Logging daemons
tftpd_ps |  | Daemon Options > Core OS Daemon Options > TFTP daemon
daemon_stdpriv_ps |  | Daemon Options > Default Daemon Options
int_gateway_ps |  | Daemon Options > Default Daemon Options
rootpriv_ps | Interactive Programs | Interactive Program Options > Root Program Options
int_stdpriv_ps | Interactive Programs | Interactive Program Options > Default Interactive Program Options

9.3. Solaris prevention policy

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Solaris prevention policy. The table is arranged alphabetically by process set name.

Process Set name | Group | Option Path
apache_ps |  | Daemon Options > Application Daemon Options > Apache Web Server
bind_ps |  | Daemon Options > Core OS Daemon Options > Bind daemon
crond_ps |  | Daemon Options > Core OS Daemon Options > crond daemon
daemon_stdpriv_ps |  | Daemon Options > Default Daemon Options
ftpd_ps |  | Daemon Options > Core OS Daemon Options > FTP daemon
inetd_ps |  | Daemon Options > Core OS Daemon Options > inet daemon
int_stdpriv_ps | Interactive Programs | Interactive Program Options > Default Interactive Program Options
lpd_ps |  | Daemon Options > Core OS Daemon Options > Line printer daemon
remote_file_ps | Global | Global Policy Options > NFS Server Access Options
rootpriv_ps | Interactive Programs | Interactive Program Options > Root Program Options
rpcd_ps |  | Daemon Options > Core OS Daemon Options > RPC port mapper
rservices_ps |  | Daemon Options > Core OS Daemon Options > Remote login services
scspagent_ps |  | Daemon Options > Core OS Daemon Options > Symantec Critical System Protection Agent daemon
sendmail_ps |  | Daemon Options > Application Daemon Options > Sendmail
syslogd_ps |  | Daemon Options > Core OS Daemon Options > syslog daemon
tftpd_ps |  | Daemon Options > Core OS Daemon Options > TFTP daemon