About application control rule sets and rules
Article: HOWTO27044 | Created: 2010-01-08 | Updated: 2010-01-15 | Article URL: http://www.symantec.com/docs/HOWTO27044
Rule sets consist of rules and their conditions. A rule is a set of conditions and actions that apply to a given process or processes. A best practice is to create one rule set that includes all of the actions that allow, block, and monitor one given task. Following this principle helps to keep your rules organized. For example, suppose you want to block write attempts to all removable drives, and you also want to block applications from tampering with a particular application. To accomplish these two goals, create two different rule sets; do not combine all of the rules needed for both goals into one rule set.
Currently, Symantec Endpoint Protection Manager does not support a rule set that specifies the blocking of write attempts to CD or DVD drives. You can select the option in the Application and Device Control Policy; however, the option is not enforced. Instead, you can create an Application and Device Control Policy that blocks the specific applications that write to CD or DVD drives. You should also create a Host Integrity Policy that sets the Windows registry key that blocks write attempts to CD or DVD drives.
For the latest information, see the Symantec Knowledge Base document: After setting up an Application and Device Control policy to block CD writing, CD writing is not blocked as expected, and write attempt is not logged.
You apply a rule to one or more applications to define which applications are monitored. Rules contain conditions. Each condition monitors the application or applications defined in the rule for specified operations. Conditions define what you want to allow those applications to do, or what you want to keep them from doing. Conditions also contain the actions to take when the operation specified in the condition is observed.
Remember that actions always apply to the process that is defined in the rule. They do not apply to the processes that are defined in the condition.
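To make the rule set / rule / condition / action relationship concrete, here is an added illustration that is not Symantec code and does not use the product's real condition names: a small evaluator that models the semantics described above. Operation names such as "file_write" and "process_access", the drive letters, and the file paths are constructed sample values; the point it demonstrates is that the action is applied to the process named in the rule (the actor), never to the process or file named in the condition, and that the two tasks from the example live in two separate rule sets.

```python
# Added illustration, not Symantec's own code or data model.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Condition:
    operation: str   # constructed operation name, e.g. "file_write"
    targets: list    # glob patterns for the file/process being acted on
    action: str      # "allow", "block" or "monitor"
    log: bool = True # whether the observed operation is recorded


@dataclass
class Rule:
    name: str
    processes: list  # glob patterns for the process the rule applies to
    conditions: list


@dataclass
class RuleSet:
    name: str
    rules: list


def evaluate(rule_sets, actor, operation, target):
    """Return (rule set, rule, action, process the action applies to) for the
    first condition that matches, or None if nothing matches.
    The action always applies to `actor`, the process defined in the rule,
    and never to `target`, the process or file named in the condition."""
    for rs in rule_sets:
        for rule in rs.rules:
            if not any(fnmatchcase(actor, p) for p in rule.processes):
                continue  # this rule does not govern the acting process
            for cond in rule.conditions:
                if cond.operation == operation and \
                        any(fnmatchcase(target, t) for t in cond.targets):
                    return (rs.name, rule.name, cond.action, actor)
    return None


# Two separate rule sets, one per task, as the article recommends (constructed).
REMOVABLE_WRITES = RuleSet("Block writes to removable drives", [
    Rule("Any process", ["*"],
         [Condition("file_write", ["E:\\*", "F:\\*"], "block")]),
])
PROTECT_APP = RuleSet("Protect payroll.exe from tampering", [
    Rule("Any process", ["*"],
         [Condition("process_access", ["*\\payroll.exe"], "block")]),
])
POLICY = [REMOVABLE_WRITES, PROTECT_APP]
```

Calling `evaluate(POLICY, "C:\\tools\\injector.exe", "process_access", "C:\\Program Files\\payroll.exe")` returns a block decision whose fourth element is the injecting process, not payroll.exe, which is exactly the distinction the preceding paragraph draws.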